#
# Define the access vectors.
#
# class class_name { permission_name ... }

# Class xen consists of dom0-only operations dealing with the hypervisor itself.
# Unless otherwise specified, the source is the domain executing the hypercall,
# and the target is the xen initial sid (type xen_t).
class xen
{
# XENPF_settime
    settime
# XEN_SYSCTL_tbuf_op
    tbufcontrol
# CONSOLEIO_read, XEN_SYSCTL_readconsole
    readconsole
# XEN_SYSCTL_readconsole with clear=1
    clearconsole
# XEN_SYSCTL_perfc_op
    perfcontrol
# XENPF_add_memtype
    mtrr_add
# XENPF_del_memtype
    mtrr_del
# XENPF_read_memtype
    mtrr_read
# XENPF_microcode_update
    microcode
# XEN_SYSCTL_physinfo, XEN_SYSCTL_topologyinfo, XEN_SYSCTL_numainfo
    physinfo
# XENPF_platform_quirk
    quirk
# CONSOLEIO_write
    writeconsole
# PHYSDEVOP_apic_read, PHYSDEVOP_alloc_irq_vector
    readapic
# PHYSDEVOP_apic_write
    writeapic
# Most XENOPROF_*
    privprofile
# XENOPROF_{init,enable_virq,disable_virq,get_buffer}
    nonprivprofile
# kexec hypercall
    kexec
# XENPF_firmware_info, XENPF_efi_runtime_call
    firmware
# XENPF_enter_acpi_sleep
    sleep
# XENPF_change_freq
    frequency
# XENPF_getidletime
    getidle
# XEN_SYSCTL_debug_keys
    debug
# XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo
    getcpuinfo
# XEN_SYSCTL_availheap
    heap
# XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo,
# XENPF_core_parking
    pm_op
# mca hypercall
    mca_op
# XEN_SYSCTL_lockprof_op
    lockprof
# XEN_SYSCTL_cpupool_op
    cpupool_op
# tmem hypercall (any access)
    tmem_op
# TMEM_CONTROL command of tmem hypercall
    tmem_control
# XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo, XEN_SYSCTL_sched_id
    getscheduler
# XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
    setscheduler
}

# Classes domain and domain2 consist of operations that a domain performs on
# another domain or on itself.  Unless otherwise specified, the source is the
# domain executing the hypercall, and the target is the domain being operated on
# (which may result in a _self or _target type).
#
# transitions in class domain are used to produce the _self and _target types;
# see docs/misc/xsm-flask.txt and the example XSM policy for details.
class domain
{
# XEN_DOMCTL_setvcpucontext
    setvcpucontext
# XEN_DOMCTL_pausedomain
    pause
# XEN_DOMCTL_unpausedomain
    unpause
# XEN_DOMCTL_resumedomain
    resume
# XEN_DOMCTL_createdomain
    create
# checked in FLASK_RELABEL_DOMAIN for any relabel operation:
#  source = the old label of the domain
#  target = the new label of the domain
# see also the domain2 relabel{from,to,self} permissions
    transition
# XEN_DOMCTL_max_vcpus
    max_vcpus
# XEN_DOMCTL_destroydomain
    destroy
# XEN_DOMCTL_setvcpuaffinity
# XEN_DOMCTL_setnodeaffinity
    setaffinity
# XEN_DOMCTL_getvcpuaffinity
# XEN_DOMCTL_getnodeaffinity
    getaffinity
# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo
    getscheduler
# XEN_DOMCTL_getdomaininfo, XEN_SYSCTL_getdomaininfolist
    getdomaininfo
# XEN_DOMCTL_getvcpuinfo
    getvcpuinfo
# XEN_DOMCTL_getvcpucontext
    getvcpucontext
# XEN_DOMCTL_max_mem
    setdomainmaxmem
# XEN_DOMCTL_setdomainhandle
    setdomainhandle
# XEN_DOMCTL_setdebugging
    setdebugging
# XEN_DOMCTL_hypercall_init
    hypercall
# XEN_DOMCTL_settimeoffset
    settime
# checked in XEN_DOMCTL_set_target:
#  source = the new device model domain
#  target = the new target domain
# see also the domain2 make_priv_for and set_as_target checks
    set_target
# SCHEDOP_remote_shutdown
    shutdown
# XEN_DOMCTL_set{,_machine}_address_size
    setaddrsize
# XEN_DOMCTL_get{,_machine}_address_size
    getaddrsize
# XEN_DOMCTL_sendtrigger
    trigger
# XEN_DOMCTL_get_ext_vcpucontext
    getextvcpucontext
# XEN_DOMCTL_set_ext_vcpucontext
    setextvcpucontext
# XEN_DOMCTL_getvcpuextstate
    getvcpuextstate
# XEN_DOMCTL_setvcpuextstate
    setvcpuextstate
# XENMEM_get_pod_target
    getpodtarget
# XENMEM_set_pod_target
    setpodtarget
# XEN_DOMCTL_subscribe, XEN_DOMCTL_disable_migrate,
# XEN_DOMCTL_suppress_spurious_page_faults
    set_misc_info
# XEN_DOMCTL_set_virq_handler
    set_virq_handler
}

# This is a continuation of class domain, since only 32 permissions can be
# defined per class
class domain2
{
# checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF:
#  source = the domain making the hypercall
#  target = the old label of the domain being relabeled
    relabelfrom
# checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF:
#  source = the domain making the hypercall
#  target = the new label of the domain being relabeled
    relabelto
# checked in FLASK_RELABEL_DOMAIN, only with DOMID_SELF:
#  source = the old label of the domain
#  target = the new label of the domain
# see also domain__transition
    relabelself
# checked in XEN_DOMCTL_set_target:
#  source = the domain making the hypercall
#  target = the new device model domain
    make_priv_for
# checked in XEN_DOMCTL_set_target:
#  source = the domain making the hypercall
#  target = the new target domain
    set_as_target
# XEN_DOMCTL_set_cpuid
    set_cpuid
# XEN_DOMCTL_gettscinfo
    gettsc
# XEN_DOMCTL_settscinfo
    settsc
# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
    setscheduler
# XENMEM_claim_pages
    setclaim
# XEN_DOMCTL_set_max_evtchn
    set_max_evtchn
# XEN_DOMCTL_cacheflush
    cacheflush
}

# Similar to class domain, but primarily contains domctls related to HVM domains
class hvm
{
# XEN_DOMCTL_sethvmcontext
    sethvmc
# XEN_DOMCTL_gethvmcontext, XEN_DOMCTL_gethvmcontext_partial
    gethvmc
# HVMOP_set_param
    setparam
# HVMOP_get_param
    getparam
# HVMOP_set_pci_intx_level (also needs hvmctl)
    pcilevel
# HVMOP_set_isa_irq_level
    irqlevel
# HVMOP_set_pci_link_route
    pciroute
    bind_irq
# XEN_DOMCTL_pin_mem_cacheattr
    cacheattr
# HVMOP_track_dirty_vram
    trackdirtyvram
# HVMOP_modified_memory, HVMOP_get_mem_type, HVMOP_set_mem_type,
# HVMOP_set_mem_access, HVMOP_get_mem_access, HVMOP_pagetable_dying,
# HVMOP_inject_trap
    hvmctl
# XEN_DOMCTL_set_access_required
    mem_event
# XEN_DOMCTL_mem_sharing_op and XENMEM_sharing_op_{share,add_physmap} with:
#  source = the domain making the hypercall
#  target = domain whose memory is being shared
    mem_sharing
# XEN_DOMCTL_audit_p2m
    audit_p2m
# HVMOP_inject_msi
    send_irq
# checked in XENMEM_sharing_op_{share,add_physmap} with:
#  source = domain whose memory is being shared
#  target = client domain
    share_mem
# HVMOP_set_param setting HVM_PARAM_NESTEDHVM
    nested
}

# Class event describes event channels.  Interdomain event channels have their
# own security label which is computed using a type transition between the
# source and target domains.  Each endpoint has its own label, and the
# permission checks must pass on both endpoints for an event channel to be
# established.
class event
{
# when creating an interdomain event channel endpoint:
#  source = event channel label
#  target = remote domain the event channel binds to.  This may be a _self or
#           _target label if the endpoints are related as such.
# This permission is checked when creating an unbound event channel and when the
# interdomain event channel is established.
    bind
# EVTCHNOP_send:
#  source = domain sending the event
#  target = event channel label
    send
# EVTCHNOP_status; same as _send
    status
# when creating an interdomain event channel endpoint:
#  source = the domain creating the channel (which might not be an endpoint)
#  target = event channel label
    create
# EVTCHNOP_reset:
#  source = domain making the hypercall
#  target = domain whose event channels are being reset
    reset
}

# Class grant describes pages shared by grant mappings.  Pages use the security
# label of their owning domain.
class grant
{
# GNTTABOP_map_grant_ref with any access
    map_read
# GNTTABOP_map_grant_ref with write access
    map_write
# GNTTABOP_unmap_grant_ref
    unmap
# GNTTABOP_transfer
    transfer
# GNTTABOP_setup_table, GNTTABOP_get_status_frames (target is commonly _self)
    setup
# GNTTABOP_copy
    copy
# GNTTABOP_query_size, GNTTABOP_get_version
    query
}

