[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 3/6] xen: add new domctl get_changed_domain


  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Jürgen Groß <jgross@xxxxxxxx>
  • Date: Thu, 24 Oct 2024 15:59:00 +0200
  • Autocrypt: addr=jgross@xxxxxxxx; keydata= xsBNBFOMcBYBCACgGjqjoGvbEouQZw/ToiBg9W98AlM2QHV+iNHsEs7kxWhKMjrioyspZKOB ycWxw3ie3j9uvg9EOB3aN4xiTv4qbnGiTr3oJhkB1gsb6ToJQZ8uxGq2kaV2KL9650I1SJve dYm8Of8Zd621lSmoKOwlNClALZNew72NjJLEzTalU1OdT7/i1TXkH09XSSI8mEQ/ouNcMvIJ NwQpd369y9bfIhWUiVXEK7MlRgUG6MvIj6Y3Am/BBLUVbDa4+gmzDC9ezlZkTZG2t14zWPvx XP3FAp2pkW0xqG7/377qptDmrk42GlSKN4z76ELnLxussxc7I2hx18NUcbP8+uty4bMxABEB AAHNH0p1ZXJnZW4gR3Jvc3MgPGpncm9zc0BzdXNlLmNvbT7CwHkEEwECACMFAlOMcK8CGwMH CwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRCw3p3WKL8TL8eZB/9G0juS/kDY9LhEXseh mE9U+iA1VsLhgDqVbsOtZ/S14LRFHczNd/Lqkn7souCSoyWsBs3/wO+OjPvxf7m+Ef+sMtr0 G5lCWEWa9wa0IXx5HRPW/ScL+e4AVUbL7rurYMfwCzco+7TfjhMEOkC+va5gzi1KrErgNRHH kg3PhlnRY0Udyqx++UYkAsN4TQuEhNN32MvN0Np3WlBJOgKcuXpIElmMM5f1BBzJSKBkW0Jc Wy3h2Wy912vHKpPV/Xv7ZwVJ27v7KcuZcErtptDevAljxJtE7aJG6WiBzm+v9EswyWxwMCIO RoVBYuiocc51872tRGywc03xaQydB+9R7BHPzsBNBFOMcBYBCADLMfoA44MwGOB9YT1V4KCy vAfd7E0BTfaAurbG+Olacciz3yd09QOmejFZC6AnoykydyvTFLAWYcSCdISMr88COmmCbJzn sHAogjexXiif6ANUUlHpjxlHCCcELmZUzomNDnEOTxZFeWMTFF9Rf2k2F0Tl4E5kmsNGgtSa aMO0rNZoOEiD/7UfPP3dfh8JCQ1VtUUsQtT1sxos8Eb/HmriJhnaTZ7Hp3jtgTVkV0ybpgFg w6WMaRkrBh17mV0z2ajjmabB7SJxcouSkR0hcpNl4oM74d2/VqoW4BxxxOD1FcNCObCELfIS auZx+XT6s+CE7Qi/c44ibBMR7hyjdzWbABEBAAHCwF8EGAECAAkFAlOMcBYCGwwACgkQsN6d 1ii/Ey9D+Af/WFr3q+bg/8v5tCknCtn92d5lyYTBNt7xgWzDZX8G6/pngzKyWfedArllp0Pn fgIXtMNV+3t8Li1Tg843EXkP7+2+CQ98MB8XvvPLYAfW8nNDV85TyVgWlldNcgdv7nn1Sq8g HwB2BHdIAkYce3hEoDQXt/mKlgEGsLpzJcnLKimtPXQQy9TxUaLBe9PInPd+Ohix0XOlY+Uk QFEx50Ki3rSDl2Zt2tnkNYKUCvTJq7jvOlaPd6d/W0tZqpyy7KVay+K4aMobDsodB3dvEAs6 ScCnh03dDAFgIq5nsB11j3KPKdVoPlfucX2c7kGNH+LUMbzqV6beIENfNexkOfxHfw==
  • Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • Delivery-date: Thu, 24 Oct 2024 13:59:13 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 24.10.24 15:35, Daniel P. Smith wrote:
On 10/24/24 05:13, Jürgen Groß wrote:
On 23.10.24 17:55, Daniel P. Smith wrote:
On 10/23/24 09:10, Juergen Gross wrote:
Add a new domctl sub-function to get data of a domain having changed
state (this is needed by Xenstore).

The returned state just contains the domid, the domain unique id,
and some flags (existing, shutdown, dying).

In order to enable Xenstore stubdom being built for multiple Xen
versions, make this domctl stable.  For stable domctls the
interface_version is specific to the respective domctl op and it is an
in/out parameter: On input the caller is specifying the desired version
of the op, while on output the hypervisor will return the used version
(this will be at max the caller supplied version, but might be lower in
case the hypervisor doesn't support this version).

Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
---
V1:
- use a domctl subop for the new interface (Jan Beulich)
---
  tools/flask/policy/modules/dom0.te  |  2 +-
  xen/common/domain.c                 | 51 +++++++++++++++++++++++++++++
  xen/common/domctl.c                 | 19 ++++++++++-
  xen/common/event_channel.c          |  9 ++++-
  xen/include/public/domctl.h         | 33 +++++++++++++++++++
  xen/include/xen/event.h             |  6 ++++
  xen/include/xen/sched.h             |  2 ++
  xen/include/xsm/dummy.h             |  8 +++++
  xen/include/xsm/xsm.h               |  6 ++++
  xen/xsm/dummy.c                     |  1 +
  xen/xsm/flask/hooks.c               |  7 ++++
  xen/xsm/flask/policy/access_vectors |  2 ++
  12 files changed, 143 insertions(+), 3 deletions(-)

diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
index 16b8c9646d..6043c01b12 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -40,7 +40,7 @@ allow dom0_t dom0_t:domain {
  };
  allow dom0_t dom0_t:domain2 {
      set_cpu_policy gettsc settsc setscheduler set_vnumainfo
-    get_vnumainfo psr_cmt_op psr_alloc get_cpu_policy
+    get_vnumainfo psr_cmt_op psr_alloc get_cpu_policy get_domain_state

I don't think that is where you want it, as that restricts dom0 to only being able to make that call against dom0. The question I have is, are you looking for this permission to be explicitly assigned to dom0 or to the domain type that was allowed to create the domain. IMHO, I think you would want the latter, so not only should the permission go here, but also added to xen.if:create_domain_common.

Additionally, I would also recommend adding the following to xenstore.te:

allow xenstore_t domain_type:domain get_domain_state

Okay, but shouldn't this be:

allow xenstore_t domain_type:domain2 get_domain_state;

Apologies, yes that was a typo on my part.


  allow dom0_t dom0_t:resource { add remove };

...

@@ -866,6 +873,16 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
                  __HYPERVISOR_domctl, "h", u_domctl);
          break;
+    case XEN_DOMCTL_get_domain_state:
+        ret = xsm_get_domain_state(XSM_HOOK, d);

XSM_HOOK will allow any domain to make this call on any domain. What I think you want here is XSM_XS_PRIV. That will allow either a domain flagged as the xenstore domain or dom0 to make the call.

I thought so, too, but looking at the "getdomaininfo" example it seems
to be okay this way, too. Especially with the addition to xsm_domctl()
checking for XSM_XS_PRIV.

I know this has been done in the past, but imho it is not a very good practice. Access checks really should always restrict equal or down. There should be a strong reason, which probably would deserves a code comment, to allow a check to relax up. Restricting equal should not reduce access, and if it does, then it means there is an unintended access path which is now exposed.

Sounds logical.

I'll check if it works the way you are suggesting. If so, I'll send a patch
fixing the getdomaininfo case.


Juergen

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.