authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2013-01-11 10:46:43 +0000
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2013-01-11 10:46:43 +0000
commita655abfd8a4bf03de9c9a8d820125be8323d64f8 (patch)
treed88e4bae8739dce5e0fd4e5c030a1dd6b8ddb2b0
parent0d7f18b01f69c6b89aa3654bd2b11e24f41aaf71 (diff)
tmem: add XSM hooks
This adds a pair of XSM hooks for tmem operations: xsm_tmem_op which controls any use of tmem, and xsm_tmem_control which allows use of the TMEM_CONTROL operations. By default, all domains can use tmem while only IS_PRIV domains can use control operations. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com> Committed-by: Keir Fraser <keir@xen.org>
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te5
-rw-r--r--xen/common/tmem.c3
-rw-r--r--xen/include/xen/tmem_xen.h8
-rw-r--r--xen/include/xsm/dummy.h12
-rw-r--r--xen/include/xsm/xsm.h12
-rw-r--r--xen/xsm/dummy.c2
-rw-r--r--xen/xsm/flask/hooks.c12
-rw-r--r--xen/xsm/flask/policy/access_vectors2
8 files changed, 54 insertions, 2 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 8c77e6b1f6..c714dcb8e9 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -56,7 +56,7 @@ type device_t, resource_type;
################################################################################
allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo
- microcode cpupool_op sched_op pm_op };
+ microcode cpupool_op sched_op pm_op tmem_control };
allow dom0_t xen_t:mmu { memorymap };
allow dom0_t security_t:security { check_context compute_av compute_create
compute_member load_policy compute_relabel compute_user setenforce
@@ -74,6 +74,9 @@ domain_comms(dom0_t, dom0_t)
auditallow dom0_t security_t:security { load_policy setenforce setbool };
+# Allow all domains to use (unprivileged parts of) the tmem hypercall
+allow domain_type xen_t:xen tmem_op;
+
###############################################################################
#
# Domain creation
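Review bot: The comment above the new `allow domain_type xen_t:xen tmem_op;` rule says only the unprivileged parts of the hypercall are granted, but the `tmem_op` permission itself does not distinguish sub-operations; the restriction comes from the hypervisor requiring the separate `tmem_control` permission (added to dom0_t's xen permissions in the first hunk) for TMEM_CONTROL. Stating that explicitly would save a policy author from looking for a finer-grained permission: `# tmem_op covers the unprivileged tmem hypercall ops; TMEM_CONTROL additionally requires tmem_control (granted to dom0_t above)`.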
diff --git a/xen/common/tmem.c b/xen/common/tmem.c
index 44e27721a2..ca70e86ae9 100644
--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -2644,6 +2644,9 @@ EXPORT long do_tmem_op(tmem_cli_op_t uops)
if ( !tmem_initialized )
return -ENODEV;
+ if ( !tmh_current_permitted() )
+ return -EPERM;
+
total_tmem_ops++;
if ( tmh_lock_all )
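Review bot: `tmh_current_permitted()` collapses the XSM verdict into a boolean, so whatever error code the security module chose is discarded and replaced by a fixed -EPERM here; the same pattern is used by the rewritten `tmh_current_is_privileged` in tmem_xen.h. Propagating the hook's value, e.g. `rc = xsm_tmem_op(XSM_HOOK); if ( rc ) return rc;`, would keep the module's chosen errno, provided xsm.h is reachable from this file (tmem_xen.h now includes it). The permission check also sits after the `tmem_initialized` test, so a domain the policy denies can still distinguish -ENODEV from -EPERM and learn whether tmem is enabled; checking the policy first avoids that if the ordering is not deliberate. do_tmem_op begins before and continues past this hunk.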
diff --git a/xen/include/xen/tmem_xen.h b/xen/include/xen/tmem_xen.h
index 36a8d9f9ed..ad1ddd5605 100644
--- a/xen/include/xen/tmem_xen.h
+++ b/xen/include/xen/tmem_xen.h
@@ -16,6 +16,7 @@
#include <xen/guest_access.h> /* copy_from_guest */
#include <xen/hash.h> /* hash_long */
#include <xen/domain_page.h> /* __map_domain_page */
+#include <xsm/xsm.h> /* xsm_tmem_control */
#include <public/tmem.h>
#ifdef CONFIG_COMPAT
#include <compat/tmem.h>
@@ -326,9 +327,14 @@ static inline bool_t tmh_set_client_from_id(
return rc;
}
+static inline bool_t tmh_current_permitted(void)
+{
+ return !xsm_tmem_op(XSM_HOOK);
+}
+
static inline bool_t tmh_current_is_privileged(void)
{
- return IS_PRIV(current->domain);
+ return !xsm_tmem_control(XSM_PRIV);
}
static inline uint8_t tmh_get_first_byte(pfp_t *pfp)
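Review bot: `tmh_current_permitted` and the rewritten `tmh_current_is_privileged` both return the negated XSM result without a comment, and the name `tmh_current_is_privileged` no longer describes an IS_PRIV test but a policy decision on the tmem_control permission. A one-line comment on each would make that visible to callers: `/* Policy allows the current domain to issue any tmem op (XSM errno inverted to bool). */` and `/* Policy allows the current domain to issue TMEM_CONTROL ops; no longer tied to IS_PRIV. */`. The new `#include <xsm/xsm.h>` in the first hunk is pulled into every consumer of tmem_xen.h, which is presumably harmless as long as xsm.h has no dependency back on the tmem headers.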
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 4f75674da8..2c750de4f5 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -371,6 +371,18 @@ static XSM_INLINE int xsm_page_offline(XSM_DEFAULT_ARG uint32_t cmd)
return xsm_default_action(action, current->domain, NULL);
}
+static XSM_INLINE int xsm_tmem_op(XSM_DEFAULT_VOID)
+{
+ XSM_ASSERT_ACTION(XSM_HOOK);
+ return xsm_default_action(action, current->domain, NULL);
+}
+
+static XSM_INLINE int xsm_tmem_control(XSM_DEFAULT_VOID)
+{
+ XSM_ASSERT_ACTION(XSM_PRIV);
+ return xsm_default_action(action, current->domain, NULL);
+}
+
static XSM_INLINE long xsm_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
return -ENOSYS;
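Review bot: The two new dummy hooks carry no comment stating the default policy they implement; per the commit description `xsm_tmem_op` with XSM_HOOK allows any domain and `xsm_tmem_control` with XSM_PRIV only a privileged one, and since both pass NULL as the target the decision rests solely on `current->domain`. Suggest `/* Default: any domain may use the tmem hypercall. */` on the first and `/* Default: only privileged domains may issue TMEM_CONTROL (replaces the former IS_PRIV test). */` on the second. The body of xsm_default_action is outside this hunk, so the exact meaning of XSM_HOOK versus XSM_PRIV is inferred from the commit message rather than visible here.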
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 17b08996c9..ce5ede8fac 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -119,6 +119,8 @@ struct xsm_operations {
int (*resource_setup_misc) (void);
int (*page_offline)(uint32_t cmd);
+ int (*tmem_op)(void);
+ int (*tmem_control)(void);
long (*do_xsm_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
@@ -441,6 +443,16 @@ static inline int xsm_page_offline(xsm_default_t def, uint32_t cmd)
return xsm_ops->page_offline(cmd);
}
+static inline int xsm_tmem_op(xsm_default_t def)
+{
+ return xsm_ops->tmem_op();
+}
+
+static inline int xsm_tmem_control(xsm_default_t def)
+{
+ return xsm_ops->tmem_control();
+}
+
static inline long xsm_do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
return xsm_ops->do_xsm_op(op);
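Review bot: The new `tmem_op` and `tmem_control` members of struct xsm_operations in the first hunk have no comment on their contract; the neighbouring entries do not either, so this is a point of style rather than a defect, but the tmem pair would benefit from `/* Return 0 to permit, non-zero errno to deny; evaluated against current->domain, no target. */`, which matches how the caller in tmem_xen.h treats the result (`!xsm_tmem_op(XSM_HOOK)`). In the inline wrappers the `def` argument is unused, exactly as in the adjacent xsm_page_offline, so that is consistent with the file.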
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index e254251d15..22c66e534b 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -94,6 +94,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, resource_setup_misc);
set_to_dummy_if_null(ops, page_offline);
+ set_to_dummy_if_null(ops, tmem_op);
+ set_to_dummy_if_null(ops, tmem_control);
set_to_dummy_if_null(ops, do_xsm_op);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index f7309fd760..222ab3e651 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1017,6 +1017,16 @@ static inline int flask_page_offline(uint32_t cmd)
}
}
+static inline int flask_tmem_op(void)
+{
+ return domain_has_xen(current->domain, XEN__TMEM_OP);
+}
+
+static inline int flask_tmem_control(void)
+{
+ return domain_has_xen(current->domain, XEN__TMEM_CONTROL);
+}
+
#ifdef CONFIG_X86
static int flask_shadow_control(struct domain *d, uint32_t op)
{
@@ -1456,6 +1466,8 @@ static struct xsm_operations flask_ops = {
.resource_setup_misc = flask_resource_setup_misc,
.page_offline = flask_page_offline,
+ .tmem_op = flask_tmem_op,
+ .tmem_control = flask_tmem_control,
.do_xsm_op = do_flask_op,
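Review bot: `flask_tmem_op` and `flask_tmem_control` are declared `static inline`, yet their addresses are stored in flask_ops in the second hunk, so the `inline` hint has no effect there; it matches the neighbouring flask_page_offline, but plain `static int` as used by flask_shadow_control just below is the more accurate spelling. Both hooks check only `current->domain` against the xen class permission, which is consistent with the dummy hooks taking no target domain.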
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index caf65d2d89..7a7e253a93 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -35,6 +35,8 @@ class xen
lockprof
cpupool_op
sched_op
+ tmem_op
+ tmem_control
}
class domain