From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jean Guyader Subject: [PATCH] xsm: Add support for HVMOP_track_dirty_vram. Date: Mon, 7 Nov 2011 19:53:55 +0000 Message-ID: <1320695635-4208-1-git-send-email-jean.guyader@eu.citrix.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------true" Return-path: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: xen-devel@lists.xensource.com Cc: jwcart2@tycho.nsa.gov, Jean Guyader List-Id: xen-devel@lists.xenproject.org --------------true Content-Type: text/plain; charset="UTF-8"; format=fixed Content-Transfer-Encoding: 8bit Xen tries to enforce the xsm policy when a HVMOP_track_dirty_vram is received (xen/arch/x86/hvm/hvm.c:3637). It was failing because in flask_hvmcontext, xsm didn't have any case for this operation. Signed-off-by: Jean Guyader --- tools/flask/policy/policy/flask/access_vectors | 1 + tools/flask/policy/policy/modules/xen/xen.if | 2 +- xen/xsm/flask/hooks.c | 3 +++ xen/xsm/flask/include/av_perm_to_string.h | 1 + xen/xsm/flask/include/av_permissions.h | 1 + 5 files changed, 7 insertions(+), 1 deletions(-) --------------true Content-Type: text/x-patch; name="0001-xsm-Add-support-for-HVMOP_track_dirty_vram.patch" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="0001-xsm-Add-support-for-HVMOP_track_dirty_vram.patch" diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors index 27fb9d7..9d09c5b 100644 --- a/tools/flask/policy/policy/flask/access_vectors +++ b/tools/flask/policy/policy/flask/access_vectors @@ -90,6 +90,7 @@ class hvm pciroute bind_irq cacheattr + trackdirtyvram } class event diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index 99afad6..bf3b794 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if 
+++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -22,7 +22,7 @@ define(`create_domain', ` ################################################################################ define(`create_hvm_dom', ` create_domain($1, $2, $3) - allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel pcilevel }; + allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel pcilevel trackdirtyvram }; allow $2 $2:hvm setparam; ') diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 30c91e5..e70feda 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -816,6 +816,9 @@ static int flask_hvmcontext(struct domain *d, uint32_t cmd) case XEN_DOMCTL_gethvmcontext_partial: perm = HVM__GETHVMC; break; + case HVMOP_track_dirty_vram: + perm = HVM__TRACKDIRTYVRAM; + break; default: return -EPERM; } diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h index b10a252..c32488e 100644 --- a/xen/xsm/flask/include/av_perm_to_string.h +++ b/xen/xsm/flask/include/av_perm_to_string.h @@ -56,6 +56,7 @@ S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc") S_(SECCLASS_HVM, HVM__SETPARAM, "setparam") S_(SECCLASS_HVM, HVM__GETPARAM, "getparam") + S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram") S_(SECCLASS_HVM, HVM__PCILEVEL, "pcilevel") S_(SECCLASS_HVM, HVM__IRQLEVEL, "irqlevel") S_(SECCLASS_HVM, HVM__PCIROUTE, "pciroute") diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h index 14bd053..f5dcc6f 100644 --- a/xen/xsm/flask/include/av_permissions.h +++ b/xen/xsm/flask/include/av_permissions.h 
@@ -63,6 +63,7 @@ #define HVM__PCIROUTE 0x00000040UL #define HVM__BIND_IRQ 0x00000080UL #define HVM__CACHEATTR 0x00000100UL +#define HVM__TRACKDIRTYVRAM 0x00000200UL #define EVENT__BIND 0x00000001UL #define EVENT__SEND 0x00000002UL --------------true Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --------------true--
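Review bot: in the xen/xsm/flask/hooks.c hunk, the new `case HVMOP_track_dirty_vram:` joins a switch whose existing cases are XEN_DOMCTL_* values (`case XEN_DOMCTL_gethvmcontext_partial:` is right above it), so flask_hvmcontext now matches one `uint32_t cmd` against constants from two separate command namespaces. The switch cannot tell an HVMOP value from a XEN_DOMCTL value that happens to share the same number, which would select the wrong HVM__* permission for the check. Suggest a dedicated hook for the HVMOP path, or at least a comment on the function stating which callers pass which namespace and that the handled values do not overlap. Keeping `default: return -EPERM;` untouched is right, since unknown commands stay denied.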
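Review bot: in the tools/flask/policy/policy/modules/xen/xen.if hunk, `trackdirtyvram` is added to the `allow $1 $2:hvm { ... }` rule inside create_hvm_dom, so every domain the policy allows to create an HVM guest gains it over that guest, yet the commit message does not say which caller issues HVMOP_track_dirty_vram. Please name the caller that needs the permission in the commit message and consider whether the grant belongs in a narrower macro than the general creation one, so the policy stays least-privilege.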
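Review bot: in the xen/xsm/flask/include/av_perm_to_string.h hunk, the new `S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")` entry is placed between HVM__GETPARAM and HVM__PCILEVEL, while access_vectors adds `trackdirtyvram` after `cacheattr` and av_permissions.h gives it the next bit after HVM__CACHEATTR (0x00000200UL). Moving the entry to follow the cacheattr line would keep all three files in the same permission order and make a later audit of the bit assignments easier.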