[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 17/20] arch/x86: use XSM hooks for get_pg_owner access checks
This requires introducing a new XSM hook for do_mmuext_op to validate remote domain access there. Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> Cc: Keir Fraser <keir@xxxxxxx> Cc: Jan Beulich <jbeulich@xxxxxxxx> Cc: Tim Deegan <tim@xxxxxxx> --- tools/flask/policy/policy/flask/access_vectors | 1 + tools/flask/policy/policy/modules/xen/xen.if | 4 ++-- xen/arch/x86/mm.c | 23 +++++++---------------- xen/include/xsm/dummy.h | 15 +++++++++++++++ xen/include/xsm/xsm.h | 6 ++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 6 ++++++ xen/xsm/flask/include/av_perm_to_string.h | 1 + xen/xsm/flask/include/av_permissions.h | 1 + 9 files changed, 40 insertions(+), 18 deletions(-) diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors index 2986b40..5e897e2 100644 --- a/tools/flask/policy/policy/flask/access_vectors +++ b/tools/flask/policy/policy/flask/access_vectors @@ -141,6 +141,7 @@ class mmu mfnlist memorymap remote_remap + mmuext_op } class shadow diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index 1847f23..e0c2d2d 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -7,7 +7,7 @@ ################################################################################ define(`declare_domain_common', ` allow $1 $2:grant { query setup }; - allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp }; + allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op }; allow $1 $2:hvm { getparam setparam }; ') @@ -51,7 +51,7 @@ define(`create_domain_common', ` allow $1 $2:domain2 { set_cpuid settsc }; allow $1 $2:security check_context; allow $1 $2:shadow enable; - allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage}; + allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op }; allow $1 $2:grant setup; allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc setparam pcilevel trackdirtyvram }; ') diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index f16b112..692d651 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2882,11 +2882,6 @@ static struct domain *get_pg_owner(domid_t domid) pg_owner = rcu_lock_domain(dom_io); break; case DOMID_XEN: - if ( !IS_PRIV(curr) ) - { - MEM_LOG("Cannot set foreign dom"); - break; - } pg_owner = rcu_lock_domain(dom_xen); break; default: @@ -2895,12 +2890,6 @@ static struct domain *get_pg_owner(domid_t domid) MEM_LOG("Unknown domain '%u'", domid); break; } - if ( !IS_PRIV_FOR(curr, pg_owner) ) - { - MEM_LOG("Cannot set foreign dom"); - rcu_unlock_domain(pg_owner); - pg_owner = NULL; - } break; } @@ -3008,6 +2997,13 @@ long do_mmuext_op( goto out; } + rc = xsm_mmuext_op(d, pg_owner); + if ( rc ) + { + rcu_unlock_domain(pg_owner); + goto out; + } + for ( i = 0; i < count; i++ ) { if ( hypercall_preempt_check() ) @@ -3483,11 +3479,6 @@ long do_mmu_update( rc = -EINVAL; goto out; } - if ( !IS_PRIV_FOR(d, pt_owner) ) - { - rc = -ESRCH; - goto out; - } } if ( (pg_owner = get_pg_owner((uint16_t)foreigndom)) == NULL ) diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index b26de57..a093734 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -803,18 +803,33 @@ static XSM_DEFAULT(int, domain_memory_map) (struct domain *d) static XSM_DEFAULT(int, mmu_normal_update) (struct domain *d, struct domain *t, struct domain *f, intpte_t fpte) { + if ( d != t && !IS_PRIV_FOR(d, t) ) + return -EPERM; + if ( d != f && !IS_PRIV_FOR(d, f) ) + return -EPERM; return 0; } static XSM_DEFAULT(int, mmu_machphys_update) (struct domain *d, struct domain *f, unsigned long mfn) { + if ( d != f && !IS_PRIV_FOR(d, f) ) + return -EPERM; + return 0; +} + +static XSM_DEFAULT(int, mmuext_op) (struct domain *d, struct domain *f) +{ + if ( d != f && !IS_PRIV_FOR(d, f) ) + return -EPERM; return 0; } static XSM_DEFAULT(int, update_va_mapping) (struct domain *d, struct domain *f, l1_pgentry_t pte) { + if ( d != f && !IS_PRIV_FOR(d, f) ) + return -EPERM; return 0; } diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 8226d93..cf2a7e5 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -177,6 +177,7 @@ struct xsm_operations { int (*mmu_normal_update) (struct domain *d, struct domain *t, struct domain *f, intpte_t fpte); int (*mmu_machphys_update) (struct domain *d1, struct domain *d2, unsigned long mfn); + int (*mmuext_op) (struct domain *d, struct domain *f); int (*update_va_mapping) (struct domain *d, struct domain *f, l1_pgentry_t pte); int (*add_to_physmap) (struct domain *d1, struct domain *d2); int (*sendtrigger) (struct domain *d); @@ -797,6 +798,11 @@ static inline int xsm_mmu_machphys_update (struct domain *d1, struct domain *d2, return xsm_ops->mmu_machphys_update(d1, d2, mfn); } +static inline int xsm_mmuext_op (struct domain *d, struct domain *f) +{ + return xsm_ops->mmuext_op(d, f); +} + static inline int xsm_update_va_mapping(struct domain *d, struct domain *f, l1_pgentry_t pte) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 0a18d50..954f97c 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -160,6 +160,7 @@ void xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, domain_memory_map); set_to_dummy_if_null(ops, mmu_normal_update); set_to_dummy_if_null(ops, mmu_machphys_update); + set_to_dummy_if_null(ops, mmuext_op); set_to_dummy_if_null(ops, update_va_mapping); set_to_dummy_if_null(ops, add_to_physmap); set_to_dummy_if_null(ops, remove_from_physmap); diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 7da1754..dc5f67e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1333,6 +1333,11 @@ static int flask_mmu_machphys_update(struct domain *d1, struct domain *d2, return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__UPDATEMP); } +static int flask_mmuext_op(struct domain *d, struct domain *f) +{ + return domain_has_perm(d, f, SECCLASS_MMU, MMU__MMUEXT_OP); +} + static int flask_update_va_mapping(struct domain *d, struct domain *f, l1_pgentry_t pte) { @@ -1620,6 +1625,7 @@ static struct xsm_operations flask_ops = { .domain_memory_map = flask_domain_memory_map, .mmu_normal_update = flask_mmu_normal_update, .mmu_machphys_update = flask_mmu_machphys_update, + .mmuext_op = flask_mmuext_op, .update_va_mapping = flask_update_va_mapping, .add_to_physmap = flask_add_to_physmap, .remove_from_physmap = flask_remove_from_physmap, diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h index 5d5a45a..5d4f316 100644 --- a/xen/xsm/flask/include/av_perm_to_string.h +++ b/xen/xsm/flask/include/av_perm_to_string.h @@ -111,6 +111,7 @@ S_(SECCLASS_MMU, MMU__MFNLIST, "mfnlist") S_(SECCLASS_MMU, MMU__MEMORYMAP, "memorymap") S_(SECCLASS_MMU, MMU__REMOTE_REMAP, "remote_remap") + S_(SECCLASS_MMU, MMU__MMUEXT_OP, "mmuext_op") S_(SECCLASS_SHADOW, SHADOW__DISABLE, "disable") S_(SECCLASS_SHADOW, SHADOW__ENABLE, "enable") S_(SECCLASS_SHADOW, SHADOW__LOGDIRTY, "logdirty") diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h index e6d6a6d..f970b50 100644 --- a/xen/xsm/flask/include/av_permissions.h +++ b/xen/xsm/flask/include/av_permissions.h @@ -117,6 +117,7 @@ #define MMU__MFNLIST 0x00000400UL #define MMU__MEMORYMAP 0x00000800UL #define MMU__REMOTE_REMAP 0x00001000UL +#define MMU__MMUEXT_OP 0x00002000UL #define SHADOW__DISABLE 0x00000001UL #define SHADOW__ENABLE 0x00000002UL -- 1.7.11.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |