[Xen-devel] [PATCH v03 03/10] xsm: arm: create domU_rpc_t security label
The following security label will be used for domU, which can access the MMU of remote processors, such as IPU or GPU.

Signed-off-by: Andrii Tseglytskyi <andrii.tseglytskyi@xxxxxxxxxxxxxxx>

--- tools/flask/policy/policy/modules/xen/xen.te | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 999b351..d6184d7 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -110,6 +110,7 @@ admin_device(dom0_t, irq_t) admin_device(dom0_t, ioport_t) admin_device(dom0_t, iomem_t) admin_device(domU_t, iomem_t) +admin_device(domU_rpc_t, iomem_t) domain_comms(dom0_t, dom0_t) @@ -169,6 +170,18 @@ manage_domain(dom0_t, nomigrate_t) domain_comms(dom0_t, nomigrate_t) domain_self_comms(nomigrate_t) +# declare domain which handles remoteprocessor +declare_domain(domU_rpc_t) +domain_self_comms(domU_rpc_t) +create_domain(dom0_t, domU_rpc_t) +manage_domain(dom0_t, domU_rpc_t) +domain_comms(dom0_t, domU_rpc_t) +domain_comms(domU_rpc_t, domU_rpc_t) +domain_self_comms(domU_rpc_t) +allow domU_rpc_t domU_rpc_t_self:resource add; +allow dom0_t domU_rpc_t:domain2 access_remote_pagetable; +allow domU_rpc_t domU_rpc_t_self:domain2 access_remote_pagetable; + ############################################################################### # # Device delegation @@ -181,6 +194,7 @@ admin_device(dom0_t, nic_dev_t) use_device(domU_t, nic_dev_t) delegate_devices(dom0_t, domU_t) +delegate_devices(dom0_t, domU_rpc_t) ############################################################################### # -- 1.9.1
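Review bot: In the first hunk (@@ -110), `admin_device(domU_rpc_t, iomem_t)` lands about sixty lines before `declare_domain(domU_rpc_t)` in the second hunk, so the rules for this type end up split across the file; consider moving the iomem rule into the new domU_rpc_t block next to the declaration so a reviewer can see every permission the label carries in one place. Since `admin_device` grants the same iomem rights that `admin_device(domU_t, iomem_t)` already gives plain guests, a one-line comment saying the rpc domain needs them for the remote-processor MMU ranges would also help.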
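Review bot: In the second hunk (@@ -169), `domain_self_comms(domU_rpc_t)` is added twice (once after `declare_domain(domU_rpc_t)` and again after `domain_comms(domU_rpc_t, domU_rpc_t)`), and `domain_comms(domU_rpc_t, domU_rpc_t)` overlaps with the self-comms rule; drop the duplicate and keep one of the two forms. The `domain2 access_remote_pagetable` permission is not defined in any hunk of this patch, so either an earlier patch in the series must add it to access_vectors or this policy will not build on its own when bisecting; please state which in the commit message. The message should also explain why `dom0_t` needs `access_remote_pagetable` on `domU_rpc_t` in addition to the domain's own `domU_rpc_t_self` access, since the description only mentions the domU touching the remote MMU.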
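Review bot: In the third hunk (@@ -181), `delegate_devices(dom0_t, domU_rpc_t)` lets dom0 assign devices to the new label, but unlike the `use_device(domU_t, nic_dev_t)` line just above there is no matching `use_device(domU_rpc_t, ...)` rule, so a device delegated to a domU_rpc_t guest would be assigned but not usable under this policy. Either add the `use_device` rule for the device types the rpc domain is expected to receive, or note in the commit message that device delegation to this label is intentionally not usable yet.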