Xen project Mailing List

Re: [RFC PATCH 1/1] xsm: allows system domains to allocate evtchn

To: Jason Andryuk <jandryuk@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>

From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Date: Wed, 30 Mar 2022 10:04:30 -0400

Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1648649091; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=REcrB5TGQO9wO2RT8H7Y4NsA0RnhnjkQ+xQepfjdCzY=; b=fQucfuI1YZ7RKGKnXPrIUmNabnwBfGU+BY66ZmafYVEZVk0Emdzdl98Rd+481aAcxbWY0oW72eoUHC0bUcz/flPQFJuniMvWEZT69y8rpxztjrt6EZuhSWmnjI2VnGJHsQOxHyDkI6v8w1oM+XrvQxcNejslrtIN8Miq7wVY9fg=

Arc-seal: i=1; a=rsa-sha256; t=1648649091; cv=none; d=zohomail.com; s=zohoarc; b=KFQiduAsJ0JtkZOf+pxspHhS5oFbTnalD4KggaeT/LeUm4TqZZezJU8uBit3eRxmxxAHyYH3bj6w32sE5vMUtf1CVI7qI/KWXPFjHu73BWD5Qz6BH2e+DyR7RqoGPJ6sBVRW2fowTUPZ3jiCSLPI0ygRaOBppTUZ3KAzlcfUeds=

Cc: Scott Davis <scott.davis@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Wed, 30 Mar 2022 14:05:03 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 3/30/22 08:30, Jason Andryuk wrote: > On Wed, Mar 30, 2022 at 2:30 AM Jan Beulich <jbeulich@xxxxxxxx> wrote: >> >> On 29.03.2022 20:57, Daniel P. Smith wrote: >>> On 3/29/22 02:43, Jan Beulich wrote: >>>> Similarly I don't see how things would work transparently with a >>>> Flask policy in place. Regardless of you mentioning the restriction, >>>> I think this wants resolving before the patch can go in. >>> >>> To enable the equivalent in flask would require no hypervisor code >>> changes. Instead that would be handled by adding the necessary rules to >>> the appropriate flask policy file(s). >> >> Of course this can be dealt with by adjusting policy file(s), but until >> people do so they'd end up with a perceived regression and/or unexplained >> difference in behavior from running in dummy (or SILO, once also taken >> care of) mode. > > This need to change the Flask policy is the crux of my dislike for > making Xen-internal operations go through XSM checks. It is wrong, > IMO, to require the separate policy to grant xen_t permissions for > proper operation. I prefer restructuring the code so Xen itself > doesn't have to go through XSM checks since that way Xen itself always > runs properly regardless of the policy. > > This is more based on unmap_domain_pirq having an XSM check for an > internal operation. dom0less, hyperlaunch, & Live Update may all be > niche use cases where requiring a policy change is reasonable. I will continue to agree with the base logic that today any least privilege separation imposed is merely artificial in the face of any attack that gains execution control over hypervisor space. What I will disagree with is using that as a justification to create tight couplings between the internals of the hypervisor that have a potential of causing more work in the future when people are looking to use for instance's Arms upcoming capability pointers as a real separation enforcement mechanisms to de-privilege portions of the hypervisor. While on principle it is justified to object to having policy statements that present a facade, is it not better to look longer term than object to some thing on principle based in the now? v/r, dps

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.