[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] common: don't require use of DOMID_SELF


  • To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Thu, 14 Jan 2021 15:01:07 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1jCh94g6oZvKC5v97eK4sFOl++geGsWjx4TERsIiFmo=; b=ISaW9b5LyH/IUzvnaoJvuD3ZEE3IHgGSPLlh99Ke8e6OnFK+Mvw7IZ44W0yQY/M1PKXH7MP2OCTTvoYKPTneWWJ/dtGj5NgHaVksIyB15a/AfFZHRkqCy5hwUSpsjldPpNnLOGsQAzT+j8MuXHuHGBwNM/hO+eiPWj2TzWXIxm8KmoQLVHitT3F5mXKTi6AcoHizgsBoRE2GXiQS98whPzU07WEv+3Vl6mb68S1dTc6PuhPZPA7jAmJslH0xY1vFcFEbjeYBn4jTEb6ZHA9WEXYcZ+oX+Ax+uJcP0ThJhbuy7mQyLPMe8ZWlTSUdwVEl5RYB32ueLmgnyZgAxN5+sQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gLC+6MBASQ+/VH7sWbkCqnXK0B9bsH6YKVaUlTWQs/rf5FoGTnFLnUanyg2HrvRISbrXGrjm2Bdr/luev2BuiAc9TJ7FxDzOciMFkm3SgHU8HnU9RaFlklm8KoMVMyeegjmnlt3XGzTU2RDPWyHZ8lBQTP9SXyQaIStlnNMfpg3oNKoo9Psehq1xOPpAuhaAycxBw1torik+bg/EXC3oijGZ4JAEPRE9qCVmx1wLFBhUXoiELo95ws8Z2K1NMwvSp0NWqhSfKHWju6GPqr1Q4E+Lz3swsZmUVtugJzG7gpzsaTntIhhTiGOVWKEvsJ7MH4Hpy9boylvoeSKfMeLtXQ==
  • Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Thu, 14 Jan 2021 15:01:35 +0000
  • Ironport-sdr: hvASdtkYzqflHYWubjnAin6kyGYzgPhDAXEt2XwaTiP/uB3D39npFVgzn08HuNaI9lEWbjrmmF /LyHhjvb/LCVgSyVe2hTlJ0R/BR4k24zGlpzYMYr4R/qhtjf6Axc29B/hjrjYpJddJPVj6Bkab L9b+EPV1bKv1jH3Lfkshl3KDsgiieg2Etc5mAni54LZ24XP743awiNthuDw3pPYghXPTYbZoYD lgJnyyZxfjhW4RXT51gB0rn9C7o06wC+Skf6pnOzOGgbBhS1QTMgHA1WqFN5VqmtZDGeZLmE// 8x0=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 14/01/2021 14:02, Jan Beulich wrote:
> It's not overly difficult for a domain to figure out its ID, so
> requiring the use of DOMID_SELF in a very limited set of places isn't
> really helpful towards keeping the ID opaque to the guest.
>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>
> --- a/xen/common/grant_table.c
> +++ b/xen/common/grant_table.c
> @@ -2776,15 +2776,19 @@ struct gnttab_copy_buf {
>  static int gnttab_copy_lock_domain(domid_t domid, bool is_gref,
>                                     struct gnttab_copy_buf *buf)
>  {
> -    /* Only DOMID_SELF may reference via frame. */
> -    if ( domid != DOMID_SELF && !is_gref )
> -        return GNTST_permission_denied;
> -
>      buf->domain = rcu_lock_domain_by_any_id(domid);
>  
>      if ( !buf->domain )
>          return GNTST_bad_domain;
>  
> +    /* Only the local domain may reference via frame. */
> +    if ( buf->domain != current->domain && !is_gref )
> +    {
> +        rcu_unlock_domain(buf->domain);
> +        buf->domain = NULL;
> +        return GNTST_permission_denied;
> +    }

In this case, it's also a weird asymmetry where this is one grant table
operation which a privileged domain can't issue on behalf of an
unprivileged one.

> +
>      buf->ptr.domid = domid;
>  
>      return GNTST_okay;
> --- a/xen/common/page_alloc.c
> +++ b/xen/common/page_alloc.c
> @@ -2566,13 +2566,7 @@ __initcall(register_heap_trigger);
>  
>  struct domain *get_pg_owner(domid_t domid)
>  {
> -    struct domain *pg_owner = NULL, *curr = current->domain;
> -
> -    if ( unlikely(domid == curr->domain_id) )
> -    {
> -        gdprintk(XENLOG_WARNING, "Cannot specify itself as foreign 
> domain\n");
> -        goto out;
> -    }
> +    struct domain *pg_owner;

I'm not sure this is correct.

It isn't a DOMID_SELF check.  It's a "confirm the nominated domid is
remote" check, and I don't see all the callers of this interface having
appropriate checks to prohibit trying to do a foreign operation on
oneself, however they specify the foreign domid.

~Andrew



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.