Re: [PATCH RFC] flask: move policy header sources into hypervisor

From: Dario Faggioli <dario.faggioli@citrix.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Marcus Granado <Marcus.Granado@eu.citrix.com>,
	"andre.przywara@amd.com" <andre.przywara@amd.com>,
	Ian Campbell <Ian.Campbell@citrix.com>,
	"anil@recoil.org" <anil@recoil.org>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Andrew Cooper <Andrew.Cooper3@citrix.com>,
	"juergen.gross@ts.fujitsu.com" <juergen.gross@ts.fujitsu.com>,
	Ian Jackson <Ian.Jackson@eu.citrix.com>,
	"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
	"JBeulich@suse.com" <JBeulich@suse.com>,
	"msw@amazon.com" <msw@amazon.com>,
	"Keir (Xen.org)" <keir@xen.org>
Subject: Re: [PATCH RFC] flask: move policy header sources into hypervisor
Date: Wed, 10 Oct 2012 15:39:48 +0100	[thread overview]
Message-ID: <1349879988.3610.194.camel@Abyss> (raw)
In-Reply-To: <50758038.6050009@tycho.nsa.gov>

[-- Attachment #1.1: Type: text/plain, Size: 2401 bytes --]

On Wed, 2012-10-10 at 15:03 +0100, Daniel De Graaf wrote: 
> Ah, in my distraction with fixing the autogeneration I neglected to 
> finish looking at the original patch.
>
:-)

> The XSM changes look good except
> for a missing implementation of the dummy_nodeaffinity() function in
> xen/xsm/dummy.c. However, since the implementation of xsm_nodeaffinity
> and xsm_vcpuaffinity are identical, it may be simpler to just merge them
> into a common xsm_affinity_domctl hook (as is implemented in
> xsm/flask/hooks.c) - in that case, just renaming the existing dummy hook
> will suffice.
> 
Ok, thanks. I will do that.

> A more general note on the topic of what XSM permissions to use: 
> normally, each domctl has its own permission, and so adding new domctls
> would be done by adding a new permission to the access_vectors file
> (which is the source of av_perm_to_string.h). However, for this case, it
> seems rather unlikely that one would want to allow access to vcpu
> affinity and deny node affinity, so using the same permission for both 
> accesses is the best solution.
> 
Yes, exactly.

Moreover, looking at xen/xsm/flask/include/av_permissions.h where
DOMAIN__{GET,SET}VCPUAFFINITY are, I got thee impression that there is
no more space left for DOMAIN__* permissions, as they already go from
0x00000001UL to 0x80000000UL... Is that so?

> When renaming a permission (such as getvcpuaffinity => getaffinity), the
> FLASK policy also needs to be changed - you can normally just grep for
> the permission being changed.
> 
Ok and thanks again. I will do that too...

> The dummy hook would be caught in a compilation with XSM enabled, but I
> notice that current xen-unstable will not build due to a patch being
> applied out of order (xsm/flask: add domain relabel support requires
> rcu_lock_domain_by_any_id which was added in the prior patch). Adding
> Keir to CC since he applied the patch.
> 
... As well as I will try to check for this for next round (hoping that
by that time the issue you're describing here would be fixed :-)).

Thanks a lot and Regards,
Dario

-- 
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://retis.sssup.it/people/faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel