Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.if60
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te13
2 files changed, 58 insertions, 15 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 59ba17120f..d630f4756d 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -5,15 +5,34 @@
# Domain creation and setup
#
################################################################################
+define(`declare_domain_common', `
+ allow $1 $2:grant { query setup };
+ allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp };
+ allow $1 $2:hvm { getparam setparam };
+')
+
# declare_domain(type, attrs...)
-# Declare a type as a domain type, and allow basic domain setup
+# Declare a domain type, along with associated _self and _channel types
+# Allow the domain to perform basic operations on itself
define(`declare_domain', `
type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
+ type $1_self, domain_type, domain_self_type;
+ type_transition $1 $1:domain $1_self;
+ type $1_channel, event_type;
+ type_transition $1 domain_type:event $1_channel;
+ declare_domain_common($1, $1_self)
+')
+
+# declare_singleton_domain(type, attrs...)
+# Declare a domain type and associated _channel types.
+# Note: Because the domain can perform basic operations on itself and any
+# other domain of the same type, this constructor should be used for types
+# containing at most one domain. This is not enforced by policy.
+define(`declare_singleton_domain', `
+ type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
type $1_channel, event_type;
type_transition $1 domain_type:event $1_channel;
- allow $1 $1:grant { query setup };
- allow $1 $1:mmu { adjust physmap map_read map_write stat pinpage };
- allow $1 $1:hvm { getparam setparam };
+ declare_domain_common($1, $1)
')
# declare_build_label(type)
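Review bot: `declare_domain_common` grants `updatemp` in its mmu rule (`allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp };`), whereas the self rule it replaces (`- allow $1 $1:mmu { adjust physmap map_read map_write stat pinpage };`) did not, so every type declared through `declare_domain` or `declare_singleton_domain` gains a new self-permission inside what otherwise reads as a type-split refactor. If the widening is intended, record it next to the rule, e.g. `# updatemp is newly granted to self by this change`, otherwise drop it from the common macro and add it in its own commit so the permission change is reviewable on its own. The `declare_domain` header would also benefit from stating that `$1_self` carries the `domain_type` attribute, so rules written against `domain_type` as a target also match a domain's self-target; that is visible in `type $1_self, domain_type, domain_self_type;` but easy to miss when reading callers.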
@@ -51,6 +70,7 @@ define(`create_domain_build_label', `
allow $1 $2_channel:event create;
allow $1 $2_building:domain2 relabelfrom;
allow $1 $2:domain2 relabelto;
+ allow $2_building $2:domain transition;
')
# manage_domain(priv, target)
@@ -101,20 +121,36 @@ define(`domain_comms', `
')
# domain_self_comms(domain)
-# Allow a domain types to communicate with others of its type using grants
-# and event channels (this includes event channels to DOMID_SELF)
+# Allow a non-singleton domain type to communicate with itself using grants
+# and event channels
define(`domain_self_comms', `
- create_channel($1, $1, $1_channel)
- allow $1 $1:grant { map_read map_write copy unmap };
+ create_channel($1, $1_self, $1_channel)
+ allow $1 $1_self:grant { map_read map_write copy unmap };
')
# device_model(dm_dom, hvm_dom)
# Define how a device model domain interacts with its target
define(`device_model', `
- domain_comms($1, $2)
- allow $1 $2:domain { set_target shutdown };
- allow $1 $2:mmu { map_read map_write adjust physmap };
- allow $1 $2:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute cacheattr send_irq };
+ type $2_target, domain_type, domain_target_type;
+ type_transition $2 $1:domain $2_target;
+ allow $1 $2:domain set_target;
+
+ type_transition $2_target domain_type:event $2_channel;
+ create_channel($1, $2_target, $1_channel)
+ create_channel($2, $1, $2_channel)
+ allow $1 $2_channel:event create;
+
+ allow $1 $2_target:domain shutdown;
+ allow $1 $2_target:mmu { map_read map_write adjust physmap };
+ allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute cacheattr send_irq };
+')
+
+# make_device_model(priv, dm_dom, hvm_dom)
+# Allow creation of a device model and HVM domain pair
+define(`make_device_model', `
+ device_model($2, $3)
+ allow $1 $2:domain2 make_priv_for;
+ allow $1 $3:domain2 set_as_target;
')
################################################################################
#
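Review bot: `device_model` no longer invokes `domain_comms($1, $2)`; the replacement lines set up event channels with `create_channel` in both directions but add no `grant` rule between `$1` and `$2` or `$2_target`, so whatever grant-mapping permissions `domain_comms` used to provide (its definition is outside this hunk) are dropped for device-model/HVM pairs. Either confirm that the device model relies solely on the foreign-mapping rule `allow $1 $2_target:mmu { map_read map_write adjust physmap };` and say so in the macro header, or restore an explicit `allow $1 $2_target:grant { map_read map_write copy unmap };`. Separately, `type $2_target, domain_type, domain_target_type;` is declared inside the macro body, so a second `device_model` or `make_device_model` call with the same hvm_dom type would redeclare the type and fail policy compilation; a comment such as `# declares $2_target: invoke at most once per hvm_dom type` on both macros would make that constraint visible to callers.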
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 116215384b..8d33285d73 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -8,6 +8,8 @@
################################################################################
attribute xen_type;
attribute domain_type;
+attribute domain_self_type;
+attribute domain_target_type;
attribute resource_type;
attribute event_type;
attribute mls_priv;
@@ -25,7 +27,7 @@ attribute mls_priv;
type xen_t, xen_type, mls_priv;
# Domain 0
-declare_domain(dom0_t, mls_priv);
+declare_singleton_domain(dom0_t, mls_priv);
# Untracked I/O memory (pseudo-domain)
type domio_t, xen_type;
@@ -69,7 +71,7 @@ admin_device(dom0_t, ioport_t)
admin_device(dom0_t, iomem_t)
allow dom0_t domio_t:mmu { map_read map_write };
-domain_self_comms(dom0_t)
+domain_comms(dom0_t, dom0_t)
auditallow dom0_t security_t:security { load_policy setenforce setbool };
@@ -84,11 +86,14 @@ domain_self_comms(domU_t)
create_domain(dom0_t, domU_t)
manage_domain(dom0_t, domU_t)
domain_comms(dom0_t, domU_t)
+domain_comms(domU_t, domU_t)
+domain_self_comms(domU_t)
declare_domain(isolated_domU_t)
create_domain(dom0_t, isolated_domU_t)
manage_domain(dom0_t, isolated_domU_t)
domain_comms(dom0_t, isolated_domU_t)
+domain_self_comms(isolated_domU_t)
# Declare a boolean that denies creation of prot_domU_t domains
gen_bool(prot_doms_locked, false)
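Review bot: The added `domain_self_comms(domU_t)` at the end of the domU_t block appears to duplicate the `domain_self_comms(domU_t)` shown as this hunk's header context, i.e. the call just before `create_domain(dom0_t, domU_t)`; if that earlier call survives the commit (it lies outside the hunk, so this is inferred), the second invocation emits identical allow rules and is harmless but redundant, and one of the two should go so each type's rules read as a single list. The same `domain_comms(X, X)` plus `domain_self_comms(X)` pair is added for `prot_domU_t` in the next hunk; since `domain_self_comms` references `$1_self`, both `domU_t` and `prot_domU_t` must be declared with `declare_domain` rather than `declare_singleton_domain`, which cannot be verified from the visible lines.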
@@ -98,6 +103,8 @@ if (!prot_doms_locked) {
}
domain_comms(dom0_t, prot_domU_t)
domain_comms(domU_t, prot_domU_t)
+domain_comms(prot_domU_t, prot_domU_t)
+domain_self_comms(prot_domU_t)
# domHVM_t is meant to be paired with a qemu-dm stub domain of type dm_dom_t
declare_domain(domHVM_t)
@@ -110,7 +117,7 @@ declare_domain(dm_dom_t)
create_domain(dom0_t, dm_dom_t)
manage_domain(dom0_t, dm_dom_t)
domain_comms(dom0_t, dm_dom_t)
-device_model(dm_dom_t, domHVM_t)
+make_device_model(dom0_t, dm_dom_t, domHVM_t)
# nomigrate_t must be built via the nomigrate_t_building label; once built,
# dom0 cannot read its memory.