#
# Define the access vectors.
#
# class class_name { permission_name ... }

# Class xen and xen2 consists of dom0-only operations dealing with the
# hypervisor itself. Unless otherwise specified, the source is the domain
# executing the hypercall, and the target is the xen initial sid (type xen_t).
class xen
{
# XENPF_settime32
# XENPF_settime64
    settime
# XEN_SYSCTL_tbuf_op
    tbufcontrol
# CONSOLEIO_read, XEN_SYSCTL_readconsole
    readconsole
# XEN_SYSCTL_readconsole with clear=1
    clearconsole
# XEN_SYSCTL_perfc_op
    perfcontrol
# XENPF_add_memtype
    mtrr_add
# XENPF_del_memtype
    mtrr_del
# XENPF_read_memtype
    mtrr_read
# XENPF_microcode_update
    microcode
# XEN_SYSCTL_physinfo, XEN_SYSCTL_cputopoinfo, XEN_SYSCTL_numainfo
# XEN_SYSCTL_pcitopoinfo, XEN_SYSCTL_get_cpu_policy
    physinfo
# XENPF_platform_quirk
    quirk
# CONSOLEIO_write
    writeconsole
# PHYSDEVOP_apic_read, PHYSDEVOP_alloc_irq_vector
    readapic
# PHYSDEVOP_apic_write
    writeapic
# Most XENOPROF_*
    privprofile
# XENOPROF_{init,enable_virq,disable_virq,get_buffer}
    nonprivprofile
# kexec hypercall
    kexec
# XENPF_firmware_info, XENPF_efi_runtime_call
    firmware
# XENPF_enter_acpi_sleep
    sleep
# XENPF_change_freq
    frequency
# XENPF_getidletime
    getidle
# XEN_SYSCTL_debug_keys
    debug
# XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo
    getcpuinfo
# XEN_SYSCTL_availheap
    heap
# XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo,
# XENPF_core_parking
    pm_op
# mca hypercall
    mca_op
# XEN_SYSCTL_lockprof_op
    lockprof
# XEN_SYSCTL_cpupool_op
    cpupool_op
# hypfs hypercall
    hypfs_op
# XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo, XEN_SYSCTL_sched_id, XEN_DOMCTL_SCHEDOP_getvcpuinfo
    getscheduler
# XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo, XEN_DOMCTL_SCHEDOP_putvcpuinfo
    setscheduler
}

# This is a continuation of class xen, since only 32 permissions can be
# defined per class
class xen2
{
# XENPF_resource_op
    resource_op
# XEN_SYSCTL_psr_cmt_op
    psr_cmt_op
# XEN_SYSCTL_psr_alloc
    psr_alloc
# XENPF_get_symbol
    get_symbol
# PMU control
    pmu_ctrl
# PMU use (domains, including unprivileged ones, will be using this operation)
    pmu_use
# XEN_SYSCTL_get_cpu_levelling_caps
    get_cpu_levelling_caps
# XEN_SYSCTL_get_cpu_featureset
    get_cpu_featureset
# XEN_SYSCTL_livepatch_op
    livepatch_op
# XEN_SYSCTL_coverage_op
    coverage_op
# XENPF_get_dom0_console
    get_dom0_console
}

