|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Flask default policy mismatch vs dummy
>>> On 11.10.18 at 10:05, <andrew.cooper3@xxxxxxxxxx> wrote:
> Found while looking at some OSSTest logs.
>
> Oct 9 14:03:09.579037 (XEN) avc: denied { setup } for domid=0
> scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t
> tclass=resource
> Oct 9 14:03:09.590863 [ 0.522193] Failed to report MMCONFIG reservation
> state for PCI MMCONFIG 0000 [bus 00-7f] to hypervisor (-13)
>
> If someone has some tuits, please feel free. If not, I'll see what I
> can do when I've got some time.
How about this?
Jan
flask: PHYSDEVOP_pci_mmcfg_reserved uses Dom0 context
Andrew found
(XEN) avc: denied { setup } for domid=0 scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:xen_t tclass=resource
[ 0.522193] Failed to report MMCONFIG reservation state for PCI MMCONFIG
0000 [bus 00-7f] to hypervisor (-13)
in some osstest log. The Xen side message made me guess that the wrong
SECINITSID_* value was used in the respective flask hook.
Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
Untested, solely based on looking at the code.
--- unstable.orig/xen/xsm/flask/hooks.c 2018-10-05 08:04:17.229109051 +0200
+++ unstable/xen/xsm/flask/hooks.c 2018-10-11 13:37:56.917898113 +0200
@@ -1155,7 +1155,8 @@ static int flask_resource_setup_gsi(int
static int flask_resource_setup_misc(void)
{
- return avc_current_has_perm(SECINITSID_XEN, SECCLASS_RESOURCE,
RESOURCE__SETUP, NULL);
+ return avc_current_has_perm(SECINITSID_DOM0, SECCLASS_RESOURCE,
+ RESOURCE__SETUP, NULL);
}
static inline int flask_page_offline(uint32_t cmd)
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |