      1 /*
      2  *  This file contains the flask_op hypercall commands and definitions.
      3  *
      4  *  Author:  George Coker, <gscoker (at) alpha.ncsc.mil>
      5  *
      6  * Permission is hereby granted, free of charge, to any person obtaining a copy
      7  * of this software and associated documentation files (the "Software"), to
      8  * deal in the Software without restriction, including without limitation the
      9  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
     10  * sell copies of the Software, and to permit persons to whom the Software is
     11  * furnished to do so, subject to the following conditions:
     12  *
     13  * The above copyright notice and this permission notice shall be included in
     14  * all copies or substantial portions of the Software.
     15  *
     16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
     17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
     18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
     19  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
     20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
     21  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
     22  * DEALINGS IN THE SOFTWARE.
     23  */
     24 
     25 #ifndef __FLASK_OP_H__
     26 #define __FLASK_OP_H__
     27 
     28 #include "../event_channel.h"
     29 
/*
 * Version of this hypercall ABI.  The same value is expected in
 * xen_flask_op.interface_version (see the field comment in that struct);
 * bump it whenever a struct layout or command number below changes.
 */
#define XEN_FLASK_INTERFACE_VERSION 1
     31 
/*
 * Payload for FLASK_LOAD (xen_flask_op.u.load).
 * IN: buffer is a guest handle to `size` bytes of data to load (presumably
 * a policy image -- confirm against the hypervisor-side handler).
 * NOTE(review): both the handle and `size` are guest-supplied; the hypervisor
 * must bound `size` and copy through the handle, never trust either.
 */
struct xen_flask_load {
    XEN_GUEST_HANDLE(char) buffer;
    uint32_t size;
};
     36 
/*
 * Payload for FLASK_SETENFORCE (xen_flask_op.u.enforce).
 * IN: enforcing -- new enforcing state.  Switching enforcement off is a
 * security-critical operation; the caller's right to do so is assumed to
 * be checked by the hypervisor, not by anything in this header.
 */
struct xen_flask_setenforce {
    uint32_t enforcing;
};
     40 
/*
 * Payload for FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT
 * (xen_flask_op.u.sid_context).  Converts between a numeric SID and its
 * textual security context in either direction.
 */
struct xen_flask_sid_context {
    /* IN/OUT: sid to convert to/from string */
    uint32_t sid;
    /* IN: size of the context buffer
     * OUT: actual size of the output context string
     *
     * NOTE(review): the IN value is the hard upper bound on how much the
     * hypervisor may write through `context`; callers should compare the
     * OUT value against their buffer size to detect a truncated result.
     */
    uint32_t size;
    /* Guest handle to the context string buffer (IN for CONTEXT_TO_SID,
     * OUT for SID_TO_CONTEXT). */
    XEN_GUEST_HANDLE(char) context;
};
     50 
/*
 * Payload for FLASK_ACCESS (xen_flask_op.u.access): query the access vector
 * cache for a (source SID, target SID, class, requested permissions) tuple.
 */
struct xen_flask_access {
    /* IN: access request */
    uint32_t ssid;      /* source (subject) SID */
    uint32_t tsid;      /* target (object) SID */
    uint32_t tclass;    /* object class */
    uint32_t req;       /* requested permission bits */
    /* OUT: AVC data */
    uint32_t allowed;       /* permission bits granted by policy */
    uint32_t audit_allow;   /* permission bits audited when allowed */
    uint32_t audit_deny;    /* permission bits audited when denied */
    uint32_t seqno;         /* AVC sequence number (presumably policy/AVC
                             * generation -- confirm against the handler) */
};
     63 
/*
 * Payload for FLASK_CREATE, FLASK_RELABEL and FLASK_MEMBER
 * (xen_flask_op.u.transition): compute the SID that results from a
 * transition involving the given source/target SIDs and class.
 */
struct xen_flask_transition {
    /* IN: transition SIDs and class */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    /* OUT: new SID */
    uint32_t newsid;
};
     72 
     73 #if __XEN_INTERFACE_VERSION__ < 0x00040800
/*
 * Legacy payload for FLASK_USER (xen_flask_op.u.userlist).  Only exposed to
 * callers built against an interface version older than 4.8, and FLASK_USER
 * itself is marked "No longer implemented" below -- do not add new uses.
