1 files changed, 39 insertions, 3 deletions

diff --git a/docs/src/interface.tex b/docs/src/interface.tex
index 9a598406a1..a77d4e81c2 100644
--- a/docs/src/interface.tex
+++ b/docs/src/interface.tex
@@ -955,7 +955,6 @@ This information doesn't change and is indexed by the domain's UUID.
 A {\bf /vm} entry contains the following information:
 
 \begin{description}
-\item[ssidref] ssid reference for domain
 \item[uuid] uuid of the domain (somewhat redundant)
 \item[on\_reboot] the action to take on a domain reboot request (destroy or restart)
 \item[on\_poweroff] the action to take on a domain halt request (destroy or restart)
@@ -1125,6 +1124,16 @@ This path contains:
       \end{description}
     \end{description}
 
+  \item[security/] access control information for the domain
+    \begin{description}
+    \item[ssidref] security reference identifier used inside the hypervisor
+    \item[access\_control/] security label used by management tools
+      \begin{description}
+       \item[label] security label name
+       \item[policy] security policy name
+      \end{description}
+    \end{description}
+
   \item[store/] per-domain information for the store
     \begin{description}
     \item[port] the event channel used for the store ring queue 
@@ -2168,19 +2177,46 @@ Most of the above are best understood by looking at the code
 implementing them (in {\tt xen/common/dom0\_ops.c}) and in 
 the user-space tools that use them (mostly in {\tt tools/libxc}). 
 
+\section{Access Control Module Hypercalls}
+\label{s:acmops}
+
 Hypercalls relating to the management of the Access Control Module are
-also restricted to domain 0 access for now:
+also restricted to domain 0 access for now. For more details on any or
+all of these, please see {\tt xen/include/public/acm\_ops.h}.  A
+complete list is given below:
 
 \begin{quote}
 
-\hypercall{acm\_op(struct acm\_op * u\_acm\_op)}
+\hypercall{acm\_op(int cmd, void *args)}
 
 This hypercall can be used to configure the state of the ACM, query
 that state, request access control decisions and dump additional
 information.
 
+\begin{description}
+
+\item [ACMOP\_SETPOLICY:] set the access control policy
+
+\item [ACMOP\_GETPOLICY:] get the current access control policy and
+  status
+
+\item [ACMOP\_DUMPSTATS:] get current access control hook invocation
+  statistics
+
+\item [ACMOP\_GETSSID:] get security access control information for a
+  domain
+
+\item [ACMOP\_GETDECISION:] get access decision based on the currently
+  enforced access control policy
+
+\end{description}
 \end{quote}
 
+Most of the above are best understood by looking at the code
+implementing them (in {\tt xen/common/acm\_ops.c}) and in the
+user-space tools that use them (mostly in {\tt tools/security} and
+{\tt tools/python/xen/lowlevel/acm}).
+
 
 \section{Debugging Hypercalls}