
Re: [Xen-devel] [PATCH 12/18] xsm: Add missing domctl and mem_sharing hooks



On 08/06/2012 02:53 PM, Keir Fraser wrote:
> When someone wants to add a new domctl/sysctl, how many places will they
> have to add things to ensure that xsm dtrt for a basic setup, allowing only
> dom0 access to the new op? How big is the risk that we end up with new ops
> that have no access control?

Short answer: 3 files (xsm.h, dummy.h, dummy.c); 13 lines including whitespace.

Long answer: there are a couple ways to add access controls:

1. Add an explicit IS_PRIV check. That's pretty much what occurs before this
   series, only the IS_PRIV is at the top of the hypercall for domctl and
   sysctl.
   This is the least preferred, but is trivially correct for the new patch and
   fairly easy to wire up as an XSM hook in the future.
2. Reuse an existing XSM hook. This requires no changes except at the
   caller, but requires that a suitable hook exist to reuse. There are generic
   hooks like xsm_domctl(), but it's best not to just create dumping grounds
   for permissions if we ever want to allow subsets of them to different
   domains.
   This is probably best for incremental modifications or trivial features.
3. Add a new XSM hook. This requires adding a hook function in xsm.h and a
   default implementation in dummy.h/dummy.c. The changes made in this patch
   to FLASK would not be required, as XSM will fall back to the dummy
   implementation when the FLASK module doesn't provide its own hook.

Patch #13 (tmem) is a good example of adding a single hook; all changes with
/flask/ could be done in a later patch implementing new FLASK permissions.

If you're adding a new function, the only way to compile both with and without
XSM enabled is to add functions in dummy.h, dummy.c, and xsm.h; incomplete
implementations will yield a compilation error in one of those cases.

One patch I haven't included in this series is adding automatic generation of
the xen/xsm/flask/include/av_*.h files from tools/flask/policy/policy/flask/*;
this simplifies adding the FLASK part of the XSM hook. The auto-generation
is in tools/flask/policy/policy/flask/Makefile, just not wired in to the xen
build.

-- 
Daniel De Graaf
National Security Agency
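
The fallback described in option 3 above, as an added, simplified stand-alone model (not code from Xen or from this thread): any hook a policy module leaves unset is filled with a privileged-only default, so a newly added operation is never left without a check. All struct, function and policy names are hypothetical, and the domain IDs are constructed sample values.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; every name below is hypothetical, not Xen's definition. */
struct domain { int id; bool is_privileged; };

struct xsm_ops_model {
    int (*domctl)(const struct domain *caller, const struct domain *target);
    int (*tmem_op)(const struct domain *caller);
};

/* Default ("dummy") hooks: only the privileged domain passes. */
static int dummy_domctl(const struct domain *c, const struct domain *t)
{
    (void)t;
    return c->is_privileged ? 0 : -EPERM;
}
static int dummy_tmem_op(const struct domain *c)
{
    return c->is_privileged ? 0 : -EPERM;
}

/* Constructed policy module: implements domctl only, leaves tmem_op unset. */
static int policy_domctl(const struct domain *c, const struct domain *t)
{
    return (c->is_privileged || c->id == t->id) ? 0 : -EPERM;
}

static struct xsm_ops_model active;

/* Install a module; any hook it did not provide gets the dummy default. */
void xsm_model_register(const struct xsm_ops_model *module)
{
    active = module ? *module : (struct xsm_ops_model){ 0 };
    if (!active.domctl)  active.domctl  = dummy_domctl;
    if (!active.tmem_op) active.tmem_op = dummy_tmem_op;
}

int xsm_model_domctl(const struct domain *c, const struct domain *t) { return active.domctl(c, t); }
int xsm_model_tmem_op(const struct domain *c) { return active.tmem_op(c); }

int main(void)
{
    struct domain dom0 = { 0, true }, domU = { 5, false };  /* constructed sample domains */
    struct xsm_ops_model partial = { .domctl = policy_domctl };
    xsm_model_register(&partial);
    printf("domU tmem_op: %d\n", xsm_model_tmem_op(&domU));              /* default denies */
    printf("dom0 tmem_op: %d\n", xsm_model_tmem_op(&dom0));              /* default allows */
    printf("domU domctl on self: %d\n", xsm_model_domctl(&domU, &domU)); /* module allows */
    return 0;
}
```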
