All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jan Beulich <jbeulich@suse.com>
To: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: Jason Andryuk <jandryuk@gmail.com>,
	xen-devel <xen-devel@lists.xenproject.org>,
	Scott Davis <scott.davis@starlab.io>,
	Daniel De Graaf <dgdegra@tycho.nsa.gov>,
	"Daniel P. Smith" <dpsmith@apertussolutions.com>
Subject: Re: [PATCH 1/2] xsm: add ability to elevate a domain to privileged
Date: Wed, 6 Apr 2022 10:48:23 +0200	[thread overview]
Message-ID: <dd4fce17-2625-603b-25d5-3a586a682210@suse.com> (raw)
In-Reply-To: <Yk1Ta9ujHBuj+svN@Air-de-Roger>

On 06.04.2022 10:46, Roger Pau Monné wrote:
> On Wed, Apr 06, 2022 at 09:06:59AM +0200, Jan Beulich wrote:
>> On 05.04.2022 19:17, Jason Andryuk wrote:
>>> On Mon, Apr 4, 2022 at 11:34 AM Daniel P. Smith <dpsmith@apertussolutions.com> wrote:
>>>> On 3/31/22 09:16, Jason Andryuk wrote:
>>>>> For the default policy, you could start by creating the system domains
>>>>> as privileged and just have a single hook to drop privs.  Then you
>>>>> don't have to worry about the "elevate" hook existing.  The patch 2
>>>>> asserts could instead become the location of xsm_drop_privs calls to
>>>>> have a clear demarcation point.  That expands the window with
>>>>> privileges though.  It's a little simpler, but maybe you don't want
>>>>> that.  However, it seems like you can only depriv once for the Flask
>>>>> case since you want it to be one-way.
>>>>
>>>> This does simplify the solution and since today we cannot differentiate
>>>> between hypervisor setup and hypervisor initiated domain construction
>>>> contexts, it does not run counter to what I have proposed. As for flask,
>>>> again I do not believe codifying a domain transition bound to a new XSM
>>>> op is the appropriate approach.
>>>
>>> This hard coded domain transition does feel a little weird.  But it
>>> seems like a natural consequence of trying to use Flask to
>>> deprivilege.  I guess the transition could be behind a
>>> dom0less/hyperlaunch Kconfig option.  I just don't see a way around it
>>> in some fashion with Flask enforcing.
>>>
>>> Another idea: Flask could start in permissive and only transition to
>>> enforcing at the deprivilege point.  Kinda gross, but it works without
>>> needing a transition.
>>
>> I don't think that would be right. Logically such behavior ought to be
>> mirrored to SILO, and I'll take that for the example for being the
>> simpler model: Suppose an admin wants to disallow communication
>> between DomU-s created by Xen. Such would want enforcing when creating
>> those DomU-s, despite the creator (Xen) being all powerful. If the
>> device tree information said something different (e.g. directing for
>> an event channel to be established between two such DomU-s), this
>> should be flagged as an error, not be silently permitted.
> 
> I could also see this argument the other way around: what if an admin
> wants to disallow domUs freely communicating between them, but would
> still like some controlled domU communication to be possible by
> setting up those channels at domain creation?

Well, imo that would require a proper (Flask) policy then, not SILO mode.

Jan



  reply	other threads:[~2022-04-06  8:48 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-30 23:05 [PATCH 0/2] Introduce XSM ability for domain privilege escalation Daniel P. Smith
2022-03-30 23:05 ` [PATCH 1/2] xsm: add ability to elevate a domain to privileged Daniel P. Smith
2022-03-31 12:36   ` Roger Pau Monné
2022-04-01 17:52     ` Julien Grall
2022-04-04  8:08       ` Roger Pau Monné
2022-04-04 12:24         ` Jan Beulich
2022-04-04 14:21     ` Daniel P. Smith
2022-04-04 15:12       ` Roger Pau Monné
2022-04-04 15:17         ` Jan Beulich
2022-04-04 16:08         ` Daniel P. Smith
2022-04-05  7:42           ` Roger Pau Monné
2022-04-05 12:06             ` Daniel P. Smith
2022-04-05 15:01               ` Roger Pau Monné
2022-03-31 13:16   ` Jason Andryuk
2022-04-04 15:33     ` Daniel P. Smith
2022-04-05 17:17       ` Jason Andryuk
2022-04-05 19:05         ` Daniel P. Smith
2022-04-06  7:06         ` Jan Beulich
2022-04-06  8:46           ` Roger Pau Monné
2022-04-06  8:48             ` Jan Beulich [this message]
2022-04-06  9:09               ` Roger Pau Monné
2022-04-06  9:16                 ` Jan Beulich
2022-04-06  9:40                   ` Roger Pau Monné
2022-04-06 12:31           ` Jason Andryuk
2022-04-01 17:53   ` Julien Grall
2022-03-30 23:05 ` [PATCH 2/2] arch: ensure idle domain is not left privileged Daniel P. Smith
2022-03-31 12:46   ` Roger Pau Monné
2022-03-31 12:54     ` Julien Grall
2022-03-31 20:30       ` Stefano Stabellini
2022-04-04 14:56     ` Daniel P. Smith
2022-04-05  8:26   ` Jan Beulich
2022-04-05 12:24     ` Daniel P. Smith

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=dd4fce17-2625-603b-25d5-3a586a682210@suse.com \
    --to=jbeulich@suse.com \
    --cc=dgdegra@tycho.nsa.gov \
    --cc=dpsmith@apertussolutions.com \
    --cc=jandryuk@gmail.com \
    --cc=roger.pau@citrix.com \
    --cc=scott.davis@starlab.io \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.