
Re: [PATCH v2 06/17] xen/xsm: Expand XSM_XS_PRIV for untargetable domains


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Jason Andryuk <jason.andryuk@xxxxxxx>
  • Date: Wed, 30 Jul 2025 17:36:57 -0400
  • Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 30 Jul 2025 21:37:12 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2025-07-30 11:19, Jan Beulich wrote:
On 16.07.2025 23:14, Jason Andryuk wrote:
Untargetable domains are currently hidden from the control domain -
e.g. xl list will not show them.  getdomaininfo fails on the
!is_hypercall_target() check in XSM_TARGET.  Add control domain to the
XSM_XS_PRIV check so it can pass.

This feels like a pretty gross abuse of XS_PRIV. It once again supports
my take that the level of granularity you want will require Flask. Or of
course you could also come up with a new access control mechanism, much
lighter-weight than Flask, but still not dummy nor SILO.

I considered a new XSM module, but it just seemed so close to the dummy policy. From my perspective the broad permissions of xsm_default_action() already implement the coarse permissions we need.

SILO works well because it builds on that and overrides a few hooks. A new XSM module would need to re-implement ~every hook since xsm_default_action() needs to change. So expanding xsm_default_action() seemed like a better approach to try.

As per my reply to an earlier patch - whether it is okay to prevent e.g.
"xl list" to see all domains is questionable as well. I'm not seeing
"interference" there.

Yes, hiding domains from xl list seemed like it was going too far. A system administrator should be able to see everything running on the system. That's why this patch allows it.

--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -87,7 +87,8 @@ static always_inline int xsm_default_action(
          fallthrough;
      case XSM_XS_PRIV:
          if ( action == XSM_XS_PRIV &&
-             evaluate_nospec(is_xenstore_domain(src)) )
+             (evaluate_nospec(is_xenstore_domain(src)) ||
+              is_control_domain(src)) )
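
Review bot: In the XSM_XS_PRIV case, the added is_control_domain(src) is OR-ed in outside the evaluate_nospec() call that wraps is_xenstore_domain(src); place the whole disjunction under a single evaluate_nospec(...) so the combined condition is evaluated as one unit. The case label also no longer describes what it admits: with this change any caller passing XSM_XS_PRIV to xsm_default_action() now succeeds for the control domain as well as the xenstore domain, so a comment at this case stating that widening and why it is wanted would help.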

Like in patch 2 (in is_priv_domain()), I think this wants collapsing the
two evaluate_nospec() into a single one.

Ok, thanks.

Regards,
Jason



 

