[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 09/11] xen: Add DOMCTL to limit the number of event channels a domain may use



>>> On 04.10.13 at 13:56, David Vrabel <david.vrabel@xxxxxxxxxx> wrote:
> On 02/10/13 18:06, David Vrabel wrote:
>> On 02/10/13 17:35, David Vrabel wrote:
>>>
>>> --- a/xen/xsm/flask/hooks.c
>>> +++ b/xen/xsm/flask/hooks.c
>>> @@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd)
>>>      case XEN_DOMCTL_audit_p2m:
>>>          return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M);
>>>  
>>> +    case XEN_DOMCTL_set_max_evtchn:
>>> +        return current_has_perm(d, SECCLASS_DOMAIN, 
> DOMAIN__SET_MAX_EVTCHN);#
>> 
>> Sorry, I forgot to try a build with XSM and FLASK enabled. This should
>> have been SECCLASS_DOMAIN2 and DOMAIN2__SET_MAX_EVTCHN.
> 
> And here's a fixed version of the patch.
> 
> Daniel, can you review the XSM parts of this, please?
> 
> 8<-----------------------------------
> xen: Add DOMCTL to limit the number of event channels a domain may use
> 
> Add XEN_DOMCTL_set_max_evtchn which may be used during domain creation to
> set the maximum event channel port a domain may use.  This may be used to
> limit the amount of Xen resources (global mapping space and xenheap) that
> a domain may use for event channels.
> 
> A domain that does not have a limit set may use all the event channels
> supported by the event channel ABI in use.
> 
> Signed-off-by: David Vrabel <david.vrabel@xxxxxxxxxx>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

Just to clarify once more: This is only for the non-XSM parts; I'm
relying on Daniel to do the review on that front.

