Commit 7450d0d6 authored by Yathindra Naik's avatar Yathindra Naik

Demo Update:

Added more support for NFS shared filesystem specifically in
terms of parsing config files and handling Xenstore transactions.
Backend domain exports files to guest VMs. We can specify which
files a particular guest VM can access and the backend domain
that exports it. Rest of the changes were made in Linux to read
from Xenstore and setup LSM side of things.
parent 1ea26cd3
......@@ -39,6 +39,15 @@ int xc_cap_grant(xc_interface *xch,
return 1;
}
for (i=0;i<size;++i)
{
if (&list[i] == (struct capability *)NULL)
{
PERROR("Could not allocate memory for xc_get_caps_hypercall hypercall");
return 1;
}
}
cap_op.cmd = XEN_CAP_OP_cap_grant;
/*cap_op.domain = (domid_t)from_domid;*/
cap_op.u.cap_grant.to = (domid_t)to_domid;
......@@ -65,6 +74,8 @@ int xc_cap_check(xc_interface *xch,
{
DECLARE_CAP_OP;
DPRINTF("xc_cap_op: xc_cap_check().\n");
if (cap == NULL)
return 0;
cap_op.cmd = XEN_CAP_OP_cap_check;
cap_op.domain = (domid_t)domid;
cap_op.u.cap_check.cap = cap;
......
This diff is collapsed.
/*
* Copyright (C) 2010 Citrix Ltd.
* Author Vincent Hanquez <vincent.hanquez@eu.citrix.com>
......@@ -386,7 +385,7 @@ int libxl__domain_make(libxl__gc *gc, libxl_domain_create_info *info, libxl_capa
uint32_t *domid)
{
libxl_ctx *ctx = libxl__gc_owner(gc);
int flags, ret, rc, nb_vm;
int flags, ret, rc=1, nb_vm;
char *uuid_string;
char *dom_path, *vm_path, *libxl_path;
struct xs_permissions roperm[2];
......@@ -474,7 +473,7 @@ int libxl__domain_make(libxl__gc *gc, libxl_domain_create_info *info, libxl_capa
roperm[0].id = 0;
roperm[0].perms = XS_PERM_NONE;
roperm[1].id = *domid;
roperm[1].perms = XS_PERM_READ;
roperm[1].perms = XS_PERM_READ;
rwperm[0].id = *domid;
rwperm[0].perms = XS_PERM_NONE;
......@@ -495,13 +494,19 @@ retry_transaction:
#ifdef CONFIG_XENCAP
caps = xs_get_caps(ctx->xsh, t, libxl__sprintf(gc, "%s/vm", dom_path));
if (caps == NULL)
LOG(ERROR, "Caps for %s is NULL!\n",dom_path);
{
LOG(ERROR, "Caps for %s is NULL!\n",dom_path);
goto out;
}
if (!xc_cap_check(ctx->xch, *domid, &caps[0])) {
list[0] = caps[0];
LOG(DEBUG, "Granting caps for %s/vm\n",dom_path);
LOG(DEBUG, "caps[0]: %d caps[1]: %d\n",caps[0].magic, caps[1].magic);
if (xc_cap_grant(ctx->xch, *domid, list, 1))
{
LOG(ERROR, "Granting caps for %s/vm failed\n",dom_path);
goto out;
}
}
#endif
rc = libxl__domain_rename(gc, *domid, 0, info->name, t);
......@@ -534,13 +539,19 @@ retry_transaction:
#ifdef CONFIG_XENCAP
caps = xs_get_caps(ctx->xsh, t, libxl__sprintf(gc, "%s/device/suspend", dom_path));
if (caps == NULL)
LOG(ERROR, "Caps for %s/device/suspend is NULL!\n",dom_path);
{
LOG(ERROR, "Caps for %s/device/suspend is NULL!\n",dom_path);
goto out;
}
if (!xc_cap_check(ctx->xch, *domid, &caps[0])) {
list[0] = caps[0];
LOG(DEBUG, "Granting caps for %s/device/suspend\n",dom_path);
LOG(DEBUG, "caps[0]: %d caps[1]: %d\n",caps[0].magic, caps[1].magic);
if (xc_cap_grant(ctx->xch, *domid, list, 1))
LOG(ERROR, "Granting caps for %s/device/suspend failed\n",dom_path);
{
LOG(ERROR, "Granting caps for %s/device/suspend failed\n",dom_path);
goto out;
}
}
#endif
libxl__xs_mkdir(gc, t,
......@@ -594,24 +605,36 @@ retry_transaction:
#ifdef CONFIG_XENCAP
caps = xs_get_caps(ctx->xsh, t, libxl__sprintf(gc, "%s/uuid", vm_path));
if (caps == NULL)
LOG(ERROR, "Caps for %s/uuid is NULL!\n",vm_path);
{
LOG(ERROR, "Caps for %s/uuid is NULL!\n",vm_path);
goto out;
}
if (!xc_cap_check(ctx->xch, *domid, &caps[0])) {
list[0] = caps[0];
LOG(DEBUG, "Granting caps for %s/uuid\n",vm_path);
LOG(DEBUG, "caps[0]: %d caps[1]: %d\n",caps[0].magic, caps[1].magic);
if (xc_cap_grant(ctx->xch, *domid, list, 1))
{
LOG(ERROR, "Granting caps for %s/uuid failed\n",vm_path);
goto out;
}
}
caps = xs_get_caps(ctx->xsh, t, libxl__sprintf(gc, "%s/name", vm_path));
if (caps == NULL)
LOG(ERROR, "Caps for %s/name is NULL!\n",vm_path);
{
LOG(ERROR, "Caps for %s/name is NULL!\n",vm_path);
goto out;
}
if (!xc_cap_check(ctx->xch, *domid, &caps[0])) {
list[0] = caps[0];
LOG(DEBUG, "Granting caps for %s/name\n",vm_path);
LOG(DEBUG, "caps[0]: %d caps[1]: %d\n",caps[0].magic, caps[1].magic);
if (xc_cap_grant(ctx->xch, *domid, list, 1))
LOG(ERROR, "Granting caps for %s/name failed\n",vm_path);
{
LOG(ERROR, "Granting caps for %s/name failed\n",vm_path);
goto out;
}
}
#endif
#ifdef CONFIG_XENCAP
......@@ -626,24 +649,36 @@ retry_transaction:
#ifdef CONFIG_XENCAP
caps = xs_get_caps(ctx->xsh, t, libxl__sprintf(gc, "%s/control/platform-feature-multiprocessor-suspend", dom_path));
if (caps == NULL)
LOG(ERROR, "Caps for %s/control/platform-feature-multiprocessor-suspend is NULL", dom_path);
{
LOG(ERROR, "Caps for %s/control/platform-feature-multiprocessor-suspend is NULL", dom_path);
goto out;
}
if (!xc_cap_check(ctx->xch, *domid, &caps[0])) {
list[0] = caps[0];
LOG(DEBUG, "Granting caps for %s/control/platform-feature-multiprocessor-suspend", dom_path);
LOG(DEBUG, "caps[0]: %d caps[1]: %d\n",caps[0].magic, caps[1].magic);
if (xc_cap_grant(ctx->xch, *domid, list, 1))
{
LOG(ERROR, "Granting caps for %s/control/platform-feature-multiprocessor-suspend is NULL", dom_path);
goto out;
}
}
caps = xs_get_caps(ctx->xsh, t, libxl__sprintf(gc, "%s/control/platform-feature-xs_reset_watches", dom_path));
if (caps == NULL)
LOG(ERROR, "Caps for %s/control/platform-feature-xs_reset_watches is NULL", dom_path);
{
LOG(ERROR, "Caps for %s/control/platform-feature-xs_reset_watches is NULL", dom_path);
goto out;
}
if (!xc_cap_check(ctx->xch, *domid, &caps[0])) {
list[0] = caps[0];
LOG(DEBUG, "Granting caps for %s/control/platform-feature-xs_reset_watches", dom_path);
LOG(DEBUG, "caps[0]: %d caps[1]: %d\n",caps[0].magic, caps[1].magic);
if (xc_cap_grant(ctx->xch, *domid, list, 1))
{
LOG(ERROR, "Granting caps for %s/control/platform-feature-xs_reset_watches is NULL", dom_path);
goto out;
}
}
#endif
if (!xs_transaction_end(ctx->xsh, t, 0)) {
......
