From patchwork Fri Feb 12 18:05:50 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Konrad Rzeszutek Wilk X-Patchwork-Id: 8294851 Return-Path: X-Original-To: patchwork-xen-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 0F6E6C02AA for ; Fri, 12 Feb 2016 18:09:08 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 9D35C2041F for ; Fri, 12 Feb 2016 18:09:06 +0000 (UTC) Received: from lists.xen.org (lists.xenproject.org [50.57.142.19]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 17C0E20437 for ; Fri, 12 Feb 2016 18:09:05 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aUI7n-0006mN-84; Fri, 12 Feb 2016 18:07:23 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aUI7P-00063u-2C for xen-devel@lists.xen.org; Fri, 12 Feb 2016 18:06:59 +0000 Received: from [193.109.254.147] by server-7.bemta-14.messagelabs.com id 67/E4-29985-24F1EB65; Fri, 12 Feb 2016 18:06:58 +0000 X-Env-Sender: konrad@char.us.oracle.com X-Msg-Ref: server-6.tower-27.messagelabs.com!1455300416!23472164!1 X-Originating-IP: [156.151.31.81] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogMTU2LjE1MS4zMS44MSA9PiAyODgzMzk=\n X-StarScan-Received: X-StarScan-Version: 7.35.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 41068 invoked from network); 12 Feb 2016 18:06:57 -0000 Received: from userp1040.oracle.com (HELO userp1040.oracle.com) (156.151.31.81) by server-6.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2016 18:06:57 -0000 Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u1CI6hpO004461 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 12 Feb 2016 18:06:43 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0022.oracle.com (8.13.8/8.13.8) with ESMTP id u1CI6goa023412 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 12 Feb 2016 18:06:42 GMT Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id u1CI6g7L024665; Fri, 12 Feb 2016 18:06:42 GMT Received: from char.us.oracle.com (/10.137.176.158) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 12 Feb 2016 10:06:42 -0800 Received: by char.us.oracle.com (Postfix, from userid 1000) id 59D9E6A4BF0; Fri, 12 Feb 2016 13:06:40 -0500 (EST) From: Konrad Rzeszutek Wilk To: xen-devel@lists.xenproject.org, andrew.cooper3@citrix.com, konrad@kernel.org, mpohlack@amazon.de, ross.lagerwall@citrix.com, sasha.levin@citrix.com, jinsong.liu@alibaba-inc.com, Daniel De Graaf , Ian Jackson , Stefano Stabellini , Ian Campbell , Wei Liu , xen-devel@lists.xen.org Date: Fri, 12 Feb 2016 13:05:50 -0500 Message-Id: <1455300361-13092-13-git-send-email-konrad.wilk@oracle.com> X-Mailer: git-send-email 2.1.0 In-Reply-To: <1455300361-13092-1-git-send-email-konrad.wilk@oracle.com> References: <1455300361-13092-1-git-send-email-konrad.wilk@oracle.com> X-Source-IP: aserv0022.oracle.com [141.146.126.234] Cc: Konrad Rzeszutek Wilk Subject: [Xen-devel] [PATCH v3 12/23] xsm/xen_version: Add XSM for the xen_version hypercall (v8). X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP All of XENVER_* have now an XSM check for their sub-ops. The subop for XENVER_commandline is now a priviliged operation. To not break guests we still return an string - but it is just '\0'. The rest: XENVER_[version|extraversion|capabilities| parameters|get_features|page_size|guest_handle|changeset| compile_info] behave as before - allowed by default for all guests if using the XSM default policy or with the dummy one. The admin can choose to change the sub-ops to be denied as they see fit. Signed-off-by: Konrad Rzeszutek Wilk Acked-by: Daniel De Graaf --- v2: Do XSM check for all the XENVER_ ops. v3: Add empty data conditions. v4: Return for priv subops. v5: Move extraversion from priv to normal. Drop the XSM check for the non-priv subops. v6: Add +1 for strlen(xen_deny()) to include NULL. Move changeset, compile_info to non-priv subops. v7: Remove the \0 on xen_deny() v8: Add new XSM domain for xenver hypercall. Add all subops to it. --- tools/flask/policy/policy/modules/xen/xen.te | 13 +++++++ xen/common/kernel.c | 53 +++++++++++++++++++++------- xen/common/version.c | 5 +++ xen/include/xen/version.h | 1 + xen/include/xsm/dummy.h | 22 ++++++++++++ xen/include/xsm/xsm.h | 5 +++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 44 +++++++++++++++++++++++ xen/xsm/flask/policy/access_vectors | 28 +++++++++++++++ xen/xsm/flask/policy/security_classes | 1 + 10 files changed, 161 insertions(+), 12 deletions(-) diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 542c3e1..9ad648a 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -74,6 +74,14 @@ allow dom0_t xen_t:xen2 { get_symbol xsplice_op }; + +# Allow dom0 to use all XENVER_ subops +# Note that dom0 is part of domain_type so this has duplicates. +allow dom0_t xen_t:version { + version extraversion compile_info capabilities changeset + platform_parameters get_features pagesize guest_handle commandline +}; + allow dom0_t xen_t:mmu memorymap; # Allow dom0 to use these domctls on itself. For domctls acting on other @@ -138,6 +146,11 @@ if (guest_writeconsole) { # pmu_ctrl is for) allow domain_type xen_t:xen2 pmu_use; +# For normal guests all except XENVER_commandline +allow domain_type xen_t:version { + version extraversion compile_info capabilities changeset + platform_parameters get_features pagesize guest_handle +}; ############################################################################### # # Domain creation diff --git a/xen/common/kernel.c b/xen/common/kernel.c index 0618da2..a5e3f0e 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -223,12 +224,15 @@ void __init do_initcalls(void) /* * Simple hypercalls. */ - DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) { + bool_t deny = !!xsm_version_op(XSM_OTHER, cmd); + switch ( cmd ) { case XENVER_version: + if ( deny ) + return 0; return (xen_major_version() << 16) | xen_minor_version(); case XENVER_extraversion: @@ -236,7 +240,7 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) xen_extraversion_t extraversion; memset(extraversion, 0, sizeof(extraversion)); - safe_strcpy(extraversion, xen_extra_version()); + safe_strcpy(extraversion, deny ? xen_deny() : xen_extra_version()); if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) ) return -EFAULT; return 0; @@ -247,10 +251,10 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) xen_compile_info_t info; memset(&info, 0, sizeof(info)); - safe_strcpy(info.compiler, xen_compiler()); - safe_strcpy(info.compile_by, xen_compile_by()); - safe_strcpy(info.compile_domain, xen_compile_domain()); - safe_strcpy(info.compile_date, xen_compile_date()); + safe_strcpy(info.compiler, deny ? xen_deny() : xen_compiler()); + safe_strcpy(info.compile_by, deny ? xen_deny() : xen_compile_by()); + safe_strcpy(info.compile_domain, deny ? xen_deny() : xen_compile_domain()); + safe_strcpy(info.compile_date, deny ? xen_deny() : xen_compile_date()); if ( copy_to_guest(arg, &info, 1) ) return -EFAULT; return 0; @@ -261,7 +265,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) xen_capabilities_info_t info; memset(info, 0, sizeof(info)); - arch_get_xen_caps(&info); + if ( !deny ) + arch_get_xen_caps(&info); if ( copy_to_guest(arg, info, ARRAY_SIZE(info)) ) return -EFAULT; @@ -274,6 +279,9 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) .virt_start = HYPERVISOR_VIRT_START }; + if ( deny ) + params.virt_start = 0; + if ( copy_to_guest(arg, ¶ms, 1) ) return -EFAULT; return 0; @@ -285,7 +293,7 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) xen_changeset_info_t chgset; memset(chgset, 0, sizeof(chgset)); - safe_strcpy(chgset, xen_changeset()); + safe_strcpy(chgset, deny ? xen_deny() : xen_changeset()); if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) ) return -EFAULT; return 0; @@ -302,6 +310,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) switch ( fi.submap_idx ) { case 0: + if ( deny ) + break; fi.submap = (1U << XENFEAT_memory_op_vnode_supported); if ( VM_ASSIST(d, pae_extended_cr3) ) fi.submap |= (1U << XENFEAT_pae_pgdir_above_4gb); @@ -342,19 +352,38 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) } case XENVER_pagesize: + if ( deny ) + return 0; return (!guest_handle_is_null(arg) ? -EINVAL : PAGE_SIZE); case XENVER_guest_handle: - if ( copy_to_guest(arg, current->domain->handle, - ARRAY_SIZE(current->domain->handle)) ) + { + xen_domain_handle_t hdl; + ssize_t len; + + if ( deny ) + { + len = sizeof(hdl); + memset(&hdl, 0, len); + } else + len = ARRAY_SIZE(current->domain->handle); + + if ( copy_to_guest(arg, deny ? hdl : current->domain->handle, len ) ) return -EFAULT; return 0; - + } case XENVER_commandline: - if ( copy_to_guest(arg, saved_cmdline, ARRAY_SIZE(saved_cmdline)) ) + { + size_t len = ARRAY_SIZE(saved_cmdline); + + if ( deny ) + len = strlen(xen_deny()) + 1; + + if ( copy_to_guest(arg, deny ? xen_deny() : saved_cmdline, len) ) return -EFAULT; return 0; } + } return -ENOSYS; } diff --git a/xen/common/version.c b/xen/common/version.c index b152e27..786be4e 100644 --- a/xen/common/version.c +++ b/xen/common/version.c @@ -55,3 +55,8 @@ const char *xen_banner(void) { return XEN_BANNER; } + +const char *xen_deny(void) +{ + return ""; +} diff --git a/xen/include/xen/version.h b/xen/include/xen/version.h index 81a3c7d..2015c0b 100644 --- a/xen/include/xen/version.h +++ b/xen/include/xen/version.h @@ -12,5 +12,6 @@ unsigned int xen_minor_version(void); const char *xen_extra_version(void); const char *xen_changeset(void); const char *xen_banner(void); +const char *xen_deny(void); #endif /* __XEN_VERSION_H__ */ diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 1d13826..9fcc57a 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -727,3 +727,25 @@ static XSM_INLINE int xsm_pmu_op (XSM_DEFAULT_ARG struct domain *d, unsigned int } #endif /* CONFIG_X86 */ + +#include +static XSM_INLINE int xsm_version_op (XSM_DEFAULT_ARG uint32_t op) +{ + XSM_ASSERT_ACTION(XSM_OTHER); + switch ( op ) + { + case XENVER_version: + case XENVER_extraversion: + case XENVER_compile_info: + case XENVER_capabilities: + case XENVER_changeset: + case XENVER_platform_parameters: + case XENVER_get_features: + case XENVER_pagesize: + case XENVER_guest_handle: + /* These MUST always be accessible to any guest by default. */ + return xsm_default_action(XSM_HOOK, current->domain, NULL); + default: + return xsm_default_action(XSM_PRIV, current->domain, NULL); + } +} diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 3afed70..2c3b1c0 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -193,6 +193,7 @@ struct xsm_operations { int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t allow); int (*pmu_op) (struct domain *d, unsigned int op); #endif + int (*version_op) (uint32_t cmd); }; #ifdef CONFIG_XSM @@ -731,6 +732,10 @@ static inline int xsm_pmu_op (xsm_default_t def, struct domain *d, unsigned int #endif /* CONFIG_X86 */ +static inline int xsm_version_op (xsm_default_t def, uint32_t op) +{ + return xsm_ops->version_op(op); +} #endif /* XSM_NO_WRAPPERS */ #ifdef CONFIG_MULTIBOOT diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 0f32636..1469dce 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -162,4 +162,5 @@ void xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, ioport_mapping); set_to_dummy_if_null(ops, pmu_op); #endif + set_to_dummy_if_null(ops, version_op); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c856e1e..7e3bcdd 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -26,6 +26,7 @@ #include #include #include +#include #include @@ -1626,6 +1627,48 @@ static int flask_pmu_op (struct domain *d, unsigned int op) } #endif /* CONFIG_X86 */ +static int flask_version_op (uint32_t op) +{ + u32 dsid = domain_sid(current->domain); + + switch ( op ) + { + case XENVER_version: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__VERSION, NULL); + case XENVER_extraversion: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__EXTRAVERSION, NULL); + case XENVER_compile_info: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__COMPILE_INFO, NULL); + case XENVER_capabilities: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__CAPABILITIES, NULL); + case XENVER_changeset: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__CHANGESET, NULL); + case XENVER_platform_parameters: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__PLATFORM_PARAMETERS, NULL); + case XENVER_get_features: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__GET_FEATURES, NULL); + case XENVER_pagesize: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__PAGESIZE, NULL); + case XENVER_guest_handle: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__GUEST_HANDLE, NULL); + return 0; /* These MUST always be accessible to guests. */ + case XENVER_commandline: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__COMMANDLINE, NULL); + default: + return -EPERM; + } +} + long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op); int compat_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op); @@ -1764,6 +1807,7 @@ static struct xsm_operations flask_ops = { .ioport_mapping = flask_ioport_mapping, .pmu_op = flask_pmu_op, #endif + .version_op = flask_version_op, }; static __init void flask_init(void) diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 5f08d05..7cb32de 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -497,3 +497,31 @@ class security # remove ocontext label definitions for resources del_ocontext } + +# Class version is used to describe the XENVER_ hypercall. +# Each sub-ops is described here - in the default case all of them should +# be allowed except the XENVER_commandline. +# +class version +{ +# Often called by PV kernels to force an callback. + version +# Extra informations (-unstable). + extraversion +# Compile information of the hypervisor. + compile_info +# Such as "xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64". + capabilities +# Such as the virtual address of where the hypervisor resides. + platform_parameters +# Source code changeset. + changeset +# The features the hypervisor supports. + get_features +# Page size the hypervisor uses. + pagesize +# An value that the control stack can choose. + guest_handle +# Xen command line. + commandline +} diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes index ca191db..cde4e1a 100644 --- a/xen/xsm/flask/policy/security_classes +++ b/xen/xsm/flask/policy/security_classes @@ -18,5 +18,6 @@ class shadow class event class grant class security +class version # FLASK