[for-4.20,3/3] xen/flask: Wire up XEN_DOMCTL_set_llc_colors

Message ID 20250107092719.26401-4-michal.orzel@amd.com (mailing list archive)
State New
Series xen/flask: Wire up missing hypercalls

Commit Message

Michal Orzel Jan. 7, 2025, 9:27 a.m. UTC
Addition of FLASK permission for this hypercall was overlooked in the
original patch. Fix it. Setting LLC colors is only possible during domain
creation.

Fixes: 6985aa5e0c3c ("xen: extend domctl interface for cache coloring")
Signed-off-by: Michal Orzel <michal.orzel@amd.com>
---
 tools/flask/policy/modules/xen.if   | 2 +-
 xen/xsm/flask/hooks.c               | 3 +++
 xen/xsm/flask/policy/access_vectors | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)

Comments

Daniel P. Smith Jan. 8, 2025, 1:56 a.m. UTC | #1
On 1/7/25 04:27, Michal Orzel wrote:
> Addition of FLASK permission for this hypercall was overlooked in the
> original patch. Fix it. Setting LLC colors is only possible during domain
> creation.
> 
> Fixes: 6985aa5e0c3c ("xen: extend domctl interface for cache coloring")
> Signed-off-by: Michal Orzel <michal.orzel@amd.com>

Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>

Patch

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
index def60da88301..f7cf7c43c80b 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -54,7 +54,7 @@  define(`create_domain_common', `
 	allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim
 			set_vnumainfo get_vnumainfo cacheflush
 			psr_cmt_op psr_alloc soft_reset
-			resource_map get_cpu_policy vuart_op };
+			resource_map get_cpu_policy vuart_op set_llc_colors };
 	allow $1 $2:security check_context;
 	allow $1 $2:shadow enable;
 	allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
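Review bot: set_llc_colors is granted only through create_domain_common, and the hooks.c part of this patch starts checking DOMAIN2__SET_LLC_COLORS for the domctl. A policy that builds domains without going through this macro would therefore need its own allow rule for domain2 set_llc_colors. That matches the "only possible during domain creation" rationale in the commit message, but it is worth saying explicitly in the message so maintainers of custom policies know to add the permission to their domain-building types.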
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index e263e745d441..14d84df9cad6 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -847,6 +847,9 @@  static int cf_check flask_domctl(struct domain *d, unsigned int cmd,
     case XEN_DOMCTL_dt_overlay:
         return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__DT_OVERLAY);
 
+    case XEN_DOMCTL_set_llc_colors:
+        return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_LLC_COLORS);
+
     default:
         return avc_unknown_permission("domctl", cmd);
     }
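Review bot: The commit message does not say how flask_domctl treated XEN_DOMCTL_set_llc_colors before this case existed. From the context lines, the command fell through to `default:` and `return avc_unknown_permission("domctl", cmd);`. Stating that outcome next to the Fixes: tag would tell backporters what behaviour is being corrected. The new check itself is consistent with the XEN_DOMCTL_dt_overlay case directly above it (same SECCLASS_DOMAIN2 class, same target domain d).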
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index 78fe37583b18..320d77706dee 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -255,6 +255,8 @@  class domain2
     vuart_op
 # XEN_DOMCTL_dt_overlay
     dt_overlay
+# XEN_DOMCTL_set_llc_colors
+    set_llc_colors
 }
 
 # Similar to class domain, but primarily contains domctls related to HVM domains
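Review bot: The comment on the new domain2 vector names only the domctl, so the creation-only restriction stated in the commit message is not recorded anywhere in the policy sources. Consider extending it, for example `# XEN_DOMCTL_set_llc_colors (only valid during domain creation)`, so that someone reading access_vectors alone can see why xen.if grants set_llc_colors in create_domain_common and nowhere else.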