Xen Statements
==============

Policy version 30 introduced the [`devicetreecon`](cil_xen_statements.md#devicetreecon) statement and widened the I/O memory range fields from 32 to 64 bits. `iomemcon` addresses are expressed as 4K page numbers, so a 32-bit page number covers only 44 bits of physical address space, which some hardware exceeds.

See the ["XSM/FLASK Configuration"](http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt) document for further information.

iomemcon
--------

Label I/O memory. This may be a single 4K page or an inclusive range of pages.

**Statement definition:**

    (iomemcon mem_addr|(mem_low mem_high) context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>iomemcon</code></p></td>
<td align="left"><p>The <code>iomemcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>mem_addr |</code></p>
<p><code>(mem_low mem_high)</code></p></td>
<td align="left"><p>A single memory address (4K page number) to apply the context to, or an inclusive range of addresses.</p>
<p>The entries must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The level range MUST be given whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for the page range `0xfebe0-0xfebff`, written in decimal:

    (iomemcon (1043424 1043455) (unconfined.user object_r unconfined.object low_low))

ioportcon
---------

Label I/O ports. This may be a single port or an inclusive range of ports.

**Statement definition:**

    (ioportcon port|(port_low port_high) context_id)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ioportcon</code></p></td>
<td align="left"><p>The <code>ioportcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>port |</code></p>
<p><code>(port_low port_high)</code></p></td>
<td align="left"><p>A single port to apply the context to, or an inclusive range of ports.</p>
<p>The entries must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The level range MUST be given whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for the single port `0xecc0`, written in decimal:

    (ioportcon 60608 (unconfined.user object_r unconfined.object low_low))

pcidevicecon
------------

Label a PCI device.

**Statement definition:**

    (pcidevicecon device context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>pcidevicecon</code></p></td>
<td align="left"><p>The <code>pcidevicecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>device</code></p></td>
<td align="left"><p>The device number. The entry must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The level range MUST be given whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for the PCI device `0xc800`, written in decimal:

    (pcidevicecon 51200 (unconfined.user object_r unconfined.object low_low))

pirqcon
-------

Label a physical interrupt request (IRQ).

**Statement definition:**

    (pirqcon irq_level context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>pirqcon</code></p></td>
<td align="left"><p>The <code>pirqcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>irq_level</code></p></td>
<td align="left"><p>The interrupt request number. The entry must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The level range MUST be given whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for IRQ 33:

    (pirqcon 33 (unconfined.user object_r unconfined.object low_low))

devicetreecon
-------------

Label a device tree node.

**Statement definition:**

    (devicetreecon path context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>devicetreecon</code></p></td>
<td align="left"><p>The <code>devicetreecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>The device tree path. If it contains spaces, enclose it in <code>""</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The level range MUST be given whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for the specified path:

    (devicetreecon "/this is/a/path" (unconfined.user object_r unconfined.object low_low))
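All five statements take their numeric operands in decimal, while addresses, ports and PCI identifiers are usually known in hex, and `iomemcon` wants 4K page numbers rather than byte addresses. The following is an added example, not part of the CIL reference or of libsepol/secilc, that converts such inputs, enforces the bounds (16-bit ports, ordered ranges, the mandatory level range in an anonymous context, no unescapable quote in a device tree path) and emits statement text for all five keywords; it also reports when an I/O memory range needs the 64-bit field of policy version 30 or later. The MMIO window, the PCI value and the context names are constructed from the examples above; the 32-bit limits used for `pcidevicecon` and `pirqcon` are an assumption about the size of those CIL fields.

```python
"""Emit and sanity-check CIL Xen labelling statements from hex inputs.

Added example, not part of the CIL reference or of libsepol/secilc.  CIL
takes the numeric operands as decimal integers, so the conversion and the
bounds checks are done before the statement text is produced.
"""
from __future__ import annotations

from typing import Sequence, Tuple, Union

# A context is either a declared context identifier or (user role type levelrange).
Context = Union[str, Sequence[str]]

PAGE_SHIFT = 12            # iomemcon addresses are 4K page numbers, not bytes
MAX_PORT = 0xFFFF          # x86 I/O port space is 16 bits wide
MAX_PAGE_V29 = 2**32 - 1   # page number field before policy version 30
MAX_PAGE_V30 = 2**64 - 1   # page number field from policy version 30 on
MAX_U32 = 2**32 - 1        # assumed width of the pcidevicecon / pirqcon fields


def _context(ctx: Context) -> str:
    """Render a context as CIL text: a bare identifier or an anonymous (u r t lr)."""
    if isinstance(ctx, str):
        if not ctx or any(c.isspace() for c in ctx):
            raise ValueError(f"bad context identifier: {ctx!r}")
        return ctx
    parts = list(ctx)
    # The level range is mandatory even in a non-MLS policy: exactly four parts.
    if len(parts) != 4 or not all(isinstance(p, str) and p for p in parts):
        raise ValueError("anonymous context needs (user role type levelrange)")
    return "(" + " ".join(parts) + ")"


def _uint(value: int, limit: int, what: str) -> int:
    """Reject anything that is not a non-negative integer within `limit`."""
    if not isinstance(value, int) or isinstance(value, bool):
        raise TypeError(f"{what} must be an int")
    if not 0 <= value <= limit:
        raise ValueError(f"{what} {value:#x} out of range 0..{limit:#x}")
    return value


def _number_or_range(spec, limit: int, what: str) -> str:
    """Render `n` or `(low high)` in decimal; both bounds are validated and ordered."""
    if isinstance(spec, int):
        return str(_uint(spec, limit, what))
    low, high = spec
    low, high = _uint(low, limit, what), _uint(high, limit, what)
    if low > high:
        raise ValueError(f"{what} range reversed: {low:#x} > {high:#x}")
    return f"({low} {high})"


def iomemcon(pages, ctx: Context) -> str:
    """Label a 4K page number or an inclusive (low, high) page range."""
    return f"(iomemcon {_number_or_range(pages, MAX_PAGE_V30, 'page')} {_context(ctx)})"


def ioportcon(ports, ctx: Context) -> str:
    """Label an I/O port or an inclusive (low, high) port range."""
    return f"(ioportcon {_number_or_range(ports, MAX_PORT, 'port')} {_context(ctx)})"


def pcidevicecon(device: int, ctx: Context) -> str:
    return f"(pcidevicecon {_uint(device, MAX_U32, 'device')} {_context(ctx)})"


def pirqcon(irq: int, ctx: Context) -> str:
    return f"(pirqcon {_uint(irq, MAX_U32, 'irq')} {_context(ctx)})"


def devicetreecon(path: str, ctx: Context) -> str:
    """Quote the path when it contains whitespace; CIL strings cannot escape a quote."""
    if '"' in path:
        raise ValueError("device tree path must not contain a double quote")
    if any(c.isspace() for c in path):
        path = f'"{path}"'
    return f"(devicetreecon {path} {_context(ctx)})"


def phys_to_pages(start: int, end: int) -> Tuple[int, int]:
    """Convert an inclusive physical byte range into the page numbers iomemcon uses."""
    if end < start:
        raise ValueError("end address before start address")
    return start >> PAGE_SHIFT, end >> PAGE_SHIFT


def needs_64bit_iomem(pages) -> bool:
    """True when the range does not fit the 32-bit field of pre-version-30 policy."""
    high = pages if isinstance(pages, int) else max(pages)
    return high > MAX_PAGE_V29


if __name__ == "__main__":
    ctx = ("unconfined.user", "object_r", "unconfined.object", "low_low")
    # Constructed inputs: the MMIO window behind the 0xfebe0-0xfebff example above,
    # plus a window that starts at 44 bits of physical address space.
    for line in (
        iomemcon(phys_to_pages(0xFEBE0000, 0xFEBFFFFF), ctx),
        ioportcon(0xECC0, ctx),
        pcidevicecon(0xC800, ctx),
        pirqcon(33, ctx),
        devicetreecon("/this is/a/path", ctx),
    ):
        print(line)
    big = phys_to_pages(0x1000_0000_0000, 0x1000_0000_FFFF)
    print("needs policy version >= 30:", needs_64bit_iomem(big))
```

Running the module prints the five statements from the examples above in their decimal form. The output is only meaningful in a policy compiled for the Xen target (for example `secilc -t xen`), since these keywords describe Xen objects rather than SELinux ones.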