[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 03/19] arch/x86: add distinct XSM hooks for map/unmap



On 11/19/2012 03:59 AM, Jan Beulich wrote:
>>>> On 16.11.12 at 19:28, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote:
>> -static int flask_irq_permission (struct domain *d, int irq, uint8_t access)
>> +static int flask_unmap_domain_pirq (struct domain *d, int irq)
>>  {
>> -    u32 perm;
>> -    u32 rsid;
>> +    u32 sid;
>>      int rc = -EPERM;
>>  
>> -    struct domain_security_struct *ssec, *tsec;
>> +    struct domain_security_struct *ssec;
>>      struct avc_audit_data ad;
>>  
>> -    rc = domain_has_perm(current->domain, d, SECCLASS_RESOURCE,
>> -                         resource_to_perm(access));
>> -
>> +    rc = domain_has_perm(current->domain, d, SECCLASS_RESOURCE, 
>> RESOURCE__REMOVE);
>>      if ( rc )
>>          return rc;
>>  
>> -    if ( access )
>> -        perm = RESOURCE__ADD_IRQ;
>> -    else
>> -        perm = RESOURCE__REMOVE_IRQ;
>> -
>>      ssec = current->domain->ssid;
>> -    tsec = d->ssid;
>>  
>> -    rc = get_irq_sid(irq, &rsid, &ad);
>> -    if ( rc )
>> -        return rc;
>> -
>> -    rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, &ad);
>> +    if ( irq >= nr_irqs_gsi ) {
> 
> Isn't the use of nr_irqs_gsi x86-specific?
> 
> Jan
> 

It's defined in xen/include/xen/irq.h (not in an x86-specific file), so I
hadn't assumed so. The check here is to avoid needing to allow access to
the MSI IRQs by number since they are dynamic and therefore meaningless in
a statically-defined policy.

>> +        /* TODO support for MSI here */
>> +        return 0;
>> +    } else {
>> +        rc = get_irq_sid(irq, &sid, &ad);
>> +    }
>>      if ( rc )
>>          return rc;
>>  
>> -    if ( access )
>> -        rc = avc_has_perm(tsec->sid, rsid, SECCLASS_RESOURCE, 
>> -                            RESOURCE__USE, &ad);
>> +    rc = avc_has_perm(ssec->sid, sid, SECCLASS_RESOURCE, 
>> RESOURCE__REMOVE_IRQ, &ad);
>>      return rc;
>>  }
> 
> 
> 


-- 
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.