xen/xsm: distinguish scheduler get/set operations

Add getscheduler and setscheduler permissions to replace the
monolithic scheduler permission in the scheduler_op domctl and sysctl.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

6 files changed, 76 insertions, 11 deletions

diff --git a/xen/common/schedule.c b/xen/common/schedule.c
index 903f32d57c..f3fc6bcc3e 100644
--- a/xen/common/schedule.c
+++ b/xen/common/schedule.c
@@ -1006,7 +1006,11 @@ int sched_id(void)
 long sched_adjust(struct domain *d, struct xen_domctl_scheduler_op *op)
 {
     long ret;
-    
+
+    ret = xsm_domctl_scheduler_op(XSM_HOOK, d, op->cmd);
+    if ( ret )
+        return ret;
+
     if ( (op->sched_id != DOM2OP(d)->sched_id) ||
          ((op->cmd != XEN_DOMCTL_SCHEDOP_putinfo) &&
           (op->cmd != XEN_DOMCTL_SCHEDOP_getinfo)) )
@@ -1025,6 +1029,10 @@ long sched_adjust_global(struct xen_sysctl_scheduler_op *op)
     struct cpupool *pool;
     int rc;
 
+    rc = xsm_sysctl_scheduler_op(XSM_HOOK, op->cmd);
+    if ( rc )
+        return rc;
+
     if ( (op->cmd != XEN_DOMCTL_SCHEDOP_putinfo) &&
          (op->cmd != XEN_DOMCTL_SCHEDOP_getinfo) )
         return -EINVAL;
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 2c750de4f5..18f36b22bf 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -95,6 +95,18 @@ static XSM_INLINE int xsm_getdomaininfo(XSM_DEFAULT_ARG struct domain *d)
     return xsm_default_action(action, current->domain, d);
 }
 
+static XSM_INLINE int xsm_domctl_scheduler_op(XSM_DEFAULT_ARG struct domain *d, int cmd)
+{
+    XSM_ASSERT_ACTION(XSM_HOOK);
+    return xsm_default_action(action, current->domain, d);
+}
+
+static XSM_INLINE int xsm_sysctl_scheduler_op(XSM_DEFAULT_ARG int cmd)
+{
+    XSM_ASSERT_ACTION(XSM_HOOK);
+    return xsm_default_action(action, current->domain, NULL);
+}
+
 static XSM_INLINE int xsm_set_target(XSM_DEFAULT_ARG struct domain *d, struct domain *e)
 {
     XSM_ASSERT_ACTION(XSM_HOOK);
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index ce5ede8fac..8947372062 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -55,6 +55,8 @@ struct xsm_operations {
                                         struct xen_domctl_getdomaininfo *info);
     int (*domain_create) (struct domain *d, u32 ssidref);
     int (*getdomaininfo) (struct domain *d);
+    int (*domctl_scheduler_op) (struct domain *d, int op);
+    int (*sysctl_scheduler_op) (int op);
     int (*set_target) (struct domain *d, struct domain *e);
     int (*domctl) (struct domain *d, int cmd);
     int (*sysctl) (int cmd);
@@ -177,6 +179,16 @@ static inline int xsm_getdomaininfo (xsm_default_t def, struct domain *d)
     return xsm_ops->getdomaininfo(d);
 }
 
+static inline int xsm_domctl_scheduler_op (xsm_default_t def, struct domain *d, int cmd)
+{
+    return xsm_ops->domctl_scheduler_op(d, cmd);
+}
+
+static inline int xsm_sysctl_scheduler_op (xsm_default_t def, int cmd)
+{
+    return xsm_ops->sysctl_scheduler_op(cmd);
+}
+
 static inline int xsm_set_target (xsm_default_t def, struct domain *d, struct domain *e)
 {
     return xsm_ops->set_target(d, e);
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 22c66e534b..529a724e71 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -32,6 +32,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
     set_to_dummy_if_null(ops, security_domaininfo);
     set_to_dummy_if_null(ops, domain_create);
     set_to_dummy_if_null(ops, getdomaininfo);
+    set_to_dummy_if_null(ops, domctl_scheduler_op);
+    set_to_dummy_if_null(ops, sysctl_scheduler_op);
     set_to_dummy_if_null(ops, set_target);
     set_to_dummy_if_null(ops, domctl);
     set_to_dummy_if_null(ops, sysctl);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 222ab3e651..ba67502927 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -517,6 +517,38 @@ static int flask_getdomaininfo(struct domain *d)
     return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO);
 }
 
