
[Xen-changelog] Fix ACM so that it can be built with NULL policy.



ChangeSet 1.1745, 2005/06/23 17:09:21+01:00, kaf24@xxxxxxxxxxxxxxxxxxxx

        Fix ACM so that it can be built with NULL policy.
        Signed-off-by: Nguyen Anh Quynh <aquynh@xxxxxxxxx>
        Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>



 acm/acm_core.c          |    4 +
 include/acm/acm_hooks.h |  141 +++++++++++++++++++++++-------------------------
 2 files changed, 72 insertions(+), 73 deletions(-)


diff -Nru a/xen/acm/acm_core.c b/xen/acm/acm_core.c
--- a/xen/acm/acm_core.c        2005-06-23 13:03:06 -04:00
+++ b/xen/acm/acm_core.c        2005-06-23 13:03:06 -04:00
@@ -69,6 +69,8 @@
     }
 }
 
+#if (ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY)
+
 /* initialize global security policy for Xen; policy write-locked already */
 static void
 acm_init_binary_policy(void *primary, void *secondary)
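Review bot: The new guard `#if (ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY)` is fail-open if the configuration header is ever missing, because the preprocessor evaluates undefined identifiers as 0. In that case both macros compare equal, `acm_init_binary_policy` and `acm_init` are compiled out, and the matching `== ACM_NULL_POLICY` test in include/acm/acm_hooks.h selects the permit-all stubs without any diagnostic. Whether the header defining these macros is always included first is not visible in this diff. A check placed ahead of the first use, `#ifndef ACM_USE_SECURITY_POLICY` / `#error "ACM_USE_SECURITY_POLICY is not defined"` / `#endif`, would turn a misconfigured build into a compile error. The guarded region continues past the end of this hunk.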
@@ -79,6 +81,7 @@
        acm_bin_pol.secondary_binary_policy = secondary;
 }
 
+
 int
 acm_init(void)
 {
@@ -129,6 +132,7 @@
        return ACM_OK;
 }
 
+#endif
 
 int
 acm_init_domain_ssid(domid_t id, ssidref_t ssidref)
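Review bot: The `#endif` added here closes a conditional opened in an earlier hunk and carries no label; `#endif /* ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY */` would make the extent of the policy-only code obvious. `acm_init_domain_ssid`, which follows it, stays compiled in the NULL-policy build even though `acm_init` is replaced there by a header stub. Its body is outside the hunk, so it should be confirmed that it does not rely on state that only the real `acm_init` sets up.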
diff -Nru a/xen/include/acm/acm_hooks.h b/xen/include/acm/acm_hooks.h
--- a/xen/include/acm/acm_hooks.h       2005-06-23 13:03:06 -04:00
+++ b/xen/include/acm/acm_hooks.h       2005-06-23 13:03:06 -04:00
@@ -30,99 +30,59 @@
 #include <public/event_channel.h>
 #include <asm/current.h>
 
-#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
-
-static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid) 
-{ return 0; }
-static inline void acm_post_dom0_op(dom0_op_t *op, void *ssid) 
-{ return; }
-static inline void acm_fail_dom0_op(dom0_op_t *op, void *ssid) 
-{ return; }
-static inline int acm_pre_event_channel(evtchn_op_t *op) 
-{ return 0; }
-static inline int acm_pre_grant_map_ref(domid_t id) 
-{ return 0; }
-static inline int acm_pre_grant_setup(domid_t id) 
-{ return 0; }
-static inline int acm_init(void)
-{ return 0; }
-static inline void acm_post_domain0_create(domid_t domid) 
-{ return; }
-
-#else
-
-/* if ACM_TRACE_MODE defined, all hooks should
- * print a short trace message */
-/* #define ACM_TRACE_MODE */
-
-#ifdef ACM_TRACE_MODE
-# define traceprintk(fmt, args...) printk(fmt,## args)
-#else
-# define traceprintk(fmt, args...)
-#endif
-
-/* global variables */
-extern struct acm_operations *acm_primary_ops;
-extern struct acm_operations *acm_secondary_ops;
-
-/*********************************************************************
+/*
  * HOOK structure and meaning (justifies a few words about our model):
  * 
  * General idea: every policy-controlled system operation is reflected in a 
  *               transaction in the system's security state
  *
- *     Keeping the security state consistent requires "atomic" transactions.
+ *      Keeping the security state consistent requires "atomic" transactions.
  *      The name of the hooks to place around policy-controlled transactions
  *      reflects this. If authorizations do not involve security state changes,
  *      then and only then POST and FAIL hooks remain empty since we don't care
  *      about the eventual outcome of the operation from a security viewpoint.
  *
- *     PURPOSE of hook types:
+ *      PURPOSE of hook types:
  *      ======================
  *      PRE-Hooks
- *             a) general authorization to guard a controlled system operation
- *             b) prepare security state change
- *                 (means: fail hook must be able to "undo" this)
+ *       a) general authorization to guard a controlled system operation
+ *       b) prepare security state change
+ *          (means: fail hook must be able to "undo" this)
  *
- *     POST-Hooks
- *             a) commit prepared state change
+ *      POST-Hooks
+ *       a) commit prepared state change
  *
  *      FAIL-Hooks
- *             a) roll-back prepared security state change from PRE-Hook
+ *       a) roll-back prepared security state change from PRE-Hook
  *
  *
  *      PLACEMENT of hook types:
  *      ========================
- *     PRE-Hooks must be called:
- *             a) before a guarded/controlled system operation is started
- *             (return is ACM_ACCESS_PERMITTED or ACM_ACCESS_DENIED or error)
- *                --> operation must be aborted if return is != 
ACM_ACCESS_PERMITTED
- *
- *     POST-Hooks must be called:
- *             a) after successful transaction (no return value; commit shall 
never fail)
- *
- *     FAIL-Hooks must be called:
- *             a) if system transaction (operation) fails somewhen after 
calling the PRE-hook
- *                (obviously the POST-Hook is not called in this case)
- *             b) if another (secondary) policy denies access in its PRE-Hook
- *                (policy layering is useful but requires additional handling)
- *
- *
+ *      PRE-Hooks must be called before a guarded/controlled system operation
+ *      is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or
+ *      error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED.
+ *
+ *      POST-Hooks must be called after a successful system operation.
+ *      There is no return value: commit never fails.
+ *
+ *      FAIL-Hooks must be called:
+ *       a) if system transaction (operation) fails after calling the PRE-hook
+ *       b) if another (secondary) policy denies access in its PRE-Hook
+ *          (policy layering is useful but requires additional handling)
+ *
+ * Hook model from a security transaction viewpoint:
+ *   start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
+ *                   (pre-hook)  \           (post-hook)
+ *                                \
+ *                               fail
+ *                                   \
+ *                                    \
+ *                                  roll-back
+ *                                 (fail-hook)
+ *                                        \
+ *                                       sys-ops error
  *
- *       Hook model from a security transaction viewpoint:
- *
- *          start-sys-ops--> prepare ----succeed-----> commit --> sys-ops 
success
- *                          (pre-hook)  \           (post-hook)
- *                                       \
- *                                       fail
- *                                         \
- *                                          \
- *                                        roll-back
- *                                       (fail-hook)
- *                                             \
- *                                            sys-ops error
- *
- ********************************************************************/
+ */
 
 struct acm_operations {
     /* policy management functions (must always be defined!) */
@@ -147,6 +107,41 @@
     int  (*pre_grant_setup)            (domid_t id);
     void (*fail_grant_setup)           (domid_t id);
 };
+
+/* global variables */
+extern struct acm_operations *acm_primary_ops;
+extern struct acm_operations *acm_secondary_ops;
+
+/* if ACM_TRACE_MODE defined, all hooks should
+ * print a short trace message */
+/* #define ACM_TRACE_MODE */
+
+#ifdef ACM_TRACE_MODE
+# define traceprintk(fmt, args...) printk(fmt,## args)
+#else
+# define traceprintk(fmt, args...)
+#endif
+
+#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
+
+static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid) 
+{ return 0; }
+static inline void acm_post_dom0_op(dom0_op_t *op, void *ssid) 
+{ return; }
+static inline void acm_fail_dom0_op(dom0_op_t *op, void *ssid) 
+{ return; }
+static inline int acm_pre_event_channel(evtchn_op_t *op) 
+{ return 0; }
+static inline int acm_pre_grant_map_ref(domid_t id) 
+{ return 0; }
+static inline int acm_pre_grant_setup(domid_t id) 
+{ return 0; }
+static inline int acm_init(void)
+{ return 0; }
+static inline void acm_post_domain0_create(domid_t domid) 
+{ return; }
+
+#else
 
 static inline int acm_pre_domain_create(void *subject_ssid, ssidref_t ssidref)
 {
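Review bot: The NULL-policy stubs added under `#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)` return a bare `0` from every PRE hook, while the comment earlier in this header says an operation must be aborted unless the hook returns ACM_ACCESS_PERMITTED. The value of that constant is not visible in this diff; if it is in scope at this point, `{ return ACM_ACCESS_PERMITTED; }` (and `ACM_OK` for `acm_init`, as the real implementation returns) would keep the stubs tied to the documented contract. A comment above the stubs such as `/* NULL policy: every hook permits the operation; no access control is enforced */` would make the permit-all nature of this build explicit to anyone auditing the hook call sites. The `#else` branch that begins here continues outside the hunk.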
