[Xen-devel] [PATCH] Add support for Xen device policies
Add support for Xen ocontext records to enable device policies. The default
policy will not be changed and instructions have been added to enable the new
functionality. Examples on how to use the new policy language have been added
but commented out. The newest version of checkpolicy (>= 2.0.20) and libsepol
(>= 2.0.39) is needed in order to compile it. Devices can be labeled and
enforced using the following new commands: pirqcon, iomemcon, ioportcon and
pcidevicecon.

Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>
Signed-off-by: Paul Nuzzi <pjnuzzi@xxxxxxxxxxxxxx>

---

 docs/misc/xsm-flask.txt | 64 ++++++++++++++++++++++++
 tools/flask/policy/Makefile | 20 ++++++-
 tools/flask/policy/policy/modules/xen/xen.if | 31 +++++++++++
 tools/flask/policy/policy/modules/xen/xen.te | 35 +++++++++++++
 xen/xsm/flask/avc.c | 2
 xen/xsm/flask/hooks.c | 31 ++++++++---
 xen/xsm/flask/include/avc.h | 6 --
 xen/xsm/flask/ss/policydb.c | 71 +++++++++++++++++++++++++--
 xen/xsm/flask/ss/policydb.h | 23 ++++++--
 xen/xsm/flask/ss/services.c | 9 +--
 10 files changed, 263 insertions(+), 29 deletions(-)

Attachment: device_ocontexts.patch

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel