All of lore.kernel.org
 help / color / mirror / Atom feed
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Jan Beulich <JBeulich@suse.com>, Zhongze Liu <blackskygg@gmail.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>,
	Julien Grall <julien.grall@arm.com>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Wei Liu <wei.liu2@citrix.com>,
	xen-devel@lists.xen.org
Subject: Re: [PATCH v3 2/7] xsm: flask: change the dummy xsm policy and flask hook for map_gmfn_foregin
Date: Thu, 19 Oct 2017 13:36:30 -0400	[thread overview]
Message-ID: <f3e12d04-ffcb-fe4a-4666-d147b292d141@tycho.nsa.gov> (raw)
In-Reply-To: <59E8AF7A020000780018815A@prv-mh.provo.novell.com>

On 10/19/2017 07:58 AM, Jan Beulich wrote:
>>>> On 19.10.17 at 04:36, <blackskygg@gmail.com> wrote:
>> --- a/xen/include/xsm/dummy.h
>> +++ b/xen/include/xsm/dummy.h
>> @@ -516,7 +516,8 @@ static XSM_INLINE int xsm_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1,
>>   static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
>>   {
>>       XSM_ASSERT_ACTION(XSM_TARGET);
>> -    return xsm_default_action(action, d, t);
>> +    return xsm_default_action(action, current->domain, d) ?:
>> +        xsm_default_action(action, current->domain, t);
>>   }
> 
> When all three domains are different, how does the changed
> policy reflect the original "d has privilege over t" requirement?
> I understand you want to relax the current condition, but this
> shouldn't come at the price of granting access when access
> should be denied. Nor the inverse - the current domain not
> having privilege over both does also not mean d doesn't have
> the necessary privilege over t.
> 
> I continue to think that you can't validly retrofit the new
> intended functionality onto the existing hypercall, even if
> nothing except the permission check needs to be different.
> 
> Jan

If this operation is going to be allowed at all (and I agree it has
valid use cases), then there won't be a privilege relationship between
(d) and (t) to check - they'll both be (somewhat related) domUs as far
as Xen can tell.  If this hypercall isn't used, adding a new hypercall
(subop) is the only way I'd see to do it - and that seems very redundant
as it'd need to do all the same checks except for the one about the
relationship between (d) and (t).  I don't see the reason why the
existing hypercall should deny being used for that purpose once it's
possible using other means.

The only possible problem that springs to mind is a restricted kernel
interface (such as the one used by QEMU in dom0 that restricts to a
single target domain) that now doesn't realize it's relaying an
operation that also requires permission over (t) after only checking
that the origin is allowed to modify (d).

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

  reply	other threads:[~2017-10-19 17:36 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-19  2:36 [PATCH v3 0/7] Allow setting up shared memory areas between VMs from xl config files Zhongze Liu
2017-10-19  2:36 ` [PATCH v3 1/7] libxc: add xc_domain_remove_from_physmap to wrap XENMEM_remove_from_physmap Zhongze Liu
2017-10-31 12:40   ` Wei Liu
2017-10-19  2:36 ` [PATCH v3 2/7] xsm: flask: change the dummy xsm policy and flask hook for map_gmfn_foregin Zhongze Liu
2017-10-19 11:58   ` Jan Beulich
2017-10-19 17:36     ` Daniel De Graaf [this message]
2017-10-20  6:14       ` Jan Beulich
2017-10-20 13:34         ` Daniel De Graaf
2017-10-22 11:21           ` Zhongze Liu
2017-10-23  7:26             ` Jan Beulich
2017-10-23  9:54               ` Zhongze Liu
2017-10-25  9:37                 ` Zhongze Liu
2017-10-25 15:36                   ` Zhongze Liu
2017-10-26  6:41                   ` Jan Beulich
2017-10-19 17:36   ` Daniel De Graaf
2017-10-20  0:34     ` Zhongze Liu
2017-10-20  0:55       ` Zhongze Liu
2017-10-20 13:02         ` Daniel De Graaf
2017-10-19  2:36 ` [PATCH v3 3/7] libxl: introduce a new structure to represent static shared memory regions Zhongze Liu
2017-10-31 12:48   ` Wei Liu
2017-10-19  2:36 ` [PATCH v3 4/7] libxl: support mapping static shared memory areas during domain creation Zhongze Liu
2017-11-01 15:55   ` Wei Liu
2017-11-09  0:48     ` Zhongze Liu
2017-10-19  2:36 ` [PATCH v3 5/7] libxl: support unmapping static shared memory areas during domain destruction Zhongze Liu
2017-11-01 15:55   ` Wei Liu
2017-11-09  2:06     ` Zhongze Liu
2017-11-09  2:10       ` Zhongze Liu
2017-10-19  2:36 ` [PATCH v3 6/7] libxl:xl: add parsing code to parse "libxl_static_sshm" from xl config files Zhongze Liu
2017-10-19  2:36 ` [PATCH v3 7/7] docs: documentation about static shared memory regions Zhongze Liu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f3e12d04-ffcb-fe4a-4666-d147b292d141@tycho.nsa.gov \
    --to=dgdegra@tycho.nsa.gov \
    --cc=JBeulich@suse.com \
    --cc=blackskygg@gmail.com \
    --cc=ian.jackson@eu.citrix.com \
    --cc=julien.grall@arm.com \
    --cc=sstabellini@kernel.org \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.