ia64/xen-unstable

view xen/include/acm/acm_core.h @ 6552:a9873d384da4

Merge.
author adsharma@los-vmm.sc.intel.com
date Thu Aug 25 12:24:48 2005 -0700 (2005-08-25)
parents 112d44270733 fa0754a9f64f
children dfaf788ab18c
line source
1 /****************************************************************
2 * acm_core.h
3 *
4 * Copyright (C) 2005 IBM Corporation
5 *
6 * Author:
7 * Reiner Sailer <sailer@watson.ibm.com>
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 *
14 * sHype header file describing core data types and constants
15 * for the access control module and relevant policies
16 *
17 */
18 #ifndef _ACM_CORE_H
19 #define _ACM_CORE_H
21 #include <xen/spinlock.h>
22 #include <public/acm.h>
23 #include <xen/acm_policy.h>
24 #include <public/acm_ops.h>
26 /* Xen-internal representation of the binary policy */
27 struct acm_binary_policy {
28 u16 primary_policy_code;
29 u16 secondary_policy_code;
30 void *primary_binary_policy;
31 void *secondary_binary_policy;
33 };
35 struct chwall_binary_policy {
36 u16 max_types;
37 u16 max_ssidrefs;
38 u16 max_conflictsets;
39 domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */
40 domaintype_t *conflict_aggregate_set; /* [max_types] */
41 domaintype_t *running_types; /* [max_types] */
42 domaintype_t *conflict_sets; /* [max_conflictsets][max_types]*/
43 };
45 struct ste_binary_policy {
46 u16 max_types;
47 u16 max_ssidrefs;
48 domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */
49 atomic_t ec_eval_count, gt_eval_count;
50 atomic_t ec_denied_count, gt_denied_count;
51 atomic_t ec_cachehit_count, gt_cachehit_count;
52 };
54 /* global acm policy */
55 extern struct acm_binary_policy acm_bin_pol;
56 extern struct chwall_binary_policy chwall_bin_pol;
57 extern struct ste_binary_policy ste_bin_pol;
58 /* use the lock when reading / changing binary policy ! */
59 extern rwlock_t acm_bin_pol_rwlock;
61 /* subject and object type definitions */
62 enum acm_datatype { DOMAIN };
64 /* defines number of access decisions to other domains can be cached
65 * one entry per domain, TE does not distinguish evtchn or grant_table */
66 #define ACM_TE_CACHE_SIZE 8
67 enum acm_ste_flag { VALID, FREE };
69 /* cache line:
70 * if cache_line.valid==VALID, then
71 * STE decision is cached as "permitted"
72 * on domain cache_line.id
73 */
74 struct acm_ste_cache_line {
75 enum acm_ste_flag valid;
76 domid_t id;
77 };
79 /* general definition of a subject security id */
80 struct acm_ssid_domain {
81 enum acm_datatype datatype; /* type of subject (e.g., partition) */
82 ssidref_t ssidref; /* combined security reference */
83 void *primary_ssid; /* primary policy ssid part (e.g. chinese wall) */
84 void *secondary_ssid; /* secondary policy ssid part (e.g. type enforcement) */
85 struct domain *subject; /* backpointer to subject structure */
86 domid_t domainid; /* replicate id */
87 };
89 /* chinese wall ssid type */
90 struct chwall_ssid {
91 ssidref_t chwall_ssidref;
92 };
94 /* simple type enforcement ssid type */
95 struct ste_ssid {
96 ssidref_t ste_ssidref;
97 struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache */
98 };
100 /* macros to access ssidref for primary / secondary policy
101 * primary ssidref = lower 16 bit
102 * secondary ssidref = higher 16 bit
103 */
104 #define GET_SSIDREF(POLICY, ssidref) \
105 ((POLICY) == acm_bin_pol.primary_policy_code) ? \
106 ((ssidref) & 0xffff) : ((ssidref) >> 16)
108 /* macros to access ssid pointer for primary / secondary policy */
109 #define GET_SSIDP(POLICY, ssid) \
110 ((POLICY) == acm_bin_pol.primary_policy_code) ? \
111 ((ssid)->primary_ssid) : ((ssid)->secondary_ssid)
113 /* protos */
114 int acm_init_domain_ssid(domid_t id, ssidref_t ssidref);
115 int acm_free_domain_ssid(struct acm_ssid_domain *ssid);
116 int acm_set_policy(void *buf, u16 buf_size, int isuserbuffer);
117 int acm_get_policy(void *buf, u16 buf_size);
118 int acm_dump_statistics(void *buf, u16 buf_size);
120 #endif