flask_op.h revision 251767
1/* 2 * This file contains the flask_op hypercall commands and definitions. 3 * 4 * Author: George Coker, <gscoker@alpha.ncsc.mil> 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining a copy 7 * of this software and associated documentation files (the "Software"), to 8 * deal in the Software without restriction, including without limitation the 9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or 10 * sell copies of the Software, and to permit persons to whom the Software is 11 * furnished to do so, subject to the following conditions: 12 * 13 * The above copyright notice and this permission notice shall be included in 14 * all copies or substantial portions of the Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 22 * DEALINGS IN THE SOFTWARE. 23 */ 24 25#ifndef __FLASK_OP_H__ 26#define __FLASK_OP_H__ 27 28#define XEN_FLASK_INTERFACE_VERSION 1 29 30struct xen_flask_load { 31 XEN_GUEST_HANDLE(char) buffer; 32 uint32_t size; 33}; 34 35struct xen_flask_setenforce { 36 uint32_t enforcing; 37}; 38 39struct xen_flask_sid_context { 40 /* IN/OUT: sid to convert to/from string */ 41 uint32_t sid; 42 /* IN: size of the context buffer 43 * OUT: actual size of the output context string 44 */ 45 uint32_t size; 46 XEN_GUEST_HANDLE(char) context; 47}; 48 49struct xen_flask_access { 50 /* IN: access request */ 51 uint32_t ssid; 52 uint32_t tsid; 53 uint32_t tclass; 54 uint32_t req; 55 /* OUT: AVC data */ 56 uint32_t allowed; 57 uint32_t audit_allow; 58 uint32_t audit_deny; 59 uint32_t seqno; 60}; 61 62struct xen_flask_transition { 63 /* IN: transition SIDs and class */ 64 uint32_t ssid; 65 uint32_t tsid; 66 uint32_t tclass; 67 /* OUT: new SID */ 68 uint32_t newsid; 69}; 70 71struct xen_flask_userlist { 72 /* IN: starting SID for list */ 73 uint32_t start_sid; 74 /* IN: size of user string and output buffer 75 * OUT: number of SIDs returned */ 76 uint32_t size; 77 union { 78 /* IN: user to enumerate SIDs */ 79 XEN_GUEST_HANDLE(char) user; 80 /* OUT: SID list */ 81 XEN_GUEST_HANDLE(uint32) sids; 82 } u; 83}; 84 85struct xen_flask_boolean { 86 /* IN/OUT: numeric identifier for boolean [GET/SET] 87 * If -1, name will be used and bool_id will be filled in. */ 88 uint32_t bool_id; 89 /* OUT: current enforcing value of boolean [GET/SET] */ 90 uint8_t enforcing; 91 /* OUT: pending value of boolean [GET/SET] */ 92 uint8_t pending; 93 /* IN: new value of boolean [SET] */ 94 uint8_t new_value; 95 /* IN: commit new value instead of only setting pending [SET] */ 96 uint8_t commit; 97 /* IN: size of boolean name buffer [GET/SET] 98 * OUT: actual size of name [GET only] */ 99 uint32_t size; 100 /* IN: if bool_id is -1, used to find boolean [GET/SET] 101 * OUT: textual name of boolean [GET only] 102 */ 103 XEN_GUEST_HANDLE(char) name; 104}; 105 106struct xen_flask_setavc_threshold { 107 /* IN */ 108 uint32_t threshold; 109}; 110 111struct xen_flask_hash_stats { 112 /* OUT */ 113 uint32_t entries; 114 uint32_t buckets_used; 115 uint32_t buckets_total; 116 uint32_t max_chain_len; 117}; 118 119struct xen_flask_cache_stats { 120 /* IN */ 121 uint32_t cpu; 122 /* OUT */ 123 uint32_t lookups; 124 uint32_t hits; 125 uint32_t misses; 126 uint32_t allocations; 127 uint32_t reclaims; 128 uint32_t frees; 129}; 130 131struct xen_flask_ocontext { 132 /* IN */ 133 uint32_t ocon; 134 uint32_t sid; 135 uint64_t low, high; 136}; 137 138struct xen_flask_peersid { 139 /* IN */ 140 evtchn_port_t evtchn; 141 /* OUT */ 142 uint32_t sid; 143}; 144 145struct xen_flask_op { 146 uint32_t cmd; 147#define FLASK_LOAD 1 148#define FLASK_GETENFORCE 2 149#define FLASK_SETENFORCE 3 150#define FLASK_CONTEXT_TO_SID 4 151#define FLASK_SID_TO_CONTEXT 5 152#define FLASK_ACCESS 6 153#define FLASK_CREATE 7 154#define FLASK_RELABEL 8 155#define FLASK_USER 9 156#define FLASK_POLICYVERS 10 157#define FLASK_GETBOOL 11 158#define FLASK_SETBOOL 12 159#define FLASK_COMMITBOOLS 13 160#define FLASK_MLS 14 161#define FLASK_DISABLE 15 162#define FLASK_GETAVC_THRESHOLD 16 163#define FLASK_SETAVC_THRESHOLD 17 164#define FLASK_AVC_HASHSTATS 18 165#define FLASK_AVC_CACHESTATS 19 166#define FLASK_MEMBER 20 167#define FLASK_ADD_OCONTEXT 21 168#define FLASK_DEL_OCONTEXT 22 169#define FLASK_GET_PEER_SID 23 170 uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */ 171 union { 172 struct xen_flask_load load; 173 struct xen_flask_setenforce enforce; 174 /* FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT */ 175 struct xen_flask_sid_context sid_context; 176 struct xen_flask_access access; 177 /* FLASK_CREATE, FLASK_RELABEL, FLASK_MEMBER */ 178 struct xen_flask_transition transition; 179 struct xen_flask_userlist userlist; 180 /* FLASK_GETBOOL, FLASK_SETBOOL */ 181 struct xen_flask_boolean boolean; 182 struct xen_flask_setavc_threshold setavc_threshold; 183 struct xen_flask_hash_stats hash_stats; 184 struct xen_flask_cache_stats cache_stats; 185 /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */ 186 struct xen_flask_ocontext ocontext; 187 struct xen_flask_peersid peersid; 188 } u; 189}; 190typedef struct xen_flask_op xen_flask_op_t; 191DEFINE_XEN_GUEST_HANDLE(xen_flask_op_t); 192 193#endif 194