|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v6 05/10] xsm: add XENMEM_soft_reset support
Dummy policy just checks that the current domain is privileged,
in flask policy soft_reset is added to create_domain.
Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
---
tools/flask/policy/policy/modules/xen/xen.if | 2 +-
xen/common/memory.c | 4 ++++
xen/include/xsm/dummy.h | 7 +++++++
xen/include/xsm/xsm.h | 7 +++++++
xen/xsm/dummy.c | 1 +
xen/xsm/flask/hooks.c | 12 ++++++++++++
xen/xsm/flask/policy/access_vectors | 4 ++++
7 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.if
b/tools/flask/policy/policy/modules/xen/xen.if
index 620d151..05e1c86 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -54,7 +54,7 @@ define(`create_domain_common', `
psr_cmt_op };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
- allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
mmuext_op updatemp };
+ allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
mmuext_op updatemp soft_reset };
allow $1 $2:grant setup;
allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
setparam pcilevel trackdirtyvram nested };
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 385218c..0d163d6 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -618,6 +618,10 @@ static long
memory_soft_reset(XEN_GUEST_HANDLE_PARAM(xen_memory_soft_reset_t) ar
goto fail;
}
+ rc = xsm_memory_soft_reset(XSM_PRIV, source_d, dest_d);
+ if ( rc )
+ goto fail;
+
if ( !source_d->is_dying )
{
/*
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index f044c0f..3aa5ba2 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -193,6 +193,13 @@ static XSM_INLINE int xsm_memory_exchange(XSM_DEFAULT_ARG
struct domain *d)
return xsm_default_action(action, current->domain, d);
}
+static XSM_INLINE int xsm_memory_soft_reset(XSM_DEFAULT_ARG struct domain *d1,
+ struct domain *d2)
+{
+ XSM_ASSERT_ACTION(XSM_PRIV);
+ return xsm_default_action(action, current->domain, NULL);
+}
+
static XSM_INLINE int xsm_memory_adjust_reservation(XSM_DEFAULT_ARG struct
domain *d1,
struct domain *d2)
{
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index c872d44..872b58e 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -87,6 +87,7 @@ struct xsm_operations {
int (*get_pod_target) (struct domain *d);
int (*set_pod_target) (struct domain *d);
int (*memory_exchange) (struct domain *d);
+ int (*memory_soft_reset) (struct domain *d1, struct domain *d2);
int (*memory_adjust_reservation) (struct domain *d1, struct domain *d2);
int (*memory_stat_reservation) (struct domain *d1, struct domain *d2);
int (*memory_pin_page) (struct domain *d1, struct domain *d2, struct
page_info *page);
@@ -351,6 +352,12 @@ static inline int xsm_memory_exchange (xsm_default_t def,
struct domain *d)
return xsm_ops->memory_exchange(d);
}
+static inline int xsm_memory_soft_reset (xsm_default_t def, struct domain *d1,
+ struct domain *d2)
+{
+ return xsm_ops->memory_soft_reset(d1, d2);
+}
+
static inline int xsm_memory_adjust_reservation (xsm_default_t def, struct
domain *d1, struct
domain *d2)
{
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index e84b0e4..98b47aa 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -64,6 +64,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, set_pod_target);
set_to_dummy_if_null(ops, memory_exchange);
+ set_to_dummy_if_null(ops, memory_soft_reset);
set_to_dummy_if_null(ops, memory_adjust_reservation);
set_to_dummy_if_null(ops, memory_stat_reservation);
set_to_dummy_if_null(ops, memory_pin_page);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 11b7453..a22b646 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -383,6 +383,17 @@ static int flask_memory_exchange(struct domain *d)
return current_has_perm(d, SECCLASS_MMU, MMU__EXCHANGE);
}
+static int flask_memory_soft_reset(struct domain *d1, struct domain *d2)
+{
+ int rc;
+
+ rc = current_has_perm(d1, SECCLASS_MMU, MMU__SOFT_RESET);
+ if (rc)
+ return rc;
+
+ return current_has_perm(d2, SECCLASS_MMU, MMU__SOFT_RESET);
+}
+
static int flask_memory_adjust_reservation(struct domain *d1, struct domain
*d2)
{
return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__ADJUST);
@@ -1617,6 +1628,7 @@ static struct xsm_operations flask_ops = {
.get_pod_target = flask_get_pod_target,
.set_pod_target = flask_set_pod_target,
.memory_exchange = flask_memory_exchange,
+ .memory_soft_reset = flask_memory_soft_reset,
.memory_adjust_reservation = flask_memory_adjust_reservation,
.memory_stat_reservation = flask_memory_stat_reservation,
.memory_pin_page = flask_memory_pin_page,
diff --git a/xen/xsm/flask/policy/access_vectors
b/xen/xsm/flask/policy/access_vectors
index ea556df..6b45b05 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -366,6 +366,10 @@ class mmu
# source = domain making the hypercall
# target = domain whose pages are being exchanged
exchange
+# XENMEM_soft_reset:
+# source = source soft reset domain
+# target = destination soft reset domain
+ soft_reset
# Allow a privileged domain to install a map of a page it does not own. Used
# for stub domain device models with the PV framebuffer.
target_hack
--
1.9.3
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |