* [PATCH] flask/policy: allow configure_domain call during domain creation
From: Andrii Tseglytskyi @ 2014-08-29 12:41 UTC
  To: xen-devel, Julien Grall

If XSM is enabled, the XEN_DOMCTL_configure_domain call should be allowed
during domU creation; otherwise the domain will not be created.

Signed-off-by: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>
---
 tools/flask/policy/policy/modules/xen/xen.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index dedc035..e598772 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -49,7 +49,7 @@ define(`create_domain_common', `
 			getdomaininfo hypercall setvcpucontext setextvcpucontext
 			getscheduler getvcpuinfo getvcpuextstate getaddrsize
 			getaffinity setaffinity };
-	allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim  set_max_evtchn };
+	allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim  set_max_evtchn configure_domain };
 	allow $1 $2:security check_context;
 	allow $1 $2:shadow enable;
 	allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
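Review bot: the changed `allow $1 $2:domain2 { ... }` line adds `configure_domain`, but nothing in this patch defines that permission for class `domain2`, and the commit message does not name the change that introduces XEN_DOMCTL_configure_domain. The diffstat touches only xen.if, so state that dependency in the commit message, or fold this one-line policy change into the patch that adds the domctl so the policy rule and the hypercall check land together. Placing it in `create_domain_common` scopes the permission to the domain-creation path, which matches the stated need.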
-- 
1.9.1


* Re: [PATCH] flask/policy: allow configure_domain call during domain creation
From: Andrii Tseglytskyi @ 2014-08-29 12:46 UTC
  To: xen-devel@lists.xen.org, Julien Grall

Hi Julien,

Could you please verify, looks like this is needed for your series ->
http://lists.xen.org/archives/html/xen-devel/2014-07/msg04101.html
([PATCH v2 08/21] xen/arm: Initialize the virtual GIC  later)

Without this I see an error during domU creation:

avc:  denied  { configure_domain } for domid=0 target=1
scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t
tclass=domain2


Regards,
Andrii

On Fri, Aug 29, 2014 at 3:41 PM, Andrii Tseglytskyi
<andrii.tseglytskyi@globallogic.com> wrote:
> If XSM is enabled, the XEN_DOMCTL_configure_domain call should be allowed
> during domU creation; otherwise the domain will not be created.
>
> Signed-off-by: Andrii Tseglytskyi <andrii.tseglytskyi@globallogic.com>
> ---
>  tools/flask/policy/policy/modules/xen/xen.if | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
> index dedc035..e598772 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -49,7 +49,7 @@ define(`create_domain_common', `
>                         getdomaininfo hypercall setvcpucontext setextvcpucontext
>                         getscheduler getvcpuinfo getvcpuextstate getaddrsize
>                         getaffinity setaffinity };
> -       allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim  set_max_evtchn };
> +       allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim  set_max_evtchn configure_domain };
>         allow $1 $2:security check_context;
>         allow $1 $2:shadow enable;
>         allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
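Review bot: the `configure_domain` addition on the `domain2` line is justified in the commit message only by "otherwise domain will not be created"; paste the AVC denial reported earlier in this reply into the commit message. The denial (scontext dom0_t, tcontext domU_t, tclass=domain2) records which source, target and class hit the missing permission, and lets a reader confirm that the rule added to `create_domain_common` matches it.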
> --
> 1.9.1
>



-- 

Andrii Tseglytskyi | Embedded Dev
GlobalLogic
www.globallogic.com


* Re: [PATCH] flask/policy: allow configure_domain call during domain creation
From: Julien Grall @ 2014-08-29 19:02 UTC
  To: Andrii Tseglytskyi, xen-devel@lists.xen.org, Julien Grall

On 29/08/14 08:46, Andrii Tseglytskyi wrote:
> Hi Julien,

Hi Andrii,

> Could you please verify, looks like this is needed for your series ->
> http://lists.xen.org/archives/html/xen-devel/2014-07/msg04101.html

Good catch. As the series will need a few more rounds of review, I plan to
merge this patch into patch #8 and add your signed-off-by. Is that fine with you?

Regards,

-- 
Julien Grall


* Re: [PATCH] flask/policy: allow configure_domain call during domain creation
From: Andrii Tseglytskyi @ 2014-08-29 19:45 UTC
  To: Julien Grall; +Cc: Julien Grall, xen-devel@lists.xen.org

On Fri, Aug 29, 2014 at 10:02 PM, Julien Grall <julien.grall@linaro.org> wrote:
> On 29/08/14 08:46, Andrii Tseglytskyi wrote:
>>
>> Hi Julien,
>
>
> Hi Andrii,
>
>
>> Could you please verify, looks like this is needed for your series ->
>> http://lists.xen.org/archives/html/xen-devel/2014-07/msg04101.html
>
>
> Good catch. As the series will need a few more rounds of review, I plan to merge
> this patch into patch #8 and add your signed-off-by. Is that fine with you?
>


Sure. This is fine with me.

Regards,
Andrii


> Regards,
>
> --
> Julien Grall



-- 

Andrii Tseglytskyi | Embedded Dev
GlobalLogic
www.globallogic.com


* Re: [PATCH] flask/policy: allow configure_domain call during domain creation
From: Julien Grall @ 2014-08-29 20:28 UTC
  To: Andrii Tseglytskyi; +Cc: Julien Grall, xen-devel@lists.xen.org

On 29/08/14 15:45, Andrii Tseglytskyi wrote:
> On Fri, Aug 29, 2014 at 10:02 PM, Julien Grall <julien.grall@linaro.org> wrote:
>> Good catch. As the series will need a few more rounds of review, I plan to merge
>> this patch into patch #8 and add your signed-off-by. Is that fine with you?
>>
>
>
> Sure. This is fine with me.

I've pushed a new version on my tree. It has been updated with the new
version of Arianna's series (v11) and your 2 patches squashed (+ your
signed-off-by).

git://xenbits.xen.org/people/julieng/xen-unstable.git

branch passthrough-v2.2

I've tested the compilation with both XSM_ENABLE={n,y}, but I didn't
try to boot as I don't have an accessible board right now.

Let me know if you find other issues.

Regards,

-- 
Julien Grall
