[xen master] xen/flask: Wire up XEN_DOMCTL_{get,set}_paging_mempool_size
commit 345135942bf9632eba1409ba432cfcae3b7649c7 Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Mon Nov 21 12:46:39 2022 +0000 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Mon Nov 21 16:12:41 2022 +0000 xen/flask: Wire up XEN_DOMCTL_{get,set}_paging_mempool_size These were overlooked in the original patch, and noticed by OSSTest which does run some Flask tests. Fixes: 22b20bd98c02 ("xen: Introduce non-broken hypercalls for the paging mempool size") Suggested-by: Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jason Andryuk <jandryuk@xxxxxxxxx> Acked-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx> Release-acked-by: Henry Wang <Henry.Wang@xxxxxxx> --- tools/flask/policy/modules/dom0.te | 3 ++- tools/flask/policy/modules/xen.if | 5 +++-- xen/xsm/flask/hooks.c | 6 ++++++ xen/xsm/flask/policy/access_vectors | 4 ++++ 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te index f710ff9941..f1dcff48e2 100644 --- a/tools/flask/policy/modules/dom0.te +++ b/tools/flask/policy/modules/dom0.te @@ -35,7 +35,8 @@ allow dom0_t dom0_t:domain { setvcpucontext max_vcpus setaffinity getaffinity getscheduler getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle setdebugging hypercall settime setaddrsize getaddrsize trigger - getpodtarget setpodtarget set_misc_info set_virq_handler + getpodtarget setpodtarget getpagingmempool setpagingmempool set_misc_info + set_virq_handler }; allow dom0_t dom0_t:domain2 { set_cpu_policy gettsc settsc setscheduler set_vnumainfo diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 424daab6a0..11c1562aa5 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if 
@@ -49,7 +49,8 @@ define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext getscheduler getvcpuinfo getaddrsize getaffinity setaffinity - settime setdomainhandle getvcpucontext set_misc_info }; + settime setdomainhandle getvcpucontext set_misc_info + getpagingmempool setpagingmempool }; allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_alloc soft_reset @@ -92,7 +93,7 @@ define(`manage_domain', ` allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity getaddrsize pause unpause trigger shutdown destroy setaffinity setdomainmaxmem getscheduler resume - setpodtarget getpodtarget }; + setpodtarget getpodtarget getpagingmempool setpagingmempool }; allow $1 $2:domain2 set_vnumainfo; ') diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 391aec4dc2..78225f68c1 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -822,6 +822,12 @@ static int cf_check flask_domctl(struct domain *d, int cmd) case XEN_DOMCTL_get_cpu_policy: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__GET_CPU_POLICY); + case XEN_DOMCTL_get_paging_mempool_size: + return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETPAGINGMEMPOOL); + + case XEN_DOMCTL_set_paging_mempool_size: + return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETPAGINGMEMPOOL); + default: return avc_unknown_permission("domctl", cmd); } diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 6359c7fc87..4e6710a63e 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors 
@@ -180,6 +180,10 @@ class domain set_misc_info # XEN_DOMCTL_set_virq_handler set_virq_handler +# XEN_DOMCTL_get_paging_mempool_size + getpagingmempool +# XEN_DOMCTL_set_paging_mempool_size + setpagingmempool } # This is a continuation of class domain, since only 32 permissions can be -- generated by git-patchbot for /home/xen/git/xen.git#master
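Review bot: In the dom0.te hunk, the "allow dom0_t dom0_t:domain" rule gains setpagingmempool as well as getpagingmempool, so dom0 is allowed to resize its own paging mempool. If no caller issues XEN_DOMCTL_set_paging_mempool_size against dom0 itself, grant only getpagingmempool on this rule and leave the set permission to the create_domain_common and manage_domain interfaces in xen.if, which already receive it in this patch.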
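Review bot: In the hooks.c hunk, the two new cases in flask_domctl() move these domctls off the "default: return avc_unknown_permission("domctl", cmd);" path and onto explicit DOMAIN__GETPAGINGMEMPOOL and DOMAIN__SETPAGINGMEMPOOL checks, but the commit message does not mention that policies maintained outside tools/flask/policy now need matching allow rules. A sentence in the commit message naming the two new permissions would help out-of-tree policy authors, since only dom0.te and xen.if are updated here.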
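Review bot: In the access_vectors hunk, getpagingmempool and setpagingmempool are appended to class domain immediately above the comment that domain2 exists "since only 32 permissions can be" defined per class. Please confirm that class domain stays within that limit after these two additions; if it does not, the permissions belong in domain2, with SECCLASS_DOMAIN2 and DOMAIN2__ names in hooks.c and the domain2 allow rules in dom0.te and xen.if.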