search for: domain_type

...ailed to open raw socket: %d=%s\n", errno, strerror(errno)); } else { printf("Socket opened successfully\n"); close(fd); } return 0; } SElinux .te file policy_module(rawsox,1.0.0) ######################################## # Declarations type rawsox_t; type rawsox_exec_t; domain_type(rawsox_t) domain_entry_file(rawsox_t, rawsox_exec_t) domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t) ######################################## # Rawsox local policy # these two didn't help #corenet_raw_sendrecv_all_if( rawsox_t ); #corenet_raw_sendrecv_all_nodes( rawsox_t ); require {...

This patch set adds XSM security labels to useful debugging output locations, and fixes some assumptions that all interrupts behaved like GSI interrupts (which had useful non-dynamic IDs). It also cleans up the policy build process and adds an example of how to use the user field in the security context. Debug output: [PATCH 01/10] xsm: Add security labels to event-channel dump [PATCH 02/10] xsm:

Hi all, we have discovered a segfault in nsd-patch when renaming slave zone in nsd config file if some data for this zone still exists in the IXFR diff database. In my case, the zone "black" was renamed to "blackinwhite": > root at ggd115:/cage/nsd/var/nsd/zones#nsd-patch -c > /cage/nsd/etc/nsd-dns-slave.conf > reading database > reading updates to database >

This version of the patch includes feedback from jboggs at redhat.com, including fixes to the BuildRequires and Requires in the spec file.

This patch obsoletes any previous ones. This is an upstream candidate, so I'm looking for feedback so we can push this and start using it.

This version fixes a few bugs found by jboggs. It also includes some logging facilities that need to be fleshed out more.

This patch is ready for pushing upstream.

The previous patch was missing this file. Resending.

...e(fd); >> } >> return 0; >> } >> >> >> SElinux .te file >> >> policy_module(rawsox,1.0.0) >> >> ######################################## >> # Declarations >> >> type rawsox_t; >> type rawsox_exec_t; >> domain_type(rawsox_t) >> domain_entry_file(rawsox_t, rawsox_exec_t) >> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t) >> >> ######################################## >> # Rawsox local policy >> >> # these two didn't help >> #corenet_raw_sendrecv_all_if...

...just looking for some feedback on the direction I'm going. The code won't get all the way to the define stage since I'm in the middle of retrofitting it to use virtinst instead of a home spun node definition.

Renato, If one creates an HVM domain (say domain 1) and then does echo 1 > /dev/oprofile/passive_domains one then gets the following on the Xen serial console: (XEN) xenoprof.c:143:d0 xenoprof/x86 with autotranslated mode enabledisn''t supported yet (XEN) xenoprof.c:143:d0 xenoprof/x86 with autotranslated mode enabledisn''t supported yet (XEN) xenoprof.c:143:d0

These patches update the example FLASK policy shipped with Xen and enable its build if the required tools are present. The third patch requires rerunning autoconf to update tools/configure. [PATCH 1/3] flask/policy: sort dom0 accesses [PATCH 2/3] flask/policy: rework policy build system [PATCH 3/3] tools/flask: add FLASK policy to build

iommufd follows the same design as KVM and uses memory cgroups to limit the amount of kernel memory a iommufd file descriptor can pin down. The various internal data structures already use GFP_KERNEL_ACCOUNT to charge its own memory. However, one of the biggest consumers of kernel memory is the IOPTEs stored under the iommu_domain and these allocations are not tracked. This series is the first

iommufd follows the same design as KVM and uses memory cgroups to limit the amount of kernel memory a iommufd file descriptor can pin down. The various internal data structures already use GFP_KERNEL_ACCOUNT to charge its own memory. However, one of the biggest consumers of kernel memory is the IOPTEs stored under the iommu_domain and these allocations are not tracked. This series is the first

iommufd follows the same design as KVM and uses memory cgroups to limit the amount of kernel memory a iommufd file descriptor can pin down. The various internal data structures already use GFP_KERNEL_ACCOUNT to charge its own memory. However, one of the biggest consumers of kernel memory is the IOPTEs stored under the iommu_domain and these allocations are not tracked. This series is the first

iommufd follows the same design as KVM and uses memory cgroups to limit the amount of kernel memory a iommufd file descriptor can pin down. The various internal data structures already use GFP_KERNEL_ACCOUNT to charge its own memory. However, one of the biggest consumers of kernel memory is the IOPTEs stored under the iommu_domain and these allocations are not tracked. This series is the first

iommufd follows the same design as KVM and uses memory cgroups to limit the amount of kernel memory a iommufd file descriptor can pin down. The various internal data structures already use GFP_KERNEL_ACCOUNT to charge its own memory. However, one of the biggest consumers of kernel memory is the IOPTEs stored under the iommu_domain and these allocations are not tracked. This series is the first

iommufd follows the same design as KVM and uses memory cgroups to limit the amount of kernel memory a iommufd file descriptor can pin down. The various internal data structures already use GFP_KERNEL_ACCOUNT to charge its own memory. However, one of the biggest consumers of kernel memory is the IOPTEs stored under the iommu_domain and these allocations are not tracked. This series is the first

I''ve addressed all (I think/hope) of the review comments. The main change is to expose the guest virtual platform (e.g. memory layout and interrupt usage etc) to the toolstack via the public interface. This is then used during FDT generation. I have just codified the current defacto standard layout, it''s probably not the best layout but any change can be a separate patch/series.

First off, Apologies for the massive patch series... This series boots a 32-bit dom0 kernel to a command prompt on an ARMv8 (AArch64) model. The kernel is the same one as I am currently using with the 32 bit hypervisor I haven''t yet tried starting a guest or anything super advanced like that ;-). Also there is not real support for 64-bit domains at all, although in one or two places I