[Xen-devel] [PATCH 2/2] flask/policy: add missing manage_domain rules
The updated example policy did not include rules to allow managing the
created domains (pause, unpause, destroy); allow these actions.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
tools/flask/policy/policy/modules/xen/xen.if | 7 +++++++
tools/flask/policy/policy/modules/xen/xen.te | 2 ++
2 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.if
b/tools/flask/policy/policy/modules/xen/xen.if
index cd240d8..3065718 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -29,6 +29,13 @@ define(`create_domain', `
allow $1 $2_$1_channel:event create;
')
+# manage_domain(priv, target)
+# Allow managing a running domain
+define(`manage_domain', `
+ allow $1 $2:domain { getdomaininfo getvcpuinfo getvcpuaffinity
+ getaddrsize pause unpause trigger shutdown destroy
+ setvcpuaffinity setdomainmaxmem };
+')
################################################################################
#
# Inter-domain communication
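Review bot: the permission set granted by the new manage_domain macro is wider than the commit message states; the message names only pause, unpause and destroy, while the `allow $1 $2:domain { ... }` rule also grants shutdown, trigger, setvcpuaffinity and setdomainmaxmem (state- and configuration-changing) plus the getdomaininfo, getvcpuinfo, getvcpuaffinity and getaddrsize queries. Either extend the commit message and the `# Allow managing a running domain` comment to list the full set (for example `# Allow querying, pausing, shutting down, destroying and reconfiguring a running domain`), or split the reconfiguration permissions (setvcpuaffinity, setdomainmaxmem) into a separate macro so a policy can grant lifecycle control without also allowing memory and affinity changes. The `# manage_domain(priv, target)` header already names the two arguments; one line saying that `$1` is the managing domain type and `$2` the managed one would make the interface self-documenting.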
diff --git a/tools/flask/policy/policy/modules/xen/xen.te
b/tools/flask/policy/policy/modules/xen/xen.te
index 0fc31b5..c5e0883 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -86,10 +86,12 @@ auditallow dom0_t security_t:security { load_policy
setenforce };
declare_domain(domU_t)
domain_self_comms(domU_t)
create_domain(dom0_t, domU_t)
+manage_domain(dom0_t, domU_t)
domain_comms(dom0_t, domU_t)
declare_domain(isolated_domU_t)
create_domain(dom0_t, isolated_domU_t)
+manage_domain(dom0_t, isolated_domU_t)
domain_comms(dom0_t, isolated_domU_t)
###############################################################################
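Review bot: each create_domain call visible in this context now gets a matching manage_domain call, which closes the gap the commit message describes, but the hunk only covers the dom0_t rules for domU_t and isolated_domU_t; confirm that no other create_domain(...) invocation elsewhere in xen.te is left without a corresponding manage_domain, since any such type would still fail pause, unpause and destroy. Placing `manage_domain(dom0_t, ...)` directly after `create_domain(dom0_t, ...)` for each type, as done here, is the right convention and is worth keeping for future domain types.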
--
1.7.7.5
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel