1 /*
2 * This file contains the flask_op hypercall commands and definitions.
3 *
4 * Author: George Coker, <gscoker@alpha.ncsc.mil>
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to
8 * deal in the Software without restriction, including without limitation the
9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10 * sell copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
22 * DEALINGS IN THE SOFTWARE.
23 */
24
/*
 * NOTE(review): identifiers starting with a double underscore are reserved
 * for the implementation by the C standard; this guard follows the existing
 * Xen public-header convention and is left unchanged here.
 */
#ifndef __FLASK_OP_H__
#define __FLASK_OP_H__

/* Provides evtchn_port_t, used by struct xen_flask_peersid below. */
#include "../event_channel.h"

/*
 * Version of this hypercall ABI. Per the field comment in struct xen_flask_op,
 * callers are expected to place this value in xen_flask_op.interface_version.
 */
#define XEN_FLASK_INTERFACE_VERSION 1
31
/*
 * Argument block for FLASK_LOAD.
 *
 * Both fields originate from the guest that issues the hypercall. The
 * hypervisor-side handler (not visible in this header) must bound `size`
 * and copy the data in through the handle rather than trust either value.
 */
struct xen_flask_load {
    /* IN: guest handle to the data to load (presumably a policy image; confirm against the handler) */
    XEN_GUEST_HANDLE(char) buffer;
    /* IN: number of bytes reachable through `buffer` -- assumed from the field names; not stated here */
    uint32_t size;
};
36
/* Argument block for FLASK_SETENFORCE. */
struct xen_flask_setenforce {
    /* IN: new enforcing mode (presumably non-zero = enforce; confirm in the handler) */
    uint32_t enforcing;
};
40
/*
 * Argument block shared by FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT
 * (see the union comment in struct xen_flask_op). Which of `sid` and
 * `context` is the input depends on the command.
 */
struct xen_flask_sid_context {
    /* IN/OUT: sid to convert to/from string */
    uint32_t sid;
    /* IN: size of the context buffer
     * OUT: actual size of the output context string
     *
     * NOTE(review): the OUT value describes the string, not the buffer, so it
     * may differ from the size the caller supplied; callers should compare the
     * two before relying on the contents of `context`.
     */
    uint32_t size;
    /* Guest handle to the context string buffer; direction follows `sid`/`size` above. */
    XEN_GUEST_HANDLE(char) context;
};
50
/*
 * Argument block for FLASK_ACCESS: an access-vector query against the
 * security server / AVC.
 */
struct xen_flask_access {
    /* IN: access request */
    /* source SID (by the conventional ssid/tsid naming) */
    uint32_t ssid;
    /* target SID */
    uint32_t tsid;
    /* object class the permissions below are interpreted against */
    uint32_t tclass;
    /* requested permissions -- presumably a bitmask for `tclass`; confirm against the policy class definitions */
    uint32_t req;
    /* OUT: AVC data */
    /* permissions granted by policy (same encoding as `req`, presumably) */
    uint32_t allowed;
    /* permissions whose grant is to be audited */
    uint32_t audit_allow;
    /* permissions whose denial is to be audited */
    uint32_t audit_deny;
    /* AVC sequence number at the time of the lookup -- assumed from the name; confirm */
    uint32_t seqno;
};
63
/*
 * Argument block shared by FLASK_CREATE, FLASK_RELABEL and FLASK_MEMBER
 * (see the union comment in struct xen_flask_op): compute a new SID from a
 * source/target pair and class.
 */
struct xen_flask_transition {
    /* IN: transition SIDs and class */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    /* OUT: new SID */
    uint32_t newsid;
};
72
/*
 * Argument block for FLASK_USER: enumerate the SIDs reachable by a policy
 * user.
 *
 * NOTE(review): `size` is reused in both directions with different units as
 * documented (buffer size in, SID count out), and `u` is a union so the
 * input `user` handle is overwritten by the output `sids` handle. Callers
 * must not expect either input to survive the call.
