* Flask default policy mismatch vs dummy
@ 2018-10-11  8:05 Andrew Cooper
  2018-10-11 11:40 ` Jan Beulich
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Cooper @ 2018-10-11  8:05 UTC (permalink / raw)
  To: xen-devel

Hello,

Found while looking at some OSSTest logs.

Oct  9 14:03:09.579037 (XEN) avc:  denied  { setup } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t tclass=resource
Oct  9 14:03:09.590863 [    0.522193] Failed to report MMCONFIG reservation state for PCI MMCONFIG 0000 [bus 00-7f] to hypervisor (-13)

If someone has some tuits, please feel free.  If not, I'll see what I
can do when I've got some time.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
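The `avc: denied` line above has the same shape as a Linux SELinux audit record, so the usual first triage step applies: pull the permission, source type, target type and class out of it and derive the `allow` rule the policy would need before deciding whether the policy or the hook that asked the question is what is wrong. The script below is an added example, not code from this thread or from Xen; the third log line is constructed (with the permission `use`) purely to show how several denials merge into one rule.

```python
import re

# Constructed sample: the two lines quoted in the thread plus one extra
# constructed denial (perm "use") to show permission merging.
SAMPLE_LOG = """\
Oct  9 14:03:09.579037 (XEN) avc:  denied  { setup } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t tclass=resource
Oct  9 14:03:09.590863 [    0.522193] Failed to report MMCONFIG reservation state for PCI MMCONFIG 0000 [bus 00-7f] to hypervisor (-13)
Oct  9 14:03:10.000000 (XEN) avc:  denied  { use } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t tclass=resource
"""
AVC_RE = re.compile(
    r"\(XEN\) avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<extra>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc_denials(text):
    """Return one dict per Xen Flask AVC denial line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            "scontext": m.group("scontext"),
            "tcontext": m.group("tcontext"),
            "tclass": m.group("tclass"),
            "extra": m.group("extra").strip(),  # e.g. "domid=0"
        })
    return denials

def context_type(ctx):
    """user:role:type -> type, the component policy rules are written on."""
    return ctx.split(":")[-1]

def suggest_allow_rules(denials):
    """Merge denials by (source type, target type, class) and emit the allow
    rule each group would need, the way audit2allow does for SELinux."""
    merged = {}
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        perms = merged.setdefault(key, [])
        for p in d["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

The emitted rule is a starting point only: the manual step is to map the target type back to the hook that issued the query and decide whether the resource really belongs to that label, which is exactly the question the patch later in this thread answers the other way round.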


* Re: Flask default policy mismatch vs dummy
  2018-10-11  8:05 Flask default policy mismatch vs dummy Andrew Cooper
@ 2018-10-11 11:40 ` Jan Beulich
  2018-10-26 11:16   ` Ping: " Jan Beulich
  0 siblings, 1 reply; 3+ messages in thread
From: Jan Beulich @ 2018-10-11 11:40 UTC (permalink / raw)
  To: Andrew Cooper; +Cc: Daniel de Graaf, xen-devel

>>> On 11.10.18 at 10:05, <andrew.cooper3@citrix.com> wrote:
> Found while looking at some OSSTest logs.
> 
> Oct  9 14:03:09.579037 (XEN) avc:  denied  { setup } for domid=0 
> scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t 
> tclass=resource
> Oct  9 14:03:09.590863 [    0.522193] Failed to report MMCONFIG reservation 
> state for PCI MMCONFIG 0000 [bus 00-7f] to hypervisor (-13)
> 
> If someone has some tuits, please feel free.  If not, I'll see what I
> can do when I've got some time.

How about this?

Jan

flask: PHYSDEVOP_pci_mmcfg_reserved uses Dom0 context

Andrew found

(XEN) avc:  denied  { setup } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t tclass=resource
[    0.522193] Failed to report MMCONFIG reservation state for PCI MMCONFIG 0000 [bus 00-7f] to hypervisor (-13)

in some osstest log. The Xen side message made me guess that the wrong
SECINITSID_* value was used in the respective flask hook.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
Untested, solely based on looking at the code.

--- unstable.orig/xen/xsm/flask/hooks.c	2018-10-05 08:04:17.229109051 +0200
+++ unstable/xen/xsm/flask/hooks.c	2018-10-11 13:37:56.917898113 +0200
@@ -1155,7 +1155,8 @@ static int flask_resource_setup_gsi(int
 
 static int flask_resource_setup_misc(void)
 {
-    return avc_current_has_perm(SECINITSID_XEN, SECCLASS_RESOURCE, RESOURCE__SETUP, NULL);
+    return avc_current_has_perm(SECINITSID_DOM0, SECCLASS_RESOURCE,
+                                RESOURCE__SETUP, NULL);
 }
 
 static inline int flask_page_offline(uint32_t cmd)
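Review bot: the commit message should explain why SECINITSID_DOM0 is the correct target SID for flask_resource_setup_misc rather than only that SECINITSID_XEN "looked wrong". With this hunk the check becomes a query against the Dom0 initial SID, i.e. under the default policy a dom0_t self-permission on class resource, whereas the quoted denial (scontext dom0_t, tcontext xen_t, tclass resource, perm setup) could equally be resolved on the policy side with a rule of the form `allow dom0_t xen_t:resource setup;`, and the subject line's "mismatch vs dummy" does not by itself say which side is wrong. Please state which resource this hook guards and why it should be treated as Dom0's rather than the hypervisor's, and, since the patch is marked untested, confirm on the OSSTest configuration that both the `avc: denied { setup }` line and the -13 (EACCES) MMCONFIG reservation failure go away.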




* Ping: Re: Flask default policy mismatch vs dummy
  2018-10-11 11:40 ` Jan Beulich
@ 2018-10-26 11:16   ` Jan Beulich
  0 siblings, 0 replies; 3+ messages in thread
From: Jan Beulich @ 2018-10-26 11:16 UTC (permalink / raw)
  To: Daniel de Graaf; +Cc: Andrew Cooper, xen-devel

>>> On 11.10.18 at 13:40, <JBeulich@suse.com> wrote:
>>>> On 11.10.18 at 10:05, <andrew.cooper3@citrix.com> wrote:
>> Found while looking at some OSSTest logs.
>> 
>> Oct  9 14:03:09.579037 (XEN) avc:  denied  { setup } for domid=0 
>> scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t 
>> tclass=resource
>> Oct  9 14:03:09.590863 [    0.522193] Failed to report MMCONFIG reservation 
>> state for PCI MMCONFIG 0000 [bus 00-7f] to hypervisor (-13)
>> 
>> If someone has some tuits, please feel free.  If not, I'll see what I
>> can do when I've got some time.
> 
> How about this?
> 
> Jan

Daniel, do you have any thoughts here?

Thanks, Jan

> flask: PHYSDEVOP_pci_mmcfg_reserved uses Dom0 context
> 
> Andrew found
> 
> (XEN) avc:  denied  { setup } for domid=0 scontext=system_u:system_r:dom0_t 
> tcontext=system_u:system_r:xen_t tclass=resource
> [    0.522193] Failed to report MMCONFIG reservation state for PCI MMCONFIG 
> 0000 [bus 00-7f] to hypervisor (-13)
> 
> in some osstest log. The Xen side message made me guess that the wrong
> SECINITSID_* value was used in the respective flask hook.
> 
> Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> ---
> Untested, solely based on looking at the code.
> 
> --- unstable.orig/xen/xsm/flask/hooks.c	2018-10-05 08:04:17.229109051 +0200
> +++ unstable/xen/xsm/flask/hooks.c	2018-10-11 13:37:56.917898113 +0200
> @@ -1155,7 +1155,8 @@ static int flask_resource_setup_gsi(int
>  
>  static int flask_resource_setup_misc(void)
>  {
> -    return avc_current_has_perm(SECINITSID_XEN, SECCLASS_RESOURCE, 
> RESOURCE__SETUP, NULL);
> +    return avc_current_has_perm(SECINITSID_DOM0, SECCLASS_RESOURCE,
> +                                RESOURCE__SETUP, NULL);
>  }
>  
>  static inline int flask_page_offline(uint32_t cmd)
> 
> 
> 