}

/*
 * FLASK XSM hooks (continued).
 *
 * Conventions visible in this section:
 *  - A hook returns 0 to allow the operation and a non-zero error (usually
 *    the value propagated from domain_has_perm()/avc_has_perm(), or -EPERM
 *    for an unrecognised sub-command) to deny it.
 *  - The subject of a check is normally current->domain (the caller of the
 *    hypercall); the few hooks that use a passed-in domain as the subject
 *    are called out below.
 *  - Every switch on a sub-command has a default that returns -EPERM, so an
 *    unknown command is denied rather than allowed.
 */

/* Allow the caller to read a vCPU context of domain d. */
static int flask_getvcpucontext(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT);
}

/* Allow the caller to query vCPU information of domain d. */
static int flask_getvcpuinfo(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__GETVCPUINFO);
}

/* Allow the caller to set the time of domain d. */
static int flask_domain_settime(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__SETTIME);
}

/*
 * Trace-buffer control.  Note that the permission argument passed here is
 * SECCLASS_XEN (a class value), whereas every other domain_has_xen() call in
 * this file passes a XEN__* permission bit; confirm against the definition of
 * domain_has_xen() that this is the intended permission and not a mix-up.
 */
static int flask_tbufcontrol(void)
{
    return domain_has_xen(current->domain, SECCLASS_XEN);
}

/*
 * Console read.  Reading always needs XEN__READCONSOLE; a non-zero @clear
 * additionally requires XEN__CLEARCONSOLE, so a destructive read is gated
 * by a second permission bit.
 */
static int flask_readconsole(uint32_t clear)
{
    u32 perms = XEN__READCONSOLE;

    if ( clear )
        perms |= XEN__CLEARCONSOLE;

    return domain_has_xen(current->domain, perms);
}

/* Query the scheduler id. */
static int flask_sched_id(void)
{
    return domain_has_xen(current->domain, XEN__SCHEDULER);
}

/* Set the maximum memory of domain d. */
static int flask_setdomainmaxmem(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINMAXMEM);
}

/* Set the handle (UUID) of domain d. */
static int flask_setdomainhandle(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE);
}

/* Enable/disable debugging of domain d. */
static int flask_setdebugging(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__SETDEBUGGING);
}

/*
 * Map the boolean @access of a resource-permission hypercall onto the
 * domain-level permission: non-zero grants (RESOURCE__ADD), zero revokes
 * (RESOURCE__REMOVE).
 */
static inline u32 resource_to_perm(uint8_t access)
{
    if ( access )
        return RESOURCE__ADD;
    else
        return RESOURCE__REMOVE;
}

/*
 * Grant or revoke domain d's access to physical IRQ @pirq.
 *
 * Three checks are performed, in order, and the first failure is returned:
 *  1. the caller may add/remove resources to/from domain d at all
 *     (SECCLASS_RESOURCE, RESOURCE__ADD or RESOURCE__REMOVE on d);
 *  2. the caller may add/remove this particular IRQ, identified by the SID
 *     that security_pirq_sid() resolves for @pirq;
 *  3. the target domain d is allowed to use that IRQ (RESOURCE__USE).
 *
 * Errors from security_pirq_sid() are propagated unchanged (contrast
 * flask_assign_vector() below, which collapses them to -EPERM).
 * The -EPERM initialiser of rc is overwritten by the first check.
 */
static int flask_irq_permission(struct domain *d, uint8_t pirq, uint8_t access)
{
    u32 perm;
    u32 rsid;
    int rc = -EPERM;
    struct domain_security_struct *ssec, *tsec;

    rc = domain_has_perm(current->domain, d, SECCLASS_RESOURCE, resource_to_perm(access));
    if ( rc )
        return rc;

    if ( access )
        perm = RESOURCE__ADD_IRQ;
    else
        perm = RESOURCE__REMOVE_IRQ;

    ssec = current->domain->ssid;
    tsec = d->ssid;

    rc = security_pirq_sid(pirq, &rsid);
    if ( rc )
        return rc;

    rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, NULL);
    if ( rc )
        return rc;

    return avc_has_perm(tsec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__USE, NULL);
}

