ia64/xen-unstable

changeset 7457:1e40bed176d4

This patch to the Xen access control module (ACM) and tools:

1. adapts ACM hooks to the slightly changed event channel structure
2. introduces an ACM_GETDECISION command, which enables authorized
domains to retrieve policy decisions regarding the sharing of resources
(STE policy) from the Xen hypervisor
3. includes cleanup (warnings I found when applying analysis tools such
as beam or flawfinder to the ACM code)

The get_decision function is useful to enforce:
* the security policy on network traffic in the network backends in
domain 0; currently there is no enforcement in Dom0 and all packets flow
freely
* the security policy in block device backends to control which
domains can access which vdisk resources

I have added a small test program that shows how to use the get_decision
ACM interface call, it is in tools/security/get_decision.c and will be
compiled together with the policy tools. As usual, the ACM is unconfigured
until you switch on a security policy on in Config.mk.

Signed-off: Reiner Sailer <sailer@us.ibm.com>
author kaf24@firebug.cl.cam.ac.uk
date Thu Oct 20 21:37:15 2005 +0100 (2005-10-20)
parents 6f5b94da963a
children 19432bec4c06
files tools/security/Makefile tools/security/get_decision.c tools/security/secpol_tool.c xen/acm/acm_chinesewall_hooks.c xen/acm/acm_core.c xen/acm/acm_null_hooks.c xen/acm/acm_policy.c xen/acm/acm_simple_type_enforcement_hooks.c xen/common/acm_ops.c xen/common/dom0_ops.c xen/common/sched_sedf.c xen/include/acm/acm_core.h xen/include/acm/acm_endian.h xen/include/acm/acm_hooks.h xen/include/public/acm.h xen/include/public/acm_ops.h
line diff
     1.1 --- a/tools/security/Makefile	Thu Oct 20 19:37:41 2005 +0100
     1.2 +++ b/tools/security/Makefile	Thu Oct 20 21:37:15 2005 +0100
     1.3 @@ -43,6 +43,7 @@ endif
     1.4  build: mk-symlinks
     1.5  	$(MAKE) secpol_tool
     1.6  	$(MAKE) secpol_xml2bin
     1.7 +	$(MAKE) get_decision
     1.8  	chmod 700 ./setlabel.sh
     1.9  	chmod 700 ./updategrub.sh
    1.10  	chmod 700 ./getlabel.sh
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/tools/security/get_decision.c	Thu Oct 20 21:37:15 2005 +0100
     2.3 @@ -0,0 +1,176 @@
     2.4 +/****************************************************************
     2.5 + * get_decision.c
     2.6 + *
     2.7 + * Copyright (C) 2005 IBM Corporation
     2.8 + *
     2.9 + * Authors:
    2.10 + * Reiner Sailer <sailer@watson.ibm.com>
    2.11 + *
    2.12 + * This program is free software; you can redistribute it and/or
    2.13 + * modify it under the terms of the GNU General Public License as
    2.14 + * published by the Free Software Foundation, version 2 of the
    2.15 + * License.
    2.16 + *
    2.17 + * An example program that shows how to retrieve an access control
    2.18 + * decision from the hypervisor ACM based on the currently active policy.
    2.19 + *
    2.20 + */
    2.21 +
    2.22 +#include <unistd.h>
    2.23 +#include <stdio.h>
    2.24 +#include <errno.h>
    2.25 +#include <fcntl.h>
    2.26 +#include <getopt.h>
    2.27 +#include <sys/mman.h>
    2.28 +#include <sys/types.h>
    2.29 +#include <sys/stat.h>
    2.30 +#include <stdlib.h>
    2.31 +#include <sys/ioctl.h>
    2.32 +#include <string.h>
    2.33 +#include <netinet/in.h>
    2.34 +#include <xen/acm.h>
    2.35 +#include <xen/acm_ops.h>
    2.36 +#include <xen/linux/privcmd.h>
    2.37 +
    2.38 +#define PERROR(_m, _a...) \
    2.39 +fprintf(stderr, "ERROR: " _m " (%d = %s)\n" , ## _a ,	\
    2.40 +                errno, strerror(errno))
    2.41 +
    2.42 +void usage(char *progname)
    2.43 +{
    2.44 +    printf("Use: %s \n", progname);
    2.45 +    printf(" Test program illustrating the retrieval of\n");
    2.46 +    printf(" access control decisions from xen. At this time,\n");
    2.47 +    printf(" only sharing (STE) policy decisions are supported.\n");
    2.48 +    printf(" parameter options:\n");
    2.49 +    printf("\t -i domid -i domid\n");
    2.50 +    printf("\t -i domid -s ssidref\n");
    2.51 +    printf("\t -s ssidref -s ssidref\n\n");
    2.52 +    exit(-1);
    2.53 +}
    2.54 +
    2.55 +static inline int do_policycmd(int xc_handle, unsigned int cmd,
    2.56 +                               unsigned long data)
    2.57 +{
    2.58 +    return ioctl(xc_handle, cmd, data);
    2.59 +}
    2.60 +
    2.61 +static inline int do_xen_hypercall(int xc_handle,
    2.62 +                                   privcmd_hypercall_t * hypercall)
    2.63 +{
    2.64 +    return do_policycmd(xc_handle,
    2.65 +                        IOCTL_PRIVCMD_HYPERCALL,
    2.66 +                        (unsigned long) hypercall);
    2.67 +}
    2.68 +
    2.69 +static inline int do_acm_op(int xc_handle, struct acm_op *op)
    2.70 +{
    2.71 +    int ret = -1;
    2.72 +    privcmd_hypercall_t hypercall;
    2.73 +
    2.74 +    op->interface_version = ACM_INTERFACE_VERSION;
    2.75 +
    2.76 +    hypercall.op = __HYPERVISOR_acm_op;
    2.77 +    hypercall.arg[0] = (unsigned long) op;
    2.78 +
    2.79 +    if (mlock(op, sizeof(*op)) != 0) {
    2.80 +        PERROR("Could not lock memory for Xen policy hypercall");
    2.81 +        goto out1;
    2.82 +    }
    2.83 +
    2.84 +    if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) {
    2.85 +        if (errno == EACCES)
    2.86 +            fprintf(stderr, "ACM operation failed -- need to"
    2.87 +                    " rebuild the user-space tool set?\n");
    2.88 +        goto out2;
    2.89 +    }
    2.90 +
    2.91 +  out2:(void) munlock(op, sizeof(*op));
    2.92 +  out1:return ret;
    2.93 +}
    2.94 +
    2.95 +
    2.96 +/************************ get decision ******************************/
    2.97 +
    2.98 +/* this example uses two domain ids and retrieves the decision if these domains
    2.99 + * can share information (useful, i.e., to enforce policy onto network traffic in dom0
   2.100 + */
   2.101 +int acm_get_decision(int xc_handle, int argc, char *const argv[])
   2.102 +{
   2.103 +    struct acm_op op;
   2.104 +    int ret;
   2.105 +
   2.106 +    op.cmd = ACM_GETDECISION;
   2.107 +    op.interface_version = ACM_INTERFACE_VERSION;
   2.108 +    op.u.getdecision.get_decision_by1 = UNSET;
   2.109 +    op.u.getdecision.get_decision_by2 = UNSET;
   2.110 +    op.u.getdecision.hook = SHARING;
   2.111 +
   2.112 +    while (1) {
   2.113 +        int c = getopt(argc, argv, "i:s:");
   2.114 +        if (c == -1)
   2.115 +            break;
   2.116 +
   2.117 +        if (c == 'i') {
   2.118 +            if (op.u.getdecision.get_decision_by1 == UNSET) {
   2.119 +                op.u.getdecision.get_decision_by1 = DOMAINID;
   2.120 +                op.u.getdecision.id1.domainid = strtoul(optarg, NULL, 0);
   2.121 +            } else if (op.u.getdecision.get_decision_by2 == UNSET) {
   2.122 +                op.u.getdecision.get_decision_by2 = DOMAINID;
   2.123 +                op.u.getdecision.id2.domainid = strtoul(optarg, NULL, 0);
   2.124 +            } else
   2.125 +                usage(argv[0]);
   2.126 +        } else if (c == 's') {
   2.127 +            if (op.u.getdecision.get_decision_by1 == UNSET) {
   2.128 +                op.u.getdecision.get_decision_by1 = SSIDREF;
   2.129 +                op.u.getdecision.id1.ssidref = strtoul(optarg, NULL, 0);
   2.130 +            } else if (op.u.getdecision.get_decision_by2 == UNSET) {
   2.131 +                op.u.getdecision.get_decision_by2 = SSIDREF;
   2.132 +                op.u.getdecision.id2.ssidref = strtoul(optarg, NULL, 0);
   2.133 +            } else
   2.134 +                usage(argv[0]);
   2.135 +        } else
   2.136 +            usage(argv[0]);
   2.137 +    }
   2.138 +    if ((op.u.getdecision.get_decision_by1 == UNSET) ||
   2.139 +        (op.u.getdecision.get_decision_by2 == UNSET))
   2.140 +        usage(argv[0]);
   2.141 +
   2.142 +    if ((ret = do_acm_op(xc_handle, &op))) {
   2.143 +        printf("%s: Error getting decision (%d).\n", __func__, ret);
   2.144 +        printf("%s: decision = %s.\n", __func__,
   2.145 +               (op.u.getdecision.acm_decision ==
   2.146 +                ACM_ACCESS_PERMITTED) ? "PERMITTED" : ((op.u.getdecision.
   2.147 +                                                        acm_decision ==
   2.148 +                                                        ACM_ACCESS_DENIED)
   2.149 +                                                       ? "DENIED" :
   2.150 +                                                       "ERROR"));
   2.151 +        return ret;
   2.152 +    }
   2.153 +    return op.u.getdecision.acm_decision;
   2.154 +}
   2.155 +
   2.156 +/***************************** main **************************************/
   2.157 +
   2.158 +int main(int argc, char **argv)
   2.159 +{
   2.160 +
   2.161 +    int acm_cmd_fd, ret = 0;
   2.162 +
   2.163 +    if (argc < 5)
   2.164 +        usage(argv[0]);
   2.165 +
   2.166 +    if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) {
   2.167 +        printf("ERROR: Could not open xen privcmd device!\n");
   2.168 +        exit(-1);
   2.169 +    }
   2.170 +
   2.171 +    ret = acm_get_decision(acm_cmd_fd, argc, argv);
   2.172 +
   2.173 +    printf("Decision: %s (%d)\n",
   2.174 +           (ret == ACM_ACCESS_PERMITTED) ? "PERMITTED" :
   2.175 +           ((ret == ACM_ACCESS_DENIED) ? "DENIED" : "ERROR"), ret);
   2.176 +
   2.177 +    close(acm_cmd_fd);
   2.178 +    return ret;
   2.179 +}
     3.1 --- a/tools/security/secpol_tool.c	Thu Oct 20 19:37:41 2005 +0100
     3.2 +++ b/tools/security/secpol_tool.c	Thu Oct 20 21:37:15 2005 +0100
     3.3 @@ -67,7 +67,7 @@ static inline int do_xen_hypercall(int x
     3.4                          (unsigned long) hypercall);
     3.5  }
     3.6  
     3.7 -static inline int do_acm_op(int xc_handle, acm_op_t * op)
     3.8 +static inline int do_acm_op(int xc_handle, struct acm_op * op)
     3.9  {
    3.10      int ret = -1;
    3.11      privcmd_hypercall_t hypercall;
    3.12 @@ -275,10 +275,10 @@ void acm_dump_policy_buffer(void *buf, i
    3.13  /******************************* get policy ******************************/
    3.14  
    3.15  #define PULL_CACHE_SIZE		8192
    3.16 -u8 pull_buffer[PULL_CACHE_SIZE];
    3.17 +uint8_t pull_buffer[PULL_CACHE_SIZE];
    3.18  int acm_domain_getpolicy(int xc_handle)
    3.19  {
    3.20 -    acm_op_t op;
    3.21 +    struct acm_op op;
    3.22      int ret;
    3.23  
    3.24      memset(pull_buffer, 0x00, sizeof(pull_buffer));
    3.25 @@ -299,7 +299,7 @@ int acm_domain_loadpolicy(int xc_handle,
    3.26      struct stat mystat;
    3.27      int ret, fd;
    3.28      off_t len;
    3.29 -    u8 *buffer;
    3.30 +    uint8_t *buffer;
    3.31  
    3.32      if ((ret = stat(filename, &mystat)))
    3.33      {
    3.34 @@ -321,7 +321,7 @@ int acm_domain_loadpolicy(int xc_handle,
    3.35      }
    3.36      if (len == read(fd, buffer, len))
    3.37      {
    3.38 -        acm_op_t op;
    3.39 +        struct acm_op op;
    3.40          /* dump it and then push it down into xen/acm */
    3.41          acm_dump_policy_buffer(buffer, len);
    3.42          op.cmd = ACM_SETPOLICY;
    3.43 @@ -368,8 +368,8 @@ void dump_ste_stats(struct acm_ste_stats
    3.44  #define PULL_STATS_SIZE		8192
    3.45  int acm_domain_dumpstats(int xc_handle)
    3.46  {
    3.47 -    u8 stats_buffer[PULL_STATS_SIZE];
    3.48 -    acm_op_t op;
    3.49 +    uint8_t stats_buffer[PULL_STATS_SIZE];
    3.50 +    struct acm_op op;
    3.51      int ret;
    3.52      struct acm_stats_buffer *stats;
    3.53  
    3.54 @@ -442,7 +442,7 @@ int acm_domain_getssid(int xc_handle, in
    3.55      /* this includes header and a set of types */
    3.56      #define MAX_SSIDBUFFER  2000
    3.57      int ret, i;
    3.58 -    acm_op_t op;
    3.59 +    struct acm_op op;
    3.60      struct acm_ssid_buffer *hdr;
    3.61      unsigned char *buf;
    3.62  	int nice_print = 1;
     4.1 --- a/xen/acm/acm_chinesewall_hooks.c	Thu Oct 20 19:37:41 2005 +0100
     4.2 +++ b/xen/acm/acm_chinesewall_hooks.c	Thu Oct 20 21:37:15 2005 +0100
     4.3 @@ -26,7 +26,10 @@
     4.4   *    in which case all types of a new domain must be conflict-free
     4.5   *    with all types of already running domains.
     4.6   *
     4.7 + * indent -i4 -kr -nut
     4.8 + *
     4.9   */
    4.10 +
    4.11  #include <xen/config.h>
    4.12  #include <xen/errno.h>
    4.13  #include <xen/types.h>
    4.14 @@ -48,270 +51,333 @@ struct chwall_binary_policy chwall_bin_p
    4.15   */
    4.16  int acm_init_chwall_policy(void)
    4.17  {
    4.18 -	/* minimal startup policy; policy write-locked already */
    4.19 -	chwall_bin_pol.max_types = 1;
    4.20 -	chwall_bin_pol.max_ssidrefs = 2;
    4.21 -	chwall_bin_pol.max_conflictsets = 1;
    4.22 -	chwall_bin_pol.ssidrefs = (domaintype_t *)xmalloc_array(domaintype_t, chwall_bin_pol.max_ssidrefs*chwall_bin_pol.max_types);
    4.23 -	chwall_bin_pol.conflict_sets = (domaintype_t *)xmalloc_array(domaintype_t, chwall_bin_pol.max_conflictsets*chwall_bin_pol.max_types);
    4.24 -	chwall_bin_pol.running_types = (domaintype_t *)xmalloc_array(domaintype_t, chwall_bin_pol.max_types);
    4.25 -	chwall_bin_pol.conflict_aggregate_set = (domaintype_t *)xmalloc_array(domaintype_t, chwall_bin_pol.max_types);
    4.26 -	
    4.27 -	if ((chwall_bin_pol.conflict_sets == NULL) || (chwall_bin_pol.running_types == NULL) ||
    4.28 -	    (chwall_bin_pol.ssidrefs == NULL) || (chwall_bin_pol.conflict_aggregate_set == NULL))
    4.29 -		return ACM_INIT_SSID_ERROR;
    4.30 +    /* minimal startup policy; policy write-locked already */
    4.31 +    chwall_bin_pol.max_types = 1;
    4.32 +    chwall_bin_pol.max_ssidrefs = 2;
    4.33 +    chwall_bin_pol.max_conflictsets = 1;
    4.34 +    chwall_bin_pol.ssidrefs =
    4.35 +        (domaintype_t *) xmalloc_array(domaintype_t,
    4.36 +                                       chwall_bin_pol.max_ssidrefs *
    4.37 +                                       chwall_bin_pol.max_types);
    4.38 +    chwall_bin_pol.conflict_sets =
    4.39 +        (domaintype_t *) xmalloc_array(domaintype_t,
    4.40 +                                       chwall_bin_pol.max_conflictsets *
    4.41 +                                       chwall_bin_pol.max_types);
    4.42 +    chwall_bin_pol.running_types =
    4.43 +        (domaintype_t *) xmalloc_array(domaintype_t,
    4.44 +                                       chwall_bin_pol.max_types);
    4.45 +    chwall_bin_pol.conflict_aggregate_set =
    4.46 +        (domaintype_t *) xmalloc_array(domaintype_t,
    4.47 +                                       chwall_bin_pol.max_types);
    4.48  
    4.49 -	/* initialize state */
    4.50 -	memset((void *)chwall_bin_pol.ssidrefs, 0, chwall_bin_pol.max_ssidrefs*chwall_bin_pol.max_types*sizeof(domaintype_t));
    4.51 -	memset((void *)chwall_bin_pol.conflict_sets, 0, chwall_bin_pol.max_conflictsets*chwall_bin_pol.max_types*sizeof(domaintype_t));
    4.52 -	memset((void *)chwall_bin_pol.running_types, 0, chwall_bin_pol.max_types*sizeof(domaintype_t));
    4.53 -	memset((void *)chwall_bin_pol.conflict_aggregate_set, 0, chwall_bin_pol.max_types*sizeof(domaintype_t));	
    4.54 -	return ACM_OK;
    4.55 +    if ((chwall_bin_pol.conflict_sets == NULL)
    4.56 +        || (chwall_bin_pol.running_types == NULL)
    4.57 +        || (chwall_bin_pol.ssidrefs == NULL)
    4.58 +        || (chwall_bin_pol.conflict_aggregate_set == NULL))
    4.59 +        return ACM_INIT_SSID_ERROR;
    4.60 +
    4.61 +    /* initialize state */
    4.62 +    memset((void *) chwall_bin_pol.ssidrefs, 0,
    4.63 +           chwall_bin_pol.max_ssidrefs * chwall_bin_pol.max_types *
    4.64 +           sizeof(domaintype_t));
    4.65 +    memset((void *) chwall_bin_pol.conflict_sets, 0,
    4.66 +           chwall_bin_pol.max_conflictsets * chwall_bin_pol.max_types *
    4.67 +           sizeof(domaintype_t));
    4.68 +    memset((void *) chwall_bin_pol.running_types, 0,
    4.69 +           chwall_bin_pol.max_types * sizeof(domaintype_t));
    4.70 +    memset((void *) chwall_bin_pol.conflict_aggregate_set, 0,
    4.71 +           chwall_bin_pol.max_types * sizeof(domaintype_t));
    4.72 +    return ACM_OK;
    4.73  }
    4.74  
    4.75 -static int
    4.76 -chwall_init_domain_ssid(void **chwall_ssid, ssidref_t ssidref)
    4.77 +static int chwall_init_domain_ssid(void **chwall_ssid, ssidref_t ssidref)
    4.78  {
    4.79 -	struct chwall_ssid *chwall_ssidp = xmalloc(struct chwall_ssid);
    4.80 -	traceprintk("%s.\n", __func__);
    4.81 -	if (chwall_ssidp == NULL)
    4.82 -		return ACM_INIT_SSID_ERROR;
    4.83 -	/* 
    4.84 -	 * depending on wheter chwall is primary or secondary, get the respective
    4.85 -	 * part of the global ssidref (same way we'll get the partial ssid pointer)
    4.86 -	 */
    4.87 -	chwall_ssidp->chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
    4.88 -	if ((chwall_ssidp->chwall_ssidref >= chwall_bin_pol.max_ssidrefs) ||
    4.89 -	    (chwall_ssidp->chwall_ssidref == ACM_DEFAULT_LOCAL_SSID)) {
    4.90 -		printkd("%s: ERROR chwall_ssidref(%x) undefined (>max) or unset (0).\n",
    4.91 -			__func__, chwall_ssidp->chwall_ssidref);
    4.92 -		xfree(chwall_ssidp);
    4.93 -		return ACM_INIT_SSID_ERROR;
    4.94 -	}
    4.95 -	(*chwall_ssid) = chwall_ssidp;
    4.96 -	printkd("%s: determined chwall_ssidref to %x.\n", 
    4.97 -	       __func__, chwall_ssidp->chwall_ssidref);
    4.98 -	return ACM_OK;
    4.99 +    struct chwall_ssid *chwall_ssidp = xmalloc(struct chwall_ssid);
   4.100 +    traceprintk("%s.\n", __func__);
   4.101 +    if (chwall_ssidp == NULL)
   4.102 +        return ACM_INIT_SSID_ERROR;
   4.103 +
   4.104 +    chwall_ssidp->chwall_ssidref =
   4.105 +        GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
   4.106 +
   4.107 +    if ((chwall_ssidp->chwall_ssidref >= chwall_bin_pol.max_ssidrefs)
   4.108 +        || (chwall_ssidp->chwall_ssidref == ACM_DEFAULT_LOCAL_SSID))
   4.109 +    {
   4.110 +        printkd("%s: ERROR chwall_ssidref(%x) undefined (>max) or unset (0).\n",
   4.111 +                __func__, chwall_ssidp->chwall_ssidref);
   4.112 +        xfree(chwall_ssidp);
   4.113 +        return ACM_INIT_SSID_ERROR;
   4.114 +    }
   4.115 +    (*chwall_ssid) = chwall_ssidp;
   4.116 +    printkd("%s: determined chwall_ssidref to %x.\n",
   4.117 +            __func__, chwall_ssidp->chwall_ssidref);
   4.118 +    return ACM_OK;
   4.119  }
   4.120  
   4.121 -static void
   4.122 -chwall_free_domain_ssid(void *chwall_ssid)
   4.123 +static void chwall_free_domain_ssid(void *chwall_ssid)
   4.124  {
   4.125 -	traceprintk("%s.\n", __func__);
   4.126 -	if (chwall_ssid != NULL)
   4.127 -		xfree(chwall_ssid);
   4.128 -	return;
   4.129 +    traceprintk("%s.\n", __func__);
   4.130 +    if (chwall_ssid != NULL)
   4.131 +        xfree(chwall_ssid);
   4.132 +    return;
   4.133  }
   4.134  
   4.135  
   4.136  /* dump chinese wall cache; policy read-locked already */
   4.137 -static int
   4.138 -chwall_dump_policy(u8 *buf, u16 buf_size) {	
   4.139 -     struct acm_chwall_policy_buffer *chwall_buf = (struct acm_chwall_policy_buffer *)buf;
   4.140 -     int ret = 0;
   4.141 +static int chwall_dump_policy(u8 * buf, u32 buf_size)
   4.142 +{
   4.143 +    struct acm_chwall_policy_buffer *chwall_buf =
   4.144 +        (struct acm_chwall_policy_buffer *) buf;
   4.145 +    int ret = 0;
   4.146  
   4.147 -     chwall_buf->chwall_max_types = htonl(chwall_bin_pol.max_types);
   4.148 -     chwall_buf->chwall_max_ssidrefs = htonl(chwall_bin_pol.max_ssidrefs);
   4.149 -     chwall_buf->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
   4.150 -     chwall_buf->chwall_ssid_offset = htonl(sizeof(struct acm_chwall_policy_buffer));
   4.151 -     chwall_buf->chwall_max_conflictsets = htonl(chwall_bin_pol.max_conflictsets);
   4.152 -     chwall_buf->chwall_conflict_sets_offset =
   4.153 -	     htonl(
   4.154 -		   ntohl(chwall_buf->chwall_ssid_offset) +
   4.155 -		   sizeof(domaintype_t) * chwall_bin_pol.max_ssidrefs * 
   4.156 -		   chwall_bin_pol.max_types);
   4.157 -
   4.158 -     chwall_buf->chwall_running_types_offset = 
   4.159 -	     htonl(
   4.160 -		   ntohl(chwall_buf->chwall_conflict_sets_offset) +
   4.161 -		   sizeof(domaintype_t) * chwall_bin_pol.max_conflictsets *
   4.162 -		   chwall_bin_pol.max_types);
   4.163 +    if (buf_size < sizeof(struct acm_chwall_policy_buffer))
   4.164 +        return -EINVAL;
   4.165  
   4.166 -     chwall_buf->chwall_conflict_aggregate_offset =
   4.167 -	     htonl(
   4.168 -		   ntohl(chwall_buf->chwall_running_types_offset) +
   4.169 -		   sizeof(domaintype_t) * chwall_bin_pol.max_types);
   4.170 +    chwall_buf->chwall_max_types = htonl(chwall_bin_pol.max_types);
   4.171 +    chwall_buf->chwall_max_ssidrefs = htonl(chwall_bin_pol.max_ssidrefs);
   4.172 +    chwall_buf->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
   4.173 +    chwall_buf->chwall_ssid_offset =
   4.174 +        htonl(sizeof(struct acm_chwall_policy_buffer));
   4.175 +    chwall_buf->chwall_max_conflictsets =
   4.176 +        htonl(chwall_bin_pol.max_conflictsets);
   4.177 +    chwall_buf->chwall_conflict_sets_offset =
   4.178 +        htonl(ntohl(chwall_buf->chwall_ssid_offset) +
   4.179 +              sizeof(domaintype_t) * chwall_bin_pol.max_ssidrefs *
   4.180 +              chwall_bin_pol.max_types);
   4.181 +    chwall_buf->chwall_running_types_offset =
   4.182 +        htonl(ntohl(chwall_buf->chwall_conflict_sets_offset) +
   4.183 +              sizeof(domaintype_t) * chwall_bin_pol.max_conflictsets *
   4.184 +              chwall_bin_pol.max_types);
   4.185 +    chwall_buf->chwall_conflict_aggregate_offset =
   4.186 +        htonl(ntohl(chwall_buf->chwall_running_types_offset) +
   4.187 +              sizeof(domaintype_t) * chwall_bin_pol.max_types);
   4.188  
   4.189 -     ret = ntohl(chwall_buf->chwall_conflict_aggregate_offset) +
   4.190 -	     sizeof(domaintype_t) * chwall_bin_pol.max_types;
   4.191 -
   4.192 -     /* now copy buffers over */
   4.193 -     arrcpy16((u16 *)(buf + ntohl(chwall_buf->chwall_ssid_offset)),
   4.194 -	      chwall_bin_pol.ssidrefs,
   4.195 -	      chwall_bin_pol.max_ssidrefs * chwall_bin_pol.max_types);
   4.196 +    ret = ntohl(chwall_buf->chwall_conflict_aggregate_offset) +
   4.197 +        sizeof(domaintype_t) * chwall_bin_pol.max_types;
   4.198  
   4.199 -     arrcpy16((u16 *)(buf + ntohl(chwall_buf->chwall_conflict_sets_offset)),
   4.200 -	      chwall_bin_pol.conflict_sets,
   4.201 -	      chwall_bin_pol.max_conflictsets * chwall_bin_pol.max_types);
   4.202 +    if (buf_size < ret)
   4.203 +        return -EINVAL;
   4.204 +
   4.205 +    /* now copy buffers over */
   4.206 +    arrcpy16((u16 *) (buf + ntohl(chwall_buf->chwall_ssid_offset)),
   4.207 +             chwall_bin_pol.ssidrefs,
   4.208 +             chwall_bin_pol.max_ssidrefs * chwall_bin_pol.max_types);
   4.209  
   4.210 -     arrcpy16((u16 *)(buf + ntohl(chwall_buf->chwall_running_types_offset)),
   4.211 -	      chwall_bin_pol.running_types,
   4.212 -	      chwall_bin_pol.max_types);
   4.213 +    arrcpy16((u16 *) (buf +
   4.214 +                      ntohl(chwall_buf->chwall_conflict_sets_offset)),
   4.215 +             chwall_bin_pol.conflict_sets,
   4.216 +             chwall_bin_pol.max_conflictsets * chwall_bin_pol.max_types);
   4.217  
   4.218 -     arrcpy16((u16 *)(buf + ntohl(chwall_buf->chwall_conflict_aggregate_offset)),
   4.219 -	      chwall_bin_pol.conflict_aggregate_set,
   4.220 -	      chwall_bin_pol.max_types);
   4.221 -     return ret;
   4.222 +    arrcpy16((u16 *) (buf +
   4.223 +                      ntohl(chwall_buf->chwall_running_types_offset)),
   4.224 +             chwall_bin_pol.running_types, chwall_bin_pol.max_types);
   4.225 +
   4.226 +    arrcpy16((u16 *) (buf +
   4.227 +                      ntohl(chwall_buf->chwall_conflict_aggregate_offset)),
   4.228 +             chwall_bin_pol.conflict_aggregate_set,
   4.229 +             chwall_bin_pol.max_types);
   4.230 +    return ret;
   4.231  }
   4.232  
   4.233  /* adapt security state (running_types and conflict_aggregate_set) to all running
   4.234   * domains; chwall_init_state is called when a policy is changed to bring the security
   4.235   * information into a consistent state and to detect violations (return != 0).
   4.236   * from a security point of view, we simulate that all running domains are re-started
   4.237 - */ 
   4.238 + */
   4.239  static int
   4.240 -chwall_init_state(struct acm_chwall_policy_buffer *chwall_buf, domaintype_t *ssidrefs, domaintype_t *conflict_sets,
   4.241 -		  domaintype_t *running_types, domaintype_t *conflict_aggregate_set)
   4.242 +chwall_init_state(struct acm_chwall_policy_buffer *chwall_buf,
   4.243 +                  domaintype_t * ssidrefs, domaintype_t * conflict_sets,
   4.244 +                  domaintype_t * running_types,
   4.245 +                  domaintype_t * conflict_aggregate_set)
   4.246  {
   4.247 -	int violation = 0, i, j;
   4.248 -	struct chwall_ssid *chwall_ssid;
   4.249 -	ssidref_t chwall_ssidref;
   4.250 -	struct domain **pd;
   4.251 +    int violation = 0, i, j;
   4.252 +    struct chwall_ssid *chwall_ssid;
   4.253 +    ssidref_t chwall_ssidref;
   4.254 +    struct domain **pd;
   4.255  
   4.256 -        write_lock(&domlist_lock);
   4.257 -	/* go through all domains and adjust policy as if this domain was started now */
   4.258 -        pd = &domain_list;
   4.259 -        for ( pd = &domain_list; *pd != NULL; pd = &(*pd)->next_in_list ) {
   4.260 -		chwall_ssid = GET_SSIDP(ACM_CHINESE_WALL_POLICY, (struct acm_ssid_domain *)(*pd)->ssid);
   4.261 -		chwall_ssidref = chwall_ssid->chwall_ssidref;
   4.262 -		traceprintk("%s: validating policy for domain %x (chwall-REF=%x).\n", 
   4.263 -			__func__, (*pd)->domain_id, chwall_ssidref);
   4.264 -		/* a) adjust types ref-count for running domains */
   4.265 -		for (i=0; i< chwall_buf->chwall_max_types; i++)
   4.266 -			running_types[i] +=
   4.267 -				ssidrefs[chwall_ssidref*chwall_buf->chwall_max_types + i];
   4.268 +    write_lock(&domlist_lock);
   4.269 +    /* go through all domains and adjust policy as if this domain was started now */
   4.270 +    pd = &domain_list;
   4.271 +    for (pd = &domain_list; *pd != NULL; pd = &(*pd)->next_in_list)
   4.272 +    {
   4.273 +        chwall_ssid =
   4.274 +            GET_SSIDP(ACM_CHINESE_WALL_POLICY,
   4.275 +                      (struct acm_ssid_domain *) (*pd)->ssid);
   4.276 +        chwall_ssidref = chwall_ssid->chwall_ssidref;
   4.277 +        traceprintk("%s: validating policy for domain %x (chwall-REF=%x).\n",
   4.278 +                    __func__, (*pd)->domain_id, chwall_ssidref);
   4.279 +        /* a) adjust types ref-count for running domains */
   4.280 +        for (i = 0; i < chwall_buf->chwall_max_types; i++)
   4.281 +            running_types[i] +=
   4.282 +                ssidrefs[chwall_ssidref * chwall_buf->chwall_max_types + i];
   4.283  
   4.284 -		/* b) check for conflict */
   4.285 -		for (i=0; i< chwall_buf->chwall_max_types; i++)
   4.286 -			if (conflict_aggregate_set[i] && 
   4.287 -			    ssidrefs[chwall_ssidref*chwall_buf->chwall_max_types + i]) {
   4.288 -				printk("%s: CHINESE WALL CONFLICT in type %02x.\n", __func__, i);
   4.289 -				violation = 1;
   4.290 -				goto out;
   4.291 -			}
   4.292 -		/* set violation and break out of the loop */
   4.293 -		/* c) adapt conflict aggregate set for this domain (notice conflicts) */
   4.294 -		for (i=0; i<chwall_buf->chwall_max_conflictsets; i++) {
   4.295 -			int common = 0;
   4.296 -			/* check if conflict_set_i and ssidref have common types */
   4.297 -			for (j=0; j<chwall_buf->chwall_max_types; j++)
   4.298 -				if (conflict_sets[i*chwall_buf->chwall_max_types + j] &&
   4.299 -				    ssidrefs[chwall_ssidref*chwall_buf->chwall_max_types + j]) {
   4.300 -					common = 1;
   4.301 -					break;
   4.302 -				}
   4.303 -			if (common == 0)
   4.304 -				continue; /* try next conflict set */
   4.305 -			/* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.306 -			for (j=0; j<chwall_buf->chwall_max_types; j++)
   4.307 -				if (conflict_sets[i*chwall_buf->chwall_max_types + j] &&
   4.308 -				    !ssidrefs[chwall_ssidref*chwall_buf->chwall_max_types + j])
   4.309 -					conflict_aggregate_set[j]++;
   4.310 -		}	
   4.311 -	}
   4.312 +        /* b) check for conflict */
   4.313 +        for (i = 0; i < chwall_buf->chwall_max_types; i++)
   4.314 +            if (conflict_aggregate_set[i] &&
   4.315 +                ssidrefs[chwall_ssidref * chwall_buf->chwall_max_types + i])
   4.316 +            {
   4.317 +                printk("%s: CHINESE WALL CONFLICT in type %02x.\n",
   4.318 +                       __func__, i);
   4.319 +                violation = 1;
   4.320 +                goto out;
   4.321 +            }
   4.322 +        /* set violation and break out of the loop */
   4.323 +        /* c) adapt conflict aggregate set for this domain (notice conflicts) */
   4.324 +        for (i = 0; i < chwall_buf->chwall_max_conflictsets; i++)
   4.325 +        {
   4.326 +            int common = 0;
   4.327 +            /* check if conflict_set_i and ssidref have common types */
   4.328 +            for (j = 0; j < chwall_buf->chwall_max_types; j++)
   4.329 +                if (conflict_sets[i * chwall_buf->chwall_max_types + j] &&
   4.330 +                    ssidrefs[chwall_ssidref *
   4.331 +                            chwall_buf->chwall_max_types + j])
   4.332 +                {
   4.333 +                    common = 1;
   4.334 +                    break;
   4.335 +                }
   4.336 +            if (common == 0)
   4.337 +                continue;       /* try next conflict set */
   4.338 +            /* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.339 +            for (j = 0; j < chwall_buf->chwall_max_types; j++)
   4.340 +                if (conflict_sets[i * chwall_buf->chwall_max_types + j] &&
   4.341 +                    !ssidrefs[chwall_ssidref *
   4.342 +                             chwall_buf->chwall_max_types + j])
   4.343 +                    conflict_aggregate_set[j]++;
   4.344 +        }
   4.345 +    }
   4.346   out:
   4.347 -        write_unlock(&domlist_lock);
   4.348 -	return violation;
   4.349 -	/* returning "violation != 0" means that the currently running set of domains would 
   4.350 -	 * not be possible if the new policy had been enforced before starting them; for chinese
   4.351 -	 * wall, this means that the new policy includes at least one conflict set of which 
   4.352 -	 * more than one type is currently running */
   4.353 +    write_unlock(&domlist_lock);
   4.354 +    return violation;
   4.355 +    /* returning "violation != 0" means that the currently running set of domains would
   4.356 +     * not be possible if the new policy had been enforced before starting them; for chinese
   4.357 +     * wall, this means that the new policy includes at least one conflict set of which
   4.358 +     * more than one type is currently running */
   4.359  }
   4.360  
   4.361 -static int
   4.362 -chwall_set_policy(u8 *buf, u16 buf_size) 
   4.363 -{	
   4.364 -	/* policy write-locked already */
   4.365 -	struct acm_chwall_policy_buffer *chwall_buf = (struct acm_chwall_policy_buffer *)buf;
   4.366 -	void *ssids = NULL, *conflict_sets = NULL, *running_types = NULL, *conflict_aggregate_set = NULL;	
   4.367 +static int chwall_set_policy(u8 * buf, u32 buf_size)
   4.368 +{
   4.369 +    /* policy write-locked already */
   4.370 +    struct acm_chwall_policy_buffer *chwall_buf =
   4.371 +        (struct acm_chwall_policy_buffer *) buf;
   4.372 +    void *ssids = NULL, *conflict_sets = NULL, *running_types =
   4.373 +        NULL, *conflict_aggregate_set = NULL;
   4.374 +
   4.375 +    if (buf_size < sizeof(struct acm_chwall_policy_buffer))
   4.376 +        return -EINVAL;
   4.377  
   4.378 -        /* rewrite the policy due to endianess */
   4.379 -        chwall_buf->policy_code                      = ntohl(chwall_buf->policy_code);
   4.380 -        chwall_buf->policy_version                   = ntohl(chwall_buf->policy_version);
   4.381 -        chwall_buf->chwall_max_types                 = ntohl(chwall_buf->chwall_max_types);
   4.382 -        chwall_buf->chwall_max_ssidrefs              = ntohl(chwall_buf->chwall_max_ssidrefs);
   4.383 -        chwall_buf->chwall_max_conflictsets          = ntohl(chwall_buf->chwall_max_conflictsets);
   4.384 -        chwall_buf->chwall_ssid_offset               = ntohl(chwall_buf->chwall_ssid_offset);
   4.385 -        chwall_buf->chwall_conflict_sets_offset      = ntohl(chwall_buf->chwall_conflict_sets_offset);
   4.386 -        chwall_buf->chwall_running_types_offset      = ntohl(chwall_buf->chwall_running_types_offset);
   4.387 -        chwall_buf->chwall_conflict_aggregate_offset = ntohl(chwall_buf->chwall_conflict_aggregate_offset);
   4.388 +    /* rewrite the policy due to endianess */
   4.389 +    chwall_buf->policy_code = ntohl(chwall_buf->policy_code);
   4.390 +    chwall_buf->policy_version = ntohl(chwall_buf->policy_version);
   4.391 +    chwall_buf->chwall_max_types = ntohl(chwall_buf->chwall_max_types);
   4.392 +    chwall_buf->chwall_max_ssidrefs =
   4.393 +        ntohl(chwall_buf->chwall_max_ssidrefs);
   4.394 +    chwall_buf->chwall_max_conflictsets =
   4.395 +        ntohl(chwall_buf->chwall_max_conflictsets);
   4.396 +    chwall_buf->chwall_ssid_offset = ntohl(chwall_buf->chwall_ssid_offset);
   4.397 +    chwall_buf->chwall_conflict_sets_offset =
   4.398 +        ntohl(chwall_buf->chwall_conflict_sets_offset);
   4.399 +    chwall_buf->chwall_running_types_offset =
   4.400 +        ntohl(chwall_buf->chwall_running_types_offset);
   4.401 +    chwall_buf->chwall_conflict_aggregate_offset =
   4.402 +        ntohl(chwall_buf->chwall_conflict_aggregate_offset);
   4.403  
   4.404 -	/* policy type and version checks */
   4.405 -	if ((chwall_buf->policy_code != ACM_CHINESE_WALL_POLICY) ||
   4.406 -	    (chwall_buf->policy_version != ACM_CHWALL_VERSION))
   4.407 -		return -EINVAL;
   4.408 -
   4.409 -	/* 1. allocate new buffers */
   4.410 -	ssids = xmalloc_array(domaintype_t, chwall_buf->chwall_max_types*chwall_buf->chwall_max_ssidrefs);
   4.411 -	conflict_sets = xmalloc_array(domaintype_t, chwall_buf->chwall_max_conflictsets*chwall_buf->chwall_max_types);
   4.412 -	running_types = xmalloc_array(domaintype_t,chwall_buf->chwall_max_types);
   4.413 -	conflict_aggregate_set = xmalloc_array(domaintype_t, chwall_buf->chwall_max_types);
   4.414 +    /* policy type and version checks */
   4.415 +    if ((chwall_buf->policy_code != ACM_CHINESE_WALL_POLICY) ||
   4.416 +        (chwall_buf->policy_version != ACM_CHWALL_VERSION))
   4.417 +        return -EINVAL;
   4.418  
   4.419 -	if ((ssids == NULL)||(conflict_sets == NULL)||(running_types == NULL)||(conflict_aggregate_set == NULL))
   4.420 -		goto error_free;
   4.421 +    /* 1. allocate new buffers */
   4.422 +    ssids =
   4.423 +        xmalloc_array(domaintype_t,
   4.424 +                      chwall_buf->chwall_max_types *
   4.425 +                      chwall_buf->chwall_max_ssidrefs);
   4.426 +    conflict_sets =
   4.427 +        xmalloc_array(domaintype_t,
   4.428 +                      chwall_buf->chwall_max_conflictsets *
   4.429 +                      chwall_buf->chwall_max_types);
   4.430 +    running_types =
   4.431 +        xmalloc_array(domaintype_t, chwall_buf->chwall_max_types);
   4.432 +    conflict_aggregate_set =
   4.433 +        xmalloc_array(domaintype_t, chwall_buf->chwall_max_types);
   4.434  
   4.435 -	/* 2. set new policy */
   4.436 -	if (chwall_buf->chwall_ssid_offset + sizeof(domaintype_t) * 
   4.437 -	    chwall_buf->chwall_max_types * chwall_buf->chwall_max_ssidrefs > buf_size)
   4.438 -		goto error_free;
   4.439 -	arrcpy(ssids, buf + chwall_buf->chwall_ssid_offset,
   4.440 -	       sizeof(domaintype_t),  
   4.441 -	       chwall_buf->chwall_max_types * chwall_buf->chwall_max_ssidrefs);
   4.442 +    if ((ssids == NULL) || (conflict_sets == NULL)
   4.443 +        || (running_types == NULL) || (conflict_aggregate_set == NULL))
   4.444 +        goto error_free;
   4.445  
   4.446 -	if (chwall_buf->chwall_conflict_sets_offset + sizeof(domaintype_t) * 
   4.447 -	    chwall_buf->chwall_max_types * chwall_buf->chwall_max_conflictsets > buf_size)
   4.448 -		goto error_free;
   4.449 +    /* 2. set new policy */
   4.450 +    if (chwall_buf->chwall_ssid_offset + sizeof(domaintype_t) *
   4.451 +        chwall_buf->chwall_max_types * chwall_buf->chwall_max_ssidrefs >
   4.452 +        buf_size)
   4.453 +        goto error_free;
   4.454  
   4.455 -	arrcpy(conflict_sets, buf + chwall_buf->chwall_conflict_sets_offset,
   4.456 -	       sizeof(domaintype_t),
   4.457 -	       chwall_buf->chwall_max_types * chwall_buf->chwall_max_conflictsets);
   4.458 +    arrcpy(ssids, buf + chwall_buf->chwall_ssid_offset,
   4.459 +           sizeof(domaintype_t),
   4.460 +           chwall_buf->chwall_max_types * chwall_buf->chwall_max_ssidrefs);
   4.461 +
   4.462 +    if (chwall_buf->chwall_conflict_sets_offset + sizeof(domaintype_t) *
   4.463 +        chwall_buf->chwall_max_types *
   4.464 +        chwall_buf->chwall_max_conflictsets > buf_size)
   4.465 +        goto error_free;
   4.466  
   4.467 -	/* we also use new state buffers since max_types can change */
   4.468 -	memset(running_types, 0, sizeof(domaintype_t)*chwall_buf->chwall_max_types);
   4.469 -	memset(conflict_aggregate_set, 0, sizeof(domaintype_t)*chwall_buf->chwall_max_types);
   4.470 +    arrcpy(conflict_sets, buf + chwall_buf->chwall_conflict_sets_offset,
   4.471 +           sizeof(domaintype_t),
   4.472 +           chwall_buf->chwall_max_types *
   4.473 +           chwall_buf->chwall_max_conflictsets);
   4.474 +
   4.475 +    /* we also use new state buffers since max_types can change */
   4.476 +    memset(running_types, 0,
   4.477 +           sizeof(domaintype_t) * chwall_buf->chwall_max_types);
   4.478 +    memset(conflict_aggregate_set, 0,
   4.479 +           sizeof(domaintype_t) * chwall_buf->chwall_max_types);
   4.480  
   4.481 -	/* 3. now re-calculate the state for the new policy based on running domains; 
   4.482 -	 *    this can fail if new policy is conflicting with running domains */
   4.483 -	if (chwall_init_state(chwall_buf, ssids, conflict_sets, running_types, conflict_aggregate_set)) {
   4.484 -		printk("%s: New policy conflicts with running domains. Policy load aborted.\n", __func__);
   4.485 -		goto error_free; /* new policy conflicts with running domains */
   4.486 -	}
   4.487 -	/* 4. free old policy buffers, replace with new ones */
   4.488 -	chwall_bin_pol.max_types = chwall_buf->chwall_max_types;
   4.489 -	chwall_bin_pol.max_ssidrefs = chwall_buf->chwall_max_ssidrefs;
   4.490 -	chwall_bin_pol.max_conflictsets = chwall_buf->chwall_max_conflictsets;
   4.491 -	if (chwall_bin_pol.ssidrefs != NULL) 
   4.492 -		xfree(chwall_bin_pol.ssidrefs);
   4.493 -	if (chwall_bin_pol.conflict_aggregate_set != NULL) 
   4.494 -		xfree(chwall_bin_pol.conflict_aggregate_set);
   4.495 -	if (chwall_bin_pol.running_types != NULL) 
   4.496 -		xfree(chwall_bin_pol.running_types);
   4.497 -	if (chwall_bin_pol.conflict_sets != NULL) 
   4.498 -		xfree(chwall_bin_pol.conflict_sets);
   4.499 -	chwall_bin_pol.ssidrefs = ssids;
   4.500 -	chwall_bin_pol.conflict_aggregate_set = conflict_aggregate_set;
   4.501 -	chwall_bin_pol.running_types = running_types;
   4.502 -	chwall_bin_pol.conflict_sets = conflict_sets;
   4.503 -	return ACM_OK;
   4.504 +    /* 3. now re-calculate the state for the new policy based on running domains;
   4.505 +     *    this can fail if new policy is conflicting with running domains */
   4.506 +    if (chwall_init_state(chwall_buf, ssids,
   4.507 +                          conflict_sets, running_types,
   4.508 +                          conflict_aggregate_set))
   4.509 +    {
   4.510 +        printk("%s: New policy conflicts with running domains. Policy load aborted.\n",
   4.511 +               __func__);
   4.512 +        goto error_free;        /* new policy conflicts with running domains */
   4.513 +    }
   4.514 +    /* 4. free old policy buffers, replace with new ones */
   4.515 +    chwall_bin_pol.max_types = chwall_buf->chwall_max_types;
   4.516 +    chwall_bin_pol.max_ssidrefs = chwall_buf->chwall_max_ssidrefs;
   4.517 +    chwall_bin_pol.max_conflictsets = chwall_buf->chwall_max_conflictsets;
   4.518 +    if (chwall_bin_pol.ssidrefs != NULL)
   4.519 +        xfree(chwall_bin_pol.ssidrefs);
   4.520 +    if (chwall_bin_pol.conflict_aggregate_set != NULL)
   4.521 +        xfree(chwall_bin_pol.conflict_aggregate_set);
   4.522 +    if (chwall_bin_pol.running_types != NULL)
   4.523 +        xfree(chwall_bin_pol.running_types);
   4.524 +    if (chwall_bin_pol.conflict_sets != NULL)
   4.525 +        xfree(chwall_bin_pol.conflict_sets);
   4.526 +    chwall_bin_pol.ssidrefs = ssids;
   4.527 +    chwall_bin_pol.conflict_aggregate_set = conflict_aggregate_set;
   4.528 +    chwall_bin_pol.running_types = running_types;
   4.529 +    chwall_bin_pol.conflict_sets = conflict_sets;
   4.530 +    return ACM_OK;
   4.531  
   4.532 -error_free:
   4.533 -	printk("%s: ERROR setting policy.\n", __func__);
   4.534 -	if (ssids != NULL) xfree(ssids);
   4.535 -	if (conflict_sets != NULL) xfree(conflict_sets);
   4.536 -	if (running_types != NULL) xfree(running_types);
   4.537 -	if (conflict_aggregate_set != NULL) xfree(conflict_aggregate_set);
   4.538 -	return -EFAULT;
   4.539 -}
   4.540 -	
   4.541 -static int 
   4.542 -chwall_dump_stats(u8 *buf, u16 len)
   4.543 -{
   4.544 -	/* no stats for Chinese Wall Policy */
   4.545 -	return 0;
   4.546 + error_free:
   4.547 +    printk("%s: ERROR setting policy.\n", __func__);
   4.548 +    if (ssids != NULL)
   4.549 +        xfree(ssids);
   4.550 +    if (conflict_sets != NULL)
   4.551 +        xfree(conflict_sets);
   4.552 +    if (running_types != NULL)
   4.553 +        xfree(running_types);
   4.554 +    if (conflict_aggregate_set != NULL)
   4.555 +        xfree(conflict_aggregate_set);
   4.556 +    return -EFAULT;
   4.557  }
   4.558  
   4.559 -static int
   4.560 -chwall_dump_ssid_types(ssidref_t ssidref, u8 *buf, u16 len)
   4.561 +static int chwall_dump_stats(u8 * buf, u16 len)
   4.562 +{
   4.563 +    /* no stats for Chinese Wall Policy */
   4.564 +    return 0;
   4.565 +}
   4.566 +
   4.567 +static int chwall_dump_ssid_types(ssidref_t ssidref, u8 * buf, u16 len)
   4.568  {
   4.569      int i;
   4.570  
   4.571 @@ -319,12 +385,14 @@ chwall_dump_ssid_types(ssidref_t ssidref
   4.572      if (chwall_bin_pol.max_types > len)
   4.573          return -EFAULT;
   4.574  
   4.575 -	if (ssidref >= chwall_bin_pol.max_ssidrefs)
   4.576 -		return -EFAULT;
   4.577 +    if (ssidref >= chwall_bin_pol.max_ssidrefs)
   4.578 +        return -EFAULT;
   4.579  
   4.580      /* read types for chwall ssidref */
   4.581 -    for(i=0; i< chwall_bin_pol.max_types; i++) {
   4.582 -        if (chwall_bin_pol.ssidrefs[ssidref * chwall_bin_pol.max_types + i])
   4.583 +    for (i = 0; i < chwall_bin_pol.max_types; i++)
   4.584 +    {
   4.585 +        if (chwall_bin_pol.
