[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH v4 2/6] SUPPORT.md: Add qemu-depriv section

To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: George Dunlap <george.dunlap@xxxxxxxxxx>
Date: Mon, 5 Nov 2018 18:07:07 +0000
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Wilk <konrad.wilk@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Anthony Perard <anthony.perard@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>
Delivery-date: Mon, 05 Nov 2018 18:08:02 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
---
Changes since v3:
- Moved from the qemu-depriv doc patches.
- Reword to include the possibility of having a non-dom0 "devicemodel"
  domain which may want to be protected
- Specify `Linux dom0` as the currently-tech-supported window

CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>
CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CC: Jan Beulich <jbeulich@xxxxxxxx>
CC: Tim Deegan <tim@xxxxxxx>
CC: Konrad Wilk <konrad.wilk@xxxxxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Julien Grall <julien.grall@xxxxxxx>
CC: Anthony Perard <anthony.perard@xxxxxxxxxx>
CC: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
---
 SUPPORT.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/SUPPORT.md b/SUPPORT.md
index 4f203da84a..1f0f5857a7 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -525,6 +525,26 @@ Vulnerabilities of a device model stub domain
 to a hostile driver domain (either compromised or untrusted)
 are excluded from security support.
 
+### Device Model Deprivileging
+
+    Status, Linux dom0: Tech Preview, with limited support
+
+This means adding extra restrictions to a device model in order to
+prevent a compromised device model from attack the rest of the domain
+it's running in (normally dom0).
+
+"Tech preview with limited support" means we will not issue XSAs for
+the _additional_ functionality provided by the feature; but we will
+issue XSAs in the event that enabling this feature opens up a security
+hole that would not be present without the feature disabled.
+
+For example, while this is classified as tech preview, a bug in libxl
+which failed to change the user ID of QEMU would not receive an XSA,
+since without this feature the user ID wouldn't be changed. But a
+change which made it possible for a compromised guest to read
+arbitrary files on the host filesystem without compromising QEMU would
+be issued an XSA, since that does weaken security.
+
 ### KCONFIG Expert
 
     Status: Experimental
-- 
2.19.1


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v4 2/6] SUPPORT.md: Add qemu-depriv section
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH v4 2/6] SUPPORT.md: Add qemu-depriv section
  - From: Paul Durrant

References:
- [Xen-devel] [PATCH v4 1/6] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: George Dunlap

Prev by Date: [Xen-devel] [PATCH v4 6/6] RFC: test/depriv: Add a tool to check process-level depriv
Next by Date: [Xen-devel] [PATCH v4 3/6] tools/dm_restrict: Ask QEMU to chroot
Previous by thread: Re: [Xen-devel] [PATCH v4 6/6] RFC: test/depriv: Add a tool to check process-level depriv
Next by thread: Re: [Xen-devel] [PATCH v4 2/6] SUPPORT.md: Add qemu-depriv section
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.