[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] [ACM] Makes acm_setup arch-independant.



# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID 8190a4a7ea4d547a5fc30fb4da6e53175c11a154
# Parent  7b99b8bdbc85b532427f64b646b8091948882705
[ACM] Makes acm_setup arch-independant.
Move module extraction code to x86/setup.c

Be sure the dump binary file is aligned.

Signed-off-by: Tristan Gingold <tristan.gingold@xxxxxxxx>
---
 xen/acm/acm_core.c          |  105 ++++++++++++++++----------------------------
 xen/arch/x86/setup.c        |   45 ++++++++++++++++++
 xen/include/acm/acm_hooks.h |   14 +++--
 3 files changed, 92 insertions(+), 72 deletions(-)

diff -r 7b99b8bdbc85 -r 8190a4a7ea4d xen/acm/acm_core.c
--- a/xen/acm/acm_core.c        Wed Oct 18 17:17:15 2006 +0100
+++ b/xen/acm/acm_core.c        Wed Oct 18 17:24:36 2006 +0100
@@ -100,9 +100,11 @@ acm_dump_policy_reference(u8 *buf, u32 b
     struct acm_policy_reference_buffer *pr_buf = (struct 
acm_policy_reference_buffer *)buf;
     int ret = sizeof(struct acm_policy_reference_buffer) + 
strlen(acm_bin_pol.policy_reference_name) + 1;
 
+    ret = (ret + 7) & ~7;
     if (buf_size < ret)
         return -EINVAL;
 
+    memset(buf, 0, ret);
     pr_buf->len = htonl(strlen(acm_bin_pol.policy_reference_name) + 1); /* 
including stringend '\0' */
     strcpy((char *)(buf + sizeof(struct acm_policy_reference_buffer)),
            acm_bin_pol.policy_reference_name);
@@ -187,85 +189,58 @@ acm_init_binary_policy(u32 policy_code)
     return ret;
 }
 
+int
+acm_is_policy(char *buf, unsigned long len)
+{
+    struct acm_policy_buffer *pol;
+
+    if (buf == NULL || len < sizeof(struct acm_policy_buffer))
+        return 0;
+
+    pol = (struct acm_policy_buffer *)buf;
+    return ntohl(pol->magic) == ACM_MAGIC;
+}
+
+
 static int
-acm_setup(unsigned int *initrdidx,
-          const multiboot_info_t *mbi,
-          unsigned long initial_images_start)
-{
-    int i;
-    module_t *mod = (module_t *)__va(mbi->mods_addr);
+acm_setup(char *policy_start,
+          unsigned long policy_len)
+{
     int rc = ACM_OK;
-
-    if (mbi->mods_count > 1)
-        *initrdidx = 1;
-
-    /*
-     * Try all modules and see whichever could be the binary policy.
-     * Adjust the initrdidx if module[1] is the binary policy.
-     */
-    for (i = mbi->mods_count-1; i >= 1; i--)
-    {
-        struct acm_policy_buffer *pol;
-        char *_policy_start;
-        unsigned long _policy_len;
-#if defined(__i386__)
-        _policy_start = (char *)(initial_images_start + 
(mod[i].mod_start-mod[0].mod_start));
-#elif defined(__x86_64__)
-        _policy_start = __va(initial_images_start + 
(mod[i].mod_start-mod[0].mod_start));
-#else
-#error Architecture unsupported by sHype
-#endif
-        _policy_len   = mod[i].mod_end - mod[i].mod_start;
-        if (_policy_len < sizeof(struct acm_policy_buffer))
-            continue; /* not a policy */
-
-        pol = (struct acm_policy_buffer *)_policy_start;
-        if (ntohl(pol->magic) == ACM_MAGIC)
-        {
-            rc = do_acm_set_policy((void *)_policy_start,
-                                   (u32)_policy_len);
-            if (rc == ACM_OK)
-            {
-                printkd("Policy len  0x%lx, start at 
%p.\n",_policy_len,_policy_start);
-                if (i == 1)
-                {
-                    if (mbi->mods_count > 2)
-                    {
-                        *initrdidx = 2;
-                    }
-                    else {
-                        *initrdidx = 0;
-                    }
-                }
-                else
-                {
-                    *initrdidx = 1;
-                }
-                break;
-            }
-            else
-            {
-                printk("Invalid policy. %d.th module line.\n", i+1);
-                /* load default policy later */
-                acm_active_security_policy = ACM_POLICY_UNDEFINED;
-            }
-        } /* end if a binary policy definition, i.e., (ntohl(pol->magic) == 
ACM_MAGIC ) */
+    struct acm_policy_buffer *pol;
+
+    if (policy_start == NULL || policy_len < sizeof(struct acm_policy_buffer))
+        return rc;
+
+    pol = (struct acm_policy_buffer *)policy_start;
+    if (ntohl(pol->magic) != ACM_MAGIC)
+        return rc;
+
+    rc = do_acm_set_policy((void *)policy_start, (u32)policy_len);
+    if (rc == ACM_OK)
+    {
+        printkd("Policy len  0x%lx, start at %p.\n",policy_len,policy_start);
+    }
+    else
+    {
+        printk("Invalid policy.\n");
+        /* load default policy later */
+        acm_active_security_policy = ACM_POLICY_UNDEFINED;
     }
     return rc;
 }
 
 
 int
-acm_init(unsigned int *initrdidx,
-         const multiboot_info_t *mbi,
-         unsigned long initial_images_start)
+acm_init(char *policy_start,
+         unsigned long policy_len)
 {
     int ret = ACM_OK;
 
     acm_set_endian();
 
     /* first try to load the boot policy (uses its own locks) */
-    acm_setup(initrdidx, mbi, initial_images_start);
+    acm_setup(policy_start, policy_len);
 
     if (acm_active_security_policy != ACM_POLICY_UNDEFINED)
     {
diff -r 7b99b8bdbc85 -r 8190a4a7ea4d xen/arch/x86/setup.c
--- a/xen/arch/x86/setup.c      Wed Oct 18 17:17:15 2006 +0100
+++ b/xen/arch/x86/setup.c      Wed Oct 18 17:24:36 2006 +0100
@@ -202,6 +202,44 @@ static void __init percpu_free_unused_ar
 #endif
 }
 
+/* Fetch acm policy module from multiboot modules. */
+static void extract_acm_policy(
+    multiboot_info_t *mbi,
+    unsigned int *initrdidx,
+    char **_policy_start,
+    unsigned long *_policy_len)
+{
+    int i;
+    module_t *mod = (module_t *)__va(mbi->mods_addr);
+    unsigned long start, policy_len;
+    char *policy_start;
+
+    /*
+     * Try all modules and see whichever could be the binary policy.
+     * Adjust the initrdidx if module[1] is the binary policy.
+     */
+    for ( i = mbi->mods_count-1; i >= 1; i-- )
+    {
+        start = initial_images_start + (mod[i].mod_start-mod[0].mod_start);
+#if defined(__i386__)
+        policy_start = (char *)start;
+#elif defined(__x86_64__)
+        policy_start = __va(start);
+#endif
+        policy_len   = mod[i].mod_end - mod[i].mod_start;
+        if ( acm_is_policy(policy_start, policy_len) )
+        {
+            printk("Policy len  0x%lx, start at %p - module %d.\n",
+                   policy_len, policy_start, i);
+            *_policy_start = policy_start;
+            *_policy_len = policy_len;
+            if ( i == 1 )
+                *initrdidx = (mbi->mods_count > 2) ? 2 : 0;
+            break;
+        }
+    }
+}
+
 static void __init init_idle_domain(void)
 {
     struct domain *idle_domain;
@@ -224,6 +262,8 @@ void __init __start_xen(multiboot_info_t
     char __cmdline[] = "", *cmdline = __cmdline;
     unsigned long _initrd_start = 0, _initrd_len = 0;
     unsigned int initrdidx = 1;
+    char *_policy_start = NULL;
+    unsigned long _policy_len = 0;
     module_t *mod = (module_t *)__va(mbi->mods_addr);
     unsigned long nr_pages, modules_length;
     paddr_t s, e;
@@ -565,8 +605,11 @@ void __init __start_xen(multiboot_info_t
     if ( opt_watchdog ) 
         watchdog_enable();
 
+    /* Extract policy from multiboot.  */
+    extract_acm_policy(mbi, &initrdidx, &_policy_start, &_policy_len);
+
     /* initialize access control security module */
-    acm_init(&initrdidx, mbi, initial_images_start);
+    acm_init(_policy_start, _policy_len);
 
     /* Create initial domain 0. */
     dom0 = domain_create(0);
diff -r 7b99b8bdbc85 -r 8190a4a7ea4d xen/include/acm/acm_hooks.h
--- a/xen/include/acm/acm_hooks.h       Wed Oct 18 17:17:15 2006 +0100
+++ b/xen/include/acm/acm_hooks.h       Wed Oct 18 17:24:36 2006 +0100
@@ -143,9 +143,9 @@ static inline int acm_pre_grant_map_ref(
 { return 0; }
 static inline int acm_pre_grant_setup(domid_t id) 
 { return 0; }
-static inline int acm_init(unsigned int *initrdidx,
-                           const multiboot_info_t *mbi,
-                           unsigned long start)
+static inline int acm_init(char *policy_start, unsigned long policy_len)
+{ return 0; }
+static inline int acm_is_policy(char *buf, unsigned long len)
 { return 0; }
 static inline void acm_post_domain0_create(domid_t domid) 
 { return; }
@@ -369,9 +369,11 @@ static inline int acm_sharing(ssidref_t 
         return ACM_ACCESS_PERMITTED;
 }
 
-extern int acm_init(unsigned int *initrdidx,
-                    const multiboot_info_t *mbi,
-                    unsigned long start);
+
+extern int acm_init(char *policy_start, unsigned long policy_len);
+
+/* Return true iff buffer has an acm policy magic number.  */
+extern int acm_is_policy(char *buf, unsigned long len);
 
 #endif
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.