[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v4 1/2] xsm: add Kconfig option for denied string
Add Kconfig option to make it possible to configure the string returned to non-privileged guests instead of the default "<denied>" which could propagate to UI / logs after the subsequent patch that hides detailed Xen version information from unprivileged guests. Introduce XENVER_denied_string to allow guests to set up UI / logs filtering which dependens on the new CONFIG_XSM_DENIED_STRING. Signed-off-by: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx> --- v3 --> v4: - Updated kconfig prompt description - Added XENVER_denied_string - Added #ifdef to fix build when CONFIG_XSM is not set v2 --> v3: - new patch --- xen/common/Kconfig | 8 ++++++++ xen/common/kernel.c | 11 +++++++++++ xen/common/version.c | 4 ++++ xen/include/public/version.h | 5 +++++ xen/include/xsm/dummy.h | 1 + 5 files changed, 29 insertions(+) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index a6914fcae9..4a1a9398cd 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -228,6 +228,14 @@ choice bool "SILO" if XSM_SILO endchoice +config XSM_DENIED_STRING + string "xen_version hypercall denied information replacement string" + default "<denied>" + depends on XSM + ---help--- + A string which substitutes sensitive information returned via + xen_version hypercall to non-privileged guests + config LATE_HWDOM bool "Dedicated hardware domain" default n diff --git a/xen/common/kernel.c b/xen/common/kernel.c index 22941cec94..1c22e5d167 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c @@ -561,6 +561,17 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) return sz; } + + case XENVER_denied_string: + { + xen_denied_string_t str; + + safe_strcpy(str, xen_deny()); + if ( copy_to_guest(arg, str, XEN_DENIED_STRING_LEN) ) + return -EFAULT; + + return 0; + } } return -ENOSYS; diff --git a/xen/common/version.c b/xen/common/version.c index 937eb1281c..fbd0ef4668 100644 --- a/xen/common/version.c +++ b/xen/common/version.c @@ -67,7 +67,11 @@ const char *xen_banner(void) const char *xen_deny(void) { +#ifdef CONFIG_XSM_DENIED_STRING + return CONFIG_XSM_DENIED_STRING; +#else return "<denied>"; +#endif } static const void *build_id_p __read_mostly; diff --git a/xen/include/public/version.h b/xen/include/public/version.h index 17a81e23cd..f65001d2d9 100644 --- a/xen/include/public/version.h +++ b/xen/include/public/version.h @@ -100,6 +100,11 @@ struct xen_build_id { }; typedef struct xen_build_id xen_build_id_t; +/* arg == xen_denied_string_t. */ +#define XENVER_denied_string 11 +typedef char xen_denied_string_t[64]; +#define XEN_DENIED_STRING_LEN (sizeof(xen_denied_string_t)) + #endif /* __XEN_PUBLIC_VERSION_H__ */ /* diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index b8e185e6fa..72a101b106 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -748,6 +748,7 @@ static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op) case XENVER_version: case XENVER_platform_parameters: case XENVER_get_features: + case XENVER_denied_string: /* These sub-ops ignore the permission checks and return data. */ return 0; case XENVER_extraversion: -- 2.17.1 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |