[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC] flask: move policy header sources into hypervisor

To: Dario Faggioli <dario.faggioli@xxxxxxxxxx>
From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Date: Wed, 10 Oct 2012 11:32:59 -0400
Cc: Marcus Granado <Marcus.Granado@xxxxxxxxxxxxx>, "andre.przywara@xxxxxxx" <andre.przywara@xxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxx>, "anil@xxxxxxxxxx" <anil@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, "juergen.gross@xxxxxxxxxxxxxx" <juergen.gross@xxxxxxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, "JBeulich@xxxxxxxx" <JBeulich@xxxxxxxx>, "msw@xxxxxxxxxx" <msw@xxxxxxxxxx>, "Keir \(Xen.org\)" <keir@xxxxxxx>
Delivery-date: Wed, 10 Oct 2012 15:33:37 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 10/10/2012 10:39 AM, Dario Faggioli wrote:
[...]
>> A more general note on the topic of what XSM permissions to use: 
>> normally, each domctl has its own permission, and so adding new domctls
>> would be done by adding a new permission to the access_vectors file
>> (which is the source of av_perm_to_string.h). However, for this case, it
>> seems rather unlikely that one would want to allow access to vcpu
>> affinity and deny node affinity, so using the same permission for both 
>> accesses is the best solution.
>>
> Yes, exactly.
> 
> Moreover, looking at xen/xsm/flask/include/av_permissions.h where
> DOMAIN__{GET,SET}VCPUAFFINITY are, I got thee impression that there is
> no more space left for DOMAIN__* permissions, as they already go from
> 0x00000001UL to 0x80000000UL... Is that so?

Yes. My XSM patch series expands this by adding SECCLASS_DOMAIN2 to address
this (and that part is already in 4.3). This solution can be applied to any
XSM classes needing more than 32 permission bits.

-- 
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- Re: [Xen-devel] [PATCH 4 of 8] xen: allow for explicitly specifying node-affinity
  - From: Ian Campbell
- [Xen-devel] [PATCH RFC] flask: move policy header sources into hypervisor
  - From: Daniel De Graaf
- Re: [Xen-devel] [PATCH RFC] flask: move policy header sources into hypervisor
  - From: Dario Faggioli
- Re: [Xen-devel] [PATCH RFC] flask: move policy header sources into hypervisor
  - From: Daniel De Graaf
- Re: [Xen-devel] [PATCH RFC] flask: move policy header sources into hypervisor
  - From: Dario Faggioli

Prev by Date: Re: [Xen-devel] [xen-unstable test] 13944: regressions - FAIL
Next by Date: [Xen-devel] Kernel 3.7.0-pre-rc1: mcelog:4344 map pfn expected mapping type write-back for [mem 0x0009f000-0x000a0fff], got uncached-minus, WARNING: at arch/x86/mm/pat.c:774 untrack_pfn+0x8c/0xc0()
Previous by thread: Re: [Xen-devel] [PATCH RFC] flask: move policy header sources into hypervisor
Next by thread: Re: [Xen-devel] [PATCH 4 of 8] xen: allow for explicitly specifying node-affinity
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.