authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2011-12-18 14:33:48 +0000
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2011-12-18 14:33:48 +0000
commit875756ca34fabc7243c4a682ffd7008710a907e2 (patch)
treec4992e378b41a03f691fe756a5c3343b62381db9 /tools/flask
parent4c1b911bbcd97fb68b4a9e0903a6644e50adda01 (diff)
xsm: Add missing access checks
Actions requiring IS_PRIV should also require some XSM access control in order for XSM to be useful in confining multiple privileged domains. Add XSM hooks for new hypercalls and sub-commands that are under IS_PRIV but not currently under any access checks. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/policy/flask/access_vectors14
1 files changed, 14 insertions, 0 deletions
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
index 38036d0ef6..644f2e1789 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -45,6 +45,11 @@ class xen
debug
getcpuinfo
heap
+ pm_op
+ mca_op
+ lockprof
+ cpupool_op
+ sched_op
}
class domain
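Review bot: The five permissions added to `class xen` here, and the nine added in the `domain`, `hvm` and `resource` hunks below, have no matching allow rules in anything this page shows; the diffstat for tools/flask lists only `access_vectors`. If the hypervisor-side hooks land in the same commit, a system running in enforcing mode with a policy that has not been updated would presumably start denying these IS_PRIV operations to the control domain, so any sample policy kept in this tree should grant them in the same change, or the commit message should tell policy authors to. Appending at the end of each class keeps the existing permission bit positions stable, which is the right choice. A short `#` comment above each group of new entries naming the hypercall or sub-command it guards would let policy writers map them without reading the hook code. The class bodies start outside the hunks.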
@@ -77,6 +82,9 @@ class domain
setextvcpucontext
getvcpuextstate
setvcpuextstate
+ getpodtarget
+ setpodtarget
+ set_misc_info
}
class hvm
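Review bot: `set_misc_info` is spelled with underscores while every neighbouring permission visible in `class domain` (`setextvcpucontext`, `setvcpuextstate`, and the new `getpodtarget`/`setpodtarget`) is run together; `setmiscinfo` would match. Permission names become part of every policy that references them, so the spelling is cheaper to settle before the name ships. Separately, judging by the hunk offsets, `class domain` appears to hold about 31 permissions after this change, and a Flask access vector is a 32-bit mask, so the class is nearly full. A `#` comment at its closing brace noting that further domain permissions need a new class would save the next contributor a confusing failure.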
@@ -91,6 +99,9 @@ class hvm
bind_irq
cacheattr
trackdirtyvram
+ hvmctl
+ mem_event
+ mem_sharing
}
class event
@@ -152,6 +163,9 @@ class resource
stat_device
add_device
remove_device
+ plug
+ unplug
+ setup
}
class security
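Review bot: `plug`, `unplug` and `setup` are far less specific than their neighbours in `class resource` (`stat_device`, `add_device`, `remove_device`), and nothing in the hunk says what kind of resource each one covers. A policy author granting `resource setup` cannot tell from this file how much privilege that rule hands to a confined privileged domain, which works against the least-privilege goal stated in the commit message. Either give them names that say what is plugged or set up, or add a one-line `#` comment above each that lists the operations checked against it.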