
[for-4.20][PATCH 3/3] xen/flask: Wire up XEN_DOMCTL_set_llc_colors


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Michal Orzel <michal.orzel@xxxxxxx>
  • Date: Tue, 7 Jan 2025 10:27:19 +0100
  • Cc: Michal Orzel <michal.orzel@xxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, <oleksii.kurochko@xxxxxxxxx>
  • Delivery-date: Tue, 07 Jan 2025 09:27:39 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Addition of FLASK permission for this hypercall was overlooked in the
original patch. Fix it. Setting LLC colors is only possible during domain
creation.

Fixes: 6985aa5e0c3c ("xen: extend domctl interface for cache coloring")
Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
---
 tools/flask/policy/modules/xen.if   | 2 +-
 xen/xsm/flask/hooks.c               | 3 +++
 xen/xsm/flask/policy/access_vectors | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/tools/flask/policy/modules/xen.if 
b/tools/flask/policy/modules/xen.if
index def60da88301..f7cf7c43c80b 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -54,7 +54,7 @@ define(`create_domain_common', `
        allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim
                        set_vnumainfo get_vnumainfo cacheflush
                        psr_cmt_op psr_alloc soft_reset
-                       resource_map get_cpu_policy vuart_op };
+                       resource_map get_cpu_policy vuart_op set_llc_colors };
        allow $1 $2:security check_context;
        allow $1 $2:shadow enable;
        allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage 
mmuext_op updatemp };
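Review bot: set_llc_colors is added to the shared `allow $1 $2:domain2 { ... }` rule in create_domain_common, so every type that goes through this macro gains the permission. That fits the commit message's statement that colors can only be set during domain creation, but the reason is recorded nowhere in the policy itself; a short `#` comment above the rule, or a sentence in the commit message saying that no other interface should carry this permission, would keep later policy edits from widening it. The changed line is also noticeably longer than its neighbours, so consider moving set_llc_colors onto its own continuation line.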
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index e263e745d441..14d84df9cad6 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -847,6 +847,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned 
int cmd,
     case XEN_DOMCTL_dt_overlay:
         return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__DT_OVERLAY);
 
+    case XEN_DOMCTL_set_llc_colors:
+        return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_LLC_COLORS);
+
     default:
         return avc_unknown_permission("domctl", cmd);
     }
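Review bot: the commit message says the permission was overlooked but not what that meant at runtime. From this hunk, before the new case XEN_DOMCTL_set_llc_colors reached `default: return avc_unknown_permission("domctl", cmd);`, so the command was handled as an unknown domctl rather than checked against a named permission. Suggest saying that in the commit message, since it is what justifies the for-4.20 tag. The check itself, against the target domain d in SECCLASS_DOMAIN2, follows the XEN_DOMCTL_dt_overlay case directly above it.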
diff --git a/xen/xsm/flask/policy/access_vectors 
b/xen/xsm/flask/policy/access_vectors
index 78fe37583b18..320d77706dee 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -255,6 +255,8 @@ class domain2
     vuart_op
 # XEN_DOMCTL_dt_overlay
     dt_overlay
+# XEN_DOMCTL_set_llc_colors
+    set_llc_colors
 }
 
 # Similar to class domain, but primarily contains domctls related to HVM 
domains
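Review bot: the new `# XEN_DOMCTL_set_llc_colors` comment names only the domctl, in the same style as the dt_overlay entry above it. Since the commit message states that LLC colors can only be set during domain creation, consider extending the comment to say so, so that policy writers reading access_vectors know this vector belongs only with domain-creation rules. Appending the entry at the end of class domain2, after dt_overlay, leaves the position of the existing vectors unchanged.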
-- 
2.25.1




 

