/*
* This file contains the flask_op hypercall commands and definitions.
*
* Author: George Coker, <[email protected]>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to
* deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
* sell copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#ifndef __FLASK_OP_H__
#define __FLASK_OP_H__

/* Provides evtchn_port_t, used by struct xen_flask_peersid below. */
#include "../event_channel.h"

/*
 * Version of the structure layouts in this header.  Callers store this
 * value in xen_flask_op.interface_version (see the comment on that field);
 * presumably the hypervisor rejects a mismatch -- confirm in the flask_op
 * handler, which is not part of this header.
 */
#define XEN_FLASK_INTERFACE_VERSION 1

/*
 * Payload of xen_flask_op.u.load: a policy image supplied by the caller.
 * Going by the name this is the FLASK_LOAD request.
 */
struct xen_flask_load {
    /* IN: guest buffer holding the policy image */
    XEN_GUEST_HANDLE(char) buffer;
    /* IN: number of bytes in 'buffer'.  Caller-controlled, so the
     * hypervisor side is expected to bound this before copying from the
     * handle; that check lives outside this header. */
    uint32_t size;
};
typedef struct xen_flask_load xen_flask_load_t;
/*
 * Payload of xen_flask_op.u.enforce (FLASK_SETENFORCE, going by the name).
 */
struct xen_flask_setenforce {
    /* IN: requested enforcing state; presumably nonzero selects enforcing
     * mode -- confirm against the handler */
    uint32_t enforcing;
};
typedef struct xen_flask_setenforce xen_flask_setenforce_t;
/*
 * Payload of xen_flask_op.u.sid_context, shared by FLASK_CONTEXT_TO_SID and
 * FLASK_SID_TO_CONTEXT (see the union comment in struct xen_flask_op).
 * Which of 'sid' and 'context' is the input depends on the command.
 */
struct xen_flask_sid_context {
    /* IN/OUT: sid to convert to/from string */
    uint32_t sid;
    /* IN: size of the context buffer
     * OUT: actual size of the output context string
     * The IN value is caller-controlled and bounds the hypervisor's write
     * into 'context'; an OUT value larger than the IN value presumably means
     * the buffer was too small -- confirm against the handler.
     */
    uint32_t size;
    /* IN/OUT: guest buffer holding the textual security context.  Whether
     * the OUT string is NUL-terminated is not specified here. */
    XEN_GUEST_HANDLE(char) context;
};
typedef struct xen_flask_sid_context xen_flask_sid_context_t;
/*
 * Payload of xen_flask_op.u.access: an access-vector query against the
 * loaded policy (FLASK_ACCESS, going by the name).  The reply mirrors what
 * the AVC returns; the bit layout of the vectors is policy-defined and not
 * described here.
 */
struct xen_flask_access {
    /* IN: access request */
    /* source and target security identifiers (Flask naming) */
    uint32_t ssid;
    uint32_t tsid;
    /* object class the request is checked against */
    uint32_t tclass;
    /* requested permission vector */
    uint32_t req;
    /* OUT: AVC data */
    /* permissions the policy grants for (ssid, tsid, tclass) */
    uint32_t allowed;
    /* permissions whose grant / denial is audited */
    uint32_t audit_allow;
    uint32_t audit_deny;
    /* policy sequence number the answer was computed under, so a caller
     * can tell whether the policy changed since the query -- presumed from
     * the name */
    uint32_t seqno;
};
typedef struct xen_flask_access xen_flask_access_t;
67
68
/*
 * Payload of xen_flask_op.u.transition, shared by FLASK_CREATE,
 * FLASK_RELABEL and FLASK_MEMBER (see the union comment in struct
 * xen_flask_op).  The command selects which kind of SID computation the
 * policy performs on the same three inputs.
 */
struct xen_flask_transition {
    /* IN: transition SIDs and class */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    /* OUT: new SID */
    uint32_t newsid;
};
typedef struct xen_flask_transition xen_flask_transition_t;
/*
 * Payload of the FLASK_USER command, which is marked "No longer implemented"
 * in the command list below.  The structure is only exposed to callers
 * built against an interface version older than 4.8 so that their
 * xen_flask_op layout is unchanged; it has no typedef, unlike the others.
 */
#if __XEN_INTERFACE_VERSION__ < 0x00040800
struct xen_flask_userlist {
    /* IN: starting SID for list */
    uint32_t start_sid;
    /* IN: size of user string and output buffer
     * OUT: number of SIDs returned */
    uint32_t size;
    /* 'user' and 'sids' share storage: the IN handle is overwritten by the
     * OUT handle, so a caller must not expect 'user' to survive the call. */
    union {
        /* IN: user to enumerate SIDs */
        XEN_GUEST_HANDLE(char) user;
        /* OUT: SID list */
        XEN_GUEST_HANDLE(uint32) sids;
    } u;
};
#endif
93
94
/*
 * Payload of xen_flask_op.u.boolean, shared by FLASK_GETBOOL and
 * FLASK_SETBOOL (see the union comment in struct xen_flask_op).  Each field
 * comment notes which command(s) use it and in which direction.
 */
struct xen_flask_boolean {
    /* IN/OUT: numeric identifier for boolean [GET/SET]
     * If -1, name will be used and bool_id will be filled in.
     * The field is unsigned, so "-1" means (uint32_t)-1, i.e. 0xffffffff. */
    uint32_t bool_id;
    /* OUT: current enforcing value of boolean [GET/SET] */
    uint8_t enforcing;
    /* OUT: pending value of boolean [GET/SET] */
    uint8_t pending;
    /* IN: new value of boolean [SET] */
    uint8_t new_value;
    /* IN: commit new value instead of only setting pending [SET] */
    uint8_t commit;
    /* IN: size of boolean name buffer [GET/SET]
     * OUT: actual size of name [GET only]
     * Caller-controlled IN value; it bounds the hypervisor's access to
     * 'name' and is expected to be validated on the hypervisor side. */
    uint32_t size;
    /* IN: if bool_id is -1, used to find boolean [GET/SET]
     * OUT: textual name of boolean [GET only]
     */
    XEN_GUEST_HANDLE(char) name;
};
typedef struct xen_flask_boolean xen_flask_boolean_t;
115
116
/*
 * Payload of xen_flask_op.u.setavc_threshold (FLASK_SETAVC_THRESHOLD, going
 * by the name).  What the threshold governs is not described in this header.
 */
struct xen_flask_setavc_threshold {
    /* IN */
    uint32_t threshold;
};
typedef struct xen_flask_setavc_threshold xen_flask_setavc_threshold_t;
121
122
/*
 * Payload of xen_flask_op.u.hash_stats (FLASK_AVC_HASHSTATS, going by the
 * name).  Reply-only: every field is written by the hypervisor.
 */
struct xen_flask_hash_stats {
    /* OUT */
    uint32_t entries;
    uint32_t buckets_used;
    uint32_t buckets_total;
    uint32_t max_chain_len;
};
typedef struct xen_flask_hash_stats xen_flask_hash_stats_t;
130
131
/*
 * Payload of xen_flask_op.u.cache_stats (FLASK_AVC_CACHESTATS, going by the
 * name): per-CPU AVC counters.
 */
struct xen_flask_cache_stats {
    /* IN */
    /* CPU whose counters are requested.  Caller-controlled index; the
     * hypervisor side is expected to range-check it. */
    uint32_t cpu;
    /* OUT */
    uint32_t lookups;
    uint32_t hits;
    uint32_t misses;
    uint32_t allocations;
    uint32_t reclaims;
    uint32_t frees;
};
typedef struct xen_flask_cache_stats xen_flask_cache_stats_t;
143
144
/*
 * Payload of xen_flask_op.u.ocontext, shared by FLASK_ADD_OCONTEXT and
 * FLASK_DEL_OCONTEXT (see the union comment in struct xen_flask_op).
 */
struct xen_flask_ocontext {
    /* IN */
    /* object-context type selector; the valid values are defined by the
     * policy side, not here */
    uint32_t ocon;
    /* security identifier to associate with the object range */
    uint32_t sid;
    /* 'low' and 'high' read as the bounds of an object range (e.g. a
     * resource range) -- inclusive or exclusive is not specified here */
    uint64_t low, high;
};
typedef struct xen_flask_ocontext xen_flask_ocontext_t;
/*
 * Payload of xen_flask_op.u.peersid (FLASK_GET_PEER_SID, going by the name):
 * look up the SID of the peer on an event channel.
 */
struct xen_flask_peersid {
    /* IN */
    /* local event-channel port; type comes from ../event_channel.h */
    evtchn_port_t evtchn;
    /* OUT */
    uint32_t sid;
};
typedef struct xen_flask_peersid xen_flask_peersid_t;
159
160
/*
 * Payload of xen_flask_op.u.relabel (FLASK_RELABEL_DOMAIN, going by the
 * name): assign a new SID to a domain.  Distinct from FLASK_RELABEL, which
 * uses xen_flask_transition.
 */
struct xen_flask_relabel {
    /* IN */
    uint32_t domid;
    uint32_t sid;
};
typedef struct xen_flask_relabel xen_flask_relabel_t;
166
167
/*
 * Payload of xen_flask_op.u.devicetree_label (FLASK_DEVICETREE_LABEL, going
 * by the name): label a device-tree node by path.
 */
struct xen_flask_devicetree_label {
    /* IN */
    uint32_t sid;
    /* byte length of 'path'.  Caller-controlled; the hypervisor side is
     * expected to bound it before reading from the handle. */
    uint32_t length;
    XEN_GUEST_HANDLE(char) path;
};
typedef struct xen_flask_devicetree_label xen_flask_devicetree_label_t;
174
175
/*
 * Argument block of the flask_op hypercall.  'cmd' selects the operation
 * and thereby which member of 'u' carries the request and reply.  Both
 * 'cmd' and the payload come from the calling domain, so the hypervisor
 * side is expected to validate 'cmd' and every guest handle and size
 * inside 'u' before use; those checks are not part of this header.
 */
struct xen_flask_op {
    uint32_t cmd;
/*
 * Command numbers for 'cmd'.  They are part of the ABI and keep their
 * values; two entries are still defined but marked no longer implemented.
 */
#define FLASK_LOAD 1
#define FLASK_GETENFORCE 2
#define FLASK_SETENFORCE 3
#define FLASK_CONTEXT_TO_SID 4
#define FLASK_SID_TO_CONTEXT 5
#define FLASK_ACCESS 6
#define FLASK_CREATE 7
#define FLASK_RELABEL 8
#define FLASK_USER 9 /* No longer implemented */
#define FLASK_POLICYVERS 10
#define FLASK_GETBOOL 11
#define FLASK_SETBOOL 12
#define FLASK_COMMITBOOLS 13
#define FLASK_MLS 14
#define FLASK_DISABLE 15 /* No longer implemented */
#define FLASK_GETAVC_THRESHOLD 16
#define FLASK_SETAVC_THRESHOLD 17
#define FLASK_AVC_HASHSTATS 18
#define FLASK_AVC_CACHESTATS 19
#define FLASK_MEMBER 20
#define FLASK_ADD_OCONTEXT 21
#define FLASK_DEL_OCONTEXT 22
#define FLASK_GET_PEER_SID 23
#define FLASK_RELABEL_DOMAIN 24
#define FLASK_DEVICETREE_LABEL 25
    /* Set by the caller to the version of this header it was built against. */
    uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
    /*
     * Per-command payload.  Commands without a member here (for example
     * FLASK_GETENFORCE or FLASK_POLICYVERS) presumably carry their result
     * elsewhere, such as in the hypercall return value -- confirm against
     * the handler.
     */
    union {
        xen_flask_load_t load;
        xen_flask_setenforce_t enforce;
        /* FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT */
        xen_flask_sid_context_t sid_context;
        xen_flask_access_t access;
        /* FLASK_CREATE, FLASK_RELABEL, FLASK_MEMBER */
        xen_flask_transition_t transition;
        /* Only present for callers built against an interface older than
         * 4.8; it is the payload of the no-longer-implemented FLASK_USER. */
#if __XEN_INTERFACE_VERSION__ < 0x00040800
        struct xen_flask_userlist userlist;
#endif
        /* FLASK_GETBOOL, FLASK_SETBOOL */
        xen_flask_boolean_t boolean;
        xen_flask_setavc_threshold_t setavc_threshold;
        xen_flask_hash_stats_t hash_stats;
        xen_flask_cache_stats_t cache_stats;
        /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
        xen_flask_ocontext_t ocontext;
        xen_flask_peersid_t peersid;
        xen_flask_relabel_t relabel;
        xen_flask_devicetree_label_t devicetree_label;
    } u;
};
typedef struct xen_flask_op xen_flask_op_t;
/* Guest-handle type for passing a struct xen_flask_op to the hypercall. */
DEFINE_XEN_GUEST_HANDLE(xen_flask_op_t);
#endif /* __FLASK_OP_H__ */
