[Xen-changelog] [xen-unstable] xsm/flask: clean up auditing output
# HG changeset patch
# User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
# Date 1334647867 -3600
# Node ID 6017afc7044265109d98098b3c3adf7f28081858
# Parent 3808ed41dfaaa1cb3f5e59d6d2b4b49e677b7817
xsm/flask: clean up auditing output
The audit data for normal MMU updates was incorrectly using the RANGE type which presented the data badly in audit messages; add a MEMORY type for this showing the correct names for the fields. This patch also shows the target domain in event channel mapping checks to make debugging those denials easier.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Committed-by: Keir Fraser <keir@xxxxxxx>
---
diff -r 3808ed41dfaa -r 6017afc70442 xen/xsm/flask/avc.c
--- a/xen/xsm/flask/avc.c Tue Apr 17 08:30:27 2012 +0100
+++ b/xen/xsm/flask/avc.c Tue Apr 17 08:31:07 2012 +0100
@@ -639,6 +639,9 @@ void avc_audit(u32 ssid, u32 tsid, u16 t
 case AVC_AUDIT_DATA_RANGE:
 avc_printk(&buf, "range=0x%lx-0x%lx ", a->range.start, a->range.end);
 break;
+ case AVC_AUDIT_DATA_MEMORY:
+ avc_printk(&buf, "pte=0x%lx mfn=0x%lx", a->memory.pte, a->memory.mfn);
+ break;
 }
 avc_dump_query(&buf, ssid, tsid, tclass);
diff -r 3808ed41dfaa -r 6017afc70442 xen/xsm/flask/hooks.c
--- a/xen/xsm/flask/hooks.c Tue Apr 17 08:30:27 2012 +0100
+++ b/xen/xsm/flask/hooks.c Tue Apr 17 08:31:07 2012 +0100
@@ -186,6 +186,10 @@ static int flask_evtchn_interdomain(stru
 int rc;
 struct domain_security_struct *dsec, *dsec1, *dsec2;
 struct evtchn_security_struct *esec1, *esec2;
+ struct avc_audit_data ad;
+ AVC_AUDIT_DATA_INIT(&ad, NONE);
+ ad.sdom = d1;
+ ad.tdom = d2;
 dsec = current->domain->ssid;
 dsec1 = d1->ssid;
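Review bot: The new `AVC_AUDIT_DATA_MEMORY` format string in `avc_audit` has no trailing space, unlike the `range=` case directly above it, so whatever `avc_dump_query` appends next would be glued onto the `mfn=` value. If avc_dump_query does not emit its own leading separator (its body is not in this hunk), the record becomes harder to parse for anyone consuming audit output mechanically; suggest `avc_printk(&buf, "pte=0x%lx mfn=0x%lx ", a->memory.pte, a->memory.mfn);`. The switch itself starts outside the hunk.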
@@ -203,15 +207,15 @@ static int flask_evtchn_interdomain(stru
 return rc;
 }
- rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, NULL);
+ rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, &ad);
 if ( rc )
 return rc;
- rc = avc_has_perm(newsid, dsec2->sid, SECCLASS_EVENT, EVENT__BIND, NULL);
+ rc = avc_has_perm(newsid, dsec2->sid, SECCLASS_EVENT, EVENT__BIND, &ad);
 if ( rc )
 return rc;
- rc = avc_has_perm(esec2->sid, dsec1->sid, SECCLASS_EVENT, EVENT__BIND, NULL);
+ rc = avc_has_perm(esec2->sid, dsec1->sid, SECCLASS_EVENT, EVENT__BIND, &ad);
 if ( rc )
 return rc;
@@ -1328,13 +1332,13 @@ static int flask_mmu_normal_update(struc
 if ( l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_RW )
 map_perms |= MMU__MAP_WRITE;
- AVC_AUDIT_DATA_INIT(&ad, RANGE);
+ AVC_AUDIT_DATA_INIT(&ad, MEMORY);
 fmfn = get_gfn_untyped(f, l1e_get_pfn(l1e_from_intpte(fpte)));
 ad.sdom = d;
 ad.tdom = f;
- ad.range.start = fpte;
- ad.range.end = fmfn;
+ ad.memory.pte = fpte;
+ ad.memory.mfn = fmfn;
 rc = get_mfn_sid(fmfn, &fsid);
diff -r 3808ed41dfaa -r 6017afc70442 xen/xsm/flask/include/avc.h
--- a/xen/xsm/flask/include/avc.h Tue Apr 17 08:30:27 2012 +0100
+++ b/xen/xsm/flask/include/avc.h Tue Apr 17 08:31:07 2012 +0100
@@ -42,6 +42,7 @@ struct avc_audit_data {
 #define AVC_AUDIT_DATA_DEV 1
 #define AVC_AUDIT_DATA_IRQ 2
 #define AVC_AUDIT_DATA_RANGE 3
+#define AVC_AUDIT_DATA_MEMORY 4
 struct domain *sdom;
 struct domain *tdom;
 union {
@@ -51,12 +52,13 @@ struct avc_audit_data {
 unsigned long start;
 unsigned long end;
 } range;
+ struct {
+ unsigned long pte;
+ unsigned long mfn;
+ } memory;
 };
 };
-#define v4info fam.v4
-#define v6info fam.v6
-
 /* Initialize an AVC audit data structure. */
 #define AVC_AUDIT_DATA_INIT(_d,_t) \
 { memset((_d), 0, sizeof(struct avc_audit_data)); \
_______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
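Review bot: All three `avc_has_perm` calls in `flask_evtchn_interdomain` now pass the same `ad`, which the preceding hunk fills once with `ad.sdom = d1; ad.tdom = d2;`, but the subject and object SIDs differ per call: the first check's subject is `dsec->sid` (the current domain) and the third runs from `esec2->sid` to `dsec1->sid`, the reverse direction. If the audit output prints sdom/tdom as the source and target of the denied access (not visible here), a denial on the third check would name the domains the wrong way round. Either swap before that call, `ad.sdom = d2; ad.tdom = d1;`, or add a comment such as `/* ad identifies the d1/d2 channel pair, not the ssid/tsid of each check */` so readers of the audit log are not misled. The function body begins and ends outside this hunk.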
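Review bot: `ad.memory.pte = fpte;` in `flask_mmu_normal_update` stores a page-table entry into a field that the avc.h hunk declares as `unsigned long`, while `fpte` is passed to `l1e_from_intpte()` and so is presumably an `intpte_t`. On any build where intpte_t is wider than unsigned long, the high bits of the entry would be dropped from the audit record; if such builds are supported, declare the field as `intpte_t pte;` and adjust the `pte=0x%lx` specifier in avc.c to match. The declaration of fpte is outside the hunk, so this needs confirming against the function signature.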