|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 2/2] hvm: convert access check for nested HVM to XSM
This adds an XSM hook for enabling nested HVM support, replacing an
IS_PRIV check. This hook is a partial duplicate with the xsm_hvm_param
hook, but using the existing hook would require adding the index to the
hook and would require the use of a custom hook for the xsm-disabled
case (using XSM_OTHER, which is less immediately readable) - whereas
adding a new hook retains the clarity of the existing code.
Defining this new permission allows a security policy writer to allow
only certain guest types to use nested HVM features, or to disable it
completely.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Cc: Ian Campbell <ian.campbell@xxxxxxxxxx>
Cc: Jan Beulich <JBeulich@xxxxxxxx>
Cc: Keir Fraser <keir@xxxxxxx>
---
tools/flask/policy/policy/modules/xen/xen.if | 3 ++-
xen/arch/x86/hvm/hvm.c | 6 ++----
xen/include/xsm/dummy.h | 6 ++++++
xen/include/xsm/xsm.h | 6 ++++++
xen/xsm/dummy.c | 1 +
xen/xsm/flask/hooks.c | 6 ++++++
xen/xsm/flask/policy/access_vectors | 2 ++
7 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.if
b/tools/flask/policy/policy/modules/xen/xen.if
index fbb329d..f6f24a5 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -54,7 +54,8 @@ define(`create_domain_common', `
allow $1 $2:shadow enable;
allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
mmuext_op };
allow $1 $2:grant setup;
- allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
setparam pcilevel trackdirtyvram };
+ allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
+ setparam pcilevel trackdirtyvram nested };
')
# create_domain(priv, target)
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index ea7adf6..49b656e 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3911,11 +3911,9 @@ long do_hvm_op(unsigned long op,
XEN_GUEST_HANDLE_PARAM(void) arg)
rc = -EINVAL;
break;
case HVM_PARAM_NESTEDHVM:
- if ( !IS_PRIV(current->domain) )
- {
- rc = -EPERM;
+ rc = xsm_hvm_param_nested(XSM_PRIV, d);
+ if ( rc )
break;
- }
if ( a.value > 1 )
rc = -EINVAL;
/* Remove the check below once we have
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 7986cda..4d63cf1 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -491,6 +491,12 @@ static XSM_INLINE int xsm_hvm_param(XSM_DEFAULT_ARG struct
domain *d, unsigned l
return xsm_default_action(action, current->domain, d);
}
+static XSM_INLINE int xsm_hvm_param_nested(XSM_DEFAULT_ARG struct domain *d)
+{
+ XSM_ASSERT_ACTION(XSM_PRIV);
+ return xsm_default_action(action, current->domain, d);
+}
+
#ifdef CONFIG_X86
static XSM_INLINE int xsm_shadow_control(XSM_DEFAULT_ARG struct domain *d,
uint32_t op)
{
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index d8ee0c8..9d3f214 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -133,6 +133,7 @@ struct xsm_operations {
long (*do_xsm_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
int (*hvm_param) (struct domain *d, unsigned long op);
+ int (*hvm_param_nested) (struct domain *d);
#ifdef CONFIG_X86
int (*shadow_control) (struct domain *d, uint32_t op);
@@ -511,6 +512,11 @@ static inline int xsm_hvm_param (xsm_default_t def, struct
domain *d, unsigned l
return xsm_ops->hvm_param(d, op);
}
+static inline int xsm_hvm_param_nested (xsm_default_t def, struct domain *d)
+{
+ return xsm_ops->hvm_param_nested(d);
+}
+
#ifdef CONFIG_X86
static inline int xsm_shadow_control (xsm_default_t def, struct domain *d,
uint32_t op)
{
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 7235d82..49f4fb8 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -104,6 +104,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, tmem_op);
set_to_dummy_if_null(ops, tmem_control);
set_to_dummy_if_null(ops, hvm_param);
+ set_to_dummy_if_null(ops, hvm_param_nested);
set_to_dummy_if_null(ops, do_xsm_op);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index ca42891..7909ad5 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1107,6 +1107,11 @@ static int flask_hvm_param(struct domain *d, unsigned
long op)
return current_has_perm(d, SECCLASS_HVM, perm);
}
+static int flask_hvm_param_nested(struct domain *d)
+{
+ return current_has_perm(d, SECCLASS_HVM, HVM__NESTED);
+}
+
#ifdef CONFIG_X86
static int flask_shadow_control(struct domain *d, uint32_t op)
{
@@ -1524,6 +1529,7 @@ static struct xsm_operations flask_ops = {
.tmem_op = flask_tmem_op,
.tmem_control = flask_tmem_control,
.hvm_param = flask_hvm_param,
+ .hvm_param_nested = flask_hvm_param_nested,
.do_xsm_op = do_flask_op,
diff --git a/xen/xsm/flask/policy/access_vectors
b/xen/xsm/flask/policy/access_vectors
index 05bb52e..0b83fbb 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -242,6 +242,8 @@ class hvm
# source = domain whose memory is being shared
# target = client domain
share_mem
+# HVMOP_set_param setting HVM_PARAM_NESTEDHVM
+ nested
}
# Class event describes event channels. Interdomain event channels have their
--
1.8.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |