
[Xen-devel] [PATCH] xsm: correct AVC lookups for two sysctls


  • To: xen-devel@xxxxxxxxxxxxx
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Wed, 9 Aug 2017 12:56:39 -0400
  • Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Delivery-date: Wed, 09 Aug 2017 16:57:07 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

The current code was incorrectly using SECCLASS_XEN instead of
SECCLASS_XEN2, resulting in the wrong permission being checked.

GET_CPU_LEVELLING_CAPS was checking MTRR_DEL
GET_CPU_FEATURESET was checking MTRR_READ

The default XSM policy only allowed these permissions to dom0, so this
didn't result in a security issue there.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 xen/xsm/flask/hooks.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 819e25d3af..57be18d6d4 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -814,10 +814,12 @@ static int flask_sysctl(int cmd)
         return domain_has_xen(current->domain, XEN__TMEM_CONTROL);
 
     case XEN_SYSCTL_get_cpu_levelling_caps:
-        return domain_has_xen(current->domain, XEN2__GET_CPU_LEVELLING_CAPS);
+        return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+                                    XEN2__GET_CPU_LEVELLING_CAPS);
 
     case XEN_SYSCTL_get_cpu_featureset:
-        return domain_has_xen(current->domain, XEN2__GET_CPU_FEATURESET);
+        return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+                                    XEN2__GET_CPU_FEATURESET);
 
     case XEN_SYSCTL_livepatch_op:
         return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
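Review bot: the two replaced calls are correct, since the XEN2__* permission values are only meaningful in SECCLASS_XEN2, and domain_has_xen() evidently queries SECCLASS_XEN, which is exactly how XEN2__GET_CPU_LEVELLING_CAPS and XEN2__GET_CPU_FEATURESET were being read as the MTRR_DEL and MTRR_READ bits of the wrong class; the new form also matches the existing XEN_SYSCTL_livepatch_op case visible in the trailing context. To keep this from recurring, it would be worth adding a small helper (hypothetical name: domain_has_xen2()) that mirrors domain_has_xen() with the class fixed, so that a XEN2__* permission can never be paired with SECCLASS_XEN at a call site; and the commit message would benefit from one sentence stating that the bug was a class mismatch (XEN2 permission bits passed to a XEN-class check) rather than a wrong permission constant, since that is what a reader auditing other domain_has_xen() callers needs to know.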
-- 
2.13.4