/*
 * Grant or revoke domain d's access to the I/O memory page @mfn.
 * Same three-step check as flask_irq_permission(), with the resource SID
 * resolved by security_iomem_sid() and the per-resource permission being
 * RESOURCE__ADD_IOMEM / RESOURCE__REMOVE_IOMEM.
 */
static int flask_iomem_permission(struct domain *d, unsigned long mfn, uint8_t access)
{
    u32 perm;
    u32 rsid;
    int rc = -EPERM;
    struct domain_security_struct *ssec, *tsec;

    rc = domain_has_perm(current->domain, d, SECCLASS_RESOURCE, resource_to_perm(access));
    if ( rc )
        return rc;

    if ( access )
        perm = RESOURCE__ADD_IOMEM;
    else
        perm = RESOURCE__REMOVE_IOMEM;

    ssec = current->domain->ssid;
    tsec = d->ssid;

    rc = security_iomem_sid(mfn, &rsid);
    if ( rc )
        return rc;

    rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, NULL);
    if ( rc )
        return rc;

    return avc_has_perm(tsec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__USE, NULL);
}

/* Performance-counter control. */
static int flask_perfcontrol(void)
{
    return domain_has_xen(current->domain, XEN__PERFCONTROL);
}

#ifdef CONFIG_X86
/*
 * Shadow-paging control on domain d.  Sub-operations are grouped into three
 * permissions: disabling (SHADOW__DISABLE); enabling and allocation
 * queries/changes (SHADOW__ENABLE); and log-dirty enable/peek/clean
 * (SHADOW__LOGDIRTY).  Any other op is denied with -EPERM.
 */
static int flask_shadow_control(struct domain *d, uint32_t op)
{
    u32 perm;

    switch ( op )
    {
    case XEN_DOMCTL_SHADOW_OP_OFF:
        perm = SHADOW__DISABLE;
        break;
    case XEN_DOMCTL_SHADOW_OP_ENABLE:
    case XEN_DOMCTL_SHADOW_OP_ENABLE_TEST:
    case XEN_DOMCTL_SHADOW_OP_ENABLE_TRANSLATE:
    case XEN_DOMCTL_SHADOW_OP_GET_ALLOCATION:
    case XEN_DOMCTL_SHADOW_OP_SET_ALLOCATION:
        perm = SHADOW__ENABLE;
        break;
    case XEN_DOMCTL_SHADOW_OP_ENABLE_LOGDIRTY:
    case XEN_DOMCTL_SHADOW_OP_PEEK:
    case XEN_DOMCTL_SHADOW_OP_CLEAN:
        perm = SHADOW__LOGDIRTY;
        break;
    default:
        return -EPERM;
    }

    return domain_has_perm(current->domain, d, SECCLASS_SHADOW, perm);
}

/*
 * Grant or revoke domain d's access to I/O port @ioport.
 * Same three-step check as flask_irq_permission(), with the resource SID
 * resolved by security_ioport_sid() and the per-resource permission being
 * RESOURCE__ADD_IOPORT / RESOURCE__REMOVE_IOPORT.
 */
static int flask_ioport_permission(struct domain *d, uint32_t ioport, uint8_t access)
{
    u32 perm;
    u32 rsid;
    int rc = -EPERM;
    struct domain_security_struct *ssec, *tsec;

    rc = domain_has_perm(current->domain, d, SECCLASS_RESOURCE, resource_to_perm(access));
    if ( rc )
        return rc;

    if ( access )
        perm = RESOURCE__ADD_IOPORT;
    else
        perm = RESOURCE__REMOVE_IOPORT;

    ssec = current->domain->ssid;
    tsec = d->ssid;

    rc = security_ioport_sid(ioport, &rsid);
    if ( rc )
        return rc;

    rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, NULL);
    if ( rc )
        return rc;

    return avc_has_perm(tsec->sid, rsid, SECCLASS_RESOURCE, RESOURCE__USE, NULL);
}

/*
 * Query information about a page frame.  The target is the page's own SID
 * (from get_page_sid()), not a domain; get_page_sid() errors are propagated.
 */
static int flask_getpageframeinfo(struct page_info *page)
{
    int rc = 0;
    u32 tsid;
    struct domain_security_struct *dsec;

    dsec = current->domain->ssid;

    rc = get_page_sid(page, &tsid);
    if ( rc )
        return rc;

    return avc_has_perm(dsec->sid, tsid, SECCLASS_MMU, MMU__PAGEINFO, NULL);
}

/* List the pages owned by domain d. */
static int flask_getmemlist(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_MMU, MMU__PAGELIST);
}

/* Initialise the hypercall page of domain d. */
static int flask_hypercall_init(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, DOMAIN__HYPERCALL);
}

