Port-xen archive


Re: [PATCH] xen: add gntdev



On Wed, Dec 05, 2012 at 11:20:06AM +0100, Roger Pau Monné wrote:
> On 05/12/12 11:15, Manuel Bouyer wrote:
> > On Tue, Dec 04, 2012 at 03:07:39PM -0500, Thor Lancelot Simon wrote:
> >> On Tue, Dec 04, 2012 at 04:26:19PM +0100, Roger Pau Monné wrote:
> >>>
> >>> Independently of what we end up doing as default for handling raw file
> >>> disks, could someone review this code?
> >>>
> >>> It's the first time I've done a device, so someone with more experience
> >>> should review it.
> >>
> >> I am not sure I entirely follow what this code's doing, but it seems to
> >> me it may allow arbitrary physical pages to be exposed to userspace
> >> processes in dom0 -- or in a domU, albeit only if dom0 userspace says so.
> >>
> >> Is that a correct understanding of one of its effects?  If so, there's
> >> a problem, since not being able to do precisely that is one important
> >> assumption of the 4.4BSD security model.
> > 
> > If I read it properly, it only allows mapping pages that are part of a
> > grant. You provide the ioctl a grant reference, and this is what
> > the driver uses to find the physical pages. So it should be limited to
> > pages that are referenced by a grant.
> 
> Yes, it should be limited to grant pages, you are not able to map
> arbitrary mfns.

So, can dom0 give away arbitrary physical pages to a domU which can
then hand them back as a "grant", or is there other protection
against that?  That was my concern.  I'm sorry I don't understand
some of the fundamental terminology very well.

-- 
 Thor Lancelot Simon    tls%panix.com@localhost

        It's very complicated.  It's very cumbersome.  There's a
        lot of numbers involved with it.

