authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-04-17 08:31:07 +0100
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-04-17 08:31:07 +0100
commit8eee0a1a5f73085467e4a5e8ada94a3d9599cb4d (patch)
treebd5128b83a8d59ff07e855fa57a1bd9869bb933f /xen/xsm
parentf5f061b681ba29850ca7b1905ae584d66da97ddf (diff)
xsm/flask: clean up auditing output
The audit data for normal MMU updates was incorrectly using the RANGE type which presented the data badly in audit messages; add a MEMORY type for this showing the correct names for the fields. This patch also shows the target domain in event channel mapping checks to make debugging those denials easier. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/xsm')
-rw-r--r--xen/xsm/flask/avc.c3
-rw-r--r--xen/xsm/flask/hooks.c16
-rw-r--r--xen/xsm/flask/include/avc.h8
3 files changed, 18 insertions, 9 deletions
diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index b5486a3bd4..95c928b5bb 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -639,6 +639,9 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
case AVC_AUDIT_DATA_RANGE:
avc_printk(&buf, "range=0x%lx-0x%lx ", a->range.start, a->range.end);
break;
+ case AVC_AUDIT_DATA_MEMORY:
+ avc_printk(&buf, "pte=0x%lx mfn=0x%lx", a->memory.pte, a->memory.mfn);
+ break;
}
avc_dump_query(&buf, ssid, tsid, tclass);
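Review bot: The new AVC_AUDIT_DATA_MEMORY format string has no trailing space, unlike the RANGE case directly above it, so whatever avc_dump_query() writes next will run straight into the mfn value in the audit line (something like `mfn=0x1234scontext=...`), which makes denial records harder to read and to parse when searching logs. The fix is to end the string the same way the other cases do: `avc_printk(&buf, "pte=0x%lx mfn=0x%lx ", a->memory.pte, a->memory.mfn);`. avc_audit() continues outside the hunk, so I cannot see whether a separator is emitted elsewhere before the query dump; if it is, this is only a consistency nit.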
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 9948fca2a2..c93b8d09b3 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -186,6 +186,10 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1,
int rc;
struct domain_security_struct *dsec, *dsec1, *dsec2;
struct evtchn_security_struct *esec1, *esec2;
+ struct avc_audit_data ad;
+ AVC_AUDIT_DATA_INIT(&ad, NONE);
+ ad.sdom = d1;
+ ad.tdom = d2;
dsec = current->domain->ssid;
dsec1 = d1->ssid;
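Review bot: The single `ad` filled here with sdom=d1/tdom=d2 is passed unchanged to all three avc_has_perm() calls in the next hunk, but those checks use different subject/target pairs (the caller's SID creating the channel, the channel SID binding to d2, and the channel SID of esec2 binding to d1), so if the audit line prints the domain fields next to the SID pair, a denial on the later checks will name domains that do not correspond to the SIDs being checked. Either set `ad.sdom`/`ad.tdom` before each call to match that check, or document the intent on the new lines, e.g. `/* sdom/tdom name the two channel endpoints, not the subject/target of each individual check */`, so whoever reads the denial knows how to interpret the fields. This applies to the hunk at `@@ -203,15 +207,15 @@` as well. The body of flask_evtchn_interdomain() starts before this hunk and its signature is cut at the hunk header.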
@@ -203,15 +207,15 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1,
return rc;
}
- rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, NULL);
+ rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, &ad);
if ( rc )
return rc;
- rc = avc_has_perm(newsid, dsec2->sid, SECCLASS_EVENT, EVENT__BIND, NULL);
+ rc = avc_has_perm(newsid, dsec2->sid, SECCLASS_EVENT, EVENT__BIND, &ad);
if ( rc )
return rc;
- rc = avc_has_perm(esec2->sid, dsec1->sid, SECCLASS_EVENT, EVENT__BIND, NULL);
+ rc = avc_has_perm(esec2->sid, dsec1->sid, SECCLASS_EVENT, EVENT__BIND, &ad);
if ( rc )
return rc;
@@ -1328,13 +1332,13 @@ static int flask_mmu_normal_update(struct domain *d, struct domain *t,
if ( l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_RW )
map_perms |= MMU__MAP_WRITE;
- AVC_AUDIT_DATA_INIT(&ad, RANGE);
+ AVC_AUDIT_DATA_INIT(&ad, MEMORY);
fmfn = get_gfn_untyped(f, l1e_get_pfn(l1e_from_intpte(fpte)));
ad.sdom = d;
ad.tdom = f;
- ad.range.start = fpte;
- ad.range.end = fmfn;
+ ad.memory.pte = fpte;
+ ad.memory.mfn = fmfn;
rc = get_mfn_sid(fmfn, &fsid);
diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h
index 0f62891154..42a5e4b1df 100644
--- a/xen/xsm/flask/include/avc.h
+++ b/xen/xsm/flask/include/avc.h
@@ -42,6 +42,7 @@ struct avc_audit_data {
#define AVC_AUDIT_DATA_DEV 1
#define AVC_AUDIT_DATA_IRQ 2
#define AVC_AUDIT_DATA_RANGE 3
+#define AVC_AUDIT_DATA_MEMORY 4
struct domain *sdom;
struct domain *tdom;
union {
@@ -51,12 +52,13 @@ struct avc_audit_data {
unsigned long start;
unsigned long end;
} range;
+ struct {
+ unsigned long pte;
+ unsigned long mfn;
+ } memory;
};
};
-#define v4info fam.v4
-#define v6info fam.v6
-
/* Initialize an AVC audit data structure. */
#define AVC_AUDIT_DATA_INIT(_d,_t) \
{ memset((_d), 0, sizeof(struct avc_audit_data)); \
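Review bot: The new `memory` union member and AVC_AUDIT_DATA_MEMORY are added without a comment stating what the two fields hold, and the only place that fixes their meaning is the hooks.c hunk, where `pte` receives the PTE value being validated and `mfn` the frame it resolves to. A short comment on the member keeps the header self-describing: `/* AVC_AUDIT_DATA_MEMORY: PTE under check and the MFN it maps */`. The removal of the `v4info`/`v6info` defines is not mentioned in the commit message; the diff does not show whether anything still references them, so a word in the description (or a follow-up grep) would reassure reviewers. The AVC_AUDIT_DATA_INIT macro body continues past the end of the hunk.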