[xen staging-4.19] xen/flask: Wire up XEN_DOMCTL_vuart_op
commit 30a8d910ca97ba460236bce53fb8e3c3035ea8fe
Author: Michal Orzel <michal.orzel@xxxxxxx>
AuthorDate: Tue Jan 21 09:20:42 2025 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jan 21 09:20:42 2025 +0100
xen/flask: Wire up XEN_DOMCTL_vuart_op
Addition of FLASK permission for this hypercall was overlooked in the
original patch. Fix it. The only VUART operation is initialization that
can occur only during domain creation.
Fixes: 86039f2e8c20 ("xen/arm: vpl011: Add a new domctl API to initialize
vpl011")
Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
Acked-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
master commit: 29daa72e4019aae92f857cf6e7e0c3ca8fb1483e
master date: 2025-01-08 13:05:38 +0100
---
tools/flask/policy/modules/xen.if | 2 +-
xen/xsm/flask/hooks.c | 3 +++
xen/xsm/flask/policy/access_vectors | 2 ++
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/flask/policy/modules/xen.if
b/tools/flask/policy/modules/xen.if
index 11c1562aa5..ba9e91d302 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -54,7 +54,7 @@ define(`create_domain_common', `
allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim
set_vnumainfo get_vnumainfo cacheflush
psr_cmt_op psr_alloc soft_reset
- resource_map get_cpu_policy };
+ resource_map get_cpu_policy vuart_op };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
mmuext_op updatemp };
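Review bot: vuart_op is granted only through the domain2 rule in create_domain_common, so a policy that builds domains without this macro gets no grant from this hunk while the hooks.c change checks DOMAIN2__VUART_OP for every XEN_DOMCTL_vuart_op call. Placing it here matches the commit message (initialization happens only during domain creation), but the message should say that hand-written policies need to add "domain2 vuart_op" themselves for the creating domain.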
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 278ad38c2a..35237a00c4 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -829,6 +829,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned
int cmd,
case XEN_DOMCTL_soft_reset:
return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SOFT_RESET);
+ case XEN_DOMCTL_vuart_op:
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VUART_OP);
+
case XEN_DOMCTL_get_cpu_policy:
return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__GET_CPU_POLICY);
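Review bot: the new XEN_DOMCTL_vuart_op case maps the whole domctl to one permission, DOMAIN2__VUART_OP, without looking at which VUART operation is requested. That is adequate while initialization is the only operation, as the commit message states, but any operation added later would silently inherit a permission that the policy grants to domain builders. It is worth recording in the commit message that the coarse mapping is intentional and should be revisited if further operations are introduced.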
diff --git a/xen/xsm/flask/policy/access_vectors
b/xen/xsm/flask/policy/access_vectors
index a35e3d4c51..7cbdb7ea64 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -251,6 +251,8 @@ class domain2
resource_map
# XEN_DOMCTL_get_cpu_policy
get_cpu_policy
+# XEN_DOMCTL_vuart_op
+ vuart_op
}
# Similar to class domain, but primarily contains domctls related to HVM
domains
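Review bot: the comment above the new vuart_op entry in class domain2 names only the domctl, and the permission name reads like a general runtime operation. Since the commit message says the only operation is initialization during domain creation, consider extending the comment to say so, for example "# XEN_DOMCTL_vuart_op (vpl011 initialization at domain creation)", so policy authors know it belongs with the domain-building permissions.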
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.19