diff options
| author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-09-17 21:10:39 +0100 |
|---|---|---|
| committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-09-17 21:10:39 +0100 |
| commit | f6db6c7b888e0cdb42d653bd551f5d6490b33ad5 (patch) | |
| tree | eb01ff35139a346cfd655ee637002be9efb904fa /xen/xsm | |
| parent | 23ef6c3662d4a106117ea8c1370e6d5f8016a7db (diff) | |
| download | xen-f6db6c7b888e0cdb42d653bd551f5d6490b33ad5.tar.gz xen-f6db6c7b888e0cdb42d653bd551f5d6490b33ad5.tar.bz2 xen-f6db6c7b888e0cdb42d653bd551f5d6490b33ad5.zip | |
xsm/flask: remove unneeded create_sid field
This field was only used to populate the ssid of dom0, which can be
handled explicitly in the domain creation hook. This also removes the
unnecessary permission check on the creation of dom0.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/xsm')
| -rw-r--r-- | xen/xsm/flask/hooks.c | 23 | ||||
| -rw-r--r-- | xen/xsm/flask/include/objsec.h | 1 |
2 files changed, 10 insertions, 14 deletions
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8c853de6bb..88fef9cf53 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -108,12 +108,10 @@ static int flask_domain_alloc_security(struct domain *d) memset(dsec, 0, sizeof(struct domain_security_struct)); - dsec->create_sid = SECSID_NULL; switch ( d->domain_id ) { case DOMID_IDLE: dsec->sid = SECINITSID_XEN; - dsec->create_sid = SECINITSID_DOM0; break; case DOMID_XEN: dsec->sid = SECINITSID_DOMXEN; @@ -489,25 +487,24 @@ static int flask_domain_create(struct domain *d, u32 ssidref) int rc; struct domain_security_struct *dsec1; struct domain_security_struct *dsec2; + static int dom0_created = 0; dsec1 = current->domain->ssid; + dsec2 = d->ssid; - if ( dsec1->create_sid == SECSID_NULL ) - dsec1->create_sid = ssidref; + if ( is_idle_domain(current->domain) && !dom0_created ) + { + dsec2->sid = SECINITSID_DOM0; + dom0_created = 1; + return 0; + } - rc = avc_has_perm(dsec1->sid, dsec1->create_sid, SECCLASS_DOMAIN, + rc = avc_has_perm(dsec1->sid, ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); if ( rc ) - { - dsec1->create_sid = SECSID_NULL; return rc; - } - - dsec2 = d->ssid; - dsec2->sid = dsec1->create_sid; - dsec1->create_sid = SECSID_NULL; - dsec2->create_sid = SECSID_NULL; + dsec2->sid = ssidref; return rc; } diff --git a/xen/xsm/flask/include/objsec.h b/xen/xsm/flask/include/objsec.h index df5baeef3d..4ff52bed9f 100644 --- a/xen/xsm/flask/include/objsec.h +++ b/xen/xsm/flask/include/objsec.h @@ -19,7 +19,6 @@ struct domain_security_struct { u32 sid; /* current SID */ - u32 create_sid; }; struct evtchn_security_struct { |