
[Xen-devel] [PATCH 2/8] xsm: remove unused xsm_assign_vector check



The PHYSDEVOP_alloc_irq_vector hypercall is a noop, so its XSM check is
not useful. Remove it and the "event vector" FLASK permission.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 tools/flask/policy/policy/flask/access_vectors |    1 -
 tools/flask/policy/policy/modules/xen/xen.if   |    1 -
 tools/flask/policy/policy/modules/xen/xen.te   |    1 -
 xen/arch/x86/physdev.c                         |    4 ----
 xen/include/xsm/xsm.h                          |    6 ------
 xen/xsm/dummy.c                                |    6 ------
 xen/xsm/flask/hooks.c                          |   13 -------------
 xen/xsm/flask/include/av_perm_to_string.h      |    3 +--
 xen/xsm/flask/include/av_permissions.h         |    3 +--
 9 files changed, 2 insertions(+), 36 deletions(-)

diff --git a/tools/flask/policy/policy/flask/access_vectors 
b/tools/flask/policy/policy/flask/access_vectors
index 9d09c5b..1b2687a 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -100,7 +100,6 @@ class event
        status
        notify
        create
-    vector
     reset
 }
 
diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
b/tools/flask/policy/policy/modules/xen/xen.if
index bf3b794..d12af74 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -67,7 +67,6 @@ define(`create_channel', `
 ###############################################################################
 define(`create_passthrough_resource', `
         type $3, resource_type;
-        allow $1 $3:event vector;
         allow $1 $2:resource {add remove};
         allow $1 ioport_t:resource {add_ioport use};
         allow $1 iomem_t:resource {add_iomem use};
diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
b/tools/flask/policy/policy/modules/xen/xen.te
index d95a7da..8113467 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -31,7 +31,6 @@ scheduler physinfo heap quirk readconsole writeconsole 
settime microcode};
 
 allow dom0_t domio_t:mmu {map_read map_write};
 allow dom0_t iomem_t:mmu {map_read map_write};
-allow dom0_t pirq_t:event {vector};
 allow dom0_t xen_t:mmu {memorymap};
 
 allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust updatemp};
diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
index cca56bb..5c7ab68 100644
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -452,10 +452,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE(void) arg)
         if ( !IS_PRIV(v->domain) )
             break;
 
-        ret = xsm_assign_vector(v->domain, irq_op.irq);
-        if ( ret )
-            break;
-
         /* Vector is only used by hypervisor, and dom0 shouldn't
            touch it in its world, return irq_op.irq as the vecotr,
            and make this hypercall dummy, and also defer the vector 
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 1f70e87..82f510d 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -129,7 +129,6 @@ struct xsm_operations {
     int (*hvm_set_pci_link_route) (struct domain *d);
     int (*hvm_inject_msi) (struct domain *d);
     int (*apic) (struct domain *d, int cmd);
-    int (*assign_vector) (struct domain *d, uint32_t pirq);
     int (*xen_settime) (void);
     int (*memtype) (uint32_t access);
     int (*microcode) (void);
@@ -535,11 +534,6 @@ static inline int xsm_apic (struct domain *d, int cmd)
     return xsm_call(apic(d, cmd));
 }
 
-static inline int xsm_assign_vector (struct domain *d, uint32_t pirq)
-{
-    return xsm_call(assign_vector(d, pirq));
-}
-
 static inline int xsm_xen_settime (void)
 {
     return xsm_call(xen_settime());
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 6536948..1b50d0e 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -345,11 +345,6 @@ static int dummy_apic (struct domain *d, int cmd)
     return 0;
 }
 
-static int dummy_assign_vector (struct domain *d, uint32_t pirq)
-{
-    return 0;
-}
-
 static int dummy_xen_settime (void)
 {
     return 0;
@@ -560,7 +555,6 @@ void xsm_fixup_ops (struct xsm_operations *ops)
     set_to_dummy_if_null(ops, hvm_set_isa_irq_level);
     set_to_dummy_if_null(ops, hvm_set_pci_link_route);
     set_to_dummy_if_null(ops, apic);
-    set_to_dummy_if_null(ops, assign_vector);
     set_to_dummy_if_null(ops, xen_settime);
     set_to_dummy_if_null(ops, memtype);
     set_to_dummy_if_null(ops, microcode);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 37b297e..97ae4d9 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -907,18 +907,6 @@ static int flask_apic(struct domain *d, int cmd)
     return domain_has_xen(d, perm);
 }
 
-static int flask_assign_vector(struct domain *d, uint32_t pirq)
-{
-    u32 psid;
-    struct domain_security_struct *dsec;
-    dsec = d->ssid;
-
-    if ( security_pirq_sid(pirq, &psid) )
-        return -EPERM;
-
-    return avc_has_perm(dsec->sid, psid, SECCLASS_EVENT, EVENT__VECTOR, NULL);
-}
-
 static int flask_xen_settime(void)
 {
     return domain_has_xen(current->domain, XEN__SETTIME);
@@ -1306,7 +1294,6 @@ static struct xsm_operations flask_ops = {
     .hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level,
     .hvm_set_pci_link_route = flask_hvm_set_pci_link_route,
     .apic = flask_apic,
-    .assign_vector = flask_assign_vector,
     .xen_settime = flask_xen_settime,
     .memtype = flask_memtype,
     .microcode = flask_microcode,
diff --git a/xen/xsm/flask/include/av_perm_to_string.h 
b/xen/xsm/flask/include/av_perm_to_string.h
index c32488e..70aa02d 100644
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -56,18 +56,17 @@
    S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
    S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
    S_(SECCLASS_HVM, HVM__GETPARAM, "getparam")
-   S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")
    S_(SECCLASS_HVM, HVM__PCILEVEL, "pcilevel")
    S_(SECCLASS_HVM, HVM__IRQLEVEL, "irqlevel")
    S_(SECCLASS_HVM, HVM__PCIROUTE, "pciroute")
    S_(SECCLASS_HVM, HVM__BIND_IRQ, "bind_irq")
    S_(SECCLASS_HVM, HVM__CACHEATTR, "cacheattr")
+   S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")
    S_(SECCLASS_EVENT, EVENT__BIND, "bind")
    S_(SECCLASS_EVENT, EVENT__SEND, "send")
    S_(SECCLASS_EVENT, EVENT__STATUS, "status")
    S_(SECCLASS_EVENT, EVENT__NOTIFY, "notify")
    S_(SECCLASS_EVENT, EVENT__CREATE, "create")
-   S_(SECCLASS_EVENT, EVENT__VECTOR, "vector")
    S_(SECCLASS_EVENT, EVENT__RESET, "reset")
    S_(SECCLASS_GRANT, GRANT__MAP_READ, "map_read")
    S_(SECCLASS_GRANT, GRANT__MAP_WRITE, "map_write")
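Review bot: The move of `S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")` from before the `pcilevel` entry to after `cacheattr` is unrelated to removing the `vector` permission, and the commit message does not mention it. It looks like a by-product of regenerating this table from access_vectors; either leave the reorder out of this patch or say in the description that the header is regenerated, so a reader does not search for a functional change here. Whether the order of S_ entries has any effect depends on how the table is consumed, which is outside this hunk.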
diff --git a/xen/xsm/flask/include/av_permissions.h 
b/xen/xsm/flask/include/av_permissions.h
index f5dcc6f..4c2ffb6 100644
--- a/xen/xsm/flask/include/av_permissions.h
+++ b/xen/xsm/flask/include/av_permissions.h
@@ -70,8 +70,7 @@
 #define EVENT__STATUS                             0x00000004UL
 #define EVENT__NOTIFY                             0x00000008UL
 #define EVENT__CREATE                             0x00000010UL
-#define EVENT__VECTOR                             0x00000020UL
-#define EVENT__RESET                              0x00000040UL
+#define EVENT__RESET                              0x00000020UL
 
 #define GRANT__MAP_READ                           0x00000001UL
 #define GRANT__MAP_WRITE                          0x00000002UL
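Review bot: Renumbering `EVENT__RESET` from `0x00000040UL` to `0x00000020UL` changes the bit the hypervisor tests for the `reset` permission, so the hypervisor and the loaded FLASK policy must be built from the same definitions. A policy binary compiled against the previous access_vectors still encodes `reset` as 0x40 (now unassigned) and `vector` as 0x20, so the `vector` grants it carries (such as the `allow dom0_t pirq_t:event {vector}` rule this series removes from xen.te) would be interpreted by the patched hypervisor as `reset` grants, and genuine `reset` grants would be silently lost. The commit message should state that existing policy binaries have to be rebuilt after this change; if the numbering is hand-maintained rather than generated, keeping `reset` at 0x40 and leaving 0x20 unassigned would avoid the reinterpretation of a stale policy. The same skew applies to the av_perm_to_string.h table, which must agree with these values.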
-- 
1.7.7.3

