path: root/tools/flask/policy/policy/modules/xen/xen.if
authorKeir Fraser <keir.fraser@citrix.com>2009-10-27 12:52:57 +0000
committerKeir Fraser <keir.fraser@citrix.com>2009-10-27 12:52:57 +0000
commit78942912c8a3ff303b910d4a179ff6be7e9b0477 (patch)
tree10468e48843fbc769f0298b5bc52df3dfb63aa73 /tools/flask/policy/policy/modules/xen/xen.if
parent16d8dcbfb346174e67a61134a45d40870d112cad (diff)
xsm: Add support for Xen device policies
Add support for Xen ocontext records to enable device polices. The default policy will not be changed and instructions have been added to enable the new functionality. Examples on how to use the new policy language have been added but commented out. The newest version of checkpolicy (>= 2.0.20) and libsepol (>= 2.0.39) is needed in order to compile it. Devices can be labeled and enforced using the following new commands; pirqcon, iomemcon, ioportcon and pcidevicecon. Signed-off-by : George Coker <gscoker@alpha.ncsc.mil> Signed-off-by : Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Diffstat (limited to 'tools/flask/policy/policy/modules/xen/xen.if')
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.if31
1 files changed, 31 insertions, 0 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index a4ab005087..99afad6f6b 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -60,3 +60,34 @@ define(`create_channel', `
allow $1 $3:event {create};
allow $3 $2:event {bind};
')
+###############################################################################
+#
+# create_passthrough_resource(priv_dom, domain, resource)
+#
+###############################################################################
+define(`create_passthrough_resource', `
+ type $3, resource_type;
+ allow $1 $3:event vector;
+ allow $1 $2:resource {add remove};
+ allow $1 ioport_t:resource {add_ioport use};
+ allow $1 iomem_t:resource {add_iomem use};
+ allow $1 pirq_t:resource {add_irq use};
+ allow $1 domio_t:mmu {map_read map_write};
+ allow $2 domio_t:mmu {map_write};
+ allow $2 pirq_t:resource {use};
+ allow $1 $3:resource {add_irq add_iomem add_ioport remove_irq remove_iomem remove_ioport use add_device remove_device};
+ allow $2 $3:resource {use add_ioport add_iomem remove_ioport remove_iomem};
+ allow $2 $3:mmu {map_read map_write};
+')
+###############################################################################
+#
+# create_hvm_resource(priv_dom, domain, resource)
+#
+###############################################################################
+define(`create_hvm_resource', `
+ type $3, resource_type;
+ allow $1 $2:resource {add remove};
+ allow $1 $3:hvm {bind_irq};
+ allow $1 $3:resource {stat_device add_device remove_device add_irq remove_irq add_iomem remove_iomem add_ioport remove_ioport};
+ allow $2 $3:resource {use};
+')
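Review bot: `allow $2 domio_t:mmu {map_write};` in create_passthrough_resource grants the passthrough guest write-mapping permission on domio_t, which — if domio_t is the fallback label for I/O memory not covered by an iomemcon record — means the guest is not confined to the device type $3 that the following `allow $2 $3:mmu {map_read map_write};` rule scopes it to; if only the assigned device should be mappable, the domio_t line can be dropped, and if unlabeled MMIO really must be mappable the header comment should say so (the grant is also asymmetric: map_write without map_read, whereas $1 gets both). Likewise `allow $2 $3:resource {use add_ioport add_iomem remove_ioport remove_iomem};` lets the unprivileged domain itself add and remove I/O port and memory ranges on the resource label, which reads as a privileged-domain operation already granted to $1 two lines earlier; consider restricting $2 to `use`, as create_hvm_resource does. Both macro headers give only the signature, so one line per argument would help, e.g. `# priv_dom: domain that assigns the device; domain: guest receiving it; resource: new type created for the device`. These are macro definitions that grant nothing until invoked, so this matters only once the commented-out examples mentioned in the commit message are enabled.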