On 4/30/23 10:46, Juergen Gross wrote:
In case XSM is active, the handling of XEN_SYSCTL_getdomaininfolist can fail if the last domain scanned isn't allowed to be accessed by the calling domain (i.e. xsm_getdomaininfo(XSM_HOOK, d) is failing).Fix that by just ignoring scanned domains where xsm_getdomaininfo() is returning an error, like it is effectively done when such a situation occurs for a domain not being the last one scanned. Fixes: d046f361dc93 ("Xen Security Modules: XSM") Signed-off-by: Juergen Gross <jgr...@suse.com> --- xen/common/sysctl.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/xen/common/sysctl.c b/xen/common/sysctl.c index 02505ab044..0cbfe8bd44 100644 --- a/xen/common/sysctl.c +++ b/xen/common/sysctl.c @@ -89,8 +89,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl) if ( num_domains == op->u.getdomaininfolist.max_domains ) break;- ret = xsm_getdomaininfo(XSM_HOOK, d);- if ( ret ) + if ( xsm_getdomaininfo(XSM_HOOK, d) ) continue;getdomaininfo(d, &info);
This change does not match the commit message. This says it fixes an issue, but unless I am totally missing something, this change is nothing more than formatting that drops the use of an intermediate variable. Please feel free to correct me if I am wrong here, otherwise I believe the commit message should be changed to reflect the code change.
Second, as far as the problem description goes. The *only* time the call to xsm_getdomaininfo() at this location will return anything other than 0, is when FLASK is being used and a domain whose type is not allowed getdomaininfo is making the call. XSM_HOOK signals a no-op check for the default/dummy policy, and the SILO policy does not override the default/dummy policy for this check.
V/r, Daniel P. Smith
