From: Jason Andryuk
To: xen-devel@lists.xenproject.org, hx242@xen.org
Cc: dpsmith@apertussolutions.com, Jason Andryuk, Andrew Cooper, Jan Beulich, Daniel De Graaf
Subject: [RFC PATCH] xsm: Re-work domain_create and domain_alloc_security
Date: Mon, 26 Oct 2020 09:46:51 -0400
Message-Id: <20201026134651.8162-1-jandryuk@gmail.com>

Untested!

This only really matters for flask, but all of xsm is updated.

flask_domain_create() and flask_domain_alloc_security() are a strange pair. flask_domain_create() serves double duty. It both assigns sid and self_sid values and checks if the calling domain has permission to create the target domain. It also has special casing for handling dom0. Meanwhile flask_domain_alloc_security() assigns some special sids, but waits for others to be assigned in flask_domain_create. This split seems to have come about so that the structures are allocated before calling flask_domain_create(). It also means flask_domain_create is called in the middle of domain_create.

Re-arrange the two calls. Let flask_domain_create just check if current has permission to create ssidref. Then it can be moved out to do_domctl and gate entry into domain_create. This avoids doing partial domain creation before the permission check.

Have flask_domain_alloc_security() take a ssidref argument. The ssidref was already permission checked earlier, so it can just be assigned. Then the self_sid can be calculated here as well rather than in flask_domain_create().

The dom0 special casing is moved into flask_domain_alloc_security(). Maybe this should be just a fall-through for the dom0 already created case. This code may not be needed any longer.
Signed-off-by: Jason Andryuk --- xen/common/domain.c | 6 ++---- xen/common/domctl.c | 4 ++++ xen/include/xsm/dummy.h | 6 +++--- xen/include/xsm/xsm.h | 12 +++++------ xen/xsm/flask/hooks.c | 48 ++++++++++++++++------------------------- 5 files changed, 34 insertions(+), 42 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index f748806a45..6b1f5ed59d 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -407,7 +407,8 @@ struct domain *domain_create(domid_t domid, =20 lock_profile_register_struct(LOCKPROF_TYPE_PERDOM, d, domid); =20 - if ( (err =3D xsm_alloc_security_domain(d)) !=3D 0 ) + if ( (err =3D xsm_alloc_security_domain(d, config ? config->ssidref : + 0)) !=3D 0 ) goto fail; =20 atomic_set(&d->refcnt, 1); @@ -470,9 +471,6 @@ struct domain *domain_create(domid_t domid, if ( !d->iomem_caps || !d->irq_caps ) goto fail; =20 - if ( (err =3D xsm_domain_create(XSM_HOOK, d, config->ssidref)) != =3D 0 ) - goto fail; - d->controller_pause_count =3D 1; atomic_inc(&d->pause_count); =20 diff --git a/xen/common/domctl.c b/xen/common/domctl.c index af044e2eda..ffdc1a41cd 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -406,6 +406,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_= domctl) domid_t dom; static domid_t rover =3D 0; =20 + ret =3D xsm_domain_create(XSM_HOOK, op->u.createdomain.ssidref); + if (ret) + break; + dom =3D op->domain; if ( (dom > 0) && (dom < DOMID_FIRST_RESERVED) ) { diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 7ae3c40eb5..29c4ca9951 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h 
@@ -104,10 +104,10 @@ static XSM_INLINE void xsm_security_domaininfo(struct= domain *d, return; } =20 -static XSM_INLINE int xsm_domain_create(XSM_DEFAULT_ARG struct domain *d, = u32 ssidref) +static XSM_INLINE int xsm_domain_create(XSM_DEFAULT_ARG u32 ssidref) { XSM_ASSERT_ACTION(XSM_HOOK); - return xsm_default_action(action, current->domain, d); + return xsm_default_action(action, current->domain, NULL); } =20 static XSM_INLINE int xsm_getdomaininfo(XSM_DEFAULT_ARG struct domain *d) @@ -163,7 +163,7 @@ static XSM_INLINE int xsm_readconsole(XSM_DEFAULT_ARG u= int32_t clear) return xsm_default_action(action, current->domain, NULL); } =20 -static XSM_INLINE int xsm_alloc_security_domain(struct domain *d) +static XSM_INLINE int xsm_alloc_security_domain(struct domain *d, uint32_t= ssidref) { return 0; } diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 358ec13ba8..c1d2ef5832 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -46,7 +46,7 @@ typedef enum xsm_default xsm_default_t; struct xsm_operations { void (*security_domaininfo) (struct domain *d, struct xen_domctl_getdomaininfo *i= nfo); - int (*domain_create) (struct domain *d, u32 ssidref); + int (*domain_create) (u32 ssidref); int (*getdomaininfo) (struct domain *d); int (*domctl_scheduler_op) (struct domain *d, int op); int (*sysctl_scheduler_op) (int op); @@ -71,7 +71,7 @@ struct xsm_operations { int (*grant_copy) (struct domain *d1, struct domain *d2); int (*grant_query_size) (struct domain *d1, struct domain *d2); =20 - int (*alloc_security_domain) (struct domain *d); + int (*alloc_security_domain) (struct domain *d, uint32_t ssidref); void (*free_security_domain) (struct domain *d); int (*alloc_security_evtchn) (struct evtchn *chn); void (*free_security_evtchn) (struct evtchn *chn); 
@@ -202,9 +202,9 @@ static inline void xsm_security_domaininfo (struct doma= in *d, xsm_ops->security_domaininfo(d, info); } =20 -static inline int xsm_domain_create (xsm_default_t def, struct domain *d, = u32 ssidref) +static inline int xsm_domain_create (xsm_default_t def, u32 ssidref) { - return xsm_ops->domain_create(d, ssidref); + return xsm_ops->domain_create(ssidref); } =20 static inline int xsm_getdomaininfo (xsm_default_t def, struct domain *d) @@ -305,9 +305,9 @@ static inline int xsm_grant_query_size (xsm_default_t d= ef, struct domain *d1, st return xsm_ops->grant_query_size(d1, d2); } =20 -static inline int xsm_alloc_security_domain (struct domain *d) +static inline int xsm_alloc_security_domain (struct domain *d, uint32_t ss= idref) { - return xsm_ops->alloc_security_domain(d); + return xsm_ops->alloc_security_domain(d, ssidref); } =20 static inline void xsm_free_security_domain (struct domain *d) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index de050cc9fe..719fe90f22 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -156,9 +156,11 @@ static int avc_unknown_permission(const char *name, in= t id) return rc; } =20 -static int flask_domain_alloc_security(struct domain *d) +static int flask_domain_alloc_security(struct domain *d, u32 ssidref) { struct domain_security_struct *dsec; + static int dom0_created =3D 0; + int rc; =20 dsec =3D xzalloc(struct domain_security_struct); if ( !dsec ) 
@@ -175,14 +177,24 @@ static int flask_domain_alloc_security(struct domain = *d) case DOMID_IO: dsec->sid =3D SECINITSID_DOMIO; break; + case 0: + if ( !dom0_created ) { + dsec->sid =3D SECINITSID_DOM0; + dom0_created =3D 1; + } else { + dsec->sid =3D SECINITSID_UNLABELED; + } + break; default: - dsec->sid =3D SECINITSID_UNLABELED; + dsec->sid =3D ssidref; } =20 dsec->self_sid =3D dsec->sid; - d->ssid =3D dsec; =20 - return 0; + rc =3D security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN, + &dsec->self_sid); + + return rc; } =20 static void flask_domain_free_security(struct domain *d) @@ -507,32 +519,10 @@ static void flask_security_domaininfo(struct domain *= d, info->ssidref =3D domain_sid(d); } =20 -static int flask_domain_create(struct domain *d, u32 ssidref) +static int flask_domain_create(u32 ssidref) { - int rc; - struct domain_security_struct *dsec =3D d->ssid; - static int dom0_created =3D 0; - - if ( is_idle_domain(current->domain) && !dom0_created ) - { - dsec->sid =3D SECINITSID_DOM0; - dom0_created =3D 1; - } - else - { - rc =3D avc_current_has_perm(ssidref, SECCLASS_DOMAIN, - DOMAIN__CREATE, NULL); - if ( rc ) - return rc; - - dsec->sid =3D ssidref; - } - dsec->self_sid =3D dsec->sid; - - rc =3D security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN, - &dsec->self_sid); - - return rc; + return avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, + NULL); } =20 static int flask_getdomaininfo(struct domain *d) --=20 2.26.2
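Review bot: in the first domain.c hunk, `config ? config->ssidref : 0` hands ssidref 0 to the hook for every caller that creates a domain without a config, and in the hooks.c `default:` branch that value is stored straight into `dsec->sid`, where the old code used SECINITSID_UNLABELED. Unless every NULL-config caller is covered by an explicit case in that switch (DOMID_IO and the other system domain ids), such a domain is labelled with sid 0 instead of the unlabeled SID. Either keep `SECINITSID_UNLABELED` as the fallback when `ssidref` is 0, or say in the commit message why 0 is acceptable on that path.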
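Review bot: in the domctl.c hunk, `if (ret)` should follow the file's spacing style, `if ( ret )`, as the surrounding `if ( (dom > 0) && (dom < DOMID_FIRST_RESERVED) )` does. Running the hook before the domid selection is the right order, since a refusal returns `ret` via `break` before any state is touched. Because this is now the only caller of xsm_domain_create, and the simplified flask_domain_create in hooks.c drops the old `is_idle_domain(current->domain)` exemption, the commit message should state explicitly that domain_create callers outside do_domctl (dom0 construction at boot) no longer pass through the create-permission hook and rely solely on the `case 0:` labelling in flask_domain_alloc_security.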
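Review bot: across the dummy.h and xsm.h hunks the new parameter is spelled `u32 ssidref` on domain_create but `uint32_t ssidref` on alloc_security_domain, and the flask hook in hooks.c declares `u32 ssidref` again; pick one spelling for the whole series so the prototypes, the xsm_operations members and the flask implementations read identically. The dummy `xsm_alloc_security_domain(struct domain *d, uint32_t ssidref)` ignores its new argument, which is correct for the dummy module but deserves a one-line comment saying so.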
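Review bot: the flask_domain_alloc_security hunk removes `d->ssid = dsec;` and nothing re-adds it, so the freshly allocated dsec is never attached to the domain: domain_sid(d) and flask_domain_free_security() will find a NULL d->ssid, and the allocation leaks on every call. Reinstate the assignment, preferably before the `security_transition_sid()` call so that the `goto fail` path in domain_create can release it through xsm_free_security_domain() when the transition fails; otherwise an explicit `xfree(dsec)` is needed on the error return. Three smaller points in the same hunk: `if ( !dom0_created ) {` and `} else {` put braces on the line of the condition, whereas the removed flask_domain_create body shows the file's brace-on-its-own-line style; `rc = security_transition_sid(...); return rc;` can simply `return security_transition_sid(...)`, which also removes the need for the `int rc;` added in the earlier hunk; and keying the dom0 special case on `case 0:` (the domain id) rather than on the caller being the idle domain, as the removed `is_idle_domain(current->domain) && !dom0_created` check did, silently discards whatever `ssidref` the dom0 builder passed. The `else` branch that labels a second domain 0 SECINITSID_UNLABELED is what the commit message already calls possibly unneeded; if it is kept, a comment should say when it can be reached.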