From: Jan Beulich Subject: domctl/XSM: drop shadow_control_op hook Integrate the checking with xsm_domctl(), now that it has the full op struct passed. As a positive side effect, permissions are then checked at the same early point with and without Flask. This is part of XSA-492. Signed-off-by: Jan Beulich Acked-by: Daniel P. Smith --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -709,10 +709,6 @@ int paging_domctl(struct domain *d, stru return -EBUSY; } - rc = xsm_shadow_control(XSM_HOOK, d, sc->op); - if ( rc ) - return rc; - /* Code to handle log-dirty. Note that some log dirty operations * piggy-back on shadow operations. For example, when * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -681,13 +681,6 @@ static XSM_INLINE int cf_check xsm_do_mc return xsm_default_action(action, current->domain, NULL); } -static XSM_INLINE int cf_check xsm_shadow_control( - XSM_DEFAULT_ARG struct domain *d, uint32_t op) -{ - XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); -} - static XSM_INLINE int cf_check xsm_mem_sharing_op( XSM_DEFAULT_ARG struct domain *d, struct domain *cd, int op) { --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -168,7 +168,6 @@ struct xsm_ops { #ifdef CONFIG_X86 int (*do_mca)(void); - int (*shadow_control)(struct domain *d, uint32_t op); int (*mem_sharing_op)(struct domain *d, struct domain *cd, int op); int (*apic)(struct domain *d, int cmd); int (*machine_memory_map)(void); @@ -656,12 +655,6 @@ static inline int xsm_do_mca(xsm_default return alternative_call(xsm_ops.do_mca); } -static inline int xsm_shadow_control( - xsm_default_t def, struct domain *d, uint32_t op) -{ - return alternative_call(xsm_ops.shadow_control, d, op); -} - static inline int xsm_mem_sharing_op( xsm_default_t def, struct domain *d, struct domain *cd, int op) { --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -124,7 +124,6 @@ static const struct xsm_ops __initconst_ .platform_op = xsm_platform_op, #ifdef CONFIG_X86 .do_mca = xsm_do_mca, - .shadow_control = xsm_shadow_control, .mem_sharing_op = xsm_mem_sharing_op, .apic = xsm_apic, .machine_memory_map = xsm_machine_memory_map, --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -40,6 +40,7 @@ #ifdef CONFIG_X86 #include +static int flask_shadow_control(struct domain *d, unsigned int op); #else #define pv_shim false #endif @@ -696,10 +697,6 @@ static int cf_check flask_domctl(struct /* These have individual XSM hooks (common/domctl.c) */ case XEN_DOMCTL_set_target: -#ifdef CONFIG_X86 - /* These have individual XSM hooks (arch/x86/domctl.c) */ - case XEN_DOMCTL_shadow_op: -#endif #ifdef CONFIG_HAS_PASSTHROUGH /* * These have individual XSM hooks @@ -784,6 +781,11 @@ static int cf_check flask_domctl(struct case XEN_DOMCTL_get_address_size: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE); +#ifdef CONFIG_X86 + case XEN_DOMCTL_shadow_op: + return flask_shadow_control(d, op->u.shadow_op.op); +#endif + case XEN_DOMCTL_mem_sharing_op: return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING); @@ -1594,7 +1596,7 @@ static int cf_check flask_do_mca(void) return domain_has_xen(current->domain, XEN__MCA_OP); } -static int cf_check flask_shadow_control(struct domain *d, uint32_t op) +static int flask_shadow_control(struct domain *d, unsigned int op) { uint32_t perm; @@ -1979,7 +1981,6 @@ static const struct xsm_ops __initconst_ .platform_op = flask_platform_op, #ifdef CONFIG_X86 .do_mca = flask_do_mca, - .shadow_control = flask_shadow_control, .mem_sharing_op = flask_mem_sharing_op, .apic = flask_apic, .machine_memory_map = flask_machine_memory_map,