From: Ian Campbell Date: Wed, 16 Dec 2015 16:49:17 +0000 (+0000) Subject: tools/libs/*: Introduce APIs to restrict handles to a specific domain. X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=20cb51c39dccdbc23ba075030d7bb635e2883ece;p=people%2Fliuw%2Flibxenctrl-split%2Fxen.git tools/libs/*: Introduce APIs to restrict handles to a specific domain. These are intended to allow user space processes (in particular QEMU) to lock down all the handles at start of day and then drop the privileges which would allow them to open any new unrestricted handles (e.g. setuid or similar). This will reduce the privileges which taking over such a process would gain an attacker wrt other domains in the system. These are currently unimplemented on all platforms, however the API semantics are defined as the basis for discussion, and so that consumers can rely on this interface always having been present rather than requiring compile time API checks. It is expected that these will be implemented by adding new ioctl calls on the underlying driver and that the restrictions will be enforced at the kernel interface layer (most likely by the kernel itself). For evtchn, foreignmemory, gnttab and gntshr this is hopefully reasonably straightforward. For call it is not so clear cut. Clearly the kernel cannot enforce these restrictions for hypercalls which are not stable (domctl et al) so they can never be on the whitelist. It may also be that potential users would like to restrict the handle further than just a given target domain, i.e. to a specific set of functionality (e.g. "things a device model might reasonably do"). I think we will also need some way to discover whether a given set of interfaces is available to a restricted handle, in order to support the addition of new functionality. Notes: - On many (all?) platforms libxencall and libxenforeignmemory are implemented by the same underlying privcmd driver. The platform level ioctl interface should support restricting the handle to only one or the other. - On platforms with multiple privilege mapping ioctl variants should consider only allowing the newest/currently preferred one on a restricted handle. e.g. on Linux this would allow IOCTL_PRIVCMD_MMAPBATCH_V2 but not IOCTL_PRIVCMD_MMAPBATCH. (Of course any subsequently introduced _V3 would be subject to compatibility concerns) Signed-off-by: Ian Campbell --- v8: New This applies on top of the Xen portion of "Begin to disentangle libxenctrl and provide some stable libraries", v7, plus a couple of minor fixes which will be in v8. All of this can be found in the "vwip" branch of the tree referenced by that series at git://xenbits.xen.org/people/ianc/libxenctrl-split/xen.git. --- diff --git a/tools/libs/call/core.c b/tools/libs/call/core.c index 5ca037237f..00abac6c91 100644 --- a/tools/libs/call/core.c +++ b/tools/libs/call/core.c @@ -14,6 +14,7 @@ */ #include +#include #include "private.h" @@ -72,6 +73,12 @@ int xencall_close(xencall_handle *xcall) return rc; } +int xencall_restrict_target(xencall_handle *xcall, uint32_t domid) +{ + errno = ENOSYS; + return -1; +} + int xencall0(xencall_handle *xcall, unsigned int op) { privcmd_hypercall_t call = { diff --git a/tools/libs/call/include/xencall.h b/tools/libs/call/include/xencall.h index bafacdd2ba..db849ef176 100644 --- a/tools/libs/call/include/xencall.h +++ b/tools/libs/call/include/xencall.h @@ -73,6 +73,40 @@ xencall_handle *xencall_open(struct xentoollog_logger *logger, */ int xencall_close(xencall_handle *xcall); +/* + * Attempt to restrict the given xcall handle to only be able to + * target the given domain. + * + * On success returns 0, after which only hypercalls which are on a + * platform specific whitelist can be called and the arguments will be + * audited by the platform to ensure that the target domain is + * domid. + * + * Subsequent attempts to call any hypercall not on the platform + * specific whitelist will return -1 setting errno to ENOSYS. + * + * Subsequent attempts to call any hypercall on the platform specific + * whitelist with any other target domain return -1 setting errno to + * EPERM. + * + * These restrictions will be implemented by the platform in a way + * which cannot be circumvented by a userspace process. Further + * privilege drops (such as using setuid(2) etc) may also be required + * to prevent a compromised process from simply opening a second + * handle + * + * XXX which hypercalls are restricted, per platform list, do we need + * a way to probe? Do we want to be able to restrict to particular + * subsets of whitelisted hypercalls? + * + * On failure returns -1 and sets errno: + * ENOSYS: The platform is not able to support restricting the + * target domain. + * Other: The platform should be able to support restricting the + * target domain, but was unable to do so. + */ +int xencall_restrict_target(xencall_handle *xcall, uint32_t domid); + /* * Call