WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] [xen-unstable] [ACM] Add access control module informati

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] [ACM] Add access control module information for hypercalls and
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 18 Oct 2006 19:20:16 +0000
Delivery-date: Wed, 18 Oct 2006 12:20:41 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID bae52f5cc421496e7e293d3fa3f6165a7c7780a5
# Parent  4d1b44450bdb2d36e163bc3fee110c7dcadb292b
[ACM] Add access control module information for hypercalls and
xenstore entries to the interface manual.

Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>
---
 docs/src/interface.tex |   42 +++++++++++++++++++++++++++++++++++++++---
 1 files changed, 39 insertions(+), 3 deletions(-)

diff -r 4d1b44450bdb -r bae52f5cc421 docs/src/interface.tex
--- a/docs/src/interface.tex    Wed Oct 18 17:45:19 2006 +0100
+++ b/docs/src/interface.tex    Wed Oct 18 17:54:06 2006 +0100
@@ -955,7 +955,6 @@ A {\bf /vm} entry contains the following
 A {\bf /vm} entry contains the following information:
 
 \begin{description}
-\item[ssidref] ssid reference for domain
 \item[uuid] uuid of the domain (somewhat redundant)
 \item[on\_reboot] the action to take on a domain reboot request (destroy or 
restart)
 \item[on\_poweroff] the action to take on a domain halt request (destroy or 
restart)
@@ -1125,6 +1124,16 @@ This path contains:
       \end{description}
     \end{description}
 
+  \item[security/] access control information for the domain
+    \begin{description}
+    \item[ssidref] security reference identifier used inside the hypervisor
+    \item[access\_control/] security label used by management tools
+      \begin{description}
+       \item[label] security label name
+       \item[policy] security policy name
+      \end{description}
+    \end{description}
+
   \item[store/] per-domain information for the store
     \begin{description}
     \item[port] the event channel used for the store ring queue 
@@ -2168,18 +2177,45 @@ implementing them (in {\tt xen/common/do
 implementing them (in {\tt xen/common/dom0\_ops.c}) and in 
 the user-space tools that use them (mostly in {\tt tools/libxc}). 
 
+\section{Access Control Module Hypercalls}
+\label{s:acmops}
+
 Hypercalls relating to the management of the Access Control Module are
-also restricted to domain 0 access for now:
+also restricted to domain 0 access for now. For more details on any or
+all of these, please see {\tt xen/include/public/acm\_ops.h}.  A
+complete list is given below:
 
 \begin{quote}
 
-\hypercall{acm\_op(struct acm\_op * u\_acm\_op)}
+\hypercall{acm\_op(int cmd, void *args)}
 
 This hypercall can be used to configure the state of the ACM, query
 that state, request access control decisions and dump additional
 information.
 
+\begin{description}
+
+\item [ACMOP\_SETPOLICY:] set the access control policy
+
+\item [ACMOP\_GETPOLICY:] get the current access control policy and
+  status
+
+\item [ACMOP\_DUMPSTATS:] get current access control hook invocation
+  statistics
+
+\item [ACMOP\_GETSSID:] get security access control information for a
+  domain
+
+\item [ACMOP\_GETDECISION:] get access decision based on the currently
+  enforced access control policy
+
+\end{description}
 \end{quote}
+
+Most of the above are best understood by looking at the code
+implementing them (in {\tt xen/common/acm\_ops.c}) and in the
+user-space tools that use them (mostly in {\tt tools/security} and
+{\tt tools/python/xen/lowlevel/acm}).
 
 
 \section{Debugging Hypercalls} 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-unstable] [ACM] Add access control module information for hypercalls and, Xen patchbot-unstable <=