|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 09/11] xen: Add DOMCTL to limit the number of event channels a domain may use
>>> On 04.10.13 at 13:56, David Vrabel <david.vrabel@xxxxxxxxxx> wrote:
> On 02/10/13 18:06, David Vrabel wrote:
>> On 02/10/13 17:35, David Vrabel wrote:
>>>
>>> --- a/xen/xsm/flask/hooks.c
>>> +++ b/xen/xsm/flask/hooks.c
>>> @@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd)
>>> case XEN_DOMCTL_audit_p2m:
>>> return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M);
>>>
>>> + case XEN_DOMCTL_set_max_evtchn:
>>> + return current_has_perm(d, SECCLASS_DOMAIN,
> DOMAIN__SET_MAX_EVTCHN);#
>>
>> Sorry, I forgot to try a build with XSM and FLASK enabled. This should
>> have been SECCLASS_DOMAIN2 and DOMAIN2__SET_MAX_EVTCHN.
>
> And here's a fixed version of the patch.
>
> Daniel, can you review the XSM parts of this, please?
>
> 8<-----------------------------------
> xen: Add DOMCTL to limit the number of event channels a domain may use
>
> Add XEN_DOMCTL_set_max_evtchn which may be used during domain creation to
> set the maximum event channel port a domain may use. This may be used to
> limit the amount of Xen resources (global mapping space and xenheap) that
> a domain may use for event channels.
>
> A domain that does not have a limit set may use all the event channels
> supported by the event channel ABI in use.
>
> Signed-off-by: David Vrabel <david.vrabel@xxxxxxxxxx>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Just to clarify once more: This is only for the non-XSM parts; I'm
relying on Daniel to do the review on that front.
Jan
> Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> ---
> tools/flask/policy/policy/mls | 2 +-
> tools/flask/policy/policy/modules/xen/xen.if | 2 +-
> tools/flask/policy/policy/modules/xen/xen.te | 2 +-
> xen/common/domctl.c | 8 ++++++++
> xen/common/event_channel.c | 7 ++++++-
> xen/include/public/domctl.h | 13 +++++++++++++
> xen/include/xen/sched.h | 1 +
> xen/xsm/flask/hooks.c | 3 +++
> xen/xsm/flask/policy/access_vectors | 2 ++
> 9 files changed, 36 insertions(+), 4 deletions(-)
>
> diff --git a/tools/flask/policy/policy/mls b/tools/flask/policy/policy/mls
> index 9290a76..fb603cd 100644
> --- a/tools/flask/policy/policy/mls
> +++ b/tools/flask/policy/policy/mls
> @@ -74,7 +74,7 @@ mlsconstrain domain { getaffinity getdomaininfo getvcpuinfo
> getvcpucontext getad
> ((l1 dom l2) or (t1 == mls_priv));
>
> # all the domain "write" ops
> -mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus
> destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging
> hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext }
> +mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus
> destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging
> hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext
> set_max_evtchn }
> ((l1 eq l2) or (t1 == mls_priv));
>
> # This is incomplete - similar constraints must be written for all classes
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if
> b/tools/flask/policy/policy/modules/xen/xen.if
> index 97af0a8..63e40f0 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -48,7 +48,7 @@ define(`create_domain_common', `
> allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
> getdomaininfo hypercall setvcpucontext setextvcpucontext
> getscheduler getvcpuinfo getvcpuextstate getaddrsize
> - getaffinity setaffinity };
> + getaffinity setaffinity set_max_evtchn };
> allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim };
> allow $1 $2:security check_context;
> allow $1 $2:shadow enable;
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te
> b/tools/flask/policy/policy/modules/xen/xen.te
> index c89ce28..5f9de5c 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -73,7 +73,7 @@ allow dom0_t dom0_t:domain {
> getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
> setdebugging hypercall settime setaddrsize getaddrsize trigger
> getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
> - getpodtarget setpodtarget set_misc_info set_virq_handler
> + getpodtarget setpodtarget set_misc_info set_virq_handler set_max_evtchn
> };
> allow dom0_t dom0_t:domain2 {
> set_cpuid gettsc settsc setscheduler
> diff --git a/xen/common/domctl.c b/xen/common/domctl.c
> index 9760d50..870eef1 100644
