From: Keir Fraser <keir.xen@gmail.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>, xen-devel@lists.xen.org
Subject: Re: [PATCH 12/18] xsm: Add missing domctl and mem_sharing hooks
Date: Mon, 06 Aug 2012 19:53:49 +0100 [thread overview]
Message-ID: <CC45D14D.3A904%keir.xen@gmail.com> (raw)
In-Reply-To: <1344263550-3941-13-git-send-email-dgdegra@tycho.nsa.gov>
When someone wants to add a new domctl/sysctl, how many places will they
have to add things to ensure that xsm dtrt for a basic setup, allowing only
dom0 access to the new op? How big is the risk that we end up with new ops
that have no access control?
On 06/08/2012 15:32, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:
> This patch adds new XSM hooks to cover the 12 domctls that were not
> previously covered by an XSM hook, and splits up the mem_sharing and
> mem_event XSM hooks to better cover what the code is doing.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ---
> tools/flask/policy/policy/flask/access_vectors | 5 +
> tools/flask/policy/policy/modules/xen/xen.if | 2 +
> xen/arch/x86/domctl.c | 125
> +++++++++++++++----------
> xen/arch/x86/mm/mem_event.c | 45 ++++-----
> xen/arch/x86/mm/mem_sharing.c | 23 ++++-
> xen/include/asm-x86/mem_event.h | 1 -
> xen/include/xsm/dummy.h | 65 ++++++++++++-
> xen/include/xsm/xsm.h | 62 +++++++++++-
> xen/xsm/dummy.c | 11 ++-
> xen/xsm/flask/hooks.c | 62 +++++++++++-
> xen/xsm/flask/include/av_perm_to_string.h | 5 +
> xen/xsm/flask/include/av_permissions.h | 5 +
> 12 files changed, 318 insertions(+), 93 deletions(-)
>
> diff --git a/tools/flask/policy/policy/flask/access_vectors
> b/tools/flask/policy/policy/flask/access_vectors
> index 11d02da..28b8ada 100644
> --- a/tools/flask/policy/policy/flask/access_vectors
> +++ b/tools/flask/policy/policy/flask/access_vectors
> @@ -80,6 +80,9 @@ class domain2
> relabelself
> make_priv_for
> set_as_target
> + set_cpuid
> + gettsc
> + settsc
> }
>
> class hvm
> @@ -97,6 +100,8 @@ class hvm
> hvmctl
> mem_event
> mem_sharing
> + share_mem
> + audit_p2m
> }
>
> class event
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if
> b/tools/flask/policy/policy/modules/xen/xen.if
> index 4de99c8..f9bd757 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -29,6 +29,7 @@ define(`create_domain_common', `
> getdomaininfo hypercall setvcpucontext setextvcpucontext
> scheduler getvcpuinfo getvcpuextstate getaddrsize
> getvcpuaffinity setvcpuaffinity };
> + allow $1 $2:domain2 { set_cpuid settsc };
> allow $1 $2:security check_context;
> allow $1 $2:shadow enable;
> allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
> @@ -67,6 +68,7 @@ define(`migrate_domain_out', `
> allow $1 $2:hvm { gethvmc getparam irqlevel };
> allow $1 $2:mmu { stat pageinfo map_read };
> allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext
> getvcpuextstate pause destroy };
> + allow $1 $2:domain2 gettsc;
> ')
>
>
> ##############################################################################
> ##
> diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
> index bcb5b2d..95f34d2 100644
> --- a/xen/arch/x86/domctl.c
> +++ b/xen/arch/x86/domctl.c
> @@ -54,26 +54,6 @@ long arch_do_domctl(
>
> switch ( domctl->cmd )
> {
> - /* TODO: the following do not have XSM hooks yet */
> - case XEN_DOMCTL_set_cpuid:
> - case XEN_DOMCTL_suppress_spurious_page_faults:
> - case XEN_DOMCTL_debug_op:
> - case XEN_DOMCTL_gettscinfo:
> - case XEN_DOMCTL_settscinfo:
> - case XEN_DOMCTL_audit_p2m:
> - case XEN_DOMCTL_gdbsx_guestmemio:
> - case XEN_DOMCTL_gdbsx_pausevcpu:
> - case XEN_DOMCTL_gdbsx_unpausevcpu:
> - case XEN_DOMCTL_gdbsx_domstatus:
> - /* getpageframeinfo[23] will leak XEN_DOMCTL_PFINFO_XTAB on target GFNs
> */
> - case XEN_DOMCTL_getpageframeinfo2:
> - case XEN_DOMCTL_getpageframeinfo3:
> - if ( !IS_PRIV(current->domain) )
> - return -EPERM;
> - }
> -
> - switch ( domctl->cmd )
> - {
>
