From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: xen-devel@lists.xenproject.org
Cc: steve@zentific.com, Daniel De Graaf <dgdegra@tycho.nsa.gov>,
cardoe@cardoe.com
Subject: [PATCH 4/5] flask/policy: xenstore stubdom policy
Date: Mon, 23 May 2016 11:05:32 -0400 [thread overview]
Message-ID: <1464015933-26891-5-git-send-email-dgdegra@tycho.nsa.gov> (raw)
In-Reply-To: <1464015933-26891-1-git-send-email-dgdegra@tycho.nsa.gov>
This adds the xenstore_t type to the example policy for use by a
xenstore stub domain.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
tools/flask/policy/modules/modules.conf | 3 +++
tools/flask/policy/modules/xenstore.te | 21 +++++++++++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 tools/flask/policy/modules/xenstore.te
diff --git a/tools/flask/policy/modules/modules.conf b/tools/flask/policy/modules/modules.conf
index 2dfc011..8ffd00e 100644
--- a/tools/flask/policy/modules/modules.conf
+++ b/tools/flask/policy/modules/modules.conf
@@ -33,6 +33,9 @@ nomigrate = on
# Example device policy. Also see policy/device_contexts.
nic_dev = on
+# Xenstore stub domain.
+xenstore = on
+
# Allow all domains to use system_u:system_r: instead of requiring explicit
# roles. This is not required for dom0_t, domU_t, and dm_dom_t.
default_role = on
diff --git a/tools/flask/policy/modules/xenstore.te b/tools/flask/policy/modules/xenstore.te
new file mode 100644
index 0000000..2ae7a1d
--- /dev/null
+++ b/tools/flask/policy/modules/xenstore.te
@@ -0,0 +1,21 @@
+################################################################################
+#
+# Xenstore stubdomain
+#
+################################################################################
+declare_singleton_domain(xenstore_t)
+create_domain(dom0_t, xenstore_t)
+manage_domain(dom0_t, xenstore_t)
+
+# Xenstore requires the global VIRQ for domain destroy operations
+allow dom0_t xenstore_t:domain set_virq_handler;
+# Current xenstore stubdom uses the hypervisor console, not "xl console"
+allow xenstore_t xen_t:xen writeconsole;
+# Xenstore queries domaininfo on all domains
+allow xenstore_t domain_type:domain getdomaininfo;
+
+# As a shortcut, the following 3 rules are used instead of adding a domain_comms
+# rule between xenstore_t and every domain type that talks to xenstore
+create_channel(xenstore_t, domain_type, xenstore_t_channel)
+allow event_type xenstore_t: event bind;
+allow xenstore_t domain_type:grant { map_read map_write unmap };
--
2.5.5
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-05-23 15:06 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-23 15:05 [PATCH 0/5] flask/policy: Updates for Xen 4.8 Daniel De Graaf
2016-05-23 15:05 ` [PATCH 1/5] flask/policy: split into modules Daniel De Graaf
2016-06-07 19:22 ` Konrad Rzeszutek Wilk
2016-06-07 19:39 ` Daniel De Graaf
2016-06-07 19:57 ` Konrad Rzeszutek Wilk
2016-05-23 15:05 ` [PATCH 2/5] flask/policy: move user definitions and constraints " Daniel De Graaf
2016-06-07 19:37 ` Konrad Rzeszutek Wilk
2016-05-23 15:05 ` [PATCH 3/5] flask/policy: Remove unused support for binary modules Daniel De Graaf
2016-06-07 19:41 ` Konrad Rzeszutek Wilk
2016-05-23 15:05 ` Daniel De Graaf [this message]
2016-06-07 19:44 ` [PATCH 4/5] flask/policy: xenstore stubdom policy Konrad Rzeszutek Wilk
2016-06-07 19:48 ` Daniel De Graaf
2016-06-07 20:02 ` Konrad Rzeszutek Wilk
2016-07-06 15:34 ` default XSM policy for PCI passthrough for unlabeled resources anshul makkar
2016-07-06 15:59 ` Daniel De Graaf
2016-07-06 16:19 ` anshul makkar
2016-07-07 15:36 ` Daniel De Graaf
2016-07-07 16:29 ` anshul makkar
2016-05-23 15:05 ` [PATCH 5/5] flask/policy: comment out unused xenstore example Daniel De Graaf
2016-06-07 19:45 ` Konrad Rzeszutek Wilk
2016-06-07 19:51 ` Daniel De Graaf
2016-06-07 20:02 ` Konrad Rzeszutek Wilk
2016-06-07 20:04 ` Daniel De Graaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1464015933-26891-5-git-send-email-dgdegra@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=cardoe@cardoe.com \
--cc=steve@zentific.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).