Xen project Mailing List

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

To: Doug Goldstein <cardoe@xxxxxxxxxx>, Anshul Makkar <anshul.makkar@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx

From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Date: Tue, 3 Jan 2017 13:20:13 -0500

Cc: ian.jackson@xxxxxxxxxxxxx, wei.liu2@xxxxxxxxxx

Delivery-date: Tue, 03 Jan 2017 18:20:38 +0000

Ironport-phdr: 9a23:y+TohxcPqSs1CSi0N4XqXwodlGMj4u6mDksu8pMizoh2WeGdxc27ZxSN2/xhgRfzUJnB7Loc0qyN4vymADdLuM7R+Fk5M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe71/IRG5oAnLq8Ubj4RuJrstxhbKv3BFZ/lYyWR0KFyJgh3y/N2w/Jlt8yRRv/Iu6ctNWrjkcqo7ULJVEi0oP3g668P3uxbDSxCP5mYHXWUNjhVIGQnF4wrkUZr3ryD3q/By2CiePc3xULA0RTGv5LplRRP0lCsKMSMy/XrJgcJskq1UvBOhpwR+w4HKZoGVKOF+db7Zcd8DWGZNQtpdWylHD4yydYsPC/cKM/heoYfzulACqQKyCRewCO/qzDJDm3340rAg0+k5EQ/IwRIuH9wJsHrXotv6OqgdXuKpw6fH1jjDc/Fb1C3h5ITUfB0so/eBVq9wf8rLzkkvEhvIgFuKpozjPjOayOANuHWV4eV+SOmhinQnpBtrrTih28whjZTGho0IxV/a+iV52pw6KMakSE97fdGkEJxQuzucN4ttWMwuWW5ouCEkyrAfv5OwYSsEyIw/yhLCZPGKfJKE7xL+WOqLPzt1i2xpdKiiixu07EOu0PfzVtOu31ZPtidFl97MuW0T2BHL8ciHT+d9/l+m2TaSywDf8uFELl4wlarcM5Mh3qQ/loASsUTeBS/6gln2ja+KeUUk/eik8eLnban9ppCALYN0jwD+MqA2lsy+B+Q3LBQOUnCG9emz27Dv5030TKhQgvEonaTVrorWKdkDqq68GQBV04Ij6xilDzeh1dQVhWQILF1Ydx2ZgIjpIUvBLevkDfa/n1uskDBry+rAPr36GJrBNHfDkLD/fbpl8U5T1BIzzcxD55JTErwOPOj8WlXsu9zfEBA0KBC7zPz9CNpg0YMRR3iDDbOeMKPXqVWI/P4gI/GQZI8JvzbwM+Iq5/j1jX85hF8debOl3Z4NZ3C7HfRpOV+ZbGHwjdcADWcKpAs+TePwhFKeVj5TYm64X7gg6TEjFIKmEYDDS5iigbOf2ie3B4BZaX5YCl+SFXflbIGEW/YXaCKOOc9tiDMFWqanS4M70hGurgD6waJ9LuXI4i0YqY7j1N9t6uzdix4y9CZ4D8Cc02GQUW15hX8HRz4q3KBloEx8xU2P3rR/g/xdDdZT/e9GUh8mNZ7AyOx3E9HyVRjHftuTSlapWMmpATIqTtI2xd8DeFhyG8i4gh/f3iqqH6UVl72EBZAu7q3c2H3xdI5BzCPq07Qux3YhRsdUKWCngOYr/AHJC4nEu06QjaqteOIX2yubsC+qy3GOoUUQdQdzUqzfFSQWYFDWsNC/40rBTLa0Ib8mLhFA2YiJLa4cLpX5gFMDSPr9NdD2Z2Oqh3z2FRuOgLSWY9nEYWIYiQnUDkkJl0g/8D6pLwE3CG/1r23SATN0HHrzckjs9q94s3r9QUgqmVLZJ3Z93qa4r0ZGzceXTOkei/dd4n8s

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 12/19/2016 11:03 PM, Doug Goldstein wrote:

On 12/19/16 10:02 AM, Doug Goldstein wrote:

On 12/14/16 3:09 PM, Daniel De Graaf wrote:

On 12/12/2016 09:00 AM, Anshul Makkar wrote:

During guest migrate allow permission to prevent
spurious page faults.
Prevents these errors:
d73: Non-privileged (73) attempt to map I/O space 00000000

avc: denied  { set_misc_info } for domid=0 target=11
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

GPU passthrough for hvm guest:
avc:  denied  { send_irq } for domid=0 target=10
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=hvm

Signed-off-by: Anshul Makkar <anshul.makkar@xxxxxxxxxx>


Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>


Daniel,

Should this be backported to 4.8?

Yes, I would consider this a candidate for backporting.

FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?

I believe this is fixed now; my email server was changed while I was gone for the holiday and apparently the change was not tested properly. -- Daniel De Graaf National Security Agency _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.