/* Get/set the HVM context of domain d; unknown cmd is denied. */
static int flask_hvmcontext(struct domain *d, uint32_t cmd)
{
    u32 perm;

    switch ( cmd )
    {
    case XEN_DOMCTL_sethvmcontext:
        perm = HVM__SETHVMC;
        break;
    case XEN_DOMCTL_gethvmcontext:
        perm = HVM__GETHVMC;
        break;
    default:
        return -EPERM;
    }

    return domain_has_perm(current->domain, d, SECCLASS_HVM, perm);
}

/* Get/set the address size of domain d; unknown cmd is denied. */
static int flask_address_size(struct domain *d, uint32_t cmd)
{
    u32 perm;

    switch ( cmd )
    {
    case XEN_DOMCTL_set_address_size:
        perm = DOMAIN__SETADDRSIZE;
        break;
    case XEN_DOMCTL_get_address_size:
        perm = DOMAIN__GETADDRSIZE;
        break;
    default:
        return -EPERM;
    }

    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, perm);
}

/* Get/set an HVM parameter of domain d; unknown op is denied. */
static int flask_hvm_param(struct domain *d, unsigned long op)
{
    u32 perm;

    switch ( op )
    {
    case HVMOP_set_param:
        perm = HVM__SETPARAM;
        break;
    case HVMOP_get_param:
        perm = HVM__GETPARAM;
        break;
    default:
        return -EPERM;
    }

    return domain_has_perm(current->domain, d, SECCLASS_HVM, perm);
}

/* Set a PCI INTx level in domain d's virtual platform. */
static int flask_hvm_set_pci_intx_level(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__PCILEVEL);
}

/* Set an ISA IRQ level in domain d's virtual platform. */
static int flask_hvm_set_isa_irq_level(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__IRQLEVEL);
}

/* Set a PCI link route in domain d's virtual platform. */
static int flask_hvm_set_pci_link_route(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_HVM, HVM__PCIROUTE);
}

/*
 * Physical APIC read/write.  Unlike the other hooks in this section the
 * subject is the passed-in domain d, not current->domain; callers are
 * expected to pass the domain whose privilege should be checked.
 */
static int flask_apic(struct domain *d, int cmd)
{
    u32 perm;

    switch ( cmd )
    {
    case PHYSDEVOP_APIC_READ:
        perm = XEN__READAPIC;
        break;
    case PHYSDEVOP_APIC_WRITE:
        perm = XEN__WRITEAPIC;
        break;
    default:
        return -EPERM;
    }

    return domain_has_xen(d, perm);
}

/*
 * Assign a vector for physical IRQ @pirq to domain d.  The subject is d
 * itself; a failure to resolve the IRQ's SID is reported as -EPERM rather
 * than propagated (compare flask_irq_permission()).
 */
static int flask_assign_vector(struct domain *d, uint32_t pirq)
{
    u32 psid;
    struct domain_security_struct *dsec;

    dsec = d->ssid;

    if ( security_pirq_sid(pirq, &psid) )
        return -EPERM;

    return avc_has_perm(dsec->sid, psid, SECCLASS_EVENT, EVENT__VECTOR, NULL);
}

/* Set the hypervisor wall-clock time. */
static int flask_xen_settime(void)
{
    return domain_has_xen(current->domain, XEN__SETTIME);
}

/* Add/delete/read a memory-type (MTRR) range; unknown access is denied. */
static int flask_memtype(uint32_t access)
{
    u32 perm;

    switch ( access )
    {
    case XENPF_add_memtype:
        perm = XEN__MTRR_ADD;
        break;
    case XENPF_del_memtype:
        perm = XEN__MTRR_DEL;
        break;
    case XENPF_read_memtype:
        perm = XEN__MTRR_READ;
        break;
    default:
        return -EPERM;
    }

    return domain_has_xen(current->domain, perm);
}

/* Load a CPU microcode update. */
static int flask_microcode(void)
{
    return domain_has_xen(current->domain, XEN__MICROCODE);
}

/* Query physical host information. */
static int flask_physinfo(void)
{
    return domain_has_xen(current->domain, XEN__PHYSINFO);
}

/*
 * Apply a platform quirk.  @quirk is not consulted: every quirk is gated by
 * the single XEN__QUIRK permission against the hypervisor SID, so the policy
 * cannot distinguish between quirks.
 */
static int flask_platform_quirk(uint32_t quirk)
{
    struct domain_security_struct *dsec;

    dsec = current->domain->ssid;

    return avc_has_perm(dsec->sid, SECINITSID_XEN, SECCLASS_XEN, XEN__QUIRK, NULL);
}

/* Read the machine (E820) memory map; target is the hypervisor SID. */
static int flask_machine_memory_map(void)
{
    struct domain_security_struct *dsec;

    dsec = current->domain->ssid;

    return avc_has_perm(dsec->sid, SECINITSID_XEN, SECCLASS_MMU, MMU__MEMORYMAP, NULL);
}

/* Read the memory map of domain d. */
static int flask_domain_memory_map(struct domain *d)
{
    return domain_has_perm(current->domain, d, SECCLASS_MMU, MMU__MEMORYMAP);
}

/*
 * Normal PTE update by domain d.  The required MMU permission is MAP_READ,
 * plus MAP_WRITE if the new entry has _PAGE_RW set.  The target is the SID
 * of the machine frame the entry points at, after translating the guest
 * frame through gmfn_to_mfn(FOREIGNDOM, ...) (FOREIGNDOM is defined outside
 * this file; presumably the foreign-domain context of the current
 * multicall, verify against its definition).  get_mfn_sid() errors are
 * propagated.
 */
static int flask_mmu_normal_update(struct domain *d, intpte_t fpte)
{
    int rc = 0;
    u32 map_perms = MMU__MAP_READ;
    unsigned long fmfn;
    struct domain_security_struct *dsec;
    u32 fsid;

    dsec = d->ssid;

    if ( l1e_get_flags(l1e_from_intpte(fpte)) & _PAGE_RW )
        map_perms |= MMU__MAP_WRITE;

    fmfn = gmfn_to_mfn(FOREIGNDOM, l1e_get_pfn(l1e_from_intpte(fpte)));

    rc = get_mfn_sid(fmfn, &fsid);
    if ( rc )
        return rc;

    return avc_has_perm(dsec->sid, fsid, SECCLASS_MMU, map_perms, NULL);
}

/*
 * Machine-to-physical table update by domain d for frame @mfn.  Target is
 * the frame's SID; get_mfn_sid() errors are propagated.
 */
static int flask_mmu_machphys_update(struct domain *d, unsigned long mfn)
{
    int rc = 0;
    u32 psid;
    struct domain_security_struct *dsec;

    dsec = d->ssid;

    rc = get_mfn_sid(mfn, &psid);
    if ( rc )
        return rc;

    return avc_has_perm(dsec->sid, psid, SECCLASS_MMU, MMU__UPDATEMP, NULL);
}

/*
 * update_va_mapping by domain d.  Same permission derivation as
 * flask_mmu_normal_update() (MAP_READ, plus MAP_WRITE when _PAGE_RW is set),
 * but taking an l1_pgentry_t directly.  The frame translation goes through
 * gmfn_to_mfn(FOREIGNDOM, ...) as above.
 */
static int flask_update_va_mapping(struct domain *d, l1_pgentry_t pte)
{
    int rc = 0;
    u32 psid;
    u32 map_perms = MMU__MAP_READ;
    unsigned long mfn;
    struct domain_security_struct *dsec;

    dsec = d->ssid;

    mfn = gmfn_to_mfn(FOREIGNDOM, l1e_get_pfn(pte));

    rc = get_mfn_sid(mfn, &psid);
    if ( rc )
        return rc;

    if ( l1e_get_flags(pte) & _PAGE_RW )
        map_perms |= MMU__MAP_WRITE;

    return avc_has_perm(dsec->sid, psid, SECCLASS_MMU, map_perms, NULL);
}

/*
 * Add a page of d2 to d1's physmap.  The subject is d1 (not current->domain),
 * so the caller decides which domain's privilege is checked.
 */
static int flask_add_to_physmap(struct domain *d1, struct domain *d2)
{
    return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__PHYSMAP);
}
#endif

/* FLASK's own hypercall entry point; defined elsewhere in the module. */
long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op);

/*
 * The hook table handed to the XSM framework by flask_init().  Hooks that
 * only exist on x86 are only wired up under CONFIG_X86; hooks referenced
 * here but not visible in this part of the file are defined earlier.
 */
static struct xsm_operations flask_ops = {
    .security_domaininfo = flask_security_domaininfo,
    .setvcpucontext = flask_setvcpucontext,
    .pausedomain = flask_pausedomain,
    .unpausedomain = flask_unpausedomain,
    .resumedomain = flask_resumedomain,
    .domain_create = flask_domain_create,
    .max_vcpus = flask_max_vcpus,
    .destroydomain = flask_destroydomain,
    .vcpuaffinity = flask_vcpuaffinity,
    .scheduler = flask_scheduler,
    .getdomaininfo = flask_getdomaininfo,
    .getvcpucontext = flask_getvcpucontext,
    .getvcpuinfo = flask_getvcpuinfo,
    .domain_settime = flask_domain_settime,
    .tbufcontrol = flask_tbufcontrol,
    .readconsole = flask_readconsole,
    .sched_id = flask_sched_id,
    .setdomainmaxmem = flask_setdomainmaxmem,
    .setdomainhandle = flask_setdomainhandle,
    .setdebugging = flask_setdebugging,
    .irq_permission = flask_irq_permission,
    .iomem_permission = flask_iomem_permission,
    .perfcontrol = flask_perfcontrol,

    .evtchn_unbound = flask_evtchn_unbound,
    .evtchn_interdomain = flask_evtchn_interdomain,
    .evtchn_close_post = flask_evtchn_close_post,
    .evtchn_send = flask_evtchn_send,
    .evtchn_status = flask_evtchn_status,
    .evtchn_reset = flask_evtchn_reset,

    .grant_mapref = flask_grant_mapref,
    .grant_unmapref = flask_grant_unmapref,
    .grant_setup = flask_grant_setup,
    .grant_transfer = flask_grant_transfer,
    .grant_copy = flask_grant_copy,
    .grant_query_size = flask_grant_query_size,

    .alloc_security_domain = flask_domain_alloc_security,
    .free_security_domain = flask_domain_free_security,
    .alloc_security_evtchn = flask_alloc_security_evtchn,
    .free_security_evtchn = flask_free_security_evtchn,

    .translate_gpfn_list = flask_translate_gpfn_list,
    .memory_adjust_reservation = flask_memory_adjust_reservation,
    .memory_stat_reservation = flask_memory_stat_reservation,
    .memory_pin_page = flask_memory_pin_page,

    .console_io = flask_console_io,

    .profile = flask_profile,

    .kexec = flask_kexec,
    .schedop_shutdown = flask_schedop_shutdown,

    .__do_xsm_op = do_flask_op,

#ifdef CONFIG_X86
    .shadow_control = flask_shadow_control,
    .ioport_permission = flask_ioport_permission,
    .getpageframeinfo = flask_getpageframeinfo,
    .getmemlist = flask_getmemlist,
    .hypercall_init = flask_hypercall_init,
    .hvmcontext = flask_hvmcontext,
    .address_size = flask_address_size,
    .hvm_param = flask_hvm_param,
    .hvm_set_pci_intx_level = flask_hvm_set_pci_intx_level,
    .hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level,
    .hvm_set_pci_link_route = flask_hvm_set_pci_link_route,
    .apic = flask_apic,
    .assign_vector = flask_assign_vector,
    .xen_settime = flask_xen_settime,
    .memtype = flask_memtype,
    .microcode = flask_microcode,
    .physinfo = flask_physinfo,
    .platform_quirk = flask_platform_quirk,
    .machine_memory_map = flask_machine_memory_map,
    .domain_memory_map = flask_domain_memory_map,
    .mmu_normal_update = flask_mmu_normal_update,
    .mmu_machphys_update = flask_mmu_machphys_update,
    .update_va_mapping = flask_update_va_mapping,
    .add_to_physmap = flask_add_to_physmap,
#endif
};

/*
 * Boot-time initialisation of FLASK.
 *
 * If flask_enabled is clear nothing is registered and 0 is returned, so the
 * previously installed XSM operations stay in force.  Otherwise the AVC is
 * initialised, the existing xsm_ops are saved in original_ops, flask_ops is
 * registered (failure to register is fatal), and the built-in policy
 * (policy_buffer/policy_size, defined elsewhere) is loaded.
 *
 * Note the ordering: the hooks are registered before the policy is loaded,
 * and a security_load_policy() failure is only reported through the return
 * value; the hooks are not unregistered.  Whether the hooks fail open or
 * closed with no policy loaded depends on avc_has_perm()/flask_enforcing
 * behaviour defined outside this file.
 */
static __init int flask_init(void)
{
    int ret = 0;

    if ( !flask_enabled )
    {
        printk("Flask: Disabled at boot.\n");
        return 0;
    }

    printk("Flask: Initializing.\n");

    avc_init();

    original_ops = xsm_ops;
    if ( register_xsm(&flask_ops) )
        panic("Flask: Unable to register with XSM.\n");

    ret = security_load_policy(policy_buffer, policy_size);

    if ( flask_enforcing )
        printk("Flask: Starting in enforcing mode.\n");
    else
        printk("Flask: Starting in permissive mode.\n");

    return ret;
}

xsm_initcall(flask_init);