From: Chao Peng <chao.p.peng@linux.intel.com>
To: xen-devel@lists.xen.org
Cc: keir@xen.org, Ian.Campbell@citrix.com,
stefano.stabellini@eu.citrix.com, andrew.cooper3@citrix.com,
Ian.Jackson@eu.citrix.com, will.auld@intel.com,
JBeulich@suse.com, wei.liu2@citrix.com, dgdegra@tycho.nsa.gov
Subject: [PATCH 5/6] xsm: add CAT related xsm policies
Date: Fri, 13 Mar 2015 18:13:24 +0800 [thread overview]
Message-ID: <1426241605-4114-6-git-send-email-chao.p.peng@linux.intel.com> (raw)
In-Reply-To: <1426241605-4114-1-git-send-email-chao.p.peng@linux.intel.com>
Add xsm policies for Cache Allocation Technology(CAT) related hypercalls
to restrict the functions visibility to control domain only.
Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
---
tools/flask/policy/policy/modules/xen/xen.if | 2 +-
tools/flask/policy/policy/modules/xen/xen.te | 4 +++-
xen/xsm/flask/hooks.c | 6 ++++++
xen/xsm/flask/policy/access_vectors | 6 ++++++
4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 2d32e1c..8bb081a 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -51,7 +51,7 @@ define(`create_domain_common', `
getaffinity setaffinity setvcpuextstate };
allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
- psr_cmt_op configure_domain };
+ psr_cmt_op configure_domain psr_cat_op };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index c0128aa..d431aaf 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -67,6 +67,7 @@ allow dom0_t xen_t:xen {
allow dom0_t xen_t:xen2 {
resource_op
psr_cmt_op
+ psr_cat_op
};
allow dom0_t xen_t:mmu memorymap;
@@ -80,7 +81,8 @@ allow dom0_t dom0_t:domain {
getpodtarget setpodtarget set_misc_info set_virq_handler
};
allow dom0_t dom0_t:domain2 {
- set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op
+ set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo
+ get_vnumainfo psr_cmt_op psr_cat_op
};
allow dom0_t dom0_t:resource { add remove };
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 65094bb..12a3c61 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -729,6 +729,9 @@ static int flask_domctl(struct domain *d, int cmd)
case XEN_DOMCTL_psr_cmt_op:
return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__PSR_CMT_OP);
+ case XEN_DOMCTL_psr_cat_op:
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__PSR_CAT_OP);
+
case XEN_DOMCTL_arm_configure_domain:
return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__CONFIGURE_DOMAIN);
@@ -790,6 +793,9 @@ static int flask_sysctl(int cmd)
case XEN_SYSCTL_psr_cmt_op:
return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
XEN2__PSR_CMT_OP, NULL);
+ case XEN_SYSCTL_psr_cat_op:
+ return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+ XEN2__PSR_CAT_OP, NULL);
default:
printk("flask_sysctl: Unknown op %d\n", cmd);
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index 8f44b9d..8cc1ef3 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -84,6 +84,9 @@ class xen2
resource_op
# XEN_SYSCTL_psr_cmt_op
psr_cmt_op
+# XEN_SYSCTL_psr_cat_op
+ psr_cat_op
+
}
# Classes domain and domain2 consist of operations that a domain performs on
@@ -221,6 +224,9 @@ class domain2
psr_cmt_op
# XEN_DOMCTL_configure_domain
configure_domain
+# XEN_DOMCTL_psr_cat_op
+ psr_cat_op
+
}
# Similar to class domain, but primarily contains domctls related to HVM domains
--
1.9.1
next prev parent reply other threads:[~2015-03-13 10:13 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-13 10:13 [PATCH 0/6] enable Cache Allocation Technology (CAT) for VMs Chao Peng
2015-03-13 10:13 ` [PATCH 1/6] x86: detect and initialize Intel CAT feature Chao Peng
2015-03-13 13:40 ` Konrad Rzeszutek Wilk
2015-03-13 13:43 ` Konrad Rzeszutek Wilk
2015-03-17 8:11 ` Chao Peng
2015-03-17 13:00 ` Konrad Rzeszutek Wilk
2015-03-18 8:31 ` Chao Peng
2015-03-16 13:47 ` Jan Beulich
2015-03-17 8:48 ` Chao Peng
2015-03-17 9:01 ` Jan Beulich
2015-03-13 10:13 ` [PATCH 2/6] x86: add support for COS/CBM manangement Chao Peng
2015-03-13 13:53 ` Konrad Rzeszutek Wilk
2015-03-17 8:57 ` Chao Peng
2015-03-16 17:10 ` Jan Beulich
2015-03-17 9:11 ` Chao Peng
2015-03-17 9:25 ` Jan Beulich
2015-03-17 10:06 ` Chao Peng
2015-03-13 10:13 ` [PATCH 3/6] X86: improve psr scheduling code Chao Peng
2015-03-16 16:53 ` Jan Beulich
2015-03-17 9:12 ` Chao Peng
2015-03-13 10:13 ` [PATCH 4/6] x86: add scheduling support for Intel CAT Chao Peng
2015-03-17 9:19 ` Jan Beulich
2015-03-17 9:33 ` Chao Peng
2015-03-13 10:13 ` Chao Peng [this message]
2015-03-13 16:45 ` [PATCH 5/6] xsm: add CAT related xsm policies Daniel De Graaf
2015-03-13 10:13 ` [PATCH 6/6] tools: add tools support for Intel CAT Chao Peng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1426241605-4114-6-git-send-email-chao.p.peng@linux.intel.com \
--to=chao.p.peng@linux.intel.com \
--cc=Ian.Campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=keir@xen.org \
--cc=stefano.stabellini@eu.citrix.com \
--cc=wei.liu2@citrix.com \
--cc=will.auld@intel.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.