From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Date: Fri, 2 Nov 2018 17:46:11 +0000 (-0400)
Subject: flask/policy: allow dom0 to use PHYSDEVOP_pci_mmcfg_reserved
X-Git-Tag: archive/raspbian/4.14.0+80-gd101b417b7-1+rpi1^2~63^2~2974
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=011319e9ce110c70a3d52f2ea05e5eeb538c9e9e;p=xen.git

flask/policy: allow dom0 to use PHYSDEVOP_pci_mmcfg_reserved

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
---

diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
index c7d565d3dc..a347d664f8 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -66,6 +66,9 @@ allow dom0_t security_t:security { load_policy setenforce setbool };
 # Audit policy change events even when they are allowed
 auditallow dom0_t security_t:security { load_policy setenforce setbool };
 
+# Allow dom0 to report platform configuration changes back to the hypervisor
+allow dom0_t xen_t:resource setup;
+
 admin_device(dom0_t, device_t)
 admin_device(dom0_t, irq_t)
 admin_device(dom0_t, ioport_t)