authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2011-12-18 14:33:48 +0000
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2011-12-18 14:33:48 +0000
commit875756ca34fabc7243c4a682ffd7008710a907e2 (patch)
treec4992e378b41a03f691fe756a5c3343b62381db9 /xen/xsm
parent4c1b911bbcd97fb68b4a9e0903a6644e50adda01 (diff)
downloadxen-875756ca34fabc7243c4a682ffd7008710a907e2.tar.gz
xen-875756ca34fabc7243c4a682ffd7008710a907e2.tar.bz2
xen-875756ca34fabc7243c4a682ffd7008710a907e2.zip
xsm: Add missing access checks
Actions requiring IS_PRIV should also require some XSM access control in order for XSM to be useful in confining multiple privileged domains. Add XSM hooks for new hypercalls and sub-commands that are under IS_PRIV but not currently under any access checks. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Diffstat (limited to 'xen/xsm')
-rw-r--r--xen/xsm/flask/hooks.c221
-rw-r--r--xen/xsm/flask/include/av_perm_to_string.h14
-rw-r--r--xen/xsm/flask/include/av_permissions.h14
3 files changed, 248 insertions, 1 deletions
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 04c2f687ad..efe52bbc4b 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -368,6 +368,16 @@ static int get_mfn_sid(unsigned long mfn, u32 *sid)
return rc;
}
+static int flask_get_pod_target(struct domain *d)
+{
+ return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__GETPODTARGET);
+}
+
+static int flask_set_pod_target(struct domain *d)
+{
+ return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__SETPODTARGET);
+}
+
static int flask_memory_adjust_reservation(struct domain *d1, struct domain *d2)
{
return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__ADJUST);
@@ -582,6 +592,11 @@ static int flask_set_target(struct domain *d, struct domain *e)
return domain_has_perm(d, e, SECCLASS_DOMAIN, DOMAIN__SET_TARGET);
}
+static int flask_domctl(struct domain *d, int cmd)
+{
+ return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO);
+}
+
static int flask_tbufcontrol(void)
{
return domain_has_xen(current->domain, XEN__TBUFCONTROL);
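Review bot: flask_domctl ignores its `cmd` argument, so every domctl sub-command that falls through to this hook is checked under the single permission DOMAIN__SET_MISC_INFO regardless of what the sub-command does; a policy cannot grant a domain one of these fallback operations without granting all of them. If that coarseness is intended as a stop-gap, say so at the definition so later readers do not assume per-command granularity: `/* Catch-all for domctl sub-ops without a dedicated permission; cmd is deliberately ignored — add a specific DOMAIN__ perm before relying on this for separation. */`. Otherwise switch on `cmd` and map the known sub-commands to distinct permissions as flask_hvm_param does.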
@@ -635,6 +650,26 @@ static int flask_availheap(void)
return domain_has_xen(current->domain, XEN__HEAP);
}
+static int flask_get_pmstat(void)
+{
+ return domain_has_xen(current->domain, XEN__PM_OP);
+}
+
+static int flask_setpminfo(void)
+{
+ return domain_has_xen(current->domain, XEN__PM_OP);
+}
+
+static int flask_pm_op(void)
+{
+ return domain_has_xen(current->domain, XEN__PM_OP);
+}
+
+static int flask_do_mca(void)
+{
+ return domain_has_xen(current->domain, XEN__MCA_OP);
+}
+
static inline u32 resource_to_perm(uint8_t access)
{
if ( access )
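Review bot: flask_get_pmstat, flask_setpminfo and flask_pm_op all check the same XEN__PM_OP bit, so a domain that only needs to read power-management statistics must be granted the ability to change power-management state as well. If read and write are meant to be separable under policy, give the stat path its own permission (e.g. an `XEN__PM_STAT` alongside `XEN__PM_OP`) or, if the collapse is deliberate, document it: `/* get_pmstat shares pm_op: reading PM stats is treated as PM control. */`. The same question applies to flask_do_mca, where one XEN__MCA_OP bit presumably covers both querying and injecting machine-check state — confirm against the MCA sub-ops.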
@@ -727,6 +762,135 @@ static int flask_iomem_permission(struct domain *d, uint64_t start, uint64_t end
return security_iterate_iomem_sids(start, end, _iomem_has_perm, &data);
}
+static int flask_resource_plug_core(void)
+{
+ struct domain_security_struct *ssec;
+
+ ssec = current->domain->ssid;
+ return avc_has_perm(ssec->sid, SECINITSID_DOMXEN, SECCLASS_RESOURCE, RESOURCE__PLUG, NULL);
+}
+
+static int flask_resource_unplug_core(void)
+{
+ struct domain_security_struct *ssec;
+
+ ssec = current->domain->ssid;
+ return avc_has_perm(ssec->sid, SECINITSID_DOMXEN, SECCLASS_RESOURCE, RESOURCE__UNPLUG, NULL);
+}
+
+static int flask_resource_use_core(void)
+{
+ struct domain_security_struct *ssec;
+
+ ssec = current->domain->ssid;
+ return avc_has_perm(ssec->sid, SECINITSID_DOMXEN, SECCLASS_RESOURCE, RESOURCE__USE, NULL);
+}
+
+static int flask_resource_plug_pci(uint32_t machine_bdf)
+{
+ u32 rsid;
+ int rc = -EPERM;
+ struct avc_audit_data ad;
+ struct domain_security_struct *ssec;
+
+ rc = security_device_sid(machine_bdf, &rsid);
+ if ( rc )
+ return rc;
+
+ AVC_AUDIT_DATA_INIT(&ad, DEV);
+ ad.device = (unsigned long) machine_bdf;
+ ssec = current->domain->ssid;
+ return avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__PLUG, &ad);
+}
+
+static int flask_resource_unplug_pci(uint32_t machine_bdf)
+{
+ u32 rsid;
+ int rc = -EPERM;
+ struct avc_audit_data ad;
+ struct domain_security_struct *ssec;
+
+ rc = security_device_sid(machine_bdf, &rsid);
+ if ( rc )
+ return rc;
+
+ AVC_AUDIT_DATA_INIT(&ad, DEV);
+ ad.device = (unsigned long) machine_bdf;
+ ssec = current->domain->ssid;
+ return avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__UNPLUG, &ad);
+}
+
+static int flask_resource_setup_pci(uint32_t machine_bdf)
+{
+ u32 rsid;
+ int rc = -EPERM;
+ struct avc_audit_data ad;
+ struct domain_security_struct *ssec;
+
+ rc = security_device_sid(machine_bdf, &rsid);
+ if ( rc )
+ return rc;
+
+ AVC_AUDIT_DATA_INIT(&ad, DEV);
+ ad.device = (unsigned long) machine_bdf;
+ ssec = current->domain->ssid;
+ return avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__SETUP, &ad);
+}
+
+static int flask_resource_setup_gsi(int gsi)
+{
+ u32 rsid;
+ int rc = -EPERM;
+ struct avc_audit_data ad;
+ struct domain_security_struct *ssec;
+
+ rc = security_irq_sid(gsi, &rsid);
+ if ( rc )
+ return rc;
+
+ AVC_AUDIT_DATA_INIT(&ad, IRQ);
+ ad.irq = gsi;
+ ssec = current->domain->ssid;
+ return avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__SETUP, &ad);
+}
+
+static int flask_resource_setup_misc(void)
+{
+ struct domain_security_struct *ssec;
+
+ ssec = current->domain->ssid;
+ return avc_has_perm(ssec->sid, SECINITSID_XEN, SECCLASS_RESOURCE, RESOURCE__SETUP, NULL);
+}
+
+static inline int flask_page_offline(uint32_t cmd)
+{
+ switch (cmd) {
+ case sysctl_page_offline:
+ return flask_resource_unplug_core();
+ case sysctl_page_online:
+ return flask_resource_plug_core();
+ case sysctl_query_page_offline:
+ return flask_resource_use_core();
+ default:
+ return -EPERM;
+ }
+}
+
+static inline int flask_lockprof(void)
+{
+ return domain_has_xen(current->domain, XEN__LOCKPROF);
+}
+
+static inline int flask_cpupool_op(void)
+{
+ return domain_has_xen(current->domain, XEN__CPUPOOL_OP);
+}
+
+static inline int flask_sched_op(void)
+{
+ return domain_has_xen(current->domain, XEN__SCHED_OP);
+}
+
static int flask_perfcontrol(void)
{
return domain_has_xen(current->domain, XEN__PERFCONTROL);
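Review bot: `int rc = -EPERM;` in flask_resource_plug_pci, flask_resource_unplug_pci, flask_resource_setup_pci and flask_resource_setup_gsi is dead — `rc` is unconditionally overwritten by the `security_*_sid()` call on the next statement, so the initializer suggests a fallback that never happens. The three PCI helpers are otherwise identical except for the permission bit, which invites copy-paste drift; a single static helper taking the permission keeps the audit-data setup in one place. The fence below shows the helper and one wrapper; unplug and setup become the same one-liner with RESOURCE__UNPLUG and RESOURCE__SETUP.
```c
/* Check `perm` on the PCI device at machine_bdf, recording the BDF in the audit data. */
static int flask_resource_pci_perm(uint32_t machine_bdf, u32 perm)
{
    u32 rsid;
    int rc;
    struct avc_audit_data ad;
    struct domain_security_struct *ssec = current->domain->ssid;

    rc = security_device_sid(machine_bdf, &rsid);
    if ( rc )
        return rc;

    AVC_AUDIT_DATA_INIT(&ad, DEV);
    ad.device = (unsigned long) machine_bdf;
    return avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, &ad);
}

static int flask_resource_plug_pci(uint32_t machine_bdf)
{
    return flask_resource_pci_perm(machine_bdf, RESOURCE__PLUG);
}
/* … unchanged: unplug_pci / setup_pci as one-line wrappers with RESOURCE__UNPLUG / RESOURCE__SETUP … */
```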
@@ -887,8 +1051,11 @@ static int flask_hvm_param(struct domain *d, unsigned long op)
case HVMOP_get_param:
perm = HVM__GETPARAM;
break;
+ case HVMOP_track_dirty_vram:
+ perm = HVM__TRACKDIRTYVRAM;
+ break;
default:
- return -EPERM;
+ perm = HVM__HVMCTL;
}
return domain_has_perm(current->domain, d, SECCLASS_HVM, perm);
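Review bot: Replacing `return -EPERM` with `perm = HVM__HVMCTL` in the default case turns the switch from fail-closed to fail-open under one bit: any HVMOP sub-command not listed above — including ones added to the hypervisor later — is automatically permitted to every domain holding hvmctl, with no policy change to review. If that catch-all is intended, make it explicit and keep the case shape consistent with the others: `default: /* catch-all: sub-ops without a dedicated perm, including future ones */ perm = HVM__HVMCTL; break;`. Otherwise enumerate the sub-ops that should map to HVM__HVMCTL and keep `-EPERM` as the default. The enclosing switch in flask_hvm_param begins outside this hunk.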
@@ -909,6 +1076,16 @@ static int flask_hvm_set_pci_link_route(struct domain *d)
return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__PCIROUTE);
}
+static int flask_mem_event(struct domain *d)
+{
+ return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__MEM_EVENT);
+}
+
+static int flask_mem_sharing(struct domain *d)
+{
+ return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__MEM_SHARING);
+}
+
static int flask_apic(struct domain *d, int cmd)
{
u32 perm;
@@ -1088,6 +1265,19 @@ static int flask_sendtrigger(struct domain *d)
return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__TRIGGER);
}
+static int flask_get_device_group(uint32_t machine_bdf)
+{
+ u32 rsid;
+ int rc = -EPERM;
+ struct domain_security_struct *ssec = current->domain->ssid;
+
+ rc = security_device_sid(machine_bdf, &rsid);
+ if ( rc )
+ return rc;
+
+ return avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, NULL);
+}
+
static int flask_test_assign_device(uint32_t machine_bdf)
{
u32 rsid;
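Review bot: flask_get_device_group passes `NULL` as the audit data to avc_has_perm, so a denial is logged without the BDF that was queried, unlike flask_resource_plug_pci and the other PCI hooks in this commit which fill in `AVC_AUDIT_DATA_INIT(&ad, DEV)` and `ad.device`. Declare `struct avc_audit_data ad;`, initialise it with `AVC_AUDIT_DATA_INIT(&ad, DEV); ad.device = (unsigned long) machine_bdf;` and pass `&ad`. The `int rc = -EPERM;` initializer here is also dead, since `rc` is assigned from security_device_sid before it is read.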
@@ -1174,6 +1364,11 @@ static int flask_bind_pt_irq (struct domain *d, struct xen_domctl_bind_pt_irq *b
return avc_has_perm(tsec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__USE, &ad);
}
+static int flask_unbind_pt_irq (struct domain *d)
+{
+ return domain_has_perm(current->domain, d, SECCLASS_RESOURCE, RESOURCE__REMOVE);
+}
+
static int flask_pin_mem_cacheattr (struct domain *d)
{
return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__CACHEATTR);
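Review bot: flask_unbind_pt_irq checks RESOURCE__REMOVE only against the target domain, whereas the bind side visible just above it (`avc_has_perm(tsec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__USE, &ad)`) authorises against the IRQ's own SID; as written, a domain allowed to unbind one passthrough IRQ from `d` can unbind any of them. The hook signature only carries `d`, so the IRQ is not available here; if per-IRQ control on unbind matters, the hook should take the `xen_domctl_bind_pt_irq` like bind_pt_irq does and look up `security_irq_sid` for the target. If the coarser check is intentional, add a comment saying so: `/* Unbind is checked per target domain only; the IRQ itself is not consulted. */`.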
@@ -1236,6 +1431,7 @@ static struct xsm_operations flask_ops = {
.getvcpuinfo = flask_getvcpuinfo,
.domain_settime = flask_domain_settime,
.set_target = flask_set_target,
+ .domctl = flask_domctl,
.tbufcontrol = flask_tbufcontrol,
.readconsole = flask_readconsole,
.sched_id = flask_sched_id,
@@ -1246,6 +1442,10 @@ static struct xsm_operations flask_ops = {
.debug_keys = flask_debug_keys,
.getcpuinfo = flask_getcpuinfo,
.availheap = flask_availheap,
+ .get_pmstat = flask_get_pmstat,
+ .setpminfo = flask_setpminfo,
+ .pm_op = flask_pm_op,
+ .do_mca = flask_do_mca,
.evtchn_unbound = flask_evtchn_unbound,
.evtchn_interdomain = flask_evtchn_interdomain,
@@ -1266,6 +1466,8 @@ static struct xsm_operations flask_ops = {
.alloc_security_evtchn = flask_alloc_security_evtchn,
.free_security_evtchn = flask_free_security_evtchn,
+ .get_pod_target = flask_get_pod_target,
+ .set_pod_target = flask_set_pod_target,
.memory_adjust_reservation = flask_memory_adjust_reservation,
.memory_stat_reservation = flask_memory_stat_reservation,
.memory_pin_page = flask_memory_pin_page,
@@ -1280,6 +1482,19 @@ static struct xsm_operations flask_ops = {
.irq_permission = flask_irq_permission,
.iomem_permission = flask_iomem_permission,
+ .resource_plug_core = flask_resource_plug_core,
+ .resource_unplug_core = flask_resource_unplug_core,
+ .resource_plug_pci = flask_resource_plug_pci,
+ .resource_unplug_pci = flask_resource_unplug_pci,
+ .resource_setup_pci = flask_resource_setup_pci,
+ .resource_setup_gsi = flask_resource_setup_gsi,
+ .resource_setup_misc = flask_resource_setup_misc,
+
+ .page_offline = flask_page_offline,
+ .lockprof = flask_lockprof,
+ .cpupool_op = flask_cpupool_op,
+ .sched_op = flask_sched_op,
+
.__do_xsm_op = do_flask_op,
#ifdef CONFIG_X86
@@ -1293,6 +1508,8 @@ static struct xsm_operations flask_ops = {
.hvm_set_pci_intx_level = flask_hvm_set_pci_intx_level,
.hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level,
.hvm_set_pci_link_route = flask_hvm_set_pci_link_route,
+ .mem_event = flask_mem_event,
+ .mem_sharing = flask_mem_sharing,
.apic = flask_apic,
.xen_settime = flask_xen_settime,
.memtype = flask_memtype,
@@ -1310,10 +1527,12 @@ static struct xsm_operations flask_ops = {
.update_va_mapping = flask_update_va_mapping,
.add_to_physmap = flask_add_to_physmap,
.sendtrigger = flask_sendtrigger,
+ .get_device_group = flask_get_device_group,
.test_assign_device = flask_test_assign_device,
.assign_device = flask_assign_device,
.deassign_device = flask_deassign_device,
.bind_pt_irq = flask_bind_pt_irq,
+ .unbind_pt_irq = flask_unbind_pt_irq,
.pin_mem_cacheattr = flask_pin_mem_cacheattr,
.ext_vcpucontext = flask_ext_vcpucontext,
.vcpuextstate = flask_vcpuextstate,
diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h
index 56572a76b6..85cbffc817 100644
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -24,6 +24,11 @@
S_(SECCLASS_XEN, XEN__DEBUG, "debug")
S_(SECCLASS_XEN, XEN__GETCPUINFO, "getcpuinfo")
S_(SECCLASS_XEN, XEN__HEAP, "heap")
+ S_(SECCLASS_XEN, XEN__PM_OP, "pm_op")
+ S_(SECCLASS_XEN, XEN__MCA_OP, "mca_op")
+ S_(SECCLASS_XEN, XEN__LOCKPROF, "lockprof")
+ S_(SECCLASS_XEN, XEN__CPUPOOL_OP, "cpupool_op")
+ S_(SECCLASS_XEN, XEN__SCHED_OP, "sched_op")
S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT, "setvcpucontext")
S_(SECCLASS_DOMAIN, DOMAIN__PAUSE, "pause")
S_(SECCLASS_DOMAIN, DOMAIN__UNPAUSE, "unpause")
@@ -52,6 +57,9 @@
S_(SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT, "setextvcpucontext")
S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE, "getvcpuextstate")
S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE, "setvcpuextstate")
+ S_(SECCLASS_DOMAIN, DOMAIN__GETPODTARGET, "getpodtarget")
+ S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget")
+ S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info")
S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
@@ -62,6 +70,9 @@
S_(SECCLASS_HVM, HVM__BIND_IRQ, "bind_irq")
S_(SECCLASS_HVM, HVM__CACHEATTR, "cacheattr")
S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")
+ S_(SECCLASS_HVM, HVM__HVMCTL, "hvmctl")
+ S_(SECCLASS_HVM, HVM__MEM_EVENT, "mem_event")
+ S_(SECCLASS_HVM, HVM__MEM_SHARING, "mem_sharing")
S_(SECCLASS_EVENT, EVENT__BIND, "bind")
S_(SECCLASS_EVENT, EVENT__SEND, "send")
S_(SECCLASS_EVENT, EVENT__STATUS, "status")
@@ -103,6 +114,9 @@
S_(SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, "stat_device")
S_(SECCLASS_RESOURCE, RESOURCE__ADD_DEVICE, "add_device")
S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_DEVICE, "remove_device")
+ S_(SECCLASS_RESOURCE, RESOURCE__PLUG, "plug")
+ S_(SECCLASS_RESOURCE, RESOURCE__UNPLUG, "unplug")
+ S_(SECCLASS_RESOURCE, RESOURCE__SETUP, "setup")
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h
index 67511adae5..9e55a863a4 100644
--- a/xen/xsm/flask/include/av_permissions.h
+++ b/xen/xsm/flask/include/av_permissions.h
@@ -24,6 +24,11 @@
#define XEN__DEBUG 0x00400000UL
#define XEN__GETCPUINFO 0x00800000UL
#define XEN__HEAP 0x01000000UL
+#define XEN__PM_OP 0x02000000UL
+#define XEN__MCA_OP 0x04000000UL
+#define XEN__LOCKPROF 0x08000000UL
+#define XEN__CPUPOOL_OP 0x10000000UL
+#define XEN__SCHED_OP 0x20000000UL
#define DOMAIN__SETVCPUCONTEXT 0x00000001UL
#define DOMAIN__PAUSE 0x00000002UL
@@ -53,6 +58,9 @@
#define DOMAIN__SETEXTVCPUCONTEXT 0x02000000UL
#define DOMAIN__GETVCPUEXTSTATE 0x04000000UL
#define DOMAIN__SETVCPUEXTSTATE 0x08000000UL
+#define DOMAIN__GETPODTARGET 0x10000000UL
+#define DOMAIN__SETPODTARGET 0x20000000UL
+#define DOMAIN__SET_MISC_INFO 0x40000000UL
#define HVM__SETHVMC 0x00000001UL
#define HVM__GETHVMC 0x00000002UL
@@ -64,6 +72,9 @@
#define HVM__BIND_IRQ 0x00000080UL
#define HVM__CACHEATTR 0x00000100UL
#define HVM__TRACKDIRTYVRAM 0x00000200UL
+#define HVM__HVMCTL 0x00000400UL
+#define HVM__MEM_EVENT 0x00000800UL
+#define HVM__MEM_SHARING 0x00001000UL
#define EVENT__BIND 0x00000001UL
#define EVENT__SEND 0x00000002UL
@@ -110,6 +121,9 @@
#define RESOURCE__STAT_DEVICE 0x00000200UL
#define RESOURCE__ADD_DEVICE 0x00000400UL
#define RESOURCE__REMOVE_DEVICE 0x00000800UL
+#define RESOURCE__PLUG 0x00001000UL
+#define RESOURCE__UNPLUG 0x00002000UL
+#define RESOURCE__SETUP 0x00004000UL
#define SECURITY__COMPUTE_AV 0x00000001UL
#define SECURITY__COMPUTE_CREATE 0x00000002UL