   4.586 +            ssidrefs[ssidref * chwall_bin_pol.max_types + i])
   4.587              buf[i] = 1;
   4.588          else
   4.589              buf[i] = 0;
   4.590 @@ -336,198 +404,239 @@ chwall_dump_ssid_types(ssidref_t ssidref
   4.591   * Authorization functions
   4.592   ***************************/
   4.593  
   4.594 -
   4.595  /* -------- DOMAIN OPERATION HOOKS -----------*/
   4.596  
   4.597 -static int 
   4.598 -chwall_pre_domain_create(void *subject_ssid, ssidref_t ssidref)
   4.599 +static int chwall_pre_domain_create(void *subject_ssid, ssidref_t ssidref)
   4.600  {
   4.601 -	ssidref_t chwall_ssidref;
   4.602 -	int i,j;
   4.603 -	traceprintk("%s.\n", __func__);
   4.604 +    ssidref_t chwall_ssidref;
   4.605 +    int i, j;
   4.606 +    traceprintk("%s.\n", __func__);
   4.607  
   4.608 -	read_lock(&acm_bin_pol_rwlock);
   4.609 -	chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
   4.610 -	if (chwall_ssidref == ACM_DEFAULT_LOCAL_SSID) {
   4.611 -		printk("%s: ERROR CHWALL SSID is NOT SET but policy enforced.\n", __func__);
   4.612 -		read_unlock(&acm_bin_pol_rwlock);
   4.613 -		return ACM_ACCESS_DENIED; /* catching and indicating config error */
   4.614 -	}
   4.615 -	if (chwall_ssidref >= chwall_bin_pol.max_ssidrefs) {
   4.616 -		printk("%s: ERROR chwall_ssidref > max(%x).\n",
   4.617 -		       __func__, chwall_bin_pol.max_ssidrefs-1);
   4.618 -		read_unlock(&acm_bin_pol_rwlock);
   4.619 -		return ACM_ACCESS_DENIED;
   4.620 -	}
   4.621 -	/* A: chinese wall check for conflicts */
   4.622 -	for (i=0; i< chwall_bin_pol.max_types; i++)
   4.623 -		if (chwall_bin_pol.conflict_aggregate_set[i] && 
   4.624 -		    chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + i]) {
   4.625 -			printk("%s: CHINESE WALL CONFLICT in type %02x.\n", __func__, i);
   4.626 -			read_unlock(&acm_bin_pol_rwlock);
   4.627 -		        return ACM_ACCESS_DENIED;
   4.628 -		}
   4.629 +    read_lock(&acm_bin_pol_rwlock);
   4.630 +    chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
   4.631 +    if (chwall_ssidref == ACM_DEFAULT_LOCAL_SSID)
   4.632 +    {
   4.633 +        printk("%s: ERROR CHWALL SSID is NOT SET but policy enforced.\n",
   4.634 +               __func__);
   4.635 +        read_unlock(&acm_bin_pol_rwlock);
   4.636 +        return ACM_ACCESS_DENIED;       /* catching and indicating config error */
   4.637 +    }
   4.638 +    if (chwall_ssidref >= chwall_bin_pol.max_ssidrefs)
   4.639 +    {
   4.640 +        printk("%s: ERROR chwall_ssidref > max(%x).\n",
   4.641 +               __func__, chwall_bin_pol.max_ssidrefs - 1);
   4.642 +        read_unlock(&acm_bin_pol_rwlock);
   4.643 +        return ACM_ACCESS_DENIED;
   4.644 +    }
   4.645 +    /* A: chinese wall check for conflicts */
   4.646 +    for (i = 0; i < chwall_bin_pol.max_types; i++)
   4.647 +        if (chwall_bin_pol.conflict_aggregate_set[i] &&
   4.648 +            chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.649 +                                   chwall_bin_pol.max_types + i])
   4.650 +        {
   4.651 +            printk("%s: CHINESE WALL CONFLICT in type %02x.\n", __func__, i);
   4.652 +            read_unlock(&acm_bin_pol_rwlock);
   4.653 +            return ACM_ACCESS_DENIED;
   4.654 +        }
   4.655  
   4.656 -	/* B: chinese wall conflict set adjustment (so that other 
   4.657 -	 *	other domains simultaneously created are evaluated against this new set)*/
   4.658 -	for (i=0; i<chwall_bin_pol.max_conflictsets; i++) {
   4.659 -		int common = 0;
   4.660 -		/* check if conflict_set_i and ssidref have common types */
   4.661 -		for (j=0; j<chwall_bin_pol.max_types; j++)
   4.662 -			if (chwall_bin_pol.conflict_sets[i*chwall_bin_pol.max_types + j] &&
   4.663 -			    chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + j]) {
   4.664 -				common = 1;
   4.665 -				break;
   4.666 -			}
   4.667 -		if (common == 0)
   4.668 -			continue; /* try next conflict set */
   4.669 -		/* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.670 -		for (j=0; j<chwall_bin_pol.max_types; j++)
   4.671 -			if (chwall_bin_pol.conflict_sets[i*chwall_bin_pol.max_types + j] &&
   4.672 -			    !chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + j])
   4.673 -				chwall_bin_pol.conflict_aggregate_set[j]++;
   4.674 -	}
   4.675 -	read_unlock(&acm_bin_pol_rwlock);
   4.676 -	return ACM_ACCESS_PERMITTED;
   4.677 +    /* B: chinese wall conflict set adjustment (so that other
   4.678 +     *      other domains simultaneously created are evaluated against this new set)*/
   4.679 +    for (i = 0; i < chwall_bin_pol.max_conflictsets; i++)
   4.680 +    {
   4.681 +        int common = 0;
   4.682 +        /* check if conflict_set_i and ssidref have common types */
   4.683 +        for (j = 0; j < chwall_bin_pol.max_types; j++)
   4.684 +            if (chwall_bin_pol.
   4.685 +                conflict_sets[i * chwall_bin_pol.max_types + j]
   4.686 +                && chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.687 +                                          chwall_bin_pol.max_types + j])
   4.688 +            {
   4.689 +                common = 1;
   4.690 +                break;
   4.691 +            }
   4.692 +        if (common == 0)
   4.693 +            continue;           /* try next conflict set */
   4.694 +        /* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.695 +        for (j = 0; j < chwall_bin_pol.max_types; j++)
   4.696 +            if (chwall_bin_pol.
   4.697 +                conflict_sets[i * chwall_bin_pol.max_types + j]
   4.698 +                && !chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.699 +                                           chwall_bin_pol.max_types + j])
   4.700 +                chwall_bin_pol.conflict_aggregate_set[j]++;
   4.701 +    }
   4.702 +    read_unlock(&acm_bin_pol_rwlock);
   4.703 +    return ACM_ACCESS_PERMITTED;
   4.704  }
   4.705  
   4.706 -static void
   4.707 -chwall_post_domain_create(domid_t domid, ssidref_t ssidref)
   4.708 +static void chwall_post_domain_create(domid_t domid, ssidref_t ssidref)
   4.709  {
   4.710 -	int i,j;
   4.711 -	ssidref_t chwall_ssidref;
   4.712 -	traceprintk("%s.\n", __func__);
   4.713 -	
   4.714 -	read_lock(&acm_bin_pol_rwlock);
   4.715 -	chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
   4.716 -	/* adjust types ref-count for running domains */
   4.717 -	for (i=0; i< chwall_bin_pol.max_types; i++)
   4.718 -		chwall_bin_pol.running_types[i] +=
   4.719 -			chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + i];
   4.720 -	if (domid) {
   4.721 -		read_unlock(&acm_bin_pol_rwlock);
   4.722 -		return;
   4.723 -	}
   4.724 -	/* Xen does not call pre-create hook for DOM0;
   4.725 -	 * to consider type conflicts of any domain with DOM0, we need
   4.726 -	 * to adjust the conflict_aggregate for DOM0 here the same way it
   4.727 -	 * is done for non-DOM0 domains in the pre-hook */
   4.728 -	printkd("%s: adjusting security state for DOM0 (ssidref=%x, chwall_ssidref=%x).\n", 
   4.729 -		__func__, ssidref, chwall_ssidref);
   4.730 +    int i, j;
   4.731 +    ssidref_t chwall_ssidref;
   4.732 +    traceprintk("%s.\n", __func__);
   4.733 +
   4.734 +    read_lock(&acm_bin_pol_rwlock);
   4.735 +    chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
   4.736 +    /* adjust types ref-count for running domains */
   4.737 +    for (i = 0; i < chwall_bin_pol.max_types; i++)
   4.738 +        chwall_bin_pol.running_types[i] +=
   4.739 +            chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.740 +                                   chwall_bin_pol.max_types + i];
   4.741 +    if (domid)
   4.742 +    {
   4.743 +        read_unlock(&acm_bin_pol_rwlock);
   4.744 +        return;
   4.745 +    }
   4.746 +    /* Xen does not call pre-create hook for DOM0;
   4.747 +     * to consider type conflicts of any domain with DOM0, we need
   4.748 +     * to adjust the conflict_aggregate for DOM0 here the same way it
   4.749 +     * is done for non-DOM0 domains in the pre-hook */
   4.750 +    printkd("%s: adjusting security state for DOM0 (ssidref=%x, chwall_ssidref=%x).\n",
   4.751 +            __func__, ssidref, chwall_ssidref);
   4.752  
   4.753 -	/* chinese wall conflict set adjustment (so that other 
   4.754 -	 *	other domains simultaneously created are evaluated against this new set)*/
   4.755 -	for (i=0; i<chwall_bin_pol.max_conflictsets; i++) {
   4.756 -		int common = 0;
   4.757 -		/* check if conflict_set_i and ssidref have common types */
   4.758 -		for (j=0; j<chwall_bin_pol.max_types; j++)
   4.759 -			if (chwall_bin_pol.conflict_sets[i*chwall_bin_pol.max_types + j] &&
   4.760 -			    chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + j]) {
   4.761 -				common = 1;
   4.762 -				break;
   4.763 -			}
   4.764 -		if (common == 0)
   4.765 -			continue; /* try next conflict set */
   4.766 -		/* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.767 -		for (j=0; j<chwall_bin_pol.max_types; j++)
   4.768 -			if (chwall_bin_pol.conflict_sets[i*chwall_bin_pol.max_types + j] &&
   4.769 -			    !chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + j])
   4.770 -				chwall_bin_pol.conflict_aggregate_set[j]++;
   4.771 -	}
   4.772 -	read_unlock(&acm_bin_pol_rwlock);
   4.773 -	return;
   4.774 +    /* chinese wall conflict set adjustment (so that other
   4.775 +     *      other domains simultaneously created are evaluated against this new set)*/
   4.776 +    for (i = 0; i < chwall_bin_pol.max_conflictsets; i++)
   4.777 +    {
   4.778 +        int common = 0;
   4.779 +        /* check if conflict_set_i and ssidref have common types */
   4.780 +        for (j = 0; j < chwall_bin_pol.max_types; j++)
   4.781 +            if (chwall_bin_pol.
   4.782 +                conflict_sets[i * chwall_bin_pol.max_types + j]
   4.783 +                && chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.784 +                                          chwall_bin_pol.max_types + j])
   4.785 +            {
   4.786 +                common = 1;
   4.787 +                break;
   4.788 +            }
   4.789 +        if (common == 0)
   4.790 +            continue;           /* try next conflict set */
   4.791 +        /* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.792 +        for (j = 0; j < chwall_bin_pol.max_types; j++)
   4.793 +            if (chwall_bin_pol.
   4.794 +                conflict_sets[i * chwall_bin_pol.max_types + j]
   4.795 +                && !chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.796 +                                           chwall_bin_pol.max_types + j])
   4.797 +                chwall_bin_pol.conflict_aggregate_set[j]++;
   4.798 +    }
   4.799 +    read_unlock(&acm_bin_pol_rwlock);
   4.800 +    return;
   4.801  }
   4.802  
   4.803  static void
   4.804  chwall_fail_domain_create(void *subject_ssid, ssidref_t ssidref)
   4.805  {
   4.806 -	int i, j;
   4.807 -	ssidref_t chwall_ssidref;
   4.808 -	traceprintk("%s.\n", __func__);
   4.809 +    int i, j;
   4.810 +    ssidref_t chwall_ssidref;
   4.811 +    traceprintk("%s.\n", __func__);
   4.812  
   4.813 -	read_lock(&acm_bin_pol_rwlock);
   4.814 -	chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
   4.815 -	/* roll-back: re-adjust conflicting types aggregate */
   4.816 -	for (i=0; i<chwall_bin_pol.max_conflictsets; i++) {
   4.817 -		int common = 0;
   4.818 -		/* check if conflict_set_i and ssidref have common types */
   4.819 -		for (j=0; j<chwall_bin_pol.max_types; j++)
   4.820 -			if (chwall_bin_pol.conflict_sets[i*chwall_bin_pol.max_types + j] &&
   4.821 -			    chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + j]) {
   4.822 -				common = 1;
   4.823 -				break;
   4.824 -			}
   4.825 -		if (common == 0)
   4.826 -			continue; /* try next conflict set, this one does not include any type of chwall_ssidref */
   4.827 -		/* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.828 -		for (j=0; j<chwall_bin_pol.max_types; j++)
   4.829 -			if (chwall_bin_pol.conflict_sets[i*chwall_bin_pol.max_types + j] &&
   4.830 -			    !chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + j])
   4.831 -				chwall_bin_pol.conflict_aggregate_set[j]--;
   4.832 -	}
   4.833 -	read_unlock(&acm_bin_pol_rwlock);
   4.834 +    read_lock(&acm_bin_pol_rwlock);
   4.835 +    chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
   4.836 +    /* roll-back: re-adjust conflicting types aggregate */
   4.837 +    for (i = 0; i < chwall_bin_pol.max_conflictsets; i++)
   4.838 +    {
   4.839 +        int common = 0;
   4.840 +        /* check if conflict_set_i and ssidref have common types */
   4.841 +        for (j = 0; j < chwall_bin_pol.max_types; j++)
   4.842 +            if (chwall_bin_pol.
   4.843 +                conflict_sets[i * chwall_bin_pol.max_types + j]
   4.844 +                && chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.845 +                                          chwall_bin_pol.max_types + j])
   4.846 +            {
   4.847 +                common = 1;
   4.848 +                break;
   4.849 +            }
   4.850 +        if (common == 0)
   4.851 +            continue;           /* try next conflict set, this one does not include any type of chwall_ssidref */
   4.852 +        /* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.853 +        for (j = 0; j < chwall_bin_pol.max_types; j++)
   4.854 +            if (chwall_bin_pol.
   4.855 +                conflict_sets[i * chwall_bin_pol.max_types + j]
   4.856 +                && !chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.857 +                                           chwall_bin_pol.max_types + j])
   4.858 +                chwall_bin_pol.conflict_aggregate_set[j]--;
   4.859 +    }
   4.860 +    read_unlock(&acm_bin_pol_rwlock);
   4.861  }
   4.862  
   4.863  
   4.864 -static void
   4.865 -chwall_post_domain_destroy(void *object_ssid, domid_t id) 
   4.866 +static void chwall_post_domain_destroy(void *object_ssid, domid_t id)
   4.867  {
   4.868 -	int i,j;
   4.869 -	struct chwall_ssid *chwall_ssidp = 
   4.870 -		GET_SSIDP(ACM_CHINESE_WALL_POLICY, (struct acm_ssid_domain *)object_ssid);
   4.871 -	ssidref_t chwall_ssidref = chwall_ssidp->chwall_ssidref;
   4.872 +    int i, j;
   4.873 +    struct chwall_ssid *chwall_ssidp = GET_SSIDP(ACM_CHINESE_WALL_POLICY,
   4.874 +                                                 (struct acm_ssid_domain *)
   4.875 +                                                 object_ssid);
   4.876 +    ssidref_t chwall_ssidref = chwall_ssidp->chwall_ssidref;
   4.877  
   4.878 -	traceprintk("%s.\n", __func__);
   4.879 +    traceprintk("%s.\n", __func__);
   4.880  
   4.881 -	read_lock(&acm_bin_pol_rwlock);
   4.882 -	/* adjust running types set */
   4.883 -	for (i=0; i< chwall_bin_pol.max_types; i++)
   4.884 -		chwall_bin_pol.running_types[i] -=
   4.885 -			chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + i];
   4.886 +    read_lock(&acm_bin_pol_rwlock);
   4.887 +    /* adjust running types set */
   4.888 +    for (i = 0; i < chwall_bin_pol.max_types; i++)
   4.889 +        chwall_bin_pol.running_types[i] -=
   4.890 +            chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.891 +                                   chwall_bin_pol.max_types + i];
   4.892  
   4.893 -	/* roll-back: re-adjust conflicting types aggregate */
   4.894 -	for (i=0; i<chwall_bin_pol.max_conflictsets; i++) {
   4.895 -		int common = 0;
   4.896 -		/* check if conflict_set_i and ssidref have common types */
   4.897 -		for (j=0; j<chwall_bin_pol.max_types; j++)
   4.898 -			if (chwall_bin_pol.conflict_sets[i*chwall_bin_pol.max_types + j] &&
   4.899 -			    chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + j]) {
   4.900 -				common = 1;
   4.901 -				break;
   4.902 -			}
   4.903 -		if (common == 0)
   4.904 -			continue; /* try next conflict set, this one does not include any type of chwall_ssidref */
   4.905 -		/* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.906 -		for (j=0; j<chwall_bin_pol.max_types; j++)
   4.907 -			if (chwall_bin_pol.conflict_sets[i*chwall_bin_pol.max_types + j] &&
   4.908 -			    !chwall_bin_pol.ssidrefs[chwall_ssidref*chwall_bin_pol.max_types + j])
   4.909 -				chwall_bin_pol.conflict_aggregate_set[j]--;
   4.910 -	}
   4.911 -	read_unlock(&acm_bin_pol_rwlock);
   4.912 -	return;
   4.913 +    /* roll-back: re-adjust conflicting types aggregate */
   4.914 +    for (i = 0; i < chwall_bin_pol.max_conflictsets; i++)
   4.915 +    {
   4.916 +        int common = 0;
   4.917 +        /* check if conflict_set_i and ssidref have common types */
   4.918 +        for (j = 0; j < chwall_bin_pol.max_types; j++)
   4.919 +            if (chwall_bin_pol.
   4.920 +                conflict_sets[i * chwall_bin_pol.max_types + j]
   4.921 +                && chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.922 +                                          chwall_bin_pol.max_types + j])
   4.923 +            {
   4.924 +                common = 1;
   4.925 +                break;
   4.926 +            }
   4.927 +        if (common == 0)
   4.928 +            continue;           /* try next conflict set, this one does not include any type of chwall_ssidref */
   4.929 +        /* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   4.930 +        for (j = 0; j < chwall_bin_pol.max_types; j++)
   4.931 +            if (chwall_bin_pol.
   4.932 +                conflict_sets[i * chwall_bin_pol.max_types + j]
   4.933 +                && !chwall_bin_pol.ssidrefs[chwall_ssidref *
   4.934 +                                           chwall_bin_pol.max_types + j])
   4.935 +                chwall_bin_pol.conflict_aggregate_set[j]--;
   4.936 +    }
   4.937 +    read_unlock(&acm_bin_pol_rwlock);
   4.938 +    return;
   4.939  }
   4.940  
   4.941  struct acm_operations acm_chinesewall_ops = {
   4.942 -	/* policy management services */
   4.943 -	.init_domain_ssid		= chwall_init_domain_ssid,
   4.944 -	.free_domain_ssid		= chwall_free_domain_ssid,
   4.945 -	.dump_binary_policy		= chwall_dump_policy,
   4.946 -	.set_binary_policy		= chwall_set_policy,
   4.947 -	.dump_statistics		= chwall_dump_stats,
   4.948 -    .dump_ssid_types        = chwall_dump_ssid_types,
   4.949 -	/* domain management control hooks */
   4.950 -	.pre_domain_create     		= chwall_pre_domain_create,
   4.951 -	.post_domain_create		= chwall_post_domain_create,
   4.952 -	.fail_domain_create		= chwall_fail_domain_create,
   4.953 -	.post_domain_destroy		= chwall_post_domain_destroy,
   4.954 -	/* event channel control hooks */
   4.955 -	.pre_eventchannel_unbound      	= NULL,
   4.956 -	.fail_eventchannel_unbound	= NULL,
   4.957 -	.pre_eventchannel_interdomain	= NULL,
   4.958 -	.fail_eventchannel_interdomain  = NULL,
   4.959 -	/* grant table control hooks */
   4.960 -	.pre_grant_map_ref       	= NULL,
   4.961 -	.fail_grant_map_ref		= NULL,
   4.962 -	.pre_grant_setup	       	= NULL,
   4.963 -	.fail_grant_setup		= NULL,
   4.964 +    /* policy management services */
   4.965 +    .init_domain_ssid = chwall_init_domain_ssid,
   4.966 +    .free_domain_ssid = chwall_free_domain_ssid,
   4.967 +    .dump_binary_policy = chwall_dump_policy,
   4.968 +    .set_binary_policy = chwall_set_policy,
   4.969 +    .dump_statistics = chwall_dump_stats,
   4.970 +    .dump_ssid_types = chwall_dump_ssid_types,
   4.971 +    /* domain management control hooks */
   4.972 +    .pre_domain_create = chwall_pre_domain_create,
   4.973 +    .post_domain_create = chwall_post_domain_create,
   4.974 +    .fail_domain_create = chwall_fail_domain_create,
   4.975 +    .post_domain_destroy = chwall_post_domain_destroy,
   4.976 +    /* event channel control hooks */
   4.977 +    .pre_eventchannel_unbound = NULL,
   4.978 +    .fail_eventchannel_unbound = NULL,
   4.979 +    .pre_eventchannel_interdomain = NULL,
   4.980 +    .fail_eventchannel_interdomain = NULL,
   4.981 +    /* grant table control hooks */
   4.982 +    .pre_grant_map_ref = NULL,
   4.983 +    .fail_grant_map_ref = NULL,
   4.984 +    .pre_grant_setup = NULL,
   4.985 +    .fail_grant_setup = NULL,
   4.986 +    /* generic domain-requested decision hooks */
   4.987 +    .sharing = NULL,
   4.988  };
   4.989 +
   4.990 +/*
   4.991 + * Local variables:
   4.992 + * mode: C
   4.993 + * c-set-style: "BSD"
   4.994 + * c-basic-offset: 4
   4.995 + * tab-width: 4
   4.996 + * indent-tabs-mode: nil
   4.997 + * End:
   4.998 + */
     5.1 --- a/xen/acm/acm_core.c	Thu Oct 20 19:37:41 2005 +0100
     5.2 +++ b/xen/acm/acm_core.c	Thu Oct 20 21:37:15 2005 +0100
     5.3 @@ -47,7 +47,7 @@ void acm_init_chwall_policy(void);
     5.4  void acm_init_ste_policy(void);
     5.5  
     5.6  extern struct acm_operations acm_chinesewall_ops, 
     5.7 -	acm_simple_type_enforcement_ops, acm_null_ops;
     5.8 +    acm_simple_type_enforcement_ops, acm_null_ops;
     5.9  
    5.10  /* global ops structs called by the hooks */
    5.11  struct acm_operations *acm_primary_ops = NULL;
    5.12 @@ -66,7 +66,7 @@ void acm_set_endian(void)
    5.13      u32 test = 1;
    5.14      if (*((u8 *)&test) == 1)
    5.15      {
    5.16 -      	printk("ACM module running in LITTLE ENDIAN.\n");
    5.17 +        printk("ACM module running in LITTLE ENDIAN.\n");
    5.18          little_endian = 1;
    5.19      }
    5.20      else
    5.21 @@ -80,10 +80,10 @@ void acm_set_endian(void)
    5.22  static void
    5.23  acm_init_binary_policy(void *primary, void *secondary)
    5.24  {
    5.25 -	acm_bin_pol.primary_policy_code = 0;
    5.26 -	acm_bin_pol.secondary_policy_code = 0;
    5.27 -	acm_bin_pol.primary_binary_policy = primary;
    5.28 -	acm_bin_pol.secondary_binary_policy = secondary;
    5.29 +    acm_bin_pol.primary_policy_code = 0;
    5.30 +    acm_bin_pol.secondary_policy_code = 0;
    5.31 +    acm_bin_pol.primary_binary_policy = primary;
    5.32 +    acm_bin_pol.secondary_binary_policy = secondary;
    5.33  }
    5.34  
    5.35  static int
    5.36 @@ -96,7 +96,7 @@ acm_setup(unsigned int *initrdidx,
    5.37      int rc = ACM_OK;
    5.38  
    5.39      if (mbi->mods_count > 1)
    5.40 -	    *initrdidx = 1;
    5.41 +        *initrdidx = 1;
    5.42  
    5.43      /*
    5.44       * Try all modules and see whichever could be the binary policy.
    5.45 @@ -115,14 +115,14 @@ acm_setup(unsigned int *initrdidx,
    5.46  #error Architecture unsupported by sHype
    5.47  #endif
    5.48          _policy_len   = mod[i].mod_end - mod[i].mod_start;
    5.49 -	if (_policy_len < sizeof(struct acm_policy_buffer))
    5.50 -		continue; /* not a policy */
    5.51 +        if (_policy_len < sizeof(struct acm_policy_buffer))
    5.52 +            continue; /* not a policy */
    5.53  
    5.54          pol = (struct acm_policy_buffer *)_policy_start;
    5.55          if (ntohl(pol->magic) == ACM_MAGIC)
    5.56          {
    5.57              rc = acm_set_policy((void *)_policy_start,
    5.58 -                                (u16)_policy_len,
    5.59 +                                (u32)_policy_len,
    5.60                                  0);
    5.61              if (rc == ACM_OK)
    5.62              {
    5.63 @@ -145,7 +145,7 @@ acm_setup(unsigned int *initrdidx,
    5.64              }
    5.65              else
    5.66              {
    5.67 -            	printk("Invalid policy. %d.th module line.\n", i+1);
    5.68 +                printk("Invalid policy. %d.th module line.\n", i+1);
    5.69              }
    5.70          } /* end if a binary policy definition, i.e., (ntohl(pol->magic) == ACM_MAGIC ) */
    5.71      }
    5.72 @@ -158,10 +158,10 @@ acm_init(unsigned int *initrdidx,
    5.73           const multiboot_info_t *mbi,
    5.74           unsigned long initial_images_start)
    5.75  {
    5.76 -	int ret = ACM_OK;
    5.77 +    int ret = ACM_OK;
    5.78  
    5.79      acm_set_endian();
    5.80 -	write_lock(&acm_bin_pol_rwlock);
    5.81 +    write_lock(&acm_bin_pol_rwlock);
    5.82      acm_init_binary_policy(NULL, NULL);
    5.83  
    5.84      /* set primary policy component */
    5.85 @@ -170,14 +170,14 @@ acm_init(unsigned int *initrdidx,
    5.86  
    5.87      case ACM_CHINESE_WALL_POLICY:
    5.88          acm_init_chwall_policy();
    5.89 -		acm_bin_pol.primary_policy_code = ACM_CHINESE_WALL_POLICY;
    5.90 -		acm_primary_ops = &acm_chinesewall_ops;
    5.91 +        acm_bin_pol.primary_policy_code = ACM_CHINESE_WALL_POLICY;
    5.92 +        acm_primary_ops = &acm_chinesewall_ops;
    5.93          break;
    5.94  
    5.95      case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
    5.96          acm_init_ste_policy();
    5.97 -		acm_bin_pol.primary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY;
    5.98 -		acm_primary_ops = &acm_simple_type_enforcement_ops;
    5.99 +        acm_bin_pol.primary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY;
   5.100 +        acm_primary_ops = &acm_simple_type_enforcement_ops;
   5.101          break;
   5.102  
   5.103      default:
   5.104 @@ -190,9 +190,9 @@ acm_init(unsigned int *initrdidx,
   5.105      /* secondary policy component part */
   5.106      switch ((ACM_USE_SECURITY_POLICY) >> 4) {
   5.107      case ACM_NULL_POLICY:
   5.108 -		acm_bin_pol.secondary_policy_code = ACM_NULL_POLICY;
   5.109 -		acm_secondary_ops = &acm_null_ops;
   5.110 -		break;
   5.111 +        acm_bin_pol.secondary_policy_code = ACM_NULL_POLICY;
   5.112 +        acm_secondary_ops = &acm_null_ops;
   5.113 +        break;
   5.114  
   5.115      case ACM_CHINESE_WALL_POLICY:
   5.116          if (acm_bin_pol.primary_policy_code == ACM_CHINESE_WALL_POLICY)
   5.117 @@ -200,9 +200,9 @@ acm_init(unsigned int *initrdidx,
   5.118              ret = -EINVAL;
   5.119              goto out;
   5.120          }
   5.121 -		acm_init_chwall_policy();
   5.122 +        acm_init_chwall_policy();
   5.123          acm_bin_pol.secondary_policy_code = ACM_CHINESE_WALL_POLICY;
   5.124 -		acm_secondary_ops = &acm_chinesewall_ops;
   5.125 +        acm_secondary_ops = &acm_chinesewall_ops;
   5.126          break;
   5.127  
   5.128      case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
   5.129 @@ -211,9 +211,9 @@ acm_init(unsigned int *initrdidx,
   5.130              ret = -EINVAL;
   5.131              goto out;
   5.132          }
   5.133 -		acm_init_ste_policy();
   5.134 -		acm_bin_pol.secondary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY;
   5.135 -		acm_secondary_ops = &acm_simple_type_enforcement_ops;
   5.136 +        acm_init_ste_policy();
   5.137 +        acm_bin_pol.secondary_policy_code = ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY;
   5.138 +        acm_secondary_ops = &acm_simple_type_enforcement_ops;
   5.139          break;
   5.140  
   5.141      default:
   5.142 @@ -222,96 +222,103 @@ acm_init(unsigned int *initrdidx,
   5.143      }
   5.144  
   5.145   out:
   5.146 -	write_unlock(&acm_bin_pol_rwlock);
   5.147 +    write_unlock(&acm_bin_pol_rwlock);
   5.148  
   5.149 -	if (ret != ACM_OK)
   5.150 +    if (ret != ACM_OK)
   5.151      {
   5.152 -        printk("%s: Error setting policies.\n", __func__);
   5.153 +        printk("%s: Error initializing policies.\n", __func__);
   5.154          /* here one could imagine a clean panic */
   5.155 -		return -EINVAL;
   5.156 -	}
   5.157 -	acm_setup(initrdidx, mbi, initial_images_start);
   5.158 -	printk("%s: Enforcing Primary %s, Secondary %s.\n", __func__, 
   5.159 -	       ACM_POLICY_NAME(acm_bin_pol.primary_policy_code),
   5.160 +        return -EINVAL;
   5.161 +    }
   5.162 +    if (acm_setup(initrdidx, mbi, initial_images_start) != ACM_OK)
   5.163 +    {
   5.164 +        printk("%s: Error loading policy at boot time.\n", __func__);
   5.165 +        /* ignore, just continue with the minimal hardcoded startup policy */
   5.166 +    }
   5.167 +    printk("%s: Enforcing Primary %s, Secondary %s.\n", __func__, 
   5.168 +           ACM_POLICY_NAME(acm_bin_pol.primary_policy_code),
   5.169             ACM_POLICY_NAME(acm_bin_pol.secondary_policy_code));
   5.170 -	return ret;
   5.171 +    return ret;
   5.172  }
   5.173  
   5.174  int
   5.175  acm_init_domain_ssid(domid_t id, ssidref_t ssidref)
   5.176  {
   5.177 -	struct acm_ssid_domain *ssid;
   5.178 -	struct domain *subj = find_domain_by_id(id);
   5.179 -	int ret1, ret2;
   5.180 -	
   5.181 -	if (subj == NULL)
   5.182 +    struct acm_ssid_domain *ssid;
   5.183 +    struct domain *subj = find_domain_by_id(id);
   5.184 +    int ret1, ret2;
   5.185 + 
   5.186 +    if (subj == NULL)
   5.187      {
   5.188 -		printk("%s: ACM_NULL_POINTER ERROR (id=%x).\n", __func__, id);
   5.189 -		return ACM_NULL_POINTER_ERROR;
   5.190 -	}
   5.191 -	if ((ssid = xmalloc(struct acm_ssid_domain)) == NULL)
   5.192 -		return ACM_INIT_SSID_ERROR;
   5.193 +        printk("%s: ACM_NULL_POINTER ERROR (id=%x).\n", __func__, id);
   5.194 +        return ACM_NULL_POINTER_ERROR;
   5.195 +    }
   5.196 +    if ((ssid = xmalloc(struct acm_ssid_domain)) == NULL)
   5.197 +        return ACM_INIT_SSID_ERROR;
   5.198  
   5.199 -	ssid->datatype       = DOMAIN;
   5.200 -	ssid->subject  	     = subj;
   5.201 -	ssid->domainid	     = subj->domain_id;
   5.202 -	ssid->primary_ssid   = NULL;
   5.203 -	ssid->secondary_ssid = NULL;
   5.204 +    ssid->datatype       = DOMAIN;
   5.205 +    ssid->subject        = subj;
   5.206 +    ssid->domainid      = subj->domain_id;
   5.207 +    ssid->primary_ssid   = NULL;
   5.208 +    ssid->secondary_ssid = NULL;
   5.209  
   5.210 -	if (ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY)
   5.211 -		ssid->ssidref = ssidref;
   5.212 -	else
   5.213 -		ssid->ssidref = ACM_DEFAULT_SSID;
   5.214 +    if (ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY)
   5.215 +        ssid->ssidref = ssidref;
   5.216 +    else
   5.217 +        ssid->ssidref = ACM_DEFAULT_SSID;
   5.218  
   5.219 -	subj->ssid           = ssid;
   5.220 -	/* now fill in primary and secondary parts; we only get here through hooks */
   5.221 -	if (acm_primary_ops->init_domain_ssid != NULL)
   5.222 -		ret1 = acm_primary_ops->init_domain_ssid(&(ssid->primary_ssid), ssidref);
   5.223 -	else
   5.224 -		ret1 = ACM_OK;
   5.225 +    subj->ssid           = ssid;
   5.226 +    /* now fill in primary and secondary parts; we only get here through hooks */
   5.227 +    if (acm_primary_ops->init_domain_ssid != NULL)
   5.228 +        ret1 = acm_primary_ops->init_domain_ssid(&(ssid->primary_ssid), ssidref);
   5.229 +    else
   5.230 +        ret1 = ACM_OK;
   5.231  
   5.232 -	if (acm_secondary_ops->init_domain_ssid != NULL)
   5.233 -		ret2 = acm_secondary_ops->init_domain_ssid(&(ssid->secondary_ssid), ssidref);
   5.234 -	else
   5.235 -		ret2 = ACM_OK;
   5.236 +    if (acm_secondary_ops->init_domain_ssid != NULL)
   5.237 +        ret2 = acm_secondary_ops->init_domain_ssid(&(ssid->secondary_ssid), ssidref);
   5.238 +    else
   5.239 +        ret2 = ACM_OK;
   5.240  
   5.241 -	if ((ret1 != ACM_OK) || (ret2 != ACM_OK))
   5.242 +    if ((ret1 != ACM_OK) || (ret2 != ACM_OK))
   5.243      {
   5.244 -		printk("%s: ERROR instantiating individual ssids for domain 0x%02x.\n",
   5.245 -		       __func__, subj->domain_id);
   5.246 -		acm_free_domain_ssid(ssid);	
   5.247 -	        put_domain(subj);
   5.248 -		return ACM_INIT_SSID_ERROR;
   5.249 -	}
   5.250 -	printk("%s: assigned domain %x the ssidref=%x.\n",
   5.251 +        printk("%s: ERROR instantiating individual ssids for domain 0x%02x.\n",
   5.252 +               __func__, subj->domain_id);
   5.253 +        acm_free_domain_ssid(ssid); 
   5.254 +        put_domain(subj);
   5.255 +        return ACM_INIT_SSID_ERROR;
   5.256 +    }
   5.257 +    printk("%s: assigned domain %x the ssidref=%x.\n",
   5.258             __func__, id, ssid->ssidref);
   5.259 -	put_domain(subj);
   5.260 -	return ACM_OK;
   5.261 +    put_domain(subj);
   5.262 +    return ACM_OK;
   5.263  }
   5.264  
   5.265  
   5.266 -int
   5.267 +void
   5.268  acm_free_domain_ssid(struct acm_ssid_domain *ssid)
   5.269  {
   5.270 -	domid_t id;
   5.271 -
   5.272 -	/* domain is already gone, just ssid is left */
   5.273 -	if (ssid == NULL)
   5.274 -    {
   5.275 -		printk("%s: ACM_NULL_POINTER ERROR.\n", __func__);
   5.276 -		return ACM_NULL_POINTER_ERROR;
   5.277 -	}
   5.278 -    id = ssid->domainid;
   5.279 -	ssid->subject  	     = NULL;
   5.280 +    /* domain is already gone, just ssid is left */
   5.281 +    if (ssid == NULL)
   5.282 +        return;
   5.283  
   5.284 -	if (acm_primary_ops->free_domain_ssid != NULL) /* null policy */
   5.285 -		acm_primary_ops->free_domain_ssid(ssid->primary_ssid);
   5.286 -	ssid->primary_ssid = NULL;
   5.287 -	if (acm_secondary_ops->free_domain_ssid != NULL)
   5.288 -		acm_secondary_ops->free_domain_ssid(ssid->secondary_ssid);
   5.289 -	ssid->secondary_ssid = NULL;
   5.290 -	xfree(ssid);
   5.291 -	printkd("%s: Freed individual domain ssid (domain=%02x).\n",
   5.292 +    ssid->subject = NULL;
   5.293 +    if (acm_primary_ops->free_domain_ssid != NULL) /* null policy */
   5.294 +        acm_primary_ops->free_domain_ssid(ssid->primary_ssid);
   5.295 +    ssid->primary_ssid = NULL;
   5.296 +    if (acm_secondary_ops->free_domain_ssid != NULL)
   5.297 +        acm_secondary_ops->free_domain_ssid(ssid->secondary_ssid);
   5.298 +    ssid->secondary_ssid = NULL;
   5.299 +    xfree(ssid);
   5.300 +    printkd("%s: Freed individual domain ssid (domain=%02x).\n",
   5.301              __func__, id);
   5.302 -	return ACM_OK;
   5.303  }
   5.304 +
   5.305 +/*
   5.306 + * Local variables:
   5.307 + * mode: C
   5.308 + * c-set-style: "BSD"
   5.309 + * c-basic-offset: 4
   5.310 + * tab-width: 4
   5.311 + * indent-tabs-mode: nil
   5.312 + * End:
   5.313 + */
     6.1 --- a/xen/acm/acm_null_hooks.c	Thu Oct 20 19:37:41 2005 +0100
     6.2 +++ b/xen/acm/acm_null_hooks.c	Thu Oct 20 21:37:15 2005 +0100
     6.3 @@ -11,37 +11,38 @@
     6.4   * published by the Free Software Foundation, version 2 of the
     6.5   * License.
