[Xen-devel] [PATCH 8/8] xsm/flask: Improve domain ID auditing in AVCs
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 xen/xsm/flask/avc.c         | 17 ++++++++++++-----
 xen/xsm/flask/hooks.c       | 18 ++++++++++++++++--
 xen/xsm/flask/include/avc.h |  4 +++-
 3 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index 9475d92..3a60a3a 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -539,7 +539,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass,
 void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
                struct av_decision *avd, int result, struct avc_audit_data *a)
 {
-    struct domain *d = current->domain;
+    struct domain *cdom = current->domain;
     u32 denied, audited;
 
     denied = requested & ~avd->allowed;
@@ -564,10 +564,17 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
     avc_dump_av(tclass, audited);
     printk(" for ");
-    if ( a && a->d )
-        d = a->d;
-    if ( d )
-        printk("domid=%d ", d->domain_id);
+    if ( a && (a->sdom || a->tdom) )
+    {
+        if ( a->sdom && a->tdom && a->sdom != a->tdom )
+            printk("domid=%d target=%d ", a->sdom->domain_id, a->tdom->domain_id);
+        else if ( a->sdom )
+            printk("domid=%d ", a->sdom->domain_id);
+        else
+            printk("target=%d ", a->tdom->domain_id);
+    }
+    else if ( cdom )
+        printk("domid=%d ", cdom->domain_id);
     switch ( a ? a->type : 0 ) {
     case AVC_AUDIT_DATA_DEV:
         printk("device=0x%lx ", a->device);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index ad1013f..649c473 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
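Review bot: In the second avc.c hunk, when only `a->tdom` is set the new `else` branch prints `target=` alone and the acting domain disappears from the record, because the `else if ( cdom )` fallback is reached only when neither field is set; before this change a domid was always emitted. For an audit line the subject should stay present, so I would decouple the two prints as below, which also collapses the nested block and keeps every other case's output byte-identical. When `sdom == tdom` the target is dropped on purpose; a one-line comment such as `/* self-access: one domid is enough */` would make that visible. avc_audit continues outside the hunk (the switch on `a->type`).
```c
    printk(" for ");
    if ( a && a->sdom )
        printk("domid=%d ", a->sdom->domain_id);
    else if ( cdom )
        printk("domid=%d ", cdom->domain_id);
    /* self-access: one domid is enough */
    if ( a && a->tdom && a->tdom != a->sdom )
        printk("target=%d ", a->tdom->domain_id);
    /* … unchanged: switch on a->type … */
```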
@@ -37,11 +37,15 @@ static int domain_has_perm(struct domain *dom1, struct domain *dom2,
                            u16 class, u32 perms)
 {
     struct domain_security_struct *dsec1, *dsec2;
+    struct avc_audit_data ad;
+    AVC_AUDIT_DATA_INIT(&ad, NONE);
+    ad.sdom = dom1;
+    ad.tdom = dom2;
 
     dsec1 = dom1->ssid;
     dsec2 = dom2->ssid;
 
-    return avc_has_perm(dsec1->sid, dsec2->sid, class, perms, NULL);
+    return avc_has_perm(dsec1->sid, dsec2->sid, class, perms, &ad);
 }
 
 static int domain_has_evtchn(struct domain *d, struct evtchn *chn, u32 perms)
@@ -1323,6 +1327,7 @@ static int flask_mmu_normal_update(struct domain *d, struct domain *t,
     unsigned long fmfn;
     struct domain_security_struct *dsec;
     u32 fsid;
+    struct avc_audit_data ad;
 
     if (d != t)
         rc = domain_has_perm(d, t, SECCLASS_MMU, MMU__REMOTE_REMAP);
@@ -1337,13 +1342,22 @@ static int flask_mmu_normal_update(struct domain *d, struct domain *t,
     if ( l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_RW )
         map_perms |= MMU__MAP_WRITE;
 
+    AVC_AUDIT_DATA_INIT(&ad, RANGE);
     fmfn = get_gfn_untyped(f, l1e_get_pfn(l1e_from_intpte(fpte)));
+    ad.sdom = d;
+    ad.tdom = f;
+    ad.range.start = fpte;
+    ad.range.end = fmfn;
+ rc = get_mfn_sid(fmfn, &fsid); + + put_gfn(f, fmfn); + if ( rc )
         return rc;
 
-    return avc_has_perm(dsec->sid, fsid, SECCLASS_MMU, map_perms, NULL);
+    return avc_has_perm(dsec->sid, fsid, SECCLASS_MMU, map_perms, &ad);
 }
 
 static int flask_mmu_machphys_update(struct domain *d, unsigned long mfn)
diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h
index 1b19189..8fffbb6 100644
--- a/xen/xsm/flask/include/avc.h
+++ b/xen/xsm/flask/include/avc.h
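Review bot: In the flask_mmu_normal_update hunk at line 1337 the RANGE audit data is filled with a raw PTE (`ad.range.start = fpte`, value plus flag bits) and an MFN (`ad.range.end = fmfn`), which is not a range of anything, yet it will be printed as one wherever avc_audit handles the RANGE case (outside this diff). If that reuse is intended, a comment at the assignments, `/* RANGE reused: start = source PTE (incl. flags), end = resolved MFN */`, stops the next reader from "fixing" it; otherwise a dedicated audit type would be cleaner. The collapsed markers around `rc = get_mfn_sid(fmfn, &fsid)` and `put_gfn(f, fmfn)` leave it unclear whether the put_gfn call is new in this hunk; if it is, that is a reference-release change unrelated to auditing and deserves its own commit or at least a sentence in the description. The function starts before this hunk, and its earlier hunk at line 1323 only adds the `ad` declaration.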
@@ -38,10 +38,12 @@ struct sk_buff;
 /* Auxiliary data to use in generating the audit record. */
 struct avc_audit_data {
     char type;
+#define AVC_AUDIT_DATA_NONE 0
 #define AVC_AUDIT_DATA_DEV 1
 #define AVC_AUDIT_DATA_IRQ 2
 #define AVC_AUDIT_DATA_RANGE 3
-    struct domain *d;
+    struct domain *sdom;
+    struct domain *tdom;
     union {
         unsigned long device;
         int irq;
-- 
1.7.7.6
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
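Review bot: The new `sdom`/`tdom` members of struct avc_audit_data carry no description, and the only hint of their meaning is the output format in avc_audit, so the header should say what callers are expected to fill in: `/* sdom: domain performing the access; tdom: domain acted upon. Either may be NULL; when both are, avc_audit reports current->domain. */`. `AVC_AUDIT_DATA_NONE` being 0 presumably makes a zero-initialised structure mean "no auxiliary data" (hooks.c initialises with `AVC_AUDIT_DATA_INIT(&ad, NONE)`); if AVC_AUDIT_DATA_INIT clears the whole struct, a short comment beside the define saying so would let readers rely on sdom/tdom being NULL by default. The struct definition continues past the end of the hunk.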