[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 08/10] xsm: remove xsm_default_t from hook definitions


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 16 Jul 2021 16:55:16 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2uojqQarTUpRbJRlnbyxF9rZe/W+19PMnjTxP+/cSEc=; b=iidjROu/KeOVtUTlrLAwopPHYWOudUY5pNqkHTghFdicZ/jNOrophbMzdx91M8dbIDXCSFaVbte2zBu6vzgZR2259m//wAWpb/P1VZpugyjYjE3zlE7ms9r7uhFaDoV1/A4fC/l+Kt1gOWS68N4PiZYXPfbS9hDveS+nkXsTU0WJ558FYyreH7sX0byz06Xh4JCdHeXX+fHn6wpq9NcIR/PRoKA+dgFiInR8DKzQcbMkWJAEA0RoYs19hMdxe5gqIMbZ4IUos9wCJ2OwQPt1Dn+Yh7vUuhc1PL0+QAj+fXSuMLabibxdbcifoJxAxUst6X1W3GoJeijThLPKyI+AMg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=P8YQEyH1UrTykSq3FeTlvIvYzNvFevk/d+a5hGRrLyymo/lBiNkJbTtuVvQBpnHeFA+ClwwWMFCzYJu5rLyBzHJ3GjK3qvzjpu6U+suqa0ufv1IIZCnB+YOnYLy0SBO041jTUuWEucS+W/jouDblum6sPm9ZRAF3qA+9XZSVFFoDidxVaJTywuM5MY4DsF/jd3lzn3L9MKTfPrppKcQPFC4zy2G6zYrOwyf7TLBvgRxJ0vH5pZL/DItGg108m0Fq5rYrbT21Rj/hykX30qVE3yUfFm7zSz8PY7ho/2dXFWAyUp6xcAVW2J1OOJPmqTBAmOM8Ql21bKM3iqT6yZw5vw==
  • Authentication-results: apertussolutions.com; dkim=none (message not signed) header.d=none;apertussolutions.com; dmarc=none action=none header.from=suse.com;
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Tim Deegan <tim@xxxxxxx>, Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 16 Jul 2021 14:55:36 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 16.07.2021 16:15, Andrew Cooper wrote:
> On 16/07/2021 08:23, Jan Beulich wrote:
>> On 12.07.2021 22:32, Daniel P. Smith wrote:
>>> The passing of an xsm_default_t at each of the xsm hook call sites
>>> served different functions depending on whether XSM was enabled or not.
>>> When XSM was not enabled it attempted to function as a link-time check
>>> that declared default action at the call site matched the default
>>> declared action for that hook in the dummy policy. When XSM was enabled,
>>> it would just drop the  parameter.
>>>
>>> The removal of these values is two fold. They are a redundancy that
>>> provides little context, especially when the value is XSM_OTHER.
>> For XSM_OTHER I may agree, but in general I find the call-site uses
>> helpful to know at least the rough level of intended restriction.
>> E.g. ...
>>
>>> --- a/xen/arch/x86/cpu/mcheck/mce.c
>>> +++ b/xen/arch/x86/cpu/mcheck/mce.c
>>> @@ -1376,7 +1376,7 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_mc_t) u_xen_mc)
>>>      struct xen_mc_msrinject *mc_msrinject;
>>>      struct xen_mc_mceinject *mc_mceinject;
>>>  
>>> -    ret = xsm_do_mca(XSM_PRIV);
>>> +    ret = xsm_do_mca();
>> ... to now understand what this enforces (or not) I have to go to
>> the actual implementation, even if I only want to know the trivial
>> dummy incarnation of it. This effectively extends the "provides
>> little context" from XSM_OTHER to all hooks.
> 
> The old scheme was even worse because it was only a plausible
> approximation for the !XSM case while being actively wrong for SILO and
> FLASK.

"Actively wrong" is perhaps going a little far? I don't think SILO
relaxes things anywhere over the !XSM case, and I also wouldn't
expect a Flask policy to commonly relax things. Of course these
simplistic categories can't reflect the full possible range with
an actual policy, but seeing XSM_PRIV in a call used to be a fair
hint that subsequent code isn't expected to be reachable for
unprivileged entities. No such hints would exist anymore following
this change, and its description didn't sound to me like this
aspect was taken into consideration. Yet it is a difference to me
whether such removal of information (no matter how precise it is)
is deliberate or an unintended / unnoticed / unexpected side effect.

> Furthermore, someone reading the code could be forgiven for thinking
> that XSM_HOOK was something other than dead code.

I certainly agree with this part.

Jan




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.