
Re: [Xen-devel] [PATCH 06/19] xen: use XSM instead of IS_PRIV where duplicated



On Fri, 2012-11-16 at 18:28 +0000, Daniel De Graaf wrote:
> The Xen hypervisor has two basic access control function calls: IS_PRIV
> and the xsm_* functions. Most privileged operations currently require
> that both checks succeed, and many times the checks are at different
> locations in the code. This patch eliminates the explicit and implicit
> IS_PRIV checks that are duplicated in XSM hooks.

The downside is that you lose some context in the hypercall
implementation, i.e. the hint about whether a hypercall is available
only to the toolstack, or to only stubdomains or more generally to all
guests etc which is useful to have in front of you when changing the
code.

IOW I worry that we may end up introducing bugs due to hiding this
context away behind the xsm wrapper, e.g. you think a function is
privileged guest only but actually it is guest accessible.

I wonder if there is any way we can get the benefits of this change
without this downside?

Perhaps in the name of the hook? e.g. For each existing xsm_<foo> we
instead define exactly one of xsm_guest_<foo>, xsm_stubdom_<foo> or
xsm_priv_<foo>. This might also let us define some macros for use in
dummy.[ch] which simultaneously construct the correct function name and
include the appropriate boilerplate perm check thus ensuring they don't
get out of sync.

> Some checks are removed due to non-obvious duplicates in their callers:

If the duplicates are non-obvious wouldn't it be better to keep them as
a belt-and-braces measure?

Ian.
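
One way the naming scheme proposed above could be made concrete, as an added example that is not Xen's own XSM or dummy.[ch] code: the privilege class (guest, stubdom, priv) is baked into the generated hook name and into the check in its body by the same macro, so the name at the call site and the permission check cannot drift apart. The `struct domain` model, the hook names and the sample callers are hypothetical stand-ins, not Xen's real types or domain ids.

```c
#include <errno.h>
#include <stdbool.h>

/* Hypothetical model of a calling domain; a stand-in for Xen's struct domain. */
struct domain {
    unsigned int domid;
    bool is_privileged;   /* the control domain / toolstack */
    bool is_stubdom;      /* a device-model stub domain */
};

/*
 * Macro-generated default ("dummy") hooks. The privilege class is part of
 * the generated function name AND of the check in its body, so what a
 * reviewer reads at the call site cannot get out of sync with the check.
 */
#define XSM_GUEST_HOOK(name)                                          \
    static inline int xsm_guest_##name(const struct domain *d)        \
    { (void)d; return 0; }

#define XSM_STUBDOM_HOOK(name)                                        \
    static inline int xsm_stubdom_##name(const struct domain *d)      \
    { return (d->is_privileged || d->is_stubdom) ? 0 : -EPERM; }

#define XSM_PRIV_HOOK(name)                                           \
    static inline int xsm_priv_##name(const struct domain *d)         \
    { return d->is_privileged ? 0 : -EPERM; }

/* Each hook is defined exactly once, in exactly one class (illustrative names). */
XSM_GUEST_HOOK(console_io)      /* any guest writing to its own console */
XSM_STUBDOM_HOOK(ioport_map)    /* device models need this, plain guests do not */
XSM_PRIV_HOOK(domain_create)    /* toolstack only */

/* Hypercall bodies: the hook name alone tells the reader who may reach here.
 * 0 means the operation would proceed; -EPERM means the caller is refused. */
int do_console_io(const struct domain *c)    { return xsm_guest_console_io(c); }
int do_ioport_map(const struct domain *c)    { return xsm_stubdom_ioport_map(c); }
int do_domain_create(const struct domain *c) { return xsm_priv_domain_create(c); }

/* Constructed sample callers (ids are made up, not real Xen domain ids). */
const struct domain dom0    = { .domid = 0, .is_privileged = true,  .is_stubdom = false };
const struct domain stubdom = { .domid = 5, .is_privileged = false, .is_stubdom = true  };
const struct domain domu    = { .domid = 7, .is_privileged = false, .is_stubdom = false };
```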


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
