[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH RESEND v9 14/14] xen/common: do not implicitly permit access to mapped I/O memory
Currently, the XEN_DOMCTL_memory_mapping hypercall implicitly grants to a domain access permission to the I/O memory areas mapped in its guest address space. This conflicts with the presence of a specific hypercall (XEN_DOMCTL_iomem_permission) used to grant such a permission to a domain. This commit separates the functions of the two hypercalls by having only the latter be able to permit I/O memory access to a domain, and the former just performing the mapping after a permissions check on both the granting and the grantee domains. Signed-off-by: Arianna Avanzini <avanzini.arianna@xxxxxxxxx> Cc: Dario Faggioli <dario.faggioli@xxxxxxxxxx> Cc: Paolo Valente <paolo.valente@xxxxxxxxxx> Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> Cc: Julien Grall <julien.grall@xxxxxxxxxx> Cc: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx> Cc: Jan Beulich <JBeulich@xxxxxxxx> Cc: Keir Fraser <keir@xxxxxxx> Cc: Tim Deegan <tim@xxxxxxx> Cc: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Cc: Eric Trudeau <etrudeau@xxxxxxxxxxxx> Cc: Viktor Kleinik <viktor.kleinik@xxxxxxxxxxxxxxx> --- v8: - Drop iomem_permission-related changes. - Conservatively check both the granting and the grantee domains' permissions in the memory_mapping DOMCTL. - Remove tentative phrases from commit description. v7: - Let iomem_permission check if the calling domain is allowed to access memory ranges to be mapped to a domain. Remove such a check from the memory_mapping hypercall. --- xen/common/domctl.c | 36 ++++++++++-------------------------- 1 file changed, 10 insertions(+), 26 deletions(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 80b7800..04ecd53 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -917,7 +917,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) break; ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) ) + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) break; ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add); @@ -930,40 +931,23 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map:add: dom%d gfn=%lx mfn=%lx nr=%lx\n", d->domain_id, gfn, mfn, nr_mfns); - ret = iomem_permit_access(d, mfn, mfn_end); - if ( !ret ) - { - ret = map_mmio_regions(d, gfn, nr_mfns, mfn); - if ( ret ) - { - printk(XENLOG_G_WARNING - "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", - d->domain_id, gfn, mfn, nr_mfns, ret); - if ( iomem_deny_access(d, mfn, mfn_end) && - is_hardware_domain(current->domain) ) - printk(XENLOG_ERR - "memory_map: failed to deny dom%d access to [%lx,%lx]\n", - d->domain_id, mfn, mfn_end); - } - } + ret = map_mmio_regions(d, gfn, nr_mfns, mfn); + if ( ret ) + printk(XENLOG_G_WARNING + "memory_map:fail: dom%d gfn=%lx mfn=%lx nr=%lx ret:%ld\n", + d->domain_id, gfn, mfn, nr_mfns, ret); } else { - int rc = 0; - printk(XENLOG_G_INFO "memory_map:remove: dom%d gfn=%lx mfn=%lx nr=%lx\n", d->domain_id, gfn, mfn, nr_mfns); - rc = unmap_mmio_regions(d, gfn, nr_mfns, mfn); - ret = iomem_deny_access(d, mfn, mfn_end); - if ( !ret ) - ret = rc; + ret = unmap_mmio_regions(d, gfn, nr_mfns, mfn); if ( ret && is_hardware_domain(current->domain) ) printk(XENLOG_ERR - "memory_map: error %ld %s dom%d access to [%lx,%lx]\n", - ret, rc ? "removing" : "denying", d->domain_id, - mfn, mfn_end); + "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", + ret, d->domain_id, mfn, mfn_end); } /* Do this unconditionally to cover errors on above failure paths. */ memory_type_changed(d); -- 1.9.3 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |