This is mostly a resend from the v3 series, minus those already applied and the patches merging is_hardware_domain and domid == 0 checks. The removal of rcu_lock_target_domain_by_id has been split into two patches: one for the ARM-specific code and one for the removal from common code. [PATCH 1/4] xen/xsm: add hooks for claim [PATCH 2/4] xen/arm: remove rcu_lock_target_domain_by_id users [PATCH 3/4] xen/common: remove rcu_lock_target_domain_by_id [PATCH 4/4] xen: rename IS_PRIV to is_hardware_domain
Adds XSM hooks for the recently introduced XENMEM_claim_pages and
XENMEM_get_outstanding_pages operations, and adds FLASK access vectors
for them. This makes the access control decisions for these operations
match those in the rest of the hypervisor.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
Cc: Dan Magenheimer <dan.magenheimer@oracle.com>
Cc: Keir Fraser <keir@xen.org>
---
tools/flask/policy/policy/modules/xen/xen.if | 2 +-
xen/common/memory.c | 15 ++++++++-------
xen/include/xsm/dummy.h | 12 ++++++++++++
xen/include/xsm/xsm.h | 12 ++++++++++++
xen/xsm/dummy.c | 2 ++
xen/xsm/flask/hooks.c | 13 +++++++++++++
xen/xsm/flask/policy/access_vectors | 4 +++-
7 files changed, 51 insertions(+), 9 deletions(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.if
b/tools/flask/policy/policy/modules/xen/xen.if
index 3a59f38..c86a618 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -49,7 +49,7 @@ define(`create_domain_common'', `
getdomaininfo hypercall setvcpucontext setextvcpucontext
getscheduler getvcpuinfo getvcpuextstate getaddrsize
getaffinity setaffinity };
- allow $1 $2:domain2 { set_cpuid settsc setscheduler };
+ allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
mmuext_op };
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 68501d1..3239d53 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -712,9 +712,6 @@ long do_memory_op(unsigned long cmd,
XEN_GUEST_HANDLE_PARAM(void) arg)
}
case XENMEM_claim_pages:
- if ( !IS_PRIV(current->domain) )
- return -EPERM;
-
if ( copy_from_guest(&reservation, arg, 1) )
return -EFAULT;
@@ -731,17 +728,21 @@ long do_memory_op(unsigned long cmd,
XEN_GUEST_HANDLE_PARAM(void) arg)
if ( d == NULL )
return -EINVAL;
- rc = domain_set_outstanding_pages(d, reservation.nr_extents);
+ rc = xsm_claim_pages(XSM_PRIV, d);
+
+ if ( !rc )
+ rc = domain_set_outstanding_pages(d, reservation.nr_extents);
rcu_unlock_domain(d);
break;
case XENMEM_get_outstanding_pages:
- if ( !IS_PRIV(current->domain) )
- return -EPERM;
+ rc = xsm_xenmem_get_outstanding_pages(XSM_PRIV);
+
+ if ( !rc )
+ rc = get_outstanding_claims();
- rc = get_outstanding_claims();
break;
default:
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 9cae61c..9bfe596 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -247,6 +247,18 @@ static XSM_INLINE int xsm_memory_pin_page(XSM_DEFAULT_ARG
struct domain *d1, str
return xsm_default_action(action, d1, d2);
}
+static XSM_INLINE int xsm_claim_pages(XSM_DEFAULT_ARG struct domain *d)
+{
+ XSM_ASSERT_ACTION(XSM_PRIV);
+ return xsm_default_action(action, current->domain, d);
+}
+
+static XSM_INLINE int xsm_xenmem_get_outstanding_pages(XSM_DEFAULT_VOID)
+{
+ XSM_ASSERT_ACTION(XSM_PRIV);
+ return xsm_default_action(action, current->domain, NULL);
+}
+
static XSM_INLINE int xsm_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d,
struct evtchn *chn,
domid_t id2)
{
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 5103070..69fe64a 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -92,6 +92,8 @@ struct xsm_operations {
int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct
page_info *page);
int (*add_to_physmap) (struct domain *d1, struct domain *d2);
int (*remove_from_physmap) (struct domain *d1, struct domain *d2);
+ int (*claim_pages) (struct domain *d);
+ int (*xenmem_get_outstanding_pages) (void);
int (*console_io) (struct domain *d, int cmd);
@@ -350,6 +352,16 @@ static inline int xsm_remove_from_physmap(xsm_default_t
def, struct domain *d1,
return xsm_ops->remove_from_physmap(d1, d2);
}
+static inline int xsm_claim_pages(xsm_default_t def, struct domain *d)
+{
+ return xsm_ops->claim_pages(d);
+}
+
+static inline int xsm_xenmem_get_outstanding_pages(xsm_default_t def)
+{
+ return xsm_ops->xenmem_get_outstanding_pages();
+}
+
static inline int xsm_console_io (xsm_default_t def, struct domain *d, int cmd)
{
return xsm_ops->console_io(d, cmd);
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index f7b0399..3d84e73 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -66,6 +66,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, memory_adjust_reservation);
set_to_dummy_if_null(ops, memory_stat_reservation);
set_to_dummy_if_null(ops, memory_pin_page);
+ set_to_dummy_if_null(ops, claim_pages);
+ set_to_dummy_if_null(ops, xenmem_get_outstanding_pages);
set_to_dummy_if_null(ops, console_io);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 04c8a39..3291aa2 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -417,6 +417,17 @@ static int flask_memory_pin_page(struct domain *d1, struct
domain *d2,
return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__PINPAGE);
}
+static int flask_claim_pages(struct domain *d)
+{
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SETCLAIM);
+}
+
+static int flask_xenmem_get_outstanding_pages(void)
+{
+ return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN,
+ XEN__HEAP, NULL);
+}
+
static int flask_console_io(struct domain *d, int cmd)
{
u32 perm;
@@ -1485,6 +1496,8 @@ static struct xsm_operations flask_ops = {
.memory_adjust_reservation = flask_memory_adjust_reservation,
.memory_stat_reservation = flask_memory_stat_reservation,
.memory_pin_page = flask_memory_pin_page,
+ .claim_pages = flask_claim_pages,
+ .xenmem_get_outstanding_pages = flask_xenmem_get_outstanding_pages,
.console_io = flask_console_io,
diff --git a/xen/xsm/flask/policy/access_vectors
b/xen/xsm/flask/policy/access_vectors
index c8ae806..544c3ba 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -54,7 +54,7 @@ class xen
debug
# XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo
getcpuinfo
-# XEN_SYSCTL_availheap
+# XEN_SYSCTL_availheap, XENMEM_get_outstanding_pages
heap
# XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo,
# XENPF_core_parking
@@ -192,6 +192,8 @@ class domain2
settsc
# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
setscheduler
+# XENMEM_claim_pages
+ setclaim
}
# Similar to class domain, but primarily contains domctls related to HVM
domains
--
1.8.1.4
Daniel De Graaf
2013-May-03 14:09 UTC
[PATCH RESEND 2/4] xen/arm: remove rcu_lock_target_domain_by_id users
