Re: [Xen-devel] [PATCH 09/11] xen: Add DOMCTL to limit the number of event channels a domain may use
On 10/04/2013 07:56 AM, David Vrabel wrote:
On 02/10/13 18:06, David Vrabel wrote:
On 02/10/13 17:35, David Vrabel wrote:
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd)
case XEN_DOMCTL_audit_p2m:
return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M);
+ case XEN_DOMCTL_set_max_evtchn:
+ return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SET_MAX_EVTCHN);#
Sorry, I forgot to try a build with XSM and FLASK enabled. This should
have been SECCLASS_DOMAIN2 and DOMAIN2__SET_MAX_EVTCHN.
And here's a fixed version of the patch.
Daniel, can you review the XSM parts of this, please?
8<-----------------------------------
xen: Add DOMCTL to limit the number of event channels a domain may use
Add XEN_DOMCTL_set_max_evtchn which may be used during domain creation to
set the maximum event channel port a domain may use. This may be used to
limit the amount of Xen resources (global mapping space and xenheap) that
a domain may use for event channels.
A domain that does not have a limit set may use all the event channels
supported by the event channel ABI in use.
Signed-off-by: David Vrabel <david.vrabel@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
With the policy changes tweaked so that it compiles (see below):
Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
tools/flask/policy/policy/mls | 2 +-
tools/flask/policy/policy/modules/xen/xen.if | 2 +-
tools/flask/policy/policy/modules/xen/xen.te | 2 +-
xen/common/domctl.c | 8 ++++++++
xen/common/event_channel.c | 7 ++++++-
xen/include/public/domctl.h | 13 +++++++++++++
xen/include/xen/sched.h | 1 +
xen/xsm/flask/hooks.c | 3 +++
xen/xsm/flask/policy/access_vectors | 2 ++
9 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/tools/flask/policy/policy/mls b/tools/flask/policy/policy/mls
index 9290a76..fb603cd 100644
--- a/tools/flask/policy/policy/mls
+++ b/tools/flask/policy/policy/mls
@@ -74,7 +74,7 @@ mlsconstrain domain { getaffinity getdomaininfo getvcpuinfo
getvcpucontext getad
((l1 dom l2) or (t1 == mls_priv));
# all the domain "write" ops
-mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus
destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging
hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext }
+mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus
destroy setaffinity scheduler setdomainmaxmem setdomainhandle setdebugging
hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext
set_max_evtchn }
((l1 eq l2) or (t1 == mls_priv));
# This is incomplete - similar constraints must be written for all classes
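Review bot: Adding set_max_evtchn to this `mlsconstrain domain { ... }` list references a permission that class domain does not define; the permission is added to class domain2 in access_vectors and checked as SECCLASS_DOMAIN2 in hooks.c, so the policy compiler will reject this constraint. This file has no domain2 constraint to move the entry into, and the comment on the following line already records that the constraints are incomplete, so dropping this hunk entirely is the consistent fix.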
diff --git a/tools/flask/policy/policy/modules/xen/xen.if
b/tools/flask/policy/policy/modules/xen/xen.if
index 97af0a8..63e40f0 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -48,7 +48,7 @@ define(`create_domain_common', `
allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
getdomaininfo hypercall setvcpucontext setextvcpucontext
getscheduler getvcpuinfo getvcpuextstate getaddrsize
- getaffinity setaffinity };
+ getaffinity setaffinity set_max_evtchn };
allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
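Review bot: set_max_evtchn is granted here under class domain, but it is defined only in class domain2 (access_vectors) and checked with SECCLASS_DOMAIN2 (hooks.c), so this rule will fail to compile. Move it to the domain2 rule on the following context line: `allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn };`.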
diff --git a/tools/flask/policy/policy/modules/xen/xen.te
b/tools/flask/policy/policy/modules/xen/xen.te
index c89ce28..5f9de5c 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -73,7 +73,7 @@ allow dom0_t dom0_t:domain {
getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
setdebugging hypercall settime setaddrsize getaddrsize trigger
getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
- getpodtarget setpodtarget set_misc_info set_virq_handler
+ getpodtarget setpodtarget set_misc_info set_virq_handler set_max_evtchn
};
allow dom0_t dom0_t:domain2 {
set_cpuid gettsc settsc setscheduler
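Review bot: Same class mismatch as in xen.if: set_max_evtchn is appended to the `dom0_t dom0_t:domain` rule, but the permission lives in class domain2, so it must go into the `allow dom0_t dom0_t:domain2 {` block shown in the trailing context instead, otherwise the policy does not build and dom0 would be denied the new domctl even after the rule is corrected elsewhere.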
With the set_max_evtchn permission moved to domain2, these files also need to be changed (just moving the addition down to domain2). The modification to mls can be dropped: the existing domain2 controls are not present in this file, there is already a comment noting that the constraints are incomplete, and the example XSM policy does not use MLS.
You should be able to test the compilation using "make -C tools/flask/policy".
[...]
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index fa0589a..b1e2593 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -727,6 +727,9 @@ static int flask_domctl(struct domain *d, int cmd)
case XEN_DOMCTL_audit_p2m:
return current_has_perm(d, SECCLASS_HVM, HVM__AUDIT_P2M);
+ case XEN_DOMCTL_set_max_evtchn:
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_MAX_EVTCHN);
+
default:
printk("flask_domctl: Unknown op %d\n", cmd);
return -EPERM;
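Review bot: The class/permission pair here (SECCLASS_DOMAIN2, DOMAIN2__SET_MAX_EVTCHN) now matches the access_vectors addition, which resolves the SECCLASS_DOMAIN build failure from the previous version; the three policy files in this patch still grant set_max_evtchn under class domain and need the corresponding move to domain2 for the check to succeed for the domain-building toolstack.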
diff --git a/xen/xsm/flask/policy/access_vectors
b/xen/xsm/flask/policy/access_vectors
index 5dfe13b..1fbe241 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -194,6 +194,8 @@ class domain2
setscheduler
# XENMEM_claim_pages
setclaim
+# XEN_DOMCTL_set_max_evtchn
+ set_max_evtchn
}
# Similar to class domain, but primarily contains domctls related to HVM
domains
--
Daniel De Graaf
National Security Agency
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel