################################################################################
#
# dom0's privileges against the hypervisor itself: the sysctl/platform ops in
# the xen and xen2 classes, the checked XENVER_ subops, and (further down) the
# security server and devices.
#
# Every permission is spelled out, sorted within its set, instead of using a
# wildcard: dropping a single capability from dom0 is then a one-word edit.
# Nothing later in this file re-grants what is removed here.
#
################################################################################

# Platform control, console, profiling, power management, kexec/firmware,
# scheduler and cpupool management.
allow dom0_t xen_t:xen {
    clearconsole cpupool_op debug firmware frequency getcpuinfo getidle
    getscheduler heap hypfs_op kexec lockprof mca_op microcode mtrr_add
    mtrr_del mtrr_read nonprivprofile perfcontrol physinfo pm_op privprofile
    quirk readapic readconsole setscheduler settime sleep tbufcontrol
    writeapic writeconsole
};

# Newer sysctl/platform ops that did not fit in the xen class.
allow dom0_t xen_t:xen2 {
    coverage_op get_cpu_featureset get_cpu_levelling_caps get_dom0_console
    get_symbol livepatch_op pmu_ctrl psr_alloc psr_cmt_op resource_op
};

# All XENVER_ subops that carry a permission check. dom0_t is also a member
# of domain_type, so some of these are granted a second time through that
# attribute.
allow dom0_t xen_t:version {
    xen_build_id xen_capabilities xen_changeset xen_commandline
    xen_compile_info xen_extraversion xen_guest_handle xen_pagesize
};

allow dom0_t xen_t:mmu memorymap;

# Domctls dom0 may issue against itself. Domctls aimed at other domains are
# granted by create_domain and manage_domain, not here.
allow dom0_t dom0_t:domain {
    getaddrsize getaffinity getdomaininfo getpagingmempool getpodtarget
    getscheduler getvcpucontext getvcpuinfo hypercall max_vcpus
    set_misc_info set_virq_handler setaddrsize setaffinity setdebugging
    setdomainhandle setdomainmaxmem setpagingmempool setpodtarget settime
    setvcpucontext trigger
};
allow dom0_t dom0_t:domain2 {
    get_cpu_policy get_vnumainfo gettsc psr_alloc psr_cmt_op
    set_cpu_policy set_vnumainfo setscheduler settsc
};
allow dom0_t dom0_t:resource { add remove };

# Local access-vector computation: a domain or service that has no security
# server of its own (xenstore, for example) can ask Xen to evaluate its policy
# and enforce the resulting decision itself.
allow dom0_t security_t:security {
    compute_av compute_create compute_member compute_relabel
};

# Context string <-> SID conversion, used by "xl list -Z" and similar.
allow dom0_t security_t:security check_context;

# Object-context maintenance, used by flask-label-pci.
allow dom0_t security_t:security { add_ocontext del_ocontext };

# Tuning of the security server's performance parameters.
allow dom0_t security_t:security setsecparam;

# Policy replacement, enforcing/permissive switching and boolean changes.
# With these dom0 can relax or replace the very policy that constrains it,
# which is why each use is also audited below even though it is permitted.
allow dom0_t security_t:security { load_policy setenforce setbool };
auditallow dom0_t security_t:security { load_policy setenforce setbool };

# Reporting platform configuration changes back to the hypervisor.
allow dom0_t xen_t:resource setup;

# Administrative access (admin_device macro) to devices, IRQs, I/O ports and
# I/O memory.
admin_device(dom0_t, device_t)
admin_device(dom0_t, irq_t)
admin_device(dom0_t, ioport_t)
admin_device(dom0_t, iomem_t)

# Communication between dom0_t and itself (domain_comms macro).
domain_comms(dom0_t, dom0_t)

# The hypervisor may construct domains labelled dom0_t.
xen_build_domain(dom0_t)