[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] xsm: add ability to elevate a domain to privileged

  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 6 Apr 2022 10:48:23 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=bx4c/RgVuBr61y1OKVYyGwfuME8UXQZZHvxdJge+Vxc=; b=dJPgzwac3tWGrH0+Rbg8UBPQbSk8kR1z4h0R1XR2zNS2+WasQXr5ptdE7cJ6OdAUb+P/k1+qQGe6+HvkTXT+tf315MOPIRQZ3Boz3AxQP7zxTtXGquX8yt8AtAwKON6z1eCD6I4AeOleaVoXAncsFmbnzmSBAT/eIeZJVEpoQClBRpmxEI5EUZyIhSq8Oc8I+BxWzZ8yStlSqZIZ9j3/cYOxnqerkDaTQm0DI7GDJeDFD1v537KLM7jqilATi/er6zEm/K0FkbWZUZ8mPwfetuLT6G1v1o0s8S8E7f6mtJutoIAgI12F+HMUT0RjfZNLcoKfI/4HniNFdlo4841nag==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=b46uv4LxBU6YsmgCsUcEoTw5hDnBAx0ywopOmJ31BiR00BM5E/ru827D5C0soZ3aHmYGROiIt4qmLD6DPifTY17PdIKv3V3ora39fARihnyOHrTQZC86Z1xC5WFVtv2WR5PEZYfi1VCLYH1fkNvGZPkT2KTIlyokY9o+rgtAHKxitFl9ZbByuaNGkv/6/eeArpkftZ2//bnUcwEMZ4aSEyzqAjJY6bVR/zwJzm7V3ujA7sIHVbyJ50POD83e1P3hftA8IpTmOOAlez4jZFx8lZ/OWUIC/i4ST6BT3HxAhfUV7rKsvf0kDERytQoMAmVeq/XYygUHyC6vF+q7QgBpQQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Jason Andryuk <jandryuk@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Scott Davis <scott.davis@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 06 Apr 2022 08:48:37 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 06.04.2022 10:46, Roger Pau Monné wrote:
> On Wed, Apr 06, 2022 at 09:06:59AM +0200, Jan Beulich wrote:
>> On 05.04.2022 19:17, Jason Andryuk wrote:
>>> On Mon, Apr 4, 2022 at 11:34 AM Daniel P. Smith 
>>> <dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote:
>>>> On 3/31/22 09:16, Jason Andryuk wrote:
>>>>> For the default policy, you could start by creating the system domains
>>>>> as privileged and just have a single hook to drop privs.  Then you
>>>>> don't have to worry about the "elevate" hook existing.  The patch 2
>>>>> asserts could instead become the location of xsm_drop_privs calls to
>>>>> have a clear demarcation point.  That expands the window with
>>>>> privileges though.  It's a little simpler, but maybe you don't want
>>>>> that.  However, it seems like you can only depriv once for the Flask
>>>>> case since you want it to be one-way.
>>>>
>>>> This does simplify the solution and since today we cannot differentiate
>>>> between hypervisor setup and hypervisor initiated domain construction
>>>> contexts, it does not run counter to what I have proposed. As for flask,
>>>> again I do not believe codifying a domain transition bound to a new XSM
>>>> op is the appropriate approach.
>>>
>>> This hard coded domain transition does feel a little weird.  But it
>>> seems like a natural consequence of trying to use Flask to
>>> deprivilege.  I guess the transition could be behind a
>>> dom0less/hyperlaunch Kconfig option.  I just don't see a way around it
>>> in some fashion with Flask enforcing.
>>>
>>> Another idea: Flask could start in permissive and only transition to
>>> enforcing at the deprivilege point.  Kinda gross, but it works without
>>> needing a transition.
>>
>> I don't think that would be right. Logically such behavior ought to be
>> mirrored to SILO, and I'll take that for the example for being the
>> simpler model: Suppose an admin wants to disallow communication
>> between DomU-s created by Xen. Such would want enforcing when creating
>> those DomU-s, despite the creator (Xen) being all powerful. If the
>> device tree information said something different (e.g. directing for
>> an event channel to be established between two such DomU-s), this
>> should be flagged as an error, not be silently permitted.
> 
> I could also see this argument the other way around: what if an admin
> wants to disallow domUs freely communicating between them, but would
> still like some controlled domU communication to be possible by
> setting up those channels at domain creation?

Well, imo that would require a proper (Flask) policy then, not SILO mode.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.