diff options
Diffstat (limited to 'tools/flask')
| -rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.if | 6 | ||||
| -rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 5 |
2 files changed, 5 insertions, 6 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index d630f4756d..fda5cb5b26 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -7,7 +7,7 @@ ################################################################################ define(`declare_domain_common', ` allow $1 $2:grant { query setup }; - allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp }; + allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op }; allow $1 $2:hvm { getparam setparam }; ') @@ -51,7 +51,7 @@ define(`create_domain_common', ` allow $1 $2:domain2 { set_cpuid settsc }; allow $1 $2:security check_context; allow $1 $2:shadow enable; - allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage}; + allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op }; allow $1 $2:grant setup; allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc setparam pcilevel trackdirtyvram }; ') @@ -162,7 +162,7 @@ define(`make_device_model', ` # Allow a device to be used by a domain define(`use_device', ` allow $1 $2:resource use; - allow $1 $2:mmu { map_read map_write }; + allow $1 domio_t:mmu { map_read map_write }; ') # admin_device(domain, device) diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 8d33285d73..8c77e6b1f6 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -29,10 +29,10 @@ type xen_t, xen_type, mls_priv; # Domain 0 declare_singleton_domain(dom0_t, mls_priv); -# Untracked I/O memory (pseudo-domain) +# I/O memory (DOMID_IO pseudo-domain) type domio_t, xen_type; -# Xen heap (pseudo-domain) +# Xen heap (DOMID_XEN pseudo-domain) type domxen_t, xen_type; # Unlabeled objects @@ -69,7 +69,6 @@ admin_device(dom0_t, device_t) admin_device(dom0_t, irq_t) admin_device(dom0_t, ioport_t) admin_device(dom0_t, iomem_t) -allow dom0_t domio_t:mmu { map_read map_write }; domain_comms(dom0_t, dom0_t) |