From patchwork Sun Mar 19 13:41:10 2017
X-Patchwork-Submitter: Konrad Rzeszutek Wilk
X-Patchwork-Id: 9632561
From: Konrad Rzeszutek Wilk
To: xen-devel@lists.xenproject.org, ian.jackson@citrix.com, wei.liu2@citrix.com
Cc: andrew.cooper3@citrix.com, jbeulich@suse.com
Date: Sun, 19 Mar 2017 09:41:10 -0400
Message-Id: <1489930872-7823-4-git-send-email-konrad.wilk@oracle.com>
In-Reply-To: <1489930872-7823-1-git-send-email-konrad.wilk@oracle.com>
References: <1489930872-7823-1-git-send-email-konrad.wilk@oracle.com>
Subject: [Xen-devel] [PATCH v1 3/5] tmem: By default to join a shared pool it must be authorized.

Having an off by default option allowing guests to join _any_ shared pool is not very secure. Let's eliminate tmem_shared_auth bootup option (which was disabled by default) and have the code force this by default.

Signed-off-by: Konrad Rzeszutek Wilk
--- docs/misc/tmem-internals.html | 6 ++---- docs/misc/xen-command-line.markdown | 3 --- xen/common/tmem.c | 4 ++-- xen/common/tmem_xen.c | 3 --- xen/include/xen/tmem_xen.h | 7 ------- 5 files changed, 4 insertions(+), 19 deletions(-) diff --git a/docs/misc/tmem-internals.html b/docs/misc/tmem-internals.html index 2d8635d..9b7e70e 100644 --- a/docs/misc/tmem-internals.html +++ b/docs/misc/tmem-internals.html 
@@ -715,11 +715,9 @@ Ocfs2 has only very limited security; it is assumed that anyone who can access the filesystem bits on the shared disk can mount the filesystem and use it. But in a virtualized data center, higher isolation requirements may apply. -As a result, a Xen boot option -- "tmem_shared_auth" -- was -added. The option defaults to disabled, -but when it is enabled, management tools must explicitly authenticate (or may +As a result, management tools must explicitly authenticate (or may explicitly deny) shared pool access to any client. -On Xen, this is done with the "xm +On Xen, this is done with the "xl tmem-shared-auth" command.

32-bit implementation. diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index bad20db..9c20dad 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -1543,9 +1543,6 @@ pages) must also be specified via the tbuf\_size parameter. ### tmem\_compress > `= ` -### tmem\_shared\_auth -> `= ` - ### tsc > `= unstable | skewed | stable:socket` diff --git a/xen/common/tmem.c b/xen/common/tmem.c index 504e9eb..ff74292 100644 --- a/xen/common/tmem.c +++ b/xen/common/tmem.c @@ -846,7 +846,6 @@ struct client *client_create(domid_t cli_id) client->info.version = TMEM_SPEC_VERSION; client->info.maxpools = MAX_POOLS_PER_DOMAIN; client->info.flags.u.compress = tmem_compression_enabled(); - client->shared_auth_required = tmem_shared_auth(); for ( i = 0; i < MAX_GLOBAL_SHARED_POOLS; i++) client->shared_auth_uuid[i][0] = client->shared_auth_uuid[i][1] = -1L; @@ -1530,7 +1529,8 @@ int do_tmem_new_pool(domid_t this_cli_id, pool->shared = 0; goto out; } - if ( client->shared_auth_required && !tmem_global.shared_auth ) + /* By default only join domains that are authorized by admin. */ + if ( !tmem_global.shared_auth ) { for ( i = 0; i < MAX_GLOBAL_SHARED_POOLS; i++) if ( (client->shared_auth_uuid[i][0] == uuid_lo) && diff --git a/xen/common/tmem_xen.c b/xen/common/tmem_xen.c index 7d60b71..06ce3ef 100644 --- a/xen/common/tmem_xen.c +++ b/xen/common/tmem_xen.c @@ -20,9 +20,6 @@ boolean_param("tmem", opt_tmem); bool_t __read_mostly opt_tmem_compress = 0; boolean_param("tmem_compress", opt_tmem_compress); -bool_t __read_mostly opt_tmem_shared_auth = 0; -boolean_param("tmem_shared_auth", opt_tmem_shared_auth); - atomic_t freeable_page_count = ATOMIC_INIT(0); /* these are a concurrency bottleneck, could be percpu and dynamically diff --git a/xen/include/xen/tmem_xen.h b/xen/include/xen/tmem_xen.h index 70cc108..dc5888c 100644 --- a/xen/include/xen/tmem_xen.h +++ b/xen/include/xen/tmem_xen.h 
@@ -41,12 +41,6 @@ static inline bool_t tmem_compression_enabled(void) return opt_tmem_compress; } -extern bool_t opt_tmem_shared_auth; -static inline bool_t tmem_shared_auth(void) -{ - return opt_tmem_shared_auth; -} - #ifdef CONFIG_TMEM extern bool_t opt_tmem; static inline bool_t tmem_enabled(void) @@ -291,7 +285,6 @@ struct client { long eph_count, eph_count_max; domid_t cli_id; xen_tmem_client_t info; - bool_t shared_auth_required; /* For save/restore/migration. */ bool_t was_frozen; struct list_head persistent_invalidated_list;
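Review bot: in the docs/misc/tmem-internals.html hunk the rewritten sentence reads as if explicit authentication had always been required, because the text about the "tmem_shared_auth" option and its disabled default is dropped without replacement. Add a sentence saying the requirement is now unconditional, so that a reader coming from the old default knows a client has to be authorized with "xl tmem-shared-auth" before it can join a shared pool.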
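Review bot: the docs/misc/xen-command-line.markdown and xen/common/tmem_xen.c hunks remove the tmem_shared_auth entry and its boolean_param() line, but nothing in the patch tells an admin who still has tmem_shared_auth on the hypervisor command line what to expect. The commit message should state that the option no longer exists and that shared pool authorization is always enforced, so the stale parameter can be dropped from boot configurations.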
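Review bot: in the client_create() hunk of xen/common/tmem.c the shared_auth_uuid[i][0] and [i][1] slots are still initialised to -1L as the "unused" marker, and with this patch the comparison against uuid_lo in do_tmem_new_pool() runs for every client rather than only when shared_auth_required was set. Please document, in a comment or with an explicit check next to the loop, that the all-ones value is reserved and is never accepted as a pool UUID supplied by a guest.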
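Review bot: the comment added in the do_tmem_new_pool() hunk says "only join domains that are authorized by admin", but what is joined is a shared pool and what is authorized is the client for a given UUID. It also leaves out that the per-client lookup is skipped entirely when tmem_global.shared_auth is set, which is the one remaining way around the check. Suggested wording: "A client may join a shared pool only if the admin authorized it for this UUID, unless tmem_global.shared_auth is set."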