authorChristopher Clark <christopher.w.clark@gmail.com>2019-02-06 09:56:00 +0100
committerJan Beulich <jbeulich@suse.com>2019-02-07 14:26:19 +0100
commit789cab9d676341b260b540c23c29fab242b1747e (patch)
tree8e78f8081c3ae08edbecf7fad53e8a67b8df4be5 /tools/flask
parent4c0526b739975604d1c73cb3c3eb89281fda0aa4 (diff)
xsm, argo: XSM control for any access to argo by a domain
Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Tested-by: Chris Patterson <pattersonc@ainfosec.com> Release-acked-by: Juergen Gross <jgross@suse.com>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/modules/guest_features.te4
1 files changed, 2 insertions, 2 deletions
diff --git a/tools/flask/policy/modules/guest_features.te b/tools/flask/policy/modules/guest_features.te
index ca52257ca4..fe4835db5b 100644
--- a/tools/flask/policy/modules/guest_features.te
+++ b/tools/flask/policy/modules/guest_features.te
@@ -5,11 +5,11 @@ allow domain_type xen_t:xen tmem_op;
# pmu_ctrl is for)
allow domain_type xen_t:xen2 pmu_use;
-# Allow all domains:
+# Allow all domains to enable the Argo interdomain communication hypercall;
# to register single-sender (unicast) rings to partner with any domain;
# to register any-sender (wildcard) rings that can be sent to by any domain;
# and send messages to rings.
-allow domain_type xen_t:argo { register_any_source };
+allow domain_type xen_t:argo { enable register_any_source };
allow domain_type domain_type:argo { send register_single_source };
# Allow guest console output to the serial console. This is used by PV Linux
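Review bot: Granting `enable` to every `domain_type` in the `xen_t:argo` rule means the new XSM check denies nothing under this default policy, and the comment does not tell a policy author that this is the permission to withhold when a domain must be cut off from Argo entirely. I would add one line to the comment block above the rule, for example `# Withhold 'enable' from a domain type to deny it all Argo access; its argo state is then never initialized.` Going by the commit description, a domain without `enable` cannot receive messages or notifications or use any Argo hypercall operation, so a deployment aiming for least privilege should replace `domain_type` in this rule with the specific types that need Argo. The comments at the first and last lines of the hunk are cut off by the hunk boundary.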