|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 03/19] arch/x86: add distinct XSM hooks for map/unmap
>>> On 19.11.12 at 15:53, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote:
> On 11/19/2012 03:59 AM, Jan Beulich wrote:
>>>>> On 16.11.12 at 19:28, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote:
>>> -static int flask_irq_permission (struct domain *d, int irq, uint8_t access)
>>> +static int flask_unmap_domain_pirq (struct domain *d, int irq)
>>> {
>>> - u32 perm;
>>> - u32 rsid;
>>> + u32 sid;
>>> int rc = -EPERM;
>>>
>>> - struct domain_security_struct *ssec, *tsec;
>>> + struct domain_security_struct *ssec;
>>> struct avc_audit_data ad;
>>>
>>> - rc = domain_has_perm(current->domain, d, SECCLASS_RESOURCE,
>>> - resource_to_perm(access));
>>> -
>>> + rc = domain_has_perm(current->domain, d, SECCLASS_RESOURCE,
> RESOURCE__REMOVE);
>>> if ( rc )
>>> return rc;
>>>
>>> - if ( access )
>>> - perm = RESOURCE__ADD_IRQ;
>>> - else
>>> - perm = RESOURCE__REMOVE_IRQ;
>>> -
>>> ssec = current->domain->ssid;
>>> - tsec = d->ssid;
>>>
>>> - rc = get_irq_sid(irq, &rsid, &ad);
>>> - if ( rc )
>>> - return rc;
>>> -
>>> - rc = avc_has_perm(ssec->sid, rsid, SECCLASS_RESOURCE, perm, &ad);
>>> + if ( irq >= nr_irqs_gsi ) {
>>
>> Isn't the use of nr_irqs_gsi x86-specific?
>
> It's defined in xen/include/xen/irq.h (not in an x86-specific file), so I
> hadn't assumed so. The check here is to avoid needing to allow access to
> the MSI IRQs by number since they are dynamic and therefore meaningless in
> a statically-defined policy.
Indeed, there are other uses in common code. We may need to
do something about this for ARM.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |