xen/arch/x86: complete XSM hooks on irq/pirq mappings

Manipulation of a domain's pirq namespace was not fully protected by
XSM hooks because the XSM hooks for IRQs needed a physical IRQ.  Since
this may not apply to HVM domains, a complete solution needs to split
the XSM hook for this operation, using one hook for the PIRQ
manipulation and one for controlling access to the hardware IRQ.

This reworking has the advantage of providing the same MSI data to
remove_irq that is provided to add_irq, allowing the PCI device to be
determined in both functions.  It also eliminates the last callers of
rcu_lock_target_domain_by_id in x86 and common code in preparation for
this function's removal.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

1 files changed, 2 insertions, 3 deletions

diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index 2fdaede5e8..36cbacfa13 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -368,12 +368,11 @@ class resource
 #  target = resource's security label
 # also checked when using some core Xen devices (target xen_t)
     use
-# PHYSDEVOP_map_pirq and ioapic writes for dom0
+# PHYSDEVOP_map_pirq and ioapic writes for dom0, when acting on real IRQs
 #  For GSI interrupts, the IRQ's label is indexed by the IRQ number
 #  For MSI interrupts, the label of the PCI device is used
     add_irq
-# PHYSDEVOP_unmap_pirq:
-#  This is currently only checked for GSI interrupts
+# PHYSDEVOP_unmap_pirq (same as map, and only for real IRQs)
     remove_irq
 # XEN_DOMCTL_ioport_permission, XEN_DOMCTL_ioport_mapping
     add_ioport