From: Ian Campbell <ian.campbell@citrix.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>,
Wei Liu <wei.liu2@citrix.com>,
Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: xen-devel <xen-devel@lists.xen.org>
Subject: Re: stubdom migration failure on merlot* XSM related (Was: [adhoc test] 65682: tolerable FAIL])
Date: Mon, 14 Dec 2015 10:14:10 +0000 [thread overview]
Message-ID: <1450088050.30975.113.camel@citrix.com> (raw)
In-Reply-To: <1449847013.30975.47.camel@citrix.com>
On Fri, 2015-12-11 at 15:16 +0000, Ian Campbell wrote:
>
> I have a new flight going on (65755) with flask=permissive instead of
> flask=enforcing (assuming I didn't botch the osstest modifications to
> support that setting via a runvar).
I did botch the mods, but luckily permissive is the default, so I got what
I wanted ;-)
> If that test passes, prints the AVC message but not the missing IRQ message
> then I think that would be our smoking gun.
http://logs.test-lab.xenproject.org/osstest/logs/65758/
From serial-merlot1.log:
Dec 11 18:01:57.001037 (XEN) Flask: 64 avtab hash slots, 236 rules.
Dec 11 18:01:57.009023 (XEN) Flask: 64 avtab hash slots, 236 rules.
Dec 11 18:01:57.017004 (XEN) Flask: 3 users, 3 roles, 36 types, 2 bools
Dec 11 18:01:57.017038 (XEN) Flask: 12 classes, 236 rules
Dec 11 18:01:57.025015 (XEN) Flask: Starting in permissive mode.
[...]
Dec 11 18:06:01.229194 (XEN) avc: denied { pcilevel } for domid=2 target=1 scontext=system_u:system_r:dm_dom_t tcontext=system_u:system_r:domU_t_target tclass=hvm
http://logs.test-lab.xenproject.org/osstest/logs/65758/test-amd64-amd64-xl-qemut-stubdom-debianhvm-amd64-xsm/merlot1---var-log-xen-qemu-dm-debianhvm.guest.osstest--incoming.log.10
i.e. no "uhci_hcd 0000:00:01.2: Unlink after no-IRQ? Controller is
probably using the wrong IRQ." and the test case has passed.
I've running a test with the following patch. I'm reasonably hopeful.
Ian.
From 3f14c5afedc0df360952364b93c2f04de00f00c4 Mon Sep 17 00:00:00 2001
From: Ian Campbell <ian.campbell@citrix.com>
Date: Mon, 14 Dec 2015 08:22:41 +0000
Subject: [PATCH] flask: Allow device model to raise PCI interrupts (pcilevel
capability)
Allows:
(XEN) avc: denied { pcilevel } for domid=2 target=1 scontext=system_u:system_r:dm_dom_t tcontext=system_u:system_r:domU_t_target tclass=hvm
Which otherwise leads to the following on resume after migrate (comparing
non-XSM to XSM):
ata2.00: configured for MWDMA2
usb 1-2: reset full-speed USB device number 2 using uhci_hcd
+PM: restore of devices complete after 3779.268 msecs
usb 1-2: USB disconnect, device number 2
-PM: restore of devices complete after 2342.528 msecs
usb 1-2: new full-speed USB device number 3 using uhci_hcd
usb 1-2: New USB device found, idVendor=0627, idProduct=0001
usb 1-2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb 1-2: Product: QEMU USB Tablet
usb 1-2: Manufacturer: QEMU 0.10.2
usb 1-2: SerialNumber: 1
input: QEMU 0.10.2 QEMU USB Tablet as /devices/pci0000:00/0000:00:01.2/usb1/1-2/1-2:1.0/input/input8
generic-usb 0003:0627:0001.0002: input,hidraw0: USB HID v0.01 Pointer [QEMU 0.10.2 QEMU USB Tablet] on usb-0000:00:01.2-2/input0
Restarting tasks ... done.
Setting capacity to 20480000
Setting capacity to 20480000
+uhci_hcd 0000:00:01.2: Unlink after no-IRQ? Controller is probably using the wrong IRQ.
And a glitch in the domU which is sufficient to disrupt the post migration
checks done by osstest.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
tools/flask/policy/policy/modules/xen/xen.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 32dd7b3..00d1bbb 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -150,7 +150,7 @@ define(`device_model', `
allow $1 $2_target:domain shutdown;
allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack };
- allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute cacheattr send_irq };
+ allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute pcilevel cacheattr send_irq };
')
# make_device_model(priv, dm_dom, hvm_dom)
--
2.6.1
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2015-12-14 10:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <E1a77eF-00049f-Er@osstest.test-lab.xenproject.org>
2015-12-11 12:12 ` stubdom migration failure on merlot* XSM related (Was: [adhoc test] 65682: tolerable FAIL]) Ian Campbell
2015-12-11 14:05 ` Ian Campbell
2015-12-11 15:12 ` Ian Campbell
2015-12-11 15:16 ` Ian Campbell
2015-12-14 10:14 ` Ian Campbell [this message]
2015-12-14 11:11 ` George Dunlap
2015-12-14 11:30 ` Ian Campbell
2015-12-14 11:55 ` Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1450088050.30975.113.camel@citrix.com \
--to=ian.campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.