From: Daniel De Graaf
Date: Wed, 22 Aug 2012 21:15:36 +0000 (+0100)
Subject: flask/policy: add accesses used by newer dom0s
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~8036
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/success//%22http:/www.example.com/cgi/success/?a=commitdiff_plain;h=7c3dea401c22be3041db63fb516836c065810b78;p=xen.git
flask/policy: add accesses used by newer dom0s
Signed-off-by: Daniel De Graaf
Committed-by: Keir Fraser
---
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 87ef1654f5..3f58909b55 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -100,7 +100,7 @@ define(`use_device', `
 # admin_device(domain, device)
 # Allow a device to be used and delegated by a domain
 define(`admin_device', `
- allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport };
+ allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
 allow $1 $2:hvm bind_irq;
 use_device($1, $2)
 ')
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 29885c4a38..e175d4b358 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
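Review bot: Adding `plug unplug` inside the `admin_device` macro in xen.if widens the grant for every domain type the macro is instantiated with, while the commit subject scopes the change to newer dom0s. The callers of `admin_device` are outside this hunk, so it is not visible here whether any type other than dom0 uses it; if one does, it gains both permissions without an explicit policy decision. Either confirm that dom0 is the only caller or grant the two permissions in a rule written for the dom0 type alone. In either case the macro comment should state the wider grant, for example `# Allow a device to be used, delegated, plugged and unplugged by a domain`.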
@@ -55,8 +55,8 @@ type device_t, resource_type; allow xen_t dom0_t:domain { create }; allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del - scheduler physinfo heap quirk readconsole writeconsole settime - microcode cpupool_op sched_op }; + scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo + microcode cpupool_op sched_op pm_op }; allow dom0_t xen_t:mmu { memorymap }; allow dom0_t security_t:security { check_context compute_av compute_create compute_member load_policy compute_relabel compute_user setenforce