author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-18 14:33:19 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-18 14:33:19 +0000 |
commit | 4c1b911bbcd97fb68b4a9e0903a6644e50adda01 (patch) | |
tree | ced092f6dc59142d3362611e9acf117ffc250363 /xen/xsm/flask/hooks.c | |
parent | d55b4c2dc629e9460d72c17bb2b0fa2028123199 (diff) | |
xsm: add remote_remap permission
The mmu_update hypercall can be used to manipulate the page tables of
a remote domain. Add a check for this in the XSM hook in addition to
the existing check on mapping pages of a remote domain.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Diffstat (limited to 'xen/xsm/flask/hooks.c')
-rw-r--r-- | xen/xsm/flask/hooks.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 1a3f3b30ac..04c2f687ad 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1008,8 +1008,8 @@ static int flask_domain_memory_map(struct domain *d)
 return domain_has_perm(current->domain, d, SECCLASS_MMU, MMU__MEMORYMAP);
 }
-static int flask_mmu_normal_update(struct domain *d, struct domain *f,
- intpte_t fpte)
+static int flask_mmu_normal_update(struct domain *d, struct domain *t,
+ struct domain *f, intpte_t fpte)
 {
 int rc = 0;
 u32 map_perms = MMU__MAP_READ;
@@ -1017,6 +1017,11 @@ static int flask_mmu_normal_update(struct domain *d, struct domain *f,
 struct domain_security_struct *dsec;
 u32 fsid;
+ if (d != t)
+ rc = domain_has_perm(d, t, SECCLASS_MMU, MMU__REMOTE_REMAP);
+ if ( rc )
+ return rc;
+
+ if ( !(l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_PRESENT) )
 return 0; |
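Review bot: The widened signature of flask_mmu_normal_update takes three `struct domain *` arguments named only d, t and f, and nothing at the definition says which is which. A caller that passes the page-table owner and the frame owner in the wrong order would still compile, and the permission checks would then run against the wrong pair of domains. Going by the commit message, t looks like the domain whose page tables are being modified and f the domain owning the page being mapped; a comment above the function such as `/* d: requesting domain; t: owner of the page table being updated; f: owner of the frame named by fpte */` would pin that down once it is confirmed against the callers. The callers and the XSM hook prototype fall outside this diffstat (limited to hooks.c), and the function body continues past the hunk.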
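Review bot: The new MMU__REMOTE_REMAP check is placed ahead of the `_PAGE_PRESENT` early return, which matters for security but is not documented: if it were moved below that shortcut, an update writing a non-present entry into another domain's page table would return 0 without any remote_remap check. A comment above `if (d != t)` would guard against a later reordering, for example `/* Must precede the !_PAGE_PRESENT shortcut: non-present updates to a remote page table still require remote_remap. */`. The `if ( rc ) return rc;` pair only has work to do when `d != t`, so nesting it inside that branch with braces would make the dependency on the `rc = 0` initialiser less fragile. On style, `if (d != t)` should use the `if ( ... )` spacing of the surrounding lines. The function body continues past the end of the hunk.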