Merge pull request #6 from stephensmalley/stable-6-oxt666
xsm-policy: Define and allow v4v use permission where appropriate
jean-edouard authored Jul 28, 2016
2 parents 8e11090 + 537a7ad commit 8ac915d
Showing 7 changed files with 10 additions and 20 deletions.
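--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -458,4 +458,5 @@ class security
 class v4v
 {
 send
+use
 }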
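Review bot: The new `use` permission in `class v4v` is added without a comment saying what it gates, while the rest of this commit only ever grants it with `self` as the target and grants `send` against a peer type. A one-line comment above the class, for example `# use: checked against the domain itself; send: checked against the destination domain`, would record that; the wording is inferred from the allow rules in this commit and should be confirmed against the hypervisor hook. Appending `use` after `send` keeps the existing permission's position unchanged, but the policy presumably still has to ship together with a hypervisor whose flask headers were generated from the same vector list.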
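--- a/policy/modules/xen/dom0.if
+++ b/policy/modules/xen/dom0.if
@@ -104,6 +104,7 @@ interface(`dom0_send_v4v',`
 type dom0_t;
 ')
 
+allow $1 self:v4v use;
 allow $1 dom0_t:v4v send;
 ')
 ########################################
@@ -122,6 +123,7 @@ interface(`dom0_recv_v4v',`
 type dom0_t;
 ')
 
+allow dom0_t self:v4v use;
 allow dom0_t $1:v4v send;
 ')
 ########################################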
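Review bot: In `dom0_recv_v4v` the added rule `allow dom0_t self:v4v use;` does not reference `$1`, so each caller of the interface re-states a grant for dom0 itself rather than for the domain passed in. dom0 already picks up the same permission in dom0.te through `dom0_send_v4v(dom0_t)` in this commit, so the line looks redundant here; if it is the receiving domain that needs `use`, the rule would instead be `allow $1 self:v4v use;`, and which of the two the hypervisor checks is not visible on this page. In `dom0_send_v4v` (and likewise `ndvm_send_v4v`, `stubdom_send_v4v` and `uivm_send_v4v` in the other files) the interface now also grants the caller `self:v4v use`, and the `## <summary>` text, which lies outside these hunks, should say so. Both interface bodies start above the lines shown.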
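--- a/policy/modules/xen/dom0.te
+++ b/policy/modules/xen/dom0.te
@@ -45,7 +45,7 @@ allow dom0_t self:domain2 { setscheduler iommu_map_batch iommu_x_mapping apertur
 
 allow dom0_t self:event { bind create };
 allow dom0_t self:resource { add remove setup };
-allow dom0_t self:v4v send;
+dom0_send_v4v(dom0_t)
 
 allow dom0_t evchn0-0_t:event send;
 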
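Review bot: `dom0_send_v4v(dom0_t)` is used inside dom0's own .te file to obtain dom0's self permissions, which hides what is actually granted. With `$1` set to `dom0_t`, the interface shown in dom0.if expands to `allow dom0_t self:v4v use;` and `allow dom0_t dom0_t:v4v send;`. Writing `allow dom0_t self:v4v { send use };` directly would keep the rule readable next to the neighbouring `self:event` and `self:resource` lines and would not silently change if the interface body is edited later.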
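--- a/policy/modules/xen/guesthvm.te
+++ b/policy/modules/xen/guesthvm.te
@@ -80,6 +80,7 @@ nilfvm_use(hvm_guest_t)
 dom0_copy_grant(hvm_guest_t)
 dom0_map_write_grant_guest(hvm_guest_t)
 dom0_pt_guest(hvm_guest_t)
-dom0_send_v4v(hvm_guest_t)
-dom0_recv_v4v(hvm_guest_t)
+# Uncomment these if you wish to allow guests to use v4v.
+#dom0_send_v4v(hvm_guest_t)
+#dom0_recv_v4v(hvm_guest_t)
 stubdom_ioemu(hvm_guest_t)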
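Review bot: The new comment above the commented-out `dom0_send_v4v`/`dom0_recv_v4v` calls does not say what enabling them grants, nor that the two lines cover opposite directions. Going by the interfaces in dom0.if, uncommenting both lets every `hvm_guest_t` domain send v4v data to dom0 and lets dom0 send to every such guest, so the comment should state that, e.g. `# Disabled by default: uncommenting lets all HVM guests exchange v4v data with dom0 (dom0_send_v4v: guest -> dom0, dom0_recv_v4v: dom0 -> guest).` Toggling policy by editing a comment also leaves the choice invisible to anyone auditing the build configuration; a build-time conditional would be easier to review, if the policy build supports one.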
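--- a/policy/modules/xen/ndvm.if
+++ b/policy/modules/xen/ndvm.if
@@ -88,6 +88,7 @@ interface(`ndvm_send_v4v',`
 type ndvm_t;
 ')
 
+allow $1 self:v4v use;
 allow $1 ndvm_t:v4v send;
 ')
 ########################################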
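--- a/policy/modules/xen/stubdom.if
+++ b/policy/modules/xen/stubdom.if
@@ -129,6 +129,7 @@ interface(`stubdom_send_v4v',`
 type stubdom_t;
 ')
 
+allow $1 self:v4v use;
 allow $1 stubdom_t:v4v send;
 ')
 ########################################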
18 changes: 1 addition & 17 deletions policy/modules/xen/uivm.if
Expand Up @@ -34,26 +34,10 @@ interface(`uivm_send_v4v',`
type uivm_t;
')

allow $1 self:v4v use;
allow $1 uivm_t:v4v send;
')
########################################
## <summary>
## Allow the specified domain to
## send data to the UIVM via v4v.
## </summary>
## <param name="type">
## <summary>
## Type of the domain allowe access.
## </summary>
## </param>
#
interface(`uivm_send_v4v',`
gen_require(`
type uivm_t;
')

allow $1 uivm_t:v4v send;
')
########################################
## <summary>
## Allow the specified type to map write uivm grants.
