An XSM hook for get_dom0_console is currently missing. Using XSM with
a PVH dom0 shows:
(XEN) FLASK: Denying unknown platform_op: 64.
Wire up the hook, and allow it for dom0.
Fixes: 4dd160583c ("x86/platform: introduce hypercall to get initial video console settings")
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
---
tools/flask/policy/modules/dom0.te | 2 +-
xen/xsm/flask/hooks.c | 4 ++++
xen/xsm/flask/policy/access_vectors | 2 ++
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
index f1dcff48e2..16b8c9646d 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -16,7 +16,7 @@ allow dom0_t xen_t:xen {
allow dom0_t xen_t:xen2 {
resource_op psr_cmt_op psr_alloc pmu_ctrl get_symbol
get_cpu_levelling_caps get_cpu_featureset livepatch_op
- coverage_op
+ coverage_op get_dom0_console
};
# Allow dom0 to use all XENVER_ subops that have checks.
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 78225f68c1..5e88c71b8e 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1558,6 +1558,10 @@ static int cf_check flask_platform_op(uint32_t op)
return avc_has_perm(domain_sid(current->domain), SECINITSID_XEN,
SECCLASS_XEN2, XEN2__GET_SYMBOL, NULL);
+ case XENPF_get_dom0_console:
+ return avc_has_perm(domain_sid(current->domain), SECINITSID_XEN,
+ SECCLASS_XEN2, XEN2__GET_DOM0_CONSOLE, NULL);
+
default:
return avc_unknown_permission("platform_op", op);
}
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index 4e6710a63e..a35e3d4c51 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -99,6 +99,8 @@ class xen2
livepatch_op
# XEN_SYSCTL_coverage_op
coverage_op
+# XENPF_get_dom0_console
+ get_dom0_console
}
# Classes domain and domain2 consist of operations that a domain performs on
--
2.44.0