> case XEN_DOMCTL_shadow_op:
> {
> @@ -190,6 +170,13 @@ long arch_do_domctl(
> if ( unlikely((d = rcu_lock_domain_by_id(dom)) == NULL) )
> break;
>
> + ret = xsm_getpageframeinfo_domain(d);
> + if ( ret )
> + {
> + rcu_unlock_domain(d);
> + break;
> + }
> +
> if ( unlikely(num > 1024) ||
> unlikely(num != domctl->u.getpageframeinfo3.num) )
> {
> @@ -287,6 +274,13 @@ long arch_do_domctl(
> if ( unlikely((d = rcu_lock_domain_by_id(dom)) == NULL) )
> break;
>
> + ret = xsm_getpageframeinfo_domain(d);
> + if ( ret )
> + {
> + rcu_unlock_domain(d);
> + break;
> + }
> +
> if ( unlikely(num > 1024) )
> {
> ret = -E2BIG;
> @@ -1106,6 +1100,10 @@ long arch_do_domctl(
> if ( d == NULL )
> break;
>
> + ret = xsm_set_cpuid(d);
> + if ( ret )
> + goto set_cpuid_out;
> +
> for ( i = 0; i < MAX_CPUID_INPUT; i++ )
> {
> cpuid = &d->arch.cpuids[i];
> @@ -1129,6 +1127,7 @@ long arch_do_domctl(
> ret = 0;
> }
>
> + set_cpuid_out:
> rcu_unlock_domain(d);
> }
> break;
> @@ -1143,6 +1142,10 @@ long arch_do_domctl(
> if ( d == NULL )
> break;
>
> + ret = xsm_gettscinfo(d);
> + if ( ret )
> + goto gettscinfo_out;
> +
> domain_pause(d);
> tsc_get_info(d, &info.tsc_mode,
> &info.elapsed_nsec,
> @@ -1154,6 +1157,7 @@ long arch_do_domctl(
> ret = 0;
> domain_unpause(d);
>
> + gettscinfo_out:
> rcu_unlock_domain(d);
> }
> break;
> @@ -1167,15 +1171,20 @@ long arch_do_domctl(
> if ( d == NULL )
> break;
>
> + ret = xsm_settscinfo(d);
> + if ( ret )
> + goto settscinfo_out;
> +
> domain_pause(d);
> tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode,
> domctl->u.tsc_info.info.elapsed_nsec,
> domctl->u.tsc_info.info.gtsc_khz,
> domctl->u.tsc_info.info.incarnation);
> domain_unpause(d);
> + ret = 0;
>
> + settscinfo_out:
> rcu_unlock_domain(d);
> - ret = 0;
> }
> break;
>
> @@ -1187,9 +1196,10 @@ long arch_do_domctl(
> d = rcu_lock_domain_by_id(domctl->domain);
> if ( d != NULL )
> {
> - d->arch.suppress_spurious_page_faults = 1;
> + ret = xsm_domctl(d, domctl->cmd);
> + if ( !ret )
> + d->arch.suppress_spurious_page_faults = 1;
> rcu_unlock_domain(d);
> - ret = 0;
> }
> }
> break;
> @@ -1204,6 +1214,10 @@ long arch_do_domctl(
> if ( d == NULL )
> break;
>
> + ret = xsm_debug_op(d);
> + if ( ret )
> + goto debug_op_out;
> +
> ret = -EINVAL;
> if ( (domctl->u.debug_op.vcpu >= d->max_vcpus) ||
> ((v = d->vcpu[domctl->u.debug_op.vcpu]) == NULL) )
> @@ -1228,6 +1242,10 @@ long arch_do_domctl(
> if ( (d = rcu_lock_domain_by_id(domctl->domain)) == NULL )
> break;
>
> + ret = xsm_debug_op(d);
> + if ( ret )
> + goto gdbsx_guestmemio_out;
> +
> domctl->u.gdbsx_guest_memio.remain =
> domctl->u.gdbsx_guest_memio.len;
>
> @@ -1235,6 +1253,7 @@ long arch_do_domctl(
> if ( !ret && copy_to_guest(u_domctl, domctl, 1) )
> ret = -EFAULT;
>
> + gdbsx_guestmemio_out:
> rcu_unlock_domain(d);
> }
> break;
> @@ -1248,21 +1267,20 @@ long arch_do_domctl(
> if ( (d = rcu_lock_domain_by_id(domctl->domain)) == NULL )
> break;
>
> + ret = xsm_debug_op(d);
> + if ( ret )
> + goto gdbsx_pausevcpu_out;
> +
> ret = -EBUSY;
> if ( !d->is_paused_by_controller )
> - {
> - rcu_unlock_domain(d);
> - break;
> - }
> + goto gdbsx_pausevcpu_out;
> ret = -EINVAL;
> if ( domctl->u.gdbsx_pauseunp_vcpu.vcpu >= MAX_VIRT_CPUS ||
> (v = d->vcpu[domctl->u.gdbsx_pauseunp_vcpu.vcpu]) == NULL )
> - {
> - rcu_unlock_domain(d);
> - break;
> - }
> + goto gdbsx_pausevcpu_out;
> vcpu_pause(v);
> ret = 0;
> + gdbsx_pausevcpu_out:
> rcu_unlock_domain(d);
> }
> break;
> @@ -1276,23 +1294,22 @@ long arch_do_domctl(
> if ( (d = rcu_lock_domain_by_id(domctl->domain)) == NULL )
> break;
>
> + ret = xsm_debug_op(d);
> + if ( ret )
> + goto gdbsx_unpausevcpu_out;
> +
> ret = -EBUSY;
> if ( !d->is_paused_by_controller )
> - {
> - rcu_unlock_domain(d);
> - break;
> - }
> + goto gdbsx_unpausevcpu_out;
> ret = -EINVAL;
> if ( domctl->u.gdbsx_pauseunp_vcpu.vcpu >= MAX_VIRT_CPUS ||
> (v = d->vcpu[domctl->u.gdbsx_pauseunp_vcpu.vcpu]) == NULL )
> - {
> - rcu_unlock_domain(d);
> - break;
> - }
> + goto gdbsx_unpausevcpu_out;
> if ( !atomic_read(&v->pause_count) )
> printk("WARN: Unpausing vcpu:%d which is not paused\n",
> v->vcpu_id);
> vcpu_unpause(v);
> ret = 0;
> + gdbsx_unpausevcpu_out:
> rcu_unlock_domain(d);
> }
> break;
> @@ -1306,6 +1323,10 @@ long arch_do_domctl(
> if ( (d = rcu_lock_domain_by_id(domctl->domain)) == NULL )
> break;
>
> + ret = xsm_debug_op(d);
> + if ( ret )
> + goto gdbsx_domstatus_out;
> +
> domctl->u.gdbsx_domstatus.vcpu_id = -1;
> domctl->u.gdbsx_domstatus.paused = d->is_paused_by_controller;
> if ( domctl->u.gdbsx_domstatus.paused )
> @@ -1325,6 +1346,7 @@ long arch_do_domctl(
> ret = 0;
> if ( copy_to_guest(u_domctl, domctl, 1) )
> ret = -EFAULT;
> + gdbsx_domstatus_out:
> rcu_unlock_domain(d);
> }
> break;
> @@ -1464,10 +1486,8 @@ long arch_do_domctl(
> d = rcu_lock_domain_by_id(domctl->domain);
> if ( d != NULL )
> {
> - ret = xsm_mem_event(d);
> - if ( !ret )
> - ret = mem_event_domctl(d, &domctl->u.mem_event_op,
> - guest_handle_cast(u_domctl, void));
> + ret = mem_event_domctl(d, &domctl->u.mem_event_op,
> + guest_handle_cast(u_domctl, void));
> rcu_unlock_domain(d);
> copy_to_guest(u_domctl, domctl, 1);
> }
> @@ -1496,16 +1516,19 @@ long arch_do_domctl(
> {
> struct domain *d;
>
> - ret = rcu_lock_remote_target_domain_by_id(domctl->domain, &d);
> - if ( ret != 0 )
> + d = rcu_lock_domain_by_id(domctl->domain);
> + if ( d == NULL )
> break;
>
> - audit_p2m(d,
> - &domctl->u.audit_p2m.orphans,
> - &domctl->u.audit_p2m.m2p_bad,
> - &domctl->u.audit_p2m.p2m_bad);
> + ret = xsm_audit_p2m(d);
> + if ( !ret )
> + audit_p2m(d,
> + &domctl->u.audit_p2m.orphans,
> + &domctl->u.audit_p2m.m2p_bad,
> + &domctl->u.audit_p2m.p2m_bad);
> +
> rcu_unlock_domain(d);
> - if ( copy_to_guest(u_domctl, domctl, 1) )
> + if ( !ret && copy_to_guest(u_domctl, domctl, 1) )
> ret = -EFAULT;
> }
> break;
> @@ -1524,7 +1547,7 @@ long arch_do_domctl(
> d = rcu_lock_domain_by_id(domctl->domain);
> if ( d != NULL )
> {
> - ret = xsm_mem_event(d);
> + ret = xsm_mem_event_setup(d);
> if ( !ret ) {
> p2m = p2m_get_hostp2m(d);
> p2m->access_required =
> domctl->u.access_required.access_required;
> diff --git a/xen/arch/x86/mm/mem_event.c b/xen/arch/x86/mm/mem_event.c
> index d728889..a5b02d9 100644
> --- a/xen/arch/x86/mm/mem_event.c
> +++ b/xen/arch/x86/mm/mem_event.c
> @@ -29,6 +29,7 @@
> #include <asm/mem_paging.h>
> #include <asm/mem_access.h>
> #include <asm/mem_sharing.h>
> +#include <xsm/xsm.h>
>
> /* for public/io/ring.h macros */
> #define xen_mb() mb()
> @@ -439,34 +440,22 @@ static void mem_sharing_notification(struct vcpu *v,
> unsigned int port)
> mem_sharing_sharing_resume(v->domain);
> }
>
> -struct domain *get_mem_event_op_target(uint32_t domain, int *rc)
> -{
> - struct domain *d;
> -
> - /* Get the target domain */
> - *rc = rcu_lock_remote_target_domain_by_id(domain, &d);
> - if ( *rc != 0 )
> - return NULL;
> -
> - /* Not dying? */
> - if ( d->is_dying )
> - {
> - rcu_unlock_domain(d);
> - *rc = -EINVAL;
> - return NULL;
> - }
> -
> - return d;
> -}
> -
> int do_mem_event_op(int op, uint32_t domain, void *arg)
> {
> int ret;
> struct domain *d;
>
> - d = get_mem_event_op_target(domain, &ret);
> + d = rcu_lock_domain_by_id(domain);
> if ( !d )
> - return ret;
> + return -ESRCH;
> +
> + ret = -EINVAL;
> + if ( d->is_dying || d == current->domain )
> + goto out;
> +
> + ret = xsm_mem_event_op(d, op);
> + if ( ret )
> + goto out;
>
> switch (op)
> {
> @@ -483,6 +472,7 @@ int do_mem_event_op(int op, uint32_t domain, void *arg)
> ret = -ENOSYS;
> }
>
> + out:
> rcu_unlock_domain(d);
> return ret;
> }
> @@ -516,6 +506,10 @@ int mem_event_domctl(struct domain *d,
> xen_domctl_mem_event_op_t *mec,
> {
> int rc;
>
> + rc = xsm_mem_event_control(d, mec->mode, mec->op);
> + if ( rc )
> + return rc;
> +
> if ( unlikely(d == current->domain) )
