From patchwork Tue Mar 22 20:39:30 2016
X-Patchwork-Submitter: Konrad Rzeszutek Wilk
X-Patchwork-Id: 8645201
Date: Tue, 22 Mar 2016 16:39:30 -0400
From: Konrad Rzeszutek Wilk
To: Andrew Cooper
Cc: Wei Liu, Stefano Stabellini, Ian Jackson, mpohlack@amazon.de, ross.lagerwall@citrix.com, Julien Grall, Stefano Stabellini, Jan Beulich, xen-devel@lists.xenproject.org, Daniel De Graaf, Keir Fraser, sasha.levin@oracle.com
Subject: Re: [Xen-devel] [PATCH v4 04/34] HYPERCALL_version_op. New hypercall mirroring XENVER_ but sane.
Message-ID: <20160322203930.GA30388@char.us.oracle.com>
In-Reply-To: <56F19CF9.7020007@citrix.com>

On Tue, Mar 22, 2016 at 07:28:57PM +0000, Andrew Cooper wrote:
> On 22/03/16 18:57, Konrad Rzeszutek Wilk wrote:
> >>>>> --- a/xen/include/xsm/dummy.h > >>>>> +++ b/xen/include/xsm/dummy.h 
> >>>>> @@ -751,3 +751,22 @@ static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op) > >>>>> return xsm_default_action(XSM_PRIV, current->domain, NULL); > >>>>> } > >>>>> } > >>>>> + > >>>>> +static XSM_INLINE int xsm_version_op (XSM_DEFAULT_ARG uint32_t op) > >>>>> +{ > >>>>> + XSM_ASSERT_ACTION(XSM_OTHER); > >>>>> + switch ( op ) > >>>>> + { > >>>>> + case XEN_VERSION_version: > >>>>> + case XEN_VERSION_extraversion: > >>>>> + case XEN_VERSION_capabilities: > >>>>> + case XEN_VERSION_platform_parameters: > >>>>> + case XEN_VERSION_get_features: > >>>>> + case XEN_VERSION_pagesize: > >>>>> + case XEN_VERSION_guest_handle: > >>>>> + /* These MUST always be accessible to any guest by default. */ > >>>>> + return xsm_default_action(XSM_HOOK, current->domain, NULL); > >>>>> + default: > >>>>> + return xsm_default_action(XSM_PRIV, current->domain, NULL);
> >>>> Considering that we seem to have settled on some exceptions here
> >>>> for the change adding XSM check to the legacy version op, do you
> >>>> really think going with no exception at all here is the right approach?
> >>>> Because if we do, that'll prevent guests getting fully converted over
> >>>> to the new interface. Of course, we could also make this conversion
> >>>> specifically a non-goal, and omit e.g. XEN_VERSION_VERSION from
> >>>> this new interface.
> >>> No no. I think conversion is the right long-term goal.
> >>>
> >>> However the nice thing about this hypercall is that it can return -EPERM.
> >>>
> >>> Making it always return a value for XEN_VERSION_version,
> >>> XEN_VERSION_platform_parameters, XEN_VERSION_get_features means that
> >>> there are some exceptions to this "can return -EPERM" as they will
> >>> be guaranteed a positive return value. They can ignore the -EPERM
> >>> case.
> >>>
> >>> And means that guest can still take shortcuts.
> >>>
> >>> I agree with you that guests need these hypercalls but at the same
> >>> time I am not sure what can be done so they don't fall flat on their
> >>> faces if they are presented with -EPERM. The Linux xenbus_init can be
> >>> modified to deal with this returning -EPERM where it makes some assumptions.
> >>>
> >>> But in all likelihood it is the bad assumption!
> >> I'm afraid I can't conclude what you mean to say with all of the
> >> above.
> > That I am waffling.
> >
> > Andrew, what is your opinion?
>
> Nothing good can come from failing a XEN_VERSION_version hypercall.
> There are a number of easy ways for a guest to infer such information.
>
> XEN_VERSION_platform_parameters is only useful for 32bit PV guests, and
> the toolstack. Given that it is returning a fixed number in the ABI,
> nothing good can come of failing this either.
>
> get_features can effectively be failed for permission reasons by
> returning 0. As such, explicitly failing with -EPERM is similarly
> pointless.

All right. So here it is:

From 0f82c5f4cd1537ab8555f2b94bb3fe738df69733 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Tue, 22 Mar 2016 12:03:21 -0400
Subject: [PATCH] HYPERCALL_version_op. New hypercall mirroring XENVER_ but sane.

This hypercall mirrors the XENVER_ in that it has similar functionality.
However it is designed differently:
 - No compat layer. The data structures are the same size on 32
   as on 64-bit.
 - The hypercall accepts three arguments - the command, pointer to
   a buffer, and the length of the buffer.
 - Each sub-op can be "probed" for size by returning the size of
   buffer that will be needed - if the buffer is NULL.
 - Subops can complete even if the buffer is too small - truncated
   data will be filled and hypercall will return -ENOBUFS.
 - VERSION_commandline, VERSION_changeset are privileged.
 - There is no XENVER_compile_info equivalent.
 - The hypercall can return -EPERM and toolstack/OSes are expected
   to deal with it. However there are three subops: XEN_VERSION_version,
   XEN_VERSION_platform_parameters and XEN_VERSION_get_features that
   will always return a value as guests cannot survive without them.

While we combine some of the common code between XENVER_ and VERSION_
take the liberty of moving pae_extended_cr3 in x86 area.

Suggested-by: Andrew Cooper
Signed-off-by: Konrad Rzeszutek Wilk
Acked-by: Daniel De Graaf [XSM bits]
---
Cc: Daniel De Graaf
Cc: Ian Jackson
Cc: Stefano Stabellini
Cc: Wei Liu
Cc: Stefano Stabellini
Cc: Julien Grall
Cc: Keir Fraser
Cc: Jan Beulich
Cc: Andrew Cooper

v1-v3: Was not part of the series.
v4: New posting.
v5: Remove memset and use {}. Tweak copy_to_guest and capabilities_info,
    add ASSERT(sz) per Andrew's review. Add cached=1 back in.
    Per Jan, s/VERSION_OP/VERSION/, squash size check with do_version_op,
    update the comments. Dropped Andrew's Review-by. Ate newlines.
    Added initcall to guard against garbage being set in cached data.
---
---
 tools/flask/policy/policy/modules/xen/xen.te |   7 +-
 xen/arch/arm/traps.c                         |   1 +
 xen/arch/x86/hvm/hvm.c                       |   1 +
 xen/arch/x86/x86_64/compat/entry.S           |   2 +
 xen/arch/x86/x86_64/entry.S                  |   2 +
 xen/common/compat/kernel.c                   |   2 +
 xen/common/kernel.c                          | 228 ++++++++++++++++++++++-----
 xen/include/public/arch-arm.h                |   2 +
 xen/include/public/version.h                 |  70 +++++++-
 xen/include/public/xen.h                     |   1 +
 xen/include/xen/hypercall.h                  |   4 +
 xen/include/xsm/dummy.h                      |  21 +++
 xen/include/xsm/xsm.h                        |   6 +
 xen/xsm/dummy.c                              |   1 +
 xen/xsm/flask/hooks.c                        |  35 ++++
 xen/xsm/flask/policy/access_vectors          |  21 ++-
 16 files changed, 361 insertions(+), 43 deletions(-)

diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 18f49b5..b528797 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te 
@@ -74,11 +74,12 @@ allow dom0_t xen_t:xen2 { get_symbol }; -# Allow dom0 to use all XENVER_ subops that have checks. +# Allow dom0 to use all XENVER_ subops and VERSION subops that have checks. # Note that dom0 is part of domain_type so this has duplicates. allow dom0_t xen_t:version { xen_extraversion xen_compile_info xen_capabilities xen_changeset xen_pagesize xen_guest_handle xen_commandline + extraversion capabilities changeset pagesize guest_handle commandline }; allow dom0_t xen_t:mmu memorymap; @@ -145,10 +146,12 @@ if (guest_writeconsole) { # pmu_ctrl is for) allow domain_type xen_t:xen2 pmu_use; -# For normal guests all possible except XENVER_commandline. +# For normal guests all possible except XENVER_commandline, VERSION_changeset, +# and VERSION_commandline allow domain_type xen_t:version { xen_extraversion xen_compile_info xen_capabilities xen_changeset xen_pagesize xen_guest_handle + extraversion capabilities pagesize guest_handle }; ############################################################################### diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index 83744e8..31d2115 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -1235,6 +1235,7 @@ static arm_hypercall_t arm_hypercall_table[] = { HYPERCALL(multicall, 2), HYPERCALL(platform_op, 1), HYPERCALL_ARM(vcpu_op, 3), + HYPERCALL(version_op, 3), }; #ifndef NDEBUG diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 80d59ff..f16b590 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -5322,6 +5322,7 @@ static const struct { COMPAT_CALL(platform_op), COMPAT_CALL(mmuext_op), HYPERCALL(xenpmu_op), + HYPERCALL(version_op), HYPERCALL(arch_1) }; diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 33e2c12..fd25e84 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S 
@@ -394,6 +394,7 @@ ENTRY(compat_hypercall_table) .quad do_tmem_op .quad do_ni_hypercall /* reserved for XenClient */ .quad do_xenpmu_op /* 40 */ + .quad do_version_op .rept __HYPERVISOR_arch_0-((.-compat_hypercall_table)/8) .quad compat_ni_hypercall .endr @@ -445,6 +446,7 @@ ENTRY(compat_hypercall_args_table) .byte 1 /* do_tmem_op */ .byte 0 /* reserved for XenClient */ .byte 2 /* do_xenpmu_op */ /* 40 */ + .byte 3 /* do_version_op */ .rept __HYPERVISOR_arch_0-(.-compat_hypercall_args_table) .byte 0 /* compat_ni_hypercall */ .endr diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 07ef096..b0e7257 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -730,6 +730,7 @@ ENTRY(hypercall_table) .quad do_tmem_op .quad do_ni_hypercall /* reserved for XenClient */ .quad do_xenpmu_op /* 40 */ + .quad do_version_op .rept __HYPERVISOR_arch_0-((.-hypercall_table)/8) .quad do_ni_hypercall .endr @@ -781,6 +782,7 @@ ENTRY(hypercall_args_table) .byte 1 /* do_tmem_op */ .byte 0 /* reserved for XenClient */ .byte 2 /* do_xenpmu_op */ /* 40 */ + .byte 3 /* do_version_op */ .rept __HYPERVISOR_arch_0-(.-hypercall_args_table) .byte 0 /* do_ni_hypercall */ .endr diff --git a/xen/common/compat/kernel.c b/xen/common/compat/kernel.c index df93fdd..7a7ca53 100644 --- a/xen/common/compat/kernel.c +++ b/xen/common/compat/kernel.c @@ -39,6 +39,8 @@ CHECK_TYPE(capabilities_info); CHECK_TYPE(domain_handle); +CHECK_TYPE(version_op_val); + #define xennmi_callback compat_nmi_callback #define xennmi_callback_t compat_nmi_callback_t diff --git a/xen/common/kernel.c b/xen/common/kernel.c index a4a3c36..d614067 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c 
@@ -221,6 +221,47 @@ void __init do_initcalls(void) #endif +static int get_features(struct domain *d, xen_feature_info_t *fi) +{ + switch ( fi->submap_idx ) + { + case 0: + fi->submap = (1U << XENFEAT_memory_op_vnode_supported); + if ( paging_mode_translate(d) ) + fi->submap |= + (1U << XENFEAT_writable_page_tables) | + (1U << XENFEAT_auto_translated_physmap); + if ( is_hardware_domain(d) ) + fi->submap |= 1U << XENFEAT_dom0; +#ifdef CONFIG_X86 + if ( VM_ASSIST(d, pae_extended_cr3) ) + fi->submap |= (1U << XENFEAT_pae_pgdir_above_4gb); + switch ( d->guest_type ) + { + case guest_type_pv: + fi->submap |= (1U << XENFEAT_mmu_pt_update_preserve_ad) | + (1U << XENFEAT_highmem_assist) | + (1U << XENFEAT_gnttab_map_avail_bits); + break; + case guest_type_pvh: + fi->submap |= (1U << XENFEAT_hvm_safe_pvclock) | + (1U << XENFEAT_supervisor_mode_kernel) | + (1U << XENFEAT_hvm_callback_vector); + break; + case guest_type_hvm: + fi->submap |= (1U << XENFEAT_hvm_safe_pvclock) | + (1U << XENFEAT_hvm_callback_vector) | + (1U << XENFEAT_hvm_pirqs); + break; + } +#endif + break; + default: + return -EINVAL; + } + return 0; +} + /* * Simple hypercalls. */ 
@@ -298,47 +339,14 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) case XENVER_get_features: { xen_feature_info_t fi; - struct domain *d = current->domain; + int rc; if ( copy_from_guest(&fi, arg, 1) ) return -EFAULT; - switch ( fi.submap_idx ) - { - case 0: - fi.submap = (1U << XENFEAT_memory_op_vnode_supported); - if ( VM_ASSIST(d, pae_extended_cr3) ) - fi.submap |= (1U << XENFEAT_pae_pgdir_above_4gb); - if ( paging_mode_translate(d) ) - fi.submap |= - (1U << XENFEAT_writable_page_tables) | - (1U << XENFEAT_auto_translated_physmap); - if ( is_hardware_domain(d) ) - fi.submap |= 1U << XENFEAT_dom0; -#ifdef CONFIG_X86 - switch ( d->guest_type ) - { - case guest_type_pv: - fi.submap |= (1U << XENFEAT_mmu_pt_update_preserve_ad) | - (1U << XENFEAT_highmem_assist) | - (1U << XENFEAT_gnttab_map_avail_bits); - break; - case guest_type_pvh: - fi.submap |= (1U << XENFEAT_hvm_safe_pvclock) | - (1U << XENFEAT_supervisor_mode_kernel) | - (1U << XENFEAT_hvm_callback_vector); - break; - case guest_type_hvm: - fi.submap |= (1U << XENFEAT_hvm_safe_pvclock) | - (1U << XENFEAT_hvm_callback_vector) | - (1U << XENFEAT_hvm_pirqs); - break; - } -#endif - break; - default: - return -EINVAL; - } + rc = get_features(current->domain, &fi); + if ( rc ) + return rc; if ( __copy_to_guest(arg, &fi, 1) ) return -EFAULT; 
@@ -381,6 +389,137 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) return -ENOSYS; } +static const char *capabilities_info(unsigned int *len) +{ + static xen_capabilities_info_t __read_mostly cached_cap; + static unsigned int __read_mostly cached_cap_len; + static bool_t cached; + + if ( unlikely(!cached) ) + { + arch_get_xen_caps(&cached_cap); + cached_cap_len = strlen(cached_cap) + 1; + cached = 1; + } + + *len = cached_cap_len; + return cached_cap; +} + +/* + * Similar to HYPERVISOR_xen_version but with a sane interface + * (has a length, one can probe for the length) and with one less sub-ops: + * missing XENVER_compile_info. + */ +DO(version_op)(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg, + unsigned int len) +{ + union { + xen_version_op_val_t val; + xen_feature_info_t fi; + } u = {}; + unsigned int sz = 0; + const void *ptr = NULL; + int rc = xsm_version_op(XSM_OTHER, cmd); + + /* We can safely return -EPERM! */ + if ( rc ) + return rc; + + /* + * The HYPERVISOR_xen_version differs in that some return the value, + * and some copy it on back on argument. We follow the same rule for all + * sub-ops: return 0 on success, positive value of bytes returned, and + * always copy the result in arg. Yeey sanity! 
+ */ + switch ( cmd ) + { + case XEN_VERSION_version: + sz = sizeof(xen_version_op_val_t); + u.val = (xen_major_version() << 16) | xen_minor_version(); + break; + + case XEN_VERSION_extraversion: + sz = strlen(xen_extra_version()) + 1; + ptr = xen_extra_version(); + break; + + case XEN_VERSION_capabilities: + ptr = capabilities_info(&sz); + break; + + case XEN_VERSION_changeset: + sz = strlen(xen_changeset()) + 1; + ptr = xen_changeset(); + break; + + case XEN_VERSION_platform_parameters: + sz = sizeof(xen_version_op_val_t); + u.val = HYPERVISOR_VIRT_START; + break; + + case XEN_VERSION_get_features: + sz = sizeof(xen_feature_info_t); + + if ( guest_handle_is_null(arg) ) + break; + + if ( copy_from_guest(&u.fi, arg, 1) ) + { + rc = -EFAULT; + break; + } + rc = get_features(current->domain, &u.fi); + break; + + case XEN_VERSION_pagesize: + sz = sizeof(xen_version_op_val_t); + u.val = PAGE_SIZE; + break; + + case XEN_VERSION_guest_handle: + sz = ARRAY_SIZE(current->domain->handle); + ptr = current->domain->handle; + break; + + case XEN_VERSION_commandline: + sz = strlen(saved_cmdline) + 1; + ptr = saved_cmdline; + break; + + default: + rc = -ENOSYS; + } + + if ( rc ) + return rc; + + /* + * This hypercall also allows the client to probe. If it provides + * a NULL arg we will return the size of the space it has to + * allocate for the specific sub-op. + */ + ASSERT(sz); + if ( guest_handle_is_null(arg) ) + return sz; + + if ( !rc ) + { + unsigned int bytes = min(sz, len); + + if ( copy_to_guest(arg, ptr ? : &u, bytes) ) + rc = -EFAULT; + + /* + * We return len (truncate) worth of data even if we fail. + */ + if ( !rc && sz > len ) + rc = -ENOBUFS; + } + + return rc == 0 ? sz : rc; +} + DO(nmi_op)(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) { struct xennmi_callback cb; 
@@ -418,6 +557,21 @@ DO(ni_hypercall)(void) return -ENOSYS; } +static int __init kernel_cache_init(void) +{ + unsigned int len; + + /* + * Pre-allocate the cache so we do not have to worry about + * simultaneous invocations on safe_strcat by guests and the cache + * data becoming garbage. + */ + (void)capabilities_info(&len); + + return 0; +} +__initcall(kernel_cache_init); + /* * Local variables: * mode: C diff --git a/xen/include/public/arch-arm.h b/xen/include/public/arch-arm.h index 870bc3b..5f90718 100644 --- a/xen/include/public/arch-arm.h +++ b/xen/include/public/arch-arm.h @@ -128,6 +128,8 @@ * * VCPUOP_register_vcpu_info * * VCPUOP_register_runstate_memory_area * + * HYPERVISOR_version_op + * All generic sub-operations * * Other notes on the ARM ABI: * diff --git a/xen/include/public/version.h b/xen/include/public/version.h index 24a582f..6e327bb 100644 --- a/xen/include/public/version.h +++ b/xen/include/public/version.h @@ -30,7 +30,14 @@ #include "xen.h" -/* NB. All ops return zero on success, except XENVER_{version,pagesize} */ +/* + * There are two hypercalls mentioned in here. The XENVER_ are for + * HYPERCALL_xen_version (17), while VERSION_ are for the + * HYPERCALL_version_op (41). + * + * The subops are very similar except that the later hypercall has a + * sane interface. + */ /* arg == NULL; returns major:minor (16:16). */ #define XENVER_version 0 
@@ -87,6 +94,67 @@ typedef struct xen_feature_info xen_feature_info_t; #define XENVER_commandline 9 typedef char xen_commandline_t[1024]; +/* + * The HYPERCALL_version_op has a set of sub-ops which mirror the + * sub-ops of HYPERCALL_xen_version. However this hypercall differs + * radically from the former: + * - It returns the amount of bytes returned. + * - It will return -XEN_EPERM if the guest is not permitted + * (Albeit XEN_VERSION_version, XEN_VERSION_platform_parameters, and + * XEN_VERSION_get_features will always return an value as guest cannot + * survive without this information). + * - It will return the requested data in arg. + * - It requires an third argument (len) for the length of the + * arg. Naturally the arg has to fit the requested data otherwise + * -XEN_ENOBUFS is returned. + * + * It also offers an mechanism to probe for the amount of bytes an + * sub-op will require. Having the arg have an NULL handle will + * return the number of bytes requested for the operation. Or an + * negative value if an error is encountered. + */ + +typedef uint64_t xen_version_op_val_t; +DEFINE_XEN_GUEST_HANDLE(xen_version_op_val_t); + +/* + * arg == xen_version_op_val_t. Encoded as major:minor (31..16:15..0), while + * 63..32 are zero. + */ +#define XEN_VERSION_version 0 + +/* arg == char. Contains NUL terminated utf-8 string. */ +#define XEN_VERSION_extraversion 1 + +/* arg == char. Contains NUL terminated utf-8 string. */ +#define XEN_VERSION_capabilities 3 + +/* arg == char. Contains NUL terminated utf-8 string. */ +#define XEN_VERSION_changeset 4 + +/* arg == xen_version_op_val_t. */ +#define XEN_VERSION_platform_parameters 5 + +/* + * arg = xen_feature_info_t - shares the same structure + * as the XENVER_get_features. + */ +#define XEN_VERSION_get_features 6 + +/* arg == xen_version_op_val_t. */ +#define XEN_VERSION_pagesize 7 + +/* + * arg == void. + * + * The toolstack fills it out for guest consumption. It is intended to hold + * the UUID of the guest. 
+ */ +#define XEN_VERSION_guest_handle 8 + +/* arg = char. Contains NUL terminated utf-8 string. */ +#define XEN_VERSION_commandline 9 + #endif /* __XEN_PUBLIC_VERSION_H__ */ /* diff --git a/xen/include/public/xen.h b/xen/include/public/xen.h index 64ba7ab..1a99929 100644 --- a/xen/include/public/xen.h +++ b/xen/include/public/xen.h @@ -115,6 +115,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_ulong_t); #define __HYPERVISOR_tmem_op 38 #define __HYPERVISOR_xc_reserved_op 39 /* reserved for XenClient */ #define __HYPERVISOR_xenpmu_op 40 +#define __HYPERVISOR_version_op 41 /* supersedes xen_version (17) */ /* Architecture-specific hypercall definitions. */ #define __HYPERVISOR_arch_0 48 diff --git a/xen/include/xen/hypercall.h b/xen/include/xen/hypercall.h index 0c8ae0e..e8d2b81 100644 --- a/xen/include/xen/hypercall.h +++ b/xen/include/xen/hypercall.h @@ -147,6 +147,10 @@ do_xenoprof_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg); extern long do_xenpmu_op(unsigned int op, XEN_GUEST_HANDLE_PARAM(xen_pmu_params_t) arg); +extern long +do_version_op(unsigned int cmd, + XEN_GUEST_HANDLE_PARAM(void) arg, unsigned int len); + #ifdef CONFIG_COMPAT extern int diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index abbe282..e5dad35 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h 
@@ -751,3 +751,24 @@ static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op) return xsm_default_action(XSM_PRIV, current->domain, NULL); } } + +static XSM_INLINE int xsm_version_op (XSM_DEFAULT_ARG uint32_t op) +{ + XSM_ASSERT_ACTION(XSM_OTHER); + switch ( op ) + { + case XEN_VERSION_version: + case XEN_VERSION_platform_parameters: + case XEN_VERSION_get_features: + /* These MUST always be accessible to any guest by default. */ + return 0; + case XEN_VERSION_extraversion: + case XEN_VERSION_capabilities: + case XEN_VERSION_pagesize: + case XEN_VERSION_guest_handle: + /* These can be accessible to a guest. */ + return xsm_default_action(XSM_HOOK, current->domain, NULL); + default: + return xsm_default_action(XSM_PRIV, current->domain, NULL); + } +} diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 5ecbee0..ac80472 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -194,6 +194,7 @@ struct xsm_operations { int (*pmu_op) (struct domain *d, unsigned int op); #endif int (*xen_version) (uint32_t cmd); + int (*version_op) (uint32_t cmd); }; #ifdef CONFIG_XSM @@ -737,6 +738,11 @@ static inline int xsm_xen_version (xsm_default_t def, uint32_t op) return xsm_ops->xen_version(op); } +static inline int xsm_version_op (xsm_default_t def, uint32_t op) +{ + return xsm_ops->version_op(op); +} + #endif /* XSM_NO_WRAPPERS */ #ifdef CONFIG_MULTIBOOT diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 9791ad4..776dd09 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -163,4 +163,5 @@ void xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, pmu_op); #endif set_to_dummy_if_null(ops, xen_version); + set_to_dummy_if_null(ops, version_op); } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 2069cb3..1eaec58 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c 
@@ -1658,6 +1658,40 @@ static int flask_xen_version (uint32_t op) } } +static int flask_version_op (uint32_t op) +{ + u32 dsid = domain_sid(current->domain); + + switch ( op ) + { + case XEN_VERSION_version: + case XEN_VERSION_platform_parameters: + case XEN_VERSION_get_features: + /* These MUST always be accessible to any guest by default. */ + return 0; + case XEN_VERSION_extraversion: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__EXTRAVERSION, NULL); + case XEN_VERSION_capabilities: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__CAPABILITIES, NULL); + case XEN_VERSION_changeset: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__CHANGESET, NULL); + case XEN_VERSION_pagesize: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__PAGESIZE, NULL); + case XEN_VERSION_guest_handle: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__GUEST_HANDLE, NULL); + case XEN_VERSION_commandline: + return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION, + VERSION__COMMANDLINE, NULL); + default: + return -EPERM; + } +} + long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op); int compat_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op); @@ -1797,6 +1831,7 @@ static struct xsm_operations flask_ops = { .pmu_op = flask_pmu_op, #endif .xen_version = flask_xen_version, + .version_op = flask_version_op, }; static __init void flask_init(void) diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index badcf1c..56600bb 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors 
@@ -496,12 +496,14 @@ class security del_ocontext } -# Class version is used to describe the XENVER_ hypercall. +# Class version is used to describe the XENVER_ and VERSION hypercall. # Almost all sub-ops are described here - in the default case all of them should -# be allowed except the XENVER_commandline. +# be allowed except the XENVER_commandline, VERSION_commandline, and +# VERSION_changeset. # # The ones that are omitted are XENVER_version, XENVER_platform_parameters, -# and XENVER_get_features - as they MUST always be returned to a guest. +# XENVER_get_features, XEN_VERSION_version, XEN_VERSION_platform_parameters, +# and XEN_VERSION_get_features - as they MUST always be returned to a guest. # class version { @@ -519,4 +521,17 @@ class version xen_guest_handle # Xen command line. xen_commandline +# --- VERSION hypercall --- +# Extra informations (-unstable). + extraversion +# Such as "xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64". + capabilities +# Source code changeset. + changeset +# Page size the hypervisor uses. + pagesize +# An value that the control stack can choose. + guest_handle +# Xen command line. + commandline }
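
Review bot: In the second xen.te hunk, the domain_type rule still allows xen_changeset while withholding the new changeset permission, so a guest that is denied XEN_VERSION_changeset can read the same string through the legacy XENVER_changeset sub-op. If the changeset is meant to be privileged, drop xen_changeset from the domain_type allow as well, or state in the comment that the restriction only covers the new hypercall.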
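
Review bot: In do_version_op (xen/common/kernel.c), the final "return rc == 0 ? sz : rc;" mixes unsigned int sz with int rc, so the conditional expression has type unsigned int; with the long return type declared in xen/include/xen/hypercall.h, the -EFAULT and -ENOBUFS set in the copy-out block come back as large positive values on 64-bit builds instead of negative errnos. Return through separate statements, for example "if ( rc ) return rc; return sz;". In the same hunk the XEN_VERSION_get_features case does copy_from_guest(&u.fi, arg, 1) before len is consulted, so a caller passing a short len still has a full xen_feature_info_t read from its buffer; compare len against sz before the copy-in. The "if ( !rc )" guard around the copy-out is always true because of the earlier "if ( rc ) return rc;" and can go.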
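
Review bot: In the kernel_cache_init hunk, the comment refers to safe_strcat, which appears nowhere else in this patch, so a reader cannot tell which race is being closed; name the arch_get_xen_caps() call that fills cached_cap in capabilities_info() instead. If the initcall is what guarantees the cache is populated before any guest can call in, the "if ( unlikely(!cached) )" branch in capabilities_info() becomes a boot-only path; consider filling the cache here directly and turning the lazy branch into an ASSERT so the intent is enforced rather than implied.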
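
Review bot: In the xen/include/public/version.h hunk that adds the XEN_VERSION_ defines, the interface comment says -XEN_ENOBUFS is returned when arg is too small but does not say that truncated data is still copied, which is what the commit message and do_version_op both describe; callers need to know their buffer was written. The sub-op numbers skip 2 with no comment that XENVER_compile_info has no equivalent, the file-level comment calls the constants VERSION_ while they are defined as XEN_VERSION_, and the per-define comments alternate between "arg ==" and "arg =".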
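
Review bot: In the xen/include/xsm/dummy.h hunk, XEN_VERSION_changeset and XEN_VERSION_commandline are privileged only because they fall into "default:", together with every unknown sub-op. List the two cases explicitly ahead of default with a comment, so that a sub-op added later does not silently inherit XSM_PRIV and the privileged set matches what the commit message documents.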
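
Review bot: In flask_version_op (xen/xsm/flask/hooks.c), the default case returns -EPERM, and the hook runs before the switch in do_version_op, so under FLASK an unimplemented cmd never reaches the -ENOSYS there. A guest probing for sub-ops then cannot tell "denied" from "not implemented"; if that is intended, document it in the public header next to the -XEN_EPERM description, otherwise let unknown values pass the hook so do_version_op can reject them.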