[xen master] xen/flask: Wire up XEN_DOMCTL_vuart_op
commit 29daa72e4019aae92f857cf6e7e0c3ca8fb1483e Author: Michal Orzel <michal.orzel@xxxxxxx> AuthorDate: Tue Jan 7 10:27:17 2025 +0100 Commit: Michal Orzel <michal.orzel@xxxxxxx> CommitDate: Wed Jan 8 13:05:38 2025 +0100 xen/flask: Wire up XEN_DOMCTL_vuart_op Addition of FLASK permission for this hypercall was overlooked in the original patch. Fix it. The only VUART operation is initialization that can occur only during domain creation. Fixes: 86039f2e8c20 ("xen/arm: vpl011: Add a new domctl API to initialize vpl011") Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx> Release-Acked-By: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx> Acked-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx> --- tools/flask/policy/modules/xen.if | 2 +- xen/xsm/flask/hooks.c | 3 +++ xen/xsm/flask/policy/access_vectors | 2 ++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 11c1562aa5..ba9e91d302 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -54,7 +54,7 @@ define(`create_domain_common', ` allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_alloc soft_reset - resource_map get_cpu_policy }; + resource_map get_cpu_policy vuart_op }; allow $1 $2:security check_context; allow $1 $2:shadow enable; allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp }; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 2b4efde689..5118f86cf0 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c 
@@ -832,6 +832,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_soft_reset: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SOFT_RESET); + case XEN_DOMCTL_vuart_op: + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VUART_OP); + case XEN_DOMCTL_get_cpu_policy: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__GET_CPU_POLICY); diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index a35e3d4c51..7cbdb7ea64 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -251,6 +251,8 @@ class domain2 resource_map # XEN_DOMCTL_get_cpu_policy get_cpu_policy +# XEN_DOMCTL_vuart_op + vuart_op } # Similar to class domain, but primarily contains domctls related to HVM domains -- generated by git-patchbot for /home/xen/git/xen.git#master
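Review bot: policies that do not go through `create_domain_common` get no `vuart_op` grant from the tools/flask/policy/modules/xen.if hunk, while the new case in xen/xsm/flask/hooks.c checks DOMAIN2__VUART_OP for every caller of XEN_DOMCTL_vuart_op. The commit message should say that custom policies need to add `vuart_op` to the domain2 rules of whatever domain builds guests, so that maintainers of such policies know why vpl011 initialization starts being checked after this change.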
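Review bot: the new `case XEN_DOMCTL_vuart_op:` in flask_domctl() authorizes the whole domctl with a single permission and does not look at the sub-operation. The commit message states that initialization is the only VUART operation today; if a second sub-op is added later, it will be covered by the same DOMAIN2__VUART_OP that `create_domain_common` already hands to the domain creator. A one-line comment at the case recording that assumption would prompt a policy review when the domctl grows.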
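Review bot: in xen/xsm/flask/policy/access_vectors the `# XEN_DOMCTL_vuart_op` comment names only the domctl, and `vuart_op` is appended after `get_cpu_policy`, whereas the hooks.c hunk places the new case before `XEN_DOMCTL_get_cpu_policy`. Consider keeping the two files in the same order, and extending the comment to say this is the vpl011 initialization domctl referenced in the Fixes: tag, so that policy writers reading class domain2 can tell what the permission gates.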