@@ -82,7 +82,7 @@ allow dom0_t xen_t:version {
xen_changeset xen_platform_parameters xen_get_features xen_pagesize
xen_guest_handle xen_commandline
version extraversion capabilities changeset platform_parameters
- get_features pagesize guest_handle commandline
+ get_features pagesize guest_handle commandline build_id
};
allow dom0_t xen_t:mmu memorymap;
@@ -150,7 +150,7 @@ if (guest_writeconsole) {
allow domain_type xen_t:xen2 pmu_use;
# For normal guests all except XENVER_commandline, VERSION_OP_changeset,
-# and VERSION_OP_commandline
+# VERSION_OP_commandline, and VERSION_OP_build_info
allow domain_type xen_t:version {
xen_version xen_extraversion xen_compile_info xen_capabilities
xen_changeset xen_platform_parameters xen_get_features xen_pagesize
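Review bot: The updated comment names `VERSION_OP_build_info`, but the operation and permission this patch adds are `XEN_VERSION_OP_build_id` and `build_id`, so the comment refers to a name that appears nowhere else in the patch; it should read `# VERSION_OP_commandline, and VERSION_OP_build_id`. It would also help to state why the op is withheld from ordinary guests, presumably because the build-id identifies the exact hypervisor binary and so tells a guest which build the host is running. The `allow domain_type xen_t:version` block continues outside the hunk.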
@@ -390,6 +390,7 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
return -EFAULT;
return 0;
}
+
}
return -ENOSYS;
@@ -455,6 +456,13 @@ static int size_of_subops_data(unsigned int cmd, ssize_t *sz)
*sz = ARRAY_SIZE(saved_cmdline);
break;
+ case XEN_VERSION_OP_build_id:
+ {
+ const void *p;
+ rc = xen_build_id(&p, sz);
+ break;
+ }
+
default:
rc = -ENOSYS;
}
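Review bot: `xen_build_id()` is handed `sz`, which the hunk header shows to be an `ssize_t *`, but its prototype is not part of this patch. If its length parameter is a narrower or unsigned type, only part of `*sz` is written and the size reported to the caller is partly uninitialised. Please confirm the types match here and at the `xen_build_id(&ptr, &sz)` call in `version_op`, or go through a correctly typed local and assign it to `*sz`. The local `p` exists only to satisfy the signature, so a comment such as `/* Only the length is needed here; the pointer is discarded. */` would make that clear. The function body starts and ends outside the hunk.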
@@ -549,6 +557,12 @@ DO(version_op)(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg,
ptr = saved_cmdline;
break;
+ case XEN_VERSION_OP_build_id:
+ {
+ rc = xen_build_id(&ptr, &sz);
+ break;
+ }
+
default:
rc = -ENOSYS;
}
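Review bot: Whether a failing `xen_build_id()` is safe here depends on code after this switch that the hunk does not show. When no build-id is available, `ptr` and `sz` may be left unset, so the copy into the guest buffer must be skipped whenever `rc` is non-zero; if the existing path does not already bail out on `rc`, add that check before the copy. The braces around this case are also unnecessary, since unlike the matching case in `size_of_subops_data` it declares nothing.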
@@ -157,6 +157,9 @@ DEFINE_XEN_GUEST_HANDLE(xen_version_op_buf_t);
/* arg = version_op_buf */
#define XEN_VERSION_OP_commandline 9
+/* arg = version_op_buf */
+#define XEN_VERSION_OP_build_id 10
+
#endif /* __XEN_PUBLIC_VERSION_H__ */
/*
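Review bot: The new op is a public ABI entry, but its comment only repeats `arg = version_op_buf` and does not say what the buffer receives or how a caller learns the required size. The commit message says the size can be queried first so the caller can allocate, and that contract belongs in the header, e.g. `/* arg = version_op_buf; fills the buffer with the hypervisor build-id. Query the size first to allocate. */`. The comment should also name the error returned when the hypervisor was built without a build-id.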
@@ -1701,6 +1701,9 @@ static int flask_version_op (uint32_t op)
case XEN_VERSION_OP_commandline:
return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION,
VERSION__COMMANDLINE, NULL);
+ case XEN_VERSION_OP_build_id:
+ return avc_has_perm(dsid, SECINITSID_XEN, SECCLASS_VERSION,
+ VERSION__BUILD_ID, NULL);
default:
return -EPERM;
}
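Review bot: Only the FLASK hook learns about `XEN_VERSION_OP_build_id`; going by the diffstat, the patch does not touch the default, non-FLASK XSM check for `version_op`. The policy change in xen.te grants `build_id` to dom0 only, so a build without FLASK should be equally restrictive. Please confirm the default check treats the new op as privileged rather than letting it fall into whatever set of ops is open to every guest. `flask_version_op` starts and ends outside the hunk.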
@@ -544,4 +544,6 @@ class version
guest_handle
# Xen command line.
commandline
+# Build id of the hypervisor
+ build_id
}
The VERSION_OP hypercall provides the flexibility to expose the size of the build-id (so that callers can allocate a buffer of the proper size before trying to retrieve it). It also allows the hypervisor build-id to be retrieved into the provided buffer in one fell swoop. Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> --- Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov> Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> --- --- tools/flask/policy/policy/modules/xen/xen.te | 4 ++-- xen/common/kernel.c | 14 ++++++++++++++ xen/include/public/version.h | 3 +++ xen/xsm/flask/hooks.c | 3 +++ xen/xsm/flask/policy/access_vectors | 2 ++ 5 files changed, 24 insertions(+), 2 deletions(-)