/*
 *  This file contains the flask_op hypercall commands and definitions.
 *
 *  Author:  George Coker, <gscoker@alpha.ncsc.mil>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to
 * deal in the Software without restriction, including without limitation the
 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
 * sell copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 */

#ifndef __FLASK_OP_H__
#define __FLASK_OP_H__

/* Provides evtchn_port_t, used by struct xen_flask_peersid below. */
#include "../event_channel.h"

/* Value a caller must store in xen_flask_op.interface_version, so the
 * handler can detect a caller built against a different layout of this
 * header (confirm the actual check against the implementation). */
#define XEN_FLASK_INTERFACE_VERSION 1

/* Payload of FLASK_LOAD: a guest buffer handed to the hypervisor
 * (presumably the security policy image — inferred from the name).
 * NOTE(review): `size` is a guest-supplied length for `buffer`; the
 * handler is expected to bound every copy from `buffer` by it — confirm. */
struct xen_flask_load {
    /* IN: guest buffer holding the data to load */
    XEN_GUEST_HANDLE(char) buffer;
    /* IN: number of bytes readable through buffer */
    uint32_t size;
};

/* Payload of FLASK_SETENFORCE. */
struct xen_flask_setenforce {
    /* IN: new enforcing state (presumably non-zero = enforcing,
     * zero = permissive; confirm against the handler) */
    uint32_t enforcing;
};

/* Shared payload of FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT:
 * converts between a numeric SID and its textual security context.
 * Which field is input and which is output depends on the command. */
struct xen_flask_sid_context {
    /* IN/OUT: sid to convert to/from string */
    uint32_t sid;
    /* IN: size of the context buffer
     * OUT: actual size of the output context string
     * NOTE(review): an OUT value larger than the IN value means the string
     * did not fit; callers should compare the two instead of assuming the
     * buffer holds a complete string — confirm against the handler.
     */
    uint32_t size;
    /* IN/OUT: guest buffer holding the context string */
    XEN_GUEST_HANDLE(char) context;
};

/* Payload of FLASK_ACCESS: an access-vector-cache query. The request is a
 * (ssid, tsid, tclass, req) tuple; the answer is the AVC decision for it.
 * (ssid/tsid are presumably source/target SID — inferred from naming.) */
struct xen_flask_access {
    /* IN: access request */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    /* requested permission bits — presumably a bitmask; confirm */
    uint32_t req;
    /* OUT: AVC data */
    /* permissions granted for the request */
    uint32_t allowed;
    /* permissions whose grant is audited */
    uint32_t audit_allow;
    /* permissions whose denial is audited */
    uint32_t audit_deny;
    /* policy sequence number the decision was made under */
    uint32_t seqno;
};

/* Payload of FLASK_CREATE, FLASK_RELABEL and FLASK_MEMBER (see the union
 * comment in struct xen_flask_op): computes the SID produced by a labelling
 * transition between two SIDs for a given object class. */
struct xen_flask_transition {
    /* IN: transition SIDs and class */
    uint32_t ssid;
    uint32_t tsid;
    uint32_t tclass;
    /* OUT: new SID */
    uint32_t newsid;
};

/* Presumably the payload of FLASK_USER, which is marked below as no longer
 * implemented. It is only compiled for callers built against an interface
 * version older than 4.8, so their view of struct xen_flask_op is kept. */
#if __XEN_INTERFACE_VERSION__ < 0x00040800
struct xen_flask_userlist {
    /* IN: starting SID for list */
    uint32_t start_sid;
    /* IN: size of user string and output buffer
     * OUT: number of SIDs returned */
    uint32_t size;
    /* The two handles share storage: one guest buffer is named both as the
     * input user string and as the output SID list. */
    union {
        /* IN: user to enumerate SIDs */
        XEN_GUEST_HANDLE(char) user;
        /* OUT: SID list */
        XEN_GUEST_HANDLE(uint32) sids;
    } u;
};
#endif

/* Shared payload of FLASK_GETBOOL and FLASK_SETBOOL. A boolean is addressed
 * either by numeric id or, when bool_id is -1, by the name in `name`.
 * Fields marked [GET only] are written by the GET command only. */
struct xen_flask_boolean {
    /* IN/OUT: numeric identifier for boolean [GET/SET]
     * If -1, name will be used and bool_id will be filled in.
     * (-1 stored in a uint32_t is 0xFFFFFFFF.) */
    uint32_t bool_id;
    /* OUT: current enforcing value of boolean [GET/SET] */
    uint8_t enforcing;
    /* OUT: pending value of boolean [GET/SET] */
    uint8_t pending;
    /* IN: new value of boolean [SET] */
    uint8_t new_value;
    /* IN: commit new value instead of only setting pending [SET] */
    uint8_t commit;
    /* IN: size of boolean name buffer [GET/SET]
     * OUT: actual size of name [GET only]
     * NOTE(review): as with xen_flask_sid_context, an OUT size larger than
     * the IN size means the name was not fully written — confirm. */
    uint32_t size;
    /* IN: if bool_id is -1, used to find boolean [GET/SET]
     * OUT: textual name of boolean [GET only]
     */
    XEN_GUEST_HANDLE(char) name;
};

/* Payload of FLASK_SETAVC_THRESHOLD. FLASK_GETAVC_THRESHOLD has no member
 * in the xen_flask_op union, so it presumably reports the value through the
 * hypercall return value — confirm. */
struct xen_flask_setavc_threshold {
    /* IN */
    uint32_t threshold;
};

/* Payload of FLASK_AVC_HASHSTATS: output-only statistics about the AVC
 * hash table. Nothing in this struct is read from the caller. */
struct xen_flask_hash_stats {
    /* OUT */
    uint32_t entries;
    uint32_t buckets_used;
    uint32_t buckets_total;
    uint32_t max_chain_len;
};

/* Payload of FLASK_AVC_CACHESTATS: per-CPU AVC counters.
 * NOTE(review): `cpu` is a caller-chosen index; the handler is expected to
 * range-check it before indexing any per-CPU array — confirm. */
struct xen_flask_cache_stats {
    /* IN */
    uint32_t cpu;
    /* OUT */
    uint32_t lookups;
    uint32_t hits;
    uint32_t misses;
    uint32_t allocations;
    uint32_t reclaims;
    uint32_t frees;
};

/* Shared payload of FLASK_ADD_OCONTEXT and FLASK_DEL_OCONTEXT (see the
 * union comment in struct xen_flask_op): associates a SID with an object
 * context of type `ocon` covering the range [low, high]. Whether the range
 * is inclusive and what `ocon` enumerates is not defined here — confirm. */
struct xen_flask_ocontext {
    /* IN */
    uint32_t ocon;
    uint32_t sid;
    uint64_t low, high;
};

/* Presumably the payload of FLASK_GET_PEER_SID (inferred from the name):
 * looks up the SID of the domain at the other end of a local event
 * channel. evtchn_port_t comes from the included event_channel.h. */
struct xen_flask_peersid {
    /* IN */
    evtchn_port_t evtchn;
    /* OUT */
    uint32_t sid;
};

/* Presumably the payload of FLASK_RELABEL_DOMAIN (FLASK_RELABEL itself uses
 * struct xen_flask_transition, per the union comment in struct xen_flask_op):
 * assigns a new SID to an existing domain. */
struct xen_flask_relabel {
    /* IN */
    /* target domain; carried as uint32_t rather than a domid type */
    uint32_t domid;
    uint32_t sid;
};

/* Presumably the payload of FLASK_DEVICETREE_LABEL (inferred from the name):
 * labels a device-tree node, identified by path, with a SID.
 * NOTE(review): `length` is a caller-supplied byte count for `path`; the
 * handler is expected to bound its copy by it — confirm. */
struct xen_flask_devicetree_label {
    /* IN */
    uint32_t sid;
    /* IN: number of bytes readable through path */
    uint32_t length;
    /* IN: guest buffer holding the device-tree path */
    XEN_GUEST_HANDLE(char) path;
};

