
Re: [Xen-devel] [PATCH] xsm_remove_from_physmap is (so far) only defined for X86 architecture, not for ARM

On 01/17/2013 12:05 PM, Ian Campbell wrote:
> On Tue, 2013-01-15 at 14:35 +0000, Daniel De Graaf wrote:
>> The rest of the changes look correct. The #ifdefs are a bit ugly, but
>> refactoring the MSI code into an arch-specific function should fix
>> that. 
> I've just sent out a new patch which takes care of only the build failure
> on ARM with XSM disabled.
> For fixing the flask build on ARM: what does security_device_sid return?
> If I want to refactor this:
>         #ifdef CONFIG_X86
>             if ( desc->msi_desc ) {
>                 struct pci_dev *dev = desc->msi_desc->dev;
>                 u32 sbdf = (dev->seg << 16) | (dev->bus << 8) | dev->devfn;
>                 if (ad) {
>                     AVC_AUDIT_DATA_INIT(ad, DEV);
>                     ad->device = sbdf;
>                 }
>                 return security_device_sid(sbdf, sid);
>             }
>         #endif
> into an arch specific function I need to be able to return something in
> the !desc->msi_desc case. Can a sid be any integer or could I return
> e.g. 0 in this case?
> Ian.

There are some reserved sids that might be useful here (SECINITSID_UNLABELED
if this case shouldn't be encountered). Zero might be the most suitable value,
since zero is not a valid sid and can be used to indicate "unable to resolve".
Zero will be treated as the unlabeled SID if passed to avc_has_perm.

security_device_sid returns either SECINITSID_DEVICE or the assigned SID of
the requested PCI device (as indexed by its sbdf number, and set either in
XSM policy or by flask-label-pci).

Daniel De Graaf
National Security Agency
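
The refactoring discussed in this thread, sketched as an added example (not code from the Xen tree or from either poster): a hypothetical arch hook `arch_msi_sid` leaves the sid at 0 when the IRQ has no MSI descriptor, and the common caller treats 0 as "unable to resolve". The structs, the mock `security_device_sid`, the SID numbers and the generic fallback label are constructed stand-ins, not Xen's definitions.

```c
#include <stdint.h>
#include <stddef.h>
/* Stand-ins constructed for this example; the values are NOT Xen's. */
#define SID_UNRESOLVED 0u   /* zero is not a valid sid, per the reply above */
#define EX_SID_DEVICE  100u /* placeholder for SECINITSID_DEVICE */
#define EX_SID_IRQ     101u /* assumed generic label for a non-MSI IRQ */

struct pci_dev  { uint16_t seg; uint8_t bus; uint8_t devfn; };
struct msi_desc { struct pci_dev *dev; };
struct irq_desc { struct msi_desc *msi_desc; };

/* Constructed policy table: sbdf -> assigned SID. */
static const struct { uint32_t sbdf, sid; } labels[] = { { 0x00010308u, 200u } };

/* Mock of security_device_sid: assigned SID if labelled, else the device default. */
static int security_device_sid(uint32_t sbdf, uint32_t *sid)
{
    *sid = EX_SID_DEVICE;
    for (size_t i = 0; i < sizeof(labels) / sizeof(labels[0]); i++)
        if (labels[i].sbdf == sbdf)
            *sid = labels[i].sid;
    return 0;
}

/* Hypothetical arch hook (x86 flavour): *sid stays 0 when there is no MSI.
 * An arch without MSI support would only set *sid = 0 and return 0. */
static int arch_msi_sid(const struct irq_desc *desc, uint32_t *sid, uint32_t *sbdf)
{
    *sid = SID_UNRESOLVED;
    if (!desc->msi_desc)
        return 0;
    const struct pci_dev *dev = desc->msi_desc->dev;
    *sbdf = ((uint32_t)dev->seg << 16) | ((uint32_t)dev->bus << 8) | dev->devfn;
    return security_device_sid(*sbdf, sid);   /* sbdf is also what audit data records */
}

/* Common caller, no #ifdef: an unresolved sid falls through to the generic label. */
static int irq_sid(const struct irq_desc *desc, uint32_t *sid)
{
    uint32_t sbdf = 0;
    int rc = arch_msi_sid(desc, sid, &sbdf);
    if (rc || *sid != SID_UNRESOLVED)
        return rc;
    *sid = EX_SID_IRQ;
    return 0;
}

int main(void) {
    struct irq_desc none = { NULL }; uint32_t sid;
    return irq_sid(&none, &sid) == 0 && sid == EX_SID_IRQ ? 0 : 1;
}
```

Because 0 can never be a real label, the caller can tell "no MSI device" apart from a device that resolved to the default device SID.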
