[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH] xsm/flask: clean up auditing output
The audit data for normal MMU updates was incorrectly using the RANGE type which presented the data badly in audit messages; add a MEMORY type for this showing the correct names for the fields. This patch also shows the target domain in event channel mapping checks to make debugging those denials easier. Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> --- xen/xsm/flask/avc.c | 3 +++ xen/xsm/flask/hooks.c | 16 ++++++++++------ xen/xsm/flask/include/avc.h | 8 +++++--- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c index b5486a3..95c928b 100644 --- a/xen/xsm/flask/avc.c +++ b/xen/xsm/flask/avc.c @@ -639,6 +639,9 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, case AVC_AUDIT_DATA_RANGE: avc_printk(&buf, "range=0x%lx-0x%lx ", a->range.start, a->range.end); break; + case AVC_AUDIT_DATA_MEMORY: + avc_printk(&buf, "pte=0x%lx mfn=0x%lx", a->memory.pte, a->memory.mfn); + break; } avc_dump_query(&buf, ssid, tsid, tclass); diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 9948fca..c93b8d0 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -186,6 +186,10 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1, int rc; struct domain_security_struct *dsec, *dsec1, *dsec2; struct evtchn_security_struct *esec1, *esec2; + struct avc_audit_data ad; + AVC_AUDIT_DATA_INIT(&ad, NONE); + ad.sdom = d1; + ad.tdom = d2; dsec = current->domain->ssid; dsec1 = d1->ssid; @@ -203,15 +207,15 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1, return rc; } - rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, NULL); + rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, &ad); if ( rc ) return rc; - rc = avc_has_perm(newsid, dsec2->sid, SECCLASS_EVENT, EVENT__BIND, NULL); + rc = avc_has_perm(newsid, dsec2->sid, SECCLASS_EVENT, EVENT__BIND, &ad); if ( rc ) return rc; - rc = avc_has_perm(esec2->sid, dsec1->sid, SECCLASS_EVENT, EVENT__BIND, NULL); + rc = avc_has_perm(esec2->sid, dsec1->sid, SECCLASS_EVENT, EVENT__BIND, &ad); if ( rc ) return rc; @@ -1328,13 +1332,13 @@ static int flask_mmu_normal_update(struct domain *d, struct domain *t, if ( l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_RW ) map_perms |= MMU__MAP_WRITE; - AVC_AUDIT_DATA_INIT(&ad, RANGE); + AVC_AUDIT_DATA_INIT(&ad, MEMORY); fmfn = get_gfn_untyped(f, l1e_get_pfn(l1e_from_intpte(fpte))); ad.sdom = d; ad.tdom = f; - ad.range.start = fpte; - ad.range.end = fmfn; + ad.memory.pte = fpte; + ad.memory.mfn = fmfn; rc = get_mfn_sid(fmfn, &fsid); diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h index 0f62891..42a5e4b 100644 --- a/xen/xsm/flask/include/avc.h +++ b/xen/xsm/flask/include/avc.h @@ -42,6 +42,7 @@ struct avc_audit_data { #define AVC_AUDIT_DATA_DEV 1 #define AVC_AUDIT_DATA_IRQ 2 #define AVC_AUDIT_DATA_RANGE 3 +#define AVC_AUDIT_DATA_MEMORY 4 struct domain *sdom; struct domain *tdom; union { @@ -51,12 +52,13 @@ struct avc_audit_data { unsigned long start; unsigned long end; } range; + struct { + unsigned long pte; + unsigned long mfn; + } memory; }; }; -#define v4info fam.v4 -#define v6info fam.v6 - /* Initialize an AVC audit data structure. */ #define AVC_AUDIT_DATA_INIT(_d,_t) \ { memset((_d), 0, sizeof(struct avc_audit_data)); \ -- 1.7.7.6 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |