Addition of FLASK permission for this hypercall was overlooked in the
original patch. Fix it. The only dt overlay operation is attaching, which can
happen only after the domain is created. Dom0 can attach overlay to itself
as well.
Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device attachment to domains")
Signed-off-by: Michal Orzel <michal.orzel@amd.com>
Release-Acked-By: Oleksii Kurochko <oleksii.kurochko@gmail.com>
Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
};
allow dom0_t dom0_t:domain2 {
set_cpu_policy gettsc settsc setscheduler set_vnumainfo
- get_vnumainfo psr_cmt_op psr_alloc get_cpu_policy
+ get_vnumainfo psr_cmt_op psr_alloc get_cpu_policy dt_overlay
};
allow dom0_t dom0_t:resource { add remove };
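Review bot: the dt_overlay permission added to the `allow dom0_t dom0_t:domain2` rule has no explanation in the policy itself; the only rationale is the commit message's "Dom0 can attach overlay to itself as well". A one-line comment above the rule stating that dom0 may apply an overlay to itself would let someone auditing or trimming the policy see why the self-targeted permission is there.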
getaddrsize pause unpause trigger shutdown destroy
setaffinity setdomainmaxmem getscheduler resume
setpodtarget getpodtarget getpagingmempool setpagingmempool };
- allow $1 $2:domain2 set_vnumainfo;
+ allow $1 $2:domain2 { set_vnumainfo dt_overlay };
')
# migrate_domain_out(priv, target)
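Review bot: widening the rule to `allow $1 $2:domain2 { set_vnumainfo dt_overlay };` hands dt_overlay to every caller of this interface macro, so any policy that already invokes it for a `$1`/`$2` pair gains overlay attachment on the target without opting in. If that is the intent, state it in the macro's header comment next to the other permissions it bundles; if not, a separate macro that policies invoke explicitly would keep the grant narrower.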
case XEN_DOMCTL_set_paging_mempool_size:
return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETPAGINGMEMPOOL);
+ case XEN_DOMCTL_dt_overlay:
+ return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__DT_OVERLAY);
+
default:
return avc_unknown_permission("domctl", cmd);
}
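Review bot: the new `case XEN_DOMCTL_dt_overlay:` authorises on the command alone via DOMAIN2__DT_OVERLAY, so the check does not distinguish which overlay operation is being requested. The commit message says attaching is the only operation today, which makes this sufficient for now, but any operation added later would be covered by the same vector without a policy change. A short comment on the case noting that assumption would flag it for whoever extends the domctl.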
get_cpu_policy
# XEN_DOMCTL_vuart_op
vuart_op
+# XEN_DOMCTL_dt_overlay
+ dt_overlay
}
# Similar to class domain, but primarily contains domctls related to HVM domains