From: Anshul Makkar
Date: Thu, 7 Jul 2016 13:45:47 +0000 (+0100)
Subject: XSM/policy: Allow the source domain access to settime and setdomainhandle domctls...
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~813
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=f755485cbd2a17c4e0069271ee930ad0972c1b9c;p=xen.git

XSM/policy: Allow the source domain access to settime and setdomainhandle domctls while creating domain.

This patch resolves the following permission denied scenarios while creating new domU:

avc: denied { setdomainhandle } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

avc: denied { settime } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

Signed-off-by: Anshul Makkar
Acked-by: Daniel De Graaf
---

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index fd96303be8..8c43c282e8 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -48,7 +48,8 @@ define(`declare_build_label', ` define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext getscheduler - getvcpuinfo getaddrsize getaffinity setaffinity }; + getvcpuinfo getaddrsize getaffinity setaffinity + settime setdomainhandle }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_cat_op soft_reset };
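
Review bot: the scope of the grant is wider than the commit message documents. The added `settime setdomainhandle` sits on the `allow $1 $2:domain` rule inside `create_domain_common`, so every source/target pair that expands this macro gains both permissions, while the message only cites denials for dom0_t acting on domU_t. Please state in the commit message that both domctls are part of the normal domain-creation sequence for every user of the macro, or, if only some builders need them, move the two permissions to a narrower rule for those types. A one-line comment above the `allow` noting that these two are needed at creation time would also keep the permission set from reading as an unexplained grant during later least-privilege audits of the policy.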