 */
struct xen_flask_userlist {
    /* IN: starting SID for list */
    uint32_t start_sid;
    /* IN: size of user string and output buffer
     * OUT: number of SIDs returned */
    uint32_t size;
    union {
        /* IN: user to enumerate SIDs */
        XEN_GUEST_HANDLE(char) user;
        /* OUT: SID list */
        XEN_GUEST_HANDLE(uint32) sids;
    } u;
};
86
/*
 * Argument block shared by FLASK_GETBOOL and FLASK_SETBOOL (see the union
 * comment in struct xen_flask_op). Each field comment marks which of the
 * two commands it applies to.
 */
struct xen_flask_boolean {
    /* IN/OUT: numeric identifier for boolean [GET/SET]
     * If -1, name will be used and bool_id will be filled in.
     * (The field is uint32_t, so "-1" is the all-ones value 0xFFFFFFFF.) */
    uint32_t bool_id;
    /* OUT: current enforcing value of boolean [GET/SET] */
    uint8_t enforcing;
    /* OUT: pending value of boolean [GET/SET] */
    uint8_t pending;
    /* IN: new value of boolean [SET] */
    uint8_t new_value;
    /* IN: commit new value instead of only setting pending [SET] */
    uint8_t commit;
    /* IN: size of boolean name buffer [GET/SET]
     * OUT: actual size of name [GET only]
     * NOTE(review): as with xen_flask_sid_context, the OUT size describes the
     * name rather than the buffer; compare it with the supplied size before
     * reading `name`. */
    uint32_t size;
    /* IN: if bool_id is -1, used to find boolean [GET/SET]
     * OUT: textual name of boolean [GET only]
     */
    XEN_GUEST_HANDLE(char) name;
};
107
/* Argument block for FLASK_SETAVC_THRESHOLD. */
struct xen_flask_setavc_threshold {
    /* IN: new AVC threshold; its unit and meaning are not stated in this header */
    uint32_t threshold;
};
112
/* Result block for FLASK_AVC_HASHSTATS: occupancy statistics of the AVC hash table. */
struct xen_flask_hash_stats {
    /* OUT */
    /* number of entries currently stored */
    uint32_t entries;
    /* buckets holding at least one entry */
    uint32_t buckets_used;
    /* total number of buckets */
    uint32_t buckets_total;
    /* longest collision chain observed */
    uint32_t max_chain_len;
};
120
/* Argument/result block for FLASK_AVC_CACHESTATS: per-CPU AVC counters. */
struct xen_flask_cache_stats {
    /* IN */
    /* CPU whose counters are requested -- presumably the hypervisor validates this against the CPU count; confirm */
    uint32_t cpu;
    /* OUT */
    uint32_t lookups;
    uint32_t hits;
    uint32_t misses;
    uint32_t allocations;
    uint32_t reclaims;
    uint32_t frees;
};
132
/*
 * Argument block shared by FLASK_ADD_OCONTEXT and FLASK_DEL_OCONTEXT (see
 * the union comment in struct xen_flask_op).
 */
struct xen_flask_ocontext {
    /* IN */
    /* object-context type selector; the valid values are not listed in this header */
    uint32_t ocon;
    /* SID to associate with the object range */
    uint32_t sid;
    /* presumably the inclusive bounds of the object range -- confirm against the handler */
    uint64_t low, high;
};
139
/* Argument/result block for FLASK_GET_PEER_SID. */
struct xen_flask_peersid {
    /* IN */
    /* local event-channel port whose remote end is queried (evtchn_port_t comes from event_channel.h) */
    evtchn_port_t evtchn;
    /* OUT */
    /* SID of the peer on that channel -- assumed from the struct name; confirm */
    uint32_t sid;
};
146
/*
 * Argument block for relabelling a whole domain; by elimination of the
 * other union members this is presumably FLASK_RELABEL_DOMAIN (FLASK_RELABEL
 * itself uses struct xen_flask_transition). Confirm against the handler.
 */
struct xen_flask_relabel {
    /* IN */
    uint32_t domid;
    uint32_t sid;
};
152
/*
 * Argument block for FLASK_DEVICETREE_LABEL.
 *
 * NOTE(review): `path` is a guest-supplied buffer of `length` bytes; whether
 * it must be NUL-terminated is not stated here, so the handler should rely on
 * `length` rather than on a terminator.
 */
struct xen_flask_devicetree_label {
    /* IN */
    uint32_t sid;
    uint32_t length;
    XEN_GUEST_HANDLE(char) path;
};
159
/*
 * Top-level argument of the flask_op hypercall: a command selector, the ABI
 * version and a union of per-command argument blocks.
 *
 * Only the union member matching `cmd` is meaningful; the others share its
 * storage and are neither cleared nor validated by this definition.
 */
struct xen_flask_op {
    /* IN: one of the FLASK_* command codes below */
    uint32_t cmd;
#define FLASK_LOAD 1
#define FLASK_GETENFORCE 2
#define FLASK_SETENFORCE 3
#define FLASK_CONTEXT_TO_SID 4
#define FLASK_SID_TO_CONTEXT 5
#define FLASK_ACCESS 6
#define FLASK_CREATE 7
#define FLASK_RELABEL 8
#define FLASK_USER 9
#define FLASK_POLICYVERS 10
#define FLASK_GETBOOL 11
#define FLASK_SETBOOL 12
#define FLASK_COMMITBOOLS 13
#define FLASK_MLS 14
#define FLASK_DISABLE 15
#define FLASK_GETAVC_THRESHOLD 16
#define FLASK_SETAVC_THRESHOLD 17
#define FLASK_AVC_HASHSTATS 18
#define FLASK_AVC_CACHESTATS 19
#define FLASK_MEMBER 20
#define FLASK_ADD_OCONTEXT 21
#define FLASK_DEL_OCONTEXT 22
#define FLASK_GET_PEER_SID 23
#define FLASK_RELABEL_DOMAIN 24
#define FLASK_DEVICETREE_LABEL 25
    /* IN: XEN_FLASK_INTERFACE_VERSION -- presumably checked by the hypervisor and mismatches rejected; confirm */
    uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
    /*
     * Per-command arguments. Commands without a comment map to the member of
     * the same name; commands not listed here (e.g. FLASK_GETENFORCE,
     * FLASK_POLICYVERS, FLASK_COMMITBOOLS, FLASK_MLS, FLASK_DISABLE,
     * FLASK_GETAVC_THRESHOLD) are assumed to use no member or to reuse one
     * by convention -- confirm against the handler.
     */
    union {
        struct xen_flask_load load;
        struct xen_flask_setenforce enforce;
        /* FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT */
        struct xen_flask_sid_context sid_context;
        struct xen_flask_access access;
        /* FLASK_CREATE, FLASK_RELABEL, FLASK_MEMBER */
        struct xen_flask_transition transition;
        struct xen_flask_userlist userlist;
        /* FLASK_GETBOOL, FLASK_SETBOOL */
        struct xen_flask_boolean boolean;
        struct xen_flask_setavc_threshold setavc_threshold;
        struct xen_flask_hash_stats hash_stats;
        struct xen_flask_cache_stats cache_stats;
        /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
        struct xen_flask_ocontext ocontext;
        struct xen_flask_peersid peersid;
        struct xen_flask_relabel relabel;
        struct xen_flask_devicetree_label devicetree_label;
    } u;
};
/* Typedef and guest-handle type for passing struct xen_flask_op through the hypercall. */
typedef struct xen_flask_op xen_flask_op_t;
DEFINE_XEN_GUEST_HANDLE(xen_flask_op_t);
211
212 #endif