From: kfraser@localhost.localdomain Date: Wed, 18 Oct 2006 16:54:06 +0000 (+0100) Subject: [ACM] Add access control module information for hypercalls and X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~15589^2~43 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/success//%22http:/www.example.com/cgi/success/?a=commitdiff_plain;h=ae027013678935a824e7ee7e206f151f0283953e;p=xen.git [ACM] Add access control module information for hypercalls and xenstore entries to the interface manual. Signed-off by: Reiner Sailer --- diff --git a/docs/src/interface.tex b/docs/src/interface.tex index 9a598406a1..a77d4e81c2 100644 --- a/docs/src/interface.tex +++ b/docs/src/interface.tex @@ -955,7 +955,6 @@ This information doesn't change and is indexed by the domain's UUID. A {\bf /vm} entry contains the following information: \begin{description} -\item[ssidref] ssid reference for domain \item[uuid] uuid of the domain (somewhat redundant) \item[on\_reboot] the action to take on a domain reboot request (destroy or restart) \item[on\_poweroff] the action to take on a domain halt request (destroy or restart) @@ -1125,6 +1124,16 @@ This path contains: \end{description} \end{description} + \item[security/] access control information for the domain + \begin{description} + \item[ssidref] security reference identifier used inside the hypervisor + \item[access\_control/] security label used by management tools + \begin{description} + \item[label] security label name + \item[policy] security policy name + \end{description} + \end{description} + \item[store/] per-domain information for the store \begin{description} \item[port] the event channel used for the store ring queue @@ -2168,19 +2177,46 @@ Most of the above are best understood by looking at the code implementing them (in {\tt xen/common/dom0\_ops.c}) and in the user-space tools that use them (mostly in {\tt tools/libxc}). +\section{Access Control Module Hypercalls} +\label{s:acmops} + Hypercalls relating to the management of the Access Control Module are -also restricted to domain 0 access for now: +also restricted to domain 0 access for now. For more details on any or +all of these, please see {\tt xen/include/public/acm\_ops.h}. A +complete list is given below: \begin{quote} -\hypercall{acm\_op(struct acm\_op * u\_acm\_op)} +\hypercall{acm\_op(int cmd, void *args)} This hypercall can be used to configure the state of the ACM, query that state, request access control decisions and dump additional information. +\begin{description} + +\item [ACMOP\_SETPOLICY:] set the access control policy + +\item [ACMOP\_GETPOLICY:] get the current access control policy and + status + +\item [ACMOP\_DUMPSTATS:] get current access control hook invocation + statistics + +\item [ACMOP\_GETSSID:] get security access control information for a + domain + +\item [ACMOP\_GETDECISION:] get access decision based on the currently + enforced access control policy + +\end{description} \end{quote} +Most of the above are best understood by looking at the code +implementing them (in {\tt xen/common/acm\_ops.c}) and in the +user-space tools that use them (mostly in {\tt tools/security} and +{\tt tools/python/xen/lowlevel/acm}). + \section{Debugging Hypercalls}