hypercalls with varying numbers of arguments. * diff --git a/tools/libs/call/libxencall.map b/tools/libs/call/libxencall.map index 2f96144f40..d39f88e0b7 100644 --- a/tools/libs/call/libxencall.map +++ b/tools/libs/call/libxencall.map @@ -3,6 +3,8 @@ VERS_1.0 { xencall_open; xencall_close; + xencall_restrict_target; + xencall0; xencall1; xencall2; diff --git a/tools/libs/evtchn/core.c b/tools/libs/evtchn/core.c index c31e08ce3d..5f68f52c65 100644 --- a/tools/libs/evtchn/core.c +++ b/tools/libs/evtchn/core.c @@ -15,6 +15,7 @@ #include #include +#include #include "private.h" @@ -61,6 +62,12 @@ int xenevtchn_close(xenevtchn_handle *xce) return rc; } +int xenevtchn_restrict_target(xenevtchn_handle *xce, uint32_t domid) +{ + errno = ENOSYS; + return -1; +} + /* * Local variables: * mode: C diff --git a/tools/libs/evtchn/include/xenevtchn.h b/tools/libs/evtchn/include/xenevtchn.h index 93b80cb119..82d1ba10d8 100644 --- a/tools/libs/evtchn/include/xenevtchn.h +++ b/tools/libs/evtchn/include/xenevtchn.h @@ -74,6 +74,42 @@ xenevtchn_handle *xenevtchn_open(struct xentoollog_logger *logger, */ int xenevtchn_close(xenevtchn_handle *xce); +/* + * Attempt to restrict the given evtchn handle to only operate on the + * given domain. + * + * On success returns 0, after which: + * + * - Any operations which take a peer domain as an argument can only + * be called with the specified target domain. Subsequent attempts + * to call any such interface with another domain will return -1 + * setting errno to EPERM. + * + * - Any operations which take an evtchn_port_t are not restricted + * other than by the requirement to have previously bound that + * evtchn to the handle. Therefore users of the restrict interface + * should take care not to bind any event channels relating to other + * domains prior to enforcing the restriction. The restrictions on + * xenevtchn_bind_*() (which take a domain id, see previous point) + * suffice to prevent any new such bindings being created. + * + * - xenevtchn_bind_virq is not permitted and will return -1 setting + * errno to EPERM. + * + * These restrictions will be implemented by the platform in a way + * which cannot be circumvented by a userspace process. Further + * privilege drops (such as using setuid(2) etc) may also be required + * to prevent a compromised process from simply opening a second + * handle + * + * On failure returns -1 and sets errno: + * ENOSYS: The platform is not able to support restricting the + * target domain. + * Other: The platform should be able to support restricting the + * target domain, but was unable to do so. + */ +int xenevtchn_restrict_target(xenevtchn_handle *xce, uint32_t domid); + /* * Return an fd that can be select()ed on. * diff --git a/tools/libs/evtchn/libxenevtchn.map b/tools/libs/evtchn/libxenevtchn.map index 625a1e2b82..08e9dd51e1 100644 --- a/tools/libs/evtchn/libxenevtchn.map +++ b/tools/libs/evtchn/libxenevtchn.map @@ -3,6 +3,8 @@ VERS_1.0 { xenevtchn_open; xenevtchn_close; + xenevtchn_restrict_target; + xenevtchn_fd; xenevtchn_bind_unbound_port; diff --git a/tools/libs/foreignmemory/core.c b/tools/libs/foreignmemory/core.c index a872b9555d..657034b99d 100644 --- a/tools/libs/foreignmemory/core.c +++ b/tools/libs/foreignmemory/core.c @@ -63,6 +63,13 @@ int xenforeignmemory_close(xenforeignmemory_handle *fmem) return rc; } +int xenforeignmemory_restrict_target(xenforeignmemory_handle *fmem, + uint32_t domid) +{ + errno = ENOSYS; + return -1; +} + void *xenforeignmemory_map(xenforeignmemory_handle *fmem, uint32_t dom, int prot, size_t num, diff --git a/tools/libs/foreignmemory/include/xenforeignmemory.h b/tools/libs/foreignmemory/include/xenforeignmemory.h index 92b9277b75..ad6463eae5 100644 --- a/tools/libs/foreignmemory/include/xenforeignmemory.h +++ b/tools/libs/foreignmemory/include/xenforeignmemory.h @@ -73,6 +73,28 @@ xenforeignmemory_handle *xenforeignmemory_open(struct xentoollog_logger *logger, */ int xenforeignmemory_close(xenforeignmemory_handle *fmem); +/* + * Attempt to restrict the given handle to only target the given + * domain. + * + * On success returns 0, after which calls to xenforeignmemory_map + * which pass a domain other than the given domain will return -1 + * setting errno to EPERM. + * + * This restriction will be implemented by the platform in a way which + * cannot be circumvented by a userspace process. Further privilege + * drops (such as using setuid(2) etc) may also be required to prevent + * a compromised process from simply opening a second handle + * + * On failure returns -1 and sets errno: + * ENOSYS: The platform is not able to support restricting the + * target domain. + * Other: The platform should be able to support restricting the + * target domain, but was unable to do so. + */ +int xenforeignmemory_restrict_target(xenforeignmemory_handle *fmem, + uint32_t domid); + /* * Maps a range within one domain