From: Juergen Gross <jgross@suse.com>
Subject: xen/xsm: make getdomaininfo xsm dummy checks more stringent

Today the dummy XSM privilege checks for getdomaininfo are less
stringent than possible: they basically rely on the general
sysctl/domctl entry check to do all tests and then do the test with
the XSM_HOOK privilege, which is an "allow all" default.

Instead of XSM_HOOK use XSM_XS_PRIV, which is the privilege really
wanted. Note that this test is still wider than the sysctl entry test,
but there is no easy way to make both domctl and sysctl happy at the
same time.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
master commit: 5793b84c5e8fb268f94e7fde7816799e66945a73
master date: 2024-12-16 13:06:55 +0100

--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -535,7 +535,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
         break;
 
     case XEN_DOMCTL_getdomaininfo:
-        ret = xsm_getdomaininfo(XSM_HOOK, d);
+        ret = xsm_getdomaininfo(XSM_XS_PRIV, d);
         if ( ret )
             break;
 
--- a/xen/common/sysctl.c
+++ b/xen/common/sysctl.c
@@ -89,7 +89,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
             if ( num_domains == op->u.getdomaininfolist.max_domains )
                 break;
 
-            if ( xsm_getdomaininfo(XSM_HOOK, d) )
+            if ( xsm_getdomaininfo(XSM_XS_PRIV, d) )
                 continue;
 
             getdomaininfo(d, &info);
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -137,7 +137,7 @@ static XSM_INLINE int cf_check xsm_domai
 static XSM_INLINE int cf_check xsm_getdomaininfo(
     XSM_DEFAULT_ARG struct domain *d)
 {
-    XSM_ASSERT_ACTION(XSM_HOOK);
+    XSM_ASSERT_ACTION(XSM_XS_PRIV);
     return xsm_default_action(action, current->domain, d);
 }