From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Wei Liu <wei.liu2@citrix.com>
Cc: Xen-devel <xen-devel@lists.xenproject.org>,
	Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [PATCH] flask: add gcov_op check
Date: Thu, 13 Oct 2016 10:42:51 -0400
Message-ID: <20161013144250.GB8682@x230.dumpdata.com>
In-Reply-To: <1476369433-8871-1-git-send-email-wei.liu2@citrix.com>

On Thu, Oct 13, 2016 at 03:37:13PM +0100, Wei Liu wrote:
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> ---
> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> ---
>  tools/flask/policy/modules/dom0.te  | 2 +-
>  xen/xsm/flask/hooks.c               | 3 +++
>  xen/xsm/flask/policy/access_vectors | 2 ++
>  3 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
> index 2d982d9..54c3572 100644
> --- a/tools/flask/policy/modules/dom0.te
> +++ b/tools/flask/policy/modules/dom0.te
> @@ -15,7 +15,7 @@ allow dom0_t xen_t:xen {
>  };
>  allow dom0_t xen_t:xen2 {
>  	resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol
> -	get_cpu_levelling_caps get_cpu_featureset livepatch_op
> +	get_cpu_levelling_caps get_cpu_featureset livepatch_op gcov_op
>  };
>  
>  # Allow dom0 to use all XENVER_ subops that have checks.
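
Review bot: gcov_op is added to the unconditional "allow dom0_t xen_t:xen2" list, but the commit message has no body, so nothing records why dom0 should hold this permission by default. A sentence in the commit message stating the intent (dom0 is expected to issue XEN_SYSCTL_gcov_op) would make the grant reviewable later.
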
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 177c11f..040a251 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -822,6 +822,9 @@ static int flask_sysctl(int cmd)
>      case XEN_SYSCTL_livepatch_op:
>          return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
>                                      XEN2__LIVEPATCH_OP, NULL);
> +    case XEN_SYSCTL_gcov_op:
> +        return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
> +                                    XEN2__GCOV_OP, NULL);
>  
>      default:
>          return avc_unknown_permission("sysctl", cmd);
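
Review bot: the new "case XEN_SYSCTL_gcov_op:" in flask_sysctl() changes how this sysctl is handled, since until now it reached "default:" and avc_unknown_permission("sysctl", cmd), and the commit message does not mention that. It is worth stating, because the call is now checked against XEN2__GCOV_OP and any policy that does not grant gcov_op will have it evaluated as an ordinary permission check. Note also that flask_sysctl() only receives cmd, so this single vector covers the whole sysctl.
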
> diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
> index 49c9a9e..92e6da9 100644
> --- a/xen/xsm/flask/policy/access_vectors
> +++ b/xen/xsm/flask/policy/access_vectors
> @@ -99,6 +99,8 @@ class xen2
>      get_cpu_featureset
>  # XEN_SYSCTL_livepatch_op
>      livepatch_op
> +# XEN_SYSCTL_gcov_op
> +    gcov_op
>  }
>  
>  # Classes domain and domain2 consist of operations that a domain performs on
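
Review bot: the "# XEN_SYSCTL_gcov_op" comment above the new gcov_op entry names the sysctl but not what the permission allows. A short description in the comment would help policy authors decide whether to grant it to anything other than dom0_t.
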
> -- 
> 2.1.4
> 

Thread overview: 3+ messages
2016-10-13 14:37 [PATCH] flask: add gcov_op check Wei Liu
2016-10-13 14:42 ` Konrad Rzeszutek Wilk [this message]
2016-10-13 18:55 ` Daniel De Graaf