[Xen-devel] [PATCH 00/18] RFC: Merge IS_PRIV checks into XSM hooks
Since this series changes a lot of code accessible to guests, I think it's better to let people comment on it now, even if it won't go in until 4.3. Overall, it should not change the behavior of Xen when XSM is not enabled; however, in some cases, the exact errors that are returned will be different because security checks have been moved below validity checks. Also, once applied, newly introduced domctls and sysctls will not automatically be guarded by IS_PRIV checks - they will need to add their own permission checking code.

Background: The Xen hypervisor has two basic access control function calls: IS_PRIV and the xsm_* functions. Most privileged operations currently require that both checks succeed, and many times the checks are at different locations in the code. When performing dom0 disaggregation, many of the functions normally protected with IS_PRIV are handled by domains other than dom0. This requires either making all such disaggregated domains privileged, or allowing certain operations to be performed without an IS_PRIV check. Because the privileged bit also short-circuits the IS_PRIV_FOR check, and some IS_PRIV calls do not currently have an accompanying XSM call, this series implements the second option.

Once applied, most IS_PRIV checks are isolated in the newly introduced xen/include/xsm/dummy.h header. The remaining checks cover a few areas that need further examining or that have reason to remain:

1. Overriding the IRQ and IO memory access checks (arch/x86/domctl.c). These overrides should not be needed, as dom0 should have access without needing the override.
2. Allow MAP_PIRQ_TYPE_GSI to ignore domain_pirq_to_irq negative return
3. PIRQ operations by HVM domains (TODO add hooks)
4. The hack for device model framebuffers in get_page_from_l1e
5. Installing maps of non-owned pages in shadow_get_page_from_l1e
6. PCI configuration space (arch/x86/traps.c). Allowing a PV Linux domU to access the PCI configuration space is a good way to crash the system as it reconfigures PCI devices during boot, so this needs to remain to get a working system when FLASK is in permissive mode.
7. Various MSR accesses (arch/x86/traps.c)
8. ARM architecture - not touched at all in these patches.

The rcu_lock_target_domain_by_id and rcu_lock_remote_target_domain_by_id functions are removed by this series because they act as wrappers around IS_PRIV_FOR; their callers have been changed to use XSM checks instead.

Miscellaneous updates to FLASK:
[PATCH 01/18] xsm/flask: remove inherited class attributes
[PATCH 02/18] xsm/flask: remove unneeded create_sid field
[PATCH 03/18] xsm/flask: add domain relabel support
[PATCH 04/18] libxl: introduce XSM relabel on build
[PATCH 05/18] flask/policy: Add domain relabel example

Preparatory:
[PATCH 06/18] xsm, arch/x86: add distinct XSM hooks for map/unmap
[PATCH 07/18] arch/x86: add missing XSM checks to XENPF_ commands
[PATCH 08/18] xen: Add DOMID_SELF support to rcu_lock_domain_by_id
[PATCH 09/18] xsm/flask: Add checks on the domain performing set_target

Refactor checks into existing XSM hooks:
[PATCH 10/18] xsm: Add IS_PRIV checks to dummy XSM module
[PATCH 11/18] xen: use XSM instead of IS_PRIV where duplicated

Clean up remaining IS_PRIV calls (1):
[PATCH 12/18] xsm: Add missing domctl and mem_sharing hooks
[PATCH 13/18] tmem: Add access control check

FLASK updates to allow acting as a proper IS_PRIV replacement:
[PATCH 14/18] xsm: remove unneeded xsm_call macro
[PATCH 15/18] xsm/flask: add distinct SIDs for self/target access

Clean up remaining IS_PRIV calls (2):
[PATCH 16/18] arch/x86: use XSM hooks for get_pg_owner access checks
[PATCH 17/18] xen: Add XSM hook for XENMEM_exchange
[PATCH 18/18] xen: remove rcu_lock_target_domain_by_id
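The two points the cover letter makes about this change (that the privileged bit short-circuits IS_PRIV_FOR, and that moving the security check below the validity check alters the error a caller sees) can be seen in a small stand-alone model. This is an added example, not code from the series or from Xen: the struct, the handlers and run_case are simplified stand-ins, and only the IS_PRIV_FOR definition mirrors Xen's.

```c
/* Added example, not code from the series: a stand-alone model of the
 * checks the cover letter contrasts. Names are simplified stand-ins;
 * only IS_PRIV_FOR mirrors Xen's definition. */
#include <errno.h>
#include <stdbool.h>

struct domain {
    bool is_privileged;    /* the "privileged bit" (dom0) */
    struct domain *target; /* domain this one is device model for, or 0 */
    int max_vcpus;
};
/* Legacy checks: the privileged bit short-circuits IS_PRIV_FOR, so any
 * helper that had to pass an IS_PRIV check needed all of dom0's rights. */
#define IS_PRIV(d)        ((d)->is_privileged)
#define IS_PRIV_FOR(d, t) (IS_PRIV(d) || ((d)->target && (d)->target == (t)))

/* Dummy XSM module: the same decision as IS_PRIV_FOR, but in one hook
 * that a policy module (FLASK) can replace without touching callers. */
static int xsm_dummy_domctl(struct domain *src, struct domain *dst)
{
    return IS_PRIV_FOR(src, dst) ? 0 : -EPERM;
}
/* Pre-series shape: privilege first, then argument validation. */
static int set_max_vcpus_old(struct domain *src, struct domain *dst, int n)
{
    if (!IS_PRIV_FOR(src, dst)) return -EPERM;
    if (n <= 0 || n > 128) return -EINVAL;
    dst->max_vcpus = n;
    return 0;
}
/* Post-series shape: validity first, then the XSM hook, so the same bad
 * request from an unprivileged caller now yields -EINVAL, not -EPERM. */
static int set_max_vcpus_new(struct domain *src, struct domain *dst, int n)
{
    if (n <= 0 || n > 128) return -EINVAL;
    int rc = xsm_dummy_domctl(src, dst);
    if (rc) return rc;
    dst->max_vcpus = n;
    return 0;
}
/* Constructed scenario: caller 0 = dom0, 1 = device model for domU,
 * 2 = unrelated unprivileged domain; returns the handler's rc. */
static int run_case(int caller, int n, bool post_series)
{
    struct domain domU = { false, 0, 0 }, dom0 = { true, 0, 0 };
    struct domain dm = { false, &domU, 0 }, other = { false, 0, 0 };
    struct domain *src = caller == 0 ? &dom0 : caller == 1 ? &dm : &other;
    return post_series ? set_max_vcpus_new(src, &domU, n)
                       : set_max_vcpus_old(src, &domU, n);
}
```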