[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] xen: XSPolicy.can_run hypervisor support



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1207040818 -3600
# Node ID 05ac689a947393892f54d82b0dbe180840a80ad2
# Parent  76c4af29842f3f1f39aeae2d58873311fa83728e
xen: XSPolicy.can_run hypervisor support

Add functionality for checking whether a domain is in a conflict set
with existing domains.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 xen/include/public/xsm/acm.h                    |    1 
 xen/include/xsm/acm/acm_hooks.h                 |   14 +++++++++
 xen/xsm/acm/acm_chinesewall_hooks.c             |   36 ++++++++++++++++++++++++
 xen/xsm/acm/acm_policy.c                        |    3 ++
 xen/xsm/acm/acm_simple_type_enforcement_hooks.c |    2 +
 5 files changed, 56 insertions(+)

diff -r 76c4af29842f -r 05ac689a9473 xen/include/public/xsm/acm.h
--- a/xen/include/public/xsm/acm.h      Tue Apr 01 10:05:52 2008 +0100
+++ b/xen/include/public/xsm/acm.h      Tue Apr 01 10:06:58 2008 +0100
@@ -102,6 +102,7 @@ typedef uint32_t ssidref_t;
 #define ACMHOOK_none          0
 #define ACMHOOK_sharing       1
 #define ACMHOOK_authorization 2
+#define ACMHOOK_conflictset   3
 
 /* -------security policy relevant type definitions-------- */
 
diff -r 76c4af29842f -r 05ac689a9473 xen/include/xsm/acm/acm_hooks.h
--- a/xen/include/xsm/acm/acm_hooks.h   Tue Apr 01 10:05:52 2008 +0100
+++ b/xen/include/xsm/acm/acm_hooks.h   Tue Apr 01 10:06:58 2008 +0100
@@ -116,6 +116,7 @@ struct acm_operations {
                                         ssidref_t ssidref2);
     int (*authorization)               (ssidref_t ssidref1,
                                         ssidref_t ssidref2);
+    int (*conflictset)                 (ssidref_t ssidref1);
     /* determine whether the default policy is installed */
     int (*is_default_policy)           (void);
 };
@@ -150,6 +151,8 @@ static inline int acm_sharing(ssidref_t 
 static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
 { return 0; }
 static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
+{ return 0; }
+static inline int acm_conflictset(ssidref_t ssidref1)
 { return 0; }
 static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
 { return 0; }
@@ -329,6 +332,17 @@ static inline int acm_authorization(ssid
 }
 
 
+static inline int acm_conflictset(ssidref_t ssidref1)
+{
+    if ((acm_primary_ops->conflictset != NULL) &&
+        acm_primary_ops->conflictset(ssidref1))
+        return ACM_ACCESS_DENIED;
+    else if ((acm_secondary_ops->conflictset != NULL) &&
+             acm_secondary_ops->conflictset(ssidref1))
+        return ACM_ACCESS_DENIED;
+    return ACM_ACCESS_PERMITTED;
+}
+
 /* Return true iff buffer has an acm policy magic number.  */
 extern int acm_is_policy(char *buf, unsigned long len);
 
diff -r 76c4af29842f -r 05ac689a9473 xen/xsm/acm/acm_chinesewall_hooks.c
--- a/xen/xsm/acm/acm_chinesewall_hooks.c       Tue Apr 01 10:05:52 2008 +0100
+++ b/xen/xsm/acm/acm_chinesewall_hooks.c       Tue Apr 01 10:06:58 2008 +0100
@@ -641,6 +641,41 @@ static int chwall_is_default_policy(void
              (chwall_bin_pol.max_ssidrefs == 2 ) );
 }
 
+
+static int chwall_is_in_conflictset(ssidref_t ssidref1)
+{
+    /* is ssidref1 in conflict with any running domains ? */
+    int rc = 0;
+    int i, j;
+    ssidref_t ssid_chwall;
+
+    read_lock(&acm_bin_pol_rwlock);
+
+    ssid_chwall = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref1);
+
+    if ( ssid_chwall >= 0 && ssid_chwall < chwall_bin_pol.max_ssidrefs ) {
+        for ( i = 0; i < chwall_bin_pol.max_conflictsets && rc == 0; i++ ) {
+            for ( j = 0; j < chwall_bin_pol.max_types; j++ ) {
+                if ( chwall_bin_pol.conflict_aggregate_set
+                                 [i * chwall_bin_pol.max_types + j] &&
+                     chwall_bin_pol.ssidrefs
+                                 [ssid_chwall * chwall_bin_pol.max_types + j])
+                {
+                    rc = 1;
+                    break;
+                }
+            }
+        }
+    } else {
+        rc = 1;
+    }
+
+    read_unlock(&acm_bin_pol_rwlock);
+
+    return rc;
+}
+
+
 struct acm_operations acm_chinesewall_ops = {
     /* policy management services */
     .init_domain_ssid = chwall_init_domain_ssid,
@@ -666,6 +701,7 @@ struct acm_operations acm_chinesewall_op
     /* generic domain-requested decision hooks */
     .sharing = NULL,
     .authorization = NULL,
+    .conflictset = chwall_is_in_conflictset,
 
     .is_default_policy = chwall_is_default_policy,
 };
diff -r 76c4af29842f -r 05ac689a9473 xen/xsm/acm/acm_policy.c
--- a/xen/xsm/acm/acm_policy.c  Tue Apr 01 10:05:52 2008 +0100
+++ b/xen/xsm/acm/acm_policy.c  Tue Apr 01 10:06:58 2008 +0100
@@ -446,6 +446,9 @@ acm_get_decision(ssidref_t ssidref1, ssi
         ret = acm_authorization(ssidref1, ssidref2);
         break;
 
+    case ACMHOOK_conflictset:
+        ret = acm_conflictset(ssidref1);
+
     default:
         /* deny */
         break;
diff -r 76c4af29842f -r 05ac689a9473 
xen/xsm/acm/acm_simple_type_enforcement_hooks.c
--- a/xen/xsm/acm/acm_simple_type_enforcement_hooks.c   Tue Apr 01 10:05:52 
2008 +0100
+++ b/xen/xsm/acm/acm_simple_type_enforcement_hooks.c   Tue Apr 01 10:06:58 
2008 +0100
@@ -899,8 +899,10 @@ struct acm_operations acm_simple_type_en
     .fail_grant_map_ref     = NULL,
     .pre_grant_setup        = ste_pre_grant_setup,
     .fail_grant_setup       = NULL,
+    /* generic domain-requested decision hooks */
     .sharing                = ste_sharing,
     .authorization          = ste_authorization,
+    .conflictset            = NULL,
 
     .is_default_policy      = ste_is_default_policy,
 };

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.