diff options
| author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2013-04-23 11:54:01 +0200 |
|---|---|---|
| committer | Jan Beulich <jbeulich@suse.com> | 2013-04-23 11:54:01 +0200 |
| commit | 4bc22a50ebc1fb1695d59f69105797e208021edb (patch) | |
| tree | 6f01eb36d8f62b7f1d203c4e6bbd8067338a540d /xen/xsm | |
| parent | bb812101db5117e07de1b557b355c3855850cc95 (diff) | |
| download | xen-4bc22a50ebc1fb1695d59f69105797e208021edb.tar.gz xen-4bc22a50ebc1fb1695d59f69105797e208021edb.tar.bz2 xen-4bc22a50ebc1fb1695d59f69105797e208021edb.zip | |
x86/hvm: convert access check for nested HVM to XSM
This adds an XSM hook for enabling nested HVM support, replacing an
IS_PRIV check. This hook is a partial duplicate with the xsm_hvm_param
hook, but using the existing hook would require adding the index to the
hook and would require the use of a custom hook for the xsm-disabled
case (using XSM_OTHER, which is less immediately readable) - whereas
adding a new hook retains the clarity of the existing code.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com> (release perspective)
Diffstat (limited to 'xen/xsm')
| -rw-r--r-- | xen/xsm/dummy.c | 1 | ||||
| -rw-r--r-- | xen/xsm/flask/hooks.c | 6 | ||||
| -rw-r--r-- | xen/xsm/flask/policy/access_vectors | 2 |
3 files changed, 9 insertions, 0 deletions
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 6f1e0b4860..21aef2add9 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -101,6 +101,7 @@ void xsm_fixup_ops (struct xsm_operations *ops) set_to_dummy_if_null(ops, tmem_op); set_to_dummy_if_null(ops, tmem_control); set_to_dummy_if_null(ops, hvm_param); + set_to_dummy_if_null(ops, hvm_param_nested); set_to_dummy_if_null(ops, do_xsm_op); diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 247c8a393b..23c523386b 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1092,6 +1092,11 @@ static int flask_hvm_param(struct domain *d, unsigned long op) return current_has_perm(d, SECCLASS_HVM, perm); } +static int flask_hvm_param_nested(struct domain *d) +{ + return current_has_perm(d, SECCLASS_HVM, HVM__NESTED); +} + #ifdef CONFIG_X86 static int flask_shadow_control(struct domain *d, uint32_t op) { @@ -1506,6 +1511,7 @@ static struct xsm_operations flask_ops = { .tmem_op = flask_tmem_op, .tmem_control = flask_tmem_control, .hvm_param = flask_hvm_param, + .hvm_param_nested = flask_hvm_param_nested, .do_xsm_op = do_flask_op, diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index fdfc50245a..36b8b2c271 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -234,6 +234,8 @@ class hvm # source = domain whose memory is being shared # target = client domain share_mem +# HVMOP_set_param setting HVM_PARAM_NESTEDHVM + nested } # Class event describes event channels. Interdomain event channels have their |