1 /*
2  *  This file contains the flask_op hypercall commands and definitions.
3  *
4  *  Author:  George Coker, <gscoker@alpha.ncsc.mil>
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to
8  * deal in the Software without restriction, including without limitation the
9  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10  * sell copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
22  * DEALINGS IN THE SOFTWARE.
23  */
24 
25 #ifndef __FLASK_OP_H__
26 #define __FLASK_OP_H__
27 
28 #include "../event_channel.h"
29 
/* Version a caller places in xen_flask_op.interface_version (see struct
 * xen_flask_op below). Presumably the hypervisor rejects requests whose
 * version does not match; that check is not visible in this header. */
#define XEN_FLASK_INTERFACE_VERSION 1
31 
/* Argument block for FLASK_LOAD (cmd 1): hand the hypervisor a blob held in
 * guest memory (presumably the binary security policy). Both fields are
 * caller-supplied; the hypervisor side is expected to validate size before
 * copying from buffer -- that check lives outside this header. Hypercall ABI:
 * do not reorder or resize fields. */
struct xen_flask_load {
    /* IN: guest handle to the start of the blob */
    XEN_GUEST_HANDLE(char) buffer;
    /* IN: number of bytes readable at buffer */
    uint32_t size;
};
typedef struct xen_flask_load xen_flask_load_t;
37 
/* Argument block for FLASK_SETENFORCE (cmd 3). FLASK_GETENFORCE has no
 * member in the xen_flask_op union, so the current mode is presumably
 * reported through the hypercall return value rather than via this struct. */
struct xen_flask_setenforce {
    /* IN: new enforcing state (non-zero presumably selects enforcing mode;
     * the exact value semantics are not fixed by this header) */
    uint32_t enforcing;
};
typedef struct xen_flask_setenforce xen_flask_setenforce_t;
42 
/* Shared argument block for FLASK_CONTEXT_TO_SID (cmd 4) and
 * FLASK_SID_TO_CONTEXT (cmd 5): converts between a numeric security
 * identifier and its textual security-context string. The context handle
 * points into guest memory and is read (CONTEXT_TO_SID) or written
 * (SID_TO_CONTEXT) by the hypervisor. */
struct xen_flask_sid_context {
    /* IN/OUT: sid to convert to/from string */
    uint32_t sid;
    /* IN: size of the context buffer
     * OUT: actual size of the output context string
     * NOTE(review): a returned size larger than the size supplied
     * presumably indicates the buffer was too small; callers should
     * compare the two rather than trust the buffer contents blindly.
     */
    uint32_t size;
    /* IN: context string to look up (CONTEXT_TO_SID)
     * OUT: buffer receiving the context string (SID_TO_CONTEXT) */
    XEN_GUEST_HANDLE(char) context;
};
typedef struct xen_flask_sid_context xen_flask_sid_context_t;
53 
/* Argument block for FLASK_ACCESS (cmd 6): ask the access-vector cache (AVC)
 * whether a source SID may perform the requested permissions on a target SID
 * of a given class. The OUT fields mirror the AVC decision; the exact bit
 * layout of the permission masks is defined by the policy, not here. */
struct xen_flask_access {
    /* IN: access request */
    uint32_t ssid;      /* source (subject) security identifier */
    uint32_t tsid;      /* target (object) security identifier */
    uint32_t tclass;    /* object class the request is evaluated against */
    uint32_t req;       /* permission bits being requested */
    /* OUT: AVC data */
    uint32_t allowed;      /* permission bits granted */
    uint32_t audit_allow;  /* permission bits audited when allowed */
    uint32_t audit_deny;   /* permission bits audited when denied */
    uint32_t seqno;        /* AVC sequence number at decision time (presumably
                            * lets callers detect a policy reload) */
};
typedef struct xen_flask_access xen_flask_access_t;
67 
/* Shared argument block for FLASK_CREATE (cmd 7), FLASK_RELABEL (cmd 8) and
 * FLASK_MEMBER (cmd 20): compute the SID a policy transition yields for the
 * given source/target pair and class. */
struct xen_flask_transition {
    /* IN: transition SIDs and class */
    uint32_t ssid;      /* source (subject) security identifier */
    uint32_t tsid;      /* target (object) security identifier */
    uint32_t tclass;    /* object class the transition applies to */
    /* OUT: new SID */
    uint32_t newsid;
};
typedef struct xen_flask_transition xen_flask_transition_t;
77 
78 #if __XEN_INTERFACE_VERSION__ < 0x00040800
/* Legacy argument block for FLASK_USER (cmd 9), which is marked "No longer
 * implemented" below. Only compiled in for __XEN_INTERFACE_VERSION__ older
 * than 0x00040800 so that the xen_flask_op union keeps its old shape for
 * such builds; new callers should not use it. */
struct xen_flask_userlist {
    /* IN: starting SID for list */
    uint32_t start_sid;
    /* IN: size of user string and output buffer
     * OUT: number of SIDs returned */
    uint32_t size;
    /* The IN and OUT handles share storage: the user-name handle is
     * consumed on entry and the same slot then names the SID buffer. */
    union {
        /* IN: user to enumerate SIDs */
        XEN_GUEST_HANDLE(char) user;
        /* OUT: SID list */
        XEN_GUEST_HANDLE(uint32) sids;
    } u;
};
92 #endif
93 
/* Shared argument block for FLASK_GETBOOL (cmd 11) and FLASK_SETBOOL
 * (cmd 12): read or update a policy boolean, addressed either by numeric
 * id or by name. FLASK_COMMITBOOLS (cmd 13) has no member in the union and
 * presumably applies all pending values at once. */
struct xen_flask_boolean {
    /* IN/OUT: numeric identifier for boolean [GET/SET]
     * If -1, name will be used and bool_id will be filled in.
