/*
 *  This file contains the flask_op hypercall commands and definitions.
 *
 *  Author:  George Coker, <gscoker@alpha.ncsc.mil>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to
 * deal in the Software without restriction, including without limitation the
 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
 * sell copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 */
#ifndef __FLASK_OP_H__
#define __FLASK_OP_H__

/*
 * ABI version of the xen_flask_op layout defined below. Callers copy this
 * value into xen_flask_op.interface_version; any structure change that
 * alters the guest-visible layout needs a bump here.
 * NOTE(review): the version comparison itself is done by the hypervisor-side
 * handler, not by anything in this header -- confirm it rejects mismatches.
 */
#define XEN_FLASK_INTERFACE_VERSION 1
/*
 * FLASK_LOAD argument (xen_flask_op.u.load): a caller-supplied blob to be
 * loaded into the security server (presumably the policy image, going by the
 * command name -- confirm against the hypervisor-side handler).
 */
struct xen_flask_load {
    /* IN: guest buffer holding the data to load */
    XEN_GUEST_HANDLE(char) buffer;
    /* IN: byte length of buffer. This value is guest-controlled, so the
     * handler must validate it before copying from the handle. */
    uint32_t size;
};
/* FLASK_SETENFORCE argument (xen_flask_op.u.enforce). */
struct xen_flask_setenforce {
    /* IN: requested enforcing state. Only the field width is fixed here;
     * TODO confirm in the handler whether any non-zero value means
     * "enforce" or whether only 0/1 are accepted. */
    uint32_t enforcing;
};
/*
 * Argument shared by FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT
 * (xen_flask_op.u.sid_context). Which of `sid` and `context` is the input
 * depends on the command issued.
 */
struct xen_flask_sid_context {
    /* IN/OUT: sid to convert to/from string */
    uint32_t sid;
    /* IN: size of the context buffer
     * OUT: actual size of the output context string
     * NOTE(review): this is a guest-controlled bound for the copy into
     * `context`; the handler must never write past it, and a caller should
     * treat an OUT value larger than its IN value as "buffer too small".
     */
    uint32_t size;
    /* IN/OUT: guest buffer holding the textual security context */
    XEN_GUEST_HANDLE(char) context;
};
/*
 * FLASK_ACCESS argument (xen_flask_op.u.access): a single access-vector
 * query. ssid/tsid are the source and target SIDs and tclass the target
 * class, the same triple xen_flask_transition uses; `req` is presumably a
 * permission bitmask for that class -- confirm against the policy's class
 * definitions.
 */
struct xen_flask_access {
    /* IN: access request */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    uint32_t req;
    /* OUT: AVC data */
    uint32_t allowed;      /* permissions granted for the request */
    uint32_t audit_allow;  /* permissions audited when granted */
    uint32_t audit_deny;   /* permissions audited when denied */
    uint32_t seqno;        /* AVC sequence number (presumably advances on
                              policy change; verify against the handler) */
};
/*
 * Argument shared by FLASK_CREATE, FLASK_RELABEL and FLASK_MEMBER
 * (xen_flask_op.u.transition): ask the security server which SID results
 * from the (ssid, tsid, tclass) triple for the given operation.
 */
struct xen_flask_transition {
    /* IN: transition SIDs and class */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    /* OUT: new SID */
    uint32_t newsid;
};
/*
 * FLASK_USER argument (xen_flask_op.u.userlist): enumerate SIDs for a user.
 * `u.user` and `u.sids` share one handle slot, so as laid out here the SID
 * list is expected to be written through the same guest pointer that
 * supplied the user name -- confirm against the handler.
 */
struct xen_flask_userlist {
    /* IN: starting SID for list */
    uint32_t start_sid;
    /* IN: size of user string and output buffer
     * OUT: number of SIDs returned
     * NOTE(review): one guest-controlled size bounds both the name read and
     * the SID-list write; the handler must honour it in both directions. */
    uint32_t size;
    union {
        /* IN: user to enumerate SIDs */
        XEN_GUEST_HANDLE(char) user;
        /* OUT: SID list */
        XEN_GUEST_HANDLE(uint32) sids;
    } u;
};
/*
 * Argument shared by FLASK_GETBOOL and FLASK_SETBOOL (xen_flask_op.u.boolean).
 * The bracketed tags on each field say which of the two commands uses it.
 */
struct xen_flask_boolean {
    /* IN/OUT: numeric identifier for boolean [GET/SET]
     * If -1, name will be used and bool_id will be filled in.
     * (-1 stored in a uint32_t is the all-ones value 0xffffffff.) */
    uint32_t bool_id;
    /* OUT: current enforcing value of boolean [GET/SET] */
    uint8_t enforcing;
    /* OUT: pending value of boolean [GET/SET] */
    uint8_t pending;
    /* IN: new value of boolean [SET] */
    uint8_t new_value;
    /* IN: commit new value instead of only setting pending [SET] */
    uint8_t commit;
    /* IN: size of boolean name buffer [GET/SET]
     * OUT: actual size of name [GET only]
     * NOTE(review): guest-controlled bound for both the name lookup read
     * and the GET-side name write; the handler must honour it for both. */
    uint32_t size;
    /* IN: if bool_id is -1, used to find boolean [GET/SET]
     * OUT: textual name of boolean [GET only]
     */
    XEN_GUEST_HANDLE(char) name;
};
/*
 * FLASK_SETAVC_THRESHOLD argument (xen_flask_op.u.setavc_threshold).
