On 26.02.2026 15:29, Bernhard Kaindl wrote:
> Add a Flask security policy for the new XEN_DOMCTL_claim_memory hypercall
> introduced in the previous commit. When Flask is enabled, this permission
> controls whether a domain can stake memory claims for another domain.
>
> The permission is granted to:
> - dom0_t: Dom0 needs this to claim memory for guest domains
> - create_domain_common: Domain builders need this during domain creation
>
> Signed-off-by: Bernhard Kaindl <[email protected]>
> ---
> tools/flask/policy/modules/dom0.te | 1 +
> tools/flask/policy/modules/xen.if | 1 +
> xen/xsm/flask/hooks.c | 3 +++
> xen/xsm/flask/policy/access_vectors | 2 ++
> 4 files changed, 7 insertions(+)
Oh, here's the missing XSM/Flask change. First - this cannot come after the introduction of the sub-op. If it can be split and come first, fine. Else it needs to be folded in. > --- a/xen/xsm/flask/hooks.c > +++ b/xen/xsm/flask/hooks.c > @@ -820,6 +820,9 @@ static int cf_check flask_domctl(struct domain *d, > unsigned int cmd, > case XEN_DOMCTL_set_llc_colors: > return current_has_perm(d, SECCLASS_DOMAIN2, > DOMAIN2__SET_LLC_COLORS); > > + case XEN_DOMCTL_claim_memory: > + return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__CLAIM_MEMORY); You don't need two XSM checks, I don't think. As you use xsm_claim_pages(), all you need to do here should be to add a case label to the "These have individual XSM hooks (common/domctl.c)" block. Jan
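Review bot: the DOMAIN2__CLAIM_MEMORY check at the new `case XEN_DOMCTL_claim_memory:` in flask_domctl() duplicates the xsm_claim_pages() hook that the reply says the domctl already calls, so one operation would be gated by two different Flask permissions: policy has to grant both, a denial on either fails the call, and policy authors get two places to keep in sync. If xsm_claim_pages() already covers the claim, a bare case label in the "These have individual XSM hooks (common/domctl.c)" block is sufficient and the new access vector can be dropped; if the separate DOMAIN2 permission is kept on purpose, the commit message should say which check is authoritative and why both are needed. Separately, because this hook lands in a commit after the sub-op was introduced, the series should be reordered (or squashed) so that the sub-op is never reachable without its XSM handling, as the reply asks.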
