xsm/flask: report memory and IO ranges in audit messages

This information is useful when determining the cause of an AVC denial
caused by missing label on device memory or IRQs.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index c47dd40f75d01eab1815e91c71e19e76db80067c..9475d926348cce2302d973db96217b7538f09396 100644 (file)
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -568,8 +568,17 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
         d = a->d;
     if ( d )
         printk("domid=%d ", d->domain_id);
-    if ( a && a->device )
+    switch ( a ? a->type : 0 ) {
+    case AVC_AUDIT_DATA_DEV:
         printk("device=0x%lx ", a->device);
+        break;
+    case AVC_AUDIT_DATA_IRQ:
+        printk("irq=%d ", a->irq);
+        break;
+    case AVC_AUDIT_DATA_RANGE:
+        printk("range=0x%lx-0x%lx ", a->range.start, a->range.end);
+        break;
+    }
 
     avc_dump_query(ssid, tsid, tclass);
     printk("\n");

diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 0feb0702ca3f692cda11975d0d2e8891a392126d..1a3f3b30ac5790dba30931619c07c43ae0f698ee 100644 (file)
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -670,8 +670,8 @@ static int flask_irq_permission (struct domain *d, int pirq, uint8_t access)
     if ( rc )
         return rc;
 
-    AVC_AUDIT_DATA_INIT(&ad, DEV);
-    ad.device = (unsigned long) pirq;
+    AVC_AUDIT_DATA_INIT(&ad, IRQ);
+    ad.irq = pirq;
 
     rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, &ad);
     if ( rc )
@@ -694,8 +694,9 @@ static int _iomem_has_perm(void *v, u32 sid, unsigned long start, unsigned long
     struct avc_audit_data ad;
     int rc = -EPERM;
 
-    AVC_AUDIT_DATA_INIT(&ad, DEV);
-    ad.device = start;
+    AVC_AUDIT_DATA_INIT(&ad, RANGE);
+    ad.range.start = start;
+    ad.range.end = end;
 
     rc = avc_has_perm(data->ssec->sid, sid, SECCLASS_RESOURCE, data->perm, &ad);
 
@@ -771,8 +772,9 @@ static int _ioport_has_perm(void *v, u32 sid, unsigned long start, unsigned long
     struct avc_audit_data ad;
     int rc;
 
-    AVC_AUDIT_DATA_INIT(&ad, DEV);
-    ad.device = start;
+    AVC_AUDIT_DATA_INIT(&ad, RANGE);
+    ad.range.start = start;
+    ad.range.end = end;
 
     rc = avc_has_perm(data->ssec->sid, sid, SECCLASS_RESOURCE, data->perm, &ad);
 
@@ -1155,8 +1157,8 @@ static int flask_bind_pt_irq (struct domain *d, struct xen_domctl_bind_pt_irq *b
     if ( rc )
         return rc;
 
-    AVC_AUDIT_DATA_INIT(&ad, DEV);
-    ad.device = (unsigned long)irq;
+    AVC_AUDIT_DATA_INIT(&ad, IRQ);
+    ad.irq = irq;
 
     ssec = current->domain->ssid;
     rc = avc_has_perm(ssec->sid, rsid, SECCLASS_HVM, HVM__BIND_IRQ, &ad);

diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h
index 21685853732842f64ee3dc781961235b68bd4346..1b19189d6b65d51808bd4c5c02cddbfce78fa24e 100644 (file)
--- a/xen/xsm/flask/include/avc.h
+++ b/xen/xsm/flask/include/avc.h
@@ -38,9 +38,18 @@ struct sk_buff;
 /* Auxiliary data to use in generating the audit record. */
 struct avc_audit_data {
     char    type;
-#define AVC_AUDIT_DATA_DEV  1
+#define AVC_AUDIT_DATA_DEV   1
+#define AVC_AUDIT_DATA_IRQ   2
+#define AVC_AUDIT_DATA_RANGE 3
     struct domain *d;
-    unsigned long device;
+    union {
+        unsigned long device;
+        int irq;
+        struct {
+            unsigned long start;
+            unsigned long end;
+        } range;
+    };
 };
 
 #define v4info fam.v4