
[Xen-devel] [PATCH v3] Merge IS_PRIV checks into XSM hooks

Changes from v2:
 * Added overall hooks for domctl, sysctl, and platform_hypercall so
   that new sub-operations are protected by IS_PRIV checks
 * Reorganized the IS_PRIV additions to dummy.h so they are added in the
   same patch that removes the IS_PRIV they are replacing
 * Reworked hooks in the MM hotpath to increase efficiency
 * Dropped some unneeded XSM hook additions due to do_domctl hook
 * Dropped the rcu_lock*target_domain_by_id function removal patch
 * Restored the IS_PRIV check in PHYSDEVOP_alloc_irq_vector
 * Used the existing hook function structure for tmem

Overall, this series should not change the behavior of Xen when XSM is
not enabled; however, in some cases, the exact errors that are returned
will be different because security checks have been moved below validity
checks.

Background:

The Xen hypervisor has two basic access control function calls: IS_PRIV
and the xsm_* functions. Most privileged operations currently require
that both checks succeed, and many times the checks are at different
locations in the code.

When performing dom0 disaggregation, many of the functions normally
protected with IS_PRIV are handled by domains other than dom0. This
requires either making all such disaggregated domains privileged, or
allowing certain operations to be performed without an IS_PRIV check.
Because the privileged bit also short-circuits the IS_PRIV_FOR check,
and some IS_PRIV calls do not currently have an accompanying XSM call,
this series implements the second option.
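As an added illustration (not part of this series or of Xen's source), the C model below contrasts the two approaches described above: an IS_PRIV test at the call site versus a single XSM hook whose dummy implementation performs the IS_PRIV test, plus an invented FLASK-like policy module that grants one unprivileged domain a single operation. The struct, hook and command names are constructed stand-ins; the model also shows why the returned error changes once the security check sits below the validity check.

```c
/* Constructed model of the design in this series; names below are
 * stand-ins and not Xen's own code or data structures. */
#include <errno.h>
#include <stdbool.h>

struct domain { unsigned int domid; bool is_privileged; };
/* Stand-in for IS_PRIV(): true only for the control domain (dom0). */
static bool IS_PRIV(const struct domain *d) { return d->is_privileged; }

/* XSM hook type for a sysctl-like privileged operation. */
typedef int (*xsm_sysctl_hook)(const struct domain *src, int cmd);

/* Dummy module (XSM disabled): the IS_PRIV check lives in the hook,
 * so behaviour matches the old per-call-site IS_PRIV tests. */
static int dummy_xsm_sysctl(const struct domain *src, int cmd)
{ (void)cmd; return IS_PRIV(src) ? 0 : -EPERM; }

/* Policy module (FLASK-like): a disaggregated, unprivileged domain can
 * be granted a specific command without being marked privileged. */
struct grant { unsigned int domid; int cmd; };
static const struct grant policy[] = { { 7, 2 } };   /* constructed rule */

static int policy_xsm_sysctl(const struct domain *src, int cmd)
{
    for (unsigned i = 0; i < sizeof(policy) / sizeof(policy[0]); i++)
        if (policy[i].domid == src->domid && policy[i].cmd == cmd)
            return 0;
    return -EPERM;
}

#define SYSCTL_NR_CMDS 3

/* Before the series: IS_PRIV tested up front, so even a malformed
 * request from an unprivileged domain is refused with -EPERM. */
static int do_sysctl_before(const struct domain *cur, int cmd)
{
    if (!IS_PRIV(cur))
        return -EPERM;
    return (cmd < 0 || cmd >= SYSCTL_NR_CMDS) ? -EINVAL : 0;
}

/* After the series: one XSM hook below the validity check, so the same
 * caller now sees -EINVAL for a bad command and -EPERM only if denied. */
static int do_sysctl_after(xsm_sysctl_hook xsm, const struct domain *cur, int cmd)
{
    if (cmd < 0 || cmd >= SYSCTL_NR_CMDS)
        return -EINVAL;
    return xsm(cur, cmd);
}
```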

Once applied, most IS_PRIV checks are isolated in the newly introduced
xen/include/xsm/dummy.h header. The remaining checks cover a few areas
that have some reason to remain because they involve hardware
access or workarounds:

1. Overriding the IRQ and IO memory access checks (arch/x86/domctl.c).
   These overrides should not be needed, as dom0 should have access
   without needing the override.
2. Allow MAP_PIRQ_TYPE_GSI to ignore domain_pirq_to_irq negative return
3. The hack for device model framebuffers in get_page_from_l1e
4. Installing maps of non-owned pages in shadow_get_page_from_l1e
5. PCI configuration space (arch/x86/traps.c). Allowing a PV Linux domU
   to access the PCI configuration space is a good way to crash the
   system as it reconfigures PCI devices during boot, so this needs to
   remain to get a working system when FLASK is in permissive mode.
6. Various MSR accesses (arch/x86/traps.c)

The ARM architecture is not touched at all in these patches; however,
none of the changes should affect ARM. XSM hooks will need to be added
for the arch-specific controls in order for FLASK to be useful on ARM,
but those changes are outside the scope of this series.

Miscellaneous updates to FLASK:
    [PATCH 01/22] xsm/flask: remove inherited class attributes
    [PATCH 02/22] xsm/flask: remove unneeded create_sid field
    [PATCH 04/22] xsm/flask: add domain relabel support
    [PATCH 05/22] libxl: introduce XSM relabel on build
    [PATCH 06/22] flask/policy: Add domain relabel example
    [PATCH 08/22] xsm/flask: Add checks on the domain performing the

Preparatory new functions/hooks:
    [PATCH 03/22] xen: Add versions of rcu_lock_*_domain without IS_PRIV
    [PATCH 07/22] arch/x86: add distinct XSM hooks for map/unmap
    [PATCH 13/22] xen: lock target domain in do_domctl common code

IS_PRIV Refactoring:
    [PATCH 09/22] xsm: Use the dummy XSM module if XSM is disabled
    [PATCH 10/22] xen: use XSM instead of IS_PRIV where duplicated
    [PATCH 11/22] xen: avoid calling rcu_lock_*target_domain when an XSM
    [PATCH 12/22] arch/x86: convert platform_hypercall to use XSM
    [PATCH 14/22] xen: convert do_domctl to use XSM
    [PATCH 15/22] xen: convert do_sysctl to use XSM

Additional new/updated hooks:
    [PATCH 16/22] xsm/flask: add missing hooks
    [PATCH 17/22] xsm/flask: add distinct SIDs for self/target access
    [PATCH 18/22] arch/x86: Add missing mem_sharing XSM hooks
    [PATCH 19/22] arch/x86: check remote MMIO remap permissions
    [PATCH 20/22] arch/x86: use XSM hooks for get_pg_owner access checks
    [PATCH 21/22] xen: Add XSM hook for XENMEM_exchange
    [PATCH 22/22] tmem: add XSM hooks

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
