diff options
author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-18 14:34:42 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-18 14:34:42 +0000 |
commit | 32103e04bed97da5c42a12d2d40cbdfff61e8cdb (patch) | |
tree | 4bf75215cdf821c41f61f0950ba9887f334a19d7 /xen/xsm | |
parent | f2271ccd4576e36a975a5648cee436b12e1d857a (diff) | |
download | xen-32103e04bed97da5c42a12d2d40cbdfff61e8cdb.tar.gz xen-32103e04bed97da5c42a12d2d40cbdfff61e8cdb.tar.bz2 xen-32103e04bed97da5c42a12d2d40cbdfff61e8cdb.zip |
xsm: add checks on PCI configuration access
PCI configuration access is allowed to any privileged domain
regardless of I/O port access restrictions; add XSM hooks for these
accesses.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Diffstat (limited to 'xen/xsm')
-rw-r--r-- | xen/xsm/dummy.c | 8 | ||||
-rw-r--r-- | xen/xsm/flask/hooks.c | 24 |
2 files changed, 32 insertions, 0 deletions
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index a4accb8fa1..4bbfbffb14 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -369,6 +369,13 @@ static int dummy_iomem_permission (struct domain *d, uint64_t s, uint64_t e, uin return 0; } +static int dummy_pci_config_permission (struct domain *d, uint32_t machine_bdf, + uint16_t start, uint16_t end, + uint8_t access) +{ + return 0; +} + #ifdef CONFIG_X86 static int dummy_shadow_control (struct domain *d, uint32_t op) { @@ -631,6 +638,7 @@ void xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, irq_permission); set_to_dummy_if_null(ops, iomem_permission); + set_to_dummy_if_null(ops, pci_config_permission); set_to_dummy_if_null(ops, test_assign_device); set_to_dummy_if_null(ops, assign_device); diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index efe52bbc4b..0d35767821 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -762,6 +762,29 @@ static int flask_iomem_permission(struct domain *d, uint64_t start, uint64_t end return security_iterate_iomem_sids(start, end, _iomem_has_perm, &data); } +static int flask_pci_config_permission(struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access) +{ + u32 rsid; + int rc = -EPERM; + struct avc_audit_data ad; + struct domain_security_struct *ssec; + u32 perm = RESOURCE__USE; + + rc = security_device_sid(machine_bdf, &rsid); + if ( rc ) + return rc; + + /* Writes to the BARs count as setup */ + if ( access && (end >= 0x10 && start < 0x28) ) + perm = RESOURCE__SETUP; + + AVC_AUDIT_DATA_INIT(&ad, DEV); + ad.device = (unsigned long) machine_bdf; + ssec = d->ssid; + return avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, &ad); + +} + static int flask_resource_plug_core(void) { struct domain_security_struct *ssec; @@ -1481,6 +1504,7 @@ static struct xsm_operations flask_ops = { .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission, + .pci_config_permission = flask_pci_config_permission, .resource_plug_core = flask_resource_plug_core, .resource_unplug_core = flask_resource_unplug_core, |