[Xen-devel] [PATCH 2/8] xsm/flask: report memory and IO ranges in audit messages
This information is useful when determining the cause of an AVC denial
caused by missing label on device memory or IRQs.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 xen/xsm/flask/avc.c         | 11 ++++++++++-
 xen/xsm/flask/hooks.c       | 18 ++++++++++--------
 xen/xsm/flask/include/avc.h | 13 +++++++++++--
 3 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index c47dd40..9475d92 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -568,8 +568,17 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
     d = a->d;
     if ( d )
         printk("domid=%d ", d->domain_id);
-    if ( a && a->device )
+    switch ( a ? a->type : 0 ) {
+    case AVC_AUDIT_DATA_DEV:
         printk("device=0x%lx ", a->device);
+        break;
+    case AVC_AUDIT_DATA_IRQ:
+        printk("irq=%d ", a->irq);
+        break;
+    case AVC_AUDIT_DATA_RANGE:
+        printk("range=0x%lx-0x%lx ", a->range.start, a->range.end);
+        break;
+    }
     avc_dump_query(ssid, tsid, tclass);
     printk("\n");
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 0feb070..1a3f3b3 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -670,8 +670,8 @@ static int flask_irq_permission (struct domain *d, int pirq, uint8_t access)
     if ( rc )
         return rc;
-    AVC_AUDIT_DATA_INIT(&ad, DEV);
-    ad.device = (unsigned long) pirq;
+    AVC_AUDIT_DATA_INIT(&ad, IRQ);
+    ad.irq = pirq;
     rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, &ad);
     if ( rc )
@@ -694,8 +694,9 @@ static int _iomem_has_perm(void *v, u32 sid, unsigned long start, unsigned long
     struct avc_audit_data ad;
     int rc = -EPERM;
-    AVC_AUDIT_DATA_INIT(&ad, DEV);
-    ad.device = start;
+    AVC_AUDIT_DATA_INIT(&ad, RANGE);
+    ad.range.start = start;
+    ad.range.end = end;
     rc = avc_has_perm(data->ssec->sid, sid, SECCLASS_RESOURCE, data->perm, &ad);
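Review bot: The new `switch ( a ? a->type : 0 )` has no `default:` arm, so an `avc_audit_data` whose `type` was never set through AVC_AUDIT_DATA_INIT, or a type value added later, drops out of the audit line silently — exactly the record a denial investigation needs; add `default: break; /* no aux data (a == NULL) or unknown type */`, and note that any diagnostic placed in that arm must re-check `a`, because the `0` case is the NULL path. The `a ?` guard also reads as redundant next to the context line `d = a->d;` three lines earlier, which dereferences `a` unconditionally — unless that assignment sits under an `if ( a )` just above the hunk, which is not visible here. The DEV case now prints `device=0x0` where the old `a->device` test suppressed it; harmless, but worth a line in the description. avc_audit's body starts and ends outside the hunk.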
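Review bot: `ad.range.start`/`ad.range.end` are filled straight from the `start`/`end` arguments, but nothing records whether `end` is the last frame of the range or one past it, and the resulting `range=0x%lx-0x%lx` audit line is what an administrator will read when writing a label for device memory; state the convention where the struct is filled, e.g. `/* end is inclusive: the last frame of the range, as handed in by the caller */` (or `exclusive`, whichever the caller actually passes — not visible from this hunk). The same applies to the matching _ioport_has_perm hunk, where the two values are port numbers rather than frame numbers; since both records print the same `range=` prefix under SECCLASS_RESOURCE, a reader must rely on the permission name from avc_dump_query to tell them apart. _iomem_has_perm's body starts before and ends after this hunk.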
@@ -771,8 +772,9 @@ static int _ioport_has_perm(void *v, u32 sid, unsigned long start, unsigned long
     struct avc_audit_data ad;
     int rc;
-    AVC_AUDIT_DATA_INIT(&ad, DEV);
-    ad.device = start;
+    AVC_AUDIT_DATA_INIT(&ad, RANGE);
+    ad.range.start = start;
+    ad.range.end = end;
     rc = avc_has_perm(data->ssec->sid, sid, SECCLASS_RESOURCE, data->perm, &ad);
@@ -1155,8 +1157,8 @@ static int flask_bind_pt_irq (struct domain *d, struct xen_domctl_bind_pt_irq *b
     if ( rc )
         return rc;
-    AVC_AUDIT_DATA_INIT(&ad, DEV);
-    ad.device = (unsigned long)irq;
+    AVC_AUDIT_DATA_INIT(&ad, IRQ);
+    ad.irq = irq;
     ssec = current->domain->ssid;
     rc = avc_has_perm(ssec->sid, rsid, SECCLASS_HVM, HVM__BIND_IRQ, &ad);
diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h
index 2168585..1b19189 100644
--- a/xen/xsm/flask/include/avc.h
+++ b/xen/xsm/flask/include/avc.h
@@ -38,9 +38,18 @@ struct sk_buff;
 /* Auxiliary data to use in generating the audit record. */
 struct avc_audit_data {
     char type;
-#define AVC_AUDIT_DATA_DEV 1
+#define AVC_AUDIT_DATA_DEV 1
+#define AVC_AUDIT_DATA_IRQ 2
+#define AVC_AUDIT_DATA_RANGE 3
     struct domain *d;
-    unsigned long device;
+    union {
+        unsigned long device;
+        int irq;
+        struct {
+            unsigned long start;
+            unsigned long end;
+        } range;
+    };
 };
 #define v4info fam.v4
-- 
1.7.7.4

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
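Review bot: The new union in `struct avc_audit_data` carries no indication of which member is live for which `type` value; `device`, `irq` and `range` overlap, so reading `a->device` on an IRQ record quietly yields the IRQ number reinterpreted as an address, and only the printer in avc.c currently encodes the mapping. Document the discriminator on the union itself, e.g. `/* Member selected by ->type: device (DEV), irq (IRQ), range (RANGE) */`, and state whether `range.end` is inclusive or exclusive here too, since this header is the one place the producers in hooks.c and the printer share. The anonymous union is a GNU extension before C11; it presumably matches what the Xen build already permits, but that is worth confirming against the rest of the tree. `char type` selected by `#define`d values could equally be an enum, which would let the switch in avc.c be checked for completeness by the compiler.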