diff options
author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2013-01-11 10:46:43 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2013-01-11 10:46:43 +0000 |
commit | a655abfd8a4bf03de9c9a8d820125be8323d64f8 (patch) | |
tree | d88e4bae8739dce5e0fd4e5c030a1dd6b8ddb2b0 /tools/flask | |
parent | 0d7f18b01f69c6b89aa3654bd2b11e24f41aaf71 (diff) | |
download | xen-a655abfd8a4bf03de9c9a8d820125be8323d64f8.tar.gz xen-a655abfd8a4bf03de9c9a8d820125be8323d64f8.tar.bz2 xen-a655abfd8a4bf03de9c9a8d820125be8323d64f8.zip |
tmem: add XSM hooks
This adds a pair of XSM hooks for tmem operations: xsm_tmem_op which
controls any use of tmem, and xsm_tmem_control which allows use of the
TMEM_CONTROL operations. By default, all domains can use tmem while
only IS_PRIV domains can use control operations.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/flask')
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 8c77e6b1f6..c714dcb8e9 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -56,7 +56,7 @@ type device_t, resource_type; ################################################################################ allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo - microcode cpupool_op sched_op pm_op }; + microcode cpupool_op sched_op pm_op tmem_control }; allow dom0_t xen_t:mmu { memorymap }; allow dom0_t security_t:security { check_context compute_av compute_create compute_member load_policy compute_relabel compute_user setenforce @@ -74,6 +74,9 @@ domain_comms(dom0_t, dom0_t) auditallow dom0_t security_t:security { load_policy setenforce setbool }; +# Allow all domains to use (unprivileged parts of) the tmem hypercall +allow domain_type xen_t:xen tmem_op; + ############################################################################### # # Domain creation |