From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: xen-devel@lists.xensource.com
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: [PATCH 02/10] xsm: Add security label to IRQ debug output
Date: Tue, 31 Jan 2012 16:26:10 -0500 [thread overview]
Message-ID: <1328045178-30665-3-git-send-email-dgdegra@tycho.nsa.gov> (raw)
In-Reply-To: <1328045178-30665-1-git-send-email-dgdegra@tycho.nsa.gov>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
xen/arch/x86/irq.c | 8 ++++++++
xen/include/xsm/xsm.h | 7 +++++++
xen/xsm/dummy.c | 7 ++++++-
xen/xsm/flask/hooks.c | 16 ++++++++++++++++
4 files changed, 37 insertions(+), 1 deletions(-)
diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
index 058f89d..6d17ec0 100644
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -2001,6 +2001,7 @@ static void dump_irqs(unsigned char key)
struct domain *d;
const struct pirq *info;
unsigned long flags;
+ char *ssid;
printk("Guest interrupt information:\n");
@@ -2012,6 +2013,8 @@ static void dump_irqs(unsigned char key)
if ( !irq_desc_initialized(desc) || desc->handler == &no_irq_type )
continue;
+ ssid = xsm_show_irq_sid(irq);
+
spin_lock_irqsave(&desc->lock, flags);
cpumask_scnprintf(keyhandler_scratch, sizeof(keyhandler_scratch),
@@ -2021,6 +2024,9 @@ static void dump_irqs(unsigned char key)
irq, keyhandler_scratch, desc->arch.vector,
desc->handler->typename, desc->status);
+ if ( ssid )
+ printk("Z=%-25s ", ssid);
+
if ( !(desc->status & IRQ_GUEST) )
printk("mapped, unbound\n");
else
@@ -2053,6 +2059,8 @@ static void dump_irqs(unsigned char key)
}
spin_unlock_irqrestore(&desc->lock, flags);
+
+ xfree(ssid);
}
dump_ioapic_irq_info();
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 92204b3..6e3a8f0 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -113,6 +113,8 @@ struct xsm_operations {
int (*kexec) (void);
int (*schedop_shutdown) (struct domain *d1, struct domain *d2);
+
+ char *(*show_irq_sid) (int irq);
int (*irq_permission) (struct domain *d, int pirq, uint8_t allow);
int (*iomem_permission) (struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
int (*pci_config_permission) (struct domain *d, uint32_t machine_bdf, uint16_t start, uint16_t end, uint8_t access);
@@ -477,6 +479,11 @@ static inline int xsm_schedop_shutdown (struct domain *d1, struct domain *d2)
return xsm_call(schedop_shutdown(d1, d2));
}
+static inline char *xsm_show_irq_sid (int irq)
+{
+ return xsm_call(show_irq_sid(irq));
+}
+
static inline int xsm_irq_permission (struct domain *d, int pirq, uint8_t allow)
{
return xsm_call(irq_permission(d, pirq, allow));
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index fca9d7b..83e5dba 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -365,12 +365,16 @@ static int dummy_sched_op (void)
return 0;
}
-
static long dummy___do_xsm_op(XEN_GUEST_HANDLE(xsm_op_t) op)
{
return -ENOSYS;
}
+static char *dummy_show_irq_sid (int irq)
+{
+ return NULL;
+}
+
static int dummy_irq_permission (struct domain *d, int pirq, uint8_t allow)
{
return 0;
@@ -655,6 +659,7 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, kexec);
set_to_dummy_if_null(ops, schedop_shutdown);
+ set_to_dummy_if_null(ops, show_irq_sid);
set_to_dummy_if_null(ops, irq_permission);
set_to_dummy_if_null(ops, iomem_permission);
set_to_dummy_if_null(ops, pci_config_permission);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index d207b1d..d79405b 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -712,6 +712,20 @@ static inline u32 resource_to_perm(uint8_t access)
return RESOURCE__REMOVE;
}
+static char *flask_show_irq_sid (int irq)
+{
+ u32 sid, ctx_len;
+ char *ctx;
+ int rc = security_irq_sid(irq, &sid);
+ if ( rc )
+ return NULL;
+
+ if (security_sid_to_context(sid, &ctx, &ctx_len))
+ return NULL;
+
+ return ctx;
+}
+
static int flask_irq_permission (struct domain *d, int pirq, uint8_t access)
{
u32 perm;
@@ -1543,6 +1557,8 @@ static struct xsm_operations flask_ops = {
.kexec = flask_kexec,
.schedop_shutdown = flask_schedop_shutdown,
+ .show_irq_sid = flask_show_irq_sid,
+
.irq_permission = flask_irq_permission,
.iomem_permission = flask_iomem_permission,
.pci_config_permission = flask_pci_config_permission,
--
1.7.7.6
next prev parent reply other threads:[~2012-01-31 21:26 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-31 21:26 [PATCH 00/10] FLASK updates: MSI interrupts, cleanups Daniel De Graaf
2012-01-31 21:26 ` [PATCH 01/10] xsm: Add security labels to event-channel dump Daniel De Graaf
2012-01-31 21:26 ` Daniel De Graaf [this message]
2012-01-31 21:26 ` [PATCH 03/10] xsm/flask: Use PCI device label for PCI-MSI IRQs Daniel De Graaf
2012-01-31 21:26 ` [PATCH 04/10] xsm: Add xsm_map_domain_pirq hook Daniel De Graaf
2012-01-31 21:26 ` [PATCH 05/10] xsm: Use mapped IRQ not PIRQ in unmap_domain_pirq Daniel De Graaf
2012-01-31 21:26 ` [PATCH 06/10] xsm/flask: Improve error reporting for ocontexts Daniel De Graaf
2012-01-31 21:26 ` [PATCH 07/10] xsm/flask: Remove useless back pointers Daniel De Graaf
2012-01-31 21:26 ` [PATCH 08/10] flask/policy: Policy build updates Daniel De Graaf
2012-01-31 21:26 ` [PATCH 09/10] flask/policy: Add user and constraint examples Daniel De Graaf
2012-01-31 21:26 ` [PATCH 10/10] flask/policy: use declare_domain for dom0_t Daniel De Graaf
2012-02-01 19:09 ` [PATCH 0/8] XSM/FLASK updates part 2: booleans, stubdoms Daniel De Graaf
2012-02-01 19:09 ` [PATCH 1/8] xen/xsm: fix incorrect handling of XSM hook return Daniel De Graaf
2012-02-01 19:09 ` [PATCH 2/8] xsm/flask: allow policy booleans to be addressed by name Daniel De Graaf
2012-02-01 19:09 ` [PATCH 3/8] libflask: Add boolean manipulation functions Daniel De Graaf
2012-02-02 9:06 ` Ian Campbell
2012-02-02 14:28 ` Daniel De Graaf
2012-02-02 14:50 ` Ian Campbell
2012-02-02 15:22 ` Daniel De Graaf
2012-02-01 19:09 ` [PATCH 4/8] flask: add flask-{get,set}-bool tools Daniel De Graaf
2012-02-01 19:09 ` [PATCH 5/8] flask/policy: Add boolean example Daniel De Graaf
2012-02-01 19:09 ` [PATCH 6/8] libxl: Add device_model_stubdomain_seclabel Daniel De Graaf
2012-02-02 15:28 ` Keir Fraser
2012-02-09 18:25 ` Ian Jackson
2012-02-01 19:09 ` [PATCH 7/8] flask/policy: add device model types to example policy Daniel De Graaf
2012-02-09 18:25 ` Ian Jackson
2012-02-01 19:09 ` [PATCH 8/8] xsm/flask: Improve domain ID auditing in AVCs Daniel De Graaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1328045178-30665-3-git-send-email-dgdegra@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).