All of lore.kernel.org
 help / color / mirror / Atom feed
From: Julien Grall <julien.grall@arm.com>
To: Stefano Stabellini <sstabellini@kernel.org>
Cc: Stefano Stabellini <stefanos@xilinx.com>,
	andrii_anisov@epam.com, George.Dunlap@eu.citrix.com,
	andrew.cooper3@citrix.com, ian.jackson@eu.citrix.com,
	xen-devel@lists.xen.org, tim@xen.org, jbeulich@suse.com,
	wei.liu2@citrix.com, dgdegra@tycho.nsa.gov, nd@arm.com
Subject: Re: [PATCH v2 03/21] xen: allow console_io hypercalls from certain DomUs
Date: Thu, 19 Jul 2018 10:19:17 +0100	[thread overview]
Message-ID: <967a2077-36e9-3524-c5e9-73b48ec8913e@arm.com> (raw)
In-Reply-To: <alpine.DEB.2.10.1807181007240.21200@sstabellini-ThinkPad-X260>

Hi Stefano,

On 18/07/18 18:10, Stefano Stabellini wrote:
> On Tue, 17 Jul 2018, Julien Grall wrote:
>> Hi Stefano,
>>
>> On 17/07/2018 21:05, Stefano Stabellini wrote:
>>> On Mon, 9 Jul 2018, Julien Grall wrote:
>>>> Hi,
>>>>
>>>> On 07/07/18 00:11, Stefano Stabellini wrote:
>>>>> Introduce an is_console option to allow certain classes of domUs to use
>>>>> the Xen console. Specifically, it will be used to give console access to
>>>>> all domUs started from Xen from information on device tree.
>>>>>
>>>>> Signed-off-by: Stefano Stabellini <stefanos@xilinx.com>
>>>>> CC: andrew.cooper3@citrix.com
>>>>> CC: George.Dunlap@eu.citrix.com
>>>>> CC: ian.jackson@eu.citrix.com
>>>>> CC: jbeulich@suse.com
>>>>> CC: konrad.wilk@oracle.com
>>>>> CC: tim@xen.org
>>>>> CC: wei.liu2@citrix.com
>>>>> CC: dgdegra@tycho.nsa.gov
>>>>> ---
>>>>> Changes in v2:
>>>>> - introduce is_console
>>>>> - remove #ifdefs
>>>>> ---
>>>>>     xen/include/xen/sched.h | 2 ++
>>>>>     xen/include/xsm/dummy.h | 2 ++
>>>>>     xen/xsm/flask/hooks.c   | 5 ++++-
>>>>>     3 files changed, 8 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
>>>>> index 99d2af2..d66cec0 100644
>>>>> --- a/xen/include/xen/sched.h
>>>>> +++ b/xen/include/xen/sched.h
>>>>> @@ -379,6 +379,8 @@ struct domain
>>>>>         bool             auto_node_affinity;
>>>>>         /* Is this guest fully privileged (aka dom0)? */
>>>>>         bool             is_privileged;
>>>>> +    /* Can this guest access the Xen console? */
>>>>> +    bool             is_console;
>>>>>         /* Is this a xenstore domain (not dom0)? */
>>>>>         bool             is_xenstore;
>>>>>         /* Domain's VCPUs are pinned 1:1 to physical CPUs? */
>>>>> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
>>>>> index ff6b2db..3888817 100644
>>>>> --- a/xen/include/xsm/dummy.h
>>>>> +++ b/xen/include/xsm/dummy.h
>>>>> @@ -230,6 +230,8 @@ static XSM_INLINE int
>>>>> xsm_memory_stat_reservation(XSM_DEFAULT_ARG struct domain
>>>>>     static XSM_INLINE int xsm_console_io(XSM_DEFAULT_ARG struct domain
>>>>> *d, int
>>>>> cmd)
>>>>>     {
>>>>>         XSM_ASSERT_ACTION(XSM_OTHER);
>>>>> +    if ( d->is_console )
>>>>> +        return xsm_default_action(XSM_HOOK, d, NULL);
>>>>
>>>> I will let Daniel commenting on this change. However ...
>>>>
>>>>>     #ifdef CONFIG_VERBOSE_DEBUG
>>>>>         if ( cmd == CONSOLEIO_write )
>>>>>             return xsm_default_action(XSM_HOOK, d, NULL);
>>>>> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
>>>>> index 78bc326..2551e4e 100644
>>>>> --- a/xen/xsm/flask/hooks.c
>>>>> +++ b/xen/xsm/flask/hooks.c
>>>>> @@ -443,7 +443,10 @@ static int flask_console_io(struct domain *d, int
>>>>> cmd)
>>>>>             return avc_unknown_permission("console_io", cmd);
>>>>>         }
>>>>>     -    return domain_has_xen(d, perm);
>>>>> +    if ( !d->is_console )
>>>>> +        return domain_has_xen(d, perm);
>>>>> +    else
>>>>> +        return 0;
>>>>
>>>> ... I don't think this change is correct. When a policy is used, the user
>>>> is
>>>> free to define what is the behavior. With your solution, you impose the
>>>> console access even if the user didn't to not give the permission.
>>>
>>> I was hoping Daniel would advise on the best way to do things here.
>>>
>>> I thought that the idea was that granting a domain "is_console" is
>>> equivalent to granting a domain XEN__READCONSOLE and XEN__WRITECONSOLE
>>> permissions.  Thus, if is_console is set, we return 0 from
>>> flask_console_io because the permissions check succeeds.
>>
>> Well, yes and no. That's equivalent when you use the dummy policy. When you
>> have a flask policy you want to give the control to the user.
>>
>> If you look at the code there are no such as d->is_privilege in that function.
>> This means that the user define the policy for the hardware domain. Why would
>> be d->is_console different here?
> 
> You are saying that in hooks.c the check should remain exactly as is:
> 
>    return domain_has_xen(d, perm);
> 
> and d->is_console should not be tested?

