[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 1/2] xen/xsm: forbid PV guest console reads



On Mon, Sep 30, 2013 at 02:29:57PM -0400, Daniel De Graaf wrote:
> On 09/30/2013 02:06 PM, Konrad Rzeszutek Wilk wrote:
> >On Mon, Sep 30, 2013 at 01:29:00PM -0400, Daniel De Graaf wrote:
> >>On 09/30/2013 12:10 PM, Jan Beulich wrote:
> >>>>>>On 30.09.13 at 17:48, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote:
> >>>>When the hypervisor was compiled in debug mode (with VERBOSE defined),
> >>>>PV guests incorrectly had access to both read and write to the console.
> >>>>Change this to only allow write access; since such writes were limited
> >>>>by log levels in 48d50de8e0, remove the dependency on VERBOSE
> >>>>completely.
> >>>
> >>>I disagree, and iirc I disagreed already when you tried to drop the
> >>>dependency on VERBOSE with that earlier patch.
> >>>
> >>>>Reported-by: Jan Beulich <JBeulich@xxxxxxxx>
> >>>>Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> >>>>---
> >>>>
> >>>>Alternatively, if controlling writes with VERBOSE is still desired, the
> >>>>ifdef VERBOSE can be retained surrounding the if() with the following
> >>>>commit message:
> >>>>
> >>>>
> >>>
> >>>That's what I'd want to see go in.
> >>>
> >>>Jan
> >>
> >>This patch retains the existing behavior where only HVM guests can use
> >>the console for output, and only via the 0xE9 I/O port. With Konrad's
> >>Linux patch, this means that xen_raw_console_write in non-dom0 will
> >>produce output only on Xen <= 4.3 (which returns -ENOSYS rather than
> >>-EPERM, as this code does).
> >
> >I was under the impression that what we wanted is:
> >   - normal PV guests can do console_write
> >   - HVM guests can do console_write
> >   - priv guests (irregardless if they are HVM or PV) can do console_write
> >     _and_ console_read.
> >
> >Which I think the patch below still allows right?
> 
> All of your bullets are true if the hypervisor is compiled with VERBOSE
> (which is enabled if debug=y). Otherwise, only priv guests will be able
> to use console_write (and it won't matter if they are PV or HVM). Either
> way, only priv guests will be able to use console_read - which is the
> only thing the below patch actually changes.

Good! That is how it should be :-)
> 
> >>
> >>------------------------8<----------------------------------------------
> >>
> >>The CONSOLEIO_read operation was incorrectly allowed to PV guests if the
> >>hypervisor was compiled in debug mode (with VERBOSE defined).
> >>
> >>Reported-by: Jan Beulich <JBeulich@xxxxxxxx>
> >>Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> >>---
> >>  xen/include/xsm/dummy.h | 6 +++---
> >>  1 file changed, 3 insertions(+), 3 deletions(-)
> >>
> >>diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> >>index 2abf018..b1edd29 100644
> >>--- a/xen/include/xsm/dummy.h
> >>+++ b/xen/include/xsm/dummy.h
> >>@@ -233,10 +233,10 @@ static XSM_INLINE int xsm_console_io(XSM_DEFAULT_ARG 
> >>struct domain *d, int cmd)
> >>  {
> >>      XSM_ASSERT_ACTION(XSM_OTHER);
> >>  #ifdef VERBOSE
> >>-    return xsm_default_action(XSM_HOOK, current->domain, NULL);
> >>-#else
> >>-    return xsm_default_action(XSM_PRIV, current->domain, NULL);
> >>+    if ( cmd == CONSOLEIO_write )
> >>+        return xsm_default_action(XSM_HOOK, d, NULL);
> >>  #endif
> >>+    return xsm_default_action(XSM_PRIV, d, NULL);
> >>  }
> >>  static XSM_INLINE int xsm_profile(XSM_DEFAULT_ARG struct domain *d, int 
> >> op)
> >>
> >
> >
> 
> 
> -- 
> Daniel De Graaf
> National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.