[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver



This patch modifies the blkback driver to perform a security check (via an ACM get_decision hypercall) before connecting a vbd to a domain. While the security checks performed in the xm tools are convenient for the users, the check added here is intended to strengthen the security guarantees.

Note that the security check in blkback is only enabled when ACM_SECURITY=y in Config.mk.

Signed-off-by: Bryan D. Payne <bdpayne@xxxxxxxxxx>
Signed-off-by: Reiner Sailer <sailer@xxxxxxxxxx>




---
 Makefile                                          |    4 +
 linux-2.6-xen-sparse/arch/i386/Makefile           |    1 
 linux-2.6-xen-sparse/arch/ia64/Makefile           |    1 
 linux-2.6-xen-sparse/arch/x86_64/Makefile         |    1 
 linux-2.6-xen-sparse/drivers/xen/blkback/Makefile |    1 
 linux-2.6-xen-sparse/drivers/xen/blkback/acm.c    |   83 ++++++++++++++++++++++
 linux-2.6-xen-sparse/drivers/xen/blkback/acm.h    |   59 +++++++++++++++
 linux-2.6-xen-sparse/drivers/xen/blkback/common.h |    3 
 linux-2.6-xen-sparse/drivers/xen/blkback/vbd.c    |   11 ++
 linux-2.6-xen-sparse/drivers/xen/blkback/xenbus.c |    6 +
 10 files changed, 167 insertions(+), 3 deletions(-)

Index: xen-unstable.hg-shype/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/Makefile
+++ xen-unstable.hg-shype/Makefile
@@ -25,6 +25,10 @@ ifeq ($(XEN_TARGET_X86_PAE),y)
 export pae=y
 endif
 
+ifeq ($(ACM_SECURITY),y)
+export ACM_SECURITY=y
+endif
+
 # build and install everything into the standard system directories
 .PHONY: install
 install: install-xen install-kernels install-tools install-docs
Index: xen-unstable.hg-shype/linux-2.6-xen-sparse/arch/i386/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/linux-2.6-xen-sparse/arch/i386/Makefile
+++ xen-unstable.hg-shype/linux-2.6-xen-sparse/arch/i386/Makefile
@@ -47,6 +47,7 @@ CFLAGS += $(cflags-y)
 
 cppflags-$(CONFIG_XEN) += \
        -D__XEN_INTERFACE_VERSION__=$(CONFIG_XEN_INTERFACE_VERSION)
+cppflags-$(ACM_SECURITY) += -DACM_SECURITY
 
 CPPFLAGS += $(cppflags-y)
 
Index: xen-unstable.hg-shype/linux-2.6-xen-sparse/arch/ia64/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/linux-2.6-xen-sparse/arch/ia64/Makefile
+++ xen-unstable.hg-shype/linux-2.6-xen-sparse/arch/ia64/Makefile
@@ -45,6 +45,7 @@ CFLAGS += $(cflags-y)
 
 cppflags-$(CONFIG_XEN) += \
        -D__XEN_INTERFACE_VERSION__=$(CONFIG_XEN_INTERFACE_VERSION)
+cppflags-$(ACM_SECURITY) += -DACM_SECURITY
 
 CPPFLAGS += $(cppflags-y)
 
Index: xen-unstable.hg-shype/linux-2.6-xen-sparse/arch/x86_64/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/linux-2.6-xen-sparse/arch/x86_64/Makefile
+++ xen-unstable.hg-shype/linux-2.6-xen-sparse/arch/x86_64/Makefile
@@ -33,6 +33,7 @@ CFLAGS += $(cflags-y)
 
 cppflags-$(CONFIG_XEN) += \
        -D__XEN_INTERFACE_VERSION__=$(CONFIG_XEN_INTERFACE_VERSION)
+cppflags-$(ACM_SECURITY) += -DACM_SECURITY
 CPPFLAGS += $(cppflags-y)
 
 CFLAGS += -m64
Index: xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/linux-2.6-xen-sparse/drivers/xen/blkback/Makefile
+++ xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/Makefile
@@ -1,3 +1,4 @@
 obj-$(CONFIG_XEN_BLKDEV_BACKEND) := blkbk.o
 
 blkbk-y        := blkback.o xenbus.o interface.o vbd.o
+blkbk-$(ACM_SECURITY) += acm.o
Index: xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/acm.c
===================================================================
--- /dev/null
+++ xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/acm.c
@@ -0,0 +1,83 @@
+/******************************************************************************
+ * blkback/acm.c
+ *
+ * ACM security integration for virtual block devices.
+ *
+ * Copyright (c) 2006 IBM Corporation
+ *
+ * Author:
+ * Bryan D. Payne <bdpayne@xxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation; or, when distributed
+ * separately from the Linux kernel or incorporated into other
+ * software packages, subject to the following license:
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this source file (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software,
+ * and to permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include <xen/xenbus.h>
+#include <xen/interface/acm.h>
+#include <xen/interface/acm_ops.h>
+#include <asm/mach-xen/asm/hypervisor.h>
+
+int acm_vbd_allowed(domid_t domid, ssidref_t acm_ssidref)
+{
+       struct acm_getdecision getdecision;
+       int retval = 1;
+       int err;
+
+       getdecision.interface_version = ACM_INTERFACE_VERSION;
+       getdecision.hook = ACMHOOK_sharing;
+       getdecision.get_decision_by1 = ACM_GETBY_domainid;
+       getdecision.id1.domainid = domid;
+       getdecision.get_decision_by2 = ACM_GETBY_ssidref;
+       getdecision.id2.ssidref = acm_ssidref;
+
+       err = HYPERVISOR_acm_op(ACMOP_getdecision, &getdecision);
+       if (0 != err) {
+               printk("acm_vbd_allowed: acm_getdecision failed, denying \
+                       access to device (domid = %d, acm_ssidref = %d).\n",
+                       domid, acm_ssidref);
+               retval = 0;
+               goto exit;
+       } else if (ACM_ACCESS_DENIED == getdecision.acm_decision){
+               printk("acm_vbd_allowed:: access denied for device (domid \
+                       = %d, acm_ssidref = %d).\n", domid, acm_ssidref);
+               retval = 0;
+               goto exit;
+       }
+
+exit:
+       return retval;
+}
+
+void acm_get_ssidref(struct xenbus_device *dev, ssidref_t *acm_ssidref)
+{
+       int err = 0;
+
+       err = xenbus_scanf(
+               XBT_NIL, dev->nodename, "acm_ssidref", "%d", acm_ssidref);
+       if (err != 1){
+               *acm_ssidref = 0;
+       }
+}
+
+/* ex: set ts=8 sw=8 noexpandtab: */
Index: xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/acm.h
===================================================================
--- /dev/null
+++ xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/acm.h
@@ -0,0 +1,59 @@
+/******************************************************************************
+ * blkback/acm.h
+ *
+ * ACM security integration for virtual block devices.
+ *
+ * Copyright (c) 2006 IBM Corporation
+ *
+ * Author:
+ * Bryan D. Payne <bdpayne@xxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation; or, when distributed
+ * separately from the Linux kernel or incorporated into other
+ * software packages, subject to the following license:
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this source file (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software,
+ * and to permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include <xen/xenbus.h>
+#include <xen/interface/acm.h>
+
+
+#ifdef ACM_SECURITY
+int acm_vbd_allowed(domid_t domid, ssidref_t acm_ssidref);
+void acm_get_ssidref(struct xenbus_device *dev, ssidref_t *acm_ssidref);
+
+#else
+static inline int acm_vbd_allowed(domid_t domid, ssidref_t acm_ssidref)
+{
+       /* no security check needed if security is off, just allow */
+       return 1;
+}
+
+static inline void acm_get_ssidref(
+       struct xenbus_device *dev, ssidref_t *acm_ssidref)
+{
+       /* don't bother looking for the acm_ssidref if security is off */
+       *acm_ssidref = 0;
+}
+#endif
+
+/* ex: set ts=8 sw=8 noexpandtab: */
Index: xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/common.h
===================================================================
--- xen-unstable.hg-shype.orig/linux-2.6-xen-sparse/drivers/xen/blkback/common.h
+++ xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/common.h
@@ -40,6 +40,7 @@
 #include <asm/pgalloc.h>
 #include <xen/evtchn.h>
 #include <asm/hypervisor.h>
+#include <xen/interface/acm.h>
 #include <xen/interface/io/blkif.h>
 #include <xen/interface/io/ring.h>
 #include <xen/gnttab.h>
@@ -108,7 +109,7 @@ int blkif_map(blkif_t *blkif, unsigned l
 
 /* Create a vbd. */
 int vbd_create(blkif_t *blkif, blkif_vdev_t vdevice, unsigned major,
-              unsigned minor, int readonly);
+              unsigned minor, ssidref_t acm_ssidref, int readonly);
 void vbd_free(struct vbd *vbd);
 
 unsigned long vbd_size(struct vbd *vbd);
Index: xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/vbd.c
===================================================================
--- xen-unstable.hg-shype.orig/linux-2.6-xen-sparse/drivers/xen/blkback/vbd.c
+++ xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/vbd.c
@@ -31,6 +31,7 @@
  */
 
 #include "common.h"
+#include "acm.h"
 #include <xen/xenbus.h>
 
 #define vbd_sz(_v)   ((_v)->bdev->bd_part ?                            \
@@ -52,10 +53,11 @@ unsigned long vbd_secsize(struct vbd *vb
 }
 
 int vbd_create(blkif_t *blkif, blkif_vdev_t handle, unsigned major,
-              unsigned minor, int readonly)
+              unsigned minor, ssidref_t acm_ssidref, int readonly)
 {
        struct vbd *vbd;
        struct block_device *bdev;
+       int allowed;
 
        vbd = &blkif->vbd;
        vbd->handle   = handle; 
@@ -64,6 +66,13 @@ int vbd_create(blkif_t *blkif, blkif_vde
 
        vbd->pdevice  = MKDEV(major, minor);
 
+       allowed = acm_vbd_allowed(blkif->domid, acm_ssidref);
+       if (!allowed){
+               DPRINTK("vbd_create: ACM security denied for device %08x.\n",
+                       vbd->pdevice);
+               return -ENOENT;
+       }
+
        bdev = open_by_devnum(vbd->pdevice,
                              vbd->readonly ? FMODE_READ : FMODE_WRITE);
 
Index: xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/xenbus.c
===================================================================
--- xen-unstable.hg-shype.orig/linux-2.6-xen-sparse/drivers/xen/blkback/xenbus.c
+++ xen-unstable.hg-shype/linux-2.6-xen-sparse/drivers/xen/blkback/xenbus.c
@@ -22,6 +22,7 @@
 #include <linux/kthread.h>
 #include <xen/xenbus.h>
 #include "common.h"
+#include "acm.h"
 
 #undef DPRINTK
 #define DPRINTK(fmt, args...)                          \
@@ -225,6 +226,7 @@ static void backend_changed(struct xenbu
        int err;
        unsigned major;
        unsigned minor;
+       ssidref_t acm_ssidref;
        struct backend_info *be
                = container_of(watch, struct backend_info, backend_watch);
        struct xenbus_device *dev = be->dev;
@@ -261,6 +263,8 @@ static void backend_changed(struct xenbu
                return;
        }
 
+       acm_get_ssidref(dev, &acm_ssidref);
+
        if (be->major == 0 && be->minor == 0) {
                /* Front end dir is a number, which is used as the handle. */
 
@@ -270,7 +274,7 @@ static void backend_changed(struct xenbu
                be->major = major;
                be->minor = minor;
 
-               err = vbd_create(be->blkif, handle, major, minor,
+               err = vbd_create(be->blkif, handle, major, minor, acm_ssidref,
                                 (NULL == strchr(be->mode, 'w')));
                if (err) {
                        be->major = be->minor = 0;
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.