From 33c6a3d5487db7d3e884cebdefa20c2d861b2ecf Mon Sep 17 00:00:00 2001 From: Christopher Clark Date: Wed, 23 Jan 2019 18:05:01 -0800 Subject: [PATCH] xsm, argo: XSM control for any access to argo by a domain Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark Acked-by: Daniel De Graaf v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 #04 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 #5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures --- tools/flask/policy/modules/guest_features.te | 4 ++-- xen/common/argo.c | 10 +++++----- xen/include/xsm/dummy.h | 5 +++++ xen/include/xsm/xsm.h | 6 ++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 7 +++++++ xen/xsm/flask/policy/access_vectors | 3 +++ 7 files changed, 29 insertions(+), 7 deletions(-) diff --git a/tools/flask/policy/modules/guest_features.te b/tools/flask/policy/modules/guest_features.te index ca52257ca4a8..fe4835db5b46 100644 --- a/tools/flask/policy/modules/guest_features.te +++ b/tools/flask/policy/modules/guest_features.te @@ -5,11 +5,11 @@ allow domain_type xen_t:xen tmem_op; # pmu_ctrl is for) allow domain_type xen_t:xen2 pmu_use; -# Allow all domains: +# Allow all domains to enable the Argo interdomain communication hypercall; # to register single-sender (unicast) rings to partner with any domain; # to register any-sender (wildcard) rings that can be sent to by any domain; # and send messages to rings. -allow domain_type xen_t:argo { register_any_source }; +allow domain_type xen_t:argo { enable register_any_source }; allow domain_type domain_type:argo { send register_single_source }; # Allow guest console output to the serial console. This is used by PV Linux diff --git a/xen/common/argo.c b/xen/common/argo.c index 8eabf9994a36..ba9c1d6879b3 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -2091,7 +2091,7 @@ do_argo_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg1, argo_dprintk("->do_argo_op(%u,%p,%p,%lu,0x%lx)\n", cmd, (void *)arg1.p, (void *)arg2.p, arg3, arg4); - if ( unlikely(!opt_argo) ) + if ( unlikely(!opt_argo || xsm_argo_enable(currd)) ) return -EOPNOTSUPP; switch (cmd) @@ -2242,7 +2242,7 @@ argo_init(struct domain *d) { struct argo_domain *argo; - if ( !opt_argo ) + if ( !opt_argo || xsm_argo_enable(d) ) { argo_dprintk("argo disabled, domid: %u\n", d->domain_id); return 0; @@ -2299,9 +2299,9 @@ argo_soft_reset(struct domain *d) wildcard_rings_pending_remove(d); /* - * Since opt_argo cannot change at runtime, if d->argo is true then - * opt_argo must be true, and we can assume that init is allowed to - * proceed again here. + * Since neither opt_argo or xsm_argo_enable(d) can change at runtime, + * if d->argo is true then both opt_argo and xsm_argo_enable(d) must be + * true, and we can assume that init is allowed to proceed again here. */ argo_domain_init(d->argo); } diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7daf1f0b277a..56d7865a4b71 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -721,6 +721,11 @@ static XSM_INLINE int xsm_dm_op(XSM_DEFAULT_ARG struct domain *d) #endif /* CONFIG_X86 */ #ifdef CONFIG_ARGO +static XSM_INLINE int xsm_argo_enable(struct domain *d) +{ + return 0; +} + static XSM_INLINE int xsm_argo_register_single_source(struct domain *d, struct domain *t) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 7c69efe9c18c..8daffaecc981 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -182,6 +182,7 @@ struct xsm_operations { int (*xen_version) (uint32_t cmd); int (*domain_resource_map) (struct domain *d); #ifdef CONFIG_ARGO + int (*argo_enable) (const struct domain *d); int (*argo_register_single_source) (const struct domain *d, const struct domain *t); int (*argo_register_any_source) (const struct domain *d); @@ -705,6 +706,11 @@ static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d) } #ifdef CONFIG_ARGO +static inline xsm_argo_enable(const struct domain *d) +{ + return xsm_ops->argo_enable(d); +} + static inline xsm_argo_register_single_source(const struct domain *d, const struct domain *t) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index ffac774126ec..1fe0e746fa6f 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -153,6 +153,7 @@ void __init xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, xen_version); set_to_dummy_if_null(ops, domain_resource_map); #ifdef CONFIG_ARGO + set_to_dummy_if_null(ops, argo_enable); set_to_dummy_if_null(ops, argo_register_single_source); set_to_dummy_if_null(ops, argo_register_any_source); set_to_dummy_if_null(ops, argo_send); diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8c560b73a06a..04b706b2fe0b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1720,6 +1720,12 @@ static int flask_domain_resource_map(struct domain *d) } #ifdef CONFIG_ARGO +static int flask_argo_enable(const struct domain *d) +{ + return avc_has_perm(domain_sid(d), SECINITSID_XEN, SECCLASS_ARGO, + ARGO__ENABLE, NULL); +} + static int flask_argo_register_single_source(const struct domain *d, const struct domain *t) { @@ -1875,6 +1881,7 @@ static struct xsm_operations flask_ops = { .xen_version = flask_xen_version, .domain_resource_map = flask_domain_resource_map, #ifdef CONFIG_ARGO + .argo_enable = flask_argo_enable, .argo_register_single_source = flask_argo_register_single_source, .argo_register_any_source = flask_argo_register_any_source, .argo_send = flask_argo_send, diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index f6c53770608d..e00448b77602 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -535,6 +535,9 @@ class version # Class argo is used to describe the Argo interdomain communication system. class argo { + # Enable initialization of a domain's argo subsystem and + # permission to access the argo hypercall operations. + enable # Domain requesting registration of a communication ring # to receive messages from a specific other domain. register_single_source