Skip to content

Commit

Permalink
xsm, argo: XSM control for any access to argo by a domain
Browse files Browse the repository at this point in the history
Will inhibit initialization of the domain's argo data structure to
prevent receiving any messages or notifications and access to any of
the argo hypercall operations.

Signed-off-by: Christopher Clark <[email protected]>
Acked-by: Daniel De Graaf <[email protected]>

v3 Daniel/Jan: add to the default xsm policy for enable
v3 Add Daniel's Acked-by
v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set
v2 self: fix xsm use in soft-reset prior to introduction
v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd
v1 #16 feedback Jan: apply const to function signatures
  • Loading branch information
dozylynx authored and Eric Chanudet committed Jan 25, 2019
1 parent f211cb1 commit 33c6a3d
Show file tree
Hide file tree
Showing 7 changed files with 29 additions and 7 deletions.
4 changes: 2 additions & 2 deletions tools/flask/policy/modules/guest_features.te
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,11 @@ allow domain_type xen_t:xen tmem_op;
# pmu_ctrl is for)
allow domain_type xen_t:xen2 pmu_use;

# Allow all domains:
# Allow all domains to enable the Argo interdomain communication hypercall;
# to register single-sender (unicast) rings to partner with any domain;
# to register any-sender (wildcard) rings that can be sent to by any domain;
# and send messages to rings.
allow domain_type xen_t:argo { register_any_source };
allow domain_type xen_t:argo { enable register_any_source };
allow domain_type domain_type:argo { send register_single_source };

# Allow guest console output to the serial console. This is used by PV Linux
Expand Down
10 changes: 5 additions & 5 deletions xen/common/argo.c
Original file line number Diff line number Diff line change
Expand Up @@ -2091,7 +2091,7 @@ do_argo_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg1,
argo_dprintk("->do_argo_op(%u,%p,%p,%lu,0x%lx)\n", cmd,
(void *)arg1.p, (void *)arg2.p, arg3, arg4);

if ( unlikely(!opt_argo) )
if ( unlikely(!opt_argo || xsm_argo_enable(currd)) )
return -EOPNOTSUPP;

switch (cmd)
Expand Down Expand Up @@ -2242,7 +2242,7 @@ argo_init(struct domain *d)
{
struct argo_domain *argo;

if ( !opt_argo )
if ( !opt_argo || xsm_argo_enable(d) )
{
argo_dprintk("argo disabled, domid: %u\n", d->domain_id);
return 0;
Expand Down Expand Up @@ -2299,9 +2299,9 @@ argo_soft_reset(struct domain *d)
wildcard_rings_pending_remove(d);

/*
* Since opt_argo cannot change at runtime, if d->argo is true then
* opt_argo must be true, and we can assume that init is allowed to
* proceed again here.
* Since neither opt_argo or xsm_argo_enable(d) can change at runtime,
* if d->argo is true then both opt_argo and xsm_argo_enable(d) must be
* true, and we can assume that init is allowed to proceed again here.
*/
argo_domain_init(d->argo);
}
Expand Down
5 changes: 5 additions & 0 deletions xen/include/xsm/dummy.h
Original file line number Diff line number Diff line change
Expand Up @@ -721,6 +721,11 @@ static XSM_INLINE int xsm_dm_op(XSM_DEFAULT_ARG struct domain *d)
#endif /* CONFIG_X86 */

#ifdef CONFIG_ARGO
static XSM_INLINE int xsm_argo_enable(struct domain *d)
{
return 0;
}

static XSM_INLINE int xsm_argo_register_single_source(struct domain *d,
struct domain *t)
{
Expand Down
6 changes: 6 additions & 0 deletions xen/include/xsm/xsm.h
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,7 @@ struct xsm_operations {
int (*xen_version) (uint32_t cmd);
int (*domain_resource_map) (struct domain *d);
#ifdef CONFIG_ARGO
int (*argo_enable) (const struct domain *d);
int (*argo_register_single_source) (const struct domain *d,
const struct domain *t);
int (*argo_register_any_source) (const struct domain *d);
Expand Down Expand Up @@ -705,6 +706,11 @@ static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d)
}

#ifdef CONFIG_ARGO
static inline xsm_argo_enable(const struct domain *d)
{
return xsm_ops->argo_enable(d);
}

static inline xsm_argo_register_single_source(const struct domain *d,
const struct domain *t)
{
Expand Down
1 change: 1 addition & 0 deletions xen/xsm/dummy.c
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,7 @@ void __init xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, xen_version);
set_to_dummy_if_null(ops, domain_resource_map);
#ifdef CONFIG_ARGO
set_to_dummy_if_null(ops, argo_enable);
set_to_dummy_if_null(ops, argo_register_single_source);
set_to_dummy_if_null(ops, argo_register_any_source);
set_to_dummy_if_null(ops, argo_send);
Expand Down
7 changes: 7 additions & 0 deletions xen/xsm/flask/hooks.c
Original file line number Diff line number Diff line change
Expand Up @@ -1720,6 +1720,12 @@ static int flask_domain_resource_map(struct domain *d)
}

#ifdef CONFIG_ARGO
static int flask_argo_enable(const struct domain *d)
{
return avc_has_perm(domain_sid(d), SECINITSID_XEN, SECCLASS_ARGO,
ARGO__ENABLE, NULL);
}

static int flask_argo_register_single_source(const struct domain *d,
const struct domain *t)
{
Expand Down Expand Up @@ -1875,6 +1881,7 @@ static struct xsm_operations flask_ops = {
.xen_version = flask_xen_version,
.domain_resource_map = flask_domain_resource_map,
#ifdef CONFIG_ARGO
.argo_enable = flask_argo_enable,
.argo_register_single_source = flask_argo_register_single_source,
.argo_register_any_source = flask_argo_register_any_source,
.argo_send = flask_argo_send,
Expand Down
3 changes: 3 additions & 0 deletions xen/xsm/flask/policy/access_vectors
Original file line number Diff line number Diff line change
Expand Up @@ -535,6 +535,9 @@ class version
# Class argo is used to describe the Argo interdomain communication system.
class argo
{
# Enable initialization of a domain's argo subsystem and
# permission to access the argo hypercall operations.
enable
# Domain requesting registration of a communication ring
# to receive messages from a specific other domain.
register_single_source
Expand Down

0 comments on commit 33c6a3d

Please sign in to comment.