Hi,

Default XSM policy doesn't allow the use of unlabeled PCI resources that have been passed through to target domain.

xen.te
# Resources must be declared using . resource_type
neverallow * ~resource_type:resource use;

It allows the resource to be added and removed by the source domain to target domain, but its use by target domain is blocked.

The resource can be used only if it has been labeled using flask-label-pci command which needs to be rerun after every boot and after every policy reload.

The above approach reduces flexibility and necessitates admin intervention to give passthrough rights after the host has booted. Also, in general, if I want to allow all domUs to have PCI passthrough access to all PCI devices, I have no other way apart from disabling the "neverallow" rule.

Given that what we ship is just a sample default policy for reference, which is expected to be permissive in most scenarios so that it doesn't affect the basic functionality, is this "neverallow" rule needed?

Thanks
Anshul Makkar
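For readers following the thread: the following policy fragment is an added illustration, not part of the original mail or of Xen's shipped policy files. It shows the two-part labeling the neverallow rule above demands (a resource_type declaration in xen.te plus a static label in device_contexts) so the passed-through device is usable by the target domain without re-running flask-label-pci after each boot or policy reload. The type and domain names (nic_dev_t, dom0_t, domU_t), the admin_device/use_device macros and the PCI BDF are assumptions modeled on the sample policy; check them against the policy version actually in use.

```text
# --- xen.te (added fragment, assumed names) ---
# Declaring the type with the resource_type attribute is what satisfies
#   neverallow * ~resource_type:resource use;
# Any device labeled with this type may then be granted "use".
type nic_dev_t, resource_type;

# The source domain (dom0) may add/remove the device to/from a guest;
# the target domain (domU) may actually use the labeled resource.
admin_device(dom0_t, nic_dev_t)
use_device(domU_t, nic_dev_t)

# --- device_contexts (added fragment, constructed BDF) ---
# Static label applied when the policy is loaded, so no flask-label-pci
# step is needed after boot or policy reload. The BDF is a placeholder.
pcidevice 0000:03:00.0 system_u:object_r:nic_dev_t
```

With the static label in place, a device that was merely passed through but never labeled would still be denied "use", which is the check the neverallow rule exists to enforce.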

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel