Xen project Mailing List

Re: [Xen-devel] [PATCH 07/18] arch/x86: add missing XSM checks to XENPF_ commands

To: "Daniel De Graaf" <dgdegra@xxxxxxxxxxxxx>

From: "Jan Beulich" <JBeulich@xxxxxxxx>

Date: Mon, 06 Aug 2012 15:57:49 +0100

Delivery-date: Mon, 06 Aug 2012 14:58:00 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 06.08.12 at 16:32, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote: What's the point of doing XSM checks for Dom0-only interfaces anyway? I don't see how these can be subject to disaggregation... Jan > Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> > --- > tools/flask/policy/policy/modules/xen/xen.te | 4 ++-- > xen/arch/x86/platform_hypercall.c | 8 ++++++++ > 2 files changed, 10 insertions(+), 2 deletions(-) > > diff --git a/tools/flask/policy/policy/modules/xen/xen.te > b/tools/flask/policy/policy/modules/xen/xen.te > index 40c4c0a..1162153 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.te > +++ b/tools/flask/policy/policy/modules/xen/xen.te > @@ -53,8 +53,8 @@ type device_t, resource_type; > # > > ############################################################################# > ### > allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add > mtrr_del > - scheduler physinfo heap quirk readconsole writeconsole settime > - microcode cpupool_op sched_op }; > + scheduler physinfo heap quirk readconsole writeconsole settime > getcpuinfo > + microcode cpupool_op sched_op pm_op }; > allow dom0_t xen_t:mmu { memorymap }; > allow dom0_t security_t:security { check_context compute_av compute_create > compute_member load_policy compute_relabel compute_user setenforce > diff --git a/xen/arch/x86/platform_hypercall.c > b/xen/arch/x86/platform_hypercall.c > index 88880b0..c049db7 100644 > --- a/xen/arch/x86/platform_hypercall.c > +++ b/xen/arch/x86/platform_hypercall.c > @@ -501,6 +501,10 @@ ret_t do_platform_op(XEN_GUEST_HANDLE(xen_platform_op_t) > u_xenpf_op) > { > struct xenpf_pcpu_version *ver = &op->u.pcpu_version; > > + ret = xsm_getcpuinfo(); > + if ( ret ) > + break; > + > if ( !get_cpu_maps() ) > { > ret = -EBUSY; > @@ -618,6 +622,10 @@ ret_t do_platform_op(XEN_GUEST_HANDLE(xen_platform_op_t) > u_xenpf_op) > { > uint32_t idle_nums; > > + ret = xsm_pm_op(); > + if ( ret ) > + break; > + > switch(op->u.core_parking.type) > { > case XEN_CORE_PARKING_SET: > -- > 1.7.11.2 > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@xxxxxxxxxxxxx > http://lists.xen.org/xen-devel _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.