From: Chao Peng <chao.p.peng@linux.intel.com>
To: xen-devel@lists.xen.org
Cc: keir@xen.org, Ian.Campbell@citrix.com,
stefano.stabellini@eu.citrix.com, andrew.cooper3@citrix.com,
dario.faggioli@citrix.com, Ian.Jackson@eu.citrix.com,
will.auld@intel.com, JBeulich@suse.com, wei.liu2@citrix.com,
dgdegra@tycho.nsa.gov
Subject: [PATCH v10 08/13] xsm: add CAT related xsm policies
Date: Fri, 26 Jun 2015 16:43:42 +0800
Message-ID: <1435308227-30586-9-git-send-email-chao.p.peng@linux.intel.com>
In-Reply-To: <1435308227-30586-1-git-send-email-chao.p.peng@linux.intel.com>
Add xsm policies for Cache Allocation Technology (CAT) related hypercalls
to restrict the functions' visibility to the control domain only.
Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
tools/flask/policy/policy/modules/xen/xen.if | 2 +-
tools/flask/policy/policy/modules/xen/xen.te | 4 +++-
xen/xsm/flask/hooks.c | 6 ++++++
xen/xsm/flask/policy/access_vectors | 4 ++++
4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index f4cde11..da4c95b 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -52,7 +52,7 @@ define(`create_domain_common', `
getaffinity setaffinity setvcpuextstate };
allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
- psr_cmt_op };
+ psr_cmt_op psr_cat_op };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
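Review bot: adding psr_cat_op to the domain2 vector inside create_domain_common grants every creator domain this interface is instantiated for the right to change the cache allocation of the guests it creates; that is the intended scope, since the CBM is a per-target-domain setting and the check in flask_domctl is made against the target domain, so a grant on the xen2 class alone would not cover it.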
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 51f59c5..50aacfe 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -67,6 +67,7 @@ allow dom0_t xen_t:xen {
allow dom0_t xen_t:xen2 {
resource_op
psr_cmt_op
+ psr_cat_op
};
allow dom0_t xen_t:mmu memorymap;
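Review bot: restricting the xen2 psr_cat_op grant to dom0_t is consistent with the commit message's "control domain only" wording; no other domain type receives the socket-wide sysctl permission in this hunk, so a guest that somehow issued XEN_SYSCTL_psr_cat_op would be denied by policy rather than by code.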
@@ -80,7 +81,8 @@ allow dom0_t dom0_t:domain {
getpodtarget setpodtarget set_misc_info set_virq_handler
};
allow dom0_t dom0_t:domain2 {
- set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op
+ set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo
+ get_vnumainfo psr_cmt_op psr_cat_op
};
allow dom0_t dom0_t:resource { add remove };
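Review bot: the dom0_t-on-dom0_t domain2 grant is what allows the control domain to set its own CBM; rewrapping the existing permission list in the same hunk is harmless but hides that the substantive change is the single token psr_cat_op, so a reviewer comparing against the previous policy should diff by token rather than by line.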
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 6e37d29..317f50f 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -735,6 +735,9 @@ static int flask_domctl(struct domain *d, int cmd)
case XEN_DOMCTL_psr_cmt_op:
return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__PSR_CMT_OP);
+ case XEN_DOMCTL_psr_cat_op:
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__PSR_CAT_OP);
+
default:
printk("flask_domctl: Unknown op %d\n", cmd);
return -EPERM;
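Review bot: the new case authorises per (caller, target) pair via current_has_perm on d with SECCLASS_DOMAIN2, which is the right granularity for a per-domain CBM and mirrors the existing psr_cmt_op case; because the default branch returns -EPERM for any op not listed here, every CAT domctl sub-operation must reach the hypervisor through XEN_DOMCTL_psr_cat_op, so it is worth confirming that no get/set CBM path uses a different domctl number and thereby ends up denied under FLASK.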
@@ -794,6 +797,9 @@ static int flask_sysctl(int cmd)
case XEN_SYSCTL_psr_cmt_op:
return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
XEN2__PSR_CMT_OP, NULL);
+ case XEN_SYSCTL_psr_cat_op:
+ return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+ XEN2__PSR_CAT_OP, NULL);
default:
printk("flask_sysctl: Unknown op %d\n", cmd);
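Review bot: the sysctl check is made against SECINITSID_XEN with XEN2__PSR_CAT_OP rather than against a target domain, so this is a hypervisor-wide permission; that matches xen.te, where only dom0_t is granted it. As with the domctl hook, the -EPERM default means forgetting this case would have silently blocked the CAT sysctl once FLASK is enforcing, so adding it in the same patch as the policy entries is the correct ordering.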
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index 68284d5..e1a11b2 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -85,6 +85,8 @@ class xen2
resource_op
# XEN_SYSCTL_psr_cmt_op
psr_cmt_op
+# XEN_SYSCTL_psr_cat_op
+ psr_cat_op
}
# Classes domain and domain2 consist of operations that a domain performs on
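Review bot: the new permission is appended at the end of class xen2 instead of being inserted beside related entries, which keeps the bit positions of the existing permissions unchanged for already-built policies; the comment naming the corresponding sysctl follows the file's existing convention and makes the hooks.c mapping easy to cross-check.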
@@ -230,6 +232,8 @@ class domain2
mem_paging
# XENMEM_sharing_op
mem_sharing
+# XEN_DOMCTL_psr_cat_op
+ psr_cat_op
}
# Similar to class domain, but primarily contains domctls related to HVM domains
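Review bot: as in class xen2, psr_cat_op is appended at the end of domain2 so existing bit assignments are not shifted, and the comment correctly names XEN_DOMCTL_psr_cat_op, which is the case added to flask_domctl in this patch; the two access_vectors additions together with the two hooks.c cases and the three policy grants account for all 14 insertions in the diffstat.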
--
1.9.1