On 01.08.2024 14:41, Roger Pau Monné wrote:
> On Thu, Aug 01, 2024 at 01:36:16PM +0200, Jan Beulich wrote:
>> On 01.08.2024 13:06, Roger Pau Monné wrote:
>>> On Mon, Jul 08, 2024 at 07:41:21PM +0800, Jiqian Chen wrote:
>>>> Remaining comment @Daniel P . Smith:
>>>> + ret = -EPERM;
>>>> + if ( !irq_access_permitted(currd, irq) ||
>>>> + xsm_irq_permission(XSM_HOOK, d, irq, access_flag) )
>>>> + goto gsi_permission_out;
>>>> Is it okay to issue the XSM check using the translated value,
>>>> not the one that was originally passed into the hypercall?
>>>
>>> FWIW, I don't see the GSI -> IRQ translation much different from the
>>> pIRQ -> IRQ translation done by pirq_access_permitted(), which is also
>>> ahead of the xsm check.
>>
>> The question (which I raised originally) isn't an ordering one, but an
>> auditing one: Is it okay to pass the XSM hook a value that isn't what
>> was passed into the hypercall?
>
> But that's also the case with the current XEN_DOMCTL_irq_permission
> implementation? As the hypercall parameter is a pIRQ, and the XSM
> check is done against the translated IRQ obtained from the pIRQ
> parameter.

In a way you're right, but in a way there's also a meaningful difference: There we translate between internal numbering spaces. Here we first translate a quantity in a numbering space superimposed onto us to an internal representation. Flask, otoh, in such a situation may prefer to see the external representation of the resource.

Jan
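
Review bot: the `xsm_irq_permission(XSM_HOOK, d, irq, access_flag)` call in the condition of the quoted hunk is handed the translated `irq`, so whatever the XSM module matches on or records is the internal IRQ rather than the GSI the caller supplied, and nothing in the hunk says this is intended. A comment directly above the check stating which numbering space the hook sees would settle it for later readers. Separately, the hook's return value is folded into the preset `ret = -EPERM`, so a distinct error code from the XSM module cannot reach the caller; if that is deliberate, the same comment is the place to say so.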