ia64/xen-unstable

changeset 15815:96f64f4c42f0

Xen Security Modules: XSM
Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
author kfraser@localhost.localdomain
date Fri Aug 31 11:21:35 2007 +0100 (2007-08-31)
parents 0f196e11a143
children 6c8c934b235c
files Config.mk xen/Makefile xen/Rules.mk xen/arch/x86/domctl.c xen/arch/x86/hvm/hvm.c xen/arch/x86/mm.c xen/arch/x86/mm/paging.c xen/arch/x86/physdev.c xen/arch/x86/platform_hypercall.c xen/arch/x86/setup.c xen/arch/x86/sysctl.c xen/arch/x86/x86_32/entry.S xen/arch/x86/x86_32/xen.lds.S xen/arch/x86/x86_64/entry.S xen/common/domain.c xen/common/domctl.c xen/common/event_channel.c xen/common/grant_table.c xen/common/kexec.c xen/common/memory.c xen/common/schedule.c xen/common/sysctl.c xen/common/xenoprof.c xen/drivers/char/console.c xen/include/public/xen.h xen/include/xen/hypercall.h xen/include/xsm/xsm.h xen/xsm/Makefile xen/xsm/dummy.c xen/xsm/xsm_core.c xen/xsm/xsm_policy.c
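--- a/Config.mk	Fri Aug 31 11:12:57 2007 +0100
+++ b/Config.mk	Fri Aug 31 11:21:35 2007 +0100
@@ -78,10 +78,12 @@ CFLAGS     += $(call cc-option,$(CC),-Wd
 LDFLAGS += $(foreach i, $(EXTRA_LIB), -L$(i)) 
 CFLAGS += $(foreach i, $(EXTRA_INCLUDES), -I$(i))
 
+# Enable XSM security module.  Enabling XSM requires selection of an 
+# XSM security module.
+XSM_ENABLE ?= n
+
 # If ACM_SECURITY = y, then the access control module is compiled
 # into Xen and the policy type can be set by the boot policy file
-#        y - Build the Xen ACM framework
-#        n - Do not build the Xen ACM framework
 ACM_SECURITY ?= n
 
 # Optional components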
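Review bot: The new `XSM_ENABLE` comment says a security module has to be selected but not how, and it lists no accepted values, while the same hunk deletes the `y`/`n` legend that documented `ACM_SECURITY`. A legend in the style of the deleted one would help, e.g. `#        y - Build Xen with -DXSM_ENABLE` and `#        n - Do not define XSM_ENABLE`. Dropping the ACM legend looks unrelated to adding XSM, so I would keep those two lines.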
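--- a/xen/Makefile	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/Makefile	Fri Aug 31 11:21:35 2007 +0100
@@ -56,6 +56,7 @@ build install debug clean distclean csco
 	$(MAKE) -f $(BASEDIR)/Rules.mk -C common clean
 	$(MAKE) -f $(BASEDIR)/Rules.mk -C drivers clean
 	$(MAKE) -f $(BASEDIR)/Rules.mk -C acm clean
+	$(MAKE) -f $(BASEDIR)/Rules.mk -C xsm clean
 	$(MAKE) -f $(BASEDIR)/Rules.mk -C arch/$(TARGET_ARCH) clean
 	rm -f include/asm *.o $(TARGET)* *~ core
 	rm -f include/asm-*/asm-offsets.h
@@ -122,7 +123,7 @@ include/asm-$(TARGET_ARCH)/asm-offsets.h
 build-headers:
 	$(MAKE) -C include/public/foreign
 
-SUBDIRS = acm arch/$(TARGET_ARCH) common drivers 
+SUBDIRS = xsm acm arch/$(TARGET_ARCH) common drivers
 define all_sources
     ( find include/asm-$(TARGET_ARCH) -name '*.h' -print; \
       find include -name 'asm-*' -prune -o -name '*.h' -print; \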
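--- a/xen/Rules.mk	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/Rules.mk	Fri Aug 31 11:21:35 2007 +0100
@@ -52,10 +52,12 @@ HDRS  := $(filter-out %/asm-offsets.h,$(
 # Note that link order matters!
 ALL_OBJS-y               += $(BASEDIR)/common/built_in.o
 ALL_OBJS-y               += $(BASEDIR)/drivers/built_in.o
+ALL_OBJS-y               += $(BASEDIR)/xsm/built_in.o
 ALL_OBJS-$(ACM_SECURITY) += $(BASEDIR)/acm/built_in.o
 ALL_OBJS-y               += $(BASEDIR)/arch/$(TARGET_ARCH)/built_in.o
 
 CFLAGS-y                += -g -D__XEN__
+CFLAGS-$(XSM_ENABLE)    += -DXSM_ENABLE
 CFLAGS-$(ACM_SECURITY)  += -DACM_SECURITY
 CFLAGS-$(verbose)       += -DVERBOSE
 CFLAGS-$(crash_debug)   += -DCRASH_DEBUG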
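Review bot: `$(BASEDIR)/xsm/built_in.o` is added under `ALL_OBJS-y`, so the xsm directory is always linked, while `-DXSM_ENABLE` a few lines below is conditional on `XSM_ENABLE` and the ACM object right beneath is conditional on `ACM_SECURITY`. If the asymmetry is intentional (presumably so the hook entry points and `do_xsm_op` always resolve), a comment would stop someone from "fixing" it later, e.g. `# xsm/ is linked unconditionally; XSM_ENABLE only adds -DXSM_ENABLE below`. Since the list is headed "Note that link order matters!", it is also worth saying why xsm sits between drivers and acm.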
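--- a/xen/arch/x86/domctl.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/domctl.c	Fri Aug 31 11:21:35 2007 +0100
@@ -24,6 +24,7 @@
 #include <asm/hvm/hvm.h>
 #include <asm/hvm/support.h>
 #include <asm/processor.h>
+#include <xsm/xsm.h>
 
 long arch_do_domctl(
     struct xen_domctl *domctl,
@@ -64,6 +65,14 @@ long arch_do_domctl(
         if ( unlikely((d = rcu_lock_domain_by_id(domctl->domain)) == NULL) )
             break;
 
+        ret = xsm_ioport_permission(d, fp, 
+                                    domctl->u.ioport_permission.allow_access);
+        if ( ret )
+        {
+            rcu_unlock_domain(d);
+            break;
+        }
+
         if ( np == 0 )
             ret = 0;
         else if ( domctl->u.ioport_permission.allow_access )
@@ -90,6 +99,13 @@ long arch_do_domctl(
 
         page = mfn_to_page(mfn);
 
+        ret = xsm_getpageframeinfo(page);
+        if ( ret )
+        {
+            rcu_unlock_domain(d);
+            break;
+        }
+
         if ( likely(get_page(page, d)) )
         {
             ret = 0;
@@ -173,6 +189,10 @@ long arch_do_domctl(
 
                 page = mfn_to_page(mfn);
 
+                ret = xsm_getpageframeinfo(page);
+                if ( ret )
+                    continue;
+
                 if ( likely(mfn_valid(mfn) && get_page(page, d)) ) 
                 {
                     unsigned long type = 0;
@@ -230,6 +250,13 @@ long arch_do_domctl(
         ret = -EINVAL;
         if ( d != NULL )
         {
+            ret = xsm_getmemlist(d);
+            if ( ret )
+            {
+                rcu_unlock_domain(d);
+                break;
+            }
+
             ret = 0;
 
             spin_lock(&d->page_alloc_lock);
@@ -269,6 +296,13 @@ long arch_do_domctl(
         if ( unlikely(d == NULL) )
             break;
 
+        ret = xsm_hypercall_init(d);
+        if ( ret )
+        {
+            rcu_unlock_domain(d);
+            break;
+        }
+
         mfn = gmfn_to_mfn(d, gmfn);
 
         ret = -EACCES;
@@ -304,6 +338,10 @@ long arch_do_domctl(
         if ( (d = rcu_lock_domain_by_id(domctl->domain)) == NULL )
             break;
 
+        ret = xsm_hvmcontext(d, domctl->cmd);
+        if ( ret )
+            goto sethvmcontext_out;
+
         ret = -EINVAL;
         if ( !is_hvm_domain(d) ) 
             goto sethvmcontext_out;
@@ -337,6 +375,10 @@ long arch_do_domctl(
         if ( (d = rcu_lock_domain_by_id(domctl->domain)) == NULL )
             break;
 
+        ret = xsm_hvmcontext(d, domctl->cmd);
+        if ( ret )
+            goto gethvmcontext_out;
+
         ret = -EINVAL;
         if ( !is_hvm_domain(d) ) 
             goto gethvmcontext_out;
@@ -390,6 +432,13 @@ long arch_do_domctl(
         if ( (d = rcu_lock_domain_by_id(domctl->domain)) == NULL )
             break;
 
+        ret = xsm_address_size(d, domctl->cmd);
+        if ( ret )
+        {
+            rcu_unlock_domain(d);
+            break;
+        }
+
         switch ( domctl->u.address_size.size )
         {
 #ifdef CONFIG_COMPAT
@@ -417,6 +466,13 @@ long arch_do_domctl(
         if ( (d = rcu_lock_domain_by_id(domctl->domain)) == NULL )
             break;
 
+        ret = xsm_address_size(d, domctl->cmd);
+        if ( ret )
+        {
+            rcu_unlock_domain(d);
+            break;
+        }
+
         domctl->u.address_size.size = BITS_PER_GUEST_LONG(d);
 
         ret = 0;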
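Review bot: In the `@@ -173,6 +189,10 @@` hunk `xsm_getpageframeinfo(page)` is called on `mfn_to_page(mfn)` before the existing `mfn_valid(mfn)` test on the next line, so the hook is handed a frame-table pointer computed from a caller-supplied MFN that has not been validated yet; if a module dereferences `page` (the hook bodies are not in this view) that is an out-of-range read inside the hypervisor. I would gate the call, e.g. `if ( mfn_valid(mfn) && xsm_getpageframeinfo(page) ) continue;`, or move it inside the `mfn_valid(mfn) && get_page(page, d)` branch. The `continue` also bypasses whatever the loop does for frames it rejects and leaves the hook's error in `ret`; both effects depend on code outside the hunk and should be checked. The single-frame hunk at `@@ -90,6 +99,13 @@` has the same call shape, with any `mfn_valid` test outside the visible lines.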
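--- a/xen/arch/x86/hvm/hvm.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/hvm/hvm.c	Fri Aug 31 11:21:35 2007 +0100
@@ -1069,6 +1069,10 @@ static int hvmop_set_pci_intx_level(
     if ( !is_hvm_domain(d) )
         goto out;
 
+    rc = xsm_hvm_set_pci_intx_level(d);
+    if ( rc )
+        goto out;
+
     rc = 0;
     switch ( op.level )
     {
@@ -1112,6 +1116,10 @@ static int hvmop_set_isa_irq_level(
     if ( !is_hvm_domain(d) )
         goto out;
 
+    rc = xsm_hvm_set_isa_irq_level(d);
+    if ( rc )
+        goto out;
+
     rc = 0;
     switch ( op.level )
     {
@@ -1155,6 +1163,10 @@ static int hvmop_set_pci_link_route(
     if ( !is_hvm_domain(d) )
         goto out;
 
+    rc = xsm_hvm_set_pci_link_route(d);
+    if ( rc )
+        goto out;
+
     rc = 0;
     hvm_set_pci_link_route(d, op.link, op.isa_irq);
 
@@ -1204,6 +1216,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
         if ( !is_hvm_domain(d) )
             goto param_fail;
 
+        rc = xsm_hvm_param(d, op);
+        if ( rc )
+            goto param_fail;
+
         if ( op == HVMOP_set_param )
         {
             switch ( a.index )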
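--- a/xen/arch/x86/mm.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/mm.c	Fri Aug 31 11:21:35 2007 +0100
@@ -110,6 +110,7 @@
 #include <asm/hypercall.h>
 #include <asm/shared.h>
 #include <public/memory.h>
+#include <xsm/xsm.h>
 
 #define MEM_LOG(_f, _a...) gdprintk(XENLOG_WARNING , _f "\n" , ## _a)
 
@@ -2048,6 +2049,10 @@ int do_mmuext_op(
             type = PGT_l4_page_table;
 
         pin_page:
+            rc = xsm_memory_pin_page(current->domain, page);
+            if ( rc )
+                break;
+
             /* Ignore pinning of invalid paging levels. */
             if ( (op.cmd - MMUEXT_PIN_L1_TABLE) > (CONFIG_PAGING_LEVELS - 1) )
                 break;
@@ -2334,6 +2339,10 @@ int do_mmu_update(
              */
         case MMU_NORMAL_PT_UPDATE:
 
+            rc = xsm_mmu_normal_update(current->domain, req.val);
+            if ( rc )
+                break;
+
             gmfn = req.ptr >> PAGE_SHIFT;
             mfn = gmfn_to_mfn(d, gmfn);
 
@@ -2424,6 +2433,10 @@ int do_mmu_update(
             mfn = req.ptr >> PAGE_SHIFT;
             gpfn = req.val;
 
+            rc = xsm_mmu_machphys_update(current->domain, mfn);
+            if ( rc )
+                break;
+
             if ( unlikely(!get_page_from_pagenr(mfn, FOREIGNDOM)) )
             {
                 MEM_LOG("Could not get page for mach->phys update");
@@ -2802,6 +2815,10 @@ int do_update_va_mapping(unsigned long v
     if ( unlikely(!__addr_ok(va) && !paging_mode_external(d)) )
         return -EINVAL;
 
+    rc = xsm_update_va_mapping(current->domain, val);
+    if ( rc )
+        return rc;
+
     LOCK_BIGLOCK(d);
 
     pl1e = guest_map_l1e(v, va, &gl1mfn);
@@ -3063,6 +3080,12 @@ long arch_memory_op(int op, XEN_GUEST_HA
         else if ( (d = rcu_lock_domain_by_id(xatp.domid)) == NULL )
             return -ESRCH;
 
+        if ( xsm_add_to_physmap(current->domain, d) )
+        {
+            rcu_unlock_domain(d);
+            return -EPERM;
+        }
+
         switch ( xatp.space )
         {
         case XENMAPSPACE_shared_info:
@@ -3139,6 +3162,13 @@ long arch_memory_op(int op, XEN_GUEST_HA
         else if ( (d = rcu_lock_domain_by_id(fmap.domid)) == NULL )
             return -ESRCH;
 
+        rc = xsm_domain_memory_map(d);
+        if ( rc )
+        {
+            rcu_unlock_domain(d);
+            return rc;
+        }
+
         rc = copy_from_guest(d->arch.e820, fmap.map.buffer,
                              fmap.map.nr_entries) ? -EFAULT : 0;
         d->arch.nr_e820 = fmap.map.nr_entries;
@@ -3172,10 +3202,15 @@ long arch_memory_op(int op, XEN_GUEST_HA
         struct xen_memory_map memmap;
         XEN_GUEST_HANDLE(e820entry_t) buffer;
         int count;
+        int rc;
 
         if ( !IS_PRIV(current->domain) )
             return -EINVAL;
 
+        rc = xsm_machine_memory_map();
+        if ( rc )
+            return rc;
+
         if ( copy_from_guest(&memmap, arg, 1) )
             return -EFAULT;
         if ( memmap.nr_entries < e820.nr_map + 1 )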
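Review bot: The `xsm_add_to_physmap` check in the `@@ -3063,6 +3080,12 @@` hunk discards the hook's return value and returns a hard-coded `-EPERM`, whereas every other hook added to this file propagates `rc`, so a module cannot report any other error for this operation. I would write it like the neighbouring `xsm_domain_memory_map` hunk: `rc = xsm_add_to_physmap(current->domain, d);` followed by `if ( rc ) { rcu_unlock_domain(d); return rc; }` (whether `rc` is already declared in that case block is outside the hunk). Separately, the `break` after a denial in `do_mmuext_op` and `do_mmu_update` only leaves the inner `switch`; whether the batch loop then stops and which error code reaches the caller is decided by code outside these hunks and should be confirmed.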
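--- a/xen/arch/x86/mm/paging.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/mm/paging.c	Fri Aug 31 11:21:35 2007 +0100
@@ -26,6 +26,7 @@
 #include <asm/p2m.h>
 #include <asm/hap.h>
 #include <asm/guest_access.h>
+#include <xsm/xsm.h>
 
 /* Xen command-line option to enable hardware-assisted paging */
 int opt_hap_enabled;
@@ -402,6 +403,10 @@ int paging_domctl(struct domain *d, xen_
         return -EINVAL;
     }
 
+    rc = xsm_shadow_control(d, sc->op);
+    if ( rc )
+        return rc;
+
     /* Code to handle log-dirty. Note that some log dirty operations
      * piggy-back on shadow operations. For example, when
      * XEN_DOMCTL_SHADOW_OP_OFF is called, it first checks whether log dirty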
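--- a/xen/arch/x86/physdev.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/physdev.c	Fri Aug 31 11:21:35 2007 +0100
@@ -12,6 +12,7 @@
 #include <asm/hypercall.h>
 #include <public/xen.h>
 #include <public/physdev.h>
+#include <xsm/xsm.h>
 
 #ifndef COMPAT
 typedef long ret_t;
@@ -73,6 +74,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
         ret = -EPERM;
         if ( !IS_PRIV(v->domain) )
             break;
+        ret = xsm_apic(v->domain, cmd);
+        if ( ret )
+            break;
         ret = ioapic_guest_read(apic.apic_physbase, apic.reg, &apic.value);
         if ( copy_to_guest(arg, &apic, 1) != 0 )
             ret = -EFAULT;
@@ -87,6 +91,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
         ret = -EPERM;
         if ( !IS_PRIV(v->domain) )
             break;
+        ret = xsm_apic(v->domain, cmd);
+        if ( ret )
+            break;
         ret = ioapic_guest_write(apic.apic_physbase, apic.reg, apic.value);
         break;
     }
@@ -102,6 +109,10 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
         if ( !IS_PRIV(v->domain) )
             break;
 
+        ret = xsm_assign_vector(v->domain, irq_op.irq);
+        if ( ret )
+            break;
+
         irq = irq_op.irq;
         ret = -EINVAL;
         if ( (irq < 0) || (irq >= NR_IRQS) )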
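Review bot: `xsm_assign_vector(v->domain, irq_op.irq)` in the last hunk runs before the existing range check `(irq < 0) || (irq >= NR_IRQS)`, so the hook is handed a caller-supplied IRQ number that has not been bounded yet. The caller has already passed `IS_PRIV`, which limits exposure to the privileged domain, but a module that indexes per-IRQ state with the value (hook bodies are not visible here) would still read out of bounds. Moving the three added lines below the range check keeps the hook's input validated at no cost. The enclosing case of `do_physdev_op` starts and ends outside the hunk.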
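--- a/xen/arch/x86/platform_hypercall.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/platform_hypercall.c	Fri Aug 31 11:21:35 2007 +0100
@@ -24,6 +24,7 @@
 #include <asm/edd.h>
 #include <asm/mtrr.h>
 #include "cpu/mtrr/mtrr.h"
+#include <xsm/xsm.h>
 
 extern uint16_t boot_edid_caps;
 extern uint8_t boot_edid_info[];
@@ -59,6 +60,10 @@ ret_t do_platform_op(XEN_GUEST_HANDLE(xe
     {
     case XENPF_settime:
     {
+        ret = xsm_xen_settime();
+        if ( ret )
+            break;
+
         do_settime(op->u.settime.secs, 
                    op->u.settime.nsecs, 
                    op->u.settime.system_time);
@@ -68,6 +73,10 @@ ret_t do_platform_op(XEN_GUEST_HANDLE(xe
 
     case XENPF_add_memtype:
     {
+        ret = xsm_memtype(op->cmd);
+        if ( ret )
+            break;
+
         ret = mtrr_add_page(
             op->u.add_memtype.mfn,
             op->u.add_memtype.nr_mfns,
@@ -86,6 +95,10 @@ ret_t do_platform_op(XEN_GUEST_HANDLE(xe
 
     case XENPF_del_memtype:
     {
+        ret = xsm_memtype(op->cmd);
+        if ( ret )
+            break;
+
         if (op->u.del_memtype.handle == 0
             /* mtrr/main.c otherwise does a lookup */
             && (int)op->u.del_memtype.reg >= 0)
@@ -105,6 +118,10 @@ ret_t do_platform_op(XEN_GUEST_HANDLE(xe
         unsigned int  nr_mfns;
         mtrr_type     type;
 
+        ret = xsm_memtype(op->cmd);
+        if ( ret )
+            break;
+
         ret = -EINVAL;
         if ( op->u.read_memtype.reg < num_var_ranges )
         {
@@ -120,6 +137,11 @@ ret_t do_platform_op(XEN_GUEST_HANDLE(xe
     case XENPF_microcode_update:
     {
         extern int microcode_update(XEN_GUEST_HANDLE(void), unsigned long len);
+
+        ret = xsm_microcode();
+        if ( ret )
+            break;
+
 #ifndef COMPAT
         ret = microcode_update(op->u.microcode.data,
                                op->u.microcode.length);
@@ -136,6 +158,11 @@ ret_t do_platform_op(XEN_GUEST_HANDLE(xe
     {
         extern int opt_noirqbalance;
         int quirk_id = op->u.platform_quirk.quirk_id;
+
+        ret = xsm_platform_quirk(quirk_id);
+        if ( ret )
+            break;
+
         switch ( quirk_id )
         {
         case QUIRK_NOIRQBALANCING: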
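--- a/xen/arch/x86/setup.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/setup.c	Fri Aug 31 11:21:35 2007 +0100
@@ -35,6 +35,7 @@
 #include <acm/acm_hooks.h>
 #include <xen/kexec.h>
 #include <asm/edd.h>
+#include <xsm/xsm.h>
 
 #if defined(CONFIG_X86_64)
 #define BOOTSTRAP_DIRECTMAP_END (1UL << 32) /* 4GB */
@@ -963,6 +964,8 @@ void __init __start_xen(unsigned long mb
 
     percpu_init_areas();
 
+    xsm_init(&initrdidx, mbi, initial_images_start);
+
     init_idle_domain();
 
     trap_init();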
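Review bot: The result of `xsm_init(&initrdidx, mbi, initial_images_start)` is ignored, so if the function returns a status (its prototype is in xsm/xsm.h, outside this view) a failure to initialise the security framework or load its policy lets boot continue silently. For an access-control layer the failure behaviour should be explicit: either check it, e.g. `if ( xsm_init(&initrdidx, mbi, initial_images_start) ) panic("XSM initialisation failed\n");`, or add a comment stating that failures are handled inside `xsm_init` and what the resulting policy is. The call also takes `&initrdidx` by pointer, so it can presumably change which boot module is treated as the initrd; a one-line comment saying so would help the next reader of `__start_xen`, whose body continues outside the hunk.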
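--- a/xen/arch/x86/sysctl.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/sysctl.c	Fri Aug 31 11:21:35 2007 +0100
@@ -25,6 +25,7 @@
 #include <asm/processor.h>
 #include <asm/numa.h>
 #include <xen/nodemask.h>
+#include <xsm/xsm.h>
 
 #define get_xen_guest_handle(val, hnd)  do { val = (hnd).p; } while (0)
 
@@ -42,6 +43,10 @@ long arch_do_sysctl(
 
         xen_sysctl_physinfo_t *pi = &sysctl->u.physinfo;
 
+        ret = xsm_physinfo();
+        if ( ret )
+            break;
+
         pi->threads_per_core =
             cpus_weight(cpu_sibling_map[0]);
         pi->cores_per_socket =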
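--- a/xen/arch/x86/x86_32/entry.S	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/x86_32/entry.S	Fri Aug 31 11:21:35 2007 +0100
@@ -676,6 +676,7 @@ ENTRY(hypercall_table)
         .long do_sysctl             /* 35 */
         .long do_domctl
         .long do_kexec_op
+        .long do_xsm_op
         .rept NR_hypercalls-((.-hypercall_table)/4)
         .long do_ni_hypercall
         .endr
@@ -719,6 +720,7 @@ ENTRY(hypercall_args_table)
         .byte 1 /* do_sysctl            */  /* 35 */
         .byte 1 /* do_domctl            */
         .byte 2 /* do_kexec_op          */
+        .byte 1 /* do_xsm_op            */
         .rept NR_hypercalls-(.-hypercall_args_table)
         .byte 0 /* do_ni_hypercall      */
         .endr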
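--- a/xen/arch/x86/x86_32/xen.lds.S	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/x86_32/xen.lds.S	Fri Aug 31 11:21:35 2007 +0100
@@ -63,6 +63,8 @@ SECTIONS
   __initcall_start = .;
   .initcall.init : { *(.initcall1.init) } :text
   __initcall_end = .;
+   .xsm_initcall.init : { __xsm_initcall_start = .; 
+   *(.xsm_initcall.init) __xsm_initcall_end = .; }
   . = ALIGN(PAGE_SIZE);
   __init_end = .;
 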
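--- a/xen/arch/x86/x86_64/entry.S	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/arch/x86/x86_64/entry.S	Fri Aug 31 11:21:35 2007 +0100
@@ -612,6 +612,7 @@ ENTRY(hypercall_table)
         .quad do_sysctl             /* 35 */
         .quad do_domctl
         .quad do_kexec_op
+        .quad do_xsm_op
         .rept NR_hypercalls-((.-hypercall_table)/8)
         .quad do_ni_hypercall
         .endr
@@ -655,6 +656,7 @@ ENTRY(hypercall_args_table)
         .byte 1 /* do_sysctl            */  /* 35 */
         .byte 1 /* do_domctl            */
         .byte 2 /* do_kexec             */
+        .byte 1 /* do_xsm_op            */
         .rept NR_hypercalls-(.-hypercall_args_table)
         .byte 0 /* do_ni_hypercall      */
         .endr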
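--- a/xen/common/domain.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/common/domain.c	Fri Aug 31 11:21:35 2007 +0100
@@ -29,6 +29,7 @@
 #include <public/sched.h>
 #include <public/vcpu.h>
 #include <acm/acm_hooks.h>
+#include <xsm/xsm.h>
 
 /* Protect updates/reads (resp.) of domain_list and domain_hash. */
 DEFINE_SPINLOCK(domlist_update_lock);
@@ -57,6 +58,13 @@ struct domain *alloc_domain(domid_t domi
 
     memset(d, 0, sizeof(*d));
     d->domain_id = domid;
+
+    if ( xsm_alloc_security_domain(d) != 0 )
+    {
+        free_domain(d);
+        return NULL;
+    }
+
     atomic_set(&d->refcnt, 1);
     spin_lock_init(&d->big_lock);
     spin_lock_init(&d->page_alloc_lock);
@@ -69,6 +77,7 @@ struct domain *alloc_domain(domid_t domi
 
 void free_domain(struct domain *d)
 {
+    xsm_free_security_domain(d);
     xfree(d);
 }
 
@@ -193,6 +202,9 @@ struct domain *domain_create(
 
     if ( !is_idle_domain(d) )
     {
+        if ( xsm_domain_create(d, ssidref) != 0 )
+            goto fail;
+
         d->is_paused_by_controller = 1;
         atomic_inc(&d->pause_count);
 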
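Review bot: When `xsm_alloc_security_domain(d)` fails in `alloc_domain`, the error path calls `free_domain(d)`, which after this change first calls `xsm_free_security_domain(d)`, so the free hook runs on a domain whose security state was never, or only partly, allocated. That is safe only if every module's free hook tolerates that state; `d` has just been zeroed by `memset`, so a NULL check is presumably enough, but the hook bodies are outside this view. I would either call `xfree(d)` directly on that path or document the requirement on `free_domain`, e.g. `/* xsm_free_security_domain() must accept a domain with no security state. */`. In `domain_create` the hook's error code is dropped by `goto fail`, and that label is outside the hunk.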
    16.1 --- a/xen/common/domctl.c	Fri Aug 31 11:12:57 2007 +0100
    16.2 +++ b/xen/common/domctl.c	Fri Aug 31 11:21:35 2007 +0100
    16.3 @@ -24,6 +24,7 @@
    16.4  #include <asm/current.h>
    16.5  #include <public/domctl.h>
    16.6  #include <acm/acm_hooks.h>
    16.7 +#include <xsm/xsm.h>
    16.8  
    16.9  extern long arch_do_domctl(
   16.10      struct xen_domctl *op, XEN_GUEST_HANDLE(xen_domctl_t) u_domctl);
   16.11 @@ -127,7 +128,9 @@ void getdomaininfo(struct domain *d, str
   16.12          info->ssidref = ((struct acm_ssid_domain *)d->ssid)->ssidref;
   16.13      else    
   16.14          info->ssidref = ACM_DEFAULT_SSID;
   16.15 -    
   16.16 +
   16.17 +    xsm_security_domaininfo(d, info);
   16.18 +
   16.19      info->tot_pages         = d->tot_pages;
   16.20      info->max_pages         = d->max_pages;
   16.21      info->shared_info_frame = mfn_to_gmfn(d, __pa(d->shared_info)>>PAGE_SHIFT);
   16.22 @@ -204,6 +207,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
   16.23          if ( d == NULL )
   16.24              break;
   16.25  
   16.26 +        ret = xsm_setvcpucontext(d);
   16.27 +        if ( ret )
   16.28 +            goto svc_out;
   16.29 +
   16.30          ret = -EINVAL;
   16.31          if ( (vcpu >= MAX_VIRT_CPUS) || ((v = d->vcpu[vcpu]) == NULL) )
   16.32              goto svc_out;
   16.33 @@ -251,12 +258,17 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
   16.34          ret = -ESRCH;
   16.35          if ( d != NULL )
   16.36          {
   16.37 +            ret = xsm_pausedomain(d);
   16.38 +            if ( ret )
   16.39 +                goto pausedomain_out;
   16.40 +
   16.41              ret = -EINVAL;
   16.42              if ( d != current->domain )
   16.43              {
   16.44                  domain_pause_by_systemcontroller(d);
   16.45                  ret = 0;
   16.46              }
   16.47 +        pausedomain_out:
   16.48              rcu_unlock_domain(d);
   16.49          }
   16.50      }
   16.51 @@ -270,6 +282,13 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
   16.52          if ( d == NULL )
   16.53              break;
   16.54  
   16.55 +        ret = xsm_unpausedomain(d);
   16.56 +        if ( ret )
   16.57 +        {
   16.58 +            rcu_unlock_domain(d);
   16.59 +            break;
   16.60 +        }
   16.61 +
   16.62          domain_unpause_by_systemcontroller(d);
   16.63          rcu_unlock_domain(d);
   16.64          ret = 0;
   16.65 @@ -284,6 +303,13 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
   16.66          if ( d == NULL )
   16.67              break;
   16.68  
   16.69 +        ret = xsm_resumedomain(d);
   16.70 +        if ( ret )
   16.71 +        {
   16.72 +            rcu_unlock_domain(d);
   16.73 +            break;
   16.74 +        }
   16.75 +
   16.76          domain_resume(d);
   16.77          rcu_unlock_domain(d);
   16.78          ret = 0;
   16.79 @@ -359,6 +385,13 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
   16.80          if ( (d = rcu_lock_domain_by_id(op->domain)) == NULL )
   16.81              break;
   16.82  
   16.83 +        ret = xsm_max_vcpus(d);
   16.84 +        if ( ret )
   16.85 +        {
   16.86 +            rcu_unlock_domain(d);
   16.87 +            break;
   16.88 +        }
   16.89 +
   16.90          /* Needed, for example, to ensure writable p.t. state is synced. */
   16.91          domain_pause(d);
   16.92  
   16.93 @@ -395,12 +428,18 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
   16.94          ret = -ESRCH;
   16.95          if ( d != NULL )
   16.96          {
   16.97 +            ret = xsm_destroydomain(d);
   16.98 +            if ( ret )
   16.99 +                goto destroydomain_out;
  16.100 +
  16.101              ret = -EINVAL;
  16.102              if ( d != current->domain )
  16.103              {
  16.104                  domain_kill(d);
  16.105                  ret = 0;
  16.106              }
  16.107 +
  16.108 +        destroydomain_out:
  16.109              rcu_unlock_domain(d);
  16.110          }
  16.111      }
  16.112 @@ -418,6 +457,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.113          if ( d == NULL )
  16.114              break;
  16.115  
  16.116 +        ret = xsm_vcpuaffinity(op->cmd, d);
  16.117 +        if ( ret )
  16.118 +            goto vcpuaffinity_out;
  16.119 +
  16.120          ret = -EINVAL;
  16.121          if ( op->u.vcpuaffinity.vcpu >= MAX_VIRT_CPUS )
  16.122              goto vcpuaffinity_out;
  16.123 @@ -452,10 +495,15 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.124          if ( (d = rcu_lock_domain_by_id(op->domain)) == NULL )
  16.125              break;
  16.126  
  16.127 +        ret = xsm_scheduler(d);
  16.128 +        if ( ret )
  16.129 +            goto scheduler_op_out;
  16.130 +
  16.131          ret = sched_adjust(d, &op->u.scheduler_op);
  16.132          if ( copy_to_guest(u_domctl, op, 1) )
  16.133              ret = -EFAULT;
  16.134  
  16.135 +    scheduler_op_out:
  16.136          rcu_unlock_domain(d);
  16.137      }
  16.138      break;
  16.139 @@ -478,12 +526,17 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.140              break;
  16.141          }
  16.142  
  16.143 +        ret = xsm_getdomaininfo(d);
  16.144 +        if ( ret )
  16.145 +            goto getdomaininfo_out;
  16.146 +
  16.147          getdomaininfo(d, &op->u.getdomaininfo);
  16.148  
  16.149          op->domain = op->u.getdomaininfo.domain;
  16.150          if ( copy_to_guest(u_domctl, op, 1) )
  16.151              ret = -EFAULT;
  16.152  
  16.153 +    getdomaininfo_out:
  16.154          rcu_read_unlock(&domlist_read_lock);
  16.155      }
  16.156      break;
  16.157 @@ -498,6 +551,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.158          if ( (d = rcu_lock_domain_by_id(op->domain)) == NULL )
  16.159              break;
  16.160  
  16.161 +        ret = xsm_getvcpucontext(d);
  16.162 +        if ( ret )
  16.163 +            goto getvcpucontext_out;
  16.164 +
  16.165          ret = -EINVAL;
  16.166          if ( op->u.vcpucontext.vcpu >= MAX_VIRT_CPUS )
  16.167              goto getvcpucontext_out;
  16.168 @@ -554,6 +611,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.169          if ( (d = rcu_lock_domain_by_id(op->domain)) == NULL )
  16.170              break;
  16.171  
  16.172 +        ret = xsm_getvcpuinfo(d);
  16.173 +        if ( ret )
  16.174 +            goto getvcpuinfo_out;
  16.175 +
  16.176          ret = -EINVAL;
  16.177          if ( op->u.getvcpuinfo.vcpu >= MAX_VIRT_CPUS )
  16.178              goto getvcpuinfo_out;
  16.179 @@ -589,6 +650,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.180          if ( d == NULL )
  16.181              break;
  16.182  
  16.183 +        ret = xsm_setdomainmaxmem(d);
  16.184 +        if ( ret )
  16.185 +            goto max_mem_out;
  16.186 +
  16.187          ret = -EINVAL;
  16.188          new_max = op->u.max_mem.max_memkb >> (PAGE_SHIFT-10);
  16.189  
  16.190 @@ -603,6 +668,7 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.191          }
  16.192          spin_unlock(&d->page_alloc_lock);
  16.193  
  16.194 +    max_mem_out:
  16.195          rcu_unlock_domain(d);
  16.196      }
  16.197      break;
  16.198 @@ -616,6 +682,13 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.199          if ( d == NULL )
  16.200              break;
  16.201  
  16.202 +        ret = xsm_setdomainhandle(d);
  16.203 +        if ( ret )
  16.204 +        {
  16.205 +            rcu_unlock_domain(d);
  16.206 +            break;
  16.207 +        }
  16.208 +
  16.209          memcpy(d->handle, op->u.setdomainhandle.handle,
  16.210                 sizeof(xen_domain_handle_t));
  16.211          rcu_unlock_domain(d);
  16.212 @@ -632,6 +705,13 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.213          if ( d == NULL )
  16.214              break;
  16.215  
  16.216 +        ret = xsm_setdebugging(d);
  16.217 +        if ( ret )
  16.218 +        {
  16.219 +            rcu_unlock_domain(d);
  16.220 +            break;
  16.221 +        }
  16.222 +
  16.223          domain_pause(d);
  16.224          d->debugger_attached = !!op->u.setdebugging.enable;
  16.225          domain_unpause(d); /* causes guest to latch new status */
  16.226 @@ -654,11 +734,16 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.227          if ( d == NULL )
  16.228              break;
  16.229  
  16.230 +        ret = xsm_irq_permission(d, pirq, op->u.irq_permission.allow_access);
  16.231 +        if ( ret )
  16.232 +            goto irq_permission_out;
  16.233 +        
  16.234          if ( op->u.irq_permission.allow_access )
  16.235              ret = irq_permit_access(d, pirq);
  16.236          else
  16.237              ret = irq_deny_access(d, pirq);
  16.238  
  16.239 +    irq_permission_out:
  16.240          rcu_unlock_domain(d);
  16.241      }
  16.242      break;
  16.243 @@ -678,11 +763,16 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.244          if ( d == NULL )
  16.245              break;
  16.246  
  16.247 +        ret = xsm_iomem_permission(d, mfn, op->u.iomem_permission.allow_access);
  16.248 +        if ( ret )
  16.249 +            goto iomem_permission_out;
  16.250 +
  16.251          if ( op->u.iomem_permission.allow_access )
  16.252              ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1);
  16.253          else
  16.254              ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1);
  16.255  
  16.256 +    iomem_permission_out:
  16.257          rcu_unlock_domain(d);
  16.258      }
  16.259      break;
  16.260 @@ -695,6 +785,13 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
  16.261          d = rcu_lock_domain_by_id(op->domain);
  16.262          if ( d != NULL )
  16.263          {
  16.264 +            ret = xsm_domain_settime(d);
  16.265 +            if ( ret )
  16.266 +            {
  16.267 +                rcu_unlock_domain(d);
  16.268 +                break;
  16.269 +            }
  16.270 +
  16.271              d->time_offset_seconds = op->u.settimeoffset.time_offset_seconds;
  16.272              rcu_unlock_domain(d);
  16.273              ret = 0;
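--- a/xen/common/event_channel.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/common/event_channel.c	Fri Aug 31 11:21:35 2007 +0100
@@ -30,6 +30,7 @@
 #include <public/xen.h>
 #include <public/event_channel.h>
 #include <acm/acm_hooks.h>
+#include <xsm/xsm.h>
 
 #define bucket_from_port(d,p) \
     ((d)->evtchn[(p)/EVTCHNS_PER_BUCKET])
@@ -78,6 +79,7 @@ static int get_free_port(struct domain *
 {
     struct evtchn *chn;
     int            port;
+    int            i, j;
 
     if ( d->is_dying )
         return -EINVAL;
@@ -95,6 +97,19 @@ static int get_free_port(struct domain *
     memset(chn, 0, EVTCHNS_PER_BUCKET * sizeof(*chn));
     bucket_from_port(d, port) = chn;
 
+    for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
+    {
+        if ( xsm_alloc_security_evtchn(&chn[i]) )
+        {
+            for ( j = 0; j < i; j++ )
+            {
+                xsm_free_security_evtchn(&chn[j]);
+            }        
+            xfree(chn);
+            return -ENOMEM;
+        }
+    }
+
     return port;
 }
 
@@ -124,6 +139,10 @@ static long evtchn_alloc_unbound(evtchn_
         ERROR_EXIT(port);
     chn = evtchn_from_port(d, port);
 
+    rc = xsm_evtchn_unbound(d, chn, alloc->remote_dom);
+    if ( rc )
+        goto out;
+
     chn->state = ECS_UNBOUND;
     if ( (chn->u.unbound.remote_domid = alloc->remote_dom) == DOMID_SELF )
         chn->u.unbound.remote_domid = current->domain->domain_id;
@@ -180,6 +199,10 @@ static long evtchn_bind_interdomain(evtc
          (rchn->u.unbound.remote_domid != ld->domain_id) )
         ERROR_EXIT(-EINVAL);
 
+    rc = xsm_evtchn_interdomain(ld, lchn, rd, rchn);
+    if ( rc )
+        goto out;
+
     lchn->u.interdomain.remote_dom  = rd;
     lchn->u.interdomain.remote_port = (u16)rport;
     lchn->state                     = ECS_INTERDOMAIN;
@@ -422,6 +445,8 @@ static long __evtchn_close(struct domain
     chn1->state          = ECS_FREE;
     chn1->notify_vcpu_id = 0;
 
+    xsm_evtchn_close_post(chn1);
+
  out:
     if ( d2 != NULL )
     {
@@ -466,6 +491,10 @@ long evtchn_send(unsigned int lport)
         return -EINVAL;
     }
 
+    ret = xsm_evtchn_send(ld, lchn);
+    if ( ret )
+        goto out;
+
     switch ( lchn->state )
     {
     case ECS_INTERDOMAIN:
@@ -495,6 +524,7 @@ long evtchn_send(unsigned int lport)
         ret = -EINVAL;
     }
 
+out:
     spin_unlock(&ld->evtchn_lock);
 
     return ret;
@@ -613,6 +643,11 @@ static long evtchn_status(evtchn_status_
     }
 
     chn = evtchn_from_port(d, port);
+
+    rc = xsm_evtchn_status(d, chn);
+    if ( rc )
+        goto out;
+
     switch ( chn->state )
     {
     case ECS_FREE:
@@ -743,6 +778,7 @@ static long evtchn_reset(evtchn_reset_t 
     domid_t dom = r->dom;
     struct domain *d;
     int i;
+    int rc;
 
     if ( dom == DOMID_SELF )
         dom = current->domain->domain_id;
@@ -752,6 +788,13 @@ static long evtchn_reset(evtchn_reset_t 
     if ( (d = rcu_lock_domain_by_id(dom)) == NULL )
         return -ESRCH;
 
+    rc = xsm_evtchn_reset(current->domain, d);
+    if ( rc )
+    {
+        rcu_unlock_domain(d);
+        return rc;
+    }
+
     for ( i = 0; port_is_valid(d, i); i++ )
         (void)__evtchn_close(d, i);
 
@@ -969,7 +1012,10 @@ void evtchn_destroy(struct domain *d)
     /* Free all event-channel buckets. */
     spin_lock(&d->evtchn_lock);
     for ( i = 0; i < NR_EVTCHN_BUCKETS; i++ )
+    {
+        xsm_free_security_evtchn(d->evtchn[i]);
         xfree(d->evtchn[i]);
+    }
     spin_unlock(&d->evtchn_lock);
 }
 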
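Review bot: In get_free_port the new failure path calls `xfree(chn)` after the context line `bucket_from_port(d, port) = chn;` has already stored the bucket in the domain, so a failed `xsm_alloc_security_evtchn` leaves `d->evtchn[]` pointing at freed memory. The `xfree(d->evtchn[i])` in evtchn_destroy would later free that bucket a second time. Either run the allocation loop before the bucket is stored, or add `bucket_from_port(d, port) = NULL;` just before the `xfree(chn)`. Related to this, evtchn_destroy hands only the first channel of each bucket to `xsm_free_security_evtchn`, including slots that may never have been allocated, while get_free_port allocates a label for every channel in the bucket. The start of get_free_port is outside the hunk.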
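--- a/xen/common/grant_table.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/common/grant_table.c	Fri Aug 31 11:21:35 2007 +0100
@@ -33,6 +33,7 @@
 #include <xen/guest_access.h>
 #include <xen/domain_page.h>
 #include <acm/acm_hooks.h>
+#include <xsm/xsm.h>
 
 #ifndef max_nr_grant_frames
 unsigned int max_nr_grant_frames = DEFAULT_MAX_NR_GRANT_FRAMES;
@@ -224,6 +225,14 @@ static void
         return;
     }
 
+    rc = xsm_grant_mapref(ld, rd, op->flags);
+    if ( rc )
+    {
+        rcu_unlock_domain(rd);
+        op->status = GNTST_permission_denied;
+        return;
+    }
+
     if ( unlikely((handle = get_maptrack_handle(ld->grant_table)) == -1) )
     {
         rcu_unlock_domain(rd);
@@ -451,6 +460,14 @@ static void
         return;
     }
 
+    rc = xsm_grant_unmapref(ld, rd);
+    if ( rc )
+    {
+        rcu_unlock_domain(rd);
+        op->status = GNTST_permission_denied;
+        return;
+    }
+
     TRACE_1D(TRC_MEM_PAGE_GRANT_UNMAP, dom);
 
     spin_lock(&rd->grant_table->lock);
@@ -705,6 +722,13 @@ gnttab_setup_table(
         goto out;
     }
 
+    if ( xsm_grant_setup(current->domain, d) )
+    {
+        rcu_unlock_domain(d);
+        op.status = GNTST_permission_denied;
+        goto out;
+    }
+
     spin_lock(&d->grant_table->lock);
 
     if ( (op.nr_frames > nr_grant_frames(d->grant_table)) &&
@@ -745,6 +769,7 @@ gnttab_query_size(
     struct gnttab_query_size op;
     struct domain *d;
     domid_t        dom;
+    int rc;
 
     if ( count != 1 )
         return -EINVAL;
@@ -773,6 +798,14 @@ gnttab_query_size(
         goto query_out;
     }
 
+    rc = xsm_grant_query_size(current->domain, d);
+    if ( rc )
+    {
+        rcu_unlock_domain(d);
+        op.status = GNTST_permission_denied;
+        goto query_out;
+    }
+
     spin_lock(&d->grant_table->lock);
 
     op.nr_frames     = nr_grant_frames(d->grant_table);
@@ -919,6 +952,13 @@ gnttab_transfer(
             goto copyback;
         }
 
+        if ( xsm_grant_transfer(d, e) )
+        {
+            rcu_unlock_domain(e);
+            gop.status = GNTST_permission_denied;
+            goto copyback;
+        }
+
         spin_lock(&e->page_alloc_lock);
 
         /*
@@ -1139,6 +1179,13 @@ static void
         PIN_FAIL(error_out, GNTST_bad_domain,
                  "couldn't find %d\n", op->dest.domid);
 
+    rc = xsm_grant_copy(sd, dd);
+    if ( rc )
+    {
+        rc = GNTST_permission_denied;
+        goto error_out;
+    }
+
     if ( src_is_gref )
     {
         rc = __acquire_grant_for_copy(sd, op->source.u.ref, 1, &s_frame);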
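Review bot: The denial path added to gnttab_transfer only calls `rcu_unlock_domain(e)` and sets `gop.status` before `goto copyback`, which may not be enough cleanup at that point in the function. The code ahead of this hunk is not shown, but if the page has already been taken from the source domain `d` by the time the target `e` is looked up, a policy denial here leaves that page with no owner and never freed. The path should release the page the same way as the lookup-failure path just above, of which the hunk shows only the closing `goto copyback;`. A comment on the hook such as `/* page already removed from d: release it on denial */` would record the ordering requirement.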
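--- a/xen/common/kexec.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/common/kexec.c	Fri Aug 31 11:21:35 2007 +0100
@@ -21,6 +21,7 @@
 #include <xen/version.h>
 #include <xen/console.h>
 #include <public/elfnote.h>
+#include <xsm/xsm.h>
 
 #ifndef COMPAT
 
@@ -367,6 +368,10 @@ ret_t do_kexec_op(unsigned long op, XEN_
     if ( !IS_PRIV(current->domain) )
         return -EPERM;
 
+    ret = xsm_kexec();
+    if ( ret )
+        return ret;
+
     switch ( op )
     {
     case KEXEC_CMD_kexec_get_range: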
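--- a/xen/common/memory.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/common/memory.c	Fri Aug 31 11:21:35 2007 +0100
@@ -22,6 +22,7 @@
 #include <asm/current.h>
 #include <asm/hardirq.h>
 #include <public/memory.h>
+#include <xsm/xsm.h>
 
 struct memop_args {
     /* INPUT */
@@ -216,6 +217,7 @@ static long translate_gpfn_list(
     xen_pfn_t gpfn;
     xen_pfn_t mfn;
     struct domain *d;
+    int rc;
 
     if ( copy_from_guest(&op, uop, 1) )
         return -EFAULT;
@@ -259,6 +261,13 @@ static long translate_gpfn_list(
 
         mfn = gmfn_to_mfn(d, gpfn);
 
+        rc = xsm_translate_gpfn_list(current->domain, mfn);
+        if ( rc )
+        {
+            rcu_unlock_domain(d);
+            return rc;
+        }
+
         if ( unlikely(__copy_to_guest_offset(op.mfn_list, i, &mfn, 1)) )
         {
             rcu_unlock_domain(d);
@@ -538,6 +547,14 @@ long do_memory_op(unsigned long cmd, XEN
             return start_extent;
         args.domain = d;
 
+        rc = xsm_memory_adjust_reservation(current->domain, d);
+        if ( rc )
+        {
+            if ( reservation.domid != DOMID_SELF )
+                rcu_unlock_domain(d);
+            return rc;
+        }
+
         switch ( op )
         {
         case XENMEM_increase_reservation:
@@ -584,6 +601,14 @@ long do_memory_op(unsigned long cmd, XEN
         else if ( (d = rcu_lock_domain_by_id(domid)) == NULL )
             return -ESRCH;
 
+        rc = xsm_memory_stat_reservation(current->domain, d);
+        if ( rc )
+        {
+            if ( domid != DOMID_SELF )
+                rcu_unlock_domain(d);
+            return rc;
+        }
+
         switch ( op )
         {
         case XENMEM_increase_reservation: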
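--- a/xen/common/schedule.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/common/schedule.c	Fri Aug 31 11:21:35 2007 +0100
@@ -32,6 +32,7 @@
 #include <xen/guest_access.h>
 #include <xen/multicall.h>
 #include <public/sched.h>
+#include <xsm/xsm.h>
 
 /* opt_sched: scheduler - default to credit */
 static char opt_sched[10] = "credit";
@@ -461,6 +462,13 @@ ret_t do_sched_op(int cmd, XEN_GUEST_HAN
         if ( d == NULL )
             break;
 
+        ret = xsm_schedop_shutdown(current->domain, d);
+        if ( ret )
+        {
+            rcu_unlock_domain(d);
+            return ret;
+        }
+
         /* domain_pause() prevens any further execution in guest context. */
         domain_pause(d);
         domain_shutdown(d, (u8)sched_remote_shutdown.reason);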
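--- a/xen/common/sysctl.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/common/sysctl.c	Fri Aug 31 11:21:35 2007 +0100
@@ -23,6 +23,7 @@
 #include <public/sysctl.h>
 #include <asm/numa.h>
 #include <xen/nodemask.h>
+#include <xsm/xsm.h>
 
 extern long arch_do_sysctl(
     struct xen_sysctl *op, XEN_GUEST_HANDLE(xen_sysctl_t) u_sysctl);
@@ -48,6 +49,10 @@ long do_sysctl(XEN_GUEST_HANDLE(xen_sysc
     {
     case XEN_SYSCTL_readconsole:
     {
+        ret = xsm_readconsole(op->u.readconsole.clear);
+        if ( ret )
+            break;
+
         ret = read_console_ring(
             guest_handle_cast(op->u.readconsole.buffer, char),
             &op->u.readconsole.count,
@@ -59,6 +64,10 @@ long do_sysctl(XEN_GUEST_HANDLE(xen_sysc
 
     case XEN_SYSCTL_tbuf_op:
     {
+        ret = xsm_tbufcontrol();
+        if ( ret )
+            break;
+
         ret = tb_control(&op->u.tbuf_op);
         if ( copy_to_guest(u_sysctl, op, 1) )
             ret = -EFAULT;
@@ -67,6 +76,10 @@ long do_sysctl(XEN_GUEST_HANDLE(xen_sysc
     
     case XEN_SYSCTL_sched_id:
     {
+        ret = xsm_sched_id();
+        if ( ret )
+            break;
+
         op->u.sched_id.sched_id = sched_id();
         if ( copy_to_guest(u_sysctl, op, 1) )
             ret = -EFAULT;
@@ -90,6 +103,10 @@ long do_sysctl(XEN_GUEST_HANDLE(xen_sysc
             if ( num_domains == op->u.getdomaininfolist.max_domains )
                 break;
 
+            ret = xsm_getdomaininfo(d);
+            if ( ret )
+                continue;
+
             getdomaininfo(d, &info);
 
             if ( copy_to_guest_offset(op->u.getdomaininfolist.buffer,
@@ -117,6 +134,10 @@ long do_sysctl(XEN_GUEST_HANDLE(xen_sysc
 #ifdef PERF_COUNTERS
     case XEN_SYSCTL_perfc_op:
     {
+        ret = xsm_perfcontrol();
+        if ( ret )
+            break;
+
         ret = perfc_control(&op->u.perfc_op);
         if ( copy_to_guest(u_sysctl, op, 1) )
             ret = -EFAULT;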
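Review bot: In the getdomaininfolist loop the hook result is stored in `ret` before `continue`, so when the last domain visited is denied, `ret` is still non-zero once the loop ends. The code after the loop is outside the hunk; if it treats a non-zero `ret` as failure, the whole call fails even though the permitted entries were already copied out, and the result depends on the order of the domain list. Testing the hook without touching `ret`, as in `if ( xsm_getdomaininfo(d) ) continue;`, keeps a denial as a silent skip of that one domain.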
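--- a/xen/common/xenoprof.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/common/xenoprof.c	Fri Aug 31 11:21:35 2007 +0100
@@ -14,6 +14,7 @@
 #include <xen/sched.h>
 #include <public/xenoprof.h>
 #include <xen/paging.h>
+#include <xsm/xsm.h>
 
 /* Limit amount of pages used for shared buffer (per domain) */
 #define MAX_OPROF_SHARED_PAGES 32
@@ -634,6 +635,10 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
         return -EPERM;
     }
 
+    ret = xsm_profile(current->domain, op);
+    if ( ret )
+        return ret;
+
     spin_lock(&xenoprof_lock);
     
     switch ( op )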
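--- a/xen/drivers/char/console.c	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/drivers/char/console.c	Fri Aug 31 11:21:35 2007 +0100
@@ -32,6 +32,7 @@
 #include <asm/debugger.h>
 #include <asm/io.h>
 #include <asm/div64.h>
+#include <xsm/xsm.h>
 
 /* console: comma-separated list of console outputs. */
 static char opt_console[30] = OPT_CONSOLE_STR;
@@ -358,6 +359,10 @@ long do_console_io(int cmd, int count, X
         return -EPERM;
 #endif
 
+    rc = xsm_console_io(current->domain, cmd);
+    if ( rc )
+        return rc;
+
     switch ( cmd )
     {
     case CONSOLEIO_write: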
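--- a/xen/include/public/xen.h	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/include/public/xen.h	Fri Aug 31 11:21:35 2007 +0100
@@ -80,6 +80,7 @@
 #define __HYPERVISOR_sysctl               35
 #define __HYPERVISOR_domctl               36
 #define __HYPERVISOR_kexec_op             37
+#define __HYPERVISOR_xsm_op               38
 
 /* Architecture-specific hypercall definitions. */
 #define __HYPERVISOR_arch_0               48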
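--- a/xen/include/xen/hypercall.h	Fri Aug 31 11:12:57 2007 +0100
+++ b/xen/include/xen/hypercall.h	Fri Aug 31 11:21:35 2007 +0100
@@ -15,6 +15,7 @@
 #include <public/acm_ops.h>
 #include <public/event_channel.h>
 #include <asm/hypercall.h>
+#include <xsm/xsm.h>
 
 extern long
 do_ni_hypercall(
@@ -125,4 +126,8 @@ compat_memory_op(
 
 #endif
 
+extern long
+do_xsm_op(
+    XEN_GUEST_HANDLE(xsm_op_t) u_xsm_op);
+
 #endif /* __XEN_HYPERCALL_H__ */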
    27.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    27.2 +++ b/xen/include/xsm/xsm.h	Fri Aug 31 11:21:35 2007 +0100
    27.3 @@ -0,0 +1,537 @@
    27.4 +/*
    27.5 + *  This file contains the XSM hook definitions for Xen.
    27.6 + *
    27.7 + *  This work is based on the LSM implementation in Linux 2.6.13.4.
    27.8 + *
    27.9 + *  Author:  George Coker, <gscoker@alpha.ncsc.mil>
   27.10 + *
   27.11 + *  Contributors: Michael LeMay, <mdlemay@epoch.ncsc.mil>
   27.12 + *
   27.13 + *  This program is free software; you can redistribute it and/or modify
   27.14 + *  it under the terms of the GNU General Public License version 2,
   27.15 + *  as published by the Free Software Foundation.
   27.16 + */
   27.17 +
   27.18 +#ifndef __XSM_H__
   27.19 +#define __XSM_H__
   27.20 +
   27.21 +#include <xen/sched.h>
   27.22 +#include <xen/multiboot.h>
   27.23 +
   27.24 +typedef void xsm_op_t;
   27.25 +DEFINE_XEN_GUEST_HANDLE(xsm_op_t);
   27.26 +
   27.27 +extern long do_xsm_op (XEN_GUEST_HANDLE(xsm_op_t) op);
   27.28 +
   27.29 +#ifdef XSM_ENABLE
   27.30 +    #define xsm_call(fn) xsm_ops->fn
   27.31 +#else
   27.32 +    #define xsm_call(fn) 0
   27.33 +#endif
   27.34 +
   27.35 +/* policy magic number (defined by XSM_MAGIC) */
   27.36 +typedef u32 xsm_magic_t;
   27.37 +#ifndef XSM_MAGIC
   27.38 +#define XSM_MAGIC 0x00000000
   27.39 +#endif
   27.40 +
   27.41 +#ifdef XSM_ENABLE
   27.42 +
   27.43 +extern char *policy_buffer;
   27.44 +extern u32 policy_size;
   27.45 +
   27.46 +typedef int (*xsm_initcall_t)(void);
   27.47 +
   27.48 +extern xsm_initcall_t __xsm_initcall_start[], __xsm_initcall_end[];
   27.49 +
   27.50 +#define xsm_initcall(fn) \
   27.51 +    static xsm_initcall_t __initcall_##fn \
   27.52 +    __attribute_used__ __attribute__((__section__(".xsm_initcall.init"))) = fn
   27.53 +
   27.54 +struct xsm_operations {
   27.55 +    void (*security_domaininfo) (struct domain *d,
   27.56 +                                        struct xen_domctl_getdomaininfo *info);
   27.57 +    int (*setvcpucontext) (struct domain *d);
   27.58 +    int (*pausedomain) (struct domain *d);
   27.59 +    int (*unpausedomain) (struct domain *d);
   27.60 +    int (*resumedomain) (struct domain *d);
   27.61 +    int (*domain_create) (struct domain *d, u32 ssidref);
   27.62 +    int (*max_vcpus) (struct domain *d);
   27.63 +    int (*destroydomain) (struct domain *d);
   27.64 +    int (*vcpuaffinity) (int cmd, struct domain *d);
   27.65 +    int (*scheduler) (struct domain *d);
   27.66 +    int (*getdomaininfo) (struct domain *d);
   27.67 +    int (*getvcpucontext) (struct domain *d);
   27.68 +    int (*getvcpuinfo) (struct domain *d);
   27.69 +    int (*domain_settime) (struct domain *d);
   27.70 +    int (*tbufcontrol) (void);
   27.71 +    int (*readconsole) (uint32_t clear);
   27.72 +    int (*sched_id) (void);
   27.73 +    int (*setdomainmaxmem) (struct domain *d);
   27.74 +    int (*setdomainhandle) (struct domain *d);
   27.75 +    int (*setdebugging) (struct domain *d);
   27.76 +    int (*irq_permission) (struct domain *d, uint8_t pirq, uint8_t access);
   27.77 +    int (*iomem_permission) (struct domain *d, unsigned long mfn, 
   27.78 +                                                                uint8_t access);
   27.79 +    int (*perfcontrol) (void);
   27.80 +
   27.81 +    int (*evtchn_unbound) (struct domain *d, struct evtchn *chn, domid_t id2);
   27.82 +    int (*evtchn_interdomain) (struct domain *d1, struct evtchn *chn1,
   27.83 +                                        struct domain *d2, struct evtchn *chn2);
   27.84 +    void (*evtchn_close_post) (struct evtchn *chn);
   27.85 +    int (*evtchn_send) (struct domain *d, struct evtchn *chn);
   27.86 +    int (*evtchn_status) (struct domain *d, struct evtchn *chn);
   27.87 +    int (*evtchn_reset) (struct domain *d1, struct domain *d2);
   27.88 +
   27.89 +    int (*grant_mapref) (struct domain *d1, struct domain *d2, uint32_t flags);
   27.90 +    int (*grant_unmapref) (struct domain *d1, struct domain *d2);
   27.91 +    int (*grant_setup) (struct domain *d1, struct domain *d2);
   27.92 +    int (*grant_transfer) (struct domain *d1, struct domain *d2);
   27.93 +    int (*grant_copy) (struct domain *d1, struct domain *d2);
   27.94 +    int (*grant_query_size) (struct domain *d1, struct domain *d2);
   27.95 +
   27.96 +    int (*alloc_security_domain) (struct domain *d);
   27.97 +    void (*free_security_domain) (struct domain *d);
   27.98 +    int (*alloc_security_evtchn) (struct evtchn *chn);
   27.99 +    void (*free_security_evtchn) (struct evtchn *chn);
  27.100 +
  27.101 +    int (*translate_gpfn_list) (struct domain *d, unsigned long mfn);
  27.102 +    int (*memory_adjust_reservation) (struct domain *d1, struct domain *d2);
  27.103 +    int (*memory_stat_reservation) (struct domain *d1, struct domain *d2);
  27.104 +    int (*memory_pin_page) (struct domain *d, struct page_info *page);
  27.105 +    int (*update_va_mapping) (struct domain *d, l1_pgentry_t pte);
  27.106 +
  27.107 +    int (*console_io) (struct domain *d, int cmd);
  27.108 +
  27.109 +    int (*profile) (struct domain *d, int op);
  27.110 +
  27.111 +    int (*kexec) (void);
  27.112 +    int (*schedop_shutdown) (struct domain *d1, struct domain *d2);
  27.113 +
  27.114 +    long (*__do_xsm_op) (XEN_GUEST_HANDLE(xsm_op_t) op);
  27.115 +    void (*complete_init) (struct domain *d);
  27.116 +
  27.117 +#ifdef CONFIG_X86
  27.118 +    int (*shadow_control) (struct domain *d, uint32_t op);
  27.119 +    int (*ioport_permission) (struct domain *d, uint32_t ioport, 
  27.120 +                                                                uint8_t access);
  27.121 +    int (*getpageframeinfo) (struct page_info *page);
  27.122 +    int (*getmemlist) (struct domain *d);
  27.123 +    int (*hypercall_init) (struct domain *d);
  27.124 +    int (*hvmcontext) (struct domain *d, uint32_t op);
  27.125 +    int (*address_size) (struct domain *d, uint32_t op);
  27.126 +    int (*hvm_param) (struct domain *d, unsigned long op);
  27.127 +    int (*hvm_set_pci_intx_level) (struct domain *d);
  27.128 +    int (*hvm_set_isa_irq_level) (struct domain *d);
  27.129 +    int (*hvm_set_pci_link_route) (struct domain *d);
  27.130 +    int (*apic) (struct domain *d, int cmd);
  27.131 +    int (*assign_vector) (struct domain *d, uint32_t pirq);
  27.132 +    int (*xen_settime) (void);
  27.133 +    int (*memtype) (uint32_t access);
  27.134 +    int (*microcode) (void);
  27.135 +    int (*physinfo) (void);
  27.136 +    int (*platform_quirk) (uint32_t);
  27.137 +    int (*machine_memory_map) (void);
  27.138 +    int (*domain_memory_map) (struct domain *d);
  27.139 +    int (*mmu_normal_update) (struct domain *d, intpte_t fpte);
  27.140 +    int (*mmu_machphys_update) (struct domain *d, unsigned long mfn);
  27.141 +    int (*add_to_physmap) (struct domain *d1, struct domain *d2);
  27.142 +#endif
  27.143 +};
  27.144 +
  27.145 +#endif
  27.146 +
  27.147 +extern struct xsm_operations *xsm_ops;
  27.148 +
  27.149 +static inline void xsm_security_domaininfo (struct domain *d,
  27.150 +                                        struct xen_domctl_getdomaininfo *info)
  27.151 +{
  27.152 +    xsm_call(security_domaininfo(d, info));
  27.153 +}
  27.154 +
  27.155 +static inline int xsm_setvcpucontext(struct domain *d)
  27.156 +{
  27.157 +    return xsm_call(setvcpucontext(d));
  27.158 +}
  27.159 +
  27.160 +static inline int xsm_pausedomain (struct domain *d)
  27.161 +{
  27.162 +    return xsm_call(pausedomain(d));
  27.163 +}
  27.164 +
  27.165 +static inline int xsm_unpausedomain (struct domain *d)
  27.166 +{
  27.167 +    return xsm_call(unpausedomain(d));
  27.168 +}
  27.169 +
  27.170 +static inline int xsm_resumedomain (struct domain *d)
  27.171 +{
  27.172 +    return xsm_call(resumedomain(d));
  27.173 +}
  27.174 +
  27.175 +static inline int xsm_domain_create (struct domain *d, u32 ssidref)
  27.176 +{
  27.177 +    return xsm_call(domain_create(d, ssidref));
  27.178 +}
  27.179 +
  27.180 +static inline int xsm_max_vcpus(struct domain *d)
  27.181 +{
  27.182 +    return xsm_call(max_vcpus(d));
  27.183 +}
  27.184 +
  27.185 +static inline int xsm_destroydomain (struct domain *d)
  27.186 +{
  27.187 +    return xsm_call(destroydomain(d));
  27.188 +}
  27.189 +
  27.190 +static inline int xsm_vcpuaffinity (int cmd, struct domain *d)
  27.191 +{
  27.192 +    return xsm_call(vcpuaffinity(cmd, d));
  27.193 +}
  27.194 +
  27.195 +static inline int xsm_scheduler (struct domain *d)
  27.196 +{
  27.197 +    return xsm_call(scheduler(d));
  27.198 +}
  27.199 +
  27.200 +static inline int xsm_getdomaininfo (struct domain *d)
  27.201 +{
  27.202 +    return xsm_call(getdomaininfo(d));
  27.203 +}
  27.204 +
  27.205 +static inline int xsm_getvcpucontext (struct domain *d)
  27.206 +{
  27.207 +    return xsm_call(getvcpucontext(d));
  27.208 +}
  27.209 +
  27.210 +static inline int xsm_getvcpuinfo (struct domain *d)
  27.211 +{
  27.212 +    return xsm_call(getvcpuinfo(d));
  27.213 +}
  27.214 +
  27.215 +static inline int xsm_domain_settime (struct domain *d)
  27.216 +{
  27.217 +    return xsm_call(domain_settime(d));
  27.218 +}
  27.219 +
  27.220 +static inline int xsm_tbufcontrol (void)
  27.221 +{
  27.222 +    return xsm_call(tbufcontrol());
  27.223 +}
  27.224 +
  27.225 +static inline int xsm_readconsole (uint32_t clear)
  27.226 +{
  27.227 +    return xsm_call(readconsole(clear));
  27.228 +}
  27.229 +
  27.230 +static inline int xsm_sched_id (void)
  27.231 +{
  27.232 +    return xsm_call(sched_id());
  27.233 +}
  27.234 +
  27.235 +static inline int xsm_setdomainmaxmem (struct domain *d)
  27.236 +{
  27.237 +    return xsm_call(setdomainmaxmem(d));
  27.238 +}
  27.239 +
  27.240 +static inline int xsm_setdomainhandle (struct domain *d)
  27.241 +{
  27.242 +    return xsm_call(setdomainhandle(d));
  27.243 +}
  27.244 +
  27.245 +static inline int xsm_setdebugging (struct domain *d)
  27.246 +{
  27.247 +    return xsm_call(setdebugging(d));
  27.248 +}
  27.249 +
  27.250 +static inline int xsm_irq_permission (struct domain *d, uint8_t pirq,
  27.251 +                                                                uint8_t access)
  27.252 +{
  27.253 +    return xsm_call(irq_permission(d, pirq, access));
  27.254 +} 
  27.255 +
  27.256 +static inline int xsm_iomem_permission (struct domain *d, unsigned long mfn,
  27.257 +                                                                uint8_t access)
  27.258 +{
  27.259 +    return xsm_call(iomem_permission(d, mfn, access));
  27.260 +}
  27.261 +
  27.262 +static inline int xsm_perfcontrol (void)
  27.263 +{
  27.264 +    return xsm_call(perfcontrol());
  27.265 +}
  27.266 +
  27.267 +static inline int xsm_evtchn_unbound (struct domain *d1, struct evtchn *chn,
  27.268 +                                                                    domid_t id2)
  27.269 +{
  27.270 +    return xsm_call(evtchn_unbound(d1, chn, id2));
  27.271 +}
  27.272 +
  27.273 +static inline int xsm_evtchn_interdomain (struct domain *d1, 
  27.274 +                struct evtchn *chan1, struct domain *d2, struct evtchn *chan2)
  27.275 +{
  27.276 +    return xsm_call(evtchn_interdomain(d1, chan1, d2, chan2));
  27.277 +}
  27.278 +
  27.279 +static inline void xsm_evtchn_close_post (struct evtchn *chn)
  27.280 +{
  27.281 +    xsm_call(evtchn_close_post(chn));
  27.282 +}
  27.283 +
  27.284 +static inline int xsm_evtchn_send (struct domain *d, struct evtchn *chn)
  27.285 +{
  27.286 +    return xsm_call(evtchn_send(d, chn));
  27.287 +}
  27.288 +
  27.289 +static inline int xsm_evtchn_status (struct domain *d, struct evtchn *chn)
  27.290 +{
  27.291 +    return xsm_call(evtchn_status(d, chn));
  27.292 +}
  27.293 +
  27.294 +static inline int xsm_evtchn_reset (struct domain *d1, struct domain *d2)
  27.295 +{
  27.296 +    return xsm_call(evtchn_reset(d1, d2));
  27.297 +}
  27.298 +
  27.299 +static inline int xsm_grant_mapref (struct domain *d1, struct domain *d2,
  27.300 +                                                                uint32_t flags)
  27.301 +{
  27.302 +    return xsm_call(grant_mapref(d1, d2, flags));
  27.303 +}
  27.304 +
  27.305 +static inline int xsm_grant_unmapref (struct domain *d1, struct domain *d2)
  27.306 +{
  27.307 +    return xsm_call(grant_unmapref(d1, d2));
  27.308 +}
  27.309 +
  27.310 +static inline int xsm_grant_setup (struct domain *d1, struct domain *d2)
  27.311 +{
  27.312 +    return xsm_call(grant_setup(d1, d2));
  27.313 +}
  27.314 +
  27.315 +static inline int xsm_grant_transfer (struct domain *d1, struct domain *d2)
  27.316 +{
  27.317 +    return xsm_call(grant_transfer(d1, d2));
  27.318 +}
  27.319 +
  27.320 +static inline int xsm_grant_copy (struct domain *d1, struct domain *d2)
  27.321 +{
  27.322 +    return xsm_call(grant_copy(d1, d2));
  27.323 +}
  27.324 +
  27.325 +static inline int xsm_grant_query_size (struct domain *d1, struct domain *d2)
  27.326 +{
  27.327 +    return xsm_call(grant_query_size(d1, d2));
  27.328 +}
  27.329 +
  27.330 +static inline int xsm_alloc_security_domain (struct domain *d)
  27.331 +{
  27.332 +    return xsm_call(alloc_security_domain(d));
  27.333 +}
  27.334 +
  27.335 +static inline void xsm_free_security_domain (struct domain *d)
  27.336 +{
  27.337 +    xsm_call(free_security_domain(d));
  27.338 +}
  27.339 +
  27.340 +static inline int xsm_alloc_security_evtchn (struct evtchn *chn)
  27.341 +{
  27.342 +    return xsm_call(alloc_security_evtchn(chn));
  27.343 +}
  27.344 +
  27.345 +static inline void xsm_free_security_evtchn (struct evtchn *chn)
  27.346 +{
  27.347 +    xsm_call(free_security_evtchn(chn));
  27.348 +}
  27.349 +
  27.350 +static inline int xsm_translate_gpfn_list (struct domain *d, unsigned long mfn)
  27.351 +{
  27.352 +    return xsm_call(translate_gpfn_list(d, mfn));
  27.353 +}
  27.354 +
  27.355 +static inline int xsm_memory_adjust_reservation (struct domain *d1, struct
  27.356 +                                                                    domain *d2)
  27.357 +{
  27.358 +    return xsm_call(memory_adjust_reservation(d1, d2));
  27.359 +}
  27.360 +
  27.361 +static inline int xsm_memory_stat_reservation (struct domain *d1,
  27.362 +                                                            struct domain *d2)
  27.363 +{
  27.364 +    return xsm_call(memory_stat_reservation(d1, d2));
  27.365 +}
  27.366 +
  27.367 +static inline int xsm_memory_pin_page(struct domain *d, struct page_info *page)
  27.368 +{
  27.369 +    return xsm_call(memory_pin_page(d, page));
  27.370 +}
  27.371 +
  27.372 +static inline int xsm_update_va_mapping(struct domain *d, l1_pgentry_t pte)
  27.373 +{
  27.374 +    return xsm_call(update_va_mapping(d, pte));
  27.375 +}
  27.376 +
  27.377 +static inline int xsm_console_io (struct domain *d, int cmd)
  27.378 +{
  27.379 +    return xsm_call(console_io(d, cmd));
  27.380 +}
  27.381 +
  27.382 +static inline int xsm_profile (struct domain *d, int op)
  27.383 +{
  27.384 +    return xsm_call(profile(d, op));
  27.385 +}
  27.386 +
  27.387 +static inline int xsm_kexec (void)
  27.388 +{
  27.389 +    return xsm_call(kexec());
  27.390 +}
  27.391 +
  27.392 +static inline int xsm_schedop_shutdown (struct domain *d1, struct domain *d2)
  27.393 +{
  27.394 +    return xsm_call(schedop_shutdown(d1, d2));
  27.395 +}
  27.396 +
  27.397 +static inline long __do_xsm_op (XEN_GUEST_HANDLE(xsm_op_t) op)
  27.398 +{
  27.399 +    return xsm_call(__do_xsm_op(op));
  27.400 +}
  27.401 +
  27.402 +static inline void xsm_complete_init (struct domain *d)
  27.403 +{
  27.404 +    xsm_call(complete_init(d));
  27.405 +}
  27.406 +
  27.407 +#ifdef XSM_ENABLE
  27.408 +extern int xsm_init(unsigned int *initrdidx, const multiboot_info_t *mbi,
  27.409 +                                          unsigned long initial_images_start);
  27.410 +extern int xsm_policy_init(unsigned int *initrdidx, const multiboot_info_t *mbi,
  27.411 +                                           unsigned long initial_images_start);
  27.412 +extern int register_xsm(struct xsm_operations *ops);
  27.413 +extern int unregister_xsm(struct xsm_operations *ops);
  27.414 +#else
  27.415 +static inline int xsm_init (unsigned int *initrdidx,
  27.416 +                const multiboot_info_t *mbi, unsigned long initial_images_start)
  27.417 +{
  27.418 +    return 0;
  27.419 +}
  27.420 +#endif
  27.421 +
  27.422 +#ifdef CONFIG_X86
  27.423 +static inline int xsm_shadow_control (struct domain *d, uint32_t op)
  27.424 +{
  27.425 +    return xsm_call(shadow_control(d, op));
  27.426 +}
  27.427 +
  27.428 +static inline int xsm_ioport_permission (struct domain *d, uint32_t ioport,
  27.429 +                                                                uint8_t access)
  27.430 +{
  27.431 +    return xsm_call(ioport_permission(d, ioport, access));
  27.432 +}
  27.433 +
  27.434 +static inline int xsm_getpageframeinfo (struct page_info *page)
  27.435 +{
  27.436 +    return xsm_call(getpageframeinfo(page));
  27.437 +}
  27.438 +
  27.439 +static inline int xsm_getmemlist (struct domain *d)
  27.440 +{
  27.441 +    return xsm_call(getmemlist(d));
  27.442 +}
  27.443 +
  27.444 +static inline int xsm_hypercall_init (struct domain *d)
  27.445 +{
  27.446 +    return xsm_call(hypercall_init(d));
  27.447 +}
  27.448 +
  27.449 +static inline int xsm_hvmcontext (struct domain *d, uint32_t cmd)
  27.450 +{
  27.451 +    return xsm_call(hvmcontext(d, cmd));
  27.452 +}
  27.453 +
  27.454 +static inline int xsm_address_size (struct domain *d, uint32_t cmd)
  27.455 +{
  27.456 +    return xsm_call(address_size(d, cmd));
  27.457 +}
  27.458 +
  27.459 +static inline int xsm_hvm_param (struct domain *d, unsigned long op)
  27.460 +{
  27.461 +    return xsm_call(hvm_param(d, op));
  27.462 +}
  27.463 +
  27.464 +static inline int xsm_hvm_set_pci_intx_level (struct domain *d)
  27.465 +{
  27.466 +    return xsm_call(hvm_set_pci_intx_level(d));
  27.467 +}
  27.468 +
  27.469 +static inline int xsm_hvm_set_isa_irq_level (struct domain *d)
  27.470 +{
  27.471 +    return xsm_call(hvm_set_isa_irq_level(d));
  27.472 +}
  27.473 +
  27.474 +static inline int xsm_hvm_set_pci_link_route (struct domain *d)
  27.475 +{
  27.476 +    return xsm_call(hvm_set_pci_link_route(d));
  27.477 +}
  27.478 +
  27.479 +static inline int xsm_apic (struct domain *d, int cmd)
  27.480 +{
  27.481 +    return xsm_call(apic(d, cmd));
  27.482 +}
  27.483 +
  27.484 +static inline int xsm_assign_vector (struct domain *d, uint32_t pirq)
  27.485 +{
  27.486 +    return xsm_call(assign_vector(d, pirq));
  27.487 +}
  27.488 +
  27.489 +static inline int xsm_xen_settime (void)
  27.490 +{
  27.491 +    return xsm_call(xen_settime());
  27.492 +}
  27.493 +
  27.494 +static inline int xsm_memtype (uint32_t access)
  27.495 +{
  27.496 +    return xsm_call(memtype(access));
  27.497 +}
  27.498 +
  27.499 +static inline int xsm_microcode (void)
  27.500 +{
  27.501 +    return xsm_call(microcode());
  27.502 +}
  27.503 +
  27.504 +static inline int xsm_physinfo (void)
  27.505 +{
  27.506 +    return xsm_call(physinfo());
  27.507 +}
  27.508 +
  27.509 +static inline int xsm_platform_quirk (uint32_t quirk)
  27.510 +{
  27.511 +    return xsm_call(platform_quirk(quirk));
  27.512 +}
  27.513 +
  27.514 +static inline int xsm_machine_memory_map(void)
  27.515 +{
  27.516 +    return xsm_call(machine_memory_map());
  27.517 +}
  27.518 +
  27.519 +static inline int xsm_domain_memory_map(struct domain *d)
  27.520 +{
  27.521 +    return xsm_call(domain_memory_map(d));
  27.522 +}
  27.523 +
  27.524 +static inline int xsm_mmu_normal_update (struct domain *d, intpte_t fpte)
  27.525 +{
  27.526 +    return xsm_call(mmu_normal_update(d, fpte));
  27.527 +}
  27.528 +
  27.529 +static inline int xsm_mmu_machphys_update (struct domain *d, unsigned long mfn)
  27.530 +{
  27.531 +    return xsm_call(mmu_machphys_update(d, mfn));
  27.532 +}
  27.533 +
  27.534 +static inline int xsm_add_to_physmap(struct domain *d1, struct domain *d2)
  27.535 +{
  27.536 +    return xsm_call(add_to_physmap(d1, d2));
  27.537 +}
  27.538 +#endif /* CONFIG_X86 */
  27.539 +
  27.540 +#endif /* __XSM_H */
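--- /dev/null
+++ b/xen/xsm/Makefile
@@ -0,0 +1,5 @@
+obj-y += xsm_core.o
+obj-y += xsm_policy.o
+ifeq ($(XSM_ENABLE),y)
+obj-y += dummy.o
+endif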
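Review bot: `obj-y += xsm_policy.o` is unconditional, yet the `xsm_policy_init` prototype in xen/include/xsm/xsm.h is only declared under `#ifdef XSM_ENABLE`, and its only visible caller, `xsm_init` in xsm_core.c, sits under the same guard. With XSM disabled that leaves a boot-module scanning routine and the globals `policy_buffer` and `policy_size` in the hypervisor with no caller in this change. Moving that line below `ifeq ($(XSM_ENABLE),y)` would keep the disabled build free of it. `xsm_core.o` has to stay unconditional because `do_xsm_op` is defined outside the guard.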
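--- /dev/null
+++ b/xen/xsm/dummy.c
@@ -0,0 +1,488 @@
+/*
+ *  This work is based on the LSM implementation in Linux 2.6.13.4.
+ *
+ *  Author:  George Coker, <gscoker@alpha.ncsc.mil>
+ *
+ *  Contributors: Michael LeMay, <mdlemay@epoch.ncsc.mil>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2,
+ *  as published by the Free Software Foundation.
+ */
+
+#include <xen/sched.h>
+#include <xsm/xsm.h>
+
+static void dummy_security_domaininfo(struct domain *d,
+                                    struct xen_domctl_getdomaininfo *info)
+{
+    return;
+}
+
+static int dummy_setvcpucontext(struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_pausedomain (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_unpausedomain (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_resumedomain (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_domain_create(struct domain *d, u32 ssidref)
+{
+    return 0;
+}
+
+static int dummy_max_vcpus(struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_destroydomain (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_vcpuaffinity (int cmd, struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_scheduler (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_getdomaininfo (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_getvcpucontext (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_getvcpuinfo (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_domain_settime (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_tbufcontrol (void)
+{
+    return 0;
+}
+
+static int dummy_readconsole (uint32_t clear)
+{
+    return 0;
+}
+
+static int dummy_sched_id (void)
+{
+    return 0;
+}
+
+static int dummy_setdomainmaxmem (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_setdomainhandle (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_setdebugging (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_irq_permission (struct domain *d, uint8_t pirq, uint8_t access)
+{
+    return 0;
+}
+
+static int dummy_iomem_permission (struct domain *d, unsigned long mfn,
+                                                                uint8_t access)
+{
+    return 0;
+}
+
+static int dummy_perfcontrol (void)
+{
+    return 0;
+}
+
+static int dummy_alloc_security_domain (struct domain *d)
+{
+    return 0;
+}
+
+static void dummy_free_security_domain (struct domain *d)
+{
+    return;
+}
+
+static int dummy_grant_mapref (struct domain *d1, struct domain *d2,
+                                                                uint32_t flags)
+{
+    return 0;
+}
+
+static int dummy_grant_unmapref (struct domain *d1, struct domain *d2)
+{
+    return 0;
+}
+
+static int dummy_grant_setup (struct domain *d1, struct domain *d2)
+{
+    return 0;
+}
+
+static int dummy_grant_transfer (struct domain *d1, struct domain *d2)
+{
+    return 0;
+}
+
+static int dummy_grant_copy (struct domain *d1, struct domain *d2)
+{
+    return 0;
+}
+
+static int dummy_grant_query_size (struct domain *d1, struct domain *d2)
+{
+    return 0;
+}
+
+static int dummy_translate_gpfn_list (struct domain *d, unsigned long mfn)
+{
+    return 0;
+}
+
+static int dummy_memory_adjust_reservation (struct domain *d1,
+                                                            struct domain *d2)
+{
+    return 0;
+}
+
+static int dummy_memory_stat_reservation (struct domain *d1, struct domain *d2)
+{
+    return 0;
+}
+
+static int dummy_update_va_mapping (struct domain *d, l1_pgentry_t pte)
+{
+    return 0;
+}
+
+static int dummy_console_io (struct domain *d, int cmd)
+{
+    return 0;
+}
+
+static int dummy_profile (struct domain *d, int op)
+{
+    return 0;
+}
+
+static int dummy_kexec (void)
+{
+    return 0;
+}
+
+static int dummy_schedop_shutdown (struct domain *d1, struct domain *d2)
+{
+    return 0;
+}
+
+static int dummy_memory_pin_page(struct domain *d, struct page_info *page)
+{
+    return 0;
+}
+
+static int dummy_evtchn_unbound (struct domain *d, struct evtchn *chn,
+                                                                    domid_t id2)
+{
+    return 0;
+}
+
+static int dummy_evtchn_interdomain (struct domain *d1, struct evtchn
+                                *chan1, struct domain *d2, struct evtchn *chan2)
+{
+    return 0;
+}
+
+static void dummy_evtchn_close_post (struct evtchn *chn)
+{
+    return;
+}
+
+static int dummy_evtchn_send (struct domain *d, struct evtchn *chn)
+{
+    return 0;
+}
+
+static int dummy_evtchn_status (struct domain *d, struct evtchn *chn)
+{
+    return 0;
+}
+
+static int dummy_evtchn_reset (struct domain *d1, struct domain *d2)
+{
+    return 0;
+}
+
+static int dummy_alloc_security_evtchn (struct evtchn *chn)
+{
+    return 0;
+}
+
+static void dummy_free_security_evtchn (struct evtchn *chn)
+{
+    return;
+}
+
+static void dummy_complete_init (struct domain *d)
+{
+    return;
+}
+
+static long dummy___do_xsm_op(XEN_GUEST_HANDLE(xsm_op_t) op)
+{
+    return -ENOSYS;
+}
+
+#ifdef CONFIG_X86
+static int dummy_shadow_control (struct domain *d, uint32_t op)
+{
+    return 0;
+}
+
+static int dummy_ioport_permission (struct domain *d, uint32_t ioport, 
+                                                                uint8_t access)
+{
+    return 0;
+}
+
+static int dummy_getpageframeinfo (struct page_info *page)
+{
+    return 0;
+}
+
+static int dummy_getmemlist (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_hypercall_init (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_hvmcontext (struct domain *d, uint32_t cmd)
+{
+    return 0;
+}
+
+static int dummy_address_size (struct domain *d, uint32_t cmd)
+{
+    return 0;
+}
+
+static int dummy_hvm_param (struct domain *d, unsigned long op)
+{
+    return 0;
+}
+
+static int dummy_hvm_set_pci_intx_level (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_hvm_set_isa_irq_level (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_hvm_set_pci_link_route (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_apic (struct domain *d, int cmd)
+{
+    return 0;
+}
+
+static int dummy_assign_vector (struct domain *d, uint32_t pirq)
+{
+    return 0;
+}
+
+static int dummy_xen_settime (void)
+{
+    return 0;
+}
+
+static int dummy_memtype (uint32_t access)
+{
+    return 0;
+}
+
+static int dummy_microcode (void)
+{
+    return 0;
+}
+
+static int dummy_physinfo (void)
+{
+    return 0;
+}
+
+static int dummy_platform_quirk (uint32_t quirk)
+{
+    return 0;
+}
+
+static int dummy_machine_memory_map (void)
+{
+    return 0;
+}
+
+static int dummy_domain_memory_map (struct domain *d)
+{
+    return 0;
+}
+
+static int dummy_mmu_normal_update (struct domain *d, intpte_t fpte)
+{
+    return 0;
+}
+
+static int dummy_mmu_machphys_update (struct domain *d, unsigned long mfn)
+{
+    return 0;
+}
+
+static int dummy_add_to_physmap (struct domain *d1, struct domain *d2)
+{
+    return 0;
+}
+#endif
+
+struct xsm_operations dummy_xsm_ops;
+
+#define set_to_dummy_if_null(ops, function)                        \
+    do {                                                           \
+        if ( !ops->function )                                      \
+        {                                                          \
+            ops->function = dummy_##function;                      \
+            dprintk(XENLOG_DEBUG, "Had to override the " #function \
+                " security operation with the dummy one.\n");      \
+        }                                                          \
+    } while (0)
+
+void xsm_fixup_ops (struct xsm_operations *ops)
+{
+    set_to_dummy_if_null(ops, security_domaininfo);
+    set_to_dummy_if_null(ops, setvcpucontext);
+    set_to_dummy_if_null(ops, pausedomain);
+    set_to_dummy_if_null(ops, unpausedomain);
+    set_to_dummy_if_null(ops, resumedomain);
+    set_to_dummy_if_null(ops, domain_create);
+    set_to_dummy_if_null(ops, max_vcpus);
+    set_to_dummy_if_null(ops, destroydomain);
+    set_to_dummy_if_null(ops, vcpuaffinity);
+    set_to_dummy_if_null(ops, scheduler);
+    set_to_dummy_if_null(ops, getdomaininfo);
+    set_to_dummy_if_null(ops, getvcpucontext);
+    set_to_dummy_if_null(ops, getvcpuinfo);
+    set_to_dummy_if_null(ops, domain_settime);
+    set_to_dummy_if_null(ops, tbufcontrol);
+    set_to_dummy_if_null(ops, readconsole);
+    set_to_dummy_if_null(ops, sched_id);
+    set_to_dummy_if_null(ops, setdomainmaxmem);
+    set_to_dummy_if_null(ops, setdomainhandle);
+    set_to_dummy_if_null(ops, setdebugging);
+    set_to_dummy_if_null(ops, irq_permission);
+    set_to_dummy_if_null(ops, iomem_permission);
+    set_to_dummy_if_null(ops, perfcontrol);
+
+    set_to_dummy_if_null(ops, evtchn_unbound);
+    set_to_dummy_if_null(ops, evtchn_interdomain);
+    set_to_dummy_if_null(ops, evtchn_close_post);
+    set_to_dummy_if_null(ops, evtchn_send);
+    set_to_dummy_if_null(ops, evtchn_status);
+    set_to_dummy_if_null(ops, evtchn_reset);
+
+    set_to_dummy_if_null(ops, grant_mapref);
+    set_to_dummy_if_null(ops, grant_unmapref);
+    set_to_dummy_if_null(ops, grant_setup);
+    set_to_dummy_if_null(ops, grant_transfer);
+    set_to_dummy_if_null(ops, grant_copy);
+    set_to_dummy_if_null(ops, grant_query_size);
+
+    set_to_dummy_if_null(ops, alloc_security_domain);
+    set_to_dummy_if_null(ops, free_security_domain);
+    set_to_dummy_if_null(ops, alloc_security_evtchn);
+    set_to_dummy_if_null(ops, free_security_evtchn);
+
+    set_to_dummy_if_null(ops, translate_gpfn_list);
+    set_to_dummy_if_null(ops, memory_adjust_reservation);
+    set_to_dummy_if_null(ops, memory_stat_reservation);
+    set_to_dummy_if_null(ops, memory_pin_page);
+    set_to_dummy_if_null(ops, update_va_mapping);
+
+    set_to_dummy_if_null(ops, console_io);
+
+    set_to_dummy_if_null(ops, profile);
+
+    set_to_dummy_if_null(ops, kexec);
+    set_to_dummy_if_null(ops, schedop_shutdown);
+
+    set_to_dummy_if_null(ops, __do_xsm_op);
+    set_to_dummy_if_null(ops, complete_init);
+
+#ifdef CONFIG_X86
+    set_to_dummy_if_null(ops, shadow_control);
+    set_to_dummy_if_null(ops, ioport_permission);
+    set_to_dummy_if_null(ops, getpageframeinfo);
+    set_to_dummy_if_null(ops, getmemlist);
+    set_to_dummy_if_null(ops, hypercall_init);
+    set_to_dummy_if_null(ops, hvmcontext);
+    set_to_dummy_if_null(ops, address_size);
+    set_to_dummy_if_null(ops, hvm_param);
+    set_to_dummy_if_null(ops, hvm_set_pci_intx_level);
+    set_to_dummy_if_null(ops, hvm_set_isa_irq_level);
+    set_to_dummy_if_null(ops, hvm_set_pci_link_route);
+    set_to_dummy_if_null(ops, apic);
+    set_to_dummy_if_null(ops, assign_vector);
+    set_to_dummy_if_null(ops, xen_settime);
+    set_to_dummy_if_null(ops, memtype);
+    set_to_dummy_if_null(ops, microcode);
+    set_to_dummy_if_null(ops, physinfo);
+    set_to_dummy_if_null(ops, platform_quirk);
+    set_to_dummy_if_null(ops, machine_memory_map);
+    set_to_dummy_if_null(ops, domain_memory_map);
+    set_to_dummy_if_null(ops, mmu_normal_update);
+    set_to_dummy_if_null(ops, mmu_machphys_update);
+    set_to_dummy_if_null(ops, add_to_physmap);
+#endif
+}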
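Review bot: `set_to_dummy_if_null` makes every hook a module leaves NULL fail open, and nothing in this file documents that. Apart from `dummy___do_xsm_op`, which returns `-ENOSYS`, every dummy here returns 0 or nothing, which the callers presumably treat as "allowed", and the substitution is reported only by a debug-level `dprintk`. `verify()` in xsm_core.c runs `xsm_fixup_ops` on the table passed to `register_xsm`, so a module that omits one hook permits that operation unnoticed. I would state the contract above `xsm_fixup_ops`, e.g. `/* Hooks left NULL are replaced by dummies that permit the operation; a module must set every hook it wants to enforce. */`, and consider a louder log level when `ops != &dummy_xsm_ops`. As a style point, the macro should parenthesise its argument: `(ops)->function`.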
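--- /dev/null
+++ b/xen/xsm/xsm_core.c
@@ -0,0 +1,118 @@
+/*
+ *  This work is based on the LSM implementation in Linux 2.6.13.4.
+ *
+ *  Author:  George Coker, <gscoker@alpha.ncsc.mil>
+ *
+ *  Contributors: Michael LeMay, <mdlemay@epoch.ncsc.mil>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2,
+ *  as published by the Free Software Foundation.
+ */
+
+#include <xen/init.h>
+#include <xen/errno.h>
+#include <xen/lib.h>
+
+#include <xsm/xsm.h>
+
+#ifdef XSM_ENABLE
+
+#define XSM_FRAMEWORK_VERSION    "1.0.0"
+
+extern struct xsm_operations dummy_xsm_ops;
+extern void xsm_fixup_ops(struct xsm_operations *ops);
+
+struct xsm_operations *xsm_ops;
+
+static inline int verify(struct xsm_operations *ops)
+{
+    /* verify the security_operations structure exists */
+    if ( !ops )
+        return -EINVAL;
+    xsm_fixup_ops(ops);
+    return 0;
+}
+
+static void __init do_xsm_initcalls(void)
+{
+    xsm_initcall_t *call;
+    call = __xsm_initcall_start;
+    while ( call < __xsm_initcall_end )
+    {
+        (*call) ();
+        call++;
+    }
+}
+
+int __init xsm_init(unsigned int *initrdidx, const multiboot_info_t *mbi,
+                    unsigned long initial_images_start)
+{
+    int ret = 0;
+
+    printk("XSM Framework v" XSM_FRAMEWORK_VERSION " initialized\n");
+
+    if ( XSM_MAGIC )
+    {
+        ret = xsm_policy_init(initrdidx, mbi, initial_images_start);
+        if ( ret )
+        {
+            printk("%s: Error initializing policy.\n", __FUNCTION__);
+            return -EINVAL;
+        }
+    }
+
+    if ( verify(&dummy_xsm_ops) )
+    {
+        printk("%s could not verify "
+               "dummy_xsm_ops structure.\n", __FUNCTION__);
+        return -EIO;
+    }
+
+    xsm_ops = &dummy_xsm_ops;
+    do_xsm_initcalls();
+
+    return 0;
+}
+
+int register_xsm(struct xsm_operations *ops)
+{
+    if ( verify(ops) )
+    {
+        printk("%s could not verify "
+               "security_operations structure.\n", __FUNCTION__);
+        return -EINVAL;
+    }
+
+    if ( xsm_ops != &dummy_xsm_ops )
+        return -EAGAIN;
+
+    xsm_ops = ops;
+
+    return 0;
+}
+
+
+int unregister_xsm(struct xsm_operations *ops)
+{
+    if ( ops != xsm_ops )
+    {
+        printk("%s: trying to unregister "
+               "a security_opts structure that is not "
+               "registered, failing.\n", __FUNCTION__);
+        return -EINVAL;
+    }
+
+    xsm_ops = &dummy_xsm_ops;
+
+    return 0;
+}
+
+#endif
+
+long do_xsm_op (XEN_GUEST_HANDLE(xsm_op_t) op)
+{
+    return __do_xsm_op(op);
+}
+
+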
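Review bot: `xsm_init` returns 0 with `xsm_ops` still pointing at `dummy_xsm_ops` when no module registers during `do_xsm_initcalls()`, so an XSM_ENABLE build can boot on hooks that all return 0 with nothing in the log to show it. `do_xsm_initcalls` discards whatever `(*call) ()` returns (the `xsm_initcall_t` typedef is outside this section, so a status return is an assumption), which makes a module whose init failed indistinguishable from one that was never linked. A line after the initcalls would make the state visible: `if ( xsm_ops == &dummy_xsm_ops ) printk("XSM: no security module registered, dummy hooks in use\n");`. `unregister_xsm` restores the same dummy table at run time and deserves a comment saying so. In `register_xsm`, `verify(ops)` rewrites the caller's table through `xsm_fixup_ops` before the `-EAGAIN` test, so doing the `xsm_ops != &dummy_xsm_ops` check first would avoid mutating a table that is then rejected.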
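--- /dev/null
+++ b/xen/xsm/xsm_policy.c
@@ -0,0 +1,67 @@
+/*
+ *  Copyright (C) 2005 IBM Corporation
+ *
+ *  Authors:
+ *  Reiner Sailer, <sailer@watson.ibm.com>
+ *  Stefan Berger, <stefanb@watson.ibm.com>
+ *
+ *  Contributors:
+ *  Michael LeMay, <mdlemay@epoch.ncsc.mil>
+ *  George Coker, <gscoker@alpha.ncsc.mil>
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2,
+ *  as published by the Free Software Foundation.
+ *
+ *
+ *  This file contains the XSM policy init functions for Xen.
+ *  This file is based on the ACM functions of the same name.
+ *
+ */
+
+#include <xsm/xsm.h>
+#include <xen/multiboot.h>
+
+char *policy_buffer = NULL;
+u32 policy_size = 0;
+
+int xsm_policy_init(unsigned int *initrdidx, const multiboot_info_t *mbi,
+                           unsigned long initial_images_start)
+{
+    int i;
+    module_t *mod = (module_t *)__va(mbi->mods_addr);
+    int rc = 0;
+    u32 *_policy_start;
+    unsigned long start, _policy_len;
+
+    /*
+     * Try all modules and see whichever could be the binary policy.
+     * Adjust the initrdidx if module[1] is the binary policy.
+     */
+    for ( i = mbi->mods_count-1; i >= 1; i-- )
+    {
+        start = initial_images_start + (mod[i].mod_start-mod[0].mod_start);
+#if defined(__i386__)
+        _policy_start = (u32 *)start;
+#elif defined(__x86_64__)
+        _policy_start = maddr_to_virt(start);
+#endif
+        _policy_len   = mod[i].mod_end - mod[i].mod_start;
+
+        if ( (xsm_magic_t)(*_policy_start) == XSM_MAGIC )
+        {
+            policy_buffer = (char *)_policy_start;
+            policy_size = _policy_len;
+
+            printk("Policy len  0x%lx, start at %p.\n",
+                   _policy_len,_policy_start);
+
+            if ( i == 1 )
+                *initrdidx = (mbi->mods_count > 2) ? 2 : 0;
+            break;
+
+        }
+    }
+
+    return rc;
+}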
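Review bot: `*_policy_start` is read before anything checks that the module is at least as long as the word being read, and on a build that is neither `__i386__` nor `__x86_64__` the `#if`/`#elif` leaves `_policy_start` unassigned before that read. A guard ahead of the magic comparison, `if ( _policy_len < sizeof(*_policy_start) ) continue;`, plus an `#else` branch with `#error`, would close both. `policy_size = _policy_len` also narrows `unsigned long` to `u32` without a range check. `rc` is never set to anything but 0, so the `if ( ret )` path in `xsm_init` cannot trigger and a boot with no policy module is reported as success. Since the magic word is the only test that selects the policy, whatever consumes `policy_buffer` (outside this section) has to validate the contents and length itself.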