|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] xsm/flask: add missing hooks
# HG changeset patch
# User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
# Date 1357900667 0
# Node ID 5df501c84253e655838d3fc9a0dcd75a24ae9f25
# Parent f59daf1718864ff87caff2edf3809a437e6ec1b4
xsm/flask: add missing hooks
The FLASK module was missing implementations of some hooks and did not
have access vectors defined for 10 domctls; define these now.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Committed-by: Keir Fraser <keir@xxxxxxx>
---
diff -r f59daf171886 -r 5df501c84253
tools/flask/policy/policy/modules/xen/xen.if
--- a/tools/flask/policy/policy/modules/xen/xen.if Fri Jan 11 10:37:10
2013 +0000
+++ b/tools/flask/policy/policy/modules/xen/xen.if Fri Jan 11 10:37:47
2013 +0000
@@ -29,6 +29,7 @@ define(`create_domain_common', `
getdomaininfo hypercall setvcpucontext setextvcpucontext
scheduler getvcpuinfo getvcpuextstate getaddrsize
getvcpuaffinity setvcpuaffinity };
+ allow $1 $2:domain2 { set_cpuid settsc };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
@@ -67,6 +68,7 @@ define(`migrate_domain_out', `
allow $1 $2:hvm { gethvmc getparam irqlevel };
allow $1 $2:mmu { stat pageinfo map_read };
allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext
getvcpuextstate pause destroy };
+ allow $1 $2:domain2 gettsc;
')
################################################################################
@@ -112,7 +114,7 @@ define(`device_model', `
domain_comms($1, $2)
allow $1 $2:domain { set_target shutdown };
allow $1 $2:mmu { map_read map_write adjust physmap };
- allow $1 $2:hvm { getparam setparam trackdirtyvram hvmctl irqlevel
pciroute };
+ allow $1 $2:hvm { getparam setparam trackdirtyvram hvmctl irqlevel
pciroute cacheattr send_irq };
')
################################################################################
#
diff -r f59daf171886 -r 5df501c84253 xen/xsm/flask/hooks.c
--- a/xen/xsm/flask/hooks.c Fri Jan 11 10:37:10 2013 +0000
+++ b/xen/xsm/flask/hooks.c Fri Jan 11 10:37:47 2013 +0000
@@ -650,25 +650,32 @@ static int flask_domctl(struct domain *d
#endif
return 0;
+ case XEN_DOMCTL_debug_op:
+ case XEN_DOMCTL_gdbsx_guestmemio:
+ case XEN_DOMCTL_gdbsx_pausevcpu:
+ case XEN_DOMCTL_gdbsx_unpausevcpu:
+ case XEN_DOMCTL_gdbsx_domstatus:
+ return domain_has_perm(current->domain, d, SECCLASS_DOMAIN,
+ DOMAIN__SETDEBUGGING);
+
case XEN_DOMCTL_subscribe:
case XEN_DOMCTL_disable_migrate:
+ case XEN_DOMCTL_suppress_spurious_page_faults:
return domain_has_perm(current->domain, d, SECCLASS_DOMAIN,
DOMAIN__SET_MISC_INFO);
case XEN_DOMCTL_set_cpuid:
- case XEN_DOMCTL_suppress_spurious_page_faults:
- case XEN_DOMCTL_debug_op:
+ return domain_has_perm(current->domain, d, SECCLASS_DOMAIN2,
DOMAIN2__SET_CPUID);
+
case XEN_DOMCTL_gettscinfo:
+ return domain_has_perm(current->domain, d, SECCLASS_DOMAIN2,
DOMAIN2__GETTSC);
+
case XEN_DOMCTL_settscinfo:
+ return domain_has_perm(current->domain, d, SECCLASS_DOMAIN2,
DOMAIN2__SETTSC);
+
case XEN_DOMCTL_audit_p2m:
- case XEN_DOMCTL_gdbsx_guestmemio:
- case XEN_DOMCTL_gdbsx_pausevcpu:
- case XEN_DOMCTL_gdbsx_unpausevcpu:
- case XEN_DOMCTL_gdbsx_domstatus:
- /* TODO add per-subfunction hooks */
- if ( !IS_PRIV(current->domain) )
- return -EPERM;
- return 0;
+ return domain_has_perm(current->domain, d, SECCLASS_HVM,
HVM__AUDIT_P2M);
+
default:
printk("flask_domctl: Unknown op %d\n", cmd);
return -EPERM;
@@ -922,6 +929,11 @@ static int flask_iomem_permission(struct
return security_iterate_iomem_sids(start, end, _iomem_has_perm, &data);
}
+static int flask_iomem_mapping(struct domain *d, uint64_t start, uint64_t end,
uint8_t access)
+{
+ return flask_iomem_permission(d, start, end, access);
+}
+
static int flask_pci_config_permission(struct domain *d, uint32_t machine_bdf,
uint16_t start, uint16_t end, uint8_t access)
{
u32 rsid;
@@ -1129,7 +1141,6 @@ static int _ioport_has_perm(void *v, u32
return avc_has_perm(data->tsec->sid, sid, SECCLASS_RESOURCE,
RESOURCE__USE, &ad);
}
-
static int flask_ioport_permission(struct domain *d, uint32_t start, uint32_t
end, uint8_t access)
{
int rc;
@@ -1152,6 +1163,11 @@ static int flask_ioport_permission(struc
return security_iterate_ioport_sids(start, end, _ioport_has_perm, &data);
}
+static int flask_ioport_mapping(struct domain *d, uint32_t start, uint32_t
end, uint8_t access)
+{
+ return flask_ioport_permission(d, start, end, access);
+}
+
static int flask_getpageframeinfo(struct domain *d)
{
return domain_has_perm(current->domain, d, SECCLASS_MMU, MMU__PAGEINFO);
@@ -1210,6 +1226,25 @@ static int flask_address_size(struct dom
return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, perm);
}
+static int flask_machine_address_size(struct domain *d, uint32_t cmd)
+{
+ u32 perm;
+
+ switch ( cmd )
+ {
+ case XEN_DOMCTL_set_machine_address_size:
+ perm = DOMAIN__SETADDRSIZE;
+ break;
+ case XEN_DOMCTL_get_machine_address_size:
+ perm = DOMAIN__GETADDRSIZE;
+ break;
+ default:
+ return -EPERM;
+ }
+
+ return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, perm);
+}
+
static int flask_hvm_param(struct domain *d, unsigned long op)
{
u32 perm;
@@ -1247,6 +1282,11 @@ static int flask_hvm_set_pci_link_route(
return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__PCIROUTE);
}
+static int flask_hvm_inject_msi(struct domain *d)
+{
+ return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__SEND_IRQ);
+}
+
static int flask_mem_event(struct domain *d)
{
return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__MEM_EVENT);
@@ -1690,6 +1730,7 @@ static struct xsm_operations flask_ops =
.unmap_domain_pirq = flask_unmap_domain_pirq,
.irq_permission = flask_irq_permission,
.iomem_permission = flask_iomem_permission,
+ .iomem_mapping = flask_iomem_mapping,
.pci_config_permission = flask_pci_config_permission,
.resource_plug_core = flask_resource_plug_core,
@@ -1714,10 +1755,12 @@ static struct xsm_operations flask_ops =
.hypercall_init = flask_hypercall_init,
.hvmcontext = flask_hvmcontext,
.address_size = flask_address_size,
+ .machine_address_size = flask_machine_address_size,
.hvm_param = flask_hvm_param,
.hvm_set_pci_intx_level = flask_hvm_set_pci_intx_level,
.hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level,
.hvm_set_pci_link_route = flask_hvm_set_pci_link_route,
+ .hvm_inject_msi = flask_hvm_inject_msi,
.mem_event = flask_mem_event,
.mem_sharing = flask_mem_sharing,
.apic = flask_apic,
@@ -1750,6 +1793,7 @@ static struct xsm_operations flask_ops =
.ext_vcpucontext = flask_ext_vcpucontext,
.vcpuextstate = flask_vcpuextstate,
.ioport_permission = flask_ioport_permission,
+ .ioport_mapping = flask_ioport_mapping,
#endif
};
diff -r f59daf171886 -r 5df501c84253 xen/xsm/flask/policy/access_vectors
--- a/xen/xsm/flask/policy/access_vectors Fri Jan 11 10:37:10 2013 +0000
+++ b/xen/xsm/flask/policy/access_vectors Fri Jan 11 10:37:47 2013 +0000
@@ -80,6 +80,9 @@ class domain2
relabelself
make_priv_for
set_as_target
+ set_cpuid
+ gettsc
+ settsc
}
class hvm
@@ -97,6 +100,8 @@ class hvm
hvmctl
mem_event
mem_sharing
+ audit_p2m
+ send_irq
}
class event
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |