
[RFC,08/10] xsm-silo: convert silo over to domain roles

Message ID 20210514205437.13661-9-dpsmith@apertussolutions.com (mailing list archive)
State New, archived
Series xsm: introducing domain roles | expand

Commit Message

Daniel P. Smith May 14, 2021, 8:54 p.m. UTC
This converts the SILO XSM module to function as an extension to the domain
roles system to implement an extended enforcement policy.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 xen/xsm/silo.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

Comments

Jan Beulich July 8, 2021, 1:17 p.m. UTC | #1
On 14.05.2021 22:54, Daniel P. Smith wrote:
> --- a/xen/xsm/silo.c
> +++ b/xen/xsm/silo.c
> @@ -17,9 +17,11 @@
>   * You should have received a copy of the GNU General Public License along with
>   * this program; If not, see <http://www.gnu.org/licenses/>.
>   */
> -#define XSM_NO_WRAPPERS
> -#include <xsm/dummy.h>
>  
> +#include <xsm/xsm.h>
> +#include <xsm/roles.h>
> +
> +#define SILO_ALLOWED_ROLES ( XSM_DOM_SUPER | XSM_DEV_BACK )

Assuming XSM_DEV_BACK means (or at least may also mean) a backend outside
of Dom0 serving another domain's frontend, ...

> @@ -29,8 +31,10 @@ static bool silo_mode_dom_check(const struct domain *ldom,
>  {
>      const struct domain *currd = current->domain;
>  
> -    return (is_control_domain(currd) || is_control_domain(ldom) ||
> -            is_control_domain(rdom) || ldom == rdom);
> +    return ( currd->xsm_roles & SILO_ALLOWED_ROLES ||
> +            ldom->xsm_roles & SILO_ALLOWED_ROLES ||
> +            rdom->xsm_roles & SILO_ALLOWED_ROLES ||
> +            ldom == rdom );

... I don't think this is an appropriate conversion. Aiui a backend in
a driver domain is out of reach for a domain in SILO mode.

Jan

Patch

diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c
index 4850756a3d..3b3ca8fb84 100644
--- a/xen/xsm/silo.c
+++ b/xen/xsm/silo.c
@@ -17,9 +17,11 @@ 
  * You should have received a copy of the GNU General Public License along with
  * this program; If not, see <http://www.gnu.org/licenses/>.
  */
-#define XSM_NO_WRAPPERS
-#include <xsm/dummy.h>
 
+#include <xsm/xsm.h>
+#include <xsm/roles.h>
+
+#define SILO_ALLOWED_ROLES ( XSM_DOM_SUPER | XSM_DEV_BACK )
 /*
  * Check if inter-domain communication is allowed.
  * Return true when pass check.
@@ -29,8 +31,10 @@  static bool silo_mode_dom_check(const struct domain *ldom,
 {
     const struct domain *currd = current->domain;
 
-    return (is_control_domain(currd) || is_control_domain(ldom) ||
-            is_control_domain(rdom) || ldom == rdom);
+    return ( currd->xsm_roles & SILO_ALLOWED_ROLES ||
+            ldom->xsm_roles & SILO_ALLOWED_ROLES ||
+            rdom->xsm_roles & SILO_ALLOWED_ROLES ||
+            ldom == rdom );
 }
 
 static int silo_evtchn_unbound(struct domain *d1, struct evtchn *chn,
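Review bot: The new return expression in silo_mode_dom_check mixes `&` and `||` with no grouping, so a reader has to rely on operator precedence to see that each operand is a mask test; write each one as `(currd->xsm_roles & SILO_ALLOWED_ROLES) ||`. The comment above the function still only says it checks whether inter-domain communication is allowed, which no longer tells a reader which domains are exempt from isolation. I would extend it to something like `/* Passes when the caller or either endpoint holds a role in SILO_ALLOWED_ROLES, or when both endpoints are the same domain. */`. The function's signature starts outside this hunk.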
@@ -44,7 +48,7 @@  static int silo_evtchn_unbound(struct domain *d1, struct evtchn *chn,
     else
     {
         if ( silo_mode_dom_check(d1, d2) )
-            rc = xsm_evtchn_unbound(d1, chn, id2);
+            rc = xsm_validate_role(TARGET_PRIVS, current->domain, d1);
         rcu_unlock_domain(d2);
     }
 
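Review bot: The replacement call in silo_evtchn_unbound, `xsm_validate_role(TARGET_PRIVS, current->domain, d1)`, open-codes a privilege class and a source/target pair that the removed `xsm_evtchn_unbound(d1, chn, id2)` wrapper used to choose, and nothing at the call site says why these were picked. If the intent is to mirror the default policy for this hook, a comment such as `/* Same requirement as the default evtchn_unbound check: the caller needs target privileges over d1. */` would keep the two from drifting apart silently. `TARGET_PRIVS` also lacks the `XSM_` prefix that `XSM_NONE` carries in the later hunks; its definition is not on this page, so please confirm the name is intended. The function begins and ends outside this hunk.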
@@ -55,7 +59,7 @@  static int silo_evtchn_interdomain(struct domain *d1, struct evtchn *chan1,
                                    struct domain *d2, struct evtchn *chan2)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_evtchn_interdomain(d1, chan1, d2, chan2);
+        return xsm_validate_role(XSM_NONE, d1, d2);
     return -EPERM;
 }
 
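Review bot: With this change silo_evtchn_interdomain has the same body as silo_grant_mapref, silo_grant_transfer and silo_grant_copy in the last hunk, and `chan1`, `chan2` and `flags` no longer reach any policy check. If `XSM_NONE` imposes no role requirement (inferred from the name, its definition is not shown here), the `xsm_validate_role` call always succeeds and the whole isolation decision rests on silo_mode_dom_check. That is worth stating once in a shared helper rather than repeating it four times. The helper below keeps the call exactly as the patch has it.

```c
/*
 * Common body for hooks whose only SILO requirement is the pair check;
 * the role validation uses XSM_NONE, so silo_mode_dom_check() is the
 * effective gate here.
 */
static int silo_pair_check(struct domain *d1, struct domain *d2)
{
    if ( silo_mode_dom_check(d1, d2) )
        return xsm_validate_role(XSM_NONE, d1, d2);
    return -EPERM;
}

static int silo_evtchn_interdomain(struct domain *d1, struct evtchn *chan1,
                                   struct domain *d2, struct evtchn *chan2)
{
    return silo_pair_check(d1, d2);
}
/* … unchanged signatures: silo_grant_mapref, silo_grant_transfer, silo_grant_copy return silo_pair_check(d1, d2) likewise … */
```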
@@ -63,21 +67,21 @@  static int silo_grant_mapref(struct domain *d1, struct domain *d2,
                              uint32_t flags)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_grant_mapref(d1, d2, flags);
+        return xsm_validate_role(XSM_NONE, d1, d2);
     return -EPERM;
 }
 
 static int silo_grant_transfer(struct domain *d1, struct domain *d2)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_grant_transfer(d1, d2);
+        return xsm_validate_role(XSM_NONE, d1, d2);
     return -EPERM;
 }
 
 static int silo_grant_copy(struct domain *d1, struct domain *d2)
 {
     if ( silo_mode_dom_check(d1, d2) )
-        return xsm_grant_copy(d1, d2);
+        return xsm_validate_role(XSM_NONE, d1, d2);
     return -EPERM;
 }