Once dom0 is running, the policy can be reloaded using "xl loadpolicy".
The example policy included with Xen demonstrates most of the features of FLASK
-that can be used without dom0 disaggregation. It has two main types for domUs:
+that can be used without dom0 disaggregation. The main types for domUs are:
- domU_t is a domain that can communicate with any other domU_t
- isolated_domU_t can only communicate with dom0
+ - prot_domU_t is a domain type whose creation can be disabled with a boolean
One disadvantage of using type enforcement to enforce isolation is that a new
type is needed for each group of domains. In addition, it is not possible to
domain_self_comms(dom0_t)
-auditallow dom0_t security_t:security { load_policy setenforce };
+auditallow dom0_t security_t:security { load_policy setenforce setbool };
###############################################################################
#
manage_domain(dom0_t, isolated_domU_t)
domain_comms(dom0_t, isolated_domU_t)
+gen_bool(prot_doms_locked, false)
+declare_domain(prot_domU_t)
+if (!prot_doms_locked) {
+ create_domain(dom0_t, prot_domU_t)
+}
+domain_comms(dom0_t, prot_domU_t)
+domain_comms(domU_t, prot_domU_t)
+
###############################################################################
#
# Device delegation
projects / xen.git / commitdiff