1#
2# Define the access vectors.
3#
4# class class_name { permission_name ... }
5
# Classes xen and xen2 consist of dom0-only operations dealing with the
# hypervisor itself. Unless otherwise specified, the source is the domain
# executing the hypercall, and the target is the xen initial sid (type xen_t).
class xen
{
# NOTE(review): every permission in this class acts on the hypervisor or the
# whole host rather than on a single domain (see the class header), so any
# domain granted one of these is effectively part of the trusted computing base.
# XENPF_settime32
# XENPF_settime64
    settime
# XEN_SYSCTL_tbuf_op
    tbufcontrol
# CONSOLEIO_read, XEN_SYSCTL_readconsole
    readconsole
# XEN_SYSCTL_readconsole with clear=1 (the destructive variant of readconsole:
# the console buffer is cleared as it is read)
    clearconsole
# XEN_SYSCTL_perfc_op
    perfcontrol
# XENPF_add_memtype
    mtrr_add
# XENPF_del_memtype
    mtrr_del
# XENPF_read_memtype
    mtrr_read
# XENPF_microcode_update
    microcode
# XEN_SYSCTL_physinfo, XEN_SYSCTL_cputopoinfo, XEN_SYSCTL_numainfo
# XEN_SYSCTL_pcitopoinfo
    physinfo
# XENPF_platform_quirk
    quirk
# CONSOLEIO_write
    writeconsole
# PHYSDEVOP_apic_read, PHYSDEVOP_alloc_irq_vector
    readapic
# PHYSDEVOP_apic_write
    writeapic
# Most XENOPROF_* (everything not listed under nonprivprofile below)
    privprofile
# XENOPROF_{init,enable_virq,disable_virq,get_buffer}
    nonprivprofile
# kexec hypercall
    kexec
# XENPF_firmware_info, XENPF_efi_runtime_call
    firmware
# XENPF_enter_acpi_sleep
    sleep
# XENPF_change_freq
    frequency
# XENPF_getidletime
    getidle
# XEN_SYSCTL_debug_keys
    debug
# XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo
    getcpuinfo
# XEN_SYSCTL_availheap
    heap
# XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo,
# XENPF_core_parking
    pm_op
# mca hypercall
    mca_op
# XEN_SYSCTL_lockprof_op
    lockprof
# XEN_SYSCTL_cpupool_op
    cpupool_op
# tmem hypercall (any access)
    tmem_op
# XEN_SYSCTL_tmem_op command of tmem (part of sysctl)
    tmem_control
# XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo, XEN_SYSCTL_sched_id
    getscheduler
# XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
    setscheduler
}
79
# This is a continuation of class xen, since only 32 permissions can be
# defined per class.
# NOTE(review): permission bit values are assigned in declaration order, so new
# permissions should be appended to a class rather than inserted or reordered,
# or a policy compiled from this file will disagree with a hypervisor built
# from an older one — verify against the header/policy generation scripts
# before touching an existing entry.
class xen2
{
# XENPF_resource_op
    resource_op
# XEN_SYSCTL_psr_cmt_op
    psr_cmt_op
# XEN_SYSCTL_psr_cat_op
    psr_cat_op
# XENPF_get_symbol
    get_symbol
# PMU control (privileged xenpmu_op sub-ops — presumably mode/feature
# selection; verify the exact sub-op set against xsm/flask/hooks.c)
    pmu_ctrl
# PMU use (domains, including unprivileged ones, will be using this operation)
    pmu_use
# XEN_SYSCTL_get_cpu_levelling_caps
    get_cpu_levelling_caps
# XEN_SYSCTL_get_cpu_featureset
    get_cpu_featureset
# XEN_SYSCTL_livepatch_op
# NOTE(review): live patching changes code in the running hypervisor, so this
# permission amounts to full hypervisor control; grant it only to the control
# domain.
    livepatch_op
# XEN_SYSCTL_gcov_op
    gcov_op
# XEN_SYSCTL_set_parameter
    set_parameter
}
107
108# Classes domain and domain2 consist of operations that a domain performs on
109# another domain or on itself.  Unless otherwise specified, the source is the
110# domain executing the hypercall, and the target is the domain being operated on
111# (which may result in a _self or _target type).
112#
113# transitions in class domain are used to produce the _self and _target types;
114# see docs/misc/xsm-flask.txt and the example XSM policy for details.
class domain
{
# XEN_DOMCTL_setvcpucontext
# XEN_DOMCTL_setvcpuextstate
# XEN_DOMCTL_set_ext_vcpucontext
# XEN_DOMCTL_set_vcpu_msrs
    setvcpucontext
# XEN_DOMCTL_pausedomain
    pause
# XEN_DOMCTL_unpausedomain
    unpause
# XEN_DOMCTL_resumedomain
    resume
# XEN_DOMCTL_arm_createdomain
    create
# checked in FLASK_RELABEL_DOMAIN for any relabel operation:
#  source = the old label of the domain
#  target = the new label of the domain
# see also the domain2 relabel{from,to,self} permissions
    transition
# XEN_DOMCTL_max_vcpus
    max_vcpus
# XEN_DOMCTL_destroydomain
    destroy
# XEN_DOMCTL_setvcpuaffinity
# XEN_DOMCTL_setnodeaffinity
    setaffinity
# XEN_DOMCTL_getvcpuaffinity
# XEN_DOMCTL_getnodeaffinity
    getaffinity
# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo
    getscheduler
# XEN_DOMCTL_getdomaininfo, XEN_SYSCTL_getdomaininfolist
# (for getdomaininfolist the check is presumably applied per listed domain,
# so a caller only sees the domains it may query — verify against hooks.c)
    getdomaininfo
# XEN_DOMCTL_getvcpuinfo
    getvcpuinfo
# XEN_DOMCTL_getvcpucontext
# XEN_DOMCTL_get_ext_vcpucontext
# XEN_DOMCTL_getvcpuextstate
# XEN_DOMCTL_get_vcpu_msrs
    getvcpucontext
# XEN_DOMCTL_max_mem
    setdomainmaxmem
# XEN_DOMCTL_setdomainhandle
    setdomainhandle
# XEN_DOMCTL_setdebugging
    setdebugging
# XEN_DOMCTL_hypercall_init
    hypercall
# XEN_DOMCTL_settimeoffset
    settime
# checked in XEN_DOMCTL_set_target:
#  source = the new device model domain
#  target = the new target domain
# see also the domain2 make_priv_for and set_as_target checks
    set_target
# SCHEDOP_remote_shutdown
    shutdown
# XEN_DOMCTL_set{,_machine}_address_size
    setaddrsize
# XEN_DOMCTL_get{,_machine}_address_size
    getaddrsize
# XEN_DOMCTL_sendtrigger
    trigger
# XENMEM_get_pod_target
    getpodtarget
# XENMEM_set_pod_target
    setpodtarget
# XEN_DOMCTL_subscribe, XEN_DOMCTL_disable_migrate,
# XEN_DOMCTL_suppress_spurious_page_faults
    set_misc_info
# XEN_DOMCTL_set_virq_handler
    set_virq_handler
}
189
190# This is a continuation of class domain, since only 32 permissions can be
191# defined per class
class domain2
{
# checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF:
#  source = the domain making the hypercall
#  target = the old label of the domain being relabeled
    relabelfrom
# checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF:
#  source = the domain making the hypercall
#  target = the new label of the domain being relabeled
    relabelto
# checked in FLASK_RELABEL_DOMAIN, only with DOMID_SELF:
#  source = the old label of the domain
#  target = the new label of the domain
# see also domain__transition
    relabelself
# checked in XEN_DOMCTL_set_target:
#  source = the domain making the hypercall
#  target = the new device model domain
    make_priv_for
# checked in XEN_DOMCTL_set_target:
#  source = the domain making the hypercall
#  target = the new target domain
    set_as_target
# XEN_DOMCTL_set_cpuid
    set_cpuid
# XEN_DOMCTL_gettscinfo
    gettsc
# XEN_DOMCTL_settscinfo
    settsc
# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
    setscheduler
# XENMEM_claim_pages
    setclaim
# XEN_DOMCTL_set_max_evtchn
    set_max_evtchn
# XEN_DOMCTL_cacheflush
    cacheflush
# Creation of the hardware domain when it is not dom0
    create_hardware_domain
# XEN_DOMCTL_setvnumainfo
    set_vnumainfo
# XENMEM_getvnumainfo
    get_vnumainfo
# XEN_DOMCTL_psr_cmt_op
    psr_cmt_op
# XEN_DOMCTL_set_access_required
# XEN_DOMCTL_monitor_op
# XEN_DOMCTL_vm_event_op
# NOTE(review): vm_event, mem_access, mem_paging and mem_sharing below give the
# source visibility into, and control over, the target's memory; they are
# normally confined to a dedicated introspection or device-model domain.
    vm_event
# XEN_DOMCTL_soft_reset
    soft_reset
# XENMEM_access_op
    mem_access
# XENMEM_paging_op
    mem_paging
# XENMEM_sharing_op
    mem_sharing
# XEN_DOMCTL_psr_cat_op
    psr_cat_op
# XEN_DOMCTL_set_gnttab_limits
    set_gnttab_limits
}
254
255# Similar to class domain, but primarily contains domctls related to HVM domains
class hvm
{
# XEN_DOMCTL_sethvmcontext
    sethvmc
# XEN_DOMCTL_gethvmcontext, XEN_DOMCTL_gethvmcontext_partial
    gethvmc
# HVMOP_set_param
    setparam
# HVMOP_get_param
    getparam
# NOTE(review): undocumented here; presumably XEN_DOMCTL_bind_pt_irq and
# XEN_DOMCTL_unbind_pt_irq (binding a passed-through IRQ to the target's
# virtual interrupt controller) — confirm against xsm/flask/hooks.c before
# relying on this description.
    bind_irq
# XEN_DOMCTL_pin_mem_cacheattr
    cacheattr
# HVMOP_get_mem_type,
# HVMOP_set_mem_access, HVMOP_get_mem_access, HVMOP_pagetable_dying
    hvmctl
# XEN_DOMCTL_mem_sharing_op and XENMEM_sharing_op_{share,add_physmap} with:
#  source = the domain making the hypercall
#  target = domain whose memory is being shared
    mem_sharing
# XEN_DOMCTL_audit_p2m
    audit_p2m
# checked in XENMEM_sharing_op_{share,add_physmap} with:
#  source = domain whose memory is being shared
#  target = client domain
# (this is the second check on a share; mem_sharing above is the first, with
# the roles reversed, so both labels must consent to the sharing)
    share_mem
# HVMOP_set_param setting HVM_PARAM_NESTEDHVM
    nested
# HVMOP_set_param setting HVM_PARAM_ALTP2MHVM
    altp2mhvm
# HVMOP_altp2m_set_domain_state HVMOP_altp2m_get_domain_state
# HVMOP_altp2m_vcpu_enable_notify HVMOP_altp2m_create_p2m
# HVMOP_altp2m_destroy_p2m HVMOP_altp2m_switch_p2m
# HVMOP_altp2m_set_mem_access HVMOP_altp2m_change_gfn
    altp2mhvm_op
# DMOP (the dm_op device-model hypercall; target = the domain being emulated)
    dm
}
294
295# Class event describes event channels.  Interdomain event channels have their
296# own security label which is computed using a type transition between the
297# source and target domains.  Each endpoint has its own label, and the
298# permission checks must pass on both endpoints for an event channel to be
299# established.
class event
{
# when creating an interdomain event channel endpoint:
#  source = event channel label
#  target = remote domain the event channel binds to.  This may be a _self or
#           _target label if the endpoints are related as such.
# This permission is checked when creating an unbound event channel and when the
# interdomain event channel is established.
    bind
# EVTCHNOP_send:
#  source = domain sending the event
#  target = event channel label
    send
# EVTCHNOP_status; checked with the same source and target as send
    status
# when creating an interdomain event channel endpoint:
#  source = the domain creating the channel (which might not be an endpoint)
#  target = event channel label
    create
# EVTCHNOP_reset:
#  source = domain making the hypercall
#  target = domain whose event channels are being reset
    reset
}
324
325# Class grant describes pages shared by grant mappings.  Pages use the security
326# label of their owning domain.
