Re: [Xen-devel] [PATCH v2 12/12] x86/altp2m: XSM hooks for altp2m HVM ops
On 06/22/2015 02:56 PM, Ed White wrote: From: Ravi Sahita <ravi.sahita@xxxxxxxxx> Signed-off-by: Ravi Sahita <ravi.sahita@xxxxxxxxx> One comment, below. [...] diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index f4cde11..c95109f 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -8,7 +8,7 @@ define(`declare_domain_common', ` allow $1 $2:grant { query setup }; allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op }; - allow $1 $2:hvm { getparam setparam }; + allow $1 $2:hvm { getparam setparam altp2mhvm altp2mhvm_op }; allow $1 $2:domain2 get_vnumainfo; ') This allows any domain to enable altp2m on itself; I think you meant to only allow altp2mhvm_op here, requiring a privileged domain to first enable the feature on a domain before anyone can use it. Otherwise, this looks good, although if patch #10 is changed to expose a single subop, the altp2mhvm_op XSM checks will need to be relocated. -- Daniel De Graaf National Security Agency _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
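Review bot: In the `declare_domain_common` hunk of xen.if, the changed `allow $1 $2:hvm` rule adds `altp2mhvm` and `altp2mhvm_op` together, so the permission that enables the feature is granted by the same common-domain rule as the permission that uses it. Consider leaving only the per-operation permission here, as in `allow $1 $2:hvm { getparam setparam altp2mhvm_op };`, and granting `altp2mhvm` in a separate rule for the domain that is meant to enable altp2m on a guest. The commit message as quoted carries only the From and Signed-off-by lines; a sentence stating what each of the two new permissions covers would make the policy change easier to audit.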