From a31ed4edbe48c8f24b4a7f1f41c7cc9d7453721e Mon Sep 17 00:00:00 2001 From: Daniel De Graaf Date: Thu, 13 Dec 2012 11:44:02 +0000 Subject: libxl: introduce XSM relabel on build Allow a domain to be built under one security label and run using a different label. This can be used to prevent the domain builder or control domain from having the ability to access a guest domain's memory via map_foreign_range except during the build process where this is required. Example domain configuration snippet: seclabel='customer_1:vm_r:nomigrate_t' init_seclabel='customer_1:vm_r:nomigrate_t_building' Note: this does not provide complete protection from a malicious dom0; mappings created during the build process may persist after the relabel, and could be used to indirectly access the guest's memory. However, if dom0 correctly unmaps the domain upon building, a the domU is protected against dom0 becoming malicious in the future. Signed-off-by: Daniel De Graaf acked-by: Ian Campbell Committed-by: Ian Campbell --- docs/man/xl.cfg.pod.5 | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'docs/man') diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5 index dc3f49417c..caba1628f5 100644 --- a/docs/man/xl.cfg.pod.5 +++ b/docs/man/xl.cfg.pod.5 @@ -270,6 +270,15 @@ UUID will be generated. Assign an XSM security label to this domain. +=item B + +Specify an XSM security label used for this domain temporarily during +its build. The domain's XSM label will be changed to the execution +seclabel (specified by "seclabel") once the build is complete, prior to +unpausing the domain. With a properly constructed security policy (such +as nomigrate_t in the example policy), this can be used to build a +domain whose memory is not accessible to the toolstack domain. + =item B Disable migration of this domain. This enables certain other features -- cgit v1.2.3
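Review bot: the last sentence of the new =item paragraph in the docs/man/xl.cfg.pod.5 hunk ("this can be used to build a domain whose memory is not accessible to the toolstack domain") overstates the guarantee that the commit message itself qualifies: mappings the builder creates during the build may persist after the relabel and could still be used to reach the guest's memory. Suggest carrying that caveat into the man page, e.g. "... whose memory is not accessible to the toolstack domain, provided the toolstack unmaps the domain's memory once the build completes", and stating explicitly that the policy must allow the transition from the init label to the execution label, since the relabel happens before the domain is unpaused and a policy that denies it will leave the domain stuck under the build-time label. It would also help to say what happens when init_seclabel is given without seclabel, as the text only describes the case where both are set.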