[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 20/20] flask: add missing operations

The hvm_inject_msi, machine_address_size, iomem_mapping, and
ioport_mapping security operations did not have FLASK operations
defined; define them now.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 tools/flask/policy/policy/flask/access_vectors |  1 +
 tools/flask/policy/policy/modules/xen/xen.if   |  2 +-
 xen/xsm/flask/hooks.c                          | 42 ++++++++++++++++++++++++--
 xen/xsm/flask/include/av_perm_to_string.h      |  1 +
 xen/xsm/flask/include/av_permissions.h         |  1 +
 5 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/tools/flask/policy/policy/flask/access_vectors 
b/tools/flask/policy/policy/flask/access_vectors
index 2736075..b394fc1 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -103,6 +103,7 @@ class hvm
     mem_sharing
        share_mem
        audit_p2m
+       send_irq
 }
 
 class event
diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
b/tools/flask/policy/policy/modules/xen/xen.if
index 8056f18..67f5daf 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -143,7 +143,7 @@ define(`device_model', `
 
        allow $1 $2_target:domain shutdown;
        allow $1 $2_target:mmu { map_read map_write adjust physmap };
-       allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl 
irqlevel pciroute cacheattr };
+       allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl 
irqlevel pciroute cacheattr send_irq };
 ')
 
 # make_device_model(priv, dm_dom, hvm_dom)
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 316e8ef..12638c4 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -814,8 +814,7 @@ static int flask_iomem_permission(struct domain *d, 
uint64_t start, uint64_t end
     struct iomem_has_perm_data data;
     int rc;
 
-    rc = current_has_perm(d, SECCLASS_RESOURCE,
-                         resource_to_perm(access));
+    rc = current_has_perm(d, SECCLASS_RESOURCE, resource_to_perm(access));
     if ( rc )
         return rc;
 
@@ -830,6 +829,11 @@ static int flask_iomem_permission(struct domain *d, 
uint64_t start, uint64_t end
     return security_iterate_iomem_sids(start, end, _iomem_has_perm, &data);
 }
 
+static int flask_iomem_mapping(struct domain *d, uint64_t start, uint64_t end, 
uint8_t access)
+{
+    return flask_iomem_permission(d, start, end, access);
+}
+
 static int flask_pci_config_permission(struct domain *d, uint32_t machine_bdf, 
uint16_t start, uint16_t end, uint8_t access)
 {
     u32 dsid, rsid;
@@ -1022,7 +1026,6 @@ static int _ioport_has_perm(void *v, u32 sid, unsigned 
long start, unsigned long
     return avc_has_perm(data->dsid, sid, SECCLASS_RESOURCE, RESOURCE__USE, 
&ad);
 }
 
-
 static int flask_ioport_permission(struct domain *d, uint32_t start, uint32_t 
end, uint8_t access)
 {
     int rc;
@@ -1045,6 +1048,11 @@ static int flask_ioport_permission(struct domain *d, 
uint32_t start, uint32_t en
     return security_iterate_ioport_sids(start, end, _ioport_has_perm, &data);
 }
 
+static int flask_ioport_mapping(struct domain *d, uint32_t start, uint32_t 
end, uint8_t access)
+{
+    return flask_ioport_permission(d, start, end, access);
+}
+
 static int flask_getpageframeinfo(struct domain *d)
 {
     return current_has_perm(d, SECCLASS_MMU, MMU__PAGEINFO);
@@ -1117,6 +1125,25 @@ static int flask_address_size(struct domain *d, uint32_t 
cmd)
     return current_has_perm(d, SECCLASS_DOMAIN, perm);
 }
 
+static int flask_machine_address_size(struct domain *d, uint32_t cmd)
+{
+    u32 perm;
+
+    switch ( cmd )
+    {
+    case XEN_DOMCTL_set_machine_address_size:
+        perm = DOMAIN__SETADDRSIZE;
+        break;
+    case XEN_DOMCTL_get_machine_address_size:
+        perm = DOMAIN__GETADDRSIZE;
+        break;
+    default:
+        return -EPERM;
+    }
+
+    return current_has_perm(d, SECCLASS_DOMAIN, perm);
+}
+
 static int flask_hvm_param(struct domain *d, unsigned long op)
 {
     u32 perm;
@@ -1154,6 +1181,11 @@ static int flask_hvm_set_pci_link_route(struct domain *d)
     return current_has_perm(d, SECCLASS_HVM, HVM__PCIROUTE);
 }
 
+static int flask_hvm_inject_msi(struct domain *d)
+{
+    return current_has_perm(d, SECCLASS_HVM, HVM__SEND_IRQ);
+}
+
 static int flask_mem_event_setup(struct domain *d)
 {
     return current_has_perm(d, SECCLASS_HVM, HVM__MEM_EVENT);
@@ -1578,6 +1610,7 @@ static struct xsm_operations flask_ops = {
     .unmap_domain_pirq = flask_unmap_domain_pirq,
     .irq_permission = flask_irq_permission,
     .iomem_permission = flask_iomem_permission,
+    .iomem_mapping = flask_iomem_mapping,
     .pci_config_permission = flask_pci_config_permission,
 
     .resource_plug_core = flask_resource_plug_core,
@@ -1606,10 +1639,12 @@ static struct xsm_operations flask_ops = {
     .hypercall_init = flask_hypercall_init,
     .hvmcontext = flask_hvmcontext,
     .address_size = flask_address_size,
+    .machine_address_size = flask_machine_address_size,
     .hvm_param = flask_hvm_param,
     .hvm_set_pci_intx_level = flask_hvm_set_pci_intx_level,
     .hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level,
     .hvm_set_pci_link_route = flask_hvm_set_pci_link_route,
+    .hvm_inject_msi = flask_hvm_inject_msi,
     .mem_event_setup = flask_mem_event_setup,
     .mem_event_control = flask_mem_event_control,
     .mem_event_op = flask_mem_event_op,
@@ -1646,6 +1681,7 @@ static struct xsm_operations flask_ops = {
     .ext_vcpucontext = flask_ext_vcpucontext,
     .vcpuextstate = flask_vcpuextstate,
     .ioport_permission = flask_ioport_permission,
+    .ioport_mapping = flask_ioport_mapping,
 #endif
 };
 
diff --git a/xen/xsm/flask/include/av_perm_to_string.h 
b/xen/xsm/flask/include/av_perm_to_string.h
index b2c77b2..1b958fd 100644
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -85,6 +85,7 @@
    S_(SECCLASS_HVM, HVM__MEM_SHARING, "mem_sharing")
    S_(SECCLASS_HVM, HVM__SHARE_MEM, "share_mem")
    S_(SECCLASS_HVM, HVM__AUDIT_P2M, "audit_p2m")
+   S_(SECCLASS_HVM, HVM__SEND_IRQ, "send_irq")
    S_(SECCLASS_EVENT, EVENT__BIND, "bind")
    S_(SECCLASS_EVENT, EVENT__SEND, "send")
    S_(SECCLASS_EVENT, EVENT__STATUS, "status")
diff --git a/xen/xsm/flask/include/av_permissions.h 
b/xen/xsm/flask/include/av_permissions.h
index acb0b1a..15a7eee 100644
--- a/xen/xsm/flask/include/av_permissions.h
+++ b/xen/xsm/flask/include/av_permissions.h
@@ -88,6 +88,7 @@
 #define HVM__MEM_SHARING                          0x00001000UL
 #define HVM__SHARE_MEM                            0x00002000UL
 #define HVM__AUDIT_P2M                            0x00004000UL
+#define HVM__SEND_IRQ                             0x00008000UL
 
 #define EVENT__BIND                               0x00000001UL
 #define EVENT__SEND                               0x00000002UL
-- 
1.7.11.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.