altp2m: XSM hooks for altp2m HVM ops

Daniel De Graaf Fri, 26 Jun 2015 12:26:02 -0700

On 06/22/2015 02:56 PM, Ed White wrote:

From: Ravi Sahita <ravi.sah...@intel.com>


Signed-off-by: Ravi Sahita <ravi.sah...@intel.com>


One comment, below.

[...]

diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
b/tools/flask/policy/policy/modules/xen/xen.if
index f4cde11..c95109f 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -8,7 +8,7 @@
  define(`declare_domain_common', `
        allow $1 $2:grant { query setup };
        allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage 
updatemp mmuext_op };
-       allow $1 $2:hvm { getparam setparam };
+       allow $1 $2:hvm { getparam setparam altp2mhvm altp2mhvm_op };
        allow $1 $2:domain2 get_vnumainfo;
  ')


This allows any domain to enable altp2m on itself; I think you meant to
only allow altp2mhvm_op here, requiring a privileged domain to first
enable the feature on a domain before anyone can use it.

Otherwise, this looks good, although if patch #10 is changed to expose
a single subop, the altp2mhvm_op XSM checks will need to be relocated.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v2 12/12] x86/altp2m: XSM hooks for altp2m HVM ops

Reply via email to