[Xen-devel] Ping: Re: Flask default policy mismatch vs dummy
>>> On 11.10.18 at 13:40, <JBeulich@xxxxxxxx> wrote:
>>>> On 11.10.18 at 10:05, <andrew.cooper3@xxxxxxxxxx> wrote:
>> Found while looking at some OSSTest logs.
>>
>> Oct 9 14:03:09.579037 (XEN) avc: denied { setup } for domid=0
>> scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t
>> tclass=resource
>> Oct 9 14:03:09.590863 [ 0.522193] Failed to report MMCONFIG reservation
>> state for PCI MMCONFIG 0000 [bus 00-7f] to hypervisor (-13)
>>
>> If someone has some tuits, please feel free. If not, I'll see what I
>> can do when I've got some time.
>
> How about this?
>
> Jan

Daniel, do you have any thoughts here?

Thanks, Jan

> flask: PHYSDEVOP_pci_mmcfg_reserved uses Dom0 context
>
> Andrew found
>
> (XEN) avc: denied { setup } for domid=0 scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:xen_t tclass=resource
> [ 0.522193] Failed to report MMCONFIG reservation state for PCI MMCONFIG
> 0000 [bus 00-7f] to hypervisor (-13)
>
> in some osstest log. The Xen side message made me guess that the wrong
> SECINITSID_* value was used in the respective flask hook.
>
> Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> Untested, solely based on looking at the code.
>
> --- unstable.orig/xen/xsm/flask/hooks.c 2018-10-05 08:04:17.229109051 > +0200 > +++ unstable/xen/xsm/flask/hooks.c 2018-10-11 13:37:56.917898113 +0200 
> @@ -1155,7 +1155,8 @@ static int flask_resource_setup_gsi(int > > static int flask_resource_setup_misc(void) > { > - return avc_current_has_perm(SECINITSID_XEN, SECCLASS_RESOURCE, > RESOURCE__SETUP, NULL); > + return avc_current_has_perm(SECINITSID_DOM0, SECCLASS_RESOURCE, > + RESOURCE__SETUP, NULL); > } > > static inline int flask_page_offline(uint32_t cmd) > > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@xxxxxxxxxxxxxxxxxxxx > https://lists.xenproject.org/mailman/listinfo/xen-devel _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
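Review bot: flask_resource_setup_misc() takes no arguments and has a generic name, so switching its target from SECINITSID_XEN to SECINITSID_DOM0 changes the check for every caller of this hook, while the subject line names only PHYSDEVOP_pci_mmcfg_reserved. The commit message should list which operations reach this hook and confirm that a Dom0 target context is right for all of them; a short comment above the avc_current_has_perm() call saying why the target is Dom0 rather than Xen would also help. Since the patch is marked untested, it is worth stating which rule in the default policy is expected to allow { setup } for scontext dom0_t once tcontext is no longer xen_t, and re-checking that the quoted avc denial and the -13 from the MMCONFIG report are gone in an osstest run.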