From: Wei Liu <wei.liu2@citrix.com>
To: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: xen-devel@lists.xensource.com, Wei Liu <wei.liu2@citrix.com>,
	Stefano Stabellini <sstabellini@kernel.org>
Subject: Re: [PATCH 03/22] xentoolcore, _restrict_all: Introduce new library and implementation
Date: Wed, 20 Sep 2017 16:24:46 +0100
Message-ID: <20170920152446.okpsluz6625howpd@citrix.com>
In-Reply-To: <22976.63946.518931.688248@mariner.uk.xensource.com>

On Tue, Sep 19, 2017 at 12:04:42PM +0100, Ian Jackson wrote:
> Wei Liu writes ("Re: [PATCH 03/22] xentoolcore, _restrict_all: Introduce new library and implementation"):
> > The impression I get from the name and parameter from this API is that
> > the following use case is allowed: a device model serving multiple
> > domains.
> 
> Such a device model is obviously, by necessity, unrestricted.
> 
> > The device model will open two sets of handlers of various
> > libraries. The device model will call restrict_all(domid) to restrict
> > its own privileges on certain domid when it sees fit.
> 
> After it has restricted its privileges to domid A, it is no longer
> permitted to do things to domid B.  Attempting to call restrict_all(B)
> will fail.
> 
> > Without filtering, the callbacks are called for all the domains at the
> > same time. The code as-is, when restrict_all(dom1) is called, causes
> > privileges on dom2 to also be dropped sometimes -- imagine a xenstore
> > callback registered for dom2 is called, which makes the connection
> > unusable for dom2.
> > 
> > If the aforementioned use case is not anticipated, I think we shouldn't
> > accept a domid parameter for the restrict_all function.
> 
> But the domid is precisely the scope of the intended restriction.
> After making the call, the malign influence of the calling process is
> limited to the specified domid (at least, insofar as the malign
> influence is exercised via already-open Xen library handles).
> 

Ah, I know where I got myself confused.

You can have my Ack on this patch.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
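
The semantics described in the quoted text above, as a small C model added here; it is not part of the original message and not Xen's xentoolcore code, and `struct handle`, `model_restrict_all` and the other names are hypothetical. It shows that the restriction visits every open handle regardless of which domain it was opened for, and that a later attempt to restrict to a different domid fails.

```c
#include <stdio.h>
/* Simplified model, not Xen's code: every name below is hypothetical. */
#define DOMID_NONE (-1)
struct handle {
    int restricted_to;        /* DOMID_NONE while still unrestricted */
    struct handle *next;
};
static struct handle *registry;   /* every handle open in this process */

static void handle_register(struct handle *h)
{
    h->restricted_to = DOMID_NONE;
    h->next = registry;
    registry = h;
}

/* One-way: a bound handle rejects any other domid (same domid: no-op, assumed). */
static int handle_restrict(struct handle *h, int domid)
{
    if (h->restricted_to != DOMID_NONE && h->restricted_to != domid)
        return -1;
    h->restricted_to = domid;
    return 0;
}

/* Process-wide: visits every registered handle, no per-domain filter. */
static int model_restrict_all(int domid)
{
    int rc = 0;
    for (struct handle *h = registry; h; h = h->next)
        if (handle_restrict(h, domid) != 0)
            rc = -1;
    return rc;
}

/* Would an operation on `domid` through this handle still be allowed? */
static int handle_may_touch(const struct handle *h, int domid)
{
    return h->restricted_to == DOMID_NONE || h->restricted_to == domid;
}

int main(void)
{
    static struct handle dm, xs;   /* e.g. one handle per library */
    handle_register(&dm);
    handle_register(&xs);
    printf("restrict_all(1) -> %d\n", model_restrict_all(1));
    printf("xs may touch dom2 -> %d\n", handle_may_touch(&xs, 2));
    printf("restrict_all(2) -> %d\n", model_restrict_all(2));
    return 0;
}
```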