[Xen-changelog] [xen-unstable] xen: use XSM instead of IS_PRIV where duplicated
# HG changeset patch
# User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
# Date 1357898803 0
# Node ID bf1e34d665580679b02a67075f809d88f39646f8
# Parent 35a0556a7f76c9a6f616cfc9d5a82dccfe36b994
xen: use XSM instead of IS_PRIV where duplicated
The Xen hypervisor has two basic access control function calls: IS_PRIV and the xsm_* functions. Most privileged operations currently require that both checks succeed, and many times the checks are at different locations in the code. This patch eliminates the explicit and implicit IS_PRIV checks that are duplicated in XSM hooks. When XSM_ENABLE is not defined or when the dummy XSM module is used, this patch should not change any functionality. Because the locations of privilege checks have sometimes moved below argument validation, error returns of some functions may change from EPERM to EINVAL or ESRCH if called with invalid arguments and from a domain without permission to perform the operation. Some checks are removed due to non-obvious duplicates in their callers:
* acpi_enter_sleep is checked in XENPF_enter_acpi_sleep
* map_domain_pirq has IS_PRIV_FOR checked in its callers:
* physdev_map_pirq checks when acquiring the RCU lock
* ioapic_guest_write is checked in PHYSDEVOP_apic_write
* PHYSDEVOP_{manage_pci_add,manage_pci_add_ext,pci_device_add} are checked by xsm_resource_plug_pci in pci_add_device
* PHYSDEVOP_manage_pci_remove is checked by xsm_resource_unplug_pci in pci_remove_device
* PHYSDEVOP_{restore_msi,restore_msi_ext} are checked by xsm_resource_setup_pci in pci_restore_msi_state
* do_console_io has changed to IS_PRIV from an explicit domid==0
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
Committed-by: Keir Fraser <keir@xxxxxxx>
---
diff -r 35a0556a7f76 -r bf1e34d66558 xen/arch/x86/acpi/power.c
--- a/xen/arch/x86/acpi/power.c Thu Jan 10 17:32:10 2013 +0000
+++ b/xen/arch/x86/acpi/power.c Fri Jan 11 10:06:43 2013 +0000
@@ -239,7 +239,7 @@ static long enter_state_helper(void *dat */ int acpi_enter_sleep(struct xenpf_enter_acpi_sleep *sleep) { - if ( !IS_PRIV(current->domain) || !acpi_sinfo.pm1a_cnt_blk.address ) + if ( !acpi_sinfo.pm1a_cnt_blk.address ) return -EPERM; /* Sanity check */ diff -r 35a0556a7f76 -r bf1e34d66558 xen/arch/x86/cpu/mcheck/mce.c --- a/xen/arch/x86/cpu/mcheck/mce.c Thu Jan 10 17:32:10 2013 +0000 +++ b/xen/arch/x86/cpu/mcheck/mce.c Fri Jan 11 10:06:43 2013 +0000 @@ -1293,9 +1293,6 @@ long do_mca(XEN_GUEST_HANDLE_PARAM(xen_m struct xen_mc_msrinject *mc_msrinject; struct xen_mc_mceinject *mc_mceinject; - if (!IS_PRIV(v->domain) ) - return x86_mcerr(NULL, -EPERM); - ret = xsm_do_mca(); if ( ret ) return x86_mcerr(NULL, ret); diff -r 35a0556a7f76 -r bf1e34d66558 xen/arch/x86/irq.c --- a/xen/arch/x86/irq.c Thu Jan 10 17:32:10 2013 +0000 +++ b/xen/arch/x86/irq.c Fri Jan 11 10:06:43 2013 +0000 @@ -1853,8 +1853,7 @@ int map_domain_pirq( ASSERT(spin_is_locked(&d->event_lock)); if ( !IS_PRIV(current->domain) && - !(IS_PRIV_FOR(current->domain, d) && - irq_access_permitted(current->domain, pirq))) + !irq_access_permitted(current->domain, pirq)) return -EPERM; if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs ) diff -r 35a0556a7f76 -r bf1e34d66558 xen/arch/x86/mm.c --- a/xen/arch/x86/mm.c Thu Jan 10 17:32:10 2013 +0000 +++ b/xen/arch/x86/mm.c Fri Jan 11 10:06:43 2013 +0000 @@ -4493,9 +4493,6 @@ long arch_memory_op(int op, XEN_GUEST_HA XEN_GUEST_HANDLE_PARAM(e820entry_t) buffer_param; unsigned int i; - if ( !IS_PRIV(current->domain) ) - return -EINVAL; - rc = xsm_machine_memory_map(); if ( rc ) return rc; diff -r 35a0556a7f76 -r bf1e34d66558 xen/arch/x86/physdev.c --- a/xen/arch/x86/physdev.c Thu Jan 10 17:32:10 2013 +0000 +++ b/xen/arch/x86/physdev.c Fri Jan 11 10:06:43 2013 +0000 
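Review bot: In the acpi_enter_sleep hunk the remaining condition tests only for a missing PM1a control block, yet it still returns -EPERM, so the error no longer corresponds to any permission decision made in this function. The privilege check now lives entirely in the caller, which is outside this hunk, so I would record that at the top of the function, e.g. `/* Privilege is enforced by the XENPF_enter_acpi_sleep handler; only hardware state is validated here. */`. If callers do not depend on the value, a follow-up could return a code that describes the missing block rather than a denial. The function body continues past the hunk.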
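Review bot: With IS_PRIV_FOR dropped from map_domain_pirq, the only gate left here for a caller that is not fully privileged is `irq_access_permitted(current->domain, pirq)`. That lookup is keyed on `pirq`, while the range check in the next context line validates both `pirq` and `irq`, so it is worth confirming which number the access list is meant to be indexed by; I cannot tell from the hunk. Since correctness now depends on every caller having checked IS_PRIV_FOR on `d`, I would state that next to the existing ASSERT, e.g. `/* Callers must have verified that current->domain may act on d. */`. The function starts and ends outside the hunk.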
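Review bot: In the arch_memory_op hunk an unprivileged caller used to get -EINVAL from the removed check and will now get -EPERM from the dummy `xsm_machine_memory_map()` added in xen/include/xsm/dummy.h. The description says the dummy module should not change functionality and mentions only EPERM turning into EINVAL or ESRCH, so this change in the opposite direction looks unannounced. If guests are not expected to rely on the old value, a sentence in the commit message would be enough; otherwise the dummy hook would need to keep returning -EINVAL. The enclosing case block extends outside the hunk.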
@@ -109,12 +109,6 @@ int physdev_map_pirq(domid_t domid, int if ( ret ) return ret; - if ( !IS_PRIV_FOR(current->domain, d) ) - { - ret = -EPERM; - goto free_domain; - } - /* Verify or get irq. */ switch ( type ) { @@ -238,10 +232,6 @@ int physdev_unmap_pirq(domid_t domid, in goto free_domain; } - ret = -EPERM; - if ( !IS_PRIV_FOR(current->domain, d) ) - goto free_domain; - ret = xsm_unmap_domain_pirq(d, domain_pirq_to_irq(d, pirq)); if ( ret ) goto free_domain; @@ -433,9 +423,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H ret = -EFAULT; if ( copy_from_guest(&apic, arg, 1) != 0 ) break; - ret = -EPERM; - if ( !IS_PRIV(v->domain) ) - break; ret = xsm_apic(v->domain, cmd); if ( ret ) break; @@ -450,9 +437,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H ret = -EFAULT; if ( copy_from_guest(&apic, arg, 1) != 0 ) break; - ret = -EPERM; - if ( !IS_PRIV(v->domain) ) - break; ret = xsm_apic(v->domain, cmd); if ( ret ) break; @@ -467,8 +451,10 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H if ( copy_from_guest(&irq_op, arg, 1) != 0 ) break; - ret = -EPERM; - if ( !IS_PRIV(v->domain) ) + /* Use the APIC check since this dummy hypercall should still only + * be called by the domain with access to program the ioapic */ + ret = xsm_apic(v->domain, cmd); + if ( ret ) break; /* Vector is only used by hypervisor, and dom0 shouldn't @@ -517,9 +503,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H case PHYSDEVOP_manage_pci_add: { struct physdev_manage_pci manage_pci; - ret = -EPERM; - if ( !IS_PRIV(v->domain) ) - break; ret = -EFAULT; if ( copy_from_guest(&manage_pci, arg, 1) != 0 ) break; @@ -530,9 +513,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H case PHYSDEVOP_manage_pci_remove: { struct physdev_manage_pci manage_pci; - ret = -EPERM; - if ( !IS_PRIV(v->domain) ) - break; ret = -EFAULT; if ( copy_from_guest(&manage_pci, arg, 1) != 0 ) break; 
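Review bot: The comment added in the hunk at -467 says the dummy allocation call is limited to the domain allowed to program the IO-APIC, but `xsm_apic(v->domain, cmd)` receives `cmd` unchanged, so every XSM module now has to recognise a third command value in its apic hook. The FLASK hunk in this commit maps that command to XEN__READAPIC, which is the read permission rather than the one the comment's wording suggests. If that is deliberate, the comment could say so, e.g. `/* Reuse the APIC hook: this dummy hypercall is limited to domains that may access the IO-APIC. */`. The case block continues past the hunk.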
@@ -545,10 +525,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H struct physdev_manage_pci_ext manage_pci_ext; struct pci_dev_info pdev_info; - ret = -EPERM; - if ( !IS_PRIV(current->domain) ) - break; - ret = -EFAULT; if ( copy_from_guest(&manage_pci_ext, arg, 1) != 0 ) break; @@ -571,10 +547,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H struct physdev_pci_device_add add; struct pci_dev_info pdev_info; - ret = -EPERM; - if ( !IS_PRIV(current->domain) ) - break; - ret = -EFAULT; if ( copy_from_guest(&add, arg, 1) != 0 ) break; @@ -595,10 +567,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H case PHYSDEVOP_pci_device_remove: { struct physdev_pci_device dev; - ret = -EPERM; - if ( !IS_PRIV(v->domain) ) - break; - ret = -EFAULT; if ( copy_from_guest(&dev, arg, 1) != 0 ) break; @@ -610,10 +578,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H case PHYSDEVOP_pci_mmcfg_reserved: { struct physdev_pci_mmcfg_reserved info; - ret = -EPERM; - if ( !IS_PRIV(current->domain) ) - break; - ret = xsm_resource_setup_misc(); if ( ret ) break; @@ -631,10 +595,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H struct physdev_restore_msi restore_msi; struct pci_dev *pdev; - ret = -EPERM; - if ( !IS_PRIV(v->domain) ) - break; - ret = -EFAULT; if ( copy_from_guest(&restore_msi, arg, 1) != 0 ) break; @@ -650,10 +610,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H struct physdev_pci_device dev; struct pci_dev *pdev; - ret = -EPERM; - if ( !IS_PRIV(v->domain) ) - break; - ret = -EFAULT; if ( copy_from_guest(&dev, arg, 1) != 0 ) break; @@ -668,10 +624,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H case PHYSDEVOP_setup_gsi: { struct physdev_setup_gsi setup_gsi; - ret = -EPERM; - if ( !IS_PRIV(v->domain) ) - break; - ret = -EFAULT; if ( copy_from_guest(&setup_gsi, arg, 1) != 0 ) break; diff -r 35a0556a7f76 -r bf1e34d66558 xen/common/kexec.c --- a/xen/common/kexec.c Thu Jan 10 17:32:10 2013 +0000 +++ b/xen/common/kexec.c Fri Jan 11 10:06:43 2013 +0000 
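Review bot: The hunks for PHYSDEVOP_pci_device_remove (-595) and PHYSDEVOP_setup_gsi (-668) drop their IS_PRIV checks, but neither operation is in the commit description's list of non-obvious duplicates, and the XSM call that replaces the check is not visible in either hunk. Presumably they reach xsm_resource_unplug_pci via pci_remove_device and xsm_resource_setup_gsi respectively, since the dummy versions of both gain an IS_PRIV test in this commit; that should be confirmed against the full functions. For all the PCI cases authorization now happens in the callee after `copy_from_guest`, so a one-line comment in each case naming the hook, e.g. `/* Privilege: xsm_resource_unplug_pci() in pci_remove_device(). */`, would keep a later refactor from dropping the only check. The case bodies end outside the hunks.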
@@ -852,9 +852,6 @@ static int do_kexec_op_internal(unsigned unsigned long flags; int ret = -EINVAL; - if ( !IS_PRIV(current->domain) ) - return -EPERM; - ret = xsm_kexec(); if ( ret ) return ret; diff -r 35a0556a7f76 -r bf1e34d66558 xen/common/schedule.c --- a/xen/common/schedule.c Thu Jan 10 17:32:10 2013 +0000 +++ b/xen/common/schedule.c Fri Jan 11 10:06:43 2013 +0000 @@ -921,12 +921,6 @@ ret_t do_sched_op(int cmd, XEN_GUEST_HAN if ( d == NULL ) break; - if ( !IS_PRIV_FOR(current->domain, d) ) - { - rcu_unlock_domain(d); - return -EPERM; - } - ret = xsm_schedop_shutdown(current->domain, d); if ( ret ) { diff -r 35a0556a7f76 -r bf1e34d66558 xen/drivers/char/console.c --- a/xen/drivers/char/console.c Thu Jan 10 17:32:10 2013 +0000 +++ b/xen/drivers/char/console.c Fri Jan 11 10:06:43 2013 +0000 @@ -406,12 +406,6 @@ long do_console_io(int cmd, int count, X long rc; unsigned int idx, len; -#ifndef VERBOSE - /* Only domain 0 may access the emergency console. */ - if ( current->domain->domain_id != 0 ) - return -EPERM; -#endif - rc = xsm_console_io(current->domain, cmd); if ( rc ) return rc; diff -r 35a0556a7f76 -r bf1e34d66558 xen/include/xsm/dummy.h --- a/xen/include/xsm/dummy.h Thu Jan 10 17:32:10 2013 +0000 +++ b/xen/include/xsm/dummy.h Fri Jan 11 10:06:43 2013 +0000 @@ -161,6 +161,8 @@ static XSM_INLINE int xsm_pm_op(void) static XSM_INLINE int xsm_do_mca(void) { + if ( !IS_PRIV(current->domain) ) + return -EPERM; return 0; } @@ -223,6 +225,10 @@ static XSM_INLINE int xsm_memory_stat_re static XSM_INLINE int xsm_console_io(struct domain *d, int cmd) { +#ifndef VERBOSE + if ( !IS_PRIV(current->domain) ) + return -EPERM; +#endif return 0; } @@ -233,11 +239,15 @@ static XSM_INLINE int xsm_profile(struct static XSM_INLINE int xsm_kexec(void) { + if ( !IS_PRIV(current->domain) ) + return -EPERM; return 0; } static XSM_INLINE int xsm_schedop_shutdown(struct domain *d1, struct domain *d2) { + if ( !IS_PRIV_FOR(d1, d2) ) + return -EPERM; return 0; } 
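Review bot: The dummy `xsm_console_io(struct domain *d, int cmd)` ignores its `d` argument and tests `current->domain`, whereas `xsm_schedop_shutdown` and `xsm_apic` in the same header test the domains they are handed. do_console_io passes `current->domain`, so the result is the same today, but checking the parameter keeps the hook's meaning tied to its signature: `if ( !IS_PRIV(d) )`. It would also help to keep the removed explanation with the moved check, e.g. `/* Without VERBOSE, only a privileged domain may access the emergency console. */`.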
@@ -336,26 +346,36 @@ static XSM_INLINE int xsm_resource_unplu static XSM_INLINE int xsm_resource_plug_pci(uint32_t machine_bdf) { + if ( !IS_PRIV(current->domain) ) + return -EPERM; return 0; } static XSM_INLINE int xsm_resource_unplug_pci(uint32_t machine_bdf) { + if ( !IS_PRIV(current->domain) ) + return -EPERM; return 0; } static XSM_INLINE int xsm_resource_setup_pci(uint32_t machine_bdf) { + if ( !IS_PRIV(current->domain) ) + return -EPERM; return 0; } static XSM_INLINE int xsm_resource_setup_gsi(int gsi) { + if ( !IS_PRIV(current->domain) ) + return -EPERM; return 0; } static XSM_INLINE int xsm_resource_setup_misc(void) { + if ( !IS_PRIV(current->domain) ) + return -EPERM; return 0; } @@ -396,6 +416,8 @@ static XSM_INLINE int xsm_map_domain_pir static XSM_INLINE int xsm_unmap_domain_pirq(struct domain *d, int irq) { + if ( !IS_PRIV_FOR(current->domain, d) ) + return -EPERM; return 0; } @@ -494,6 +516,8 @@ static XSM_INLINE int xsm_mem_sharing(st static XSM_INLINE int xsm_apic(struct domain *d, int cmd) { + if ( !IS_PRIV(d) ) + return -EPERM; return 0; } @@ -534,6 +558,8 @@ static XSM_INLINE int xsm_efi_call(void) static XSM_INLINE int xsm_acpi_sleep(void) { + if ( !IS_PRIV(current->domain) ) + return -EPERM; return 0; } @@ -549,6 +575,8 @@ static XSM_INLINE int xsm_getidletime(vo static XSM_INLINE int xsm_machine_memory_map(void) { + if ( !IS_PRIV(current->domain) ) + return -EPERM; return 0; } diff -r 35a0556a7f76 -r bf1e34d66558 xen/xsm/flask/hooks.c --- a/xen/xsm/flask/hooks.c Thu Jan 10 17:32:10 2013 +0000 +++ b/xen/xsm/flask/hooks.c Fri Jan 11 10:06:43 2013 +0000 
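Review bot: These dummy hooks were no-ops before and are now the only privilege check for their operations when XSM is compiled out or the dummy module is in use, which is not stated anywhere in the header as far as the hunks show. A comment at the top of dummy.h along the lines of `/* These hooks implement the default IS_PRIV-based policy; a hook that returns 0 unconditionally allows any domain. */` would make that contract explicit. Hooks that appear only as hunk context here, such as xsm_map_domain_pirq, xsm_pm_op and xsm_efi_call, should be reviewed against the same contract, since their bodies are not visible in this diff.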
@@ -1141,10 +1141,11 @@ static int flask_apic(struct domain *d, switch ( cmd ) { - case PHYSDEVOP_APIC_READ: + case PHYSDEVOP_apic_read: + case PHYSDEVOP_alloc_irq_vector: perm = XEN__READAPIC; break; - case PHYSDEVOP_APIC_WRITE: + case PHYSDEVOP_apic_write: perm = XEN__WRITEAPIC; break; default: _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
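Review bot: The case labels in flask_apic change from `PHYSDEVOP_APIC_READ`/`PHYSDEVOP_APIC_WRITE` to `PHYSDEVOP_apic_read`/`PHYSDEVOP_apic_write`, which the commit description does not mention. do_physdev_op passes its `cmd` straight to `xsm_apic`, so if the uppercase names had different values the old switch would have sent the real commands to `default:`; the body of that branch is outside the hunk, so I cannot tell what it returned. A short comment above the switch, e.g. `/* Labels must be the PHYSDEVOP_* command numbers that do_physdev_op passes to xsm_apic(). */`, would document the coupling.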