From mboxrd@z Thu Jan  1 00:00:00 1970
From: Julien Grall
Subject: Re: [PATCH v3 20/24] xen/passthrough: Extend XEN_DOMCTL_assign_device to support DT device
Date: Wed, 11 Mar 2015 12:30:15 +0000
Message-ID: <55003557.3010206@linaro.org>
References: <1421159133-31526-1-git-send-email-julien.grall@linaro.org>
 <1421159133-31526-21-git-send-email-julien.grall@linaro.org>
 <1424452643.30924.368.camel@citrix.com>
 <54EB5475.3060900@tycho.nsa.gov>
 <54FF214C.10508@linaro.org>
 <54FF7401.6070900@tycho.nsa.gov>
 <54FF793F.5050002@linaro.org>
 <54FF80A5.5060806@tycho.nsa.gov>
In-Reply-To: <54FF80A5.5060806@tycho.nsa.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
To: Daniel De Graaf, Ian Campbell
Cc: Wei Liu, Ian Jackson, tim@xen.org, stefano.stabellini@citrix.com, Jan Beulich, Machon Gregory, xen-devel@lists.xenproject.org
List-Id: xen-devel@lists.xenproject.org

Hi Daniel,

On 10/03/2015 23:39, Daniel De Graaf wrote:
> On 03/10/2015 07:07 PM, Julien Grall wrote:
>> Hi Daniel,
>>
>> On 10/03/2015 22:45, Daniel De Graaf wrote:
>>>> BTW, do you have any pointer on how to write a policy for device/IRQ
>>>> passthrough?
>>>
>>> There is a bit of documentation in xsm-flask.txt about device labeling,
>>> which is the hard part of making passthrough work. Labels can be set
>>> either statically in the security policy (as documented in the section
>>> "Device Labeling") or dynamically using a tool like flask-label-pci
>>> as documented in "Resource Policy". Once that is done, then rules to
>>> allow the passthrough operation can be added, similar to the example
>>> resource nic_dev_t in xen.te.
>>
>> I tried to follow xsm-flask.txt and uncomment one of the pirqcon lines
>> in the xsm policy.
>>
>> But I got the following error:
>>
>> policy/modules/xen/xen.te:199:ERROR 'syntax error' at token 'pirqcon'
>> on line 1986:
>> pirqcon 33 system_u:object_r:nic_dev_t
>>
>> Did I miss anything?
>
> No, this is an error in either the policy or the parser in checkpolicy.
> The parser in checkpolicy is rather inflexible, and it currently requires
> that the device labels be specified at the end of the policy.conf instead
> of in the middle (as they are now). You should add the commented out
> lines to the end of tools/flask/policy/policy/initial_sids for now; I will
> be sending a patch to move them to another file tomorrow.

It's working now. Thanks!

>>> In order to do static labeling for device passthrough, the nodes in a
>>> device tree need a 32-bit numeric identifier. IO memory uses the MFN,
>>> PCI devices use SBDF, and IRQs and x86 legacy IOs just use the number.
>>
>> Why is it restricted to an integer? Would it be possible to use a
>> string, as is done for the sid?
>
> The sid is not actually represented as a string internally: it is mapped
> into a set of integers for the user/role/type and MLS range.

I had a look at the checkpolicy code, and the ocontext can store pretty much
anything. Currently for IOMEM, two 32-bit numbers are stored to describe the
range.

AFAIU, in order to support DT devices, I will have to update checkpolicy to
add a new token (something like dtdevicecon). So I don't see why I couldn't
use a string for this purpose.

Or maybe you had in mind to reuse pcidevicecon?

Regards,

--
Julien Grall