Xen Statements
==============

Policy version 30 introduced the [`devicetreecon`](cil_xen_statements.md#devicetreecon) statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (the previous 32-bit count of 4K pages covers 44 bits).

See the ["XSM/FLASK Configuration"](http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt) document for further information.

iomemcon
--------

Label I/O memory. This may be a single memory location or a range.

**Statement definition:**

    (iomemcon mem_addr|(mem_low mem_high) context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>iomemcon</code></p></td>
<td align="left"><p>The <code>iomemcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>mem_addr |</code></p>
<p><code>(mem_low mem_high)</code></p></td>
<td align="left"><p>A single memory address to apply the context to, or a range of addresses.</p>
<p>The entries must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for a memory address range of `0xfebe0-0xfebff`:

    (iomemcon (1043424 1043455) (unconfined.user object_r unconfined.object low_low))

ioportcon
---------

Label I/O ports. This may be a single port or a range.

**Statement definition:**

    (ioportcon port|(port_low port_high) context_id)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ioportcon</code></p></td>
<td align="left"><p>The <code>ioportcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>port |</code></p>
<p><code>(port_low port_high)</code></p></td>
<td align="left"><p>A single port to apply the context to, or a range of ports.</p>
<p>The entries must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for the single port `0xecc0`:

    (ioportcon 60608 (unconfined.user object_r unconfined.object low_low))

pcidevicecon
------------

Label a PCI device.

**Statement definition:**

    (pcidevicecon device context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>pcidevicecon</code></p></td>
<td align="left"><p>The <code>pcidevicecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>device</code></p></td>
<td align="left"><p>The device number. The entries must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for a PCI device address of `0xc800`:

    (pcidevicecon 51200 (unconfined.user object_r unconfined.object low_low))

pirqcon
-------

Label an interrupt level.

**Statement definition:**

    (pirqcon irq_level context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>pirqcon</code></p></td>
<td align="left"><p>The <code>pirqcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>irq_level</code></p></td>
<td align="left"><p>The interrupt request number. The entries must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for IRQ 33:

    (pirqcon 33 (unconfined.user object_r unconfined.object low_low))

devicetreecon
-------------

Label device tree nodes.

**Statement definition:**

    (devicetreecon path context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>devicetreecon</code></p></td>
<td align="left"><p>The <code>devicetreecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>The device tree path. If this contains spaces, enclose it within <code>&quot;&quot;</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for the specified path:

    (devicetreecon "/this is/a/path" (unconfined.user object_r unconfined.object low_low))
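
The five statements above share one shape: a numeric resource identifier (or an ordered range of them) and a context that is either a declared identifier or a complete anonymous `(user role type levelrange)`. The most common mistakes when hand-writing them are passing the hex address from a datasheet instead of the decimal form CIL expects, reversing a range, and dropping the level range from an anonymous context. The following Python helper, an added example that is not part of the CIL reference or of any SELinux or Xen project code, generates all five statement forms from the hex addresses used in this page's prose and rejects those mistakes before the policy reaches the compiler. The 64-bit I/O memory bound is taken from the version-30 note above; the 16-bit I/O port bound, the identifier pattern and the function names are assumptions of this example.

```python
"""Build and sanity-check the Xen CIL resource-labelling statements on this page.

Added example (not project code): converts the hex addresses the prose uses
into the decimal forms CIL requires and refuses inputs the statement
definitions would reject.
"""
import re

# An anonymous context is exactly: user role type levelrange. The level range
# is mandatory even when the policy is not MLS/MCS enabled.
ANON_CONTEXT_FIELDS = 4

# Bounds: I/O memory ranges were widened to 64 bits in policy version 30.
# The 16-bit port limit is an assumption of this example (x86 I/O port space).
IOMEM_MAX = (1 << 64) - 1
IOPORT_MAX = 0xFFFF


def _numeric(value, what, upper=None):
    """Accept only a non-negative integer within the bound; return it in decimal."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{what} must be a non-negative integer, got {value!r}")
    if upper is not None and value > upper:
        raise ValueError(f"{what} {value:#x} exceeds the maximum {upper:#x}")
    return str(value)  # CIL takes the decimal form, e.g. 0xecc0 -> 60608


def _context(context):
    """A declared context identifier, or an anonymous (user role type levelrange)."""
    if isinstance(context, str):
        # Identifier pattern is an assumption of this example, not CIL's grammar.
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*", context):
            raise ValueError(f"bad context identifier {context!r}")
        return context
    parts = list(context)
    if len(parts) != ANON_CONTEXT_FIELDS or not all(isinstance(p, str) and p for p in parts):
        raise ValueError("anonymous context needs user role type levelrange; "
                         "the range must be given even for non-MLS policy")
    return "(" + " ".join(parts) + ")"


def _single_or_range(low, high, what, upper):
    """Emit `n` for a single value or `(low high)` for an ordered range."""
    if high is None:
        return _numeric(low, what, upper)
    lo, hi = _numeric(low, what, upper), _numeric(high, what, upper)
    if low > high:
        raise ValueError(f"{what} range {low:#x}-{high:#x} is reversed")
    return f"({lo} {hi})"


def iomemcon(mem_low, mem_high=None, *, context):
    """(iomemcon mem_addr|(mem_low mem_high) context_id)"""
    return f"(iomemcon {_single_or_range(mem_low, mem_high, 'memory address', IOMEM_MAX)} {_context(context)})"


def ioportcon(port_low, port_high=None, *, context):
    """(ioportcon port|(port_low port_high) context_id)"""
    return f"(ioportcon {_single_or_range(port_low, port_high, 'port', IOPORT_MAX)} {_context(context)})"


def pcidevicecon(device, *, context):
    """(pcidevicecon device context_id)"""
    return f"(pcidevicecon {_numeric(device, 'device')} {_context(context)})"


def pirqcon(irq_level, *, context):
    """(pirqcon irq_level context_id)"""
    return f"(pirqcon {_numeric(irq_level, 'irq')} {_context(context)})"


def devicetreecon(path, *, context):
    """(devicetreecon path context_id); paths containing spaces are double-quoted."""
    quoted = f'"{path}"' if any(c.isspace() for c in path) else path
    return f"(devicetreecon {quoted} {_context(context)})"


def parse_hex_range(text):
    """Turn '0xfebe0-0xfebff' or '0xecc0' into (low, high) integers; high is None for a single value."""
    m = re.fullmatch(r"\s*0x([0-9a-fA-F]+)(?:\s*-\s*0x([0-9a-fA-F]+))?\s*", text)
    if not m:
        raise ValueError(f"expected a hex value or range, got {text!r}")
    low = int(m.group(1), 16)
    high = int(m.group(2), 16) if m.group(2) else None
    return low, high


if __name__ == "__main__":
    # The anonymous context and addresses used in this page's examples.
    anon = ("unconfined.user", "object_r", "unconfined.object", "low_low")
    for line in (
        iomemcon(*parse_hex_range("0xfebe0-0xfebff"), context=anon),
        ioportcon(*parse_hex_range("0xecc0"), context=anon),
        pcidevicecon(0xc800, context=anon),
        pirqcon(33, context=anon),
        devicetreecon("/this is/a/path", context=anon),
    ):
        print(line)
```

Running the module prints exactly the five example statements from this page. The checks are deliberately conservative: a reversed range or a three-field anonymous context fails here with a clear message rather than producing a statement the policy compiler rejects, or worse, one it accepts with a different meaning than intended.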
    201