[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v10 5/6] xsm: add platform QoS related xsm policies
Add xsm policies for attach/detach pqos services and get CQM info hypercalls. Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> Signed-off-by: Dongxiao Xu <dongxiao.xu@xxxxxxxxx> --- tools/flask/policy/policy/modules/xen/xen.if | 2 +- tools/flask/policy/policy/modules/xen/xen.te | 5 ++++- xen/xsm/flask/hooks.c | 8 ++++++++ xen/xsm/flask/policy/access_vectors | 17 ++++++++++++++--- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index dedc035..1f683af 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -49,7 +49,7 @@ define(`create_domain_common', ` getdomaininfo hypercall setvcpucontext setextvcpucontext getscheduler getvcpuinfo getvcpuextstate getaddrsize getaffinity setaffinity }; - allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn }; + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn pqos_op }; allow $1 $2:security check_context; allow $1 $2:shadow enable; allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op }; diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index bb59fe8..115fcfe 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -64,6 +64,9 @@ allow dom0_t xen_t:xen { getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op tmem_control getscheduler setscheduler }; +allow dom0_t xen_t:xen2 { + pqos_op +}; allow dom0_t xen_t:mmu memorymap; # Allow dom0 to use these domctls on itself. For domctls acting on other @@ -76,7 +79,7 @@ allow dom0_t dom0_t:domain { getpodtarget setpodtarget set_misc_info set_virq_handler }; allow dom0_t dom0_t:domain2 { - set_cpuid gettsc settsc setscheduler set_max_evtchn + set_cpuid gettsc settsc setscheduler set_max_evtchn pqos_op }; allow dom0_t dom0_t:resource { add remove }; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index ba719de..ef557f0 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -735,6 +735,10 @@ static int flask_domctl(struct domain *d, int cmd) case XEN_DOMCTL_cacheflush: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__CACHEFLUSH); + case XEN_DOMCTL_attach_pqos: + case XEN_DOMCTL_detach_pqos: + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__PQOS_OP); + default: printk("flask_domctl: Unknown op %d\n", cmd); return -EPERM; @@ -790,6 +794,10 @@ static int flask_sysctl(int cmd) case XEN_SYSCTL_numainfo: return domain_has_xen(current->domain, XEN__PHYSINFO); + case XEN_SYSCTL_getcqminfo: + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, + XEN2__PQOS_OP, NULL); + default: printk("flask_sysctl: Unknown op %d\n", cmd); return -EPERM; diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index a0ed13d..6d2c1e0 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -3,9 +3,9 @@ # # class class_name { permission_name ... } -# Class xen consists of dom0-only operations dealing with the hypervisor itself. -# Unless otherwise specified, the source is the domain executing the hypercall, -# and the target is the xen initial sid (type xen_t). +# Class xen and xen2 consists of dom0-only operations dealing with the +# hypervisor itself. Unless otherwise specified, the source is the domain +# executing the hypercall, and the target is the xen initial sid (type xen_t). class xen { # XENPF_settime @@ -75,6 +75,14 @@ class xen setscheduler } +# This is a continuation of class xen, since only 32 permissions can be +# defined per class +class xen2 +{ +# XEN_SYSCTL_getcqminfo + pqos_op +} + # Classes domain and domain2 consist of operations that a domain performs on # another domain or on itself. Unless otherwise specified, the source is the # domain executing the hypercall, and the target is the domain being operated on @@ -198,6 +206,9 @@ class domain2 set_max_evtchn # XEN_DOMCTL_cacheflush cacheflush +# XEN_DOMCTL_attach_pqos +# XEN_DOMCTL_detach_pqos + pqos_op } # Similar to class domain, but primarily contains domctls related to HVM domains -- 1.7.9.5 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |