From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>, xen-devel@lists.xen.org
Subject: Re: [PATCH v2] Merge IS_PRIV checks into XSM hooks
Date: Tue, 11 Sep 2012 09:21:35 -0400 [thread overview]
Message-ID: <504F3ADF.8030402@tycho.nsa.gov> (raw)
In-Reply-To: <504F0DE3020000780009A727@nat28.tlf.novell.com>
On 09/11/2012 04:09 AM, Jan Beulich wrote:
>>>> On 10.09.12 at 23:10, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
>> On 09/10/2012 04:51 PM, Keir Fraser wrote:
>>> On 10/09/2012 20:48, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:
>>>
>>>> Overall, this series should not change the behavior of Xen when XSM is
>>>> not enabled; however, in some cases, the exact errors that are returned
>>>> will be different because security checks have been moved below validity
>>>> checks. Also, once applied, newly introduced domctls and sysctls will
>>>> not automatically be guarded by IS_PRIV checks - they will need to add
>>>> their own permission checking code.
>>>
>>> How do we guard against accidentally forgetting to do this?
>>
>> The same way you guard against it when adding a new hypercall: when adding
>> new functionality that needs access checks, also add the access checks.
>
> Except that previously the access check was done centrally at the
> top of do_domctl(), so newly added sub-functions didn't need to
> worry.
>
> Jan
>
One addition I am considering is an extra XSM hook at the start of do_domctl
and do_sysctl that takes only the command (and domain, for domctl); this
could be used to restrict access to unknown domctl/sysctls, and would fix
the issues of adding sub-functions without access checks.
--
Daniel De Graaf
National Security Agency
next prev parent reply other threads:[~2012-09-11 13:21 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-10 19:48 [PATCH v2] Merge IS_PRIV checks into XSM hooks Daniel De Graaf
2012-09-10 19:48 ` [PATCH 01/20] xsm/flask: remove inherited class attributes Daniel De Graaf
2012-09-10 19:48 ` [PATCH 02/20] xsm/flask: remove unneeded create_sid field Daniel De Graaf
2012-09-10 19:48 ` [PATCH 03/20] xen: Add versions of rcu_lock_*_domain without IS_PRIV checks Daniel De Graaf
2012-09-10 19:48 ` [PATCH 04/20] xsm/flask: add domain relabel support Daniel De Graaf
2012-09-10 19:48 ` [PATCH 05/20] libxl: introduce XSM relabel on build Daniel De Graaf
2012-09-10 19:48 ` [PATCH 06/20] flask/policy: Add domain relabel example Daniel De Graaf
2012-09-10 19:49 ` [PATCH 07/20] arch/x86: add distinct XSM hooks for map/unmap Daniel De Graaf
2012-09-10 19:49 ` [PATCH 08/20] arch/x86: add missing XSM checks to XENPF_ commands Daniel De Graaf
2012-09-10 19:49 ` [PATCH 09/20] xsm/flask: Add checks on the domain performing the set_target operation Daniel De Graaf
2012-09-10 19:49 ` [PATCH 10/20] xsm: Add IS_PRIV checks to dummy XSM module Daniel De Graaf
2012-09-11 7:44 ` Jan Beulich
2012-09-11 13:24 ` Daniel De Graaf
2012-09-10 19:49 ` [PATCH 11/20] xen: use XSM instead of IS_PRIV where duplicated Daniel De Graaf
2012-09-11 7:29 ` Jan Beulich
2012-09-11 9:05 ` Ian Campbell
2012-09-11 13:33 ` Daniel De Graaf
2012-09-11 13:33 ` [PATCH] xen/console: Add domain ID to output if VERBOSE Daniel De Graaf
2012-09-11 14:23 ` Jan Beulich
2012-09-11 14:26 ` Ian Campbell
2012-09-11 14:10 ` [PATCH 11/20] xen: use XSM instead of IS_PRIV where duplicated Daniel De Graaf
2012-09-10 19:49 ` [PATCH 12/20] xen: avoid calling rcu_lock_*target_domain when an XSM hook exists Daniel De Graaf
2012-09-11 7:36 ` Jan Beulich
2012-09-11 13:26 ` Daniel De Graaf
2012-09-11 14:15 ` Jan Beulich
2012-09-10 19:49 ` [PATCH 13/20] arch/x86: Add missing domctl and mem_sharing XSM hooks Daniel De Graaf
2012-09-10 19:49 ` [PATCH 14/20] tmem: Add access control check Daniel De Graaf
2012-09-11 7:40 ` Jan Beulich
2012-09-10 19:49 ` [PATCH 15/20] xsm: remove unneeded xsm_call macro Daniel De Graaf
2012-09-10 19:49 ` [PATCH 16/20] xsm/flask: add distinct SIDs for self/target access Daniel De Graaf
2012-09-10 19:49 ` [PATCH 17/20] arch/x86: use XSM hooks for get_pg_owner access checks Daniel De Graaf
2012-09-11 7:55 ` Jan Beulich
2012-09-11 13:40 ` Daniel De Graaf
2012-09-11 14:16 ` Jan Beulich
2012-09-11 14:33 ` Daniel De Graaf
2012-09-11 14:50 ` Jan Beulich
2012-09-10 19:49 ` [PATCH 18/20] xen: Add XSM hook for XENMEM_exchange Daniel De Graaf
2012-09-10 19:49 ` [PATCH 19/20] xen: remove rcu_lock_{remote_, }target_domain_by_id Daniel De Graaf
2012-09-11 7:59 ` Jan Beulich
2012-09-10 19:49 ` [PATCH 20/20] flask: add missing operations Daniel De Graaf
2012-09-10 20:51 ` [PATCH v2] Merge IS_PRIV checks into XSM hooks Keir Fraser
2012-09-10 21:10 ` Daniel De Graaf
2012-09-10 21:13 ` [PATCH 21/20] arch/arm: replace rcu_lock_target_domain_by_id with XSM Daniel De Graaf
2012-09-10 21:35 ` [PATCH v2] Merge IS_PRIV checks into XSM hooks Keir Fraser
2012-09-11 8:54 ` Ian Campbell
2012-09-11 13:49 ` Daniel De Graaf
2012-09-11 8:09 ` Jan Beulich
2012-09-11 13:21 ` Daniel De Graaf [this message]
2012-09-11 14:11 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=504F3ADF.8030402@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=JBeulich@suse.com \
--cc=keir@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.