Yes.

> In that case, do you know if I
> need to do anything special with XEN__READCONSOLE and XEN__WRITECONSOLE
> permissions for the initial boot domains (such as adding those
> permissions as the same time d->is_console is set)?

The main purpose of XSM is to provide a fine grain permission for the 
user to configure. For instance, a user may not console access for 
initial domain for security purpose. So you don't have anything to in 
the code.

However, when you have XSM enabled, you will have to write down in the 
policy that initial domains will have console access. Although, I am not 
sure how to write that in the policy.

Cheers,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

  reply	other threads:[~2018-07-19  9:19 UTC|newest]

Thread overview: 92+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-06 23:11 [PATCH v2 00/21] dom0less step1: boot multiple domains from device tree Stefano Stabellini
2018-07-06 23:11 ` [PATCH v2 01/21] xen/arm: rename get_11_allocation_size to get_allocation_size Stefano Stabellini
2018-07-09 12:55   ` Julien Grall
2018-07-11 20:09     ` Stefano Stabellini
2018-07-06 23:11 ` [PATCH v2 02/21] xen/arm: make allocate_memory work for non 1:1 mapped guests Stefano Stabellini
2018-07-09 13:43   ` Julien Grall
2018-07-09 23:02     ` Stefano Stabellini
2018-07-10 17:57       ` Julien Grall
2018-07-11 21:42         ` Stefano Stabellini
2018-07-09 13:58   ` Julien Grall
2018-07-09 23:10     ` Stefano Stabellini
2018-07-23 18:01   ` Andrii Anisov
2018-07-23 18:32     ` Stefano Stabellini
2018-07-24 12:09       ` Andrii Anisov
2018-07-06 23:11 ` [PATCH v2 03/21] xen: allow console_io hypercalls from certain DomUs Stefano Stabellini
2018-07-09 13:48   ` Julien Grall
2018-07-17 20:05     ` Stefano Stabellini
2018-07-17 20:26       ` Julien Grall
2018-07-18 17:10         ` Stefano Stabellini
2018-07-19  9:19           ` Julien Grall [this message]
2018-08-17 19:41             ` Daniel De Graaf
2018-07-06 23:11 ` [PATCH v2 04/21] xen/arm: move a few DT related defines to public/device_tree_defs.h Stefano Stabellini
2018-07-09 13:59   ` Julien Grall
2018-07-06 23:12 ` [PATCH v2 05/21] xen/arm: extend device tree based multiboot protocol Stefano Stabellini
2018-07-09 14:07   ` Julien Grall
2018-07-13 22:41     ` Stefano Stabellini
2018-07-16 14:14       ` Julien Grall
2018-07-16 22:02         ` Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 06/21] xen/arm: do not pass dt_host to make_memory_node and make_hypervisor_node Stefano Stabellini
2018-07-09 14:11   ` Julien Grall
2018-07-09 21:51     ` Stefano Stabellini
2018-07-10 17:28       ` Julien Grall
2018-07-11 20:33         ` Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 07/21] xen/arm: rename acpi_make_chosen_node to make_chosen_node Stefano Stabellini
2018-07-09 14:12   ` Julien Grall
2018-07-06 23:12 ` [PATCH v2 08/21] xen/arm: increase MAX_MODULES Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 09/21] xen/arm: move cmdline out of boot_modules Stefano Stabellini
2018-07-09 14:53   ` Julien Grall
2018-07-10  0:00     ` Stefano Stabellini
2018-07-10 21:11       ` Julien Grall
