ia64/xen-unstable

view xen/include/public/acm.h @ 12938:b58670602d35

[POWERPC][XEN] Builtin cmdline dependency rule
Rebuild cmdline.o when the user changes the CMDLINE=X argument passed to
the make invocation. I couldn't find an example of another project that
handles this case properly, so I came up with this.
Signed-off-by: Amos Waterland <apw@us.ibm.com>
Signed-off-by: Hollis Blanchard <hollisb@us.ibm.com>
author Hollis Blanchard <hollisb@us.ibm.com>
date Thu Oct 05 15:48:26 2006 -0500 (2006-10-05)
parents 8d0e06c38c0c
children 50965ae270c9
1 /*
2 * acm.h: Xen access control module interface definitions
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a copy
5 * of this software and associated documentation files (the "Software"), to
6 * deal in the Software without restriction, including without limitation the
7 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
8 * sell copies of the Software, and to permit persons to whom the Software is
9 * furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice shall be included in
12 * all copies or substantial portions of the Software.
13 *
14 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
19 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
20 * DEALINGS IN THE SOFTWARE.
21 *
22 * Reiner Sailer <sailer@watson.ibm.com>
23 * Copyright (c) 2005, International Business Machines Corporation.
24 */
26 #ifndef _XEN_PUBLIC_ACM_H
27 #define _XEN_PUBLIC_ACM_H
29 #include "xen.h"
/*
 * Debug tracing for the ACM hooks.
 *
 * With ACM_DEBUG defined, printkd() forwards its format and arguments to
 * printk() so that every hook can print a short trace message. Keep the
 * define below commented out when not in testing mode.
 *
 * Without ACM_DEBUG, printkd() expands to nothing, so its arguments are
 * never evaluated: do not pass expressions with side effects. The format
 * is handed to printk() unchanged, so pass it as a string literal.
 */
/* #define ACM_DEBUG */

#if defined(ACM_DEBUG)
# define printkd(fmt, args...) printk(fmt, ## args)
#else
# define printkd(fmt, args...)
#endif
/* Default ssid reference values, used when none is supplied. */
#define ACM_DEFAULT_SSID            0x0
#define ACM_DEFAULT_LOCAL_SSID      0x0

/* Internal ACM error types: ACM_OK is 0, every other code is negative. */
#define ACM_OK                      0
#define ACM_UNDEF                   -1
#define ACM_INIT_SSID_ERROR         -2
#define ACM_INIT_SOID_ERROR         -3
#define ACM_ERROR                   -4

/*
 * External access decisions.
 *
 * NOTE(review): ACM_ACCESS_PERMITTED has the same value (0) as ACM_OK, so
 * a zero-initialised decision variable reads as "permitted". Callers should
 * start from ACM_ACCESS_DENIED and compare against ACM_ACCESS_PERMITTED
 * explicitly so that an unset or error result cannot be taken as a grant.
 */
#define ACM_ACCESS_PERMITTED        0
#define ACM_ACCESS_DENIED           -111
#define ACM_NULL_POINTER_ERROR      -200
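/* Policy codes: the primary policy occupies the lower 4 bits. */
#define ACM_NULL_POLICY                     0
#define ACM_CHINESE_WALL_POLICY             1
#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY  2
#define ACM_POLICY_UNDEFINED                15

/* Combinations carry the secondary policy component in the higher 4 bits. */
#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \
    ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY)

/*
 * ACM_POLICY_NAME(X): printable name of policy code X, for messages only.
 *
 * Any code that is not one of the four known values, including
 * ACM_POLICY_UNDEFINED, yields "UNDEFINED".
 *
 * The whole expansion is parenthesised so that the macro behaves as a
 * single operand; without the outer parentheses an operator written next
 * to the macro would bind to the first comparison instead of to the
 * selected string. X is evaluated up to four times, so it must not have
 * side effects.
 */
#define ACM_POLICY_NAME(X) \
    (((X) == (ACM_NULL_POLICY)) ? "NULL" : \
     ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL" : \
     ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT" : \
     ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "CHINESE WALL AND SIMPLE TYPE ENFORCEMENT" : \
     "UNDEFINED")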
/*
 * Policy format versions. Each of these must be increased whenever the
 * interpretation of the related policy's data structure changes.
 */
#define ACM_POLICY_VERSION  2
#define ACM_CHWALL_VERSION  1
#define ACM_STE_VERSION     1
/* An ssid reference as used by xen (32 bits wide). */
typedef uint32_t ssidref_t;

/* Hooks that are known to domains. */
#define ACMHOOK_none     0
#define ACMHOOK_sharing  1

/* -------security policy relevant type definitions-------- */

/* Type identifier (16 bits wide); compares to "equal" or "not equal". */
typedef uint16_t domaintype_t;
/*
 * CHINESE WALL POLICY DATA STRUCTURES
 *
 * Current accumulated conflict type set:
 * When a domain is started and has a type that is in a conflict set, the
 * conflicting types are incremented in the aggregate set. When a domain is
 * destroyed, the types conflicting with its type are decremented. If a
 * domain has multiple types, this procedure works over all those types.
 *
 * conflict_aggregate_set[i] holds the number of running domains that have
 * a conflict with type i.
 *
 * running_types[i] holds the number of running domains that include type i
 * in their ssidref-referenced type set.
 *
 * conflict_sets[i][j] is "0" if type j has no conflict with type i and is
 * "1" otherwise.
 */

/* Upper 16 bits = version, lower 16 bits = check magic. */
#define ACM_MAGIC 0x0001debc

/*
 * Each *_offset field in the buffers that follow is a byte offset counted
 * from the start of the struct it is part of.
 */
/*
 * Header of a binary ACM policy.
 *
 * Each buffer consists of all policy information for the respective policy
 * given in the policy code.
 *
 * acm_policy_buffer, acm_chwall_policy_buffer and acm_ste_policy_buffer
 * need to stay 32-bit aligned, because binary policies are also created
 * with external tools that assume packed representations (e.g. the java
 * tool). All members here are uint32_t, so the layout has no padding.
 *
 * NOTE(review): a policy image can be produced outside the hypervisor, so
 * magic, policy_version, len and every *_offset are untrusted until
 * checked. The validation code is not visible in this header -- confirm
 * that each offset, and the region it selects, is bounds-checked against
 * len before it is dereferenced.
 */
struct acm_policy_buffer {
    uint32_t policy_version;          /* ACM_POLICY_VERSION */
    uint32_t magic;                   /* presumably ACM_MAGIC -- confirm */
    uint32_t len;                     /* presumably total size in bytes -- confirm */
    uint32_t policy_reference_offset; /* byte offset from start of this struct */
    uint32_t primary_policy_code;     /* presumably an ACM_*_POLICY code -- confirm */
    uint32_t primary_buffer_offset;   /* byte offset from start of this struct */
    uint32_t secondary_policy_code;   /* presumably an ACM_*_POLICY code -- confirm */
    uint32_t secondary_buffer_offset; /* byte offset from start of this struct */
};
/*
 * Header of the policy reference section; it carries a single length field.
 *
 * NOTE(review): presumably located through policy_reference_offset, with
 * len giving the size of the reference data that follows -- confirm, and
 * confirm len is checked against the enclosing buffer before use.
 */
struct acm_policy_reference_buffer {
    uint32_t len;
};
/*
 * Header of the Chinese Wall part of a binary policy: three counts
 * followed by four byte offsets, each counted from the start of this
 * struct. All members are uint32_t, so the layout has no padding.
 *
 * NOTE(review): the chwall_max_* counts presumably size the tables found
 * at the offsets. Sizes derived from them (including products of two
 * counts) should be checked for overflow and against the enclosing buffer
 * length before any table is indexed -- that check is not visible here.
 */
struct acm_chwall_policy_buffer {
    uint32_t policy_version;                   /* ACM_CHWALL_VERSION */
    uint32_t policy_code;                      /* presumably ACM_CHINESE_WALL_POLICY -- confirm */
    uint32_t chwall_max_types;                 /* count of types */
    uint32_t chwall_max_ssidrefs;              /* count of ssidrefs */
    uint32_t chwall_max_conflictsets;          /* count of conflict sets */
    uint32_t chwall_ssid_offset;               /* byte offset from start of this struct */
    uint32_t chwall_conflict_sets_offset;      /* byte offset from start of this struct */
    uint32_t chwall_running_types_offset;      /* byte offset from start of this struct */
    uint32_t chwall_conflict_aggregate_offset; /* byte offset from start of this struct */
};
/*
 * Header of the Simple Type Enforcement part of a binary policy: two
 * counts and one byte offset counted from the start of this struct.
 * All members are uint32_t, so the layout has no padding.
 *
 * NOTE(review): ste_max_types and ste_max_ssidrefs presumably size the
 * table found at ste_ssid_offset; confirm the derived size is checked
 * against the enclosing buffer length before the table is read.
 */
struct acm_ste_policy_buffer {
    uint32_t policy_version;   /* ACM_STE_VERSION */
    uint32_t policy_code;      /* presumably ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY -- confirm */
    uint32_t ste_max_types;    /* count of types */
    uint32_t ste_max_ssidrefs; /* count of ssidrefs */
    uint32_t ste_ssid_offset;  /* byte offset from start of this struct */
};
/*
 * Header of a statistics buffer: a magic value, a length, and a policy
 * code plus byte offset for each of the primary and secondary policy.
 * Offsets are counted from the start of this struct.
 *
 * NOTE(review): magic is presumably ACM_MAGIC and len the total size in
 * bytes -- confirm. A reader of this buffer should check both, and keep
 * each *_stats_offset within len, before following an offset.
 */
struct acm_stats_buffer {
    uint32_t magic;
    uint32_t len;
    uint32_t primary_policy_code;
    uint32_t primary_stats_offset;   /* byte offset from start of this struct */
    uint32_t secondary_policy_code;
    uint32_t secondary_stats_offset; /* byte offset from start of this struct */
};
/*
 * Simple Type Enforcement statistics: evaluation, denial and cache-hit
 * counters in an "ec" and a "gt" flavour.
 *
 * NOTE(review): "ec" and "gt" presumably stand for event channel and grant
 * table -- confirm against the hook code. The counters are 32 bits wide
 * and therefore wrap; anything that alerts on denied counts should compare
 * deltas rather than absolute values.
 */
struct acm_ste_stats_buffer {
    uint32_t ec_eval_count;
    uint32_t gt_eval_count;
    uint32_t ec_denied_count;
    uint32_t gt_denied_count;
    uint32_t ec_cachehit_count;
    uint32_t gt_cachehit_count;
};
/*
 * Description of one ssid: its ssidref, a policy reference offset, and for
 * each of the primary and secondary policy a policy code, a type count
 * and the byte offset of the type data. Offsets are counted from the
 * start of this struct.
 *
 * NOTE(review): len is presumably the total size in bytes -- confirm. A
 * reader should keep every offset, and the type data sized by the matching
 * *_max_types count, inside len before reading it.
 */
struct acm_ssid_buffer {
    uint32_t  len;
    ssidref_t ssidref;
    uint32_t  policy_reference_offset; /* byte offset from start of this struct */
    uint32_t  primary_policy_code;
    uint32_t  primary_max_types;
    uint32_t  primary_types_offset;    /* byte offset from start of this struct */
    uint32_t  secondary_policy_code;
    uint32_t  secondary_max_types;
    uint32_t  secondary_types_offset;  /* byte offset from start of this struct */
};
195 #endif
197 /*
198 * Local variables:
199 * mode: C
200 * c-set-style: "BSD"
201 * c-basic-offset: 4
202 * tab-width: 4
203 * indent-tabs-mode: nil
204 * End:
205 */