Re: [Xen-devel] [PATCH] flask: add gcov_op check
On 10/13/2016 10:37 AM, Wei Liu wrote:
> Signed-off-by: Wei Liu

Acked-by: Daniel De Graaf

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] flask: add gcov_op check
On Thu, Oct 13, 2016 at 03:37:13PM +0100, Wei Liu wrote: > Signed-off-by: Wei Liu> --- > Cc: Daniel De Graaf > Cc: Konrad Rzeszutek Wilk Reviewed-by: Konrad Rzeszutek Wilk > --- > tools/flask/policy/modules/dom0.te | 2 +- > xen/xsm/flask/hooks.c | 3 +++ > xen/xsm/flask/policy/access_vectors | 2 ++ > 3 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/tools/flask/policy/modules/dom0.te > b/tools/flask/policy/modules/dom0.te > index 2d982d9..54c3572 100644 > --- a/tools/flask/policy/modules/dom0.te > +++ b/tools/flask/policy/modules/dom0.te > @@ -15,7 +15,7 @@ allow dom0_t xen_t:xen { > }; > allow dom0_t xen_t:xen2 { > resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol > - get_cpu_levelling_caps get_cpu_featureset livepatch_op > + get_cpu_levelling_caps get_cpu_featureset livepatch_op gcov_op > }; > > # Allow dom0 to use all XENVER_ subops that have checks. > diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c > index 177c11f..040a251 100644 > --- a/xen/xsm/flask/hooks.c > +++ b/xen/xsm/flask/hooks.c > @@ -822,6 +822,9 @@ static int flask_sysctl(int cmd) > case XEN_SYSCTL_livepatch_op: > return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, > XEN2__LIVEPATCH_OP, NULL); > +case XEN_SYSCTL_gcov_op: > +return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, > +XEN2__GCOV_OP, NULL); > > default: > return avc_unknown_permission("sysctl", cmd); > diff --git a/xen/xsm/flask/policy/access_vectors > b/xen/xsm/flask/policy/access_vectors > index 49c9a9e..92e6da9 100644 > --- a/xen/xsm/flask/policy/access_vectors > +++ b/xen/xsm/flask/policy/access_vectors > @@ -99,6 +99,8 @@ class xen2 > get_cpu_featureset > # XEN_SYSCTL_livepatch_op > livepatch_op > +# XEN_SYSCTL_gcov_op > +gcov_op > } > > # Classes domain and domain2 consist of operations that a domain performs on > -- > 2.1.4 > ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
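Review bot: in the tools/flask/policy/modules/dom0.te hunk, dom0_t is the only type given gcov_op on xen_t:xen2, so any policy that lets another type issue this sysctl will need its own allow rule once the hooks.c check is in place. A short comment beside the rule saying that gcov_op covers XEN_SYSCTL_gcov_op, as the access_vectors hunk does with "# XEN_SYSCTL_gcov_op", would help policy authors find it.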
[Xen-devel] [PATCH] flask: add gcov_op check
Signed-off-by: Wei Liu--- Cc: Daniel De Graaf Cc: Konrad Rzeszutek Wilk --- tools/flask/policy/modules/dom0.te | 2 +- xen/xsm/flask/hooks.c | 3 +++ xen/xsm/flask/policy/access_vectors | 2 ++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te index 2d982d9..54c3572 100644 --- a/tools/flask/policy/modules/dom0.te +++ b/tools/flask/policy/modules/dom0.te @@ -15,7 +15,7 @@ allow dom0_t xen_t:xen { }; allow dom0_t xen_t:xen2 { resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol - get_cpu_levelling_caps get_cpu_featureset livepatch_op + get_cpu_levelling_caps get_cpu_featureset livepatch_op gcov_op }; # Allow dom0 to use all XENVER_ subops that have checks. diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 177c11f..040a251 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -822,6 +822,9 @@ static int flask_sysctl(int cmd) case XEN_SYSCTL_livepatch_op: return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, XEN2__LIVEPATCH_OP, NULL); +case XEN_SYSCTL_gcov_op: +return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, +XEN2__GCOV_OP, NULL); default: return avc_unknown_permission("sysctl", cmd); diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 49c9a9e..92e6da9 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -99,6 +99,8 @@ class xen2 get_cpu_featureset # XEN_SYSCTL_livepatch_op livepatch_op +# XEN_SYSCTL_gcov_op +gcov_op } # Classes domain and domain2 consist of operations that a domain performs on -- 2.1.4 ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
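Review bot: the changelog is empty apart from the tags, and the xen/xsm/flask/hooks.c hunk is where that matters. In flask_sysctl() the new "case XEN_SYSCTL_gcov_op:" is added directly above "default: return avc_unknown_permission("sysctl", cmd);", which is the path this command took before the patch. One sentence in the commit message stating that, and that the operation is now checked against XEN2__GCOV_OP, would tell readers what changes for FLASK-enabled builds.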