* [PATCH v4 0/4] Rename/remove IS_PRIV
@ 2013-05-03 14:09 Daniel De Graaf
2013-05-03 14:09 ` [PATCH RESEND 1/4] xen/xsm: add hooks for claim Daniel De Graaf
` (3 more replies)
0 siblings, 4 replies; 11+ messages in thread
From: Daniel De Graaf @ 2013-05-03 14:09 UTC (permalink / raw)
To: xen-devel
This is mostly a resend from the v3 series, minus those already applied
and the patches merging is_hardware_domain and domid == 0 checks. The
removal of rcu_lock_target_domain_by_id has been split into two patches:
one for the ARM-specific code and one for the removal from common code.
[PATCH 1/4] xen/xsm: add hooks for claim
[PATCH 2/4] xen/arm: remove rcu_lock_target_domain_by_id users
[PATCH 3/4] xen/common: remove rcu_lock_target_domain_by_id
[PATCH 4/4] xen: rename IS_PRIV to is_hardware_domain
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH RESEND 1/4] xen/xsm: add hooks for claim
2013-05-03 14:09 [PATCH v4 0/4] Rename/remove IS_PRIV Daniel De Graaf
@ 2013-05-03 14:09 ` Daniel De Graaf
2013-05-03 15:46 ` Konrad Rzeszutek Wilk
2013-05-03 16:00 ` Keir Fraser
2013-05-03 14:09 ` [PATCH RESEND 2/4] xen/arm: remove rcu_lock_target_domain_by_id users Daniel De Graaf
` (2 subsequent siblings)
3 siblings, 2 replies; 11+ messages in thread
From: Daniel De Graaf @ 2013-05-03 14:09 UTC (permalink / raw)
To: xen-devel; +Cc: Daniel De Graaf, Keir Fraser, Dan Magenheimer
Adds XSM hooks for the recently introduced XENMEM_claim_pages and
XENMEM_get_outstanding_pages operations, and adds FLASK access vectors
for them. This makes the access control decisions for these operations
match those in the rest of the hypervisor.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
Cc: Dan Magenheimer <dan.magenheimer@oracle.com>
Cc: Keir Fraser <keir@xen.org>
---
tools/flask/policy/policy/modules/xen/xen.if | 2 +-
xen/common/memory.c | 15 ++++++++-------
xen/include/xsm/dummy.h | 12 ++++++++++++
xen/include/xsm/xsm.h | 12 ++++++++++++
xen/xsm/dummy.c | 2 ++
xen/xsm/flask/hooks.c | 13 +++++++++++++
xen/xsm/flask/policy/access_vectors | 4 +++-
7 files changed, 51 insertions(+), 9 deletions(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 3a59f38..c86a618 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -49,7 +49,7 @@ define(`create_domain_common', `
getdomaininfo hypercall setvcpucontext setextvcpucontext
getscheduler getvcpuinfo getvcpuextstate getaddrsize
getaffinity setaffinity };
- allow $1 $2:domain2 { set_cpuid settsc setscheduler };
+ allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 68501d1..3239d53 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -712,9 +712,6 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
}
case XENMEM_claim_pages:
- if ( !IS_PRIV(current->domain) )
- return -EPERM;
-
if ( copy_from_guest(&reservation, arg, 1) )
return -EFAULT;
@@ -731,17 +728,21 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( d == NULL )
return -EINVAL;
- rc = domain_set_outstanding_pages(d, reservation.nr_extents);
+ rc = xsm_claim_pages(XSM_PRIV, d);
+
+ if ( !rc )
+ rc = domain_set_outstanding_pages(d, reservation.nr_extents);
rcu_unlock_domain(d);
break;
case XENMEM_get_outstanding_pages:
- if ( !IS_PRIV(current->domain) )
- return -EPERM;
+ rc = xsm_xenmem_get_outstanding_pages(XSM_PRIV);
+
+ if ( !rc )
+ rc = get_outstanding_claims();
- rc = get_outstanding_claims();
break;
default:
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 9cae61c..9bfe596 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -247,6 +247,18 @@ static XSM_INLINE int xsm_memory_pin_page(XSM_DEFAULT_ARG struct domain *d1, str
return xsm_default_action(action, d1, d2);
}
+static XSM_INLINE int xsm_claim_pages(XSM_DEFAULT_ARG struct domain *d)
+{
+ XSM_ASSERT_ACTION(XSM_PRIV);
+ return xsm_default_action(action, current->domain, d);
+}
+
+static XSM_INLINE int xsm_xenmem_get_outstanding_pages(XSM_DEFAULT_VOID)
+{
+ XSM_ASSERT_ACTION(XSM_PRIV);
+ return xsm_default_action(action, current->domain, NULL);
+}
+
static XSM_INLINE int xsm_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn,
domid_t id2)
{
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 5103070..69fe64a 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -92,6 +92,8 @@ struct xsm_operations {
int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct page_info *page);
int (*add_to_physmap) (struct domain *d1, struct domain *d2);
int (*remove_from_physmap) (struct domain *d1, struct domain *d2);
+ int (*claim_pages) (struct domain *d);
+ int (*xenmem_get_outstanding_pages) (void);
int (*console_io) (struct domain *d, int cmd);
@@ -350,6 +352,16 @@ static inline int xsm_remove_from_physmap(xsm_default_t def, struct domain *d1,
return xsm_ops->remove_from_physmap(d1, d2);
}
+static inline int xsm_claim_pages(xsm_default_t def, struct domain *d)
+{
+ return xsm_ops->claim_pages(d);
+}
+
+static inline int xsm_xenmem_get_outstanding_pages(xsm_default_t def)
+{
+ return xsm_ops->xenmem_get_outstanding_pages();
+}
+
static inline int xsm_console_io (xsm_default_t def, struct domain *d, int cmd)
{
return xsm_ops->console_io(d, cmd);
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index f7b0399..3d84e73 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -66,6 +66,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, memory_adjust_reservation);
set_to_dummy_if_null(ops, memory_stat_reservation);
set_to_dummy_if_null(ops, memory_pin_page);
+ set_to_dummy_if_null(ops, claim_pages);
+ set_to_dummy_if_null(ops, xenmem_get_outstanding_pages);
set_to_dummy_if_null(ops, console_io);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 04c8a39..3291aa2 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -417,6 +417,17 @@ static int flask_memory_pin_page(struct domain *d1, struct domain *d2,
return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__PINPAGE);
}
+static int flask_claim_pages(struct domain *d)
+{
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SETCLAIM);
+}
+
+static int flask_xenmem_get_outstanding_pages(void)
+{
+ return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN,
+ XEN__HEAP, NULL);
+}
+
static int flask_console_io(struct domain *d, int cmd)
{
u32 perm;
@@ -1485,6 +1496,8 @@ static struct xsm_operations flask_ops = {
.memory_adjust_reservation = flask_memory_adjust_reservation,
.memory_stat_reservation = flask_memory_stat_reservation,
.memory_pin_page = flask_memory_pin_page,
+ .claim_pages = flask_claim_pages,
+ .xenmem_get_outstanding_pages = flask_xenmem_get_outstanding_pages,
.console_io = flask_console_io,
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index c8ae806..544c3ba 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -54,7 +54,7 @@ class xen
debug
# XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo
getcpuinfo
-# XEN_SYSCTL_availheap
+# XEN_SYSCTL_availheap, XENMEM_get_outstanding_pages
heap
# XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo,
# XENPF_core_parking
@@ -192,6 +192,8 @@ class domain2
settsc
# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
setscheduler
+# XENMEM_claim_pages
+ setclaim
}
# Similar to class domain, but primarily contains domctls related to HVM domains
--
1.8.1.4
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH RESEND 2/4] xen/arm: remove rcu_lock_target_domain_by_id users
2013-05-03 14:09 [PATCH v4 0/4] Rename/remove IS_PRIV Daniel De Graaf
