[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] [ACM] Add access control module information for hypercalls and

# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID bae52f5cc421496e7e293d3fa3f6165a7c7780a5
# Parent  4d1b44450bdb2d36e163bc3fee110c7dcadb292b
[ACM] Add access control module information for hypercalls and
xenstore entries to the interface manual.

Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>
 docs/src/interface.tex |   42 +++++++++++++++++++++++++++++++++++++++---
 1 files changed, 39 insertions(+), 3 deletions(-)

diff -r 4d1b44450bdb -r bae52f5cc421 docs/src/interface.tex
--- a/docs/src/interface.tex    Wed Oct 18 17:45:19 2006 +0100
+++ b/docs/src/interface.tex    Wed Oct 18 17:54:06 2006 +0100
@@ -955,7 +955,6 @@ A {\bf /vm} entry contains the following
 A {\bf /vm} entry contains the following information:
-\item[ssidref] ssid reference for domain
 \item[uuid] uuid of the domain (somewhat redundant)
 \item[on\_reboot] the action to take on a domain reboot request (destroy or 
 \item[on\_poweroff] the action to take on a domain halt request (destroy or 
@@ -1125,6 +1124,16 @@ This path contains:
+  \item[security/] access control information for the domain
+    \begin{description}
+    \item[ssidref] security reference identifier used inside the hypervisor
+    \item[access\_control/] security label used by management tools
+      \begin{description}
+       \item[label] security label name
+       \item[policy] security policy name
+      \end{description}
+    \end{description}
   \item[store/] per-domain information for the store
     \item[port] the event channel used for the store ring queue 
@@ -2168,18 +2177,45 @@ implementing them (in {\tt xen/common/do
 implementing them (in {\tt xen/common/dom0\_ops.c}) and in 
 the user-space tools that use them (mostly in {\tt tools/libxc}). 
+\section{Access Control Module Hypercalls}
 Hypercalls relating to the management of the Access Control Module are
-also restricted to domain 0 access for now:
+also restricted to domain 0 access for now. For more details on any or
+all of these, please see {\tt xen/include/public/acm\_ops.h}.  A
+complete list is given below:
-\hypercall{acm\_op(struct acm\_op * u\_acm\_op)}
+\hypercall{acm\_op(int cmd, void *args)}
 This hypercall can be used to configure the state of the ACM, query
 that state, request access control decisions and dump additional
+\item [ACMOP\_SETPOLICY:] set the access control policy
+\item [ACMOP\_GETPOLICY:] get the current access control policy and
+  status
+\item [ACMOP\_DUMPSTATS:] get current access control hook invocation
+  statistics
+\item [ACMOP\_GETSSID:] get security access control information for a
+  domain
+\item [ACMOP\_GETDECISION:] get access decision based on the currently
+  enforced access control policy
+Most of the above are best understood by looking at the code
+implementing them (in {\tt xen/common/acm\_ops.c}) and in the
+user-space tools that use them (mostly in {\tt tools/security} and
+{\tt tools/python/xen/lowlevel/acm}).
 \section{Debugging Hypercalls} 

Xen-changelog mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.