flask/policy: use declare_domain for dom0_t

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 30657189270664b94763f4cf20ff18a8fd1f688e..dde7f90e44bc0f38437c412d220c0a7dd3a600d5 100644 (file)
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -5,10 +5,10 @@
 # Domain creation and setup
 #
 ################################################################################
-# declare_domain(type)
+# declare_domain(type, attrs...)
 #   Declare a type as a domain type, and allow basic domain setup
 define(`declare_domain', `
-       type $1, domain_type;
+       type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
        allow $1 $1:grant { query setup };
        allow $1 $1:mmu { adjust physmap map_read map_write stat pinpage };
        allow $1 $1:hvm { getparam setparam };

diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 67dd0dfa8896cf6641cc929f191a1eacb8b95473..fb71b757caaeedf871024ca503ce278a1d659b83 100644 (file)
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -25,7 +25,7 @@ attribute mls_priv;
 type xen_t, xen_type, mls_priv;
 
 # Domain 0
-type dom0_t, domain_type, mls_priv;
+declare_domain(dom0_t, mls_priv);
 
 # Untracked I/O memory (pseudo-domain)
 type domio_t, xen_type;
@@ -63,8 +63,6 @@ allow dom0_t security_t:security { check_context compute_av compute_create
        setbool setsecparam add_ocontext del_ocontext };
 
 allow dom0_t dom0_t:domain { getdomaininfo getvcpuinfo getvcpuaffinity };
-allow dom0_t dom0_t:grant { query setup };
-allow dom0_t dom0_t:mmu { adjust physmap map_read map_write stat pinpage };
 allow dom0_t dom0_t:resource { add remove };
 
 admin_device(dom0_t, device_t)