Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2017-01-04 Thread Ian Jackson 
anshul makkar writes ("Re: [Xen-devel] [PATCH] xsm: allow relevant permission 
during migrate and gpu-passthrough."):
> Please backport the patch to stable-4.8. I have tested it.

Queued.

Ian.

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2017-01-04 Thread anshul makkar 



On 03/01/17 18:20, Daniel De Graaf wrote:

On 12/19/2016 11:03 PM, Doug Goldstein wrote:

On 12/19/16 10:02 AM, Doug Goldstein wrote:

On 12/14/16 3:09 PM, Daniel De Graaf wrote:

On 12/12/2016 09:00 AM, Anshul Makkar wrote:

During guest migrate allow permission to prevent
spurious page faults.
Prevents these errors:
d73: Non-privileged (73) attempt to map I/O space 

avc: denied  { set_misc_info } for domid=0 target=11
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

GPU passthrough for hvm guest:
avc:  denied  { send_irq } for domid=0 target=10
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=hvm

Signed-off-by: Anshul Makkar 


Acked-by: Daniel De Graaf 



Daniel,

Should this be backported to 4.8?



Yes, I would consider this a candidate for backporting.


FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?


I believe this is fixed now; my email server was changed while I was gone
for the holiday and apparently the change was not tested properly.


Please backport the patch to stable-4.8. I have tested it.

Anshul

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2017-01-03 Thread Daniel De Graaf 

On 12/19/2016 11:03 PM, Doug Goldstein wrote:

On 12/19/16 10:02 AM, Doug Goldstein wrote:

On 12/14/16 3:09 PM, Daniel De Graaf wrote:

On 12/12/2016 09:00 AM, Anshul Makkar wrote:

During guest migrate allow permission to prevent
spurious page faults.
Prevents these errors:
d73: Non-privileged (73) attempt to map I/O space 

avc: denied  { set_misc_info } for domid=0 target=11
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

GPU passthrough for hvm guest:
avc:  denied  { send_irq } for domid=0 target=10
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=hvm

Signed-off-by: Anshul Makkar 


Acked-by: Daniel De Graaf 



Daniel,

Should this be backported to 4.8?



Yes, I would consider this a candidate for backporting.


FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?


I believe this is fixed now; my email server was changed while I was gone
for the holiday and apparently the change was not tested properly.

--
Daniel De Graaf
National Security Agency

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2016-12-22 Thread Jan Beulich 
>>> On 22.12.16 at 16:28,  wrote:
> On 12/20/16 3:37 AM, Anshul Makkar wrote:
>> On 20/12/2016 04:03, Doug Goldstein wrote:
>>> On 12/19/16 10:02 AM, Doug Goldstein wrote:
 On 12/14/16 3:09 PM, Daniel De Graaf wrote:
> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>> During guest migrate allow permission to prevent
>> spurious page faults.
>> Prevents these errors:
>> d73: Non-privileged (73) attempt to map I/O space 
>>
>> avc: denied  { set_misc_info } for domid=0 target=11
>> scontext=system_u:system_r:dom0_t
>> tcontext=system_u:system_r:domU_t tclass=domain
>>
>> GPU passthrough for hvm guest:
>> avc:  denied  { send_irq } for domid=0 target=10
>> scontext=system_u:system_r:dom0_t
>> tcontext=system_u:system_r:domU_t tclass=hvm
>>
>> Signed-off-by: Anshul Makkar 
>
> Acked-by: Daniel De Graaf 
>

 Daniel,

 Should this be backported to 4.8?

>>>
>>> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?
>>>
>> 
>> Doug, yes, will backport and test.
>> 
>> Anshul
> 
> CCing Jan for the backport.

Well - I'll wait for the pending confirmation from Anshul (please
Cc me on that one). Or wait - this is under tools/, in which case
I'd rather leave this to Ian (so please Cc him when confirming).

Jan


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2016-12-22 Thread Doug Goldstein 
On 12/20/16 3:37 AM, Anshul Makkar wrote:
> On 20/12/2016 04:03, Doug Goldstein wrote:
>> On 12/19/16 10:02 AM, Doug Goldstein wrote:
>>> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
 On 12/12/2016 09:00 AM, Anshul Makkar wrote:
> During guest migrate allow permission to prevent
> spurious page faults.
> Prevents these errors:
> d73: Non-privileged (73) attempt to map I/O space 
>
> avc: denied  { set_misc_info } for domid=0 target=11
> scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:domU_t tclass=domain
>
> GPU passthrough for hvm guest:
> avc:  denied  { send_irq } for domid=0 target=10
> scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:domU_t tclass=hvm
>
> Signed-off-by: Anshul Makkar 

 Acked-by: Daniel De Graaf 

>>>
>>> Daniel,
>>>
>>> Should this be backported to 4.8?
>>>
>>
>> FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?
>>
> 
> Doug, yes, will backport and test.
> 
> Anshul

CCing Jan for the backport.

-- 
Doug Goldstein



signature.asc
Description: OpenPGP digital signature
___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2016-12-20 Thread Anshul Makkar 

On 20/12/2016 04:03, Doug Goldstein wrote:

On 12/19/16 10:02 AM, Doug Goldstein wrote:

On 12/14/16 3:09 PM, Daniel De Graaf wrote:

On 12/12/2016 09:00 AM, Anshul Makkar wrote:

During guest migrate allow permission to prevent
spurious page faults.
Prevents these errors:
d73: Non-privileged (73) attempt to map I/O space 

avc: denied  { set_misc_info } for domid=0 target=11
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

GPU passthrough for hvm guest:
avc:  denied  { send_irq } for domid=0 target=10
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=hvm

Signed-off-by: Anshul Makkar 


Acked-by: Daniel De Graaf 



Daniel,

Should this be backported to 4.8?



FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?



Doug, yes, will backport and test.

Anshul

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2016-12-19 Thread Doug Goldstein 
On 12/19/16 10:02 AM, Doug Goldstein wrote:
> On 12/14/16 3:09 PM, Daniel De Graaf wrote:
>> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>>> During guest migrate allow permission to prevent
>>> spurious page faults.
>>> Prevents these errors:
>>> d73: Non-privileged (73) attempt to map I/O space 
>>>
>>> avc: denied  { set_misc_info } for domid=0 target=11
>>> scontext=system_u:system_r:dom0_t
>>> tcontext=system_u:system_r:domU_t tclass=domain
>>>
>>> GPU passthrough for hvm guest:
>>> avc:  denied  { send_irq } for domid=0 target=10
>>> scontext=system_u:system_r:dom0_t
>>> tcontext=system_u:system_r:domU_t tclass=hvm
>>>
>>> Signed-off-by: Anshul Makkar 
>>
>> Acked-by: Daniel De Graaf 
>>
> 
> Daniel,
> 
> Should this be backported to 4.8?
> 

FWIW, Daniel's email is bouncing. Anshul, do you want to test/confirm?

-- 
Doug Goldstein



signature.asc
Description: OpenPGP digital signature
___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2016-12-19 Thread Doug Goldstein 
On 12/14/16 3:09 PM, Daniel De Graaf wrote:
> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
>> During guest migrate allow permission to prevent
>> spurious page faults.
>> Prevents these errors:
>> d73: Non-privileged (73) attempt to map I/O space 
>>
>> avc: denied  { set_misc_info } for domid=0 target=11
>> scontext=system_u:system_r:dom0_t
>> tcontext=system_u:system_r:domU_t tclass=domain
>>
>> GPU passthrough for hvm guest:
>> avc:  denied  { send_irq } for domid=0 target=10
>> scontext=system_u:system_r:dom0_t
>> tcontext=system_u:system_r:domU_t tclass=hvm
>>
>> Signed-off-by: Anshul Makkar 
> 
> Acked-by: Daniel De Graaf 
> 

Daniel,

Should this be backported to 4.8?

-- 
Doug Goldstein



signature.asc
Description: OpenPGP digital signature
___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2016-12-16 Thread Wei Liu 
On Wed, Dec 14, 2016 at 04:09:00PM -0500, Daniel De Graaf wrote:
> On 12/12/2016 09:00 AM, Anshul Makkar wrote:
> >During guest migrate allow permission to prevent
> >spurious page faults.
> >Prevents these errors:
> >d73: Non-privileged (73) attempt to map I/O space 
> >
> >avc: denied  { set_misc_info } for domid=0 target=11
> >scontext=system_u:system_r:dom0_t
> >tcontext=system_u:system_r:domU_t tclass=domain
> >
> >GPU passthrough for hvm guest:
> >avc:  denied  { send_irq } for domid=0 target=10
> >scontext=system_u:system_r:dom0_t
> >tcontext=system_u:system_r:domU_t tclass=hvm
> >
> >Signed-off-by: Anshul Makkar 
> 
> Acked-by: Daniel De Graaf 
> 

Applied

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2016-12-14 Thread Daniel De Graaf 

On 12/12/2016 09:00 AM, Anshul Makkar wrote:

During guest migrate allow permission to prevent
spurious page faults.
Prevents these errors:
d73: Non-privileged (73) attempt to map I/O space 

avc: denied  { set_misc_info } for domid=0 target=11
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

GPU passthrough for hvm guest:
avc:  denied  { send_irq } for domid=0 target=10
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=hvm

Signed-off-by: Anshul Makkar 


Acked-by: Daniel De Graaf 


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[Xen-devel] [PATCH] xsm: allow relevant permission during migrate and gpu-passthrough.

2016-12-12 Thread Anshul Makkar 
During guest migrate allow permission to prevent
spurious page faults.
Prevents these errors:
d73: Non-privileged (73) attempt to map I/O space 

avc: denied  { set_misc_info } for domid=0 target=11
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

GPU passthrough for hvm guest:
avc:  denied  { send_irq } for domid=0 target=10
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=hvm

Signed-off-by: Anshul Makkar 
---

 tools/flask/policy/modules/xen.if |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/flask/policy/modules/xen.if 
b/tools/flask/policy/modules/xen.if
index eb646f5..1aca75d 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -49,7 +49,7 @@ define(`create_domain_common', `
allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
getdomaininfo hypercall setvcpucontext getscheduler
getvcpuinfo getaddrsize getaffinity setaffinity
-   settime setdomainhandle getvcpucontext };
+   settime setdomainhandle getvcpucontext set_misc_info };
allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
psr_cmt_op psr_cat_op soft_reset };
@@ -58,7 +58,7 @@ define(`create_domain_common', `
allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage 
mmuext_op updatemp };
allow $1 $2:grant setup;
allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
-   setparam pcilevel trackdirtyvram nested altp2mhvm 
altp2mhvm_op };
+   setparam pcilevel trackdirtyvram nested altp2mhvm 
altp2mhvm_op send_irq };
 ')
 
 # create_domain(priv, target)
-- 
1.7.10.4


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel