
[Xen-changelog] [xen-unstable] [ACM] Add access control module information for hypercalls and



# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID bae52f5cc421496e7e293d3fa3f6165a7c7780a5
# Parent  4d1b44450bdb2d36e163bc3fee110c7dcadb292b
[ACM] Add access control module information for hypercalls and
xenstore entries to the interface manual.

Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>
---
 docs/src/interface.tex |   42 +++++++++++++++++++++++++++++++++++++++---
 1 files changed, 39 insertions(+), 3 deletions(-)

diff -r 4d1b44450bdb -r bae52f5cc421 docs/src/interface.tex
--- a/docs/src/interface.tex    Wed Oct 18 17:45:19 2006 +0100
+++ b/docs/src/interface.tex    Wed Oct 18 17:54:06 2006 +0100
@@ -955,7 +955,6 @@ A {\bf /vm} entry contains the following
 A {\bf /vm} entry contains the following information:
 
 \begin{description}
-\item[ssidref] ssid reference for domain
 \item[uuid] uuid of the domain (somewhat redundant)
 \item[on\_reboot] the action to take on a domain reboot request (destroy or 
restart)
 \item[on\_poweroff] the action to take on a domain halt request (destroy or 
restart)
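Review bot: removing the `ssidref` item from the {\bf /vm} description leaves no pointer to where that value is now documented. Since the domain-local `security/ssidref` node introduced in the next hunk is the replacement, add a short sentence here such as "The security reference identifier is now kept under the per-domain {\tt security/} path" so a reader of the {\bf /vm} section is not left to guess whether the field was dropped or moved.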
@@ -1125,6 +1124,16 @@ This path contains:
       \end{description}
     \end{description}
 
+  \item[security/] access control information for the domain
+    \begin{description}
+    \item[ssidref] security reference identifier used inside the hypervisor
+    \item[access\_control/] security label used by management tools
+      \begin{description}
+       \item[label] security label name
+       \item[policy] security policy name
+      \end{description}
+    \end{description}
+
   \item[store/] per-domain information for the store
     \begin{description}
     \item[port] the event channel used for the store ring queue 
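Review bot: the new {\tt security/} subtree documents two representations of the same domain label (the hypervisor-side {\tt ssidref} and the tool-side {\tt access\_control/label} and {\tt policy}) without saying which one is authoritative or which entity is expected to write them. Since the text states that {\tt ssidref} is what the hypervisor uses, a sentence noting that the {\tt access\_control/} entries are informational for management tools, and that the hypervisor enforces only on {\tt ssidref}, would prevent readers from treating the label as the enforced value. Minor style point: the two inner `\item[label]` and `\item[policy]` lines are indented one column further than the surrounding `\item` lines of the same nesting level.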
@@ -2168,18 +2177,45 @@ implementing them (in {\tt xen/common/do
 implementing them (in {\tt xen/common/dom0\_ops.c}) and in 
 the user-space tools that use them (mostly in {\tt tools/libxc}). 
 
+\section{Access Control Module Hypercalls}
+\label{s:acmops}
+
 Hypercalls relating to the management of the Access Control Module are
-also restricted to domain 0 access for now:
+also restricted to domain 0 access for now. For more details on any or
+all of these, please see {\tt xen/include/public/acm\_ops.h}.  A
+complete list is given below:
 
 \begin{quote}
 
-\hypercall{acm\_op(struct acm\_op * u\_acm\_op)}
+\hypercall{acm\_op(int cmd, void *args)}
 
 This hypercall can be used to configure the state of the ACM, query
 that state, request access control decisions and dump additional
 information.
 
+\begin{description}
+
+\item [ACMOP\_SETPOLICY:] set the access control policy
+
+\item [ACMOP\_GETPOLICY:] get the current access control policy and
+  status
+
+\item [ACMOP\_DUMPSTATS:] get current access control hook invocation
+  statistics
+
+\item [ACMOP\_GETSSID:] get security access control information for a
+  domain
+
+\item [ACMOP\_GETDECISION:] get access decision based on the currently
+  enforced access control policy
+
+\end{description}
 \end{quote}
+
+Most of the above are best understood by looking at the code
+implementing them (in {\tt xen/common/acm\_ops.c}) and in the
+user-space tools that use them (mostly in {\tt tools/security} and
+{\tt tools/python/xen/lowlevel/acm}).
 
 
 \section{Debugging Hypercalls} 
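Review bot: the hypercall signature changes from `acm\_op(struct acm\_op * u\_acm\_op)` to `acm\_op(int cmd, void *args)`, but none of the five `ACMOP\_*` items say which argument structure from {\tt xen/include/public/acm\_ops.h} {\tt args} is expected to point at for that command, so the reader has to open the header for every entry; one clause per item naming the struct would make the list self-contained. Also, the new `\section{Access Control Module Hypercalls}` is placed immediately after the closing paragraph of the previous section, which is fine, but the sentence "also restricted to domain 0 access for now" now sits at the top of its own section where "also" no longer refers to anything; consider "like the domain 0 operations above, restricted to domain 0 access for now".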

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog