diff options
author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-18 14:33:48 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-18 14:33:48 +0000 |
commit | 875756ca34fabc7243c4a682ffd7008710a907e2 (patch) | |
tree | c4992e378b41a03f691fe756a5c3343b62381db9 /xen/common/grant_table.c | |
parent | 4c1b911bbcd97fb68b4a9e0903a6644e50adda01 (diff) | |
download | xen-875756ca34fabc7243c4a682ffd7008710a907e2.tar.gz xen-875756ca34fabc7243c4a682ffd7008710a907e2.tar.bz2 xen-875756ca34fabc7243c4a682ffd7008710a907e2.zip |
xsm: Add missing access checks
Actions requiring IS_PRIV should also require some XSM access control
in order for XSM to be useful in confining multiple privileged
domains. Add XSM hooks for new hypercalls and sub-commands that are
under IS_PRIV but not currently under any access checks.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Diffstat (limited to 'xen/common/grant_table.c')
-rw-r--r-- | xen/common/grant_table.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index e2b103b5fb..fefa8383b2 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -2208,6 +2208,11 @@ gnttab_get_status_frames(XEN_GUEST_HANDLE(gnttab_get_status_frames_t) uop, op.status = GNTST_general_error; goto out1; } + rc = xsm_grant_setup(current->domain, d); + if ( rc ) { + op.status = GNTST_permission_denied; + goto out1; + } gt = d->grant_table; @@ -2259,6 +2264,11 @@ gnttab_get_version(XEN_GUEST_HANDLE(gnttab_get_version_t uop)) rcu_unlock_domain(d); return -EPERM; } + if ( xsm_grant_query_size(current->domain, d) ) + { + rcu_unlock_domain(d); + return -EPERM; + } spin_lock(&d->grant_table->lock); op.version = d->grant_table->gt_version; spin_unlock(&d->grant_table->lock); |