diff options
| author | Keir Fraser <keir.fraser@citrix.com> | 2009-08-20 21:15:24 +0100 |
|---|---|---|
| committer | Keir Fraser <keir.fraser@citrix.com> | 2009-08-20 21:15:24 +0100 |
| commit | ce2fb297a8165963d47bc7eae5abbbf08399eef0 (patch) | |
| tree | 304a9c258361d6967787d5f2f42109b74d77ad3e /tools/flask/policy/policy/modules/xen/xen.if | |
| parent | 6d4af7fc297138f6af312170c900cb80f8659a26 (diff) | |
| download | xen-ce2fb297a8165963d47bc7eae5abbbf08399eef0.tar.gz xen-ce2fb297a8165963d47bc7eae5abbbf08399eef0.tar.bz2 xen-ce2fb297a8165963d47bc7eae5abbbf08399eef0.zip | |
tools/flask/policy: Updates to policy and policy build infrastructure
The original xen policy infrastructure was based off of an early
version of refpolicy. Because of this there was a lot of cruft that
does not apply to building a policy for xen. This patch does several
things. First it cleans up the makefile as to remove many unnecessary
build targets. Second it fixes an issue that the policy build process
wasn't handling interface files properly. Third it pulls in the MLS
suppport functions from current ref policy and makes use of
them. Finally it updates the xen policy with new rules to address
changes in xen since the policy was last worked on, and provides
several new abstractions for creating domains.
Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Diffstat (limited to 'tools/flask/policy/policy/modules/xen/xen.if')
| -rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.if | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index 792d600548..a4ab005087 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -1 +1,62 @@ +############################################################################### # +# create_domain(priv_dom, domain, channel) +# +################################################################################ +define(`create_domain', ` + type $2, domain_type; + allow $1 $2:domain {create max_vcpus setdomainmaxmem + setaddrsize getdomaininfo hypercall + setvcpucontext scheduler unpause + getvcpuinfo getaddrsize getvcpuaffinity}; + allow $1 $2:shadow {enable}; + allow $1 $2:mmu {map_read map_write adjust physmap}; + allow $2 $2:mmu {adjust physmap}; + allow $1 $3:event {create}; +') + +############################################################################### +# +# create_hvm_dom(priv_dom, domain, channel) +# +################################################################################ +define(`create_hvm_dom', ` + create_domain($1, $2, $3) + allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel pcilevel }; + allow $2 $2:hvm setparam; +') + +############################################################################### +# +# create_pv_dom(priv_dom, domain, channel, iodomain) +# +################################################################################ +define(`create_pv_dom', ` + create_domain($1, $2, $3) + allow $1 $2:mmu {memorymap pinpage}; + allow $2 $2:mmu {map_read map_write pinpage}; + allow $2 $4:mmu {map_read}; + + allow $2 $2:grant {query setup}; + allow $1 $2:grant {map_read unmap}; +') +################################################################################ +# +# manage_domain(priv_dom, domain) +# +################################################################################ +define(`manage_domain', ` + allow $1 $2:domain {pause destroy}; +') + +################################################################################ +# +# create_channel(caller, peer, channel) +# +################################################################################ +define(`create_channel', ` + type $3, event_type; + type_transition $1 $2:event $3; + allow $1 $3:event {create}; + allow $3 $2:event {bind}; +') |