xense-devel
Re: [Xen-devel][Xense-devel][PATCH][1/4] Xen Security Modules: XSM
On 11/5/07 16:10, "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx> wrote:
>> The untidiest cases are where set_foreigndom() is involved. These
>> involve do_mmu_update(), do_update_va_otherdomain() and some
>> mmuext_ops. In particular, on the do_update_va_otherdomain() path,
>> IS_PRIV is checked twice. It would seem to me that the cleanest way
>> to do this is to have the permission check first (can domain X access
>> MFN Y of domain Z?), then carry out the set_foreigndom() logic.
>>
>
> I think I agree.
In this case you theoretically race reuse of the domid, don't you? Actually
you are saved by the RCU mechanism, but why is doing the check after
set_foreigndom() hard? The error path out of e.g., do_mmu_update() will
correctly give up the foreign reference.
-- Keir
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
|
|