# Class mmu describes pages of memory not accessed using grants.  Permissions
# are checked using the domain ID used to access the page - the most common case
# is a domain's own ID (the _self label).  Using DOMID_IO in the map command to
# restrict the mapping to IO memory will result in the target being domio_t, and
# migration uses read-only mappings with a target of DOMID_XEN (domxen_t).
class mmu
{
# checked when using mmu_update to map a page readably
#  source = domain making the hypercall (which might not own the page table)
#  target = domain whose pages are being mapped
    map_read
# checked when using mmu_update to map a page writably
#  source = domain making the hypercall
#  target = domain whose pages are being mapped
    map_write
# XEN_DOMCTL_getpageframeinfo*
    pageinfo
# XEN_DOMCTL_getmemlist
    pagelist
# XENMEM_{increase,decrease}_reservation, XENMEM_populate_physmap
    adjust
# XENMEM_{current,maximum}_reservation, XENMEM_maximum_gpfn
    stat
# mmu_update MMU_MACHPHYS_UPDATE
    updatemp
# XENMEM_add_to_physmap, XENMEM_remove_from_physmap
    physmap
# MMUEXT_PIN_L*_TABLE
    pinpage
# XENMEM_machine_memory_map (with target xen_t)
# XENMEM_set_memory_map (with domain target)
    memorymap
# checked when using mmu_update to update the page tables of another domain
#  source = domain making the hypercall
#  target = domain whose page tables are being modified
    remote_remap
# the mmuext_op hypercall acting on the target domain
    mmuext_op
# XENMEM_exchange:
#  source = domain making the hypercall
#  target = domain whose pages are being exchanged
    exchange
# Allow a privileged domain to install a map of a page it does not own.  Used
# for stub domain device models with the PV framebuffer.
    target_hack
}

# control of the paging_domctl split by subop
class shadow
{
# XEN_DOMCTL_SHADOW_OP_OFF
    disable
# enable, get/set allocation
    enable
# enable, read, and clean log
    logdirty
}

# Class resource is used to describe the resources used in hardware device
# passthrough.  Resources include: hardware IRQs, MMIO regions, x86 I/O ports,
# and PCI devices; see docs/misc/xsm-flask.txt for how to label them.
#
# Access to the legacy PCI configuration space on x86 via port 0xCF8/CFC
# requires IS_PRIV, even with FLASK.  Writes to the BARs are checked as "setup",
# while other reads/writes are "use"; the target is the PCI device whose
# configuration space is being modified.  Accesses to the MMIO-based PCI express
# configuration space described by the ACPI MCFG table are controlled as MMIO
# accesses, and cannot special-case BAR writes.
#
# The {add,remove}_{irq,ioport,iomem,device} permissions use:
#  source = domain making the hypercall
#  target = resource's security label
class resource
{
# checked when adding a resource to a domain:
#  source = domain making the hypercall
#  target = domain which will have access to the resource
    add
# checked when removing a resource from a domain:
#  source = domain making the hypercall
#  target = domain which will no longer have access to the resource
    remove
# checked when adding a resource to a domain:
#  source = domain which will have access to the resource
#  target = resource's security label
# also checked when using some core Xen devices (target xen_t)
    use
# PHYSDEVOP_map_pirq and ioapic writes for dom0, when acting on real IRQs
#  For GSI interrupts, the IRQ's label is indexed by the IRQ number
#  For MSI interrupts, the label of the PCI device is used
    add_irq
# PHYSDEVOP_unmap_pirq (same as map, and only for real IRQs)
    remove_irq
# XEN_DOMCTL_ioport_permission, XEN_DOMCTL_ioport_mapping
    add_ioport
    remove_ioport
# XEN_DOMCTL_iomem_permission, XEN_DOMCTL_memory_mapping
    add_iomem
    remove_iomem
# XEN_DOMCTL_get_device_group, XEN_DOMCTL_test_assign_device:
#  source = domain making the hypercall
#  target = PCI device being queried
    stat_device
# XEN_DOMCTL_assign_device
    add_device
# XEN_DOMCTL_deassign_device
    remove_device
# checked for PCI hot and cold-plug hypercalls, with target as the PCI device
# checked for CPU and memory hotplug with xen_t as the target
    plug
# checked for PCI hot-unplug hypercalls, with target as the PCI device
# checked for CPU offlining with xen_t as the target
    unplug
# checked for PHYSDEVOP_restore_msi* (target PCI device)
# checked for PHYSDEVOP_setup_gsi (target IRQ)
# checked for PHYSDEVOP_pci_mmcfg_reserved (target xen_t)
    setup
}

# Class security describes the FLASK security server itself; these operations
# are accessed using the xsm_op hypercall.  The source is the domain invoking
# the hypercall, and the target is security_t.
#
# Any domain with access to load_policy or setenforce must be trusted, since it
# can bypass the rest of the security policy.
class security
{
# use the security server to compute an access check
    compute_av
# use the security server to compute a type transition
    compute_create
# use the security server to compute member selection
    compute_member
# sid <-> context string conversions
    check_context
# allow loading a new XSM/FLASK policy
    load_policy
# use the security server to compute an object relabel
    compute_relabel
# use the security server to list the SIDs reachable by a given user
    compute_user
# allow switching between enforcing and permissive mode
    setenforce
# allow changing policy booleans
    setbool
# allow changing security server configuration parmeters
    setsecparam
# add ocontext label definitions for resources
    add_ocontext
# remove ocontext label definitions for resources
    del_ocontext
}
