flask/policy: add accesses used by newer dom0s
authorDaniel De Graaf <dgdegra@tycho.nsa.gov>
Wed, 22 Aug 2012 21:15:36 +0000 (22:15 +0100)
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>
Wed, 22 Aug 2012 21:15:36 +0000 (22:15 +0100)
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
tools/flask/policy/policy/modules/xen/xen.if
tools/flask/policy/policy/modules/xen/xen.te

index 87ef1654f51c7336fa32961a7d3c8c4928550550..3f58909b5568cd2d3818b7b44124aacae41598c9 100644 (file)
@@ -100,7 +100,7 @@ define(`use_device', `
 # admin_device(domain, device)
 #   Allow a device to be used and delegated by a domain
 define(`admin_device', `
-    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport };
+    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
     allow $1 $2:hvm bind_irq;
     use_device($1, $2)
 ')
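Review bot: Adding `plug unplug` to the `resource` rule inside `admin_device` grants device hot-plug rights to every domain type that invokes the macro, not only to the newer dom0s named in the commit title. The macro's callers are outside this hunk, so it is worth confirming that each of them should hold these permissions; if only dom0 needs them, a separate rule on the dom0 type would keep the macro at its previous scope. Either way the header comment no longer matches what the macro grants and could read `#   Allow a device to be used, delegated and hot-plugged/unplugged by a domain`.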
index 29885c4a38f5be46aa648dc4aa69a93d5791a697..e175d4b3584aa4a0587a63bb8b423c2a13507928 100644 (file)
@@ -55,8 +55,8 @@ type device_t, resource_type;
 allow xen_t dom0_t:domain { create };
 
 allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
-       scheduler physinfo heap quirk readconsole writeconsole settime
-       microcode cpupool_op sched_op };
+       scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo
+       microcode cpupool_op sched_op pm_op };
 allow dom0_t xen_t:mmu { memorymap };
 allow dom0_t security_t:security { check_context compute_av compute_create
        compute_member load_policy compute_relabel compute_user setenforce
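Review bot: The widened `allow dom0_t xen_t:xen` rule does not record why `getcpuinfo` and `pm_op` are now needed, and the commit title says only "newer dom0s". Judging by its name, `pm_op` gates host power-management control, which affects the whole machine, so someone auditing the policy later would want the reason next to the rule. A comment above it such as `# getcpuinfo, pm_op: issued by newer dom0 kernels (CPU info and power-management requests)` would do, with the exact operations filled in by the author. The `allow dom0_t security_t:security` rule that follows continues past the end of this hunk.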