Re: [Xen-devel] [PATCH v9.1 02/16] Rename PSR sysctl/domctl interfaces and xsm policy to make them be general

_get_l3_info -> XEN_SYSCTL_PSR_get_l3_info Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH for-next 8/9] xsm: add bodge when compiling with llvm coverage support

in production, introduce __xsm_action_mismatch_detected for llvm coverage builds. Signed-off-by: Roger Pau Monné <roger@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists

Re: [Xen-devel] [PATCH v3 2/7] xsm: flask: change the dummy xsm policy and flask hook for map_gmfn_foregin

On 10/20/2017 02:14 AM, Jan Beulich wrote: On 19.10.17 at 19:36, wrote: On 10/19/2017 07:58 AM, Jan Beulich wrote: On 19.10.17 at 04:36, wrote: --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -516,7 +516,8 @@ static XSM_INLINE int

Re: [Xen-devel] [PATCH v3 2/7] xsm: flask: change the dummy xsm policy and flask hook for map_gmfn_foregin

On 10/19/2017 08:55 PM, Zhongze Liu wrote: 2017-10-20 8:34 GMT+08:00 Zhongze Liu <blacksk...@gmail.com>: Hi Daniel, 2017-10-20 1:36 GMT+08:00 Daniel De Graaf <dgde...@tycho.nsa.gov>: On 10/18/2017 10:36 PM, Zhongze Liu wrote: The original dummy xsm_map_gmfn_foregin checks if s

Re: [Xen-devel] [PATCH v3 2/7] xsm: flask: change the dummy xsm policy and flask hook for map_gmfn_foregin

On 10/19/2017 07:58 AM, Jan Beulich wrote: On 19.10.17 at 04:36, wrote: --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -516,7 +516,8 @@ static XSM_INLINE int xsm_remove_from_physmap(XSM_DEFAULT_ARG struct domain *d1, static XSM_INLINE int

Re: [Xen-devel] [PATCH v3 2/7] xsm: flask: change the dummy xsm policy and flask hook for map_gmfn_foregin

domains that allow grant mapping/event channels. This is for the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <blacksk...@gmail.com> Cc:

Re: [Xen-devel] [PATCH v12 05/11] x86/mm: add HYPERVISOR_memory_op to acquire guest resources

the new op is not intrinsicly specific to the x86 architecture, I have no means to test it on an ARM platform and so cannot verify that it functions correctly. Signed-off-by: Paul Durrant <paul.durr...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tych

Re: [Xen-devel] [PATCH v7 02/16] Rename PSR sysctl/domctl interfaces and xsm policy to make them be general

_get_l3_info -> XEN_SYSCTL_PSR_get_l3_info Signed-off-by: Yi Sun <yi.y@linux.intel.com> Reviewed-by: Wei Liu <wei.l...@citrix.com> Reviewed-by: Roger Pau Monné <roger@citrix.com> Acked-by: Jan Beulich <jbeul...@suse.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> __

Re: [Xen-devel] [PATCH v6 04/12] xen: add new domctl hypercall to set grant table resource limits

jgr...@suse.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v4 6/8] xen: add new domctl hypercall to set grant table resource limits

On 09/07/2017 09:47 AM, Juergen Gross wrote: Add a domctl hypercall to set the domain's resource limits regarding grant tables. It is accepted only as long as neither gnttab_setup_table() has been called for the domain, nor the domain has started to run. Signed-off-by: Juergen Gross

Re: [Xen-devel] [PATCH v4 6/8] xen: add new domctl hypercall to set grant table resource limits

jgr...@suse.com> Reviewed-by: Paul Durrant <paul.durr...@citrix.com> Reviewed-by: Wei Liu <wei.l...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 4/6] xsm: flask: change the interface and default policy for xsm_map_gmfn_foregin

On 08/24/2017 08:39 AM, Jan Beulich wrote: On 24.08.17 at 13:33, wrote: Hi Jan, 2017-08-24 14:37 GMT+08:00 Jan Beulich : On 24.08.17 at 02:51, wrote: 2017-08-23 17:55 GMT+08:00 Jan Beulich : On 22.08.17 at

Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping

use the new primitives, with policy entries that do not require an active IOMMU. Signed-off-by: Christopher Clark <christopher.cla...@baesystems.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> To be honest, for this kind of a change I would have hoped for a Reviewed-by (by you o

Re: [Xen-devel] [PATCH 4/6] xsm: flask: change the interface and default policy for xsm_map_gmfn_foregin

; Cc: Jan Beulich <jbeul...@suse.com> Cc: Andrew Cooper <andrew.coop...@citrix.com> Cc: Daniel De Graaf <dgde...@tycho.nsa.gov> Cc: xen-devel@lists.xen.org --- xen/arch/arm/mm.c | 2 +- xen/arch/x86/mm/p2m.c | 2 +- xen/include/xsm/dummy.h | 6 -- xen/include/xsm/xs

Re: [Xen-devel] [PATCH] xsm: policy hooks to require an IOMMU and interrupt remapping

<christopher.cla...@baesystems.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> One additional note: if this type of permission expansion needs to be applied to more permissions based on hypervisor settings, it may be useful to look at other solutions (such as policy booleans) to im

Re: [Xen-devel] [PATCH v3] passthrough: give XEN_DOMCTL_test_assign_device more sane semantics

to a particular domain. Drop XSM's test_assign_{,dt}device hooks as no longer being individually useful. Signed-off-by: Jan Beulich <jbeul...@suse.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.x

Re: [Xen-devel] [PATCH v1 02/13] Rename PSR sysctl/domctl interfaces and xsm policy to make them be general

'. E.g.: 1. psr_cat_op -> psr_alloc_op 2. XEN_DOMCTL_psr_cat_op -> XEN_DOMCTL_psr_alloc_op 3. XEN_SYSCTL_psr_cat_op -> XEN_SYSCTL_psr_alloc_op The sysctl/domctl version numbers are bumped. Signed-off-by: Yi Sun <yi.y@linux.intel.com> Acked-by: Daniel De Graaf <dgd

Re: [Xen-devel] [PATCH v2 48/52] xen: add hypercall for setting parameters at runtime

On 08/14/2017 03:08 AM, Juergen Gross wrote: Add a sysctl hypercall to support setting parameters similar to command line parameters, but at runtime. The parameters to set are specified as a string, just like the boot parameters. Acked-by: Daniel De Graaf <dgde...@tycho.nsa.

Re: [Xen-devel] [PATCH v2 38/52] xen/xsm/flask/flask_op.c: let custom parameter parsing routines return errno

On 08/14/2017 03:08 AM, Juergen Gross wrote: Modify the custom parameter parsing routines in: xen/xsm/flask/flask_op.c to indicate whether the parameter value was parsed successfully. Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen

Re: [Xen-devel] [PATCH 2/4] xen/flask: Switch to using bool

On 06/28/2017 07:16 AM, Andrew Cooper wrote: Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm/flask: Fix build following "xsm: correct AVC lookups for two sysctls"

Thanks for catching this! Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

[Xen-devel] [PATCH] xsm: correct AVC lookups for two sysctls

result in a security issue there. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> --- xen/xsm/flask/hooks.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 819e25d3af..57be18d6d4 100644 --- a/xen/xsm/flask/h

Re: [Xen-devel] [PATCH 48/52] xen: add hypercall for setting parameters at runtime

On 08/09/2017 03:07 AM, Juergen Gross wrote: Add a sysctl hypercall to support setting parameters similar to command line parameters, but at runtime. The parameters to set are specified as a string, just like the boot parameters. Looks good, except for one thing: +case

Re: [Xen-devel] [PATCH 38/52] xen/xsm/flask/flask_op.c: let custom parameter parsing routines return errno

On 08/09/2017 03:06 AM, Juergen Gross wrote: Modify the custom parameter parsing routines in: xen/xsm/flask/flask_op.c to indicate whether the parameter value was parsed successfully. Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen

Re: [Xen-devel] [PATCH v2] passthrough: give XEN_DOMCTL_test_assign_device more sane semantics

On 06/23/2017 11:00 AM, Jan Beulich wrote: So far callers of the libxc interface passed in a domain ID which was then ignored in the hypervisor. Instead, make the hypervisor honor it (accepting DOMID_INVALID to obtain original behavior), allowing to query whether a device can be assigned to a

Re: [Xen-devel] [PATCH] passthrough: give XEN_DOMCTL_test_assign_device more sane semantics

o{port,mem,q}_permission functions too. Alternatively, you could assume that the PCI device and its associated resources all have the same label (which will be almost always be true in a properly configured system) and just use this as an early bail out to avoid user mistakes. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH for-4.9] xsm: fix clang 3.5 build after c47d1d

s long as it's done on occasional builds. Alternatively, it could be done by a static analysis tool, but I've not looked into how to do that with Coverity. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org

Re: [Xen-devel] [PATCH for-4.9 v3 1/3] xsm: fix clang 3.5 build after c47d1d

functionality. Signed-off-by: Roger Pau Monné <roger@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v6] altp2m: Introduce external-only and limited use-cases

-by: Tamas K Lengyel <tamas.leng...@zentific.com> Signed-off-by: Sergej Proskurin <prosku...@sec.in.tum.de> Acked-by: Wei Liu <wei.l...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-d

Re: [Xen-devel] [PATCH v5] altp2m: Allow specifying external-only use-case

enabling XSM effectively forces the value of this setting to "mixed", and "limited" is impossible to use with XSM. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 2/2] build/clang: fix XSM dummy policy when using clang 4.0

This also fixes the behavior of do_xenpmu_op, which will now return -EINVAL for unknown XENPMU_* operations, instead of -EPERM when called by a privileged domain. Signed-off-by: Roger Pau Monné <roger@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> This also looks like

Re: [Xen-devel] [PATCH] flask: fix build after the introduction of DMOP

On 01/25/2017 05:43 AM, Wei Liu wrote: In 58cbc034 send_irq permission was removed but there was still reference to it in policy file. Remove the stale reference. And now we also need dm permission. Add that. Signed-off-by: Wei Liu <wei.l...@citrix.com> Acked-by: Daniel De Graaf

Re: [Xen-devel] [PATCH] [incremental] xsm/build: Further build fixes following the DMop series

On 01/25/2017 09:24 AM, Andrew Cooper wrote: Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com> --- CC: Jan Beulich <jbeul...@suse.com> CC: Daniel De Graaf <dgde...@tycho.nsa.gov> CC: Paul Durrant <paul.durr...@citrix.com> CC: Ian Jackson <ian.jack...@eu.c

Re: [Xen-devel] [PATCH v4 3/8] dm_op: convert HVMOP_track_dirty_vram

. In practice the value passed was always truncated to 32 bits. Suggested-by: Jan Beulich <jbeul...@suse.com> Signed-off-by: Paul Durrant <paul.durr...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-deve

Re: [Xen-devel] [PATCH v4 7/8] dm_op: convert HVMOP_inject_trap and HVMOP_inject_msi

<jbeul...@suse.com> Signed-off-by: Paul Durrant <paul.durr...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v4 6/8] dm_op: convert HVMOP_set_mem_type

was always truncated to 32 bits. Suggested-by: Jan Beulich <jbeul...@suse.com> Signed-off-by: Paul Durrant <paul.durr...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org htt

Re: [Xen-devel] [PATCH v4 5/8] dm_op: convert HVMOP_modified_memory

. Suggested-by: Jan Beulich <jbeul...@suse.com> Signed-off-by: Paul Durrant <paul.durr...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v4 4/8] dm_op: convert HVMOP_set_pci_intx_level, HVMOP_set_isa_irq_level, and...

Jan Beulich <jbeul...@suse.com> Cc: Daniel De Graaf <dgde...@tycho.nsa.gov> Cc: Ian Jackson <ian.jack...@eu.citrix.com> Acked-by: Wei Liu <wei.l...@citrix.com> Cc: Andrew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov>

Re: [Xen-devel] [PATCH v4 2/8] dm_op: convert HVMOP_*ioreq_server*

On 01/17/2017 12:29 PM, Paul Durrant wrote: The definitions of HVM_IOREQSRV_BUFIOREQ_* have to persist as they are already in use by callers of the libxc interface. Suggested-by: Jan Beulich <jbeul...@suse.com> Signed-off-by: Paul Durrant <paul.durr...@citrix.com> Acked-by: Dan

Re: [Xen-devel] [PATCH v4 1/8] public / x86: Introduce __HYPERCALL_dm_op...

nnifer.herb...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

On 12/19/2016 11:03 PM, Doug Goldstein wrote: On 12/19/16 10:02 AM, Doug Goldstein wrote: On 12/14/16 3:09 PM, Daniel De Graaf wrote: On 12/12/2016 09:00 AM, Anshul Makkar wrote: During guest migrate allow permission to prevent spurious page faults. Prevents these errors: d73: Non-privileged

Re: [Xen-devel] [PATCH v6 01/12] domctl: Add XEN_DOMCTL_acpi_access

On 01/03/2017 09:04 AM, Boris Ostrovsky wrote: This domctl will allow toolstack to read and write some ACPI registers. It will be available to both x86 and ARM but will be implemented first only for x86 Signed-off-by: Boris Ostrovsky <boris.ostrov...@oracle.com> Acked-by: Daniel De

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

=system_u:system_r:domU_t tclass=domain GPU passthrough for hvm guest: avc: denied { send_irq } for domid=0 target=10 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=hvm Signed-off-by: Anshul Makkar <anshul.mak...@citrix.com> Acked-by: Daniel De Graaf

Re: [Xen-devel] [PATCH 07/11] docs: move vtpm from misc to man

ook correct, though I have not compiled & looked at the resulting manpages. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] Fix misleading indentation warnings

On 11/10/2016 04:23 AM, Cédric Bosdonnat wrote: Gcc6 build reports misleading indentation as warnings. Fix a few warnings in stubdom. Signed-off-by: Cédric Bosdonnat <cbosdon...@suse.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___

Re: [Xen-devel] [PATCH 01/10] x86/domctl: Add XEN_DOMCTL_set_avail_vcpus

<boris.ostrov...@oracle.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

[Xen-devel] [PATCH] xsm: add missing permissions discovered in testing

(which results in an XSM check with the source xen_t). It does not make sense to deny these permissions; no domain should be using xen_t, and forbidding the hypervisor from performing cleanup is not useful. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Cc: Andrew Cooper <an

Re: [Xen-devel] [PATCH for-4.8] flask: build policy in different locations

output file names with FLASK_BUILD_DIR. Hypervisor and tools build will set that variable to different directories, so that we can be safe from races. Adjust other bits of the build system as needed. Signed-off-by: Wei Liu <wei.l...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tych

Re: [Xen-devel] [PATCH] flask: add gcov_op check

On 10/13/2016 10:37 AM, Wei Liu wrote: Signed-off-by: Wei Liu <wei.l...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] XSM: drop pointless uses of __FUNCTION__

On 08/24/2016 04:06 AM, Jan Beulich wrote: Non-debugging message text should be (and is in the cases here) distinguishable without also logging function names. Signed-off-by: Jan Beulich <jbeul...@suse.com> Acked-by: Daniel De Graaf <dgde...@tych

Re: [Xen-devel] [PATCH v3 36/38] altp2m: Allow specifying external-only use-case

t more clear that it is required for all ops. Signed-off-by: Tamas K Lengyel <tamas.leng...@zentific.com> Signed-off-by: Sergej Proskurin <prosku...@sec.in.tum.de> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-deve

Re: [Xen-devel] [PATCH v2] domctl: relax getdomaininfo permissions

). This at once avoids a for_each_domain() loop when the ID of an existing domain gets passed in. Reported-by: Marek Marczykowski-Górecki <marma...@invisiblethingslab.com> Signed-off-by: Jan Beulich <jbeul...@suse.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> [...] I

Re: [Xen-devel] [PATCH v2 2/2] x86/altp2m: allow specifying external-only use-case

at it's clearer what the XSM check is inspecting to determine what to do, especially in this case where it changes what permissions are actually being enforced (in the non-FLASK case). -- Daniel De Graaf National Security Agency ___ Xen-devel mailing

Re: [Xen-devel] [PATCH] xsm: don't require configuring tools to build xen xsm blob

r Makefile will use Makefile.common to build xsm policy. Signed-off-by: Wei Liu <wei.l...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Thanks for fixing this; I intended the build to remain separate but never actually de-configured a build tree to test. Using git-se

Re: [Xen-devel] [PATCH] XSM-docs: Flask operates on domain types and not on individual domain. Updated the documentation to reflect this.

