[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2 12/12] x86/altp2m: XSM hooks for altp2m HVM ops



On 06/22/2015 02:56 PM, Ed White wrote:
From: Ravi Sahita <ravi.sahita@xxxxxxxxx>

Signed-off-by: Ravi Sahita <ravi.sahita@xxxxxxxxx>

One comment, below.

[...]
diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
b/tools/flask/policy/policy/modules/xen/xen.if
index f4cde11..c95109f 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -8,7 +8,7 @@
  define(`declare_domain_common', `
        allow $1 $2:grant { query setup };
        allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage 
updatemp mmuext_op };
-       allow $1 $2:hvm { getparam setparam };
+       allow $1 $2:hvm { getparam setparam altp2mhvm altp2mhvm_op };
        allow $1 $2:domain2 get_vnumainfo;
  ')

This allows any domain to enable altp2m on itself; I think you meant to
only allow altp2mhvm_op here, requiring a privileged domain to first
enable the feature on a domain before anyone can use it.

Otherwise, this looks good, although if patch #10 is changed to expose
a single subop, the altp2mhvm_op XSM checks will need to be relocated.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.