# Every rule in this section has domain_type as its subject, i.e. it applies
# to all guest domains alike. Anything that should be limited to a subset of
# domains belongs in a narrower rule elsewhere, not here.

# Allow all domains to use PMU (but not to change its settings --- that's what
# pmu_ctrl is for)
allow domain_type xen_t:xen2 pmu_use;

# Allow all domains to enable the Argo interdomain communication hypercall;
# to register single-sender (unicast) rings to partner with any domain;
# to register any-sender (wildcard) rings that can be sent to by any domain;
# and send messages to rings.
# NOTE(review): register_any_source is the permission that makes a ring
# reachable from every other domain; if wildcard rings are not needed for a
# deployment, restricting it to specific domain types is the place to start.
allow domain_type xen_t:argo { enable register_any_source };
# Subject and target are both domain_type here, so at the XSM level this
# permits send / unicast-ring registration between any pair of domains; any
# finer-grained separation between domain types has to come from rules that
# are more specific than this one.
allow domain_type domain_type:argo { send register_single_source };

# Allow guest console output to the serial console. This is used by PV Linux
# and stub domains for early boot output, so don't audit even when we deny it.
# Without XSM, this is enabled only if Xen was compiled in debug mode.
# gen_bool declares the policy boolean with a default of true. Note that the
# else branch deliberately uses dontaudit: when console output is disabled,
# guest attempts to write it are denied silently, so there is no audit trail
# of them by design.
gen_bool(guest_writeconsole, true)
if (guest_writeconsole) {
    allow domain_type xen_t : xen writeconsole;
} else {
    dontaudit domain_type xen_t : xen writeconsole;
}

# For normal guests, allow all queries except XENVER_commandline and
# XENVER_build_id; those two are intentionally absent from this set and are
# covered by the dontaudit rule below.
allow domain_type xen_t:version {
    xen_extraversion xen_compile_info xen_capabilities
    xen_changeset xen_pagesize xen_guest_handle
};

# Version queries don't need auditing when denied. They can be
# encountered in normal operation by xl or by reading sysfs files in
# Linux, so without this they will show up in the logs. Since these
# operations return valid responses (like "denied"), hiding the denials
# should not break anything.
# The permissions listed here are still denied (dontaudit never grants
# anything); it only suppresses the log entry for the denial.
dontaudit domain_type xen_t:version {
    xen_commandline xen_build_id
};