The access control for domU to read the console should be controlled via XSM. By moving it under XSM, FLASK will now be able to work correctly with the domU console read capability that was introduced recently.
To enable console read under XSM, the legacy is_console field in struct domain was collapsed with the new input_allowed field in struct domain_console. Having two fields over console was redundant. By merging them together under the permissions field in struct domain_console, this allows better alignment with the existing fine grained access controls under FLASK.
Signed-off-by: Daniel P. Smith <[email protected]>
---
 xen/arch/arm/vpl011.c | 2 +-
 xen/arch/x86/pv/shim.c | 2 +-
 xen/common/device-tree/dom0less-build.c | 2 +-
 xen/common/domain.c | 1 -
 xen/drivers/char/console.c | 4 ++--
 xen/include/xen/sched.h | 8 ++++----
 xen/include/xsm/dummy.h | 17 ++++++++++++-----
 7 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/xen/arch/arm/vpl011.c b/xen/arch/arm/vpl011.c
index d0d17c76b72c..1461c27afed0 100644
--- a/xen/arch/arm/vpl011.c
+++ b/xen/arch/arm/vpl011.c
@@ -713,7 +713,7 @@ int domain_vpl011_init(struct domain *d, struct vpl011_init_info *info)
 }
 else
 {
- d->console->input_allowed = true;
+ d->console->permissions = DOMAIN_CONSOLE_READ;
 vpl011->backend_in_domain = false;
 vpl011->backend.xen = xzalloc(struct vpl011_xen_backend);
diff --git a/xen/arch/x86/pv/shim.c b/xen/arch/x86/pv/shim.c
index bd29c53a2d34..03990dfc0e01 100644
--- a/xen/arch/x86/pv/shim.c
+++ b/xen/arch/x86/pv/shim.c
@@ -239,7 +239,7 @@ void __init pv_shim_setup_dom(struct domain *d, l4_pgentry_t *l4start,
 */
 d->max_pages = domain_tot_pages(d);
- d->console->input_allowed = true;
+ d->console->permissions = DOMAIN_CONSOLE_READ;
 }
 static void write_start_info(struct domain *d)
diff --git a/xen/common/device-tree/dom0less-build.c b/xen/common/device-tree/dom0less-build.c
index 840d14419da2..d144720fe195 100644
--- a/xen/common/device-tree/dom0less-build.c
+++ b/xen/common/device-tree/dom0less-build.c
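Review bot: The plain assignment `d->console->permissions = DOMAIN_CONSOLE_READ;` in domain_vpl011_init() discards any bit that is already set, which could not happen while `input_allowed` and `is_console` were separate fields. create_domUs() stores `DOMAIN_CONSOLE_WRITE` immediately before calling construct_domU(); if that path reaches this initialiser (not visible in the hunk), the domain ends up with READ only and its CONSOLEIO_write request falls back to the XSM_PRIV check in the dummy policy. Writing `d->console->permissions |= DOMAIN_CONSOLE_READ;` here, and using `|=` likewise in pv_shim_setup_dom() and create_domUs(), keeps the two grants independent. The enclosing function starts and ends outside the hunk.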
@@ -871,7 +871,7 @@ void __init create_domUs(void)
 dt_node_name(node), rc);
 #endif /* CONFIG_HAS_LLC_COLORING */
- ki.bd.d->is_console = true;
+ ki.bd.d->console->permissions = DOMAIN_CONSOLE_WRITE;
 dt_device_set_used_by(node, ki.bd.d->domain_id);
 rc = construct_domU(&ki, node);
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 2e46207d2db0..331c048e2f72 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -999,7 +999,6 @@ struct domain *domain_create(domid_t domid,
 goto fail;
 spin_lock_init(&d->console->lock);
- d->console->input_allowed = is_hardware_domain(d);
 /*
 * This assertion helps static analysis tools infer that config cannot be
diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c
index bcd6d261491b..909e0fdb8c08 100644
--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -554,7 +554,7 @@ struct domain *console_get_domain(void)
 if ( !d )
 return NULL;
- if ( d->console->input_allowed )
+ if ( !xsm_console_io(XSM_OTHER, d, CONSOLEIO_read) )
 return d;
 rcu_unlock_domain(d);
@@ -595,7 +595,7 @@ static void console_switch_input(void)
 d = rcu_lock_domain_by_id(domid);
 if ( d )
 {
- if ( !d->console->input_allowed )
+ if ( xsm_console_io(XSM_OTHER, d, CONSOLEIO_read) )
 {
 rcu_unlock_domain(d);
 continue;
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 40a35fc15c65..3713664aaea5 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -377,8 +377,10 @@ struct evtchn_port_ops;
 /* Domain console settings. */
 struct domain_console
 {
- /* Permission to take ownership of the physical console input. */
- bool input_allowed;
+ /* XSM: permission to use HYPERCALL_console_io hypercall */
+#define DOMAIN_CONSOLE_READ (1u << 0)
+#define DOMAIN_CONSOLE_WRITE (1u << 1)
+ unsigned int permissions;
 /* hvm_print_line() and guest_console_write() logging. */
 unsigned int idx;
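Review bot: Console input focus in console_get_domain() and console_switch_input() now depends on `xsm_console_io(XSM_OTHER, d, CONSOLEIO_read)`, but nothing visible in this patch sets `DOMAIN_CONSOLE_READ` for the hardware domain once the domain.c hunk drops `d->console->input_allowed = is_hardware_domain(d);`. Under the dummy policy the hardware domain then only passes through the final `xsm_default_action(XSM_PRIV, d, NULL)`, which presumably holds for a combined control/hardware dom0 but not for a hardware domain that is not the control domain. If the old default is still intended, domain_create() could keep it with `if ( is_hardware_domain(d) ) d->console->permissions |= DOMAIN_CONSOLE_READ;`; otherwise the commit message should state the behaviour change. Both functions continue outside their hunks.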
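Review bot: The comment carried over onto `permissions` in struct domain_console only mentions the console_io hypercall, while `DOMAIN_CONSOLE_READ` replaces `input_allowed` and so also decides, through the dummy policy, whether a domain may take the physical console input. I would document each bit, e.g. `/* DOMAIN_CONSOLE_READ: may own physical console input and use CONSOLEIO_read; DOMAIN_CONSOLE_WRITE: may use CONSOLEIO_write. Consulted by the dummy XSM policy. */`. Whether FLASK consults these bits at all is not visible here; if it does not, saying so in the comment would stop callers from treating the field as the authoritative decision. The struct continues past the hunk.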
@@ -528,8 +530,6 @@ struct domain
 bool auto_node_affinity;
 /* Is this guest fully privileged (aka dom0)? */
 bool is_privileged;
- /* XSM: permission to use HYPERCALL_console_io hypercall */
- bool is_console;
 /* Is this guest being debugged by dom0? */
 bool debugger_attached;
 /*
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index b8fd7aeedd9e..129823b8d37b 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -269,12 +269,19 @@ static XSM_INLINE int cf_check xsm_console_io(
 XSM_DEFAULT_ARG struct domain *d, int cmd)
 {
 XSM_ASSERT_ACTION(XSM_OTHER);
- if ( d->is_console )
- return xsm_default_action(XSM_HOOK, d, NULL);
-#ifdef CONFIG_VERBOSE_DEBUG
- if ( cmd == CONSOLEIO_write )
- return xsm_default_action(XSM_HOOK, d, NULL);
+ switch ( cmd )
+ {
+ case CONSOLEIO_read:
+ if ( d->console->permissions & DOMAIN_CONSOLE_READ )
+ return xsm_default_action(XSM_HOOK, d, NULL);
+ break;
+ case CONSOLEIO_write:
+#ifndef CONFIG_VERBOSE_DEBUG
+ if ( d->console->permissions & DOMAIN_CONSOLE_WRITE )
 #endif
+ return xsm_default_action(XSM_HOOK, d, NULL);
+ break;
+ }
 return xsm_default_action(XSM_PRIV, d, NULL);
 }
-- 
2.39.5
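Review bot: In the `CONSOLEIO_write` case of xsm_console_io() the `if` is compiled only under `#ifndef CONFIG_VERBOSE_DEBUG` while the `return` it governs sits after the `#endif`, so whether the grant is conditional hinges on a preprocessor line in the middle of a statement. That is fragile in an access-control path: any statement later inserted between the `#endif` and the `return` silently changes what the `if` guards. `if ( IS_ENABLED(CONFIG_VERBOSE_DEBUG) || (d->console->permissions & DOMAIN_CONSOLE_WRITE) )` expresses the same policy as one ordinary condition. The `switch` also has no `default:` label; an explicit `default: break;` would make the fall-through to the XSM_PRIV check for any other command deliberate.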
