1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
|
/****************************************************************
* acm_hooks.h
*
* Copyright (C) 2005 IBM Corporation
*
* Author:
* Reiner Sailer <sailer@watson.ibm.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*
* acm header file implementing the global (policy-independent)
* sHype hooks that are called throughout Xen.
*
*/
#ifndef _ACM_HOOKS_H
#define _ACM_HOOKS_H
#include <xen/config.h>
#include <xen/errno.h>
#include <xen/types.h>
#include <xen/lib.h>
#include <xen/delay.h>
#include <xen/sched.h>
#include <public/acm.h>
#include <acm/acm_core.h>
#include <public/dom0_ops.h>
#include <public/event_channel.h>
#include <asm/current.h>
/* if ACM_TRACE_MODE defined, all hooks should
* print a short trace message */
/* #define ACM_TRACE_MODE */
#ifdef ACM_TRACE_MODE
# define traceprintk(fmt, args...) printk(fmt,## args)
#else
# define traceprintk(fmt, args...)
#endif
/* global variables */
extern struct acm_operations *acm_primary_ops;
extern struct acm_operations *acm_secondary_ops;
/**********************************************************************************************
* HOOK structure and meaning (justifies a few words about our model):
*
* General idea: every policy-controlled system operation is reflected in a
* transaction in the system's security state
*
* Keeping the security state consistent requires "atomic" transactions.
* The name of the hooks to place around policy-controlled transactions
* reflects this. If authorizations do not involve security state changes,
* then and only then POST and FAIL hooks remain empty since we don't care
* about the eventual outcome of the operation from a security viewpoint.
*
* PURPOSE of hook types:
* ======================
* PRE-Hooks
* a) general authorization to guard a controlled system operation
* b) prepare security state change (means: fail hook must be able to "undo" this)
*
* POST-Hooks
* a) commit prepared state change
*
* FAIL-Hooks
* a) roll-back prepared security state change from PRE-Hook
*
*
* PLACEMENT of hook types:
* ========================
* PRE-Hooks must be called:
* a) before a guarded/controlled system operation is started
* (return is ACM_ACCESS_PERMITTED or ACM_ACCESS_DENIED or error)
* --> operation must be aborted if return is != ACM_ACCESS_PERMITTED
*
* POST-Hooks must be called:
* a) after successful transaction (no return value; commit shall never fail)
*
* FAIL-Hooks must be called:
* a) if system transaction (operation) fails somewhen after calling the PRE-hook
* (obviously the POST-Hook is not called in this case)
* b) if another (secondary) policy denies access in its PRE-Hook
* (policy layering is useful but requires additional handling)
*
*
*
* Hook model from a security transaction viewpoint:
*
* start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
* (pre-hook) \ (post-hook)
* \
* fail
* \
* \
* roll-back
* (fail-hook)
* \
* sys-ops error
*
*************************************************************************************************/
struct acm_operations {
/* policy management functions (must always be defined!) */
int (*init_domain_ssid) (void **ssid, ssidref_t ssidref);
void (*free_domain_ssid) (void *ssid);
int (*dump_binary_policy) (u8 *buffer, u16 buf_size);
int (*set_binary_policy) (u8 *buffer, u16 buf_size);
int (*dump_statistics) (u8 *buffer, u16 buf_size);
/* domain management control hooks (can be NULL) */
int (*pre_domain_create) (void *subject_ssid, ssidref_t ssidref);
void (*post_domain_create) (domid_t domid, ssidref_t ssidref);
void (*fail_domain_create) (void *subject_ssid, ssidref_t ssidref);
void (*post_domain_destroy) (void *object_ssid, domid_t id);
/* event channel control hooks (can be NULL) */
int (*pre_eventchannel_unbound) (domid_t id);
void (*fail_eventchannel_unbound) (domid_t id);
int (*pre_eventchannel_interdomain) (domid_t id1, domid_t id2);
int (*fail_eventchannel_interdomain) (domid_t id1, domid_t id2);
/* grant table control hooks (can be NULL) */
int (*pre_grant_map_ref) (domid_t id);
void (*fail_grant_map_ref) (domid_t id);
int (*pre_grant_setup) (domid_t id);
void (*fail_grant_setup) (domid_t id);
};
static inline int acm_pre_domain_create (void *subject_ssid, ssidref_t ssidref)
{
if ((acm_primary_ops->pre_domain_create != NULL) &&
acm_primary_ops->pre_domain_create (subject_ssid, ssidref))
return ACM_ACCESS_DENIED;
else if ((acm_secondary_ops->pre_domain_create != NULL) &&
acm_secondary_ops->pre_domain_create (subject_ssid, ssidref)) {
/* roll-back primary */
if (acm_primary_ops->fail_domain_create != NULL)
acm_primary_ops->fail_domain_create (subject_ssid, ssidref);
return ACM_ACCESS_DENIED;
} else
return ACM_ACCESS_PERMITTED;
}
static inline void acm_post_domain_create (domid_t domid, ssidref_t ssidref)
{
if (acm_primary_ops->post_domain_create != NULL)
acm_primary_ops->post_domain_create (domid, ssidref);
if (acm_secondary_ops->post_domain_create != NULL)
acm_secondary_ops->post_domain_create (domid, ssidref);
}
static inline void acm_fail_domain_create (void *subject_ssid, ssidref_t ssidref)
{
if (acm_primary_ops->fail_domain_create != NULL)
acm_primary_ops->fail_domain_create (subject_ssid, ssidref);
if (acm_secondary_ops->fail_domain_create != NULL)
acm_secondary_ops->fail_domain_create (subject_ssid, ssidref);
}
static inline void acm_post_domain_destroy (void *object_ssid, domid_t id)
{
if (acm_primary_ops->post_domain_destroy != NULL)
acm_primary_ops->post_domain_destroy (object_ssid, id);
if (acm_secondary_ops->post_domain_destroy != NULL)
acm_secondary_ops->post_domain_destroy (object_ssid, id);
return;
}
/* event channel ops */
static inline int acm_pre_eventchannel_unbound (domid_t id)
{
if ((acm_primary_ops->pre_eventchannel_unbound != NULL) &&
acm_primary_ops->pre_eventchannel_unbound (id))
return ACM_ACCESS_DENIED;
else if ((acm_secondary_ops->pre_eventchannel_unbound != NULL) &&
acm_secondary_ops->pre_eventchannel_unbound (id)) {
/* roll-back primary */
if (acm_primary_ops->fail_eventchannel_unbound != NULL)
acm_primary_ops->fail_eventchannel_unbound (id);
return ACM_ACCESS_DENIED;
} else
return ACM_ACCESS_PERMITTED;
}
static inline int acm_pre_eventchannel_interdomain (domid_t id1, domid_t id2)
{
if ((acm_primary_ops->pre_eventchannel_interdomain != NULL) &&
acm_primary_ops->pre_eventchannel_interdomain (id1, id2))
return ACM_ACCESS_DENIED;
else if ((acm_secondary_ops->pre_eventchannel_interdomain != NULL) &&
acm_secondary_ops->pre_eventchannel_interdomain (id1, id2)) {
/* roll-back primary */
if (acm_primary_ops->fail_eventchannel_interdomain != NULL)
acm_primary_ops->fail_eventchannel_interdomain (id1, id2);
return ACM_ACCESS_DENIED;
} else
return ACM_ACCESS_PERMITTED;
}
/************ Xen inline hooks ***************/