 *
 * NOTE(review): the IN user string and the OUT SID list share one guest
 * handle via the union, so the caller's buffer is overwritten on return.
 */
struct xen_flask_userlist {
    /* IN: starting SID for list */
    uint32_t start_sid;
    /* IN: size of user string and output buffer
     * OUT: number of SIDs returned */
    uint32_t size;
    union {
        /* IN: user to enumerate SIDs */
        XEN_GUEST_HANDLE(char) user;
        /* OUT: SID list */
        XEN_GUEST_HANDLE(uint32) sids;
    } u;
};
     87 #endif
     88 
/*
 * Payload for FLASK_GETBOOL and FLASK_SETBOOL (xen_flask_op.u.boolean).
 * A policy boolean is addressed either by numeric id or, when bool_id is
 * the all-ones sentinel, by name.  FLASK_COMMITBOOLS has no payload struct
 * in the union and so does not use this.
 */
struct xen_flask_boolean {
    /* IN/OUT: numeric identifier for boolean [GET/SET]
     * If -1, name will be used and bool_id will be filled in.
     * (The field is uint32_t, so "-1" means (uint32_t)-1 == 0xFFFFFFFF.) */
    uint32_t bool_id;
    /* OUT: current enforcing value of boolean [GET/SET] */
    uint8_t enforcing;
    /* OUT: pending value of boolean [GET/SET] */
    uint8_t pending;
    /* IN: new value of boolean [SET] */
    uint8_t new_value;
    /* IN: commit new value instead of only setting pending [SET] */
    uint8_t commit;
    /* IN: size of boolean name buffer [GET/SET]
     * OUT: actual size of name [GET only]
     * NOTE(review): the IN value bounds what may be written through `name`. */
    uint32_t size;
    /* IN: if bool_id is -1, used to find boolean [GET/SET]
     * OUT: textual name of boolean [GET only]
     */
    XEN_GUEST_HANDLE(char) name;
};
    109 
/*
 * Payload for FLASK_SETAVC_THRESHOLD (xen_flask_op.u.setavc_threshold).
 * FLASK_GETAVC_THRESHOLD has no union member, so the read side presumably
 * returns its value some other way -- confirm against the handler.
 */
struct xen_flask_setavc_threshold {
    /* IN */
    uint32_t threshold;
};
    114 
/*
 * Payload for FLASK_AVC_HASHSTATS (xen_flask_op.u.hash_stats): statistics
 * about the AVC hash table.  Output only; no caller input.
 */
struct xen_flask_hash_stats {
    /* OUT */
    uint32_t entries;
    uint32_t buckets_used;
    uint32_t buckets_total;
    uint32_t max_chain_len;
};
    122 
/*
 * Payload for FLASK_AVC_CACHESTATS (xen_flask_op.u.cache_stats): AVC
 * counters for one CPU.
 * NOTE(review): `cpu` is guest-supplied and presumably indexes per-CPU
 * state; the hypervisor must range-check it before use.
 */
struct xen_flask_cache_stats {
    /* IN */
    uint32_t cpu;
    /* OUT */
    uint32_t lookups;
    uint32_t hits;
    uint32_t misses;
    uint32_t allocations;
    uint32_t reclaims;
    uint32_t frees;
};
    134 
/*
 * Payload for FLASK_ADD_OCONTEXT and FLASK_DEL_OCONTEXT
 * (xen_flask_op.u.ocontext): associate a SID with an object context
 * covering the range [low, high].
 */
struct xen_flask_ocontext {
    /* IN */
    uint32_t ocon;          /* object context kind (presumably a
                             * resource type selector -- confirm) */
    uint32_t sid;           /* SID to apply to the range */
    uint64_t low, high;     /* inclusive range bounds; the hypervisor should
                             * reject low > high (not enforced here) */
};
    141 
/*
 * Payload for FLASK_GET_PEER_SID (xen_flask_op.u.peersid): look up the SID
 * of the domain at the other end of one of the caller's event channels.
 * evtchn_port_t comes from ../event_channel.h.
