Message ID | 576BBC4C02000078000F7F1F@prv-mh.provo.novell.com (mailing list archive) |
---|---|
State | New, archived |
On 06/23/2016 04:39 AM, Jan Beulich wrote: >>>> On 23.06.16 at 10:32, <JBeulich@suse.com> wrote: >>>>> On 22.06.16 at 20:24, <dgdegra@tycho.nsa.gov> wrote: >>> Either method works, and I agree allowing DM to invoke this domctl is both >>> useful and not going to introduce problems. The getdomaininfo permission >>> will also need to be added to the device_model macro in xen.if. >> >> What exactly this last sentence means I need to add I'm not sure >> about. > > Perhaps this? > > --- unstable.orig/tools/flask/policy/policy/modules/xen/xen.if > +++ unstable/tools/flask/policy/policy/modules/xen/xen.if > @@ -148,7 +148,7 @@ define(`device_model', ` > create_channel($2, $1, $2_channel) > allow $1 $2_channel:event create; > > - allow $1 $2_target:domain shutdown; > + allow $1 $2_target:domain { getdomaininfo shutdown }; > allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack }; > allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute pcilevel cacheattr send_irq }; > ') > > Jan Yes, that is what I meant.
--- unstable.orig/tools/flask/policy/policy/modules/xen/xen.if +++ unstable/tools/flask/policy/policy/modules/xen/xen.if @@ -148,7 +148,7 @@ define(`device_model', ` create_channel($2, $1, $2_channel) allow $1 $2_channel:event create; - allow $1 $2_target:domain shutdown; + allow $1 $2_target:domain { getdomaininfo shutdown }; allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack }; allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute pcilevel cacheattr send_irq }; ')
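Review bot: the widened rule on the `$2_target:domain` line (`allow $1 $2_target:domain { getdomaininfo shutdown };`) carries no comment or changelog text saying which operation needs `getdomaininfo`. The thread ties it to letting the device model invoke a domctl, so name that domctl in the commit message or in a comment above the rule. Every domain type that uses the `device_model` macro picks up the new permission, and someone auditing the policy later should be able to see why it was granted. The grant stays scoped to `$2_target`, like the neighbouring `mmu` and `hvm` rules, so no further narrowing looks necessary from the lines shown.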