Message ID | 1481551205-18758-1-git-send-email-anshul.makkar@citrix.com (mailing list archive)
---|---
State | New, archived
On 12/12/2016 09:00 AM, Anshul Makkar wrote:
> During guest migrate allow permission to prevent
> spurious page faults.
> Prevents these errors:
> d73: Non-privileged (73) attempt to map I/O space 00000000
>
> avc: denied { set_misc_info } for domid=0 target=11
> scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:domU_t tclass=domain
>
> GPU passthrough for hvm guest:
> avc: denied { send_irq } for domid=0 target=10
> scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:domU_t tclass=hvm
>
> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>

Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

On Wed, Dec 14, 2016 at 04:09:00PM -0500, Daniel De Graaf wrote:
> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
> >During guest migrate allow permission to prevent
> >spurious page faults.
> >Prevents these errors:
> >d73: Non-privileged (73) attempt to map I/O space 00000000
> >
> >avc: denied { set_misc_info } for domid=0 target=11
> >scontext=system_u:system_r:dom0_t
> >tcontext=system_u:system_r:domU_t tclass=domain
> >
> >GPU passthrough for hvm guest:
> >avc: denied { send_irq } for domid=0 target=10
> >scontext=system_u:system_r:dom0_t
> >tcontext=system_u:system_r:domU_t tclass=hvm
> >
> >Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>

Applied

On 12/14/16 3:09 PM, Daniel De Graaf wrote:
> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>> During guest migrate allow permission to prevent
>> spurious page faults.
>> Prevents these errors:
>> d73: Non-privileged (73) attempt to map I/O space 00000000
>>
>> avc: denied { set_misc_info } for domid=0 target=11
>> scontext=system_u:system_r:dom0_t
>> tcontext=system_u:system_r:domU_t tclass=domain
>>
>> GPU passthrough for hvm guest:
>> avc: denied { send_irq } for domid=0 target=10
>> scontext=system_u:system_r:dom0_t
>> tcontext=system_u:system_r:domU_t tclass=hvm
>>
>> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>

Daniel,

Should this be backported to 4.8?

On 12/19/16 10:02 AM, Doug Goldstein wrote:
> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>> During guest migrate allow permission to prevent
>>> spurious page faults.
>>> Prevents these errors:
>>> d73: Non-privileged (73) attempt to map I/O space 00000000
>>>
>>> avc: denied { set_misc_info } for domid=0 target=11
>>> scontext=system_u:system_r:dom0_t
>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>
>>> GPU passthrough for hvm guest:
>>> avc: denied { send_irq } for domid=0 target=10
>>> scontext=system_u:system_r:dom0_t
>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>
>>> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
>>
>> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>>
>
> Daniel,
>
> Should this be backported to 4.8?
>

FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?

On 20/12/2016 04:03, Doug Goldstein wrote:
> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>> During guest migrate allow permission to prevent
>>>> spurious page faults.
>>>> Prevents these errors:
>>>> d73: Non-privileged (73) attempt to map I/O space 00000000
>>>>
>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>> scontext=system_u:system_r:dom0_t
>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>
>>>> GPU passthrough for hvm guest:
>>>> avc: denied { send_irq } for domid=0 target=10
>>>> scontext=system_u:system_r:dom0_t
>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>
>>>> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
>>>
>>> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>>>
>>
>> Daniel,
>>
>> Should this be backported to 4.8?
>>
>
> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?
>

Doug, yes, will backport and test.

Anshul

On 12/20/16 3:37 AM, Anshul Makkar wrote:
> On 20/12/2016 04:03, Doug Goldstein wrote:
>> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>>> During guest migrate allow permission to prevent
>>>>> spurious page faults.
>>>>> Prevents these errors:
>>>>> d73: Non-privileged (73) attempt to map I/O space 00000000
>>>>>
>>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>>> scontext=system_u:system_r:dom0_t
>>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>>
>>>>> GPU passthrough for hvm guest:
>>>>> avc: denied { send_irq } for domid=0 target=10
>>>>> scontext=system_u:system_r:dom0_t
>>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>>
>>>>> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
>>>>
>>>> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>>>>
>>>
>>> Daniel,
>>>
>>> Should this be backported to 4.8?
>>>
>>
>> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?
>>
>
> Doug, yes, will backport and test.
>
> Anshul

CCing Jan for the backport.

>>> On 22.12.16 at 16:28, <cardoe@cardoe.com> wrote:
> On 12/20/16 3:37 AM, Anshul Makkar wrote:
>> On 20/12/2016 04:03, Doug Goldstein wrote:
>>> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>>>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>>>> During guest migrate allow permission to prevent
>>>>>> spurious page faults.
>>>>>> Prevents these errors:
>>>>>> d73: Non-privileged (73) attempt to map I/O space 00000000
>>>>>>
>>>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>>>> scontext=system_u:system_r:dom0_t
>>>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>>>
>>>>>> GPU passthrough for hvm guest:
>>>>>> avc: denied { send_irq } for domid=0 target=10
>>>>>> scontext=system_u:system_r:dom0_t
>>>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>>>
>>>>>> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
>>>>>
>>>>> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>>>>>
>>>>
>>>> Daniel,
>>>>
>>>> Should this be backported to 4.8?
>>>>
>>>
>>> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?
>>>
>>
>> Doug, yes, will backport and test.
>>
>> Anshul
>
> CCing Jan for the backport.

Well - I'll wait for the pending confirmation from Anshul (please Cc me
on that one). Or wait - this is under tools/, in which case I'd rather
leave this to Ian (so please Cc him when confirming).

Jan

On 12/19/2016 11:03 PM, Doug Goldstein wrote:
> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>> During guest migrate allow permission to prevent
>>>> spurious page faults.
>>>> Prevents these errors:
>>>> d73: Non-privileged (73) attempt to map I/O space 00000000
>>>>
>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>> scontext=system_u:system_r:dom0_t
>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>
>>>> GPU passthrough for hvm guest:
>>>> avc: denied { send_irq } for domid=0 target=10
>>>> scontext=system_u:system_r:dom0_t
>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>
>>>> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
>>>
>>> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>>>
>>
>> Daniel,
>>
>> Should this be backported to 4.8?
>>

Yes, I would consider this a candidate for backporting.

> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?

I believe this is fixed now; my email server was changed while I was gone
for the holiday and apparently the change was not tested properly.

On 03/01/17 18:20, Daniel De Graaf wrote:
> On 12/19/2016 11:03 PM, Doug Goldstein wrote:
>> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>>> During guest migrate allow permission to prevent
>>>>> spurious page faults.
>>>>> Prevents these errors:
>>>>> d73: Non-privileged (73) attempt to map I/O space 00000000
>>>>>
>>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>>> scontext=system_u:system_r:dom0_t
>>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>>
>>>>> GPU passthrough for hvm guest:
>>>>> avc: denied { send_irq } for domid=0 target=10
>>>>> scontext=system_u:system_r:dom0_t
>>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>>
>>>>> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
>>>>
>>>> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>>>>
>>>
>>> Daniel,
>>>
>>> Should this be backported to 4.8?
>>>
>
> Yes, I would consider this a candidate for backporting.
>
>> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?
>
> I believe this is fixed now; my email server was changed while I was gone
> for the holiday and apparently the change was not tested properly.
>

Please backport the patch to stable-4.8. I have tested it.

Anshul

anshul makkar writes ("Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough."):
> Please backport the patch to stable-4.8. I have tested it.
Queued.
Ian.
diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index eb646f5..1aca75d 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -49,7 +49,7 @@ define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext getscheduler getvcpuinfo getaddrsize getaffinity setaffinity - settime setdomainhandle getvcpucontext }; + settime setdomainhandle getvcpucontext set_misc_info }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_cat_op soft_reset }; @@ -58,7 +58,7 @@ define(`create_domain_common', ` allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp }; allow $1 $2:grant setup; allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc - setparam pcilevel trackdirtyvram nested altp2mhvm altp2mhvm_op }; + setparam pcilevel trackdirtyvram nested altp2mhvm altp2mhvm_op send_irq }; ') # create_domain(priv, target)
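Review bot: the first hunk (`- settime setdomainhandle getvcpucontext };` / `+ settime setdomainhandle getvcpucontext set_misc_info };`) edits `create_domain_common`, so `set_misc_info` on the `domain` class is granted to every creator role over every domain it creates, not only on the migration path the commit message describes; the commit message should say that this is a general widening of the default creator grant and name the toolstack operation during migration that triggers the `set_misc_info` check, and it should also explain how this relates to the `d73: Non-privileged (73) attempt to map I/O space 00000000` line it quotes, which is not an `avc: denied` record and is not obviously addressed by adding a FLASK permission.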
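Review bot: the second hunk (`+ setparam pcilevel trackdirtyvram nested altp2mhvm altp2mhvm_op send_irq };`) adds `send_irq` on the `hvm` class to the same shared macro, while the commit message justifies it only with GPU passthrough; since `create_domain_common` is used for every domain creation rather than only passthrough configurations, the commit message (or a comment beside the `allow $1 $2:hvm { ... }` rule) should record that `send_irq` is now part of the default creator grant and is intended to be, so that later policy review does not mistake the widened default for an accident.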
During guest migrate allow permission to prevent
spurious page faults.
Prevents these errors:
d73: Non-privileged (73) attempt to map I/O space 00000000

avc: denied { set_misc_info } for domid=0 target=11
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

GPU passthrough for hvm guest:
avc: denied { send_irq } for domid=0 target=10
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=hvm

Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
---
 tools/flask/policy/modules/xen.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)