diff options
| author | Juergen Gross <jgross@suse.com> | 2025-10-09 16:54:58 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-03-25 11:06:10 +0100 |
| commit | 1879319d790f7d57622cdc22807b60ea78b56b6d (patch) | |
| tree | c4b60d03cb587c035bc8be0940ae32e57311d484 /kernel/locking | |
| parent | 2cf5eff223fc9b720690c16ab763a00788e85c4b (diff) | |
xen/privcmd: restrict usage in unprivileged domU
commit 453b8fb68f3641fea970db88b7d9a153ed2a37e8 upstream.
The Xen privcmd driver allows to issue arbitrary hypercalls from
user space processes. This is normally no problem, as access is
usually limited to root and the hypervisor will deny any hypercalls
affecting other domains.
In case the guest is booted using secure boot, however, the privcmd
driver would be enabling a root user process to modify e.g. kernel
memory contents, thus breaking the secure boot feature.
The only known case where an unprivileged domU is really needing to
use the privcmd driver is the case when it is acting as the device
model for another guest. In this case all hypercalls issued via the
privcmd driver will target that other guest.
Fortunately the privcmd driver can already be locked down to allow
only hypercalls targeting a specific domain, but this mode can be
activated from user land only today.
The target domain can be obtained from Xenstore, so when not running
in dom0 restrict the privcmd driver to that target domain from the
beginning, resolving the potential problem of breaking secure boot.
This is XSA-482
Reported-by: Teddy Astie <teddy.astie@vates.tech>
Fixes: 1c5de1939c20 ("xen: add privcmd driver")
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'kernel/locking')
0 files changed, 0 insertions, 0 deletions