xen/flask: Wire up XEN_DOMCTL_{get,set}_paging_mempool_size
authorAndrew Cooper <andrew.cooper3@citrix.com>
Mon, 21 Nov 2022 12:46:39 +0000 (12:46 +0000)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Mon, 21 Nov 2022 16:12:41 +0000 (16:12 +0000)
These were overlooked in the original patch, and noticed by OSSTest which does
run some Flask tests.

Fixes: 22b20bd98c02 ("xen: Introduce non-broken hypercalls for the paging mempool size")
Suggested-by: Daniel Smith <dpsmith@apertussolutions.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Release-acked-by: Henry Wang <Henry.Wang@arm.com>
tools/flask/policy/modules/dom0.te
tools/flask/policy/modules/xen.if
xen/xsm/flask/hooks.c
xen/xsm/flask/policy/access_vectors

index f710ff9941c06100fd9275a0da892cb067422134..f1dcff48e22735ddddf8c6c99d3ee8a842bda9d0 100644 (file)
@@ -35,7 +35,8 @@ allow dom0_t dom0_t:domain {
        setvcpucontext max_vcpus setaffinity getaffinity getscheduler
        getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
        setdebugging hypercall settime setaddrsize getaddrsize trigger
-       getpodtarget setpodtarget set_misc_info set_virq_handler
+       getpodtarget setpodtarget getpagingmempool setpagingmempool set_misc_info
+       set_virq_handler
 };
 allow dom0_t dom0_t:domain2 {
        set_cpu_policy gettsc settsc setscheduler set_vnumainfo
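Review bot: `setpagingmempool` is granted together with `getpagingmempool` in every rule this commit touches: the dom0 self rule here and the `create_domain_common` and `manage_domain` macros in xen.if. As a result, no role built from these can query a domain's paging pool size without also being allowed to resize it. This mirrors the existing `getpodtarget setpodtarget` pairing, but hooks.c keeps the two as separate vectors, so the policy could distinguish them. For `manage_domain` in particular, confirm that every user of the macro is meant to resize a running domain's pool; if not, grant only `getpagingmempool` there and leave the setter to the creation macro. A `#` comment on each macro noting that it now covers paging-pool resize would help anyone auditing the policy.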
index 424daab6a02298c01b3ce94ae46ce64e1ab146be..11c1562aa5da1479c59b0c7c6d07ad894a244ec1 100644 (file)
@@ -49,7 +49,8 @@ define(`create_domain_common', `
        allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
                        getdomaininfo hypercall setvcpucontext getscheduler
                        getvcpuinfo getaddrsize getaffinity setaffinity
-                       settime setdomainhandle getvcpucontext set_misc_info };
+                       settime setdomainhandle getvcpucontext set_misc_info
+                       getpagingmempool setpagingmempool };
        allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim
                        set_vnumainfo get_vnumainfo cacheflush
                        psr_cmt_op psr_alloc soft_reset
@@ -92,7 +93,7 @@ define(`manage_domain', `
        allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
                        getaddrsize pause unpause trigger shutdown destroy
                        setaffinity setdomainmaxmem getscheduler resume
-                       setpodtarget getpodtarget };
+                       setpodtarget getpodtarget getpagingmempool setpagingmempool };
     allow $1 $2:domain2 set_vnumainfo;
 ')
 
index 391aec4dc22123490e9e0c0f188c9f4016178f66..78225f68c15c1c81b6c16ffc9afeee5d9bb9bd91 100644 (file)
@@ -822,6 +822,12 @@ static int cf_check flask_domctl(struct domain *d, int cmd)
     case XEN_DOMCTL_get_cpu_policy:
         return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__GET_CPU_POLICY);
 
+    case XEN_DOMCTL_get_paging_mempool_size:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETPAGINGMEMPOOL);
+
+    case XEN_DOMCTL_set_paging_mempool_size:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETPAGINGMEMPOOL);
+
     default:
         return avc_unknown_permission("domctl", cmd);
     }
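Review bot: The two new cases carry no comment, and this switch is the only place that shows query and resize of the paging pool are distinct `SECCLASS_DOMAIN` vectors. A one-line comment above them would help, e.g. `/* Paging mempool: query and resize are separate vectors so policy can allow one without the other. */`. Before this commit both commands presumably fell through to `default:` and `avc_unknown_permission()`, and the commit message says the gap was only noticed by OSSTest at run time. A reminder next to the domctl definitions, or a test that every new `XEN_DOMCTL_*` has a case here, would catch the next omission earlier. The `flask_domctl` switch starts and ends outside the hunk.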
index 6359c7fc875763cd03dc4e03aaf37638deeaa5c6..4e6710a63e1b30cac14fb99f4d8e28d188cf2a0a 100644 (file)
@@ -180,6 +180,10 @@ class domain
     set_misc_info
 # XEN_DOMCTL_set_virq_handler
     set_virq_handler
+# XEN_DOMCTL_get_paging_mempool_size
+    getpagingmempool
+# XEN_DOMCTL_set_paging_mempool_size
+    setpagingmempool
 }
 
 # This is a continuation of class domain, since only 32 permissions can be
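Review bot: The two new vectors are appended to `class domain`, and the comment after the closing brace says a class is limited to 32 permissions, but the hunk does not show how many entries the class already holds. Confirm the total stays within 32 after adding `getpagingmempool` and `setpagingmempool`. If it does not, they belong in the continuation class, with `SECCLASS_DOMAIN2` used in the hooks.c checks. The class body starts outside the hunk, so the count cannot be checked from here.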