/* small macro to make the hooks more readable
* (eliminates hooks if NULL policy is active)
*/
#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid)
{ return 0; }
#else
static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid)
{
int ret = -EACCES;
struct domain *d;
switch(op->cmd) {
case DOM0_CREATEDOMAIN:
ret = acm_pre_domain_create(current->domain->ssid, op->u.createdomain.ssidref);
break;
case DOM0_DESTROYDOMAIN:
d = find_domain_by_id(op->u.destroydomain.domain);
if (d != NULL) {
*ssid = d->ssid; /* save for post destroy when d is gone */
/* no policy-specific hook */
put_domain(d);
ret = 0;
}
break;
default:
ret = 0; /* ok */
}
return ret;
}
#endif
#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
static inline void acm_post_dom0_op(dom0_op_t *op, void *ssid)
{ return; }
#else
static inline void acm_post_dom0_op(dom0_op_t *op, void *ssid)
{
switch(op->cmd) {
case DOM0_CREATEDOMAIN:
/* initialialize shared sHype security labels for new domain */
acm_init_domain_ssid(op->u.createdomain.domain, op->u.createdomain.ssidref);
acm_post_domain_create(op->u.createdomain.domain, op->u.createdomain.ssidref);
break;
case DOM0_DESTROYDOMAIN:
acm_post_domain_destroy(ssid, op->u.destroydomain.domain);
/* free security ssid for the destroyed domain (also if running null policy */
acm_free_domain_ssid((struct acm_ssid_domain *)ssid);
break;
}
}
#endif
#if (ACM_USE_SECURITY_POLICy == ACM_NULL_POLICY)
static inline void acm_fail_dom0_op(dom0_op_t *op, void *ssid)
{ return; }
#else
static inline void acm_fail_dom0_op(dom0_op_t *op, void *ssid)
{
switch(op->cmd) {
case DOM0_CREATEDOMAIN:
acm_fail_domain_create(current->domain->ssid, op->u.createdomain.ssidref);
break;
}
}
#endif
#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
static inline int acm_pre_event_channel(evtchn_op_t *op)
{ return 0; }
#else
static inline int acm_pre_event_channel(evtchn_op_t *op)
{
int ret = -EACCES;
switch(op->cmd) {
case EVTCHNOP_alloc_unbound:
ret = acm_pre_eventchannel_unbound(op->u.alloc_unbound.dom);
break;
case EVTCHNOP_bind_interdomain:
ret = acm_pre_eventchannel_interdomain(op->u.bind_interdomain.dom1, op->u.bind_interdomain.dom2);
break;
default:
ret = 0; /* ok */
}
return ret;
}
#endif
#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
static inline int acm_pre_grant_map_ref(domid_t id)
{ return 0; }
#else
static inline int acm_pre_grant_map_ref (domid_t id)
{
if ((acm_primary_ops->pre_grant_map_ref != NULL) &&
acm_primary_ops->pre_grant_map_ref (id))
return ACM_ACCESS_DENIED;
else if ((acm_secondary_ops->pre_grant_map_ref != NULL) &&
acm_secondary_ops->pre_grant_map_ref (id)) {
/* roll-back primary */
if (acm_primary_ops->fail_grant_map_ref != NULL)
acm_primary_ops->fail_grant_map_ref (id);
return ACM_ACCESS_DENIED;
} else
return ACM_ACCESS_PERMITTED;
}
#endif
#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
static inline int acm_pre_grant_setup(domid_t id)
{ return 0; }
#else
static inline int acm_pre_grant_setup (domid_t id)
{
if ((acm_primary_ops->pre_grant_setup != NULL) &&
acm_primary_ops->pre_grant_setup (id))
return ACM_ACCESS_DENIED;
else if ((acm_secondary_ops->pre_grant_setup != NULL) &&
acm_secondary_ops->pre_grant_setup (id)) {
/* roll-back primary */
if (acm_primary_ops->fail_grant_setup != NULL)
acm_primary_ops->fail_grant_setup (id);
return ACM_ACCESS_DENIED;
} else
return ACM_ACCESS_PERMITTED;
}
#endif
#endif
|
