[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Xen-devel] [PATCH v6 05/10] xsm: add XENMEM_soft_reset support
- To: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
- From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
- Date: Thu, 21 May 2015 10:25:11 -0400
- Cc: Wei Liu <wei.liu2@xxxxxxxxxx>, Andrew Jones <drjones@xxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxxxxx>, Keir Fraser <keir@xxxxxxx>, Ian Campbell <ian.campbell@xxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Olaf Hering <olaf@xxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, David Vrabel <david.vrabel@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
- Delivery-date: Thu, 21 May 2015 14:26:12 +0000
- List-id: Xen developer discussion <xen-devel.lists.xen.org>
On 05/21/2015 05:49 AM, Vitaly Kuznetsov wrote:
Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> writes:
On 05/13/2015 05:49 AM, Vitaly Kuznetsov wrote:
Dummy policy just checks that the current domain is privileged,
in flask policy soft_reset is added to create_domain.
Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
I think the FLASK policy should also check that memory can be moved
from d1 to d2, independent of the check that the toolstack can move
the memory of d1 (or d2). While I would expect that the security
contexts of d1 and d2 would be identical in most cases (and only
allow that in the example policy), there may be reasons to change
the context along with the kexec operation. The best examples I
can think of are kexec from a bootloader domain of some kind, or
an installation that transitions into an active system that needs
access to a different network or set of peer domains.
For the example, policy, I'd add something like
allow $2 $2 : mmu reset_transfer;
to the create_domain interface.
Hi Daniel, thank you for your review!
Did I get you right and you suggest we use two new vectors in MMU class
for soft reset: the first one to check that the domain making the
hypercall is allowed to do it and the second one to check that that
memory can be moved from d1 to d2? In that case the FLASK-related part
of the patch would look like that I suppose:
diff --git a/tools/flask/policy/policy/modules/xen/xen.if
b/tools/flask/policy/policy/modules/xen/xen.if
index 620d151..ab4fe7d 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -54,10 +54,12 @@ define(`create_domain_common', `
psr_cmt_op };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
- allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
mmuext_op updatemp };
+ allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
+ mmuext_op updatemp soft_reset };
allow $1 $2:grant setup;
allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
setparam pcilevel trackdirtyvram nested };
+ allow $2 $2:mmu reset_transfer;
')
# create_domain(priv, target)
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 11b7453..547d55c 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -383,6 +383,21 @@ static int flask_memory_exchange(struct domain *d)
return current_has_perm(d, SECCLASS_MMU, MMU__EXCHANGE);
}
+static int flask_memory_soft_reset(struct domain *d1, struct domain *d2)
+{
+ int rc;
+
+ rc = current_has_perm(d1, SECCLASS_MMU, MMU__SOFT_RESET);
+ if (rc)
+ return rc;
+
+ rc = current_has_perm(d2, SECCLASS_MMU, MMU__SOFT_RESET);
+ if (rc)
+ return rc;
+
+ return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__RESET_TRANSFER);
+}
+
static int flask_memory_adjust_reservation(struct domain *d1, struct domain
*d2)
{
return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__ADJUST);
@@ -1617,6 +1632,7 @@ static struct xsm_operations flask_ops = {
.get_pod_target = flask_get_pod_target,
.set_pod_target = flask_set_pod_target,
.memory_exchange = flask_memory_exchange,
+ .memory_soft_reset = flask_memory_soft_reset,
.memory_adjust_reservation = flask_memory_adjust_reservation,
.memory_stat_reservation = flask_memory_stat_reservation,
.memory_pin_page = flask_memory_pin_page,
diff --git a/xen/xsm/flask/policy/access_vectors
b/xen/xsm/flask/policy/access_vectors
index ea556df..6872c1a 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -366,6 +366,13 @@ class mmu
# source = domain making the hypercall
# target = domain whose pages are being exchanged
exchange
+# XENMEM_soft_reset:
+# source = domain making the hypercall
+# target = domain being reset (source or destination)
+ soft_reset
+# source = source domain being reset
+# target = destination domain being reset
+ reset_transfer
# Allow a privileged domain to install a map of a page it does not own. Used
# for stub domain device models with the PV framebuffer.
target_hack
[...]
Yes, this is what I was looking for. When combined with the rest of the patch:
Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
--
Daniel De Graaf
National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
