diff options
author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-18 14:32:26 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-18 14:32:26 +0000 |
commit | 2132cbee537186dbd88917b9d69dce9857f86dbb (patch) | |
tree | a1123690523e013011f0ff9a1da00b1f0db04736 /xen/xsm/flask/hooks.c | |
parent | 94d160f1445d25b563d0dab259b8df2e783390ea (diff) | |
download | xen-2132cbee537186dbd88917b9d69dce9857f86dbb.tar.gz xen-2132cbee537186dbd88917b9d69dce9857f86dbb.tar.bz2 xen-2132cbee537186dbd88917b9d69dce9857f86dbb.zip |
xsm/flask: report memory and IO ranges in audit messages
This information is useful when determining the cause of an AVC denial
caused by missing label on device memory or IRQs.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Diffstat (limited to 'xen/xsm/flask/hooks.c')
-rw-r--r-- | xen/xsm/flask/hooks.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 0feb0702ca..1a3f3b30ac 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -670,8 +670,8 @@ static int flask_irq_permission (struct domain *d, int pirq, uint8_t access) if ( rc ) return rc; - AVC_AUDIT_DATA_INIT(&ad, DEV); - ad.device = (unsigned long) pirq; + AVC_AUDIT_DATA_INIT(&ad, IRQ); + ad.irq = pirq; rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, &ad); if ( rc ) @@ -694,8 +694,9 @@ static int _iomem_has_perm(void *v, u32 sid, unsigned long start, unsigned long struct avc_audit_data ad; int rc = -EPERM; - AVC_AUDIT_DATA_INIT(&ad, DEV); - ad.device = start; + AVC_AUDIT_DATA_INIT(&ad, RANGE); + ad.range.start = start; + ad.range.end = end; rc = avc_has_perm(data->ssec->sid, sid, SECCLASS_RESOURCE, data->perm, &ad); @@ -771,8 +772,9 @@ static int _ioport_has_perm(void *v, u32 sid, unsigned long start, unsigned long struct avc_audit_data ad; int rc; - AVC_AUDIT_DATA_INIT(&ad, DEV); - ad.device = start; + AVC_AUDIT_DATA_INIT(&ad, RANGE); + ad.range.start = start; + ad.range.end = end; rc = avc_has_perm(data->ssec->sid, sid, SECCLASS_RESOURCE, data->perm, &ad); @@ -1155,8 +1157,8 @@ static int flask_bind_pt_irq (struct domain *d, struct xen_domctl_bind_pt_irq *b if ( rc ) return rc; - AVC_AUDIT_DATA_INIT(&ad, DEV); - ad.device = (unsigned long)irq; + AVC_AUDIT_DATA_INIT(&ad, IRQ); + ad.irq = irq; ssec = current->domain->ssid; rc = avc_has_perm(ssec->sid, rsid, SECCLASS_HVM, HVM__BIND_IRQ, &ad); |