xsm/flask: remove unneeded create_sid field
authorDaniel De Graaf <dgdegra@tycho.nsa.gov>
Mon, 17 Sep 2012 20:10:39 +0000 (21:10 +0100)
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>
Mon, 17 Sep 2012 20:10:39 +0000 (21:10 +0100)
This field was only used to populate the ssid of dom0, which can be
handled explicitly in the domain creation hook. This also removes the
unnecessary permission check on the creation of dom0.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
tools/flask/policy/policy/modules/xen/xen.te
xen/xsm/flask/hooks.c
xen/xsm/flask/include/objsec.h

index e175d4b3584aa4a0587a63bb8b423c2a13507928..9cc5240b5cdf22f723724a1178fb047f3568370a 100644 (file)
@@ -52,8 +52,6 @@ type device_t, resource_type;
 # Rules required to boot the hypervisor and dom0
 #
 ################################################################################
-allow xen_t dom0_t:domain { create };
-
 allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
        scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo
        microcode cpupool_op sched_op pm_op };
index 8c853de6bb0ca67ba0aa56d640d8d01f2aa0fef6..88fef9cf5324e8806695536890cf29a4fe4690e2 100644 (file)
@@ -108,12 +108,10 @@ static int flask_domain_alloc_security(struct domain *d)
 
     memset(dsec, 0, sizeof(struct domain_security_struct));
 
-    dsec->create_sid = SECSID_NULL;
     switch ( d->domain_id )
     {
     case DOMID_IDLE:
         dsec->sid = SECINITSID_XEN;
-        dsec->create_sid = SECINITSID_DOM0;
         break;
     case DOMID_XEN:
         dsec->sid = SECINITSID_DOMXEN;
@@ -489,25 +487,24 @@ static int flask_domain_create(struct domain *d, u32 ssidref)
     int rc;
     struct domain_security_struct *dsec1;
     struct domain_security_struct *dsec2;
+    static int dom0_created = 0;
 
     dsec1 = current->domain->ssid;
+    dsec2 = d->ssid;
 
-    if ( dsec1->create_sid == SECSID_NULL ) 
-        dsec1->create_sid = ssidref;
+    if ( is_idle_domain(current->domain) && !dom0_created )
+    {
+        dsec2->sid = SECINITSID_DOM0;
+        dom0_created = 1;
+        return 0;
+    }
 
-    rc = avc_has_perm(dsec1->sid, dsec1->create_sid, SECCLASS_DOMAIN, 
+    rc = avc_has_perm(dsec1->sid, ssidref, SECCLASS_DOMAIN,
                       DOMAIN__CREATE, NULL);
     if ( rc )
-    {
-        dsec1->create_sid = SECSID_NULL;
         return rc;
-    }
-
-    dsec2 = d->ssid;
-    dsec2->sid = dsec1->create_sid;
 
-    dsec1->create_sid = SECSID_NULL;
-    dsec2->create_sid = SECSID_NULL;
+    dsec2->sid = ssidref;
 
     return rc;
 }
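Review bot: The new early-return branch in flask_domain_create skips `avc_has_perm` based only on the caller being the idle domain and a one-shot `static int dom0_created`. The first domain created from idle context is therefore labelled `SECINITSID_DOM0`, and the supplied `ssidref` is dropped without any check that `d` is really dom0. Tying the bypass to the target would make the exemption self-evident, for example `if ( is_idle_domain(current->domain) && !dom0_created && d->domain_id == 0 )`. A short comment above the branch should also say why no AVC check is made, e.g. `/* dom0 is built by Xen at boot; its label comes from the initial SID, not ssidref */`. The flag is set before the rest of domain creation has succeeded and has no locking; this is presumably safe because dom0 is built once during boot, but the comment should state that assumption. The start of the function body lies outside this hunk.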
index df5baeef3ddfee71c2eeb9e0f7d21324ec0c40be..4ff52bed9f133211340ef75929a55286411d0f38 100644 (file)
@@ -19,7 +19,6 @@
 
 struct domain_security_struct {
     u32 sid;               /* current SID */
-    u32 create_sid;
 };
 
 struct evtchn_security_struct {