Migration and HVM domain creation both trigger AVC denials that should
be allowed in the default policy; add these rules.

Guest console writes need to be either allowed or denied without audit
depending on the decision of the local administrator; introduce a policy
boolean to switch between these possibilities.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
allow $1 $2:grant { query setup };
allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op };
allow $1 $2:hvm { getparam setparam };
+ allow $1 $2:domain2 get_vnumainfo;
')
# declare_domain(type, attrs...)
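Review bot: The added `allow $1 $2:domain2 get_vnumainfo;` line carries no comment, and the commit message does not say whether it is HVM domain creation or migration that triggers the denial it resolves. Quoting the AVC denial in the commit message, or adding a one-line comment above the rule naming the operation that needs get_vnumainfo, would let a later policy audit confirm the permission is still required.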
allow $1 $2:mmu { stat pageinfo map_read };
allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
allow $1 $2:domain2 gettsc;
+ allow $1 $2:shadow { enable disable logdirty };
')
################################################################################
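Review bot: The new `allow $1 $2:shadow { enable disable logdirty };` rule grants three permissions at once, while the commit message only says that denials were seen, not which of the three appeared in them. If the observed denials covered only part of the set, grant just those; if all three are required, a short comment above the rule saying so keeps it from reading as broader than necessary.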
# Allow all domains to use (unprivileged parts of) the tmem hypercall
allow domain_type xen_t:xen tmem_op;
+# Allow guest console output to the serial console. This is used by PV Linux
+# and stub domains for early boot output, so don't audit even when we deny it.
+# Without XSM, this is enabled only if the Xen was compiled in debug mode.
+gen_bool(guest_writeconsole, true)
+if (guest_writeconsole) {
+ allow domain_type xen_t : xen writeconsole;
+} else {
+ dontaudit domain_type xen_t : xen writeconsole;
+}
+
###############################################################################
#
# Domain creation
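Review bot: `gen_bool(guest_writeconsole, true)` defaults to allowing writeconsole for every domain_type, while the comment directly above it says that without XSM this is enabled only in debug builds, so the default policy is more permissive than a non-debug build without XSM. Consider defaulting the boolean to false, or state in the comment why true is the chosen default, since an administrator who loads the policy unmodified gets guest output on the serial console. The comment wording could also be tightened to "only if Xen was compiled in debug mode".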