1################################################################################
2#
3# Attributes for types
4#
5# An attribute may be used in a rule as shorthand for all types with that
6# attribute.
7#
8################################################################################
9attribute xen_type;
10attribute domain_type;
11attribute domain_self_type;
12attribute domain_target_type;
13attribute resource_type;
14attribute event_type;
15attribute mls_priv;
16
17################################################################################
18#
19# Types for the initial SIDs
20#
21# These types are used internally for objects created during Xen startup and
22# for devices that have not yet been given a label.
23#
24################################################################################
25
26# The hypervisor itself
27type xenboot_t, xen_type, mls_priv;
28type xen_t, xen_type, mls_priv;
29
30# Domain 0
31declare_singleton_domain(dom0_t, mls_priv);
32
33# I/O memory (DOMID_IO pseudo-domain)
34type domio_t, xen_type;
35
36# Xen heap (DOMID_XEN pseudo-domain)
37type domxen_t, xen_type;
38
39# Unlabeled objects
40type unlabeled_t, xen_type;
41
42# The XSM/FLASK security server
43type security_t, xen_type;
44
45# Unlabeled device resources
46# Note: do not grant access to these types directly in allow rules; instead,
47#       label the device (see below) and use that label as the allow target
48type irq_t, resource_type;
49type ioport_t, resource_type;
50type iomem_t, resource_type;
51type device_t, resource_type;
52
53# Destroying a domain makes the hypervisor itself perform checked actions
54# (releasing the domain's IRQs, I/O ports and I/O memory); always allow these.
55allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem };
56
57################################################################################
58#
59# Policy constraints
60#
61# A neverallow rule makes the policy build fail if any allow rule matches the
62# expression it forbids. The rules here ensure that objects are labeled with
63# the expected attribute.
64#
65################################################################################
66
67# Domain types must be declared with the domain_type attribute
68neverallow * ~domain_type:domain { create transition };
69
70# Resource types must be declared with the resource_type attribute
71neverallow * ~resource_type:resource { use use_iommu use_iommu_nointremap
72                                       use_noiommu };
73
74# Event types must be declared with the event_type attribute (see create_channel for a template)
75neverallow ~event_type *:event bind;
76neverallow * ~event_type:event { create send status };
77
78################################################################################
79#
80# Users and Roles
81#
82################################################################################
83
84# The object role (object_r) is used for devices, resources, and event channels;
85# it does not need to be defined here and should not be used for domains.
86
87# The system user and role are used for utility domains and pseudo-domains.  In
88# systems where users and roles are not being used for separation, all domains
89# can use the system user and role.
90gen_user(system_u,, system_r, s0, s0 - mls_systemhigh)
91
92role system_r;
93role system_r types { xen_type dom0_t };
94