Re: [Xen-devel] [PATCH for-4.5] xsm/flask: add two missing domctls
On Tue, Nov 25, 2014 at 06:19:05PM +0000, Andrew Cooper wrote:
> On 25/11/14 16:57, Daniel De Graaf wrote:
> > Reported-by: Michael Young <m.a.young@xxxxxxxxxxxx>
> > Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>
> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>
> CC'd Konrad, as this should be accepted into Xen-4.5. Without it,
> migration/suspend fails with -EPERM in the default case when XSM is
> compiled into Xen.
Yup. Release-Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
>
> Daniel: there are 4 hypercalls for getting/setting bits of PV VCPU state:
>
> XEN_DOMCTL_{get,set}vcpucontext
> XEN_DOMCTL_{get,set}_ext_vcpucontext
> XEN_DOMCTL_{get,set}vcpuextstate
> XEN_DOMCTL_{get,set}_vcpu_msrs
>
> I see no reason for these to have separate access vectors; you typically
> either need to use all of them, or none, but I presume it is too late to
> coalesce the vectors in a backwards compatible way?
>
> ~Andrew
>
> > ---
> > xen/xsm/flask/hooks.c | 2 ++
> > xen/xsm/flask/policy/access_vectors | 2 ++
> > 2 files changed, 4 insertions(+)
> >
> > diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> > index 0ba2ce9..d48463f 100644
> > --- a/xen/xsm/flask/hooks.c
> > +++ b/xen/xsm/flask/hooks.c
> > @@ -672,9 +672,11 @@ static int flask_domctl(struct domain *d, int cmd)
> > return current_has_perm(d, SECCLASS_HVM, HVM__CACHEATTR);
> >
> > case XEN_DOMCTL_set_ext_vcpucontext:
> > + case XEN_DOMCTL_set_vcpu_msrs:
> > return current_has_perm(d, SECCLASS_DOMAIN,
> > DOMAIN__SETEXTVCPUCONTEXT);
> >
> > case XEN_DOMCTL_get_ext_vcpucontext:
> > + case XEN_DOMCTL_get_vcpu_msrs:
> > return current_has_perm(d, SECCLASS_DOMAIN,
> > DOMAIN__GETEXTVCPUCONTEXT);
> >
> > case XEN_DOMCTL_setvcpuextstate:
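Review bot: at the two added case labels, XEN_DOMCTL_set_vcpu_msrs and XEN_DOMCTL_get_vcpu_msrs are folded into the existing DOMAIN__SETEXTVCPUCONTEXT and DOMAIN__GETEXTVCPUCONTEXT checks, so a policy cannot allow the ext_vcpucontext domctls while denying MSR access, or the reverse. If that sharing is deliberate, a one-line comment above the case labels or a sentence in the commit message saying so would tell policy authors that no new permission is needed and that MSR access is not separately controllable.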
> > diff --git a/xen/xsm/flask/policy/access_vectors
> > b/xen/xsm/flask/policy/access_vectors
> > index 1cd451e..1da9f63 100644
> > --- a/xen/xsm/flask/policy/access_vectors
> > +++ b/xen/xsm/flask/policy/access_vectors
> > @@ -151,8 +151,10 @@ class domain
> > # XEN_DOMCTL_sendtrigger
> > trigger
> > # XEN_DOMCTL_get_ext_vcpucontext
> > +# XEN_DOMCTL_set_vcpu_msrs
> > getextvcpucontext
> > # XEN_DOMCTL_set_ext_vcpucontext
> > +# XEN_DOMCTL_get_vcpu_msrs
> > setextvcpucontext
> > # XEN_DOMCTL_getvcpuextstate
> > getvcpuextstate
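Review bot: the two added comment lines in class domain are swapped relative to hooks.c. `# XEN_DOMCTL_set_vcpu_msrs` is placed above `getextvcpucontext` and `# XEN_DOMCTL_get_vcpu_msrs` above `setextvcpucontext`, while flask_domctl() checks set_vcpu_msrs against DOMAIN__SETEXTVCPUCONTEXT and get_vcpu_msrs against DOMAIN__GETEXTVCPUCONTEXT. Exchange the two comments so each vector lists the domctls it actually covers; enforcement is unaffected because these lines are comments, but the file is what policy authors read to learn which operations a permission grants.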
>
>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel