Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
anshul makkar writes ("Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough."):
> Please backport the patch to stable-4.8. I have tested it.

Queued.

Ian.

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
On 03/01/17 18:20, Daniel De Graaf wrote:
> On 12/19/2016 11:03 PM, Doug Goldstein wrote:
>> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>>> During guest migrate allow permission to prevent
>>>>> spurious page faults.
>>>>> Prevents these errors:
>>>>> d73: Non-privileged (73) attempt to map I/O space
>>>>>
>>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>>> scontext=system_u:system_r:dom0_t
>>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>>
>>>>> GPU passthrough for hvm guest:
>>>>> avc: denied { send_irq } for domid=0 target=10
>>>>> scontext=system_u:system_r:dom0_t
>>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>>
>>>>> Signed-off-by: Anshul Makkar
>>>>
>>>> Acked-by: Daniel De Graaf
>>>
>>> Daniel,
>>>
>>> Should this be backported to 4.8?
>
> Yes, I would consider this a candidate for backporting.
>
>> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?
>
> I believe this is fixed now; my email server was changed while I was gone
> for the holiday and apparently the change was not tested properly.

Please backport the patch to stable-4.8. I have tested it.

Anshul
Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
On 12/19/2016 11:03 PM, Doug Goldstein wrote:
> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>> During guest migrate allow permission to prevent
>>>> spurious page faults.
>>>> Prevents these errors:
>>>> d73: Non-privileged (73) attempt to map I/O space
>>>>
>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>> scontext=system_u:system_r:dom0_t
>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>
>>>> GPU passthrough for hvm guest:
>>>> avc: denied { send_irq } for domid=0 target=10
>>>> scontext=system_u:system_r:dom0_t
>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>
>>>> Signed-off-by: Anshul Makkar
>>>
>>> Acked-by: Daniel De Graaf
>>
>> Daniel,
>>
>> Should this be backported to 4.8?

Yes, I would consider this a candidate for backporting.

> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?

I believe this is fixed now; my email server was changed while I was gone
for the holiday and apparently the change was not tested properly.

--
Daniel De Graaf
National Security Agency
Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
>>> On 22.12.16 at 16:28,wrote:
> On 12/20/16 3:37 AM, Anshul Makkar wrote:
>> On 20/12/2016 04:03, Doug Goldstein wrote:
>>> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>>>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>>>> During guest migrate allow permission to prevent
>>>>>> spurious page faults.
>>>>>> Prevents these errors:
>>>>>> d73: Non-privileged (73) attempt to map I/O space
>>>>>>
>>>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>>>> scontext=system_u:system_r:dom0_t
>>>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>>>
>>>>>> GPU passthrough for hvm guest:
>>>>>> avc: denied { send_irq } for domid=0 target=10
>>>>>> scontext=system_u:system_r:dom0_t
>>>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>>>
>>>>>> Signed-off-by: Anshul Makkar
>>>>>
>>>>> Acked-by: Daniel De Graaf
>>>>
>>>> Daniel,
>>>>
>>>> Should this be backported to 4.8?
>>>
>>> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?
>>>
>>
>> Doug, yes, will backport and test.
>>
>> Anshul
>
> CCing Jan for the backport.

Well - I'll wait for the pending confirmation from Anshul (please Cc
me on that one). Or wait - this is under tools/, in which case I'd
rather leave this to Ian (so please Cc him when confirming).

Jan
Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
On 12/20/16 3:37 AM, Anshul Makkar wrote:
> On 20/12/2016 04:03, Doug Goldstein wrote:
>> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>>> During guest migrate allow permission to prevent
>>>>> spurious page faults.
>>>>> Prevents these errors:
>>>>> d73: Non-privileged (73) attempt to map I/O space
>>>>>
>>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>>> scontext=system_u:system_r:dom0_t
>>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>>
>>>>> GPU passthrough for hvm guest:
>>>>> avc: denied { send_irq } for domid=0 target=10
>>>>> scontext=system_u:system_r:dom0_t
>>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>>
>>>>> Signed-off-by: Anshul Makkar
>>>>
>>>> Acked-by: Daniel De Graaf
>>>
>>> Daniel,
>>>
>>> Should this be backported to 4.8?
>>>
>>
>> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?
>>
>
> Doug, yes, will backport and test.
>
> Anshul

CCing Jan for the backport.

--
Doug Goldstein
Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
On 20/12/2016 04:03, Doug Goldstein wrote:
> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>>> During guest migrate allow permission to prevent
>>>> spurious page faults.
>>>> Prevents these errors:
>>>> d73: Non-privileged (73) attempt to map I/O space
>>>>
>>>> avc: denied { set_misc_info } for domid=0 target=11
>>>> scontext=system_u:system_r:dom0_t
>>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>>
>>>> GPU passthrough for hvm guest:
>>>> avc: denied { send_irq } for domid=0 target=10
>>>> scontext=system_u:system_r:dom0_t
>>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>>
>>>> Signed-off-by: Anshul Makkar
>>>
>>> Acked-by: Daniel De Graaf
>>
>> Daniel,
>>
>> Should this be backported to 4.8?
>
> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?

Doug, yes, will backport and test.

Anshul
Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
On 12/19/16 10:02 AM, Doug Goldstein wrote:
> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>> During guest migrate allow permission to prevent
>>> spurious page faults.
>>> Prevents these errors:
>>> d73: Non-privileged (73) attempt to map I/O space
>>>
>>> avc: denied { set_misc_info } for domid=0 target=11
>>> scontext=system_u:system_r:dom0_t
>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>
>>> GPU passthrough for hvm guest:
>>> avc: denied { send_irq } for domid=0 target=10
>>> scontext=system_u:system_r:dom0_t
>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>
>>> Signed-off-by: Anshul Makkar
>>
>> Acked-by: Daniel De Graaf
>>
>
> Daniel,
>
> Should this be backported to 4.8?
>

FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?

--
Doug Goldstein
Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
On 12/14/16 3:09 PM, Daniel De Graaf wrote:
> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>> During guest migrate allow permission to prevent
>> spurious page faults.
>> Prevents these errors:
>> d73: Non-privileged (73) attempt to map I/O space
>>
>> avc: denied { set_misc_info } for domid=0 target=11
>> scontext=system_u:system_r:dom0_t
>> tcontext=system_u:system_r:domU_t tclass=domain
>>
>> GPU passthrough for hvm guest:
>> avc: denied { send_irq } for domid=0 target=10
>> scontext=system_u:system_r:dom0_t
>> tcontext=system_u:system_r:domU_t tclass=hvm
>>
>> Signed-off-by: Anshul Makkar
>
> Acked-by: Daniel De Graaf
>

Daniel,

Should this be backported to 4.8?

--
Doug Goldstein
Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
On Wed, Dec 14, 2016 at 04:09:00PM -0500, Daniel De Graaf wrote:
> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
> >During guest migrate allow permission to prevent
> >spurious page faults.
> >Prevents these errors:
> >d73: Non-privileged (73) attempt to map I/O space
> >
> >avc: denied { set_misc_info } for domid=0 target=11
> >scontext=system_u:system_r:dom0_t
> >tcontext=system_u:system_r:domU_t tclass=domain
> >
> >GPU passthrough for hvm guest:
> >avc: denied { send_irq } for domid=0 target=10
> >scontext=system_u:system_r:dom0_t
> >tcontext=system_u:system_r:domU_t tclass=hvm
> >
> >Signed-off-by: Anshul Makkar
>
> Acked-by: Daniel De Graaf
>

Applied
Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
On 12/12/2016 09:00 AM, Anshul Makkar wrote:
> During guest migrate allow permission to prevent
> spurious page faults.
> Prevents these errors:
> d73: Non-privileged (73) attempt to map I/O space
>
> avc: denied { set_misc_info } for domid=0 target=11
> scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:domU_t tclass=domain
>
> GPU passthrough for hvm guest:
> avc: denied { send_irq } for domid=0 target=10
> scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:domU_t tclass=hvm
>
> Signed-off-by: Anshul Makkar

Acked-by: Daniel De Graaf
[Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.
During guest migrate allow permission to prevent spurious page faults. Prevents these errors: d73: Non-privileged (73) attempt to map I/O space avc: denied { set_misc_info } for domid=0 target=11 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain GPU passthrough for hvm guest: avc: denied { send_irq } for domid=0 target=10 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=hvm Signed-off-by: Anshul Makkar--- tools/flask/policy/modules/xen.if |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index eb646f5..1aca75d 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -49,7 +49,7 @@ define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext getscheduler getvcpuinfo getaddrsize getaffinity setaffinity - settime setdomainhandle getvcpucontext }; + settime setdomainhandle getvcpucontext set_misc_info }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_cat_op soft_reset }; @@ -58,7 +58,7 @@ define(`create_domain_common', ` allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp }; allow $1 $2:grant setup; allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc - setparam pcilevel trackdirtyvram nested altp2mhvm altp2mhvm_op }; + setparam pcilevel trackdirtyvram nested altp2mhvm altp2mhvm_op send_irq }; ') # create_domain(priv, target) -- 1.7.10.4 ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
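Review bot: The commit message does not justify placing set_misc_info in create_domain_common (first hunk). It says only that the permission is needed "during guest migrate" and does not name the operation being denied or explain how that denial leads to the quoted "attempt to map I/O space" error. Because the rule is "allow $1 $2:domain { ... }" inside a domain-creation macro, every $1 that uses the macro receives the permission; please state in the message why this macro, rather than a rule limited to migration, is the right place for it.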
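Review bot: send_irq in the second hunk is granted more widely than the commit message justifies. The message ties the denial to GPU passthrough for an HVM guest, yet the permission is added to the "allow $1 $2:hvm { ... }" set of create_domain_common, which is not specific to passthrough. Either explain in the message why every user of the macro needs it, or grant it in a passthrough-specific rule. The two additions also address separate denials (tclass=domain and tclass=hvm) and would be easier to review and backport as two patches.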