1/*
2 *  This file contains the flask_op hypercall commands and definitions.
3 *
4 *  Author:  George Coker, <gscoker@alpha.ncsc.mil>
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to
8 * deal in the Software without restriction, including without limitation the
9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10 * sell copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
22 * DEALINGS IN THE SOFTWARE.
23 */
24
25#ifndef __FLASK_OP_H__
26#define __FLASK_OP_H__
27
28#include "../event_channel.h"
29
/* Layout version of struct xen_flask_op; the value a caller is expected to
 * place in xen_flask_op.interface_version (see that field's comment). */
#define XEN_FLASK_INTERFACE_VERSION 1
31
/* Arguments carried in xen_flask_op.u.load (presumably for FLASK_LOAD, by
 * name).  Both fields are caller-supplied.
 * NOTE(review): 'size' is guest-controlled; the handler is presumed to bound
 * every read of 'buffer' by it rather than by anything inside the data —
 * confirm against the hypercall implementation. */
struct xen_flask_load {
    /* IN: guest buffer to load (its format is not described in this header) */
    XEN_GUEST_HANDLE(char) buffer;
    /* IN: number of bytes the caller makes available in 'buffer' */
    uint32_t size;
};
36
/* Arguments carried in xen_flask_op.u.enforce (presumably for
 * FLASK_SETENFORCE, by name). */
struct xen_flask_setenforce {
    /* IN: requested enforcing value; the accepted values are defined by the
     * hypervisor, not here */
    uint32_t enforcing;
};
40
/* Arguments shared by FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT (see the
 * union in struct xen_flask_op).  Which of 'sid' and 'context' is the input
 * depends on the command. */
struct xen_flask_sid_context {
    /* IN/OUT: sid to convert to/from string */
    uint32_t sid;
    /* IN: size of the context buffer
     * OUT: actual size of the output context string
     * NOTE(review): the OUT value describes the full string; whether it can
     * exceed the IN value (i.e. whether a caller must compare the two to
     * detect truncation) is not stated here — verify against the handler.
     */
    uint32_t size;
    /* IN or OUT: guest buffer holding the textual context, direction per
     * command */
    XEN_GUEST_HANDLE(char) context;
};
50
/* Arguments carried in xen_flask_op.u.access (presumably for FLASK_ACCESS,
 * by name): an access-vector query and the cached decision it produced. */
struct xen_flask_access {
    /* IN: access request */
    /* Source SID, target SID, target class and requested permission set,
     * going by the field names; the bit layout of 'req' is not defined in
     * this header. */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    uint32_t req;
    /* OUT: AVC data */
    /* Permissions granted, the audit masks for allowed/denied accesses, and
     * a sequence number — presumably the AVC's at the time of the decision;
     * exact semantics live in the hypervisor, not here. */
    uint32_t allowed;
    uint32_t audit_allow;
    uint32_t audit_deny;
    uint32_t seqno;
};
63
/* Arguments shared by FLASK_CREATE, FLASK_RELABEL and FLASK_MEMBER (see the
 * union in struct xen_flask_op): compute a new SID from a source/target pair
 * and a class. */
struct xen_flask_transition {
    /* IN: transition SIDs and class */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    /* OUT: new SID */
    uint32_t newsid;
};
72
73#if __XEN_INTERFACE_VERSION__ < 0x00040800
/* Legacy argument block, kept only for __XEN_INTERFACE_VERSION__ below
 * 0x00040800; the matching command FLASK_USER is marked "No longer
 * implemented" below.  Retained so older callers still compile. */
struct xen_flask_userlist {
    /* IN: starting SID for list */
    uint32_t start_sid;
    /* IN: size of user string and output buffer
     * OUT: number of SIDs returned */
    uint32_t size;
    /* The two handles overlay each other: the input user name and the
     * output SID list share the same guest buffer. */
    union {
        /* IN: user to enumerate SIDs */
        XEN_GUEST_HANDLE(char) user;
        /* OUT: SID list */
        XEN_GUEST_HANDLE(uint32) sids;
    } u;
};
87#endif
88
/* Arguments shared by FLASK_GETBOOL and FLASK_SETBOOL (see the union in
 * struct xen_flask_op).  Bracketed tags say which command uses a field. */
struct xen_flask_boolean {
    /* IN/OUT: numeric identifier for boolean [GET/SET]
     * If -1, name will be used and bool_id will be filled in.
