From: Christopher Clark <christopher.w.clark@gmail.com>
To: xen-devel@lists.xenproject.org, Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
Ross Philipson <ross.philipson@gmail.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Jason Andryuk <jandryuk@gmail.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Rich Persaud <persaur@gmail.com>, Tim Deegan <tim@xen.org>,
Daniel Smith <dpsmith@apertussolutions.com>,
Julien Grall <julien.grall@arm.com>,
Paul Durrant <paul.durrant@citrix.com>,
Jan Beulich <jbeulich@suse.com>,
James McKenzie <james@bromium.com>,
Eric Chanudet <eric.chanudet@gmail.com>,
Roger Pau Monne <roger.pau@citrix.com>
Subject: [PATCH v2 15/18] xsm, argo: XSM control for any access to argo by a domain
Date: Wed, 19 Dec 2018 22:39:12 -0800 [thread overview]
Message-ID: <1545287955-27684-16-git-send-email-christopher.w.clark@gmail.com> (raw)
In-Reply-To: <1545287955-27684-1-git-send-email-christopher.w.clark@gmail.com>
Will inhibit initialization of the domain's argo data structure to
prevent receiving any messages or notifications and access to any of
the argo hypercall operations.
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
---
Changes since v1:
v1 #5 (#17) feedback Paul: XSM control for any access: use currd
v1 #16 feedback Jan: apply const to function signatures
xen/common/argo.c | 4 ++--
xen/include/xsm/dummy.h | 5 +++++
xen/include/xsm/xsm.h | 6 ++++++
xen/xsm/dummy.c | 1 +
xen/xsm/flask/hooks.c | 7 +++++++
xen/xsm/flask/policy/access_vectors | 3 +++
6 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/xen/common/argo.c b/xen/common/argo.c
index 6fbd0a6..1f16872 100644
--- a/xen/common/argo.c
+++ b/xen/common/argo.c
@@ -1981,7 +1981,7 @@ do_argo_message_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg1,
argo_dprintk("->do_argo_message_op(%u,%p,%p,%d,%d)\n", cmd,
(void *)arg1.p, (void *)arg2.p, (int) arg3, (int) arg4);
- if ( unlikely(!opt_argo_enabled) )
+ if ( unlikely(!opt_argo_enabled || xsm_argo_enable(currd)) )
{
rc = -EOPNOTSUPP;
return rc;
@@ -2119,7 +2119,7 @@ argo_init(struct domain *d)
{
struct argo_domain *argo;
- if ( !opt_argo_enabled )
+ if ( !opt_argo_enabled || xsm_argo_enable(d) )
{
argo_dprintk("argo disabled, domid: %d\n", d->domain_id);
return 0;
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 05d10b5..91a21c3 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -721,6 +721,11 @@ static XSM_INLINE int xsm_dm_op(XSM_DEFAULT_ARG struct domain *d)
#endif /* CONFIG_X86 */
#ifdef CONFIG_ARGO
+static XSM_INLINE int xsm_argo_enable(struct domain *d)
+{
+ return 0;
+}
+
static XSM_INLINE int xsm_argo_register_single_source(struct domain *d,
struct domain *t)
{
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 4d4a60c..e300ebc 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -182,6 +182,7 @@ struct xsm_operations {
int (*xen_version) (uint32_t cmd);
int (*domain_resource_map) (struct domain *d);
#ifdef CONFIG_ARGO
+ int (*argo_enable) (const struct domain *d);
int (*argo_register_single_source) (const struct domain *d,
const struct domain *t);
int (*argo_register_any_source) (const struct domain *d);
@@ -705,6 +706,11 @@ static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d)
}
#ifdef CONFIG_ARGO
+static inline xsm_argo_enable(const struct domain *d)
+{
+ return xsm_ops->argo_enable(d);
+}
+
static inline xsm_argo_register_single_source(const struct domain *d,
const struct domain *t)
{
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index ffac774..1fe0e74 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -153,6 +153,7 @@ void __init xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, xen_version);
set_to_dummy_if_null(ops, domain_resource_map);
#ifdef CONFIG_ARGO
+ set_to_dummy_if_null(ops, argo_enable);
set_to_dummy_if_null(ops, argo_register_single_source);
set_to_dummy_if_null(ops, argo_register_any_source);
set_to_dummy_if_null(ops, argo_send);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 76c012c..3d00c74 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1720,6 +1720,12 @@ static int flask_domain_resource_map(struct domain *d)
}
#ifdef CONFIG_ARGO
+static int flask_argo_enable(const struct domain *d)
+{
+ return avc_has_perm(domain_sid(d), SECINITSID_XEN, SECCLASS_ARGO,
+ ARGO__ENABLE, NULL);
+}
+
static int flask_argo_register_single_source(const struct domain *d,
const struct domain *t)
{
@@ -1875,6 +1881,7 @@ static struct xsm_operations flask_ops = {
.xen_version = flask_xen_version,
.domain_resource_map = flask_domain_resource_map,
#ifdef CONFIG_ARGO
+ .argo_enable = flask_argo_enable,
.argo_register_single_source = flask_argo_register_single_source,
.argo_register_any_source = flask_argo_register_any_source,
.argo_send = flask_argo_send,
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index f6c5377..e00448b 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -535,6 +535,9 @@ class version
