The following functions are invoked only by the XEN_DOMCTL_{irq_permission,iomem_permission} domctl ops, and shall be wrapped in #ifdef CONFIG_DOMCTL:
- xsm_irq_permission
- xsm_iomem_permission
Signed-off-by: Penny Zheng <penny.zh...@amd.com>
---
 xen/include/xsm/dummy.h | 2 ++
 xen/include/xsm/xsm.h | 4 ++++
 xen/xsm/dummy.c | 2 ++
 xen/xsm/flask/hooks.c | 4 ++++
 4 files changed, 12 insertions(+)
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 12792c3a43..55521c012b 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -556,6 +556,7 @@ static XSM_INLINE int cf_check xsm_unmap_domain_irq(
 return xsm_default_action(action, current->domain, d); }
+#ifdef CONFIG_DOMCTL
 static XSM_INLINE int cf_check xsm_irq_permission( XSM_DEFAULT_ARG struct domain *d, int pirq, uint8_t allow) {
@@ -569,6 +570,7 @@ static XSM_INLINE int cf_check xsm_iomem_permission(
 XSM_ASSERT_ACTION(XSM_HOOK); return xsm_default_action(action, current->domain, d); }
+#endif /* CONFIG_DOMCTL */
 static XSM_INLINE int cf_check xsm_iomem_mapping( XSM_DEFAULT_ARG struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 6444f0677b..1759d49aaa 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -115,9 +115,11 @@ struct xsm_ops {
 int (*unmap_domain_irq)(struct domain *d, int irq, const void *data); int (*bind_pt_irq)(struct domain *d, struct xen_domctl_bind_pt_irq *bind); int (*unbind_pt_irq)(struct domain *d, struct xen_domctl_bind_pt_irq *bind);
+#ifdef CONFIG_DOMCTL
 int (*irq_permission)(struct domain *d, int pirq, uint8_t allow); int (*iomem_permission)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow);
+#endif
 int (*iomem_mapping)(struct domain *d, uint64_t s, uint64_t e, uint8_t allow); int (*pci_config_permission)(struct domain *d, uint32_t machine_bdf,
@@ -511,6 +513,7 @@ static inline int xsm_unbind_pt_irq(
 return alternative_call(xsm_ops.unbind_pt_irq, d, bind); }
+#ifdef CONFIG_DOMCTL
 static inline int xsm_irq_permission( xsm_default_t def, struct domain *d, int pirq, uint8_t allow) {
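Review bot: The `#ifdef CONFIG_DOMCTL` opened above xsm_irq_permission in xen/include/xsm/dummy.h (@@ -556, closed in the @@ -569 hunk) carries no comment explaining why an access-control hook may be compiled out, and the same applies to the wrappers in xen/include/xsm/xsm.h (@@ -511 and @@ -522). The commit message's claim that both hooks are reached only from XEN_DOMCTL_{irq_permission,iomem_permission} is what makes the removal safe, so it belongs next to the guard: `/* Only reached from XEN_DOMCTL_{irq,iomem}_permission; a caller outside CONFIG_DOMCTL must fail to build rather than get a stub that returns 0. */`. With that in place, a later build break at a new call site is read as the missing permission check it is. Both function bodies run past the hunk boundaries.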
@@ -522,6 +525,7 @@ static inline int xsm_iomem_permission(
 { return alternative_call(xsm_ops.iomem_permission, d, s, e, allow); }
+#endif /* CONFIG_DOMCTL */
 static inline int xsm_iomem_mapping( xsm_default_t def, struct domain *d, uint64_t s, uint64_t e, uint8_t allow)
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index b8a9b581b7..2798425de2 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -75,8 +75,10 @@ static const struct xsm_ops __initconst_cf_clobber dummy_ops = {
 .unmap_domain_irq = xsm_unmap_domain_irq, .bind_pt_irq = xsm_bind_pt_irq, .unbind_pt_irq = xsm_unbind_pt_irq,
+#ifdef CONFIG_DOMCTL
 .irq_permission = xsm_irq_permission, .iomem_permission = xsm_iomem_permission,
+#endif
 .iomem_mapping = xsm_iomem_mapping, .pci_config_permission = xsm_pci_config_permission, .get_vnumainfo = xsm_get_vnumainfo,
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 55da0a5ff7..8361cf94f9 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1113,12 +1113,14 @@ static int cf_check flask_unbind_pt_irq(
 return current_has_perm(d, SECCLASS_RESOURCE, RESOURCE__REMOVE); }
+#ifdef CONFIG_DOMCTL
 static int cf_check flask_irq_permission( struct domain *d, int pirq, uint8_t access) { /* the PIRQ number is not useful; real IRQ is checked during mapping */ return current_has_perm(d, SECCLASS_RESOURCE, resource_to_perm(access)); }
+#endif /* CONFIG_DOMCTL */
 struct iomem_has_perm_data { uint32_t ssid;
@@ -1949,8 +1951,10 @@ static const struct xsm_ops __initconst_cf_clobber flask_ops = {
 .unmap_domain_irq = flask_unmap_domain_irq, .bind_pt_irq = flask_bind_pt_irq, .unbind_pt_irq = flask_unbind_pt_irq,
+#ifdef CONFIG_DOMCTL
 .irq_permission = flask_irq_permission, .iomem_permission = flask_iomem_permission,
+#endif
 .iomem_mapping = flask_iomem_mapping, .pci_config_permission = flask_pci_config_permission,
-- 
2.34.1
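Review bot: In xen/xsm/flask/hooks.c the guard added at @@ -1113 covers only flask_irq_permission, while the flask_ops hunk at @@ -1949 drops both `.irq_permission` and `.iomem_permission`; the definition of flask_iomem_permission is left outside any `#ifdef` in the visible hunks. If nothing else references it once CONFIG_DOMCTL is off, it becomes an unused static function and will trip the unused-function warning; if another hook still calls it (flask_iomem_mapping would be the likely one, but its body is not shown here), the asymmetry deserves a comment above the definition, e.g. `/* Not under CONFIG_DOMCTL: still used by flask_iomem_mapping(). */`. A build with CONFIG_DOMCTL disabled and FLASK enabled would confirm which case applies.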