| author | Keir Fraser <keir.fraser@citrix.com> | 2009-11-13 22:00:19 +0000 |
|---|---|---|
| committer | Keir Fraser <keir.fraser@citrix.com> | 2009-11-13 22:00:19 +0000 |
| commit | 3695303ba1539e57e5d8bdf4ee7ba1bc6e3edc81 (patch) | |
| tree | 44cd05b2caf235afa0fd9bbaf71d1897d53efb13 /tools/flask/policy | |
| parent | 4def0d9ca1ab8a1fdf4300f87118068e46e6491f (diff) | |
xsm: Dynamic update to device ocontexts
Added the ability to add and delete ocontexts dynamically on a running
system. Two new commands have been added to the xsm hypercall, add
and delete ocontext. Twelve new library functions have been
implemented that use the hypercall commands to label and unlabel
pirqs, PCI devices, I/O ports and memory. The base policy has been
updated so dom0 has the ability to use the hypercall commands by
default. Items added to the list will not be present next time the
system reloads. They will need to be added to the static policy.
Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Diffstat (limited to 'tools/flask/policy')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | tools/flask/policy/policy/flask/access_vectors | 2 |
| -rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 2 |

2 files changed, 3 insertions, 1 deletions
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors index 0df71d0a46..f835eb5a32 100644 --- a/tools/flask/policy/policy/flask/access_vectors +++ b/tools/flask/policy/policy/flask/access_vectors @@ -163,4 +163,6 @@ class security setenforce setbool setsecparam + add_ocontext + del_ocontext } diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 851b0d6bd3..0977939146 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -51,7 +51,7 @@ allow dom0_t xen_t:xen firmware; allow dom0_t security_t:security {compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool -setsecparam}; +setsecparam add_ocontext del_ocontext}; create_channel(dom0_t, dom0_t, evchn0-0_t) allow dom0_t evchn0-0_t:event {send}; |
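Review bot: in the access_vectors hunk, the two new permissions add_ocontext and del_ocontext are introduced with no indication of their granularity, while the commit message describes twelve library functions covering pirqs, PCI devices, I/O ports and memory; it would help policy writers to state (here or in the commit message) that all of those add operations are gated by the single add_ocontext permission and all delete operations by del_ocontext, so nobody expects per-device-type vectors.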
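Review bot: in the xen.te hunk, the rule `allow dom0_t security_t:security { ... setsecparam add_ocontext del_ocontext };` grants dom0 runtime relabelling of devices by default, and the commit message notes that such labels do not survive a reload and must be copied into the static policy; a short comment next to this rule recording that transient behaviour would save administrators from debugging missing labels after a reboot, and sites that want device labels frozen should know these two permissions can be dropped from this line independently of the rest of the vector.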