Re: [Xen-devel] [PATCH 09/11] xen: Add DOMCTL to limit the number of event channels a domain may use
On 10/04/2013 07:56 AM, David Vrabel wrote: On 02/10/13 18:06, David Vrabel wrote:On 02/10/13 17:35, David Vrabel wrote:--- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd) case XEN_DOMCTL_audit_p2m: return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M); + case XEN_DOMCTL_set_max_evtchn: + return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SET_MAX_EVTCHN);#Sorry, I forgot to try a build with XSM and FLASK enabled. This should have been SECCLASS_DOMAIN2 and DOMAIN2__SET_MAX_EVTCHN.And here's a fixed version of the patch. Daniel, can you review the XSM parts of this, please? 8<----------------------------------- xen: Add DOMCTL to limit the number of event channels a domain may use Add XEN_DOMCTL_set_max_evtchn which may be used during domain creation to set the maximum event channel port a domain may use. This may be used to limit the amount of Xen resources (global mapping space and xenheap) that a domain may use for event channels. A domain that does not have a limit set may use all the event channels supported by the event channel ABI in use. Signed-off-by: David Vrabel <david.vrabel@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> With the policy changes tweaked so that it compiles (see below): Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> --- tools/flask/policy/policy/mls | 2 +- tools/flask/policy/policy/modules/xen/xen.if | 2 +- tools/flask/policy/policy/modules/xen/xen.te | 2 +- xen/common/domctl.c | 8 ++++++++ xen/common/event_channel.c | 7 ++++++- xen/include/public/domctl.h | 13 +++++++++++++ xen/include/xen/sched.h | 1 + xen/xsm/flask/hooks.c | 3 +++ xen/xsm/flask/policy/access_vectors | 2 ++ 9 files changed, 36 insertions(+), 4 deletions(-) diff --git a/tools/flask/policy/policy/mls b/tools/flask/policy/policy/mls index 9290a76..fb603cd 100644 --- a/tools/flask/policy/policy/mls +++ b/tools/flask/policy/policy/mls 
@@ -74,7 +74,7 @@ mlsconstrain domain { getaffinity getdomaininfo getvcpuinfo getvcpucontext getad ((l1 dom l2) or (t1 == mls_priv)); # all the domain "write" ops -mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext } +mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext set_max_evtchn } ((l1 eq l2) or (t1 == mls_priv)); # This is incomplete - similar constraints must be written for all classes diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index 97af0a8..63e40f0 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -48,7 +48,7 @@ define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext setextvcpucontext getscheduler getvcpuinfo getvcpuextstate getaddrsize - getaffinity setaffinity }; + getaffinity setaffinity set_max_evtchn }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim }; allow $1 $2:security check_context; allow $1 $2:shadow enable; diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index c89ce28..5f9de5c 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te 
@@ -73,7 +73,7 @@ allow dom0_t dom0_t:domain { getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle setdebugging hypercall settime setaddrsize getaddrsize trigger getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate - getpodtarget setpodtarget set_misc_info set_virq_handler + getpodtarget setpodtarget set_misc_info set_virq_handler set_max_evtchn }; allow dom0_t dom0_t:domain2 { set_cpuid gettsc settsc setscheduler With the set_max_evtchn permission moved to domain2, these files also need to be changed (just moving the addition down to domain2). The modification to mls can be dropped: the existing domain2 controls are not present in this file, there is already a comment noting that the constraints are incomplete, and the example XSM policy does not use MLS. You should be able to test the compilation using "make -C tools/flask/policy". [...] diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index fa0589a..b1e2593 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd) case XEN_DOMCTL_audit_p2m: return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M); + case XEN_DOMCTL_set_max_evtchn: + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_MAX_EVTCHN); + default: printk("flask_domctl: Unknown op %d\n", cmd); return -EPERM; diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 5dfe13b..1fbe241 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -194,6 +194,8 @@ class domain2 setscheduler # XENMEM_claim_pages setclaim +# XEN_DOMCTL_set_max_evtchn + set_max_evtchn } # Similar to class domain, but primarily contains domctls related to HVM domains -- Daniel De Graaf National Security Agency _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
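Review bot: In the tools/flask/policy/policy/mls hunk, set_max_evtchn is added to the "mlsconstrain domain { ... }" write-ops list, but the access_vectors hunk declares the permission under class domain2, so this constraint names a permission that class domain does not define. Drop the mls hunk, as the reply suggests. No domain2 permissions are constrained in that file, and its own comment already notes that the constraints are incomplete.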
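Review bot: In the xen.if and xen.te hunks, set_max_evtchn is appended to the "allow ... :domain { ... }" sets, while the flask_domctl hunk checks SECCLASS_DOMAIN2 with DOMAIN2__SET_MAX_EVTCHN, so the policy and the hook disagree on the class. Move the addition into the adjacent domain2 rules, that is "allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim }" in create_domain_common and the "allow dom0_t dom0_t:domain2 { ... }" set in xen.te. That lets the policy compile and gives the domain builder and dom0 the permission the hook actually tests. Rebuilding with "make -C tools/flask/policy" and with XSM and FLASK enabled would confirm both halves match.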