Re: [Xen-devel] [PATCH 11/25] xsm, argo: XSM control for argo register operation, argo_mac bootparam
On Tue, Dec 4, 2018 at 1:52 AM Paul Durrant <Paul.Durrant@xxxxxxxxxx> wrote:
>
> > -----Original Message-----
> > From: Christopher Clark [mailto:christopher.w.clark@xxxxxxxxx]
> > Sent: 01 December 2018 01:33
> > To: xen-devel@xxxxxxxxxxxxxxxxxxxx
> > Cc: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>; George Dunlap
> > <George.Dunlap@xxxxxxxxxx>; Ian Jackson <Ian.Jackson@xxxxxxxxxx>; Jan
> > Beulich <jbeulich@xxxxxxxx>; Julien Grall <julien.grall@xxxxxxx>; Konrad
> > Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>; Paul Durrant
> > <Paul.Durrant@xxxxxxxxxx>; Stefano Stabellini <sstabellini@xxxxxxxxxx>;
> > Tim (Xen.org) <tim@xxxxxxx>; Wei Liu <wei.liu2@xxxxxxxxxx>; Daniel De
> > Graaf <dgdegra@xxxxxxxxxxxxx>; Rich Persaud <persaur@xxxxxxxxx>; Ross
> > Philipson <ross.philipson@xxxxxxxxx>; Eric Chanudet
> > <eric.chanudet@xxxxxxxxx>; James McKenzie <voreekf@xxxxxxxxxxxxx>; Jason
> > Andryuk <jandryuk@xxxxxxxxx>; Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> > Subject: [PATCH 11/25] xsm, argo: XSM control for argo register operation,
> > argo_mac bootparam
> >
> > XSM hooks implement distinct permissions for these two distinct cases of
> > Argo ring registration:
> >
> > * Single source: registering a ring for communication to receive messages
> >   from a specified single other domain.
> >   Default policy: allow.
> >
> > * Any source: registering a ring for communication to receive messages
> >   from any, or all, other domains (ie. wildcard).
> >   Default policy: deny, with runtime policy configuration via new
> >   bootparam.
> >
> > The reason why the default for wildcard rings is 'deny' is that there is
> > currently no means other than XSM to protect the ring from DoS by a noisy
> > domain spamming the ring, reducing the ability of other domains to send to
> > it.
> > Using XSM at least allows per-domain control over access to the send
> > permission, to limit communication to domains that can be trusted.
> >
> > Since denying access to any-sender rings unless a flask XSM policy is
> > active
> > will prevent many users from using a key Argo feature, also introduce a
> > bootparam
> > that can override this constraint:
> > "argo_mac" variable has allowed values: 'permissive' and 'enforcing'.
> > Even though this is a boolean variable, use these descriptive strings in
> > order
> > to make it obvious to an administrator that this has potential security
> > impact.
> >
> > Signed-off-by: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx>
> > ---
> > xen/common/argo.c | 15 +++++++++++++++
> > xen/include/xsm/dummy.h | 15 +++++++++++++++
> > xen/include/xsm/xsm.h | 17 +++++++++++++++++
> > xen/xsm/dummy.c | 4 ++++
> > xen/xsm/flask/hooks.c | 19 +++++++++++++++++++
> > xen/xsm/flask/policy/access_vectors | 11 +++++++++++
> > xen/xsm/flask/policy/security_classes | 1 +
> > 7 files changed, 82 insertions(+)
> >
> > diff --git a/xen/common/argo.c b/xen/common/argo.c
> > index 82fab36..2a95e09 100644
> > --- a/xen/common/argo.c
> > +++ b/xen/common/argo.c
> > @@ -32,6 +32,21 @@ DEFINE_XEN_GUEST_HANDLE(argo_ring_t); > > static bool __read_mostly opt_argo_enabled = 0; > > boolean_param("argo", opt_argo_enabled); > > > > +/* Xen command line option for conservative or relaxed access control */ > > +bool __read_mostly argo_mac_bootparam_enforcing = true; > > + > > +static int __init parse_argo_mac_param(const char *s) > > +{ > > + if ( !strncmp(s, "enforcing", 10) ) > > + argo_mac_bootparam_enforcing = true; > > + else if ( !strncmp(s, "permissive", 11) ) > > + argo_mac_bootparam_enforcing = false; > > + else > > Do you really want to parse e.g. 'enforcingfoobar' as 'enforcing'? No, I don't - and it doesn't do that because the number supplied to strncmp is large enough to include comparison of the string terminator too -- but I get the point: strncmp is just confusing and is for no clear benefit, so I've dropped it in favour of strcmp in the next revision. Christopher _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
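Review bot: In parse_argo_mac_param(), the lengths 10 and 11 passed to strncmp() are hand-counted as strlen("enforcing") + 1 and strlen("permissive") + 1, so the exact match (terminator included) holds only while those magic numbers stay in step with the literals. If either string is edited without updating its count, or the count is ever one lower, the comparison becomes a prefix match and a value such as 'enforcingfoobar' would select a security mode. Plain strcmp() expresses the exact-match intent without the counts. Two smaller points on the same hunk: argo_mac_bootparam_enforcing is a non-static global, so it needs a declaration in a header visible to its users, and the diffstat lists only code and policy files, so the new argo_mac option and its default (enforcing, per the `= true` initializer) are not described in the command-line documentation by this patch.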