On Mon, Jan 7, 2019 at 3:07 PM DeGraaf, Daniel G <dgde...@nsa.gov> wrote: > > > From: Christopher Clark <christopher.w.cl...@gmail.com> > > Subject: [PATCH v3 11/15] xsm, argo: XSM control for argo register > > > > XSM controls for argo ring registration with two distinct cases, where > > the ring being registered is: > > > > 1) Single source: registering a ring for communication to receive messages > > from a specified single other domain. > > Default policy: allow. > > > > 2) Any source: registering a ring for communication to receive messages > > from any, or all, other domains (ie. wildcard). > > Default policy: deny, with runtime policy configuration via bootparam. > > > > The existing argo-mac boot parameter indicates administrator preference for > > either permissive or strict access control, which will allow or deny > > registration of any-sender rings. > > > > This commit modifies the signature of core XSM hook functions in order to > > apply 'const' to arguments, needed in order for 'const' to be accepted in > > signature of functions that invoke them. > > > > Signed-off-by: Christopher Clark <christopher.cla...@baesystems.com> > > Acked-by: Daniel De Graaf <dgde...@tycho.nsa.gov> > > While it does not need to be a part of this patch, somewhere in the series > you should add a rule allowing these features to be used by guests in the > default XSM policy; tools/flask/policy/modules/guest_features.te is where > features like this have previously been handled. Since you're adding > permissions one at a time, you could add the rules all at once or as a part > of the patch adding the vector.
Thanks for the reviews, acks and pointer to the policy file. I will add to the default XSM policy in the next revision that I post. thanks, Christopher _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