     * The field is unsigned, so "-1" here means UINT32_MAX (0xffffffff)
     * once stored; callers must write that value, not a signed -1 in a
     * wider type. */
    uint32_t bool_id;
    /* OUT: current enforcing value of boolean [GET/SET] */
    uint8_t enforcing;
    /* OUT: pending value of boolean [GET/SET] */
    uint8_t pending;
    /* IN: new value of boolean [SET] */
    uint8_t new_value;
    /* IN: commit new value instead of only setting pending [SET] */
    uint8_t commit;
    /* IN: size of boolean name buffer [GET/SET]
     * OUT: actual size of name [GET only] */
    uint32_t size;
    /* IN: if bool_id is -1, used to find boolean [GET/SET]
     * OUT: textual name of boolean [GET only]
     * The handle points into guest memory; the hypervisor is expected to
     * bound its reads/writes by size (not visible in this header).
     */
    XEN_GUEST_HANDLE(char) name;
};
typedef struct xen_flask_boolean xen_flask_boolean_t;
115 
/* Argument block for FLASK_SETAVC_THRESHOLD (cmd 17). The matching
 * FLASK_GETAVC_THRESHOLD (cmd 16) has no member in the xen_flask_op union,
 * so the current value is presumably returned via the hypercall result. */
struct xen_flask_setavc_threshold {
    /* IN: new AVC threshold (units/meaning are defined by the hypervisor
     * implementation, not by this header) */
    uint32_t threshold;
};
typedef struct xen_flask_setavc_threshold xen_flask_setavc_threshold_t;
121 
/* Output-only block for FLASK_AVC_HASHSTATS (cmd 18): occupancy statistics
 * of the AVC hash table. The caller supplies no input; all fields are
 * written by the hypervisor. */
struct xen_flask_hash_stats {
    /* OUT */
    uint32_t entries;       /* number of cached entries */
    uint32_t buckets_used;  /* buckets holding at least one entry */
    uint32_t buckets_total; /* total buckets in the table */
    uint32_t max_chain_len; /* longest collision chain */
};
typedef struct xen_flask_hash_stats xen_flask_hash_stats_t;
130 
/* Argument block for FLASK_AVC_CACHESTATS (cmd 19): per-CPU AVC counters.
 * cpu is caller-supplied and indexes hypervisor state, so the hypervisor
 * side is expected to range-check it (not visible here). */
struct xen_flask_cache_stats {
    /* IN */
    uint32_t cpu;           /* CPU whose counters are requested */
    /* OUT */
    uint32_t lookups;
    uint32_t hits;
    uint32_t misses;
    uint32_t allocations;
    uint32_t reclaims;
    uint32_t frees;
};
typedef struct xen_flask_cache_stats xen_flask_cache_stats_t;
143 
/* Shared input block for FLASK_ADD_OCONTEXT (cmd 21) and FLASK_DEL_OCONTEXT
 * (cmd 22): associate a SID with an object context entry, or remove one.
 * Input only; nothing is written back. */
struct xen_flask_ocontext {
    /* IN */
    uint32_t ocon;          /* object-context type selector (values defined
                             * by the hypervisor / policy, not here) */
    uint32_t sid;           /* SID to attach to the entry */
    uint64_t low, high;     /* presumably the [low, high] range the entry
                             * covers -- confirm against the hypervisor */
};
typedef struct xen_flask_ocontext xen_flask_ocontext_t;
151 
/* Argument block for FLASK_GET_PEER_SID (cmd 23): given one of the caller's
 * event-channel ports, return a SID -- presumably that of the domain bound
 * to the other end of the channel. evtchn_port_t comes from event_channel.h. */
struct xen_flask_peersid {
    /* IN */
    evtchn_port_t evtchn;   /* local event-channel port to look up */
    /* OUT */
    uint32_t sid;           /* SID associated with the peer */
};
typedef struct xen_flask_peersid xen_flask_peersid_t;
159 
/* Input block for the `relabel` union member, presumably consumed by
 * FLASK_RELABEL_DOMAIN (cmd 24); note that FLASK_RELABEL (cmd 8) uses
 * xen_flask_transition instead, per the union comments below. Changing a
 * running domain's label is security-sensitive and is expected to be
 * policy-gated on the hypervisor side. */
struct xen_flask_relabel {
    /* IN */
    uint32_t domid;         /* target domain */
    uint32_t sid;           /* new SID for that domain */
};
typedef struct xen_flask_relabel xen_flask_relabel_t;
166 
/* Input block for FLASK_DEVICETREE_LABEL (cmd 25): label a device-tree node,
 * named by path, with a SID. The path handle points into guest memory and
 * length is caller-supplied; the hypervisor is expected to bound its copy
 * by length (not visible here). Whether path must be NUL-terminated is not
 * stated in this header. */
struct xen_flask_devicetree_label {
    /* IN */
    uint32_t sid;           /* SID to assign to the node */
    uint32_t length;        /* number of bytes readable at path */
    XEN_GUEST_HANDLE(char) path;
};
typedef struct xen_flask_devicetree_label xen_flask_devicetree_label_t;
174 
/* Top-level hypercall argument for the flask_op hypercall. The caller fills
 * cmd, sets interface_version to XEN_FLASK_INTERFACE_VERSION and populates
 * the union member matching cmd. Every XEN_GUEST_HANDLE reachable from the
 * union refers to caller (guest) memory, so the hypervisor must treat all of
 * it as untrusted input. This struct is ABI: field order, sizes and the
 * union's member set must not change for a given interface version. */
struct xen_flask_op {
    uint32_t cmd;
#define FLASK_LOAD              1
#define FLASK_GETENFORCE        2
#define FLASK_SETENFORCE        3
#define FLASK_CONTEXT_TO_SID    4
#define FLASK_SID_TO_CONTEXT    5
#define FLASK_ACCESS            6
#define FLASK_CREATE            7
#define FLASK_RELABEL           8
#define FLASK_USER              9  /* No longer implemented */
#define FLASK_POLICYVERS        10
#define FLASK_GETBOOL           11
#define FLASK_SETBOOL           12
#define FLASK_COMMITBOOLS       13
#define FLASK_MLS               14
#define FLASK_DISABLE           15 /* No longer implemented */
#define FLASK_GETAVC_THRESHOLD  16
#define FLASK_SETAVC_THRESHOLD  17
#define FLASK_AVC_HASHSTATS     18
#define FLASK_AVC_CACHESTATS    19
#define FLASK_MEMBER            20
#define FLASK_ADD_OCONTEXT      21
#define FLASK_DEL_OCONTEXT      22
#define FLASK_GET_PEER_SID      23
#define FLASK_RELABEL_DOMAIN    24
#define FLASK_DEVICETREE_LABEL  25
    /* Commands with no union member (GETENFORCE, POLICYVERS, COMMITBOOLS,
     * MLS, GETAVC_THRESHOLD) presumably report through the hypercall
     * return value alone. The two commands marked "No longer implemented"
     * keep their numbers so existing values are never reused. */
    uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
    union {
        xen_flask_load_t load;
        xen_flask_setenforce_t enforce;
        /* FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT */
        xen_flask_sid_context_t sid_context;
        xen_flask_access_t access;
        /* FLASK_CREATE, FLASK_RELABEL, FLASK_MEMBER */
        xen_flask_transition_t transition;
#if __XEN_INTERFACE_VERSION__ < 0x00040800
        /* Legacy FLASK_USER argument; kept only so pre-4.8 interface builds
         * see the same union layout. */
        struct xen_flask_userlist userlist;
#endif
        /* FLASK_GETBOOL, FLASK_SETBOOL */
        xen_flask_boolean_t boolean;
        xen_flask_setavc_threshold_t setavc_threshold;
        xen_flask_hash_stats_t hash_stats;
        xen_flask_cache_stats_t cache_stats;
        /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
        xen_flask_ocontext_t ocontext;
        xen_flask_peersid_t peersid;
        xen_flask_relabel_t relabel;
        xen_flask_devicetree_label_t devicetree_label;
    } u;
};
typedef struct xen_flask_op xen_flask_op_t;
/* Guest-handle type for passing a xen_flask_op_t to the hypercall. */
DEFINE_XEN_GUEST_HANDLE(xen_flask_op_t);
228 
229 #endif
230