1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
################################################################################
#
# Attributes for types
#
# An attribute may be used in a rule as shorthand for all types with that
# attribute.
#
################################################################################
attribute xen_type;
attribute domain_type;
attribute domain_self_type;
attribute domain_target_type;
attribute resource_type;
attribute event_type;
attribute mls_priv;
################################################################################
#
# Types for the initial SIDs
#
# These types are used internally for objects created during Xen startup or for
# devices that have not yet been labeled
#
################################################################################
# The hypervisor itself
type xenboot_t, xen_type, mls_priv;
type xen_t, xen_type, mls_priv;
# Domain 0
declare_singleton_domain(dom0_t, mls_priv);
# I/O memory (DOMID_IO pseudo-domain)
type domio_t, xen_type;
# Xen heap (DOMID_XEN pseudo-domain)
type domxen_t, xen_type;
# Unlabeled objects
type unlabeled_t, xen_type;
# The XSM/FLASK security server
type security_t, xen_type;
# Unlabeled device resources
# Note: don't allow access to these types directly; see below for how to label
# devices and use that label for allow rules
type irq_t, resource_type;
type ioport_t, resource_type;
type iomem_t, resource_type;
type device_t, resource_type;
# Domain destruction can result in some access checks for actions performed by
# the hypervisor. These should always be allowed.
allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem };
################################################################################
#
# Policy constraints
#
# Neverallow rules will cause the policy build to fail if an allow rule exists
# that violates the expression. This is used to ensure proper labeling of
# objects.
#
################################################################################
# Domains must be declared using domain_type
neverallow * ~domain_type:domain { create transition };
# Resources must be declared using resource_type
neverallow * ~resource_type:resource { use use_iommu use_iommu_nointremap
use_noiommu };
# Events must use event_type (see create_channel for a template)
neverallow ~event_type *:event bind;
neverallow * ~event_type:event { create send status };
################################################################################
#
# Users and Roles
#
################################################################################
# The object role (object_r) is used for devices, resources, and event channels;
# it does not need to be defined here and should not be used for domains.
# The system user and role are used for utility domains and pseudo-domains. In
# systems where users and roles are not being used for separation, all domains
# can use the system user and role.
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh)
role system_r;
role system_r types { xen_type dom0_t };
|
