p***@xen.org
2018-11-06 15:55:14 UTC
commit 2c224f4c518113c6f38d583b5b3b1da0fc92d022
Author: George Dunlap <***@citrix.com>
AuthorDate: Tue Nov 6 15:41:22 2018 +0000
Commit: George Dunlap <***@citrix.com>
CommitDate: Tue Nov 6 15:41:22 2018 +0000
SUPPORT.md: Add qemu-depriv section
Signed-off-by: George Dunlap <***@citrix.com>
Acked-by: Ian Jackson <***@eu.citrix.com>
---
Changes since v4:
- Fix some grammar (s/attack/attacking/;)
Changes since v3:
- Moved from the qemu-depriv doc patches.
- Reword to include the possibility of having a non-dom0 "devicemodel"
domain which may want to be protected
- Specify `Linux dom0` as the currently-tech-supported window
CC: Ian Jackson <***@citrix.com>
CC: Wei Liu <***@citrix.com>
CC: Andrew Cooper <***@citrix.com>
CC: Jan Beulich <***@suse.com>
CC: Tim Deegan <***@xen.org>
CC: Konrad Wilk <***@oracle.com>
CC: Stefano Stabellini <***@kernel.org>
CC: Julien Grall <***@arm.com>
CC: Anthony Perard <***@citrix.com>
CC: Ross Lagerwall <***@citrix.com>
---
SUPPORT.md | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/SUPPORT.md b/SUPPORT.md
index b398976f5c..42577d0243 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -526,6 +526,26 @@ Vulnerabilities of a device model stub domain
to a hostile driver domain (either compromised or untrusted)
are excluded from security support.
+### Device Model Deprivileging
+
+ Status, Linux dom0: Tech Preview, with limited support
+
+This means adding extra restrictions to a device model in order to
+prevent a compromised device model from attacking the rest of the
+domain it's running in (normally dom0).
+
+"Tech preview with limited support" means we will not issue XSAs for
+the _additional_ functionality provided by the feature; but we will
+issue XSAs in the event that enabling this feature opens up a security
+hole that would not be present without the feature disabled.
+
+For example, while this is classified as tech preview, a bug in libxl
+which failed to change the user ID of QEMU would not receive an XSA,
+since without this feature the user ID wouldn't be changed. But a
+change which made it possible for a compromised guest to read
+arbitrary files on the host filesystem without compromising QEMU would
+be issued an XSA, since that does weaken security.
+
### KCONFIG Expert
Status: Experimental
--
generated by git-patchbot for /home/xen/git/xen.git#staging
Author: George Dunlap <***@citrix.com>
AuthorDate: Tue Nov 6 15:41:22 2018 +0000
Commit: George Dunlap <***@citrix.com>
CommitDate: Tue Nov 6 15:41:22 2018 +0000
SUPPORT.md: Add qemu-depriv section
Signed-off-by: George Dunlap <***@citrix.com>
Acked-by: Ian Jackson <***@eu.citrix.com>
---
Changes since v4:
- Fix some grammar (s/attack/attacking/;)
Changes since v3:
- Moved from the qemu-depriv doc patches.
- Reword to include the possibility of having a non-dom0 "devicemodel"
domain which may want to be protected
- Specify `Linux dom0` as the currently-tech-supported window
CC: Ian Jackson <***@citrix.com>
CC: Wei Liu <***@citrix.com>
CC: Andrew Cooper <***@citrix.com>
CC: Jan Beulich <***@suse.com>
CC: Tim Deegan <***@xen.org>
CC: Konrad Wilk <***@oracle.com>
CC: Stefano Stabellini <***@kernel.org>
CC: Julien Grall <***@arm.com>
CC: Anthony Perard <***@citrix.com>
CC: Ross Lagerwall <***@citrix.com>
---
SUPPORT.md | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/SUPPORT.md b/SUPPORT.md
index b398976f5c..42577d0243 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -526,6 +526,26 @@ Vulnerabilities of a device model stub domain
to a hostile driver domain (either compromised or untrusted)
are excluded from security support.
+### Device Model Deprivileging
+
+ Status, Linux dom0: Tech Preview, with limited support
+
+This means adding extra restrictions to a device model in order to
+prevent a compromised device model from attacking the rest of the
+domain it's running in (normally dom0).
+
+"Tech preview with limited support" means we will not issue XSAs for
+the _additional_ functionality provided by the feature; but we will
+issue XSAs in the event that enabling this feature opens up a security
+hole that would not be present without the feature disabled.
+
+For example, while this is classified as tech preview, a bug in libxl
+which failed to change the user ID of QEMU would not receive an XSA,
+since without this feature the user ID wouldn't be changed. But a
+change which made it possible for a compromised guest to read
+arbitrary files on the host filesystem without compromising QEMU would
+be issued an XSA, since that does weaken security.
+
### KCONFIG Expert
Status: Experimental
--
generated by git-patchbot for /home/xen/git/xen.git#staging