     * (bool_id is unsigned, so "-1" is the all-ones value 0xFFFFFFFF.) */
    uint32_t bool_id;
    /* OUT: current enforcing value of boolean [GET/SET] */
    uint8_t enforcing;
    /* OUT: pending value of boolean [GET/SET] */
    uint8_t pending;
    /* IN: new value of boolean [SET] */
    uint8_t new_value;
    /* IN: commit new value instead of only setting pending [SET] */
    uint8_t commit;
    /* IN: size of boolean name buffer [GET/SET]
     * OUT: actual size of name [GET only]
     * NOTE(review): caller-supplied; the handler is presumed to bound its
     * use of 'name' by this value — confirm in the implementation. */
    uint32_t size;
    /* IN: if bool_id is -1, used to find boolean [GET/SET]
     * OUT: textual name of boolean [GET only]
     */
    XEN_GUEST_HANDLE(char) name;
};
109
/* Arguments carried in xen_flask_op.u.setavc_threshold (presumably for
 * FLASK_SETAVC_THRESHOLD, by name). */
struct xen_flask_setavc_threshold {
    /* IN */
    /* New AVC threshold; its units are defined by the hypervisor, not here. */
    uint32_t threshold;
};
114
/* Results carried in xen_flask_op.u.hash_stats (presumably for
 * FLASK_AVC_HASHSTATS, by name).  No inputs; every field is filled in by the
 * hypervisor. */
struct xen_flask_hash_stats {
    /* OUT */
    /* Occupancy of the hash table: entry count, buckets in use, bucket
     * total and the longest collision chain, going by the field names. */
    uint32_t entries;
    uint32_t buckets_used;
    uint32_t buckets_total;
    uint32_t max_chain_len;
};
122
/* Arguments carried in xen_flask_op.u.cache_stats (presumably for
 * FLASK_AVC_CACHESTATS, by name): per-CPU cache counters. */
struct xen_flask_cache_stats {
    /* IN */
    /* CPU whose counters are requested; range checking of this value is the
     * hypervisor's responsibility and is not visible here. */
    uint32_t cpu;
    /* OUT */
    /* Counters for that CPU, going by the field names. */
    uint32_t lookups;
    uint32_t hits;
    uint32_t misses;
    uint32_t allocations;
    uint32_t reclaims;
    uint32_t frees;
};
134
/* Arguments shared by FLASK_ADD_OCONTEXT and FLASK_DEL_OCONTEXT (see the
 * union in struct xen_flask_op).  All fields are inputs; the layout is ABI
 * and must not be reordered. */
struct xen_flask_ocontext {
    /* IN: object-context type selector; its value space is defined by the
     * hypervisor, not here */
    uint32_t ocon;
    /* IN: SID to associate with the object context */
    uint32_t sid;
    /* IN: lower and upper bound of the object range, going by the field
     * names (whether the bounds are inclusive is not stated here) */
    uint64_t low;
    uint64_t high;
};
141
/* Arguments carried in xen_flask_op.u.peersid (presumably for
 * FLASK_GET_PEER_SID, by name): look up the SID on the far side of an event
 * channel. */
struct xen_flask_peersid {
    /* IN */
    /* Local event-channel port (type from event_channel.h) */
    evtchn_port_t evtchn;
    /* OUT */
    /* SID of the peer of that channel */
    uint32_t sid;
};
148
/* Arguments carried in xen_flask_op.u.relabel (presumably for
 * FLASK_RELABEL_DOMAIN, by name; note that FLASK_RELABEL itself uses
 * struct xen_flask_transition per the union comments). */
struct xen_flask_relabel {
    /* IN */
    /* Domain to relabel and the SID to give it */
    uint32_t domid;
    uint32_t sid;
};
154
/* Arguments carried in xen_flask_op.u.devicetree_label (presumably for
 * FLASK_DEVICETREE_LABEL, by name). */
struct xen_flask_devicetree_label {
    /* IN */
    /* SID to assign to the device-tree node */
    uint32_t sid;
    /* Length of 'path' in bytes (presumably; whether it counts a terminating
     * NUL is not stated here).  Caller-supplied, so the handler is presumed
     * to bound its read of 'path' by it — confirm in the implementation. */
    uint32_t length;
    /* Guest buffer holding the device-tree path */
    XEN_GUEST_HANDLE(char) path;
};
161
/* Argument block of the flask_op hypercall.  'cmd' selects the operation
 * and, with it, which member of 'u' carries that operation's arguments and
 * results; the comments inside the union give the mapping where one member
 * serves several commands, otherwise the member is named after the command.
 * The struct is shared with the guest, so every field is caller-controlled
 * on entry. */
struct xen_flask_op {
    /* IN: one of the FLASK_* command numbers below */
    uint32_t cmd;
#define FLASK_LOAD              1
#define FLASK_GETENFORCE        2
#define FLASK_SETENFORCE        3
#define FLASK_CONTEXT_TO_SID    4
#define FLASK_SID_TO_CONTEXT    5
#define FLASK_ACCESS            6
#define FLASK_CREATE            7
#define FLASK_RELABEL           8
#define FLASK_USER              9  /* No longer implemented */
#define FLASK_POLICYVERS        10
#define FLASK_GETBOOL           11
#define FLASK_SETBOOL           12
#define FLASK_COMMITBOOLS       13
#define FLASK_MLS               14
#define FLASK_DISABLE           15
#define FLASK_GETAVC_THRESHOLD  16
#define FLASK_SETAVC_THRESHOLD  17
#define FLASK_AVC_HASHSTATS     18
#define FLASK_AVC_CACHESTATS    19
#define FLASK_MEMBER            20
#define FLASK_ADD_OCONTEXT      21
#define FLASK_DEL_OCONTEXT      22
#define FLASK_GET_PEER_SID      23
#define FLASK_RELABEL_DOMAIN    24
#define FLASK_DEVICETREE_LABEL  25
    /* IN: expected to hold XEN_FLASK_INTERFACE_VERSION.
     * NOTE(review): presumably compared by the hypervisor against its own
     * value so that a caller built against a different layout of this struct
     * is rejected rather than misparsed — confirm in the handler. */
    uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
    union {
        struct xen_flask_load load;
        struct xen_flask_setenforce enforce;
        /* FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT */
        struct xen_flask_sid_context sid_context;
        struct xen_flask_access access;
        /* FLASK_CREATE, FLASK_RELABEL, FLASK_MEMBER */
        struct xen_flask_transition transition;
#if __XEN_INTERFACE_VERSION__ < 0x00040800
        /* Only present for interface versions below 0x00040800; FLASK_USER
         * is no longer implemented (see its definition above). */
        struct xen_flask_userlist userlist;
#endif
        /* FLASK_GETBOOL, FLASK_SETBOOL */
        struct xen_flask_boolean boolean;
        struct xen_flask_setavc_threshold setavc_threshold;
        struct xen_flask_hash_stats hash_stats;
        struct xen_flask_cache_stats cache_stats;
        /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
        struct xen_flask_ocontext ocontext;
        struct xen_flask_peersid peersid;
        struct xen_flask_relabel relabel;
        struct xen_flask_devicetree_label devicetree_label;
    } u;
};
/* Guest-handle type used to pass a struct xen_flask_op to the hypercall. */
typedef struct xen_flask_op xen_flask_op_t;
DEFINE_XEN_GUEST_HANDLE(xen_flask_op_t);
215
216#endif
217