diff options
Diffstat (limited to 'xen/xsm')
-rw-r--r-- | xen/xsm/flask/hooks.c | 23 | ||||
-rw-r--r-- | xen/xsm/flask/include/objsec.h | 1 |
2 files changed, 10 insertions, 14 deletions
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8c853de6bb..88fef9cf53 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -108,12 +108,10 @@ static int flask_domain_alloc_security(struct domain *d) memset(dsec, 0, sizeof(struct domain_security_struct)); - dsec->create_sid = SECSID_NULL; switch ( d->domain_id ) { case DOMID_IDLE: dsec->sid = SECINITSID_XEN; - dsec->create_sid = SECINITSID_DOM0; break; case DOMID_XEN: dsec->sid = SECINITSID_DOMXEN; @@ -489,25 +487,24 @@ static int flask_domain_create(struct domain *d, u32 ssidref) int rc; struct domain_security_struct *dsec1; struct domain_security_struct *dsec2; + static int dom0_created = 0; dsec1 = current->domain->ssid; + dsec2 = d->ssid; - if ( dsec1->create_sid == SECSID_NULL ) - dsec1->create_sid = ssidref; + if ( is_idle_domain(current->domain) && !dom0_created ) + { + dsec2->sid = SECINITSID_DOM0; + dom0_created = 1; + return 0; + } - rc = avc_has_perm(dsec1->sid, dsec1->create_sid, SECCLASS_DOMAIN, + rc = avc_has_perm(dsec1->sid, ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL); if ( rc ) - { - dsec1->create_sid = SECSID_NULL; return rc; - } - - dsec2 = d->ssid; - dsec2->sid = dsec1->create_sid; - dsec1->create_sid = SECSID_NULL; - dsec2->create_sid = SECSID_NULL; + dsec2->sid = ssidref; return rc; } diff --git a/xen/xsm/flask/include/objsec.h b/xen/xsm/flask/include/objsec.h index df5baeef3d..4ff52bed9f 100644 --- a/xen/xsm/flask/include/objsec.h +++ b/xen/xsm/flask/include/objsec.h @@ -19,7 +19,6 @@ struct domain_security_struct { u32 sid; /* current SID */ - u32 create_sid; }; struct evtchn_security_struct { |