This function has been replaced with rcu_lock_domain_by_any_id and an
XSM check. Two callers already had an XSM check; add a check to the
third.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@citrix.com>
Cc: Tim Deegan <tim@xen.org>
---
xen/arch/arm/mm.c | 23 +++++++++++++++--------
xen/include/xsm/dummy.h | 8 ++++++++
xen/include/xsm/xsm.h | 11 +++++++++++
xen/xsm/dummy.c | 3 +++
xen/xsm/flask/hooks.c | 10 ++++++++++
5 files changed, 47 insertions(+), 8 deletions(-)
diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c
index 03492df..bd6d5f3 100644
--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -753,9 +753,16 @@ static int xenmem_add_to_physmap_one(
{
paddr_t maddr;
struct domain *od;
- rc = rcu_lock_target_domain_by_id(foreign_domid, &od);
- if ( rc < 0 )
+ od = rcu_lock_domain_by_any_id(foreign_domid);
+ if ( od == NULL )
+ return -ESRCH;
+
+ rc = xsm_map_gmfn_foreign(XSM_TARGET, d, od);
+ if ( rc )
+ {
+ rcu_unlock_domain(od);
return rc;
+ }
maddr = p2m_lookup(od, idx << PAGE_SHIFT);
if ( maddr == INVALID_PADDR )
@@ -847,9 +854,9 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void)
arg)
if ( xatp.space == XENMAPSPACE_gmfn_foreign )
return -EINVAL;
- rc = rcu_lock_target_domain_by_id(xatp.domid, &d);
- if ( rc != 0 )
- return rc;
+ d = rcu_lock_domain_by_any_id(xatp.domid);
+ if ( d == NULL )
+ return -ESRCH;
rc = xsm_add_to_physmap(XSM_TARGET, current->domain, d);
if ( rc )
@@ -878,9 +885,9 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void)
arg)
if ( xatpr.space == XENMAPSPACE_gmfn_range )
return -EINVAL;
- rc = rcu_lock_target_domain_by_id(xatpr.domid, &d);
- if ( rc != 0 )
- return rc;
+ d = rcu_lock_domain_by_any_id(xatpr.domid);
+ if ( d == NULL )
+ return -ESRCH;
rc = xsm_add_to_physmap(XSM_TARGET, current->domain, d);
if ( rc )
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 9bfe596..3912bd9 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -616,4 +616,12 @@ static XSM_INLINE int xsm_ioport_mapping(XSM_DEFAULT_ARG
struct domain *d, uint3
return xsm_default_action(action, current->domain, d);
}
+#endif /* CONFIG_X86 */
+
+#ifdef CONFIG_ARM
+static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d,
struct domain *t)
+{
+ XSM_ASSERT_ACTION(XSM_TARGET);
+ return xsm_default_action(action, d, t);
+}
#endif
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 69fe64a..58a4fbb 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -162,6 +162,9 @@ struct xsm_operations {
int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, uint8_t
allow);
int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t
allow);
#endif
+#ifdef CONFIG_ARM
+ int (*map_gmfn_foreign) (struct domain *d, struct domain *t);
+#endif
};
#ifdef XSM_ENABLE
@@ -622,6 +625,14 @@ static inline int xsm_ioport_mapping (xsm_default_t def,
struct domain *d, uint3
return xsm_ops->ioport_mapping(d, s, e, allow);
}
#endif /* CONFIG_X86 */
+
+#ifdef CONFIG_ARM
+static inline int xsm_map_gmfn_foreign (struct domain *d, struct domain *t)
+{
+ return xsm_ops->map_gmfn_foreign(d, t);
+}
+#endif /* CONFIG_ARM */
+
#endif /* XSM_NO_WRAPPERS */
extern int xsm_init(unsigned long *module_map, const multiboot_info_t *mbi,
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 3d84e73..937761f 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -132,4 +132,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, ioport_permission);
set_to_dummy_if_null(ops, ioport_mapping);
#endif
+#ifdef CONFIG_ARM
+ set_to_dummy_if_null(ops, map_gmfn_foreign);
+#endif
}
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 3291aa2..bb10de3 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1454,6 +1454,13 @@ static int flask_unbind_pt_irq (struct domain *d, struct
xen_domctl_bind_pt_irq
{
return current_has_perm(d, SECCLASS_RESOURCE, RESOURCE__REMOVE);
}
+#endif /* CONFIG_X86 */
+
+#ifdef CONFIG_ARM
+static int flask_map_gmfn_foreign(struct domain *d, struct domain *t)
+{
+ return domain_has_perm(d, t, SECCLASS_MMU, MMU__MAP_READ | MMU__MAP_WRITE);
+}
#endif
long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op);
@@ -1562,6 +1569,9 @@ static struct xsm_operations flask_ops = {
.ioport_permission = flask_ioport_permission,
.ioport_mapping = flask_ioport_mapping,
#endif
+#ifdef CONFIG_ARM
+ .map_gmfn_foreign = flask_map_gmfn_foreign,
+#endif
};
static __init int flask_init(void)
--
1.8.1.4
Daniel De Graaf
2013-May-03 14:09 UTC
[PATCH RESEND 3/4] xen/common: remove rcu_lock_target_domain_by_id
This function (and rcu_lock_remote_target_domain_by_id) has no remaining
users, having been replaced with XSM hooks and the other rcu_lock_*
functions. Remove it.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
Cc: Keir Fraser <keir@xen.org>
---
xen/common/domain.c | 34 ----------------------------------
xen/include/xen/sched.h | 14 --------------
2 files changed, 48 deletions(-)
diff --git a/xen/common/domain.c b/xen/common/domain.c
index b5d44d4..8adf00a 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -481,40 +481,6 @@ struct domain *rcu_lock_domain_by_any_id(domid_t dom)
return rcu_lock_domain_by_id(dom);
}
-int rcu_lock_target_domain_by_id(domid_t dom, struct domain **d)
-{
- if ( dom == DOMID_SELF )
- {
- *d = rcu_lock_current_domain();
- return 0;
- }
-
- if ( (*d = rcu_lock_domain_by_id(dom)) == NULL )
- return -ESRCH;
-
- if ( !IS_PRIV_FOR(current->domain, *d) )
- {
- rcu_unlock_domain(*d);
- return -EPERM;
- }
-
- return 0;
-}
-
-int rcu_lock_remote_target_domain_by_id(domid_t dom, struct domain **d)
-{
- if ( (*d = rcu_lock_domain_by_id(dom)) == NULL )
- return -ESRCH;
-
- if ( (*d == current->domain) || !IS_PRIV_FOR(current->domain, *d) )
- {
- rcu_unlock_domain(*d);
- return -EPERM;
- }
-
- return 0;
-}
-
int rcu_lock_remote_domain_by_id(domid_t dom, struct domain **d)
{
if ( (*d = rcu_lock_domain_by_id(dom)) == NULL )
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 41f749e..cb3baed 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -477,20 +477,6 @@ struct domain *rcu_lock_domain_by_id(domid_t dom);
struct domain *rcu_lock_domain_by_any_id(domid_t dom);
/*
- * As above function, but accounts for current domain context:
- * - Translates target DOMID_SELF into caller''s domain id; and
- * - Checks that caller has permission to act on the target domain.
- */
-int rcu_lock_target_domain_by_id(domid_t dom, struct domain **d);
-
-/*
- * As rcu_lock_target_domain_by_id(), but will fail EPERM rather than resolve
- * to local domain. Successful return always resolves to a remote domain that
- * the local domain is privileged to control.
- */
-int rcu_lock_remote_target_domain_by_id(domid_t dom, struct domain **d);
-
-/*
* As rcu_lock_domain_by_id(), but will fail EPERM or ESRCH rather than resolve
* to local domain.
*/
--
1.8.1.4
Daniel De Graaf
2013-May-03 14:09 UTC
[PATCH RESEND 4/4] xen: rename IS_PRIV to is_hardware_domain
Since the remaining uses of IS_PRIV are actually concerned with the
domain having control of the hardware (i.e. being the initial domain),
clarify this by renaming IS_PRIV to is_hardware_domain. This also
removes IS_PRIV_FOR since the only remaining user was xsm/dummy.h.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)
Cc: Keir Fraser <keir@xen.org>
Cc: Jan Beulich <jbeulich@suse.com>
---
xen/arch/x86/domctl.c | 6 +++---
xen/arch/x86/msi.c | 2 +-
xen/arch/x86/physdev.c | 4 ++--
xen/arch/x86/traps.c | 12 ++++++------
xen/include/xen/sched.h | 12 ++++++++++--
xen/include/xsm/dummy.h | 32 ++++++++++++++++++++------------
6 files changed, 42 insertions(+), 26 deletions(-)
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 1f16ad2..c2a04c4 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -661,7 +661,7 @@ long arch_do_domctl(
while ( i-- )
clear_mmio_p2m_entry(d, gfn + i);
if ( iomem_deny_access(d, mfn, mfn + nr_mfns - 1)
&&
- IS_PRIV(current->domain) )
+ is_hardware_domain(current->domain) )
printk(XENLOG_ERR
"memory_map: failed to deny dom%d access to
[%lx,%lx]\n",
d->domain_id, mfn, mfn + nr_mfns - 1);
@@ -680,7 +680,7 @@ long arch_do_domctl(
ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1);
if ( !ret && add )
ret = -EIO;
- if ( ret && IS_PRIV(current->domain) )
+ if ( ret && is_hardware_domain(current->domain) )
printk(XENLOG_ERR
"memory_map: error %ld %s dom%d access to
[%lx,%lx]\n",
ret, add ? "removing" : "denying",
d->domain_id,
@@ -767,7 +767,7 @@ long arch_do_domctl(
break;
}
ret = ioports_deny_access(d, fmp, fmp + np - 1);
- if ( ret && IS_PRIV(current->domain) )
+ if ( ret && is_hardware_domain(current->domain) )
printk(XENLOG_ERR
"ioport_map: error %ld denying dom%d access to
[%x,%x]\n",
ret, d->domain_id, fmp, fmp + np - 1);
diff --git a/xen/arch/x86/msi.c b/xen/arch/x86/msi.c
index 36bed29..a2ceea0 100644
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -812,7 +812,7 @@ static int msix_capability_init(struct pci_dev *dev,
break;
if ( d )
{
- if ( !IS_PRIV(d) && dev->msix_warned !=
d->domain_id )
+ if ( !is_hardware_domain(d) && dev->msix_warned !=
d->domain_id )
{
dev->msix_warned = d->domain_id;
printk(XENLOG_ERR
diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
index eb8a407..3733c7a 100644
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -128,7 +128,7 @@ int physdev_map_pirq(domid_t domid, int type, int *index,
int *pirq_p,
irq = domain_pirq_to_irq(current->domain, *index);
if ( irq <= 0 )
{
- if ( IS_PRIV(current->domain) )
+ if ( is_hardware_domain(current->domain) )
irq = *index;
else {
dprintk(XENLOG_G_ERR, "dom%d: map pirq with incorrect
irq!\n",
@@ -691,7 +691,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void)
arg)
case PHYSDEVOP_dbgp_op: {
struct physdev_dbgp_op op;
- if ( !IS_PRIV(v->domain) )
+ if ( !is_hardware_domain(v->domain) )
ret = -EPERM;
else if ( copy_from_guest(&op, arg, 1) )
ret = -EFAULT;
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index fbbe31d..e0bc60d 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1303,7 +1303,7 @@ static int fixup_page_fault(unsigned long addr, struct
cpu_user_regs *regs)
ptwr_do_page_fault(v, addr, regs) )
return EXCRET_fault_fixed;
- if ( IS_PRIV(d) && (regs->error_code &
PFEC_page_present) &&
+ if ( is_hardware_domain(d) && (regs->error_code &
PFEC_page_present) &&
mmio_ro_do_page_fault(v, addr, regs) )
return EXCRET_fault_fixed;
}
@@ -1623,7 +1623,7 @@ static int pci_cfg_ok(struct domain *d, int write, int
size)
{
uint32_t machine_bdf;
uint16_t start, end;
- if (!IS_PRIV(d))
+ if (!is_hardware_domain(d))
return 0;
machine_bdf = (d->arch.pci_cf8 >> 8) & 0xFFFF;
@@ -2415,7 +2415,7 @@ static int emulate_privileged_op(struct cpu_user_regs
*regs)
if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD ||
boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 )
goto fail;
- if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
+ if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
break;
if ( (rdmsr_safe(MSR_AMD64_NB_CFG, val) != 0) ||
(eax != (uint32_t)val) ||
@@ -2428,7 +2428,7 @@ static int emulate_privileged_op(struct cpu_user_regs
*regs)
if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD ||
boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 )
goto fail;
- if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
+ if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
break;
if ( (rdmsr_safe(MSR_FAM10H_MMIO_CONF_BASE, val) != 0) )
goto fail;
@@ -2448,7 +2448,7 @@ static int emulate_privileged_op(struct cpu_user_regs
*regs)
case MSR_IA32_UCODE_REV:
if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
goto fail;
- if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
+ if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
break;
if ( rdmsr_safe(regs->ecx, val) )
goto fail;
@@ -2484,7 +2484,7 @@ static int emulate_privileged_op(struct cpu_user_regs
*regs)
case MSR_IA32_ENERGY_PERF_BIAS:
if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
goto fail;
- if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) )
+ if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) )
break;
if ( wrmsr_safe(regs->ecx, msr_content) != 0 )
goto fail;
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index cb3baed..5b55c09 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -716,8 +716,16 @@ uint64_t get_cpu_idle_time(unsigned int cpu);
void watchdog_domain_init(struct domain *d);
void watchdog_domain_destroy(struct domain *d);
-#define IS_PRIV(_d) ((_d)->is_privileged)
-#define IS_PRIV_FOR(_d, _t) (IS_PRIV(_d) || ((_d)->target &&
(_d)->target == (_t)))
+/*
+ * Use this check when the following are both true:
+ * - Using this feature or interface requires full access to the hardware
+ * (that is, this is would not be suitable for a driver domain)
+ * - There is never a reason to deny dom0 access to this
+ */
+#define is_hardware_domain(_d) ((_d)->is_privileged)
+
+/* This check is for functionality specific to a control domain */
+#define is_control_domain(_d) ((_d)->is_privileged)
#define VM_ASSIST(_d,_t) (test_bit((_t), &(_d)->vm_assist))
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 3912bd9..a872056 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -60,17 +60,23 @@ static always_inline int xsm_default_action(
case XSM_HOOK:
return 0;
case XSM_DM_PRIV:
- if ( !IS_PRIV_FOR(src, target) )
- return -EPERM;
- return 0;
+ if ( src->is_privileged )
+ return 0;
+ if ( target && src->target == target )
+ return 0;
+ return -EPERM;
case XSM_TARGET:
- if ( src != target && !IS_PRIV_FOR(src, target) )
- return -EPERM;
- return 0;
+ if ( src == target )
+ return 0;
+ if ( src->is_privileged )
+ return 0;
+ if ( target && src->target == target )
+ return 0;
+ return -EPERM;
case XSM_PRIV:
- if ( !IS_PRIV(src) )
- return -EPERM;
- return 0;
+ if ( src->is_privileged )
+ return 0;
+ return -EPERM;
default:
LINKER_BUG_ON(1);
return -EPERM;
@@ -567,10 +573,12 @@ static XSM_INLINE int
xsm_domain_memory_map(XSM_DEFAULT_ARG struct domain *d)
static XSM_INLINE int xsm_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct
domain *t,
struct domain *f, uint32_t flags)
{
+ int rc;
XSM_ASSERT_ACTION(XSM_TARGET);
- if ( t && d != t && !IS_PRIV_FOR(d, t) )
- return -EPERM;
- return xsm_default_action(action, d, f);
+ rc = xsm_default_action(action, d, f);
+ if ( t && !rc )
+ rc = xsm_default_action(action, d, t);
+ return rc;
}
static XSM_INLINE int xsm_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct
domain *f)
--
1.8.1.4
Ian Campbell
2013-May-03 14:26 UTC
Re: [PATCH RESEND 2/4] xen/arm: remove rcu_lock_target_domain_by_id users
On Fri, 2013-05-03 at 15:09 +0100, Daniel De Graaf wrote:> This function has been replaced with rcu_lock_domain_by_any_id and an > XSM check. Two callers already had an XSM check; add a check to the > third. > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release)For the ARM stuff: Acked-by: Ian Campbell <ian.campbell@citrix.com> Since the bulk of the series is elsewhere I expect someone else will be applying?> Cc: Stefano Stabellini <stefano.stabellini@citrix.com> > Cc: Tim Deegan <tim@xen.org> > --- > xen/arch/arm/mm.c | 23 +++++++++++++++-------- > xen/include/xsm/dummy.h | 8 ++++++++ > xen/include/xsm/xsm.h | 11 +++++++++++ > xen/xsm/dummy.c | 3 +++ > xen/xsm/flask/hooks.c | 10 ++++++++++ > 5 files changed, 47 insertions(+), 8 deletions(-) > > diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c > index 03492df..bd6d5f3 100644 > --- a/xen/arch/arm/mm.c > +++ b/xen/arch/arm/mm.c > @@ -753,9 +753,16 @@ static int xenmem_add_to_physmap_one( > { > paddr_t maddr; > struct domain *od; > - rc = rcu_lock_target_domain_by_id(foreign_domid, &od); > - if ( rc < 0 ) > + od = rcu_lock_domain_by_any_id(foreign_domid); > + if ( od == NULL ) > + return -ESRCH; > + > + rc = xsm_map_gmfn_foreign(XSM_TARGET, d, od); > + if ( rc ) > + { > + rcu_unlock_domain(od); > return rc; > + } > > maddr = p2m_lookup(od, idx << PAGE_SHIFT); > if ( maddr == INVALID_PADDR ) > @@ -847,9 +854,9 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg) > if ( xatp.space == XENMAPSPACE_gmfn_foreign ) > return -EINVAL; > > - rc = rcu_lock_target_domain_by_id(xatp.domid, &d); > - if ( rc != 0 ) > - return rc; > + d = rcu_lock_domain_by_any_id(xatp.domid); > + if ( d == NULL ) > + return -ESRCH; > > rc = xsm_add_to_physmap(XSM_TARGET, current->domain, d); > if ( rc ) > @@ -878,9 +885,9 @@ long arch_memory_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg) > if ( xatpr.space == XENMAPSPACE_gmfn_range ) > return -EINVAL; > > - rc = rcu_lock_target_domain_by_id(xatpr.domid, &d); > - if ( rc != 0 ) > - return rc; > + d = rcu_lock_domain_by_any_id(xatpr.domid); > + if ( d == NULL ) > + return -ESRCH; > > rc = xsm_add_to_physmap(XSM_TARGET, current->domain, d); > if ( rc ) > diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h > index 9bfe596..3912bd9 100644 > --- a/xen/include/xsm/dummy.h > +++ b/xen/include/xsm/dummy.h > @@ -616,4 +616,12 @@ static XSM_INLINE int xsm_ioport_mapping(XSM_DEFAULT_ARG struct domain *d, uint3 > return xsm_default_action(action, current->domain, d); > } > > +#endif /* CONFIG_X86 */ > + > +#ifdef CONFIG_ARM > +static XSM_INLINE int xsm_map_gmfn_foreign(XSM_DEFAULT_ARG struct domain *d, struct domain *t) > +{ > + XSM_ASSERT_ACTION(XSM_TARGET); > + return xsm_default_action(action, d, t); > +} > #endif > diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h > index 69fe64a..58a4fbb 100644 > --- a/xen/include/xsm/xsm.h > +++ b/xen/include/xsm/xsm.h > @@ -162,6 +162,9 @@ struct xsm_operations { > int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow); > int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow); > #endif > +#ifdef CONFIG_ARM > + int (*map_gmfn_foreign) (struct domain *d, struct domain *t); > +#endif > }; > > #ifdef XSM_ENABLE > @@ -622,6 +625,14 @@ static inline int xsm_ioport_mapping (xsm_default_t def, struct domain *d, uint3 > return xsm_ops->ioport_mapping(d, s, e, allow); > } > #endif /* CONFIG_X86 */ > + > +#ifdef CONFIG_ARM > +static inline int xsm_map_gmfn_foreign (struct domain *d, struct domain *t) > +{ > + return xsm_ops->map_gmfn_foreign(d, t); > +} > +#endif /* CONFIG_ARM */ > + > #endif /* XSM_NO_WRAPPERS */ > > extern int xsm_init(unsigned long *module_map, const multiboot_info_t *mbi, > diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c > index 3d84e73..937761f 100644 > --- a/xen/xsm/dummy.c > +++ b/xen/xsm/dummy.c > @@ -132,4 +132,7 @@ void xsm_fixup_ops (struct xsm_operations *ops) > set_to_dummy_if_null(ops, ioport_permission); > set_to_dummy_if_null(ops, ioport_mapping); > #endif > +#ifdef CONFIG_ARM > + set_to_dummy_if_null(ops, map_gmfn_foreign); > +#endif > } > diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c > index 3291aa2..bb10de3 100644 > --- a/xen/xsm/flask/hooks.c > +++ b/xen/xsm/flask/hooks.c > @@ -1454,6 +1454,13 @@ static int flask_unbind_pt_irq (struct domain *d, struct xen_domctl_bind_pt_irq > { > return current_has_perm(d, SECCLASS_RESOURCE, RESOURCE__REMOVE); > } > +#endif /* CONFIG_X86 */ > + > +#ifdef CONFIG_ARM > +static int flask_map_gmfn_foreign(struct domain *d, struct domain *t) > +{ > + return domain_has_perm(d, t, SECCLASS_MMU, MMU__MAP_READ | MMU__MAP_WRITE); > +} > #endif > > long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op); > @@ -1562,6 +1569,9 @@ static struct xsm_operations flask_ops = { > .ioport_permission = flask_ioport_permission, > .ioport_mapping = flask_ioport_mapping, > #endif > +#ifdef CONFIG_ARM > + .map_gmfn_foreign = flask_map_gmfn_foreign, > +#endif > }; > > static __init int flask_init(void)
