[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC] flask: move policy header sources into hypervisor



On 10/10/2012 10:39 AM, Dario Faggioli wrote:
[...]
>> A more general note on the topic of what XSM permissions to use: 
>> normally, each domctl has its own permission, and so adding new domctls
>> would be done by adding a new permission to the access_vectors file
>> (which is the source of av_perm_to_string.h). However, for this case, it
>> seems rather unlikely that one would want to allow access to vcpu
>> affinity and deny node affinity, so using the same permission for both 
>> accesses is the best solution.
>>
> Yes, exactly.
> 
> Moreover, looking at xen/xsm/flask/include/av_permissions.h where
> DOMAIN__{GET,SET}VCPUAFFINITY are, I got thee impression that there is
> no more space left for DOMAIN__* permissions, as they already go from
> 0x00000001UL to 0x80000000UL... Is that so?

Yes. My XSM patch series expands this by adding SECCLASS_DOMAIN2 to address
this (and that part is already in 4.3). This solution can be applied to any
XSM classes needing more than 32 permission bits.

-- 
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.