From: George Dunlap <george.dunlap@citrix.com>
To: xen-devel@lists.xenproject.org
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
Konrad Wilk <konrad.wilk@oracle.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Tim Deegan <tim@xen.org>,
George Dunlap <george.dunlap@citrix.com>,
Ross Lagerwall <ross.lagerwall@citrix.com>,
Julien Grall <julien.grall@arm.com>,
Jan Beulich <jbeulich@suse.com>,
Anthony Perard <anthony.perard@citrix.com>,
Ian Jackson <ian.jackson@citrix.com>
Subject: [PATCH v4 2/6] SUPPORT.md: Add qemu-depriv section
Date: Mon, 5 Nov 2018 18:07:07 +0000 [thread overview]
Message-ID: <20181105180711.20322-2-george.dunlap@citrix.com> (raw)
In-Reply-To: <20181105180711.20322-1-george.dunlap@citrix.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
---
Changes since v3:
- Moved from the qemu-depriv doc patches.
- Reword to include the possibility of having a non-dom0 "devicemodel"
domain which may want to be protected
- Specify `Linux dom0` as the currently-tech-supported window
CC: Ian Jackson <ian.jackson@citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Tim Deegan <tim@xen.org>
CC: Konrad Wilk <konrad.wilk@oracle.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien.grall@arm.com>
CC: Anthony Perard <anthony.perard@citrix.com>
CC: Ross Lagerwall <ross.lagerwall@citrix.com>
---
SUPPORT.md | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/SUPPORT.md b/SUPPORT.md
index 4f203da84a..1f0f5857a7 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -525,6 +525,26 @@ Vulnerabilities of a device model stub domain
to a hostile driver domain (either compromised or untrusted)
are excluded from security support.
+### Device Model Deprivileging
+
+ Status, Linux dom0: Tech Preview, with limited support
+
+This means adding extra restrictions to a device model in order to
+prevent a compromised device model from attack the rest of the domain
+it's running in (normally dom0).
+
+"Tech preview with limited support" means we will not issue XSAs for
+the _additional_ functionality provided by the feature; but we will
+issue XSAs in the event that enabling this feature opens up a security
+hole that would not be present without the feature disabled.
+
+For example, while this is classified as tech preview, a bug in libxl
+which failed to change the user ID of QEMU would not receive an XSA,
+since without this feature the user ID wouldn't be changed. But a
+change which made it possible for a compromised guest to read
+arbitrary files on the host filesystem without compromising QEMU would
+be issued an XSA, since that does weaken security.
+
### KCONFIG Expert
Status: Experimental
--
2.19.1
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2018-11-05 18:08 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-05 18:07 [PATCH v4 1/6] docs/qemu-deprivilege: Revise and update with status and future plans George Dunlap
2018-11-05 18:07 ` George Dunlap [this message]
2018-11-06 9:08 ` [PATCH v4 2/6] SUPPORT.md: Add qemu-depriv section Paul Durrant
2018-11-06 12:14 ` George Dunlap
2018-11-06 11:50 ` Ian Jackson
2018-11-05 18:07 ` [PATCH v4 3/6] tools/dm_restrict: Ask QEMU to chroot George Dunlap
2018-11-06 9:14 ` Paul Durrant
2018-11-06 10:28 ` George Dunlap
2018-11-06 10:53 ` Paul Durrant
2018-11-06 11:11 ` Anthony PERARD
2018-11-06 11:12 ` Paul Durrant
2018-11-05 18:07 ` [PATCH v4 4/6] tools/dm_restrict: Unshare mount and IPC namespaces on Linux George Dunlap
2018-11-06 9:16 ` Paul Durrant
2018-11-06 10:29 ` George Dunlap
2018-11-05 18:07 ` [PATCH v4 5/6] tools/dm_depriv: Add first cut RLIMITs George Dunlap
2018-11-06 9:22 ` Paul Durrant
2018-11-06 10:39 ` George Dunlap
2018-11-06 11:52 ` Ian Jackson
2018-11-05 18:07 ` [PATCH v4 6/6] RFC: test/depriv: Add a tool to check process-level depriv George Dunlap
2018-11-06 9:34 ` Paul Durrant
2018-11-06 10:43 ` George Dunlap
2018-11-05 18:08 ` [PATCH v4 1/6] docs/qemu-deprivilege: Revise and update with status and future plans George Dunlap
2018-11-06 9:07 ` Paul Durrant
2018-11-06 11:06 ` Anthony PERARD
2018-11-06 11:50 ` Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181105180711.20322-2-george.dunlap@citrix.com \
--to=george.dunlap@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=anthony.perard@citrix.com \
--cc=ian.jackson@citrix.com \
--cc=jbeulich@suse.com \
--cc=julien.grall@arm.com \
--cc=konrad.wilk@oracle.com \
--cc=ross.lagerwall@citrix.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).