[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 2/8] xsm: remove unused xsm_assign_vector check
The PHYSDEVOP_alloc_irq_vector hypercall is a noop, so its XSM check is not useful. Remove it and the "event vector" FLASK permission. Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> --- tools/flask/policy/policy/flask/access_vectors | 1 - tools/flask/policy/policy/modules/xen/xen.if | 1 - tools/flask/policy/policy/modules/xen/xen.te | 1 - xen/arch/x86/physdev.c | 4 ---- xen/include/xsm/xsm.h | 6 ------ xen/xsm/dummy.c | 6 ------ xen/xsm/flask/hooks.c | 13 ------------- xen/xsm/flask/include/av_perm_to_string.h | 3 +-- xen/xsm/flask/include/av_permissions.h | 3 +-- 9 files changed, 2 insertions(+), 36 deletions(-) diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors index 9d09c5b..1b2687a 100644 --- a/tools/flask/policy/policy/flask/access_vectors +++ b/tools/flask/policy/policy/flask/access_vectors @@ -100,7 +100,6 @@ class event status notify create - vector reset } diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index bf3b794..d12af74 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -67,7 +67,6 @@ define(`create_channel', ` ############################################################################### define(`create_passthrough_resource', ` type $3, resource_type; - allow $1 $3:event vector; allow $1 $2:resource {add remove}; allow $1 ioport_t:resource {add_ioport use}; allow $1 iomem_t:resource {add_iomem use}; diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index d95a7da..8113467 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -31,7 +31,6 @@ scheduler physinfo heap quirk readconsole writeconsole settime microcode}; allow dom0_t domio_t:mmu {map_read map_write}; allow dom0_t iomem_t:mmu {map_read map_write}; -allow dom0_t pirq_t:event {vector}; allow dom0_t xen_t:mmu {memorymap}; allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust updatemp}; diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c index cca56bb..5c7ab68 100644 --- a/xen/arch/x86/physdev.c +++ b/xen/arch/x86/physdev.c @@ -452,10 +452,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE(void) arg) if ( !IS_PRIV(v->domain) ) break; - ret = xsm_assign_vector(v->domain, irq_op.irq); - if ( ret ) - break; - /* Vector is only used by hypervisor, and dom0 shouldn't touch it in its world, return irq_op.irq as the vecotr, and make this hypercall dummy, and also defer the vector diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 1f70e87..82f510d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -129,7 +129,6 @@ struct xsm_operations { int (*hvm_set_pci_link_route) (struct domain *d); int (*hvm_inject_msi) (struct domain *d); int (*apic) (struct domain *d, int cmd); - int (*assign_vector) (struct domain *d, uint32_t pirq); int (*xen_settime) (void); int (*memtype) (uint32_t access); int (*microcode) (void); @@ -535,11 +534,6 @@ static inline int xsm_apic (struct domain *d, int cmd) return xsm_call(apic(d, cmd)); } -static inline int xsm_assign_vector (struct domain *d, uint32_t pirq) -{ - return xsm_call(assign_vector(d, pirq)); -} - static inline int xsm_xen_settime (void) { return xsm_call(xen_settime()); diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 6536948..1b50d0e 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -345,11 +345,6 @@ static int dummy_apic (struct domain *d, int cmd) return 0; } -static int dummy_assign_vector (struct domain *d, uint32_t pirq) -{ - return 0; -} - static int dummy_xen_settime (void) { return 0; @@ -560,7 +555,6 @@ void xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, hvm_set_isa_irq_level); set_to_dummy_if_null(ops, hvm_set_pci_link_route); set_to_dummy_if_null(ops, apic); - set_to_dummy_if_null(ops, assign_vector); set_to_dummy_if_null(ops, xen_settime); set_to_dummy_if_null(ops, memtype); set_to_dummy_if_null(ops, microcode); diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 37b297e..97ae4d9 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -907,18 +907,6 @@ static int flask_apic(struct domain *d, int cmd) return domain_has_xen(d, perm); } -static int flask_assign_vector(struct domain *d, uint32_t pirq) -{ - u32 psid; - struct domain_security_struct *dsec; - dsec = d->ssid; - - if ( security_pirq_sid(pirq, &psid) ) - return -EPERM; - - return avc_has_perm(dsec->sid, psid, SECCLASS_EVENT, EVENT__VECTOR, NULL); -} - static int flask_xen_settime(void) { return domain_has_xen(current->domain, XEN__SETTIME); @@ -1306,7 +1294,6 @@ static struct xsm_operations flask_ops = { .hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level, .hvm_set_pci_link_route = flask_hvm_set_pci_link_route, .apic = flask_apic, - .assign_vector = flask_assign_vector, .xen_settime = flask_xen_settime, .memtype = flask_memtype, .microcode = flask_microcode, diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h index c32488e..70aa02d 100644 --- a/xen/xsm/flask/include/av_perm_to_string.h +++ b/xen/xsm/flask/include/av_perm_to_string.h @@ -56,18 +56,17 @@ S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc") S_(SECCLASS_HVM, HVM__SETPARAM, "setparam") S_(SECCLASS_HVM, HVM__GETPARAM, "getparam") - S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram") S_(SECCLASS_HVM, HVM__PCILEVEL, "pcilevel") S_(SECCLASS_HVM, HVM__IRQLEVEL, "irqlevel") S_(SECCLASS_HVM, HVM__PCIROUTE, "pciroute") S_(SECCLASS_HVM, HVM__BIND_IRQ, "bind_irq") S_(SECCLASS_HVM, HVM__CACHEATTR, "cacheattr") + S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram") S_(SECCLASS_EVENT, EVENT__BIND, "bind") S_(SECCLASS_EVENT, EVENT__SEND, "send") S_(SECCLASS_EVENT, EVENT__STATUS, "status") S_(SECCLASS_EVENT, EVENT__NOTIFY, "notify") S_(SECCLASS_EVENT, EVENT__CREATE, "create") - S_(SECCLASS_EVENT, EVENT__VECTOR, "vector") S_(SECCLASS_EVENT, EVENT__RESET, "reset") S_(SECCLASS_GRANT, GRANT__MAP_READ, "map_read") S_(SECCLASS_GRANT, GRANT__MAP_WRITE, "map_write") diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h index f5dcc6f..4c2ffb6 100644 --- a/xen/xsm/flask/include/av_permissions.h +++ b/xen/xsm/flask/include/av_permissions.h @@ -70,8 +70,7 @@ #define EVENT__STATUS 0x00000004UL #define EVENT__NOTIFY 0x00000008UL #define EVENT__CREATE 0x00000010UL -#define EVENT__VECTOR 0x00000020UL -#define EVENT__RESET 0x00000040UL +#define EVENT__RESET 0x00000020UL #define GRANT__MAP_READ 0x00000001UL #define GRANT__MAP_WRITE 0x00000002UL -- 1.7.7.3 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |