On 21.04.2022 00:28, Daniel P. Smith wrote:
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct
> domain *d)
> switch ( d->domain_id )
> {
> case DOMID_IDLE:
> - dsec->sid = SECINITSID_XEN;
> + dsec->sid = SECINITSID_XENBOOT;
> break;
> case DOMID_XEN:
> dsec->sid = SECINITSID_DOMXEN;
> @@ -188,6 +188,7 @@ static int cf_check flask_domain_alloc_security(struct
> domain *d)
>
> static void cf_check flask_transition_running(void)
> {
> + struct domain_security_struct *dsec;
> struct domain *d = current->domain;
>
> if ( d->domain_id != DOMID_IDLE )
> @@ -198,6 +199,10 @@ static void cf_check flask_transition_running(void)
> * set to false for the consistency check(s) in the setup code.
> */
> d->is_privileged = false;
> +
> + dsec = d->ssid;
> + dsec->sid = SECINITSID_XEN;
> + dsec->self_sid = dsec->sid;
> }
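Review bot: The relabel added at the end of flask_transition_running() has no comment, and the existing comment above it only covers `d->is_privileged`, so a reader cannot tell from the code why the idle domain's label changes here or that the change is meant to happen once. I would add above `dsec = d->ssid;` something like `/* Boot is finished: move the idle domain from SECINITSID_XENBOOT to its runtime label. */`. Because this is the point where the boot-time label is given up, the comment could also say that nothing is expected to relabel the idle domain back afterwards; that expectation is inferred from the function name and is not shown in the quoted lines. The opening of the comment block and the body of the `if ( d->domain_id != DOMID_IDLE )` check lie outside the quoted hunks.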
If replacing SIDs is an okay thing to do, perhaps assert that the values haven't changed from SECINITSID_XENBOOT prior to replacing them? Jan