Re: XSM dummy policy blocking event channel creation

[Ross Philipson <ross.philipson@citrix.com>]

[-- Attachment #1: Type: text/plain, Size: 3476 bytes --]

On 05/01/2013 04:50 PM, Daniel De Graaf wrote:
> On 05/01/2013 03:40 PM, Ross Philipson wrote:
>> I am working on the next set of V4V patches to post to the list. I
>> have pulled the very latest staging branch of Xen and I quickly ran
>> into a new problem. We are basically trying to create an event channel
>> during the creation of dom0. We have split up the
>> evtchn_alloc_unbound() function into two functions but the basic
>> problem is the same. The call to xsm_evtchn_unbound() is returning
>> -EPERM from the new code in xsm/dummy.h. This patch set added this
>> functionality:
>>
>> http://lists.xen.org/archives/html/xen-devel/2012-11/msg01920.html
>>
>> Specifically we are failing this part of the test return -EPERM:
>>
>> static always_inline int xsm_default_action(
>> xsm_default_t action, struct domain *src, struct domain *target)
>> {
>> ...
>> case XSM_TARGET:
>> if ( src != target && !IS_PRIV_FOR(src, target) )
>> return -EPERM;
>>
>> The src domain is the current->domain which is idle_domain and target
>> is dom0 which is in the process of being created. Neither of them is
>> privileged (dom0 is not set to privileged yet). And I have not gotten
>> past dom0 creation yet so I don't know what will happen when V4V tries
>> to initialize for domU's.
>>
>> I need some advice on how to proceed here. I am not terribly
>> conversant in the working of XSM and do not have a clear idea how to
>> proceed.
>>
>> Thanks,
>> Ross Philipson
>
> The answer for domUs is actually easier: the domain builder (dom0) will
> satisfy IS_PRIV_FOR(dom0, newdomU) and so the creation will be allowed.
> With FLASK, the remote domain will also be considered, so I presume you
> have set something valid there (it needs to have a struct domain* that
> rcu_lock_domain_by_any_id can be used to fetch).
>
> Event channels created by the hypervisor are normally allocated using
> alloc_unbound_xen_event_channel instead of evtchn_alloc_unbound; the
> former will not fail the creation of the event channel if the XSM hook
> denies, but will instead change the remote domain ID to DOMID_INVALID.
> Depending on what you intend the remote domid to be in this newly
> allocated event channel, this may or may not be useful behavior; the
> semantics of alloc_unbound_xen_event_channel are also different, so
> you would need to change your calling code with this in mind.
>
> If you want to use evtchn_alloc_unbound directly, you probably need to
> add logic to omit the XSM check during the creation of dom0 - and this
> likely belongs in the evtchn_alloc_unbound function rather than the
> dummy XSM hook. The XSM changes you referenced don't actually introduce
> this, since before the call to rcu_lock_target_domain_by_id would have
> failed because the idle domain does not satisfy IS_PRIV_FOR on dom0.
>
Thank you for getting back to me so quickly.

Perhaps I should share the new split up evtchn_alloc* functions since 
the way they are done is relevant to your answer. I attached a snippet 
with the split functions. We are directly calling 
evtchn_alloc_unbound_domain() which does not call 
rcu_lock_domain_by_any_id(). So the permissions block is related only to 
the changes in dummy.c I believe.

I am still digging through the history of the posts and responses to see 
how they settled on that configuration of the evtchn_alloc* functions 
but this might explain things for you a bit better (e.g. why it worked 
prior to the dummy.c changes).

Thanks,
Ross



[-- Attachment #2: evtchn_alloc_unbound_split_functions.c --]
[-- Type: text/x-csrc, Size: 1138 bytes --]


static long evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc)
{
    struct domain *d;
    long           rc;

    d = rcu_lock_domain_by_any_id(alloc->dom);
    if ( d == NULL )
        return -ESRCH;

    rc = evtchn_alloc_unbound_domain(d, &alloc->port, alloc->remote_dom);
    if ( rc )
        ERROR_EXIT_DOM((int)rc, d);

 out:
    rcu_unlock_domain(d);

    return rc;
}

int evtchn_alloc_unbound_domain(struct domain *d, evtchn_port_t *port,
                                domid_t remote_domid)
{
    struct evtchn *chn;
    int           rc;
    int           free_port;

    spin_lock(&d->event_lock);

    rc = free_port = get_free_port(d);
    if ( free_port < 0 )
        goto out;

    chn = evtchn_from_port(d, free_port);
    rc = xsm_evtchn_unbound(XSM_TARGET, d, chn, remote_domid);
    if ( rc )
        goto out;

    chn->state = ECS_UNBOUND;
    if ( (chn->u.unbound.remote_domid = remote_domid) == DOMID_SELF )
        chn->u.unbound.remote_domid = current->domain->domain_id;

    *port = free_port;
    /* Everything is fine, returns 0 */
    rc = 0;

 out:
    spin_unlock(&d->event_lock);

    return rc;
}


[-- Attachment #3: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel