From mboxrd@z Thu Jan 1 00:00:00 1970 From: George Dunlap Subject: Re: [PATCH 20/22] xen/xsm: distinguish scheduler get/set operations Date: Tue, 15 Jan 2013 16:50:11 +0000 Message-ID: <50F588C3.5090402@eu.citrix.com> References: <1357832026-27659-1-git-send-email-dgdegra@tycho.nsa.gov> <1357832026-27659-21-git-send-email-dgdegra@tycho.nsa.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Format="flowed" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1357832026-27659-21-git-send-email-dgdegra@tycho.nsa.gov> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Daniel De Graaf Cc: "Keir (Xen.org)" , "xen-devel@lists.xen.org" List-Id: xen-devel@lists.xenproject.org On 10/01/13 15:33, Daniel De Graaf wrote: > Add getscheduler and setscheduler permissions to replace the monolithic > scheduler permission in the scheduler_op domctl and sysctl. > > Signed-off-by: Daniel De Graaf > Cc: George Dunlap > Cc: Keir Fraser Haven't reviewed the code in detail, but in principle it sounds like a great idea: Acked-by: George Dunlap > --- > tools/flask/policy/policy/modules/xen/xen.if | 6 ++-- > tools/flask/policy/policy/modules/xen/xen.te | 4 +-- > xen/common/schedule.c | 10 ++++++- > xen/include/xsm/dummy.h | 12 ++++++++ > xen/include/xsm/xsm.h | 12 ++++++++ > xen/xsm/dummy.c | 2 ++ > xen/xsm/flask/hooks.c | 44 +++++++++++++++++++++++----- > xen/xsm/flask/policy/access_vectors | 7 +++-- > 8 files changed, 81 insertions(+), 16 deletions(-) > > diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if > index d9d5344..2ce2212 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.if > +++ b/tools/flask/policy/policy/modules/xen/xen.if > @@ -47,9 +47,9 @@ define(`declare_build_label', ` > define(`create_domain_common', ` > allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize > getdomaininfo hypercall setvcpucontext setextvcpucontext > - scheduler getvcpuinfo getvcpuextstate getaddrsize > + getscheduler getvcpuinfo getvcpuextstate getaddrsize > getvcpuaffinity setvcpuaffinity }; > - allow $1 $2:domain2 { set_cpuid settsc }; > + allow $1 $2:domain2 { set_cpuid settsc setscheduler }; > allow $1 $2:security check_context; > allow $1 $2:shadow enable; > allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op }; > @@ -79,7 +79,7 @@ define(`create_domain_build_label', ` > define(`manage_domain', ` > allow $1 $2:domain { getdomaininfo getvcpuinfo getvcpuaffinity > getaddrsize pause unpause trigger shutdown destroy > - setvcpuaffinity setdomainmaxmem }; > + setvcpuaffinity setdomainmaxmem getscheduler }; > ') > > # migrate_domain_out(priv, target) > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te > index c714dcb..955fd8b 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.te > +++ b/tools/flask/policy/policy/modules/xen/xen.te > @@ -55,8 +55,8 @@ type device_t, resource_type; > # > ################################################################################ > allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del > - scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo > - microcode cpupool_op sched_op pm_op tmem_control }; > + physinfo heap quirk readconsole writeconsole settime getcpuinfo > + microcode cpupool_op pm_op tmem_control getscheduler setscheduler }; > allow dom0_t xen_t:mmu { memorymap }; > allow dom0_t security_t:security { check_context compute_av compute_create > compute_member load_policy compute_relabel compute_user setenforce > diff --git a/xen/common/schedule.c b/xen/common/schedule.c > index 903f32d..f3fc6bc 100644 > --- a/xen/common/schedule.c > +++ b/xen/common/schedule.c > @@ -1006,7 +1006,11 @@ int sched_id(void) > long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op) > { > long ret; > - > + > + ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd); > + if ( ret ) > + return ret; > + > if ( (op->sched_id != DOM2OP(d)->sched_id) || > ((op->cmd != XEN_DOMCTL_SCHEDOP_putinfo) && > (op->cmd != XEN_DOMCTL_SCHEDOP_getinfo)) ) > @@ -1025,6 +1029,10 @@ long sched_adjust_global(struct xen_sysctl_scheduler_op *op) > struct cpupool *pool; > int rc; > > + rc = xsm_sysctl_scheduler_op(XSM_HOOK, op->cmd); > + if ( rc ) > + return rc; > + > if ( (op->cmd != XEN_DOMCTL_SCHEDOP_putinfo) && > (op->cmd != XEN_DOMCTL_SCHEDOP_getinfo) ) > return -EINVAL; > diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h > index 2c750de..18f36b2 100644 > --- a/xen/include/xsm/dummy.h > +++ b/xen/include/xsm/dummy.h > @@ -95,6 +95,18 @@ static XSM_INLINE int xsm_getdomaininfo(XSM_DEFAULT_ARG struct domain *d) > return xsm_default_action(action, current->domain, d); > } > > +static XSM_INLINE int xsm_domctl_scheduler_op(XSM_DEFAULT_ARG struct domain *d, int cmd) > +{ > + XSM_ASSERT_ACTION(XSM_HOOK); > + return xsm_default_action(action, current->domain, d); > +} > + > +static XSM_INLINE int xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd) > +{ > + XSM_ASSERT_ACTION(XSM_HOOK); > + return xsm_default_action(action, current->domain, NULL); > +} > + > static XSM_INLINE int xsm_set_target(XSM_DEFAULT_ARG struct domain *d, struct domain *e) > { > XSM_ASSERT_ACTION(XSM_HOOK); > diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h > index ce5ede8..8947372 100644 > --- a/xen/include/xsm/xsm.h > +++ b/xen/include/xsm/xsm.h > @@ -55,6 +55,8 @@ struct xsm_operations { > struct xen_domctl_getdomaininfo *info); > int (*domain_create) (struct domain *d, u32 ssidref); > int (*getdomaininfo) (struct domain *d); > + int (*domctl_scheduler_op) (struct domain *d, int op); > + int (*sysctl_scheduler_op) (int op); > int (*set_target) (struct domain *d, struct domain *e); > int (*domctl) (struct domain *d, int cmd); > int (*sysctl) (int cmd); > @@ -177,6 +179,16 @@ static inline int xsm_getdomaininfo (xsm_default_t def, struct domain *d) > return xsm_ops->getdomaininfo(d); > } > > +static inline int xsm_domctl_scheduler_op (xsm_default_t def, struct domain *d, int cmd) > +{ > + return xsm_ops->domctl_scheduler_op(d, cmd); > +} > + > +static inline int xsm_sysctl_scheduler_op (xsm_default_t def, int cmd) > +{ > + return xsm_ops->sysctl_scheduler_op(cmd); > +} > + > static inline int xsm_set_target (xsm_default_t def, struct domain *d, struct domain *e) > { > return xsm_ops->set_target(d, e); > diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c > index 22c66e5..529a724 100644 > --- a/xen/xsm/dummy.c > +++ b/xen/xsm/dummy.c > @@ -32,6 +32,8 @@ void xsm_fixup_ops (struct xsm_operations *ops) > set_to_dummy_if_null(ops, security_domaininfo); > set_to_dummy_if_null(ops, domain_create); > set_to_dummy_if_null(ops, getdomaininfo); > + set_to_dummy_if_null(ops, domctl_scheduler_op); > + set_to_dummy_if_null(ops, sysctl_scheduler_op); > set_to_dummy_if_null(ops, set_target); > set_to_dummy_if_null(ops, domctl); > set_to_dummy_if_null(ops, sysctl); > diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c > index 222ab3e..ba67502 100644 > --- a/xen/xsm/flask/hooks.c > +++ b/xen/xsm/flask/hooks.c > @@ -517,6 +517,38 @@ static int flask_getdomaininfo(struct domain *d) > return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO); > } > > +static int flask_domctl_scheduler_op(struct domain *d, int op) > +{ > + switch ( op ) > + { > + case XEN_DOMCTL_SCHEDOP_putinfo: > + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SETSCHEDULER); > + > + case XEN_DOMCTL_SCHEDOP_getinfo: > + return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETSCHEDULER); > + > + default: > + printk("flask_domctl_scheduler_op: Unknown op %d\n", op); > + return -EPERM; > + } > +} > + > +static int flask_sysctl_scheduler_op(int op) > +{ > + switch ( op ) > + { > + case XEN_DOMCTL_SCHEDOP_putinfo: > + return domain_has_xen(current->domain, XEN__SETSCHEDULER); > + > + case XEN_DOMCTL_SCHEDOP_getinfo: > + return domain_has_xen(current->domain, XEN__GETSCHEDULER); > + > + default: > + printk("flask_domctl_scheduler_op: Unknown op %d\n", op); > + return -EPERM; > + } > +} > + > static int flask_set_target(struct domain *d, struct domain *t) > { > int rc; > @@ -548,6 +580,7 @@ static int flask_domctl(struct domain *d, int cmd) > /* These have individual XSM hooks (common/domctl.c) */ > case XEN_DOMCTL_createdomain: > case XEN_DOMCTL_getdomaininfo: > + case XEN_DOMCTL_scheduler_op: > case XEN_DOMCTL_irq_permission: > case XEN_DOMCTL_iomem_permission: > case XEN_DOMCTL_set_target: > @@ -586,9 +619,6 @@ static int flask_domctl(struct domain *d, int cmd) > case XEN_DOMCTL_resumedomain: > return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__RESUME); > > - case XEN_DOMCTL_scheduler_op: > - return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SCHEDULER); > - > case XEN_DOMCTL_max_vcpus: > return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__MAX_VCPUS); > > @@ -704,6 +734,7 @@ static int flask_sysctl(int cmd) > case XEN_SYSCTL_readconsole: > case XEN_SYSCTL_getdomaininfolist: > case XEN_SYSCTL_page_offline_op: > + case XEN_SYSCTL_scheduler_op: > #ifdef CONFIG_X86 > case XEN_SYSCTL_cpu_hotplug: > #endif > @@ -713,7 +744,7 @@ static int flask_sysctl(int cmd) > return domain_has_xen(current->domain, XEN__TBUFCONTROL); > > case XEN_SYSCTL_sched_id: > - return domain_has_xen(current->domain, XEN__SCHEDULER); > + return domain_has_xen(current->domain, XEN__GETSCHEDULER); > > case XEN_SYSCTL_perfc_op: > return domain_has_xen(current->domain, XEN__PERFCONTROL); > @@ -739,9 +770,6 @@ static int flask_sysctl(int cmd) > case XEN_SYSCTL_cpupool_op: > return domain_has_xen(current->domain, XEN__CPUPOOL_OP); > > - case XEN_SYSCTL_scheduler_op: > - return domain_has_xen(current->domain, XEN__SCHED_OP); > - > case XEN_SYSCTL_physinfo: > case XEN_SYSCTL_topologyinfo: > case XEN_SYSCTL_numainfo: > @@ -1408,6 +1436,8 @@ static struct xsm_operations flask_ops = { > .security_domaininfo = flask_security_domaininfo, > .domain_create = flask_domain_create, > .getdomaininfo = flask_getdomaininfo, > + .domctl_scheduler_op = flask_domctl_scheduler_op, > + .sysctl_scheduler_op = flask_sysctl_scheduler_op, > .set_target = flask_set_target, > .domctl = flask_domctl, > .sysctl = flask_sysctl, > diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors > index 7a7e253..b982cf5 100644 > --- a/xen/xsm/flask/policy/access_vectors > +++ b/xen/xsm/flask/policy/access_vectors > @@ -5,7 +5,6 @@ > > class xen > { > - scheduler > settime > tbufcontrol > readconsole > @@ -34,9 +33,10 @@ class xen > mca_op > lockprof > cpupool_op > - sched_op > tmem_op > tmem_control > + getscheduler > + setscheduler > } > > class domain > @@ -51,7 +51,7 @@ class domain > destroy > setvcpuaffinity > getvcpuaffinity > - scheduler > + getscheduler > getdomaininfo > getvcpuinfo > getvcpucontext > @@ -85,6 +85,7 @@ class domain2 > set_cpuid > gettsc > settsc > + setscheduler > } > > class hvm