> {
> gdprintk(XENLOG_INFO, "Tried to do a memory event op on itself.\n");
> @@ -537,13 +531,6 @@ int mem_event_domctl(struct domain *d,
> xen_domctl_mem_event_op_t *mec,
> return -EINVAL;
> }
>
> - /* TODO: XSM hook */
> -#if 0
> - rc = xsm_mem_event_control(d, mec->op);
> - if ( rc )
> - return rc;
> -#endif
> -
> rc = -ENOSYS;
>
> switch ( mec->mode )
> diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
> index 5103285..a7e6c5c 100644
> --- a/xen/arch/x86/mm/mem_sharing.c
> +++ b/xen/arch/x86/mm/mem_sharing.c
> @@ -34,6 +34,7 @@
> #include <asm/atomic.h>
> #include <xen/rcupdate.h>
> #include <asm/event.h>
> +#include <xsm/xsm.h>
>
> #include "mm-locks.h"
>
> @@ -1345,11 +1346,18 @@ int mem_sharing_memop(struct domain *d,
> xen_mem_sharing_op_t *mec)
> if ( !mem_sharing_enabled(d) )
> return -EINVAL;
>
> - cd = get_mem_event_op_target(mec->u.share.client_domain, &rc);
> + cd = rcu_lock_domain_by_id(mec->u.share.client_domain);
> if ( !cd )
> + return -ESRCH;
> +
> + rc = xsm_mem_sharing_op(d, cd, mec->op);
> + if ( rc )
> + {
> + rcu_unlock_domain(cd);
> return rc;
> + }
>
> - if ( !mem_sharing_enabled(cd) )
> + if ( cd == current->domain || !mem_sharing_enabled(cd) )
> {
> rcu_unlock_domain(cd);
> return -EINVAL;
> @@ -1401,11 +1409,18 @@ int mem_sharing_memop(struct domain *d,
> xen_mem_sharing_op_t *mec)
> if ( !mem_sharing_enabled(d) )
> return -EINVAL;
>
> - cd = get_mem_event_op_target(mec->u.share.client_domain, &rc);
> + cd = rcu_lock_domain_by_id(mec->u.share.client_domain);
> if ( !cd )
> + return -ESRCH;
> +
> + rc = xsm_mem_sharing_op(d, cd, mec->op);
> + if ( rc )
> + {
> + rcu_unlock_domain(cd);
> return rc;
> + }
>
> - if ( !mem_sharing_enabled(cd) )
> + if ( cd == current->domain || !mem_sharing_enabled(cd) )
> {
> rcu_unlock_domain(cd);
> return -EINVAL;
> diff --git a/xen/include/asm-x86/mem_event.h b/xen/include/asm-x86/mem_event.h
> index 23d71c1..448be4f 100644
> --- a/xen/include/asm-x86/mem_event.h
> +++ b/xen/include/asm-x86/mem_event.h
> @@ -62,7 +62,6 @@ void mem_event_put_request(struct domain *d, struct
> mem_event_domain *med,
> int mem_event_get_response(struct domain *d, struct mem_event_domain *med,
> mem_event_response_t *rsp);
>
> -struct domain *get_mem_event_op_target(uint32_t domain, int *rc);
> int do_mem_event_op(int op, uint32_t domain, void *arg);
> int mem_event_domctl(struct domain *d, xen_domctl_mem_event_op_t *mec,
> XEN_GUEST_HANDLE(void) u_domctl);
> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> index 0d849cc..c71c08b 100644
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -171,6 +171,13 @@ static XSM_DEFAULT(int, setdebugging) (struct domain *d)
> return 0;
> }
>
> +static XSM_DEFAULT(int, debug_op) (struct domain *d)
> +{
> + if ( !IS_PRIV(current->domain) )
> + return -EPERM;
> + return 0;
> +}
> +
> static XSM_DEFAULT(int, perfcontrol) (void)
> {
> if ( !IS_PRIV(current->domain) )
> @@ -557,6 +564,34 @@ static XSM_DEFAULT(int, getpageframeinfo) (struct
> page_info *page)
> return 0;
> }
>
> +static XSM_DEFAULT(int, getpageframeinfo_domain) (struct domain *d)
> +{
> + if ( !IS_PRIV(current->domain) )
> + return -EPERM;
> + return 0;
> +}
> +
> +static XSM_DEFAULT(int, set_cpuid) (struct domain *d)
> +{
> + if ( !IS_PRIV(current->domain) )
> + return -EPERM;
> + return 0;
> +}
> +
> +static XSM_DEFAULT(int, gettscinfo) (struct domain *d)
> +{
> + if ( !IS_PRIV(current->domain) )
> + return -EPERM;
> + return 0;
> +}
> +
> +static XSM_DEFAULT(int, settscinfo) (struct domain *d)
> +{
> + if ( !IS_PRIV(current->domain) )
> + return -EPERM;
> + return 0;
> +}
> +
> static XSM_DEFAULT(int, getmemlist) (struct domain *d)
> {
> if ( !IS_PRIV(current->domain) )
> @@ -627,13 +662,27 @@ static XSM_DEFAULT(int, hvm_inject_msi) (struct domain
> *d)
> return 0;
> }
>
> -static XSM_DEFAULT(int, mem_event) (struct domain *d)
