From: Keir Fraser
Subject: Re: [PATCH 03/18] xsm: allow use of XEN_DOMCTL_getdomaininfo by non-IS_PRIV domains
Date: Wed, 11 Jan 2012 17:49:14 +0000
To: Daniel De Graaf , xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On 11/01/2012 17:27, "Keir Fraser" wrote:

> On 11/01/2012 17:21, "Daniel De Graaf" wrote:
>
>> This domctl does not allow manipulation of domains, only basic
>> information such as size and state. XSM modules can also provide
>> fine-grained control over what domains are visible to domains that call
>> getdomaininfo.
>
> Well there's a reason we might not disallow the hypercall. But why would we
> actually care to allow it?

Ah, I've now seen patch 00/18, so this is for xenstore stubdom. Also this applies only to the XSM-enabled case, and just allows you to get as far as the finer-grained xsm_getdomaininfo() check. Somehow I got the ifdef the wrong way round in my head! Okay, makes a lot of sense.

However, if the dummy xsm module is supposed to behave very similarly to a !XSM_ENABLE build (which is what I personally would expect), then I think dummy_getdomaininfo() should be changed to return 0 only when IS_PRIV(current->domain). This of course will require a 'proper' XSM setup to be able to use the xenstore stubdom, but probably setting eg XSM/Flask should be a core part of setting up such a hardened Xen host anyway.

 -- Keir

> -- Keir
>
>> Signed-off-by: Daniel De Graaf
>> --- >> xen/common/domctl.c | 4 ++++ >> 1 files changed, 4 insertions(+), 0 deletions(-) >> >> diff --git a/xen/common/domctl.c b/xen/common/domctl.c >> index a775aa3..2c1ca85 100644 >> --- a/xen/common/domctl.c
>> +++ b/xen/common/domctl.c >> @@ -263,6 +263,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domctl_t) u_domctl) >> return -EPERM; >> break; >> } >> +#ifdef XSM_ENABLE >> + case XEN_DOMCTL_getdomaininfo: >> + break; >> +#endif >> default: >> if ( !IS_PRIV(current->domain) ) >> return -EPERM; > >
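Review bot: The new `case XEN_DOMCTL_getdomaininfo: break;` arm under `#ifdef XSM_ENABLE` skips the `IS_PRIV(current->domain)` test that the `default:` arm applies, so in an XSM build the only remaining gate for an unprivileged caller is the later xsm_getdomaininfo() hook, and the patch does not show what the dummy module's dummy_getdomaininfo() returns. If the dummy module permits the call unconditionally, an XSM build without a loaded policy would expose domain size and state to every domain, unlike a !XSM_ENABLE build; either make the dummy hook return 0 only when IS_PRIV(current->domain), as suggested in the reply, or document that a real policy such as Flask is required. A short comment on the new case saying that the privilege decision is deliberately deferred to the XSM hook would also help, since a bare `break` in an access-check switch reads like an oversight.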