[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2] Merge IS_PRIV checks into XSM hooks



>>> On 11.09.12 at 15:21, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote:
> On 09/11/2012 04:09 AM, Jan Beulich wrote:
>>>>> On 10.09.12 at 23:10, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote:
>>> On 09/10/2012 04:51 PM, Keir Fraser wrote:
>>>> On 10/09/2012 20:48, "Daniel De Graaf" <dgdegra@xxxxxxxxxxxxx> wrote:
>>>>
>>>>> Overall, this series should not change the behavior of Xen when XSM is
>>>>> not enabled; however, in some cases, the exact errors that are returned
>>>>> will be different because security checks have been moved below validity
>>>>> checks. Also, once applied, newly introduced domctls and sysctls will
>>>>> not automatically be guarded by IS_PRIV checks - they will need to add
>>>>> their own permission checking code.
>>>>
>>>> How do we guard against accidentally forgetting to do this?
>>>
>>> The same way you guard against it when adding a new hypercall: when adding
>>> new functionality that needs access checks, also add the access checks.
>> 
>> Except that previously the access check was done centrally at the
>> top of do_domctl(), so newly added sub-functions didn't need to
>> worry.
> 
> One addition I am considering is an extra XSM hook at the start of do_domctl
> and do_sysctl that takes only the command (and domain, for domctl); this
> could be used to restrict access to unknown domctl/sysctls, and would fix
> the issues of adding sub-functions without access checks.

That sounds reasonable, the more that the performance aspect
of these additions doesn't matter for these two hypercalls.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.