On 2025-07-30 11:19, Jan Beulich wrote:
> On 16.07.2025 23:14, Jason Andryuk wrote:
>> Untargetable domains are currently hidden from the control domain -
>> e.g. xl list will not show them. getdomaininfo fails on the
>> !is_hypercall_target() check in XSM_TARGET. Add control domain to the
>> XSM_XS_PRIV check so it can pass.
>
> This feels like a pretty gross abuse of XS_PRIV. It once again supports
> my take that the level of granularity you want will require Flask. Or of
> course you could also come up with a new access control mechanism, much
> lighter-weight than Flask, but still not dummy nor SILO.

I considered a new XSM module, but it just seemed so close to the dummy
policy. From my perspective the broad permissions of
xsm_default_action() already implement the coarse permissions we need.
SILO works well because it builds on that and overrides a few hooks. A
new XSM module would need to re-implement ~every hook since
xsm_default_action() needs to change. So expanding xsm_default_action()
seemed like a better approach to try.
> As per my reply to an earlier patch - whether it is okay to prevent e.g.
> "xl list" to see all domains is questionable as well. I'm not seeing
> "interference" there.

Yes, hiding domains from xl list seemed like it was going too far. A
system administrator should be able to see everything running on the
system. That's why this patch allows it.
>> --- a/xen/include/xsm/dummy.h
>> +++ b/xen/include/xsm/dummy.h
>> @@ -87,7 +87,8 @@ static always_inline int xsm_default_action(
>> fallthrough;
>> case XSM_XS_PRIV:
>> if ( action == XSM_XS_PRIV &&
>> - evaluate_nospec(is_xenstore_domain(src)) )
>> + (evaluate_nospec(is_xenstore_domain(src)) ||
>> + is_control_domain(src)) )
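Review bot: the added `is_control_domain(src)` disjunct sits outside the `evaluate_nospec()` wrapper, so only the `is_xenstore_domain(src)` half of the condition is evaluated under the speculation barrier; writing it as `evaluate_nospec(is_xenstore_domain(src) || is_control_domain(src))` keeps the whole predicate covered and matches the single-barrier form suggested for `is_priv_domain()` in patch 2. Note also that this branch is shared by every `XSM_XS_PRIV` check, so the change grants the control domain every xenstore-privileged action, not only the `getdomaininfo` case named in the commit message; the description should state that wider scope.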
>
> Like in patch 2 (in is_priv_domain()), I think this wants collapsing the
> two evaluate_nospec() into a single one.

Ok, thanks.

Regards,
Jason