From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Keir Fraser <keir.xen@gmail.com>
Cc: xen-devel@lists.xen.org
Subject: Re: [PATCH 12/18] xsm: Add missing domctl and mem_sharing hooks
Date: Mon, 06 Aug 2012 15:30:43 -0400
Message-ID: <50201B63.20408@tycho.nsa.gov>
In-Reply-To: <CC45D14D.3A904%keir.xen@gmail.com>

On 08/06/2012 02:53 PM, Keir Fraser wrote:
> When someone wants to add a new domctl/sysctl, how many places will they
> have to add things to ensure that xsm dtrt for a basic setup, allowing only
> dom0 access to the new op? How big is the risk that we end up with new ops
> that have no access control?

Short answer: 3 files (xsm.h, dummy.h, dummy.c); 13 lines including whitespace.

Long answer: there are a couple ways to add access controls:

1. Add an explicit IS_PRIV check. That's pretty much what occurs before this
   series, only the IS_PRIV is at the top of the hypercall for domctl and sysctl.
   This is the least preferred, but is trivially correct for the new patch and
   fairly easy to wire up as an XSM hook in the future.
2. Reuse an existing XSM hook. This requires no changes except at the
   caller, but requires that a suitable hook exist to reuse. There are generic
   hooks like xsm_domctl(), but it's best not to just create dumping grounds
   for permissions if we ever want to allow subsets of them to different domains.
   This is probably best for incremental modifications or trivial features.
3. Add a new XSM hook. This requires adding a hook function in xsm.h and a
   default implementation in dummy.h/dummy.c. The changes made in this patch
   to FLASK would not be required, as XSM will fall back to the dummy
   implementation when the FLASK module doesn't provide its own hook.

Patch #13 (tmem) is a good example of adding a single hook; all changes with
/flask/ could be done in a later patch implementing new FLASK permissions.

If you're adding a new function, the only way to compile both with and without
XSM enabled is to add functions in dummy.h, dummy.c, and xsm.h; incomplete
implementations will yield a compilation error in one of those cases.

One patch I haven't included in this series is adding automatic generation of
the xen/xsm/flask/include/av_*.h files from tools/flask/policy/policy/flask/*;
this simplifies adding the FLASK part of the XSM hook. The auto-generation
is in tools/flask/policy/policy/flask/Makefile, just not wired in to the xen
build.

-- 
Daniel De Graaf
National Security Agency
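
The fallback described in option 3, as an added example that is not part of the original message and is not Xen source: a simplified C model in which a security module written before a new hook existed still gets a privileged-only default for it. Every struct, function and field name below is hypothetical, and the default is assumed to be a plain privilege check.

```c
/* Simplified model of the hook/default fallback; all names are hypothetical. */
#include <errno.h>
#include <stdio.h>

struct domain_model { int id; int is_privileged; };

/* "xsm.h" side: the table of hooks a security module may implement. */
struct xsm_ops_model {
    int (*domctl)(const struct domain_model *cur, const struct domain_model *tgt);
    int (*newop)(const struct domain_model *cur, const struct domain_model *tgt);
};

/* "dummy.h" side: default policy, modelled as an IS_PRIV-style check. */
static int dummy_priv_only(const struct domain_model *cur,
                           const struct domain_model *tgt)
{
    (void)tgt;
    return cur->is_privileged ? 0 : -EPERM;
}

/* "dummy.c" side: every hook the module left unset gets the default. */
static void fixup_ops(struct xsm_ops_model *ops)
{
    if (!ops->domctl) ops->domctl = dummy_priv_only;
    if (!ops->newop)  ops->newop  = dummy_priv_only;
}

/* A module standing in for FLASK that predates the newop hook. */
static int module_domctl(const struct domain_model *cur,
                         const struct domain_model *tgt)
{
    (void)cur; (void)tgt;
    return 0; /* the module's own policy decision would go here */
}
static struct xsm_ops_model module_ops = { .domctl = module_domctl };

/* Caller side: the new operation runs only if the hook returns 0. */
static int do_newop(const struct domain_model *cur, const struct domain_model *tgt)
{
    fixup_ops(&module_ops);
    return module_ops.newop(cur, tgt);
}

int main(void)
{
    struct domain_model dom0 = { 0, 1 }, domU = { 5, 0 };
    printf("dom0 -> %d, domU -> %d\n", do_newop(&dom0, &domU), do_newop(&domU, &dom0));
    return 0;
}
```

In this model a hook that is missing from the module's table cannot end up as an unchecked operation, because the fixup step always installs the default.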

Thread overview: 41+ messages
2012-08-06 14:32 [PATCH 00/18] RFC: Merge IS_PRIV checks into XSM hooks Daniel De Graaf
2012-08-06 14:32 ` [PATCH 01/18] xsm/flask: remove inherited class attributes Daniel De Graaf
2012-08-06 14:32 ` [PATCH 02/18] xsm/flask: remove unneeded create_sid field Daniel De Graaf
2012-08-06 14:32 ` [PATCH 03/18] xsm/flask: add domain relabel support Daniel De Graaf
2012-08-06 14:32 ` [PATCH 04/18] libxl: introduce XSM relabel on build Daniel De Graaf
2012-08-06 14:32 ` [PATCH 05/18] flask/policy: Add domain relabel example Daniel De Graaf
2012-08-06 14:32 ` [PATCH 06/18] xsm, arch/x86: add distinct XSM hooks for map/unmap Daniel De Graaf
2012-08-06 14:32 ` [PATCH 07/18] arch/x86: add missing XSM checks to XENPF_ commands Daniel De Graaf
2012-08-06 14:57   ` Jan Beulich
2012-08-06 15:06     ` Daniel De Graaf
2012-08-06 14:32 ` [PATCH 08/18] xen: Add DOMID_SELF support to rcu_lock_domain_by_id Daniel De Graaf
2012-08-06 15:07   ` Jan Beulich
2012-08-06 15:19     ` Daniel De Graaf
2012-08-06 15:50       ` Jan Beulich
2012-08-06 16:38         ` Daniel De Graaf
2012-08-07  7:00           ` Jan Beulich
2012-08-06 14:32 ` [PATCH 09/18] xsm/flask: Add checks on the domain performing the set_target operation Daniel De Graaf
2012-08-06 14:32 ` [PATCH 10/18] xsm: Add IS_PRIV checks to dummy XSM module Daniel De Graaf
2012-08-06 14:32 ` [PATCH 11/18] xen: use XSM instead of IS_PRIV where duplicated Daniel De Graaf
2012-08-06 15:18   ` Jan Beulich
2012-08-06 15:25     ` Daniel De Graaf
2012-08-06 15:53       ` Jan Beulich
2012-08-06 14:32 ` [PATCH 12/18] xsm: Add missing domctl and mem_sharing hooks Daniel De Graaf
2012-08-06 18:53   ` Keir Fraser
2012-08-06 19:30     ` Daniel De Graaf [this message]
2012-08-06 14:32 ` [PATCH 13/18] tmem: Add access control check Daniel De Graaf
2012-08-06 14:32 ` [PATCH 14/18] xsm: remove unneeded xsm_call macro Daniel De Graaf
2012-08-06 14:32 ` [PATCH 15/18] xsm/flask: add distinct SIDs for self/target access Daniel De Graaf
2012-08-06 14:32 ` [PATCH 16/18] arch/x86: use XSM hooks for get_pg_owner access checks Daniel De Graaf
2012-08-06 15:26   ` Jan Beulich
2012-08-06 16:29     ` Daniel De Graaf
2012-08-07  6:55       ` Jan Beulich
2012-08-07 13:44         ` Daniel De Graaf
2012-08-07 13:56           ` Jan Beulich
2012-08-06 14:32 ` [PATCH 17/18] xen: Add XSM hook for XENMEM_exchange Daniel De Graaf
2012-08-06 14:32 ` [PATCH 18/18] xen: remove rcu_lock_target_domain_by_id Daniel De Graaf
2012-08-07  5:12 ` [PATCH 00/18] RFC: Merge IS_PRIV checks into XSM hooks Shakeel Butt
2012-08-07 17:46   ` Daniel De Graaf
2012-08-07 18:07     ` Shakeel Butt
2012-08-07 18:06       ` Konrad Rzeszutek Wilk
2012-08-07 18:20       ` Daniel De Graaf