|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v2 1/3] xsm/xen_version: Add XSM for the xen_version hypercall.
>>> On 06.11.15 at 20:36, <konrad.wilk@xxxxxxxxxx> wrote:
> All of XENVER_* have now an XSM check.
>
> The subops for XENVER_[compile_info|changeset|commandline|
> extraversion] are now priviliged operations. To not break
> guests we still return an string - but it is just '<denied>'.
And I continue to question at least the extraversion part.
> The rest: XENVER_[version|capabilities|
> parameters|get_features|page_size|guest_handle] behave
> as before - allowed by default for all guests.
>
> This is with the XSM default policy and with the dummy ones.
And with a non-default policy you now ignore one of the latter
ops to also get denied.
> @@ -354,10 +356,17 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void)
> arg)
> return 0;
>
> case XENVER_commandline:
> - if ( copy_to_guest(arg, saved_cmdline, ARRAY_SIZE(saved_cmdline)) )
> + {
> + size_t len = ARRAY_SIZE(saved_cmdline);
> +
> + if ( deny )
> + len = strlen(xen_deny());
+1 (or else you fail to nul-terminate the output).
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |