1# Macro definitions for FLASK policy
2
3################################################################################
4#
5# Domain creation and setup
6#
7################################################################################
# declare_domain_common(domain, self-label)
#   Internal helper shared by declare_domain and declare_singleton_domain.
#   Grants a domain type ($1) the basic permissions it needs on its own
#   self label ($2): grant-table query/setup, a set of mmu operations,
#   hvm parameter get/set plus altp2mhvm_op, and reading vNUMA info.
#   The self label passed in is $1_self for normal domains and $1 itself
#   for singleton domains (see the two callers).
define(`declare_domain_common', `
	allow $1 $2:grant { query setup };
	allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op };
	allow $1 $2:hvm { getparam setparam altp2mhvm_op };
	allow $1 $2:domain2 get_vnumainfo;
')
14
# declare_domain(type, attrs...)
#   Declare a domain type, along with associated _self and _channel types
#   Allow the domain to perform basic operations on itself
#   - $1 is given the domain_type attribute plus any further attributes
#     passed after the type name. The ifelse tests the argument count ($#):
#     with a single argument nothing is appended, otherwise ",shift($@)"
#     adds the remaining arguments, so a bare declare_domain(foo_t) does not
#     emit a dangling comma.
#   - $1_self is the label a domain of type $1 sees when it acts on another
#     domain of the same type (type_transition on the domain class), so any
#     rule written against $1_self applies to every domain of that type,
#     not only the calling domain itself.
#   - $1_channel is the label applied to event channels that $1 creates
#     towards any domain_type.
define(`declare_domain', `
	type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
	type $1_self, domain_type, domain_self_type;
	type_transition $1 $1:domain $1_self;
	type $1_channel, event_type;
	type_transition $1 domain_type:event $1_channel;
	declare_domain_common($1, $1_self)
')
26
# declare_singleton_domain(type, attrs...)
#   Declare a domain type and associated _channel types.
#   Note: Because the domain can perform basic operations on itself and any
#   other domain of the same type, this constructor should be used for types
#   containing at most one domain. This is not enforced by policy.
#   Unlike declare_domain, no separate $1_self type is created. Instead the
#   m4 name $1_self is defined to expand to $1, so macros that reference
#   $1_self (domain_self_comms, the use_device_* family) still work and
#   simply target $1 directly. Any permission granted on $1_self is thus a
#   permission on every domain labelled $1.
define(`declare_singleton_domain', `
	type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
	define(`$1_self', `$1')
	type $1_channel, event_type;
	type_transition $1 domain_type:event $1_channel;
	declare_domain_common($1, $1)
')
39
# declare_build_label(type)
#   Declare a paired _building type for the given domain type
#   $1_building is the label a domain carries while it is being constructed.
#   Event channels it creates are labelled $1_channel, the same label the
#   finished domain uses, and the building domain may transition to $1.
#   Expects declare_domain($1) (or the singleton variant) to have run
#   already so that $1 and $1_channel exist.
define(`declare_build_label', `
	type $1_building, domain_type;
	type_transition $1_building domain_type:event $1_channel;
	allow $1_building $1 : domain transition;
')
47
# create_domain_common(priv, target)
#   Internal helper shared by create_domain and create_domain_build_label.
#   Permissions a privileged domain ($1) needs on a domain label ($2) to
#   build it: creation and vcpu/memory/address-size/scheduler setup,
#   security context checking, shadow and mmu setup, grant-table setup and
#   hvm configuration.
#   Note that the set includes hvm { hvmctl dm } (device-model level control
#   of the target) and domain2 soft_reset; callers effectively get
#   device-model rights over anything they may create.
define(`create_domain_common', `
	allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
			getdomaininfo hypercall setvcpucontext getscheduler
			getvcpuinfo getaddrsize getaffinity setaffinity
			settime setdomainhandle getvcpucontext set_misc_info };
	allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
			set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
			psr_cmt_op psr_cat_op soft_reset set_gnttab_limits };
	allow $1 $2:security check_context;
	allow $1 $2:shadow enable;
	allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
	allow $1 $2:grant setup;
	allow $1 $2:hvm { cacheattr getparam hvmctl sethvmc
			setparam nested altp2mhvm altp2mhvm_op dm };
')
63
# create_domain(priv, target)
#   Allow a domain to be created directly
#   $1 creates the new domain already carrying its final label $2 (no
#   _building stage) and may create event channels labelled $2_channel on
#   its behalf during construction.
define(`create_domain', `
	create_domain_common($1, $2)
	allow $1 $2_channel:event create;
')
70
# create_domain_build_label(priv, target)
#   Allow a domain to be created via its domain build label
#   The domain is constructed as $2_building, then relabelled to $2 once
#   built: $1 needs relabelfrom on the building label and relabelto on the
#   final label, and the building domain must be allowed to transition to
#   $2. Requires declare_build_label($2).
#   The final transition rule duplicates the one already emitted by
#   declare_build_label; the duplication is harmless.
define(`create_domain_build_label', `
	create_domain_common($1, $2_building)
	allow $1 $2_channel:event create;
	allow $1 $2_building:domain2 relabelfrom;
	allow $1 $2:domain2 relabelto;
	allow $2_building $2:domain transition;
')
80
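# manage_domain(priv, target)
#   Allow managing a running domain
#   Read access to domain, vcpu, affinity, address-size and scheduler
#   information, memory/affinity/PoD-target tuning and vNUMA setup, and the
#   lifecycle operations pause, unpause, trigger, resume, shutdown and
#   destroy. Because shutdown and destroy are included, this should only be
#   granted to a domain that is allowed to terminate the target.
define(`manage_domain', `
	allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
			getaddrsize pause unpause trigger shutdown destroy
			setaffinity setdomainmaxmem getscheduler resume
			setpodtarget getpodtarget };
	allow $1 $2:domain2 set_vnumainfo;
')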
90
# migrate_domain_out(priv, target)
#   Allow creation of a snapshot or migration image from a domain
#   (inbound migration is the same as domain creation)
#   Grants what a save needs from the target: hvm context and parameters,
#   page info and read mappings of its memory, the tsc value, and shadow
#   enable/disable/logdirty for live dirty-page tracking. It also grants
#   map_read on domxen_t (presumably Xen-owned pages; see where that type
#   is declared) and pause/destroy on the target, so the receiving domain
#   is trusted to tear the source down after the image is taken.
define(`migrate_domain_out', `
	allow $1 domxen_t:mmu map_read;
	allow $1 $2:hvm { gethvmc getparam };
	allow $1 $2:mmu { stat pageinfo map_read };
	allow $1 $2:domain { getaddrsize getvcpucontext pause destroy };
	allow $1 $2:domain2 gettsc;
	allow $1 $2:shadow { enable disable logdirty };
')
102
103################################################################################
104#
105# Inter-domain communication
106#
107################################################################################
108
# create_channel(source, dest, chan-label)
#   This allows an event channel to be created from domains with labels
#   <source> to <dest> and will label it <chan-label>
#   $1 may create, send on and query channels labelled $3; a channel of
#   label $3 may in turn be bound to a domain labelled $2. Callers in this
#   file always pass the source domain's own _channel label as $3.
define(`create_channel', `
	allow $1 $3:event { create send status };
	allow $3 $2:event { bind };
')
116
# domain_event_comms(dom1, dom2)
#   Allow two domain types to communicate using event channels
#   One channel in each direction, each carrying the creating domain's own
#   _channel label ($1_channel for $1 -> $2, $2_channel for $2 -> $1).
define(`domain_event_comms', `
	create_channel($1, $2, $1_channel)
	create_channel($2, $1, $2_channel)
')
123
# domain_comms(dom1, dom2)
#   Allow two domain types to communicate using grants and event channels
#   Symmetric: both sides may map (read and write), copy and unmap grants
#   offered by the other, on top of the event channels from
#   domain_event_comms.
define(`domain_comms', `
	domain_event_comms($1, $2)
	allow $1 $2:grant { map_read map_write copy unmap };
	allow $2 $1:grant { map_read map_write copy unmap };
')
131
# domain_self_comms(domain)
#   Allow a non-singleton domain type to communicate with itself using grants
#   and event channels
#   Written against $1_self, the label a domain of type $1 sees on other
#   domains of the same type, so a single set of rules covers any pair of
#   domains labelled $1. Only one direction is needed because both peers
#   carry the same type.
define(`domain_self_comms', `
	create_channel($1, $1_self, $1_channel)
	allow $1 $1_self:grant { map_read map_write copy unmap };
')
139
# device_model(dm_dom, hvm_dom)
#   Define how a device model domain interacts with its target
#   Declares $2_target, the label the HVM domain ($2) carries when accessed
#   by its device model ($1) once $1 has set it as a target; the
#   type_transition on the domain class performs that relabelling and
#   set_target allows it. Event channels: the target side keeps $2_channel,
#   the device model reaches the target via $1_channel and may also create
#   $2_channel channels on behalf of the HVM domain.
#   The device model then gets info/shutdown on the target domain, memory
#   mapping and physmap adjustment on its mmu, and hvm parameter, control
#   and dm access. The purpose of mmu target_hack is not documented here;
#   confirm against the hypervisor before extending this rule.
define(`device_model', `
	type $2_target, domain_type, domain_target_type;
	type_transition $2 $1:domain $2_target;
	allow $1 $2:domain set_target;

	type_transition $2_target domain_type:event $2_channel;
	create_channel($1, $2_target, $1_channel)
	create_channel($2, $1, $2_channel)
	allow $1 $2_channel:event create;

	allow $1 $2_target:domain { getdomaininfo shutdown };
	allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack };
	allow $1 $2_target:hvm { getparam setparam hvmctl cacheattr dm };
')
156
# make_device_model(priv, dm_dom, hvm_dom)
#   Allow creation of a device model and HVM domain pair
#   Emits the device_model rules for $2 -> $3 and lets the privileged
#   domain $1 wire the pair up: make_priv_for on the device model and
#   set_as_target on the HVM domain.
define(`make_device_model', `
	device_model($2, $3)
	allow $1 $2:domain2 make_priv_for;
	allow $1 $3:domain2 set_as_target;
')
164################################################################################
165#
166# Device types and delegation (PCI passthrough)
167#
168################################################################################
169
# use_device_iommu(domain, device)
#   Allow a device to be used by a domain
#   only if an IOMMU provides isolation.
#   Strictest of the use_device_* family: only resource use_iommu is
#   granted on the device label. The domain also gets mmu exchange on its
#   own self label (presumably for device-usable memory allocation; confirm)
#   and read/write mapping of domio_t (I/O memory; declared elsewhere).
define(`use_device_iommu', `
    allow $1 $1_self:mmu exchange;
    allow $1 $2:resource use_iommu;
    allow $1 domio_t:mmu { map_read map_write };
')
178
# use_device_iommu_nointremap(domain, device)
#   Allow a device to be used by a domain
#   only if an IOMMU is active, even if it does not support
#   interrupt remapping.
#   Allows acceptance of (typically older) less isolating hardware.
#   Superset of use_device_iommu: adds resource use_iommu_nointremap, so a
#   device behind an IOMMU without interrupt remapping is accepted. The
#   self-label mmu exchange and domio_t mapping rules are the same.
define(`use_device_iommu_nointremap', `
    allow $1 $1_self:mmu exchange;
    allow $1 $2:resource { use_iommu use_iommu_nointremap };
    allow $1 domio_t:mmu { map_read map_write };
')
189
# use_device_noiommu(domain, device)
#   Allow a device to be used by a domain
#   even without an IOMMU available.
#   Least restrictive of the family: grants use_iommu, use_iommu_nointremap
#   and use_noiommu, so the device may be driven with no DMA isolation at
#   all. Prefer use_device_iommu where the hardware allows it.
define(`use_device_noiommu', `
    allow $1 $1_self:mmu exchange;
    allow $1 $2:resource { use_iommu use_iommu_nointremap use_noiommu };
    allow $1 domio_t:mmu { map_read map_write };
')
198
# admin_device(domain, device)
#   Allow a device to be used and delegated by a domain
#   Grants full resource administration on the device label (setup, stat,
#   adding/removing the device and its irq/iomem/ioport ranges, plug and
#   unplug) plus hvm bind_irq. Note that it calls use_device_noiommu, so
#   the administering domain may also use the device without an IOMMU;
#   if only IOMMU-isolated use is acceptable for $1, emit the resource and
#   bind_irq rules directly and pair them with use_device_iommu instead.
define(`admin_device', `
    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
    allow $1 $2:hvm bind_irq;
    use_device_noiommu($1, $2)
')
206
# delegate_devices(priv-domain, target-domain)
#   Allow devices to be delegated
#   $1 may add devices to and remove devices from the domain labelled $2
#   (resource class add/remove). Does not by itself let $2 use the device;
#   the target still needs one of the use_device_* rules.
define(`delegate_devices', `
    allow $1 $2:resource { add remove };
')
212