diff options
| -rw-r--r-- | xen/arch/x86/mm.c | 2 | ||||
| -rw-r--r-- | xen/arch/x86/mm/p2m-pod.c | 3 | ||||
| -rw-r--r-- | xen/arch/x86/mm/shadow/multi.c | 19 | ||||
| -rw-r--r-- | xen/include/xsm/dummy.h | 6 | ||||
| -rw-r--r-- | xen/include/xsm/xsm.h | 6 | ||||
| -rw-r--r-- | xen/xsm/dummy.c | 1 | ||||
| -rw-r--r-- | xen/xsm/flask/hooks.c | 6 | ||||
| -rw-r--r-- | xen/xsm/flask/policy/access_vectors | 3 |
8 files changed, 34 insertions, 12 deletions
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 58e140203d..0cd4203b62 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -815,7 +815,7 @@ get_page_from_l1e( * minor hack can go away. */ if ( (real_pg_owner == NULL) || (pg_owner == l1e_owner) || - !IS_PRIV_FOR(pg_owner, real_pg_owner) ) + xsm_priv_mapping(XSM_TARGET, pg_owner, real_pg_owner) ) { MEM_LOG("pg_owner %d l1e_owner %d, but real_pg_owner %d", pg_owner->domain_id, l1e_owner->domain_id, diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index 55936c6e99..04ffbcb26e 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -1117,9 +1117,6 @@ guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn, mfn_t omfn; int rc = 0; - if ( !IS_PRIV_FOR(current->domain, d) ) - return -EPERM; - if ( !paging_mode_translate(d) ) return -EINVAL; diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index a593f762e3..a8ef75eb14 100644 --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -29,6 +29,7 @@ #include <xen/perfc.h> #include <xen/domain_page.h> #include <xen/iocap.h> +#include <xsm/xsm.h> #include <asm/page.h> #include <asm/current.h> #include <asm/shadow.h> @@ -849,14 +850,16 @@ shadow_get_page_from_l1e(shadow_l1e_t sl1e, struct domain *d, p2m_type_t type) !shadow_mode_translate(d) && mfn_valid(mfn = shadow_l1e_get_mfn(sl1e)) && (owner = page_get_owner(mfn_to_page(mfn))) && - (d != owner) && - IS_PRIV_FOR(d, owner)) - { - res = get_page_from_l1e(sl1e, d, owner); - SHADOW_PRINTK("privileged domain %d installs map of mfn %05lx " - "which is owned by domain %d: %s\n", - d->domain_id, mfn_x(mfn), owner->domain_id, - res >= 0 ? "success" : "failed"); + (d != owner) ) + { + res = xsm_priv_mapping(XSM_TARGET, d, owner); + if ( !res ) { + res = get_page_from_l1e(sl1e, d, owner); + SHADOW_PRINTK("privileged domain %d installs map of mfn %05lx " + "which is owned by domain %d: %s\n", + d->domain_id, mfn_x(mfn), owner->domain_id, + res >= 0 ? "success" : "failed"); + } } /* Okay, it might still be a grant mapping PTE. Try it. */ diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 191e493b43..9cae61cd5c 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -574,6 +574,12 @@ static XSM_INLINE int xsm_update_va_mapping(XSM_DEFAULT_ARG struct domain *d, st return xsm_default_action(action, d, f); } +static XSM_INLINE int xsm_priv_mapping(XSM_DEFAULT_ARG struct domain *d, struct domain *t) +{ + XSM_ASSERT_ACTION(XSM_TARGET); + return xsm_default_action(action, d, t); +} + static XSM_INLINE int xsm_bind_pt_irq(XSM_DEFAULT_ARG struct domain *d, struct xen_domctl_bind_pt_irq *bind) { XSM_ASSERT_ACTION(XSM_HOOK); diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index fdc7a650d6..5103070243 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -154,6 +154,7 @@ struct xsm_operations { struct domain *f, uint32_t flags); int (*mmuext_op) (struct domain *d, struct domain *f); int (*update_va_mapping) (struct domain *d, struct domain *f, l1_pgentry_t pte); + int (*priv_mapping) (struct domain *d, struct domain *t); int (*bind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind); int (*unbind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind); int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow); @@ -582,6 +583,11 @@ static inline int xsm_update_va_mapping(xsm_default_t def, struct domain *d, str return xsm_ops->update_va_mapping(d, f, pte); } +static inline int xsm_priv_mapping(xsm_default_t def, struct domain *d, struct domain *t) +{ + return xsm_ops->priv_mapping(d, t); +} + static inline int xsm_bind_pt_irq(xsm_default_t def, struct domain *d, struct xen_domctl_bind_pt_irq *bind) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 21aef2add9..f7b0399c2c 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -124,6 +124,7 @@ void xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, mmu_update); set_to_dummy_if_null(ops, mmuext_op); set_to_dummy_if_null(ops, update_va_mapping); + set_to_dummy_if_null(ops, priv_mapping); set_to_dummy_if_null(ops, bind_pt_irq); set_to_dummy_if_null(ops, unbind_pt_irq); set_to_dummy_if_null(ops, ioport_permission); diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 23c523386b..04c8a3913e 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1345,6 +1345,11 @@ static int flask_update_va_mapping(struct domain *d, struct domain *f, return domain_has_perm(d, f, SECCLASS_MMU, map_perms); } +static int flask_priv_mapping(struct domain *d, struct domain *t) +{ + return domain_has_perm(d, t, SECCLASS_MMU, MMU__TARGET_HACK); +} + static int flask_get_device_group(uint32_t machine_bdf) { u32 rsid; @@ -1534,6 +1539,7 @@ static struct xsm_operations flask_ops = { .mmu_update = flask_mmu_update, .mmuext_op = flask_mmuext_op, .update_va_mapping = flask_update_va_mapping, + .priv_mapping = flask_priv_mapping, .get_device_group = flask_get_device_group, .test_assign_device = flask_test_assign_device, .assign_device = flask_assign_device, diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 36b8b2c271..c8ae8060cd 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -330,6 +330,9 @@ class mmu # source = domain making the hypercall # target = domain whose pages are being exchanged exchange +# Allow a privileged domain to install a map of a page it does not own. Used +# for stub domain device models with the PV framebuffer. + target_hack } # control of the paging_domctl split by subop |