Xen project Mailing List

[Xen-devel] [PATCH 3/3] flask/policy: add accesses used by newer dom0s

From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Date: Fri, 17 Aug 2012 12:23:27 -0400

Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx

Delivery-date: Fri, 17 Aug 2012 16:24:01 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> --- tools/flask/policy/policy/modules/xen/xen.if | 2 +- tools/flask/policy/policy/modules/xen/xen.te | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index 87ef165..3f58909 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -100,7 +100,7 @@ define(`use_device', ` # admin_device(domain, device) # Allow a device to be used and delegated by a domain define(`admin_device', ` - allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport }; + allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug }; allow $1 $2:hvm bind_irq; use_device($1, $2) ') diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 29885c4..e175d4b 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -55,8 +55,8 @@ type device_t, resource_type; allow xen_t dom0_t:domain { create }; allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del - scheduler physinfo heap quirk readconsole writeconsole settime - microcode cpupool_op sched_op }; + scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo + microcode cpupool_op sched_op pm_op }; allow dom0_t xen_t:mmu { memorymap }; allow dom0_t security_t:security { check_context compute_av compute_create compute_member load_policy compute_relabel compute_user setenforce -- 1.7.11.2 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.