From mboxrd@z Thu Jan  1 00:00:00 1970
From: Julien Grall <julien.grall@linaro.org>
Subject: Re: [PATCH v3 20/24] xen/passthrough: Extend
 XEN_DOMCTL_assign_device to support DT device
Date: Tue, 10 Mar 2015 23:07:43 +0000
Message-ID: <54FF793F.5050002@linaro.org>
References: <1421159133-31526-1-git-send-email-julien.grall@linaro.org>	
	<1421159133-31526-21-git-send-email-julien.grall@linaro.org>
	<1424452643.30924.368.camel@citrix.com>
	<54EB5475.3060900@tycho.nsa.gov> <54FF214C.10508@linaro.org>
	<54FF7401.6070900@tycho.nsa.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <julien.grall@linaro.org>) id 1YVTFb-0001vO-Ty
	for xen-devel@lists.xenproject.org; Tue, 10 Mar 2015 23:07:48 +0000
Received: by wevk48 with SMTP id k48so5241179wev.5
	for <xen-devel@lists.xenproject.org>;
	Tue, 10 Mar 2015 16:07:46 -0700 (PDT)
In-Reply-To: <54FF7401.6070900@tycho.nsa.gov>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>, Ian Campbell <ian.campbell@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>, Ian Jackson <ian.jackson@eu.citrix.com>, tim@xen.org, stefano.stabellini@citrix.com, Jan Beulich <jbeulich@suse.com>, Machon Gregory <mbgrego@tycho.ncsc.mil>, xen-devel@lists.xenproject.org
List-Id: xen-devel@lists.xenproject.org

Hi Daniel,

On 10/03/2015 22:45, Daniel De Graaf wrote:
>> BTW, do you have any pointer on how to write a policy for device/IRQ
>> passthrough?
>
> There is a bit of documentation in xsm-flask.txt about device labeling,
> which is the hard part of making passthrough work.  Labels can be set
> either statically in the security policy (as documented in the section
> "Device Labeling") or dynamically using a tool like flask-label-pci
> as documented in "Resource Policy".  Once that is done, then rules to
> allow the passthrough operation can be added, similar to the example
> resource nic_dev_t in xen.te.

I tried to follow xsm-flask.txt and uncomment one of the pirqcon line in 
the xsm policy.

But I got the following error:

policy/modules/xen/xen.te:199:ERROR 'syntax error' at token 'pirqcon' on 
line 1986:
pirqcon 33 system_u:object_r:nic_dev_t

Did I miss anything?

> In order to do static labeling for device passthrough, the nodes in a
> device tree need a 32-bit numeric identifier.  IO memory uses the MFN,
> PCI devices use SBDF, and IRQs and x86 legacy IOs just use the number.

Why it's restricted to an integer? Would it be possible to use a string 
as it's done for the sid?

Regards,


-- 
Julien Grall