# Allow all domains to use (unprivileged parts of) the tmem hypercall.
# NOTE(review): tmem has been dropped from newer Xen releases; if the target
# Xen build no longer provides it, this rule is dead and can be removed --
# confirm against the hypervisor version this policy is built for.
allow domain_type xen_t:xen tmem_op;

# Allow all domains to use PMU (but not to change its settings --- that's what
# pmu_ctrl is for). Only the *use* permission is granted here; the pmu_ctrl
# permission that changes PMU mode is expected to be granted elsewhere, to
# privileged domains only.
allow domain_type xen_t:xen2 pmu_use;

# Allow guest console output to the serial console. This is used by PV Linux
# and stub domains for early boot output, so don't audit even when we deny it.
# Without XSM, this is enabled only if the Xen was compiled in debug mode.
#
# Security note: the boolean defaults to true, so every domain_type domain --
# including unprivileged guests -- may write to the hypervisor's serial
# console, which is a shared resource; a noisy guest can crowd out the host's
# own messages. Hosts that do not need guest early-boot output should set
# guest_writeconsole to false. Note also that the deny branch is dontaudit, so
# a denied write leaves no trace in the audit log.
gen_bool(guest_writeconsole, true)
if (guest_writeconsole) {
    allow domain_type xen_t : xen writeconsole;
} else {
    dontaudit domain_type xen_t : xen writeconsole;
}

# For normal guests, allow all queries except XENVER_commandline.
# (xen_build_id is also absent from this list; both it and xen_commandline
# are covered by the dontaudit rule below, so neither is granted to ordinary
# guests.)
allow domain_type xen_t:version {
    xen_extraversion xen_compile_info xen_capabilities
    xen_changeset xen_pagesize xen_guest_handle
};

# Version queries don't need auditing when denied. They can be
# encountered in normal operation by xl or by reading sysfs files in
# Linux, so without this they will show up in the logs. Since these
# operations return valid responses (like "denied"), hiding the denials
# should not break anything.
# Only the two permissions not granted above are silenced; any other
# version-class denial remains audited.
dontaudit domain_type xen_t:version {
    xen_commandline xen_build_id
};