[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [BUG v2] common/domctl: xsm update for get_domain_state access

To: Jason Andryuk <jason.andryuk@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 23 Feb 2026 14:06:08 -0500
Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1771873572; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=k8MYDNYCfZAeLkeED8Y20w4FpWY+mPctCe9JrfHHJ+g=; b=crb2tdft9QOUaiqmcvjePInv2Am7h+MGaFWCF9qvP17puWEFkmq1VITLBtGEv8BQnmgGBEHJc/fwIQfbApwzWeYv0iPDI3tCJaRx3kug/o4hK/doHdJ2mnO2M0PuN8JQdtRjBI4G0CTRftOyCMCDckojygGgs1ejCbDYogL5KVY=
Arc-seal: i=1; a=rsa-sha256; t=1771873572; cv=none; d=zohomail.com; s=zohoarc; b=E2rqNKuo9tSP8cf2aF7BPj2m7f4i+KdP+rTrc+mWxAO/PD1hKDOB1tLbS4EUjK7CTBqApIrMS8f4MVmsg/Kh9Q+RW8AKDuUIZ9zvwM1tDAQmnnZQrEX+xHHSizR0+QnGnal8n7LWAqhMxX5KZUjL6ouPh2w+LNTp+lzJQ697G4o=
Autocrypt: addr=dpsmith@xxxxxxxxxxxxxxxxxxxx; keydata= xsJuBFYrueARCACPWL3r2bCSI6TrkIE/aRzj4ksFYPzLkJbWLZGBRlv7HQLvs6i/K4y/b4fs JDq5eL4e9BdfdnZm/b+K+Gweyc0Px2poDWwKVTFFRgxKWq9R7McwNnvuZ4nyXJBVn7PTEn/Z G7D08iZg94ZsnUdeXfgYdJrqmdiWA6iX9u84ARHUtb0K4r5WpLUMcQ8PVmnv1vVrs/3Wy/Rb foxebZNWxgUiSx+d02e3Ad0aEIur1SYXXv71mqKwyi/40CBSHq2jk9eF6zmEhaoFi5+MMMgX X0i+fcBkvmT0N88W4yCtHhHQds+RDbTPLGm8NBVJb7R5zbJmuQX7ADBVuNYIU8hx3dF3AQCm 601w0oZJ0jGOV1vXQgHqZYJGHg5wuImhzhZJCRESIwf+PJxik7TJOgBicko1hUVOxJBZxoe0 x+/SO6tn+s8wKlR1Yxy8gYN9ZRqV2I83JsWZbBXMG1kLzV0SAfk/wq0PAppA1VzrQ3JqXg7T MZ3tFgxvxkYqUP11tO2vrgys+InkZAfjBVMjqXWHokyQPpihUaW0a8mr40w9Qui6DoJj7+Gg DtDWDZ7Zcn2hoyrypuht88rUuh1JuGYD434Q6qwQjUDlY+4lgrUxKdMD8R7JJWt38MNlTWvy rMVscvZUNc7gxcmnFUn41NPSKqzp4DDRbmf37Iz/fL7i01y7IGFTXaYaF3nEACyIUTr/xxi+ MD1FVtEtJncZNkRn7WBcVFGKMAf+NEeaeQdGYQ6mGgk++i/vJZxkrC/a9ZXme7BhWRP485U5 sXpFoGjdpMn4VlC7TFk2qsnJi3yF0pXCKVRy1ukEls8o+4PF2JiKrtkCrWCimB6jxGPIG3lk 3SuKVS/din3RHz+7Sr1lXWFcGYDENmPd/jTwr1A1FiHrSj+u21hnJEHi8eTa9029F1KRfocp ig+k0zUEKmFPDabpanI323O5Tahsy7hwf2WOQwTDLvQ+eqQu40wbb6NocmCNFjtRhNZWGKJS b5GrGDGu/No5U6w73adighEuNcCSNBsLyUe48CE0uTO7eAL6Vd+2k28ezi6XY4Y0mgASJslb NwW54LzSSM0uRGFuaWVsIFAuIFNtaXRoIDxkcHNtaXRoQGFwZXJ0dXNzb2x1dGlvbnMuY29t PsJ6BBMRCAAiBQJWK7ngAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBTc6WbYpR8 KrQ9AP94+xjtFfJ8gj5c7PVx06Zv9rcmFUqQspZ5wSEkvxOuQQEAg6qEsPYegI7iByLVzNEg 7B7fUG7pqWIfMqFwFghYhQzOwU0EViu54BAIAL6MXXNlrJ5tRUf+KMBtVz1LJQZRt/uxWrCb T06nZjnbp2UcceuYNbISOVHGXTzu38r55YzpkEA8eURQf+5hjtvlrOiHxvpD+Z6WcpV6rrMB kcAKWiZTQihW2HoGgVB3gwG9dCh+n0X5OzliAMiGK2a5iqnIZi3o0SeW6aME94bSkTkuj6/7 OmH9KAzK8UnlhfkoMg3tXW8L6/5CGn2VyrjbB/rcrbIR4mCQ+yCUlocuOjFCJhBd10AG1IcX OXUa/ux+/OAV9S5mkr5Fh3kQxYCTcTRt8RY7+of9RGBk10txi94dXiU2SjPbassvagvu/hEi twNHms8rpkSJIeeq0/cAAwUH/jV3tXpaYubwcL2tkk5ggL9Do+/Yo2WPzXmbp8vDiJPCvSJW rz2NrYkd/RoX+42DGqjfu8Y04F9XehN1zZAFmCDUqBMa4tEJ7kOT1FKJTqzNVcgeKNBGcT7q 27+wsqbAerM4A0X/F/ctjYcKwNtXck1Bmd/T8kiw2IgyeOC+cjyTOSwKJr2gCwZXGi5g+2V8 NhJ8n72ISPnOh5KCMoAJXmCF+SYaJ6hIIFARmnuessCIGw4ylCRIU/TiXK94soilx5aCqb1z ke943EIUts9CmFAHt8cNPYOPRd20pPu4VFNBuT4fv9Ys0iv0XGCEP+sos7/pgJ3gV3pCOric p15jV4PCYQQYEQgACQUCViu54AIbDAAKCRBTc6WbYpR8Khu7AP9NJrBUn94C/3PeNbtQlEGZ NV46Mx5HF0P27lH3sFpNrwD/dVdZ5PCnHQYBZ287ZxVfVr4Zuxjo5yJbRjT93Hl0vMY=
Cc: Chris Rogers <rogersc@xxxxxxxxxxxx>, Dmytro Firsov <dmytro_firsov@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
Delivery-date: Mon, 23 Feb 2026 19:06:34 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2/23/26 13:01, Jason Andryuk wrote:

