setparam altp2mhvm altp2mhvm_op dm };
')
+# xen_build_domain(target)
+# Allow a domain to be created at boot by the hypervisor
+define(`xen_build_domain', `
+ allow xenboot_t $1:domain create;
+ allow xenboot_t $1_channel:event create;
+')
+
# create_domain(priv, target)
# Allow a domain to be created directly
define(`create_domain', `
################################################################################
# The hypervisor itself
+type xenboot_t, xen_type, mls_priv;
type xen_t, xen_type, mls_priv;
# Domain 0
# objects created before the policy is loaded or for objects that do not have a
# label defined in some other manner.
+sid xenboot gen_context(system_u:system_r:xenboot_t,s0)
sid xen gen_context(system_u:system_r:xen_t,s0)
sid dom0 gen_context(system_u:system_r:dom0_t,s0)
sid domxen gen_context(system_u:system_r:domxen_t,s0)
switch ( d->domain_id )
{
case DOMID_IDLE:
- dsec->sid = SECINITSID_XEN;
+ dsec->sid = SECINITSID_XENBOOT;
break;
case DOMID_XEN:
dsec->sid = SECINITSID_DOMXEN;
static int cf_check flask_set_system_active(void)
{
+ struct domain_security_struct *dsec;
struct domain *d = current->domain;
+ dsec = d->ssid;
+
ASSERT(d->is_privileged);
+ ASSERT(dsec->sid == SECINITSID_XENBOOT);
+ ASSERT(dsec->self_sid == SECINITSID_XENBOOT);
if ( d->domain_id != DOMID_IDLE )
{
*/
d->is_privileged = false;
+ dsec->self_sid = dsec->sid = SECINITSID_XEN;
+
return 0;
}
#
# Define initial security identifiers
#
+sid xenboot
sid xen
sid dom0
sid domio
projects / xen.git / commitdiff