selinux/secilc/docs/cil_xen_statements.md

Xen Statements

Policy version 30 introduced the devicetreecon statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (32-bit count of 4K pages).

See the "XSM/FLASK Configuration" document for further information.

iomemcon

Label I/O memory. This may be a single memory location or a range.

Statement definition:

(iomemcon mem_addr|(mem_low mem_high) context_id)

Where:

iomemcon

The iomemcon keyword.

mem_addr | (mem_low mem_high)

A single memory address to apply the context to, or a range of addresses.

The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange). The range MUST be defined whether or not the policy is MLS/MCS enabled.

Example:

An anonymous context for a memory address range of 0xfebe0-0xfebff:

(iomemcon (1043424 1043455) (unconfined.user object_r unconfined.object low_low))

ioportcon

Label I/O ports. This may be a single port or a range.

Statement definition:

(ioportcon port|(port_low port_high) context_id)

Where:

ioportcon

The ioportcon keyword.

port | (port_low port_high)

A single port to apply the context to, or a range of ports.

The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange). The range MUST be defined whether or not the policy is MLS/MCS enabled.

Example:

An anonymous context for the single port 0xecc0:

(ioportcon 60608 (unconfined.user object_r unconfined.object low_low))

pcidevicecon

Label a PCI device.

Statement definition:

(pcidevicecon device context_id)

Where:

pcidevicecon

The pcidevicecon keyword.

device

The device number. The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange). The range MUST be defined whether or not the policy is MLS/MCS enabled.

Example:

An anonymous context for a PCI device address of 0xc800:

(pcidevicecon 51200 (unconfined.user object_r unconfined.object low_low))

pirqcon

Label an interrupt level.

Statement definition:

(pirqcon irq_level context_id)

Where:

pirqcon

The pirqcon keyword.

irq_level

The interrupt request number. The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange). The range MUST be defined whether or not the policy is MLS/MCS enabled.

Example:

An anonymous context for IRQ 33:

(pirqcon 33 (unconfined.user object_r unconfined.object low_low))

devicetreecon

Label device tree nodes.

Statement definition:

(devicetreecon path context_id)

Where:

devicetreecon

The devicetreecon keyword.

path

The device tree path. If it contains spaces, enclose it in double quotes ("").

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange). The range MUST be defined whether or not the policy is MLS/MCS enabled.

Example:

An anonymous context for the specified path:

(devicetreecon "/this is/a/path" (unconfined.user object_r unconfined.object low_low))
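The statements above take their addresses, ports and IRQs as plain decimal digits even though hardware documentation gives them in hex. The following added example (not part of the secilc documentation or the secilc tool) emits the four numeric Xen statements from hex literals, enforcing the 64-bit I/O memory and 16-bit I/O port bounds, and then parses a policy fragment to flag iomemcon/ioportcon ranges that overlap; the regular expression, the `SAMPLE` fragment and the overlap rule are this example's own constructs.

```python
import re
# Bounds: I/O memory is 64-bit (policy version 30), x86 I/O ports 16-bit;
# pcidevicecon and pirqcon take a single value, never a range.
RANGED = {"iomemcon": 1 << 64, "ioportcon": 1 << 16}
SINGLE = {"pcidevicecon", "pirqcon"}
DEFAULT_CTX = "(unconfined.user object_r unconfined.object low_low)"

def xen_con(kind, low, high=None, context=DEFAULT_CTX):
    """Emit one CIL Xen statement; ints (e.g. hex literals) come out as decimal."""
    if kind in SINGLE and high not in (None, low):
        raise ValueError(f"{kind} labels a single value, not a range")
    high = low if high is None else high
    if not 0 <= low <= high < RANGED.get(kind, float("inf")):
        raise ValueError(f"{kind}: value out of range {low:#x}-{high:#x}")
    value = str(low) if low == high else f"({low} {high})"
    return f"({kind} {value} {context})"

# Single value or (low high) pair, then a context id or an anonymous context.
_STMT = re.compile(
    r"\((iomemcon|ioportcon)\s+(?:(\d+)|\(\s*(\d+)\s+(\d+)\s*\))\s+(\([^)]*\)|\S+)\s*\)")

def parse_ranges(policy_text):
    """Return (kind, low, high, context) for each iomemcon/ioportcon found."""
    found = []
    for m in _STMT.finditer(policy_text):
        kind, one, lo, hi, ctx = m.groups()
        low, high = (int(one), int(one)) if one else (int(lo), int(hi))
        found.append((kind, low, high, ctx))
    return found

def overlaps(policy_text):
    """Pairs of same-kind statements whose ranges intersect: the same port or
    memory page labelled twice is ambiguous and worth reviewing before compiling."""
    entries = parse_ranges(policy_text)
    clashes = []
    for i, (k1, l1, h1, _) in enumerate(entries):
        for k2, l2, h2, _ in entries[i + 1:]:
            if k1 == k2 and l1 <= h2 and l2 <= h1:
                clashes.append((k1, (l1, h1), (l2, h2)))
    return clashes

# Constructed sample: the document's four numeric examples plus one ioportcon
# range that overlaps the single 0xecc0 port.
SAMPLE = "\n".join([
    xen_con("iomemcon", 0xfebe0, 0xfebff),
    xen_con("ioportcon", 0xecc0),
    xen_con("ioportcon", 0xecc0, 0xecdf),
    xen_con("pcidevicecon", 0xc800),
    xen_con("pirqcon", 33),
])
```

Running `overlaps(SAMPLE)` reports the two ioportcon statements that both cover port 60608 (0xecc0).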