From a655abfd8a4bf03de9c9a8d820125be8323d64f8 Mon Sep 17 00:00:00 2001 From: Daniel De Graaf Date: Fri, 11 Jan 2013 10:46:43 +0000 Subject: tmem: add XSM hooks This adds a pair of XSM hooks for tmem operations: xsm_tmem_op which controls any use of tmem, and xsm_tmem_control which allows use of the TMEM_CONTROL operations. By default, all domains can use tmem while only IS_PRIV domains can use control operations. Signed-off-by: Daniel De Graaf Acked-by: Dan Magenheimer Committed-by: Keir Fraser --- tools/flask/policy/policy/modules/xen/xen.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'tools/flask') diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 8c77e6b1f6..c714dcb8e9 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -56,7 +56,7 @@ type device_t, resource_type; ################################################################################ allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo - microcode cpupool_op sched_op pm_op }; + microcode cpupool_op sched_op pm_op tmem_control }; allow dom0_t xen_t:mmu { memorymap }; allow dom0_t security_t:security { check_context compute_av compute_create compute_member load_policy compute_relabel compute_user setenforce @@ -74,6 +74,9 @@ domain_comms(dom0_t, dom0_t) auditallow dom0_t security_t:security { load_policy setenforce setbool }; +# Allow all domains to use (unprivileged parts of) the tmem hypercall +allow domain_type xen_t:xen tmem_op; + ############################################################################### # # Domain creation -- cgit v1.2.3