[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/2] xsm: add ability to elevate a domain to privileged
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Wed, 6 Apr 2022 10:46:35 +0200
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=o0muEHvo0OwrGv5vA1iAbBVjF4EhQfRHpE8xOPgmp3Y=; b=HP4I12Vfo241nQRbIh6Lygyu/J75o12vz7/NNlTNMoHYbBGGZBiZaGS/L7FAZLH4y03J3I6dAycFbqluKI4tq2xnZAnLdn2ctUjQEIvS1K9I4Ey3PZdtwXdzGDeACgGkXnJCjxa4Xgn7wyoOW0/cLDGbmy7hFWAXydqleeqEHlJOIH7qHlIW3hUHo5b81NFE2Uyklkau552zyBVC/As1/8pQ8sCIEhVQeNtyCRJB31HVs0Sv387M4+YT9jpaXU5GBdOjUx90c4pMxEYfULbzl69S6REZmIivP+Bbdqs6lF6f+W1fbFMAdGds51dmUh09w/oa3ZcW6I5qszH5OkNaug==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kBtA8yQjZpcduh9FDP289GA49nBvEIYKdNdI45/K+JgM02a42d9vx/fKP20pq6soC2dIg1/i1awCFY+ZIRMyHuIhhZeIzh9+ZM1e0oxLt+FBlJteJYR6UY3hgassmuP0lH2PlA7/bJfGkAPyuVdWeHm8KzgEsjGxq7Ndj3W00iMj3rlqi+EFObG0xFdvpwEQ6s87/bbzh5Y3+FLfg0CDZwN3vbTmQtYBDISR2kOuylHgArjOltZ6Sd38G3Y0BZSWmVXFuo5CxstfLqX7cmRwmuwsYbxsI5BsM3nPvgz5Zz6y8AtQLnLVfRkJ0dHj0uv1l22fT23om0BcrPd5Qi7mMw==
- Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: Jason Andryuk <jandryuk@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Scott Davis <scott.davis@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Wed, 06 Apr 2022 08:47:01 +0000
- Ironport-data: A9a23:a2Jp/KMsVZG1jV/vrR1Hl8FynXyQoLVcMsEvi/4bfWQNrUog1WYPy mUZWDyHbqmDZjP1fdhxbo3ioxhQvZeDm9FlQQto+SlhQUwRpJueD7x1DKtR0wB+jCHnZBg6h ynLQoCYdKjYdleF+lH1dOKJQUBUjclkfJKlYAL/En03FFcMpBsJ00o5wbZl2tAw2LBVPivW0 T/Mi5yHULOa82Yc3lI8s8pvfzs24ZweEBtB1rAPTagjUG32zhH5P7pGTU2FFFPqQ5E8IwKPb 72rIIdVXI/u10xF5tuNyt4Xe6CRK1LYFVDmZnF+A8BOjvXez8CbP2lS2Pc0MC9qZzu1c99Z8 9ERp4y+QD8VJIL8msEQAzlCNHhsFPgTkFPHCSDXXc27ykTHdz3nwul0DVFwNoodkgp1KTgQr 7pCcmlLN03dwbLtqF64YrAEasALNs7kMZlZonh95TrYEewnUdbIRKCiCdpwgmdt2poQQ662i 8wxMmQwcDfMeCd0IwkmNpNho8ONwSf9bGgNwL6SjfVuuDWCpOBr65D2O93JZpqGTNtUhW6Du mvc+23zRBAdXPSTxjaI/WilrvPeliP8HoQJHfu38eACqFGL3WkSFB0+XEO2u+WkkVW5X89DK ksS4Wwlqq1a3E6hQ8T5Xha4iGWZpRNaUN1Ve8U44QeB0LvJ4C6WA2EFSnhKb9lOnN87Q3km2 0GEm/vtBCdzq/uFRHSF7LCWoDiufy8PIgc/iTQsFFVfpYO5+cdq00yJHo0L/LOJYsPdIjWs0 SCEpRACnZojj+sGh4Wh2gnVqmf5znTWdTId6gLSV2Ojywp2Yo+5eoClgWTmAeZ8wJWxFQfY4 iVd8ySKxKVXVMzWynTRKAkYNOvxj8tpJgEwlrKG83MJ0z22s0CucolLiN2VDBc4a51UEdMFj aK6hO+w2HOxFCbyBUOUS9joYyjP8UQGPY67PhwzRoATCqWdjCfdoElTibe4hggBanQEn6AlI ou8es2xF3scAqkP5GPoG7ZEgeN7lnBumji7qXXHI/KPi+T2iJm9E+ltDbdzRrphsPPsTPv9r b6zyPdmOz0ACbajM0E7AKYYLEwQLGhTOHwFg5c/SwJ3GSI/QDtJI6aImdsJItU594wIxrag1 izsASdwlQug7UAr3C3XMxiPnpu0Bs0hxZ/6VARxVWuVN48LOt/1tvpALsdpJtHKNoVLlJZJc hXMQO3ZatxnQTXb4TUNK577qY1pbhOwggySeSGiZVACk1RIHmQlJveMktPTyRQz
