From 875756ca34fabc7243c4a682ffd7008710a907e2 Mon Sep 17 00:00:00 2001
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Date: Sun, 18 Dec 2011 14:33:48 +0000
Subject: xsm: Add missing access checks

Actions requiring IS_PRIV should also require some XSM access control
in order for XSM to be useful in confining multiple privileged
domains. Add XSM hooks for new hypercalls and sub-commands that are
under IS_PRIV but not currently under any access checks.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 tools/flask/policy/policy/flask/access_vectors | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'tools/flask')

diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
index 38036d0ef6..644f2e1789 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -45,6 +45,11 @@ class xen
 	debug
 	getcpuinfo
 	heap
+	pm_op
+	mca_op
+	lockprof
+	cpupool_op
+	sched_op
 }
 
 class domain
@@ -77,6 +82,9 @@ class domain
 	setextvcpucontext
 	getvcpuextstate
 	setvcpuextstate
+	getpodtarget
+	setpodtarget
+	set_misc_info
 }
 
 class hvm
@@ -91,6 +99,9 @@ class hvm
 	bind_irq
 	cacheattr
     trackdirtyvram
+    hvmctl
+    mem_event
+    mem_sharing
 }
 
 class event
@@ -152,6 +163,9 @@ class resource
 	stat_device
 	add_device
 	remove_device
+	plug
+	unplug
+	setup
 }
 
 class security
-- 
cgit v1.2.3