[Xen-devel] [PATCH 16/18] arch/x86: use XSM hooks for get_pg_owner access checks
This requires introducing a new XSM hook for do_mmuext_op to validate
remote domain access there.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
tools/flask/policy/policy/flask/access_vectors | 1 +
tools/flask/policy/policy/modules/xen/xen.if | 4 ++--
xen/arch/x86/mm.c | 25 ++++++++-----------------
xen/include/xsm/dummy.h | 20 ++++++++++++++++++--
xen/include/xsm/xsm.h | 14 +++++++++++---
xen/xsm/dummy.c | 1 +
xen/xsm/flask/hooks.c | 9 ++++++++-
xen/xsm/flask/include/av_perm_to_string.h | 1 +
xen/xsm/flask/include/av_permissions.h | 1 +
9 files changed, 51 insertions(+), 25 deletions(-)
diff --git a/tools/flask/policy/policy/flask/access_vectors
b/tools/flask/policy/policy/flask/access_vectors
index 2986b40..5e897e2 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -141,6 +141,7 @@ class mmu
mfnlist
memorymap
remote_remap
+ mmuext_op
}
class shadow
diff --git a/tools/flask/policy/policy/modules/xen/xen.if
b/tools/flask/policy/policy/modules/xen/xen.if
index 796698b..78083c3 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -7,7 +7,7 @@
################################################################################
define(`declare_domain_common', `
allow $1 $2:grant { query setup };
- allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage
updatemp };
+ allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage
updatemp mmuext_op };
allow $1 $2:hvm { getparam setparam };
')
@@ -51,7 +51,7 @@ define(`create_domain_common', `
allow $1 $2:domain2 { set_cpuid settsc };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
- allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
+ allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
mmuext_op };
allow $1 $2:grant setup;
allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
setparam pcilevel trackdirtyvram };
')
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 1b352df..4bc3ab5 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2882,11 +2882,6 @@ static struct domain *get_pg_owner(domid_t domid)
pg_owner = rcu_lock_domain(dom_io);
break;
case DOMID_XEN:
- if ( !IS_PRIV(curr) )
- {
- MEM_LOG("Cannot set foreign dom");
- break;
- }
pg_owner = rcu_lock_domain(dom_xen);
break;
default:
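Review bot: With the IS_PRIV check for DOMID_XEN dropped here and the IS_PRIV_FOR check dropped in the next hunk (the default case), get_pg_owner() no longer performs any authorization and only resolves a domid to a locked domain, yet nothing at the function records that callers are now responsible for running an XSM hook against the returned owner before acting on it. A comment above the function along the lines of `/* Resolve a domid to a locked domain. Performs NO access check: callers must run the appropriate xsm_* hook on the returned domain. */` would stop future callers from relying on the old behaviour. The function's head and tail are outside the hunk. It is also worth confirming that every get_pg_owner() caller in mm.c, not only do_mmuext_op and do_mmu_update, now reaches an XSM hook with the returned owner.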
@@ -2895,12 +2890,6 @@ static struct domain *get_pg_owner(domid_t domid)
MEM_LOG("Unknown domain '%u'", domid);
break;
}
- if ( !IS_PRIV_FOR(curr, pg_owner) )
- {
- MEM_LOG("Cannot set foreign dom");
- rcu_unlock_domain(pg_owner);
- pg_owner = NULL;
- }
break;
}
@@ -3008,6 +2997,13 @@ int do_mmuext_op(
goto out;
}
+ rc = xsm_mmuext_op(d, pg_owner);
+ if ( rc )
+ {
+ rcu_unlock_domain(pg_owner);
+ goto out;
+ }
+
for ( i = 0; i < count; i++ )
{
if ( hypercall_preempt_check() )
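Review bot: The failure path added after xsm_mmuext_op() drops the owner reference with `rcu_unlock_domain(pg_owner);` directly; as far as I recall, mm.c otherwise releases get_pg_owner() results through put_pg_owner(), and using that here as well would keep the acquire/release pairing visible to a reader. The check itself sits once before the loop, so a single decision covers every op in the batch. do_mmuext_op's body, including the declaration of d, begins and ends outside the hunk.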
@@ -3483,11 +3479,6 @@ int do_mmu_update(
rc = -EINVAL;
goto out;
}
- if ( !IS_PRIV_FOR(d, pt_owner) )
- {
- rc = -ESRCH;
- goto out;
- }
}
if ( (pg_owner = get_pg_owner((uint16_t)foreigndom)) == NULL )
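Review bot: Removing this block changes the error a guest observes when it lacks privilege over pt_owner: the removed path returned -ESRCH, whereas the replacement check in the dummy mmu_normal_update hook (xen/include/xsm/dummy.h in this patch) returns -EPERM. The same shift from -ESRCH to -EPERM appears to apply to the DOMID_XEN and foreign-domain cases that get_pg_owner() previously rejected by returning NULL. If this is intended, the commit message should say so, since toolstack or guest code may test for the specific errno. do_mmu_update starts and ends outside the hunk.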
@@ -3643,7 +3634,7 @@ int do_mmu_update(
mfn = req.ptr >> PAGE_SHIFT;
gpfn = req.val;
- rc = xsm_mmu_machphys_update(d, mfn);
+ rc = xsm_mmu_machphys_update(d, pg_owner, mfn);
if ( rc )
break;
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index d796a33..28e1d2b 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -803,19 +803,35 @@ static XSM_DEFAULT(int, domain_memory_map) (struct domain
*d)
}
static XSM_DEFAULT(int, mmu_normal_update) (struct domain *d, struct domain *t,
- struct domain *f, intpte_t fpte)
+ struct domain *f, intpte_t fpte)
{
+ if ( d != t && !IS_PRIV_FOR(d, t) )
+ return -EPERM;
+ if ( d != f && !IS_PRIV_FOR(d, f) )
+ return -EPERM;
return 0;
}
-static XSM_DEFAULT(int, mmu_machphys_update) (struct domain *d, unsigned long
mfn)
+static XSM_DEFAULT(int, mmu_machphys_update) (struct domain *d, struct domain
*f,
+ unsigned long mfn)
{
+ if ( d != f && !IS_PRIV_FOR(d, f) )
+ return -EPERM;
+ return 0;
+}
+
+static XSM_DEFAULT(int, mmuext_op) (struct domain *d, struct domain *f)
+{
+ if ( d != f && !IS_PRIV_FOR(d, f) )
+ return -EPERM;
return 0;
}
static XSM_DEFAULT(int, update_va_mapping) (struct domain *d, struct domain
*f,
l1_pgentry_t pte)
{
+ if ( d != f && !IS_PRIV_FOR(d, f) )
+ return -EPERM;
return 0;
}
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index fa9f50e..4134877 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -177,7 +177,9 @@ struct xsm_operations {
int (*domain_memory_map) (struct domain *d);
int (*mmu_normal_update) (struct domain *d, struct domain *t,
struct domain *f, intpte_t fpte);
- int (*mmu_machphys_update) (struct domain *d, unsigned long mfn);
+ int (*mmu_machphys_update) (struct domain *d, struct domain *f,
+ unsigned long mfn);
+ int (*mmuext_op) (struct domain *d, struct domain *f);
int (*update_va_mapping) (struct domain *d, struct domain *f,
l1_pgentry_t pte);
int (*add_to_physmap) (struct domain *d1, struct domain *d2);
@@ -797,9 +799,15 @@ static inline int xsm_mmu_normal_update (struct domain *d,
struct domain *t,
return xsm_ops->mmu_normal_update(d, t, f, fpte);
}
-static inline int xsm_mmu_machphys_update (struct domain *d, unsigned long mfn)
+static inline int xsm_mmu_machphys_update (struct domain *d, struct domain *f,
+ unsigned long mfn)
{
- return xsm_ops->mmu_machphys_update(d, mfn);
+ return xsm_ops->mmu_machphys_update(d, f, mfn);
+}
+
+static inline int xsm_mmuext_op (struct domain *d, struct domain *f)
+{
+ return xsm_ops->mmuext_op(d, f);
}
static inline int xsm_update_va_mapping(struct domain *d, struct domain *f,
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index aebe333..1bf9de9 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -161,6 +161,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, domain_memory_map);
set_to_dummy_if_null(ops, mmu_normal_update);
set_to_dummy_if_null(ops, mmu_machphys_update);
+ set_to_dummy_if_null(ops, mmuext_op);
set_to_dummy_if_null(ops, update_va_mapping);
set_to_dummy_if_null(ops, add_to_physmap);
set_to_dummy_if_null(ops, remove_from_physmap);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index dae587c..f743be1 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1385,7 +1385,8 @@ static int flask_mmu_normal_update(struct domain *d,
struct domain *t,
return avc_has_perm(dsid, fsid, SECCLASS_MMU, map_perms, &ad);
}
-static int flask_mmu_machphys_update(struct domain *d, unsigned long mfn)
+static int flask_mmu_machphys_update(struct domain *d, struct domain *f,
+ unsigned long mfn)
{
int rc = 0;
u32 dsid, psid;
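Review bot: flask_mmu_machphys_update gains a `struct domain *f` parameter in this hunk, but neither this hunk nor the following one shows the body using it; the visible return still decides on dsid and psid alone, while the dummy default for the same hook checks f explicitly. If f is intentionally left unchecked here because the psid (page owner) check is relied upon, a comment such as `/* f is not checked separately: the psid check on the page owner is relied on here. */` would make the unused parameter deliberate; otherwise the hook should also check f as the dummy hook does. The rest of the function body lies outside the hunks, so I may be missing a use of f there.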
@@ -1398,6 +1399,11 @@ static int flask_mmu_machphys_update(struct domain *d,
unsigned long mfn)
return avc_has_perm(dsid, psid, SECCLASS_MMU, MMU__UPDATEMP, NULL);
}
+static int flask_mmuext_op(struct domain *d, struct domain *f)
+{
+ return domain_has_perm(d, f, SECCLASS_MMU, MMU__MMUEXT_OP);
+}
+
static int flask_update_va_mapping(struct domain *d, struct domain *f,
l1_pgentry_t pte)
{
@@ -1707,6 +1713,7 @@ static struct xsm_operations flask_ops = {
.domain_memory_map = flask_domain_memory_map,
.mmu_normal_update = flask_mmu_normal_update,
.mmu_machphys_update = flask_mmu_machphys_update,
+ .mmuext_op = flask_mmuext_op,
.update_va_mapping = flask_update_va_mapping,
.add_to_physmap = flask_add_to_physmap,
.remove_from_physmap = flask_remove_from_physmap,
diff --git a/xen/xsm/flask/include/av_perm_to_string.h
b/xen/xsm/flask/include/av_perm_to_string.h
index 5d5a45a..5d4f316 100644
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -111,6 +111,7 @@
S_(SECCLASS_MMU, MMU__MFNLIST, "mfnlist")
S_(SECCLASS_MMU, MMU__MEMORYMAP, "memorymap")
S_(SECCLASS_MMU, MMU__REMOTE_REMAP, "remote_remap")
+ S_(SECCLASS_MMU, MMU__MMUEXT_OP, "mmuext_op")
S_(SECCLASS_SHADOW, SHADOW__DISABLE, "disable")
S_(SECCLASS_SHADOW, SHADOW__ENABLE, "enable")
S_(SECCLASS_SHADOW, SHADOW__LOGDIRTY, "logdirty")
diff --git a/xen/xsm/flask/include/av_permissions.h
b/xen/xsm/flask/include/av_permissions.h
index e6d6a6d..f970b50 100644
--- a/xen/xsm/flask/include/av_permissions.h
+++ b/xen/xsm/flask/include/av_permissions.h
@@ -117,6 +117,7 @@
#define MMU__MFNLIST 0x00000400UL
#define MMU__MEMORYMAP 0x00000800UL
#define MMU__REMOTE_REMAP 0x00001000UL
+#define MMU__MMUEXT_OP 0x00002000UL
#define SHADOW__DISABLE 0x00000001UL
#define SHADOW__ENABLE 0x00000002UL
--
1.7.11.2