authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-09-17 21:12:21 +0100
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-09-17 21:12:21 +0100
commitfdbb35aaea778f8457728cde49d5918916c33470 (patch)
treec414a0a7c1aab313f5c085f26624d86809b3ad88 /xen/xsm
parentf6db6c7b888e0cdb42d653bd551f5d6490b33ad5 (diff)
xsm/flask: add domain relabel support
This adds the ability to change a domain's XSM label after creation. The new label will be used for all future access checks; however, existing event channels and memory mappings will remain valid even if their creation would be denied by the new label. With appropriate security policy and hooks in the domain builder, this can be used to create domains that the domain builder does not have access to after building. It can also be used to allow a domain to drop privileges - for example, prior to launching a user-supplied kernel loaded by a pv-grub stubdom. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/xsm')
-rw-r--r--xen/xsm/flask/flask_op.c49
-rw-r--r--xen/xsm/flask/include/av_perm_to_string.h3
-rw-r--r--xen/xsm/flask/include/av_permissions.h4
-rw-r--r--xen/xsm/flask/include/class_to_string.h1
-rw-r--r--xen/xsm/flask/include/flask.h15
5 files changed, 65 insertions, 7 deletions
diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
index bd4db3792c..9c8dfe76dd 100644
--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -573,6 +573,51 @@ static int flask_get_peer_sid(struct xen_flask_peersid *arg)
return rv;
}
+static int flask_relabel_domain(struct xen_flask_relabel *arg)
+{
+ int rc;
+ struct domain *d;
+ struct domain_security_struct *csec = current->domain->ssid;
+ struct domain_security_struct *dsec;
+ struct avc_audit_data ad;
+ AVC_AUDIT_DATA_INIT(&ad, NONE);
+
+ d = rcu_lock_domain_by_any_id(arg->domid);
+ if ( d == NULL )
+ return -ESRCH;
+
+ ad.sdom = current->domain;
+ ad.tdom = d;
+ dsec = d->ssid;
+
+ if ( arg->domid == DOMID_SELF )
+ {
+ rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, &ad);
+ if ( rc )
+ goto out;
+ }
+ else
+ {
+ rc = avc_has_perm(csec->sid, dsec->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, &ad);
+ if ( rc )
+ goto out;
+
+ rc = avc_has_perm(csec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, &ad);
+ if ( rc )
+ goto out;
+ }
+
+ rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN, DOMAIN__TRANSITION, &ad);
+ if ( rc )
+ goto out;
+
+ dsec->sid = arg->sid;
+
+ out:
+ rcu_unlock_domain(d);
+ return rc;
+}
+
long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op)
{
xen_flask_op_t op;
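Review bot: The self-relabel branch at `if ( arg->domid == DOMID_SELF )` keys on the literal DOMID_SELF rather than on the resolved domain, so a caller that names itself by its numeric domid is checked under relabelfrom/relabelto instead of relabelself; if that asymmetry is intended the function should say so, otherwise the test would be `if ( d == current->domain )`. The function also has no header comment; I would add one above `static int flask_relabel_domain` stating that the caller needs relabelfrom on the target and relabelto on the new label (or relabelself when relabelling itself), that the target's current label must additionally be allowed to transition to the new one, and, as the commit message notes, that already-established event channels and mappings are not revoked by the relabel. `arg->sid` is taken directly from the guest-supplied op without validation; this appears to rely on avc_has_perm rejecting a SID the sidtab does not know, which deserves a comment at the first `avc_has_perm` call. The assignment `dsec->sid = arg->sid;` is a plain store while other CPUs may be evaluating avc_has_perm against the same domain; presumably a single word store is sufficient here, but that assumption is worth a line.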
@@ -680,6 +725,10 @@ long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op)
rv = flask_get_peer_sid(&op.u.peersid);
break;
+ case FLASK_RELABEL_DOMAIN:
+ rv = flask_relabel_domain(&op.u.relabel);
+ break;
+
default:
rv = -ENOSYS;
}
diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h
index 17a1c3695a..e7e20589f9 100644
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -61,6 +61,9 @@
S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget")
S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info")
S_(SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER, "set_virq_handler")
+ S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, "relabelfrom")
+ S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, "relabelto")
+ S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself")
S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h
index 42eaf81921..cb1c5dcdd6 100644
--- a/xen/xsm/flask/include/av_permissions.h
+++ b/xen/xsm/flask/include/av_permissions.h
@@ -63,6 +63,10 @@
#define DOMAIN__SET_MISC_INFO 0x40000000UL
#define DOMAIN__SET_VIRQ_HANDLER 0x80000000UL
+#define DOMAIN2__RELABELFROM 0x00000001UL
+#define DOMAIN2__RELABELTO 0x00000002UL
+#define DOMAIN2__RELABELSELF 0x00000004UL
+
#define HVM__SETHVMC 0x00000001UL
#define HVM__GETHVMC 0x00000002UL
#define HVM__SETPARAM 0x00000004UL
diff --git a/xen/xsm/flask/include/class_to_string.h b/xen/xsm/flask/include/class_to_string.h
index ab55700c4d..7716645f63 100644
--- a/xen/xsm/flask/include/class_to_string.h
+++ b/xen/xsm/flask/include/class_to_string.h
@@ -5,6 +5,7 @@
S_("null")
S_("xen")
S_("domain")
+ S_("domain2")
S_("hvm")
S_("mmu")
S_("resource")
diff --git a/xen/xsm/flask/include/flask.h b/xen/xsm/flask/include/flask.h
index 6d29c5a0ef..3bff99890f 100644
--- a/xen/xsm/flask/include/flask.h
+++ b/xen/xsm/flask/include/flask.h
@@ -7,13 +7,14 @@
*/
#define SECCLASS_XEN 1
#define SECCLASS_DOMAIN 2
-#define SECCLASS_HVM 3
-#define SECCLASS_MMU 4
-#define SECCLASS_RESOURCE 5
-#define SECCLASS_SHADOW 6
-#define SECCLASS_EVENT 7
-#define SECCLASS_GRANT 8
-#define SECCLASS_SECURITY 9
+#define SECCLASS_DOMAIN2 3
+#define SECCLASS_HVM 4
+#define SECCLASS_MMU 5
+#define SECCLASS_RESOURCE 6
+#define SECCLASS_SHADOW 7
+#define SECCLASS_EVENT 8
+#define SECCLASS_GRANT 9
+#define SECCLASS_SECURITY 10
/*
* Security identifier indices for initial entities