Xen Statements
==============

Policy version 30 introduced the [`devicetreecon`](cil_xen_statements.md#devicetreecon) statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (a 32-bit count of 4K pages).

See the ["XSM/FLASK Configuration"](http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt) document for further information.

iomemcon
--------

Label I/O memory. This may be a single memory location or a range.

**Statement definition:**

    (iomemcon mem_addr|(mem_low mem_high) context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>iomemcon</code></p></td>
<td align="left"><p>The <code>iomemcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>mem_addr |</code></p>
<p><code>(mem_low mem_high)</code></p></td>
<td align="left"><p>A single memory address to apply the context to, or a range of addresses.</p>
<p>The entries must consist only of decimal digits <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for a memory address range of `0xfebe0-0xfebff`:

    (iomemcon (1043424 1043455) (unconfined.user object_r unconfined.object low_low))

ioportcon
---------

Label I/O ports. This may be a single port or a range.

**Statement definition:**

    (ioportcon port|(port_low port_high) context_id)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ioportcon</code></p></td>
<td align="left"><p>The <code>ioportcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>port |</code></p>
<p><code>(port_low port_high)</code></p></td>
<td align="left"><p>A single port to apply the context to, or a range of ports.</p>
<p>The entries must consist only of decimal digits <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for the single port `0xecc0`:

    (ioportcon 60608 (unconfined.user object_r unconfined.object low_low))

pcidevicecon
------------

Label a PCI device.

**Statement definition:**

    (pcidevicecon device context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>pcidevicecon</code></p></td>
<td align="left"><p>The <code>pcidevicecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>device</code></p></td>
<td align="left"><p>The device number. The entry must consist only of decimal digits <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for a PCI device address of `0xc800`:

    (pcidevicecon 51200 (unconfined.user object_r unconfined.object low_low))

pirqcon
-------

Label an interrupt level.

**Statement definition:**

    (pirqcon irq_level context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>pirqcon</code></p></td>
<td align="left"><p>The <code>pirqcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>irq_level</code></p></td>
<td align="left"><p>The interrupt request number. The entry must consist only of decimal digits <code>[0-9]</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for IRQ 33:

    (pirqcon 33 (unconfined.user object_r unconfined.object low_low))

devicetreecon
-------------

Label device tree nodes.

**Statement definition:**

    (devicetreecon path context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>devicetreecon</code></p></td>
<td align="left"><p>The <code>devicetreecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>The device tree path. If the path contains spaces, enclose it in double quotes (<code>&quot;&quot;</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for the specified path:

    (devicetreecon "/this is/a/path" (unconfined.user object_r unconfined.object low_low))
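
Every numeric argument in the five statements above must be written as decimal digits, so the page's `0xfebe0`, `0xecc0` and `0xc800` examples are all hand-converted hex values. The following Python helper is an added example, not part of the CIL reference or of the Xen project: it builds `iomemcon`, `ioportcon`, `pcidevicecon`, `pirqcon` and `devicetreecon` lines from human-readable input and rejects reversed ranges, out-of-range ports and unquoted paths with spaces. The `seg:bus:dev.fn` packing in `pcidevicecon` is assumed to follow Xen's `(seg << 16) | (bus << 8) | devfn` convention.

```python
# Anonymous context used by every example on this page.
CTX = "(unconfined.user object_r unconfined.object low_low)"

def _num(value):
    """CIL accepts only decimal digits [0-9]; take an int or a hex/decimal string."""
    n = int(value, 0) if isinstance(value, str) else int(value)
    if n < 0:
        raise ValueError(f"negative value {value!r} not allowed")
    return n

def _loc(low, high):
    """Render a single value, or a (low high) pair for a range; return its top."""
    lo = _num(low)
    hi = lo if high is None else _num(high)
    if hi < lo:
        raise ValueError(f"range {low!r}-{high!r} is reversed")
    return hi, (str(lo) if high is None else f"({lo} {hi})")

def iomemcon(low, high=None, ctx=CTX):
    """Label an I/O memory location or range (64-bit since policy version 30)."""
    hi, loc = _loc(low, high)
    if hi >= 1 << 64:
        raise ValueError("I/O memory value exceeds 64 bits")
    return f"(iomemcon {loc} {ctx})"

def ioportcon(low, high=None, ctx=CTX):
    """Label an I/O port or port range (x86 port numbers are 16-bit)."""
    hi, loc = _loc(low, high)
    if hi > 0xFFFF:
        raise ValueError("I/O port exceeds 0xffff")
    return f"(ioportcon {loc} {ctx})"

def pcidevicecon(seg, bus, dev, fn, ctx=CTX):
    """Label PCI seg:bus:dev.fn, packed as (seg<<16)|(bus<<8)|(dev<<3)|fn.
    That packing is Xen's machine_bdf convention and is an assumption here."""
    if not (0 <= seg <= 0xFFFF and 0 <= bus <= 0xFF and 0 <= dev <= 31 and 0 <= fn <= 7):
        raise ValueError("PCI address component out of range")
    return f"(pcidevicecon {(seg << 16) | (bus << 8) | (dev << 3) | fn} {ctx})"

def pirqcon(irq, ctx=CTX):
    """Label an interrupt request number."""
    return f"(pirqcon {_num(irq)} {ctx})"

def devicetreecon(path, ctx=CTX):
    """Label a device tree node; quote the path only when it contains spaces."""
    if '"' in path:
        raise ValueError("double quotes are not allowed inside the path")
    quoted = f'"{path}"' if any(c.isspace() for c in path) else path
    return f"(devicetreecon {quoted} {ctx})"
```

Calling `iomemcon("0xfebe0", "0xfebff")`, `ioportcon("0xecc0")`, `pcidevicecon(0, 0xc8, 0, 0)`, `pirqcon(33)` and `devicetreecon("/this is/a/path")` reproduces the five example lines on this page.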