 * FLASK_GETAVC_THRESHOLD has no union member of its own; presumably the
 * current value comes back in the hypercall return value -- confirm.
 */
struct xen_flask_setavc_threshold {
    /* IN: new AVC threshold value */
    uint32_t threshold;
};
/*
 * FLASK_AVC_HASHSTATS result (xen_flask_op.u.hash_stats). Every field is
 * output; the command takes no per-command input.
 */
struct xen_flask_hash_stats {
    /* OUT */
    uint32_t entries;        /* entries currently in the AVC hash table */
    uint32_t buckets_used;   /* buckets holding at least one entry */
    uint32_t buckets_total;  /* total bucket count */
    uint32_t max_chain_len;  /* longest collision chain observed */
};
/*
 * FLASK_AVC_CACHESTATS argument/result (xen_flask_op.u.cache_stats):
 * AVC counters for one CPU.
 */
struct xen_flask_cache_stats {
    /* IN: CPU whose counters are requested. Guest-supplied index, so the
     * handler must range-check it before indexing per-CPU state. */
    uint32_t cpu;
    /* OUT */
    uint32_t lookups;
    uint32_t hits;
    uint32_t misses;
    uint32_t allocations;
    uint32_t reclaims;
    uint32_t frees;
};
/*
 * Argument shared by FLASK_ADD_OCONTEXT and FLASK_DEL_OCONTEXT
 * (xen_flask_op.u.ocontext): associate, or remove, a SID for an object
 * context entry. All fields are input.
 */
struct xen_flask_ocontext {
    /* IN */
    uint32_t ocon;       /* object-context type selector (values defined by
                            the hypervisor side; not enumerated here) */
    uint32_t sid;        /* SID to attach to the entry */
    uint64_t low, high;  /* presumably the inclusive range the entry covers;
                            confirm the exact meaning per ocon type */
};
/*
 * FLASK_GET_PEER_SID argument/result (xen_flask_op.u.peersid): look up the
 * SID of the domain on the far end of a local event channel.
 */
struct xen_flask_peersid {
    /* IN: local event-channel port */
    evtchn_port_t evtchn;
    /* OUT: SID of the peer bound to that port */
    uint32_t sid;
};
/*
 * Top-level flask_op hypercall argument. `cmd` selects the operation and
 * picks the matching member of `u`; member names track the command names,
 * and the comments inside the union list the commands that share a member.
 * Commands with no union member (FLASK_GETENFORCE, FLASK_POLICYVERS,
 * FLASK_COMMITBOOLS, FLASK_MLS, FLASK_DISABLE, FLASK_GETAVC_THRESHOLD)
 * carry no per-command payload here; presumably their result travels in the
 * hypercall return value -- confirm against the handler.
 * Everything in this structure is guest-controlled input until the handler
 * has validated `cmd` and `interface_version`.
 */
struct xen_flask_op {
    uint32_t cmd;
#define FLASK_LOAD              1
#define FLASK_GETENFORCE        2
#define FLASK_SETENFORCE        3
#define FLASK_CONTEXT_TO_SID    4
#define FLASK_SID_TO_CONTEXT    5
#define FLASK_ACCESS            6
#define FLASK_CREATE            7
#define FLASK_RELABEL           8
#define FLASK_USER              9
#define FLASK_POLICYVERS        10
#define FLASK_GETBOOL           11
#define FLASK_SETBOOL           12
#define FLASK_COMMITBOOLS       13
#define FLASK_MLS               14
#define FLASK_DISABLE           15
#define FLASK_GETAVC_THRESHOLD  16
#define FLASK_SETAVC_THRESHOLD  17
#define FLASK_AVC_HASHSTATS     18
#define FLASK_AVC_CACHESTATS    19
#define FLASK_MEMBER            20
#define FLASK_ADD_OCONTEXT      21
#define FLASK_DEL_OCONTEXT      22
#define FLASK_GET_PEER_SID      23
    uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
    union {
        /* FLASK_LOAD */
        struct xen_flask_load load;
        /* FLASK_SETENFORCE */
        struct xen_flask_setenforce enforce;
        /* FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT */
        struct xen_flask_sid_context sid_context;
        /* FLASK_ACCESS */
        struct xen_flask_access access;
        /* FLASK_CREATE, FLASK_RELABEL, FLASK_MEMBER */
        struct xen_flask_transition transition;
        /* FLASK_USER */
        struct xen_flask_userlist userlist;
        /* FLASK_GETBOOL, FLASK_SETBOOL */
        struct xen_flask_boolean boolean;
        /* FLASK_SETAVC_THRESHOLD */
        struct xen_flask_setavc_threshold setavc_threshold;
        /* FLASK_AVC_HASHSTATS */
        struct xen_flask_hash_stats hash_stats;
        /* FLASK_AVC_CACHESTATS */
        struct xen_flask_cache_stats cache_stats;
        /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
        struct xen_flask_ocontext ocontext;
        /* FLASK_GET_PEER_SID */
        struct xen_flask_peersid peersid;
    } u;
};
/* Typedef plus guest-handle type so a xen_flask_op can be passed to the
 * hypercall by guest pointer. */
typedef struct xen_flask_op xen_flask_op_t;
DEFINE_XEN_GUEST_HANDLE(xen_flask_op_t);
#endif /* __FLASK_OP_H__ */