Jan

> Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> ---
>  tools/flask/policy/policy/mls                |    2 +-
>  tools/flask/policy/policy/modules/xen/xen.if |    2 +-
>  tools/flask/policy/policy/modules/xen/xen.te |    2 +-
>  xen/common/domctl.c                          |    8 ++++++++
>  xen/common/event_channel.c                   |    7 ++++++-
>  xen/include/public/domctl.h                  |   13 +++++++++++++
>  xen/include/xen/sched.h                      |    1 +
>  xen/xsm/flask/hooks.c                        |    3 +++
>  xen/xsm/flask/policy/access_vectors          |    2 ++
>  9 files changed, 36 insertions(+), 4 deletions(-)
> 
> diff --git a/tools/flask/policy/policy/mls b/tools/flask/policy/policy/mls
> index 9290a76..fb603cd 100644
> --- a/tools/flask/policy/policy/mls
> +++ b/tools/flask/policy/policy/mls
> @@ -74,7 +74,7 @@ mlsconstrain domain { getaffinity getdomaininfo getvcpuinfo 
> getvcpucontext getad
>       ((l1 dom l2) or (t1 == mls_priv));
>  
>  # all the domain "write" ops
> -mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus 
> destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging 
> hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext }
> +mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus 
> destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging 
> hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext 
> set_max_evtchn }
>       ((l1 eq l2) or (t1 == mls_priv));
>  
>  # This is incomplete - similar constraints must be written for all classes
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
> b/tools/flask/policy/policy/modules/xen/xen.if
> index 97af0a8..63e40f0 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -48,7 +48,7 @@ define(`create_domain_common', `
>       allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
>                       getdomaininfo hypercall setvcpucontext setextvcpucontext
>                       getscheduler getvcpuinfo getvcpuextstate getaddrsize
> -                     getaffinity setaffinity };
> +                     getaffinity setaffinity set_max_evtchn };
>       allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim };
>       allow $1 $2:security check_context;
>       allow $1 $2:shadow enable;
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
> b/tools/flask/policy/policy/modules/xen/xen.te
> index c89ce28..5f9de5c 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -73,7 +73,7 @@ allow dom0_t dom0_t:domain {
>       getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
>       setdebugging hypercall settime setaddrsize getaddrsize trigger
>       getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
> -     getpodtarget setpodtarget set_misc_info set_virq_handler
> +     getpodtarget setpodtarget set_misc_info set_virq_handler set_max_evtchn
>  };
>  allow dom0_t dom0_t:domain2 {
>       set_cpuid gettsc settsc setscheduler
> diff --git a/xen/common/domctl.c b/xen/common/domctl.c
> index 9760d50..870eef1 100644
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -863,6 +863,14 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
> u_domctl)
>      }
>      break;
>  
> +    case XEN_DOMCTL_set_max_evtchn:
> +    {
> +        d->max_evtchn_port = min_t(unsigned int,
> +                                   op->u.set_max_evtchn.max_port,
> +                                   INT_MAX);
> +    }
> +    break;
> +
>      default:
>          ret = arch_do_domctl(op, d, u_domctl);
>          break;
> diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
> index 0c0bbe4..34efd24 100644
> --- a/xen/common/event_channel.c
> +++ b/xen/common/event_channel.c
> @@ -168,10 +168,14 @@ static int get_free_port(struct domain *d)
>          return -EINVAL;
>  
>      for ( port = 0; port_is_valid(d, port); port++ )
> +    {
> +        if ( port > d->max_evtchn_port )
> +            return -ENOSPC;
>          if ( evtchn_from_port(d, port)->state == ECS_FREE )
>              return port;
> +    }
>  
> -    if ( port == d->max_evtchns )
> +    if ( port == d->max_evtchns || port > d->max_evtchn_port )
>          return -ENOSPC;
>  
>      if ( !group_from_port(d, port) )
> @@ -1230,6 +1234,7 @@ void evtchn_check_pollers(struct domain *d, unsigned 
> int port)
>  int evtchn_init(struct domain *d)
>  {
>      evtchn_2l_init(d);
> +    d->max_evtchn_port = INT_MAX;
>  
>      d->evtchn = alloc_evtchn_bucket(d, 0);
>      if ( !d->evtchn )
> diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h
> index 4c5b2bb..d4e479f 100644
> --- a/xen/include/public/domctl.h
> +++ b/xen/include/public/domctl.h
> @@ -852,6 +852,17 @@ struct xen_domctl_set_broken_page_p2m {
>  typedef struct xen_domctl_set_broken_page_p2m 
> xen_domctl_set_broken_page_p2m_t;
>  DEFINE_XEN_GUEST_HANDLE(xen_domctl_set_broken_page_p2m_t);
>  
> +/*
> + * XEN_DOMCTL_set_max_evtchn: sets the maximum event channel port
> + * number the guest may use.  Use this limit the amount of resources
> + * (global mapping space, xenheap) a guest may use for event channels.
> + */
> +struct xen_domctl_set_max_evtchn {
> +    uint32_t max_port;
> +};
> +typedef struct xen_domctl_set_max_evtchn xen_domctl_set_max_evtchn_t;
> +DEFINE_XEN_GUEST_HANDLE(xen_domctl_set_max_evtchn_t);
> +
>  struct xen_domctl {
>      uint32_t cmd;
>  #define XEN_DOMCTL_createdomain                   1
> @@ -920,6 +931,7 @@ struct xen_domctl {
>  #define XEN_DOMCTL_set_broken_page_p2m           67
>  #define XEN_DOMCTL_setnodeaffinity               68
>  #define XEN_DOMCTL_getnodeaffinity               69
> +#define XEN_DOMCTL_set_max_evtchn                70
>  #define XEN_DOMCTL_gdbsx_guestmemio            1000
>  #define XEN_DOMCTL_gdbsx_pausevcpu             1001
>  #define XEN_DOMCTL_gdbsx_unpausevcpu           1002
> @@ -975,6 +987,7 @@ struct xen_domctl {
>          struct xen_domctl_set_access_required access_required;
>          struct xen_domctl_audit_p2m         audit_p2m;
>          struct xen_domctl_set_virq_handler  set_virq_handler;
> +        struct xen_domctl_set_max_evtchn    set_max_evtchn;
>          struct xen_domctl_gdbsx_memio       gdbsx_guest_memio;
>          struct xen_domctl_set_broken_page_p2m set_broken_page_p2m;
>          struct xen_domctl_gdbsx_pauseunp_vcpu gdbsx_pauseunp_vcpu;
> diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
> index ab7be82..0da0096 100644
> --- a/xen/include/xen/sched.h
> +++ b/xen/include/xen/sched.h
> @@ -291,6 +291,7 @@ struct domain
>      struct evtchn   *evtchn;                         /* first bucket only 
> */
>      struct evtchn  **evtchn_group[NR_EVTCHN_GROUPS]; /* all other buckets 
> */
>      unsigned int     max_evtchns;
> +    unsigned int     max_evtchn_port;
>      spinlock_t       event_lock;
>      const struct evtchn_port_ops *evtchn_port_ops;
>      struct evtchn_fifo_domain *evtchn_fifo;
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index fa0589a..b1e2593 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd)
>      case XEN_DOMCTL_audit_p2m:
>          return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M);
>  
> +    case XEN_DOMCTL_set_max_evtchn:
> +        return current_has_perm(d, SECCLASS_DOMAIN2, 
> DOMAIN2__SET_MAX_EVTCHN);
> +
>      default:
>          printk("flask_domctl: Unknown op %d\n", cmd);
>          return -EPERM;
> diff --git a/xen/xsm/flask/policy/access_vectors 
> b/xen/xsm/flask/policy/access_vectors
> index 5dfe13b..1fbe241 100644
> --- a/xen/xsm/flask/policy/access_vectors
> +++ b/xen/xsm/flask/policy/access_vectors
> @@ -194,6 +194,8 @@ class domain2
>      setscheduler
>  # XENMEM_claim_pages
>      setclaim
> +# XEN_DOMCTL_set_max_evtchn
> +    set_max_evtchn
>  }
>  
>  # Similar to class domain, but primarily contains domctls related to HVM 
> domains
> -- 
> 1.7.2.5



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.