[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] xsm: add ability to elevate a domain to privileged


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Wed, 6 Apr 2022 11:09:08 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9Ki0E0TtXjHFVIPiYj6hRHXoysLy/KKSHYe9avwDFzQ=; b=bf9oWn2kw4FjLm9bmFQCyWOcYRlbyGLfEPHorgX4Ytx20IXvJof1Ys80P85+otTfuCZull5FlIcNijddh8nj7xEINV2LiWzt9/kJS3ytZwvUlcVbuLqKsMrIywOlMhaKeTLc9rTmvl/B1YlpeaMDNGYyPT1O1lrTi6vs4X2963bHGcHxrmRrKrTmvzqmaYu/B5gdLYNnicVNHhIBL5ICzVljGH1YTNMXBs+ndos7ozkcH18B4Fyr/0bJQdrhCJPJdaD7fmXOWVruViJbm1P9qYC5WaZBhdrR9uDZW0XKQ6hDgILqWyRvCBbO77W4MiumooK2IM6tPMxdHURI/dklew==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=icm14drdwQEcEvfuaLoW4SEGAaijJ32oYzwCSeljtAUY+VO53y/+4Tgebhpaji7Juw6p1sr7hXm7f9BMjXgQhOsi3/4R8pLq1pLon5JpaGddQ5xjInh3aKQJ99XeSqpotgEv1+AlcS8iN1dl6RWcKZX7QBCIyorScO3L9C6BcKGLjw2EoQoH63VBJ9V3XGIwIZCxXiBjhvCF5f906a/tuduy9pA8dTSL6uf37GcIlDQ8wRhCWDiJl6OkAQ6FKeH804SNKxOYoO0/P/+0Nxrjt66dIhnwURcOIQT45m49hqzU6BmQv9uVi42qAYlocg8OBMXW8iduCmk3azCSDKktSA==
  • Authentication-results: esa2.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Jason Andryuk <jandryuk@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Scott Davis <scott.davis@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 06 Apr 2022 09:09:33 +0000
  • Ironport-data: A9a23:aDzzTavCmvGYf9ESg0eskg1/TOfnVLReMUV32f8akzHdYApBsoF/q tZmKWCBa/+OZGXwfIwlad7lpEtXv57Rn9QwS1Rqry1jQioS+JbJXdiXEBz9bniYRiHhoOOLz Cm8hv3odp1coqr0/0/1WlTZhSAgk/nOHNIQMcacUsxLbVYMpBwJ1FQyw4bVvqYy2YLjW1/V5 4uryyHiEATNNwBcYzp8B52r8HuDjNyq0N/PlgVjDRzjlAa2e0g9VPrzF4noR5fLatA88tqBb /TC1NmEElbxpH/BPD8HfoHTKSXmSpaKVeSHZ+E/t6KK2nCurQRquko32WZ1he66RFxlkvgoo Oihu6BcRi8MHPTKl9UCVyVUOHxjGbBF0bP/GmGw5Jn7I03uKxMAwt1rBUAye4YZ5vx2ESdF8 vlwxDIlN07ZwbjsmfTiF7cq1p9LwMrDZevzvll6yj7UF7A+SI3rSKTW/95Imjw3g6iiGN6AN 5NEMWU0N3wsZTVLa3MIBbMfwtuaxUj8KH5cqXmo/bcetj27IAtZj+G2bYu9lsaxbd5emVqE4 G7P4WXiKgoGPcabwDDD83XEruPAkS70Qos6CKyz9vkshkaagGMUFnU+WUOgpPilima3Q99FN 1EP4S0qsLQz80qwCNL6WnWQonSJoxodUNp4CPAh5UeGza+8ywSQAGQeXyNCQNMjvc4yAzct0 zehj97vQDBirrCRYXac7auP6yO/PzAPKm0PbjNCShEKi+QPu6lq0EiJFIw6Vvfo0JulQlkc3 gxmsgAbpewVgv8U05m31g3apy+vj5TxdRc6s1C/sn2e0it1Y4usZoqN4Ffd7OpdIIvxcmRtr EToiODFsrlQUMjleDilBbxUQer3v6rt3Cj02wYHInU3y9i6F5dPl6h06So2GkpmO91sldTBM B6K4lM5CHO+0RKXgU5Lj2CZVpxCIUvIT42NuhXogjxmOMYZmOivpnwGWKJo9zqx+HXAaIlmU XthTe6iDGwBFYNsxyesSuEW3NcDn35ilDqDGcCrn0T4itJygUJ5r59fbjNiichjssu5TPj9q Y4DZ6NmNT0BOAEBXsUn2dFKdg1bRZTKLZv3t9ZWZoa+zvlOQwkc5wvq6ep5IeRNxv0N/s+Rp y3VchIImTLX2CycQS3XOy8LVV8adcsmxZ7NFXd3ZgjANrlKSdvH0ZrzgLNsJON9qbM6kaAvJ xTHEu3Zaslypv380211RbH2rZB4dQTtggSLPiG/ZyM4cYImTAvMkuIItCO0nMXSJkJbbfcDn oA=
  • Ironport-hdrordr: A9a23:HhOSsaDffCNW02HlHehIsceALOsnbusQ8zAXPh9KJyC9I/b2qy nxppgmPH/P6Ar4WBkb6La90Y27MA7hHPlOkPUs1NaZLXPbUQ6TTb2KgrGSpgEIdxeOktK1kJ 0QDJSWa+eAfWSS7/yKmDVQeuxIqLLsndHK9IXjJjVWPHpXgslbnnZE422gYzRLrWd9dP0E/M 323Ls4m9PsQwVdUu2LQl0+G8TTrdzCk5zrJTYAGh4c8QGLyRel8qTzHRS01goXF2on+8ZuzU H11yjCoomzufCyzRHRk0fV8pRtgdPkjv9OHtaFhMQ5IijlziyoeINicbufuy1dmpDk1H8a1P 335zswNcV67H3cOkmzvBvWwgHllA0j7nfzoGXo90fLkIjcfnYXGsBBjYVWfl/y8Ew7puxx16 pNwiawq4dXJQmoplWy2/H4EzVR0makq3srluAey1ZFV5EFVbNXpYsDuGtIDZY7Gj7g4oxPKp ggMCjl3ocXTbqmVQGbgoE2q+bcHEjbXy32DnTqg/blkgS/xxtCvg4lLM92pAZ2yHtycegB2w 3+CNUbqFh/dL5kUUtDPpZ1fSKWMB2FffueChPbHbzYfJt3T04l7aSHp4kI2A==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Apr 06, 2022 at 10:48:23AM +0200, Jan Beulich wrote:
