Xen project Mailing List

Re: [PATCH 1/2] xsm: add ability to elevate a domain to privileged

To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

From: Jason Andryuk <jandryuk@xxxxxxxxx>

Date: Thu, 31 Mar 2022 09:16:53 -0400

Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Scott Davis <scott.davis@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Delivery-date: Thu, 31 Mar 2022 13:17:17 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Mar 30, 2022 at 3:05 PM Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote: > > There are now instances where internal hypervisor logic needs to make resource > allocation calls that are protected by XSM checks. The internal hypervisor > logic > is represented a number of system domains which by designed are represented by > non-privileged struct domain instances. To enable these logic blocks to > function correctly but in a controlled manner, this commit introduces a pair > of privilege escalation and demotion functions that will make a system domain > privileged and then remove that privilege. > > Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx> > --- > xen/include/xsm/xsm.h | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > > diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h > index e22d6160b5..157e57151e 100644 > --- a/xen/include/xsm/xsm.h > +++ b/xen/include/xsm/xsm.h > @@ -189,6 +189,28 @@ struct xsm_operations { > #endif > }; > > +static always_inline int xsm_elevate_priv(struct domain *d) > +{ > + if ( is_system_domain(d) ) > + { > + d->is_privileged = true; > + return 0; > + } > + > + return -EPERM; > +} These look sufficient for the default policy, but they don't seem sufficient for Flask. I think you need to create a new XSM hook. For Flask, you would want the demote hook to transition xen_boot_t -> xen_t. That would start xen_boot_t with privileges that are dropped in a one-way transition. Does that require all policies to then have xen_boot_t and xen_t? I guess it does unless the hook code has some logic to skip the transition. For the default policy, you could start by creating the system domains as privileged and just have a single hook to drop privs. Then you don't have to worry about the "elevate" hook existing. The patch 2 asserts could instead become the location of xsm_drop_privs calls to have a clear demarcation point. That expands the window with privileges though. It's a little simpler, but maybe you don't want that. However, it seems like you can only depriv once for the Flask case since you want it to be one-way. Regards, Jason

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.