
[Xen-devel] [PATCH] Add support for Xen device policies



Add support for Xen ocontext records to enable device policies.  The
default policy will not be changed and instructions have been added to
enable the new functionality.  Examples on how to use the new policy
language have been added but commented out.  The newest version of
checkpolicy (>= 2.0.20) and libsepol (>= 2.0.39) is needed in order to
compile it.  Devices can be labeled and enforced using the following new
commands: pirqcon, iomemcon, ioportcon and pcidevicecon.

Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>

Signed-off-by: Paul Nuzzi <pjnuzzi@xxxxxxxxxxxxxx>

---

 docs/misc/xsm-flask.txt                      |   64 ++++++++++++++++++++++++
 tools/flask/policy/Makefile                  |   20 ++++++-
 tools/flask/policy/policy/modules/xen/xen.if |   31 +++++++++++
 tools/flask/policy/policy/modules/xen/xen.te |   35 +++++++++++++
 xen/xsm/flask/avc.c                          |    2
 xen/xsm/flask/hooks.c                        |   31 ++++++++---
 xen/xsm/flask/include/avc.h                  |    6 --
 xen/xsm/flask/ss/policydb.c                  |   71 +++++++++++++++++++++++++--
 xen/xsm/flask/ss/policydb.h                  |   23 ++++++--
 xen/xsm/flask/ss/services.c                  |    9 +--
 10 files changed, 263 insertions(+), 29 deletions(-)

Attachment: device_ocontexts.patch
Description: Text Data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

