From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Ian Campbell <Ian.Campbell@citrix.com>
Cc: Keir Fraser <keir@xen.org>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [PATCH v2] Merge IS_PRIV checks into XSM hooks
Date: Tue, 11 Sep 2012 09:49:01 -0400 [thread overview]
Message-ID: <504F414D.5070504@tycho.nsa.gov> (raw)
In-Reply-To: <1347353677.5305.130.camel@zakaz.uk.xensource.com>
On 09/11/2012 04:54 AM, Ian Campbell wrote:
> On Mon, 2012-09-10 at 22:35 +0100, Keir Fraser wrote:
>> On 10/09/2012 22:10, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:
>>
>>> On 09/10/2012 04:51 PM, Keir Fraser wrote:
>>>> On 10/09/2012 20:48, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:
>>>>
>>>>> Overall, this series should not change the behavior of Xen when XSM is
>>>>> not enabled; however, in some cases, the exact errors that are returned
>>>>> will be different because security checks have been moved below validity
>>>>> checks. Also, once applied, newly introduced domctls and sysctls will
>>>>> not automatically be guarded by IS_PRIV checks - they will need to add
>>>>> their own permission checking code.
>>>>
>>>> How do we guard against accidentally forgetting to do this?
>>>
>>> The same way you guard against it when adding a new hypercall: when adding
>>> new functionality that needs access checks, also add the access checks.
>>
>> So... We just shouldn't accidentally forget. That will work well. ;)
>> Historically XSM has not been top of many committers' checklists.
>
> Can we play tricks like
>
> int did_priv_check;
>
> switch(op)
> case FOO:
> if (xsm_check_foo(&did_priv_check))
> ....
> break;
> }
> ASSERT(did_priv_check)
>
> I'd expect the compiler to catch missing checks due to the use of the
> uninitialised var, although that relies somewhat on the switch not being
> too big and confusing it.
This is almost certainly going to confuse the compiler, since often the
XSM hook is after some minimal parameter validation which will break on
failure. Using an initialized variable would work, but I like the other
option better.
> The other option might be to define domctl_do_perm_check, which has a
> similar switch over op but an explicit default: return -EPERM. Then call
> that from the top of do_domctl instead of scattering the priv checks
> throughout the main switch statement? That way if you forget to add the
> perm check it simply won't work and you'll see that the first time you
> try and test it...
Or even just default back to IS_PRIV, and a FLASK unknown_domctl permission
that is documented as only for development (or just -EPERM in FLASK, since
most developers who would turn that on would also be interested in adding
the full XSM hook).
> Or an array of do_perm_check function pointers of NR_DOMCTL in size and
> a NULL check? The differing prototypes probably make this one a
> non-starter without loads of per op helper functions.
>
> Ian.
--
Daniel De Graaf
National Security Agency
next prev parent reply other threads:[~2012-09-11 13:49 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-10 19:48 [PATCH v2] Merge IS_PRIV checks into XSM hooks Daniel De Graaf
2012-09-10 19:48 ` [PATCH 01/20] xsm/flask: remove inherited class attributes Daniel De Graaf
2012-09-10 19:48 ` [PATCH 02/20] xsm/flask: remove unneeded create_sid field Daniel De Graaf
2012-09-10 19:48 ` [PATCH 03/20] xen: Add versions of rcu_lock_*_domain without IS_PRIV checks Daniel De Graaf
2012-09-10 19:48 ` [PATCH 04/20] xsm/flask: add domain relabel support Daniel De Graaf
2012-09-10 19:48 ` [PATCH 05/20] libxl: introduce XSM relabel on build Daniel De Graaf
2012-09-10 19:48 ` [PATCH 06/20] flask/policy: Add domain relabel example Daniel De Graaf
2012-09-10 19:49 ` [PATCH 07/20] arch/x86: add distinct XSM hooks for map/unmap Daniel De Graaf
2012-09-10 19:49 ` [PATCH 08/20] arch/x86: add missing XSM checks to XENPF_ commands Daniel De Graaf
2012-09-10 19:49 ` [PATCH 09/20] xsm/flask: Add checks on the domain performing the set_target operation Daniel De Graaf
2012-09-10 19:49 ` [PATCH 10/20] xsm: Add IS_PRIV checks to dummy XSM module Daniel De Graaf
2012-09-11 7:44 ` Jan Beulich
2012-09-11 13:24 ` Daniel De Graaf
2012-09-10 19:49 ` [PATCH 11/20] xen: use XSM instead of IS_PRIV where duplicated Daniel De Graaf
2012-09-11 7:29 ` Jan Beulich
2012-09-11 9:05 ` Ian Campbell
2012-09-11 13:33 ` Daniel De Graaf
2012-09-11 13:33 ` [PATCH] xen/console: Add domain ID to output if VERBOSE Daniel De Graaf
2012-09-11 14:23 ` Jan Beulich
2012-09-11 14:26 ` Ian Campbell
2012-09-11 14:10 ` [PATCH 11/20] xen: use XSM instead of IS_PRIV where duplicated Daniel De Graaf
2012-09-10 19:49 ` [PATCH 12/20] xen: avoid calling rcu_lock_*target_domain when an XSM hook exists Daniel De Graaf
2012-09-11 7:36 ` Jan Beulich
2012-09-11 13:26 ` Daniel De Graaf
2012-09-11 14:15 ` Jan Beulich
2012-09-10 19:49 ` [PATCH 13/20] arch/x86: Add missing domctl and mem_sharing XSM hooks Daniel De Graaf
2012-09-10 19:49 ` [PATCH 14/20] tmem: Add access control check Daniel De Graaf
2012-09-11 7:40 ` Jan Beulich
2012-09-10 19:49 ` [PATCH 15/20] xsm: remove unneeded xsm_call macro Daniel De Graaf
2012-09-10 19:49 ` [PATCH 16/20] xsm/flask: add distinct SIDs for self/target access Daniel De Graaf
2012-09-10 19:49 ` [PATCH 17/20] arch/x86: use XSM hooks for get_pg_owner access checks Daniel De Graaf
2012-09-11 7:55 ` Jan Beulich
2012-09-11 13:40 ` Daniel De Graaf
2012-09-11 14:16 ` Jan Beulich
2012-09-11 14:33 ` Daniel De Graaf
2012-09-11 14:50 ` Jan Beulich
2012-09-10 19:49 ` [PATCH 18/20] xen: Add XSM hook for XENMEM_exchange Daniel De Graaf
2012-09-10 19:49 ` [PATCH 19/20] xen: remove rcu_lock_{remote_, }target_domain_by_id Daniel De Graaf
2012-09-11 7:59 ` Jan Beulich
2012-09-10 19:49 ` [PATCH 20/20] flask: add missing operations Daniel De Graaf
2012-09-10 20:51 ` [PATCH v2] Merge IS_PRIV checks into XSM hooks Keir Fraser
2012-09-10 21:10 ` Daniel De Graaf
2012-09-10 21:13 ` [PATCH 21/20] arch/arm: replace rcu_lock_target_domain_by_id with XSM Daniel De Graaf
2012-09-10 21:35 ` [PATCH v2] Merge IS_PRIV checks into XSM hooks Keir Fraser
2012-09-11 8:54 ` Ian Campbell
2012-09-11 13:49 ` Daniel De Graaf [this message]
2012-09-11 8:09 ` Jan Beulich
2012-09-11 13:21 ` Daniel De Graaf
2012-09-11 14:11 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=504F414D.5070504@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=Ian.Campbell@citrix.com \
--cc=keir@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.