diff options
author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-02-29 13:48:41 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-02-29 13:48:41 +0000 |
commit | 88683bd3730236b9b15afa602514a93691432870 (patch) | |
tree | 09c9e61e8884c59d97b596408e6f21ae2e61f520 /xen/xsm | |
parent | 42d446c595a99c0a57b3b597dd679da8b2e4ce74 (diff) | |
download | xen-88683bd3730236b9b15afa602514a93691432870.tar.gz xen-88683bd3730236b9b15afa602514a93691432870.tar.bz2 xen-88683bd3730236b9b15afa602514a93691432870.zip |
xsm: expose context of event channel peers
This hypercall allows a domain to identify the security context of a
domain that it is communicating with using the interdomain event
channel that it is using for the communication. This can be used to
augment Xen's security permissions with intra-domain security checks.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/xsm')
-rw-r--r-- | xen/xsm/flask/flask_op.c | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c index 00a0af2ab6..bd4db3792c 100644 --- a/xen/xsm/flask/flask_op.c +++ b/xen/xsm/flask/flask_op.c @@ -9,6 +9,7 @@ */ #include <xen/errno.h> +#include <xen/event.h> #include <xsm/xsm.h> #include <xen/guest_access.h> @@ -44,6 +45,7 @@ integer_param("flask_enabled", flask_enabled); 1UL<<FLASK_AVC_HASHSTATS | \ 1UL<<FLASK_AVC_CACHESTATS | \ 1UL<<FLASK_MEMBER | \ + 1UL<<FLASK_GET_PEER_SID | \ 0) static DEFINE_SPINLOCK(sel_sem); @@ -541,6 +543,36 @@ static int flask_ocontext_add(struct xen_flask_ocontext *arg) return security_ocontext_add(arg->ocon, arg->low, arg->high, arg->sid); } +static int flask_get_peer_sid(struct xen_flask_peersid *arg) +{ + int rv = -EINVAL; + struct domain *d = current->domain; + struct domain *peer; + struct evtchn *chn; + struct domain_security_struct *dsec; + + spin_lock(&d->event_lock); + + if ( !port_is_valid(d, arg->evtchn) ) + goto out; + + chn = evtchn_from_port(d, arg->evtchn); + if ( chn->state != ECS_INTERDOMAIN ) + goto out; + + peer = chn->u.interdomain.remote_dom; + if ( !peer ) + goto out; + + dsec = peer->ssid; + arg->sid = dsec->sid; + rv = 0; + + out: + spin_unlock(&d->event_lock); + return rv; +} + long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op) { xen_flask_op_t op; @@ -644,6 +676,10 @@ long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op) rv = flask_ocontext_del(&op.u.ocontext); break; + case FLASK_GET_PEER_SID: + rv = flask_get_peer_sid(&op.u.peersid); + break; + default: rv = -ENOSYS; } |