2018-07-13  0:04         ` Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 10/21] xen/arm: don't add duplicate boot modules Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 11/21] xen/arm: probe domU kernels and initrds Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 12/21] xen/arm: refactor construct_dom0 Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 13/21] xen/arm: introduce construct_domU Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 14/21] xen/arm: generate a simple device tree for domUs Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 15/21] xen/arm: generate vpl011 node on device tree for domU Stefano Stabellini
2018-07-12 18:14   ` Julien Grall
2018-07-13 21:24     ` Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 16/21] xen/arm: introduce a union in vpl011 Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 17/21] xen/arm: refactor vpl011_data_avail Stefano Stabellini
2018-07-24  9:58   ` Julien Grall
2018-07-27 22:37     ` Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 18/21] xen/arm: Allow vpl011 to be used by DomU Stefano Stabellini
2018-07-24 11:00   ` Julien Grall
2018-07-27  0:10     ` Stefano Stabellini
2018-07-27 11:00       ` Julien Grall
2018-07-27 21:42         ` Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 19/21] xen/arm: introduce create_domUs Stefano Stabellini
2018-07-16 16:10   ` Jan Beulich
2018-07-16 21:44     ` Stefano Stabellini
2018-07-24 13:53   ` Julien Grall
2018-07-28  2:42     ` Stefano Stabellini
2018-07-30 10:26       ` Julien Grall
2018-07-30 18:15         ` Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 20/21] xen: support console_switching between Dom0 and DomUs on ARM Stefano Stabellini
2018-07-16 16:19   ` Jan Beulich
2018-07-16 21:55     ` Stefano Stabellini
2018-07-17  6:37       ` Jan Beulich
2018-07-17 16:43         ` Stefano Stabellini
2018-07-18  6:41           ` Jan Beulich
2018-07-18 16:51             ` Stefano Stabellini
2018-07-17  8:40       ` Jan Beulich
2018-07-17 16:33         ` Stefano Stabellini
2018-07-17 20:29   ` Julien Grall
2018-07-18  7:12     ` Jan Beulich
2018-07-18 16:59       ` Julien Grall
2018-07-19  6:10         ` Jan Beulich
2018-07-19 17:18           ` Stefano Stabellini
2018-07-18 17:01       ` Stefano Stabellini
2018-07-18 20:37         ` George Dunlap
2018-07-17 20:34   ` Julien Grall
2018-07-18 17:31     ` Stefano Stabellini
2018-07-06 23:12 ` [PATCH v2 21/21] xen/arm: split domain_build.c Stefano Stabellini
2018-07-12 18:18 ` [PATCH v2 00/21] dom0less step1: boot multiple domains from device tree Julien Grall
2018-07-13 20:54   ` Stefano Stabellini
2018-07-18 16:48     ` Julien Grall
2018-07-18 17:48       ` Stefano Stabellini
2018-07-23 17:13         ` Julien Grall
2018-07-23 17:52           ` Stefano Stabellini
2018-07-23 17:14 ` Andrii Anisov
2018-07-23 17:55   ` Stefano Stabellini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=967a2077-36e9-3524-c5e9-73b48ec8913e@arm.com \
    --to=julien.grall@arm.com \
    --cc=George.Dunlap@eu.citrix.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=andrii_anisov@epam.com \
    --cc=dgdegra@tycho.nsa.gov \
    --cc=ian.jackson@eu.citrix.com \
    --cc=jbeulich@suse.com \
    --cc=nd@arm.com \
    --cc=sstabellini@kernel.org \
    --cc=stefanos@xilinx.com \
    --cc=tim@xen.org \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.