Re: [Xen-devel] [PATCH] flask: add gcov_op check

[Daniel De Graaf]

On 10/13/2016 10:37 AM, Wei Liu wrote:

Signed-off-by: Wei Liu 


Acked-by: Daniel De Graaf 

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] flask: add gcov_op check

[Konrad Rzeszutek Wilk]

On Thu, Oct 13, 2016 at 03:37:13PM +0100, Wei Liu wrote:
> Signed-off-by: Wei Liu 
> ---
> Cc: Daniel De Graaf 
> Cc: Konrad Rzeszutek Wilk 

Reviewed-by: Konrad Rzeszutek Wilk 
> ---
>  tools/flask/policy/modules/dom0.te  | 2 +-
>  xen/xsm/flask/hooks.c   | 3 +++
>  xen/xsm/flask/policy/access_vectors | 2 ++
>  3 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/flask/policy/modules/dom0.te 
> b/tools/flask/policy/modules/dom0.te
> index 2d982d9..54c3572 100644
> --- a/tools/flask/policy/modules/dom0.te
> +++ b/tools/flask/policy/modules/dom0.te
> @@ -15,7 +15,7 @@ allow dom0_t xen_t:xen {
>  };
>  allow dom0_t xen_t:xen2 {
>   resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol
> - get_cpu_levelling_caps get_cpu_featureset livepatch_op
> + get_cpu_levelling_caps get_cpu_featureset livepatch_op gcov_op
>  };
>  
>  # Allow dom0 to use all XENVER_ subops that have checks.
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 177c11f..040a251 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -822,6 +822,9 @@ static int flask_sysctl(int cmd)
>  case XEN_SYSCTL_livepatch_op:
>  return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
>  XEN2__LIVEPATCH_OP, NULL);
> +case XEN_SYSCTL_gcov_op:
> +return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
> +XEN2__GCOV_OP, NULL);
>  
>  default:
>  return avc_unknown_permission("sysctl", cmd);
> diff --git a/xen/xsm/flask/policy/access_vectors 
> b/xen/xsm/flask/policy/access_vectors
> index 49c9a9e..92e6da9 100644
> --- a/xen/xsm/flask/policy/access_vectors
> +++ b/xen/xsm/flask/policy/access_vectors
> @@ -99,6 +99,8 @@ class xen2
>  get_cpu_featureset
>  # XEN_SYSCTL_livepatch_op
>  livepatch_op
> +# XEN_SYSCTL_gcov_op
> +gcov_op
>  }
>  
>  # Classes domain and domain2 consist of operations that a domain performs on
> -- 
> 2.1.4
> 

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[Xen-devel] [PATCH] flask: add gcov_op check

[Wei Liu]

Signed-off-by: Wei Liu 
---
Cc: Daniel De Graaf 
Cc: Konrad Rzeszutek Wilk 
---
 tools/flask/policy/modules/dom0.te  | 2 +-
 xen/xsm/flask/hooks.c   | 3 +++
 xen/xsm/flask/policy/access_vectors | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/tools/flask/policy/modules/dom0.te 
b/tools/flask/policy/modules/dom0.te
index 2d982d9..54c3572 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -15,7 +15,7 @@ allow dom0_t xen_t:xen {
 };
 allow dom0_t xen_t:xen2 {
resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol
-   get_cpu_levelling_caps get_cpu_featureset livepatch_op
+   get_cpu_levelling_caps get_cpu_featureset livepatch_op gcov_op
 };
 
 # Allow dom0 to use all XENVER_ subops that have checks.
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 177c11f..040a251 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -822,6 +822,9 @@ static int flask_sysctl(int cmd)
 case XEN_SYSCTL_livepatch_op:
 return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
 XEN2__LIVEPATCH_OP, NULL);
+case XEN_SYSCTL_gcov_op:
+return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+XEN2__GCOV_OP, NULL);
 
 default:
 return avc_unknown_permission("sysctl", cmd);
diff --git a/xen/xsm/flask/policy/access_vectors 
b/xen/xsm/flask/policy/access_vectors
index 49c9a9e..92e6da9 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -99,6 +99,8 @@ class xen2
 get_cpu_featureset
 # XEN_SYSCTL_livepatch_op
 livepatch_op
+# XEN_SYSCTL_gcov_op
+gcov_op
 }
 
 # Classes domain and domain2 consist of operations that a domain performs on
-- 
2.1.4


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel