
[Xen-devel] [PATCH 17/20] arch/x86: use XSM hooks for get_pg_owner access checks



Moving the access checks out of get_pg_owner() requires introducing a new XSM
hook for do_mmuext_op, which validates remote domain access there.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Cc: Keir Fraser <keir@xxxxxxx>
Cc: Jan Beulich <jbeulich@xxxxxxxx>
Cc: Tim Deegan <tim@xxxxxxx>
---
 tools/flask/policy/policy/flask/access_vectors |  1 +
 tools/flask/policy/policy/modules/xen/xen.if   |  4 ++--
 xen/arch/x86/mm.c                              | 23 +++++++----------------
 xen/include/xsm/dummy.h                        | 15 +++++++++++++++
 xen/include/xsm/xsm.h                          |  6 ++++++
 xen/xsm/dummy.c                                |  1 +
 xen/xsm/flask/hooks.c                          |  6 ++++++
 xen/xsm/flask/include/av_perm_to_string.h      |  1 +
 xen/xsm/flask/include/av_permissions.h         |  1 +
 9 files changed, 40 insertions(+), 18 deletions(-)

diff --git a/tools/flask/policy/policy/flask/access_vectors 
b/tools/flask/policy/policy/flask/access_vectors
index 2986b40..5e897e2 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -141,6 +141,7 @@ class mmu
     mfnlist
     memorymap
     remote_remap
+       mmuext_op
 }
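Review bot: The added `mmuext_op` entry is indented differently from the surrounding `mfnlist`, `memorymap` and `remote_remap` entries, which use four spaces; it looks like a tab crept in, so use `    mmuext_op` to match. The name and its position at the end of the `mmu` class agree with the 0x2000 bit and the string added to av_permissions.h and av_perm_to_string.h in this patch, so only the whitespace needs fixing.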
 
 class shadow
diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
b/tools/flask/policy/policy/modules/xen/xen.if
index 1847f23..e0c2d2d 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -7,7 +7,7 @@
 
################################################################################
 define(`declare_domain_common', `
        allow $1 $2:grant { query setup };
-       allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage 
updatemp };
+       allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage 
updatemp mmuext_op };
        allow $1 $2:hvm { getparam setparam };
 ')
 
@@ -51,7 +51,7 @@ define(`create_domain_common', `
        allow $1 $2:domain2 { set_cpuid settsc };
        allow $1 $2:security check_context;
        allow $1 $2:shadow enable;
-       allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
+       allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage 
mmuext_op };
        allow $1 $2:grant setup;
        allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc 
setparam pcilevel trackdirtyvram };
 ')
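Review bot: These rules grant mmu:mmuext_op from the creator to the new domain, and declare_domain_common grants it from a domain to `$2`, but the mm.c part of this patch drops the DOMID_XEN short-circuit in get_pg_owner, so do_mmuext_op with a DOMID_XEN or DOMID_IO foreigndom now reaches flask_mmuext_op with dom_xen or dom_io as the target. Unless xen.te already grants mmu permissions toward the dom_xen/dom_io labels under a broader rule (not visible here), a PV guest passing DOMID_IO would be denied under FLASK where it was not before. Worth confirming the policy covers those targets, or noting in xen.if that `mmuext_op` is also required toward the dom_io/dom_xen types.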
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index f16b112..692d651 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2882,11 +2882,6 @@ static struct domain *get_pg_owner(domid_t domid)
         pg_owner = rcu_lock_domain(dom_io);
         break;
     case DOMID_XEN:
-        if ( !IS_PRIV(curr) )
-        {
-            MEM_LOG("Cannot set foreign dom");
-            break;
-        }
         pg_owner = rcu_lock_domain(dom_xen);
         break;
     default:
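Review bot: With the IS_PRIV check dropped from the DOMID_XEN case, get_pg_owner now hands dom_xen (and, as before, dom_io on the line above) to any caller, and the access decision lives entirely in whichever xsm_*() hook the caller invokes afterwards; nothing in the function states that contract. A comment at the top of the function (its opening lines are outside this hunk) would make it explicit: `/* No privilege checks here: callers must pass the returned domain through the relevant xsm_*() hook before acting on it. */`. Any remaining caller of get_pg_owner that does not reach such a hook silently loses its check, so the other callers are worth grepping before this goes in.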
@@ -2895,12 +2890,6 @@ static struct domain *get_pg_owner(domid_t domid)
             MEM_LOG("Unknown domain '%u'", domid);
             break;
         }
-        if ( !IS_PRIV_FOR(curr, pg_owner) )
-        {
-            MEM_LOG("Cannot set foreign dom");
-            rcu_unlock_domain(pg_owner);
-            pg_owner = NULL;
-        }
         break;
     }
 
@@ -3008,6 +2997,13 @@ long do_mmuext_op(
         goto out;
     }
 
+    rc = xsm_mmuext_op(d, pg_owner);
+    if ( rc )
+    {
+        rcu_unlock_domain(pg_owner);
+        goto out;
+    }
+
     for ( i = 0; i < count; i++ )
     {
         if ( hypercall_preempt_check() )
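Review bot: The guest-visible error for a rejected foreign domain changes here: the removed checks in get_pg_owner made it return NULL, which this function turned into its lookup-failure code (the do_mmu_update hunk below shows the old `-ESRCH` for the privilege case), whereas the new `rc = xsm_mmuext_op(d, pg_owner)` propagates whatever the hook returns, `-EPERM` with the dummy hooks in this patch. That is arguably the better code for a denial, but it is an ABI change worth a sentence in the commit message. The denial is also no longer logged, since the `MEM_LOG("Cannot set foreign dom")` lines were removed from get_pg_owner; adding `MEM_LOG("Cannot set foreign dom");` inside the new `if ( rc )` block would preserve that diagnostic. The body of do_mmuext_op continues outside this hunk.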
@@ -3483,11 +3479,6 @@ long do_mmu_update(
             rc = -EINVAL;
             goto out;
         }
-        if ( !IS_PRIV_FOR(d, pt_owner) )
-        {
-            rc = -ESRCH;
-            goto out;
-        }
     }
 
     if ( (pg_owner = get_pg_owner((uint16_t)foreigndom)) == NULL )
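Review bot: Dropping the upfront `IS_PRIV_FOR(d, pt_owner)` check means pt_owner is now only validated inside the per-op loop, through the `t` argument of xsm_mmu_normal_update; an op type that uses pt_owner without passing it to a hook would no longer be checked (the xsm_mmu_machphys_update prototype in this patch takes only the page owner), and a zero-count call now rcu-locks an arbitrary pt_dom with no check at all. Both are probably harmless if pt_owner only matters for page-table writes, but that reasoning belongs in the commit message, together with the `-ESRCH` to `-EPERM` change a denied caller will now see from the dummy hook. The body of do_mmu_update continues outside this hunk.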
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index b26de57..a093734 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -803,18 +803,33 @@ static XSM_DEFAULT(int, domain_memory_map) (struct domain 
*d)
 static XSM_DEFAULT(int, mmu_normal_update) (struct domain *d, struct domain *t,
                                             struct domain *f, intpte_t fpte)
 {
+    if ( d != t && !IS_PRIV_FOR(d, t) )
+        return -EPERM;
+    if ( d != f && !IS_PRIV_FOR(d, f) )
+        return -EPERM;
     return 0;
 }
 
 static XSM_DEFAULT(int, mmu_machphys_update) (struct domain *d, struct domain 
*f,
                                               unsigned long mfn)
 {
+    if ( d != f && !IS_PRIV_FOR(d, f) )
+        return -EPERM;
+    return 0;
+}
+
+static XSM_DEFAULT(int, mmuext_op) (struct domain *d, struct domain *f)
+{
+    if ( d != f && !IS_PRIV_FOR(d, f) )
+        return -EPERM;
     return 0;
 }
 
 static XSM_DEFAULT(int, update_va_mapping) (struct domain *d, struct domain 
*f, 
                                                             l1_pgentry_t pte)
 {
+    if ( d != f && !IS_PRIV_FOR(d, f) )
+        return -EPERM;
     return 0;
 }
 
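Review bot: The new `d != f && !IS_PRIV_FOR(d, f)` tests are applied to the page owner `f` unconditionally, but DOMID_IO was never privilege-checked in get_pg_owner (the dom_io case is untouched in the mm.c hunk) and the previous dummy hooks returned 0, so an unprivileged PV domain could use foreigndom DOMID_IO; unless IS_PRIV_FOR special-cases dom_io (its definition is not in this patch), these hooks now turn that into -EPERM and would break I/O-memory mappings through mmu_update and update_va_mapping in the non-FLASK configuration. Carving dom_io out in each hook that receives a page owner, e.g. `if ( f != dom_io && d != f && !IS_PRIV_FOR(d, f) )`, preserves the old behaviour (dom_io is presumably visible here via xen/sched.h, as dom_xen would be). dom_xen, by contrast, was IS_PRIV-only before and is correctly covered by the new test; the page-table owner `t` in mmu_normal_update never took the DOMID_IO path, so it needs no carve-out.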
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 8226d93..cf2a7e5 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -177,6 +177,7 @@ struct xsm_operations {
     int (*mmu_normal_update) (struct domain *d, struct domain *t,
                               struct domain *f, intpte_t fpte);
     int (*mmu_machphys_update) (struct domain *d1, struct domain *d2, unsigned 
long mfn);
+    int (*mmuext_op) (struct domain *d, struct domain *f);
     int (*update_va_mapping) (struct domain *d, struct domain *f, l1_pgentry_t 
pte);
     int (*add_to_physmap) (struct domain *d1, struct domain *d2);
     int (*sendtrigger) (struct domain *d);
@@ -797,6 +798,11 @@ static inline int xsm_mmu_machphys_update (struct domain 
*d1, struct domain *d2,
     return xsm_ops->mmu_machphys_update(d1, d2, mfn);
 }
 
+static inline int xsm_mmuext_op (struct domain *d, struct domain *f)
+{
+       return xsm_ops->mmuext_op(d, f);
+}
+
 static inline int xsm_update_va_mapping(struct domain *d, struct domain *f, 
                                                             l1_pgentry_t pte)
 {
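Review bot: The body of the new inline wrapper `xsm_mmuext_op` is indented with a tab, whereas the neighbouring wrappers in this header use four spaces; change it to `    return xsm_ops->mmuext_op(d, f);` so the file stays consistent. The space before the parameter list matches the adjacent `xsm_mmu_machphys_update (` form, so the indentation is the only thing to fix.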
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 0a18d50..954f97c 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -160,6 +160,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
     set_to_dummy_if_null(ops, domain_memory_map);
     set_to_dummy_if_null(ops, mmu_normal_update);
     set_to_dummy_if_null(ops, mmu_machphys_update);
+    set_to_dummy_if_null(ops, mmuext_op);
     set_to_dummy_if_null(ops, update_va_mapping);
     set_to_dummy_if_null(ops, add_to_physmap);
     set_to_dummy_if_null(ops, remove_from_physmap);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 7da1754..dc5f67e 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1333,6 +1333,11 @@ static int flask_mmu_machphys_update(struct domain *d1, 
struct domain *d2,
     return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__UPDATEMP);
 }
 
+static int flask_mmuext_op(struct domain *d, struct domain *f)
+{
+    return domain_has_perm(d, f, SECCLASS_MMU, MMU__MMUEXT_OP);
+}
+
 static int flask_update_va_mapping(struct domain *d, struct domain *f,
                                    l1_pgentry_t pte)
 {
@@ -1620,6 +1625,7 @@ static struct xsm_operations flask_ops = {
     .domain_memory_map = flask_domain_memory_map,
     .mmu_normal_update = flask_mmu_normal_update,
     .mmu_machphys_update = flask_mmu_machphys_update,
+    .mmuext_op = flask_mmuext_op,
     .update_va_mapping = flask_update_va_mapping,
     .add_to_physmap = flask_add_to_physmap,
     .remove_from_physmap = flask_remove_from_physmap,
diff --git a/xen/xsm/flask/include/av_perm_to_string.h 
b/xen/xsm/flask/include/av_perm_to_string.h
index 5d5a45a..5d4f316 100644
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -111,6 +111,7 @@
    S_(SECCLASS_MMU, MMU__MFNLIST, "mfnlist")
    S_(SECCLASS_MMU, MMU__MEMORYMAP, "memorymap")
    S_(SECCLASS_MMU, MMU__REMOTE_REMAP, "remote_remap")
+   S_(SECCLASS_MMU, MMU__MMUEXT_OP, "mmuext_op")
    S_(SECCLASS_SHADOW, SHADOW__DISABLE, "disable")
    S_(SECCLASS_SHADOW, SHADOW__ENABLE, "enable")
    S_(SECCLASS_SHADOW, SHADOW__LOGDIRTY, "logdirty")
diff --git a/xen/xsm/flask/include/av_permissions.h 
b/xen/xsm/flask/include/av_permissions.h
index e6d6a6d..f970b50 100644
--- a/xen/xsm/flask/include/av_permissions.h
+++ b/xen/xsm/flask/include/av_permissions.h
@@ -117,6 +117,7 @@
 #define MMU__MFNLIST                              0x00000400UL
 #define MMU__MEMORYMAP                            0x00000800UL
 #define MMU__REMOTE_REMAP                         0x00001000UL
+#define MMU__MMUEXT_OP                            0x00002000UL
 
 #define SHADOW__DISABLE                           0x00000001UL
 #define SHADOW__ENABLE                            0x00000002UL
-- 
1.7.11.4