Konrad Rzeszutek Wilk
2013-May-03 15:46 UTC
Re: [PATCH RESEND 1/4] xen/xsm: add hooks for claim
On Fri, May 03, 2013 at 10:09:13AM -0400, Daniel De Graaf wrote:> Adds XSM hooks for the recently introduced XENMEM_claim_pages and > XENMEM_get_outstanding_pages operations, and adds FLASK access vectors > for them. This makes the access control decisions for these operations > match those in the rest of the hypervisor.I am not that familiar with this, but it looks OK. However I am going to post a patch soon that will eliminate one of the hypercalls (xenmem_get_outstanding_pages). Do you want to wait for this or would it be better if I posted the patch along with some changes to xsm hooks to delete it and you can Ack it?> > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release) > Cc: Dan Magenheimer <dan.magenheimer@oracle.com> > Cc: Keir Fraser <keir@xen.org> > --- > tools/flask/policy/policy/modules/xen/xen.if | 2 +- > xen/common/memory.c | 15 ++++++++------- > xen/include/xsm/dummy.h | 12 ++++++++++++ > xen/include/xsm/xsm.h | 12 ++++++++++++ > xen/xsm/dummy.c | 2 ++ > xen/xsm/flask/hooks.c | 13 +++++++++++++ > xen/xsm/flask/policy/access_vectors | 4 +++- > 7 files changed, 51 insertions(+), 9 deletions(-) > > diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if > index 3a59f38..c86a618 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.if > +++ b/tools/flask/policy/policy/modules/xen/xen.if > @@ -49,7 +49,7 @@ define(`create_domain_common'', ` > getdomaininfo hypercall setvcpucontext setextvcpucontext > getscheduler getvcpuinfo getvcpuextstate getaddrsize > getaffinity setaffinity }; > - allow $1 $2:domain2 { set_cpuid settsc setscheduler }; > + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim }; > allow $1 $2:security check_context; > allow $1 $2:shadow enable; > allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op }; > diff --git a/xen/common/memory.c b/xen/common/memory.c > index 68501d1..3239d53 100644 > --- a/xen/common/memory.c > +++ b/xen/common/memory.c > @@ -712,9 +712,6 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg) > } > > case XENMEM_claim_pages: > - if ( !IS_PRIV(current->domain) ) > - return -EPERM; > - > if ( copy_from_guest(&reservation, arg, 1) ) > return -EFAULT; > > @@ -731,17 +728,21 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg) > if ( d == NULL ) > return -EINVAL; > > - rc = domain_set_outstanding_pages(d, reservation.nr_extents); > + rc = xsm_claim_pages(XSM_PRIV, d); > + > + if ( !rc ) > + rc = domain_set_outstanding_pages(d, reservation.nr_extents); > > rcu_unlock_domain(d); > > break; > > case XENMEM_get_outstanding_pages: > - if ( !IS_PRIV(current->domain) ) > - return -EPERM; > + rc = xsm_xenmem_get_outstanding_pages(XSM_PRIV); > + > + if ( !rc ) > + rc = get_outstanding_claims(); > > - rc = get_outstanding_claims(); > break; > > default: > diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h > index 9cae61c..9bfe596 100644 > --- a/xen/include/xsm/dummy.h > +++ b/xen/include/xsm/dummy.h > @@ -247,6 +247,18 @@ static XSM_INLINE int xsm_memory_pin_page(XSM_DEFAULT_ARG struct domain *d1, str > return xsm_default_action(action, d1, d2); > } > > +static XSM_INLINE int xsm_claim_pages(XSM_DEFAULT_ARG struct domain *d) > +{ > + XSM_ASSERT_ACTION(XSM_PRIV); > + return xsm_default_action(action, current->domain, d); > +} > + > +static XSM_INLINE int xsm_xenmem_get_outstanding_pages(XSM_DEFAULT_VOID) > +{ > + XSM_ASSERT_ACTION(XSM_PRIV); > + return xsm_default_action(action, current->domain, NULL); > +} > + > static XSM_INLINE int xsm_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, struct evtchn *chn, > domid_t id2) > { > diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h > index 5103070..69fe64a 100644 > --- a/xen/include/xsm/xsm.h > +++ b/xen/include/xsm/xsm.h > @@ -92,6 +92,8 @@ struct xsm_operations { > int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct page_info *page); > int (*add_to_physmap) (struct domain *d1, struct domain *d2); > int (*remove_from_physmap) (struct domain *d1, struct domain *d2); > + int (*claim_pages) (struct domain *d); > + int (*xenmem_get_outstanding_pages) (void); > > int (*console_io) (struct domain *d, int cmd); > > @@ -350,6 +352,16 @@ static inline int xsm_remove_from_physmap(xsm_default_t def, struct domain *d1, > return xsm_ops->remove_from_physmap(d1, d2); > } > > +static inline int xsm_claim_pages(xsm_default_t def, struct domain *d) > +{ > + return xsm_ops->claim_pages(d); > +} > + > +static inline int xsm_xenmem_get_outstanding_pages(xsm_default_t def) > +{ > + return xsm_ops->xenmem_get_outstanding_pages(); > +} > + > static inline int xsm_console_io (xsm_default_t def, struct domain *d, int cmd) > { > return xsm_ops->console_io(d, cmd); > diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c > index f7b0399..3d84e73 100644 > --- a/xen/xsm/dummy.c > +++ b/xen/xsm/dummy.c > @@ -66,6 +66,8 @@ void xsm_fixup_ops (struct xsm_operations *ops) > set_to_dummy_if_null(ops, memory_adjust_reservation); > set_to_dummy_if_null(ops, memory_stat_reservation); > set_to_dummy_if_null(ops, memory_pin_page); > + set_to_dummy_if_null(ops, claim_pages); > + set_to_dummy_if_null(ops, xenmem_get_outstanding_pages); > > set_to_dummy_if_null(ops, console_io); > > diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c > index 04c8a39..3291aa2 100644 > --- a/xen/xsm/flask/hooks.c > +++ b/xen/xsm/flask/hooks.c > @@ -417,6 +417,17 @@ static int flask_memory_pin_page(struct domain *d1, struct domain *d2, > return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__PINPAGE); > } > > +static int flask_claim_pages(struct domain *d) > +{ > + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SETCLAIM); > +} > + > +static int flask_xenmem_get_outstanding_pages(void) > +{ > + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN, > + XEN__HEAP, NULL); > +} > + > static int flask_console_io(struct domain *d, int cmd) > { > u32 perm; > @@ -1485,6 +1496,8 @@ static struct xsm_operations flask_ops = { > .memory_adjust_reservation = flask_memory_adjust_reservation, > .memory_stat_reservation = flask_memory_stat_reservation, > .memory_pin_page = flask_memory_pin_page, > + .claim_pages = flask_claim_pages, > + .xenmem_get_outstanding_pages = flask_xenmem_get_outstanding_pages, > > .console_io = flask_console_io, > > diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors > index c8ae806..544c3ba 100644 > --- a/xen/xsm/flask/policy/access_vectors > +++ b/xen/xsm/flask/policy/access_vectors > @@ -54,7 +54,7 @@ class xen > debug > # XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo > getcpuinfo > -# XEN_SYSCTL_availheap > +# XEN_SYSCTL_availheap, XENMEM_get_outstanding_pages > heap > # XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo, > # XENPF_core_parking > @@ -192,6 +192,8 @@ class domain2 > settsc > # XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo > setscheduler > +# XENMEM_claim_pages > + setclaim > } > > # Similar to class domain, but primarily contains domctls related to HVM domains > -- > 1.8.1.4 > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel >
Keir Fraser
2013-May-03 16:00 UTC
Re: [PATCH RESEND 3/4] xen/common: remove rcu_lock_target_domain_by_id
On 03/05/2013 15:09, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:> This function (and rcu_lock_remote_target_domain_by_id) has no remaining > users, having been replaced with XSM hooks and the other rcu_lock_* > functions. Remove it. > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release) > Cc: Keir Fraser <keir@xen.org>Acked-by: Keir Fraser <keir@xen.org>> --- > xen/common/domain.c | 34 ---------------------------------- > xen/include/xen/sched.h | 14 -------------- > 2 files changed, 48 deletions(-) > > diff --git a/xen/common/domain.c b/xen/common/domain.c > index b5d44d4..8adf00a 100644 > --- a/xen/common/domain.c > +++ b/xen/common/domain.c > @@ -481,40 +481,6 @@ struct domain *rcu_lock_domain_by_any_id(domid_t dom) > return rcu_lock_domain_by_id(dom); > } > > -int rcu_lock_target_domain_by_id(domid_t dom, struct domain **d) > -{ > - if ( dom == DOMID_SELF ) > - { > - *d = rcu_lock_current_domain(); > - return 0; > - } > - > - if ( (*d = rcu_lock_domain_by_id(dom)) == NULL ) > - return -ESRCH; > - > - if ( !IS_PRIV_FOR(current->domain, *d) ) > - { > - rcu_unlock_domain(*d); > - return -EPERM; > - } > - > - return 0; > -} > - > -int rcu_lock_remote_target_domain_by_id(domid_t dom, struct domain **d) > -{ > - if ( (*d = rcu_lock_domain_by_id(dom)) == NULL ) > - return -ESRCH; > - > - if ( (*d == current->domain) || !IS_PRIV_FOR(current->domain, *d) ) > - { > - rcu_unlock_domain(*d); > - return -EPERM; > - } > - > - return 0; > -} > - > int rcu_lock_remote_domain_by_id(domid_t dom, struct domain **d) > { > if ( (*d = rcu_lock_domain_by_id(dom)) == NULL ) > diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h > index 41f749e..cb3baed 100644 > --- a/xen/include/xen/sched.h > +++ b/xen/include/xen/sched.h > @@ -477,20 +477,6 @@ struct domain *rcu_lock_domain_by_id(domid_t dom); > struct domain *rcu_lock_domain_by_any_id(domid_t dom); > > /* > - * As above function, but accounts for current domain context: > - * - Translates target DOMID_SELF into caller''s domain id; and > - * - Checks that caller has permission to act on the target domain. > - */ > -int rcu_lock_target_domain_by_id(domid_t dom, struct domain **d); > - > -/* > - * As rcu_lock_target_domain_by_id(), but will fail EPERM rather than resolve > - * to local domain. Successful return always resolves to a remote domain that > - * the local domain is privileged to control. > - */ > -int rcu_lock_remote_target_domain_by_id(domid_t dom, struct domain **d); > - > -/* > * As rcu_lock_domain_by_id(), but will fail EPERM or ESRCH rather than > resolve > * to local domain. > */
Keir Fraser
2013-May-03 16:00 UTC
Re: [PATCH RESEND 4/4] xen: rename IS_PRIV to is_hardware_domain
On 03/05/2013 15:09, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:> Since the remaining uses of IS_PRIV are actually concerned with the > domain having control of the hardware (i.e. being the initial domain), > clarify this by renaming IS_PRIV to is_hardware_domain. This also > removes IS_PRIV_FOR since the only remaining user was xsm/dummy.h. > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release) > Cc: Keir Fraser <keir@xen.org>Acked-by: Keir Fraser <keir@xen.org>> Cc: Jan Beulich <jbeulich@suse.com> > --- > xen/arch/x86/domctl.c | 6 +++--- > xen/arch/x86/msi.c | 2 +- > xen/arch/x86/physdev.c | 4 ++-- > xen/arch/x86/traps.c | 12 ++++++------ > xen/include/xen/sched.h | 12 ++++++++++-- > xen/include/xsm/dummy.h | 32 ++++++++++++++++++++------------ > 6 files changed, 42 insertions(+), 26 deletions(-) > > diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c > index 1f16ad2..c2a04c4 100644 > --- a/xen/arch/x86/domctl.c > +++ b/xen/arch/x86/domctl.c > @@ -661,7 +661,7 @@ long arch_do_domctl( > while ( i-- ) > clear_mmio_p2m_entry(d, gfn + i); > if ( iomem_deny_access(d, mfn, mfn + nr_mfns - 1) && > - IS_PRIV(current->domain) ) > + is_hardware_domain(current->domain) ) > printk(XENLOG_ERR > "memory_map: failed to deny dom%d access to > [%lx,%lx]\n", > d->domain_id, mfn, mfn + nr_mfns - 1); > @@ -680,7 +680,7 @@ long arch_do_domctl( > ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); > if ( !ret && add ) > ret = -EIO; > - if ( ret && IS_PRIV(current->domain) ) > + if ( ret && is_hardware_domain(current->domain) ) > printk(XENLOG_ERR > "memory_map: error %ld %s dom%d access to > [%lx,%lx]\n", > ret, add ? "removing" : "denying", d->domain_id, > @@ -767,7 +767,7 @@ long arch_do_domctl( > break; > } > ret = ioports_deny_access(d, fmp, fmp + np - 1); > - if ( ret && IS_PRIV(current->domain) ) > + if ( ret && is_hardware_domain(current->domain) ) > printk(XENLOG_ERR > "ioport_map: error %ld denying dom%d access to > [%x,%x]\n", > ret, d->domain_id, fmp, fmp + np - 1); > diff --git a/xen/arch/x86/msi.c b/xen/arch/x86/msi.c > index 36bed29..a2ceea0 100644 > --- a/xen/arch/x86/msi.c > +++ b/xen/arch/x86/msi.c > @@ -812,7 +812,7 @@ static int msix_capability_init(struct pci_dev *dev, > break; > if ( d ) > { > - if ( !IS_PRIV(d) && dev->msix_warned != d->domain_id ) > + if ( !is_hardware_domain(d) && dev->msix_warned !> d->domain_id ) > { > dev->msix_warned = d->domain_id; > printk(XENLOG_ERR > diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c > index eb8a407..3733c7a 100644 > --- a/xen/arch/x86/physdev.c > +++ b/xen/arch/x86/physdev.c > @@ -128,7 +128,7 @@ int physdev_map_pirq(domid_t domid, int type, int *index, > int *pirq_p, > irq = domain_pirq_to_irq(current->domain, *index); > if ( irq <= 0 ) > { > - if ( IS_PRIV(current->domain) ) > + if ( is_hardware_domain(current->domain) ) > irq = *index; > else { > dprintk(XENLOG_G_ERR, "dom%d: map pirq with incorrect > irq!