From: Daniel De Graaf
Subject: Re: [PATCH 11/20] xen: use XSM instead of IS_PRIV where duplicated
Date: Tue, 11 Sep 2012 10:10:10 -0400
Message-ID: <504F4642.2080608@tycho.nsa.gov>
References: <1347306553-20980-1-git-send-email-dgdegra@tycho.nsa.gov> <1347306553-20980-12-git-send-email-dgdegra@tycho.nsa.gov> <504F045E020000780009A6B2@nat28.tlf.novell.com>
In-Reply-To: <504F045E020000780009A6B2@nat28.tlf.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich
Cc: Keir Fraser, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 09/11/2012 03:29 AM, Jan Beulich wrote:
>>>> On 10.09.12 at 21:49, Daniel De Graaf wrote:
>> Some checks are removed due to non-obvious duplicates in their callers:
>>
>> * acpi_enter_sleep is checked by its only caller
>> * map_domain_pirq has IS_PRIV_FOR checked in physdev_map_pirq
>
> ... and ioapic_guest_write(). Please have this list complete, as it
> is going to be necessary to fully validate this (now and
> retrospectively once applied) for the absence of security holes.

I'll check callers again when resubmitting; I didn't generate this list
the first time I was doing the checks, so it has obviously missed a few.
The ioapic_guest_write function is checked by PHYSDEVOP_apic_write, so
it's also protected.

>
>> * PHYSDEVOP_alloc_irq_vector is a noop, does not need IS_PRIV
>
> NAK. This nevertheless is a privileged operation (i.e. must not
> succeed for unprivileged guests).

Do we depend on this behavior? Anyway, I'll revert this chunk or replace
it with an xsm hook if there's an appropriate one.

>> * Many PHYSDEVOP access checks are within the implementation functions
>
> For the above named reason, please fully document this.
>

Will do on resubmit.
[snip remainder, addressed in the thread with Ian's reply]
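The point Jan raises above (an operation that is a no-op today still has to fail for an unprivileged caller, and a check dropped from an implementation function must exist in every caller) is illustrated by the added example below. It is not Xen code or part of the thread: `struct domain`, `xsm_physdev_op`, `do_physdev_op` and the `OP_*` values are hypothetical stand-ins for the hypercall dispatcher and an XSM hook, and the privilege check is made once at the dispatcher entry so that each case, including the no-op, inherits it.

```c
#include <errno.h>
#include <stdbool.h>

/* Hypothetical stand-in for Xen's domain structure (not Xen's definition). */
struct domain {
    int id;
    bool is_privileged;   /* stands in for what IS_PRIV() would consult */
};

/* Hypothetical stand-in for an XSM hook: 0 = allowed, -EPERM = denied.
 * A real hook would consult the loaded security module's policy. */
static int xsm_physdev_op(const struct domain *d, int op)
{
    (void)op;
    return d->is_privileged ? 0 : -EPERM;
}

/* Constructed operation numbers for the example; not Xen's PHYSDEVOP_* values. */
enum { OP_ALLOC_IRQ_VECTOR = 1, OP_MAP_PIRQ = 2 };

/* Implementation function with no privilege check of its own: the caller
 * must have checked. This is the "duplicate removed from the callee" case,
 * so every path reaching it has to go through the checked dispatcher. */
static int map_pirq_impl(const struct domain *d, int pirq)
{
    if (pirq < 0 || pirq > 255)
        return -EINVAL;
    return d->id;   /* constructed success value: the owning domain id */
}

/* Dispatcher: the hook runs before the switch, so the no-op case cannot
 * succeed for an unprivileged domain even though it does nothing. */
static int do_physdev_op(const struct domain *d, int op, int arg)
{
    int rc = xsm_physdev_op(d, op);
    if (rc != 0)
        return rc;                 /* -EPERM for unprivileged callers */

    switch (op) {
    case OP_ALLOC_IRQ_VECTOR:
        return 0;                  /* no-op, but still privileged */
    case OP_MAP_PIRQ:
        return map_pirq_impl(d, arg);
    default:
        return -ENOSYS;
    }
}
```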