> On 06.04.2022 10:46, Roger Pau Monné wrote:
> > On Wed, Apr 06, 2022 at 09:06:59AM +0200, Jan Beulich wrote:
> >> On 05.04.2022 19:17, Jason Andryuk wrote:
> >>> On Mon, Apr 4, 2022 at 11:34 AM Daniel P. Smith 
> >>> <dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote:
> >>>> On 3/31/22 09:16, Jason Andryuk wrote:
> >>>>> For the default policy, you could start by creating the system domains
> >>>>> as privileged and just have a single hook to drop privs.  Then you
> >>>>> don't have to worry about the "elevate" hook existing.  The patch 2
> >>>>> asserts could instead become the location of xsm_drop_privs calls to
> >>>>> have a clear demarcation point.  That expands the window with
> >>>>> privileges though.  It's a little simpler, but maybe you don't want
> >>>>> that.  However, it seems like you can only depriv once for the Flask
> >>>>> case since you want it to be one-way.
> >>>>
> >>>> This does simplify the solution and since today we cannot differentiate
> >>>> between hypervisor setup and hypervisor initiated domain construction
> >>>> contexts, it does not run counter to what I have proposed. As for flask,
> >>>> again I do not believe codifying a domain transition bound to a new XSM
> >>>> op is the appropriate approach.
> >>>
> >>> This hard coded domain transition does feel a little weird.  But it
> >>> seems like a natural consequence of trying to use Flask to
> >>> deprivilege.  I guess the transition could be behind a
> >>> dom0less/hyperlaunch Kconfig option.  I just don't see a way around it
> >>> in some fashion with Flask enforcing.
> >>>
> >>> Another idea: Flask could start in permissive and only transition to
> >>> enforcing at the deprivilege point.  Kinda gross, but it works without
> >>> needing a transition.
> >>
> >> I don't think that would be right. Logically such behavior ought to be
> >> mirrored to SILO, and I'll take that for the example for being the
> >> simpler model: Suppose an admin wants to disallow communication
> >> between DomU-s created by Xen. Such would want enforcing when creating
> >> those DomU-s, despite the creator (Xen) being all powerful. If the
> >> device tree information said something different (e.g. directing for
> >> an event channel to be established between two such DomU-s), this
> >> should be flagged as an error, not be silently permitted.
> > 
> > I could also see this argument the other way around: what if an admin
> > wants to disallow domUs freely communicating between them, but would
> > still like some controlled domU communication to be possible by
> > setting up those channels at domain creation?
> 
> Well, imo that would require a proper (Flask) policy then, not SILO mode.

But when creating such domains in SILO mode from dom0, dom0 would be
allowed to create and bind event channels to the created domains, even
if the domain themselves are not allowed the operation.

That's because the check in evtchn_bind_interdomain() is done against
'current' and not the domain where the event channel will be bound.
Maybe such check should instead take 3 parameters: current context
domain, domain to bind the event channel to and remote domain on the
other end of the event channel.

Thanks, Roger.



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.