[Xen-devel] [Resend][PATCH][ACM][Interface Manual] Updates / corrects Ac

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] [Resend][PATCH][ACM][Interface Manual] Updates / corrects Access Control Module information in the interface document
From: Reiner Sailer <sailer@xxxxxxxxxx>
Date: Tue, 17 Oct 2006 21:59:24 -0400
Cc: sailer@xxxxxxxxxx
This patch adds access control module information for hypercalls and xenstore entries to the interface manual.

Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>

---
 docs/src/interface.tex |   42 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 39 insertions(+), 3 deletions(-)

Index: xen-unstable.hg-interface/docs/src/interface.tex
===================================================================
--- xen-unstable.hg-interface.orig/docs/src/interface.tex
+++ xen-unstable.hg-interface/docs/src/interface.tex
@@ -955,7 +955,6 @@ This information doesn't change and is i
 A {\bf /vm} entry contains the following information:
 
 \begin{description}
-\item[ssidref] ssid reference for domain
 \item[uuid] uuid of the domain (somewhat redundant)
 \item[on\_reboot] the action to take on a domain reboot request (destroy or 
restart)
 \item[on\_poweroff] the action to take on a domain halt request (destroy or 
restart)
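Review bot: Dropping \item[ssidref] from the /vm description leaves readers of that list with no pointer to where the value is documented now. The patch re-adds it under security/ in a later hunk, but nothing at this location says so. Consider adding one sentence after this description list that points to the security/ entry, and mention the move in the commit message, which currently only says the patch adds information.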
@@ -1125,6 +1124,16 @@ This path contains:
       \end{description}
     \end{description}
 
+  \item[security/] access control information for the domain
+    \begin{description}
+    \item[ssidref] security reference identifier used inside the hypervisor
+    \item[access\_control/] security label used by management tools
+      \begin{description}
+       \item[label] security label name
+       \item[policy] security policy name
+      \end{description}
+    \end{description}
+
   \item[store/] per-domain information for the store
     \begin{description}
     \item[port] the event channel used for the store ring queue 
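Review bot: The new security/ entry does not say who writes these nodes or whether the domain itself may modify them, which a reader needs in order to decide how far security/ssidref and access\_control/label can be trusted. "used inside the hypervisor" and "used by management tools" describe consumers only; suggest stating the writer, and the value format for ssidref, since the text does not say whether it is a number or a string. Minor style point: the \item[label] and \item[policy] lines are indented one space deeper than their enclosing \begin{description}.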
@@ -2168,19 +2177,46 @@ Most of the above are best understood by
 implementing them (in {\tt xen/common/dom0\_ops.c}) and in 
 the user-space tools that use them (mostly in {\tt tools/libxc}). 
 
+\section{Access Control Module Hypercalls}
+\label{s:acmops}
+
 Hypercalls relating to the management of the Access Control Module are
-also restricted to domain 0 access for now:
+also restricted to domain 0 access for now. For more details on any or
+all of these, please see {\tt xen/include/public/acm\_ops.h}.  A
+complete list is given below:
 
 \begin{quote}
 
-\hypercall{acm\_op(struct acm\_op * u\_acm\_op)}
+\hypercall{acm\_op(int cmd, void *args)}
 
 This hypercall can be used to configure the state of the ACM, query
 that state, request access control decisions and dump additional
 information.
 
+\begin{description}
+
+\item [ACMOP\_SETPOLICY:] set the access control policy
+
+\item [ACMOP\_GETPOLICY:] get the current access control policy and
+  status
+
+\item [ACMOP\_DUMPSTATS:] get current access control hook invocation
+  statistics
+
+\item [ACMOP\_GETSSID:] get security access control information for a
+  domain
+
+\item [ACMOP\_GETDECISION:] get access decision based on the currently
+  enforced access control policy
+
+\end{description}
 \end{quote}
 
+Most of the above are best understood by looking at the code
+implementing them (in {\tt xen/common/acm\_ops.c}) and in the
+user-space tools that use them (mostly in {\tt tools/security} and
+{\tt tools/python/xen/lowlevel/acm}).
+
 
 \section{Debugging Hypercalls} 
 
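Review bot: In the sentence that opens the new section, "also restricted to domain 0 access for now" no longer has a referent, because the added \section{Access Control Module Hypercalls} heading separates it from the dom0\_ops text it used to follow; suggest dropping "also". The prototype changes to acm\_op(int cmd, void *args), but none of the five ACMOP\_ items says what args points to for that command; a short note per item naming the argument structure would save the reader a trip to acm\_ops.h. The added blank line above the existing blank line before \section{Debugging Hypercalls} leaves two consecutive blank lines.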