# Class argo is used to describe the Argo interdomain communication system.
class argo
{
+ # Enable initialization of a domain's argo subsystem and
+ # permission to access the argo hypercall operations.
+ enable
# Domain requesting registration of a communication ring
# to receive messages from a specific other domain.
register_single_source
--
2.7.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2018-12-20 6:40 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-20 6:38 [PATCH v2 00/18] Argo: hypervisor-mediated interdomain communication Christopher Clark
2018-12-20 6:38 ` [PATCH v2 01/18] argo: Introduce the Kconfig option to govern inclusion of Argo Christopher Clark
2018-12-20 9:00 ` Jan Beulich
2018-12-20 6:38 ` [PATCH v2 02/18] argo: introduce the argo_message_op hypercall boilerplate Christopher Clark
2018-12-20 15:18 ` Jan Beulich
2018-12-20 6:39 ` [PATCH v2 03/18] argo: define argo_dprintk for subsystem debugging Christopher Clark
2018-12-20 15:20 ` Jan Beulich
2018-12-20 6:39 ` [PATCH v2 04/18] argo: init, destroy and soft-reset, with enable command line opt Christopher Clark
2018-12-20 14:41 ` Lars Kurth
2018-12-20 6:39 ` [PATCH v2 05/18] xen: add simple errno-returning macros for copy from guest Christopher Clark
2018-12-20 6:39 ` [PATCH v2 06/18] xen: add XEN_GUEST_HANDLE_NULL macros for null XEN_GUEST_HANDLE Christopher Clark
2018-12-20 6:39 ` [PATCH v2 07/18] errno: add POSIX error codes EMSGSIZE, ECONNREFUSED to the ABI Christopher Clark
2018-12-20 15:22 ` Jan Beulich
2018-12-20 6:39 ` [PATCH v2 08/18] xen/arm: introduce guest_handle_for_field() Christopher Clark
2018-12-20 6:39 ` [PATCH v2 09/18] xsm, argo: XSM control for argo register; add argo_mac bootparam Christopher Clark
2018-12-20 15:29 ` Jan Beulich
2018-12-20 6:39 ` [PATCH v2 10/18] xsm, argo: XSM control for argo message send operation Christopher Clark
2018-12-20 6:39 ` [PATCH v2 11/18] argo: implement the register op Christopher Clark
2018-12-20 11:20 ` Julien Grall
2018-12-21 1:17 ` Christopher Clark
2018-12-21 12:21 ` Julien Grall
2018-12-20 6:39 ` [PATCH v2 12/18] argo: implement the unregister op Christopher Clark
2018-12-20 6:39 ` [PATCH v2 13/18] argo: implement the sendv op; evtchn: expose send_guest_global_virq Christopher Clark
2018-12-20 6:39 ` [PATCH v2 14/18] argo: implement the notify op Christopher Clark
2018-12-20 6:39 ` Christopher Clark [this message]
2018-12-20 6:39 ` [PATCH v2 16/18] xsm, argo: notify: don't describe rings that cannot be sent to Christopher Clark
2018-12-20 6:39 ` [PATCH v2 17/18] argo: validate hypercall arg structures via compat machinery Christopher Clark
2018-12-20 6:39 ` [PATCH v2 18/18] argo: unmap rings on suspend; signal ring-owners on resume Christopher Clark
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1545287955-27684-16-git-send-email-christopher.w.clark@gmail.com \
--to=christopher.w.clark@gmail.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=dpsmith@apertussolutions.com \
--cc=eric.chanudet@gmail.com \
--cc=ian.jackson@eu.citrix.com \
--cc=james@bromium.com \
--cc=jandryuk@gmail.com \
--cc=jbeulich@suse.com \
--cc=julien.grall@arm.com \
--cc=konrad.wilk@oracle.com \
--cc=paul.durrant@citrix.com \
--cc=persaur@gmail.com \
--cc=roger.pau@citrix.com \
--cc=ross.philipson@gmail.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.