[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3 1/2] xsm: create idle domain privileged and demote after setup
- To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Fri, 29 Apr 2022 09:12:15 +0200
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=E6AzNnw/PMQ8kbmS8HmtG0ziHAI8nDGsmIYY/bdJPAk=; b=XkLYo4y5thOd86KjuwhXlfMk83zG2V+RDWDSHh7xdYRYXYl+f4t/ZjuzPU2XAzukBmRjAzu2gKzQFzzmU26xXpVrOORKi0s+sKbMiCH31KeIDigsDeHOb+7iE3Cser/305CfjpRApTn2m9jz05Wl19Apl8Ip7ldxz01hJK5SAv0z17wizDhQ3aei8X+OOP07lb/U1G4mgZymtLkHDHUVEzBfaG3GAZlKRDND91Rgct50LvfEs7t0+pGr3B874hWKe3wfRVjiCvWoM0oYo35PTsaXO9snRzLfpjDUch6OizrMowYSu8Jlz2V5odrj4SvPJJOEeoft04uH81Qzy/kQNQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MPWu9VjjGhQwnEHUekevohaLkIGWxX8ZC9jJ3de+cpEzbdqYY5Pev1pcjn2qGz3ZRjffJVkJFiugRSSNcc7Vuqd9753gjc8LRR/J57xInsEglzeOs/AZAfiWLjtC5bPv7VRbIu84GpazdM6AjwPHsUgCvEis+tbdX+orJXf+1eYP17PhTlbgBTSxITkmIDdPf5w2QP8kPyUMBa8KgKRP9uH3qmz/AAyMNvSiFOEBHaZcwwN5s/QkG3nJLjJ9mX+1UPUtaR9RrVa9NGpdNxkCs3XdCOpoqUizyraulHGVYj1f2V2zltrCztdRtwb5Yru1jr12kDozChgd/bTzKOZVzw==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
- Delivery-date: Fri, 29 Apr 2022 07:12:35 +0000
- Ironport-data: A9a23:xXmRjKLHXq/I/Gq8FE+Rl5UlxSXFcZb7ZxGr2PjKsXjdYENShWdWz zMXWD2HPvjcambwLdoia9mwpBgA75HQn4JmGQZlqX01Q3x08seUXt7xwmUcns+xwm8vaGo9s q3yv/GZdJhcokf0/0vrav67xZVF/fngqoDUUYYoAQgsA149IMsdoUg7wbRh3tQ52YHR7z6l4 rseneWOYDdJ5BYsWo4kw/rrRMRH5amaVJsw5zTSVNgT1LPsvyB94KE3fMldG0DQUIhMdtNWc s6YpF2PEsE1yD92Yj+tuu6TnkTn2dc+NyDW4pZdc/DKbhSvOkXee0v0XRYRQR4/ttmHozx+4 MxM6oy6ETwDBaTzws1NSjMCCQxCGLITrdcrIVDn2SCS52vvViK2htBRVgQxN4Be/ftrC2ZT8 /BeMCoKch2Im+OxxvS8V/VogcMgasLsOevzuFk5lW2fUalgH86FH/uiCdxwhV/cguhUGvnTf YwBYCdHZxXceRxffFwQDfrSmc/33iemL2UE9jp5o4Ir2Xf3zChowYSuH9nHJ5+oGOFVjG2H8 zeuE2PRR0ty2Mak4Tad6Xetmu/nlDv2Qp4PD6a/8uN2gVqV3SoYDxh+fUu2p7y1h1CzX/pbK lcI4Ww+oK4q7kupQ9LhGRqirxasgBkYXNZBFvwg3yuEwKHU/gWxC3ANS3hKb9lOnNAybSwn0 BmOhdyBLSdkt6GJD36U6LaPhSiuMDIRJGVEZChsZQkM5dX5sZwwph3KR9dnVqWyi7XdAirsy jqHqCw/gbQ7jsMR0ai/u1fdjFqEpIXNTwMzzhXaWCSi9AwRTISofZCy4F7Xq/NJNp+ET0Kpt WIB3cOZ6YgmD5uAiSiMS+UlB6yy6rCONzi0qVJhFpYu9jOp+la4YJtdpjp5IS9BPskIdDDza WfPqAhR49lVJ3LsYqhpC79dEOwvxKnkUNH6DPbda4MUZoArLFPZuiZzeUSXwmbh1lA2lr0yM ouadsDqCmsGDaNgz3y9QOJ1PaIX+x3SDFj7HfjTpylLG5LEDJJJYd/p6GezU90=
- Ironport-hdrordr: A9a23:MwEuFKHslMDvjic2pLqFYZHXdLJyesId70hD6qkvc3Fom52j/f xGws5x6faVslkssb8b6LW90Y27MAvhHPlOkPIs1NaZLXDbUQ6TQL2KgrGD/9SNIVycygcZ79 YbT0EcMqyOMbEZt7ec3ODQKb9Jrri6GeKT9IHjJh9WPH1XgspbnmNE42igYy9LrF4sP+tFKH PQ3LsOmxOQPVAsKuirDHgMWObO4/XNiZLdeBYDQzoq8hOHgz+E4KPzV0Hw5GZVbxp/hZMZtU TVmQ3w4auu99m91x/nzmfWq7BbgsHoxNdvDNGFzuIVNjLvoAC1Y5kJYczIgBkF5MWUrHo6mt jFpBkte+x19nPqZ2mw5SDg3gHxuQxenEMLZTej8AjeiP28YAh/J9tKhIpffBecwVEnpstA3K VC2H/cn4ZLDDvb9R6NqeTgZlVPrA6ZsHAimekcgzh0So0FcoJcqoQZ4Qd8DIoAJiTn84oqed MeQ/003MwmMW9yUkqp/VWGmLeXLzYO91a9MwQ/U/WuonlrdCsT9Tpc+CQd9k1wgK7VBaM0o9 gsCZ4Y5Y2mfvVmE56VO91xMfdfKla9Ny4kY1jiaGgOKsk8SgDwgq+yxokJz8eXX7FN5KcOuf 36ISZlXCgJCg/TNfE=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, Apr 28, 2022 at 10:57:42AM -0400, Daniel P. Smith wrote:
> On 4/26/22 03:12, Roger Pau Monné wrote:
> > On Mon, Apr 25, 2022 at 12:39:17PM -0400, Daniel P. Smith wrote:
> >> On 4/25/22 05:44, Roger Pau Monné wrote:
> >>> On Fri, Apr 22, 2022 at 12:34:57PM -0400, Daniel P. Smith wrote:
> >>>> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> >>>> index 0bf63ffa84..8a62de2fd6 100644
> >>>> --- a/xen/xsm/flask/hooks.c
> >>>> +++ b/xen/xsm/flask/hooks.c
> >>>> @@ -186,6 +186,26 @@ static int cf_check
> >>>> flask_domain_alloc_security(struct domain *d)
> >>>> return 0;
> >>>> }
> >>>>
> >>>> +static int cf_check flask_set_system_active(void)
> >>>> +{
> >>>> + struct domain *d = current->domain;
> >>>
> >>> Nit: you should also add the assert for d->is_privileged, I don't see
> >>> a reason for the xsm and flask functions to differ in that regard.
> >>
> >> This goes back to an issued I have raised before, is_privileged really
> >> encompasses two properties of a domain. Whether the domain is filling
> >> the special control domain role versus what accesses the domain has
> >> based on the context under which is_control_domain() is called. For
> >> instance the function init_domain_msr_policy() uses is_control_domain()
> >> not to make an access control decision but configure behavior. Under
> >> flask is_privileged no longer reflects the accesses a domain with it set
> >> will have, thus whether it is cleared when flask is enabled is
> >> irrelevant as far as flask is concerned. For the ASSERT, what matters is
> >> that the label was set to xenboot_t on construction and that it was not
> >> changed before reaching this point. Or in a short form, when under the
> >> default policy the expected state is concerned with is_privilege while
> >> for flask it is only the SID.
> >
> > I certainly don't care that much, but you do set d->is_privileged =
> > false in flask_set_system_active, hence it would seem logic to expect
> > d->is_privileged == true also?
>
> Yes, I did this just for consistency not because there is any
> significance of is_privilege on the idle domain, in both contexts for
> which is_privileged is used, when flask is the enforcing policy.
>
> > If not for anything else, just to assert that the function is not
> > called twice.
>
> Under this patch flask_set_system_active() is effectively a no-op, so
> calling it twice has no effect. In the next patch flask_set_system()
> becomes a real check and there is an ASSERT on the SID as that is the
> relevant context under flask and will ensure calling only once.
>
> In the end I can add the ASSERT but it would be adding it for the sake
> of adding it as it would not be protecting the hypervisor from moving
> into an incorrect state.
If flask_set_system_active() is really a no-op then just adding a
comment in that regard and not touching is_privileged would be OK to
me, as otherwise I think it's confusing.
In any case I would leave that to the flask maintainers to decide.
Thanks, Roger.
|
