tmem: add XSM hooks
authorDaniel De Graaf <dgdegra@tycho.nsa.gov>
Fri, 11 Jan 2013 10:46:43 +0000 (10:46 +0000)
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>
Fri, 11 Jan 2013 10:46:43 +0000 (10:46 +0000)
This adds a pair of XSM hooks for tmem operations: xsm_tmem_op which
controls any use of tmem, and xsm_tmem_control which allows use of the
TMEM_CONTROL operations. By default, all domains can use tmem while
only IS_PRIV domains can use control operations.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Committed-by: Keir Fraser <keir@xen.org>
tools/flask/policy/policy/modules/xen/xen.te
xen/common/tmem.c
xen/include/xen/tmem_xen.h
xen/include/xsm/dummy.h
xen/include/xsm/xsm.h
xen/xsm/dummy.c
xen/xsm/flask/hooks.c
xen/xsm/flask/policy/access_vectors

index 8c77e6b1f65155354ab5afbb7c056c734987afdb..c714dcb8e99d74bf4a8da08beddde442ef44f110 100644 (file)
@@ -56,7 +56,7 @@ type device_t, resource_type;
 ################################################################################
 allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
        scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo
-       microcode cpupool_op sched_op pm_op };
+       microcode cpupool_op sched_op pm_op tmem_control };
 allow dom0_t xen_t:mmu { memorymap };
 allow dom0_t security_t:security { check_context compute_av compute_create
        compute_member load_policy compute_relabel compute_user setenforce
@@ -74,6 +74,9 @@ domain_comms(dom0_t, dom0_t)
 
 auditallow dom0_t security_t:security { load_policy setenforce setbool };
 
+# Allow all domains to use (unprivileged parts of) the tmem hypercall
+allow domain_type xen_t:xen tmem_op;
+
 ###############################################################################
 #
 # Domain creation
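Review bot: The new rule grants `tmem_op` to the whole `domain_type` attribute, so under this example policy the check added to do_tmem_op never denies a labelled domain. That matches the default described in the commit message, but a site that wants to keep tmem away from some guests has to edit this base rule, and the comment does not say so. I would extend the comment with something like `# Narrow or remove this rule to deny tmem to specific domain types; tmem_control is granted separately to dom0_t above.`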
index 44e27721a2d41899cb4b933d3140685ac5ed1ab2..ca70e86ae9cd0b550cb86e0e0e9456eb09ee4b91 100644 (file)
@@ -2644,6 +2644,9 @@ EXPORT long do_tmem_op(tmem_cli_op_t uops)
     if ( !tmem_initialized )
         return -ENODEV;
 
+    if ( !tmh_current_permitted() )
+        return -EPERM;
+
     total_tmem_ops++;
 
     if ( tmh_lock_all )
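Review bot: The XSM hook's return value is lost on this path, because `tmh_current_permitted()` (added in xen/include/xen/tmem_xen.h by this commit) reduces it to a boolean and the caller then returns a fixed `-EPERM`. If the active security module returns a different errno on denial, the guest and anyone debugging policy will not see it; the same applies to `tmh_current_is_privileged()`. Propagating the code would be more consistent with a hook-based design, e.g. `rc = xsm_tmem_op(XSM_HOOK);` followed by `if ( rc ) return rc;`, assuming a suitable local exists. The check also runs after the `tmem_initialized` test, so a denied domain can still tell `-ENODEV` from `-EPERM`; moving it first would avoid that. do_tmem_op's body starts and continues outside the hunk.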
index 36a8d9f9ed62b47ba2bbc63458ee3feeea50c836..ad1ddd56058317defb1596ad12106384b256ff2b 100644 (file)
@@ -16,6 +16,7 @@
 #include <xen/guest_access.h> /* copy_from_guest */
 #include <xen/hash.h> /* hash_long */
 #include <xen/domain_page.h> /* __map_domain_page */
+#include <xsm/xsm.h> /* xsm_tmem_control */
 #include <public/tmem.h>
 #ifdef CONFIG_COMPAT
 #include <compat/tmem.h>
@@ -326,9 +327,14 @@ static inline bool_t tmh_set_client_from_id(
     return rc;
 }
 
+static inline bool_t tmh_current_permitted(void)
+{
+    return !xsm_tmem_op(XSM_HOOK);
+}
+
 static inline bool_t tmh_current_is_privileged(void)
 {
-    return IS_PRIV(current->domain);
+    return !xsm_tmem_control(XSM_PRIV);
 }
 
 static inline uint8_t tmh_get_first_byte(pfp_t *pfp)
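Review bot: `tmh_current_is_privileged()` changes from a pure predicate (`IS_PRIV(current->domain)`) into a call through the XSM layer, and neither helper carries a comment saying so. Under Flask the call reaches `domain_has_xen()` (see xen/xsm/flask/hooks.c in this commit), which presumably performs an access-vector check and may log a denial. A caller that uses this helper merely to branch, rather than to gate an attempted control operation, would then produce misleading audit records; the call sites are outside this hunk, so that needs checking. I would add a comment above each helper, e.g. `/* Returns non-zero if allowed. Performs an XSM check, which may audit on denial; call only when the operation is actually being attempted. */`. The trailing context line begins tmh_get_first_byte, which is unchanged.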
index 4f75674da8fcfc0b3a294a523396e384740c465d..2c750de4f5156a56f7a9f264638abd24314c2f69 100644 (file)
@@ -371,6 +371,18 @@ static XSM_INLINE int xsm_page_offline(XSM_DEFAULT_ARG uint32_t cmd)
     return xsm_default_action(action, current->domain, NULL);
 }
 
+static XSM_INLINE int xsm_tmem_op(XSM_DEFAULT_VOID)
+{
+    XSM_ASSERT_ACTION(XSM_HOOK);
+    return xsm_default_action(action, current->domain, NULL);
+}
+
+static XSM_INLINE int xsm_tmem_control(XSM_DEFAULT_VOID)
+{
+    XSM_ASSERT_ACTION(XSM_PRIV);
+    return xsm_default_action(action, current->domain, NULL);
+}
+
 static XSM_INLINE long xsm_do_xsm_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {
     return -ENOSYS;
index 17b08996c90b623c7d778f0609ad4e2296908d56..ce5ede8fac568767aa365d5a6b67a5ebd8419383 100644 (file)
@@ -119,6 +119,8 @@ struct xsm_operations {
     int (*resource_setup_misc) (void);
 
     int (*page_offline)(uint32_t cmd);
+    int (*tmem_op)(void);
+    int (*tmem_control)(void);
 
     long (*do_xsm_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
 
@@ -441,6 +443,16 @@ static inline int xsm_page_offline(xsm_default_t def, uint32_t cmd)
     return xsm_ops->page_offline(cmd);
 }
 
+static inline int xsm_tmem_op(xsm_default_t def)
+{
+    return xsm_ops->tmem_op();
+}
+
+static inline int xsm_tmem_control(xsm_default_t def)
+{
+    return xsm_ops->tmem_control();
+}
+
 static inline long xsm_do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {
     return xsm_ops->do_xsm_op(op);
index e254251d15df78bf288d6882b7d2295128df5015..22c66e534bf85a4f4646b644695b9377a9414c4e 100644 (file)
@@ -94,6 +94,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
     set_to_dummy_if_null(ops, resource_setup_misc);
 
     set_to_dummy_if_null(ops, page_offline);
+    set_to_dummy_if_null(ops, tmem_op);
+    set_to_dummy_if_null(ops, tmem_control);
 
     set_to_dummy_if_null(ops, do_xsm_op);
 
index f7309fd760b5b408b96fe318b788cf43c83f67f6..222ab3e65100ebc13c27fc388aa7ebdeec2b3458 100644 (file)
@@ -1017,6 +1017,16 @@ static inline int flask_page_offline(uint32_t cmd)
     }
 }
 
+static inline int flask_tmem_op(void)
+{
+    return domain_has_xen(current->domain, XEN__TMEM_OP);
+}
+
+static inline int flask_tmem_control(void)
+{
+    return domain_has_xen(current->domain, XEN__TMEM_CONTROL);
+}
+
 #ifdef CONFIG_X86
 static int flask_shadow_control(struct domain *d, uint32_t op)
 {
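Review bot: Both new Flask hooks check only the calling domain against the `xen` class, so policy cannot express which client domain a control operation acts on. The tmem header context in this commit shows `tmh_set_client_from_id`, which suggests control operations can address other clients; if so, any domain granted `tmem_control` is trusted over every client's pools. I would document that above `flask_tmem_control`, e.g. `/* No target domain is checked: tmem_control is an all-or-nothing permission over every tmem client. */`, and consider passing the target domain to the hook in a follow-up. The hunk ends inside flask_shadow_control, which is unchanged.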
@@ -1456,6 +1466,8 @@ static struct xsm_operations flask_ops = {
     .resource_setup_misc = flask_resource_setup_misc,
 
     .page_offline = flask_page_offline,
+    .tmem_op = flask_tmem_op,
+    .tmem_control = flask_tmem_control,
 
     .do_xsm_op = do_flask_op,
 
index caf65d2d89e8b0113e711f4ca4d15ce3a9b413b0..7a7e253a93cb5780b0b17ba9c6f7f38a8de743b3 100644 (file)
@@ -35,6 +35,8 @@ class xen
        lockprof
        cpupool_op
        sched_op
+       tmem_op
+       tmem_control
 }
 
 class domain