From: Chao Peng <chao.p.peng@linux.intel.com>
To: xen-devel@lists.xen.org
Cc: keir@xen.org, Ian.Campbell@citrix.com,
	stefano.stabellini@eu.citrix.com, andrew.cooper3@citrix.com,
	dario.faggioli@citrix.com, Ian.Jackson@eu.citrix.com,
	will.auld@intel.com, JBeulich@suse.com, wei.liu2@citrix.com,
	dgdegra@tycho.nsa.gov
Subject: [PATCH v8 08/13] xsm: add CAT related xsm policies
Date: Thu, 21 May 2015 16:41:39 +0800	[thread overview]
Message-ID: <1432197704-20816-9-git-send-email-chao.p.peng@linux.intel.com> (raw)
In-Reply-To: <1432197704-20816-1-git-send-email-chao.p.peng@linux.intel.com>

Add xsm policies for Cache Allocation Technology (CAT) related hypercalls
to restrict the functions' visibility to the control domain only.

Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
Acked-by:  Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 tools/flask/policy/policy/modules/xen/xen.if | 2 +-
 tools/flask/policy/policy/modules/xen/xen.te | 4 +++-
 xen/xsm/flask/hooks.c                        | 6 ++++++
 xen/xsm/flask/policy/access_vectors          | 4 ++++
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 620d151..aa5eb72 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -51,7 +51,7 @@ define(`create_domain_common', `
 			getaffinity setaffinity setvcpuextstate };
 	allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
 			set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
-			psr_cmt_op };
+			psr_cmt_op psr_cat_op };
 	allow $1 $2:security check_context;
 	allow $1 $2:shadow enable;
 	allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index e555d11..6dcf953 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -67,6 +67,7 @@ allow dom0_t xen_t:xen {
 allow dom0_t xen_t:xen2 {
     resource_op
     psr_cmt_op
+    psr_cat_op
 };
 allow dom0_t xen_t:mmu memorymap;
 
@@ -80,7 +81,8 @@ allow dom0_t dom0_t:domain {
 	getpodtarget setpodtarget set_misc_info set_virq_handler
 };
 allow dom0_t dom0_t:domain2 {
-	set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op
+	set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo
+	get_vnumainfo psr_cmt_op psr_cat_op
 };
 allow dom0_t dom0_t:resource { add remove };
 
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 11b7453..c08d502 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -737,6 +737,9 @@ static int flask_domctl(struct domain *d, int cmd)
     case XEN_DOMCTL_psr_cmt_op:
         return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__PSR_CMT_OP);
 
+    case XEN_DOMCTL_psr_cat_op:
+        return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__PSR_CAT_OP);
+
     default:
         printk("flask_domctl: Unknown op %d\n", cmd);
         return -EPERM;
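Review bot: A single DOMAIN2__PSR_CAT_OP vector is checked for `XEN_DOMCTL_psr_cat_op` regardless of which sub-operation the domctl carries; the title of patch 06 in this series ("dynamically get/set CBM for a domain") suggests the op multiplexes both reading and writing a domain's CBM, so a domain granted the permission to query a target's allocation is also permitted to change it. This mirrors the existing psr_cmt_op case directly above, so it may be deliberate, but it is worth stating in the access_vectors domain2 entry, e.g. `# XEN_DOMCTL_psr_cat_op (covers both get and set CBM sub-ops)`, or splitting into separate get/set vectors if finer-grained policy is wanted. flask_domctl's switch begins and ends outside the hunk.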
@@ -796,6 +799,9 @@ static int flask_sysctl(int cmd)
     case XEN_SYSCTL_psr_cmt_op:
         return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
                                     XEN2__PSR_CMT_OP, NULL);
+    case XEN_SYSCTL_psr_cat_op:
+        return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+                                    XEN2__PSR_CAT_OP, NULL);
 
     default:
         printk("flask_sysctl: Unknown op %d\n", cmd);
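Review bot: The new `case XEN_SYSCTL_psr_cat_op:` is inserted directly below the `psr_cmt_op` return with no separating blank line, while the blank line before `default:` is kept; the visible cases in this switch appear to be separated by blank lines, so the result reads as if cat were part of the cmt case. Moving the blank line so it precedes `case XEN_SYSCTL_psr_cat_op:` and adding one after the new `return` keeps the layout consistent with the domctl hunk above. flask_sysctl's body continues outside the hunk on both sides.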
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index ea556df..939bb1a 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -85,6 +85,8 @@ class xen2
     resource_op
 # XEN_SYSCTL_psr_cmt_op
     psr_cmt_op
+# XEN_SYSCTL_psr_cat_op
+    psr_cat_op
 }
 
 # Classes domain and domain2 consist of operations that a domain performs on
@@ -230,6 +232,8 @@ class domain2
     mem_paging
 # XENMEM_sharing_op
     mem_sharing
+# XEN_DOMCTL_psr_cat_op
+    psr_cat_op
 }
 
 # Similar to class domain, but primarily contains domctls related to HVM domains
-- 
1.9.1
