From patchwork Mon Dec 12 14:00:05 2016
X-Patchwork-Submitter: Anshul Makkar
X-Patchwork-Id: 9470757
From: Anshul Makkar
Date: Mon, 12 Dec 2016 14:00:05 +0000
Message-ID: <1481551205-18758-1-git-send-email-anshul.makkar@citrix.com>
Cc: ian.jackson@eu.citrix.com, dgdegra@tycho.nsa.gov, wei.liu2@citrix.com, Anshul Makkar
Subject: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
List-Id: Xen developer discussion
X-BeenThere: xen-devel@lists.xen.org

During guest migrate allow permission to prevent spurious page faults.

Prevents these errors:

d73: Non-privileged (73) attempt to map I/O space 00000000
avc: denied { set_misc_info } for domid=0 target=11 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

GPU passthrough for hvm guest:

avc: denied { send_irq } for domid=0 target=10 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=hvm

Signed-off-by: Anshul Makkar
Acked-by: Daniel De Graaf
---
 tools/flask/policy/modules/xen.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
index eb646f5..1aca75d 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -49,7 +49,7 @@ define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext getscheduler getvcpuinfo getaddrsize getaffinity setaffinity - settime setdomainhandle getvcpucontext }; + settime setdomainhandle getvcpucontext set_misc_info }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_cat_op soft_reset }; 
@@ -58,7 +58,7 @@ define(`create_domain_common', ` allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp }; allow $1 $2:grant setup; allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc - setparam pcilevel trackdirtyvram nested altp2mhvm altp2mhvm_op }; + setparam pcilevel trackdirtyvram nested altp2mhvm altp2mhvm_op send_irq }; ') # create_domain(priv, target)
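Review bot: for the set_misc_info hunk (@@ -49,7 +49,7 @@), the commit message does not say which migration-time operation is checked against domain:set_misc_info, and "prevent spurious page faults" does not describe what an XSM denial causes; the quoted "d73: Non-privileged (73) attempt to map I/O space 00000000" line is a hypervisor message, not an avc denial, so a reader cannot tell from the log whether this rule change addresses it. Suggest naming the hypercall or toolstack step that triggers the denial (the avc line only shows domid=0 acting on target=11) and either dropping the I/O-space line or explaining its connection. The subject "allow relevant permission" is also vague; listing the two permissions (set_misc_info, send_irq) would make the log entry searchable.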
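Review bot: adding send_irq to the hvm rule in create_domain_common (@@ -58,7 +58,7 @@) grants it for every creator/target pair that goes through this interface, while the commit message scopes the need to "GPU passthrough for hvm guest". If the denial only arises on the passthrough path, consider whether the permission belongs in a narrower rule or interface, or state in the commit message why granting it to all created domains is acceptable; a one-line note on which operation needs send_irq (the avc line shows tclass=hvm, domid=0 on target=10) would let later policy readers judge the scope.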