[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 10/22] xsm/flask: add missing hooks



The FLASK module was missing implementations of some hooks and did not
have access vectors defined for 10 domctls; define these now.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 tools/flask/policy/policy/modules/xen/xen.if |  4 +-
 xen/xsm/flask/hooks.c                        | 66 +++++++++++++++++++++++-----
 xen/xsm/flask/policy/access_vectors          |  5 +++
 3 files changed, 63 insertions(+), 12 deletions(-)

diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
b/tools/flask/policy/policy/modules/xen/xen.if
index 2ad11b2..59ba171 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -29,6 +29,7 @@ define(`create_domain_common', `
                        getdomaininfo hypercall setvcpucontext setextvcpucontext
                        scheduler getvcpuinfo getvcpuextstate getaddrsize
                        getvcpuaffinity setvcpuaffinity };
+       allow $1 $2:domain2 { set_cpuid settsc };
        allow $1 $2:security check_context;
        allow $1 $2:shadow enable;
        allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
@@ -67,6 +68,7 @@ define(`migrate_domain_out', `
        allow $1 $2:hvm { gethvmc getparam irqlevel };
        allow $1 $2:mmu { stat pageinfo map_read };
        allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext 
getvcpuextstate pause destroy };
+       allow $1 $2:domain2 gettsc;
 ')
 
 
################################################################################
@@ -112,7 +114,7 @@ define(`device_model', `
        domain_comms($1, $2)
        allow $1 $2:domain { set_target shutdown };
        allow $1 $2:mmu { map_read map_write adjust physmap };
-       allow $1 $2:hvm { getparam setparam trackdirtyvram hvmctl irqlevel 
pciroute };
+       allow $1 $2:hvm { getparam setparam trackdirtyvram hvmctl irqlevel 
pciroute cacheattr send_irq };
 ')
 
################################################################################
 #
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index c2a1de0..fa62290 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -650,25 +650,32 @@ static int flask_domctl(struct domain *d, int cmd)
 #endif
         return 0;
 
+    case XEN_DOMCTL_debug_op:
+    case XEN_DOMCTL_gdbsx_guestmemio:
+    case XEN_DOMCTL_gdbsx_pausevcpu:
+    case XEN_DOMCTL_gdbsx_unpausevcpu:
+    case XEN_DOMCTL_gdbsx_domstatus:
+        return domain_has_perm(current->domain, d, SECCLASS_DOMAIN,
+                               DOMAIN__SETDEBUGGING);
+
     case XEN_DOMCTL_subscribe:
     case XEN_DOMCTL_disable_migrate:
+    case XEN_DOMCTL_suppress_spurious_page_faults:
         return domain_has_perm(current->domain, d, SECCLASS_DOMAIN,
                                DOMAIN__SET_MISC_INFO);
 
     case XEN_DOMCTL_set_cpuid:
-    case XEN_DOMCTL_suppress_spurious_page_faults:
-    case XEN_DOMCTL_debug_op:
+        return domain_has_perm(current->domain, d, SECCLASS_DOMAIN2, 
DOMAIN2__SET_CPUID);
+
     case XEN_DOMCTL_gettscinfo:
+        return domain_has_perm(current->domain, d, SECCLASS_DOMAIN2, 
DOMAIN2__GETTSC);
+
     case XEN_DOMCTL_settscinfo:
+        return domain_has_perm(current->domain, d, SECCLASS_DOMAIN2, 
DOMAIN2__SETTSC);
+
     case XEN_DOMCTL_audit_p2m:
-    case XEN_DOMCTL_gdbsx_guestmemio:
-    case XEN_DOMCTL_gdbsx_pausevcpu:
-    case XEN_DOMCTL_gdbsx_unpausevcpu:
-    case XEN_DOMCTL_gdbsx_domstatus:
-        /* TODO add per-subfunction hooks */
-        if ( !IS_PRIV(current->domain) )
-            return -EPERM;
-        return 0;
+        return domain_has_perm(current->domain, d, SECCLASS_HVM, 
HVM__AUDIT_P2M);
+
     default:
         printk("flask_domctl: Unknown op %d\n", cmd);
         return -EPERM;
@@ -922,6 +929,11 @@ static int flask_iomem_permission(struct domain *d, 
uint64_t start, uint64_t end
     return security_iterate_iomem_sids(start, end, _iomem_has_perm, &data);
 }
 