> +static XSM_DEFAULT(int, mem_event_setup) (struct domain *d)
> {
> if ( !IS_PRIV(current->domain) )
> return -EPERM;
> return 0;
> }
>
> +static XSM_DEFAULT(int, mem_event_control) (struct domain *d, int mode, int
> op)
> +{
> + if ( !IS_PRIV(current->domain) )
> + return -EPERM;
> + return 0;
> +}
> +
> +static XSM_DEFAULT(int, mem_event_op) (struct domain *d, int op)
> +{
> + if ( !IS_PRIV_FOR(current->domain, d) )
> + return -EPERM;
> + return 0;
> +}
> +
> static XSM_DEFAULT(int, mem_sharing) (struct domain *d)
> {
> if ( !IS_PRIV(current->domain) )
> @@ -641,6 +690,20 @@ static XSM_DEFAULT(int, mem_sharing) (struct domain *d)
> return 0;
> }
>
> +static XSM_DEFAULT(int, mem_sharing_op) (struct domain *d, struct domain *cd,
> int op)
> +{
> + if ( !IS_PRIV_FOR(current->domain, cd) )
> + return -EPERM;
> + return 0;
> +}
> +
> +static XSM_DEFAULT(int, audit_p2m) (struct domain *d)
> +{
> + if ( !IS_PRIV(current->domain) )
> + return -EPERM;
> + return 0;
> +}
> +
> static XSM_DEFAULT(int, apic) (struct domain *d, int cmd)
> {
> if ( !IS_PRIV(current->domain) )
> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
> index 1a9f35b..b473b54 100644
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -67,6 +67,7 @@ struct xsm_operations {
> int (*setdomainmaxmem) (struct domain *d);
> int (*setdomainhandle) (struct domain *d);
> int (*setdebugging) (struct domain *d);
> + int (*debug_op) (struct domain *d);
> int (*perfcontrol) (void);
> int (*debug_keys) (void);
> int (*getcpuinfo) (void);
> @@ -142,6 +143,10 @@ struct xsm_operations {
> #ifdef CONFIG_X86
> int (*shadow_control) (struct domain *d, uint32_t op);
> int (*getpageframeinfo) (struct page_info *page);
> + int (*getpageframeinfo_domain) (struct domain *d);
> + int (*set_cpuid) (struct domain *d);
> + int (*gettscinfo) (struct domain *d);
> + int (*settscinfo) (struct domain *d);
> int (*getmemlist) (struct domain *d);
> int (*hypercall_init) (struct domain *d);
> int (*hvmcontext) (struct domain *d, uint32_t op);
> @@ -152,8 +157,12 @@ struct xsm_operations {
> int (*hvm_set_isa_irq_level) (struct domain *d);
> int (*hvm_set_pci_link_route) (struct domain *d);
> int (*hvm_inject_msi) (struct domain *d);
> - int (*mem_event) (struct domain *d);
> + int (*mem_event_setup) (struct domain *d);
> + int (*mem_event_control) (struct domain *d, int mode, int op);
> + int (*mem_event_op) (struct domain *d, int op);
> int (*mem_sharing) (struct domain *d);
> + int (*mem_sharing_op) (struct domain *d, struct domain *cd, int op);
> + int (*audit_p2m) (struct domain *d);
> int (*apic) (struct domain *d, int cmd);
> int (*xen_settime) (void);
> int (*memtype) (uint32_t access);
> @@ -302,6 +311,11 @@ static inline int xsm_setdebugging (struct domain *d)
> return xsm_call(setdebugging(d));
> }
>
> +static inline int xsm_debug_op (struct domain *d)
> +{
> + return xsm_call(debug_op(d));
> +}
> +
> static inline int xsm_perfcontrol (void)
> {
> return xsm_call(perfcontrol());
> @@ -329,7 +343,7 @@ static inline int xsm_get_pmstat(void)
>
> static inline int xsm_setpminfo(void)
> {
> - return xsm_call(setpminfo());
> + return xsm_call(setpminfo());
> }
>
> static inline int xsm_pm_op(void)
> @@ -608,6 +622,26 @@ static inline int xsm_getpageframeinfo (struct page_info
> *page)
> return xsm_call(getpageframeinfo(page));
> }
>
> +static inline int xsm_getpageframeinfo_domain (struct domain *d)
> +{
> + return xsm_call(getpageframeinfo_domain(d));
> +}
> +
> +static inline int xsm_set_cpuid (struct domain *d)
> +{
> + return xsm_call(set_cpuid(d));
> +}
> +
> +static inline int xsm_gettscinfo (struct domain *d)
> +{
> + return xsm_call(gettscinfo(d));
> +}
> +
> +static inline int xsm_settscinfo (struct domain *d)
> +{
> + return xsm_call(settscinfo(d));
> +}
> +
> static inline int xsm_getmemlist (struct domain *d)
> {
> return xsm_call(getmemlist(d));
> @@ -658,9 +692,19 @@ static inline int xsm_hvm_inject_msi (struct domain *d)
> return xsm_call(hvm_inject_msi(d));
> }
>
> -static inline int xsm_mem_event (struct domain *d)
> +static inline int xsm_mem_event_setup (struct domain *d)
> +{
> + return xsm_call(mem_event_setup(d));
> +}
> +
> +static inline int xsm_mem_event_control (struct domain *d, int mode, int op)
> +{
> + return xsm_call(mem_event_control(d, mode, op));
> +}
> +
> +static inline int xsm_mem_event_op (struct domain *d, int op)
> {
> - return xsm_call(mem_event(d));
> + return xsm_call(mem_event_op(d, op));
> }
>
> static inline int xsm_mem_sharing (struct domain *d)
> @@ -668,6 +712,16 @@ static inline int xsm_mem_sharing (struct domain *d)
> return xsm_call(mem_sharing(d));
> }
>
> +static inline int xsm_mem_sharing_op (struct domain *d, struct domain *cd,
> int op)
> +{
> + return xsm_call(mem_sharing_op(d, cd, op));
> +}
> +
> +static inline int xsm_audit_p2m (struct domain *d)
> +{
> + return xsm_call(audit_p2m(d));
> +}
> +
> static inline int xsm_apic (struct domain *d, int cmd)
> {
> return xsm_call(apic(d, cmd));
> diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
> index af532b8..09935d8 100644
> --- a/xen/xsm/dummy.c
> +++ b/xen/xsm/dummy.c
> @@ -51,6 +51,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
> set_to_dummy_if_null(ops, setdomainmaxmem);
> set_to_dummy_if_null(ops, setdomainhandle);
> set_to_dummy_if_null(ops, setdebugging);
> + set_to_dummy_if_null(ops, debug_op);
> set_to_dummy_if_null(ops, perfcontrol);
> set_to_dummy_if_null(ops, debug_keys);
> set_to_dummy_if_null(ops, getcpuinfo);
> @@ -124,6 +125,10 @@ void xsm_fixup_ops (struct xsm_operations *ops)
> #ifdef CONFIG_X86
> set_to_dummy_if_null(ops, shadow_control);
> set_to_dummy_if_null(ops, getpageframeinfo);
> + set_to_dummy_if_null(ops, getpageframeinfo_domain);
> + set_to_dummy_if_null(ops, set_cpuid);
> + set_to_dummy_if_null(ops, gettscinfo);
> + set_to_dummy_if_null(ops, settscinfo);
> set_to_dummy_if_null(ops, getmemlist);
> set_to_dummy_if_null(ops, hypercall_init);
> set_to_dummy_if_null(ops, hvmcontext);
> @@ -134,8 +139,12 @@ void xsm_fixup_ops (struct xsm_operations *ops)
> set_to_dummy_if_null(ops, hvm_set_isa_irq_level);
> set_to_dummy_if_null(ops, hvm_set_pci_link_route);
> set_to_dummy_if_null(ops, hvm_inject_msi);
> - set_to_dummy_if_null(ops, mem_event);
> + set_to_dummy_if_null(ops, mem_event_setup);
> + set_to_dummy_if_null(ops, mem_event_control);
> + set_to_dummy_if_null(ops, mem_event_op);
> set_to_dummy_if_null(ops, mem_sharing);
> + set_to_dummy_if_null(ops, mem_sharing_op);
> + set_to_dummy_if_null(ops, audit_p2m);
> set_to_dummy_if_null(ops, apic);
> set_to_dummy_if_null(ops, xen_settime);
> set_to_dummy_if_null(ops, memtype);
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index f8aff14..4f71604 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -695,6 +695,12 @@ static int flask_setdebugging(struct domain *d)
> DOMAIN__SETDEBUGGING);
> }
>
> +static int flask_debug_op(struct domain *d)
> +{
> + return domain_has_perm(current->domain, d, SECCLASS_DOMAIN,
> + DOMAIN__SETDEBUGGING);
> +}
> +
> static int flask_debug_keys(void)
> {
> return domain_has_xen(current->domain, XEN__DEBUG);
> @@ -1111,6 +1117,26 @@ static int flask_getpageframeinfo(struct page_info
> *page)
> return avc_has_perm(dsec->sid, tsid, SECCLASS_MMU, MMU__PAGEINFO, NULL);
> }
>
> +static int flask_getpageframeinfo_domain(struct domain *d)
> +{
> + return domain_has_perm(current->domain, d, SECCLASS_MMU, MMU__PAGEINFO);
> +}
> +
> +static int flask_set_cpuid(struct domain *d)
> +{
> + return domain_has_perm(current->domain, d, SECCLASS_DOMAIN2,
> DOMAIN2__SET_CPUID);
> +}
> +
> +static int flask_gettscinfo(struct domain *d)
> +{
> + return domain_has_perm(current->domain, d, SECCLASS_DOMAIN2,
> DOMAIN2__GETTSC);
> +}
> +
> +static int flask_settscinfo(struct domain *d)
> +{
> + return domain_has_perm(current->domain, d, SECCLASS_DOMAIN2,
