[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 4/6] xsm: flask: change the interface and default policy for xsm_map_gmfn_foregin

To: "Zhongze Liu" <blackskygg@xxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Wed, 23 Aug 2017 03:55:21 -0600
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx, Julien Grall <julien.grall@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Delivery-date: Wed, 23 Aug 2017 09:55:35 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 22.08.17 at 20:08, <blackskygg@xxxxxxxxx> wrote:
> The original xsm_map_gmfn_foregin policy checks if source domain has the 
> proper
> privileges over the target domain. Under this policy, it's not allowed if a 
> Dom0
> wants to map pages from one DomU to another, this restricts some useful yet 
> not
> dangerous usages of the API, such as sharing pages among DomU's by calling
> XENMEM_add_to_physmap from Dom0.
> 
> Change the policy to: IIF current domain has the proper privilege on the
> target domain and source domain, grant the access.

You say "and here", yet ...

> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -525,10 +525,12 @@ static XSM_INLINE int 
> xsm_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1,
>      return xsm_default_action(action, d1, d2);
>  }
>  
> -static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, 
> struct domain *t)
> +static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *cd,
> +                                           struct domain *d, struct domain 
> *t)
>  {
>      XSM_ASSERT_ACTION(XSM_TARGET);
> -    return xsm_default_action(action, d, t);
> +    return xsm_default_action(action, cd, d) ||
> +        xsm_default_action(action, cd, t);
>  }

... you use "or" here and ...

> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -1165,9 +1165,11 @@ static int flask_remove_from_physmap(struct domain 
> *d1, struct domain *d2)
>      return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__PHYSMAP);
>  }
>  
> -static int flask_map_gmfn_foreign(struct domain *d, struct domain *t)
> +static int flask_map_gmfn_foreign(struct domain *cd,
> +                                  struct domain *d, struct domain *t)
>  {
> -    return domain_has_perm(d, t, SECCLASS_MMU, MMU__MAP_READ | 
> MMU__MAP_WRITE);
> +    return domain_has_perm(cd, d, SECCLASS_MMU, MMU__MAP_READ | 
> MMU__MAP_WRITE) ||
> +        domain_has_perm(cd, t, SECCLASS_MMU, MMU__MAP_READ | MMU__MAP_WRITE);
>  }

... here. A domain can't have XSM_TARGET permission over two
other domains, so what you want to do here can't work at all,
afaict.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 4/6] xsm: flask: change the interface and default policy for xsm_map_gmfn_foregin
  - From: Zhongze Liu
- Re: [Xen-devel] [PATCH 4/6] xsm: flask: change the interface and default policy for xsm_map_gmfn_foregin
  - From: Stefano Stabellini

References:
- [Xen-devel] [PATCH 0/6] Allow setting up shared memory areas between VMs from xl config files
  - From: Zhongze Liu
- [Xen-devel] [PATCH 4/6] xsm: flask: change the interface and default policy for xsm_map_gmfn_foregin
  - From: Zhongze Liu

Prev by Date: Re: [Xen-devel] [PATCH v3 48/52] xen: add hypercall for setting parameters at runtime
Next by Date: Re: [Xen-devel] [PATCH V2 15/25] x86/vvtd: decode interrupt attribute from IRTE
Previous by thread: Re: [Xen-devel] [PATCH 4/6] xsm: flask: change the interface and default policy for xsm_map_gmfn_foregin
Next by thread: Re: [Xen-devel] [PATCH 4/6] xsm: flask: change the interface and default policy for xsm_map_gmfn_foregin
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.