[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 2/8] xsm/flask: report memory and IO ranges in audit messages
This information is useful when determining the cause of an AVC denial
caused by a missing label on device memory or on IRQs.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
xen/xsm/flask/avc.c | 11 ++++++++++-
xen/xsm/flask/hooks.c | 18 ++++++++++--------
xen/xsm/flask/include/avc.h | 13 +++++++++++--
3 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index c47dd40..9475d92 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -568,8 +568,17 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32
requested,
d = a->d;
if ( d )
printk("domid=%d ", d->domain_id);
- if ( a && a->device )
+ switch ( a ? a->type : 0 ) {
+ case AVC_AUDIT_DATA_DEV:
printk("device=0x%lx ", a->device);
+ break;
+ case AVC_AUDIT_DATA_IRQ:
+ printk("irq=%d ", a->irq);
+ break;
+ case AVC_AUDIT_DATA_RANGE:
+ printk("range=0x%lx-0x%lx ", a->range.start, a->range.end);
+ break;
+ }
avc_dump_query(ssid, tsid, tclass);
printk("\n");
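Review bot: The new switch has no `default:` arm, so an audit record whose `type` is not one of the three known tags (or one that was never run through AVC_AUDIT_DATA_INIT) prints no target at all, which is precisely the denial this patch wants to make diagnosable; add `default: break;` with a comment noting that the target is intentionally omitted for unknown tags. Do not print `a->type` in that arm, because the `a ? a->type : 0` selector routes a NULL `a` to the same `default:` and the dereference would fault there. Separately, `d = a->d;` two lines above the switch dereferences `a` unconditionally while the switch still guards `a == NULL`; unless that line already sits inside an `if ( a )` block that begins outside the hunk, the NULL guard in the selector is dead and the earlier dereference faults first. avc_audit's body starts before this hunk.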
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 0feb070..1a3f3b3 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -670,8 +670,8 @@ static int flask_irq_permission (struct domain *d, int
pirq, uint8_t access)
if ( rc )
return rc;
- AVC_AUDIT_DATA_INIT(&ad, DEV);
- ad.device = (unsigned long) pirq;
+ AVC_AUDIT_DATA_INIT(&ad, IRQ);
+ ad.irq = pirq;
rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, &ad);
if ( rc )
@@ -694,8 +694,9 @@ static int _iomem_has_perm(void *v, u32 sid, unsigned long
start, unsigned long
struct avc_audit_data ad;
int rc = -EPERM;
- AVC_AUDIT_DATA_INIT(&ad, DEV);
- ad.device = start;
+ AVC_AUDIT_DATA_INIT(&ad, RANGE);
+ ad.range.start = start;
+ ad.range.end = end;
rc = avc_has_perm(data->ssec->sid, sid, SECCLASS_RESOURCE, data->perm,
&ad);
@@ -771,8 +772,9 @@ static int _ioport_has_perm(void *v, u32 sid, unsigned long
start, unsigned long
struct avc_audit_data ad;
int rc;
- AVC_AUDIT_DATA_INIT(&ad, DEV);
- ad.device = start;
+ AVC_AUDIT_DATA_INIT(&ad, RANGE);
+ ad.range.start = start;
+ ad.range.end = end;
rc = avc_has_perm(data->ssec->sid, sid, SECCLASS_RESOURCE, data->perm,
&ad);
@@ -1155,8 +1157,8 @@ static int flask_bind_pt_irq (struct domain *d, struct
xen_domctl_bind_pt_irq *b
if ( rc )
return rc;
- AVC_AUDIT_DATA_INIT(&ad, DEV);
- ad.device = (unsigned long)irq;
+ AVC_AUDIT_DATA_INIT(&ad, IRQ);
+ ad.irq = irq;
ssec = current->domain->ssid;
rc = avc_has_perm(ssec->sid, rsid, SECCLASS_HVM, HVM__BIND_IRQ, &ad);
diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h
index 2168585..1b19189 100644
--- a/xen/xsm/flask/include/avc.h
+++ b/xen/xsm/flask/include/avc.h
@@ -38,9 +38,18 @@ struct sk_buff;
/* Auxiliary data to use in generating the audit record. */
struct avc_audit_data {
char type;
-#define AVC_AUDIT_DATA_DEV 1
+#define AVC_AUDIT_DATA_DEV 1
+#define AVC_AUDIT_DATA_IRQ 2
+#define AVC_AUDIT_DATA_RANGE 3
struct domain *d;
- unsigned long device;
+ union {
+ unsigned long device;
+ int irq;
+ struct {
+ unsigned long start;
+ unsigned long end;
+ } range;
+ };
};
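Review bot: The new union is discriminated by the `type` field above it, but nothing in the struct says which member is valid for which tag, and `range.end` does not say whether it is inclusive or exclusive, which a reader of the `range=0x%lx-0x%lx` audit line needs to know. Add a comment on the union such as `/* Member selected by type: DEV -> device, IRQ -> irq, RANGE -> range */` and, on `end`, state its inclusiveness once confirmed against the rangeset callers in hooks.c (the `_iomem_has_perm` and `_ioport_has_perm` hunks pass their `end` parameter straight through). The unrelated `#define v4info` line below is outside the struct and untouched by this change.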
#define v4info fam.v4
--
1.7.7.4