From mboxrd@z Thu Jan  1 00:00:00 1970
From: Keir Fraser <keir@xensource.com>
Subject: Re: [Xense-devel][PATCH][1/4] Xen Security Modules: XSM
Date: Fri, 11 May 2007 17:51:32 +0100
Message-ID: <C26A5DA4.EC67%keir@xensource.com>
References: <1178896208.6520.171.camel@moss-walleye.epoch.ncsc.mil>
Mime-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xensource.com>
In-Reply-To: <1178896208.6520.171.camel@moss-walleye.epoch.ncsc.mil>
List-Unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: "George S. Coker, II" <gscoker@alpha.ncsc.mil>, Derek Murray <Derek.Murray@cl.cam.ac.uk>
Cc: xen-devel@lists.xensource.com, Keir Fraser <keir@xensource.com>, xense-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org




On 11/5/07 16:10, "George S. Coker, II" <gscoker@alpha.ncsc.mil> wrote:

>> The untidiest cases are where set_foreigndom() is involved. These
>> involve do_mmu_update(), do_update_va_otherdomain() and some
>> mmuext_ops. In particular, on the do_update_va_otherdomain() path,
>> IS_PRIV is checked twice. It would seem to me that the cleanest way
>> to do this is to have the permission check first (can domain X access
>> MFN Y of domain Z?), then carry out the set_foreigndom() logic.
>> 
> 
> I think I agree.

In this case you theoretically race reuse of the domid, don't you? Actually
you are saved by the RCU mechanism, but why is doing the check after
set_foreigndom() hard? The error path out of e.g., do_mmu_update() will
correctly give up the foreign reference.

 -- Keir