> DOMAIN2__SETTSC);
> +}
> +
> static int flask_getmemlist(struct domain *d)
> {
> return domain_has_perm(current->domain, d, SECCLASS_MMU, MMU__PAGELIST);
> @@ -1201,7 +1227,17 @@ static int flask_hvm_set_pci_link_route(struct domain
> *d)
> return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__PCIROUTE);
> }
>
> -static int flask_mem_event(struct domain *d)
> +static int flask_mem_event_setup(struct domain *d)
> +{
> + return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__MEM_EVENT);
> +}
> +
> +static int flask_mem_event_control(struct domain *d, int mode, int op)
> +{
> + return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__MEM_EVENT);
> +}
> +
> +static int flask_mem_event_op(struct domain *d, int op)
> {
> return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__MEM_EVENT);
> }
> @@ -1211,6 +1247,19 @@ static int flask_mem_sharing(struct domain *d)
> return domain_has_perm(current->domain, d, SECCLASS_HVM,
> HVM__MEM_SHARING);
> }
>
> +static int flask_mem_sharing_op(struct domain *d, struct domain *cd, int op)
> +{
> + int rc = domain_has_perm(current->domain, cd, SECCLASS_HVM,
> HVM__MEM_SHARING);
> + if ( rc )
> + return rc;
> + return domain_has_perm(d, cd, SECCLASS_HVM, HVM__SHARE_MEM);
> +}
> +
> +static int flask_audit_p2m(struct domain *d)
> +{
> + return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__AUDIT_P2M);
> +}
> +
> static int flask_apic(struct domain *d, int cmd)
> {
> u32 perm;
> @@ -1586,6 +1635,7 @@ static struct xsm_operations flask_ops = {
> .setdomainmaxmem = flask_setdomainmaxmem,
> .setdomainhandle = flask_setdomainhandle,
> .setdebugging = flask_setdebugging,
> + .debug_op = flask_debug_op,
> .perfcontrol = flask_perfcontrol,
> .debug_keys = flask_debug_keys,
> .getcpuinfo = flask_getcpuinfo,
> @@ -1654,6 +1704,10 @@ static struct xsm_operations flask_ops = {
> #ifdef CONFIG_X86
> .shadow_control = flask_shadow_control,
> .getpageframeinfo = flask_getpageframeinfo,
> + .getpageframeinfo_domain = flask_getpageframeinfo_domain,
> + .set_cpuid = flask_set_cpuid,
> + .gettscinfo = flask_gettscinfo,
> + .settscinfo = flask_settscinfo,
> .getmemlist = flask_getmemlist,
> .hypercall_init = flask_hypercall_init,
> .hvmcontext = flask_hvmcontext,
> @@ -1662,8 +1716,12 @@ static struct xsm_operations flask_ops = {
> .hvm_set_pci_intx_level = flask_hvm_set_pci_intx_level,
> .hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level,
> .hvm_set_pci_link_route = flask_hvm_set_pci_link_route,
> - .mem_event = flask_mem_event,
> + .mem_event_setup = flask_mem_event_setup,
> + .mem_event_control = flask_mem_event_control,
> + .mem_event_op = flask_mem_event_op,
> .mem_sharing = flask_mem_sharing,
> + .mem_sharing_op = flask_mem_sharing_op,
> + .audit_p2m = flask_audit_p2m,
> .apic = flask_apic,
> .xen_settime = flask_xen_settime,
> .memtype = flask_memtype,
> diff --git a/xen/xsm/flask/include/av_perm_to_string.h
> b/xen/xsm/flask/include/av_perm_to_string.h
> index 10f8e80..997f098 100644
> --- a/xen/xsm/flask/include/av_perm_to_string.h
> +++ b/xen/xsm/flask/include/av_perm_to_string.h
> @@ -66,6 +66,9 @@
> S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself")
> S_(SECCLASS_DOMAIN2, DOMAIN2__MAKE_PRIV_FOR, "make_priv_for")
> S_(SECCLASS_DOMAIN2, DOMAIN2__SET_AS_TARGET, "set_as_target")
> + S_(SECCLASS_DOMAIN2, DOMAIN2__SET_CPUID, "set_cpuid")
> + S_(SECCLASS_DOMAIN2, DOMAIN2__GETTSC, "gettsc")
> + S_(SECCLASS_DOMAIN2, DOMAIN2__SETTSC, "settsc")
> S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
> S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
> S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
> @@ -79,6 +82,8 @@
> S_(SECCLASS_HVM, HVM__HVMCTL, "hvmctl")
> S_(SECCLASS_HVM, HVM__MEM_EVENT, "mem_event")
> S_(SECCLASS_HVM, HVM__MEM_SHARING, "mem_sharing")
> + S_(SECCLASS_HVM, HVM__SHARE_MEM, "share_mem")
