x86/hvm: convert access check for nested HVM to XSM

This adds an XSM hook for enabling nested HVM support, replacing an
IS_PRIV check.  This hook is a partial duplicate with the xsm_hvm_param
hook, but using the existing hook would require adding the index to the
hook and would require the use of a custom hook for the xsm-disabled
case (using XSM_OTHER, which is less immediately readable) - whereas
adding a new hook retains the clarity of the existing code.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (release perspective)

diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 18647c9327888add21e84685288b8f725383606a..3a59f385671d349e96f572a97f0a6dac565fb1ee 100644 (file)
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -54,7 +54,8 @@ define(`create_domain_common', `
        allow $1 $2:shadow enable;
        allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
        allow $1 $2:grant setup;
-       allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc setparam pcilevel trackdirtyvram };
+       allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
+                       setparam pcilevel trackdirtyvram nested };
 ')
 
 # create_domain(priv, target)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 38e87ce3af14c3e1469b218c23f8ad9e4f698677..8522963cb06be75c7788ab396eab694ab3ceca46 100644 (file)
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3909,11 +3909,9 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
                     rc = -EINVAL;
                 break;
             case HVM_PARAM_NESTEDHVM:
-                if ( !IS_PRIV(current->domain) )
-                {
-                    rc = -EPERM;
+                rc = xsm_hvm_param_nested(XSM_PRIV, d);
+                if ( rc )
                     break;
-                }
                 if ( a.value > 1 )
                     rc = -EINVAL;
                 /* Remove the check below once we have

diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 025936a5a1f9649a7431ad1c3b2e32e39b0e2348..191e493b436cd4d7a87e49bf0c774a3665b1361a 100644 (file)
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -473,6 +473,12 @@ static XSM_INLINE int xsm_hvm_param(XSM_DEFAULT_ARG struct domain *d, unsigned l
     return xsm_default_action(action, current->domain, d);
 }
 
+static XSM_INLINE int xsm_hvm_param_nested(XSM_DEFAULT_ARG struct domain *d)
+{
+    XSM_ASSERT_ACTION(XSM_PRIV);
+    return xsm_default_action(action, current->domain, d);
+}
+
 #ifdef CONFIG_X86
 static XSM_INLINE int xsm_shadow_control(XSM_DEFAULT_ARG struct domain *d, uint32_t op)
 {

diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index cba744ce1acb4a2252df5855ae0de23e069613e0..fdc7a650d686c274b01c7216076de15c97342fbe 100644 (file)
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -130,6 +130,7 @@ struct xsm_operations {
     long (*do_xsm_op) (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op);
 
     int (*hvm_param) (struct domain *d, unsigned long op);
+    int (*hvm_param_nested) (struct domain *d);
 
 #ifdef CONFIG_X86
     int (*shadow_control) (struct domain *d, uint32_t op);
@@ -493,6 +494,11 @@ static inline int xsm_hvm_param (xsm_default_t def, struct domain *d, unsigned l
     return xsm_ops->hvm_param(d, op);
 }
 
+static inline int xsm_hvm_param_nested (xsm_default_t def, struct domain *d)
+{
+    return xsm_ops->hvm_param_nested(d);
+}
+
 #ifdef CONFIG_X86
 static inline int xsm_shadow_control (xsm_default_t def, struct domain *d, uint32_t op)
 {

diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 6f1e0b4860a5c3635a5150e7a73bef1347815d3e..21aef2add916f4b9725deb756359fa39b983ba22 100644 (file)
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -101,6 +101,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
     set_to_dummy_if_null(ops, tmem_op);
     set_to_dummy_if_null(ops, tmem_control);
     set_to_dummy_if_null(ops, hvm_param);
+    set_to_dummy_if_null(ops, hvm_param_nested);
 
     set_to_dummy_if_null(ops, do_xsm_op);
 

diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 247c8a393b235326e0a4c36f9efb03699282be60..23c523386ba2229b7bebf1f52332311921ab3d0d 100644 (file)
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1092,6 +1092,11 @@ static int flask_hvm_param(struct domain *d, unsigned long op)
     return current_has_perm(d, SECCLASS_HVM, perm);
 }
 
+static int flask_hvm_param_nested(struct domain *d)
+{
+    return current_has_perm(d, SECCLASS_HVM, HVM__NESTED);
+}
+
 #ifdef CONFIG_X86
 static int flask_shadow_control(struct domain *d, uint32_t op)
 {
@@ -1506,6 +1511,7 @@ static struct xsm_operations flask_ops = {
     .tmem_op = flask_tmem_op,
     .tmem_control = flask_tmem_control,
     .hvm_param = flask_hvm_param,
+    .hvm_param_nested = flask_hvm_param_nested,
 
     .do_xsm_op = do_flask_op,
 

diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index fdfc50245a500c12e6f68e36145c9583574bdf7a..36b8b2c271160fcd669f7440572c8bd39cfe8b17 100644 (file)
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -234,6 +234,8 @@ class hvm
 #  source = domain whose memory is being shared
 #  target = client domain
     share_mem
+# HVMOP_set_param setting HVM_PARAM_NESTEDHVM
+    nested
 }
 
 # Class event describes event channels.  Interdomain event channels have their