
Re: [Xen-devel] [PATCH 09/11] xen: Add DOMCTL to limit the number of event channels a domain may use



On 10/04/2013 07:56 AM, David Vrabel wrote:
On 02/10/13 18:06, David Vrabel wrote:
On 02/10/13 17:35, David Vrabel wrote:

--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd)
      case XEN_DOMCTL_audit_p2m:
          return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M);

+    case XEN_DOMCTL_set_max_evtchn:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SET_MAX_EVTCHN);#

Sorry, I forgot to try a build with XSM and FLASK enabled. This should
have been SECCLASS_DOMAIN2 and DOMAIN2__SET_MAX_EVTCHN.

And here's a fixed version of the patch.

Daniel, can you review the XSM parts of this, please?

8<-----------------------------------
xen: Add DOMCTL to limit the number of event channels a domain may use

Add XEN_DOMCTL_set_max_evtchn which may be used during domain creation to
set the maximum event channel port a domain may use.  This may be used to
limit the amount of Xen resources (global mapping space and xenheap) that
a domain may use for event channels.

A domain that does not have a limit set may use all the event channels
supported by the event channel ABI in use.

Signed-off-by: David Vrabel <david.vrabel@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

With the policy changes tweaked so that it compiles (see below):
Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

---
  tools/flask/policy/policy/mls                |    2 +-
  tools/flask/policy/policy/modules/xen/xen.if |    2 +-
  tools/flask/policy/policy/modules/xen/xen.te |    2 +-
  xen/common/domctl.c                          |    8 ++++++++
  xen/common/event_channel.c                   |    7 ++++++-
  xen/include/public/domctl.h                  |   13 +++++++++++++
  xen/include/xen/sched.h                      |    1 +
  xen/xsm/flask/hooks.c                        |    3 +++
  xen/xsm/flask/policy/access_vectors          |    2 ++
  9 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/tools/flask/policy/policy/mls b/tools/flask/policy/policy/mls
index 9290a76..fb603cd 100644
--- a/tools/flask/policy/policy/mls
+++ b/tools/flask/policy/policy/mls
@@ -74,7 +74,7 @@ mlsconstrain domain { getaffinity getdomaininfo getvcpuinfo 
getvcpucontext getad
        ((l1 dom l2) or (t1 == mls_priv));

  # all the domain "write" ops
-mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus 
destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging 
hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext }
+mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus 
destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging 
hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext 
set_max_evtchn }
        ((l1 eq l2) or (t1 == mls_priv));

  # This is incomplete - similar constraints must be written for all classes
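Review bot: the set_max_evtchn permission added to the `mlsconstrain domain { ... }` rule belongs to class domain2 elsewhere in this patch (access_vectors declares it under `class domain2` and hooks.c checks DOMAIN2__SET_MAX_EVTCHN), so this constraint names a permission the domain class does not declare and the policy build will reject it. Either write it as a domain2 constraint or drop this hunk; the file's own comment, "This is incomplete - similar constraints must be written for all classes", already records that domain2 has no constraints here.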
diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
b/tools/flask/policy/policy/modules/xen/xen.if
index 97af0a8..63e40f0 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -48,7 +48,7 @@ define(`create_domain_common', `
        allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
                        getdomaininfo hypercall setvcpucontext setextvcpucontext
                        getscheduler getvcpuinfo getvcpuextstate getaddrsize
-                       getaffinity setaffinity };
+                       getaffinity setaffinity set_max_evtchn };
        allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim };
        allow $1 $2:security check_context;
        allow $1 $2:shadow enable;
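Review bot: set_max_evtchn is appended to the `allow $1 $2:domain { ... }` rule, but the hook and access_vectors in this patch place it in class domain2; move it to the `allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim };` line immediately below so that create_domain_common grants the permission the hook actually checks.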
diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
b/tools/flask/policy/policy/modules/xen/xen.te
index c89ce28..5f9de5c 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -73,7 +73,7 @@ allow dom0_t dom0_t:domain {
        getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
        setdebugging hypercall settime setaddrsize getaddrsize trigger
        getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
-       getpodtarget setpodtarget set_misc_info set_virq_handler
+       getpodtarget setpodtarget set_misc_info set_virq_handler set_max_evtchn
  };
  allow dom0_t dom0_t:domain2 {
        set_cpuid gettsc settsc setscheduler

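Review bot: same class mismatch as in xen.if: set_max_evtchn is added to the `allow dom0_t dom0_t:domain {` block, whereas the permission is declared under domain2, so it should instead be appended to the `allow dom0_t dom0_t:domain2 {` block that begins in the trailing context of this hunk.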
With the set_max_evtchn permission moved to domain2, these files also need to
be changed (just moving the addition down to domain2). The modification to mls
can be dropped: the existing domain2 controls are not present in this file, there
is already a comment noting that the constraints are incomplete, and the example
XSM policy does not use MLS.

You should be able to test the compilation using "make -C tools/flask/policy".

[...]
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index fa0589a..b1e2593 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd)
      case XEN_DOMCTL_audit_p2m:
          return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M);

+    case XEN_DOMCTL_set_max_evtchn:
+        return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_MAX_EVTCHN);
+
      default:
          printk("flask_domctl: Unknown op %d\n", cmd);
          return -EPERM;
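Review bot: SECCLASS_DOMAIN2 / DOMAIN2__SET_MAX_EVTCHN here matches the `class domain2` declaration in the access_vectors hunk, which resolves the build failure noted at the top of the mail; the three policy hunks earlier in the patch still grant set_max_evtchn under class domain, so they need the same move to domain2 for this check to pass for the toolstack domain.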
diff --git a/xen/xsm/flask/policy/access_vectors 
b/xen/xsm/flask/policy/access_vectors
index 5dfe13b..1fbe241 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -194,6 +194,8 @@ class domain2
      setscheduler
  # XENMEM_claim_pages
      setclaim
+# XEN_DOMCTL_set_max_evtchn
+    set_max_evtchn
  }

  # Similar to class domain, but primarily contains domctls related to HVM 
domains



--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