\n", > @@ -691,7 +691,7 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) > arg) > case PHYSDEVOP_dbgp_op: { > struct physdev_dbgp_op op; > > - if ( !IS_PRIV(v->domain) ) > + if ( !is_hardware_domain(v->domain) ) > ret = -EPERM; > else if ( copy_from_guest(&op, arg, 1) ) > ret = -EFAULT; > diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c > index fbbe31d..e0bc60d 100644 > --- a/xen/arch/x86/traps.c > +++ b/xen/arch/x86/traps.c > @@ -1303,7 +1303,7 @@ static int fixup_page_fault(unsigned long addr, struct > cpu_user_regs *regs) > ptwr_do_page_fault(v, addr, regs) ) > return EXCRET_fault_fixed; > > - if ( IS_PRIV(d) && (regs->error_code & PFEC_page_present) && > + if ( is_hardware_domain(d) && (regs->error_code & PFEC_page_present) > && > mmio_ro_do_page_fault(v, addr, regs) ) > return EXCRET_fault_fixed; > } > @@ -1623,7 +1623,7 @@ static int pci_cfg_ok(struct domain *d, int write, int > size) > { > uint32_t machine_bdf; > uint16_t start, end; > - if (!IS_PRIV(d)) > + if (!is_hardware_domain(d)) > return 0; > > machine_bdf = (d->arch.pci_cf8 >> 8) & 0xFFFF; > @@ -2415,7 +2415,7 @@ static int emulate_privileged_op(struct cpu_user_regs > *regs) > if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD || > boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 ) > goto fail; > - if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) ) > + if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) ) > break; > if ( (rdmsr_safe(MSR_AMD64_NB_CFG, val) != 0) || > (eax != (uint32_t)val) || > @@ -2428,7 +2428,7 @@ static int emulate_privileged_op(struct cpu_user_regs > *regs) > if ( boot_cpu_data.x86_vendor != X86_VENDOR_AMD || > boot_cpu_data.x86 < 0x10 || boot_cpu_data.x86 > 0x17 ) > goto fail; > - if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) ) > + if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) ) > break; > if ( (rdmsr_safe(MSR_FAM10H_MMIO_CONF_BASE, val) != 0) ) > goto fail; > @@ -2448,7 +2448,7 @@ static int emulate_privileged_op(struct cpu_user_regs > *regs) > case MSR_IA32_UCODE_REV: > if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL ) > goto fail; > - if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) ) > + if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) ) > break; > if ( rdmsr_safe(regs->ecx, val) ) > goto fail; > @@ -2484,7 +2484,7 @@ static int emulate_privileged_op(struct cpu_user_regs > *regs) > case MSR_IA32_ENERGY_PERF_BIAS: > if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL ) > goto fail; > - if ( !IS_PRIV(v->domain) || !is_pinned_vcpu(v) ) > + if ( !is_hardware_domain(v->domain) || !is_pinned_vcpu(v) ) > break; > if ( wrmsr_safe(regs->ecx, msr_content) != 0 ) > goto fail; > diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h > index cb3baed..5b55c09 100644 > --- a/xen/include/xen/sched.h > +++ b/xen/include/xen/sched.h > @@ -716,8 +716,16 @@ uint64_t get_cpu_idle_time(unsigned int cpu); > void watchdog_domain_init(struct domain *d); > void watchdog_domain_destroy(struct domain *d); > > -#define IS_PRIV(_d) ((_d)->is_privileged) > -#define IS_PRIV_FOR(_d, _t) (IS_PRIV(_d) || ((_d)->target && (_d)->target => (_t))) > +/* > + * Use this check when the following are both true: > + * - Using this feature or interface requires full access to the hardware > + * (that is, this is would not be suitable for a driver domain) > + * - There is never a reason to deny dom0 access to this > + */ > +#define is_hardware_domain(_d) ((_d)->is_privileged) > + > +/* This check is for functionality specific to a control domain */ > +#define is_control_domain(_d) ((_d)->is_privileged) > > #define VM_ASSIST(_d,_t) (test_bit((_t), &(_d)->vm_assist)) > > diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h > index 3912bd9..a872056 100644 > --- a/xen/include/xsm/dummy.h > +++ b/xen/include/xsm/dummy.h > @@ -60,17 +60,23 @@ static always_inline int xsm_default_action( > case XSM_HOOK: > return 0; > case XSM_DM_PRIV: > - if ( !IS_PRIV_FOR(src, target) ) > - return -EPERM; > - return 0; > + if ( src->is_privileged ) > + return 0; > + if ( target && src->target == target ) > + return 0; > + return -EPERM; > case XSM_TARGET: > - if ( src != target && !IS_PRIV_FOR(src, target) ) > - return -EPERM; > - return 0; > + if ( src == target ) > + return 0; > + if ( src->is_privileged ) > + return 0; > + if ( target && src->target == target ) > + return 0; > + return -EPERM; > case XSM_PRIV: > - if ( !IS_PRIV(src) ) > - return -EPERM; > - return 0; > + if ( src->is_privileged ) > + return 0; > + return -EPERM; > default: > LINKER_BUG_ON(1); > return -EPERM; > @@ -567,10 +573,12 @@ static XSM_INLINE int > xsm_domain_memory_map(XSM_DEFAULT_ARG struct domain *d) > static XSM_INLINE int xsm_mmu_update(XSM_DEFAULT_ARG struct domain *d, struct > domain *t, > struct domain *f, uint32_t flags) > { > + int rc; > XSM_ASSERT_ACTION(XSM_TARGET); > - if ( t && d != t && !IS_PRIV_FOR(d, t) ) > - return -EPERM; > - return xsm_default_action(action, d, f); > + rc = xsm_default_action(action, d, f); > + if ( t && !rc ) > + rc = xsm_default_action(action, d, t); > + return rc; > } > > static XSM_INLINE int xsm_mmuext_op(XSM_DEFAULT_ARG struct domain *d, struct > domain *f)
On 03/05/2013 15:09, "Daniel De Graaf" <dgdegra@tycho.nsa.gov> wrote:> Adds XSM hooks for the recently introduced XENMEM_claim_pages and > XENMEM_get_outstanding_pages operations, and adds FLASK access vectors > for them. This makes the access control decisions for these operations > match those in the rest of the hypervisor. > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (for 4.3 release) > Cc: Dan Magenheimer <dan.magenheimer@oracle.com> > Cc: Keir Fraser <keir@xen.org>Acked-by: Keir Fraser <keir@xen.org>> --- > tools/flask/policy/policy/modules/xen/xen.if | 2 +- > xen/common/memory.c | 15 ++++++++------- > xen/include/xsm/dummy.h | 12 ++++++++++++ > xen/include/xsm/xsm.h | 12 ++++++++++++ > xen/xsm/dummy.c | 2 ++ > xen/xsm/flask/hooks.c | 13 +++++++++++++ > xen/xsm/flask/policy/access_vectors | 4 +++- > 7 files changed, 51 insertions(+), 9 deletions(-) > > diff --git a/tools/flask/policy/policy/modules/xen/xen.if > b/tools/flask/policy/policy/modules/xen/xen.if > index 3a59f38..c86a618 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.if > +++ b/tools/flask/policy/policy/modules/xen/xen.if > @@ -49,7 +49,7 @@ define(`create_domain_common'', ` > getdomaininfo hypercall setvcpucontext setextvcpucontext > getscheduler getvcpuinfo getvcpuextstate getaddrsize > getaffinity setaffinity }; > - allow $1 $2:domain2 { set_cpuid settsc setscheduler }; > + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim }; > allow $1 $2:security check_context; > allow $1 $2:shadow enable; > allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage > mmuext_op }; > diff --git a/xen/common/memory.c b/xen/common/memory.c > index 68501d1..3239d53 100644 > --- a/xen/common/memory.c > +++ b/xen/common/memory.c > @@ -712,9 +712,6 @@ long do_memory_op(unsigned long cmd, > XEN_GUEST_HANDLE_PARAM(void) arg) > } > > case XENMEM_claim_pages: > - if ( !IS_PRIV(current->domain) ) > - return -EPERM; > - > if ( copy_from_guest(&reservation, arg, 1) ) > return -EFAULT; > > @@ -731,17 +728,21 @@ long do_memory_op(unsigned long cmd, > XEN_GUEST_HANDLE_PARAM(void) arg) > if ( d == NULL ) > return -EINVAL; > > - rc = domain_set_outstanding_pages(d, reservation.nr_extents); > + rc = xsm_claim_pages(XSM_PRIV, d); > + > + if ( !rc ) > + rc = domain_set_outstanding_pages(d, reservation.nr_extents); > > rcu_unlock_domain(d); > > break; > > case XENMEM_get_outstanding_pages: > - if ( !IS_PRIV(current->domain) ) > - return -EPERM; > + rc = xsm_xenmem_get_outstanding_pages(XSM_PRIV); > + > + if ( !rc ) > + rc = get_outstanding_claims(); > > - rc = get_outstanding_claims(); > break; > > default: > diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h > index 9cae61c..9bfe596 100644 > --- a/xen/include/xsm/dummy.h > +++ b/xen/include/xsm/dummy.h > @@ -247,6 +247,18 @@ static XSM_INLINE int xsm_memory_pin_page(XSM_DEFAULT_ARG > struct domain *d1, str > return xsm_default_action(action, d1, d2); > } > > +static XSM_INLINE int xsm_claim_pages(XSM_DEFAULT_ARG struct domain *d) > +{ > + XSM_ASSERT_ACTION(XSM_PRIV); > + return xsm_default_action(action, current->domain, d); > +} > + > +static XSM_INLINE int xsm_xenmem_get_outstanding_pages(XSM_DEFAULT_VOID) > +{ > + XSM_ASSERT_ACTION(XSM_PRIV); > + return xsm_default_action(action, current->domain, NULL); > +} > + > static XSM_INLINE int xsm_evtchn_unbound(XSM_DEFAULT_ARG struct domain *d, > struct evtchn *chn, > domid_t id2) > { > diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h > index 5103070..69fe64a 100644 > --- a/xen/include/xsm/xsm.h > +++ b/xen/include/xsm/xsm.h > @@ -92,6 +92,8 @@ struct xsm_operations { > int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct > page_info *page); > int (*add_to_physmap) (struct domain *d1, struct domain *d2); > int (*remove_from_physmap) (struct domain *d1, struct domain *d2); > + int (*claim_pages) (struct domain *d); > + int (*xenmem_get_outstanding_pages) (void); > > int (*console_io) (struct domain *d, int cmd); > > @@ -350,6 +352,16 @@ static inline int xsm_remove_from_physmap(xsm_default_t > def, struct domain *d1, > return xsm_ops->remove_from_physmap(d1, d2); > } > > +static inline int xsm_claim_pages(xsm_default_t def, struct domain *d) > +{ > + return xsm_ops->claim_pages(d); > +} > + > +static inline int xsm_xenmem_get_outstanding_pages(xsm_default_t def) > +{ > + return xsm_ops->xenmem_get_outstanding_pages(); > +} > + > static inline int xsm_console_io (xsm_default_t def, struct domain *d, int > cmd) > { > return xsm_ops->console_io(d, cmd); > diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c > index f7b0399..3d84e73 100644 > --- a/xen/xsm/dummy.c > +++ b/xen/xsm/dummy.c > @@ -66,6 +66,8 @@ void xsm_fixup_ops (struct xsm_operations *ops) > set_to_dummy_if_null(ops, memory_adjust_reservation); > set_to_dummy_if_null(ops, memory_stat_reservation); > set_to_dummy_if_null(ops, memory_pin_page); > + set_to_dummy_if_null(ops, claim_pages); > + set_to_dummy_if_null(ops, xenmem_get_outstanding_pages); > > set_to_dummy_if_null(ops, console_io); > > diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c > index 04c8a39..3291aa2 100644 > --- a/xen/xsm/flask/hooks.c > +++ b/xen/xsm/flask/hooks.c > @@ -417,6 +417,17 @@ static int flask_memory_pin_page(struct domain *d1, > struct domain *d2, > return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__PINPAGE); > } > > +static int flask_claim_pages(struct domain *d) > +{ > + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SETCLAIM); > +} > + > +static int flask_xenmem_get_outstanding_pages(void) > +{ > + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN, > + XEN__HEAP, NULL); > +} > + > static int flask_console_io(struct domain *d, int cmd) > { > u32 perm; > @@ -1485,6 +1496,8 @@ static struct xsm_operations flask_ops = { > .memory_adjust_reservation = flask_memory_adjust_reservation, > .memory_stat_reservation = flask_memory_stat_reservation, > .memory_pin_page = flask_memory_pin_page, > + .claim_pages = flask_claim_pages, > + .xenmem_get_outstanding_pages = flask_xenmem_get_outstanding_pages, > > .console_io = flask_console_io, > > diff --git a/xen/xsm/flask/policy/access_vectors > b/xen/xsm/flask/policy/access_vectors > index c8ae806..544c3ba 100644 > --- a/xen/xsm/flask/policy/access_vectors > +++ b/xen/xsm/flask/policy/access_vectors > @@ -54,7 +54,7 @@ class xen > debug > # XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo > getcpuinfo > -# XEN_SYSCTL_availheap > +# XEN_SYSCTL_availheap, XENMEM_get_outstanding_pages > heap > # XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo, > # XENPF_core_parking > @@ -192,6 +192,8 @@ class domain2 > settsc > # XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo > setscheduler > +# XENMEM_claim_pages > + setclaim > } > > # Similar to class domain, but primarily contains domctls related to HVM > domains
On 05/03/2013 11:46 AM, Konrad Rzeszutek Wilk wrote:> On Fri, May 03, 2013 at 10:09:13AM -0400, Daniel De Graaf wrote: >> Adds XSM hooks for the recently introduced XENMEM_claim_pages and >> XENMEM_get_outstanding_pages operations, and adds FLASK access vectors >> for them. This makes the access control decisions for these operations >> match those in the rest of the hypervisor. > > I am not that familiar with this, but it looks OK. However I am > going to post a patch soon that will eliminate one of the hypercalls > (xenmem_get_outstanding_pages). > > Do you want to wait for this or would it be better if I posted > the patch along with some changes to xsm hooks to delete it and > you can Ack it?Either way would be fine with me. I think re-posting may work better as I just found a typo in patch 4 that will be fixed on repost.