|
On 30/04/14 15:24, Jan Beulich wrote:
With proper permission (and, for the I/O port case, wrap-around) checks
added (note that for the I/O port case a count of zero is now being
disallowed, in line with I/O memory handling):
XEN_DOMCTL_irq_permission:
XEN_DOMCTL_ioport_permission:
Of both IRQs and I/O ports there is only a reasonably small amount, so
there's no excess resource consumption involved here. Additionally
they both have a specialized XSM hook associated.
XEN_DOMCTL_iomem_permission:
While this also has a specialized XSM hook associated (just like
XEN_DOMCTL_{irq,ioport}_permission), it's not clear whether it's
reasonable to expect XSM to restrict the number of ranges associated
with a domain via this hook (which is the main resource consumption
item here).
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -72,9 +72,7 @@ __HYPERVISOR_domctl (xen/include/public/
* XEN_DOMCTL_getvcpucontext
* XEN_DOMCTL_max_vcpus
* XEN_DOMCTL_scheduler_op
- * XEN_DOMCTL_irq_permission
* XEN_DOMCTL_iomem_permission
- * XEN_DOMCTL_ioport_permission
* XEN_DOMCTL_gethvmcontext
* XEN_DOMCTL_sethvmcontext
* XEN_DOMCTL_set_address_size
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -72,13 +72,11 @@ long arch_do_domctl(
unsigned int np = domctl->u.ioport_permission.nr_ports;
int allow = domctl->u.ioport_permission.allow_access;
- ret = -EINVAL;
- if ( (fp + np) > 65536 )
- break;
-
- if ( np == 0 )
- ret = 0;
- else if ( xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) )
+ if ( (fp + np - 1) < fp || (fp + np) > 0x10000 )
+ ret = -EINVAL;
+ else if ( !ioports_access_permitted(current->domain,
+ fp, fp + np - 1) ||
+ xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) )
I don't see what the ioport permissions of the current domain have
to do with whether a domain is permitted to change the permissions
for another domain.
I would expect that any domain builder domains would have no ioport
permissions at all, which would cause this hypercall to
unconditionally fail with -EPERM even if the domain builder domain
is permitted to assign ioport permissions to the domain it is
building.
~Andrew
ret = -EPERM;
else if ( allow )
ret = ioports_permit_access(d, fp, fp + np - 1);
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -790,7 +790,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
if ( pirq >= d->nr_pirqs )
ret = -EINVAL;
- else if ( xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
+ else if ( !pirq_access_permitted(current->domain, pirq) ||
+ xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
ret = -EPERM;
else if ( allow )
ret = pirq_permit_access(d, pirq);
@@ -809,7 +810,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */
break;
- if ( xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) )
+ if ( !iomem_access_permitted(current->domain,
+ mfn, mfn + nr_mfns - 1) ||
+ xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) )
ret = -EPERM;
else if ( allow )
ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1);
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
