|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] xsm: correct AVC lookups for two sysctls
commit de834631b6f678cfdd7b0ec6259b1a679ea78814
Author: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
AuthorDate: Thu Aug 10 12:35:28 2017 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Aug 10 12:35:28 2017 +0200
xsm: correct AVC lookups for two sysctls
The current code was incorrectly using SECCLASS_XEN instead of
SECCLASS_XEN2, resulting in the wrong permission being checked.
GET_CPU_LEVELLING_CAPS was checking MTRR_DEL
GET_CPU_FEATURESET was checking MTRR_READ
The default XSM policy only allowed these permissions to dom0, so this
didn't result in a security issue there.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
xen/xsm/flask/hooks.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index fd84ac0..17560b1 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -814,10 +814,12 @@ static int flask_sysctl(int cmd)
return domain_has_xen(current->domain, XEN__TMEM_CONTROL);
case XEN_SYSCTL_get_cpu_levelling_caps:
- return domain_has_xen(current->domain, XEN2__GET_CPU_LEVELLING_CAPS);
+ return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+ XEN2__GET_CPU_LEVELLING_CAPS);
case XEN_SYSCTL_get_cpu_featureset:
- return domain_has_xen(current->domain, XEN2__GET_CPU_FEATURESET);
+ return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+ XEN2__GET_CPU_FEATURESET);
case XEN_SYSCTL_livepatch_op:
return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
--
generated by git-patchbot for /home/xen/git/xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |