From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: wei.liu2@citrix.com, ian.campbell@citrix.com,
andrew.cooper3@citrix.com, ian.jackson@eu.citrix.com,
mpohlack@amazon.de, xen-devel@lists.xenproject.org,
dgdegra@tycho.nsa.gov
Subject: Re: [PATCH v2 1/3] xsm/xen_version: Add XSM for the xen_version hypercall.
Date: Mon, 11 Jan 2016 11:01:46 -0500 [thread overview]
Message-ID: <20160111160146.GC10641@char.us.oracle.com> (raw)
In-Reply-To: <56937DCE02000078000C5516@prv-mh.provo.novell.com>
On Mon, Jan 11, 2016 at 02:02:54AM -0700, Jan Beulich wrote:
> >>> On 08.01.16 at 18:31, <konrad.wilk@oracle.com> wrote:
> >> >> > The rest: XENVER_[version|capabilities|
> >> >> > parameters|get_features|page_size|guest_handle] behave
> >> >> > as before - allowed by default for all guests.
> >> >> >
> >> >> > This is with the XSM default policy and with the dummy ones.
> >> >>
> >> >> And with a non-default policy you now ignore one of the latter
> >> >> ops to also get denied.
> >> >
> >> > No, but that is due to the 'deny' being only checked for certain subops.
> >>
> >> To me this reply seems contradictory in itself: The "no" doesn't
> >> seem to match up with the rest.
> >>
> >> > I think what you are saying is that for XENVER_[version|capabilities|
> >> > parameters|get_features|page_size|guest_handle] we should not have any
> >> > XSM checks as they serve no purpose (which is what I had in the earlier
> >> > versions of this patch). However Andrew mentioned that he would
> >> > like _ALL_ of the sub-ops to be checked for.
> >>
> >> And I agree with Andrew, hence my earlier comment above (with
> >> the reply I can't really make sense of).
> >
> > I am all confused now.
> >
> > There are two parts here:
> > a) The XSM checks - which allow the XENVER_version..XENVER_guest_handle
> > without any hinderance. For XENVER_commandline and XENVER_buildid
> > they are evaluated.
> >
> > b) Acting on the XSM check. For most of them we cannot actually return
> > -EFAULT and MUST return either an valid value or some form of a string.
> >
> > The ones for which we could return '<denied>' were changeset, compile_info,
> > commandline, extraversion. To make it simpler we only do it for
> > commandline.
> >
> > In essence we have an XSM check which is ignored by all XENVER_ subops
> > except commandline (and build_id in later patch).
> >
> > I think both of you are OK with that?
>
> Iirc Andrew's request was to honor XSM denies on any sub-op
> when a non-default policy is in place. Whereas in default mode
> only command line and build id are the ones clearly needing
> restricting. Which won't be possible if you ignore the return
> value of the XSM check in some of the cases.
That means we need two (as earlier patches had it) version labels.
One for the command_line and build_id (version_priv) and one for
the rest (version_use). By default version_use would be available
to every guest. If a non-default policy wants to mess with it - that is OK.
Now comes the big question - for the XENVER_[version|capabilities|
parameters|get_features|page_size|guest_handle] - if it is denied
(so non-default version_use policy) - what should we return?
I can return '<denied>' for the strings, but what should we do
for the page_size, capabilities and guest_handle ? -EPERM?
Or leave those out of the version_use check? (so do not act on
XSM check on those?)
>
> Jan
>
next prev parent reply other threads:[~2016-01-11 16:02 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-06 19:36 [PATCH v2] Add build-id to XENVER hypercall Konrad Rzeszutek Wilk
2015-11-06 19:36 ` [PATCH v2 1/3] xsm/xen_version: Add XSM for the xen_version hypercall Konrad Rzeszutek Wilk
2015-11-10 12:29 ` Jan Beulich
2016-01-06 17:41 ` Konrad Rzeszutek Wilk
2016-01-07 7:35 ` Jan Beulich
2016-01-08 17:31 ` Konrad Rzeszutek Wilk
2016-01-11 9:02 ` Jan Beulich
2016-01-11 16:01 ` Konrad Rzeszutek Wilk [this message]
2016-01-11 16:17 ` Jan Beulich
2016-01-12 16:37 ` Konrad Rzeszutek Wilk
2016-01-12 16:42 ` Jan Beulich
2015-11-10 19:51 ` Daniel De Graaf
2015-11-16 19:02 ` Konrad Rzeszutek Wilk
2016-01-06 17:49 ` Konrad Rzeszutek Wilk
2015-11-06 19:36 ` [PATCH v2 2/3] XENVER_build_id: Provide ld-embedded build-ids Konrad Rzeszutek Wilk
2015-11-09 17:26 ` Ross Lagerwall
2015-11-10 16:49 ` Jan Beulich
2016-01-06 17:27 ` Konrad Rzeszutek Wilk
2016-01-07 7:42 ` Jan Beulich
2015-11-06 19:36 ` [PATCH v2 3/3] libxl: info: Display build_id of the hypervisor Konrad Rzeszutek Wilk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160111160146.GC10641@char.us.oracle.com \
--to=konrad.wilk@oracle.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=mpohlack@amazon.de \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).