[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v7 1/2] xen/console: handle multiple domains using console_io hypercalls
- To: Jan Beulich <jbeulich@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
- From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Jan 2026 09:27:28 -0500
- Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1769696852; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=Csi40rQ6fKyJbiyM0FXQWkQQah5ioh+4oM6lP9s5imQ=; b=LQgjpzY6DnPvLX0MNQEJ7kbTqt0x3B6oft645cD4yBkeVoplE3l+jRG+uEI/u6w+iCChC99CebVctB9WIidW1G8Q63tpxvGUPhLbnxghjrZNU2/NNh30c5RPV/TAbcgJiIKXukfwmFaCFRjZtByW0UV9Hdfqe9wC5zhYviPdPZ0=
- Arc-seal: i=1; a=rsa-sha256; t=1769696852; cv=none; d=zohomail.com; s=zohoarc; b=RmRZrQhgTnx8pI0Vt/7hDJuJAkvazWPBtKFQWS/Q04u5dda1jYh92a0l/943939Q2Q+XmaWG12jLCZBtrregbmXwiNWeMZ46FF3Fxg0beWjvSRYCkMDtIRzo9R9EyxdPSGAiQVrStY5xkYAkp18QHZB2JgjiuZbohEqdtc7NVX8=
- Cc: Stefano Stabellini <stefano.stabellini@xxxxxxx>, grygorii_strashko@xxxxxxxx, anthony.perard@xxxxxxxxxx, michal.orzel@xxxxxxx, julien@xxxxxxx, roger.pau@xxxxxxxxxx, jason.andryuk@xxxxxxx, victorm.lira@xxxxxxx, andrew.cooper3@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
- Delivery-date: Thu, 29 Jan 2026 14:27:49 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 1/29/26 3:24 AM, Jan Beulich wrote:
On 29.01.2026 03:42, Stefano Stabellini wrote:
On Wed, 28 Jan 2026, Jan Beulich wrote:
On 23.01.2026 02:06, Stefano Stabellini wrote:
@@ -742,17 +758,36 @@ static long
guest_console_write(XEN_GUEST_HANDLE_PARAM(char) buffer,
if ( copy_from_guest(kbuf, buffer, kcount) )
return -EFAULT;
- if ( is_hardware_domain(cd) )
+ /*
+ * Take both cons->lock and console_lock:
+ * - cons->lock protects cons->buf and cons->idx
+ * - console_lock protects console_send and is_focus_domain
+ * checks
+ *
+ * The order must be respected. guest_printk takes the
+ * console_lock so it is important that cons->lock is taken
+ * first.
+ */
+ spin_lock(&cons->lock);
+ nrspin_lock_irq(&console_lock);
+ if ( is_focus_domain(cd) )
Why would any of the domains possibly being permitted to be "focus" suddenly
gain direct access here? Full access in do_console_io() is still prevented by
the XSM check there, afaict. Cc-ing Daniel, as it's not quite clear to me
whether to introduce another XSM check here, whether to check ->is_console
directly, or yet something else.
The XSM check still happens first in do_console_io() via
xsm_console_io(XSM_OTHER, current->domain, cmd), which validates that
the domain has permission to use console_io hypercalls. The focus check
is an additional restriction that only allows reading when the domain
has focus: it doesn't grant new permissions. Dom0less domains with
input_allowed = true are already permitted by XSM policy to use
console_io;
Are they? I don't see any XSM or Flask code checking that flag. What the
dummy xsm_console_io() checks is ->is_console.
Unless I am misunderstanding what you are asking here, I don't see why
XSM would be concerned with this check. The `is_focus_domain()`
conditional is not an access decision but a decision whether write to
the console or buffer the write.
However, what indeed I didn't pay attention to when writing the original
comment is that guest_console_write() has only a single caller,
do_console_io(). So there's no concern in this regard here as long as no
new caller appears.
Correct, the `xsm_console_io()` hook is the access check if the guest is
allowed to read/write to the console. Any paths to this function should
be guarded by a call to this hook.
v/r,
dps
|
