
Re: [Xen-devel] [PATCH for-4.5] xsm/flask: add two missing domctls



On 25/11/14 16:57, Daniel De Graaf wrote:
> Reported-by: Michael Young <m.a.young@xxxxxxxxxxxx>
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

CC'd Konrad, as this should be accepted into Xen-4.5.  Without it,
migration/suspend fails with -EPERM in the default case when XSM is
compiled into Xen.

Daniel: there are 4 hypercalls for getting/setting bits of PV VCPU state:

XEN_DOMCTL_{get,set}vcpucontext
XEN_DOMCTL_{get,set}_ext_vcpucontext
XEN_DOMCTL_{get,set}vcpuextstate
XEN_DOMCTL_{get,set}_vcpu_msrs

I see no reason for these to have separate access vectors; you typically
either need to use all of them, or none, but I presume it is too late to
coalesce the vectors in a backwards compatible way?

~Andrew

> ---
>  xen/xsm/flask/hooks.c               | 2 ++
>  xen/xsm/flask/policy/access_vectors | 2 ++
>  2 files changed, 4 insertions(+)
>
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 0ba2ce9..d48463f 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -672,9 +672,11 @@ static int flask_domctl(struct domain *d, int cmd)
>          return current_has_perm(d, SECCLASS_HVM, HVM__CACHEATTR);
>  
>      case XEN_DOMCTL_set_ext_vcpucontext:
> +    case XEN_DOMCTL_set_vcpu_msrs:
>          return current_has_perm(d, SECCLASS_DOMAIN, 
> DOMAIN__SETEXTVCPUCONTEXT);
>  
>      case XEN_DOMCTL_get_ext_vcpucontext:
> +    case XEN_DOMCTL_get_vcpu_msrs:
>          return current_has_perm(d, SECCLASS_DOMAIN, 
> DOMAIN__GETEXTVCPUCONTEXT);
>  
>      case XEN_DOMCTL_setvcpuextstate:
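Review bot: the commit message as quoted carries only the Reported-by and Signed-off-by tags and does not say why XEN_DOMCTL_set_vcpu_msrs and XEN_DOMCTL_get_vcpu_msrs are folded into the existing DOMAIN__SETEXTVCPUCONTEXT / DOMAIN__GETEXTVCPUCONTEXT checks instead of getting their own access vectors; a sentence stating that the reuse is deliberate, so that policies which already grant setextvcpucontext/getextvcpucontext keep working for migration and suspend (the -EPERM failure described in the reply), would make the intent clear to anyone auditing the policy later. Also, the two `return current_has_perm(d, SECCLASS_DOMAIN,` lines appear wrapped onto a following `DOMAIN__...` line in the mail, so the patch as quoted may not apply cleanly; check it against the original submission before committing.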
> diff --git a/xen/xsm/flask/policy/access_vectors 
> b/xen/xsm/flask/policy/access_vectors
> index 1cd451e..1da9f63 100644
> --- a/xen/xsm/flask/policy/access_vectors
> +++ b/xen/xsm/flask/policy/access_vectors
> @@ -151,8 +151,10 @@ class domain
>  # XEN_DOMCTL_sendtrigger
>      trigger
>  # XEN_DOMCTL_get_ext_vcpucontext
> +# XEN_DOMCTL_set_vcpu_msrs
>      getextvcpucontext
>  # XEN_DOMCTL_set_ext_vcpucontext
> +# XEN_DOMCTL_get_vcpu_msrs
>      setextvcpucontext
>  # XEN_DOMCTL_getvcpuextstate
>      getvcpuextstate
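Review bot: the two comment lines added to access_vectors are inverted relative to the hooks.c hunk: `# XEN_DOMCTL_set_vcpu_msrs` is placed above `getextvcpucontext` and `# XEN_DOMCTL_get_vcpu_msrs` above `setextvcpucontext`, whereas hooks.c maps XEN_DOMCTL_set_vcpu_msrs to DOMAIN__SETEXTVCPUCONTEXT and XEN_DOMCTL_get_vcpu_msrs to DOMAIN__GETEXTVCPUCONTEXT. Swap the two comments so the policy file documents the permission each domctl actually checks; as written, a policy author reading access_vectors would conclude that granting getextvcpucontext allows MSR writes, which is the opposite of what the hook enforces.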