- Ironport-hdrordr: A9a23:bBHw8aNLzmu4n8BcTy/155DYdb4zR+YMi2TDiHoedfUFSKOlfp 6V8MjztSWVtN4QMEtQ/+xoHJPwPE80lKQFm7X5WI3CYOCIghrMEGgP1/qH/9SkIVyDygc/79 YQT0EdMqyJMbESt6+Ti2PUYrVQouVvsprY/ts2p00dMz2CAJsQljuRZDzrdXGfE2J9dOUE/d enl4J6jgvlXU5SQtWwB3EDUeSGj9rXlKj+aRpDIxI88gGBgR6h9ba/SnGjr10jegIK5Y1n3X nOkgT/6Knmm/anyiXE32uWy5hNgtPuxvZKGcTJoMkILTfHjBquee1aKva/lQFwhNvqxEchkd HKrRtlF8Nv60nJdmXwmhfp0xmI6kdY11bSjXujxVfzq83wQzw3T+Bbg5hCTxff4008+Plhza NixQuixtVqJCKFuB64y8nDVhlsmEbxi2Eli/Qvg3tWVpZbQKNNrLYY4FheHP47bW7HAbgcYa hT5fznlbZrmQvwVQGbgoAv+q3gYp0LJGbJfqBY0fblkQS/nxhCvj8lLYIk7zI9HakGOup5Dt T/Q9RVfY51P70rhIJGdZE8qJiMeyXwqSylChPmHb2gLtBCB07w
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Wed, Apr 06, 2022 at 09:06:59AM +0200, Jan Beulich wrote:
> On 05.04.2022 19:17, Jason Andryuk wrote:
> > On Mon, Apr 4, 2022 at 11:34 AM Daniel P. Smith
> > <dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote:
> >> On 3/31/22 09:16, Jason Andryuk wrote:
> >>> For the default policy, you could start by creating the system domains
> >>> as privileged and just have a single hook to drop privs. Then you
> >>> don't have to worry about the "elevate" hook existing. The patch 2
> >>> asserts could instead become the location of xsm_drop_privs calls to
> >>> have a clear demarcation point. That expands the window with
> >>> privileges though. It's a little simpler, but maybe you don't want
> >>> that. However, it seems like you can only depriv once for the Flask
> >>> case since you want it to be one-way.
> >>
> >> This does simplify the solution and since today we cannot differentiate
> >> between hypervisor setup and hypervisor initiated domain construction
> >> contexts, it does not run counter to what I have proposed. As for flask,
> >> again I do not believe codifying a domain transition bound to a new XSM
> >> op is the appropriate approach.
> >
> > This hard coded domain transition does feel a little weird. But it
> > seems like a natural consequence of trying to use Flask to
> > deprivilege. I guess the transition could be behind a
> > dom0less/hyperlaunch Kconfig option. I just don't see a way around it
> > in some fashion with Flask enforcing.
> >
> > Another idea: Flask could start in permissive and only transition to
> > enforcing at the deprivilege point. Kinda gross, but it works without
> > needing a transition.
>
> I don't think that would be right. Logically such behavior ought to be
> mirrored to SILO, and I'll take that for the example for being the
> simpler model: Suppose an admin wants to disallow communication
> between DomU-s created by Xen. Such would want enforcing when creating
> those DomU-s, despite the creator (Xen) being all powerful. If the
> device tree information said something different (e.g. directing for
> an event channel to be established between two such DomU-s), this
> should be flagged as an error, not be silently permitted.
I could also see this argument the other way around: what if an admin
wants to disallow domUs freely communicating between them, but would
still like some controlled domU communication to be possible by
setting up those channels at domain creation?
Thanks, Roger.
|