[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Xen-devel] [PATCH v3 2/7] xsm: flask: change the dummy xsm policy and flask hook for map_gmfn_foregin
- To: Jan Beulich <JBeulich@xxxxxxxx>, Zhongze Liu <blackskygg@xxxxxxxxx>
- From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
- Date: Fri, 20 Oct 2017 09:34:56 -0400
- Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx
- Delivery-date: Fri, 20 Oct 2017 13:35:20 +0000
- Ironport-phdr: 9a23:sWmVlhDZAAmEhmEtdz7LUyQJP3N1i/DPJgcQr6AfoPdwSP36rsywAkXT6L1XgUPTWs2DsrQf2rqQ6/iocFdDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZrKeTpAI7SiNm82/yv95HJbQhFgDmwbaluIBmqsA7cqtQYjYx+J6gr1xDHuGFIe+NYxWNpIVKcgRPx7dqu8ZBg7ipdpesv+9ZPXqvmcas4S6dYDCk9PGAu+MLrrxjDQhCR6XYaT24bjwBHAwnB7BH9Q5fxri73vfdz1SWGIcH7S60/VC+85Kl3VhDnlCYHNyY48G7JjMxwkLlbqw+lqxBm3oLYfJ2ZOP94c6zTZ9MaQXdKUNhXWSJPH4iwa5IDA/QdMepdqYT2ulkAogakBQS0Ge3h1DFIiH/106M03esuHgPJ0xAvEd8VrHTZrs/4OLsOXe27zqTFyyjIYfNM2Tf67YjFah4vruuKXbJxb8XRzVQkGQ3bgV6NqILlJSma2f4Ds2OG6OdvSO2vhHM5pAF+uDig3NwhipXJh40JylDE8j91wIAuJdKiUkJ7btmkEIVJuiycKoB4QdsiTnl1tCs1xbAKo562cDUQxJg5yBPTdeaLf5WO7xn+TuieOy14i2hgeL+nghay9lWvxfPkW8mv1VZKsjJFkt7RtnARzxDT6taISv96/kq5xTaAzRrT6uBZIUAvj6bbN54gzaIwlpoUq0jDGDP5mF7qg6OMc0Uk++yo5/zmYrXguJCcK5d5hhzxP6khgMCyAfk0PhIQU2WU5+iwzqDv8VX8QLpQj/02lqfZsIrdJcQevqO2HgBV3Zs95BawFTepys8VnWUHLV1ZeBKHiJLlO1fVIP/iF/u/jFOskClzy/DcIrLhGonNLmTEkLr5ebhw9lBTyBc3zdBe+51UCqoMIOnuWk/qqtPUFAM2Mwuxw+z/EtVyypseWX6TAq+eKK7dqluI6fgzLOmPf48Vuzb8K/cq5/P1gn85nEUSfait3ZcNdH+4GfFmKV2DYXXwmtcBDXsKvg0mQezolV2CVT9TaGi0X64m6TE7EpipDYPHRo22mrOBxiK7EodKaWBBD1CGCW3oeJmcW/cQdCKSJddskzIaWrigUYMh0RCutBLkx7d8MuXU+zEYtYji1Nl6/eHciRYy9TlsBcSHz26NV310nn8PRzIu3aBwu0p9xk2B0adin/NYFsdT5/RPUgohK5Hc0vZ2BMzzWgLdZNeJSVmnTs+6DjE2S9I728UObFplG9W+khDD2DKnA6QOl7yXHpM76bzT33z1J8Z8zXbG1bIsj1o4TctVM22pmKp/+xLUB47TnEWTj7yqergE3C7R6GeDynKDvU5GXw52SKnKQG4QZlXIotT9/U7CS76uCa87Mgta08KDJbVFatvzgVVBXvfjN4eWX2XkuW62TTyF27eNZ4qiL0c30TjZCUMEuxsO5nvAPg87UGPpkWLZCjN8GBrLYl6kpeN6oXi4VUwlwA6iYEho1r7z8RkQ06+yUfQWi54NviYsr31YER6SxdvfBZLUqwVtcapGaPsh8VxH0iTfrAU7MZu+efMxzmUCehh66hu9ny58DZ9NxI1z9isn
- List-id: Xen developer discussion <xen-devel.lists.xen.org>
On 10/20/2017 02:14 AM, Jan Beulich wrote:
On 19.10.17 at 19:36, <dgdegra@xxxxxxxxxxxxx> wrote:
On 10/19/2017 07:58 AM, Jan Beulich wrote:
On 19.10.17 at 04:36, <blackskygg@xxxxxxxxx> wrote:
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -516,7 +516,8 @@ static XSM_INLINE int
xsm_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1,
static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain
*d, struct domain *t)
{
XSM_ASSERT_ACTION(XSM_TARGET);
- return xsm_default_action(action, d, t);
+ return xsm_default_action(action, current->domain, d) ?:
+ xsm_default_action(action, current->domain, t);
}
When all three domains are different, how does the changed
policy reflect the original "d has privilege over t" requirement?
I understand you want to relax the current condition, but this
shouldn't come at the price of granting access when access
should be denied. Nor the inverse - the current domain not
having privilege over both does also not mean d doesn't have
the necessary privilege over t.
I continue to think that you can't validly retrofit the new
intended functionality onto the existing hypercall, even if
nothing except the permission check needs to be different.
Jan
If this operation is going to be allowed at all (and I agree it has
valid use cases), then there won't be a privilege relationship between
(d) and (t) to check - they'll both be (somewhat related) domUs as far
as Xen can tell. If this hypercall isn't used, adding a new hypercall
(subop) is the only way I'd see to do it - and that seems very redundant
as it'd need to do all the same checks except for the one about the
relationship between (d) and (t). I don't see the reason why the
existing hypercall should deny being used for that purpose once it's
possible using other means.
One problem is, as you mention here, ...
The only possible problem that springs to mind is a restricted kernel
interface (such as the one used by QEMU in dom0 that restricts to a
single target domain) that now doesn't realize it's relaying an
operation that also requires permission over (t) after only checking
that the origin is allowed to modify (d).
... the delegation of privilege checking responsibility to a
possibly untrusted environment. Plus, as explained before,
current callers expect privilege of d over t to be validated,
which isn't happening anymore with the proposed change. If
the existing sub-op was to be modified, I think we'd need
(with c representing the current domain)
- (d over t) || ((c over d) && (c over t)) for not regressing
the pre-existing use case,
- only (c over d) && (c over t) for not permitting something
that isn't intended to be permitted in the new use case.
Unless the sub-op has room for adding a flag to indicate
which of the two is meant (I didn't check), I don't see a way
around adding another sub-op, no matter how similar this
would end up being.
Jan
I would say the current lack of a check for (c over t) is an oversight,
which mostly doesn't matter because the ability to modify arbitrary
memory in your target is transitive in almost any security model (c can
modify d's code to modify t, so a malicious c can compromise t anyway).
If the three domains are all different, the only way this can happen in
non-XSM is for (c) to be dom0 or for your device model to have a device
model (which I don't think is forbidden, but doubt anyone uses).
I now agree that this deserves a new subop, since this code is reached
via the stable memory_op and not just a domctl.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
|
