diff mbox series

[v2,1/7] xen/xsm: make getdomaininfo xsm dummy checks more stringent

Message ID 20241206130221.17773-2-jgross@suse.com (mailing list archive)
State New
Series remove libxenctrl usage from xenstored

Commit Message

Jürgen Groß Dec. 6, 2024, 1:02 p.m. UTC
Today the dummy XSM privilege checks for getdomaininfo are less
stringent than possible: they basically rely on the general
sysctl/domctl entry check to do all tests and then do the test with
the XSM_HOOK privilege, which is an "allow all" default.

Instead of XSM_HOOK use XSM_XS_PRIV, which is the privilege really
wanted. Note that this test is still wider than the sysctl entry test,
but there is now easy way to make both domctl and sysctl happy at the
same time.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
V2:
- new patch
---
 xen/common/domctl.c     | 2 +-
 xen/common/sysctl.c     | 2 +-
 xen/include/xsm/dummy.h | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

Comments

Daniel P. Smith Dec. 6, 2024, 1:05 p.m. UTC | #1
On 12/6/24 08:02, Juergen Gross wrote:
> Today the dummy XSM privilege checks for getdomaininfo are less
> stringent than possible: they basically rely on the general
> sysctl/domctl entry check to do all tests and then do the test with
> the XSM_HOOK privilege, which is an "allow all" default.
> 
> Instead of XSM_HOOK use XSM_XS_PRIV, which is the privilege really
> wanted. Note that this test is still wider than the sysctl entry test,
> but there is now easy way to make both domctl and sysctl happy at the
> same time.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>

Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>

Patch

diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index ea16b75910..444e072fdc 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -539,7 +539,7 @@  long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
         break;
 
     case XEN_DOMCTL_getdomaininfo:
-        ret = xsm_getdomaininfo(XSM_HOOK, d);
+        ret = xsm_getdomaininfo(XSM_XS_PRIV, d);
         if ( ret )
             break;
 
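Review bot: The commit message does not say which existing callers of XEN_DOMCTL_getdomaininfo can now be refused at `ret = xsm_getdomaininfo(XSM_XS_PRIV, d);`, where the previous XSM_HOOK argument was an "allow all" default. On failure `ret` reaches the caller through the `break`, so any refusal is a visible behaviour change. Please state in the commit message whether a caller that passes the general domctl entry check can fail here; the message only makes that comparison for the sysctl entry test.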
diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c
index d02f44fe3a..c2d99ae12e 100644
--- a/xen/common/sysctl.c
+++ b/xen/common/sysctl.c
@@ -89,7 +89,7 @@  long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
             if ( num_domains == op->u.getdomaininfolist.max_domains )
                 break;
 
-            if ( xsm_getdomaininfo(XSM_HOOK, d) )
+            if ( xsm_getdomaininfo(XSM_XS_PRIV, d) )
                 continue;
 
             getdomaininfo(d, &info);
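Review bot: A comment is missing at `if ( xsm_getdomaininfo(XSM_XS_PRIV, d) )`: a failing check hits `continue`, so the domain is silently left out of the returned list instead of producing an error. The commit message says XSM_XS_PRIV is still wider than the sysctl entry test, which implies this check cannot fail under the dummy policy for a caller that got this far. A one-line comment saying so would keep readers from treating the loop as a per-domain filter in the dummy case.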
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 7956f27a29..f8a3c4b81e 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -137,7 +137,7 @@  static XSM_INLINE int cf_check xsm_domain_create(
 static XSM_INLINE int cf_check xsm_getdomaininfo(
     XSM_DEFAULT_ARG struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
+    XSM_ASSERT_ACTION(XSM_XS_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
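Review bot: xsm_getdomaininfo() has no comment explaining why `XSM_ASSERT_ACTION(XSM_XS_PRIV);` is the expected action; the rationale (one helper shared by the domctl and sysctl paths, so the privilege is deliberately wider than the sysctl entry test) lives only in the commit message. Suggest a short comment above the function recording that, and noting that the call sites in domctl.c and sysctl.c must pass the same action value as the assert.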