authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2011-12-02 13:45:15 -0800
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2011-12-02 13:45:15 -0800
commitc9f7324e6c6f634bc0f7214fd0ab12fb9847c857 (patch)
treeac9afc51243fa6cbedacbb821319bd59d2a2bdc5
parent64b8b98854e09202f420b8bb02cb915b8a03cd55 (diff)
xsm: remove unused xsm_assign_vector check
The PHYSDEVOP_alloc_irq_vector hypercall is a noop, so its XSM check is not useful. Remove it and the "event vector" FLASK permission. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Keir Fraser <keir@xen.org>
-rw-r--r--tools/flask/policy/policy/flask/access_vectors1
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.if1
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te1
-rw-r--r--xen/arch/x86/physdev.c4
-rw-r--r--xen/include/xsm/xsm.h6
-rw-r--r--xen/xsm/dummy.c6
-rw-r--r--xen/xsm/flask/hooks.c13
-rw-r--r--xen/xsm/flask/include/av_perm_to_string.h3
-rw-r--r--xen/xsm/flask/include/av_permissions.h3
9 files changed, 2 insertions, 36 deletions
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
index 9d09c5bfce..1b2687a8f9 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -100,7 +100,6 @@ class event
status
notify
create
- vector
reset
}
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index bf3b794c8e..d12af740cf 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -67,7 +67,6 @@ define(`create_channel', `
###############################################################################
define(`create_passthrough_resource', `
type $3, resource_type;
- allow $1 $3:event vector;
allow $1 $2:resource {add remove};
allow $1 ioport_t:resource {add_ioport use};
allow $1 iomem_t:resource {add_iomem use};
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index d95a7da9b7..8113467080 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -31,7 +31,6 @@ scheduler physinfo heap quirk readconsole writeconsole settime microcode};
allow dom0_t domio_t:mmu {map_read map_write};
allow dom0_t iomem_t:mmu {map_read map_write};
-allow dom0_t pirq_t:event {vector};
allow dom0_t xen_t:mmu {memorymap};
allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust updatemp};
diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
index cca56bb6f0..5c7ab68147 100644
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -452,10 +452,6 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE(void) arg)
if ( !IS_PRIV(v->domain) )
break;
- ret = xsm_assign_vector(v->domain, irq_op.irq);
- if ( ret )
- break;
-
/* Vector is only used by hypervisor, and dom0 shouldn't
touch it in its world, return irq_op.irq as the vecotr,
and make this hypercall dummy, and also defer the vector
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index d294f2a51d..fb152caef8 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -129,7 +129,6 @@ struct xsm_operations {
int (*hvm_set_pci_link_route) (struct domain *d);
int (*hvm_inject_msi) (struct domain *d);
int (*apic) (struct domain *d, int cmd);
- int (*assign_vector) (struct domain *d, uint32_t pirq);
int (*xen_settime) (void);
int (*memtype) (uint32_t access);
int (*microcode) (void);
@@ -536,11 +535,6 @@ static inline int xsm_apic (struct domain *d, int cmd)
return xsm_call(apic(d, cmd));
}
-static inline int xsm_assign_vector (struct domain *d, uint32_t pirq)
-{
- return xsm_call(assign_vector(d, pirq));
-}
-
static inline int xsm_xen_settime (void)
{
return xsm_call(xen_settime());
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 65369482c6..1b50d0e163 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -345,11 +345,6 @@ static int dummy_apic (struct domain *d, int cmd)
return 0;
}
-static int dummy_assign_vector (struct domain *d, uint32_t pirq)
-{
- return 0;
-}
-
static int dummy_xen_settime (void)
{
return 0;
@@ -560,7 +555,6 @@ void xsm_fixup_ops (struct xsm_operations *ops)
set_to_dummy_if_null(ops, hvm_set_isa_irq_level);
set_to_dummy_if_null(ops, hvm_set_pci_link_route);
set_to_dummy_if_null(ops, apic);
- set_to_dummy_if_null(ops, assign_vector);
set_to_dummy_if_null(ops, xen_settime);
set_to_dummy_if_null(ops, memtype);
set_to_dummy_if_null(ops, microcode);
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 37b297e983..97ae4d9407 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -907,18 +907,6 @@ static int flask_apic(struct domain *d, int cmd)
return domain_has_xen(d, perm);
}
-static int flask_assign_vector(struct domain *d, uint32_t pirq)
-{
- u32 psid;
- struct domain_security_struct *dsec;
- dsec = d->ssid;
-
- if ( security_pirq_sid(pirq, &psid) )
- return -EPERM;
-
- return avc_has_perm(dsec->sid, psid, SECCLASS_EVENT, EVENT__VECTOR, NULL);
-}
-
static int flask_xen_settime(void)
{
return domain_has_xen(current->domain, XEN__SETTIME);
@@ -1306,7 +1294,6 @@ static struct xsm_operations flask_ops = {
.hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level,
.hvm_set_pci_link_route = flask_hvm_set_pci_link_route,
.apic = flask_apic,
- .assign_vector = flask_assign_vector,
.xen_settime = flask_xen_settime,
.memtype = flask_memtype,
.microcode = flask_microcode,
diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h
index c32488ee9b..70aa02d2da 100644
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -56,18 +56,17 @@
S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
S_(SECCLASS_HVM, HVM__GETPARAM, "getparam")
- S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")
S_(SECCLASS_HVM, HVM__PCILEVEL, "pcilevel")
S_(SECCLASS_HVM, HVM__IRQLEVEL, "irqlevel")
S_(SECCLASS_HVM, HVM__PCIROUTE, "pciroute")
S_(SECCLASS_HVM, HVM__BIND_IRQ, "bind_irq")
S_(SECCLASS_HVM, HVM__CACHEATTR, "cacheattr")
+ S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")
S_(SECCLASS_EVENT, EVENT__BIND, "bind")
S_(SECCLASS_EVENT, EVENT__SEND, "send")
S_(SECCLASS_EVENT, EVENT__STATUS, "status")
S_(SECCLASS_EVENT, EVENT__NOTIFY, "notify")
S_(SECCLASS_EVENT, EVENT__CREATE, "create")
- S_(SECCLASS_EVENT, EVENT__VECTOR, "vector")
S_(SECCLASS_EVENT, EVENT__RESET, "reset")
S_(SECCLASS_GRANT, GRANT__MAP_READ, "map_read")
S_(SECCLASS_GRANT, GRANT__MAP_WRITE, "map_write")
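Review bot: The `HVM__TRACKDIRTYVRAM` entry is removed from before `pcilevel` and re-added after `cacheattr`, which is unrelated to the event-vector removal described in the commit message and is not mentioned there. Table order presumably does not affect lookups (the S_() macro's consumer is not visible here), so this looks like an artifact of regenerating the header from the access_vectors file rather than an intended change, and the av_permissions.h hunk in this commit shows no change to the HVM class. Either drop the move to keep the patch minimal, or state in the commit message that both headers were regenerated from tools/flask/policy/policy/flask/access_vectors so a reviewer can confirm the string table and the bit assignments were produced from the same source.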
diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h
index f5dcc6f8fe..4c2ffb61e8 100644
--- a/xen/xsm/flask/include/av_permissions.h
+++ b/xen/xsm/flask/include/av_permissions.h
@@ -70,8 +70,7 @@
#define EVENT__STATUS 0x00000004UL
#define EVENT__NOTIFY 0x00000008UL
#define EVENT__CREATE 0x00000010UL
-#define EVENT__VECTOR 0x00000020UL
-#define EVENT__RESET 0x00000040UL
+#define EVENT__RESET 0x00000020UL
#define GRANT__MAP_READ 0x00000001UL
#define GRANT__MAP_WRITE 0x00000002UL
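Review bot: Renumbering `EVENT__RESET` from `0x00000040UL` to `0x00000020UL` changes the bit position the hypervisor tests for a permission that still exists, so a policy binary compiled against the previous access_vectors file would encode reset at a bit the new hypervisor no longer associates with it, unless permission values are remapped by name when the policy is loaded — I cannot tell from this hunk whether Xen's FLASK does that. If it does not, the hypervisor and the FLASK policy must be rebuilt together and the commit message should say so, e.g. `Note: EVENT__RESET changes value; rebuild the policy against the updated access_vectors.` Compacting the bit space is the usual convention for these generated headers, so if a remapping layer does exist this is only a documentation point; if it does not, consider whether leaving the `0x20` slot unused would be a cheaper way to avoid the policy/hypervisor mismatch.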