     6.6   */
     6.7 +
     6.8  #include <acm/acm_hooks.h>
     6.9  
    6.10  static int
    6.11  null_init_domain_ssid(void **ssid, ssidref_t ssidref)
    6.12  {
    6.13 -	return ACM_OK;
    6.14 +    return ACM_OK;
    6.15  }
    6.16  
    6.17  static void
    6.18  null_free_domain_ssid(void *ssid)
    6.19  {
    6.20 -	return;
    6.21 +    return;
    6.22  }
    6.23  
    6.24  static int
    6.25 -null_dump_binary_policy(u8 *buf, u16 buf_size) 
    6.26 -{	
    6.27 -	return 0;
    6.28 +null_dump_binary_policy(u8 *buf, u32 buf_size)
    6.29 +{ 
    6.30 +    return 0;
    6.31  }
    6.32  
    6.33  static int
    6.34 -null_set_binary_policy(u8 *buf, u16 buf_size) 
    6.35 -{	
    6.36 -	return ACM_OK;
    6.37 +null_set_binary_policy(u8 *buf, u32 buf_size)
    6.38 +{ 
    6.39 +    return ACM_OK;
    6.40  }
    6.41 -	
    6.42 + 
    6.43  static int 
    6.44  null_dump_stats(u8 *buf, u16 buf_size)
    6.45  {
    6.46 -	/* no stats for NULL policy */
    6.47 -	return 0;
    6.48 +    /* no stats for NULL policy */
    6.49 +    return 0;
    6.50  }
    6.51  
    6.52  static int
    6.53 @@ -54,25 +55,35 @@ null_dump_ssid_types(ssidref_t ssidref, 
    6.54  
    6.55  /* now define the hook structure similarly to LSM */
    6.56  struct acm_operations acm_null_ops = {
    6.57 -	.init_domain_ssid		= null_init_domain_ssid,
    6.58 -	.free_domain_ssid		= null_free_domain_ssid,
    6.59 -	.dump_binary_policy           	= null_dump_binary_policy,
    6.60 -	.set_binary_policy		= null_set_binary_policy,
    6.61 -	.dump_statistics	        = null_dump_stats,
    6.62 -    .dump_ssid_types        = null_dump_ssid_types,
    6.63 -	/* domain management control hooks */
    6.64 -	.pre_domain_create     		= NULL,
    6.65 -	.post_domain_create		= NULL,
    6.66 -	.fail_domain_create		= NULL,
    6.67 -	.post_domain_destroy		= NULL,
    6.68 -	/* event channel control hooks */
    6.69 -	.pre_eventchannel_unbound      	= NULL,
    6.70 -	.fail_eventchannel_unbound	= NULL,
    6.71 -	.pre_eventchannel_interdomain	= NULL,
    6.72 -	.fail_eventchannel_interdomain	= NULL,
    6.73 -	/* grant table control hooks */
    6.74 -	.pre_grant_map_ref       	= NULL,
    6.75 -	.fail_grant_map_ref		= NULL,
    6.76 -	.pre_grant_setup	       	= NULL,
    6.77 -	.fail_grant_setup		= NULL
    6.78 +    .init_domain_ssid = null_init_domain_ssid,
    6.79 +    .free_domain_ssid = null_free_domain_ssid,
    6.80 +    .dump_binary_policy = null_dump_binary_policy,
    6.81 +    .set_binary_policy = null_set_binary_policy,
    6.82 +    .dump_statistics = null_dump_stats,
    6.83 +    .dump_ssid_types = null_dump_ssid_types,
    6.84 +    /* domain management control hooks */
    6.85 +    .pre_domain_create = NULL,
    6.86 +    .post_domain_create = NULL,
    6.87 +    .fail_domain_create = NULL,
    6.88 +    .post_domain_destroy = NULL,
    6.89 +    /* event channel control hooks */
    6.90 +    .pre_eventchannel_unbound = NULL,
    6.91 +    .fail_eventchannel_unbound = NULL,
    6.92 +    .pre_eventchannel_interdomain = NULL,
    6.93 +    .fail_eventchannel_interdomain = NULL,
    6.94 +    /* grant table control hooks */
    6.95 +    .pre_grant_map_ref = NULL,
    6.96 +    .fail_grant_map_ref = NULL,
    6.97 +    .pre_grant_setup = NULL,
    6.98 +    .fail_grant_setup = NULL
    6.99  };
   6.100 +
   6.101 +/*
   6.102 + * Local variables:
   6.103 + * mode: C
   6.104 + * c-set-style: "BSD"
   6.105 + * c-basic-offset: 4
   6.106 + * tab-width: 4
   6.107 + * indent-tabs-mode: nil
   6.108 + * End:
   6.109 + */
     7.1 --- a/xen/acm/acm_policy.c	Thu Oct 20 19:37:41 2005 +0100
     7.2 +++ b/xen/acm/acm_policy.c	Thu Oct 20 21:37:15 2005 +0100
     7.3 @@ -32,165 +32,166 @@
     7.4  #include <acm/acm_endian.h>
     7.5  
     7.6  int
     7.7 -acm_set_policy(void *buf, u16 buf_size, int isuserbuffer)
     7.8 +acm_set_policy(void *buf, u32 buf_size, int isuserbuffer)
     7.9  {
    7.10 -	u8 *policy_buffer = NULL;
    7.11 -	struct acm_policy_buffer *pol;
    7.12 -	
    7.13 +    u8 *policy_buffer = NULL;
    7.14 +    struct acm_policy_buffer *pol;
    7.15 + 
    7.16      if (buf_size < sizeof(struct acm_policy_buffer))
    7.17 -		return -EFAULT;
    7.18 +        return -EFAULT;
    7.19  
    7.20 -	/* 1. copy buffer from domain */
    7.21 -	if ((policy_buffer = xmalloc_array(u8, buf_size)) == NULL)
    7.22 -	    return -ENOMEM;
    7.23 +    /* 1. copy buffer from domain */
    7.24 +    if ((policy_buffer = xmalloc_array(u8, buf_size)) == NULL)
    7.25 +        return -ENOMEM;
    7.26  
    7.27 -	if (isuserbuffer) {
    7.28 -		if (copy_from_user(policy_buffer, buf, buf_size))
    7.29 +    if (isuserbuffer) {
    7.30 +        if (copy_from_user(policy_buffer, buf, buf_size))
    7.31          {
    7.32 -			printk("%s: Error copying!\n",__func__);
    7.33 -			goto error_free;
    7.34 -		}
    7.35 -	} else
    7.36 -		memcpy(policy_buffer, buf, buf_size);
    7.37 +            printk("%s: Error copying!\n",__func__);
    7.38 +            goto error_free;
    7.39 +        }
    7.40 +    } else
    7.41 +        memcpy(policy_buffer, buf, buf_size);
    7.42  
    7.43 -	/* 2. some sanity checking */
    7.44 -	pol = (struct acm_policy_buffer *)policy_buffer;
    7.45 +    /* 2. some sanity checking */
    7.46 +    pol = (struct acm_policy_buffer *)policy_buffer;
    7.47  
    7.48 -	if ((ntohl(pol->magic) != ACM_MAGIC) || 
    7.49 -	    (ntohl(pol->policy_version) != ACM_POLICY_VERSION) ||
    7.50 -	    (ntohl(pol->primary_policy_code) != acm_bin_pol.primary_policy_code) ||
    7.51 -	    (ntohl(pol->secondary_policy_code) != acm_bin_pol.secondary_policy_code))
    7.52 +    if ((ntohl(pol->magic) != ACM_MAGIC) || 
    7.53 +        (ntohl(pol->policy_version) != ACM_POLICY_VERSION) ||
    7.54 +        (ntohl(pol->primary_policy_code) != acm_bin_pol.primary_policy_code) ||
    7.55 +        (ntohl(pol->secondary_policy_code) != acm_bin_pol.secondary_policy_code))
    7.56      {
    7.57 -		printkd("%s: Wrong policy magics or versions!\n", __func__);
    7.58 -		goto error_free;
    7.59 -	}
    7.60 -	if (buf_size != ntohl(pol->len))
    7.61 +        printkd("%s: Wrong policy magics or versions!\n", __func__);
    7.62 +        goto error_free;
    7.63 +    }
    7.64 +    if (buf_size != ntohl(pol->len))
    7.65      {
    7.66 -		printk("%s: ERROR in buf size.\n", __func__);
    7.67 -		goto error_free;
    7.68 -	}
    7.69 +        printk("%s: ERROR in buf size.\n", __func__);
    7.70 +        goto error_free;
    7.71 +    }
    7.72  
    7.73 -	/* get bin_policy lock and rewrite policy (release old one) */
    7.74 -	write_lock(&acm_bin_pol_rwlock);
    7.75 +    /* get bin_policy lock and rewrite policy (release old one) */
    7.76 +    write_lock(&acm_bin_pol_rwlock);
    7.77  
    7.78 -	/* 3. set primary policy data */
    7.79 -	if (acm_primary_ops->set_binary_policy(buf + ntohl(pol->primary_buffer_offset),
    7.80 -                                               ntohl(pol->secondary_buffer_offset) -
    7.81 -					       ntohl(pol->primary_buffer_offset)))
    7.82 -		goto error_lock_free;
    7.83 +    /* 3. set primary policy data */
    7.84 +    if (acm_primary_ops->set_binary_policy(buf + ntohl(pol->primary_buffer_offset),
    7.85 +                                           ntohl(pol->secondary_buffer_offset) -
    7.86 +                                           ntohl(pol->primary_buffer_offset)))
    7.87 +        goto error_lock_free;
    7.88  
    7.89 -	/* 4. set secondary policy data */
    7.90 -	if (acm_secondary_ops->set_binary_policy(buf + ntohl(pol->secondary_buffer_offset),
    7.91 -						 ntohl(pol->len) - 
    7.92 -						 ntohl(pol->secondary_buffer_offset)))
    7.93 -		goto error_lock_free;
    7.94 +    /* 4. set secondary policy data */
    7.95 +    if (acm_secondary_ops->set_binary_policy(buf + ntohl(pol->secondary_buffer_offset),
    7.96 +                                             ntohl(pol->len) - 
    7.97 +                                             ntohl(pol->secondary_buffer_offset)))
    7.98 +        goto error_lock_free;
    7.99  
   7.100 -	write_unlock(&acm_bin_pol_rwlock);
   7.101 -	xfree(policy_buffer);
   7.102 -	return ACM_OK;
   7.103 +    write_unlock(&acm_bin_pol_rwlock);
   7.104 +    xfree(policy_buffer);
   7.105 +    return ACM_OK;
   7.106  
   7.107   error_lock_free:
   7.108 -	write_unlock(&acm_bin_pol_rwlock);
   7.109 +    write_unlock(&acm_bin_pol_rwlock);
   7.110   error_free:
   7.111 -	printk("%s: Error setting policy.\n", __func__);
   7.112 +    printk("%s: Error setting policy.\n", __func__);
   7.113      xfree(policy_buffer);
   7.114 -	return -EFAULT;
   7.115 +    return -EFAULT;
   7.116  }
   7.117  
   7.118  int
   7.119 -acm_get_policy(void *buf, u16 buf_size)
   7.120 -{	
   7.121 -     u8 *policy_buffer;
   7.122 -     int ret;
   7.123 -     struct acm_policy_buffer *bin_pol;
   7.124 -	
   7.125 +acm_get_policy(void *buf, u32 buf_size)
   7.126 +{ 
   7.127 +    u8 *policy_buffer;
   7.128 +    int ret;
   7.129 +    struct acm_policy_buffer *bin_pol;
   7.130 + 
   7.131      if (buf_size < sizeof(struct acm_policy_buffer))
   7.132 -		return -EFAULT;
   7.133 +        return -EFAULT;
   7.134  
   7.135 -     if ((policy_buffer = xmalloc_array(u8, buf_size)) == NULL)
   7.136 -	    return -ENOMEM;
   7.137 +    if ((policy_buffer = xmalloc_array(u8, buf_size)) == NULL)
   7.138 +        return -ENOMEM;
   7.139  
   7.140 -     read_lock(&acm_bin_pol_rwlock);
   7.141 +    read_lock(&acm_bin_pol_rwlock);
   7.142  
   7.143 -     bin_pol = (struct acm_policy_buffer *)policy_buffer;
   7.144 -     bin_pol->magic = htonl(ACM_MAGIC);
   7.145 -     bin_pol->primary_policy_code = htonl(acm_bin_pol.primary_policy_code);
   7.146 -     bin_pol->secondary_policy_code = htonl(acm_bin_pol.secondary_policy_code);
   7.147 +    bin_pol = (struct acm_policy_buffer *)policy_buffer;
   7.148 +    bin_pol->magic = htonl(ACM_MAGIC);
   7.149 +    bin_pol->primary_policy_code = htonl(acm_bin_pol.primary_policy_code);
   7.150 +    bin_pol->secondary_policy_code = htonl(acm_bin_pol.secondary_policy_code);
   7.151  
   7.152 -     bin_pol->len = htonl(sizeof(struct acm_policy_buffer));
   7.153 -     bin_pol->primary_buffer_offset = htonl(ntohl(bin_pol->len));
   7.154 -     bin_pol->secondary_buffer_offset = htonl(ntohl(bin_pol->len));
   7.155 +    bin_pol->len = htonl(sizeof(struct acm_policy_buffer));
   7.156 +    bin_pol->primary_buffer_offset = htonl(ntohl(bin_pol->len));
   7.157 +    bin_pol->secondary_buffer_offset = htonl(ntohl(bin_pol->len));
   7.158       
   7.159 -     ret = acm_primary_ops->dump_binary_policy (policy_buffer + ntohl(bin_pol->primary_buffer_offset),
   7.160 -				       buf_size - ntohl(bin_pol->primary_buffer_offset));
   7.161 -     if (ret < 0)
   7.162 -         goto error_free_unlock;
   7.163 +    ret = acm_primary_ops->dump_binary_policy (policy_buffer + ntohl(bin_pol->primary_buffer_offset),
   7.164 +                                               buf_size - ntohl(bin_pol->primary_buffer_offset));
   7.165 +    if (ret < 0)
   7.166 +        goto error_free_unlock;
   7.167  
   7.168 -     bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
   7.169 -     bin_pol->secondary_buffer_offset = htonl(ntohl(bin_pol->len));
   7.170 +    bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
   7.171 +    bin_pol->secondary_buffer_offset = htonl(ntohl(bin_pol->len));
   7.172  
   7.173 -     ret = acm_secondary_ops->dump_binary_policy(policy_buffer + ntohl(bin_pol->secondary_buffer_offset),
   7.174 -				    buf_size - ntohl(bin_pol->secondary_buffer_offset));
   7.175 -     if (ret < 0)
   7.176 -         goto error_free_unlock;
   7.177 +    ret = acm_secondary_ops->dump_binary_policy(policy_buffer + ntohl(bin_pol->secondary_buffer_offset),
   7.178 +                                                buf_size - ntohl(bin_pol->secondary_buffer_offset));
   7.179 +    if (ret < 0)
   7.180 +        goto error_free_unlock;
   7.181  
   7.182 -     bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
   7.183 -     if (copy_to_user(buf, policy_buffer, ntohl(bin_pol->len)))
   7.184 -	     goto error_free_unlock;
   7.185 +    bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
   7.186 +    if (copy_to_user(buf, policy_buffer, ntohl(bin_pol->len)))
   7.187 +        goto error_free_unlock;
   7.188  
   7.189 -     read_unlock(&acm_bin_pol_rwlock);
   7.190 -     xfree(policy_buffer);
   7.191 -     return ACM_OK;
   7.192 +    read_unlock(&acm_bin_pol_rwlock);
   7.193 +    xfree(policy_buffer);
   7.194 +    return ACM_OK;
   7.195  
   7.196   error_free_unlock:
   7.197 -     read_unlock(&acm_bin_pol_rwlock);
   7.198 -     printk("%s: Error getting policy.\n", __func__);
   7.199 -     xfree(policy_buffer);
   7.200 -     return -EFAULT;
   7.201 +    read_unlock(&acm_bin_pol_rwlock);
   7.202 +    printk("%s: Error getting policy.\n", __func__);
   7.203 +    xfree(policy_buffer);
   7.204 +    return -EFAULT;
   7.205  }
   7.206  
   7.207  int
   7.208  acm_dump_statistics(void *buf, u16 buf_size)
   7.209 -{	
   7.210 +{ 
   7.211      /* send stats to user space */
   7.212 -     u8 *stats_buffer;
   7.213 -     int len1, len2;
   7.214 -     struct acm_stats_buffer acm_stats;
   7.215 +    u8 *stats_buffer;
   7.216 +    int len1, len2;
   7.217 +    struct acm_stats_buffer acm_stats;
   7.218  
   7.219 -     if ((stats_buffer = xmalloc_array(u8, buf_size)) == NULL)
   7.220 -	    return -ENOMEM;
   7.221 +    if ((stats_buffer = xmalloc_array(u8, buf_size)) == NULL)
   7.222 +        return -ENOMEM;
   7.223  
   7.224 -     read_lock(&acm_bin_pol_rwlock);
   7.225 +    read_lock(&acm_bin_pol_rwlock);
   7.226       
   7.227 -     len1 = acm_primary_ops->dump_statistics(stats_buffer + sizeof(struct acm_stats_buffer),
   7.228 -					     buf_size - sizeof(struct acm_stats_buffer));
   7.229 -     if (len1 < 0)
   7.230 -	     goto error_lock_free;
   7.231 -	     
   7.232 -     len2 = acm_secondary_ops->dump_statistics(stats_buffer + sizeof(struct acm_stats_buffer) + len1,
   7.233 -					       buf_size - sizeof(struct acm_stats_buffer) - len1);
   7.234 -     if (len2 < 0)
   7.235 -	     goto error_lock_free;
   7.236 +    len1 = acm_primary_ops->dump_statistics(stats_buffer + sizeof(struct acm_stats_buffer),
   7.237 +                                            buf_size - sizeof(struct acm_stats_buffer));
   7.238 +    if (len1 < 0)
   7.239 +        goto error_lock_free;
   7.240 +      
   7.241 +    len2 = acm_secondary_ops->dump_statistics(stats_buffer + sizeof(struct acm_stats_buffer) + len1,
   7.242 +                                              buf_size - sizeof(struct acm_stats_buffer) - len1);
   7.243 +    if (len2 < 0)
   7.244 +        goto error_lock_free;
   7.245  
   7.246 -     acm_stats.magic = htonl(ACM_MAGIC);
   7.247 -     acm_stats.primary_policy_code = htonl(acm_bin_pol.primary_policy_code);
   7.248 -     acm_stats.secondary_policy_code = htonl(acm_bin_pol.secondary_policy_code);
   7.249 -     acm_stats.primary_stats_offset = htonl(sizeof(struct acm_stats_buffer));
   7.250 -     acm_stats.secondary_stats_offset = htonl(sizeof(struct acm_stats_buffer) + len1);
   7.251 -     acm_stats.len = htonl(sizeof(struct acm_stats_buffer) + len1 + len2);
   7.252 -     memcpy(stats_buffer, &acm_stats, sizeof(struct acm_stats_buffer));
   7.253 +    acm_stats.magic = htonl(ACM_MAGIC);
   7.254 +    acm_stats.primary_policy_code = htonl(acm_bin_pol.primary_policy_code);
   7.255 +    acm_stats.secondary_policy_code = htonl(acm_bin_pol.secondary_policy_code);
   7.256 +    acm_stats.primary_stats_offset = htonl(sizeof(struct acm_stats_buffer));
   7.257 +    acm_stats.secondary_stats_offset = htonl(sizeof(struct acm_stats_buffer) + len1);
   7.258 +    acm_stats.len = htonl(sizeof(struct acm_stats_buffer) + len1 + len2);
   7.259  
   7.260 -     if (copy_to_user(buf, stats_buffer, sizeof(struct acm_stats_buffer) + len1 + len2))
   7.261 -	     goto error_lock_free;
   7.262 +    memcpy(stats_buffer, &acm_stats, sizeof(struct acm_stats_buffer));
   7.263  
   7.264 -     read_unlock(&acm_bin_pol_rwlock);
   7.265 -     xfree(stats_buffer);
   7.266 -     return ACM_OK;
   7.267 +    if (copy_to_user(buf, stats_buffer, sizeof(struct acm_stats_buffer) + len1 + len2))
   7.268 +        goto error_lock_free;
   7.269 +
   7.270 +    read_unlock(&acm_bin_pol_rwlock);
   7.271 +    xfree(stats_buffer);
   7.272 +    return ACM_OK;
   7.273  
   7.274   error_lock_free:
   7.275 -     read_unlock(&acm_bin_pol_rwlock);
   7.276 -     xfree(stats_buffer);
   7.277 -     return -EFAULT;
   7.278 +    read_unlock(&acm_bin_pol_rwlock);
   7.279 +    xfree(stats_buffer);
   7.280 +    return -EFAULT;
   7.281  }
   7.282  
   7.283  
   7.284 @@ -198,57 +199,88 @@ int
   7.285  acm_get_ssid(ssidref_t ssidref, u8 *buf, u16 buf_size)
   7.286  {
   7.287      /* send stats to user space */
   7.288 -     u8 *ssid_buffer;
   7.289 -     int ret;
   7.290 -     struct acm_ssid_buffer *acm_ssid;
   7.291 -     if (buf_size < sizeof(struct acm_ssid_buffer))
   7.292 -		return -EFAULT;
   7.293 +    u8 *ssid_buffer;
   7.294 +    int ret;
   7.295 +    struct acm_ssid_buffer *acm_ssid;
   7.296 +    if (buf_size < sizeof(struct acm_ssid_buffer))
   7.297 +        return -EFAULT;
   7.298  
   7.299 -     if ((ssid_buffer = xmalloc_array(u8, buf_size)) == NULL)
   7.300 -	    return -ENOMEM;
   7.301 +    if ((ssid_buffer = xmalloc_array(u8, buf_size)) == NULL)
   7.302 +        return -ENOMEM;
   7.303  
   7.304 -     read_lock(&acm_bin_pol_rwlock);
   7.305 +    read_lock(&acm_bin_pol_rwlock);
   7.306  
   7.307 -     acm_ssid = (struct acm_ssid_buffer *)ssid_buffer;
   7.308 -     acm_ssid->len = sizeof(struct acm_ssid_buffer);
   7.309 -     acm_ssid->ssidref = ssidref;
   7.310 -     acm_ssid->primary_policy_code = acm_bin_pol.primary_policy_code;
   7.311 -     acm_ssid->secondary_policy_code = acm_bin_pol.secondary_policy_code;
   7.312 -     acm_ssid->primary_types_offset = acm_ssid->len;
   7.313 +    acm_ssid = (struct acm_ssid_buffer *)ssid_buffer;
   7.314 +    acm_ssid->len = sizeof(struct acm_ssid_buffer);
   7.315 +    acm_ssid->ssidref = ssidref;
   7.316 +    acm_ssid->primary_policy_code = acm_bin_pol.primary_policy_code;
   7.317 +    acm_ssid->secondary_policy_code = acm_bin_pol.secondary_policy_code;
   7.318 +    acm_ssid->primary_types_offset = acm_ssid->len;
   7.319  
   7.320 -     /* ret >= 0 --> ret == max_types */
   7.321 -     ret = acm_primary_ops->dump_ssid_types(ACM_PRIMARY(ssidref),
   7.322 -                                            ssid_buffer + acm_ssid->primary_types_offset,
   7.323 -                                            buf_size - acm_ssid->primary_types_offset);
   7.324 -     if (ret < 0)
   7.325 -         goto error_free_unlock;
   7.326 +    /* ret >= 0 --> ret == max_types */
   7.327 +    ret = acm_primary_ops->dump_ssid_types(ACM_PRIMARY(ssidref),
   7.328 +                                           ssid_buffer + acm_ssid->primary_types_offset,
   7.329 +                                           buf_size - acm_ssid->primary_types_offset);
   7.330 +    if (ret < 0)
   7.331 +        goto error_free_unlock;
   7.332  
   7.333 -     acm_ssid->len += ret;
   7.334 -     acm_ssid->primary_max_types = ret;
   7.335 -
   7.336 -     acm_ssid->secondary_types_offset = acm_ssid->len;
   7.337 +    acm_ssid->len += ret;
   7.338 +    acm_ssid->primary_max_types = ret;
   7.339 +    acm_ssid->secondary_types_offset = acm_ssid->len;
   7.340  
   7.341 -     ret = acm_secondary_ops->dump_ssid_types(ACM_SECONDARY(ssidref),
   7.342 -                                              ssid_buffer + acm_ssid->secondary_types_offset,
   7.343 -                                              buf_size - acm_ssid->secondary_types_offset);
   7.344 -     if (ret < 0)
   7.345 -         goto error_free_unlock;
   7.346 +    ret = acm_secondary_ops->dump_ssid_types(ACM_SECONDARY(ssidref),
   7.347 +                                             ssid_buffer + acm_ssid->secondary_types_offset,
   7.348 +                                             buf_size - acm_ssid->secondary_types_offset);
   7.349 +    if (ret < 0)
   7.350 +        goto error_free_unlock;
   7.351  
   7.352 -     acm_ssid->len += ret;
   7.353 -     acm_ssid->secondary_max_types = ret;
   7.354 +    acm_ssid->len += ret;
   7.355 +    acm_ssid->secondary_max_types = ret;
   7.356  
   7.357 -     if (copy_to_user(buf, ssid_buffer, acm_ssid->len))
   7.358 -	     goto error_free_unlock;
   7.359 +    if (copy_to_user(buf, ssid_buffer, acm_ssid->len))
   7.360 +        goto error_free_unlock;
   7.361  
   7.362 -     read_unlock(&acm_bin_pol_rwlock);
   7.363 -     xfree(ssid_buffer);
   7.364 -     return ACM_OK;
   7.365 +    read_unlock(&acm_bin_pol_rwlock);
   7.366 +    xfree(ssid_buffer);
   7.367 +    return ACM_OK;
   7.368  
   7.369   error_free_unlock:
   7.370 -     read_unlock(&acm_bin_pol_rwlock);
   7.371 -     printk("%s: Error getting ssid.\n", __func__);
   7.372 -     xfree(ssid_buffer);
   7.373 -     return -ENOMEM;
   7.374 +    read_unlock(&acm_bin_pol_rwlock);
   7.375 +    printk("%s: Error getting ssid.\n", __func__);
   7.376 +    xfree(ssid_buffer);
   7.377 +    return -ENOMEM;
   7.378  }
   7.379  
   7.380 -/*eof*/
   7.381 +int
   7.382 +acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2,
   7.383 +                 enum acm_hook_type hook)
   7.384 +{
   7.385 +    int ret = ACM_ACCESS_DENIED;
   7.386 +    switch (hook) {
   7.387 +
   7.388 +    case SHARING:
   7.389 +        /* SHARING Hook restricts access in STE policy only */
   7.390 +        ret = acm_sharing(ssidref1, ssidref2);
   7.391 +        break;
   7.392 +
   7.393 +    default:
   7.394 +        /* deny */
   7.395 +        break;
   7.396 +    }
   7.397 +
   7.398 +    printkd("%s: ssid1=%x, ssid2=%x, decision=%s.\n",
   7.399 +            __func__, ssidref1, ssidref2,
   7.400 +            (ret == ACM_ACCESS_PERMITTED) ? "GRANTED" : "DENIED");
   7.401 +
   7.402 +    return ret;
   7.403 +}
   7.404 +
   7.405 +/*
   7.406 + * Local variables:
   7.407 + * mode: C
   7.408 + * c-set-style: "BSD"
   7.409 + * c-basic-offset: 4
   7.410 + * tab-width: 4
   7.411 + * indent-tabs-mode: nil
   7.412 + * End:
   7.413 + */
     8.1 --- a/xen/acm/acm_simple_type_enforcement_hooks.c	Thu Oct 20 19:37:41 2005 +0100
     8.2 +++ b/xen/acm/acm_simple_type_enforcement_hooks.c	Thu Oct 20 21:37:15 2005 +0100
     8.3 @@ -24,6 +24,7 @@
     8.4   *     share at least on common type.
     8.5   *
     8.6   */
     8.7 +
     8.8  #include <xen/lib.h>
     8.9  #include <asm/types.h>
    8.10  #include <asm/current.h>
    8.11 @@ -35,34 +36,34 @@
    8.12  struct ste_binary_policy ste_bin_pol;
    8.13  
    8.14  static inline int have_common_type (ssidref_t ref1, ssidref_t ref2) {
    8.15 -	int i;
    8.16 -	for(i=0; i< ste_bin_pol.max_types; i++)
    8.17 -		if ( ste_bin_pol.ssidrefs[ref1*ste_bin_pol.max_types + i] && 
    8.18 -		     ste_bin_pol.ssidrefs[ref2*ste_bin_pol.max_types + i]) {
    8.19 -			printkd("%s: common type #%02x.\n", __func__, i);
    8.20 -			return 1;
    8.21 -		}
    8.22 -	return 0;
    8.23 +    int i;
    8.24 +    for(i=0; i< ste_bin_pol.max_types; i++)
    8.25 +        if ( ste_bin_pol.ssidrefs[ref1*ste_bin_pol.max_types + i] && 
    8.26 +             ste_bin_pol.ssidrefs[ref2*ste_bin_pol.max_types + i]) {
    8.27 +            printkd("%s: common type #%02x.\n", __func__, i);
    8.28 +            return 1;
    8.29 +        }
    8.30 +    return 0;
    8.31  }
    8.32  
    8.33  /* Helper function: return = (subj and obj share a common type) */
    8.34  static int share_common_type(struct domain *subj, struct domain *obj)
    8.35  {
    8.36 -	ssidref_t ref_s, ref_o;
    8.37 -	int ret;
    8.38 +    ssidref_t ref_s, ref_o;
    8.39 +    int ret;
    8.40  
    8.41 -	if ((subj == NULL) || (obj == NULL) || (subj->ssid == NULL) || (obj->ssid == NULL))
    8.42 -		return 0;
    8.43 -	read_lock(&acm_bin_pol_rwlock);
    8.44 -	/* lookup the policy-local ssids */
    8.45 -	ref_s = ((struct ste_ssid *)(GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
    8.46 -				    (struct acm_ssid_domain *)subj->ssid)))->ste_ssidref;
    8.47 -	ref_o = ((struct ste_ssid *)(GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
    8.48 -				    (struct acm_ssid_domain *)obj->ssid)))->ste_ssidref;
    8.49 -        /* check whether subj and obj share a common ste type */
    8.50 -	ret = have_common_type(ref_s, ref_o);
    8.51 -	read_unlock(&acm_bin_pol_rwlock);
    8.52 -	return ret;
    8.53 +    if ((subj == NULL) || (obj == NULL) || (subj->ssid == NULL) || (obj->ssid == NULL))
    8.54 +        return 0;
    8.55 +    read_lock(&acm_bin_pol_rwlock);
    8.56 +    /* lookup the policy-local ssids */
    8.57 +    ref_s = ((struct ste_ssid *)(GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
    8.58 +                                           (struct acm_ssid_domain *)subj->ssid)))->ste_ssidref;
    8.59 +    ref_o = ((struct ste_ssid *)(GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
    8.60 +                                           (struct acm_ssid_domain *)obj->ssid)))->ste_ssidref;
    8.61 +    /* check whether subj and obj share a common ste type */
    8.62 +    ret = have_common_type(ref_s, ref_o);
    8.63 +    read_unlock(&acm_bin_pol_rwlock);
    8.64 +    return ret;
    8.65  }
    8.66  
    8.67  /*
    8.68 @@ -71,26 +72,26 @@ static int share_common_type(struct doma
    8.69   */
    8.70  int acm_init_ste_policy(void)
    8.71  {
    8.72 -	/* minimal startup policy; policy write-locked already */
    8.73 -	ste_bin_pol.max_types = 1;
    8.74 -	ste_bin_pol.max_ssidrefs = 2;
    8.75 -	ste_bin_pol.ssidrefs = (domaintype_t *)xmalloc_array(domaintype_t, 2);
    8.76 -	memset(ste_bin_pol.ssidrefs, 0, 2);
    8.77 +    /* minimal startup policy; policy write-locked already */
    8.78 +    ste_bin_pol.max_types = 1;
    8.79 +    ste_bin_pol.max_ssidrefs = 2;
    8.80 +    ste_bin_pol.ssidrefs = (domaintype_t *)xmalloc_array(domaintype_t, 2);
    8.81 +    memset(ste_bin_pol.ssidrefs, 0, 2);
    8.82  
    8.83 -	if (ste_bin_pol.ssidrefs == NULL)
    8.84 -		return ACM_INIT_SSID_ERROR;
    8.85 +    if (ste_bin_pol.ssidrefs == NULL)
    8.86 +        return ACM_INIT_SSID_ERROR;
    8.87  
    8.88 -	/* initialize state so that dom0 can start up and communicate with itself */
    8.89 -	ste_bin_pol.ssidrefs[1] = 1;
    8.90 + /* initialize state so that dom0 can start up and communicate with itself */
    8.91 +    ste_bin_pol.ssidrefs[1] = 1;
    8.92  
    8.93 -	/* init stats */
    8.94 -	atomic_set(&(ste_bin_pol.ec_eval_count), 0);
    8.95 -	atomic_set(&(ste_bin_pol.ec_denied_count), 0); 
    8.96 -	atomic_set(&(ste_bin_pol.ec_cachehit_count), 0);
    8.97 -	atomic_set(&(ste_bin_pol.gt_eval_count), 0);
    8.98 -	atomic_set(&(ste_bin_pol.gt_denied_count), 0); 
    8.99 -	atomic_set(&(ste_bin_pol.gt_cachehit_count), 0);
   8.100 -	return ACM_OK;
   8.101 +    /* init stats */
   8.102 +    atomic_set(&(ste_bin_pol.ec_eval_count), 0);
   8.103 +    atomic_set(&(ste_bin_pol.ec_denied_count), 0); 
   8.104 +    atomic_set(&(ste_bin_pol.ec_cachehit_count), 0);
   8.105 +    atomic_set(&(ste_bin_pol.gt_eval_count), 0);
   8.106 +    atomic_set(&(ste_bin_pol.gt_denied_count), 0); 
   8.107 +    atomic_set(&(ste_bin_pol.gt_cachehit_count), 0);
   8.108 +    return ACM_OK;
   8.109  }
   8.110  
   8.111  
   8.112 @@ -98,62 +99,68 @@ int acm_init_ste_policy(void)
   8.113  static int
   8.114  ste_init_domain_ssid(void **ste_ssid, ssidref_t ssidref)
   8.115  {
   8.116 -	int i;
   8.117 -	struct ste_ssid *ste_ssidp = xmalloc(struct ste_ssid); 
   8.118 -	traceprintk("%s.\n", __func__);
   8.119 +    int i;
   8.120 +    struct ste_ssid *ste_ssidp = xmalloc(struct ste_ssid); 
   8.121 +    traceprintk("%s.\n", __func__);
   8.122  
   8.123 -	if (ste_ssidp == NULL)
   8.124 -		return ACM_INIT_SSID_ERROR;
   8.125 +    if (ste_ssidp == NULL)
   8.126 +        return ACM_INIT_SSID_ERROR;
   8.127  
   8.128 -	/* get policy-local ssid reference */
   8.129 -	ste_ssidp->ste_ssidref = GET_SSIDREF(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, ssidref);
   8.130 -	if ((ste_ssidp->ste_ssidref >= ste_bin_pol.max_ssidrefs) ||
   8.131 -	    (ste_ssidp->ste_ssidref == ACM_DEFAULT_LOCAL_SSID))	{
   8.132 -		printkd("%s: ERROR ste_ssidref (%x) undefined or unset (0).\n",
   8.133 -			__func__, ste_ssidp->ste_ssidref);
   8.134 -		xfree(ste_ssidp);
   8.135 -		return ACM_INIT_SSID_ERROR;
   8.136 -	}
   8.137 -	/* clean ste cache */
   8.138 -	for (i=0; i<ACM_TE_CACHE_SIZE; i++)
   8.139 -		ste_ssidp->ste_cache[i].valid = FREE;
   8.140 +    /* get policy-local ssid reference */
   8.141 +    ste_ssidp->ste_ssidref = GET_SSIDREF(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, ssidref);
   8.142 +    if ((ste_ssidp->ste_ssidref >= ste_bin_pol.max_ssidrefs) ||
   8.143 +        (ste_ssidp->ste_ssidref == ACM_DEFAULT_LOCAL_SSID)) {
   8.144 +        printkd("%s: ERROR ste_ssidref (%x) undefined or unset (0).\n",
   8.145 +                __func__, ste_ssidp->ste_ssidref);
   8.146 +        xfree(ste_ssidp);
   8.147 +        return ACM_INIT_SSID_ERROR;
   8.148 +    }
   8.149 +    /* clean ste cache */
   8.150 +    for (i=0; i<ACM_TE_CACHE_SIZE; i++)
   8.151 +        ste_ssidp->ste_cache[i].valid = FREE;
   8.152  
   8.153 -	(*ste_ssid) = ste_ssidp;
   8.154 -	printkd("%s: determined ste_ssidref to %x.\n", 
   8.155 -	       __func__, ste_ssidp->ste_ssidref);
   8.156 -	return ACM_OK;
   8.157 +    (*ste_ssid) = ste_ssidp;
   8.158 +    printkd("%s: determined ste_ssidref to %x.\n", 
   8.159 +            __func__, ste_ssidp->ste_ssidref);
   8.160 +    return ACM_OK;
   8.161  }
   8.162  
   8.163  
   8.164  static void
   8.165  ste_free_domain_ssid(void *ste_ssid)
   8.166  {
   8.167 -	traceprintk("%s.\n", __func__);
   8.168 -	if (ste_ssid != NULL)
   8.169 -		xfree(ste_ssid);
   8.170 -	return;
   8.171 +    traceprintk("%s.\n", __func__);
   8.172 +    if (ste_ssid != NULL)
   8.173 +        xfree(ste_ssid);
   8.174 +    return;
   8.175  }
   8.176  
   8.177  /* dump type enforcement cache; policy read-locked already */
   8.178  static int 
   8.179 -ste_dump_policy(u8 *buf, u16 buf_size) {
   8.180 -     struct acm_ste_policy_buffer *ste_buf = (struct acm_ste_policy_buffer *)buf;
   8.181 -     int ret = 0;
   8.182 +ste_dump_policy(u8 *buf, u32 buf_size) {
   8.183 +    struct acm_ste_policy_buffer *ste_buf = (struct acm_ste_policy_buffer *)buf;
   8.184 +    int ret = 0;
   8.185 +
   8.186 +    if (buf_size < sizeof(struct acm_ste_policy_buffer))
   8.187 +        return -EINVAL;
   8.188  
   8.189 -     ste_buf->ste_max_types = htonl(ste_bin_pol.max_types);
   8.190 -     ste_buf->ste_max_ssidrefs = htonl(ste_bin_pol.max_ssidrefs);
   8.191 -     ste_buf->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
   8.192 -     ste_buf->ste_ssid_offset = htonl(sizeof(struct acm_ste_policy_buffer));
   8.193 -     ret = ntohl(ste_buf->ste_ssid_offset) +
   8.194 -	     sizeof(domaintype_t)*ste_bin_pol.max_ssidrefs*ste_bin_pol.max_types;
   8.195 +    ste_buf->ste_max_types = htonl(ste_bin_pol.max_types);
   8.196 +    ste_buf->ste_max_ssidrefs = htonl(ste_bin_pol.max_ssidrefs);
   8.197 +    ste_buf->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
   8.198 +    ste_buf->ste_ssid_offset = htonl(sizeof(struct acm_ste_policy_buffer));
   8.199 +    ret = ntohl(ste_buf->ste_ssid_offset) +
   8.200 +        sizeof(domaintype_t)*ste_bin_pol.max_ssidrefs*ste_bin_pol.max_types;
   8.201  
   8.202 -     /* now copy buffer over */
   8.203 -     arrcpy(buf + ntohl(ste_buf->ste_ssid_offset),
   8.204 -	    ste_bin_pol.ssidrefs,
   8.205 -	    sizeof(domaintype_t),
   8.206 -             ste_bin_pol.max_ssidrefs*ste_bin_pol.max_types);
   8.207 +    if (buf_size < ret)
   8.208 +        return -EINVAL;
   8.209  
   8.210 -     return ret;
   8.211 +    /* now copy buffer over */
   8.212 +    arrcpy(buf + ntohl(ste_buf->ste_ssid_offset),
   8.213 +           ste_bin_pol.ssidrefs,
   8.214 +           sizeof(domaintype_t),
   8.215 +           ste_bin_pol.max_ssidrefs*ste_bin_pol.max_types);
   8.216 +
   8.217 +    return ret;
   8.218  }
   8.219  
   8.220  /* ste_init_state is called when a policy is changed to detect violations (return != 0).
   8.221 @@ -176,83 +183,83 @@ ste_init_state(struct acm_ste_policy_buf
   8.222      /* go through all domains and adjust policy as if this domain was started now */
   8.223      pd = &domain_list;
   8.224      for ( pd = &domain_list; *pd != NULL; pd = &(*pd)->next_in_list ) {
   8.225 -	    ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.226 -				 (struct acm_ssid_domain *)(*pd)->ssid);
   8.227 -	    ste_ssidref = ste_ssid->ste_ssidref;
   8.228 -	    traceprintk("%s: validating policy for eventch domain %x (ste-Ref=%x).\n",
   8.229 -		    __func__, (*pd)->domain_id, ste_ssidref);
   8.230 -	    /* a) check for event channel conflicts */
   8.231 -	    for (port=0; port < NR_EVTCHN_BUCKETS; port++) {
   8.232 -		    spin_lock(&(*pd)->evtchn_lock);
   8.233 -		    if ((*pd)->evtchn[port] == NULL) {
   8.234 -                            spin_unlock(&(*pd)->evtchn_lock);
   8.235 -		            continue;
   8.236 -		    }
   8.237 -		    if ((*pd)->evtchn[port]->state == ECS_INTERDOMAIN) {
   8.238 -			    rdom = (*pd)->evtchn[port]->u.interdomain.remote_dom;
   8.239 -			    rdomid = rdom->domain_id;
   8.240 -			    /* rdom now has remote domain */
   8.241 -			    ste_rssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.242 -						  (struct acm_ssid_domain *)(rdom->ssid));
   8.243 -			    ste_rssidref = ste_rssid->ste_ssidref;
   8.244 -		    } else if ((*pd)->evtchn[port]->state == ECS_UNBOUND) {
   8.245 -			    rdomid = (*pd)->evtchn[port]->u.unbound.remote_domid;
   8.246 -			    if ((rdom = find_domain_by_id(rdomid)) == NULL) {
   8.247 -				    printk("%s: Error finding domain to id %x!\n", __func__, rdomid);
   8.248 -				    goto out;
   8.249 -			    }
   8.250 -			    /* rdom now has remote domain */
   8.251 -			    ste_rssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.252 -						  (struct acm_ssid_domain *)(rdom->ssid));
   8.253 -			    ste_rssidref = ste_rssid->ste_ssidref;
   8.254 -			    put_domain(rdom);
   8.255 -		    } else {
   8.256 -			    spin_unlock(&(*pd)->evtchn_lock);
   8.257 -			    continue; /* port unused */
   8.258 -		    }
   8.259 -		    spin_unlock(&(*pd)->evtchn_lock);
   8.260 +        ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.261 +                             (struct acm_ssid_domain *)(*pd)->ssid);
   8.262 +        ste_ssidref = ste_ssid->ste_ssidref;
   8.263 +        traceprintk("%s: validating policy for eventch domain %x (ste-Ref=%x).\n",
   8.264 +                    __func__, (*pd)->domain_id, ste_ssidref);
   8.265 +        /* a) check for event channel conflicts */
   8.266 +        for (port=0; port < NR_EVTCHN_BUCKETS; port++) {
   8.267 +            spin_lock(&(*pd)->evtchn_lock);
   8.268 +            if ((*pd)->evtchn[port] == NULL) {
   8.269 +                spin_unlock(&(*pd)->evtchn_lock);
   8.270 +                continue;
   8.271 +            }
   8.272 +            if ((*pd)->evtchn[port]->state == ECS_INTERDOMAIN) {
   8.273 +                rdom = (*pd)->evtchn[port]->u.interdomain.remote_dom;
   8.274 +                rdomid = rdom->domain_id;
   8.275 +                /* rdom now has remote domain */
   8.276 +                ste_rssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.277 +                                      (struct acm_ssid_domain *)(rdom->ssid));
   8.278 +                ste_rssidref = ste_rssid->ste_ssidref;
   8.279 +            } else if ((*pd)->evtchn[port]->state == ECS_UNBOUND) {
   8.280 +                rdomid = (*pd)->evtchn[port]->u.unbound.remote_domid;
   8.281 +                if ((rdom = find_domain_by_id(rdomid)) == NULL) {
   8.282 +                    printk("%s: Error finding domain to id %x!\n", __func__, rdomid);
   8.283 +                    goto out;
   8.284 +                }
   8.285 +                /* rdom now has remote domain */
   8.286 +                ste_rssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.287 +                                      (struct acm_ssid_domain *)(rdom->ssid));
   8.288 +                ste_rssidref = ste_rssid->ste_ssidref;
   8.289 +                put_domain(rdom);
   8.290 +            } else {
   8.291 +                spin_unlock(&(*pd)->evtchn_lock);
   8.292 +                continue; /* port unused */
   8.293 +            }
   8.294 +            spin_unlock(&(*pd)->evtchn_lock);
   8.295  
   8.296 -		    /* rdom now has remote domain */
   8.297 -		    ste_rssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.298 -					     (struct acm_ssid_domain *)(rdom->ssid));
   8.299 -		    ste_rssidref = ste_rssid->ste_ssidref;
   8.300 -		    traceprintk("%s: eventch: domain %x (ssidref %x) --> domain %x (rssidref %x) used (port %x).\n", 
   8.301 -			    __func__, (*pd)->domain_id, ste_ssidref, rdom->domain_id, ste_rssidref, port);  
   8.302 -		    /* check whether on subj->ssid, obj->ssid share a common type*/
   8.303 -		    if (!have_common_type(ste_ssidref, ste_rssidref)) {
   8.304 -			    printkd("%s: Policy violation in event channel domain %x -> domain %x.\n",
   8.305 -				    __func__, (*pd)->domain_id, rdomid);
   8.306 -			    goto out;
   8.307 -		    }
   8.308 -	    }	
   8.309 -	    /* b) check for grant table conflicts on shared pages */
   8.310 -	    if ((*pd)->grant_table->shared == NULL) {
   8.311 -		    printkd("%s: Grant ... sharing for domain %x not setup!\n", __func__, (*pd)->domain_id);
   8.312 -		    continue;
   8.313 -	    }
   8.314 -	    for ( i = 0; i < NR_GRANT_ENTRIES; i++ ) {
   8.315 -		    sha_copy =  (*pd)->grant_table->shared[i];
   8.316 -		    if ( sha_copy.flags ) {
   8.317 -			    printkd("%s: grant dom (%hu) SHARED (%d) flags:(%hx) dom:(%hu) frame:(%lx)\n",
   8.318 -				    __func__, (*pd)->domain_id, i, sha_copy.flags, sha_copy.domid, 
   8.319 -				    (unsigned long)sha_copy.frame);
   8.320 -			    rdomid = sha_copy.domid;
   8.321 -			    if ((rdom = find_domain_by_id(rdomid)) == NULL) {
   8.322 -			    	    printkd("%s: domain not found ERROR!\n", __func__);
   8.323 -			    	    goto out;
   8.324 -			    };
   8.325 -			    /* rdom now has remote domain */
   8.326 -			    ste_rssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.327 -			    			  (struct acm_ssid_domain *)(rdom->ssid));
   8.328 -			    ste_rssidref = ste_rssid->ste_ssidref;
   8.329 -			    put_domain(rdom);
   8.330 -			    if (!have_common_type(ste_ssidref, ste_rssidref)) {
   8.331 -			    	    printkd("%s: Policy violation in grant table sharing domain %x -> domain %x.\n",
   8.332 -			    		    __func__, (*pd)->domain_id, rdomid);
   8.333 -			    	    goto out;
   8.334 -			    }
   8.335 -		    }
   8.336 -	    }
   8.337 +            /* rdom now has remote domain */
   8.338 +            ste_rssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.339 +                                  (struct acm_ssid_domain *)(rdom->ssid));
   8.340 +            ste_rssidref = ste_rssid->ste_ssidref;
   8.341 +            traceprintk("%s: eventch: domain %x (ssidref %x) --> domain %x (rssidref %x) used (port %x).\n", 
   8.342 +                        __func__, (*pd)->domain_id, ste_ssidref, rdom->domain_id, ste_rssidref, port);  
   8.343 +            /* check whether on subj->ssid, obj->ssid share a common type*/
   8.344 +            if (!have_common_type(ste_ssidref, ste_rssidref)) {
   8.345 +                printkd("%s: Policy violation in event channel domain %x -> domain %x.\n",
   8.346 +                        __func__, (*pd)->domain_id, rdomid);
   8.347 +                goto out;
   8.348 +            }
   8.349 +        } 
   8.350 +        /* b) check for grant table conflicts on shared pages */
   8.351 +        if ((*pd)->grant_table->shared == NULL) {
   8.352 +            printkd("%s: Grant ... sharing for domain %x not setup!\n", __func__, (*pd)->domain_id);
   8.353 +            continue;
   8.354 +        }
   8.355 +        for ( i = 0; i < NR_GRANT_ENTRIES; i++ ) {
   8.356 +            sha_copy =  (*pd)->grant_table->shared[i];
   8.357 +            if ( sha_copy.flags ) {
   8.358 +                printkd("%s: grant dom (%hu) SHARED (%d) flags:(%hx) dom:(%hu) frame:(%lx)\n",
   8.359 +                        __func__, (*pd)->domain_id, i, sha_copy.flags, sha_copy.domid, 
   8.360 +                        (unsigned long)sha_copy.frame);
   8.361 +                rdomid = sha_copy.domid;
   8.362 +                if ((rdom = find_domain_by_id(rdomid)) == NULL) {
   8.363 +                    printkd("%s: domain not found ERROR!\n", __func__);
   8.364 +                    goto out;
   8.365 +                };
   8.366 +                /* rdom now has remote domain */
   8.367 +                ste_rssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.368 +                                      (struct acm_ssid_domain *)(rdom->ssid));
   8.369 +                ste_rssidref = ste_rssid->ste_ssidref;
   8.370 +                put_domain(rdom);
   8.371 +                if (!have_common_type(ste_ssidref, ste_rssidref)) {
   8.372 +                    printkd("%s: Policy violation in grant table sharing domain %x -> domain %x.\n",
   8.373 +                            __func__, (*pd)->domain_id, rdomid);
   8.374 +                    goto out;
   8.375 +                }
   8.376 +            }
   8.377 +        }
   8.378      }
   8.379      violation = 0;
   8.380   out:
   8.381 @@ -267,69 +274,72 @@ ste_init_state(struct acm_ste_policy_buf
   8.382  
   8.383  /* set new policy; policy write-locked already */
   8.384  static int
   8.385 -ste_set_policy(u8 *buf, u16 buf_size) 
   8.386 +ste_set_policy(u8 *buf, u32 buf_size)
   8.387  {
   8.388 -     struct acm_ste_policy_buffer *ste_buf = (struct acm_ste_policy_buffer *)buf;
   8.389 -     void *ssidrefsbuf;
   8.390 -     struct ste_ssid *ste_ssid;
   8.391 -     struct domain **pd;
   8.392 -     int i;
   8.393 +    struct acm_ste_policy_buffer *ste_buf = (struct acm_ste_policy_buffer *)buf;
   8.394 +    void *ssidrefsbuf;
   8.395 +    struct ste_ssid *ste_ssid;
   8.396 +    struct domain **pd;
   8.397 +    int i;
   8.398 +
   8.399 +    if (buf_size < sizeof(struct acm_ste_policy_buffer))
   8.400 +        return -EINVAL;
   8.401  
   8.402 -     /* Convert endianess of policy */
   8.403 -     ste_buf->policy_code = ntohl(ste_buf->policy_code);
   8.404 -     ste_buf->policy_version = ntohl(ste_buf->policy_version);
   8.405 -     ste_buf->ste_max_types = ntohl(ste_buf->ste_max_types);
   8.406 -     ste_buf->ste_max_ssidrefs = ntohl(ste_buf->ste_max_ssidrefs);
   8.407 -     ste_buf->ste_ssid_offset = ntohl(ste_buf->ste_ssid_offset);
   8.408 +    /* Convert endianess of policy */
   8.409 +    ste_buf->policy_code = ntohl(ste_buf->policy_code);
   8.410 +    ste_buf->policy_version = ntohl(ste_buf->policy_version);
   8.411 +    ste_buf->ste_max_types = ntohl(ste_buf->ste_max_types);
   8.412 +    ste_buf->ste_max_ssidrefs = ntohl(ste_buf->ste_max_ssidrefs);
   8.413 +    ste_buf->ste_ssid_offset = ntohl(ste_buf->ste_ssid_offset);
   8.414  
   8.415 -     /* policy type and version checks */
   8.416 -     if ((ste_buf->policy_code != ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) ||
   8.417 -	 (ste_buf->policy_version != ACM_STE_VERSION))
   8.418 -	     return -EINVAL;
   8.419 +    /* policy type and version checks */
   8.420 +    if ((ste_buf->policy_code != ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) ||
   8.421 +        (ste_buf->policy_version != ACM_STE_VERSION))
   8.422 +        return -EINVAL;
   8.423  
   8.424 -     /* 1. create and copy-in new ssidrefs buffer */
   8.425 -     ssidrefsbuf = xmalloc_array(u8, sizeof(domaintype_t)*ste_buf->ste_max_types*ste_buf->ste_max_ssidrefs);
   8.426 -     if (ssidrefsbuf == NULL) {
   8.427 -	     return -ENOMEM;
   8.428 -     }
   8.429 -     if (ste_buf->ste_ssid_offset + sizeof(domaintype_t) * ste_buf->ste_max_ssidrefs*ste_buf->ste_max_types > buf_size)
   8.430 -         goto error_free;
   8.431 +    /* 1. create and copy-in new ssidrefs buffer */
   8.432 +    ssidrefsbuf = xmalloc_array(u8, sizeof(domaintype_t)*ste_buf->ste_max_types*ste_buf->ste_max_ssidrefs);
   8.433 +    if (ssidrefsbuf == NULL) {
   8.434 +        return -ENOMEM;
   8.435 +    }
   8.436 +    if (ste_buf->ste_ssid_offset + sizeof(domaintype_t) * ste_buf->ste_max_ssidrefs*ste_buf->ste_max_types > buf_size)
   8.437 +        goto error_free;
   8.438  
   8.439 -     arrcpy(ssidrefsbuf, 
   8.440 -            buf + ste_buf->ste_ssid_offset,
   8.441 -            sizeof(domaintype_t),
   8.442 -	    ste_buf->ste_max_ssidrefs*ste_buf->ste_max_types);
   8.443 +    arrcpy(ssidrefsbuf, 
   8.444 +           buf + ste_buf->ste_ssid_offset,
   8.445 +           sizeof(domaintype_t),
   8.446 +           ste_buf->ste_max_ssidrefs*ste_buf->ste_max_types);
   8.447  
   8.448 -     /* 2. now re-calculate sharing decisions based on running domains; 
   8.449 -      *    this can fail if new policy is conflicting with sharing of running domains 
   8.450 -      *    now: reject violating new policy; future: adjust sharing through revoking sharing */
   8.451 -     if (ste_init_state(ste_buf, (domaintype_t *)ssidrefsbuf)) {
   8.452 -	     printk("%s: New policy conflicts with running domains. Policy load aborted.\n", __func__);
   8.453 -	     goto error_free; /* new policy conflicts with sharing of running domains */
   8.454 -     }
   8.455 -     /* 3. replace old policy (activate new policy) */
   8.456 -     ste_bin_pol.max_types = ste_buf->ste_max_types;
   8.457 -     ste_bin_pol.max_ssidrefs = ste_buf->ste_max_ssidrefs;
   8.458 -     if (ste_bin_pol.ssidrefs) 
   8.459 -	     xfree(ste_bin_pol.ssidrefs);
   8.460 -     ste_bin_pol.ssidrefs = (domaintype_t *)ssidrefsbuf;
   8.461 +    /* 2. now re-calculate sharing decisions based on running domains; 
   8.462 +     *    this can fail if new policy is conflicting with sharing of running domains 
   8.463 +     *    now: reject violating new policy; future: adjust sharing through revoking sharing */
   8.464 +    if (ste_init_state(ste_buf, (domaintype_t *)ssidrefsbuf)) {
   8.465 +        printk("%s: New policy conflicts with running domains. Policy load aborted.\n", __func__);
   8.466 +        goto error_free; /* new policy conflicts with sharing of running domains */
   8.467 +    }
   8.468 +    /* 3. replace old policy (activate new policy) */
   8.469 +    ste_bin_pol.max_types = ste_buf->ste_max_types;
   8.470 +    ste_bin_pol.max_ssidrefs = ste_buf->ste_max_ssidrefs;
   8.471 +    if (ste_bin_pol.ssidrefs) 
   8.472 +        xfree(ste_bin_pol.ssidrefs);
   8.473 +    ste_bin_pol.ssidrefs = (domaintype_t *)ssidrefsbuf;
   8.474  
   8.475 -     /* clear all ste caches */
   8.476 -     read_lock(&domlist_lock);
   8.477 -     pd = &domain_list;
   8.478 -     for ( pd = &domain_list; *pd != NULL; pd = &(*pd)->next_in_list ) {
   8.479 -	 ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.480 -			 (struct acm_ssid_domain *)(*pd)->ssid);
   8.481 - 	 for (i=0; i<ACM_TE_CACHE_SIZE; i++)
   8.482 -		ste_ssid->ste_cache[i].valid = FREE;
   8.483 -     }
   8.484 -     read_unlock(&domlist_lock);
   8.485 -     return ACM_OK;
   8.486 +    /* clear all ste caches */
   8.487 +    read_lock(&domlist_lock);
   8.488 +    pd = &domain_list;
   8.489 +    for ( pd = &domain_list; *pd != NULL; pd = &(*pd)->next_in_list ) {
   8.490 +        ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.491 +                             (struct acm_ssid_domain *)(*pd)->ssid);
   8.492 +        for (i=0; i<ACM_TE_CACHE_SIZE; i++)
   8.493 +            ste_ssid->ste_cache[i].valid = FREE;
   8.494 +    }
   8.495 +    read_unlock(&domlist_lock);
   8.496 +    return ACM_OK;
   8.497  
   8.498 -error_free:
   8.499 -	printk("%s: ERROR setting policy.\n", __func__);
   8.500 -	if (ssidrefsbuf != NULL) xfree(ssidrefsbuf);
   8.501 -	return -EFAULT;
   8.502 + error_free:
   8.503 +    printk("%s: ERROR setting policy.\n", __func__);
   8.504 +    if (ssidrefsbuf != NULL) xfree(ssidrefsbuf);
   8.505 +    return -EFAULT;
   8.506  }
   8.507  
   8.508  static int 
   8.509 @@ -337,41 +347,6 @@ ste_dump_stats(u8 *buf, u16 buf_len)
   8.510  {
   8.511      struct acm_ste_stats_buffer stats;
   8.512  
   8.513 -#ifdef ACM_DEBUG
   8.514 -    int i;
   8.515 -    struct ste_ssid *ste_ssid;
   8.516 -    struct domain **pd;
   8.517 -
   8.518 -    printk("ste: Decision caches:\n");
   8.519 -    /* go through all domains and adjust policy as if this domain was started now */
   8.520 -    read_lock(&domlist_lock); /* go by domain? or directly by global? event/grant list */
   8.521 -    pd = &domain_list;
   8.522 -    for ( pd = &domain_list; *pd != NULL; pd = &(*pd)->next_in_list ) {
   8.523 -        printk("ste: Cache Domain %02x.\n", (*pd)->domain_id);
   8.524 -	ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.525 -			 (struct acm_ssid_domain *)(*pd)->ssid);
   8.526 -	for (i=0; i<ACM_TE_CACHE_SIZE; i++)
   8.527 -		printk("\t\tcache[%02x] = %s, domid=%x.\n", i,
   8.528 -		       (ste_ssid->ste_cache[i].valid == VALID) ? 
   8.529 -		       "VALID" : "FREE",
   8.530 -		       (ste_ssid->ste_cache[i].valid == VALID) ? 
   8.531 -		       ste_ssid->ste_cache[i].id : 0xffffffff);
   8.532 -    }
   8.533 -    read_unlock(&domlist_lock);
   8.534 -    /* init stats */
   8.535 -    printk("STE-Policy Security Hook Statistics:\n");
   8.536 -    printk("ste: event_channel eval_count      = %x\n", atomic_read(&(ste_bin_pol.ec_eval_count)));
   8.537 -    printk("ste: event_channel denied_count    = %x\n", atomic_read(&(ste_bin_pol.ec_denied_count))); 
   8.538 -    printk("ste: event_channel cache_hit_count = %x\n", atomic_read(&(ste_bin_pol.ec_cachehit_count)));
   8.539 -    printk("ste:\n");
   8.540 -    printk("ste: grant_table   eval_count      = %x\n", atomic_read(&(ste_bin_pol.gt_eval_count)));
   8.541 -    printk("ste: grant_table   denied_count    = %x\n", atomic_read(&(ste_bin_pol.gt_denied_count))); 
   8.542 -    printk("ste: grant_table   cache_hit_count = %x\n", atomic_read(&(ste_bin_pol.gt_cachehit_count)));
   8.543 -#endif
   8.544 -
   8.545 -    if (buf_len < sizeof(struct acm_ste_stats_buffer))
   8.546 -	    return -ENOMEM;
   8.547 -
   8.548      /* now send the hook counts to user space */
   8.549      stats.ec_eval_count = htonl(atomic_read(&ste_bin_pol.ec_eval_count));
   8.550      stats.gt_eval_count = htonl(atomic_read(&ste_bin_pol.gt_eval_count));
   8.551 @@ -379,6 +354,10 @@ ste_dump_stats(u8 *buf, u16 buf_len)
   8.552      stats.gt_denied_count = htonl(atomic_read(&ste_bin_pol.gt_denied_count)); 
   8.553      stats.ec_cachehit_count = htonl(atomic_read(&ste_bin_pol.ec_cachehit_count));
   8.554      stats.gt_cachehit_count = htonl(atomic_read(&ste_bin_pol.gt_cachehit_count));
   8.555 +
   8.556 +    if (buf_len < sizeof(struct acm_ste_stats_buffer))
   8.557 +        return -ENOMEM;
   8.558 +
   8.559      memcpy(buf, &stats, sizeof(struct acm_ste_stats_buffer));
   8.560      return sizeof(struct acm_ste_stats_buffer);
   8.561  }
   8.562 @@ -392,12 +371,12 @@ ste_dump_ssid_types(ssidref_t ssidref, u
   8.563      if (ste_bin_pol.max_types > len)
   8.564          return -EFAULT;
   8.565  
   8.566 -	if (ssidref >= ste_bin_pol.max_ssidrefs)
   8.567 -		return -EFAULT;
   8.568 +    if (ssidref >= ste_bin_pol.max_ssidrefs)
   8.569 +        return -EFAULT;
   8.570  
   8.571      /* read types for chwall ssidref */
   8.572      for(i=0; i< ste_bin_pol.max_types; i++) {
   8.573 -		if (ste_bin_pol.ssidrefs[ssidref * ste_bin_pol.max_types + i])
   8.574 +        if (ste_bin_pol.ssidrefs[ssidref * ste_bin_pol.max_types + i])
   8.575              buf[i] = 1;
   8.576          else
   8.577              buf[i] = 0;
   8.578 @@ -409,40 +388,40 @@ ste_dump_ssid_types(ssidref_t ssidref, u
   8.579   * returns 1 == cache hit */
   8.580  static int inline
   8.581  check_cache(struct domain *dom, domid_t rdom) {
   8.582 -	struct ste_ssid *ste_ssid;
   8.583 -	int i;
   8.584 +    struct ste_ssid *ste_ssid;
   8.585 +    int i;
   8.586  
   8.587 -	printkd("checking cache: %x --> %x.\n", dom->domain_id, rdom);
   8.588 -	ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.589 -			 (struct acm_ssid_domain *)(dom)->ssid);
   8.590 +    printkd("checking cache: %x --> %x.\n", dom->domain_id, rdom);
   8.591 +    ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.592 +                         (struct acm_ssid_domain *)(dom)->ssid);
   8.593  
   8.594 -	for(i=0; i< ACM_TE_CACHE_SIZE; i++) {
   8.595 -		if ((ste_ssid->ste_cache[i].valid == VALID) &&
   8.596 -		    (ste_ssid->ste_cache[i].id == rdom)) {
   8.597 -			printkd("cache hit (entry %x, id= %x!\n", i, ste_ssid->ste_cache[i].id);
   8.598 -			return 1;
   8.599 -		}
   8.600 -	}
   8.601 -	return 0;
   8.602 +    for(i=0; i< ACM_TE_CACHE_SIZE; i++) {
   8.603 +        if ((ste_ssid->ste_cache[i].valid == VALID) &&
   8.604 +            (ste_ssid->ste_cache[i].id == rdom)) {
   8.605 +            printkd("cache hit (entry %x, id= %x!\n", i, ste_ssid->ste_cache[i].id);
   8.606 +            return 1;
   8.607 +        }
   8.608 +    }
   8.609 +    return 0;
   8.610  }
   8.611  
   8.612  
   8.613  /* we only get here if there is NO entry yet; no duplication check! */
   8.614  static void inline
   8.615  cache_result(struct domain *subj, struct domain *obj) {
   8.616 -	struct ste_ssid *ste_ssid;
   8.617 -	int i;
   8.618 -	printkd("caching from doms: %x --> %x.\n", subj->domain_id, obj->domain_id);
   8.619 -	ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.620 -			 (struct acm_ssid_domain *)(subj)->ssid);
   8.621 -	for(i=0; i< ACM_TE_CACHE_SIZE; i++)
   8.622 -		if (ste_ssid->ste_cache[i].valid == FREE)
   8.623 -			break;
   8.624 -	if (i< ACM_TE_CACHE_SIZE) {
   8.625 -		ste_ssid->ste_cache[i].valid = VALID;
   8.626 -		ste_ssid->ste_cache[i].id = obj->domain_id;
   8.627 -	} else
   8.628 -		printk ("Cache of dom %x is full!\n", subj->domain_id);
   8.629 +    struct ste_ssid *ste_ssid;
   8.630 +    int i;
   8.631 +    printkd("caching from doms: %x --> %x.\n", subj->domain_id, obj->domain_id);
   8.632 +    ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.633 +                         (struct acm_ssid_domain *)(subj)->ssid);
   8.634 +    for(i=0; i< ACM_TE_CACHE_SIZE; i++)
   8.635 +        if (ste_ssid->ste_cache[i].valid == FREE)
   8.636 +            break;
   8.637 +    if (i< ACM_TE_CACHE_SIZE) {
   8.638 +        ste_ssid->ste_cache[i].valid = VALID;
   8.639 +        ste_ssid->ste_cache[i].id = obj->domain_id;
   8.640 +    } else
   8.641 +        printk ("Cache of dom %x is full!\n", subj->domain_id);
   8.642  }
   8.643  
   8.644  /* deletes entries for domain 'id' from all caches (re-use) */
   8.645 @@ -458,12 +437,12 @@ clean_id_from_cache(domid_t id)
   8.646      read_lock(&domlist_lock); /* look through caches of all domains */
   8.647      pd = &domain_list;
   8.648      for ( pd = &domain_list; *pd != NULL; pd = &(*pd)->next_in_list ) {
   8.649 -	ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.650 -			 (struct acm_ssid_domain *)(*pd)->ssid);
   8.651 -	for (i=0; i<ACM_TE_CACHE_SIZE; i++)
   8.652 -	    if ((ste_ssid->ste_cache[i].valid == VALID) &&
   8.653 -		(ste_ssid->ste_cache[i].id = id))
   8.654 -		    ste_ssid->ste_cache[i].valid = FREE;
   8.655 +        ste_ssid = GET_SSIDP(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
   8.656 +                             (struct acm_ssid_domain *)(*pd)->ssid);
   8.657 +        for (i=0; i<ACM_TE_CACHE_SIZE; i++)
   8.658 +            if ((ste_ssid->ste_cache[i].valid == VALID) &&
   8.659 +                (ste_ssid->ste_cache[i].id = id))
   8.660 +                ste_ssid->ste_cache[i].valid = FREE;
   8.661      }
   8.662      read_unlock(&domlist_lock);
   8.663  }
   8.664 @@ -482,15 +461,15 @@ ste_pre_domain_create(void *subject_ssid
   8.665      read_lock(&acm_bin_pol_rwlock);
   8.666      ste_ssidref = GET_SSIDREF(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, ssidref);
   8.667      if (ste_ssidref == ACM_DEFAULT_LOCAL_SSID) {
   8.668 -	printk("%s: ERROR STE SSID is NOT SET but policy enforced.\n", __func__);
   8.669 -	read_unlock(&acm_bin_pol_rwlock);
   8.670 -	return ACM_ACCESS_DENIED; /* catching and indicating config error */
   8.671 +        printk("%s: ERROR STE SSID is NOT SET but policy enforced.\n", __func__);
   8.672 +        read_unlock(&acm_bin_pol_rwlock);
   8.673 +        return ACM_ACCESS_DENIED; /* catching and indicating config error */
   8.674      }
   8.675      if (ste_ssidref >= ste_bin_pol.max_ssidrefs) {
   8.676 -	printk("%s: ERROR ste_ssidref > max(%x).\n", 
   8.677 -	       __func__, ste_bin_pol.max_ssidrefs-1);
   8.678 -	read_unlock(&acm_bin_pol_rwlock);
   8.679 -	return ACM_ACCESS_DENIED;
   8.680 +        printk("%s: ERROR ste_ssidref > max(%x).\n", 
   8.681 +               __func__, ste_bin_pol.max_ssidrefs-1);
   8.682 +        read_unlock(&acm_bin_pol_rwlock);
   8.683 +        return ACM_ACCESS_DENIED;
   8.684      }
   8.685      read_unlock(&acm_bin_pol_rwlock);
   8.686      return ACM_ACCESS_PERMITTED;
   8.687 @@ -506,163 +485,193 @@ ste_post_domain_destroy(void *subject_ss
   8.688  /* -------- EVENTCHANNEL OPERATIONS -----------*/
   8.689  static int
   8.690  ste_pre_eventchannel_unbound(domid_t id) {
   8.691 -	struct domain *subj, *obj;
   8.692 -	int ret;
   8.693 -	traceprintk("%s: dom%x-->dom%x.\n", 
   8.694 -		    __func__, current->domain->domain_id, id);
   8.695 +    struct domain *subj, *obj;
   8.696 +    int ret;
   8.697 +    traceprintk("%s: dom%x-->dom%x.\n", 
   8.698 +                __func__, current->domain->domain_id, id);
   8.699  
   8.700 -	if (check_cache(current->domain, id)) {
   8.701 -		atomic_inc(&ste_bin_pol.ec_cachehit_count);
   8.702 -		return ACM_ACCESS_PERMITTED;
   8.703 -	}
   8.704 -	atomic_inc(&ste_bin_pol.ec_eval_count);
   8.705 -	subj = current->domain;
   8.706 -	obj = find_domain_by_id(id);
   8.707 +    if (check_cache(current->domain, id)) {
   8.708 +        atomic_inc(&ste_bin_pol.ec_cachehit_count);
   8.709 +        return ACM_ACCESS_PERMITTED;
   8.710 +    }
   8.711 +    atomic_inc(&ste_bin_pol.ec_eval_count);
   8.712 +    subj = current->domain;
   8.713 +    obj = find_domain_by_id(id);
   8.714  
   8.715 -	if (share_common_type(subj, obj)) {
   8.716 -		cache_result(subj, obj);
   8.717 -		ret = ACM_ACCESS_PERMITTED;
   8.718 -	} else {
   8.719 -		atomic_inc(&ste_bin_pol.ec_denied_count); 
   8.720 -		ret = ACM_ACCESS_DENIED;	
   8.721 -	}
   8.722 -	if (obj != NULL)
   8.723 -		put_domain(obj);
   8.724 -	return ret;
   8.725 +    if (share_common_type(subj, obj)) {
   8.726 +        cache_result(subj, obj);
   8.727 +        ret = ACM_ACCESS_PERMITTED;
   8.728 +    } else {
   8.729 +        atomic_inc(&ste_bin_pol.ec_denied_count); 
   8.730 +        ret = ACM_ACCESS_DENIED; 
   8.731 +    }
   8.732 +    if (obj != NULL)
   8.733 +        put_domain(obj);
   8.734 +    return ret;
   8.735  }
   8.736  
   8.737  static int
   8.738  ste_pre_eventchannel_interdomain(domid_t id1, domid_t id2)
   8.739  {
   8.740 -	struct domain *subj, *obj;
   8.741 -	int ret;
   8.742 -	traceprintk("%s: dom%x-->dom%x.\n", __func__,
   8.743 -		    (id1 == DOMID_SELF) ? current->domain->domain_id : id1,
   8.744 -		    (id2 == DOMID_SELF) ? current->domain->domain_id : id2);
   8.745 +    struct domain *subj, *obj;
   8.746 +    int ret;
   8.747 +    traceprintk("%s: dom%x-->dom%x.\n", __func__,
   8.748 +                (id1 == DOMID_SELF) ? current->domain->domain_id : id1,
   8.749 +                (id2 == DOMID_SELF) ? current->domain->domain_id : id2);
   8.750  
   8.751 -	/* following is a bit longer but ensures that we
   8.752 -         * "put" only domains that we where "find"-ing 
   8.753 -	 */
   8.754 -	if (id1 == DOMID_SELF) id1 = current->domain->domain_id;
   8.755 -	if (id2 == DOMID_SELF) id2 = current->domain->domain_id;
   8.756 +    /* following is a bit longer but ensures that we
   8.757 +     * "put" only domains that we where "find"-ing 
   8.758 +     */
   8.759 +    if (id1 == DOMID_SELF) id1 = current->domain->domain_id;
   8.760 +    if (id2 == DOMID_SELF) id2 = current->domain->domain_id;
   8.761  
   8.762 -	subj = find_domain_by_id(id1);
   8.763 -	obj  = find_domain_by_id(id2);
   8.764 -	if ((subj == NULL) || (obj == NULL)) {
   8.765 -		ret = ACM_ACCESS_DENIED;
   8.766 -		goto out;
   8.767 -	}
   8.768 -	/* cache check late, but evtchn is not on performance critical path */
   8.769 -	if (check_cache(subj, obj->domain_id)) {
   8.770 -		atomic_inc(&ste_bin_pol.ec_cachehit_count);
   8.771 -		ret = ACM_ACCESS_PERMITTED;
   8.772 -		goto out;
   8.773 -	}
   8.774 -	atomic_inc(&ste_bin_pol.ec_eval_count);
   8.775 +    subj = find_domain_by_id(id1);
   8.776 +    obj  = find_domain_by_id(id2);
   8.777 +    if ((subj == NULL) || (obj == NULL)) {
   8.778 +        ret = ACM_ACCESS_DENIED;
   8.779 +        goto out;
   8.780 +    }
   8.781 +    /* cache check late, but evtchn is not on performance critical path */
   8.782 +    if (check_cache(subj, obj->domain_id)) {
   8.783 +        atomic_inc(&ste_bin_pol.ec_cachehit_count);
   8.784 +        ret = ACM_ACCESS_PERMITTED;
   8.785 +        goto out;
   8.786 +    }
   8.787 +    atomic_inc(&ste_bin_pol.ec_eval_count);
   8.788  
   8.789 -	if (share_common_type(subj, obj)) {
   8.790 -		cache_result(subj, obj);
   8.791 -		ret = ACM_ACCESS_PERMITTED;
   8.792 -	} else {
   8.793 -		atomic_inc(&ste_bin_pol.ec_denied_count); 
   8.794 -		ret = ACM_ACCESS_DENIED;	
   8.795 -	}
   8.796 +    if (share_common_type(subj, obj)) {
   8.797 +        cache_result(subj, obj);
   8.798 +        ret = ACM_ACCESS_PERMITTED;
   8.799 +    } else {
   8.800 +        atomic_inc(&ste_bin_pol.ec_denied_count); 
   8.801 +        ret = ACM_ACCESS_DENIED; 
   8.802 +    }
   8.803   out:
   8.804 -	if (obj != NULL)
   8.805 -		put_domain(obj);
   8.806 -	if (subj != NULL)
   8.807 -		put_domain(subj);
   8.808 -	return ret;
   8.809 +    if (obj != NULL)
   8.810 +        put_domain(obj);
   8.811 +    if (subj != NULL)
   8.812 +        put_domain(subj);
   8.813 +    return ret;
   8.814  }
   8.815  
   8.816  /* -------- SHARED MEMORY OPERATIONS -----------*/