 */
struct xen_flask_peersid {
    /* IN */
    evtchn_port_t evtchn;
    /* OUT */
    uint32_t sid;
};
    148 
/*
 * Payload for FLASK_RELABEL_DOMAIN (xen_flask_op.u.relabel): assign a new
 * SID to a whole domain.  (FLASK_RELABEL, by contrast, uses
 * xen_flask_transition.)  domid is 32-bit here although domain ids are
 * narrower elsewhere; the hypervisor is expected to validate it.
 */
struct xen_flask_relabel {
    /* IN */
    uint32_t domid;
    uint32_t sid;
};
    154 
/*
 * Payload for FLASK_DEVICETREE_LABEL (xen_flask_op.u.devicetree_label):
 * label a device-tree node, identified by path, with the given SID.
 * NOTE(review): `length` is the number of bytes to read through `path`;
 * whether the string must be NUL-terminated is not specified here --
 * confirm against the handler.
 */
struct xen_flask_devicetree_label {
    /* IN */
    uint32_t sid;
    uint32_t length;
    XEN_GUEST_HANDLE(char) path;
};
    161 
/*
 * Argument structure for the flask_op hypercall.  `cmd` selects the
 * operation and `u` carries the command-specific payload (see the
 * per-struct comments for which member each command uses).
 *
 * Commands with no member in the union take no payload beyond cmd and
 * interface_version: FLASK_GETENFORCE, FLASK_POLICYVERS, FLASK_COMMITBOOLS,
 * FLASK_MLS, FLASK_DISABLE and FLASK_GETAVC_THRESHOLD.
 *
 * NOTE(review): every field here is guest-controlled.  The hypervisor must
 * reject an unknown cmd and a mismatched interface_version before touching
 * the union, and must treat all sizes and guest handles as untrusted.
 */
struct xen_flask_op {
    uint32_t cmd;
/* Command numbers.  Existing values are ABI; never renumber them. */
#define FLASK_LOAD              1
#define FLASK_GETENFORCE        2
#define FLASK_SETENFORCE        3
#define FLASK_CONTEXT_TO_SID    4
#define FLASK_SID_TO_CONTEXT    5
#define FLASK_ACCESS            6
#define FLASK_CREATE            7
#define FLASK_RELABEL           8
#define FLASK_USER              9  /* No longer implemented */
#define FLASK_POLICYVERS        10
#define FLASK_GETBOOL           11
#define FLASK_SETBOOL           12
#define FLASK_COMMITBOOLS       13
#define FLASK_MLS               14
#define FLASK_DISABLE           15
#define FLASK_GETAVC_THRESHOLD  16
#define FLASK_SETAVC_THRESHOLD  17
#define FLASK_AVC_HASHSTATS     18
#define FLASK_AVC_CACHESTATS    19
#define FLASK_MEMBER            20
#define FLASK_ADD_OCONTEXT      21
#define FLASK_DEL_OCONTEXT      22
#define FLASK_GET_PEER_SID      23
#define FLASK_RELABEL_DOMAIN    24
#define FLASK_DEVICETREE_LABEL  25
    uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
    union {
        struct xen_flask_load load;
        struct xen_flask_setenforce enforce;
        /* FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT */
        struct xen_flask_sid_context sid_context;
        struct xen_flask_access access;
        /* FLASK_CREATE, FLASK_RELABEL, FLASK_MEMBER */
        struct xen_flask_transition transition;
#if __XEN_INTERFACE_VERSION__ < 0x00040800
        /* FLASK_USER -- legacy, no longer implemented */
        struct xen_flask_userlist userlist;
#endif
        /* FLASK_GETBOOL, FLASK_SETBOOL */
        struct xen_flask_boolean boolean;
        struct xen_flask_setavc_threshold setavc_threshold;
        struct xen_flask_hash_stats hash_stats;
        struct xen_flask_cache_stats cache_stats;
        /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
        struct xen_flask_ocontext ocontext;
        struct xen_flask_peersid peersid;
        struct xen_flask_relabel relabel;
        struct xen_flask_devicetree_label devicetree_label;
    } u;
};
typedef struct xen_flask_op xen_flask_op_t;
/* Guest-handle type for passing a xen_flask_op to the hypercall. */
DEFINE_XEN_GUEST_HANDLE(xen_flask_op_t);
    215 
    216 #endif
    217