authorKeir Fraser <keir.fraser@citrix.com>2009-08-20 21:15:24 +0100
committerKeir Fraser <keir.fraser@citrix.com>2009-08-20 21:15:24 +0100
commitce2fb297a8165963d47bc7eae5abbbf08399eef0 (patch)
tree304a9c258361d6967787d5f2f42109b74d77ad3e /tools/flask/policy/policy/modules/xen/xen.te
parent6d4af7fc297138f6af312170c900cb80f8659a26 (diff)
tools/flask/policy: Updates to policy and policy build infrastructure
The original xen policy infrastructure was based off of an early version of refpolicy. Because of this there was a lot of cruft that does not apply to building a policy for xen. This patch does several things. First it cleans up the makefile so as to remove many unnecessary build targets. Second it fixes an issue where the policy build process wasn't handling interface files properly. Third it pulls in the MLS support functions from current ref policy and makes use of them. Finally it updates the xen policy with new rules to address changes in xen since the policy was last worked on, and provides several new abstractions for creating domains. Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Diffstat (limited to 'tools/flask/policy/policy/modules/xen/xen.te')
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te76
1 files changed, 28 insertions, 48 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 85651cf1fb..e72e4e6e57 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -2,10 +2,11 @@ attribute xen_type;
attribute domain_type;
attribute resource_type;
attribute event_type;
+attribute mls_priv;
-type xen_t, xen_type, domain_type;
+type xen_t, xen_type, domain_type, mls_priv;
-type dom0_t, domain_type;
+type dom0_t, domain_type, mls_priv;
type domio_t, domain_type;
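Review bot: The new `mls_priv` attribute is attached to `xen_t` and `dom0_t` with no comment saying what it exempts those types from. The MLS constraints that presumably test for it live outside this file, so a reader of xen.te cannot tell that adding a type here relaxes label checks for it. A comment above the declaration such as `# mls_priv: types exempt from the MLS constraints; keep this set as small as possible` would make that visible to whoever adds the next domain type.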
@@ -22,47 +23,6 @@ type device_t, resource_type;
################################################################################
#
-# create_domain(priv_dom, domain, channel)
-#
-################################################################################
-define(`create_domain', `
- type $2, domain_type;
- allow $1 $2:domain {create max_vcpus setdomainmaxmem
- setaddrsize getdomaininfo hypercall
- setvcpucontext scheduler unpause
- getvcpuinfo getaddrsize getvcpuaffinity};
- allow $1 $2:shadow {enable};
- allow $1 $2:mmu {map_read map_write memorymap adjust pinpage};
- allow $2 $2:mmu {map_read map_write adjust pinpage};
- allow $2 domio_t:mmu {map_read};
- allow $2 $2:grant {query setup};
- allow $1 $2:grant {map_read unmap};
- allow $1 $3:event {create};
-')
-
-################################################################################
-#
-# manage_domain(priv_dom, domain)
-#
-################################################################################
-define(`manage_domain', `
- allow $1 $2:domain {pause destroy};
-')
-
-################################################################################
-#
-# create_channel(caller, peer, channel)
-#
-################################################################################
-define(`create_channel', `
- type $3, event_type;
- type_transition $1 $2:event $3;
- allow $1 $3:event {create};
- allow $3 $2:event {bind};
-')
-
-################################################################################
-#
# Boot the hypervisor and dom0
#
################################################################################
@@ -85,7 +45,9 @@ allow dom0_t ioport_t:resource {use};
allow xen_t iomem_t:resource {add_iomem remove_iomem};
allow dom0_t iomem_t:resource {use};
allow xen_t pirq_t:resource {add_irq remove_irq};
-allow dom0_t pirq_t:resource {use};
+allow dom0_t pirq_t:resource { add_irq remove_irq use};
+allow dom0_t dom0_t:resource { add remove };
+allow dom0_t xen_t:xen firmware;
allow dom0_t security_t:security {compute_av compute_create compute_member
check_context load_policy compute_relabel compute_user setenforce setbool
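Review bot: The three rules added for dom0_t (`add_irq remove_irq` on pirq_t, `add remove` on `dom0_t:resource`, and `xen_t:xen firmware`) widen its privileges with no comment on which operation needs each one, which makes a later least-privilege review harder. A short comment above them, for example `# dom0 sets up IRQ routing and assigns resources on its own behalf`, would record the intent; the exact wording should come from whoever knows which hypercalls were being denied. The rewritten pirq_t rule also uses a brace style that matches nothing around it; `allow dom0_t pirq_t:resource {add_irq remove_irq use};` is consistent with the neighbouring `{use}` lines. The security_t rule at the end of the hunk continues outside it.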
@@ -99,7 +61,7 @@ allow dom0_t evchn0-0_t:event {send};
# Create and manage a domU w/ dom0 IO
#
################################################################################
-create_domain(dom0_t, domU_t, evchnU-0_t)
+create_pv_dom(dom0_t, domU_t, evchnU-0_t, domio_t)
create_channel(domU_t, domU_t, evchnU-U_t)
allow domU_t evchnU-U_t:event {send};
@@ -118,6 +80,27 @@ manage_domain(dom0_t, domU_t)
################################################################################
#
+# Create and manage an HVM domU w/ dom0 IO
+#
+################################################################################
+create_hvm_dom(dom0_t, domHU_t, evchnHU-0_t)
+allow dom0_t evchn0-HU_t:event {send};
+
+create_channel(domHU_t, domHU_t, evchnHU-HU_t)
+allow domHU_t evchnU-U_t:event {send};
+
+create_channel(dom0_t, domHU_t, evchn0-HU_t)
+allow dom0_t evchn0-U_t:event {send};
+
+create_channel(domHU_t, dom0_t, evchnHU-0_t)
+allow domHU_t evchnU-0_t:event {send};
+
+allow dom0_t dom0_t:event {send};
+
+manage_domain(dom0_t, domHU_t)
+
+################################################################################
+#
#
#
################################################################################
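Review bot: Three of the `send` rules in the new HVM section name the PV domain's channels instead of the HVM channels created just above them: `allow domHU_t evchnU-U_t:event {send};`, `allow dom0_t evchn0-U_t:event {send};` and `allow domHU_t evchnU-0_t:event {send};`. As written, domHU_t may send on evchnU-U_t and evchnU-0_t, which the PV section sets up for domU_t, while no visible rule lets it send on evchnHU-HU_t or evchnHU-0_t. Unless the create_channel macro (no longer defined in this file after this commit) grants send itself, these look like copy-paste leftovers and should read `allow domHU_t evchnHU-HU_t:event {send};`, `allow dom0_t evchn0-HU_t:event {send};` and `allow domHU_t evchnHU-0_t:event {send};`. The `allow dom0_t evchn0-HU_t:event {send};` placed right after create_hvm_dom would then be a duplicate and can be dropped.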
@@ -134,6 +117,3 @@ sid ioport gen_context(system_u:object_r:ioport_t,s0)
sid device gen_context(system_u:object_r:device_t,s0)
role system_r types { xen_type domain_type };
-role user_r types { xen_type domain_type };
-role sysadm_r types { xen_type domain_type };
-role staff_r types { xen_type domain_type };