From mboxrd@z Thu Jan  1 00:00:00 1970
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [PATCH 16/18] arch/x86: use XSM hooks for
 get_pg_owner access checks
Date: Tue, 07 Aug 2012 09:44:06 -0400
Message-ID: <50211BA6.1040607@tycho.nsa.gov>
References: <1344263550-3941-1-git-send-email-dgdegra@tycho.nsa.gov>
	<1344263550-3941-17-git-send-email-dgdegra@tycho.nsa.gov>
	<501FFE560200007800092FBA@nat28.tlf.novell.com>
	<501FF0EB.1000900@tycho.nsa.gov>
	<5020D80402000078000931A4@nat28.tlf.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <5020D80402000078000931A4@nat28.tlf.novell.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich <JBeulich@suse.com>
Cc: xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 08/07/2012 02:55 AM, Jan Beulich wrote:
>>>> On 06.08.12 at 18:29, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
>> On 08/06/2012 11:26 AM, Jan Beulich wrote:
>>>>>> On 06.08.12 at 16:32, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
>>>> +static XSM_DEFAULT(int, mmuext_op) (struct domain *d, struct domain *f)
>>>> +{
>>>> +    if ( d != f && !IS_PRIV_FOR(d, f) )
>>>> +        return -EPERM;
>>>
>>> ... Dom0 is neither privileged for DOM_IO nor for DOM_XEN.
>>
>> Actually, it is. IS_PRIV_FOR returns true for any domain when called from an
>> IS_PRIV domain.
> 
> That's a side effect of the current way of handling this, not
> something that is either logical or designed to be that way (it
> certainly is bogus even now for DOM_XEN, and with
> disaggregation - afaiu your plans - it'll also become bogus for
> DOM_IO, where right now one could consider it half-way
> correct).
> 
> Jan
> 

In that case, I think it would make sense to modify these XSM hooks
when IS_PRIV_FOR is changed to not short-circuit on DOM_IO/DOM_XEN.
If you're suggesting changing the condition to something like
  ( d != f && !(IS_PRIV_FOR(d, f) || IS_PRIV(d)) )
I could do that, but I think that type of change would be best done
in another patch actually making IS_PRIV_FOR(dom0, DOM_XEN) == false.

-- 
Daniel De Graaf
National Security Agency