[Xen-changelog] [xen stable-4.6] x86: enforce proper privilege when (un)mapping pIRQ-s



commit c5881c540fd27e12de2a2ac27504550527de6dde
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Oct 12 15:35:30 2017 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Oct 12 15:35:30 2017 +0200

    x86: enforce proper privilege when (un)mapping pIRQ-s
    
    (Un)mapping of IRQs, just like other RESOURCE__ADD* / RESOURCE__REMOVE*
    actions (in FLASK terms) should be XSM_DM_PRIV rather than XSM_TARGET.
    This in turn requires bypassing the XSM check in physdev_unmap_pirq()
    for the HVM emuirq case just like is being done in physdev_map_pirq().
    The primary goal security wise, however, is to no longer allow HVM
    guests, by specifying their own domain ID instead of DOMID_SELF, to
    enter code paths intended for PV guest and the control domains of HVM
    guests only.
    
    This is part of XSA-237.
    
    Reported-by: HW42 <hw42@xxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    master commit: db72faf69c94513e180568006a9d899ed422ff90
    master date: 2017-10-12 14:36:30 +0200
---
 xen/arch/x86/physdev.c  | 7 ++++---
 xen/include/xsm/dummy.h | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
index 57b7800..da66099a 100644
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -110,7 +110,7 @@ int physdev_map_pirq(domid_t domid, int type, int *index, 
int *pirq_p,
     if ( d == NULL )
         return -ESRCH;
 
-    ret = xsm_map_domain_pirq(XSM_TARGET, d);
+    ret = xsm_map_domain_pirq(XSM_DM_PRIV, d);
     if ( ret )
         goto free_domain;
 
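Review bot: the xsm_map_domain_pirq(XSM_DM_PRIV, d) call is unconditional in the visible context, while the commit message says the HVM emuirq case already bypasses the XSM check in physdev_map_pirq(). That bypass has to sit earlier in the function, outside this hunk. A short comment above the check stating that DOMID_SELF callers from HVM guests never reach it would make the pairing with the new condition in physdev_unmap_pirq() auditable from the code alone.
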
@@ -255,13 +255,14 @@ int physdev_map_pirq(domid_t domid, int type, int *index, 
int *pirq_p,
 int physdev_unmap_pirq(domid_t domid, int pirq)
 {
     struct domain *d;
-    int ret;
+    int ret = 0;
 
     d = rcu_lock_domain_by_any_id(domid);
     if ( d == NULL )
         return -ESRCH;
 
-    ret = xsm_unmap_domain_pirq(XSM_TARGET, d);
+    if ( domid != DOMID_SELF || !is_hvm_domain(d) )
+        ret = xsm_unmap_domain_pirq(XSM_DM_PRIV, d);
     if ( ret )
         goto free_domain;
 
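Review bot: the new condition `if ( domid != DOMID_SELF || !is_hvm_domain(d) )` skips the XSM check with no comment saying why, and the skip only falls through correctly because `ret` is now initialised to 0. Please add a comment that this is the HVM emuirq self-unmap case, and that an HVM guest passing its own numeric domain ID instead of DOMID_SELF is meant to take the XSM_DM_PRIV check. Nothing in this hunk shows what the unchecked caller can reach after the `if ( ret )` test, so it is worth confirming that the following code dispatches on is_hvm_domain(d) before any PV-only path.
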
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 6f6ff58..c8fc051 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -446,7 +446,7 @@ static XSM_INLINE char *xsm_show_irq_sid(int irq)
 
 static XSM_INLINE int xsm_map_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
+    XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
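Review bot: XSM_ASSERT_ACTION(XSM_DM_PRIV) in xsm_map_domain_pirq() changes only the default action in dummy.h, and the diffstat lists just physdev.c and dummy.h. Since the commit message argues in FLASK terms (RESOURCE__ADD* / RESOURCE__REMOVE*), it should state whether the FLASK side needs no change, so a reader does not have to infer it. The same point applies to xsm_unmap_domain_pirq() in the next hunk.
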
@@ -458,7 +458,7 @@ static XSM_INLINE int xsm_map_domain_irq(XSM_DEFAULT_ARG 
struct domain *d, int i
 
 static XSM_INLINE int xsm_unmap_domain_pirq(XSM_DEFAULT_ARG struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_TARGET);
+    XSM_ASSERT_ACTION(XSM_DM_PRIV);
     return xsm_default_action(action, current->domain, d);
 }
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.6

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
