From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Ian Campbell <Ian.Campbell@eu.citrix.com>
Cc: "paolo.valente@unimore.it" <paolo.valente@unimore.it>,
Keir Fraser <keir@xen.org>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
"xen.org" <Ian.Jackson@eu.citrix.com>,
Dario Faggioli <dario.faggioli@citrix.com>,
Julien Grall <julien.grall@linaro.org>, Tim Deegan <tim@xen.org>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Julien Grall <julien.grall@citrix.com>,
Eric Trudeau <etrudeau@broadcom.com>,
Jan Beulich <JBeulich@suse.com>,
Arianna Avanzini <avanzini.arianna@gmail.com>,
"viktor.kleinik@globallogic.com" <viktor.kleinik@globallogic.com>
Subject: Re: [PATCH v4 7/7] tools, libxl: handle the iomem parameter with the memory_mapping hcall
Date: Wed, 02 Apr 2014 10:14:47 -0400
Message-ID: <533C1B57.9040201@tycho.nsa.gov>
In-Reply-To: <1396431945.8667.281.camel@kazak.uk.xensource.com>
On 04/02/2014 05:45 AM, Ian Campbell wrote:
> On Tue, 2014-04-01 at 16:52 -0400, Daniel De Graaf wrote:
>> Currently, XEN_DOMCTL_memory_mapping is allowed to device model domains
>> whereas XEN_DOMCTL_iomem_permission is restricted to dom0 only. This is
>> probably the reason why an iomem_access_permitted check is not present
>> in XEN_DOMCTL_iomem_permission.
>>
>> If FLASK is enabled, both domctls do the same permission checking based
>> on the security label of the memory range: that the current domain has
>> the RESOURCE__{ADD,REMOVE}_IOMEM permission, and the target domain has
>> the RESOURCE__USE permission. This prevents the sock-puppet method from
>> being used to permit arbitrary accesses to created domains, but requires
>> that these restrictions be done at the granularity of the security
>> labels, which may not be as flexible as preferred in some setups.
>
> So the builder domain would have permission per iomem_access_permitted
> to use the range, but would not actually be able to do so due to lack of
> RESOURCE__USE?
Without changes, the domain builder would not need to have permission per
the rangeset. Since the modification to the rangeset is what triggers the
RESOURCE__USE check, if the domain builder did not have USE then it would
not pass iomem_access_permitted. With the access check added, the USE
permission would be required for the add/remove permissions to do
anything. The permission isn't a complete subset because any relabeling
of resources makes this more complicated.
> And it can give that access to someone else by virtue of
> RESOURCE__{ADD,REMOVE}_IOMEM?
Right.
>> While the current design does allow for a domain builder to manage
>> resources that it cannot directly use on its own, I don't think this was
>> ever really a design decision. There are few (if any) security gains
>> from being able to block a domain builder from accessing resources if it
>> can create domains that access these resources, since it can just create
>> sock-puppet domains or corrupt the domain with access.
>
> Right.
>
>> I think changing XEN_DOMCTL_iomem_permission to require the current
>> domain to pass an iomem_access_permitted check before permitting access
>> is reasonable. It will require some adjustments to my domain builder
>> series which currently relies on the old behavior, but those should be
>> fairly simple (cloning the rangesets instead of swapping). If this
>> change is made, I think similar changes to the other rangeset domctls
>> (irq, ioport) should be done at the same time.
>
> Yes, consistency here would be good.
>
> Ian.
--
Daniel De Graaf
National Security Agency
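The rangeset check the thread is discussing, as an added illustration written for this page (it is a model, not Xen source): a per-domain iomem_caps rangeset is reduced to a fixed-size array, the dom0-only restriction on XEN_DOMCTL_iomem_permission is modelled by a boolean flag rather than the real XSM/IS_PRIV check, and the FLASK RESOURCE__* checks are left out. The "current" function grants a range to a target without consulting the caller's own rangeset; the "proposed" one adds the iomem_access_permitted check on the caller that Daniel agrees to above, which is what closes the sock-puppet path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a per-domain iomem_caps rangeset: inclusive [s, e] machine frame
 * ranges the domain may map.  A fixed array stands in for Xen's rangeset. */
#define MAX_RANGES 8

typedef struct { uint64_t s, e; } range_t;

typedef struct {
    const char *name;
    bool is_dom0;              /* stands in for the dom0-only restriction */
    range_t caps[MAX_RANGES];
    size_t ncaps;
} domain_t;

/* Model of rangeset_contains_range(d->iomem_caps, s, e). */
static bool iomem_access_permitted(const domain_t *d, uint64_t s, uint64_t e)
{
    for (size_t i = 0; i < d->ncaps; i++)
        if (s >= d->caps[i].s && e <= d->caps[i].e)
            return true;
    return false;
}

static int iomem_permit_access(domain_t *d, uint64_t s, uint64_t e)
{
    if (s > e)
        return -EINVAL;
    if (d->ncaps == MAX_RANGES)
        return -ENOSPC;
    d->caps[d->ncaps++] = (range_t){ s, e };
    return 0;
}

/* Behaviour the thread describes as current: only dom0 may call, and the
 * caller's own iomem_caps are never consulted. */
static int iomem_permission_current(domain_t *cur, domain_t *tgt,
                                    uint64_t s, uint64_t e)
{
    if (!cur->is_dom0)
        return -EPERM;
    return iomem_permit_access(tgt, s, e);
}

/* Change proposed in the thread: the caller must itself pass
 * iomem_access_permitted() for the range before it can grant it. */
static int iomem_permission_proposed(domain_t *cur, domain_t *tgt,
                                     uint64_t s, uint64_t e)
{
    if (!cur->is_dom0)
        return -EPERM;
    if (!iomem_access_permitted(cur, s, e))
        return -EPERM;
    return iomem_permit_access(tgt, s, e);
}

/* Constructed scenario: a builder that may only touch [0x2000,0x2fff] tries
 * to hand [0x1000,0x1fff] to a guest it created (the sock-puppet case).
 * Returns true if the guest ends up with access. */
bool sockpuppet_grant_succeeds(bool proposed)
{
    domain_t builder = { .name = "builder", .is_dom0 = true };
    domain_t guest = { .name = "guest" };
    iomem_permit_access(&builder, 0x2000, 0x2fff);
    int rc = proposed ? iomem_permission_proposed(&builder, &guest, 0x1000, 0x1fff)
                      : iomem_permission_current(&builder, &guest, 0x1000, 0x1fff);
    return rc == 0 && iomem_access_permitted(&guest, 0x1000, 0x1fff);
}

/* The same builder granting a sub-range it does hold: allowed either way. */
bool legitimate_grant_succeeds(bool proposed)
{
    domain_t builder = { .name = "builder", .is_dom0 = true };
    domain_t guest = { .name = "guest" };
    iomem_permit_access(&builder, 0x2000, 0x2fff);
    int rc = proposed ? iomem_permission_proposed(&builder, &guest, 0x2100, 0x21ff)
                      : iomem_permission_current(&builder, &guest, 0x2100, 0x21ff);
    return rc == 0 && iomem_access_permitted(&guest, 0x2100, 0x21ff);
}

int main(void)
{
    printf("sock-puppet grant, current rule:  %s\n",
           sockpuppet_grant_succeeds(false) ? "allowed" : "denied");
    printf("sock-puppet grant, proposed rule: %s\n",
           sockpuppet_grant_succeeds(true) ? "allowed" : "denied");
    printf("legitimate grant, proposed rule:  %s\n",
           legitimate_grant_succeeds(true) ? "allowed" : "denied");
    return 0;
}
```

The model makes the point of the exchange concrete: under the current rule a builder can confer access it does not hold on a domain it controls, so denying it direct access buys nothing; under the proposed rule the caller's rangeset bounds what it can hand out, which is the same invariant Daniel's builder series will need to preserve by cloning rangesets rather than swapping them.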