From patchwork Thu Jul 14 14:46:12 2016
X-Patchwork-Submitter: Anshul Makkar
X-Patchwork-Id: 9229983
From: Anshul Makkar
Date: Thu, 14 Jul 2016 15:46:12 +0100
Message-ID: <1468507572-1670-1-git-send-email-anshul.makkar@citrix.com>
Cc: dgdegra@tycho.nsa.gov, ian.jackson@eu.citrix.com, Anshul Makkar
Subject: [Xen-devel] [PATCH v2] XSM-Policy: allow source domain access to setpodtarget and getpodtarget for ballooning.
List-Id: Xen developer discussion

Access to setpodtarget and getpodtarget is required by dom0 to set the balloon targets for domU. The patch gives the source domain (dom0) access to set this target for domU and resolves the following permission-denied error message during ballooning:

avc: denied { setpodtarget } for domid=0 target=9 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

Signed-off-by: Anshul Makkar
Acked-by: Daniel De Graaf
---
Changed Since V1:
* added getpodtarget.

tools/flask/policy/modules/xen.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
index 8c43c28..dbefa1e 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -83,7 +83,8 @@ define(`create_domain_build_label', ` define(`manage_domain', ` allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity getaddrsize pause unpause trigger shutdown destroy - setaffinity setdomainmaxmem getscheduler resume }; + setaffinity setdomainmaxmem getscheduler resume + setpodtarget getpodtarget }; allow $1 $2:domain2 set_vnumainfo; ')
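Review bot: the grant lands in the generic manage_domain macro (parameters $1 and $2), so every source type the policy lets manage a target gains setpodtarget and getpodtarget on that target, which is wider than the single dom0_t to domU_t pair the avc line and the description ("gives source domain (dom0) access") talk about; either say in the commit message that any managing domain is meant to get the PoD target controls, or add the two permissions to a rule scoped to the pair that actually needs them. Grouping them with setdomainmaxmem in the same list is otherwise consistent, since both adjust a target domain's memory limits; a one-line note that getpodtarget is granted so the toolstack can read the current target before adjusting it (the v2 change) would make the intent clearer than the bare "added getpodtarget" in the changelog.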
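The denial quoted above is the kind of line an operator has to turn into a policy change. The following is an added example (not part of the patch, and not Xen's or the FLASK toolchain's own code) that parses such avc denials, groups them into candidate allow rules in the way audit2allow does for SELinux, and checks which denied permissions the manage_domain permission list still lacks. The first sample line is the one from the patch description; the second sample line and the two permission sets (the list before and after this hunk) are constructed here from the hunk's contents, and the regex is an assumption about the message layout rather than a definition taken from Xen.

```python
import re

# Constructed sample log: line 1 is the denial quoted in the patch description,
# line 2 is a constructed denial for the domain2 class to show grouping by class.
SAMPLE_LOG = """\
avc: denied { setpodtarget } for domid=0 target=9 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain
avc: denied { set_vnumainfo } for domid=0 target=9 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain2
"""

# Permission list of manage_domain for the domain class, transcribed from the hunk:
# before the patch (the '-' line) and after it (the '+' lines).
MANAGE_DOMAIN_BEFORE = {
    "getdomaininfo", "getvcpuinfo", "getaffinity", "getaddrsize", "pause",
    "unpause", "trigger", "shutdown", "destroy", "setaffinity",
    "setdomainmaxmem", "getscheduler", "resume",
}
MANAGE_DOMAIN_AFTER = MANAGE_DOMAIN_BEFORE | {"setpodtarget", "getpodtarget"}

# Assumed layout of a Xen FLASK avc denial; \s+ tolerates the double spaces
# the hypervisor prints around "denied".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<detail>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the fields of one avc denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def context_type(ctx):
    """user:role:type -> type, the component policy rules are written against."""
    return ctx.split(":")[-1]


def denials_to_rules(log_text):
    """Group denials by (source type, target type, class) and emit allow rules."""
    grouped = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        grouped.setdefault(key, set()).update(d["perms"])
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


def missing_from_macro(log_text, macro_perms, tclass="domain"):
    """Denied permissions for class tclass that the macro's list does not grant."""
    missing = set()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None and d["tclass"] == tclass:
            missing |= d["perms"] - macro_perms
    return missing


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
    print("missing before patch:", sorted(missing_from_macro(SAMPLE_LOG, MANAGE_DOMAIN_BEFORE)))
    print("missing after patch: ", sorted(missing_from_macro(SAMPLE_LOG, MANAGE_DOMAIN_AFTER)))
```

The generated rules are deliberately scoped to the concrete type pair seen in the log (dom0_t to domU_t), which is the narrowest grant that clears the denial; widening it into a shared macro such as manage_domain is a separate decision to make explicitly, as the patch does.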