Re: [Xen-devel] [PATCH v6 11/15] xsm, argo: XSM control for argo register
On Wed, Jan 23, 2019 at 9:07 PM Christopher Clark <christopher.w.clark@xxxxxxxxx> wrote: > > XSM controls for argo ring registration with two distinct cases, where > the ring being registered is: > > 1) Single source: registering a ring for communication to receive messages > from a specified single other domain. > Default policy: allow. > > 2) Any source: registering a ring for communication to receive messages > from any, or all, other domains (ie. wildcard). > Default policy: deny, with runtime policy configuration via bootparam. > > This commit modifies the signature of core XSM hook functions in order to > apply 'const' to arguments, needed in order for 'const' to be accepted in > signature of functions that invoke them. > > Signed-off-by: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx> > Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> > > v3 Daniel/Jan: add to the default xsm policy for the register op > v3 hoist opt_argo_mac_permissive check to allow default policy to match > non-XSM > v3 was: Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> > v3 Add Daniel's Acked-by ; note minor changes required for v4 > v3 feedback #07 Roger: use opt_argo_mac_permissive : a boolean opt > v2 feedback #9 Jan: refactor to use argo-mac bootparam at point of > introduction > v1 feedback Paul: replace use of strncmp with strcmp > v1 feedback #16 Jan: apply const to function signatures > v1 feedback #14 Jan: add blank line before return in parse_argo_mac_param > --- > tools/flask/policy/modules/guest_features.te | 6 ++++++ > xen/common/argo.c | 11 +++++++++-- > xen/include/xsm/dummy.h | 14 ++++++++++++++ > xen/include/xsm/xsm.h | 19 +++++++++++++++++++ > xen/xsm/dummy.c | 4 ++++ > xen/xsm/flask/hooks.c | 27 ++++++++++++++++++++++++--- > xen/xsm/flask/policy/access_vectors | 11 +++++++++++ > xen/xsm/flask/policy/security_classes | 1 + > 8 files changed, 88 insertions(+), 5 deletions(-) 
>
> diff --git a/tools/flask/policy/modules/guest_features.te
> b/tools/flask/policy/modules/guest_features.te
> index 9ac9780..d00769e 100644
> --- a/tools/flask/policy/modules/guest_features.te
> +++ b/tools/flask/policy/modules/guest_features.te
> @@ -5,6 +5,12 @@ allow domain_type xen_t:xen tmem_op;
> # pmu_ctrl is for)
> allow domain_type xen_t:xen2 pmu_use;
>
> +# Allow all domains:
> +# to register single-sender (unicast) rings to partner with any domain; and
> +# to register any-sender (wildcard) rings that can be sent to by any domain.
> +allow domain_type xen_t:argo { register_any_source };
> +allow domain_type domain_type:argo { register_single_source };
> +
> # Allow guest console output to the serial console. This is used by PV Linux
> # and stub domains for early boot output, so don't audit even when we deny
> it.
> # Without XSM, this is enabled only if the Xen was compiled in debug mode.
> diff --git a/xen/common/argo.c b/xen/common/argo.c
> index 2844976..914061e 100644
> --- a/xen/common/argo.c
> +++ b/xen/common/argo.c
> @@ -26,6 +26,7 @@
> #include <xen/nospec.h>
> #include <xen/sched.h>
> #include <xen/time.h>
> +#include <xsm/xsm.h>
>
> #include <public/argo.h>
>
> @@ -1677,8 +1678,10 @@ register_ring(struct domain *currd,
>
> if ( reg.partner_id == XEN_ARGO_DOMID_ANY )
> {
> - if ( !opt_argo_mac_permissive )
> - return -EPERM;
> + ret = opt_argo_mac_permissive ? xsm_argo_register_any_source(currd) :
> + -EPERM;
> + if ( ret )
> + return ret;
> }
> else
> {
> @@ -1689,6 +1692,10 @@ register_ring(struct domain *currd,
> return -ESRCH;
> }
>
> + ret = xsm_argo_register_single_source(currd, dst_d);
> + if ( ret )
> + goto out;
> +
> send_info = xzalloc(struct argo_send_info);
> if ( !send_info )
> {
> diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
> index a29d1ef..96118aa 100644
> --- a/xen/include/xsm/dummy.h
> +++ b/xen/include/xsm/dummy.h
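Review bot: The rule `allow domain_type xen_t:argo { register_any_source };` in guest_features.te grants wildcard-ring registration to every domain type in the default Flask policy, while the commit message describes the any-source case as default-deny. As far as this patch shows, the only remaining gate is `opt_argo_mac_permissive` in register_ring(), so once that boot option is permissive Flask adds no restriction of its own. The comment block should say so, for example `# Wildcard registration is still refused unless the argo-mac boot parameter permits it.`, or the wildcard rule could be left out of the default module so that a site policy has to grant it explicitly.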
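Review bot: In the `@@ -1677,8 +1678,10 @@` hunk of xen/common/argo.c, folding the boot-parameter test and the XSM hook into one two-line ternary makes the wildcard-ring decision harder to read than the early return it replaces. Keeping `if ( !opt_argo_mac_permissive ) return -EPERM;` and following it with `ret = xsm_argo_register_any_source(currd);` gives the same result with a smaller diff and shows that the boot parameter is checked before XSM is consulted. A one-line comment such as `/* Wildcard rings need both the argo-mac boot option and XSM approval. */` would record that ordering; register_ring() starts and ends outside the hunk.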
> @@ -720,6 +720,20 @@ static XSM_INLINE int xsm_dm_op(XSM_DEFAULT_ARG struct
> domain *d)
>
> #endif /* CONFIG_X86 */
>
> +#ifdef CONFIG_ARGO
> +static XSM_INLINE int xsm_argo_register_single_source(struct domain *d,
> + struct domain *t)
> +{
> + return 0;
> +}
> +
> +static XSM_INLINE int xsm_argo_register_any_source(struct domain *d)
> +{
> + return 0;
> +}
> +
> +#endif /* CONFIG_ARGO */
> +
> #include <public/version.h>
> static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op)
> {
> diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
> index 3b192b5..e32a645 100644
> --- a/xen/include/xsm/xsm.h
> +++ b/xen/include/xsm/xsm.h
> @@ -181,6 +181,11 @@ struct xsm_operations {
> #endif
> int (*xen_version) (uint32_t cmd);
> int (*domain_resource_map) (struct domain *d);
> +#ifdef CONFIG_ARGO
> + int (*argo_register_single_source) (const struct domain *d,
> + const struct domain *t);
> + int (*argo_register_any_source) (const struct domain *d);
> +#endif
> };
>
> #ifdef CONFIG_XSM
> @@ -698,6 +703,20 @@ static inline int xsm_domain_resource_map(xsm_default_t
> def, struct domain *d)
> return xsm_ops->domain_resource_map(d);
> }
>
> +#ifdef CONFIG_ARGO
> +static inline xsm_argo_register_single_source(const struct domain *d,
> + const struct domain *t)
missing return type
> +{
> + return xsm_ops->argo_register_single_source(d, t);
> +}
> +
> +static inline xsm_argo_register_any_source(const struct domain *d)
missing return type
> +{
> + return xsm_ops->argo_register_any_source(d);
> +}
> +
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
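Review bot: The dummy hooks added in xen/include/xsm/dummy.h take plain `struct domain *`, while the `xsm_operations` members and the xsm.h wrappers in this same patch take `const struct domain *`. If the dummy functions are installed into those ops pointers (xen/xsm/dummy.c is in the diffstat but not visible here), the function-pointer types would not match. Declaring them as `static XSM_INLINE int xsm_argo_register_single_source(const struct domain *d, const struct domain *t)` and `static XSM_INLINE int xsm_argo_register_any_source(const struct domain *d)` keeps all three declarations consistent with the const the commit message describes. Both dummies return 0, so a short comment that the boot parameter is the only control on wildcard rings when no XSM module is loaded would help the next reader.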