* [FIX][ACM][Interface Manual] Updates / corrects Access Control Module information in the interface document
@ 2006-10-02 17:39 Reiner Sailer
From: Reiner Sailer @ 2006-10-02 17:39 UTC (permalink / raw)
To: xen-devel; +Cc: sailer
[-- Attachment #1: Type: text/plain, Size: 162 bytes --]
This patch adds access control module information for hypercalls and
xenstore entries to the interface manual.
Signed-off by: Reiner Sailer <sailer@us.ibm.com>
[-- Attachment #2: acm_interface_doc.diff --]
[-- Type: text/plain, Size: 2957 bytes --]
---
docs/src/interface.tex | 42 +++++++++++++++++++++++++++++++++++++++---
1 file changed, 39 insertions(+), 3 deletions(-)
Index: xen-unstable.hg-interface/docs/src/interface.tex
===================================================================
--- xen-unstable.hg-interface.orig/docs/src/interface.tex
+++ xen-unstable.hg-interface/docs/src/interface.tex
@@ -955,7 +955,6 @@ This information doesn't change and is i
A {\bf /vm} entry contains the following information:
\begin{description}
-\item[ssidref] ssid reference for domain
\item[uuid] uuid of the domain (somewhat redundant)
\item[on\_reboot] the action to take on a domain reboot request (destroy or restart)
\item[on\_poweroff] the action to take on a domain halt request (destroy or restart)
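Review bot: The removal of `\item[ssidref]` from the /vm description is not covered by the patch description, which only says the patch "adds" information. Please say in the description that ssidref is being relocated rather than dropped, and consider leaving a short sentence in the /vm text pointing to the new security/ entry so readers who looked for it here can find it.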
@@ -1125,6 +1124,16 @@ This path contains:
\end{description}
\end{description}
+ \item[security/] access control information for the domain
+ \begin{description}
+ \item[ssidref] security reference identifier used inside the hypervisor
+ \item[access\_control/] security label used by management tools
+ \begin{description}
+ \item[label] security label name
+ \item[policy] security policy name
+ \end{description}
+ \end{description}
+
\item[store/] per-domain information for the store
\begin{description}
\item[port] the event channel used for the store ring queue
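Review bot: The new security/ entry does not say how `ssidref` ("used inside the hypervisor") relates to `access\_control/label` and `access\_control/policy` ("used by management tools"), nor who is expected to write these nodes. For an access control interface, a sentence stating which component sets each value, and which value is authoritative for enforcement, would help. A cross-reference to the new section, e.g. `Section~\ref{s:acmops}`, would also tie this entry to the ACMOP\_GETSSID command documented later.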
@@ -2168,19 +2177,46 @@ Most of the above are best understood by
implementing them (in {\tt xen/common/dom0\_ops.c}) and in
the user-space tools that use them (mostly in {\tt tools/libxc}).
+\section{Access Control Module Hypercalls}
+\label{s:acmops}
+
Hypercalls relating to the management of the Access Control Module are
-also restricted to domain 0 access for now:
+also restricted to domain 0 access for now. For more details on any or
+all of these, please see {\tt xen/include/public/acm\_ops.h}. A
+complete list is given below:
\begin{quote}
-\hypercall{acm\_op(struct acm\_op * u\_acm\_op)}
+\hypercall{acm\_op(int cmd, void *args)}
This hypercall can be used to configure the state of the ACM, query
that state, request access control decisions and dump additional
information.
+\begin{description}
+
+\item [ACMOP\_SETPOLICY:] set the access control policy
+
+\item [ACMOP\_GETPOLICY:] get the current access control policy and
+ status
+
+\item [ACMOP\_DUMPSTATS:] get current access control hook invocation
+ statistics
+
+\item [ACMOP\_GETSSID:] get security access control information for a
+ domain
+
+\item [ACMOP\_GETDECISION:] get access decision based on the currently
+ enforced access control policy
+
+\end{description}
\end{quote}
+Most of the above are best understood by looking at the code
+implementing them (in {\tt xen/common/acm\_ops.c}) and in the
+user-space tools that use them (mostly in {\tt tools/security} and
+{\tt tools/python/xen/lowlevel/acm}).
+
\section{Debugging Hypercalls}
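Review bot: With the signature changed to `acm\_op(int cmd, void *args)`, the new command list never says what `args` must point to for each ACMOP\_* value, so the reader cannot use the hypercall from this text alone. Suggest naming the argument structure next to each item, or stating explicitly that the per-command structures are defined in {\tt xen/include/public/acm\_ops.h}. Two smaller points: the items are written as `\item [ACMOP\_SETPOLICY:]` with a space and a trailing colon inside the label, while the rest of the file uses `\item[...]`; and "any or all of these ... A complete list is given below" reads as a list of hypercalls, although what follows is a single hypercall with a list of commands.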