2013-05-03 14:09 ` [PATCH RESEND 1/4] xen/xsm: add hooks for claim Daniel De Graaf
@ 2013-05-03 14:09 ` Daniel De Graaf
2013-05-03 14:26 ` Ian Campbell
2013-05-03 14:09 ` [PATCH RESEND 3/4] xen/common: remove rcu_lock_target_domain_by_id Daniel De Graaf
2013-05-03 14:09 ` [PATCH RESEND 4/4] xen: rename IS_PRIV to is_hardware_domain Daniel De Graaf
3 siblings, 1 reply; 11+ messages in thread
From: Daniel De Graaf @ 2013-05-03 14:09 UTC (permalink / raw)
To: xen-devel; +Cc: Tim Deegan, Daniel De Graaf, Stefano Stabellini, Ian Campbell
This function has been replaced with rcu_lock_domain_by_any_id and an
XSM check. Two callers already had an XSM check; add a check to the
third.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@citrix.com>
Cc: Tim Deegan <tim@xen.org>
---
xen/arch/arm/mm.c | 23 +++++++++++++++--------
xen/include/xsm/dummy.h | 8 ++++++++
xen/include/xsm/xsm.h | 11 +++++++++++
xen/xsm/dummy.c | 3 +++
xen/xsm/flask/hooks.c | 10 ++++++++++
5 files changed, 47 insertions(+), 8 deletions(-)
diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c
index 03492df..bd6d5f3 100644
--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -753,9 +753,16 @@ static int xenmem_add_to_physmap_one(
{
paddr_t maddr;
struct domain *od;
- rc = rcu_lock_target_domain_by_id(foreign_domid, &od);
- if ( rc < 0 )
+ od = rcu_lock_domain_by_any_id(foreign_domid);
+ if ( od == NULL )
+ return -ESRCH;
+
+ rc = xsm_map_gmfn_foreign(XSM_TARGET, d, od);
+ if ( rc )
+ {
+ rcu_unlock_domain(od);
return rc;
+ }
maddr = p2m_lookup(od, idx << PAGE_SHIFT);
if ( maddr == INVALID_PADDR )
@@ -847,9 +854,9 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( xatp.space == XENMAPSPACE_gmfn_foreign )
return -EINVAL;
- rc = rcu_lock_target_domain_by_id(xatp.domid, &d);
- if ( rc != 0 )
- return rc;
+ d = rcu_lock_domain_by_any_id(xatp.domid);
+ if ( d == NULL )
+ return -ESRCH;
rc = xsm_add_to_physmap(XSM_TARGET, current->domain, d);
if ( rc )
@@ -878,9 +885,9 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
if ( xatpr.space == XENMAPSPACE_gmfn_range )
return -EINVAL;
- rc = rcu_lock_target_domain_by_id(xatpr.domid, &d);
- if ( rc != 0 )
- return rc;
+ d = rcu_lock_domain_by_any_id(xatpr.domid);
+ if ( d == NULL )
+ return -ESRCH;
rc = xsm_add_to_physmap(XSM_TARGET, current->domain, d);
if ( rc )
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 9bfe596..3912bd9 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -616,4 +616,12 @@ static XSM_INLINE int xsm_ioport_mapping(XSM_DEFAULT_ARG struct domain *d, uint3
return xsm_default_action(action, current->domain, d);
}
+#endif /* CONFIG_X86 */
+
+#ifdef CONFIG_ARM
+static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
+{
+ XSM_ASSERT_ACTION(XSM_TARGET);
+ return xsm_default_action(action, d, t);
+}
#endif
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 69fe64a..58a4fbb 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -162,6 +162,9 @@ struct xsm_operations {
int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
#endif
+#ifdef CONFIG_ARM
+ int (*map_gmfn_foreign) (struct domain *d, struct domain *t);
+#endif
};
#ifdef XSM_ENABLE
@@ -622,6 +625,14 @@ static inline int xsm_ioport_mapping (xsm_default_t def, struct domain *d, uint3
return xsm_ops->ioport_mapping(d, s, e, allow);
}
#endif /* CONFIG_X86 */
+
+#ifdef CONFIG_ARM
+static inline int xsm_map_gmfn_foreign (struct domain *d, struct domain *t)
+{
+ return xsm_ops->map_gmfn_foreign(d, t);
+}
+#endif /* CONFIG_ARM */
+
#endif /* XSM_NO_WRAPPERS */
extern int xsm_init(unsigned long *module_map, const multiboot_info_t *mbi,
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 3d84e73..937761f 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -132,4 +132,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, ioport_permission);
set_to_dummy_if_null(ops, ioport_mapping);
#endif
+#ifdef CONFIG_ARM
+ set_to_dummy_if_null(ops, map_gmfn_foreign);
+#endif
}
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 3291aa2..bb10de3 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1454,6 +1454,13 @@ static int flask_unbind_pt_irq (struct domain *d, struct xen_domctl_bind_pt_irq
{
return current_has_perm(d, SECCLASS_RESOURCE, RESOURCE__REMOVE);
}
+#endif /* CONFIG_X86 */
+
+#ifdef CONFIG_ARM
+static int flask_map_gmfn_foreign(struct domain *d, struct domain *t)
+{
+ return domain_has_perm(d, t, SECCLASS_MMU, MMU__MAP_READ | MMU__MAP_WRITE);
+}
#endif
long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op);
@@ -1562,6 +1569,9 @@ static struct xsm_operations flask_ops = {
.ioport_permission = flask_ioport_permission,
.ioport_mapping = flask_ioport_mapping,
#endif
+#ifdef CONFIG_ARM
+ .map_gmfn_foreign = flask_map_gmfn_foreign,
+#endif
};
static __init int flask_init(void)
--
1.8.1.4
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH RESEND 3/4] xen/common: remove rcu_lock_target_domain_by_id
2013-05-03 14:09 [PATCH v4 0/4] Rename/remove IS_PRIV Daniel De Graaf
2013-05-03 14:09 ` [PATCH RESEND 1/4] xen/xsm: add hooks for claim Daniel De Graaf
2013-05-03 14:09 ` [PATCH RESEND 2/4] xen/arm: remove rcu_lock_target_domain_by_id users Daniel De Graaf
@ 2013-05-03 14:09 ` Daniel De Graaf
2013-05-03 16:00 ` Keir Fraser
2013-05-03 14:09 ` [PATCH RESEND 4/4] xen: rename IS_PRIV to is_hardware_domain Daniel De Graaf
3 siblings, 1 reply; 11+ messages in thread
From: Daniel De Graaf @ 2013-05-03 14:09 UTC (permalink / raw)
To: xen-devel; +Cc: Daniel De Graaf, Keir Fraser
This function (and rcu_lock_remote_target_domain_by_id) has no remaining
users, having been replaced with XSM hooks and the other rcu_lock_*
functions. Remove it.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
Cc: Keir Fraser <keir@xen.org>
---
xen/common/domain.c | 34 ----------------------------------
xen/include/xen/sched.h | 14 --------------
2 files changed, 48 deletions(-)
diff --git a/xen/common/domain.c b/xen/common/domain.c
index b5d44d4..8adf00a 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -481,40 +481,6 @@ struct domain *rcu_lock_domain_by_any_id(domid_t dom)
return rcu_lock_domain_by_id(dom);
}
-int rcu_lock_target_domain_by_id(domid_t dom, struct domain **d)
-{
- if ( dom == DOMID_SELF )
- {
- *d = rcu_lock_current_domain();
- return 0;
- }
-
- if ( (*d = rcu_lock_domain_by_id(dom)) == NULL )
- return -ESRCH;
-
- if ( !IS_PRIV_FOR(current->domain, *d) )
- {
- rcu_unlock_domain(*d);
- return -EPERM;
- }
-
- return 0;
-}
-
-int rcu_lock_remote_target_domain_by_id(domid_t dom, struct domain **d)
-{
- if ( (*d = rcu_lock_domain_by_id(dom)) == NULL )
- return -ESRCH;
-
- if ( (*d == current->domain) || !IS_PRIV_FOR(current->domain, *d) )
- {
- rcu_unlock_domain(*d);
- return -EPERM;
- }
-
- return 0;
-}
-
int rcu_lock_remote_domain_by_id(domid_t dom, struct domain **d)
{
if ( (*d = rcu_lock_domain_by_id(dom)) == NULL )
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 41f749e..cb3baed 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -477,20 +477,6 @@ struct domain *rcu_lock_domain_by_id(domid_t dom);
struct domain *rcu_lock_domain_by_any_id(domid_t dom);
/*
- * As above function, but accounts for current domain context:
- * - Translates target DOMID_SELF into caller's domain id; and
- * - Checks that caller has permission to act on the target domain.
- */
-int rcu_lock_target_domain_by_id(domid_t dom, struct domain **d);
-
-/*
- * As rcu_lock_target_domain_by_id(), but will fail EPERM rather than resolve
- * to local domain. Successful return always resolves to a remote domain that
- * the local domain is privileged to control.
- */
-int rcu_lock_remote_target_domain_by_id(domid_t dom, struct domain **d);
-
-/*
* As rcu_lock_domain_by_id(), but will fail EPERM or ESRCH rather than resolve
* to local domain.
*/
--
1.8.1.4
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH RESEND 4/4] xen: rename IS_PRIV to is_hardware_domain
2013-05-03 14:09 [PATCH v4 0/4] Rename/remove IS_PRIV Daniel De Graaf
` (2 preceding siblings ...)
2013-05-03 14:09 ` [PATCH RESEND 3/4] xen/common: remove rcu_lock_target_domain_by_id Daniel De Graaf
@ 2013-05-03 14:09 ` Daniel De Graaf
2013-05-03 16:00 ` Keir Fraser
3 siblings, 1 reply; 11+ messages in thread
From: Daniel De Graaf @ 2013-05-03 14:09 UTC (permalink / raw)
To: xen-devel; +Cc: Daniel De Graaf, Keir Fraser, Jan Beulich
Since the remaining uses of IS_PRIV are actually concerned with the
domain having control of the hardware (i.e. being the initial domain),
clarify this by renaming IS_PRIV to is_hardware_domain. This also
removes IS_PRIV_FOR since the only remaining user was xsm/dummy.h.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
Cc: Keir Fraser <keir@xen.org>
Cc: Jan Beulich <jbeulich@suse.com>
---
xen/arch/x86/domctl.c | 6 +++---
xen/arch/x86/msi.c | 2 +-
xen/arch/x86/physdev.c | 4 ++--
xen/arch/x86/traps.c | 12 ++++++------
xen/include/xen/sched.h | 12 ++++++++++--
xen/include/xsm/dummy.h | 32 ++++++++++++++++++++------------
6 files changed, 42 insertions(+), 26 deletions(-)
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 1f16ad2..c2a04c4 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -661,7 +661,7 @@ long arch_do_domctl(
while ( i-- )
clear_mmio_p2m_entry(d, gfn + i);
if ( iomem_deny_access(d, mfn, mfn + nr_mfns - 1) &&
- IS_PRIV(current->domain) )
+ is_hardware_domain(current->domain) )
printk(XENLOG_ERR
"memory_map: failed to deny dom%d access to [%lx,%lx]\n",
d->domain_id, mfn, mfn + nr_mfns - 1);
@@ -680,7 +680,7 @@ long arch_do_domctl(
ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1);
if ( !ret && add )
ret = -EIO;
- if ( ret && IS_PRIV(current->domain) )
+ if ( ret && is_hardware_domain(current->domain) )
printk(XENLOG_ERR
"memory_map: error %ld %s dom%d access to [%lx,%lx]\n",
ret, add ? "removing" : "denying", d->domain_id,
@@ -767,7 +767,7 @@ long arch_do_domctl(
break;
}
ret = ioports_deny_access(d, fmp, fmp + np - 1);
- if ( ret && IS_PRIV(current->domain) )
+ if ( ret && is_hardware_domain(current->domain) )
printk(XENLOG_ERR
"ioport_map: error %ld denying dom%d access to [%x,%x]\n",
ret, d->domain_id, fmp, fmp + np - 1);
diff --git a/xen/arch/x86/msi.c b/xen/arch/x86/msi.c
index 36bed29..a2ceea0 100644
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -812,7 +812,7 @@ static int msix_capability_init(struct pci_dev *dev,
break;
if ( d )
{
- if ( !IS_PRIV(d) && dev->msix_warned != d->domain_id )
+ if ( !is_hardware_domain(d) && dev->msix_warned != d->domain_id )
{
dev->msix_warned = d->domain_id;
printk(XENLOG_ERR
diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
index eb8a407..3733c7a 100644
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -128,7 +128,7 @@ int physdev_map_pirq(domid_t domid, int type, int *index, int *pirq_p,
irq = domain_pirq_to_irq(current->domain, *index);
if ( irq <= 0 )
{
- if ( IS_PRIV(current->domain) )
+ if ( is_hardware_domain(current->domain) )
irq = *index;
else {
dprintk(XENLOG_G_ERR, "dom%d: map pirq with incorrect irq!\n",
@@ -691,7 +691,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
case PHYSDEVOP_dbgp_op: {
struct physdev_dbgp_op op;
- if ( !IS_PRIV(v->domain) )
+ if ( !is_hardware_domain(v->domain) )
ret = -EPERM;
else if ( copy_from_guest(&op, arg, 1) )
ret = -EFAULT;
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index fbbe31d..e0bc60d 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1303,7 +1303,7 @@ static int fixup_page_fault(unsigned long addr, struct cpu_user_regs *regs)
ptwr_do_page_fault(v, addr, regs) )
return EXCRET_fault_fixed;
- if ( IS_PRIV(d) && (regs->error_code & PFEC_page_present) &&
+ if ( is_hardware_domain(d) && (regs->error_code & PFEC_page_present) &&
mmio_ro_do_page_fault(v, addr, regs) )
return EXCRET_fault_fixed;
}
@@ -1623,7 +1623,7 @@ static int pci_cfg_ok(struct domain *d, int write, int size)
{
uint32_t machine_bdf;
uint16_t start, end;
- if (!IS_PRIV(d))
+ if (!is_hardware_domain(d))
return 0;
machine_bdf = (d->arch.pci_cf8 >> 8) & 0xFFFF;
@@ -2415,7 +2415,7 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD ||
boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 )
goto fail;
- if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
+ if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
break;
if ( (rdmsr_safe(MSR_AMD64_NB_CFG, val) != 0) ||
(eax != (uint32_t)val) ||
@@ -2428,7 +2428,7 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD ||
boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 )
goto fail;
- if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
+ if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
break;
if ( (rdmsr_safe(MSR_FAM10H_MMIO_CONF_BASE, val) != 0) )
goto fail;
@@ -2448,7 +2448,7 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
case MSR_IA32_UCODE_REV:
if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
goto fail;
- if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
+ if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
break;
if ( rdmsr_safe(regs->ecx, val) )
goto fail;
@@ -2484,7 +2484,7 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
case MSR_IA32_ENERGY_PERF_BIAS:
if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
goto fail;
- if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
+ if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
break;
if ( wrmsr_safe(regs->ecx, msr_content) != 0 )
goto fail;
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index cb3baed..5b55c09 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -716,8 +716,16 @@ uint64_t get_cpu_idle_time(unsigned int cpu);
void watchdog_domain_init(struct domain *d);
void watchdog_domain_destroy(struct domain *d);
-#define IS_PRIV(_d) ((_d)->is_privileged)
-#define IS_PRIV_FOR(_d, _t) (IS_PRIV(_d) || ((_d)->target && (_d)->target == (_t)))
+/*
+ * Use this check when the following are both true:
+ * - Using this feature or interface requires full access to the hardware
+ * (that is, this is would not be suitable for a driver domain)
+ * - There is never a reason to deny dom0 access to this
+ */
+#define is_hardware_domain(_d) ((_d)->is_privileged)
+
+/* This check is for functionality specific to a control domain */
+#define is_control_domain(_d) ((_d)->is_privileged)
#define VM_ASSIST(_d,_t) (test_bit((_t), &(_d)->vm_assist))
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 3912bd9..a872056 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -60,17 +60,23 @@ static always_inline int xsm_default_action(
case XSM_HOOK:
return 0;
case XSM_DM_PRIV:
- if ( !IS_PRIV_FOR(src, target) )
- return -EPERM;
- return 0;
+ if ( src->is_privileged )
+ return 0;
+ if ( target && src->target == target )
+ return 0;
+ return -EPERM;
case XSM_TARGET:
- if ( src != target && !IS_PRIV_FOR(src, target) )
- return -EPERM;
- return 0;
+ if ( src == target )
+ return 0;
+ if ( src->is_privileged )
+ return 0;
+ if ( target && src->target == target )
+ return 0;
+ return -EPERM;
case XSM_PRIV:
- if ( !IS_PRIV(src) )
- return -EPERM;
- return 0;
+ if ( src->is_privileged )
+ return 0;
+ return -EPERM;
default:
LINKER_BUG_ON(1);
return -EPERM;
@@ -567,10 +573,12 @@ static XSM_INLINE int xsm_domain_memory_map(XSM_DEFAULT_ARG struct domain *d)
static XSM_INLINE int xsm_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct domain *t,
struct domain *f, uint32_t flags)
{
+ int rc;
XSM_ASSERT_ACTION(XSM_TARGET);
- if ( t && d != t && !IS_PRIV_FOR(d, t) )
- return -EPERM;
- return xsm_default_action(action, d, f);
+ rc = xsm_default_action(action, d, f);
+ if ( t && !rc )
+ rc = xsm_default_action(action, d, t);
+ return rc;
}
static XSM_INLINE int xsm_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct domain *f)
--
1.8.1.4
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH RESEND 2/4] xen/arm: remove rcu_lock_target_domain_by_id users
2013-05-03 14:09 ` [PATCH RESEND 2/4] xen/arm: remove rcu_lock_target_domain_by_id users Daniel De Graaf
@ 2013-05-03 14:26 ` Ian Campbell
0 siblings, 0 replies; 11+ messages in thread
From: Ian Campbell @ 2013-05-03 14:26 UTC (permalink / raw)
To: Daniel De Graaf
Cc: Stefano Stabellini, Tim (Xen.org), xen-devel@lists.xen.org
On Fri, 2013-05-03 at 15:09 +0100, Daniel De Graaf wrote:
> This function has been replaced with rcu_lock_domain_by_any_id and an
> XSM check. Two callers already had an XSM check; add a check to the
> third.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
For the ARM stuff:
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Since the bulk of the series is elsewhere I expect someone else will be
applying?
> Cc: Stefano Stabellini <stefano.stabellini@citrix.com>
> Cc: Tim Deegan <tim@xen.org>
> ---
> xen/arch/arm/mm.c | 23 +++++++++++++++--------
> xen/include/xsm/dummy.h | 8 ++++++++
> xen/include/xsm/xsm.h | 11 +++++++++++
> xen/xsm/dummy.c | 3 +++
> xen/xsm/flask/hooks.c | 10 ++++++++++
> 5 files changed, 47 insertions(+), 8 deletions(-)
>
> diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c
> index 03492df..bd6d5f3 100644
> --- a/xen/arch/arm/mm.c
> +++ b/xen/arch/arm/mm.c
> @@ -753,9 +753,16 @@ static int xenmem_add_to_physmap_one(
> {
> paddr_t maddr;
> struct domain *od;
> - rc = rcu_lock_target_domain_by_id(foreign_domid, &od);
> - if ( rc < 0 )
> + od = rcu_lock_domain_by_any_id(foreign_domid);
> + if ( od == NULL )
> + return -ESRCH;
> +
> + rc = xsm_map_gmfn_foreign(XSM_TARGET, d, od);
> + if ( rc )
> + {
> + rcu_unlock_domain(od);
> return rc;
> + }
>
> maddr = p2m_lookup(od, idx << PAGE_SHIFT);
> if ( maddr == INVALID_PADDR )
> @@ -847,9 +854,9 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
> if ( xatp.space == XENMAPSPACE_gmfn_foreign )
> return -EINVAL;
>
> - rc = rcu_lock_target_domain_by_id(xatp.domid, &d);
> - if ( rc != 0 )
> - return rc;
> + d = rcu_lock_domain_by_any_id(xatp.domid);
> + if ( d == NULL )
> + return -ESRCH;
>
> rc = xsm_add_to_physmap(XSM_TARGET, current->domain, d);
> if ( rc )
> @@ -878,9 +885,9 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
> if ( xatpr.space == XENMAPSPACE_gmfn_range )
> return -EINVAL;
>
> - rc = rcu_lock_target_domain_by_id(xatpr.domid, &d);
> - if ( rc != 0 )
> - return rc;
> + d = rcu_lock_domain_by_any_id(xatpr.domid);
> + if ( d == NULL )
> + return -ESRCH;
>
> rc = xsm_add_to_physmap(XSM_TARGET, current->domain, d);
> if ( rc )
> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> index 9bfe596..3912bd9 100644
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -616,4 +616,12 @@ static XSM_INLINE int xsm_ioport_mapping(XSM_DEFAULT_ARG struct domain *d, uint3
> return xsm_default_action(action, current->domain, d);
> }
>
> +#endif /* CONFIG_X86 */
> +
> +#ifdef CONFIG_ARM
> +static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t)
> +{
> + XSM_ASSERT_ACTION(XSM_TARGET);
> + return xsm_default_action(action, d, t);
> +}
> #endif
> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
> index 69fe64a..58a4fbb 100644
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -162,6 +162,9 @@ struct xsm_operations {
> int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
> int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow);
> #endif
> +#ifdef CONFIG_ARM
> + int (*map_gmfn_foreign) (struct domain *d, struct domain *t);
> +#endif
> };
>
> #ifdef XSM_ENABLE
> @@ -622,6 +625,14 @@ static inline int xsm_ioport_mapping (xsm_default_t def, struct domain *d, uint3
> return xsm_ops->ioport_mapping(d, s, e, allow);
> }
> #endif /* CONFIG_X86 */
> +
> +#ifdef CONFIG_ARM
> +static inline int xsm_map_gmfn_foreign (struct domain *d, struct domain *t)
> +{
> + return xsm_ops->map_gmfn_foreign(d, t);
> +}
> +#endif /* CONFIG_ARM */
> +
> #endif /* XSM_NO_WRAPPERS */
>
> extern int xsm_init(unsigned long *module_map, const multiboot_info_t *mbi,
> diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
> index 3d84e73..937761f 100644
> --- a/xen/xsm/dummy.c
> +++ b/xen/xsm/dummy.c
> @@ -132,4 +132,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
> set_to_dummy_if_null(ops, ioport_permission);
> set_to_dummy_if_null(ops, ioport_mapping);
> #endif
> +#ifdef CONFIG_ARM
> + set_to_dummy_if_null(ops, map_gmfn_foreign);
> +#endif
> }
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 3291aa2..bb10de3 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -1454,6 +1454,13 @@ static int flask_unbind_pt_irq (struct domain *d, struct xen_domctl_bind_pt_irq
> {
> return current_has_perm(d, SECCLASS_RESOURCE, RESOURCE__REMOVE);
> }
> +#endif /* CONFIG_X86 */
> +
> +#ifdef CONFIG_ARM
> +static int flask_map_gmfn_foreign(struct domain *d, struct domain *t)
> +{
> + return domain_has_perm(d, t, SECCLASS_MMU, MMU__MAP_READ | MMU__MAP_WRITE);
> +}
> #endif
>
> long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op);
> @@ -1562,6 +1569,9 @@ static struct xsm_operations flask_ops = {
> .ioport_permission = flask_ioport_permission,
> .ioport_mapping = flask_ioport_mapping,
> #endif
> +#ifdef CONFIG_ARM
> + .map_gmfn_foreign = flask_map_gmfn_foreign,
> +#endif
> };
>
> static __init int flask_init(void)
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH RESEND 1/4] xen/xsm: add hooks for claim
2013-05-03 14:09 ` [PATCH RESEND 1/4] xen/xsm: add hooks for claim Daniel De Graaf
@ 2013-05-03 15:46 ` Konrad Rzeszutek Wilk
2013-05-03 16:29 ` Daniel De Graaf
2013-05-03 16:00 ` Keir Fraser
1 sibling, 1 reply; 11+ messages in thread
From: Konrad Rzeszutek Wilk @ 2013-05-03 15:46 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: Dan Magenheimer, Keir Fraser, xen-devel
On Fri, May 03, 2013 at 10:09:13AM -0400, Daniel De Graaf wrote:
> Adds XSM hooks for the recently introduced XENMEM_claim_pages and
> XENMEM_get_outstanding_pages operations, and adds FLASK access vectors
> for them. This makes the access control decisions for these operations
> match those in the rest of the hypervisor.
I am not that familiar with this, but it looks OK. However I am
going to post a patch soon that will eliminate one of the hypercalls
(xenmem_get_outstanding_pages).
Do you want to wait for this or would it be better if I posted
the patch along with some changes to xsm hooks to delete it and
you can Ack it?
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
> Cc: Dan Magenheimer <dan.magenheimer@oracle.com>
> Cc: Keir Fraser <keir@xen.org>
> ---
> tools/flask/policy/policy/modules/xen/xen.if | 2 +-
> xen/common/memory.c | 15 ++++++++-------
> xen/include/xsm/dummy.h | 12 ++++++++++++
> xen/include/xsm/xsm.h | 12 ++++++++++++
> xen/xsm/dummy.c | 2 ++
> xen/xsm/flask/hooks.c | 13 +++++++++++++
> xen/xsm/flask/policy/access_vectors | 4 +++-
> 7 files changed, 51 insertions(+), 9 deletions(-)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
> index 3a59f38..c86a618 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -49,7 +49,7 @@ define(`create_domain_common', `
> getdomaininfo hypercall setvcpucontext setextvcpucontext
> getscheduler getvcpuinfo getvcpuextstate getaddrsize
> getaffinity setaffinity };
> - allow $1 $2:domain2 { set_cpuid settsc setscheduler };
> + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim };
> allow $1 $2:security check_context;
> allow $1 $2:shadow enable;
> allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
> diff --git a/xen/common/memory.c b/xen/common/memory.c
> index 68501d1..3239d53 100644
> --- a/xen/common/memory.c
> +++ b/xen/common/memory.c
> @@ -712,9 +712,6 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
> }
>
> case XENMEM_claim_pages:
> - if ( !IS_PRIV(current->domain) )
> - return -EPERM;
> -
> if ( copy_from_guest(&reservation, arg, 1) )
> return -EFAULT;
>
> @@ -731,17 +728,21 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
> if ( d == NULL )
> return -EINVAL;
>
> - rc = domain_set_outstanding_pages(d, reservation.nr_extents);
> + rc = xsm_claim_pages(XSM_PRIV, d);
> +
> + if ( !rc )
> + rc = domain_set_outstanding_pages(d, reservation.nr_extents);
>
> rcu_unlock_domain(d);
>
> break;
>
> case XENMEM_get_outstanding_pages:
> - if ( !IS_PRIV(current->domain) )
> - return -EPERM;
> + rc = xsm_xenmem_get_outstanding_pages(XSM_PRIV);
> +
> + if ( !rc )
> + rc = get_outstanding_claims();
>
> - rc = get_outstanding_claims();
> break;
>
> default:
> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> index 9cae61c..9bfe596 100644
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -247,6 +247,18 @@ static XSM_INLINE int xsm_memory_pin_page(XSM_DEFAULT_ARG struct domain *d1, str
> return xsm_default_action(action, d1, d2);
> }
>
> +static XSM_INLINE int xsm_claim_pages(XSM_DEFAULT_ARG struct domain *d)
> +{
> + XSM_ASSERT_ACTION(XSM_PRIV);
> + return xsm_default_action(action, current->domain, d);
> +}
> +
> +static XSM_INLINE int xsm_xenmem_get_outstanding_pages(XSM_DEFAULT_VOID)
> +{
> + XSM_ASSERT_ACTION(XSM_PRIV);
> + return xsm_default_action(action, current->domain, NULL);
> +}
> +
> static XSM_INLINE int xsm_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn,
> domid_t id2)
> {
> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
> index 5103070..69fe64a 100644
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -92,6 +92,8 @@ struct xsm_operations {
> int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct page_info *page);
> int (*add_to_physmap) (struct domain *d1, struct domain *d2);
> int (*remove_from_physmap) (struct domain *d1, struct domain *d2);
> + int (*claim_pages) (struct domain *d);
> + int (*xenmem_get_outstanding_pages) (void);
>
> int (*console_io) (struct domain *d, int cmd);
>
> @@ -350,6 +352,16 @@ static inline int xsm_remove_from_physmap(xsm_default_t def, struct domain *d1,
> return xsm_ops->remove_from_physmap(d1, d2);
> }
>
> +static inline int xsm_claim_pages(xsm_default_t def, struct domain *d)
> +{
> + return xsm_ops->claim_pages(d);
> +}
> +
> +static inline int xsm_xenmem_get_outstanding_pages(xsm_default_t def)
> +{
> + return xsm_ops->xenmem_get_outstanding_pages();
> +}
> +
> static inline int xsm_console_io (xsm_default_t def, struct domain *d, int cmd)
> {
> return xsm_ops->console_io(d, cmd);
> diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
> index f7b0399..3d84e73 100644
> --- a/xen/xsm/dummy.c
> +++ b/xen/xsm/dummy.c
> @@ -66,6 +66,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
> set_to_dummy_if_null(ops, memory_adjust_reservation);
> set_to_dummy_if_null(ops, memory_stat_reservation);
> set_to_dummy_if_null(ops, memory_pin_page);
> + set_to_dummy_if_null(ops, claim_pages);
> + set_to_dummy_if_null(ops, xenmem_get_outstanding_pages);
>
> set_to_dummy_if_null(ops, console_io);
>
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 04c8a39..3291aa2 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -417,6 +417,17 @@ static int flask_memory_pin_page(struct domain *d1, struct domain *d2,
> return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__PINPAGE);
> }
>
> +static int flask_claim_pages(struct domain *d)
> +{
> + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SETCLAIM);
> +}
> +
> +static int flask_xenmem_get_outstanding_pages(void)
> +{
> + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN,
> + XEN__HEAP, NULL);
> +}
> +
> static int flask_console_io(struct domain *d, int cmd)
> {
> u32 perm;
> @@ -1485,6 +1496,8 @@ static struct xsm_operations flask_ops = {
> .memory_adjust_reservation = flask_memory_adjust_reservation,
> .memory_stat_reservation = flask_memory_stat_reservation,
> .memory_pin_page = flask_memory_pin_page,
> + .claim_pages = flask_claim_pages,
> + .xenmem_get_outstanding_pages = flask_xenmem_get_outstanding_pages,
>
> .console_io = flask_console_io,
>
> diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
> index c8ae806..544c3ba 100644
> --- a/xen/xsm/flask/policy/access_vectors
> +++ b/xen/xsm/flask/policy/access_vectors
> @@ -54,7 +54,7 @@ class xen
> debug
> # XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo
> getcpuinfo
> -# XEN_SYSCTL_availheap
> +# XEN_SYSCTL_availheap, XENMEM_get_outstanding_pages
> heap
> # XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo,
> # XENPF_core_parking
> @@ -192,6 +192,8 @@ class domain2
> settsc
> # XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
> setscheduler
> +# XENMEM_claim_pages
> + setclaim
> }
>
> # Similar to class domain, but primarily contains domctls related to HVM domains
> --
> 1.8.1.4
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH RESEND 3/4] xen/common: remove rcu_lock_target_domain_by_id
2013-05-03 14:09 ` [PATCH RESEND 3/4] xen/common: remove rcu_lock_target_domain_by_id Daniel De Graaf
@ 2013-05-03 16:00 ` Keir Fraser
0 siblings, 0 replies; 11+ messages in thread
From: Keir Fraser @ 2013-05-03 16:00 UTC (permalink / raw)
To: Daniel De Graaf, xen-devel; +Cc: Keir Fraser
On 03/05/2013 15:09, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:
> This function (and rcu_lock_remote_target_domain_by_id) has no remaining
> users, having been replaced with XSM hooks and the other rcu_lock_*
> functions. Remove it.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
> Cc: Keir Fraser <keir@xen.org>
Acked-by: Keir Fraser <keir@xen.org>
> ---
> xen/common/domain.c | 34 ----------------------------------
> xen/include/xen/sched.h | 14 --------------
> 2 files changed, 48 deletions(-)
>
> diff --git a/xen/common/domain.c b/xen/common/domain.c
> index b5d44d4..8adf00a 100644
> --- a/xen/common/domain.c
> +++ b/xen/common/domain.c
> @@ -481,40 +481,6 @@ struct domain *rcu_lock_domain_by_any_id(domid_t dom)
> return rcu_lock_domain_by_id(dom);
> }
>
> -int rcu_lock_target_domain_by_id(domid_t dom, struct domain **d)
> -{
> - if ( dom == DOMID_SELF )
> - {
> - *d = rcu_lock_current_domain();
> - return 0;
> - }
> -
> - if ( (*d = rcu_lock_domain_by_id(dom)) == NULL )
> - return -ESRCH;
> -
> - if ( !IS_PRIV_FOR(current->domain, *d) )
> - {
> - rcu_unlock_domain(*d);
> - return -EPERM;
> - }
> -
> - return 0;
> -}
> -
> -int rcu_lock_remote_target_domain_by_id(domid_t dom, struct domain **d)
> -{
> - if ( (*d = rcu_lock_domain_by_id(dom)) == NULL )
> - return -ESRCH;
> -
> - if ( (*d == current->domain) || !IS_PRIV_FOR(current->domain, *d) )
> - {
> - rcu_unlock_domain(*d);
> - return -EPERM;
> - }
> -
> - return 0;
> -}
> -
> int rcu_lock_remote_domain_by_id(domid_t dom, struct domain **d)
> {
> if ( (*d = rcu_lock_domain_by_id(dom)) == NULL )
> diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
> index 41f749e..cb3baed 100644
> --- a/xen/include/xen/sched.h
> +++ b/xen/include/xen/sched.h
> @@ -477,20 +477,6 @@ struct domain *rcu_lock_domain_by_id(domid_t dom);
> struct domain *rcu_lock_domain_by_any_id(domid_t dom);
>
> /*
> - * As above function, but accounts for current domain context:
> - * - Translates target DOMID_SELF into caller's domain id; and
> - * - Checks that caller has permission to act on the target domain.
> - */
> -int rcu_lock_target_domain_by_id(domid_t dom, struct domain **d);
> -
> -/*
> - * As rcu_lock_target_domain_by_id(), but will fail EPERM rather than resolve
> - * to local domain. Successful return always resolves to a remote domain that
> - * the local domain is privileged to control.
> - */
> -int rcu_lock_remote_target_domain_by_id(domid_t dom, struct domain **d);
> -
> -/*
> * As rcu_lock_domain_by_id(), but will fail EPERM or ESRCH rather than
> resolve
> * to local domain.
> */
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH RESEND 4/4] xen: rename IS_PRIV to is_hardware_domain
2013-05-03 14:09 ` [PATCH RESEND 4/4] xen: rename IS_PRIV to is_hardware_domain Daniel De Graaf
@ 2013-05-03 16:00 ` Keir Fraser
0 siblings, 0 replies; 11+ messages in thread
From: Keir Fraser @ 2013-05-03 16:00 UTC (permalink / raw)
To: Daniel De Graaf, xen-devel; +Cc: Keir Fraser, Jan Beulich
On 03/05/2013 15:09, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:
> Since the remaining uses of IS_PRIV are actually concerned with the
> domain having control of the hardware (i.e. being the initial domain),
> clarify this by renaming IS_PRIV to is_hardware_domain. This also
> removes IS_PRIV_FOR since the only remaining user was xsm/dummy.h.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
> Cc: Keir Fraser <keir@xen.org>
Acked-by: Keir Fraser <keir@xen.org>
> Cc: Jan Beulich <jbeulich@suse.com>
> ---
> xen/arch/x86/domctl.c | 6 +++---
> xen/arch/x86/msi.c | 2 +-
> xen/arch/x86/physdev.c | 4 ++--
> xen/arch/x86/traps.c | 12 ++++++------
> xen/include/xen/sched.h | 12 ++++++++++--
> xen/include/xsm/dummy.h | 32 ++++++++++++++++++++------------
> 6 files changed, 42 insertions(+), 26 deletions(-)
>
> diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
> index 1f16ad2..c2a04c4 100644
> --- a/xen/arch/x86/domctl.c
> +++ b/xen/arch/x86/domctl.c
> @@ -661,7 +661,7 @@ long arch_do_domctl(
> while ( i-- )
> clear_mmio_p2m_entry(d, gfn + i);
> if ( iomem_deny_access(d, mfn, mfn + nr_mfns - 1) &&
> - IS_PRIV(current->domain) )
> + is_hardware_domain(current->domain) )
> printk(XENLOG_ERR
> "memory_map: failed to deny dom%d access to
> [%lx,%lx]\n",
> d->domain_id, mfn, mfn + nr_mfns - 1);
> @@ -680,7 +680,7 @@ long arch_do_domctl(
> ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1);
> if ( !ret && add )
> ret = -EIO;
> - if ( ret && IS_PRIV(current->domain) )
> + if ( ret && is_hardware_domain(current->domain) )
> printk(XENLOG_ERR
> "memory_map: error %ld %s dom%d access to
> [%lx,%lx]\n",
> ret, add ? "removing" : "denying", d->domain_id,
> @@ -767,7 +767,7 @@ long arch_do_domctl(
> break;
> }
> ret = ioports_deny_access(d, fmp, fmp + np - 1);
> - if ( ret && IS_PRIV(current->domain) )
> + if ( ret && is_hardware_domain(current->domain) )
> printk(XENLOG_ERR
> "ioport_map: error %ld denying dom%d access to
> [%x,%x]\n",
> ret, d->domain_id, fmp, fmp + np - 1);
> diff --git a/xen/arch/x86/msi.c b/xen/arch/x86/msi.c
> index 36bed29..a2ceea0 100644
> --- a/xen/arch/x86/msi.c
> +++ b/xen/arch/x86/msi.c
> @@ -812,7 +812,7 @@ static int msix_capability_init(struct pci_dev *dev,
> break;
> if ( d )
> {
> - if ( !IS_PRIV(d) && dev->msix_warned != d->domain_id )
> + if ( !is_hardware_domain(d) && dev->msix_warned !=
> d->domain_id )
> {
> dev->msix_warned = d->domain_id;
> printk(XENLOG_ERR
> diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
> index eb8a407..3733c7a 100644
> --- a/xen/arch/x86/physdev.c
> +++ b/xen/arch/x86/physdev.c
> @@ -128,7 +128,7 @@ int physdev_map_pirq(domid_t domid, int type, int *index,
> int *pirq_p,
> irq = domain_pirq_to_irq(current->domain, *index);
> if ( irq <= 0 )
> {
> - if ( IS_PRIV(current->domain) )
> + if ( is_hardware_domain(current->domain) )
> irq = *index;
> else {
> dprintk(XENLOG_G_ERR, "dom%d: map pirq with incorrect
> irq!\n",
> @@ -691,7 +691,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void)
> arg)
> case PHYSDEVOP_dbgp_op: {
> struct physdev_dbgp_op op;
>
> - if ( !IS_PRIV(v->domain) )
> + if ( !is_hardware_domain(v->domain) )
> ret = -EPERM;
> else if ( copy_from_guest(&op, arg, 1) )
> ret = -EFAULT;
> diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
> index fbbe31d..e0bc60d 100644
> --- a/xen/arch/x86/traps.c
> +++ b/xen/arch/x86/traps.c
> @@ -1303,7 +1303,7 @@ static int fixup_page_fault(unsigned long addr, struct
> cpu_user_regs *regs)
> ptwr_do_page_fault(v, addr, regs) )
> return EXCRET_fault_fixed;
>
> - if ( IS_PRIV(d) && (regs->error_code & PFEC_page_present) &&
> + if ( is_hardware_domain(d) && (regs->error_code & PFEC_page_present)
> &&
> mmio_ro_do_page_fault(v, addr, regs) )
> return EXCRET_fault_fixed;
> }
> @@ -1623,7 +1623,7 @@ static int pci_cfg_ok(struct domain *d, int write, int
> size)
> {
> uint32_t machine_bdf;
> uint16_t start, end;
> - if (!IS_PRIV(d))
> + if (!is_hardware_domain(d))
> return 0;
>
> machine_bdf = (d->arch.pci_cf8 >> 8) & 0xFFFF;
> @@ -2415,7 +2415,7 @@ static int emulate_privileged_op(struct cpu_user_regs
> *regs)
> if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD ||
> boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 )
> goto fail;
> - if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
> + if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
> break;
> if ( (rdmsr_safe(MSR_AMD64_NB_CFG, val) != 0) ||
> (eax != (uint32_t)val) ||
> @@ -2428,7 +2428,7 @@ static int emulate_privileged_op(struct cpu_user_regs
> *regs)
> if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD ||
> boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 )
> goto fail;
> - if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
> + if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
> break;
> if ( (rdmsr_safe(MSR_FAM10H_MMIO_CONF_BASE, val) != 0) )
> goto fail;
> @@ -2448,7 +2448,7 @@ static int emulate_privileged_op(struct cpu_user_regs
> *regs)
> case MSR_IA32_UCODE_REV:
> if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
> goto fail;
> - if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
> + if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
> break;
> if ( rdmsr_safe(regs->ecx, val) )
> goto fail;
> @@ -2484,7 +2484,7 @@ static int emulate_privileged_op(struct cpu_user_regs
> *regs)
> case MSR_IA32_ENERGY_PERF_BIAS:
> if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
> goto fail;
> - if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
> + if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
> break;
> if ( wrmsr_safe(regs->ecx, msr_content) != 0 )
> goto fail;
> diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
> index cb3baed..5b55c09 100644
> --- a/xen/include/xen/sched.h
> +++ b/xen/include/xen/sched.h
> @@ -716,8 +716,16 @@ uint64_t get_cpu_idle_time(unsigned int cpu);
> void watchdog_domain_init(struct domain *d);
> void watchdog_domain_destroy(struct domain *d);
>
> -#define IS_PRIV(_d) ((_d)->is_privileged)
> -#define IS_PRIV_FOR(_d, _t) (IS_PRIV(_d) || ((_d)->target && (_d)->target ==
> (_t)))
> +/*
> + * Use this check when the following are both true:
> + * - Using this feature or interface requires full access to the hardware
> + * (that is, this is would not be suitable for a driver domain)
> + * - There is never a reason to deny dom0 access to this
> + */
> +#define is_hardware_domain(_d) ((_d)->is_privileged)
> +
> +/* This check is for functionality specific to a control domain */
> +#define is_control_domain(_d) ((_d)->is_privileged)
>
> #define VM_ASSIST(_d,_t) (test_bit((_t), &(_d)->vm_assist))
>
> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> index 3912bd9..a872056 100644
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -60,17 +60,23 @@ static always_inline int xsm_default_action(
> case XSM_HOOK:
> return 0;
> case XSM_DM_PRIV:
> - if ( !IS_PRIV_FOR(src, target) )
> - return -EPERM;
> - return 0;
> + if ( src->is_privileged )
> + return 0;
> + if ( target && src->target == target )
> + return 0;
> + return -EPERM;
> case XSM_TARGET:
> - if ( src != target && !IS_PRIV_FOR(src, target) )
> - return -EPERM;
> - return 0;
> + if ( src == target )
> + return 0;
> + if ( src->is_privileged )
> + return 0;
> + if ( target && src->target == target )
> + return 0;
> + return -EPERM;
> case XSM_PRIV:
> - if ( !IS_PRIV(src) )
> - return -EPERM;
> - return 0;
> + if ( src->is_privileged )
> + return 0;
> + return -EPERM;
> default:
> LINKER_BUG_ON(1);
> return -EPERM;
> @@ -567,10 +573,12 @@ static XSM_INLINE int
> xsm_domain_memory_map(XSM_DEFAULT_ARG struct domain *d)
> static XSM_INLINE int xsm_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct
> domain *t,
> struct domain *f, uint32_t flags)
> {
> + int rc;
> XSM_ASSERT_ACTION(XSM_TARGET);
> - if ( t && d != t && !IS_PRIV_FOR(d, t) )
> - return -EPERM;
> - return xsm_default_action(action, d, f);
> + rc = xsm_default_action(action, d, f);
> + if ( t && !rc )
> + rc = xsm_default_action(action, d, t);
> + return rc;
> }
>
> static XSM_INLINE int xsm_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct
> domain *f)
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH RESEND 1/4] xen/xsm: add hooks for claim
2013-05-03 14:09 ` [PATCH RESEND 1/4] xen/xsm: add hooks for claim Daniel De Graaf
2013-05-03 15:46 ` Konrad Rzeszutek Wilk
@ 2013-05-03 16:00 ` Keir Fraser
1 sibling, 0 replies; 11+ messages in thread
From: Keir Fraser @ 2013-05-03 16:00 UTC (permalink / raw)
To: Daniel De Graaf, xen-devel; +Cc: Dan Magenheimer, Keir Fraser
On 03/05/2013 15:09, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:
> Adds XSM hooks for the recently introduced XENMEM_claim_pages and
> XENMEM_get_outstanding_pages operations, and adds FLASK access vectors
> for them. This makes the access control decisions for these operations
> match those in the rest of the hypervisor.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
> Cc: Dan Magenheimer <dan.magenheimer@oracle.com>
> Cc: Keir Fraser <keir@xen.org>
Acked-by: Keir Fraser <keir@xen.org>
> ---
> tools/flask/policy/policy/modules/xen/xen.if | 2 +-
> xen/common/memory.c | 15 ++++++++-------
> xen/include/xsm/dummy.h | 12 ++++++++++++
> xen/include/xsm/xsm.h | 12 ++++++++++++
> xen/xsm/dummy.c | 2 ++
> xen/xsm/flask/hooks.c | 13 +++++++++++++
> xen/xsm/flask/policy/access_vectors | 4 +++-
> 7 files changed, 51 insertions(+), 9 deletions(-)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if
> b/tools/flask/policy/policy/modules/xen/xen.if
> index 3a59f38..c86a618 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -49,7 +49,7 @@ define(`create_domain_common', `
> getdomaininfo hypercall setvcpucontext setextvcpucontext
> getscheduler getvcpuinfo getvcpuextstate getaddrsize
> getaffinity setaffinity };
> - allow $1 $2:domain2 { set_cpuid settsc setscheduler };
> + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim };
> allow $1 $2:security check_context;
> allow $1 $2:shadow enable;
> allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
> mmuext_op };
> diff --git a/xen/common/memory.c b/xen/common/memory.c
> index 68501d1..3239d53 100644
> --- a/xen/common/memory.c
> +++ b/xen/common/memory.c
> @@ -712,9 +712,6 @@ long do_memory_op(unsigned long cmd,
> XEN_GUEST_HANDLE_PARAM(void) arg)
> }
>
> case XENMEM_claim_pages:
> - if ( !IS_PRIV(current->domain) )
> - return -EPERM;
> -
> if ( copy_from_guest(&reservation, arg, 1) )
> return -EFAULT;
>
> @@ -731,17 +728,21 @@ long do_memory_op(unsigned long cmd,
> XEN_GUEST_HANDLE_PARAM(void) arg)
> if ( d == NULL )
> return -EINVAL;
>
> - rc = domain_set_outstanding_pages(d, reservation.nr_extents);
> + rc = xsm_claim_pages(XSM_PRIV, d);
> +
> + if ( !rc )
> + rc = domain_set_outstanding_pages(d, reservation.nr_extents);
>
> rcu_unlock_domain(d);
>
> break;
>
> case XENMEM_get_outstanding_pages:
> - if ( !IS_PRIV(current->domain) )
> - return -EPERM;
> + rc = xsm_xenmem_get_outstanding_pages(XSM_PRIV);
> +
> + if ( !rc )
> + rc = get_outstanding_claims();
>
> - rc = get_outstanding_claims();
> break;
>
> default:
> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> index 9cae61c..9bfe596 100644
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -247,6 +247,18 @@ static XSM_INLINE int xsm_memory_pin_page(XSM_DEFAULT_ARG
> struct domain *d1, str
> return xsm_default_action(action, d1, d2);
> }
>
> +static XSM_INLINE int xsm_claim_pages(XSM_DEFAULT_ARG struct domain *d)
> +{
> + XSM_ASSERT_ACTION(XSM_PRIV);
> + return xsm_default_action(action, current->domain, d);
> +}
> +
> +static XSM_INLINE int xsm_xenmem_get_outstanding_pages(XSM_DEFAULT_VOID)
> +{
> + XSM_ASSERT_ACTION(XSM_PRIV);
> + return xsm_default_action(action, current->domain, NULL);
> +}
> +
> static XSM_INLINE int xsm_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d,
> struct evtchn *chn,
> domid_t id2)
> {
> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
> index 5103070..69fe64a 100644
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -92,6 +92,8 @@ struct xsm_operations {
> int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct
> page_info *page);
> int (*add_to_physmap) (struct domain *d1, struct domain *d2);
> int (*remove_from_physmap) (struct domain *d1, struct domain *d2);
> + int (*claim_pages) (struct domain *d);
> + int (*xenmem_get_outstanding_pages) (void);
>
> int (*console_io) (struct domain *d, int cmd);
>
> @@ -350,6 +352,16 @@ static inline int xsm_remove_from_physmap(xsm_default_t
> def, struct domain *d1,
> return xsm_ops->remove_from_physmap(d1, d2);
> }
>
> +static inline int xsm_claim_pages(xsm_default_t def, struct domain *d)
> +{
> + return xsm_ops->claim_pages(d);
> +}
> +
> +static inline int xsm_xenmem_get_outstanding_pages(xsm_default_t def)
> +{
> + return xsm_ops->xenmem_get_outstanding_pages();
> +}
> +
> static inline int xsm_console_io (xsm_default_t def, struct domain *d, int
> cmd)
> {
> return xsm_ops->console_io(d, cmd);
> diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
> index f7b0399..3d84e73 100644
> --- a/xen/xsm/dummy.c
> +++ b/xen/xsm/dummy.c
> @@ -66,6 +66,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
> set_to_dummy_if_null(ops, memory_adjust_reservation);
> set_to_dummy_if_null(ops, memory_stat_reservation);
> set_to_dummy_if_null(ops, memory_pin_page);
> + set_to_dummy_if_null(ops, claim_pages);
> + set_to_dummy_if_null(ops, xenmem_get_outstanding_pages);
>
> set_to_dummy_if_null(ops, console_io);
>
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 04c8a39..3291aa2 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -417,6 +417,17 @@ static int flask_memory_pin_page(struct domain *d1,
> struct domain *d2,
> return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__PINPAGE);
> }
>
> +static int flask_claim_pages(struct domain *d)
> +{
> + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SETCLAIM);
> +}
> +
> +static int flask_xenmem_get_outstanding_pages(void)
> +{
> + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN,
> + XEN__HEAP, NULL);
> +}
> +
> static int flask_console_io(struct domain *d, int cmd)
> {
> u32 perm;
> @@ -1485,6 +1496,8 @@ static struct xsm_operations flask_ops = {
> .memory_adjust_reservation = flask_memory_adjust_reservation,
> .memory_stat_reservation = flask_memory_stat_reservation,
> .memory_pin_page = flask_memory_pin_page,
> + .claim_pages = flask_claim_pages,
> + .xenmem_get_outstanding_pages = flask_xenmem_get_outstanding_pages,
>
> .console_io = flask_console_io,
>
> diff --git a/xen/xsm/flask/policy/access_vectors
> b/xen/xsm/flask/policy/access_vectors
> index c8ae806..544c3ba 100644
> --- a/xen/xsm/flask/policy/access_vectors
> +++ b/xen/xsm/flask/policy/access_vectors
> @@ -54,7 +54,7 @@ class xen
> debug
> # XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo
> getcpuinfo
> -# XEN_SYSCTL_availheap
> +# XEN_SYSCTL_availheap, XENMEM_get_outstanding_pages
> heap
> # XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo,
> # XENPF_core_parking
> @@ -192,6 +192,8 @@ class domain2
> settsc
> # XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
> setscheduler
> +# XENMEM_claim_pages
> + setclaim
> }
>
> # Similar to class domain, but primarily contains domctls related to HVM
> domains
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH RESEND 1/4] xen/xsm: add hooks for claim
2013-05-03 15:46 ` Konrad Rzeszutek Wilk
@ 2013-05-03 16:29 ` Daniel De Graaf
0 siblings, 0 replies; 11+ messages in thread
From: Daniel De Graaf @ 2013-05-03 16:29 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk; +Cc: Dan Magenheimer, Keir Fraser, xen-devel
On 05/03/2013 11:46 AM, Konrad Rzeszutek Wilk wrote:
> On Fri, May 03, 2013 at 10:09:13AM -0400, Daniel De Graaf wrote:
>> Adds XSM hooks for the recently introduced XENMEM_claim_pages and
>> XENMEM_get_outstanding_pages operations, and adds FLASK access vectors
>> for them. This makes the access control decisions for these operations
>> match those in the rest of the hypervisor.
>
> I am not that familiar with this, but it looks OK. However I am
> going to post a patch soon that will eliminate one of the hypercalls
> (xenmem_get_outstanding_pages).
>
> Do you want to wait for this or would it be better if I posted
> the patch along with some changes to xsm hooks to delete it and
> you can Ack it?
Either way would be fine with me. I think re-posting may work better as
I just found a typo in patch 4 that will be fixed on repost.
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2013-05-03 16:29 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-05-03 14:09 [PATCH v4 0/4] Rename/remove IS_PRIV Daniel De Graaf
2013-05-03 14:09 ` [PATCH RESEND 1/4] xen/xsm: add hooks for claim Daniel De Graaf
2013-05-03 15:46 ` Konrad Rzeszutek Wilk
2013-05-03 16:29 ` Daniel De Graaf
2013-05-03 16:00 ` Keir Fraser
2013-05-03 14:09 ` [PATCH RESEND 2/4] xen/arm: remove rcu_lock_target_domain_by_id users Daniel De Graaf
2013-05-03 14:26 ` Ian Campbell
2013-05-03 14:09 ` [PATCH RESEND 3/4] xen/common: remove rcu_lock_target_domain_by_id Daniel De Graaf
2013-05-03 16:00 ` Keir Fraser
2013-05-03 14:09 ` [PATCH RESEND 4/4] xen: rename IS_PRIV to is_hardware_domain Daniel De Graaf
2013-05-03 16:00 ` Keir Fraser
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.