[xen 4.12] Missing/incorrect flask rules

Description

Note: this ticket applies to the Xen 4.12 + v4v case. When Argo is added, the policy will have to be tweaked further.

domain2:

  • set_max_evtchn and set_gnttab_limits have been deprecated (more accurately, they are handled elsewhere); remove these

  • add new get_cpu_policy permission

dom0:

  • allow mca_op from dom0_t to xen_t

  • allow dom0 to access resource map of uivm and ndvm

Environment

None

Validation Steps

None

Activity

Nicholas Tsirakis
April 18, 2019, 4:57 PM

Note that I already have working changes in my tree that resolve this ticket.

Chris Rogers
April 30, 2019, 4:31 PM

Modifying to track for 9.0 release epic; it's also not related to xen 4.11 anymore.

Nicholas Tsirakis
June 25, 2019, 2:58 PM

No flask denials seen on stable-9 rc1. Tested ssh/scp argo functionality and performed some general ad-hoc testing with UIVM and NDVM.
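
Missing rules like the ones listed in the description show up as AVC denials on the Xen console, which is what the validation above checked for. The following is an added example, not code from this ticket or from the project: it groups denial lines into candidate allow rules for review. The log lines are constructed, and the line format, the uivm_t type name and the resource_map permission name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Xen console output (e.g. from `xl dmesg`); not from the ticket.
# Assumed: the AVC line layout, the uivm_t type name, the resource_map permission name.
SAMPLE_LOG = """\
(XEN) avc:  denied  { mca_op } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t tclass=xen
(XEN) avc:  denied  { resource_map } for domid=0 target=2 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:uivm_t tclass=domain2
(XEN) avc:  denied  { get_cpu_policy } for domid=0 target=2 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:uivm_t tclass=domain2
(XEN) avc:  denied  { mca_op } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t tclass=xen
(XEN) constructed non-AVC line that must be ignored
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC denial
        key = (type_of(match["scon"]), type_of(match["tcon"]), match["tclass"])
        denials[key].update(match["perms"].split())
    return denials


def candidate_rules(denials):
    """Render deduplicated denials as allow rules for a policy author to review."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {text};")
    return rules


if __name__ == "__main__":
    print("\n".join(candidate_rules(collect_denials(SAMPLE_LOG))))
```

An empty result over a test run's console log corresponds to the "no flask denials" outcome; any rule it prints is a prompt to decide whether the access should be granted, not a rule to paste in unreviewed.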

Fixed

Assignee

Unassigned

Reporter

Nicholas Tsirakis

Labels

None

QA Assignee

Nicholas Tsirakis

QA Image URL

None

Priority

Major