ia64/xen-unstable

view xen/include/public/acm.h @ 6788:e939d5c5e646

Pass the root directory to Doxyfilter and thence pythfilter.py so that the latter can get the namespace/packages correct.
author ewan@linford.intra
date Tue Sep 13 14:42:21 2005 +0100 (2005-09-13)
parents 291e816acbf4
children b2f4823b6ff0 b35215021b32 9af349b055e5 3233e7ecfa9f
1 /****************************************************************
2 * acm.h
3 *
4 * Copyright (C) 2005 IBM Corporation
5 *
6 * Author:
7 * Reiner Sailer <sailer@watson.ibm.com>
8 *
9 * Contributors:
10 * Stefan Berger <stefanb@watson.ibm.com>
11 * added network byte order support for binary policies
12 *
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License as
15 * published by the Free Software Foundation, version 2 of the
16 * License.
17 *
18 * sHype general access control module header file.
19 * here are all definitions that are shared between
20 * xen-core, guest-kernels, and applications.
21 *
22 * todo: move from static policy choice to compile option.
23 */
25 #ifndef _XEN_PUBLIC_ACM_H
26 #define _XEN_PUBLIC_ACM_H
28 #include "xen.h"
29 #include "sched_ctl.h"
/*
 * Debug tracing for the ACM hooks.
 *
 * When ACM_DEBUG is defined, printkd() forwards its arguments to printk()
 * so that every hook can emit a short trace message.  When it is not
 * defined, printkd() expands to nothing: the format string and all of
 * its arguments vanish at preprocessing time and are never evaluated,
 * so trace calls must not carry side effects that the code relies on.
 *
 * Leave the define below commented out outside of testing.
 */
/* #define ACM_DEBUG */

#ifndef ACM_DEBUG
#  define printkd(fmt, args...)
#else
#  define printkd(fmt, args...) printk(fmt, ## args)
#endif
/* ssid reference values used when the caller does not supply one */
#define ACM_DEFAULT_SSID        0x0
#define ACM_DEFAULT_LOCAL_SSID  0x0
/* Internal ACM error types: zero is success, negative values are errors. */
#define ACM_OK                   0
#define ACM_UNDEF               -1
#define ACM_INIT_SSID_ERROR     -2
#define ACM_INIT_SOID_ERROR     -3
#define ACM_ERROR               -4

/*
 * External access decisions.
 *
 * ACM_ACCESS_PERMITTED shares the value 0 with ACM_OK.
 * NOTE(review): callers should compare a decision against
 * ACM_ACCESS_PERMITTED explicitly and treat every other value,
 * including ACM_NULL_POINTER_ERROR, as "not permitted" so that an
 * error inside a hook fails closed -- confirm against the hook callers.
 */
#define ACM_ACCESS_PERMITTED     0
#define ACM_ACCESS_DENIED       -111
#define ACM_NULL_POINTER_ERROR  -200
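/* Policy codes: the primary policy occupies the lower 4 bits. */
#define ACM_NULL_POLICY                     0
#define ACM_CHINESE_WALL_POLICY             1
#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY  2

/* Combinations carry the secondary policy component in the higher 4 bits. */
#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \
    ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY)

/*
 * ACM_POLICY_NAME(X): map a policy code to a constant, human-readable
 * string; any code that is not one of the four above yields
 * "UNDEFINED policy".
 *
 * The whole conditional chain is wrapped in parentheses so that the
 * macro behaves as a single expression wherever it is used (indexing,
 * comparison, logical operators); without them the surrounding
 * operators would bind to the first comparison or to the last string
 * only.  X is evaluated up to four times, so do not pass an expression
 * with side effects.
 */
#define ACM_POLICY_NAME(X) \
    (((X) == (ACM_NULL_POLICY)) ? "NULL policy" : \
     ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL policy" : \
     ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT policy" : \
     ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "CHINESE WALL AND SIMPLE TYPE ENFORCEMENT policy" : \
     "UNDEFINED policy")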
/*
 * Policy format versions.  Each one must be increased whenever the
 * interpretation of the corresponding policy data structure changes,
 * so that a consumer can tell an incompatible binary policy apart.
 */
#define ACM_POLICY_VERSION  1
#define ACM_CHWALL_VERSION  1
#define ACM_STE_VERSION     1
/* ssid reference as used by xen */
typedef u32 ssidref_t;

/* ------- type definitions relevant to the security policy ------- */

/* type identifier; only ever compared for "equal" or "not equal" */
typedef u16 domaintype_t;
92 /* CHINESE WALL POLICY DATA STRUCTURES
93 *
94 * current accumulated conflict type set:
95 * When a domain is started and has a type that is in
96 * a conflict set, the conflicting types are incremented in
97 * the aggregate set. When a domain is destroyed, the
98 * conflicting types to its type are decremented.
99 * If a domain has multiple types, this procedure works over
100 * all those types.
101 *
102 * conflict_aggregate_set[i] holds the number of
103 * running domains that have a conflict with type i.
104 *
105 * running_types[i] holds the number of running domains
106 * that include type i in their ssidref-referenced type set
107 *
108 * conflict_sets[i][j] is "0" if type j has no conflict
109 * with type i and is "1" otherwise.
110 */
/* policy magic value: upper 16 bits = version, lower 16 bits = check magic */
#define ACM_MAGIC  0x0001debc
114 /* each offset in bytes from start of the struct they
115 * are part of */
117 /* each buffer consists of all policy information for
118 * the respective policy given in the policy code
119 *
120 * acm_policy_buffer, acm_chwall_policy_buffer,
121 * and acm_ste_policy_buffer need to stay 32-bit aligned
122 * because we create binary policies also with external
123 * tools that assume packed representations (e.g. the java tool)
124 */
/*
 * Top-level header of a binary ACM policy.
 *
 * All members are u32, and the member order is part of the binary
 * format; do not reorder.  The *_offset members are byte offsets
 * counted from the start of this struct.
 *
 * NOTE(review): this header contains no validation logic.  Because
 * binary policies are also built by tools outside the hypervisor, a
 * parser should reject a buffer whose magic or version does not match,
 * and should check that each *_offset, plus the size of the sub-header
 * it points to, stays within len and within the buffer actually
 * supplied before dereferencing it.  The file header credits
 * network-byte-order support for binary policies, so the members are
 * presumably stored big-endian -- confirm against the policy loader.
 */
struct acm_policy_buffer {
    u32 policy_version;          /* ACM_POLICY_VERSION */
    u32 magic;                   /* presumably checked against ACM_MAGIC -- confirm */
    u32 len;                     /* presumably total policy length in bytes -- confirm */
    u32 primary_policy_code;     /* policy code of the primary policy */
    u32 primary_buffer_offset;   /* byte offset of the primary policy buffer */
    u32 secondary_policy_code;   /* policy code of the secondary policy */
    u32 secondary_buffer_offset; /* byte offset of the secondary policy buffer */
};
/*
 * Header of the Chinese Wall part of a binary policy.
 *
 * The member order is part of the binary format; do not reorder.
 * The *_offset members are byte offsets counted from the start of
 * this struct.
 *
 * NOTE(review): the chwall_max_* members presumably size the tables
 * found at the offsets below -- confirm against the loader.  A parser
 * should bound them, guard the size multiplications against overflow,
 * and check each offset plus table size against the enclosing buffer
 * length before reading.
 */
struct acm_chwall_policy_buffer {
    u32 policy_version;                   /* ACM_CHWALL_VERSION */
    u32 policy_code;
    u32 chwall_max_types;
    u32 chwall_max_ssidrefs;
    u32 chwall_max_conflictsets;
    u32 chwall_ssid_offset;               /* byte offset of the ssid data */
    u32 chwall_conflict_sets_offset;      /* byte offset of the conflict sets */
    u32 chwall_running_types_offset;      /* byte offset of the running types */
    u32 chwall_conflict_aggregate_offset; /* byte offset of the conflict aggregate set */
};
/*
 * Header of the Simple Type Enforcement part of a binary policy.
 *
 * The member order is part of the binary format; do not reorder.
 * ste_ssid_offset is a byte offset counted from the start of this
 * struct.
 *
 * NOTE(review): ste_max_types and ste_max_ssidrefs presumably size the
 * data at ste_ssid_offset -- confirm against the loader.  A parser
 * should check the resulting extent against the enclosing buffer
 * length before reading.
 */
struct acm_ste_policy_buffer {
    u32 policy_version;   /* ACM_STE_VERSION */
    u32 policy_code;
    u32 ste_max_types;
    u32 ste_max_ssidrefs;
    u32 ste_ssid_offset;  /* byte offset of the ssid data */
};
/*
 * Top-level header of an ACM statistics buffer.
 *
 * The layout parallels acm_policy_buffer without the version member.
 * The *_offset members are byte offsets counted from the start of this
 * struct; a reader should check them against len before following them.
 */
struct acm_stats_buffer {
    u32 magic;                  /* presumably ACM_MAGIC -- confirm */
    u32 len;                    /* presumably total length in bytes -- confirm */
    u32 primary_policy_code;    /* policy code of the primary policy */
    u32 primary_stats_offset;   /* byte offset of the primary policy's statistics */
    u32 secondary_policy_code;  /* policy code of the secondary policy */
    u32 secondary_stats_offset; /* byte offset of the secondary policy's statistics */
};
/*
 * Counters reported for the Simple Type Enforcement policy.
 *
 * NOTE(review): the ec_ and gt_ prefixes presumably refer to the
 * event-channel and grant-table hooks -- confirm against the STE
 * implementation.  For each of the two there is an evaluation count,
 * a denial count and a cache-hit count.
 */
struct acm_ste_stats_buffer {
    u32 ec_eval_count;      /* decisions evaluated */
    u32 gt_eval_count;
    u32 ec_denied_count;    /* decisions denied */
    u32 gt_denied_count;
    u32 ec_cachehit_count;  /* decisions served from a cache */
    u32 gt_cachehit_count;
};
/*
 * Header of a buffer describing one ssid reference and the types that
 * the primary and secondary policies associate with it.
 *
 * The *_types_offset members are byte offsets counted from the start
 * of this struct.
 *
 * NOTE(review): a reader should check each offset, together with the
 * extent implied by the matching *_max_types member, against len
 * before following it -- the exact element size is not visible in
 * this header.
 */
struct acm_ssid_buffer {
    u32 len;                    /* presumably total length in bytes -- confirm */
    ssidref_t ssidref;          /* the ssid reference being described */
    u32 primary_policy_code;    /* policy code of the primary policy */
    u32 primary_max_types;
    u32 primary_types_offset;   /* byte offset of the primary policy's types */
    u32 secondary_policy_code;  /* policy code of the secondary policy */
    u32 secondary_max_types;
    u32 secondary_types_offset; /* byte offset of the secondary policy's types */
};
184 #endif