to a local address range. Mappings * must be unmapped with xenforeignmemory_unmap and should follow the diff --git a/tools/libs/foreignmemory/libxenforeignmemory.map b/tools/libs/foreignmemory/libxenforeignmemory.map index df206b3cfb..dc1e0a1aff 100644 --- a/tools/libs/foreignmemory/libxenforeignmemory.map +++ b/tools/libs/foreignmemory/libxenforeignmemory.map @@ -2,6 +2,9 @@ VERS_1.0 { global: xenforeignmemory_open; xenforeignmemory_close; + + xenforeignmemory_restrict_target; + xenforeignmemory_map; xenforeignmemory_unmap; local: *; /* Do not expose anything by default */ diff --git a/tools/libs/gnttab/gntshr_core.c b/tools/libs/gnttab/gntshr_core.c index 7f6bf9de6a..0347a165f1 100644 --- a/tools/libs/gnttab/gntshr_core.c +++ b/tools/libs/gnttab/gntshr_core.c @@ -19,6 +19,7 @@ */ #include +#include #include "private.h" @@ -64,6 +65,13 @@ int xengntshr_close(xengntshr_handle *xgs) free(xgs); return rc; } + +int xengntshr_restrict_target(xengntshr_handle *xgs, uint32_t domid) +{ + errno = ENOSYS; + return -1; +} + void *xengntshr_share_pages(xengntshr_handle *xcg, uint32_t domid, int count, uint32_t *refs, int writable) { diff --git a/tools/libs/gnttab/gnttab_core.c b/tools/libs/gnttab/gnttab_core.c index 5d0474ddf9..77ce167056 100644 --- a/tools/libs/gnttab/gnttab_core.c +++ b/tools/libs/gnttab/gnttab_core.c @@ -19,6 +19,7 @@ */ #include +#include #include "private.h" @@ -65,6 +66,12 @@ int xengnttab_close(xengnttab_handle *xgt) return rc; } +int xengnttab_restrict_target(xengnttab_handle *xgt, uint32_t domid) +{ + errno = ENOSYS; + return -1; +} + int xengnttab_set_max_grants(xengnttab_handle *xgt, uint32_t count) { return osdep_gnttab_set_max_grants(xgt, count); diff --git a/tools/libs/gnttab/include/xengnttab.h b/tools/libs/gnttab/include/xengnttab.h index 0431dcf45d..0d3fedfc36 100644 --- a/tools/libs/gnttab/include/xengnttab.h +++ b/tools/libs/gnttab/include/xengnttab.h @@ -149,6 +149,33 @@ xengnttab_handle *xengnttab_open(struct xentoollog_logger *logger, */ int xengnttab_close(xengnttab_handle *xgt); +/* + * Attempt to restrict the given handle to only target the given + * domain. + * + * On success returns 0, after which: + * + * - Calls to xengnttab_map_*() which are passed a domain other than + * the given domain (either as an argument or as any member of a + * domid array argument, regardless of the validity of other members + * of the array) will return -1 setting errno to EPERM. + * + * - Calls to xengnttab_set_max_grants() will return -1 having set + * errno to EPERM. + * + * This restriction will be implemented by the platform in a way which + * cannot be circumvented by a userspace process. Further privilege + * drops (such as using setuid(2) etc) may also be required to prevent + * a compromised process from simply opening a second handle + * + * On failure returns -1 and sets errno: + * ENOSYS: The platform is not able to support restricting the + * target domain. + * Other: The platform should be able to support restricting the + * target domain, but was unable to do so. + */ +int xengnttab_restrict_target(xengnttab_handle *xgt, uint32_t domid); + /** * Memory maps a grant reference from one domain to a local address range. * Mappings should be unmapped with xengnttab_unmap. Logs errors. @@ -306,6 +333,31 @@ xengntshr_handle *xengntshr_open(struct xentoollog_logger *logger, */ int xengntshr_close(xengntshr_handle *xgs); +/* + * Attempt to restrict the given handle to only target the given + * domain. + * + * On success returns 0, after which: + * + * - Calls to xengntshr_share_*() which are passed a domain other than + * the given domain will return -1 setting errno to EPERM. + * + * - Calls to xengnttab_set_max_grants() will return -1 having set + * errno to EPERM. + * + * This restriction will be implemented by the platform in a way which + * cannot be circumvented by a userspace process. Further privilege + * drops (such as using setuid(2) etc) may also be required to prevent + * a compromised process from simply opening a second handle + * + * On failure returns -1 and sets errno: + * ENOSYS: The platform is not able to support restricting the + * target domain. + * Other: The platform should be able to support restricting the + * target domain, but was unable to do so. + */ +int xengntshr_restrict_target(xengntshr_handle *xgs, uint32_t domid); + /** * Allocates and shares pages with another domain. * diff --git a/tools/libs/gnttab/libxengnttab.map b/tools/libs/gnttab/libxengnttab.map index dc737acc0c..8421723cd6 100644 --- a/tools/libs/gnttab/libxengnttab.map +++ b/tools/libs/gnttab/libxengnttab.map @@ -3,6 +3,8 @@ VERS_1.0 { xengnttab_open; xengnttab_close; + xengnttab_restrict_target; + xengnttab_set_max_grants; xengnttab_map_domain_grant_refs; @@ -15,6 +17,8 @@ VERS_1.0 { xengntshr_open; xengntshr_close; + xengntshr_restrict_target; + xengntshr_share_page_notify; xengntshr_share_pages;