From patchwork Fri Apr 22 16:34:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Daniel P. Smith" X-Patchwork-Id: 12823750 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id BB908C433F5 for ; Fri, 22 Apr 2022 16:35:34 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.311090.528110 (Exim 4.92) (envelope-from ) id 1nhwFc-0002B4-0h; Fri, 22 Apr 2022 16:35:20 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 311090.528110; Fri, 22 Apr 2022 16:35:19 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nhwFb-0002At-U7; Fri, 22 Apr 2022 16:35:19 +0000 Received: by outflank-mailman (input) for mailman id 311090; Fri, 22 Apr 2022 16:35:18 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nhwFa-0001uU-L6 for xen-devel@lists.xenproject.org; Fri, 22 Apr 2022 16:35:18 +0000 Received: from sender4-of-o51.zoho.com (sender4-of-o51.zoho.com [136.143.188.51]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 30c786e5-c25a-11ec-a405-831a346695d4; Fri, 22 Apr 2022 18:35:17 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 1650645308059975.7777187133837; Fri, 22 Apr 2022 09:35:08 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 30c786e5-c25a-11ec-a405-831a346695d4 ARC-Seal: i=1; a=rsa-sha256; t=1650645309; cv=none; d=zohomail.com; s=zohoarc; b=Wi9eAHTruENQ2BlsCjVccyQsDV0ZKS4S1aL4JqYqM6Scc88jyrdCbz2FxjHiwHwkZtPAgJcNgn0tIiSqDhmunFS7o31gZAhlogtjuyWqn1h0G3qcRKewYTD0Z8VNyO9OSm13mXan6dSVa39d0tMrIHHQ+YuDufDt0Y3jpsFMd+0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1650645309; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=2wRiekjzxthLjBV/DEn0NzrOAnSgS0vwehjI3eBZqCQ=; b=GTE1Ktq4K9ZNItIEBcV695E3auAl3AxovU0Xd2W5k8Spk63yNzPKG4qF1fdnTl1+F9VHOS7FNmUgrvR3U0rG+WhmIUHUwySg5BexbYym25uaMQ5jsjp34BV4AYX6I440VI5f4DoTk+DP0fP5fPlsk9y5wVKxwdJsVce+PJ8w16U= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1650645309; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=2wRiekjzxthLjBV/DEn0NzrOAnSgS0vwehjI3eBZqCQ=; b=Ry198MmZN4nkqDEvUe5YPzKm3fU/7J+igfaqBpS+rpDZGrr2f0ParuMRvHmG6eus GuqtQ9Pu2Ebo4vJGqGvCMZnirrgWs5C/Y8m5iKwRNH+q2zQWQ8gqz+IlBmjsayVMm81 l9e067rQ40Qs0E/WjbrY7ZTs0qYaR2mnvMvtoMmw= From: "Daniel P. Smith" To: xen-devel@lists.xenproject.org, Volodymyr Babchuk , Wei Liu , "Daniel P. Smith" Cc: scott.davis@starlab.io, jandryuk@gmail.com, Stefano Stabellini , Julien Grall , Bertrand Marquis , Jan Beulich , Andrew Cooper , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , George Dunlap , Dario Faggioli , Daniel De Graaf Subject: [PATCH v3 1/2] xsm: create idle domain privileged and demote after setup Date: Fri, 22 Apr 2022 12:34:57 -0400 Message-Id: <20220422163458.30170-2-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20220422163458.30170-1-dpsmith@apertussolutions.com> References: <20220422163458.30170-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 X-ZohoMailClient: External There are now instances where internal hypervisor logic needs to make resource allocation calls that are protected by XSM checks. The internal hypervisor logic is represented a number of system domains which by designed are represented by non-privileged struct domain instances. To enable these logic blocks to function correctly but in a controlled manner, this commit changes the idle domain to be created as a privileged domain under the default policy, which is inherited by the SILO policy, and demoted before transitioning to running. A new XSM hook, xsm_set_system_active, is introduced to allow each XSM policy type to demote the idle domain appropriately for that policy type. For flask a stub is added to ensure that flask policy system will function correctly with this patch until flask is extended with support for starting the idle domain privileged and properly demoting it on the call to xsm_set_system_active. Signed-off-by: Daniel P. Smith Reviewed-by: Jason Andryuk --- xen/arch/arm/setup.c | 3 +++ xen/arch/x86/setup.c | 3 +++ xen/common/sched/core.c | 7 ++++++- xen/include/xsm/dummy.h | 17 +++++++++++++++++ xen/include/xsm/xsm.h | 6 ++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 21 +++++++++++++++++++++ 7 files changed, 57 insertions(+), 1 deletion(-) diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c index d5d0792ed4..e71fa3f860 100644 --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -1048,6 +1048,9 @@ void __init start_xen(unsigned long boot_phys_offset, /* Hide UART from DOM0 if we're using it */ serial_endboot(); + if ( xsm_set_system_active() != 0) + panic("xsm: unable to set hypervisor to SYSTEM_ACTIVE privilege\n"); + system_state = SYS_STATE_active; for_each_domain( d ) diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 6f20e17892..a3ce288ef9 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -621,6 +621,9 @@ static void noreturn init_done(void) void *va; unsigned long start, end; + if ( xsm_set_system_active() != 0) + panic("xsm: unable to set hypervisor to SYSTEM_ACTIVE privilege\n"); + system_state = SYS_STATE_active; domain_unpause_by_systemcontroller(dom0); diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 19ab678181..22a619e260 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -3021,7 +3021,12 @@ void __init scheduler_init(void) sched_ratelimit_us = SCHED_DEFAULT_RATELIMIT_US; } - idle_domain = domain_create(DOMID_IDLE, NULL, 0); + /* + * idle dom is created privileged to ensure unrestricted access during + * setup and will be demoted by xsm_transition_running when setup is + * complete + */ + idle_domain = domain_create(DOMID_IDLE, NULL, CDF_privileged); BUG_ON(IS_ERR(idle_domain)); BUG_ON(nr_cpu_ids > ARRAY_SIZE(idle_vcpu)); idle_domain->vcpu = idle_vcpu; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 58afc1d589..3291fb5396 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -101,6 +101,23 @@ static always_inline int xsm_default_action( } } +static XSM_INLINE int cf_check xsm_set_system_active(void) +{ + struct domain *d = current->domain; + + ASSERT(d->is_privileged); + + if ( d->domain_id != DOMID_IDLE ) + { + printk("xsm_set_system_active: should only be called by idle domain\n"); + return -EPERM; + } + + d->is_privileged = false; + + return 0; +} + static XSM_INLINE void cf_check xsm_security_domaininfo( struct domain *d, struct xen_domctl_getdomaininfo *info) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 3e2b7fe3db..8dad03fd3d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -52,6 +52,7 @@ typedef enum xsm_default xsm_default_t; * !!! WARNING !!! */ struct xsm_ops { + int (*set_system_active)(void); void (*security_domaininfo)(struct domain *d, struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); @@ -208,6 +209,11 @@ extern struct xsm_ops xsm_ops; #ifndef XSM_NO_WRAPPERS +static inline int xsm_set_system_active(void) +{ + return alternative_call(xsm_ops.set_system_active); +} + static inline void xsm_security_domaininfo( struct domain *d, struct xen_domctl_getdomaininfo *info) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 8c044ef615..e6ffa948f7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -14,6 +14,7 @@ #include static const struct xsm_ops __initconst_cf_clobber dummy_ops = { + .set_system_active = xsm_set_system_active, .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 0bf63ffa84..8a62de2fd6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -186,6 +186,26 @@ static int cf_check flask_domain_alloc_security(struct domain *d) return 0; } +static int cf_check flask_set_system_active(void) +{ + struct domain *d = current->domain; + + if ( d->domain_id != DOMID_IDLE ) + { + printk("xsm_set_system_active should only be called by idle domain\n"); + return -EPERM; + } + + /* + * While is_privileged has no significant meaning under flask, set to false + * as there are times in hypervisor code privilege checks check this + * directly instead of going through XSM. + */ + d->is_privileged = false; + + return 0; +} + static void cf_check flask_domain_free_security(struct domain *d) { struct domain_security_struct *dsec = d->ssid; @@ -1766,6 +1786,7 @@ static int cf_check flask_argo_send( #endif static const struct xsm_ops __initconst_cf_clobber flask_ops = { + .set_system_active = flask_set_system_active, .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, From patchwork Fri Apr 22 16:34:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Daniel P. Smith" X-Patchwork-Id: 12823751 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 2AAFFC433F5 for ; Fri, 22 Apr 2022 16:35:53 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.311092.528121 (Exim 4.92) (envelope-from ) id 1nhwFy-0002nc-EB; Fri, 22 Apr 2022 16:35:42 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 311092.528121; Fri, 22 Apr 2022 16:35:42 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nhwFy-0002nV-Ar; Fri, 22 Apr 2022 16:35:42 +0000 Received: by outflank-mailman (input) for mailman id 311092; Fri, 22 Apr 2022 16:35:41 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nhwFx-0001uU-Kf for xen-devel@lists.xenproject.org; Fri, 22 Apr 2022 16:35:41 +0000 Received: from sender4-of-o51.zoho.com (sender4-of-o51.zoho.com [136.143.188.51]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 3e8b4b10-c25a-11ec-a405-831a346695d4; Fri, 22 Apr 2022 18:35:40 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 165064530941963.43325690543736; Fri, 22 Apr 2022 09:35:09 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 3e8b4b10-c25a-11ec-a405-831a346695d4 ARC-Seal: i=1; a=rsa-sha256; t=1650645311; cv=none; d=zohomail.com; s=zohoarc; b=oLqbNKpiqPiNQ5j07LT6UG3ZTC//M5oxdfEs5UvLbxSlQjl/QmPGVn7x17J7YcZ4uYwXcgnKQ3QKCTcINEtX8br2nxFETxZmwPabqaRD2FoLpANavOsFjw2tBs5Zee/sawySkdIau4Rb6NUNedlCNksXDAiLszEgcoTlgoTr21Y= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1650645311; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=dIZZxXRju0ki+6zOp/C2v1mFoGOokA/bwLqQioVO/ao=; b=LNdTzGeBakQRjAxgPyWXmKoJV8W9NR7oFbczw3nyNXg8MNIR4HrC+wFVWzW62Pf4CWb2VnVM5L6mlglj9Dz9QqWc/Rdq8W6xWT/+F4X4z3DfCzVEyaM6E8eDhP02YSgBFqsFWBXhV2GU83uvOKtyk5z74CNMPmcqP87fT1CpwV8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1650645311; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=dIZZxXRju0ki+6zOp/C2v1mFoGOokA/bwLqQioVO/ao=; b=DoZFpJylZ1DiowysRvd+6VMTpUxbM48G+WXVH6fPXb2hmGCRLqs3xfeT4qGFkY/5 IIZ0H/zHXC76tko7sIK3c8UQev7+FoXp81Is5FqQV/8b+5SQ0hY1BDsnip8TD2mUBHf /VTmilRwLCwSLQKS94VgtcFckHUHeatJdnGJjliU= From: "Daniel P. Smith" To: xen-devel@lists.xenproject.org, "Daniel P. Smith" Cc: scott.davis@starlab.io, jandryuk@gmail.com, Daniel De Graaf , Wei Liu , Anthony PERARD Subject: [PATCH v3 2/2] flask: implement xsm_set_system_active Date: Fri, 22 Apr 2022 12:34:58 -0400 Message-Id: <20220422163458.30170-3-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20220422163458.30170-1-dpsmith@apertussolutions.com> References: <20220422163458.30170-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 X-ZohoMailClient: External This commit implements full support for starting the idle domain privileged by introducing a new flask label xenboot_t which the idle domain is labeled with at creation. It then provides the implementation for the XSM hook xsm_set_system_active to relabel the idle domain to the existing xen_t flask label. In the reference flask policy a new macro, xen_build_domain(target), is introduced for creating policies for dom0less/hyperlaunch allowing the hypervisor to create and assign the necessary resources for domain construction. Signed-off-by: Daniel P. Smith Reviewed-by: Jason Andryuk --- tools/flask/policy/modules/xen.if | 6 ++++++ tools/flask/policy/modules/xen.te | 1 + tools/flask/policy/policy/initial_sids | 1 + xen/xsm/flask/hooks.c | 8 +++++++- xen/xsm/flask/policy/initial_sids | 1 + 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 5e2aa472b6..4ec676fff1 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -62,6 +62,12 @@ define(`create_domain_common', ` setparam altp2mhvm altp2mhvm_op dm }; ') +# xen_build_domain(target) +# Allow a domain to be created at boot by the hypervisor +define(`xen_build_domain', ` + allow xenboot_t $1_channel:event create; +') + # create_domain(priv, target) # Allow a domain to be created directly define(`create_domain', ` diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te index 3dbf93d2b8..de98206fdd 100644 --- a/tools/flask/policy/modules/xen.te +++ b/tools/flask/policy/modules/xen.te @@ -24,6 +24,7 @@ attribute mls_priv; ################################################################################ # The hypervisor itself +type xenboot_t, xen_type, mls_priv; type xen_t, xen_type, mls_priv; # Domain 0 diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids index 6b7b7eff21..ec729d3ba3 100644 --- a/tools/flask/policy/policy/initial_sids +++ b/tools/flask/policy/policy/initial_sids @@ -2,6 +2,7 @@ # objects created before the policy is loaded or for objects that do not have a # label defined in some other manner. +sid xenboot gen_context(system_u:system_r:xenboot_t,s0) sid xen gen_context(system_u:system_r:xen_t,s0) sid dom0 gen_context(system_u:system_r:dom0_t,s0) sid domxen gen_context(system_u:system_r:domxen_t,s0) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8a62de2fd6..4732ca4019 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct domain *d) switch ( d->domain_id ) { case DOMID_IDLE: - dsec->sid = SECINITSID_XEN; + dsec->sid = SECINITSID_XENBOOT; break; case DOMID_XEN: dsec->sid = SECINITSID_DOMXEN; @@ -188,8 +188,12 @@ static int cf_check flask_domain_alloc_security(struct domain *d) static int cf_check flask_set_system_active(void) { + struct domain_security_struct *dsec; struct domain *d = current->domain; + dsec = d->ssid; + ASSERT( dsec->sid == SECINITSID_XENBOOT); + if ( d->domain_id != DOMID_IDLE ) { printk("xsm_set_system_active should only be called by idle domain\n"); @@ -203,6 +207,8 @@ static int cf_check flask_set_system_active(void) */ d->is_privileged = false; + dsec->self_sid = dsec->sid = SECINITSID_XEN; + return 0; } diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids index 7eca70d339..e8b55b8368 100644 --- a/xen/xsm/flask/policy/initial_sids +++ b/xen/xsm/flask/policy/initial_sids @@ -3,6 +3,7 @@ # # Define initial security identifiers # +sid xenboot sid xen sid dom0 sid domio