class grant
{
# GNTTABOP_map_grant_ref with any access, i.e. this is checked for every
# mapping; a writable mapping must additionally pass map_write.
# Target is the label of the domain owning the page (see class header).
    map_read
# GNTTABOP_map_grant_ref with write access (checked in addition to map_read)
    map_write
# GNTTABOP_unmap_grant_ref
    unmap
# GNTTABOP_transfer
    transfer
# GNTTABOP_setup_table, GNTTABOP_get_status_frames (target is commonly _self)
    setup
# GNTTABOP_copy
    copy
# GNTTABOP_query_size, GNTTABOP_get_version
    query
}
344
345# Class mmu describes pages of memory not accessed using grants.  Permissions
346# are checked using the domain ID used to access the page - the most common case
347# is a domain's own ID (the _self label).  Using DOMID_IO in the map command to
348# restrict the mapping to IO memory will result in the target being domio_t, and
349# migration uses read-only mappings with a target of DOMID_XEN (domxen_t).
class mmu
{
# checked when using mmu_update to map a page readably
#  source = domain making the hypercall (which might not own the page table)
#  target = domain whose pages are being mapped
    map_read
# checked when using mmu_update to map a page writably
#  source = domain making the hypercall
#  target = domain whose pages are being mapped
    map_write
# XEN_DOMCTL_getpageframeinfo3
    pageinfo
# XEN_DOMCTL_getmemlist
    pagelist
# XENMEM_{increase,decrease}_reservation, XENMEM_populate_physmap
    adjust
# XENMEM_{current,maximum}_reservation, XENMEM_maximum_gpfn
    stat
# mmu_update MMU_MACHPHYS_UPDATE
    updatemp
# XENMEM_add_to_physmap, XENMEM_remove_from_physmap
    physmap
# MMUEXT_PIN_L*_TABLE
    pinpage
# XENMEM_machine_memory_map (with target xen_t)
# XENMEM_set_memory_map (with domain target)
    memorymap
# checked when using mmu_update to update the page tables of another domain
#  source = domain making the hypercall
#  target = domain whose page tables are being modified
    remote_remap
# the mmuext_op hypercall acting on the target domain
    mmuext_op
# XENMEM_exchange:
#  source = domain making the hypercall
#  target = domain whose pages are being exchanged
    exchange
# Allow a privileged domain to install a map of a page it does not own.  Used
# for stub domain device models with the PV framebuffer.
# NOTE(review): this deliberately bypasses page ownership; keep it confined to
# the device-model types that actually need it.
    target_hack
}
391
392# control of the paging_domctl split by subop
class shadow
{
# XEN_DOMCTL_SHADOW_OP_OFF
    disable
# enable, get/set allocation (presumably XEN_DOMCTL_SHADOW_OP_ENABLE* and
# XEN_DOMCTL_SHADOW_OP_{GET,SET}_ALLOCATION — verify against hooks.c)
    enable
# enable, read, and clean log (the log-dirty sub-ops used by live migration)
    logdirty
}
402
403# Class resource is used to describe the resources used in hardware device
404# passthrough.  Resources include: hardware IRQs, MMIO regions, x86 I/O ports,
405# and PCI devices; see docs/misc/xsm-flask.txt for how to label them.
406#
407# Access to the legacy PCI configuration space on x86 via port 0xCF8/CFC
408# requires IS_PRIV, even with FLASK.  Writes to the BARs are checked as "setup",
409# while other reads/writes are "use"; the target is the PCI device whose
410# configuration space is being modified.  Accesses to the MMIO-based PCI express
411# configuration space described by the ACPI MCFG table are controlled as MMIO
412# accesses, and cannot special-case BAR writes.
413#
414# The {add,remove}_{irq,ioport,iomem,device} permissions use:
415#  source = domain making the hypercall
416#  target = resource's security label
class resource
{
# checked when adding a resource to a domain:
#  source = domain making the hypercall
#  target = domain which will have access to the resource
    add
# checked when removing a resource from a domain:
#  source = domain making the hypercall
#  target = domain which will no longer have access to the resource
    remove
# checked when using some core Xen devices (target xen_t)
#  source = domain which will have access to the resource
#  target = xen_t
    use
# checked when adding a resource to a domain:
#  source = domain which will have access to the resource
#  target = resource's security label
# Requires an active IOMMU capable of interrupt remapping in order to
# enforce isolation.
    use_iommu
# checked when adding a resource to a domain when an IOMMU is available
# but it is not capable of interrupt remapping:
#  source = domain which will have access to the resource
#  target = resource's security label
# Enable this to allow some less secure systems to still work.  Without
# interrupt remapping the IOMMU cannot confine the device's interrupts, so the
# isolation described for use_iommu is only partial.
    use_iommu_nointremap
# checked when adding a resource to a domain when no IOMMU present:
#  source = domain which will have access to the resource
#  target = resource's security label
# Enable this to allow resource use without an active IOMMU.  With no IOMMU
# Xen cannot enforce isolation of the device at all (see use_iommu), so a
# DMA-capable device granted this way must be treated as able to reach host
# memory; only allow it for domains trusted with the whole host.
    use_noiommu
# PHYSDEVOP_map_pirq and ioapic writes for dom0, when acting on real IRQs
#  For GSI interrupts, the IRQ's label is indexed by the IRQ number
#  For MSI interrupts, the label of the PCI device is used
    add_irq
# PHYSDEVOP_unmap_pirq (same as map, and only for real IRQs)
    remove_irq
# XEN_DOMCTL_ioport_permission, XEN_DOMCTL_ioport_mapping
    add_ioport
# the same hypercalls when revoking or unmapping the port range
    remove_ioport
# XEN_DOMCTL_iomem_permission, XEN_DOMCTL_memory_mapping
    add_iomem
# the same hypercalls when revoking or unmapping the region
    remove_iomem
# XEN_DOMCTL_get_device_group, XEN_DOMCTL_test_assign_device:
#  source = domain making the hypercall
#  target = device being queried
    stat_device
# XEN_DOMCTL_assign_device
    add_device
# XEN_DOMCTL_deassign_device
    remove_device
# checked for PCI hot and cold-plug hypercalls, with target as the PCI device
# checked for CPU and memory hotplug with xen_t as the target
    plug
# checked for PCI hot-unplug hypercalls, with target as the PCI device
# checked for CPU offlining with xen_t as the target
    unplug
# checked for PHYSDEVOP_restore_msi* (target PCI device)
# checked for PHYSDEVOP_setup_gsi (target IRQ)
# checked for PHYSDEVOP_pci_mmcfg_reserved (target xen_t)
    setup
}
479
480# Class security describes the FLASK security server itself; these operations
481# are accessed using the xsm_op hypercall.  The source is the domain invoking
482# the hypercall, and the target is security_t.
483#
484# Any domain with access to load_policy or setenforce must be trusted, since it
485# can bypass the rest of the security policy.
class security
{
# use the security server to compute an access check
    compute_av
# use the security server to compute a type transition
    compute_create
# use the security server to compute member selection
    compute_member
# sid <-> context string conversions
    check_context
# allow loading a new XSM/FLASK policy (see class header: this bypasses every
# other rule, since the holder can load a policy of its own choosing)
    load_policy
# use the security server to compute an object relabel
    compute_relabel
# allow switching between enforcing and permissive mode (see class header:
# permissive mode disables enforcement of the whole policy)
    setenforce
# allow changing policy booleans
    setbool
# allow changing security server configuration parameters
    setsecparam
# add ocontext label definitions for resources
# NOTE(review): class resource decisions key on these labels, so a domain that
# can add or remove ocontexts can change which resources it (or others) may
# use; treat add_ocontext/del_ocontext as privileged, alongside load_policy.
    add_ocontext
# remove ocontext label definitions for resources
    del_ocontext
}
511
# Class version is used to describe the XENVER_ hypercall.
# Almost all sub-ops are described here; in the default policy all of them
# should be allowed except xen_commandline (XENVER_commandline), which may
# reveal sensitive boot parameters to a guest.
#
# The sub-ops that are omitted are XENVER_version, XENVER_platform_parameters,
# and XENVER_get_features, as they MUST always be returned to a guest and are
# therefore never subject to a permission check.
#
class version
{
# Extra version information (e.g. "-unstable").
    xen_extraversion
# Compile information of the hypervisor.
    xen_compile_info
# Such as "xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64".
    xen_capabilities
# Source code changeset.
    xen_changeset
# Page size the hypervisor uses.
    xen_pagesize
# A value that the control stack can choose.
    xen_guest_handle
# Xen command line.  Denied to guests in the default policy (see the class
# header) as it may expose sensitive boot parameters.
    xen_commandline
# Xen build id
    xen_build_id
}
538