xsm: Dynamic update to device ocontexts

Added the ability to add and delete ocontexts dynamically on a running
system.  Two new commands have been added to the xsm hypercall, add
and delete ocontext.  Twelve new library functions have been
implemented that use the hypercall commands to label and unlabel
pirqs, PCI devices, I/O ports and memory.  The base policy has been
updated so dom0 has the ability to use the hypercall commands by
default.  Items added to the list will not be present next time the
system reloads.  They will need to be added to the static policy.

Signed-off-by : George Coker <gscoker@alpha.ncsc.mil>
Signed-off-by : Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>

2 files changed, 3 insertions, 1 deletions

diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
index 0df71d0a46..f835eb5a32 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -163,4 +163,6 @@ class security
 	setenforce
 	setbool
 	setsecparam
+        add_ocontext
+        del_ocontext
 }
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 851b0d6bd3..0977939146 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -51,7 +51,7 @@ allow dom0_t xen_t:xen firmware;
 
 allow dom0_t security_t:security {compute_av compute_create compute_member 
 check_context load_policy compute_relabel compute_user setenforce setbool
-setsecparam};
+setsecparam add_ocontext del_ocontext};
 
 create_channel(dom0_t, dom0_t, evchn0-0_t)
 allow dom0_t evchn0-0_t:event {send};