authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-02-02 15:25:23 +0000
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-02-02 15:25:23 +0000
commit21149fb130a38cb7625191f79917f2190f6cccec (patch)
tree8b821f58ef29cf38bf93a57ad7d401e5f98480ce /tools/flask
parent9e68bb1b66aafd6434bd737da77760570a5cc5c2 (diff)
flask/policy: Add boolean example
This shows an example boolean (prot_doms_locked) which can be set at runtime to prevent dom0 from mapping memory of domains of type prot_domU_t. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te10
1 files changed, 9 insertions, 1 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index fb71b757ca..f7343a2dd6 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -73,7 +73,7 @@ allow dom0_t domio_t:mmu { map_read map_write };
domain_self_comms(dom0_t)
-auditallow dom0_t security_t:security { load_policy setenforce };
+auditallow dom0_t security_t:security { load_policy setenforce setbool };
###############################################################################
#
@@ -92,6 +92,14 @@ create_domain(dom0_t, isolated_domU_t)
manage_domain(dom0_t, isolated_domU_t)
domain_comms(dom0_t, isolated_domU_t)
+gen_bool(prot_doms_locked, false)
+declare_domain(prot_domU_t)
+if (!prot_doms_locked) {
+ create_domain(dom0_t, prot_domU_t)
+}
+domain_comms(dom0_t, prot_domU_t)
+domain_comms(domU_t, prot_domU_t)
+
###############################################################################
#
# Device delegation
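Review bot: The new `prot_doms_locked` block carries no comment saying what the boolean protects or who may change it, and the lock is only as strong as the `security:setbool` permission: any domain holding it can set the boolean back to false and regain `create_domain` on `prot_domU_t`. The `auditallow` change in the first hunk suggests dom0_t is such a domain (the matching `allow` rule is outside the diff), so the lock would depend on audit review rather than on the policy preventing the reversal. I would add a comment above `gen_bool`, for example `# prot_doms_locked: when true, dom0 loses create_domain on prot_domU_t; reversible by any holder of security:setbool (audited), default false = unlocked at boot`. Whether `create_domain` is the macro that carries the memory-mapping permissions named in the commit message cannot be confirmed from this hunk, so the comment should name the permissions that are actually withheld.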