This patch adds security checks to the PCI passthrough-related hypercalls to
enforce that the current domain owns the resources that it is about to
remap.
It also adds a call to xc_assign_device to xend and removes the
PRIVILEGED_STUBDOMS flags.
Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
---
diff -r 3bbe9ab2202b tools/python/xen/xend/server/pciif.py
--- a/tools/python/xen/xend/server/pciif.py Wed Oct 21 09:23:10 2009 +0100
+++ b/tools/python/xen/xend/server/pciif.py Wed Oct 21 14:51:20 2009 +0100
@@ -444,7 +444,15 @@
# For hvm guest, (from c/s 19679 on) assigning device statically and
# dynamically both go through reconfigureDevice(), so HERE the
# setupOneDevice() is not necessary.
- if not self.vm.info.is_hvm():
+ if self.vm.info.is_hvm():
+ for pci_dev in pci_dev_list:
+ # Setup IOMMU device assignment
+ bdf = xc.assign_device(self.getDomid(),
pci_dict_to_xc_str(pci_dev))
+ pci_str = pci_dict_to_bdf_str(pci_dev)
+ if bdf > 0:
+ raise VmError("Failed to assign device to IOMMU (%s)" %
pci_str)
+ log.debug("pci: assign device %s" % pci_str)
+ else :
for d in pci_dev_list:
self.setupOneDevice(d)
wPath = '/local/domain/0/backend/pci/%u/0/aerState' % (self.getDomid())
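Review bot: The comment kept at the top of the hunk still only explains why setupOneDevice() is skipped for HVM guests, while the new HVM branch now performs the IOMMU assignment itself, so a reader has to reconstruct the split from the code; extend it with something like `# For hvm guests only the IOMMU assignment (xc.assign_device) is done here; the PCI setup itself happens in reconfigureDevice().` The `if bdf > 0` test presumably relies on xc.assign_device returning 0 on success and the failing BDF otherwise; a one-line comment stating that contract would keep the error check readable. The new `else :` should be `else:`. The enclosing method starts outside the hunk.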
diff -r 3bbe9ab2202b xen/Rules.mk
--- a/xen/Rules.mk Wed Oct 21 09:23:10 2009 +0100
+++ b/xen/Rules.mk Wed Oct 21 14:51:20 2009 +0100
@@ -10,9 +10,6 @@
crash_debug ?= n
gdbsx ?= n
frame_pointer ?= n
-
-# Allow some delicate passthrough related hypercalls to be made from a stubdom
-privileged_stubdoms ?= y
XEN_ROOT=$(BASEDIR)/..
include $(XEN_ROOT)/Config.mk
@@ -56,7 +53,6 @@
CFLAGS-$(perfc_arrays) += -DPERF_ARRAYS
CFLAGS-$(lock_profile) += -DLOCK_PROFILE
CFLAGS-$(frame_pointer) += -fno-omit-frame-pointer -DCONFIG_FRAME_POINTER
-CFLAGS-$(privileged_stubdoms) += -DPRIVILEGED_STUBDOMS
CFLAGS-$(gdbsx) += -DXEN_GDBSX_CONFIG
ifneq ($(max_phys_cpus),)
diff -r 3bbe9ab2202b xen/arch/x86/domctl.c
--- a/xen/arch/x86/domctl.c Wed Oct 21 09:23:10 2009 +0100
+++ b/xen/arch/x86/domctl.c Wed Oct 21 14:51:20 2009 +0100
@@ -796,6 +796,11 @@
if ( ret )
goto bind_out;
+ ret = -EPERM;
+ if ( !IS_PRIV(current->domain) &&
+ !irq_access_permitted(current->domain, bind->machine_irq) )
+ goto bind_out;
+
ret = -ESRCH;
if ( iommu_enabled )
{
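Review bot: The new check hands `bind->machine_irq` to irq_access_permitted() for the calling domain, but the numbering space the caller's irq_caps are expressed in — machine IRQs or pirqs of the target domain `d` — is not visible in the hunk; if the field carries a pirq of `d` rather than a machine IRQ, the rangeset lookup is made against the wrong number and a translation would be needed first. The same three-line test is duplicated verbatim in the unbind_pt_irq hunk below; a small static helper, e.g. `static bool_t pt_irq_bind_permitted(const xen_domctl_bind_pt_irq_t *bind)`, would keep the two paths from drifting apart. Both enclosing case blocks start and end outside their hunks.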
@@ -820,6 +825,12 @@
if ( (d = rcu_lock_domain_by_id(domctl->domain)) == NULL )
break;
bind = &(domctl->u.bind_pt_irq);
+
+ ret = -EPERM;
+ if ( !IS_PRIV(current->domain) &&
+ !irq_access_permitted(current->domain, bind->machine_irq) )
+ goto bind_out;
+
if ( iommu_enabled )
{
spin_lock(&pcidevs_lock);
@@ -846,6 +857,11 @@
ret = -ESRCH;
if ( unlikely((d = rcu_lock_domain_by_id(domctl->domain)) == NULL) )
+ break;
+
+ ret = -EPERM;
+ if ( !IS_PRIV(current->domain) &&
+ !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) )
break;
ret=0;
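Review bot: The added `-EPERM` path breaks out after rcu_lock_domain_by_id() has already succeeded, so the reference taken on `d` is never released on that path — nothing between the lock and the new `break` unlocks it. Either drop it before leaving, `{ rcu_unlock_domain(d); break; }`, or better, perform the permission check before the domain is locked, which is what the ioport_mapping hunk below already does. The enclosing case starts and ends outside the hunk.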
@@ -894,6 +910,11 @@
fgp, fmp, np);
break;
}
+
+ ret = -EPERM;
+ if ( !IS_PRIV(current->domain) &&
+ !ioports_access_permitted(current->domain, fmp, fmp + np - 1) )
+ break;
ret = -ESRCH;
if ( unlikely((d = rcu_lock_domain_by_id(domctl->domain)) == NULL) )
diff -r 3bbe9ab2202b xen/arch/x86/irq.c
--- a/xen/arch/x86/irq.c Wed Oct 21 09:23:10 2009 +0100
+++ b/xen/arch/x86/irq.c Wed Oct 21 14:51:20 2009 +0100
@@ -1340,7 +1340,9 @@
ASSERT(spin_is_locked(&pcidevs_lock));
ASSERT(spin_is_locked(&d->event_lock));
- if ( !STUBDOM_IS_PRIV_FOR(current->domain, d) )
+ if ( !IS_PRIV(current->domain) &&
+ !(IS_PRIV_FOR(current->domain, d) &&
+ irq_access_permitted(current->domain, pirq)))
return -EPERM;
if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
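Review bot: The new condition evaluates irq_access_permitted() on `pirq`, the slot being allocated in the target domain `d`, while the physical resource being mapped is `irq`; unless the caller's irq_caps are deliberately kept in the target's pirq numbering, the intended test is `irq_access_permitted(current->domain, irq)`. The permission test also runs before the range validation on the following line, so an out-of-range `pirq` is looked up in the rangeset before being rejected; moving the `-EPERM` check after that `if` keeps argument validation first. The enclosing function starts outside the hunk.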
diff -r 3bbe9ab2202b xen/arch/x86/physdev.c
--- a/xen/arch/x86/physdev.c Wed Oct 21 09:23:10 2009 +0100
+++ b/xen/arch/x86/physdev.c Wed Oct 21 14:51:20 2009 +0100
@@ -45,7 +45,7 @@
if ( d == NULL )
return -ESRCH;
- if ( !STUBDOM_IS_PRIV_FOR(current->domain, d) )
+ if ( !IS_PRIV_FOR(current->domain, d) )
{
ret = -EPERM;
goto free_domain;
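Review bot: Replacing STUBDOM_IS_PRIV_FOR with IS_PRIV_FOR here and in the second physdev.c hunk below makes the stubdom path unconditional rather than build-time selectable, so the per-resource checks become the only thing bounding what a stubdom may map. For the map path that check is supplied by the irq.c hunk of this series; for the unmap path guarded by the second hunk no equivalent per-IRQ check is visible in this patch, so it is worth confirming that the routine called after that check (outside the hunk) enforces one, or that unmapping an IRQ the stubdom never mapped is harmless for the target. A short comment at each site naming where the resource check lives would make the split explicit. Both enclosing functions start outside their hunks.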
@@ -169,7 +169,7 @@
return -ESRCH;
ret = -EPERM;
- if ( !STUBDOM_IS_PRIV_FOR(current->domain, d) )
+ if ( !IS_PRIV_FOR(current->domain, d) )
goto free_domain;
spin_lock(&pcidevs_lock);
diff -r 3bbe9ab2202b xen/common/domctl.c
--- a/xen/common/domctl.c Wed Oct 21 09:23:10 2009 +0100
+++ b/xen/common/domctl.c Wed Oct 21 14:51:20 2009 +0100
@@ -231,14 +231,12 @@
case XEN_DOMCTL_ioport_mapping:
case XEN_DOMCTL_memory_mapping:
case XEN_DOMCTL_bind_pt_irq:
- case XEN_DOMCTL_unbind_pt_irq:
- case XEN_DOMCTL_assign_device:
- case XEN_DOMCTL_deassign_device: {
+ case XEN_DOMCTL_unbind_pt_irq: {
struct domain *d;
bool_t is_priv = IS_PRIV(current->domain);
if ( !is_priv && ((d = rcu_lock_domain_by_id(op->domain)) != NULL) )
{
- is_priv = STUBDOM_IS_PRIV_FOR(current->domain, d);
+ is_priv = IS_PRIV_FOR(current->domain, d);
rcu_unlock_domain(d);
}
if ( !is_priv )
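Review bot: Dropping XEN_DOMCTL_assign_device and XEN_DOMCTL_deassign_device from this case list silently moves them to the IS_PRIV-only default, and nothing in the code records why; since the description states that assignment now happens from xend, a comment above the remaining cases would preserve that reasoning, e.g. `/* Device (de)assignment is done by the toolstack in dom0 and stays IS_PRIV-only; a stubdom is only allowed the mapping ops listed here. */`. The enclosing switch starts outside the hunk.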
diff -r 3bbe9ab2202b xen/include/xen/config.h
--- a/xen/include/xen/config.h Wed Oct 21 09:23:10 2009 +0100
+++ b/xen/include/xen/config.h Wed Oct 21 14:51:20 2009 +0100
@@ -95,10 +95,4 @@
#define __cpuinitdata
#define __cpuinit
-#ifdef PRIVILEGED_STUBDOMS
-#define STUBDOM_IS_PRIV_FOR(x,y) IS_PRIV_FOR(x,y)
-#else
-#define STUBDOM_IS_PRIV_FOR(x,y) IS_PRIV(x)
-#endif
-
#endif /* __XEN_CONFIG_H__ */