[Xen-devel] [PATCH v2] Merge IS_PRIV checks into XSM hooks

Overall, this series should not change the behavior of Xen when XSM is not enabled; however, in some cases, the exact errors that are returned will be different because security checks have been moved below validity checks. Also, once applied, newly introduced domctls and sysctls will not automatically be guarded by IS_PRIV checks - they will need to add their own permission checking code.

Background: The Xen hypervisor has two basic access control function calls: IS_PRIV and the xsm_* functions. Most privileged operations currently require that both checks succeed, and many times the checks are at different locations in the code. When performing dom0 disaggregation, many of the functions normally protected with IS_PRIV are handled by domains other than dom0. This requires either making all such disaggregated domains privileged, or allowing certain operations to be performed without an IS_PRIV check. Because the privileged bit also short-circuits the IS_PRIV_FOR check, and some IS_PRIV calls do not currently have an accompanying XSM call, this series implements the second option.

Once applied, most IS_PRIV checks are isolated in the newly introduced xen/include/xsm/dummy.h header. The remaining checks cover a few areas that have some reason to remain because they involve hardware access or workarounds:

1. Overriding the IRQ and IO memory access checks (arch/x86/domctl.c). These overrides should not be needed, as dom0 should have access without needing the override.
2. Allow MAP_PIRQ_TYPE_GSI to ignore domain_pirq_to_irq negative return
3. The hack for device model framebuffers in get_page_from_l1e
4. Installing maps of non-owned pages in shadow_get_page_from_l1e
5. PCI configuration space (arch/x86/traps.c). Allowing a PV Linux domU to access the PCI configuration space is a good way to crash the system as it reconfigures PCI devices during boot, so this needs to remain to get a working system when FLASK is in permissive mode.
6. Various MSR accesses (arch/x86/traps.c)

The ARM architecture is not touched at all in these patches. The only obvious breakage that I can see is due to rcu_lock_target_domain_by_id being removed, but XSM hooks will be needed for domctls and sysctls. The rcu_lock_target_domain_by_id and rcu_lock_remote_target_domain_by_id functions are removed by this series because they act as wrappers around IS_PRIV_FOR; their callers have been changed to use XSM checks instead.

Miscellaneous updates to FLASK:
[PATCH 01/20] xsm/flask: remove inherited class attributes
[PATCH 02/20] xsm/flask: remove unneeded create_sid field
[PATCH 03/20] xen: Add versions of rcu_lock_*_domain without IS_PRIV
[PATCH 04/20] xsm/flask: add domain relabel support
[PATCH 05/20] libxl: introduce XSM relabel on build
[PATCH 06/20] flask/policy: Add domain relabel example

Preparatory new hooks:
[PATCH 07/20] arch/x86: add distinct XSM hooks for map/unmap
[PATCH 08/20] arch/x86: add missing XSM checks to XENPF_ commands
[PATCH 09/20] xsm/flask: Add checks on the domain performing the

Refactoring:
[PATCH 10/20] xsm: Add IS_PRIV checks to dummy XSM module
[PATCH 11/20] xen: use XSM instead of IS_PRIV where duplicated
[PATCH 12/20] xen: avoid calling rcu_lock_*target_domain when an XSM

Remaining IS_PRIV calls:
[PATCH 13/20] arch/x86: Add missing domctl and mem_sharing XSM hooks
[PATCH 14/20] tmem: Add access control check
[PATCH 17/20] arch/x86: use XSM hooks for get_pg_owner access checks
[PATCH 18/20] xen: Add XSM hook for XENMEM_exchange

Cleanup, FLASK updates to support IS_PRIV emulation:
[PATCH 15/20] xsm: remove unneeded xsm_call macro
[PATCH 16/20] xsm/flask: add distinct SIDs for self/target access
[PATCH 19/20] xen: remove rcu_lock_{remote_,}target_domain_by_id
[PATCH 20/20] flask: add missing operations

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
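An added toy model (not code from this series or from Xen) of the pattern the cover letter describes: IS_PRIV and IS_PRIV_FOR are moved out of the individual callers into a single dummy-module decision, so a domctl does its validity check first and then one XSM check. The struct domain, the enum values XSM_HOOK/XSM_TARGET/XSM_PRIV, xsm_default_action, toy_domctl and scenario are all assumptions made for this illustration, not Xen identifiers; it also shows the error-code change the letter warns about (-ESRCH for a bad domid now comes before -EPERM).

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Toy domain privilege state (assumption: not Xen's real struct domain). */
struct domain {
    int domid;
    bool is_privileged;     /* the "privileged bit" that IS_PRIV tests */
    struct domain *target;  /* device-model target domain, for IS_PRIV_FOR */
};
/* IS_PRIV / IS_PRIV_FOR as the cover letter describes them: the privileged
 * bit short-circuits the IS_PRIV_FOR target check. */
static bool is_priv(const struct domain *d) { return d->is_privileged; }
static bool is_priv_for(const struct domain *d, const struct domain *t)
{ return is_priv(d) || (d->target != NULL && d->target == t); }

/* Default actions of a dummy XSM hook, modelling the role of the new
 * xen/include/xsm/dummy.h: the IS_PRIV logic lives here, not in callers. */
enum xsm_default { XSM_HOOK, XSM_TARGET, XSM_PRIV };
static int xsm_default_action(enum xsm_default a, const struct domain *src, const struct domain *t)
{
    switch (a) {
    case XSM_HOOK:   return 0;                          /* no privilege needed */
    case XSM_TARGET: return is_priv_for(src, t) ? 0 : -EPERM;
    case XSM_PRIV:   return is_priv(src) ? 0 : -EPERM;
    }
    return -EPERM;
}

/* Domctl-style operation after the series: look the target up, then make the
 * single XSM check. Validity precedes permission, so a bad domid yields -ESRCH
 * even for an unprivileged caller, while a permission failure yields -EPERM. */
static int toy_domctl(const struct domain *caller, struct domain *doms, int n, int domid)
{
    struct domain *d = NULL;
    for (int i = 0; i < n; i++)
        if (doms[i].domid == domid) d = &doms[i];
    if (d == NULL) return -ESRCH;
    return xsm_default_action(XSM_TARGET, caller, d);  /* 0 means proceed */
}

/* Constructed sample: dom0 privileged, dom1 a plain guest, dom2 a device-model
 * domain targeting dom1. Returns toy_domctl's result for caller -> domid. */
int scenario(int caller_id, int domid)
{
    struct domain doms[3] = { {0, true, NULL}, {1, false, NULL}, {2, false, NULL} };
    doms[2].target = &doms[1];
    for (int i = 0; i < 3; i++)
        if (doms[i].domid == caller_id) return toy_domctl(&doms[i], doms, 3, domid);
    return -EINVAL;
}
```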