Xen Statements
==============

Policy version 30 introduced the [`devicetreecon`](cil_xen_statements.md#devicetreecon) statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (32-bit count of 4K pages).

See the ["XSM/FLASK Configuration"](http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt) document for further information.

iomemcon
--------

Label i/o memory. This may be a single memory location or a range.

**Statement definition:**

```secil
    (iomemcon mem_addr|(mem_low mem_high) context_id)
```

**Where:**

iomemcon

The iomemcon keyword.

mem_addr |

(mem_low mem_high)

A single memory address to apply the context, or a range of addresses.

The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for a memory address range of `0xfebe0-0xfebff`:

```secil
    (iomemcon (1043424 1043455) (unconfined.user object_r unconfined.object low_low))
```

ioportcon
---------

Label i/o ports. This may be a single port or a range.

**Statement definition:**

```secil
    (ioportcon port|(port_low port_high) context_id)
```

**Where:**

ioportcon

The ioportcon keyword.

port |

(port_low port_high)

A single port to apply the context, or a range of ports.

The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for a single port of `0xecc0`:

```secil
    (ioportcon 60608 (unconfined.user object_r unconfined.object low_low))
```

pcidevicecon
------------

Label a PCI device.

**Statement definition:**

```secil
    (pcidevicecon device context_id)
```

**Where:**

pcidevicecon

The pcidevicecon keyword.

device

The device number. The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for a PCI device address of `0xc800`:

```secil
    (pcidevicecon 51200 (unconfined.user object_r unconfined.object low_low))
```

pirqcon
-------

Label an interrupt level.

**Statement definition:**

```secil
    (pirqcon irq_level context_id)
```

**Where:**

pirqcon

The pirqcon keyword.

irq_level

The interrupt request number. The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for IRQ 33:

```secil
    (pirqcon 33 (unconfined.user object_r unconfined.object low_low))
```

devicetreecon
-------------

Label device tree nodes.

**Statement definition:**

```secil
    (devicetreecon path context_id)
```

**Where:**

devicetreecon

The devicetreecon keyword.

path

The device tree path. If this contains spaces enclose within "".

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for the specified path:

```secil
    (devicetreecon "/this is/a/path" (unconfined.user object_r unconfined.object low_low))
```
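As an added example (not code from the CIL reference or the SELinux project), a small Python helper that emits each of the Xen statements above from hex or decimal inputs, converting to the decimal digits CIL requires, enforcing the 64-bit I/O memory width and range ordering, and quoting device tree paths that contain spaces; the unconfined context tuple is a constructed sample.

```python
# Added example (not part of the CIL reference or the SELinux project):
# emit CIL Xen labeling statements from hex or decimal inputs, since CIL
# itself only accepts decimal digits [0-9] in these statements.
# The context tuple below is a constructed sample.
UNCONFINED = ("unconfined.user", "object_r", "unconfined.object", "low_low")
IOMEM_MAX = (1 << 64) - 1  # policy version 30 widened I/O memory to 64 bits


def _context(ctx):
    """A string is a declared context_id; a 4-tuple is an anonymous context."""
    if isinstance(ctx, str):
        return ctx
    if len(ctx) != 4:  # levelrange is mandatory even on non-MLS policies
        raise ValueError("anonymous context needs user role type levelrange")
    return "(" + " ".join(ctx) + ")"

def _numeric(value, keyword, maximum=None):
    """Accept an int or a '0x..'/decimal string; return CIL decimal text."""
    n = int(value, 0) if isinstance(value, str) else int(value)
    if n < 0 or (maximum is not None and n > maximum):
        raise ValueError(f"{keyword}: {value!r} out of range")
    return str(n)

def _ranged(keyword, low, high, ctx, maximum):
    """iomemcon and ioportcon share the value|(low high) syntax."""
    lo = _numeric(low, keyword, maximum)
    if high is None:
        return f"({keyword} {lo} {_context(ctx)})"
    hi = _numeric(high, keyword, maximum)
    if int(hi) < int(lo):
        raise ValueError(f"{keyword}: range {low!r}-{high!r} is inverted")
    return f"({keyword} ({lo} {hi}) {_context(ctx)})"

def iomemcon(low, ctx, high=None):
    return _ranged("iomemcon", low, high, ctx, IOMEM_MAX)

def ioportcon(low, ctx, high=None):
    return _ranged("ioportcon", low, high, ctx, None)

def pcidevicecon(device, ctx):
    return f"(pcidevicecon {_numeric(device, 'pcidevicecon')} {_context(ctx)})"

def pirqcon(irq, ctx):
    return f"(pirqcon {_numeric(irq, 'pirqcon')} {_context(ctx)})"

def devicetreecon(path, ctx):
    quoted = f'"{path}"' if " " in path else path  # spaces require quotes
    return f"(devicetreecon {quoted} {_context(ctx)})"
```

Passing `"0xfebe0"` and `"0xfebff"` to `iomemcon` reproduces the `(1043424 1043455)` range shown in the iomemcon example.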