From: Daniel De Graaf
Subject: Re: [PATCH v2] Merge IS_PRIV checks into XSM hooks
Date: Tue, 11 Sep 2012 09:21:35 -0400
Message-ID: <504F3ADF.8030402@tycho.nsa.gov>
In-Reply-To: <504F0DE3020000780009A727@nat28.tlf.novell.com>
References: <504E5760.5070605@tycho.nsa.gov> <504F0DE3020000780009A727@nat28.tlf.novell.com>
To: Jan Beulich
Cc: Keir Fraser, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 09/11/2012 04:09 AM, Jan Beulich wrote:
>>>> On 10.09.12 at 23:10, Daniel De Graaf wrote:
>> On 09/10/2012 04:51 PM, Keir Fraser wrote:
>>> On 10/09/2012 20:48, "Daniel De Graaf" wrote:
>>>
>>>> Overall, this series should not change the behavior of Xen when XSM is
>>>> not enabled; however, in some cases, the exact errors that are returned
>>>> will be different because security checks have been moved below validity
>>>> checks. Also, once applied, newly introduced domctls and sysctls will
>>>> not automatically be guarded by IS_PRIV checks - they will need to add
>>>> their own permission checking code.
>>>
>>> How do we guard against accidentally forgetting to do this?
>>
>> The same way you guard against it when adding a new hypercall: when adding
>> new functionality that needs access checks, also add the access checks.
>
> Except that previously the access check was done centrally at the
> top of do_domctl(), so newly added sub-functions didn't need to
> worry.
>
> Jan
>

One addition I am considering is an extra XSM hook at the start of do_domctl
and do_sysctl that takes only the command (and domain, for domctl); this could
be used to restrict access to unknown domctl/sysctls, and would fix the issues
of adding sub-functions without access checks.
-- Daniel De Graaf National Security Agency
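The entry-hook idea raised in the reply above, shown as an added example that is not Xen's code or part of this thread: a dispatcher that consults a hook seeing only the caller and the command number before any sub-function runs, next to a dispatcher that relies on each sub-function carrying its own check. The command numbers, the policy table, `xsm_domctl_entry`, `do_domctl_with_entry_hook`, `do_domctl_per_subfunction` and the `check_*` wrappers are all constructed stand-ins for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for domctl command numbers; not Xen's real values. */
enum domctl_cmd { DOMCTL_PAUSE = 1, DOMCTL_GETINFO = 2, DOMCTL_NEWCMD = 3 };

/* Return codes, following the kernel/hypervisor convention of negative errno. */
#define RC_OK      0
#define RC_EPERM  (-1)
#define RC_ENOSYS (-38)

struct domain { int id; bool is_priv; };

/* Policy consulted by the entry hook (constructed): which commands an
 * unprivileged domain may issue.  Commands not listed are privileged-only. */
struct policy_entry { enum domctl_cmd cmd; bool allow_unprivileged; };
static const struct policy_entry policy[] = {
    { DOMCTL_PAUSE,   false },
    { DOMCTL_GETINFO, true  },
};

/* Hypothetical entry hook: it sees only the caller and the command number,
 * before any sub-function runs.  Unknown commands fail closed, so a new
 * sub-function whose author forgot a check is still gated here. */
static int xsm_domctl_entry(const struct domain *caller, int cmd)
{
    for (size_t i = 0; i < sizeof(policy) / sizeof(policy[0]); i++) {
        if ((int)policy[i].cmd == cmd)
            return (policy[i].allow_unprivileged || caller->is_priv) ? RC_OK : RC_EPERM;
    }
    return caller->is_priv ? RC_OK : RC_EPERM;
}

static int domctl_pause(void)   { return RC_OK; }
static int domctl_getinfo(void) { return RC_OK; }
/* Newly added sub-function that carries no permission check of its own. */
static int domctl_newcmd(void)  { return RC_OK; }

/* Dispatcher with the entry hook.  The security check runs before the
 * validity (known-command) check, so an unprivileged caller gets -EPERM
 * for an unknown command, while a privileged caller still gets -ENOSYS. */
int do_domctl_with_entry_hook(const struct domain *caller, int cmd)
{
    int rc = xsm_domctl_entry(caller, cmd);
    if (rc != RC_OK)
        return rc;
    switch (cmd) {
    case DOMCTL_PAUSE:   return domctl_pause();
    case DOMCTL_GETINFO: return domctl_getinfo();
    case DOMCTL_NEWCMD:  return domctl_newcmd();
    default:             return RC_ENOSYS;
    }
}

/* Dispatcher relying on per-sub-function checks only: the missing check in
 * domctl_newcmd means any caller reaches it. */
int do_domctl_per_subfunction(const struct domain *caller, int cmd)
{
    switch (cmd) {
    case DOMCTL_PAUSE:   return caller->is_priv ? domctl_pause() : RC_EPERM;
    case DOMCTL_GETINFO: return domctl_getinfo();
    case DOMCTL_NEWCMD:  return domctl_newcmd();   /* no check here */
    default:             return RC_ENOSYS;
    }
}

/* Convenience wrappers: describe the caller only by its privilege. */
int check_with_hook(bool caller_is_priv, int cmd)
{
    struct domain d = { caller_is_priv ? 0 : 1, caller_is_priv };
    return do_domctl_with_entry_hook(&d, cmd);
}

int check_per_subfunction(bool caller_is_priv, int cmd)
{
    struct domain d = { caller_is_priv ? 0 : 1, caller_is_priv };
    return do_domctl_per_subfunction(&d, cmd);
}
```

The point of the contrast is the default branch of the hook: a table-driven entry check denies everything it does not recognise, so the cost of forgetting a per-command check is a privileged-only command rather than an unguarded one. Reviewing such a table is also far easier than auditing every sub-function for its own check.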