xenbits.xensource.com Git - people/liuw/libxenctrl-split/xen.git/commit

tools/libs/*: Introduce APIs to restrict handles to a specific domain.

These are intended to allow user space processes (in particular QEMU)
to lock down all the handles at start of day and then drop the
privileges which would allow them to open any new unrestricted handles
(e.g. setuid or similar). This will reduce the privileges which taking
over such a process would gain an attacker wrt other domains in the
system.

These are currently unimplemented on all platforms, however the API
semantics are defined as the basis for discussion, and so that
consumers can rely on this interface always having been present rather
than requiring compile time API checks.

It is expected that these will be implemented by adding new ioctl
calls on the underlying driver and that the restrictions will be
enforced at the kernel interface layer (most likely by the kernel
itself).

For evtchn, foreignmemory, gnttab and gntshr this is hopefully
reasonably straightforward.

For call it is not so clear cut. Clearly the kernel cannot enforce
these restrictions for hypercalls which are not stable (domctl et al)
so they can never be on the whitelist. It may also be that potential
users would like to restrict the handle further than just a given
target domain, i.e. to a specific set of functionality (e.g. "things a
device model might reasonably do"). I think we will also need some way
to discover whether a given set of interfaces is available to a
restricted handle, in order to support the addition of new
functionality.

Notes:

- On many (all?) platforms libxencall and libxenforeignmemory are
  implemented by the same underlying privcmd driver. The platform
  level ioctl interface should support restricting the handle to only
  one or the other.
- On platforms with multiple privilege mapping ioctl variants should
  consider only allowing the newest/currently preferred one on a
  restricted handle. e.g. on Linux this would allow
  IOCTL_PRIVCMD_MMAPBATCH_V2 but not IOCTL_PRIVCMD_MMAPBATCH. (Of
  course any subsequently introduced _V3 would be subject to
  compatibility concerns)

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
---
v8: New

This applies on top of the Xen portion of "Begin to disentangle
libxenctrl and provide some stable libraries", v7, plus a couple of
minor fixes which will be in v8. All of this can be found in the
"vwip" branch of the tree referenced by that series at
git://xenbits.xen.org/people/ianc/libxenctrl-split/xen.git.

author	Ian Campbell <ian.campbell@citrix.com>
	Wed, 16 Dec 2015 16:49:17 +0000 (16:49 +0000)
committer	Ian Campbell <ian.campbell@citrix.com>
	Wed, 10 Feb 2016 12:45:24 +0000 (12:45 +0000)
commit	20cb51c39dccdbc23ba075030d7bb635e2883ece
tree	9c9a2aaae3c761fb431fb276db4d27b8b4c29783	tree
parent	01dfef3993bc51dd8432bd7868a6527f4599ca93	commit \| diff

tools/libs/call/core.c		diff \| blob \| blame \| history
tools/libs/call/include/xencall.h		diff \| blob \| blame \| history
tools/libs/call/libxencall.map		diff \| blob \| blame \| history
tools/libs/evtchn/core.c		diff \| blob \| blame \| history
tools/libs/evtchn/include/xenevtchn.h		diff \| blob \| blame \| history
tools/libs/evtchn/libxenevtchn.map		diff \| blob \| blame \| history
tools/libs/foreignmemory/core.c		diff \| blob \| blame \| history
tools/libs/foreignmemory/include/xenforeignmemory.h		diff \| blob \| blame \| history
tools/libs/foreignmemory/libxenforeignmemory.map		diff \| blob \| blame \| history
tools/libs/gnttab/gntshr_core.c		diff \| blob \| blame \| history
tools/libs/gnttab/gnttab_core.c		diff \| blob \| blame \| history
tools/libs/gnttab/include/xengnttab.h		diff \| blob \| blame \| history
tools/libs/gnttab/libxengnttab.map		diff \| blob \| blame \| history