Re: [Xen-devel] [PATCH 03/19] arch/x86: add distinct XSM hooks for map/unmap
On 11/19/2012 03:59 AM, Jan Beulich wrote: >>>> On 16.11.12 at 19:28, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote: >> -static int flask_irq_permission (struct domain *d, int irq, uint8_t access) >> +static int flask_unmap_domain_pirq (struct domain *d, int irq) >> { >> - u32 perm; >> - u32 rsid; >> + u32 sid; >> int rc = -EPERM; >> >> - struct domain_security_struct *ssec, *tsec; >> + struct domain_security_struct *ssec; >> struct avc_audit_data ad; >> >> - rc = domain_has_perm(current->domain, d, SECCLASS_RESOURCE, >> - resource_to_perm(access)); >> - >> + rc = domain_has_perm(current->domain, d, SECCLASS_RESOURCE, >> RESOURCE__REMOVE); >> if ( rc ) >> return rc; >> >> - if ( access ) >> - perm = RESOURCE__ADD_IRQ; >> - else >> - perm = RESOURCE__REMOVE_IRQ; >> - >> ssec = current->domain->ssid; >> - tsec = d->ssid; >> >> - rc = get_irq_sid(irq, &rsid, &ad); >> - if ( rc ) >> - return rc; >> - >> - rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, &ad); >> + if ( irq >= nr_irqs_gsi ) { > > Isn't the use of nr_irqs_gsi x86-specific? > > Jan > It's defined in xen/include/xen/irq.h (not in an x86-specific file), so I hadn't assumed so. The check here is to avoid needing to allow access to the MSI IRQs by number since they are dynamic and therefore meaningless in a statically-defined policy. >> + /* TODO support for MSI here */ >> + return 0; >> + } else { >> + rc = get_irq_sid(irq, &sid, &ad); >> + } >> if ( rc ) >> return rc; >> >> - if ( access ) >> - rc = avc_has_perm(tsec->sid, rsid, SECCLASS_RESOURCE, >> - RESOURCE__USE, &ad); >> + rc = avc_has_perm(ssec->sid, sid, SECCLASS_RESOURCE, >> RESOURCE__REMOVE_IRQ, &ad); >> return rc; >> } > > > -- Daniel De Graaf National Security Agency _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
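Review bot: In flask_unmap_domain_pirq, the `irq >= nr_irqs_gsi` branch returns 0 before reaching `avc_has_perm(ssec->sid, sid, SECCLASS_RESOURCE, RESOURCE__REMOVE_IRQ, &ad)`, so for MSI pirqs the only check that runs is the domain-level `domain_has_perm(..., RESOURCE__REMOVE)`. If that is intentional, the `/* TODO support for MSI here */` comment should say so and give the reason stated in the reply (MSI IRQ numbers are dynamic and so cannot be named in a statically defined policy), so that a later reader does not mistake the allow-by-default path for an oversight. Two smaller points in the same function: the `else` is unnecessary because the preceding branch returns, which would let `rc = get_irq_sid(irq, &sid, &ad);` sit at function level directly above its `if ( rc )` test, and the `-EPERM` initializer on `rc` is never observed because `rc` is assigned by the `domain_has_perm` call before it is read.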