[Xen-changelog] [xen staging] xsm, argo: XSM control for argo message send operation
commit 4c0526b739975604d1c73cb3c3eb89281fda0aa4 Author: Christopher Clark <christopher.w.clark@xxxxxxxxx> AuthorDate: Wed Feb 6 10:02:00 2019 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Thu Feb 7 14:26:11 2019 +0100 xsm, argo: XSM control for argo message send operation Default policy: allow. Signed-off-by: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx> Reviewed-by: Paul Durrant <paul.durrant@xxxxxxxxxx> Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> Tested-by: Chris Patterson <pattersonc@xxxxxxxxxxxx> Release-acked-by: Juergen Gross <jgross@xxxxxxxx> --- tools/flask/policy/modules/guest_features.te | 7 ++++--- xen/common/argo.c | 11 +++++++++++ xen/include/xsm/dummy.h | 6 ++++++ xen/include/xsm/xsm.h | 6 ++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 7 +++++++ xen/xsm/flask/policy/access_vectors | 2 ++ 7 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/tools/flask/policy/modules/guest_features.te b/tools/flask/policy/modules/guest_features.te
index d00769e1d2..ca52257ca4 100644
--- a/tools/flask/policy/modules/guest_features.te
+++ b/tools/flask/policy/modules/guest_features.te
@@ -6,10 +6,11 @@ allow domain_type xen_t:xen tmem_op;
 allow domain_type xen_t:xen2 pmu_use;
 # Allow all domains:
-# to register single-sender (unicast) rings to partner with any domain; and
-# to register any-sender (wildcard) rings that can be sent to by any domain.
+# to register single-sender (unicast) rings to partner with any domain;
+# to register any-sender (wildcard) rings that can be sent to by any domain;
+# and send messages to rings.
 allow domain_type xen_t:argo { register_any_source };
-allow domain_type domain_type:argo { register_single_source };
+allow domain_type domain_type:argo { send register_single_source };
 # Allow guest console output to the serial console. This is used by PV Linux
 # and stub domains for early boot output, so don't audit even when we deny it.
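Review bot: Folding `send` into the existing `register_single_source` rule means a site that wants to narrow who may send, while keeping ring registration open, has to rewrite the combined rule rather than drop one line. Splitting it keeps the two grants independently adjustable: `allow domain_type domain_type:argo { register_single_source };` and `allow domain_type domain_type:argo { send };`. With the rule as written every domain_type may send to every other, so under this example policy the new hook permits all senders, which matches the commit's stated default of allow.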
diff --git a/xen/common/argo.c b/xen/common/argo.c
index 1a9a0e8013..ce42e69d88 100644
--- a/xen/common/argo.c
+++ b/xen/common/argo.c
@@ -1990,6 +1990,17 @@ sendv(struct domain *src_d, xen_argo_addr_t *src_addr,
 if ( !dst_d )
 return -ESRCH;
+ ret = xsm_argo_send(src_d, dst_d);
+ if ( ret )
+ {
+ gprintk(XENLOG_ERR, "argo: XSM REJECTED %i -> %i\n",
+ src_d->domain_id, dst_d->domain_id);
+
+ put_domain(dst_d);
+
+ return ret;
+ }
+
 read_lock(&L1_global_argo_rwlock);
 if ( !src_d->argo )
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 9abfd69762..9ae69ccac5 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -732,6 +732,12 @@ static XSM_INLINE int xsm_argo_register_any_source(const struct domain *d)
 return 0;
 }
+static XSM_INLINE int xsm_argo_send(const struct domain *d,
+ const struct domain *t)
+{
+ return 0;
+}
+
 #endif /* CONFIG_ARGO */
 #include <public/version.h>
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 0b40714245..4211892dc4 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -185,6 +185,7 @@ struct xsm_operations {
 int (*argo_register_single_source) (const struct domain *d,
 const struct domain *t);
 int (*argo_register_any_source) (const struct domain *d);
+ int (*argo_send) (const struct domain *d, const struct domain *t);
 #endif
 };
@@ -715,6 +716,11 @@ static inline int xsm_argo_register_any_source(const struct domain *d)
 return xsm_ops->argo_register_any_source(d);
 }
+static inline int xsm_argo_send(const struct domain *d, const struct domain *t)
+{
+ return xsm_ops->argo_send(d, t);
+}
+
 #endif /* CONFIG_ARGO */
 #endif /* XSM_NO_WRAPPERS */
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index ed236b09b3..ffac774126 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
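Review bot: The rejection path in the xen/common/argo.c hunk logs at error level on every denied call: `gprintk(XENLOG_ERR, "argo: XSM REJECTED %i -> %i\n",` is reached whenever a sender that policy denies issues a send, so the line is guest-triggerable and, under Flask, presumably duplicates the AVC denial record. A lower level such as `gprintk(XENLOG_DEBUG, ...)` would keep it available for debugging without making a policy denial look like a hypervisor error. Separately, the check runs after the `-ESRCH` return for a missing destination, so a denied sender still learns from the error code whether a domain id exists; if that matters for the intended policy it deserves a comment here. The reference handling on the new path looks balanced, since `put_domain(dst_d)` precedes the return. sendv starts and ends outside this hunk.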
@@ -155,5 +155,6 @@ void __init xsm_fixup_ops (struct xsm_operations *ops)
 #ifdef CONFIG_ARGO
 set_to_dummy_if_null(ops, argo_register_single_source);
 set_to_dummy_if_null(ops, argo_register_any_source);
+ set_to_dummy_if_null(ops, argo_send);
 #endif
 }
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index fcb74871d9..76c012c6e7 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1732,6 +1732,12 @@ static int flask_argo_register_any_source(const struct domain *d)
 return avc_has_perm(domain_sid(d), SECINITSID_XEN, SECCLASS_ARGO, ARGO__REGISTER_ANY_SOURCE, NULL);
 }
+
+static int flask_argo_send(const struct domain *d, const struct domain *t)
+{
+ return domain_has_perm(d, t, SECCLASS_ARGO, ARGO__SEND);
+}
+
 #endif
 long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op);
@@ -1871,6 +1877,7 @@ static struct xsm_operations flask_ops = {
 #ifdef CONFIG_ARGO
 .argo_register_single_source = flask_argo_register_single_source,
 .argo_register_any_source = flask_argo_register_any_source,
+ .argo_send = flask_argo_send,
 #endif
 };
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index fb95c97418..f6c5377060 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -541,4 +541,6 @@ class argo
 # Domain requesting registration of a communication ring
 # to receive messages from any other domain.
 register_any_source
+ # Domain sending a message to another domain.
+ send
 }
-- generated by git-patchbot for /home/xen/git/xen.git#staging _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
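Review bot: flask_argo_send in xen/xsm/flask/hooks.c has no comment saying which argument is the sender and which the receiver, and the `d`/`t` names carry that only by convention; the call site added in this commit passes them as `xsm_argo_send(src_d, dst_d)`. A one-line comment above the function, for example `/* d: sending (source) domain, t: destination (target) domain */`, would keep a later caller from swapping them, which would check the `send` permission in the reverse direction without any compile-time signal. The same comment would fit the `argo_send` member added to struct xsm_operations in xsm.h.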