flask_op.h revision 251767
1/*
2 *  This file contains the flask_op hypercall commands and definitions.
3 *
4 *  Author:  George Coker, <gscoker@alpha.ncsc.mil>
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to
8 * deal in the Software without restriction, including without limitation the
9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10 * sell copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
22 * DEALINGS IN THE SOFTWARE.
23 */
24
25#ifndef __FLASK_OP_H__
26#define __FLASK_OP_H__
27
/*
 * ABI version of this header.  A caller stores this value in
 * xen_flask_op.interface_version; the field is guest-supplied, so the
 * hypervisor is expected to reject a mismatch rather than reinterpret the
 * payload under a different layout (NOTE(review): confirm in the handler).
 */
#define XEN_FLASK_INTERFACE_VERSION 1
29
/*
 * Payload for FLASK_LOAD: a binary security policy image.
 *
 * buffer: IN, guest handle to the policy bytes.
 * size:   IN, number of bytes to read from buffer.
 *
 * Both fields come from the guest.  The hypervisor must copy the image
 * through the guest-handle accessors and treat size as an untrusted bound,
 * never as a promise that the buffer is that large.  Loading a policy
 * replaces the access rules for the whole system, so this command is
 * presumably limited to privileged callers -- NOTE(review): confirm.
 */
struct xen_flask_load {
    XEN_GUEST_HANDLE(char) buffer;
    uint32_t size;
};
34
/*
 * Payload for FLASK_SETENFORCE.
 *
 * enforcing: IN, selects enforcing versus permissive mode.  The header does
 * not fix the accepted values; presumably 0 = permissive, non-zero =
 * enforcing -- NOTE(review): confirm against the handler.  Turning
 * enforcement off disables every access check, so this is expected to be a
 * privileged operation.
 */
struct xen_flask_setenforce {
    uint32_t enforcing;
};
38
/*
 * Payload shared by FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT: converts
 * between a numeric SID and its textual security context.
 *
 * The direction decides which of sid/context is the input and which is the
 * output.  size is guest-supplied: on entry it is the capacity of the
 * guest's context buffer; on return it holds the length the output string
 * actually has.  If the returned size exceeds the one passed in, the
 * caller's buffer was too small -- the hypervisor must never write past the
 * IN value of size, whatever the real length is.  Whether the returned
 * string is NUL-terminated, and whether size counts a terminator, is not
 * stated here -- NOTE(review): confirm before relying on either.
 */
struct xen_flask_sid_context {
    /* IN/OUT: sid to convert to/from string */
    uint32_t sid;
    /* IN: size of the context buffer
     * OUT: actual size of the output context string
     */
    uint32_t size;
    /* IN (CONTEXT_TO_SID) / OUT (SID_TO_CONTEXT): guest handle to the
     * textual context, at most 'size' bytes. */
    XEN_GUEST_HANDLE(char) context;
};
48
/*
 * Payload for FLASK_ACCESS: ask the access-vector cache (AVC) whether a
 * source may perform req on a target of class tclass.
 *
 * ssid/tsid/tclass/req are guest-supplied inputs; any SID or class value
 * must be validated against the loaded policy before use.  The OUT fields
 * are the AVC decision: allowed, the audit-on-allow and audit-on-deny
 * masks, and the policy sequence number the decision was computed under.
 * req/allowed/audit_* are presumably permission bitmasks for tclass, as in
 * the usual AVC layout -- NOTE(review): confirm against the implementation.
 * Note this only reports a decision; it does not grant anything by itself.
 */
struct xen_flask_access {
    /* IN: access request */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    uint32_t req;
    /* OUT: AVC data */
    uint32_t allowed;
    uint32_t audit_allow;
    uint32_t audit_deny;
    /* OUT: policy sequence number the answer is valid for; a later
     * policy load presumably invalidates it. */
    uint32_t seqno;
};
61
/*
 * Payload shared by FLASK_CREATE, FLASK_RELABEL and FLASK_MEMBER: compute
 * the SID that results from a policy transition between ssid and tsid for
 * objects of class tclass.  The three commands apply different transition
 * rules to the same inputs; which rule each uses is not defined here.
 *
 * All IN fields are guest-supplied and must be checked against the loaded
 * policy.  newsid is the computed result only -- nothing is relabeled by
 * this call itself.
 */
struct xen_flask_transition {
    /* IN: transition SIDs and class */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    /* OUT: new SID */
    uint32_t newsid;
};
70
/*
 * Payload for FLASK_USER: enumerate the SIDs reachable for a policy user,
 * starting from start_sid.
 *
 * u is a union, so the input and output handles occupy the same storage:
 * on return u.sids overwrites u.user, and the caller must not read u.user
 * back afterwards.  size is likewise reused -- on entry it bounds both the
 * user string and the output array, on return it is the number of SIDs
 * written.  The hypervisor must cap the count it writes at the IN value of
 * size; whether size is measured in bytes or in uint32 elements for the
 * output is not stated here -- NOTE(review): confirm.
 */
struct xen_flask_userlist {
    /* IN: starting SID for list */
    uint32_t start_sid;
    /* IN: size of user string and output buffer
     * OUT: number of SIDs returned */
    uint32_t size;
    union {
        /* IN: user to enumerate SIDs */
        XEN_GUEST_HANDLE(char) user;
        /* OUT: SID list */
        XEN_GUEST_HANDLE(uint32) sids;
    } u;
};
84
/*
 * Payload shared by FLASK_GETBOOL and FLASK_SETBOOL: read or change a
 * policy boolean, addressed either by numeric id or by name.
 *
 * bool_id is unsigned, so the "-1" sentinel is UINT32_MAX (0xffffffff);
 * when it is used, name/size give the boolean to look up and bool_id is
 * filled in on return.  A boolean has two values: the one currently
 * enforced and a pending one; SET writes the pending value and only
 * commits it when commit is non-zero (FLASK_COMMITBOOLS presumably commits
 * all pending values at once -- confirm).  Changing booleans alters the
 * effective policy, so SET is expected to be privileged.  name and size are
 * guest-supplied; the hypervisor must bound its reads and writes by the
 * IN value of size.
 */
struct xen_flask_boolean {
    /* IN/OUT: numeric identifier for boolean [GET/SET]
     * If -1 (i.e. UINT32_MAX), name will be used and bool_id will be
     * filled in. */
    uint32_t bool_id;
    /* OUT: current enforcing value of boolean [GET/SET] */
    uint8_t enforcing;
    /* OUT: pending value of boolean [GET/SET] */
    uint8_t pending;
    /* IN: new value of boolean [SET] */
    uint8_t new_value;
    /* IN: commit new value instead of only setting pending [SET] */
    uint8_t commit;
    /* IN: size of boolean name buffer [GET/SET]
     * OUT: actual size of name [GET only] */
    uint32_t size;
    /* IN: if bool_id is -1, used to find boolean [GET/SET]
     * OUT: textual name of boolean [GET only]
     */
    XEN_GUEST_HANDLE(char) name;
};
105
/*
 * Payload for FLASK_SETAVC_THRESHOLD.
 *
 * threshold: IN, new AVC threshold.  The header does not say what the
 * threshold limits (presumably the cache's entry count) nor what range is
 * accepted -- NOTE(review): confirm; a guest-chosen value that is too small
 * or too large could affect AVC behaviour, so it should be validated.
 */
struct xen_flask_setavc_threshold {
    /* IN */
    uint32_t threshold;
};
110
/*
 * Payload for FLASK_AVC_HASHSTATS: occupancy statistics of the AVC hash
 * table.  All fields are OUT; the command takes no input beyond cmd.
 */
struct xen_flask_hash_stats {
    /* OUT */
    uint32_t entries;       /* entries currently in the table */
    uint32_t buckets_used;  /* buckets holding at least one entry */
    uint32_t buckets_total; /* buckets in the table */
    uint32_t max_chain_len; /* longest bucket chain */
};
118
/*
 * Payload for FLASK_AVC_CACHESTATS: per-CPU AVC counters.
 *
 * cpu is a guest-supplied CPU index; the hypervisor is expected to
 * range-check it against the CPUs it actually has before indexing any
 * per-CPU data (NOTE(review): confirm in the handler).  The remaining
 * fields are OUT counters whose exact meanings are not defined here.
 */
struct xen_flask_cache_stats {
    /* IN */
    uint32_t cpu;
    /* OUT */
    uint32_t lookups;
    uint32_t hits;
    uint32_t misses;
    uint32_t allocations;
    uint32_t reclaims;
    uint32_t frees;
};
130
/*
 * Payload shared by FLASK_ADD_OCONTEXT and FLASK_DEL_OCONTEXT: associate
 * (or dissociate) a SID with a range [low, high] of some object class.
 *
 * ocon selects which kind of object context the range applies to; the
 * valid selector values, and whether the range is inclusive, are not
 * defined in this header -- NOTE(review): confirm.  All fields are IN.
 * Adding or removing an object context changes how resources are labeled,
 * so both commands are expected to be privileged.
 *
 * Layout note: the two uint32_t fields place low at offset 8, so the
 * 64-bit fields presumably land at the same offset on 32- and 64-bit x86
 * guests despite their different uint64_t alignment.
 */
struct xen_flask_ocontext {
    /* IN */
    uint32_t ocon;
    uint32_t sid;
    uint64_t low, high;
};
137
/*
 * Payload for FLASK_GET_PEER_SID: look up the SID associated with the far
 * end of one of the caller's event channels.
 *
 * evtchn: IN, local event-channel port; guest-supplied, so the hypervisor
 *         must verify the port is valid and bound before following it.
 * sid:    OUT, SID of the peer (presumably the peer domain's SID --
 *         NOTE(review): confirm).
 */
struct xen_flask_peersid {
    /* IN */
    evtchn_port_t evtchn;
    /* OUT */
    uint32_t sid;
};
144
/*
 * Top-level argument of the flask_op hypercall.
 *
 * cmd selects the operation and, with it, which member of 'u' is live.
 * cmd and interface_version are guest-supplied, so the hypervisor is
 * expected to reject an unknown cmd and any interface_version other than
 * XEN_FLASK_INTERFACE_VERSION before it interprets 'u'.  Several commands
 * (LOAD, SETENFORCE, SETBOOL, COMMITBOOLS, DISABLE, ADD/DEL_OCONTEXT,
 * SETAVC_THRESHOLD) change the policy or its enforcement and are therefore
 * expected to be privileged; this header does not encode that -- it is a
 * property of the handler.  NOTE(review): confirm both checks there.
 */
struct xen_flask_op {
    /* IN: one of the FLASK_* command numbers below. */
    uint32_t cmd;
#define FLASK_LOAD              1
#define FLASK_GETENFORCE        2
#define FLASK_SETENFORCE        3
#define FLASK_CONTEXT_TO_SID    4
#define FLASK_SID_TO_CONTEXT    5
#define FLASK_ACCESS            6
#define FLASK_CREATE            7
#define FLASK_RELABEL           8
#define FLASK_USER              9
#define FLASK_POLICYVERS        10
#define FLASK_GETBOOL           11
#define FLASK_SETBOOL           12
#define FLASK_COMMITBOOLS       13
#define FLASK_MLS               14
#define FLASK_DISABLE           15
#define FLASK_GETAVC_THRESHOLD  16
#define FLASK_SETAVC_THRESHOLD  17
#define FLASK_AVC_HASHSTATS     18
#define FLASK_AVC_CACHESTATS    19
#define FLASK_MEMBER            20
#define FLASK_ADD_OCONTEXT      21
#define FLASK_DEL_OCONTEXT      22
#define FLASK_GET_PEER_SID      23
    /* IN: must equal XEN_FLASK_INTERFACE_VERSION. */
    uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
    /*
     * Per-command payload.  Members not annotated with a command list pair
     * with the command of the same name.  FLASK_GETENFORCE, FLASK_POLICYVERS,
     * FLASK_COMMITBOOLS, FLASK_MLS, FLASK_DISABLE and FLASK_GETAVC_THRESHOLD
     * have no member annotated for them in this header; whether they carry a
     * payload at all (e.g. whether GETAVC_THRESHOLD reuses setavc_threshold)
     * cannot be told from here -- check the handler.
     */
    union {
        struct xen_flask_load load;
        struct xen_flask_setenforce enforce;
        /* FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT */
        struct xen_flask_sid_context sid_context;
        struct xen_flask_access access;
        /* FLASK_CREATE, FLASK_RELABEL, FLASK_MEMBER */
        struct xen_flask_transition transition;
        struct xen_flask_userlist userlist;
        /* FLASK_GETBOOL, FLASK_SETBOOL */
        struct xen_flask_boolean boolean;
        struct xen_flask_setavc_threshold setavc_threshold;
        struct xen_flask_hash_stats hash_stats;
        struct xen_flask_cache_stats cache_stats;
        /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
        struct xen_flask_ocontext ocontext;
        struct xen_flask_peersid peersid;
    } u;
};
/* Guest-handle type for passing a struct xen_flask_op to the hypercall;
 * the hypervisor copies the structure in through this handle rather than
 * dereferencing a raw guest pointer. */
typedef struct xen_flask_op xen_flask_op_t;
DEFINE_XEN_GUEST_HANDLE(xen_flask_op_t);
192
193#endif
194