# Classes domain and domain2 consist of operations that a domain performs on
# another domain or on itself.  Unless otherwise specified, the source is the
# domain executing the hypercall, and the target is the domain being operated on
# (which may result in a _self or _target type).
#
# transitions in class domain are used to produce the _self and _target types;
# see docs/misc/xsm-flask.txt and the example XSM policy for details.
class domain
{
# XEN_DOMCTL_setvcpucontext
# XEN_DOMCTL_setvcpuextstate
# XEN_DOMCTL_set_ext_vcpucontext
# XEN_DOMCTL_set_vcpu_msrs
    setvcpucontext
# XEN_DOMCTL_pausedomain
    pause
# XEN_DOMCTL_unpausedomain
    unpause
# XEN_DOMCTL_resumedomain
    resume
# XEN_DOMCTL_arm_createdomain
    create
# checked in FLASK_RELABEL_DOMAIN for any relabel operation:
#  source = the old label of the domain
#  target = the new label of the domain
# see also the domain2 relabel{from,to,self} permissions
    transition
# XEN_DOMCTL_max_vcpus
    max_vcpus
# XEN_DOMCTL_destroydomain
    destroy
# XEN_DOMCTL_setvcpuaffinity
# XEN_DOMCTL_setnodeaffinity
    setaffinity
# XEN_DOMCTL_getvcpuaffinity
# XEN_DOMCTL_getnodeaffinity
    getaffinity
# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo
    getscheduler
# XEN_DOMCTL_getdomaininfo, XEN_SYSCTL_getdomaininfolist
    getdomaininfo
# XEN_DOMCTL_getvcpuinfo
    getvcpuinfo
# XEN_DOMCTL_getvcpucontext
# XEN_DOMCTL_get_ext_vcpucontext
# XEN_DOMCTL_getvcpuextstate
# XEN_DOMCTL_get_vcpu_msrs
    getvcpucontext
# XEN_DOMCTL_max_mem
    setdomainmaxmem
# XEN_DOMCTL_setdomainhandle
    setdomainhandle
# XEN_DOMCTL_setdebugging
    setdebugging
# XEN_DOMCTL_hypercall_init
    hypercall
# XEN_DOMCTL_settimeoffset
    settime
# checked in XEN_DOMCTL_set_target:
#  source = the new device model domain
#  target = the new target domain
# see also the domain2 make_priv_for and set_as_target checks
    set_target
# SCHEDOP_remote_shutdown
    shutdown
# XEN_DOMCTL_set_address_size
    setaddrsize
# XEN_DOMCTL_get_address_size
    getaddrsize
# XEN_DOMCTL_sendtrigger
    trigger
# XENMEM_get_pod_target
    getpodtarget
# XENMEM_set_pod_target
    setpodtarget
# XEN_DOMCTL_subscribe
    set_misc_info
# XEN_DOMCTL_set_virq_handler
    set_virq_handler
# XEN_DOMCTL_get_paging_mempool_size
    getpagingmempool
# XEN_DOMCTL_set_paging_mempool_size
    setpagingmempool
}

# This is a continuation of class domain, since only 32 permissions can be
# defined per class
class domain2
{
# checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF:
#  source = the domain making the hypercall
#  target = the old label of the domain being relabeled
    relabelfrom
# checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF:
#  source = the domain making the hypercall
#  target = the new label of the domain being relabeled
    relabelto
# checked in FLASK_RELABEL_DOMAIN, only with DOMID_SELF:
#  source = the old label of the domain
#  target = the new label of the domain
# see also domain__transition
    relabelself
# checked in XEN_DOMCTL_set_target:
#  source = the domain making the hypercall
#  target = the new device model domain
    make_priv_for
# checked in XEN_DOMCTL_set_target:
#  source = the domain making the hypercall
#  target = the new target domain
    set_as_target
# XEN_DOMCTL_set_cpu_policy
    set_cpu_policy
# XEN_DOMCTL_gettscinfo
    gettsc
# XEN_DOMCTL_settscinfo
    settsc
# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
    setscheduler
# XENMEM_claim_pages
    setclaim
# XEN_DOMCTL_cacheflush
    cacheflush
# Creation of the hardware domain when it is not dom0
    create_hardware_domain
# XEN_DOMCTL_setvnumainfo
    set_vnumainfo
# XENMEM_getvnumainfo
    get_vnumainfo
# XEN_DOMCTL_psr_cmt_op
    psr_cmt_op
# XEN_DOMCTL_set_access_required
# XEN_DOMCTL_monitor_op
# XEN_DOMCTL_vm_event_op
    vm_event
# XEN_DOMCTL_soft_reset
    soft_reset
# XENMEM_access_op
    mem_access
# XENMEM_paging_op
    mem_paging
# XENMEM_sharing_op
    mem_sharing
# XEN_DOMCTL_psr_alloc
    psr_alloc
# XENMEM_resource_map
    resource_map
# XEN_DOMCTL_get_cpu_policy
    get_cpu_policy
# XEN_DOMCTL_vuart_op
    vuart_op
# XEN_DOMCTL_dt_overlay
    dt_overlay
# XEN_DOMCTL_set_llc_colors
    set_llc_colors
}

# Similar to class domain, but primarily contains domctls related to HVM domains
class hvm
{
# XEN_DOMCTL_sethvmcontext
    sethvmc
# XEN_DOMCTL_gethvmcontext, XEN_DOMCTL_gethvmcontext_partial
    gethvmc
# HVMOP_set_param
    setparam
# HVMOP_get_param
    getparam
    bind_irq
# HVMOP_get_mem_type,
# HVMOP_set_mem_access, HVMOP_get_mem_access, HVMOP_pagetable_dying
    hvmctl
# XEN_DOMCTL_mem_sharing_op and XENMEM_sharing_op_{share,add_physmap} with:
#  source = the domain making the hypercall
#  target = domain whose memory is being shared
    mem_sharing
# XEN_DOMCTL_audit_p2m
    audit_p2m
# checked in XENMEM_sharing_op_{share,add_physmap} with:
#  source = domain whose memory is being shared
#  target = client domain
    share_mem
# HVMOP_set_param setting HVM_PARAM_ALTP2MHVM
    altp2mhvm
# HVMOP_altp2m_set_domain_state HVMOP_altp2m_get_domain_state
# HVMOP_altp2m_vcpu_enable_notify HVMOP_altp2m_create_p2m
# HVMOP_altp2m_destroy_p2m HVMOP_altp2m_switch_p2m
# HVMOP_altp2m_set_mem_access HVMOP_altp2m_change_gfn
    altp2mhvm_op
# DMOP
    dm
}

# Class event describes event channels.  Interdomain event channels have their
# own security label which is computed using a type transition between the
# source and target domains.  Each endpoint has its own label, and the
# permission checks must pass on both endpoints for an event channel to be
# established.
class event
{
# when creating an interdomain event channel endpoint:
#  source = event channel label
#  target = remote domain the event channel binds to.  This may be a _self or
#           _target label if the endpoints are related as such.
# This permission is checked when creating an unbound event channel and when the
# interdomain event channel is established.
    bind
# EVTCHNOP_send:
#  source = domain sending the event
#  target = event channel label
    send
# EVTCHNOP_status; same as _send
    status
# when creating an interdomain event channel endpoint:
#  source = the domain creating the channel (which might not be an endpoint)
#  target = event channel label
    create
# EVTCHNOP_reset:
#  source = domain making the hypercall
#  target = domain whose event channels are being reset
    reset
}

# Class grant describes pages shared by grant mappings.  Pages use the security
# label of their owning domain.
class grant
{
# GNTTABOP_map_grant_ref with any access
    map_read
# GNTTABOP_map_grant_ref with write access
    map_write
# GNTTABOP_unmap_grant_ref
    unmap
# GNTTABOP_transfer
    transfer
# GNTTABOP_setup_table, GNTTABOP_get_status_frames (target is commonly _self)
    setup
# GNTTABOP_copy
    copy
# GNTTABOP_query_size, GNTTABOP_get_version
    query
}

# Class mmu describes pages of memory not accessed using grants.  Permissions
# are checked using the domain ID used to access the page - the most common case
# is a domain's own ID (the _self label).  Using DOMID_IO in the map command to
# restrict the mapping to IO memory will result in the target being domio_t, and
# migration uses read-only mappings with a target of DOMID_XEN (domxen_t).
class mmu
{
# checked when using mmu_update to map a page readably
#  source = domain making the hypercall (which might not own the page table)
#  target = domain whose pages are being mapped
    map_read
# checked when using mmu_update to map a page writably
#  source = domain making the hypercall
#  target = domain whose pages are being mapped
    map_write
# XEN_DOMCTL_getpageframeinfo3
    pageinfo
# XENMEM_{increase,decrease}_reservation, XENMEM_populate_physmap
    adjust
# XENMEM_{current,maximum}_reservation, XENMEM_maximum_gpfn
    stat
# mmu_update MMU_MACHPHYS_UPDATE
    updatemp
# XENMEM_add_to_physmap, XENMEM_remove_from_physmap
    physmap
# MMUEXT_PIN_L*_TABLE
    pinpage
# XENMEM_machine_memory_map (with target xen_t)
# XENMEM_set_memory_map (with domain target)
    memorymap
# checked when using mmu_update to update the page tables of another domain
#  source = domain making the hypercall
#  target = domain whose page tables are being modified
    remote_remap
# the mmuext_op hypercall acting on the target domain
    mmuext_op
# XENMEM_exchange:
#  source = domain making the hypercall
#  target = domain whose pages are being exchanged
    exchange
# Allow a privileged domain to install a map of a page it does not own.  Used
# for stub domain device models with the PV framebuffer.
    target_hack
}

# control of the paging_domctl split by subop
class shadow
{
# XEN_DOMCTL_SHADOW_OP_OFF
    disable
# enable, get/set allocation
    enable
# enable, read, and clean log
    logdirty
}

# Class resource is used to describe the resources used in hardware device
# passthrough.  Resources include: hardware IRQs, MMIO regions, x86 I/O ports,
# and PCI devices; see docs/misc/xsm-flask.txt for how to label them.
#
# Access to the legacy PCI configuration space on x86 via port 0xCF8/CFC
# requires IS_PRIV, even with FLASK.  Writes to the BARs are checked as "setup",
# while other reads/writes are "use"; the target is the PCI device whose
# configuration space is being modified.  Accesses to the MMIO-based PCI express
# configuration space described by the ACPI MCFG table are controlled as MMIO
# accesses, and cannot special-case BAR writes.
#
# The {add,remove}_{irq,ioport,iomem,device} permissions use:
#  source = domain making the hypercall
#  target = resource's security label
class resource
{
# checked when adding a resource to a domain:
#  source = domain making the hypercall
#  target = domain which will have access to the resource
    add
# checked when removing a resource from a domain:
#  source = domain making the hypercall
#  target = domain which will no longer have access to the resource
    remove
# checked when using some core Xen devices (target xen_t)
#  source = domain which will have access to the resource
#  target = xen_t
    use
# checked when adding a resource to a domain:
#  source = domain which will have access to the resource
#  target = resource's security label
# Requires an active IOMMU capable of interrupt remapping in order to
# enforce isolation.
    use_iommu
# checked when adding a resource to a domain when an IOMMU is available
# but it is not capable of interrupt mapping:
#  source = domain which will have access to the resource
#  target = resource's security label
# Enable this to allow some less secure systems to still work.
    use_iommu_nointremap
# checked when adding a resource to a domain when no IOMMU present:
#  source = domain which will have access to the resource
#  target = resource's security label
# Enable this to allow resource use without an active IOMMU.
    use_noiommu
# PHYSDEVOP_map_pirq and ioapic writes for dom0, when acting on real IRQs
#  For GSI interrupts, the IRQ's label is indexed by the IRQ number
#  For MSI interrupts, the label of the PCI device is used
    add_irq
# PHYSDEVOP_unmap_pirq (same as map, and only for real IRQs)
    remove_irq
# XEN_DOMCTL_ioport_permission, XEN_DOMCTL_ioport_mapping
    add_ioport
    remove_ioport
# XEN_DOMCTL_iomem_permission, XEN_DOMCTL_memory_mapping
    add_iomem
    remove_iomem
# XEN_DOMCTL_get_device_group, XEN_DOMCTL_test_assign_device:
#  source = domain making the hypercall
#  target = device being queried
    stat_device
# XEN_DOMCTL_assign_device
    add_device
# XEN_DOMCTL_deassign_device
    remove_device
# checked for PCI hot and cold-plug hypercalls, with target as the PCI device
# checked for CPU and memory hotplug with xen_t as the target
    plug
# checked for PCI hot-unplug hypercalls, with target as the PCI device
# checked for CPU offlining with xen_t as the target
    unplug
# checked for PHYSDEVOP_restore_msi* (target PCI device)
# checked for PHYSDEVOP_setup_gsi (target IRQ)
# checked for PHYSDEVOP_pci_mmcfg_reserved (target xen_t)
    setup
}

# Class security describes the FLASK security server itself; these operations
# are accessed using the xsm_op hypercall.  The source is the domain invoking
# the hypercall, and the target is security_t.
#
# Any domain with access to load_policy or setenforce must be trusted, since it
# can bypass the rest of the security policy.
class security
{
# use the security server to compute an access check
    compute_av
# use the security server to compute a type transition
    compute_create
# use the security server to compute member selection
    compute_member
# sid <-> context string conversions
    check_context
# allow loading a new XSM/FLASK policy
    load_policy
# use the security server to compute an object relabel
    compute_relabel
# allow switching between enforcing and permissive mode
    setenforce
# allow changing policy booleans
    setbool
# allow changing security server configuration parmeters
    setsecparam
# add ocontext label definitions for resources
    add_ocontext
# remove ocontext label definitions for resources
    del_ocontext
}

# Class version is used to describe the XENVER_ hypercall.
# Almost all sub-ops are described here - in the default case all of them should
# be allowed except the XENVER_commandline.
#
# The ones that are omitted are XENVER_version, XENVER_platform_parameters,
# and XENVER_get_features  - as they MUST always be returned to a guest.
#
class version
{
# Extra information (-unstable).
    xen_extraversion
# Compile information of the hypervisor.
    xen_compile_info
# Such as "xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64".
    xen_capabilities
# Source code changeset.
    xen_changeset
# Page size the hypervisor uses.
    xen_pagesize
# An value that the control stack can choose.
    xen_guest_handle
# Xen command line.
    xen_commandline
# Xen build id
    xen_build_id
}

# Class argo is used to describe the Argo interdomain communication system.
class argo
{
    # Enable initialization of a domain's argo subsystem and
    # permission to access the argo hypercall operations.
    enable
    # Domain requesting registration of a communication ring
    # to receive messages from a specific other domain.
    register_single_source
    # Domain requesting registration of a communication ring
    # to receive messages from any other domain.
    register_any_source
    # Domain sending a message to another domain.
    send
}
