################################################################################
#
# Allow dom0 access to all sysctls, devices, and the security server.
#
# While this could be written more briefly using wildcards, the permissions are
# listed out to make removing specific permissions simpler.
#
# Every rule below grants something to dom0_t; a reduced-privilege dom0 is
# therefore built by deleting entries from this file rather than adding any.
# Rule form: allow <source type> <target type>:<object class> { <permissions> };
#
################################################################################

# Hypervisor-wide sysctl-style operations (object class xen). Note that several
# of these change hypervisor or platform code/state rather than merely read it
# (e.g. kexec, microcode, firmware, settime), and debug/heap/lockprof expose
# hypervisor internals, so they are the first candidates to drop when dom0 is
# not meant to be fully trusted.
allow dom0_t xen_t:xen {
    settime tbufcontrol readconsole clearconsole perfcontrol mtrr_add
    mtrr_del mtrr_read microcode physinfo quirk writeconsole readapic
    writeapic privprofile nonprivprofile kexec firmware sleep frequency
    getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op
    getscheduler setscheduler hypfs_op
};
# Later additions live in the xen2 class (the xen class ran out of permission
# bits). livepatch_op gates the hypervisor live-patching hypercall, i.e. it
# allows modifying the running hypervisor, and deserves the same scrutiny as
# kexec/microcode above.
allow dom0_t xen_t:xen2 {
    resource_op psr_cmt_op psr_alloc pmu_ctrl get_symbol
    get_cpu_levelling_caps get_cpu_featureset livepatch_op
    coverage_op
};

# Allow dom0 to use all XENVER_ subops that have checks.
# Note that dom0 is part of domain_type so this has duplicates: the generic
# domain_type rules defined elsewhere in the policy already grant part of this
# set, and repeating them here keeps dom0's grant readable on its own.
allow dom0_t xen_t:version {
    xen_extraversion xen_compile_info xen_capabilities
    xen_changeset xen_pagesize xen_guest_handle xen_commandline
    xen_build_id
};

# Allow dom0 to read the machine memory map (mmu class, memorymap permission).
allow dom0_t xen_t:mmu memorymap;

# Allow dom0 to use these domctls on itself. For domctls acting on other
# domains, see the definitions of create_domain and manage_domain.
# Source and target are both dom0_t here, so nothing in this section grants
# control over any other domain.
allow dom0_t dom0_t:domain {
    setvcpucontext max_vcpus setaffinity getaffinity getscheduler
    getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
    setdebugging hypercall settime setaddrsize getaddrsize trigger
    getpodtarget setpodtarget set_misc_info set_virq_handler
};
# domain2 holds the domctls added after the domain class filled up.
allow dom0_t dom0_t:domain2 {
    set_cpu_policy gettsc settsc setscheduler set_vnumainfo
    get_vnumainfo psr_cmt_op psr_alloc get_cpu_policy
};
# Allow dom0 to add and remove resources on itself (presumably device
# assignment to/from dom0 — confirm against the resource class definition).
allow dom0_t dom0_t:resource { add remove };

# These permissions allow using the FLASK security server to compute access
# checks locally, which could be used by a domain or service (such as xenstore)
# that does not have its own security server to make access decisions based on
# Xen's security policy.
# Only the compute_* (query) permissions are granted in this rule; the
# permissions that modify the security server's state or policy are granted
# one rule at a time below so each can be audited or removed independently.
allow dom0_t security_t:security {
    compute_av compute_create compute_member compute_relabel
};

# Allow string/SID conversions (for "xl list -Z" and similar)
allow dom0_t security_t:security check_context;

# Allow flask-label-pci to add and change labels
allow dom0_t security_t:security { add_ocontext del_ocontext };

# Allow performance parameters of the security server to be tweaked
allow dom0_t security_t:security setsecparam;

# Allow changing the security policy. These three permissions let dom0 replace
# the policy, switch enforcing/permissive mode, or flip policy booleans, i.e.
# change every other decision in this file.
allow dom0_t security_t:security { load_policy setenforce setbool };

# Audit policy change events even when they are allowed. auditallow does not
# grant anything by itself; combined with the allow rule above it makes each
# successful policy change produce an audit record, so the log shows when and
# how the enforced policy was altered.
auditallow dom0_t security_t:security { load_policy setenforce setbool };

# Allow dom0 to report platform configuration changes back to the hypervisor
allow dom0_t xen_t:resource setup;

# admin_device() and domain_comms() are macros defined outside this file.
# admin_device(dom0_t, X) presumably grants dom0_t the administrative
# permissions on the X device class (physical devices, IRQs, I/O ports and
# I/O memory respectively) — confirm against the macro definition.
admin_device(dom0_t, device_t)
admin_device(dom0_t, irq_t)
admin_device(dom0_t, ioport_t)
admin_device(dom0_t, iomem_t)

# domain_comms(dom0_t, dom0_t): dom0 may communicate with itself (looks like
# event-channel and grant permissions between the two arguments — verify
# against the macro).
domain_comms(dom0_t, dom0_t)