+static int flask_iomem_mapping(struct domain *d, uint64_t start, uint64_t end, 
uint8_t access)
+{
+    return flask_iomem_permission(d, start, end, access);
+}
+
 static int flask_pci_config_permission(struct domain *d, uint32_t machine_bdf, 
uint16_t start, uint16_t end, uint8_t access)
 {
     u32 rsid;
@@ -1129,7 +1141,6 @@ static int _ioport_has_perm(void *v, u32 sid, unsigned 
long start, unsigned long
     return avc_has_perm(data->tsec->sid, sid, SECCLASS_RESOURCE, 
RESOURCE__USE, &ad);
 }
 
-
 static int flask_ioport_permission(struct domain *d, uint32_t start, uint32_t 
end, uint8_t access)
 {
     int rc;
@@ -1152,6 +1163,11 @@ static int flask_ioport_permission(struct domain *d, 
uint32_t start, uint32_t en
     return security_iterate_ioport_sids(start, end, _ioport_has_perm, &data);
 }
 
+static int flask_ioport_mapping(struct domain *d, uint32_t start, uint32_t 
end, uint8_t access)
+{
+    return flask_ioport_permission(d, start, end, access);
+}
+
 static int flask_getpageframeinfo(struct domain *d)
 {
     return domain_has_perm(current->domain, d, SECCLASS_MMU, MMU__PAGEINFO);
@@ -1210,6 +1226,25 @@ static int flask_address_size(struct domain *d, uint32_t 
cmd)
     return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, perm);
 }
 
+static int flask_machine_address_size(struct domain *d, uint32_t cmd)
+{
+    u32 perm;
+
+    switch ( cmd )
+    {
+    case XEN_DOMCTL_set_machine_address_size:
+        perm = DOMAIN__SETADDRSIZE;
+        break;
+    case XEN_DOMCTL_get_machine_address_size:
+        perm = DOMAIN__GETADDRSIZE;
+        break;
+    default:
+        return -EPERM;
+    }
+
+    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, perm);
+}
+
 static int flask_hvm_param(struct domain *d, unsigned long op)
 {
     u32 perm;
@@ -1247,6 +1282,11 @@ static int flask_hvm_set_pci_link_route(struct domain *d)
     return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__PCIROUTE);
 }
 
+static int flask_hvm_inject_msi(struct domain *d)
+{
+    return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__SEND_IRQ);
+}
+
 static int flask_mem_event(struct domain *d)
 {
     return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__MEM_EVENT);
@@ -1690,6 +1730,7 @@ static struct xsm_operations flask_ops = {
     .unmap_domain_pirq = flask_unmap_domain_pirq,
     .irq_permission = flask_irq_permission,
     .iomem_permission = flask_iomem_permission,
+    .iomem_mapping = flask_iomem_mapping,
     .pci_config_permission = flask_pci_config_permission,
 
     .resource_plug_core = flask_resource_plug_core,
@@ -1714,10 +1755,12 @@ static struct xsm_operations flask_ops = {
     .hypercall_init = flask_hypercall_init,
     .hvmcontext = flask_hvmcontext,
     .address_size = flask_address_size,
+    .machine_address_size = flask_machine_address_size,
     .hvm_param = flask_hvm_param,
     .hvm_set_pci_intx_level = flask_hvm_set_pci_intx_level,
     .hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level,
     .hvm_set_pci_link_route = flask_hvm_set_pci_link_route,
+    .hvm_inject_msi = flask_hvm_inject_msi,
     .mem_event = flask_mem_event,
     .mem_sharing = flask_mem_sharing,
     .apic = flask_apic,
@@ -1750,6 +1793,7 @@ static struct xsm_operations flask_ops = {
     .ext_vcpucontext = flask_ext_vcpucontext,
     .vcpuextstate = flask_vcpuextstate,
     .ioport_permission = flask_ioport_permission,
+    .ioport_mapping = flask_ioport_mapping,
 #endif
 };
 
diff --git a/xen/xsm/flask/policy/access_vectors 
b/xen/xsm/flask/policy/access_vectors
index 11d02da..ea65e45 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -80,6 +80,9 @@ class domain2
        relabelself
        make_priv_for
        set_as_target
+       set_cpuid
+       gettsc
+       settsc
 }
 
 class hvm
@@ -97,6 +100,8 @@ class hvm
     hvmctl
     mem_event
     mem_sharing
+    audit_p2m
+    send_irq
 }
 
 class event
-- 
1.7.11.7


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.