[PATCH] flask/policy: allow dom0 to use PHYSDEVOP_pci_mmcfg_reserved

[PATCH] flask/policy: allow dom0 to use PHYSDEVOP_pci_mmcfg_reserved

[Daniel De Graaf]

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 tools/flask/policy/modules/dom0.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
index dfdcdcd128..a0566671d6 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -66,6 +66,9 @@ allow dom0_t security_t:security { load_policy setenforce setbool };
 # Audit policy change events even when they are allowed
 auditallow dom0_t security_t:security { load_policy setenforce setbool };
 
+# Allow dom0 to report platform configuration changes back to the hypervisor
+allow dom0_t xen_t:resource setup;
+
 admin_device(dom0_t, device_t)
 admin_device(dom0_t, irq_t)
 admin_device(dom0_t, ioport_t)
-- 
2.14.5


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] flask/policy: allow dom0 to use PHYSDEVOP_pci_mmcfg_reserved

[Andrew Cooper]

On 02/11/18 17:46, Daniel De Graaf wrote:
> Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel