[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v9 0/3] Adds starting the idle domain privileged

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Stefano Stabellini <sstabellini@xxxxxxxxxx>
Date: Fri, 1 Jul 2022 10:56:22 -0700 (PDT)
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx, christopher.clark@xxxxxxxxxx, dgdegra@xxxxxxxxxxxxx, julien@xxxxxxx, george.dunlap@xxxxxxxxxx, andrew.cooper3@xxxxxxxxxx, dfaggioli@xxxxxxxx, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Fri, 01 Jul 2022 17:56:44 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, 1 Jul 2022, Jan Beulich wrote:
> On 01.07.2022 00:35, Stefano Stabellini wrote:
> > On Wed, 29 Jun 2022, Daniel P. Smith wrote:
> >> This series makes it so that the idle domain is started privileged under 
> >> the
> >> default policy, which the SILO policy inherits, and under the flask 
> >> policy. It
> >> then introduces a new one-way XSM hook, xsm_transition_running, that is 
> >> hooked
> >> by an XSM policy to transition the idle domain to its running privilege 
> >> level.
> >>
> >> Patch 3 is an important one, as first it addresses the issue raised under 
> >> an
> >> RFC late last year by Jason Andryuk regarding the awkward entanglement of
> >> flask_domain_alloc_security() and flask_domain_create(). Second, it helps
> >> articulate why it is that the hypervisor should go through the access 
> >> control
> >> checks, even when it is doing the action itself. The issue at hand is not 
> >> that
> >> the hypervisor could be influenced to go around these check. The issue is 
> >> these
> >> checks provides a configurable way to express the execution flow that the
> >> hypervisor should enforce. Specifically with this change, it is now 
> >> possible
> >> for an owner of a dom0less or hyperlaunch system to express a policy where 
> >> the
> >> hypervisor will enforce that no dom0 will be constructed, regardless of 
> >> what
> >> boot construction details were provided to it. Likewise, an owner that 
> >> does not
> >> want to see dom0less or hyperlaunch to be used can enforce that the 
> >> hypervisor
> >> will only construct a dom0 domain. This can all be accomplished without the
> >> need to rebuild the hypervisor with these features enabled or disabled.
> > 
> > 
> > It looks like this patch series is fully acked except:
> > - in theory we need an ack from Daniel for flask
> > - there is a very small change to sched that would need an ack from
> >   George/Dario
> 
> I don't think I've seen any R-b for the last patch.

Good point. I hope you'll be happy to give your Reviewed-by or Acked-by
to the next version with the minor comments fixed.

References:
- Re: [PATCH v9 0/3] Adds starting the idle domain privileged
  - From: Jan Beulich

Prev by Date: Re: [XEN PATCH v3 25/25] tools: Remove -Werror everywhere else
Next by Date: Re: [PATCH 2/2] xen/heap: pass order to free_heap_pages() in heap init
Previous by thread: Re: [PATCH v9 0/3] Adds starting the idle domain privileged
Next by thread: [xen-unstable-smoke test] 171430: tolerable all pass - PUSHED
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.