/* Top-level argument of the flask_op hypercall: `cmd` selects the operation,
 * `interface_version` guards the layout and `u` carries the per-command
 * payload. Commands that have no member in the union (FLASK_GETENFORCE,
 * FLASK_POLICYVERS, FLASK_COMMITBOOLS, FLASK_MLS, FLASK_DISABLE,
 * FLASK_GETAVC_THRESHOLD) presumably return their result through the
 * hypercall return value — confirm against the implementation. */
struct xen_flask_op {
    /* IN: one of the FLASK_* command numbers below. FLASK_USER keeps its
     * number although the operation is gone, so the numbering stays stable
     * for older callers. */
    uint32_t cmd;
#define FLASK_LOAD              1
#define FLASK_GETENFORCE        2
#define FLASK_SETENFORCE        3
#define FLASK_CONTEXT_TO_SID    4
#define FLASK_SID_TO_CONTEXT    5
#define FLASK_ACCESS            6
#define FLASK_CREATE            7
#define FLASK_RELABEL           8
#define FLASK_USER              9  /* No longer implemented */
#define FLASK_POLICYVERS        10
#define FLASK_GETBOOL           11
#define FLASK_SETBOOL           12
#define FLASK_COMMITBOOLS       13
#define FLASK_MLS               14
#define FLASK_DISABLE           15
#define FLASK_GETAVC_THRESHOLD  16
#define FLASK_SETAVC_THRESHOLD  17
#define FLASK_AVC_HASHSTATS     18
#define FLASK_AVC_CACHESTATS    19
#define FLASK_MEMBER            20
#define FLASK_ADD_OCONTEXT      21
#define FLASK_DEL_OCONTEXT      22
#define FLASK_GET_PEER_SID      23
#define FLASK_RELABEL_DOMAIN    24
#define FLASK_DEVICETREE_LABEL  25
    /* IN: must equal XEN_FLASK_INTERFACE_VERSION */
    uint32_t interface_version;
    /* IN/OUT: payload selected by cmd. Members that carry an explicit
     * command comment are shared by several commands; the others match the
     * command of the same name (inferred from naming — confirm against the
     * handler). The union is sized by its largest member whatever command
     * is issued. */
    union {
        struct xen_flask_load load;
        struct xen_flask_setenforce enforce;
        /* FLASK_CONTEXT_TO_SID and FLASK_SID_TO_CONTEXT */
        struct xen_flask_sid_context sid_context;
        struct xen_flask_access access;
        /* FLASK_CREATE, FLASK_RELABEL, FLASK_MEMBER */
        struct xen_flask_transition transition;
#if __XEN_INTERFACE_VERSION__ < 0x00040800
        /* Retired FLASK_USER payload, compiled out for newer interface
         * versions. Dropping it does not change the union's size because
         * sid_context has the same field set (two uint32_t and a handle),
         * assuming all XEN_GUEST_HANDLE types share one size. */
        struct xen_flask_userlist userlist;
#endif
        /* FLASK_GETBOOL, FLASK_SETBOOL */
        struct xen_flask_boolean boolean;
        struct xen_flask_setavc_threshold setavc_threshold;
        struct xen_flask_hash_stats hash_stats;
        struct xen_flask_cache_stats cache_stats;
        /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
        struct xen_flask_ocontext ocontext;
        struct xen_flask_peersid peersid;
        struct xen_flask_relabel relabel;
        struct xen_flask_devicetree_label devicetree_label;
    } u;
};
typedef struct xen_flask_op xen_flask_op_t;
/* Guest-handle type through which a struct xen_flask_op is passed to the
 * hypercall. */
DEFINE_XEN_GUEST_HANDLE(xen_flask_op_t);

#endif /* __FLASK_OP_H__ */