er changes, I agree Doug's rewording is a bit clearer than the original. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

[Xen-devel] [PATCH v6 2/2] xsm: add a default policy to .init.data

-in policy. The XSM policy is not moved out of tools because that remains the primary location for installing and configuring the policy. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com> Reviewed-by: Jan Beulich <jb

[Xen-devel] [PATCH v6 1/2] xsm: rework policy_buffer globals

This makes the buffers function parameters instead of globals, in preparation for adding alternate locations for the policy. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Reviewed-by: Jan Beulich <jbeul...@suse.com> --- Changes since v5: - Adjusted __init annotati

Re: [Xen-devel] [PATCH] XSM-Policy: allow source domain access to setpodtarget for ballooning.

Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.

On 07/06/2016 12:19 PM, anshul makkar wrote: On 06/07/16 16:59, Daniel De Graaf wrote: On 07/06/2016 11:34 AM, anshul makkar wrote: Hi, It allows the resource to be added and removed by the source domain to target domain, but its use by target domain is blocked. This rule only mandates

[Xen-devel] [PATCH v5 1/2] xsm: rework policy_buffer globals

This makes the buffers function parameters instead of globals, in preparation for adding alternate locations for the policy. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> --- This patch is new in v5. xen/include/xsm/xsm.h| 13 ++--- xen/xsm/flask/h

[Xen-devel] [PATCH v5 2/2] xsm: add a default policy to .init.data

-in policy. The XSM policy is not moved out of tools because that remains the primary location for installing and configuring the policy. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com> --- Changes since v4: - Fixed

Re: [Xen-devel] [PATCH] XSM/policy: Allow the source domain access to settime and setdomainhandle domctls while creating domain.

dom0_t tcontext=system_u:system_r:domU_t tclass=domain avc: denied { settime } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain Signed-off-by: Anshul Makkar <anshul.mak...@citrix.com> Acked-by: Daniel De Graaf <dgde..

Re: [Xen-devel] [PATCH v4] xsm: add a default policy to .init.data

passed to xfree() below (only in ARM); the cast would only be moved. The buffer is never modified, if that's what you are asking. The reason that xsm_init_policy is unsigned is to avoid compiler warnings resulting from assigning values such as 0xF3 to a signed character. -- Daniel De Graaf National

Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.

n't affect the basic functionalities, is this "neverallow" rule needed ? Thanks Anshul Makkar The neverallow rules are just there to ensure that the attributes are being used correctly. -- Daniel De Graaf National Security Agency ___ Xe

Re: [Xen-devel] [PATCH v2 10/11] hvmctl: convert HVMOP_*ioreq_server*

gt; Reviewed-by: Paul Durrant <paul.durr...@citrix.com> Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v2 09/11] hvmctl: convert HVMOP_inject_msi

On 06/24/2016 06:33 AM, Jan Beulich wrote: Signed-off-by: Jan Beulich <jbeul...@suse.com> Reviewed-by: Wei Liu <wei.l...@citrix.com> Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___

Re: [Xen-devel] [PATCH v2 08/11] hvmctl: convert HVMOP_inject_trap

On 06/24/2016 06:32 AM, Jan Beulich wrote: Signed-off-by: Jan Beulich <jbeul...@suse.com> Reviewed-by: Wei Liu <wei.l...@citrix.com> Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___

Re: [Xen-devel] [PATCH v2 07/11] hvmctl: convert HVMOP_set_mem_type

an Beulich <jbeul...@suse.com> Reviewed-by: Wei Liu <wei.l...@citrix.com> Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v2 06/11] hvmctl: convert HVMOP_modified_memory

ew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v2 05/11] hvmctl: convert HVMOP_track_dirty_vram

ew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v2 04/11] hvmctl: convert HVMOP_set_pci_link_route

com> Reviewed-by: Wei Liu <wei.l...@citrix.com> Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v2 03/11] hvmctl: convert HVMOP_set_isa_irq_level

com> Reviewed-by: Wei Liu <wei.l...@citrix.com> Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v2 01/11] public / x86: introduce hvmctl hypercall

d-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v2 2/5] xen/console: allow log level threshold adjustments

nsform from log level numbers to strings and vice verse. Lower and upper bounds are checked. Add XSM hook. Signed-off-by: Wei Liu <wei.l...@citrix.com> Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> ___ Xen-devel mailing list Xen-devel@l

[Xen-devel] [PATCH v4] xsm: add a default policy to .init.data

-in policy. The XSM policy is not moved out of tools because that remains the primary location for installing and configuring the policy. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> --- Changes from v3: - Make default Kconfig value depend on the presence of checkpolicy - Use

Re: [Xen-devel] [PATCH v3] xsm: add a default policy to .init.data

On 06/30/2016 09:45 AM, Konrad Rzeszutek Wilk wrote: On Wed, Jun 29, 2016 at 11:09:01AM -0400, Daniel De Graaf wrote: This adds a Kconfig option and support for including the XSM policy from tools/flask/policy in the hypervisor so that the bootloader does not need to provide a policy to get

Re: [Xen-devel] FW: vTPM detaching issue

bility to remove a vTPM without destroying the client domain (or the driver domain), so I don't think this ever got tested. I am guessing that the minios and/or Linux driver is missing a state change step. -- Daniel De Graaf National Security Agency ___ Xen

[Xen-devel] [PATCH v3] xsm: add a default policy to .init.data

-in policy. The XSM policy is not moved out of tools because that remains the primary location for installing and configuring the policy. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> --- Changes from v2 (dropped acks and reviewed-by): - Drop linker script changes, use python binar

Re: [Xen-devel] [xen-unstable test] 96330: regressions - trouble: blocked/broken/fail/pass

t answer. That's fine; I am planning on sending a v3 of this patch that drops the use of objcopy for a python script converting the policy to an array in a .c file. This also eliminates the linker script changes. -- Daniel De Graaf National Security Agency ___

Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data

of a problem. This would change if XSM were to be enabled by default, because I would then expect "xsm enabled, flask disabled" to become a more common case - and that does not require a policy. -- Daniel De Graaf National Security Agency ___

Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data

On 06/24/2016 01:40 PM, Konrad Rzeszutek Wilk wrote: On Fri, Jun 24, 2016 at 01:34:29PM -0400, Daniel De Graaf wrote: On 06/24/2016 12:50 PM, Konrad Rzeszutek Wilk wrote: On Fri, Jun 24, 2016 at 05:30:32PM +0100, Julien Grall wrote: Hello Daniel, Please try to CC relevant maintainers on your

Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data

On 06/24/2016 12:50 PM, Konrad Rzeszutek Wilk wrote: On Fri, Jun 24, 2016 at 05:30:32PM +0100, Julien Grall wrote: Hello Daniel, Please try to CC relevant maintainers on your patch. I would have missed it if Andrew did not ping me on IRC. On 20/06/16 15:04, Daniel De Graaf wrote: This adds

Re: [Xen-devel] PCI passthrough for HVM with stubdomain broken by "tools/libxl: handle the iomem parameter with the memory_mapping hcall"

On 06/23/2016 11:22 AM, Marek Marczykowski-Górecki wrote: On Thu, Jun 23, 2016 at 11:00:42AM -0400, Daniel De Graaf wrote: On 06/23/2016 09:25 AM, Marek Marczykowski-Górecki wrote: [...] Ok, after drawing a flowchart of the control in this function after your change, on a piece of paper

Re: [Xen-devel] PCI passthrough for HVM with stubdomain broken by "tools/libxl: handle the iomem parameter with the memory_mapping hcall"

t_action(XSM_DM_PRIV, current->domain, d); This makes it clear that xenstore is the special case, and removes the need for the one-off XSM_XS_PRIV constant. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel

Re: [Xen-devel] PCI passthrough for HVM with stubdomain broken by "tools/libxl: handle the iomem parameter with the memory_mapping hcall"

target_hack }; allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute pcilevel cacheattr send_irq }; ') Jan Yes, that is what I meant. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@l

Re: [Xen-devel] PCI passthrough for HVM with stubdomain broken by "tools/libxl: handle the iomem parameter with the memory_mapping hcall"

etdomaininfo permission will also need to be added to the device_model macro in xen.if. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel

[Xen-devel] [PATCH 13/17 v3] xen: move FLASK entry under XSM in Kconfig

Since enabling XSM is required to enable FLASK, place the option for FLASK below the one for XSM. In addition, since it does not make sense to enable XSM without any XSM providers, and FLASK is the only XSM provider, hide the option to disable FLASK under EXPERT. Signed-off-by: Daniel De Graaf

Re: [Xen-devel] [PATCH 13/17] xen: move FLASK entry under XSM in Kconfig

On 06/20/2016 10:46 AM, Doug Goldstein wrote: On 6/20/16 9:04 AM, Daniel De Graaf wrote: Since enabling XSM is required to enable FLASK, place the option for FLASK below the one for XSM. In addition, since it does not make sense to enable XSM without any XSM providers, and FLASK is the only

Re: [Xen-devel] [PATCH 10/17] flask: remove xen_flask_userlist operation

On 06/20/2016 10:35 AM, Doug Goldstein wrote: On 6/20/16 9:04 AM, Daniel De Graaf wrote: This operation has no known users, and is primarily useful when an MLS policy is in use (which has never been shipped with Xen). In addition, the information it provides does not actually depend

Re: [Xen-devel] [PATCH 07/17] flask: unify {get, set}vcpucontext permissions

On 06/20/2016 10:35 AM, Andrew Cooper wrote: On 20/06/16 15:27, Doug Goldstein wrote: On 6/20/16 9:04 AM, Daniel De Graaf wrote: These permissions were initially split because they were in separate domctls, but this split is very unlikely to actually provide security benefits: it would require

Re: [Xen-devel] [PATCH 02/11] hvmctl: convert HVMOP_set_pci_intx_level

refers to an overall check in the HVM operation hypercall, which does not exist. There is no reason to have an operation protected by two different access checks, so I think that both the previous and patched code are correct and the "also needs hvmctl" comment should be removed. With t

[Xen-devel] [PATCH 05/17] flask/policy: xenstore stubdom policy

This adds the xenstore_t type to the example policy for use by a xenstore stub domain; see the init-xenstore-domain tool for how this type needs to be used. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com> Revie

[Xen-devel] [PATCH 02/17] flask/policy: split out rules for system_r

When the all_system_role module is enabled, any domain type can be created using the system_r role, which was the default. When it is disabled, domains not using the default types (dom0_t and domU_t) must use another role such as vm_r. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.

[Xen-devel] [PATCH 07/17] flask: unify {get, set}vcpucontext permissions

accessing another type. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com> --- tools/flask/policy/modules/dom0.te | 1 - tools/flask/policy/modules/xen.if | 7 +++ xen/xsm/flask/hooks.c

[Xen-devel] [PATCH 12/17] xen/xsm: remove .xsm_initcall.init section

, and that can be placed in xsm_core.c. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> --- xen/arch/arm/xen.lds.S | 5 - xen/arch/x86/xen.lds.S | 5 - xen/include/xsm/xsm.h | 16 xen/xsm/flask/hooks.c | 4 +--- xen/xsm/xsm_core.c | 13 + 5

[Xen-devel] [PATCH 06/17] flask/policy: remove unused example

The access vectors defined here have never been used by xenstore. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com> Reviewed-by: Doug Goldstein <car...@cardoe.com> --- tools/flask/policy/policy/acc

[Xen-devel] [PATCH 15/17] xsm: clean up unregistration

The only possible value of original_ops was _xsm_ops, and unregister_xsm was never used. Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com> --- xen/include

[Xen-devel] [PATCH 04/17] flask/policy: remove unused support for binary modules

Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov> Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com> Reviewed-by: Doug Goldstein <car...@cardoe.com> --- .../policy/policy/support/loadable_module.spt | 166 - tools/flask/policy/policy/suppo

[Xen-devel] [PATCH v2 00/17] XSM/FLASK updates for 4.8

Changes from v1: - Change c->context and c->sid from arrays to fields when shrinking - Keep struct xen_flask_userlist in headers, but guard it with #ifs - Split off Kconfig changes into their own patches - Add patch 16 (AVC_STATS in Kconfig) - Prevent free() of static data in xsm_dt_init

[Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data

-in policy. Enabling this option only builds the policy if checkpolicy is available during compilation of the hypervisor; otherwise, it does nothing. The XSM policy is not moved out of tools because that remains the primary location for installing and configuring the policy. Signed-off-by: Daniel De

  1   2   3   4   >