################################################################################
#
# Attributes for types
#
# An attribute may be used in a rule as shorthand for all types with that
# attribute.  An attribute declaration only names the set; a type joins the set
# where it is declared ("type name, attr, ...;" below) or inside the domain
# declaration macros used elsewhere in the policy.
#
################################################################################
attribute xen_type;              # the hypervisor itself and its pseudo-domains
attribute domain_type;           # every type that may label a running domain
attribute domain_self_type;      # not assigned in this file; presumably set by the
                                 # domain declaration macros for a domain's access
                                 # to itself -- verify against the macro definitions
attribute domain_target_type;    # not assigned in this file; presumably the
                                 # complementary set used when a domain is the target
attribute resource_type;         # every type that may label an IRQ, I/O port,
                                 # I/O memory range or device
attribute event_type;            # every type that may label an event channel
attribute mls_priv;              # carried by xen_t and dom0_t below; which MLS
                                 # constraints it relaxes is defined by the MLS
                                 # policy, not here -- confirm there before relying on it

################################################################################
#
# Types for the initial SIDs
#
# These types are used internally for objects created during Xen startup or for
# devices that have not yet been labeled
#
################################################################################

# The hypervisor itself
type xen_t, xen_type, mls_priv;

# Domain 0
# declare_singleton_domain is a macro defined elsewhere in the policy (not shown
# here); it is expected to give dom0_t domain_type plus the listed extra
# attributes, so dom0_t is the only domain type declared directly in this file.
declare_singleton_domain(dom0_t, mls_priv);

# I/O memory (DOMID_IO pseudo-domain)
type domio_t, xen_type;

# Xen heap (DOMID_XEN pseudo-domain)
type domxen_t, xen_type;

# Unlabeled objects
type unlabeled_t, xen_type;

# The XSM/FLASK security server
type security_t, xen_type;

# Unlabeled device resources
# Note: don't allow access to these types directly; see below for how to label
#       devices and use that label for allow rules
# These four types are the default label of every resource that has not been
# given its own label, so an allow rule naming them would grant a domain access
# to every unlabeled IRQ, port, memory range or device at once.
type irq_t, resource_type;
type ioport_t, resource_type;
type iomem_t, resource_type;
type device_t, resource_type;

# Domain destruction can result in some access checks for actions performed by
# the hypervisor.  These should always be allowed.
# The rule is broad on the target side (any resource_type) but narrow on the
# permission side: it grants xen_t removal only.  Adding or using a resource on
# a domain's behalf is not covered and needs its own rule on the domain type.
allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem };

################################################################################
#
# Policy constraints
#
# Neverallow rules will cause the policy build to fail if an allow rule exists
# that violates the expression. This is used to ensure proper labeling of
# objects.
#
# "~attr" matches every type that lacks the attribute, so each rule below
# rejects any allow rule whose source or target type was declared without the
# attribute the rest of the policy relies on.
#
################################################################################

# Domains must be declared using domain_type
# A type that could be created or transitioned to without domain_type would
# escape every rule written against that attribute, so the build refuses it.
neverallow * ~domain_type:domain { create transition };

# Resources must be declared using resource_type
neverallow * ~resource_type:resource { use use_iommu use_iommu_nointremap
                                       use_noiommu };

# Events must use event_type (see create_channel for a template)
# The first rule constrains the source type (who may bind), the second the
# target type (the channel being created, sent on or queried).
neverallow ~event_type *:event bind;
neverallow * ~event_type:event { create send status };

################################################################################
#
# Users and Roles
#
################################################################################

# The object role (object_r) is used for devices, resources, and event channels;
# it does not need to be defined here and should not be used for domains.

# The system user and role are used for utility domains and pseudo-domains.  In
# systems where users and roles are not being used for separation, all domains
# can use the system user and role.
#
# gen_user is a support macro (not shown here); its arguments appear to be
# user name, an intentionally empty prefix, authorized role, default MLS
# level (s0) and allowed MLS range (s0 up to mls_systemhigh, which the MLS
# configuration defines).  Confirm against the macro definition if the
# argument order matters to you.
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh)

role system_r;
# system_r may be combined with every xen_type type and with dom0_t.  Other
# domain types are not authorized for this role here and need their own role
# authorization elsewhere before they can appear in a security context.
role system_r types { xen_type dom0_t };