......@@ -202,21 +202,30 @@ int libxl__xs_write(libxl__gc *gc, xs_transaction_t t,
goto out;
caps = xs_get_caps(ctx->xsh, t, path);
if (caps == NULL)
{
LOG(ERROR, "Caps for %s is NULL!\n",path);
goto out;
}
if (perm == 'r' || perm == 'b') {
list[0] = caps[0];
if (!xc_cap_check(ctx->xch, domid, &caps[0])) {
LOG(DEBUG, "Granting caps for %s", path);
if (xc_cap_grant(ctx->xch, domid, list, 1))
{
LOG(ERROR, "Granting caps for %s failed\n",path);
goto out;
}
}
}
if (perm == 'w' && perm == 'b') {
if (perm == 'w' || perm == 'b') {
list[0] = caps[1];
if (!xc_cap_check(ctx->xch, domid, &caps[1])) {
LOG(DEBUG, "Granting caps for %s", path);
if (xc_cap_grant(ctx->xch, domid, list, 1))
{
LOG(ERROR, "Granting caps for %s failed\n",path);
goto out;
}
}
}
#endif
......
......@@ -698,15 +698,16 @@ struct node *get_node(struct connection *conn,
errno = EINVAL;
return NULL;
}
node = read_node(conn, name);
node = read_node(conn, name);
log("GET_NODE: %s with PERM %d, read_node returned node %p\n",name, perm, node);
#ifdef CONFIG_XENCAP
if ( conn != NULL && conn->cap_flag ) {
if (node) {
/* Note: This is to satisfy grant_caps */
if (perm == XS_PERM_NONE)
return node;
trace("caps_for_conn for node %s with perms %d\n",name, perm);
log("caps_for_conn for node %s with perms %d\n",name, perm);
if (!caps_for_conn(conn, node->caps, perm, (char*)name)) {
errno = EACCES;
node = NULL;
......@@ -973,6 +974,7 @@ bool xs_strings_to_caps(unsigned int num, struct node *node, const char *strings
p++;
owner_domid = strtol(p, &end, 0);
log("xs_strings_to_caps: owner_domid %d and node->name %s and node->caps[0]:0x%x node->caps[1]:0x%x\n",owner_domid,node->name,node->caps[0].magic,node->caps[1].magic);
if ( node->caps == NULL )
{
log("xs_strings_to_caps: caps is NULL!\n");
......@@ -1059,10 +1061,15 @@ bool xs_strings_to_caps(unsigned int num, struct node *node, const char *strings
else if (!flag && to_domid != 0)
{
/* Both the flags */
if ((xc_cap_grant(xch,to_domid,list,2)) == 1)
if ((xc_cap_grant(xch,to_domid,&list[0],1)) == 1)
{
log("xs_strings_to_caps: Error in xc_cap_grant.\n");
goto out;
}
if ((xc_cap_grant(xch,to_domid,&list[1],1)) == 1)
{
log("xs_strings_to_caps: Error in xc_cap_grant.\n");
goto out;
}
}
......@@ -1692,6 +1699,7 @@ static void do_set_perms(struct connection *conn, struct buffered_data *in)
num = xs_count_strings(in->buffer, in->used);
if (num < 2) {
log("do_set_perms num is < 2\n");
send_error(conn, EINVAL);
return;
}
......@@ -1701,6 +1709,7 @@ static void do_set_perms(struct connection *conn, struct buffered_data *in)
permstr = in->buffer + strlen(in->buffer) + 1;
num--;
log("do_set_perms for %s with perms %s\n",name,permstr);
/* We must own node to do this (tools can do this too). */
node = get_node(conn, name, XS_PERM_WRITE|XS_PERM_OWNER);
if (!node) {
......
......@@ -78,7 +78,7 @@ long do_cap_op(XEN_GUEST_HANDLE(xen_cap_op_t) u_cap_op)
to = rcu_lock_domain_by_id(op->u.cap_grant.to);
if ( to == NULL )
{
TT_ERR("Failed to rcu_lock_dom_by_id:%d\n", to->domain_id);
TT_ERR("Failed to rcu_lock_dom_by_id\n");
break;
}
......
