[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen staging] xsm, argo: XSM control for any access to argo by a domain
commit 789cab9d676341b260b540c23c29fab242b1747e Author: Christopher Clark <christopher.w.clark@xxxxxxxxx> AuthorDate: Wed Feb 6 09:56:00 2019 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Thu Feb 7 14:26:19 2019 +0100 xsm, argo: XSM control for any access to argo by a domain Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx> Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> Tested-by: Chris Patterson <pattersonc@xxxxxxxxxxxx> Release-acked-by: Juergen Gross <jgross@xxxxxxxx> --- tools/flask/policy/modules/guest_features.te | 4 ++-- xen/common/argo.c | 16 ++++++++++++---- xen/include/xsm/dummy.h | 5 +++++ xen/include/xsm/xsm.h | 6 ++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 7 +++++++ xen/xsm/flask/policy/access_vectors | 3 +++ 7 files changed, 36 insertions(+), 6 deletions(-) diff --git a/tools/flask/policy/modules/guest_features.te b/tools/flask/policy/modules/guest_features.te index ca52257ca4..fe4835db5b 100644 --- a/tools/flask/policy/modules/guest_features.te +++ b/tools/flask/policy/modules/guest_features.te @@ -5,11 +5,11 @@ allow domain_type xen_t:xen tmem_op; # pmu_ctrl is for) allow domain_type xen_t:xen2 pmu_use; -# Allow all domains: +# Allow all domains to enable the Argo interdomain communication hypercall; # to register single-sender (unicast) rings to partner with any domain; # to register any-sender (wildcard) rings that can be sent to by any domain; # and send messages to rings. -allow domain_type xen_t:argo { register_any_source }; +allow domain_type xen_t:argo { enable register_any_source }; allow domain_type domain_type:argo { send register_single_source }; # Allow guest console output to the serial console. This is used by PV Linux diff --git a/xen/common/argo.c b/xen/common/argo.c index ce42e69d88..7523f32af5 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -2078,6 +2078,10 @@ do_argo_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg1, if ( unlikely(!opt_argo) ) return -EOPNOTSUPP; + rc = xsm_argo_enable(currd); + if ( rc ) + return rc; + switch ( cmd ) { case XEN_ARGO_OP_register_ring: @@ -2216,6 +2220,10 @@ compat_argo_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg1, if ( unlikely(!opt_argo) ) return -EOPNOTSUPP; + rc = xsm_argo_enable(currd); + if ( rc ) + return rc; + argo_dprintk("->compat_argo_op(%u,%p,%p,%lu,0x%lx)\n", cmd, (void *)arg1.p, (void *)arg2.p, arg3, arg4); @@ -2277,7 +2285,7 @@ argo_init(struct domain *d) { struct argo_domain *argo; - if ( !opt_argo ) + if ( !opt_argo || xsm_argo_enable(d) ) { argo_dprintk("argo disabled, domid: %u\n", d->domain_id); return 0; @@ -2334,9 +2342,9 @@ argo_soft_reset(struct domain *d) wildcard_rings_pending_remove(d); /* - * Since opt_argo cannot change at runtime, if d->argo is true then - * opt_argo must be true, and we can assume that init is allowed to - * proceed again here. + * Since neither opt_argo or xsm_argo_enable(d) can change at runtime, + * if d->argo is true then both opt_argo and xsm_argo_enable(d) must be + * true, and we can assume that init is allowed to proceed again here. */ argo_domain_init(d->argo); } diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 9ae69ccac5..e628b1c6af 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -721,6 +721,11 @@ static XSM_INLINE int xsm_dm_op(XSM_DEFAULT_ARG struct domain *d) #endif /* CONFIG_X86 */ #ifdef CONFIG_ARGO +static XSM_INLINE int xsm_argo_enable(const struct domain *d) +{ + return 0; +} + static XSM_INLINE int xsm_argo_register_single_source(const struct domain *d, const struct domain *t) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 4211892dc4..8a78d8abd3 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -182,6 +182,7 @@ struct xsm_operations { int (*xen_version) (uint32_t cmd); int (*domain_resource_map) (struct domain *d); #ifdef CONFIG_ARGO + int (*argo_enable) (const struct domain *d); int (*argo_register_single_source) (const struct domain *d, const struct domain *t); int (*argo_register_any_source) (const struct domain *d); @@ -705,6 +706,11 @@ static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d) } #ifdef CONFIG_ARGO +static inline int xsm_argo_enable(const struct domain *d) +{ + return xsm_ops->argo_enable(d); +} + static inline int xsm_argo_register_single_source(const struct domain *d, const struct domain *t) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index ffac774126..1fe0e746fa 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -153,6 +153,7 @@ void __init xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, xen_version); set_to_dummy_if_null(ops, domain_resource_map); #ifdef CONFIG_ARGO + set_to_dummy_if_null(ops, argo_enable); set_to_dummy_if_null(ops, argo_register_single_source); set_to_dummy_if_null(ops, argo_register_any_source); set_to_dummy_if_null(ops, argo_send); diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 76c012c6e7..3d00c747f6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1720,6 +1720,12 @@ static int flask_domain_resource_map(struct domain *d) } #ifdef CONFIG_ARGO +static int flask_argo_enable(const struct domain *d) +{ + return avc_has_perm(domain_sid(d), SECINITSID_XEN, SECCLASS_ARGO, + ARGO__ENABLE, NULL); +} + static int flask_argo_register_single_source(const struct domain *d, const struct domain *t) { @@ -1875,6 +1881,7 @@ static struct xsm_operations flask_ops = { .xen_version = flask_xen_version, .domain_resource_map = flask_domain_resource_map, #ifdef CONFIG_ARGO + .argo_enable = flask_argo_enable, .argo_register_single_source = flask_argo_register_single_source, .argo_register_any_source = flask_argo_register_any_source, .argo_send = flask_argo_send, diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index f6c5377060..e00448b776 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -535,6 +535,9 @@ class version # Class argo is used to describe the Argo interdomain communication system. class argo { + # Enable initialization of a domain's argo subsystem and + # permission to access the argo hypercall operations. + enable # Domain requesting registration of a communication ring # to receive messages from a specific other domain. register_single_source -- generated by git-patchbot for /home/xen/git/xen.git#staging _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |