On Thu, Aug 01, 2024 at 01:36:16PM +0200, Jan Beulich wrote:
> On 01.08.2024 13:06, Roger Pau Monné wrote:
> > On Mon, Jul 08, 2024 at 07:41:21PM +0800, Jiqian Chen wrote:
> >> Remaining comment @Daniel P . Smith:
> >> +        ret = -EPERM;
> >> +        if ( !irq_access_permitted(currd, irq) ||
> >> +             xsm_irq_permission(XSM_HOOK, d, irq, access_flag) )
> >> +            goto gsi_permission_out;
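Review bot: at the `xsm_irq_permission(XSM_HOOK, d, irq, access_flag)` call, the XSM hook receives `irq`, and nothing in these lines records that this is a translated value rather than the one the caller supplied. A short comment above the check stating that `irq` is derived from the hypercall argument, so the XSM policy is evaluated against the IRQ, would make the auditing behaviour explicit. The same comment could say why `irq_access_permitted()` is checked against `currd` while the XSM hook is given `d`.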
> >> Is it okay to issue the XSM check using the translated value, 
> >> not the one that was originally passed into the hypercall?
> > 
> > FWIW, I don't see the GSI -> IRQ translation much different from the
> > pIRQ -> IRQ translation done by pirq_access_permitted(), which is also
> > ahead of the xsm check.
> 
> The question (which I raised originally) isn't an ordering one, but an
> auditing one: Is it okay to pass the XSM hook a value that isn't what
> was passed into the hypercall?

But that's also the case with the current XEN_DOMCTL_irq_permission
implementation?  As the hypercall parameter is a pIRQ, and the XSM
check is done against the translated IRQ obtained from the pIRQ
parameter.

Not saying your question is not relevant, but we already have at least
one very similar instance of doing the XSM check against a value
derived from a hypercall parameter.

Thanks, Roger.