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -863,6 +863,14 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t)
> u_domctl)
> }
> break;
>
> + case XEN_DOMCTL_set_max_evtchn:
> + {
> + d->max_evtchn_port = min_t(unsigned int,
> + op->u.set_max_evtchn.max_port,
> + INT_MAX);
> + }
> + break;
> +
> default:
> ret = arch_do_domctl(op, d, u_domctl);
> break;
> diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
> index 0c0bbe4..34efd24 100644
> --- a/xen/common/event_channel.c
> +++ b/xen/common/event_channel.c
> @@ -168,10 +168,14 @@ static int get_free_port(struct domain *d)
> return -EINVAL;
>
> for ( port = 0; port_is_valid(d, port); port++ )
> + {
> + if ( port > d->max_evtchn_port )
> + return -ENOSPC;
> if ( evtchn_from_port(d, port)->state == ECS_FREE )
> return port;
> + }
>
> - if ( port == d->max_evtchns )
> + if ( port == d->max_evtchns || port > d->max_evtchn_port )
> return -ENOSPC;
>
> if ( !group_from_port(d, port) )
> @@ -1230,6 +1234,7 @@ void evtchn_check_pollers(struct domain *d, unsigned
> int port)
> int evtchn_init(struct domain *d)
> {
> evtchn_2l_init(d);
> + d->max_evtchn_port = INT_MAX;
>
> d->evtchn = alloc_evtchn_bucket(d, 0);
> if ( !d->evtchn )
> diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h
> index 4c5b2bb..d4e479f 100644
> --- a/xen/include/public/domctl.h
> +++ b/xen/include/public/domctl.h
> @@ -852,6 +852,17 @@ struct xen_domctl_set_broken_page_p2m {
> typedef struct xen_domctl_set_broken_page_p2m
> xen_domctl_set_broken_page_p2m_t;
> DEFINE_XEN_GUEST_HANDLE(xen_domctl_set_broken_page_p2m_t);
>
> +/*
> + * XEN_DOMCTL_set_max_evtchn: sets the maximum event channel port
> + * number the guest may use. Use this limit the amount of resources
> + * (global mapping space, xenheap) a guest may use for event channels.
> + */
> +struct xen_domctl_set_max_evtchn {
> + uint32_t max_port;
> +};
> +typedef struct xen_domctl_set_max_evtchn xen_domctl_set_max_evtchn_t;
> +DEFINE_XEN_GUEST_HANDLE(xen_domctl_set_max_evtchn_t);
> +
> struct xen_domctl {
> uint32_t cmd;
> #define XEN_DOMCTL_createdomain 1
> @@ -920,6 +931,7 @@ struct xen_domctl {
> #define XEN_DOMCTL_set_broken_page_p2m 67
> #define XEN_DOMCTL_setnodeaffinity 68
> #define XEN_DOMCTL_getnodeaffinity 69
> +#define XEN_DOMCTL_set_max_evtchn 70
> #define XEN_DOMCTL_gdbsx_guestmemio 1000
> #define XEN_DOMCTL_gdbsx_pausevcpu 1001
> #define XEN_DOMCTL_gdbsx_unpausevcpu 1002
> @@ -975,6 +987,7 @@ struct xen_domctl {
> struct xen_domctl_set_access_required access_required;
> struct xen_domctl_audit_p2m audit_p2m;
> struct xen_domctl_set_virq_handler set_virq_handler;
> + struct xen_domctl_set_max_evtchn set_max_evtchn;
> struct xen_domctl_gdbsx_memio gdbsx_guest_memio;
> struct xen_domctl_set_broken_page_p2m set_broken_page_p2m;
> struct xen_domctl_gdbsx_pauseunp_vcpu gdbsx_pauseunp_vcpu;
> diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
> index ab7be82..0da0096 100644
> --- a/xen/include/xen/sched.h
> +++ b/xen/include/xen/sched.h
> @@ -291,6 +291,7 @@ struct domain
> struct evtchn *evtchn; /* first bucket only
> */
> struct evtchn **evtchn_group[NR_EVTCHN_GROUPS]; /* all other buckets
> */
> unsigned int max_evtchns;
> + unsigned int max_evtchn_port;
> spinlock_t event_lock;
> const struct evtchn_port_ops *evtchn_port_ops;
> struct evtchn_fifo_domain *evtchn_fifo;
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index fa0589a..b1e2593 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd)
> case XEN_DOMCTL_audit_p2m:
> return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M);
>
> + case XEN_DOMCTL_set_max_evtchn:
> + return current_has_perm(d, SECCLASS_DOMAIN2,
> DOMAIN2__SET_MAX_EVTCHN);
> +
> default:
> printk("flask_domctl: Unknown op %d\n", cmd);
> return -EPERM;
> diff --git a/xen/xsm/flask/policy/access_vectors
> b/xen/xsm/flask/policy/access_vectors
> index 5dfe13b..1fbe241 100644
> --- a/xen/xsm/flask/policy/access_vectors
> +++ b/xen/xsm/flask/policy/access_vectors
> @@ -194,6 +194,8 @@ class domain2
> setscheduler
> # XENMEM_claim_pages
> setclaim
> +# XEN_DOMCTL_set_max_evtchn
> + set_max_evtchn
> }
>
> # Similar to class domain, but primarily contains domctls related to HVM
> domains
> --
> 1.7.2.5
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |