dgit.raspbian.org Git - xen.git/commit

author	Daniel De Graaf <dgdegra@tycho.nsa.gov>
	Thu, 13 Dec 2012 11:44:02 +0000 (11:44 +0000)
committer	Daniel De Graaf <dgdegra@tycho.nsa.gov>
	Thu, 13 Dec 2012 11:44:02 +0000 (11:44 +0000)
commit	a31ed4edbe48c8f24b4a7f1f41c7cc9d7453721e
tree	6f4794c68644445b60cd3c77df161077543bdcb7	tree \| snapshot
parent	b051ddb41617ba543ee8de5cfc3258a0a2b71aa6	commit \| diff

libxl: introduce XSM relabel on build

Allow a domain to be built under one security label and run using a
different label.  This can be used to prevent the domain builder or
control domain from having the ability to access a guest domain's memory
via map_foreign_range except during the build process where this is
required.

Example domain configuration snippet:
  seclabel='customer_1:vm_r:nomigrate_t'
  init_seclabel='customer_1:vm_r:nomigrate_t_building'

Note: this does not provide complete protection from a malicious dom0;
mappings created during the build process may persist after the relabel,
and could be used to indirectly access the guest's memory. However, if
dom0 correctly unmaps the domain upon building, a the domU is protected
against dom0 becoming malicious in the future.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

docs/man/xl.cfg.pod.5		diff \| blob \| history
docs/misc/xsm-flask.txt		diff \| blob \| history
tools/flask/policy/policy/modules/xen/xen.if		diff \| blob \| history
tools/flask/policy/policy/modules/xen/xen.te		diff \| blob \| history
tools/libxc/xc_flask.c		diff \| blob \| history
tools/libxc/xenctrl.h		diff \| blob \| history
tools/libxl/libxl_create.c		diff \| blob \| history
tools/libxl/libxl_types.idl		diff \| blob \| history
tools/libxl/xl_cmdimpl.c		diff \| blob \| history