......@@ -1562,7 +1562,7 @@ static int cap_evtchn_unbound (struct domain *d, struct evtchn *chn,
{
int ret = 0;
struct capability *cap;
struct domain *remote_domain;
// struct domain *remote_domain;
// if ( IS_PRIV(current->domain) )
// return 0;
......@@ -1593,15 +1593,15 @@ static int cap_evtchn_unbound (struct domain *d, struct evtchn *chn,
/* if the remote domain does not have caps
set then dont do anything. Simply return. */
#if 0
if (d->est_evtchn == NULL)
{
TT_ERR("remote domain %d does not have est_evtchn\n",id2);
//TT_ERR("remote domain %d does not have est_evtchn\n",id2);
return 0;
}
if ((remote_domain = get_domain_by_id(id2)) == NULL)
{
TT_ERR("could not get remote domain %d\n",id2);
//TT_ERR("could not get remote domain %d\n",id2);
return 1;
}
if (cap_check(remote_domain, d->est_evtchn) == 0)
......@@ -1609,11 +1609,12 @@ static int cap_evtchn_unbound (struct domain *d, struct evtchn *chn,
TT_ERR("remote domain %d does not have the cap to est evtchn\n",id2);
return 1;
}
#endif
return 0;
}
else
{
TT_DBG("cap_check failed!\nLeaving cap_evtchn_unbound()\n");
TT_ERR("cap_check failed!\nLeaving cap_evtchn_unbound()\n");
return 1;
}
......@@ -1634,28 +1635,30 @@ static int cap_evtchn_interdomain (struct domain *d1, struct evtchn
if ( current->domain->cap_flag == 0 || d1->cap_flag == 0 || d2->cap_flag == 0 )
return 0;
TT_DBG_ON(cap_debug,"In cap_evtchn_interdomain()\n");
//TT_DBG_ON(cap_debug,"In cap_evtchn_interdomain()\n");
cap = &(CAP_BOOT_INFO->cap_hypercalls[47]);
if ( (ret = cap_check(current->domain, cap)) == 1 )
{
TT_DBG_ON(cap_debug,"cap_check success\nLeaving cap_evtchn_interdomain()\n");
//TT_DBG_ON(cap_debug,"cap_check success\nLeaving cap_evtchn_interdomain()\n");
/* Check if this domain (d1) has the capability
to bind with the remote domain (d2) */
/* if the remote domain does not have est_evtchn
set then simply return. */
#if 0
if (d2->est_evtchn == NULL)
{
TT_ERR("remote domain %d est_evtchn is NULL\n",d2->domain_id);
//TT_ERR("remote domain %d est_evtchn is NULL\n",d2->domain_id);
return 0;
}
if (cap_check(d1, d2->est_evtchn) == 0)
{
TT_ERR("Not allowed to bind with remote domain %d\n",d2->domain_id);
//TT_ERR("Not allowed to bind with remote domain %d\n",d2->domain_id);
return 1;
}
#endif
return 0;
}
else
......@@ -1670,7 +1673,7 @@ static int cap_evtchn_interdomain (struct domain *d1, struct evtchn
static int cap_evtchn_send (struct domain *d, struct evtchn *chn)
{
int ret = 0;
struct domain *remote_domain = chn->u.interdomain.remote_dom;
//struct domain *remote_domain = chn->u.interdomain.remote_dom;
struct capability *cap;
if ( IS_PRIV(current->domain) )
......@@ -1686,20 +1689,22 @@ static int cap_evtchn_send (struct domain *d, struct evtchn *chn)
if ( (ret = cap_check(current->domain, cap)) == 1 )
{
//TT_DBG_ON(cap_debug,"cap_check success\nLeaving cap_evtchn_send()\n");
#if 0
if (chn->state == ECS_INTERDOMAIN)
{
if (remote_domain->est_evtchn == NULL)
{
TT_ERR("remoted domain %d est_evtchn is NULL\n",remote_domain->domain_id);
// TT_ERR("remoted domain %d est_evtchn is NULL\n",remote_domain->domain_id);
return 0;
}
if (cap_check(d,remote_domain->est_evtchn) == 0)
{
TT_ERR("Not allowed to send evt to remote domain\n");
// TT_ERR("Not allowed to send evt to remote domain\n");
return 1;
}
}
#endif
return 0;
}
else
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment