
[Xen-devel] [PATCH] xsm/flask: clean up auditing output



The audit data for normal MMU updates was incorrectly using the RANGE
type which presented the data badly in audit messages; add a MEMORY type
for this showing the correct names for the fields. This patch also shows
the target domain in event channel mapping checks to make debugging
those denials easier.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 xen/xsm/flask/avc.c         |    3 +++
 xen/xsm/flask/hooks.c       |   16 ++++++++++------
 xen/xsm/flask/include/avc.h |    8 +++++---
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index b5486a3..95c928b 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -639,6 +639,9 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 
requested,
     case AVC_AUDIT_DATA_RANGE:
         avc_printk(&buf, "range=0x%lx-0x%lx ", a->range.start, a->range.end);
         break;
+    case AVC_AUDIT_DATA_MEMORY:
+        avc_printk(&buf, "pte=0x%lx mfn=0x%lx", a->memory.pte, a->memory.mfn);
+        break;
     }
 
     avc_dump_query(&buf, ssid, tsid, tclass);
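Review bot: The new MEMORY format string has no trailing space, unlike the RANGE case directly above it (`"range=0x%lx-0x%lx "`), so whatever avc_dump_query() emits next will most likely be glued onto the mfn value (e.g. `mfn=0x1234scontext=...`), which defeats the stated goal of readable audit lines. Presumably every audit-data case is expected to end with its own separator, since avc_dump_query() is called unconditionally right after the switch; I cannot see that function here, so please confirm. Suggested line: `avc_printk(&buf, "pte=0x%lx mfn=0x%lx ", a->memory.pte, a->memory.mfn);`. The switch and avc_audit() continue outside this hunk.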
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 9948fca..c93b8d0 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -186,6 +186,10 @@ static int flask_evtchn_interdomain(struct domain *d1, 
struct evtchn *chn1,
     int rc;
     struct domain_security_struct *dsec, *dsec1, *dsec2;
     struct evtchn_security_struct *esec1, *esec2;
+    struct avc_audit_data ad;
+    AVC_AUDIT_DATA_INIT(&ad, NONE);
+    ad.sdom = d1;
+    ad.tdom = d2;
 
     dsec = current->domain->ssid;
     dsec1 = d1->ssid;
@@ -203,15 +207,15 @@ static int flask_evtchn_interdomain(struct domain *d1, 
struct evtchn *chn1,
         return rc;
     }
 
-    rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, NULL);
+    rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, &ad);
     if ( rc )
         return rc;
 
-    rc = avc_has_perm(newsid, dsec2->sid, SECCLASS_EVENT, EVENT__BIND, NULL);
+    rc = avc_has_perm(newsid, dsec2->sid, SECCLASS_EVENT, EVENT__BIND, &ad);
     if ( rc )
         return rc;
 
-    rc = avc_has_perm(esec2->sid, dsec1->sid, SECCLASS_EVENT, EVENT__BIND, 
NULL);
+    rc = avc_has_perm(esec2->sid, dsec1->sid, SECCLASS_EVENT, EVENT__BIND, 
&ad);
     if ( rc )
         return rc;
 
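Review bot: The third check passes the same `ad` as the first two, but its direction is reversed: it tests esec2->sid against dsec1->sid, i.e. d1 is the target there, while `ad.sdom`/`ad.tdom` were fixed to d1/d2 in the earlier hunk. If avc_audit() prints the domain ids from sdom/tdom next to the contexts derived from ssid/tsid (I cannot see that code here), a denial on this check would name d2 as the target domain while showing d1's label as tcontext, which is the kind of confusion this patch sets out to remove. Consider swapping the endpoints before the reversed check, `ad.sdom = d2; ad.tdom = d1;`, or using a second audit struct for it. flask_evtchn_interdomain() starts and ends outside this hunk.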
@@ -1328,13 +1332,13 @@ static int flask_mmu_normal_update(struct domain *d, 
struct domain *t,
     if ( l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_RW )
         map_perms |= MMU__MAP_WRITE;
 
-    AVC_AUDIT_DATA_INIT(&ad, RANGE);
+    AVC_AUDIT_DATA_INIT(&ad, MEMORY);
     fmfn = get_gfn_untyped(f, l1e_get_pfn(l1e_from_intpte(fpte)));
 
     ad.sdom = d;
     ad.tdom = f;
-    ad.range.start = fpte;
-    ad.range.end = fmfn;
+    ad.memory.pte = fpte;
+    ad.memory.mfn = fmfn;
 
     rc = get_mfn_sid(fmfn, &fsid);
 
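Review bot: `ad.memory.pte = fpte` narrows the PTE value to `unsigned long`; fpte is fed to l1e_from_intpte() two lines above, so it is presumably an intpte_t, and on a build where intpte_t is 64 bits but unsigned long is 32 (32-bit PAE) the upper half of the entry — the NX bit and the high address bits — silently disappears from the audit record. If that build configuration is still supported, declare the field as `intpte_t pte;` in avc.h and print it with `PRIpte` instead of `%lx` so the audit line shows the value the permission decision was actually made on. Also note that the audit struct now records fmfn before get_mfn_sid() has validated it, which is fine for a log field but means a bogus frame will be printed as-is. flask_mmu_normal_update() starts and ends outside this hunk.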
diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h
index 0f62891..42a5e4b 100644
--- a/xen/xsm/flask/include/avc.h
+++ b/xen/xsm/flask/include/avc.h
@@ -42,6 +42,7 @@ struct avc_audit_data {
 #define AVC_AUDIT_DATA_DEV   1
 #define AVC_AUDIT_DATA_IRQ   2
 #define AVC_AUDIT_DATA_RANGE 3
+#define AVC_AUDIT_DATA_MEMORY 4
     struct domain *sdom;
     struct domain *tdom;
     union {
@@ -51,12 +52,13 @@ struct avc_audit_data {
             unsigned long start;
             unsigned long end;
         } range;
+        struct {
+            unsigned long pte;
+            unsigned long mfn;
+        } memory;
     };
 };
 
-#define v4info fam.v4
-#define v6info fam.v6
-
 /* Initialize an AVC audit data structure. */
 #define AVC_AUDIT_DATA_INIT(_d,_t) \
         { memset((_d), 0, sizeof(struct avc_audit_data)); \
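Review bot: The new `memory` member of the union is the only one whose fields are not self-describing from the audit output alone, and nothing documents what `pte` and `mfn` hold or which hook fills them in. From the hooks.c hunk it appears `pte` is the foreign PTE value being installed and `mfn` the frame it resolves to in the target domain; please confirm and record it, e.g. `/* MMU update: the PTE being written and the MFN it maps (AVC_AUDIT_DATA_MEMORY) */` above the struct. The struct avc_audit_data definition starts outside this hunk.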
-- 
1.7.7.6

