
Re: [Xen-devel] [PATCH v6 13/15] xsm, argo: XSM control for any access to argo by a domain



On Wed, Jan 23, 2019 at 9:07 PM Christopher Clark
<christopher.w.clark@xxxxxxxxx> wrote:
>
> Will inhibit initialization of the domain's argo data structure to
> prevent receiving any messages or notifications and access to any of
> the argo hypercall operations.
>
> Signed-off-by: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx>
> Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>
> v3 Daniel/Jan: add to the default xsm policy for enable
> v3 Add Daniel's Acked-by
> v3 #04 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set
> v2 self: fix xsm use in soft-reset prior to introduction
> v1 #5 (#17) feedback Paul: XSM control for any access: use currd
> v1 #16 feedback Jan: apply const to function signatures
> ---
>  tools/flask/policy/modules/guest_features.te |  4 ++--
>  xen/common/argo.c                            | 10 +++++-----
>  xen/include/xsm/dummy.h                      |  5 +++++
>  xen/include/xsm/xsm.h                        |  6 ++++++
>  xen/xsm/dummy.c                              |  1 +
>  xen/xsm/flask/hooks.c                        |  7 +++++++
>  xen/xsm/flask/policy/access_vectors          |  3 +++
>  7 files changed, 29 insertions(+), 7 deletions(-)
>
> diff --git a/tools/flask/policy/modules/guest_features.te 
> b/tools/flask/policy/modules/guest_features.te
> index ca52257..fe4835d 100644
> --- a/tools/flask/policy/modules/guest_features.te
> +++ b/tools/flask/policy/modules/guest_features.te
> @@ -5,11 +5,11 @@ allow domain_type xen_t:xen tmem_op;
>  # pmu_ctrl is for)
>  allow domain_type xen_t:xen2 pmu_use;
>
> -# Allow all domains:
> +# Allow all domains to enable the Argo interdomain communication hypercall;
>  # to register single-sender (unicast) rings to partner with any domain;
>  # to register any-sender (wildcard) rings that can be sent to by any domain;
>  # and send messages to rings.
> -allow domain_type xen_t:argo { register_any_source };
> +allow domain_type xen_t:argo { enable register_any_source };
>  allow domain_type domain_type:argo { send register_single_source };
>
>  # Allow guest console output to the serial console.  This is used by PV Linux
> diff --git a/xen/common/argo.c b/xen/common/argo.c
> index 8eabf99..ba9c1d6 100644
> --- a/xen/common/argo.c
> +++ b/xen/common/argo.c
> @@ -2091,7 +2091,7 @@ do_argo_op(unsigned int cmd, 
> XEN_GUEST_HANDLE_PARAM(void) arg1,
>      argo_dprintk("->do_argo_op(%u,%p,%p,%lu,0x%lx)\n", cmd,
>                   (void *)arg1.p, (void *)arg2.p, arg3, arg4);
>
> -    if ( unlikely(!opt_argo) )
> +    if ( unlikely(!opt_argo || xsm_argo_enable(currd)) )
>          return -EOPNOTSUPP;
>
>      switch (cmd)
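Review bot: The value returned by `xsm_argo_enable(currd)` is discarded in the new guard, so an XSM denial reaches the guest as `-EOPNOTSUPP`, the same code as Argo being switched off by `opt_argo`. If that masking is deliberate, it deserves a comment above the check, for example `/* An XSM denial is deliberately reported as -EOPNOTSUPP, as if argo were off. */`; otherwise the hook's own error code should be propagated. The matching guard in the `argo_init` hunk logs "argo disabled" for both causes, which makes a policy denial hard to tell apart in debug output. The body of do_argo_op starts and ends outside this hunk.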
> @@ -2242,7 +2242,7 @@ argo_init(struct domain *d)
>  {
>      struct argo_domain *argo;
>
> -    if ( !opt_argo )
> +    if ( !opt_argo || xsm_argo_enable(d) )
>      {
>          argo_dprintk("argo disabled, domid: %u\n", d->domain_id);
>          return 0;
> @@ -2299,9 +2299,9 @@ argo_soft_reset(struct domain *d)
>          wildcard_rings_pending_remove(d);
>
>          /*
> -         * Since opt_argo cannot change at runtime, if d->argo is true then
> -         * opt_argo must be true, and we can assume that init is allowed to
> -         * proceed again here.
> +         * Since neither opt_argo or xsm_argo_enable(d) can change at 
> runtime,
> +         * if d->argo is true then both opt_argo and xsm_argo_enable(d) must 
> be
> +         * true, and we can assume that init is allowed to proceed again 
> here.
>           */
>          argo_domain_init(d->argo);
>      }
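Review bot: The rewritten comment in argo_soft_reset relies on `xsm_argo_enable(d)` never changing at runtime, which nothing in the visible code guarantees. The hook is a policy decision, so if the FLASK policy can be reloaded or the domain relabelled after creation, a domain with `d->argo` set may no longer be permitted when the reset re-initialises it. Either re-check the hook before `argo_domain_init(d->argo)` or word the comment as an invariant the policy is required to uphold. The wording is also inverted: the hook returns 0 when access is allowed (see the dummy implementation), so "must be true" should read "`xsm_argo_enable(d)` must have returned 0", and "neither ... or" should be "neither ... nor". The function body extends outside the hunk.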
> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> index 7daf1f0..56d7865 100644
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
> @@ -721,6 +721,11 @@ static XSM_INLINE int xsm_dm_op(XSM_DEFAULT_ARG struct 
> domain *d)
>  #endif /* CONFIG_X86 */
>
>  #ifdef CONFIG_ARGO
> +static XSM_INLINE int xsm_argo_enable(struct domain *d)
> +{
> +    return 0;
> +}
> +
>  static XSM_INLINE int xsm_argo_register_single_source(struct domain *d,
>                                                        struct domain *t)
>  {
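Review bot: The new dummy hook takes `struct domain *d`, while the `argo_enable` member added to `struct xsm_operations` and the wrapper in xsm.h both take `const struct domain *d`. The changelog says const was applied to the function signatures, so this one should read `static XSM_INLINE int xsm_argo_enable(const struct domain *d)`. The mismatch would presumably surface as an incompatible-pointer-type diagnostic where the dummy is installed into the ops table, though that file is not shown here. The context line for `xsm_argo_register_single_source` just below has the same non-const parameters, and its body ends outside the hunk.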
> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
> index 7c69efe..8daffae 100644
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -182,6 +182,7 @@ struct xsm_operations {
>      int (*xen_version) (uint32_t cmd);
>      int (*domain_resource_map) (struct domain *d);
>  #ifdef CONFIG_ARGO
> +    int (*argo_enable) (const struct domain *d);
>      int (*argo_register_single_source) (const struct domain *d,
>                                          const struct domain *t);
>      int (*argo_register_any_source) (const struct domain *d);
> @@ -705,6 +706,11 @@ static inline int xsm_domain_resource_map(xsm_default_t 
> def, struct domain *d)
>  }
>
>  #ifdef CONFIG_ARGO
> +static inline xsm_argo_enable(const struct domain *d)

missing return type, fails to compile with XSM enabled:
| /home/chris/git/xen/include/xsm/xsm.h:709:15: error: return type
defaults to 'int' [-Werror=implicit-int]
|  static inline xsm_argo_enable(const struct domain *d)

> +{
> +    return xsm_ops->argo_enable(d);
> +}
> +


 

