################################################################################
#
# Allow dom0 access to all sysctls, devices, and the security server.
#
# While this could be written more briefly using wildcards, the permissions are
# listed out to make removing specific permissions simpler.
#
################################################################################
allow dom0_t xen_t:xen {
	settime tbufcontrol readconsole clearconsole perfcontrol mtrr_add
	mtrr_del mtrr_read microcode physinfo quirk writeconsole readapic
	writeapic privprofile nonprivprofile kexec firmware sleep frequency
	getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op
	tmem_control getscheduler setscheduler
};
allow dom0_t xen_t:xen2 {
	resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol
	get_cpu_levelling_caps get_cpu_featureset livepatch_op
	gcov_op set_parameter
};

# Allow dom0 to use all XENVER_ subops that have checks.
# Note that dom0 is part of domain_type so this has duplicates.
allow dom0_t xen_t:version {
	xen_extraversion xen_compile_info xen_capabilities
	xen_changeset xen_pagesize xen_guest_handle xen_commandline
	xen_build_id
};

allow dom0_t xen_t:mmu memorymap;

# Allow dom0 to use these domctls on itself. For domctls acting on other
# domains, see the definitions of create_domain and manage_domain.
allow dom0_t dom0_t:domain {
	setvcpucontext max_vcpus setaffinity getaffinity getscheduler
	getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
	setdebugging hypercall settime setaddrsize getaddrsize trigger
	getpodtarget setpodtarget set_misc_info set_virq_handler
};
allow dom0_t dom0_t:domain2 {
	set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo
	get_vnumainfo psr_cmt_op psr_cat_op set_gnttab_limits
};
allow dom0_t dom0_t:resource { add remove };

# These permissions allow using the FLASK security server to compute access
# checks locally, which could be used by a domain or service (such as xenstore)
# that does not have its own security server to make access decisions based on
# Xen's security policy.
allow dom0_t security_t:security {
	compute_av compute_create compute_member compute_relabel
};

# Allow string/SID conversions (for "xl list -Z" and similar)
allow dom0_t security_t:security check_context;

# Allow flask-label-pci to add and change labels
allow dom0_t security_t:security { add_ocontext del_ocontext };

# Allow performance parameters of the security server to be tweaked
allow dom0_t security_t:security setsecparam;

# Allow changing the security policy
allow dom0_t security_t:security { load_policy setenforce setbool };

# Audit policy change events even when they are allowed
auditallow dom0_t security_t:security { load_policy setenforce setbool };

admin_device(dom0_t, device_t)
admin_device(dom0_t, irq_t)
admin_device(dom0_t, ioport_t)
admin_device(dom0_t, iomem_t)

domain_comms(dom0_t, dom0_t)