[Xen-changelog] [xen-unstable] xsm/flask: Add checks on the domain performing the set_target operation
# HG changeset patch # User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> # Date 1357900630 0 # Node ID f59daf1718864ff87caff2edf3809a437e6ec1b4 # Parent e391d7de856c629fb19625d68e888d618b5a374d xsm/flask: Add checks on the domain performing the set_target operation The existing domain__set_target check only verifies that the source and target domains can be associated. We also need to check that the privileged domain making this association is allowed to do so. Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> Committed-by: Keir Fraser <keir@xxxxxxx> --- diff -r e391d7de856c -r f59daf171886 xen/xsm/flask/hooks.c --- a/xen/xsm/flask/hooks.c Fri Jan 11 10:36:06 2013 +0000 +++ b/xen/xsm/flask/hooks.c Fri Jan 11 10:37:10 2013 +0000 @@ -577,6 +577,13 @@ static int flask_domain_settime(struct d static int flask_set_target(struct domain *d, struct domain *e) { + int rc; + rc = domain_has_perm(current->domain, d, SECCLASS_DOMAIN2, DOMAIN2__MAKE_PRIV_FOR); + if ( rc ) + return rc; + rc = domain_has_perm(current->domain, e, SECCLASS_DOMAIN2, DOMAIN2__SET_AS_TARGET); + if ( rc ) + return rc; return domain_has_perm(d, e, SECCLASS_DOMAIN, DOMAIN__SET_TARGET); } diff -r e391d7de856c -r f59daf171886 xen/xsm/flask/policy/access_vectors --- a/xen/xsm/flask/policy/access_vectors Fri Jan 11 10:36:06 2013 +0000 +++ b/xen/xsm/flask/policy/access_vectors Fri Jan 11 10:37:10 2013 +0000 @@ -78,6 +78,8 @@ class domain2 relabelfrom relabelto relabelself + make_priv_for + set_as_target } class hvm _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
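Review bot: In the xen/xsm/flask/hooks.c hunk, flask_set_target() now performs three checks but nothing in the function states which role each argument plays; a reader has to infer from DOMAIN2__MAKE_PRIV_FOR and DOMAIN2__SET_AS_TARGET that d is the domain being made privileged and e is the domain it will act on. A short comment above the two new domain_has_perm(current->domain, ...) calls, saying that they authorize the calling domain while the final DOMAIN__SET_TARGET check authorizes the d-to-e pairing, would make the intent clear. A blank line between the `int rc;` declaration and the first statement would also help readability.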
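Review bot: In the xen/xsm/flask/policy/access_vectors hunk, make_priv_for and set_as_target are added to class domain2 with no comment describing what each is checked against. Going by the hooks.c change, both use the calling domain as the source, with the domain gaining privilege as the target of make_priv_for and the domain it will act on as the target of set_as_target; please document that next to the vectors. The visible diff adds no allow rules for the new permissions, so a policy that permits set_target today needs matching grants for the calling domain or the operation will be denied when enforcing. That is worth stating in the commit message or covering in the same series.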