On Mon, Nov 21, 2022 at 9:37 AM Andrew Cooper <andrew.coop...@citrix.com> wrote:
>
> These were overlooked in the original patch, and noticed by OSSTest which does
> run some Flask tests.
>
> Fixes: 22b20bd98c02 ("xen: Introduce non-broken hypercalls for the paging
> mempool size")
> Suggested-by: Daniel Smith <dpsm...@apertussolutions.com>
> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
> ---
> CC: Daniel De Graaf <dgde...@tycho.nsa.gov>
> CC: Daniel Smith <dpsm...@apertussolutions.com>
> CC: Jason Andryuk <jandr...@gmail.com>
> CC: Henry Wang <henry.w...@arm.com>
Reviewed-by: Jason Andryuk <jandr...@gmail.com>
Thanks, Andrew. Though we might want a small tweak - possibly as a follow up?
> diff --git a/tools/flask/policy/modules/xen.if
> b/tools/flask/policy/modules/xen.if
> index 424daab6a022..6b7b7d403ab4 100644
> --- a/tools/flask/policy/modules/xen.if
> +++ b/tools/flask/policy/modules/xen.if
> @@ -92,7 +92,7 @@ define(`manage_domain', `
> allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
> getaddrsize pause unpause trigger shutdown destroy
> setaffinity setdomainmaxmem getscheduler resume
> - setpodtarget getpodtarget };
> + setpodtarget getpodtarget getpagingmempool
> setpagingmempool };
There is also create_domain_common which is for a dedicated "domain
builder" that creates but does not manage domains. I think that
should gain setpagingmempool permission?
Regards,
Jason
