[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.19] xen/flask: Wire up XEN_DOMCTL_dt_overlay

commit e7f96aa3f3d8b1ad2f0475a627f62763261df743
Author:     Michal Orzel <michal.orzel@xxxxxxx>
AuthorDate: Tue Jan 21 09:20:51 2025 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jan 21 09:20:51 2025 +0100

    xen/flask: Wire up XEN_DOMCTL_dt_overlay
    
    Addition of FLASK permission for this hypercall was overlooked in the
    original patch. Fix it. The only dt overlay operation is attaching that can
    happen only after the domain is created. Dom0 can attach overlay to itself
    as well.
    
    Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device 
attachment to domains")
    Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
    Acked-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
    master commit: 7fa1411676150634b1d6ca030e53b94c26a949dd
    master date: 2025-01-08 13:05:50 +0100
---
 tools/flask/policy/modules/dom0.te  | 2 +-
 tools/flask/policy/modules/xen.if   | 2 +-
 xen/xsm/flask/hooks.c               | 3 +++
 xen/xsm/flask/policy/access_vectors | 2 ++
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/tools/flask/policy/modules/dom0.te 
b/tools/flask/policy/modules/dom0.te
index 16b8c9646d..f148bfbf27 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -40,7 +40,7 @@ allow dom0_t dom0_t:domain {
 };
 allow dom0_t dom0_t:domain2 {
        set_cpu_policy gettsc settsc setscheduler set_vnumainfo
-       get_vnumainfo psr_cmt_op psr_alloc get_cpu_policy
+       get_vnumainfo psr_cmt_op psr_alloc get_cpu_policy dt_overlay
 };
 allow dom0_t dom0_t:resource { add remove };
 
diff --git a/tools/flask/policy/modules/xen.if 
b/tools/flask/policy/modules/xen.if
index ba9e91d302..def60da883 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -94,7 +94,7 @@ define(`manage_domain', `
                        getaddrsize pause unpause trigger shutdown destroy
                        setaffinity setdomainmaxmem getscheduler resume
                        setpodtarget getpodtarget getpagingmempool 
setpagingmempool };
-    allow $1 $2:domain2 set_vnumainfo;
+    allow $1 $2:domain2 { set_vnumainfo dt_overlay };
 ')
 
 # migrate_domain_out(priv, target)
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 35237a00c4..415edee251 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -841,6 +841,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned 
int cmd,
     case XEN_DOMCTL_set_paging_mempool_size:
         return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETPAGINGMEMPOOL);
 
+    case XEN_DOMCTL_dt_overlay:
+        return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__DT_OVERLAY);
+
     default:
         return avc_unknown_permission("domctl", cmd);
     }
diff --git a/xen/xsm/flask/policy/access_vectors 
b/xen/xsm/flask/policy/access_vectors
index 7cbdb7ea64..78fe37583b 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -253,6 +253,8 @@ class domain2
     get_cpu_policy
 # XEN_DOMCTL_vuart_op
     vuart_op
+# XEN_DOMCTL_dt_overlay
+    dt_overlay
 }
 
 # Similar to class domain, but primarily contains domctls related to HVM 
domains
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.19

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.