From 88683bd3730236b9b15afa602514a93691432870 Mon Sep 17 00:00:00 2001 From: Daniel De Graaf Date: Wed, 29 Feb 2012 13:48:41 +0000 Subject: xsm: expose context of event channel peers This hypercall allows a domain to identify the security context of a domain that it is communicating with using the interdomain event channel that it is using for the communication. This can be used to augment Xen's security permissions with intra-domain security checks. Signed-off-by: Daniel De Graaf Committed-by: Keir Fraser --- xen/xsm/flask/flask_op.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'xen/xsm') diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c index 00a0af2ab6..bd4db3792c 100644 --- a/xen/xsm/flask/flask_op.c +++ b/xen/xsm/flask/flask_op.c @@ -9,6 +9,7 @@ */ #include +#include #include #include @@ -44,6 +45,7 @@ integer_param("flask_enabled", flask_enabled); 1UL<ocon, arg->low, arg->high, arg->sid); } +static int flask_get_peer_sid(struct xen_flask_peersid *arg) +{ + int rv = -EINVAL; + struct domain *d = current->domain; + struct domain *peer; + struct evtchn *chn; + struct domain_security_struct *dsec; + + spin_lock(&d->event_lock); + + if ( !port_is_valid(d, arg->evtchn) ) + goto out; + + chn = evtchn_from_port(d, arg->evtchn); + if ( chn->state != ECS_INTERDOMAIN ) + goto out; + + peer = chn->u.interdomain.remote_dom; + if ( !peer ) + goto out; + + dsec = peer->ssid; + arg->sid = dsec->sid; + rv = 0; + + out: + spin_unlock(&d->event_lock); + return rv; +} + long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op) { xen_flask_op_t op; @@ -644,6 +676,10 @@ long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op) rv = flask_ocontext_del(&op.u.ocontext); break; + case FLASK_GET_PEER_SID: + rv = flask_get_peer_sid(&op.u.peersid); + break; + default: rv = -ENOSYS; } -- cgit v1.2.3