xsm: always allow setting non-present PTEs

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

1 files changed, 9 insertions, 3 deletions

diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 2cb3e169c0..80c1f7017f 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1016,6 +1016,9 @@ static int flask_mmu_normal_update(struct domain *d, struct domain *f,
     struct domain_security_struct *dsec;
     u32 fsid;
 
+    if ( !(l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_PRESENT) )
+        return 0;
+
     dsec = d->ssid;
 
     if ( l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_RW )
@@ -1053,6 +1056,12 @@ static int flask_update_va_mapping(struct domain *d, struct domain *f,
     unsigned long mfn;
     struct domain_security_struct *dsec;
 
+    if ( !(l1e_get_flags(pte) & _PAGE_PRESENT) )
+        return 0;
+
+    if ( l1e_get_flags(pte) & _PAGE_RW )
+        map_perms |= MMU__MAP_WRITE;
+
     dsec = d->ssid;
 
     mfn = get_gfn_untyped(f, l1e_get_pfn(pte));
@@ -1060,9 +1069,6 @@ static int flask_update_va_mapping(struct domain *d, struct domain *f,
     if ( rc )
         return rc;
 
-    if ( l1e_get_flags(pte) & _PAGE_RW )
-        map_perms |= MMU__MAP_WRITE;
-
     return avc_has_perm(dsec->sid, psid, SECCLASS_MMU, map_perms, NULL);
 }