xsm: add remote_remap permission

The mmu_update hypercall can be used to manipulate the page tables of a remote domain. Add a check for this in the XSM hook in addition to the existing check on mapping pages of a remote domain. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
author: Daniel De Graaf <dgdegra@tycho.nsa.gov> 2011-12-18 14:33:19 +0000
committer: Daniel De Graaf <dgdegra@tycho.nsa.gov> 2011-12-18 14:33:19 +0000
commit: 4c1b911bbcd97fb68b4a9e0903a6644e50adda01 (patch)
tree: ced092f6dc59142d3362611e9acf117ffc250363 /xen/xsm
parent: d55b4c2dc629e9460d72c17bb2b0fa2028123199 (diff)
download: xen-4c1b911bbcd97fb68b4a9e0903a6644e50adda01.tar.gz
xen-4c1b911bbcd97fb68b4a9e0903a6644e50adda01.tar.bz2
xen-4c1b911bbcd97fb68b4a9e0903a6644e50adda01.zip
4 files changed, 11 insertions, 4 deletions
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index d6f2da023f..7066dfb5b1 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -399,8 +399,8 @@ static int dummy_domain_memory_map (struct domain *d)
     return 0;
 }
 
-static int dummy_mmu_normal_update (struct domain *d, struct domain *f, 
-                                                                intpte_t fpte)
+static int dummy_mmu_normal_update (struct domain *d, struct domain *t,
+                                    struct domain *f, intpte_t fpte)
 {
     return 0;
 }
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 1a3f3b30ac..04c2f687ad 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1008,8 +1008,8 @@ static int flask_domain_memory_map(struct domain *d)
     return domain_has_perm(current->domain, d, SECCLASS_MMU, MMU__MEMORYMAP);
 }
 
-static int flask_mmu_normal_update(struct domain *d, struct domain *f, 
-                                   intpte_t fpte)
+static int flask_mmu_normal_update(struct domain *d, struct domain *t,
+                                   struct domain *f, intpte_t fpte)
 {
     int rc = 0;
     u32 map_perms = MMU__MAP_READ;
@@ -1017,6 +1017,11 @@ static int flask_mmu_normal_update(struct domain *d, struct domain *f,
     struct domain_security_struct *dsec;
     u32 fsid;
 
+    if (d != t)
+        rc = domain_has_perm(d, t, SECCLASS_MMU, MMU__REMOTE_REMAP);
+    if ( rc )
+        return rc;
+
     if ( !(l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_PRESENT) )
         return 0;
 
diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h
index 70aa02d2da..56572a76b6 100644
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -87,6 +87,7 @@
    S_(SECCLASS_MMU, MMU__PINPAGE, "pinpage")
    S_(SECCLASS_MMU, MMU__MFNLIST, "mfnlist")
    S_(SECCLASS_MMU, MMU__MEMORYMAP, "memorymap")
+   S_(SECCLASS_MMU, MMU__REMOTE_REMAP, "remote_remap")
    S_(SECCLASS_SHADOW, SHADOW__DISABLE, "disable")
    S_(SECCLASS_SHADOW, SHADOW__ENABLE, "enable")
    S_(SECCLASS_SHADOW, SHADOW__LOGDIRTY, "logdirty")
diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h
index 4c2ffb61e8..67511adae5 100644
--- a/xen/xsm/flask/include/av_permissions.h
+++ b/xen/xsm/flask/include/av_permissions.h
@@ -92,6 +92,7 @@
 #define MMU__PINPAGE                              0x00000200UL
 #define MMU__MFNLIST                              0x00000400UL
 #define MMU__MEMORYMAP                            0x00000800UL
+#define MMU__REMOTE_REMAP                         0x00001000UL
 
 #define SHADOW__DISABLE                           0x00000001UL
 #define SHADOW__ENABLE                            0x00000002UL
author	Daniel De Graaf <dgdegra@tycho.nsa.gov>	2011-12-18 14:33:19 +0000
committer	Daniel De Graaf <dgdegra@tycho.nsa.gov>	2011-12-18 14:33:19 +0000
commit	4c1b911bbcd97fb68b4a9e0903a6644e50adda01 (patch)
tree	ced092f6dc59142d3362611e9acf117ffc250363 /xen/xsm
parent	d55b4c2dc629e9460d72c17bb2b0fa2028123199 (diff)
download	xen-4c1b911bbcd97fb68b4a9e0903a6644e50adda01.tar.gz xen-4c1b911bbcd97fb68b4a9e0903a6644e50adda01.tar.bz2 xen-4c1b911bbcd97fb68b4a9e0903a6644e50adda01.zip