| Message ID | 20250107092719.26401-2-michal.orzel@amd.com |
|---|---|
| State | New |
| Series | xen/flask: Wire up missing hypercalls |
On 1/7/25 04:27, Michal Orzel wrote:
> Addition of FLASK permission for this hypercall was overlooked in the
> original patch. Fix it. The only VUART operation is initialization that
> can occur only during domain creation.
>
> Fixes: 86039f2e8c20 ("xen/arm: vpl011: Add a new domctl API to initialize vpl011")
> Signed-off-by: Michal Orzel <michal.orzel@amd.com>

Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 11c1562aa5da..ba9e91d30201 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -54,7 +54,7 @@ define(`create_domain_common', ` allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_alloc soft_reset - resource_map get_cpu_policy }; + resource_map get_cpu_policy vuart_op }; allow $1 $2:security check_context; allow $1 $2:shadow enable; allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp }; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 2b4efde6896d..5118f86cf030 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -832,6 +832,9 @@ static int cf_check flask_domctl(struct domain *d, unsigned int cmd, case XEN_DOMCTL_soft_reset: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SOFT_RESET); + case XEN_DOMCTL_vuart_op: + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__VUART_OP); + case XEN_DOMCTL_get_cpu_policy: return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__GET_CPU_POLICY); diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index a35e3d4c51e1..7cbdb7ea6408 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -251,6 +251,8 @@ class domain2 resource_map # XEN_DOMCTL_get_cpu_policy get_cpu_policy +# XEN_DOMCTL_vuart_op + vuart_op } # Similar to class domain, but primarily contains domctls related to HVM domains
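Review bot: in the xen.if hunk, vuart_op is granted only inside create_domain_common, which matches the commit message's statement that initialization during domain creation is the only VUART operation; it would help to record that scoping decision in the commit message itself, so a later reader does not mistake the absence of vuart_op from other interface macros for another overlooked permission.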
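Review bot: in the hooks.c hunk the new case keys only on cmd, so every XEN_DOMCTL_vuart_op sub-operation is gated by the single DOMAIN2__VUART_OP permission; that is adequate while initialization is the only operation, as the commit message says, but if further vuart operations are added later the check will need to distinguish them, and a short comment on the case stating that assumption would make the limit explicit. Placing the case between XEN_DOMCTL_soft_reset and XEN_DOMCTL_get_cpu_policy mirrors the order of the entries in access_vectors, which keeps the two files easy to cross-check.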
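Review bot: in the access_vectors hunk the new vuart_op entry follows the existing "# XEN_DOMCTL_... / permission" convention of class domain2, and it is the entry from which the DOMAIN2__VUART_OP constant used in hooks.c is generated, so the two hunks are consistent; since it extends class domain2, a policy built from the previous access_vectors will not contain the permission, and the commit message could mention that systems shipping a custom FLASK policy need to rebuild it before the domctl is allowed.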
Addition of FLASK permission for this hypercall was overlooked in the
original patch. Fix it. The only VUART operation is initialization that
can occur only during domain creation.

Fixes: 86039f2e8c20 ("xen/arm: vpl011: Add a new domctl API to initialize vpl011")
Signed-off-by: Michal Orzel <michal.orzel@amd.com>
---
 tools/flask/policy/modules/xen.if   | 2 +-
 xen/xsm/flask/hooks.c               | 3 +++
 xen/xsm/flask/policy/access_vectors | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)