> + S_(SECCLASS_HVM, HVM__AUDIT_P2M, "audit_p2m")
> S_(SECCLASS_EVENT, EVENT__BIND, "bind")
> S_(SECCLASS_EVENT, EVENT__SEND, "send")
> S_(SECCLASS_EVENT, EVENT__STATUS, "status")
> diff --git a/xen/xsm/flask/include/av_permissions.h
> b/xen/xsm/flask/include/av_permissions.h
> index f7cfee1..8596a55 100644
> --- a/xen/xsm/flask/include/av_permissions.h
> +++ b/xen/xsm/flask/include/av_permissions.h
> @@ -68,6 +68,9 @@
> #define DOMAIN2__RELABELSELF 0x00000004UL
> #define DOMAIN2__MAKE_PRIV_FOR 0x00000008UL
> #define DOMAIN2__SET_AS_TARGET 0x00000010UL
> +#define DOMAIN2__SET_CPUID 0x00000020UL
> +#define DOMAIN2__GETTSC 0x00000040UL
> +#define DOMAIN2__SETTSC 0x00000080UL
>
> #define HVM__SETHVMC 0x00000001UL
> #define HVM__GETHVMC 0x00000002UL
> @@ -82,6 +85,8 @@
> #define HVM__HVMCTL 0x00000400UL
> #define HVM__MEM_EVENT 0x00000800UL
> #define HVM__MEM_SHARING 0x00001000UL
> +#define HVM__SHARE_MEM 0x00002000UL
> +#define HVM__AUDIT_P2M 0x00004000UL
>
> #define EVENT__BIND 0x00000001UL
> #define EVENT__SEND 0x00000002UL
next prev parent reply other threads:[~2012-08-06 18:53 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-06 14:32 [PATCH 00/18] RFC: Merge IS_PRIV checks into XSM hooks Daniel De Graaf
2012-08-06 14:32 ` [PATCH 01/18] xsm/flask: remove inherited class attributes Daniel De Graaf
2012-08-06 14:32 ` [PATCH 02/18] xsm/flask: remove unneeded create_sid field Daniel De Graaf
2012-08-06 14:32 ` [PATCH 03/18] xsm/flask: add domain relabel support Daniel De Graaf
2012-08-06 14:32 ` [PATCH 04/18] libxl: introduce XSM relabel on build Daniel De Graaf
2012-08-06 14:32 ` [PATCH 05/18] flask/policy: Add domain relabel example Daniel De Graaf
2012-08-06 14:32 ` [PATCH 06/18] xsm, arch/x86: add distinct XSM hooks for map/unmap Daniel De Graaf
2012-08-06 14:32 ` [PATCH 07/18] arch/x86: add missing XSM checks to XENPF_ commands Daniel De Graaf
2012-08-06 14:57 ` Jan Beulich
2012-08-06 15:06 ` Daniel De Graaf
2012-08-06 14:32 ` [PATCH 08/18] xen: Add DOMID_SELF support to rcu_lock_domain_by_id Daniel De Graaf
2012-08-06 15:07 ` Jan Beulich
2012-08-06 15:19 ` Daniel De Graaf
2012-08-06 15:50 ` Jan Beulich
2012-08-06 16:38 ` Daniel De Graaf
2012-08-07 7:00 ` Jan Beulich
2012-08-06 14:32 ` [PATCH 09/18] xsm/flask: Add checks on the domain performing the set_target operation Daniel De Graaf
2012-08-06 14:32 ` [PATCH 10/18] xsm: Add IS_PRIV checks to dummy XSM module Daniel De Graaf
2012-08-06 14:32 ` [PATCH 11/18] xen: use XSM instead of IS_PRIV where duplicated Daniel De Graaf
2012-08-06 15:18 ` Jan Beulich
2012-08-06 15:25 ` Daniel De Graaf
2012-08-06 15:53 ` Jan Beulich
2012-08-06 14:32 ` [PATCH 12/18] xsm: Add missing domctl and mem_sharing hooks Daniel De Graaf
2012-08-06 18:53 ` Keir Fraser [this message]
2012-08-06 19:30 ` Daniel De Graaf
2012-08-06 14:32 ` [PATCH 13/18] tmem: Add access control check Daniel De Graaf
2012-08-06 14:32 ` [PATCH 14/18] xsm: remove unneeded xsm_call macro Daniel De Graaf
2012-08-06 14:32 ` [PATCH 15/18] xsm/flask: add distinct SIDs for self/target access Daniel De Graaf
2012-08-06 14:32 ` [PATCH 16/18] arch/x86: use XSM hooks for get_pg_owner access checks Daniel De Graaf
2012-08-06 15:26 ` Jan Beulich
2012-08-06 16:29 ` Daniel De Graaf
2012-08-07 6:55 ` Jan Beulich
2012-08-07 13:44 ` Daniel De Graaf
2012-08-07 13:56 ` Jan Beulich
2012-08-06 14:32 ` [PATCH 17/18] xen: Add XSM hook for XENMEM_exchange Daniel De Graaf
2012-08-06 14:32 ` [PATCH 18/18] xen: remove rcu_lock_target_domain_by_id Daniel De Graaf
2012-08-07 5:12 ` [PATCH 00/18] RFC: Merge IS_PRIV checks into XSM hooks Shakeel Butt
2012-08-07 17:46 ` Daniel De Graaf
2012-08-07 18:07 ` Shakeel Butt
2012-08-07 18:06 ` Konrad Rzeszutek Wilk
2012-08-07 18:20 ` Daniel De Graaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CC45D14D.3A904%keir.xen@gmail.com \
--to=keir.xen@gmail.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.