# m4 macro definitions for the FLASK policy
2
3################################################################################
4#
5# Domain creation and setup
6#
7################################################################################
# declare_domain_common(type, self)
#   Shared by declare_domain and declare_singleton_domain: grant a domain of
#   type <type> the basic operations it needs on the label <self> it sees
#   when acting on itself (grant query/setup, its own mappings and physmap,
#   HVM parameters and altp2m, vNUMA information).
#   <self> is <type>_self for ordinary domains and <type> itself for
#   singleton types; in the latter case the same rules also apply between
#   any two domains carrying the type (see declare_singleton_domain).
define(`declare_domain_common', `
	allow $1 $2:grant { query setup };
	allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op };
	allow $1 $2:hvm { getparam setparam altp2mhvm_op };
	allow $1 $2:domain2 get_vnumainfo;
')
14
# declare_domain(type, attrs...)
#   Declare a domain type, along with associated _self and _channel types
#   Allow the domain to perform basic operations on itself
#   Any arguments after <type> are appended as further attributes of <type>
#   (the empty quotes after domain_type keep that word from merging with the
#   ifelse that follows). Operations a <type> domain performs on itself see
#   the target labelled <type>_self (type_transition on the domain class),
#   so unlike declare_singleton_domain the self-access rules from
#   declare_domain_common do not also apply between two distinct domains of
#   the same type. Event channels created by <type> towards any domain_type
#   are labelled <type>_channel.
define(`declare_domain', `
	type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
	type $1_self, domain_type, domain_self_type;
	type_transition $1 $1:domain $1_self;
	type $1_channel, event_type;
	type_transition $1 domain_type:event $1_channel;
	declare_domain_common($1, $1_self)
')
26
# declare_singleton_domain(type, attrs...)
#   Declare a domain type and associated _channel types.
#   Note: Because the domain can perform basic operations on itself and any
#   other domain of the same type, this constructor should be used for types
#   containing at most one domain. This is not enforced by policy.
#   No <type>_self type is declared; instead the inner define makes the m4
#   name <type>_self an alias for <type>, so macros written in terms of
#   <type>_self (domain_self_comms, use_device_*) still expand for singleton
#   types, and declare_domain_common is applied with <type> as its own
#   target.
define(`declare_singleton_domain', `
	type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
	define(`$1_self', `$1')
	type $1_channel, event_type;
	type_transition $1 domain_type:event $1_channel;
	declare_domain_common($1, $1)
')
39
# declare_build_label(type)
#   Declare a paired _building type for the given domain type
#   <type>_building is the label a domain carries while it is being
#   constructed through create_domain_build_label. Its event channels take
#   the same <type>_channel label, and it is allowed to transition into
#   <type> once built. It is still a domain_type, so rules written against
#   the domain_type attribute apply to the half-built domain as well.
define(`declare_build_label', `
	type $1_building, domain_type;
	type_transition $1_building domain_type:event $1_channel;
	allow $1_building $1 : domain transition;
')
47
# create_domain_common(priv, target)
#   Permissions a privileged domain <priv> needs to construct and configure
#   a domain labelled <target>: the domain/domain2 creation and setup
#   operations, checking a security context for it (security
#   check_context), enabling shadow paging, setting up its memory map and
#   mappings (mmu) and grant table (grant setup), and the hvm class
#   operations (get/setparam, hvmctl, sethvmc, nested, altp2m, dm).
#   Used by create_domain with the final label and by
#   create_domain_build_label with the interim _building label; the event
#   channel and relabelling rules live in those wrappers, not here.
define(`create_domain_common', `
	allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
			getdomaininfo hypercall setvcpucontext getscheduler
			getvcpuinfo getaddrsize getaffinity setaffinity
			settime setdomainhandle getvcpucontext set_misc_info };
	allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim
			set_vnumainfo get_vnumainfo cacheflush
			psr_cmt_op psr_alloc soft_reset
			resource_map get_cpu_policy };
	allow $1 $2:security check_context;
	allow $1 $2:shadow enable;
	allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
	allow $1 $2:grant setup;
	allow $1 $2:hvm { getparam hvmctl sethvmc
			setparam nested altp2mhvm altp2mhvm_op dm };
')
64
# create_domain(priv, target)
#   Allow a domain to be created directly
#   The new domain is created under its final label <target>; <priv> may
#   also create event channels labelled <target>_channel on its behalf.
define(`create_domain', `
	create_domain_common($1, $2)
	allow $1 $2_channel:event create;
')
71
# create_domain_build_label(priv, target)
#   Allow a domain to be created via its domain build label
#   The domain is constructed under the interim <target>_building label
#   (see declare_build_label) and relabelled to <target> when complete:
#   <priv> needs relabelfrom on the _building label and relabelto on the
#   final one, and the _building domain itself needs domain transition to
#   <target>. That transition rule is also emitted by declare_build_label;
#   allow rules accumulate, so the repetition is harmless. Event channels
#   created for the domain are labelled <target>_channel throughout.
define(`create_domain_build_label', `
	create_domain_common($1, $2_building)
	allow $1 $2_channel:event create;
	allow $1 $2_building:domain2 relabelfrom;
	allow $1 $2:domain2 relabelto;
	allow $2_building $2:domain transition;
')
81
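# manage_domain(priv, target)
#   Allow managing a running domain
#   Control-plane operations only: query state, pause/unpause/resume,
#   trigger, shutdown and destroy, affinity and scheduler changes, the
#   memory maximum and populate-on-demand targets, and vNUMA configuration.
#   No mmu, grant or hvm access is included, so <priv> cannot map or read
#   the memory of <target> through this macro alone.
define(`manage_domain', `
	allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
			getaddrsize pause unpause trigger shutdown destroy
			setaffinity setdomainmaxmem getscheduler resume
			setpodtarget getpodtarget };
	allow $1 $2:domain2 set_vnumainfo;
')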
91
# migrate_domain_out(priv, target)
#   Allow creation of a snapshot or migration image from a domain
#   (inbound migration is the same as domain creation)
#   <priv> may read the memory and state of <target> (mmu stat, pageinfo
#   and map_read; hvm gethvmc and getparam; vcpu context; tsc) but not
#   write it, and may toggle shadow log-dirty mode, which live migration
#   relies on to track pages changed during the copy. The map_read on
#   domxen_t is for the Xen-owned pages a save image also needs (confirm
#   against the domxen_t declaration elsewhere in the policy). pause and
#   destroy are included so the source can be frozen for the final pass and
#   torn down once the image is complete; a snapshot-only caller may prefer
#   to grant destroy separately.
define(`migrate_domain_out', `
	allow $1 domxen_t:mmu map_read;
	allow $1 $2:hvm { gethvmc getparam };
	allow $1 $2:mmu { stat pageinfo map_read };
	allow $1 $2:domain { getaddrsize getvcpucontext pause destroy };
	allow $1 $2:domain2 gettsc;
	allow $1 $2:shadow { enable disable logdirty };
')
103
104################################################################################
105#
106# Inter-domain communication
107#
108################################################################################
109
# create_channel(source, dest, chan-label)
#   This allows an event channel to be created from domains with labels
#   <source> to <dest> and will label it <chan-label>
#   The rule is one-directional: only <source> may create, send on and
#   query the status of channels labelled <chan-label>, and <dest> is only
#   allowed to bind to them. For two-way signalling call the macro again
#   with the roles swapped, as domain_event_comms does.
define(`create_channel', `
	allow $1 $3:event { create send status };
	allow $3 $2:event { bind };
')
117
# domain_event_comms(dom1, dom2)
#   Allow two domain types to communicate using event channels
#   Channels created by <dom1> towards <dom2> are labelled <dom1>_channel
#   and those created by <dom2> are labelled <dom2>_channel, matching the
#   type_transition rules in declare_domain, so each side may bind to the
#   channels the other creates.
define(`domain_event_comms', `
	create_channel($1, $2, $1_channel)
	create_channel($2, $1, $2_channel)
')
124
# domain_comms(dom1, dom2)
#   Allow two domain types to communicate using grants and event channels
#   Grant access is symmetric: either side may map (read and write), copy
#   and unmap pages the other has granted. The policy does not distinguish
#   a frontend from a backend here; if only one side should map the other,
#   write the create_channel and grant rules out explicitly instead.
define(`domain_comms', `
	domain_event_comms($1, $2)
	allow $1 $2:grant { map_read map_write copy unmap };
	allow $2 $1:grant { map_read map_write copy unmap };
')
132
# domain_self_comms(domain)
#   Allow a non-singleton domain type to communicate with itself using grants
#   and event channels
#   Written against <domain>_self, the label a domain sees when the target
#   is itself (declare_domain); the channels are labelled <domain>_channel.
#   If applied to a singleton type, <domain>_self expands to <domain>
#   itself, so the rules then cover any pair of domains carrying that type.
define(`domain_self_comms', `
	create_channel($1, $1_self, $1_channel)
	allow $1 $1_self:grant { map_read map_write copy unmap };
')
140
# device_model(dm_dom, hvm_dom)
#   Define how a device model domain interacts with its target
#   <hvm_dom>_target is the label under which <dm_dom> addresses the HVM
#   domain once it has been made its target (see the type_transition on the
#   domain class and the set_target permission); event channels of that
#   domain keep the <hvm_dom>_channel label. Signalling is set up both ways
#   via create_channel, and <dm_dom> may additionally create channels
#   carrying <hvm_dom>_channel. The device model receives only what it needs
#   to emulate: domain info and shutdown, mapping and physmap adjustment
#   (including target_hack), HVM parameter, hvmctl and dm operations, and
#   resource_map. It cannot create, destroy or pause the HVM domain through
#   this macro.
define(`device_model', `
	type $2_target, domain_type, domain_target_type;
	type_transition $2 $1:domain $2_target;
	allow $1 $2:domain set_target;

	type_transition $2_target domain_type:event $2_channel;
	create_channel($1, $2_target, $1_channel)
	create_channel($2, $1, $2_channel)
	allow $1 $2_channel:event create;

	allow $1 $2_target:domain { getdomaininfo shutdown };
	allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack };
	allow $1 $2_target:hvm { getparam setparam hvmctl dm };
	allow $1 $2_target:domain2 resource_map;
')
158
# make_device_model(priv, dm_dom, hvm_dom)
#   Allow creation of a device model and HVM domain pair
#   Pulls in device_model for the pair and additionally lets <priv> mark
#   <dm_dom> as privileged for <hvm_dom> (make_priv_for) and <hvm_dom> as a
#   device model target (set_as_target). Creating the two domains
#   themselves is not covered here; pair this with create_domain (or the
#   build-label variant) for both of them.
define(`make_device_model', `
	device_model($2, $3)
	allow $1 $2:domain2 make_priv_for;
	allow $1 $3:domain2 set_as_target;
')
166################################################################################
167#
168# Device types and delegation (PCI passthrough)
169#
170################################################################################
171
# use_device_iommu(domain, device)
#   Allow a device to be used by a domain
#   only if an IOMMU provides isolation.
#   Strictest of the three use_device_* variants: only the use_iommu
#   permission on <device> is granted, so (by contrast with the _nointremap
#   and _noiommu variants) assignment is refused when interrupt remapping or
#   the IOMMU itself is unavailable. Also lets <domain> exchange its own
#   memory (mmu exchange on <domain>_self, presumably for DMA-capable
#   buffers) and map I/O memory (map_read/map_write on domio_t).
define(`use_device_iommu', `
    allow $1 $1_self:mmu exchange;
    allow $1 $2:resource use_iommu;
    allow $1 domio_t:mmu { map_read map_write };
')
180
# use_device_iommu_nointremap(domain, device)
#   Allow a device to be used by a domain
#   only if an IOMMU is active, even if it does not support
#   interrupt remapping.
#   Allows acceptance of (typically older) less isolating hardware.
#   Superset of use_device_iommu (adds use_iommu_nointremap); the exchange
#   and domio_t rules are identical. The usual concern with missing
#   interrupt remapping is that a device under guest control can still
#   raise interrupts not intended for it, so prefer use_device_iommu where
#   the hardware allows.
define(`use_device_iommu_nointremap', `
    allow $1 $1_self:mmu exchange;
    allow $1 $2:resource { use_iommu use_iommu_nointremap };
    allow $1 domio_t:mmu { map_read map_write };
')
191
# use_device_noiommu(domain, device)
#   Allow a device to be used by a domain
#   even without an IOMMU available.
#   Most permissive of the three use_device_* variants: grants use_iommu,
#   use_iommu_nointremap and use_noiommu, so assignment proceeds whatever
#   the IOMMU state. Without an IOMMU the device can DMA to any host
#   memory, so this effectively trusts <domain> with the whole machine.
#   Note that admin_device pulls this variant in.
define(`use_device_noiommu', `
    allow $1 $1_self:mmu exchange;
    allow $1 $2:resource { use_iommu use_iommu_nointremap use_noiommu };
    allow $1 domio_t:mmu { map_read map_write };
')
200
# admin_device(domain, device)
#   Allow a device to be used and delegated by a domain
#   Full control over the device resource (setup, stat, add/remove of the
#   device, its IRQs, iomem and ioports, plug/unplug) plus binding its IRQs
#   for HVM (hvm bind_irq). Use itself is granted via use_device_noiommu,
#   i.e. the administering domain may also drive the device without IOMMU
#   isolation; swap in use_device_iommu here if that is not intended for a
#   given deployment.
define(`admin_device', `
    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
    allow $1 $2:hvm bind_irq;
    use_device_noiommu($1, $2)
')
208
# delegate_devices(priv-domain, target-domain)
#   Allow devices to be delegated
#   <priv-domain> may add resources to and remove them from
#   <target-domain>. This does not by itself let <target-domain> use a
#   delegated device: the target still needs its own use_device_* rule
#   against the device type, and the delegating side is expected to hold
#   admin_device on that device.
define(`delegate_devices', `
    allow $1 $2:resource { add remove };
')
214