On 2026-02-19 07:15, Daniel P. Smith wrote:
On 2/18/26 18:04, Jason Andryuk wrote:
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index 29a7726d32d0..2eedc639c72a 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -860,12 +860,9 @@ longdo_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
          break;
      case XEN_DOMCTL_get_domain_state:
-        ret = xsm_get_domain_state(XSM_XS_PRIV, d);
With the initial NULL deref issue, I wondered if this wouldn't bebetter off modified to drop the d param -xsm_get_domain_state(XSM_XS_PRIV) - and changing flask permissions like:
allow dom0_t xen_t:xen get_domain_state;
That would gate the external call, and individual domain permissionscould be checked with xsm_getdomaininfo(), or a new hook if you don'twant to re-use.
But as your approach avoids passing NULL, it seems okay to me. Italso doesn't change the flask policy, which is nice.
That's a plain nack from me. Whether it is viewed as a pipe dream ornot, my goal continues to be to work towards enabling the ability tohave a truly disaggregated platform. In the original architecture, itwas envisioned to have multiple toolstack domains, each responsiblefor a distinct set of domains. In terms of implementation, that wouldmean multiple xenstored instances, each with a purview over a subsetof domains.
I don't think what I wrote is at odds with your pipe dream.
My main concern is passing NULL as a domain. I think that is wrong,beyond the fault seen on ARM. In domain_target_sid(), I think the NULLdst was mistakenly matched to dom0's NULL src->target. src->target_sidis 0 from zalloc, which is not otherwise initialized and invalid. Thatis returned. Later when sidtab_search() can't find it, it is remappedto SECINITSID_UNLABELED and returned. That silent remapping is dubious,and it points toward unlabled_t should never be allowed in any rule.Maybe it should remap unknown sids to a dedicated invalid_t, but maybeinvalid_t is already supposed to be that?

Understand, which in my initial approach I considered instead of settingthe d to NULL for DOMID_INVALID, I was considered changing it todom_xen. This effectively says you must have permission to wildcardquery xen for domain states. I opted not to include it as I was able torework it so that NULL was never used for xsm_get_domain_state().

Your last statement is correct, unlabeled_t literally means it is anunknown object. Therefore, writing any rules for unlabeled_t is dubiousat a minimum, but more likely an invalid security statements. Thesuggestion to write the rule was not meant to be the solution, it wasjust a means to help allow people to boot their systems for the time being.


v/r,
dps

References:
- [BUG v2] common/domctl: xsm update for get_domain_state access
  - From: Daniel P. Smith
- Re: [BUG v2] common/domctl: xsm update for get_domain_state access
  - From: Jason Andryuk
- Re: [BUG v2] common/domctl: xsm update for get_domain_state access
  - From: Daniel P. Smith
- Re: [BUG v2] common/domctl: xsm update for get_domain_state access
  - From: Jason Andryuk

Prev by Date: Re: [PATCH v2 1/2] x86/cpu-policy: move CPU policy library code
Next by Date: [PATCH] xen/acpi-processor: fix _CST detection using undersized evaluation buffer
Previous by thread: Re: [BUG v2] common/domctl: xsm update for get_domain_state access
Next by thread: Re: [BUG v2] common/domctl: xsm update for get_domain_state access
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.