# This is an alternative to nomigrate_t: a policy boolean controls the ability
# to create or migrate a domain of type prot_domU_t. When prot_doms_locked is
# set to true, the create/migrate rules in the conditional block below are no
# longer in effect, and (per the original description of this module) dom0
# cannot map memory belonging to those domains.
#
# NOTE(review): only the rules inside the conditional block are tied to the
# boolean. Whether dom0_t gets access to prot_domU_t from rules elsewhere in
# the policy, and who is allowed to change the boolean, cannot be told from
# this file -- confirm both against the rest of the policy.

# Declared with the value false, so the conditional block below is active
# (domains are NOT locked) until the boolean is set to true.
gen_bool(prot_doms_locked, false)

# Introduces the protected guest domain type used by every rule below.
declare_domain(prot_domU_t)

# Creation and outbound migration of prot_domU_t by dom0_t are granted only
# while the boolean is false.
if (!prot_doms_locked) {
	create_domain(dom0_t, prot_domU_t)
	migrate_domain_out(dom0_t, prot_domU_t)
}

# These rules sit outside the conditional, so they apply whatever the value of
# prot_doms_locked is. Presumably they cover inter-domain communication, as the
# macro names suggest -- see the macro definitions for the exact permissions.
domain_comms(dom0_t, prot_domU_t)
domain_comms(domU_t, prot_domU_t)
domain_comms(prot_domU_t, prot_domU_t)
domain_self_comms(prot_domU_t)