From patchwork Wed Jul 13 12:59:37 2016
X-Patchwork-Submitter: Anshul Makkar
X-Patchwork-Id: 9227551
From: Anshul Makkar
Date: Wed, 13 Jul 2016 13:59:37 +0100
Message-ID: <1468414777-27129-1-git-send-email-anshul.makkar@citrix.com>
Cc: dgdegra@tycho.nsa.gov, ian.jackson@eu.citrix.com, Anshul Makkar
Subject: [Xen-devel] [PATCH] XSM-Policy: allow source domain access to setpodtarget for ballooning.

Access to setpodtarget is required by dom0 to set the balloon targets for domU. The patch gives the source domain (dom0) access to set this target for domU and resolves the following permission-denied error message during ballooning:

avc: denied { setpodtarget } for domid=0 target=9 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

Signed-off-by: Anshul Makkar
Acked-by: Daniel De Graaf
---
tools/flask/policy/modules/xen.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 8c43c28..8ae3c2e 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -83,7 +83,8 @@ define(`create_domain_build_label', ` define(`manage_domain', ` allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity getaddrsize pause unpause trigger shutdown destroy - setaffinity setdomainmaxmem getscheduler resume }; + setaffinity setdomainmaxmem getscheduler resume + setpodtarget }; allow $1 $2:domain2 set_vnumainfo; ')
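Review bot: the new setpodtarget permission is added to the parameterised manage_domain interface (allow $1 $2:domain { ... }), so it is granted to every source/target type pair that invokes manage_domain, not only the dom0_t -> domU_t pair shown in the quoted avc denial; if widening the permission to all callers of manage_domain is intended, the commit message should say so, otherwise the permission belongs in the narrowest interface that covers dom0's ballooning path. It would also help to name the toolstack operation that issues the setpodtarget call, so the policy change can be tied to the denial it resolves.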