
List:       xen-cvs
Subject:    [xen master] xen/flask: Wire up XEN_DOMCTL_{get,set}_paging_mempool_size
From:       patchbot () xen ! org
Date:       2022-11-23 20:12:23
Message-ID: E1oxw6Z-00089q-8U () xenbits ! xenproject ! org

commit 345135942bf9632eba1409ba432cfcae3b7649c7
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Mon Nov 21 12:46:39 2022 +0000
Commit:     Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Mon Nov 21 16:12:41 2022 +0000

    xen/flask: Wire up XEN_DOMCTL_{get,set}_paging_mempool_size
    
    These were overlooked in the original patch, and noticed by OSSTest which does
    run some Flask tests.
    
    Fixes: 22b20bd98c02 ("xen: Introduce non-broken hypercalls for the paging mempool size")
    Suggested-by: Daniel Smith <dpsmith@apertussolutions.com>
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
    Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
    Release-acked-by: Henry Wang <Henry.Wang@arm.com>
---
 tools/flask/policy/modules/dom0.te  | 3 ++-
 tools/flask/policy/modules/xen.if   | 5 +++--
 xen/xsm/flask/hooks.c               | 6 ++++++
 xen/xsm/flask/policy/access_vectors | 4 ++++
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
index f710ff9941..f1dcff48e2 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -35,7 +35,8 @@ allow dom0_t dom0_t:domain {
 	setvcpucontext max_vcpus setaffinity getaffinity getscheduler
 	getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
 	setdebugging hypercall settime setaddrsize getaddrsize trigger
-	getpodtarget setpodtarget set_misc_info set_virq_handler
+	getpodtarget setpodtarget getpagingmempool setpagingmempool set_misc_info
+	set_virq_handler
 };
 allow dom0_t dom0_t:domain2 {
 	set_cpu_policy gettsc settsc setscheduler set_vnumainfo
diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
index 424daab6a0..11c1562aa5 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -49,7 +49,8 @@ define(`create_domain_common', `
 	allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
 			getdomaininfo hypercall setvcpucontext getscheduler
 			getvcpuinfo getaddrsize getaffinity setaffinity
-			settime setdomainhandle getvcpucontext set_misc_info };
+			settime setdomainhandle getvcpucontext set_misc_info
+			getpagingmempool setpagingmempool };
 	allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim
 			set_vnumainfo get_vnumainfo cacheflush
 			psr_cmt_op psr_alloc soft_reset
@@ -92,7 +93,7 @@ define(`manage_domain', `
 	allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
 			getaddrsize pause unpause trigger shutdown destroy
 			setaffinity setdomainmaxmem getscheduler resume
-			setpodtarget getpodtarget };
+			setpodtarget getpodtarget getpagingmempool setpagingmempool };
     allow $1 $2:domain2 set_vnumainfo;
 ')
 
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 391aec4dc2..78225f68c1 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -822,6 +822,12 @@ static int cf_check flask_domctl(struct domain *d, int cmd)
     case XEN_DOMCTL_get_cpu_policy:
         return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__GET_CPU_POLICY);
 
+    case XEN_DOMCTL_get_paging_mempool_size:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETPAGINGMEMPOOL);
+
+    case XEN_DOMCTL_set_paging_mempool_size:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETPAGINGMEMPOOL);
+
     default:
         return avc_unknown_permission("domctl", cmd);
     }
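Review bot: Nothing near the `default:` arm says that every new XEN_DOMCTL_* needs its own case in this switch, which is how the two commands handled here were missed in 22b20bd98c02 and only caught by OSSTest. Until a case exists, the command falls through to `avc_unknown_permission("domctl", cmd)`, and whether that denies or permits presumably depends on how the loaded policy treats unknown permissions, so the gap may fail open on some configurations. I would add a comment above `default:` such as `/* Every XEN_DOMCTL_* needs an explicit case above; anything unlisted is decided by avc_unknown_permission(). */`. The split into separate get and set permissions is right, as it lets policy grant read-only access. flask_domctl() starts and ends outside this hunk, so the earlier cases were not reviewed.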
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index 6359c7fc87..4e6710a63e 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -180,6 +180,10 @@ class domain
     set_misc_info
 # XEN_DOMCTL_set_virq_handler
     set_virq_handler
+# XEN_DOMCTL_get_paging_mempool_size
+    getpagingmempool
+# XEN_DOMCTL_set_paging_mempool_size
+    setpagingmempool
 }
 
 # This is a continuation of class domain, since only 32 permissions can be
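Review bot: The two entries added before the closing brace of `class domain` consume slots in a class that the comment right after the hunk says is limited to 32 permissions, and the hunk does not show how many are already defined. It is worth confirming the class stays within that limit after this change, since an overflow would presumably mean moving the new permissions to `domain2` and changing the `SECCLASS_DOMAIN` checks in xen/xsm/flask/hooks.c to match. A short comment above the new entries, for example `# NOTE: class domain is capped at 32 permissions; count before adding here`, would help the next addition.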
--
generated by git-patchbot for /home/xen/git/xen.git#master
