
Re: [Xen-devel] [PATCH v12 11/14] flask/policy: allow domU to use previously-mapped I/O-memory



On Sat, 2014-08-30 at 18:29 +0200, Arianna Avanzini wrote:
> From: Andrii Tseglytskyi <andrii.tseglytskyi@xxxxxxxxxxxxxxx>
> 
> This commit allows the domU to access previously-mapped I/O-memory
> even if XSM is enabled and FLASK is enforced.

CCing Daniel (XSM maintainer).

I think this is probably OK, but I'm no XSM expert.

(If I were writing the commit message I would have said something like
"Update the example XSM policy to allow...")

> 
> Signed-off-by: Andrii Tseglytskyi <andrii.tseglytskyi@xxxxxxxxxxxxxxx>
> Signed-off-by: Arianna Avanzini <avanzini.arianna@xxxxxxxxx>
> Cc: Dario Faggioli <dario.faggioli@xxxxxxxxxx>
> Cc: Paolo Valente <paolo.valente@xxxxxxxxxx>
> Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
> Cc: Julien Grall <julien.grall@xxxxxxxxxx>
> Cc: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>
> Cc: Jan Beulich <JBeulich@xxxxxxxx>
> Cc: Keir Fraser <keir@xxxxxxx>
> Cc: Tim Deegan <tim@xxxxxxx>
> Cc: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Cc: Eric Trudeau <etrudeau@xxxxxxxxxxxx>
> Cc: Viktor Kleinik <viktor.kleinik@xxxxxxxxxxxxxxx>
> ---
>  tools/flask/policy/policy/modules/xen/xen.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
> b/tools/flask/policy/policy/modules/xen/xen.te
> index bb59fe8..34b5bfa 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -107,6 +107,7 @@ admin_device(dom0_t, device_t)
>  admin_device(dom0_t, irq_t)
>  admin_device(dom0_t, ioport_t)
>  admin_device(dom0_t, iomem_t)
> +admin_device(domU_t, iomem_t)
>  
>  domain_comms(dom0_t, dom0_t)
>  
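Review bot: The added line `admin_device(domU_t, iomem_t)` applies the same macro that the lines above use for dom0_t, and it applies it to the whole iomem_t type. The commit message only describes access to previously-mapped I/O memory. Nothing in the rule itself limits domU_t to ranges that were already mapped for it, so the policy change looks broader than the stated intent. Consider a narrower rule that grants only the permissions a guest needs on its own mappings, or a dedicated domain type for guests that receive I/O memory instead of the generic domU_t. Either way, a comment above the line should say why an unprivileged domain gets an admin_device rule, since this is the example policy that people copy.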



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel