Re: [Xen-devel] [PATCH v2] Merge IS_PRIV checks into XSM hooks
On 09/10/2012 04:51 PM, Keir Fraser wrote:
> On 10/09/2012 20:48, "Daniel De Graaf" <dgdegra@xxxxxxxxxxxxx> wrote:
>
>> Overall, this series should not change the behavior of Xen when XSM is
>> not enabled; however, in some cases, the exact errors that are returned
>> will be different because security checks have been moved below validity
>> checks. Also, once applied, newly introduced domctls and sysctls will
>> not automatically be guarded by IS_PRIV checks - they will need to add
>> their own permission checking code.
>
> How do we guard against accidentally forgetting to do this?

The same way you guard against it when adding a new hypercall: when adding
new functionality that needs access checks, also add the access checks.

>> The ARM architecture is not touched at all in these patches. The only
>> obvious breakage that I can see is due to rcu_lock_target_domain_by_id
>> being removed, but XSM hooks will be needed for domctls and sysctls.
>
> So ARM build is broken? And/or ARM is made insecure because of unchecked
> sysctls/domctls?
>
> -- Keir

The ARM build is broken by patch #19 in this series; fixing it is fairly
simple (I'll send a non-compile-tested version as 21/20), or you could
postpone that patch as it's just cleanup. Since ARM doesn't have any
arch-specific domctls or sysctls yet, they are not insecure. You could also
add an IS_PRIV check at the top of ARM's arch_do_{dom,sys}ctl functions if
you don't want to add XSM hooks for each operation as in x86.

>
>> The rcu_lock_target_domain_by_id and rcu_lock_remote_target_domain_by_id
>> functions are removed by this series because they act as wrappers around
>> IS_PRIV_FOR; their callers have been changed to use XSM checks instead.
>>
>> Miscellaneous updates to FLASK:
>> [PATCH 01/20] xsm/flask: remove inherited class attributes
>> [PATCH 02/20] xsm/flask: remove unneeded create_sid field
>> [PATCH 03/20] xen: Add versions of rcu_lock_*_domain without IS_PRIV
>> [PATCH 04/20] xsm/flask: add domain relabel support
>> [PATCH 05/20] libxl: introduce XSM relabel on build
>> [PATCH 06/20] flask/policy: Add domain relabel example
>>
>> Preparatory new hooks:
>> [PATCH 07/20] arch/x86: add distinct XSM hooks for map/unmap
>> [PATCH 08/20] arch/x86: add missing XSM checks to XENPF_ commands
>> [PATCH 09/20] xsm/flask: Add checks on the domain performing the
>>
>> Refactoring:
>> [PATCH 10/20] xsm: Add IS_PRIV checks to dummy XSM module
>> [PATCH 11/20] xen: use XSM instead of IS_PRIV where duplicated
>> [PATCH 12/20] xen: avoid calling rcu_lock_*target_domain when an XSM
>>
>> Remaining IS_PRIV calls:
>> [PATCH 13/20] arch/x86: Add missing domctl and mem_sharing XSM hooks
>> [PATCH 14/20] tmem: Add access control check
>> [PATCH 17/20] arch/x86: use XSM hooks for get_pg_owner access checks
>> [PATCH 18/20] xen: Add XSM hook for XENMEM_exchange
>>
>> Cleanup, FLASK updates to support IS_PRIV emulation:
>> [PATCH 15/20] xsm: remove unneeded xsm_call macro
>> [PATCH 16/20] xsm/flask: add distinct SIDs for self/target access
>> [PATCH 19/20] xen: remove rcu_lock_{remote_,}target_domain_by_id
>> [PATCH 20/20] flask: add missing operations
>>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
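
The two dispatch layouts discussed in this thread, as an added example that is not code from the thread or from Xen: a blanket privilege check in front of every operation versus a hook called per operation. It shows the changed error ordering and what an unprivileged caller sees when a new operation is added without a hook. The types, operation names and functions are hypothetical stand-ins.

```c
/* Simplified model for illustration; not Xen source. All names are hypothetical. */
#include <errno.h>
#include <stdbool.h>

struct domain { bool is_privileged; };
enum op { OP_SET_LIMIT, OP_NEW };        /* OP_NEW stands for a newly added op */

/* Stand-in for a per-operation hook whose dummy version repeats the privilege test. */
static int hook(const struct domain *caller)
{
    return caller->is_privileged ? 0 : -EPERM;
}

/* Blanket layout: one privilege check in front of every operation. */
int dispatch_blanket(const struct domain *caller, enum op op, int arg)
{
    if (!caller->is_privileged)
        return -EPERM;
    switch (op) {
    case OP_SET_LIMIT: return arg < 0 ? -EINVAL : 0;
    case OP_NEW:       return 0;
    }
    return -ENOSYS;
}

/* Per-operation layout: each case is responsible for calling its own hook. */
int dispatch_per_op(const struct domain *caller, enum op op, int arg)
{
    switch (op) {
    case OP_SET_LIMIT:
        if (arg < 0)
            return -EINVAL;              /* validity check now runs first */
        return hook(caller);
    case OP_NEW:
        return 0;                        /* hook omitted: nothing guards this op */
    }
    return -ENOSYS;
}
```

A test that calls every operation as an unprivileged domain and expects `-EPERM` catches the omitted hook in the second layout.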