flask: add gcov_op check

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
index 2d982d94cdcc2c69f16dbadf175f6698c0806d81..d0a4d91ac09f4425b53641862b78f1396933d82c 100644 (file)
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -16,6 +16,7 @@ allow dom0_t xen_t:xen {
 allow dom0_t xen_t:xen2 {
        resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol
        get_cpu_levelling_caps get_cpu_featureset livepatch_op
+       gcov_op
 };
 
 # Allow dom0 to use all XENVER_ subops that have checks.

diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 177c11f6ece5c41855d2bbc0278c3d04cbf84553..040a2513cd53e8665b175b15cdaf3accc2c1d546 100644 (file)
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -822,6 +822,9 @@ static int flask_sysctl(int cmd)
     case XEN_SYSCTL_livepatch_op:
         return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
                                     XEN2__LIVEPATCH_OP, NULL);
+    case XEN_SYSCTL_gcov_op:
+        return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+                                    XEN2__GCOV_OP, NULL);
 
     default:
         return avc_unknown_permission("sysctl", cmd);

diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index 49c9a9ea9580846d4e54ae8dc8ed12d07915a220..92e6da93464ec12b465577a618d918d1eeb83758 100644 (file)
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -99,6 +99,8 @@ class xen2
     get_cpu_featureset
 # XEN_SYSCTL_livepatch_op
     livepatch_op
+# XEN_SYSCTL_gcov_op
+    gcov_op
 }
 
 # Classes domain and domain2 consist of operations that a domain performs on