flask/policy: add device model types to example policy

This adds an example user for device_model_stubdomain_seclabel.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
index 5b4297da85c19e12cc2baffd9686dfaf85121f9e..e2e415d5787729603b0af2a6d3e830c8bb4f7c79 100644 (file)
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -61,6 +61,10 @@ that can be used without dom0 disaggregation. The main types for domUs are:
  - isolated_domU_t can only communicate with dom0
  - prot_domU_t is a domain type whose creation can be disabled with a boolean
 
+HVM domains with stubdomain device models use two types (one per domain):
+ - domHVM_t is an HVM domain that uses a stubdomain device model
+ - dm_dom_t is the device model for a domain with type domHVM_t
+
 One disadvantage of using type enforcement to enforce isolation is that a new
 type is needed for each group of domains. In addition, it is not possible to
 allow isolated_domU_t cannot to create loopback event channels without allowing

diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index dde7f90e44bc0f38437c412d220c0a7dd3a600d5..87ef1654f51c7336fa32961a7d3c8c4928550550 100644 (file)
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -25,7 +25,7 @@ define(`create_domain', `
        allow $1 $2:shadow enable;
        allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
        allow $1 $2:grant setup;
-       allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute setparam };
+       allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute setparam pcilevel trackdirtyvram };
        allow $1 $2_$1_channel:event create;
 ')
 
@@ -36,6 +36,7 @@ define(`manage_domain', `
                        getaddrsize pause unpause trigger shutdown destroy
                        setvcpuaffinity setdomainmaxmem };
 ')
+
 ################################################################################
 #
 # Inter-domain communication
@@ -75,6 +76,14 @@ define(`domain_self_comms', `
        allow $1 $1:grant { map_read map_write copy unmap };
 ')
 
+# device_model(dm_dom, hvm_dom)
+#   Define how a device model domain interacts with its target
+define(`device_model', `
+       domain_comms($1, $2)
+       allow $1 $2:domain { set_target shutdown };
+       allow $1 $2:mmu { map_read map_write adjust physmap };
+       allow $1 $2:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute };
+')
 ################################################################################
 #
 # Device types and delegation (PCI passthrough)

diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index f7343a2dd6da9d377d4822288dc6f11efb8f07fe..29885c4a38f5be46aa648dc4aa69a93d5791a697 100644 (file)
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -100,6 +100,19 @@ if (!prot_doms_locked) {
 domain_comms(dom0_t, prot_domU_t)
 domain_comms(domU_t, prot_domU_t)
 
+# domHVM_t is meant to be paired with a qemu-dm stub domain of type dm_dom_t
+declare_domain(domHVM_t)
+create_domain(dom0_t, domHVM_t)
+manage_domain(dom0_t, domHVM_t)
+domain_comms(dom0_t, domHVM_t)
+domain_self_comms(domHVM_t)
+
+declare_domain(dm_dom_t)
+create_domain(dom0_t, dm_dom_t)
+manage_domain(dom0_t, dm_dom_t)
+domain_comms(dom0_t, dm_dom_t)
+device_model(dm_dom_t, domHVM_t)
+
 ###############################################################################
 #
 # Device delegation