direct-io.hg
changeset 11813:bae52f5cc421
[ACM] Add access control module information for hypercalls and
xenstore entries to the interface manual.
Signed-off by: Reiner Sailer <sailer@us.ibm.com>
author | kfraser@localhost.localdomain |
---|---|
date | Wed Oct 18 17:54:06 2006 +0100 (2006-10-18) |
parents | 4d1b44450bdb |
children | 58144f4b102c |
files | docs/src/interface.tex |
line diff
1.1 --- a/docs/src/interface.tex Wed Oct 18 17:45:19 2006 +0100 1.2 +++ b/docs/src/interface.tex Wed Oct 18 17:54:06 2006 +0100 1.3 @@ -955,7 +955,6 @@ This information doesn't change and is i 1.4 A {\bf /vm} entry contains the following information: 1.5 1.6 \begin{description} 1.7 -\item[ssidref] ssid reference for domain 1.8 \item[uuid] uuid of the domain (somewhat redundant) 1.9 \item[on\_reboot] the action to take on a domain reboot request (destroy or restart) 1.10 \item[on\_poweroff] the action to take on a domain halt request (destroy or restart) 1.11 @@ -1125,6 +1124,16 @@ This path contains: 1.12 \end{description} 1.13 \end{description} 1.14 1.15 + \item[security/] access control information for the domain 1.16 + \begin{description} 1.17 + \item[ssidref] security reference identifier used inside the hypervisor 1.18 + \item[access\_control/] security label used by management tools 1.19 + \begin{description} 1.20 + \item[label] security label name 1.21 + \item[policy] security policy name 1.22 + \end{description} 1.23 + \end{description} 1.24 + 1.25 \item[store/] per-domain information for the store 1.26 \begin{description} 1.27 \item[port] the event channel used for the store ring queue 1.28 
@@ -2168,19 +2177,46 @@ Most of the above are best understood by 1.29 implementing them (in {\tt xen/common/dom0\_ops.c}) and in 1.30 the user-space tools that use them (mostly in {\tt tools/libxc}). 1.31 1.32 +\section{Access Control Module Hypercalls} 1.33 +\label{s:acmops} 1.34 + 1.35 Hypercalls relating to the management of the Access Control Module are 1.36 -also restricted to domain 0 access for now: 1.37 +also restricted to domain 0 access for now. For more details on any or 1.38 +all of these, please see {\tt xen/include/public/acm\_ops.h}. A 1.39 +complete list is given below: 1.40 1.41 \begin{quote} 1.42 1.43 -\hypercall{acm\_op(struct acm\_op * u\_acm\_op)} 1.44 +\hypercall{acm\_op(int cmd, void *args)} 1.45 1.46 This hypercall can be used to configure the state of the ACM, query 1.47 that state, request access control decisions and dump additional 1.48 information. 1.49 1.50 +\begin{description} 1.51 + 1.52 +\item [ACMOP\_SETPOLICY:] set the access control policy 1.53 + 1.54 +\item [ACMOP\_GETPOLICY:] get the current access control policy and 1.55 + status 1.56 + 1.57 +\item [ACMOP\_DUMPSTATS:] get current access control hook invocation 1.58 + statistics 1.59 + 1.60 +\item [ACMOP\_GETSSID:] get security access control information for a 1.61 + domain 1.62 + 1.63 +\item [ACMOP\_GETDECISION:] get access decision based on the currently 1.64 + enforced access control policy 1.65 + 1.66 +\end{description} 1.67 \end{quote} 1.68 1.69 +Most of the above are best understood by looking at the code 1.70 +implementing them (in {\tt xen/common/acm\_ops.c}) and in the 1.71 +user-space tools that use them (mostly in {\tt tools/security} and 1.72 +{\tt tools/python/xen/lowlevel/acm}). 1.73 + 1.74 1.75 \section{Debugging Hypercalls} 1.76
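Review bot: The first hunk (@@ -955,7 +955,6) deletes "\item[ssidref] ssid reference for domain" from the /vm description, but the commit message only says "Add". Since the second hunk documents an ssidref entry under security/ instead, the message or the manual text should say that the entry moved, so that someone comparing manual revisions does not read the deletion as accidental.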
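Review bot: The new security/ description in the second hunk (@@ -1125,6 +1124,16) does not say who writes ssidref, label and policy, or whether the domain itself is allowed to modify them. For entries described as "access control information for the domain", add a sentence on the writer and the xenstore permissions. The ssidref item could also state the format of the value, as "security reference identifier used inside the hypervisor" gives a reader nothing to parse against.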
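Review bot: In the third hunk (@@ -2168,19 +2177,46), the prototype change to "acm\_op(int cmd, void *args)" removes the only type information the manual gave, and none of the five ACMOP\_* items names the argument structure it expects behind "void *args". Add that per command, or at least state that each command takes its own structure from xen/include/public/acm\_ops.h. Two smaller points: "For more details on any or all of these" refers to a list that has not been introduced yet and would read better after "A complete list is given below", and "\item [ACMOP\_SETPOLICY:]" (space before the bracket, colon inside the label) differs from the "\item[label]" form used in the second hunk.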