+static int flask_domctl_scheduler_op(struct domain *d, int op)
+{
+    switch ( op )
+    {
+    case XEN_DOMCTL_SCHEDOP_putinfo:
+        return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SETSCHEDULER);
+
+    case XEN_DOMCTL_SCHEDOP_getinfo:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETSCHEDULER);
+
+    default:
+        printk("flask_domctl_scheduler_op: Unknown op %d\n", op);
+        return -EPERM;
+    }
+}
+
+static int flask_sysctl_scheduler_op(int op)
+{
+    switch ( op )
+    {
+    case XEN_DOMCTL_SCHEDOP_putinfo:
+        return domain_has_xen(current->domain, XEN__SETSCHEDULER);
+
+    case XEN_DOMCTL_SCHEDOP_getinfo:
+        return domain_has_xen(current->domain, XEN__GETSCHEDULER);
+
+    default:
+        printk("flask_domctl_scheduler_op: Unknown op %d\n", op);
+        return -EPERM;
+    }
+}
+
 static int flask_set_target(struct domain *d, struct domain *t)
 {
     int rc;
@@ -548,6 +580,7 @@ static int flask_domctl(struct domain *d, int cmd)
     /* These have individual XSM hooks (common/domctl.c) */
     case XEN_DOMCTL_createdomain:
     case XEN_DOMCTL_getdomaininfo:
+    case XEN_DOMCTL_scheduler_op:
     case XEN_DOMCTL_irq_permission:
     case XEN_DOMCTL_iomem_permission:
     case XEN_DOMCTL_set_target:
@@ -586,9 +619,6 @@ static int flask_domctl(struct domain *d, int cmd)
     case XEN_DOMCTL_resumedomain:
         return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__RESUME);
 
-    case XEN_DOMCTL_scheduler_op:
-        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SCHEDULER);
-
     case XEN_DOMCTL_max_vcpus:
         return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__MAX_VCPUS);
 
@@ -704,6 +734,7 @@ static int flask_sysctl(int cmd)
     case XEN_SYSCTL_readconsole:
     case XEN_SYSCTL_getdomaininfolist:
     case XEN_SYSCTL_page_offline_op:
+    case XEN_SYSCTL_scheduler_op:
 #ifdef CONFIG_X86
     case XEN_SYSCTL_cpu_hotplug:
 #endif
@@ -713,7 +744,7 @@ static int flask_sysctl(int cmd)
         return domain_has_xen(current->domain, XEN__TBUFCONTROL);
 
     case XEN_SYSCTL_sched_id:
-        return domain_has_xen(current->domain, XEN__SCHEDULER);
+        return domain_has_xen(current->domain, XEN__GETSCHEDULER);
 
     case XEN_SYSCTL_perfc_op:
         return domain_has_xen(current->domain, XEN__PERFCONTROL);
@@ -739,9 +770,6 @@ static int flask_sysctl(int cmd)
     case XEN_SYSCTL_cpupool_op:
         return domain_has_xen(current->domain, XEN__CPUPOOL_OP);
 
-    case XEN_SYSCTL_scheduler_op:
-        return domain_has_xen(current->domain, XEN__SCHED_OP);
-
     case XEN_SYSCTL_physinfo:
     case XEN_SYSCTL_topologyinfo:
     case XEN_SYSCTL_numainfo:
@@ -1408,6 +1436,8 @@ static struct xsm_operations flask_ops = {
     .security_domaininfo = flask_security_domaininfo,
     .domain_create = flask_domain_create,
     .getdomaininfo = flask_getdomaininfo,
+    .domctl_scheduler_op = flask_domctl_scheduler_op,
+    .sysctl_scheduler_op = flask_sysctl_scheduler_op,
     .set_target = flask_set_target,
     .domctl = flask_domctl,
     .sysctl = flask_sysctl,
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index 7a7e253a93..b982cf5c88 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -5,7 +5,6 @@
 
 class xen
 {
-	scheduler
 	settime
 	tbufcontrol
 	readconsole
@@ -34,9 +33,10 @@ class xen
 	mca_op
 	lockprof
 	cpupool_op
-	sched_op
 	tmem_op
 	tmem_control
+	getscheduler
+	setscheduler
 }
 
 class domain
@@ -51,7 +51,7 @@ class domain
     destroy
     setvcpuaffinity
 	getvcpuaffinity
-	scheduler
+	getscheduler
 	getdomaininfo
 	getvcpuinfo
 	getvcpucontext
@@ -85,6 +85,7 @@ class domain2
 	set_cpuid
 	gettsc
 	settsc
+	setscheduler
 }
 
 class hvm