[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v5] altp2m: Allow specifying external-only use-case


  • To: Tamas K Lengyel <tamas.lengyel@xxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Tue, 28 Mar 2017 14:59:33 -0400
  • Cc: Sergej Proskurin <proskurin@xxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Delivery-date: Tue, 28 Mar 2017 18:59:48 +0000
  • Ironport-phdr: 9a23:vpMnxRxg9h/7UjrXCy+O+j09IxM/srCxBDY+r6Qd0ugSIvad9pjvdHbS+e9qxAeQG96KtrQU1qGK7OjJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fdbghMhDexe7B/IRW5oQjetMQdnJdvJLs2xhbVuHVDZv5YxXlvJVKdnhb84tm/8Zt++ClOuPwv6tBNX7zic6s3UbJXAjImM3so5MLwrhnMURGP5noHXWoIlBdDHhXI4wv7Xpf1tSv6q/Z91SyHNsD4Ubw4RTKv5LpwRRT2lCkIKSI28GDPisxxkq1bpg6hpwdiyILQeY2ZKeZycr/Ycd4cS2VBRMJRXDFfDI26YYUEEu4NMf9Go4XholcDqwa1CwuxC+P10jJGm2H43aM63eQmEg/I0gIvEN0Mv3vIo9v4L7sSXOKvwaXU0TnOYfNb1DHg44bIaBAhpvSMUKp+f8XLz0kvFh3KjlGNooLrITyey+UDs3KB4OV6W+KklmkqpBx+ojey2MgshZPJiZgOx1DY9SR23IY1JdqiRE59et6rCoFcty6dN4toW84vRXxjtiUiyrAepJK2cycHxI4nyhLCcfCLbYeF7gz5WOqMJzpzmWhrd6ilhxmo9Eit0uj8Vs6p31lUtidFidzMtmwV1xzU98iHVuNx/ke/1jaL0ADe8v1ELloularaNp4h2aQ8loYTsEvfHi/2n1/6jKmKeUU/5uek8eHnYrTippOENo90jB/xMrg2l8CiDuk1PRICUmiG9eimyrHu8lP1TK9XgvEul6nWqpHaJcAVpq6jBA9V154u5AuwDzi7ztsYkmMHI0hedRKbj4nmJ1HOIPfiAfe5mFSjii1nx//BPr3/GpnNNGTMkK/9fbZh7E5R0BYzwspa551OEbENOvbzVVH3tNzXDh42LQi0zv3mCdpj0IMeRWOPAqGYMKzOq1OH+uUvI+yUbo8PpDn9M+Ql5+LpjXIhll4SY6+p0YIKZ3+mAPRpPUGZbGHogtcACmcKohE+QPbliVKcVz5Tf2yyX6U+5j4lFI2mEZ3PRoe3gLyOxC27BIFZZnhaClCQFnflb52EW+0LaCKJIc9hjyYEVbmnS4I6zhGhqhP1x6BmLurS4CEYqY/j1N1v6+LOix447SZ0ANiF02GRU2F0mXsFRz4s06B5u0B9yE2M3rR7g/xDEtxT4ehEXRknNZLG0+N6CszyWhjAftaGUlqpXtKmATQpRNIr39AOe1p9G8mljh3b0SulHb4Vm6aPBJw176LQwWP8KNp8y3bazqkhjlYnTtFTOm2hg6517xLTCJLRk0WFi6aqcrwR0zTL9Gie12qBok9ZXBRsXqXCWnAfflXZrc73607ZU7CuCKgnMhFAyc+NMKdFdtrpjVBeTvf5JNvee36xm3u3BRuQxLODd5Tle3gZ3CXcFEcEkxse/W2bNQglGCituX7RDDtrFQGnX0S5zeB7oWjzbQcQwgeFfkBln+6p8xscnrqYRvUcz78AkDUsrSl1Ele2mdnRDozE7xpseuBQbM0w5H9D1HnFrEptM5q4Nadgi1UCNQNtsBDAzRJyX6lJl8knqDsGwUJdM6uR3hsVezyU0J/qM5XLO2Ly+1apcKeQ1VbAhoXFspwT4eg1/g2w9DqiEVAvpjA+iYFY
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 03/22/2017 02:07 PM, Tamas K Lengyel wrote:
Currently setting altp2mhvm=1 in the domain configuration allows access to the
altp2m interface for both in-guest and external privileged tools. This poses
a problem for use-cases where only external access should be allowed, requiring
the user to compile Xen with XSM enabled to be able to appropriately restrict
access.

In this patch we deprecate the altp2mhvm domain configuration option and
introduce the altp2m option, which allows specifying if by default the altp2m
interface should be external-only. The information is stored in
HVM_PARAM_ALTP2M which we now define with specific XEN_ALTP2M_* modes.
If external mode is selected, the XSM check is shifted to use XSM_DM_PRIV
type check, thus restricting access to the interface by the guest itself. Note
that we keep the default XSM policy untouched. Users of XSM who wish to enforce
external mode for altp2m can do so by adjusting their XSM policy directly,
as this domain config option does not override an active XSM policy.

Also, as part of this patch we adjust the hvmop handler to require
HVM_PARAM_ALTP2M to be of a type other then disabled for all ops. This has been
previously only required for get/set altp2m domain state, all other options
were gated on altp2m_enabled. Since altp2m_enabled only gets set during set
altp2m domain state, this change introduces no new requirements to the other
ops but makes it more clear that it is required for all ops.

Signed-off-by: Tamas K Lengyel <tamas.lengyel@xxxxxxxxxxxx>
Signed-off-by: Sergej Proskurin <proskurin@xxxxxxxxxxxxx>

I think the XSM-enabled case using the default types should have the same
flexibility as the XSM-disabled case.  I agree that it is useful to be able
to restrict the p2m features based on policy, and I don't think that it's
useful to expand the number of XSM permissions here.  In that case, the best
way to proceed would be to require that both the domain configuration and
XSM policy must allow the action (similar to how SELinux file controls and
UNIX permissions interact).  Currently, enabling XSM effectively forces the
value of this setting to "mixed", and "limited" is impossible to use with XSM.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.