# # Define the access vectors. # # class class_name { permission_name ... } # Class xen consists of dom0-only operations dealing with the hypervisor itself. # Unless otherwise specified, the source is the domain executing the hypercall, # and the target is the xen initial sid (type xen_t). class xen { # XENPF_settime settime # XEN_SYSCTL_tbuf_op tbufcontrol # CONSOLEIO_read, XEN_SYSCTL_readconsole readconsole # XEN_SYSCTL_readconsole with clear=1 clearconsole # XEN_SYSCTL_perfc_op perfcontrol # XENPF_add_memtype mtrr_add # XENPF_del_memtype mtrr_del # XENPF_read_memtype mtrr_read # XENPF_microcode_update microcode # XEN_SYSCTL_physinfo, XEN_SYSCTL_topologyinfo, XEN_SYSCTL_numainfo physinfo # XENPF_platform_quirk quirk # CONSOLEIO_write writeconsole # PHYSDEVOP_apic_read, PHYSDEVOP_alloc_irq_vector readapic # PHYSDEVOP_apic_write writeapic # Most XENOPROF_* privprofile # XENOPROF_{init,enable_virq,disable_virq,get_buffer} nonprivprofile # kexec hypercall kexec # XENPF_firmware_info, XENPF_efi_runtime_call firmware # XENPF_enter_acpi_sleep sleep # XENPF_change_freq frequency # XENPF_getidletime getidle # XEN_SYSCTL_debug_keys debug # XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo getcpuinfo # XEN_SYSCTL_availheap heap # XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo, # XENPF_core_parking pm_op # mca hypercall mca_op # XEN_SYSCTL_lockprof_op lockprof # XEN_SYSCTL_cpupool_op cpupool_op # tmem hypercall (any access) tmem_op # TMEM_CONTROL command of tmem hypercall tmem_control # XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo, XEN_SYSCTL_sched_id getscheduler # XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo setscheduler } # Classes domain and domain2 consist of operations that a domain performs on # another domain or on itself. Unless otherwise specified, the source is the # domain executing the hypercall, and the target is the domain being operated on # (which may result in a _self or _target type). # # transitions in class domain are used to produce the _self and _target types; # see docs/misc/xsm-flask.txt and the example XSM policy for details. class domain { # XEN_DOMCTL_setvcpucontext setvcpucontext # XEN_DOMCTL_pausedomain pause # XEN_DOMCTL_unpausedomain unpause # XEN_DOMCTL_resumedomain resume # XEN_DOMCTL_createdomain create # checked in FLASK_RELABEL_DOMAIN for any relabel operation: # source = the old label of the domain # target = the new label of the domain # see also the domain2 relabel{from,to,self} permissions transition # XEN_DOMCTL_max_vcpus max_vcpus # XEN_DOMCTL_destroydomain destroy # XEN_DOMCTL_setvcpuaffinity # XEN_DOMCTL_setnodeaffinity setaffinity # XEN_DOMCTL_getvcpuaffinity # XEN_DOMCTL_getnodeaffinity getaffinity # XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo getscheduler # XEN_DOMCTL_getdomaininfo, XEN_SYSCTL_getdomaininfolist getdomaininfo # XEN_DOMCTL_getvcpuinfo getvcpuinfo # XEN_DOMCTL_getvcpucontext getvcpucontext # XEN_DOMCTL_max_mem setdomainmaxmem # XEN_DOMCTL_setdomainhandle setdomainhandle # XEN_DOMCTL_setdebugging setdebugging # XEN_DOMCTL_hypercall_init hypercall # XEN_DOMCTL_settimeoffset settime # checked in XEN_DOMCTL_set_target: # source = the new device model domain # target = the new target domain # see also the domain2 make_priv_for and set_as_target checks set_target # SCHEDOP_remote_shutdown shutdown # XEN_DOMCTL_set{,_machine}_address_size setaddrsize # XEN_DOMCTL_get{,_machine}_address_size getaddrsize # XEN_DOMCTL_sendtrigger trigger # XEN_DOMCTL_get_ext_vcpucontext getextvcpucontext # XEN_DOMCTL_set_ext_vcpucontext setextvcpucontext # XEN_DOMCTL_getvcpuextstate getvcpuextstate # XEN_DOMCTL_setvcpuextstate setvcpuextstate # XENMEM_get_pod_target getpodtarget # XENMEM_set_pod_target setpodtarget # XEN_DOMCTL_subscribe, XEN_DOMCTL_disable_migrate, # XEN_DOMCTL_suppress_spurious_page_faults set_misc_info # XEN_DOMCTL_set_virq_handler set_virq_handler } # This is a continuation of class domain, since only 32 permissions can be # defined per class class domain2 { # checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF: # source = the domain making the hypercall # target = the old label of the domain being relabeled relabelfrom # checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF: # source = the domain making the hypercall # target = the new label of the domain being relabeled relabelto # checked in FLASK_RELABEL_DOMAIN, only with DOMID_SELF: # source = the old label of the domain # target = the new label of the domain # see also domain__transition relabelself # checked in XEN_DOMCTL_set_target: # source = the domain making the hypercall # target = the new device model domain make_priv_for # checked in XEN_DOMCTL_set_target: # source = the domain making the hypercall # target = the new target domain set_as_target # XEN_DOMCTL_set_cpuid set_cpuid # XEN_DOMCTL_gettscinfo gettsc # XEN_DOMCTL_settscinfo settsc # XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo setscheduler # XENMEM_claim_pages setclaim # XEN_DOMCTL_set_max_evtchn set_max_evtchn } # Similar to class domain, but primarily contains domctls related to HVM domains class hvm { # XEN_DOMCTL_sethvmcontext sethvmc # XEN_DOMCTL_gethvmcontext, XEN_DOMCTL_gethvmcontext_partial gethvmc # HVMOP_set_param setparam # HVMOP_get_param getparam # HVMOP_set_pci_intx_level (also needs hvmctl) pcilevel # HVMOP_set_isa_irq_level irqlevel # HVMOP_set_pci_link_route pciroute bind_irq # XEN_DOMCTL_pin_mem_cacheattr cacheattr # HVMOP_track_dirty_vram trackdirtyvram # HVMOP_modified_memory, HVMOP_get_mem_type, HVMOP_set_mem_type, # HVMOP_set_mem_access, HVMOP_get_mem_access, HVMOP_pagetable_dying, # HVMOP_inject_trap hvmctl # XEN_DOMCTL_set_access_required mem_event # XEN_DOMCTL_mem_sharing_op and XENMEM_sharing_op_{share,add_physmap} with: # source = the domain making the hypercall # target = domain whose memory is being shared mem_sharing # XEN_DOMCTL_audit_p2m audit_p2m # HVMOP_inject_msi send_irq # checked in XENMEM_sharing_op_{share,add_physmap} with: # source = domain whose memory is being shared # target = client domain share_mem # HVMOP_set_param setting HVM_PARAM_NESTEDHVM nested } # Class event describes event channels. Interdomain event channels have their # own security label which is computed using a type transition between the # source and target domains. Each endpoint has its own label, and the # permission checks must pass on both endpoints for an event channel to be # established. class event { # when creating an interdomain event channel endpoint: # source = event channel label # target = remote domain the event channel binds to. This may be a _self or # _target label if the endpoints are related as such. # This permission is checked when creating an unbound event channel and when the # interdomain event channel is established. bind # EVTCHNOP_send: # source = domain sending the event # target = event channel label send # EVTCHNOP_status; same as _send status # when creating an interdomain event channel endpoint: # source = the domain creating the channel (which might not be an endpoint) # target = event channel label create # EVTCHNOP_reset: # source = domain making the hypercall # target = domain whose event channels are being reset reset } # Class grant describes pages shared by grant mappings. Pages use the security # label of their owning domain. class grant { # GNTTABOP_map_grant_ref with any access map_read # GNTTABOP_map_grant_ref with write access map_write # GNTTABOP_unmap_grant_ref unmap # GNTTABOP_transfer transfer # GNTTABOP_setup_table, GNTTABOP_get_status_frames (target is commonly _self) setup # GNTTABOP_copy copy # GNTTABOP_query_size, GNTTABOP_get_version query } # Class mmu describes pages of memory not accessed using grants. Permissions # are checked using the domain ID used to access the page - the most common case # is a domain's own ID (the _self label). Using DOMID_IO in the map command to # restrict the mapping to IO memory will result in the target being domio_t, and # migration uses read-only mappings with a target of DOMID_XEN (domxen_t). class mmu { # checked when using mmu_update to map a page readably # source = domain making the hypercall (which might not own the page table) # target = domain whose pages are being mapped map_read # checked when using mmu_update to map a page writably # source = domain making the hypercall # target = domain whose pages are being mapped map_write # XEN_DOMCTL_getpageframeinfo* pageinfo # XEN_DOMCTL_getmemlist pagelist # XENMEM_{increase,decrease}_reservation, XENMEM_populate_physmap adjust # XENMEM_{current,maximum}_reservation, XENMEM_maximum_gpfn stat # mmu_update MMU_MACHPHYS_UPDATE updatemp # XENMEM_add_to_physmap, XENMEM_remove_from_physmap physmap # MMUEXT_PIN_L*_TABLE pinpage # XENMEM_machine_memory_map (with target xen_t) # XENMEM_set_memory_map (with domain target) memorymap # checked when using mmu_update to update the page tables of another domain # source = domain making the hypercall # target = domain whose page tables are being modified remote_remap # the mmuext_op hypercall acting on the target domain mmuext_op # XENMEM_exchange: # source = domain making the hypercall # target = domain whose pages are being exchanged exchange # Allow a privileged domain to install a map of a page it does not own. Used # for stub domain device models with the PV framebuffer. target_hack } # control of the paging_domctl split by subop class shadow { # XEN_DOMCTL_SHADOW_OP_OFF disable # enable, get/set allocation enable # enable, read, and clean log logdirty } # Class resource is used to describe the resources used in hardware device # passthrough. Resources include: hardware IRQs, MMIO regions, x86 I/O ports, # and PCI devices; see docs/misc/xsm-flask.txt for how to label them. # # Access to the legacy PCI configuration space on x86 via port 0xCF8/CFC # requires IS_PRIV, even with FLASK. Writes to the BARs are checked as "setup", # while other reads/writes are "use"; the target is the PCI device whose # configuration space is being modified. Accesses to the MMIO-based PCI express # configuration space described by the ACPI MCFG table are controlled as MMIO # accesses, and cannot special-case BAR writes. # # The {add,remove}_{irq,ioport,iomem,device} permissions use: # source = domain making the hypercall # target = resource's security label class resource { # checked when adding a resource to a domain: # source = domain making the hypercall # target = domain which will have access to the resource add # checked when removing a resource from a domain: # source = domain making the hypercall # target = domain which will no longer have access to the resource remove # checked when adding a resource to a domain: # source = domain which will have access to the resource # target = resource's security label # also checked when using some core Xen devices (target xen_t) use # PHYSDEVOP_map_pirq and ioapic writes for dom0, when acting on real IRQs # For GSI interrupts, the IRQ's label is indexed by the IRQ number # For MSI interrupts, the label of the PCI device is used add_irq # PHYSDEVOP_unmap_pirq (same as map, and only for real IRQs) remove_irq # XEN_DOMCTL_ioport_permission, XEN_DOMCTL_ioport_mapping add_ioport remove_ioport # XEN_DOMCTL_iomem_permission, XEN_DOMCTL_memory_mapping add_iomem remove_iomem # XEN_DOMCTL_get_device_group, XEN_DOMCTL_test_assign_device: # source = domain making the hypercall # target = PCI device being queried stat_device # XEN_DOMCTL_assign_device add_device # XEN_DOMCTL_deassign_device remove_device # checked for PCI hot and cold-plug hypercalls, with target as the PCI device # checked for CPU and memory hotplug with xen_t as the target plug # checked for PCI hot-unplug hypercalls, with target as the PCI device # checked for CPU offlining with xen_t as the target unplug # checked for PHYSDEVOP_restore_msi* (target PCI device) # checked for PHYSDEVOP_setup_gsi (target IRQ) # checked for PHYSDEVOP_pci_mmcfg_reserved (target xen_t) setup } # Class security describes the FLASK security server itself; these operations # are accessed using the xsm_op hypercall. The source is the domain invoking # the hypercall, and the target is security_t. # # Any domain with access to load_policy or setenforce must be trusted, since it # can bypass the rest of the security policy. class security { # use the security server to compute an access check compute_av # use the security server to compute a type transition compute_create # use the security server to compute member selection compute_member # sid <-> context string conversions check_context # allow loading a new XSM/FLASK policy load_policy # use the security server to compute an object relabel compute_relabel # use the security server to list the SIDs reachable by a given user compute_user # allow switching between enforcing and permissive mode setenforce # allow changing policy booleans setbool # allow changing security server configuration parmeters setsecparam # add ocontext label definitions for resources add_ocontext # remove ocontext label definitions for resources del_ocontext }