   8.817  
   8.818  static int
   8.819  ste_pre_grant_map_ref (domid_t id) {
   8.820 -	struct domain *obj, *subj;
   8.821 -	int ret;
   8.822 -	traceprintk("%s: dom%x-->dom%x.\n", __func__,
   8.823 -		    current->domain->domain_id, id);
   8.824 +    struct domain *obj, *subj;
   8.825 +    int ret;
   8.826 +    traceprintk("%s: dom%x-->dom%x.\n", __func__,
   8.827 +                current->domain->domain_id, id);
   8.828  
   8.829 -	if (check_cache(current->domain, id)) {
   8.830 -		atomic_inc(&ste_bin_pol.gt_cachehit_count);
   8.831 -		return ACM_ACCESS_PERMITTED;
   8.832 -	}
   8.833 -	atomic_inc(&ste_bin_pol.gt_eval_count);
   8.834 -	subj = current->domain;
   8.835 -	obj = find_domain_by_id(id);
   8.836 +    if (check_cache(current->domain, id)) {
   8.837 +        atomic_inc(&ste_bin_pol.gt_cachehit_count);
   8.838 +        return ACM_ACCESS_PERMITTED;
   8.839 +    }
   8.840 +    atomic_inc(&ste_bin_pol.gt_eval_count);
   8.841 +    subj = current->domain;
   8.842 +    obj = find_domain_by_id(id);
   8.843  
   8.844 -	if (share_common_type(subj, obj)) {
   8.845 -		cache_result(subj, obj);
   8.846 -		ret = ACM_ACCESS_PERMITTED;
   8.847 -	} else {
   8.848 -		atomic_inc(&ste_bin_pol.gt_denied_count); 
   8.849 -		printkd("%s: ACCESS DENIED!\n", __func__);
   8.850 -		ret = ACM_ACCESS_DENIED;	
   8.851 -	}
   8.852 -	if (obj != NULL)
   8.853 -		put_domain(obj);
   8.854 -	return ret;
   8.855 +    if (share_common_type(subj, obj)) {
   8.856 +        cache_result(subj, obj);
   8.857 +        ret = ACM_ACCESS_PERMITTED;
   8.858 +    } else {
   8.859 +        atomic_inc(&ste_bin_pol.gt_denied_count); 
   8.860 +        printkd("%s: ACCESS DENIED!\n", __func__);
   8.861 +        ret = ACM_ACCESS_DENIED; 
   8.862 +    }
   8.863 +    if (obj != NULL)
   8.864 +        put_domain(obj);
   8.865 +    return ret;
   8.866  }
   8.867  
   8.868 +
   8.869  /* since setting up grant tables involves some implicit information
   8.870     flow from the creating domain to the domain that is setup, we 
   8.871     check types in addition to the general authorization */
   8.872  static int
   8.873  ste_pre_grant_setup (domid_t id) {
   8.874 -	struct domain *obj, *subj;
   8.875 -	int ret;
   8.876 -	traceprintk("%s: dom%x-->dom%x.\n", __func__,
   8.877 -		    current->domain->domain_id, id);
   8.878 +    struct domain *obj, *subj;
   8.879 +    int ret;
   8.880 +    traceprintk("%s: dom%x-->dom%x.\n", __func__,
   8.881 +                current->domain->domain_id, id);
   8.882 +
   8.883 +    if (check_cache(current->domain, id)) {
   8.884 +        atomic_inc(&ste_bin_pol.gt_cachehit_count);
   8.885 +        return ACM_ACCESS_PERMITTED;
   8.886 +    }
   8.887 +    atomic_inc(&ste_bin_pol.gt_eval_count);
   8.888 +    /* a) check authorization (eventually use specific capabilities) */
   8.889 +    if (!IS_PRIV(current->domain)) {
   8.890 +        printk("%s: Grant table management authorization denied ERROR!\n", __func__);
   8.891 +        return ACM_ACCESS_DENIED;
   8.892 +    }
   8.893 +    /* b) check types */
   8.894 +    subj = current->domain;
   8.895 +    obj = find_domain_by_id(id);
   8.896  
   8.897 -	if (check_cache(current->domain, id)) {
   8.898 -		atomic_inc(&ste_bin_pol.gt_cachehit_count);
   8.899 -		return ACM_ACCESS_PERMITTED;
   8.900 -	}
   8.901 -	atomic_inc(&ste_bin_pol.gt_eval_count);
   8.902 -	/* a) check authorization (eventually use specific capabilities) */
   8.903 -	if (!IS_PRIV(current->domain)) {
   8.904 -		printk("%s: Grant table management authorization denied ERROR!\n", __func__);
   8.905 -		return ACM_ACCESS_DENIED;
   8.906 -	}
   8.907 -	/* b) check types */
   8.908 -	subj = current->domain;
   8.909 -	obj = find_domain_by_id(id);
   8.910 +    if (share_common_type(subj, obj)) {
   8.911 +        cache_result(subj, obj);
   8.912 +        ret = ACM_ACCESS_PERMITTED;
   8.913 +    } else {
   8.914 +        atomic_inc(&ste_bin_pol.gt_denied_count); 
   8.915 +        ret = ACM_ACCESS_DENIED; 
   8.916 +    }
   8.917 +    if (obj != NULL)
   8.918 +        put_domain(obj);
   8.919 +    return ret;
   8.920 +}
   8.921  
   8.922 -	if (share_common_type(subj, obj)) {
   8.923 -		cache_result(subj, obj);
   8.924 -		ret = ACM_ACCESS_PERMITTED;
   8.925 -	} else {
   8.926 -		atomic_inc(&ste_bin_pol.gt_denied_count); 
   8.927 -		ret = ACM_ACCESS_DENIED;	
   8.928 -	}
   8.929 -	if (obj != NULL)
   8.930 -		put_domain(obj);
   8.931 -	return ret;
   8.932 +/* -------- DOMAIN-Requested Decision hooks -----------*/
   8.933 +
   8.934 +static int
   8.935 +ste_sharing(ssidref_t ssidref1, ssidref_t ssidref2) {
   8.936 +    if (have_common_type (
   8.937 +        GET_SSIDREF(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, ssidref1),
   8.938 +        GET_SSIDREF(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, ssidref2)
   8.939 +        ))
   8.940 +        return ACM_ACCESS_PERMITTED;
   8.941 +    else
   8.942 +        return ACM_ACCESS_DENIED;
   8.943  }
   8.944  
   8.945 +
   8.946  /* now define the hook structure similarly to LSM */
   8.947  struct acm_operations acm_simple_type_enforcement_ops = {
   8.948 -	/* policy management services */
   8.949 -	.init_domain_ssid		= ste_init_domain_ssid,
   8.950 -	.free_domain_ssid		= ste_free_domain_ssid,
   8.951 -	.dump_binary_policy     = ste_dump_policy,
   8.952 -	.set_binary_policy      = ste_set_policy,
   8.953 -	.dump_statistics		= ste_dump_stats,
   8.954 +
   8.955 +    /* policy management services */
   8.956 +    .init_domain_ssid  = ste_init_domain_ssid,
   8.957 +    .free_domain_ssid  = ste_free_domain_ssid,
   8.958 +    .dump_binary_policy     = ste_dump_policy,
   8.959 +    .set_binary_policy      = ste_set_policy,
   8.960 +    .dump_statistics  = ste_dump_stats,
   8.961      .dump_ssid_types        = ste_dump_ssid_types,
   8.962 -	/* domain management control hooks */
   8.963 -	.pre_domain_create     		= ste_pre_domain_create,
   8.964 -	.post_domain_create	    = NULL,
   8.965 -	.fail_domain_create     = NULL,
   8.966 -	.post_domain_destroy    = ste_post_domain_destroy,
   8.967 -	/* event channel control hooks */
   8.968 -	.pre_eventchannel_unbound   = ste_pre_eventchannel_unbound,
   8.969 -	.fail_eventchannel_unbound	= NULL,
   8.970 -	.pre_eventchannel_interdomain	= ste_pre_eventchannel_interdomain,
   8.971 -	.fail_eventchannel_interdomain  = NULL,
   8.972 -	/* grant table control hooks */
   8.973 -	.pre_grant_map_ref      = ste_pre_grant_map_ref,
   8.974 -	.fail_grant_map_ref     = NULL,
   8.975 -	.pre_grant_setup        = ste_pre_grant_setup,
   8.976 -	.fail_grant_setup       = NULL,
   8.977 +
   8.978 +    /* domain management control hooks */
   8.979 +    .pre_domain_create       = ste_pre_domain_create,
   8.980 +    .post_domain_create     = NULL,
   8.981 +    .fail_domain_create     = NULL,
   8.982 +    .post_domain_destroy    = ste_post_domain_destroy,
   8.983 +
   8.984 +    /* event channel control hooks */
   8.985 +    .pre_eventchannel_unbound   = ste_pre_eventchannel_unbound,
   8.986 +    .fail_eventchannel_unbound = NULL,
   8.987 +    .pre_eventchannel_interdomain = ste_pre_eventchannel_interdomain,
   8.988 +    .fail_eventchannel_interdomain  = NULL,
   8.989 +
   8.990 +    /* grant table control hooks */
   8.991 +    .pre_grant_map_ref      = ste_pre_grant_map_ref,
   8.992 +    .fail_grant_map_ref     = NULL,
   8.993 +    .pre_grant_setup        = ste_pre_grant_setup,
   8.994 +    .fail_grant_setup       = NULL,
   8.995 +    .sharing                = ste_sharing,
   8.996  };
   8.997 +
   8.998 +/*
   8.999 + * Local variables:
  8.1000 + * mode: C
  8.1001 + * c-set-style: "BSD"
  8.1002 + * c-basic-offset: 4
  8.1003 + * tab-width: 4
  8.1004 + * indent-tabs-mode: nil
  8.1005 + * End:
  8.1006 + */
     9.1 --- a/xen/common/acm_ops.c	Thu Oct 20 19:37:41 2005 +0100
     9.2 +++ b/xen/common/acm_ops.c	Thu Oct 20 21:37:15 2005 +0100
     9.3 @@ -31,22 +31,23 @@
     9.4  
     9.5  #if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
     9.6  
     9.7 -long do_acm_op(acm_op_t * u_acm_op)
     9.8 +long do_acm_op(struct acm_op * u_acm_op)
     9.9  {
    9.10      return -ENOSYS;
    9.11  }
    9.12  
    9.13  #else
    9.14  
    9.15 -typedef enum acm_operation {
    9.16 +enum acm_operation {
    9.17      POLICY,                     /* access to policy interface (early drop) */
    9.18      GETPOLICY,                  /* dump policy cache */
    9.19      SETPOLICY,                  /* set policy cache (controls security) */
    9.20      DUMPSTATS,                  /* dump policy statistics */
    9.21 -    GETSSID                     /* retrieve ssidref for domain id */
    9.22 -} acm_operation_t;
    9.23 +    GETSSID,                    /* retrieve ssidref for domain id (decide inside authorized domains) */
    9.24 +    GETDECISION                 /* retrieve ACM decision from authorized domains */
    9.25 +};
    9.26  
    9.27 -int acm_authorize_acm_ops(struct domain *d, acm_operation_t pops)
    9.28 +int acm_authorize_acm_ops(struct domain *d, enum acm_operation pops)
    9.29  {
    9.30      /* all policy management functions are restricted to privileged domains,
    9.31       * soon we will introduce finer-grained privileges for policy operations
    9.32 @@ -59,10 +60,10 @@ int acm_authorize_acm_ops(struct domain 
    9.33      return ACM_ACCESS_PERMITTED;
    9.34  }
    9.35  
    9.36 -long do_acm_op(acm_op_t * u_acm_op)
    9.37 +long do_acm_op(struct acm_op * u_acm_op)
    9.38  {
    9.39      long ret = 0;
    9.40 -    acm_op_t curop, *op = &curop;
    9.41 +    struct acm_op curop, *op = &curop;
    9.42  
    9.43      /* check here policy decision for policy commands */
    9.44      /* for now allow DOM0 only, later indepedently    */
    9.45 @@ -78,81 +79,148 @@ long do_acm_op(acm_op_t * u_acm_op)
    9.46      switch (op->cmd)
    9.47      {
    9.48      case ACM_SETPOLICY:
    9.49 -        {
    9.50 -            if (acm_authorize_acm_ops(current->domain, SETPOLICY))
    9.51 -                return -EACCES;
    9.52 -            printkd("%s: setting policy.\n", __func__);
    9.53 -            ret = acm_set_policy(op->u.setpolicy.pushcache,
    9.54 -                                 op->u.setpolicy.pushcache_size, 1);
    9.55 -            if (ret == ACM_OK)
    9.56 -                ret = 0;
    9.57 -            else
    9.58 -                ret = -ESRCH;
    9.59 -        }
    9.60 -        break;
    9.61 +    {
    9.62 +        if (acm_authorize_acm_ops(current->domain, SETPOLICY))
    9.63 +            return -EACCES;
    9.64 +        printkd("%s: setting policy.\n", __func__);
    9.65 +        ret = acm_set_policy(op->u.setpolicy.pushcache,
    9.66 +                             op->u.setpolicy.pushcache_size, 1);
    9.67 +        if (ret == ACM_OK)
    9.68 +            ret = 0;
    9.69 +        else
    9.70 +            ret = -ESRCH;
    9.71 +    }
    9.72 +    break;
    9.73  
    9.74      case ACM_GETPOLICY:
    9.75 -        {
    9.76 -            if (acm_authorize_acm_ops(current->domain, GETPOLICY))
    9.77 -                return -EACCES;
    9.78 -            printkd("%s: getting policy.\n", __func__);
    9.79 -            ret = acm_get_policy(op->u.getpolicy.pullcache,
    9.80 -                                 op->u.getpolicy.pullcache_size);
    9.81 -            if (ret == ACM_OK)
    9.82 -                ret = 0;
    9.83 -            else
    9.84 -                ret = -ESRCH;
    9.85 -        }
    9.86 -        break;
    9.87 +    {
    9.88 +        if (acm_authorize_acm_ops(current->domain, GETPOLICY))
    9.89 +            return -EACCES;
    9.90 +        printkd("%s: getting policy.\n", __func__);
    9.91 +        ret = acm_get_policy(op->u.getpolicy.pullcache,
    9.92 +                             op->u.getpolicy.pullcache_size);
    9.93 +        if (ret == ACM_OK)
    9.94 +            ret = 0;
    9.95 +        else
    9.96 +            ret = -ESRCH;
    9.97 +    }
    9.98 +    break;
    9.99  
   9.100      case ACM_DUMPSTATS:
   9.101 -        {
   9.102 -            if (acm_authorize_acm_ops(current->domain, DUMPSTATS))
   9.103 -                return -EACCES;
   9.104 -            printkd("%s: dumping statistics.\n", __func__);
   9.105 -            ret = acm_dump_statistics(op->u.dumpstats.pullcache,
   9.106 -                                      op->u.dumpstats.pullcache_size);
   9.107 -            if (ret == ACM_OK)
   9.108 -                ret = 0;
   9.109 -            else
   9.110 -                ret = -ESRCH;
   9.111 -        }
   9.112 -        break;
   9.113 +    {
   9.114 +        if (acm_authorize_acm_ops(current->domain, DUMPSTATS))
   9.115 +            return -EACCES;
   9.116 +        printkd("%s: dumping statistics.\n", __func__);
   9.117 +        ret = acm_dump_statistics(op->u.dumpstats.pullcache,
   9.118 +                                  op->u.dumpstats.pullcache_size);
   9.119 +        if (ret == ACM_OK)
   9.120 +            ret = 0;
   9.121 +        else
   9.122 +            ret = -ESRCH;
   9.123 +    }
   9.124 +    break;
   9.125  
   9.126      case ACM_GETSSID:
   9.127 -        {
   9.128 -			ssidref_t ssidref;
   9.129 +    {
   9.130 +        ssidref_t ssidref;
   9.131  
   9.132 -            if (acm_authorize_acm_ops(current->domain, GETSSID))
   9.133 -                return -EACCES;
   9.134 +        if (acm_authorize_acm_ops(current->domain, GETSSID))
   9.135 +            return -EACCES;
   9.136 +        printkd("%s: getting SSID.\n", __func__);
   9.137 +        if (op->u.getssid.get_ssid_by == SSIDREF)
   9.138 +            ssidref = op->u.getssid.id.ssidref;
   9.139 +        else if (op->u.getssid.get_ssid_by == DOMAINID) {
   9.140 +            struct domain *subj = find_domain_by_id(op->u.getssid.id.domainid);
   9.141 +            if (!subj)
   9.142 +                return -ESRCH; /* domain not found */
   9.143  
   9.144 -			if (op->u.getssid.get_ssid_by == SSIDREF)
   9.145 -				ssidref = op->u.getssid.id.ssidref;
   9.146 -			else if (op->u.getssid.get_ssid_by == DOMAINID) {
   9.147 -				struct domain *subj = find_domain_by_id(op->u.getssid.id.domainid);
   9.148 -				if (!subj)
   9.149 -					return -ESRCH; /* domain not found */
   9.150 +            ssidref = ((struct acm_ssid_domain *)(subj->ssid))->ssidref;
   9.151 +            put_domain(subj);
   9.152 +        } else
   9.153 +            return -ESRCH;
   9.154 +
   9.155 +        ret = acm_get_ssid(ssidref,
   9.156 +                           op->u.getssid.ssidbuf,
   9.157 +                           op->u.getssid.ssidbuf_size);
   9.158 +        if (ret == ACM_OK)
   9.159 +            ret = 0;
   9.160 +        else
   9.161 +            ret = -ESRCH;
   9.162 +    }
   9.163 +    break;
   9.164 +
   9.165 +    case ACM_GETDECISION:
   9.166 +    {
   9.167 +        ssidref_t ssidref1, ssidref2;
   9.168  
   9.169 -				ssidref = ((struct acm_ssid_domain *)(subj->ssid))->ssidref;
   9.170 -				put_domain(subj);
   9.171 -			} else
   9.172 -				return -ESRCH;
   9.173 -
   9.174 -            ret = acm_get_ssid(ssidref,
   9.175 -                               op->u.getssid.ssidbuf,
   9.176 -                               op->u.getssid.ssidbuf_size);
   9.177 -            if (ret == ACM_OK)
   9.178 -                ret = 0;
   9.179 -            else
   9.180 -                ret = -ESRCH;
   9.181 +        if (acm_authorize_acm_ops(current->domain, GETDECISION)) {
   9.182 +            ret = -EACCES;
   9.183 +            goto out;
   9.184 +        }
   9.185 +        printkd("%s: getting access control decision.\n", __func__);
   9.186 +        if (op->u.getdecision.get_decision_by1 == SSIDREF) {
   9.187 +            ssidref1 = op->u.getdecision.id1.ssidref;
   9.188          }
   9.189 -        break;
   9.190 +        else if (op->u.getdecision.get_decision_by1 == DOMAINID) {
   9.191 +            struct domain *subj = find_domain_by_id(op->u.getdecision.id1.domainid);
   9.192 +            if (!subj) {
   9.193 +                ret = -ESRCH; /* domain not found */
   9.194 +                goto out;
   9.195 +            }
   9.196 +            ssidref1 = ((struct acm_ssid_domain *)(subj->ssid))->ssidref;
   9.197 +            put_domain(subj);
   9.198 +        } else {
   9.199 +            ret = -ESRCH;
   9.200 +            goto out;
   9.201 +        }
   9.202 +        if (op->u.getdecision.get_decision_by2 == SSIDREF) {
   9.203 +            ssidref2 = op->u.getdecision.id2.ssidref;
   9.204 +        }
   9.205 +        else if (op->u.getdecision.get_decision_by2 == DOMAINID) {
   9.206 +            struct domain *subj = find_domain_by_id(op->u.getdecision.id2.domainid);
   9.207 +            if (!subj) {
   9.208 +                ret = -ESRCH; /* domain not found */
   9.209 +                goto out;
   9.210 +            }
   9.211 +            ssidref2 = ((struct acm_ssid_domain *)(subj->ssid))->ssidref;
   9.212 +            put_domain(subj);
   9.213 +        } else {
   9.214 +            ret = -ESRCH;
   9.215 +            goto out;
   9.216 +        }
   9.217 +        ret = acm_get_decision(ssidref1, ssidref2, op->u.getdecision.hook);
   9.218 +    }
   9.219 +    break;
   9.220  
   9.221      default:
   9.222          ret = -ESRCH;
   9.223 +    }
   9.224  
   9.225 + out:
   9.226 +    if (ret == ACM_ACCESS_PERMITTED) {
   9.227 +        op->u.getdecision.acm_decision = ACM_ACCESS_PERMITTED;
   9.228 +        ret = 0;
   9.229 +    } else if  (ret == ACM_ACCESS_DENIED) {
   9.230 +        op->u.getdecision.acm_decision = ACM_ACCESS_DENIED;
   9.231 +        ret = 0;
   9.232 +    } else {
   9.233 +        op->u.getdecision.acm_decision = ACM_ACCESS_DENIED;
   9.234 +        if (ret > 0)
   9.235 +            ret = -ret;
   9.236      }
   9.237 +    /* copy decision back to user space */
   9.238 +    copy_to_user(u_acm_op, op, sizeof(*op));
   9.239      return ret;
   9.240  }
   9.241  
   9.242  #endif
   9.243 +
   9.244 +/*
   9.245 + * Local variables:
   9.246 + * mode: C
   9.247 + * c-set-style: "BSD"
   9.248 + * c-basic-offset: 4
   9.249 + * tab-width: 4
   9.250 + * indent-tabs-mode: nil
   9.251 + * End:
   9.252 + */
    10.1 --- a/xen/common/dom0_ops.c	Thu Oct 20 19:37:41 2005 +0100
    10.2 +++ b/xen/common/dom0_ops.c	Thu Oct 20 21:37:15 2005 +0100
    10.3 @@ -199,7 +199,7 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
    10.4          /*
    10.5           * If we're on a HT system, we only use the first HT for dom0, other 
    10.6           * domains will all share the second HT of each CPU. Since dom0 is on 
    10.7 -	     * CPU 0, we favour high numbered CPUs in the event of a tie.
    10.8 +         * CPU 0, we favour high numbered CPUs in the event of a tie.
    10.9           */
   10.10          pro = smp_num_siblings - 1;
   10.11          for ( i = pro; i < num_online_cpus(); i += smp_num_siblings )
    11.1 --- a/xen/common/sched_sedf.c	Thu Oct 20 19:37:41 2005 +0100
    11.2 +++ b/xen/common/sched_sedf.c	Thu Oct 20 21:37:15 2005 +0100
    11.3 @@ -1150,7 +1150,7 @@ void sedf_wake(struct vcpu *d) {
    11.4      inf->block_tot++;
    11.5  #endif
    11.6      if (unlikely(now < PERIOD_BEGIN(inf))) {
    11.7 -    	PRINT(4,"extratime unblock\n");
    11.8 +        PRINT(4,"extratime unblock\n");
    11.9          /* unblocking in extra-time! */
   11.10  #if (EXTRA == EXTRA_BLOCK_WEIGHT)
   11.11          if (inf->status & EXTRA_WANT_PEN_Q) {
   11.12 @@ -1459,3 +1459,13 @@ struct scheduler sched_sedf_def = {
   11.13      .wake           = sedf_wake,
   11.14      .adjdom         = sedf_adjdom,
   11.15  };
   11.16 +
   11.17 +/*
   11.18 + * Local variables:
   11.19 + * mode: C
   11.20 + * c-set-style: "BSD"
   11.21 + * c-basic-offset: 4
   11.22 + * tab-width: 4
   11.23 + * indent-tabs-mode: nil
   11.24 + * End:
   11.25 + */
    12.1 --- a/xen/include/acm/acm_core.h	Thu Oct 20 19:37:41 2005 +0100
    12.2 +++ b/xen/include/acm/acm_core.h	Thu Oct 20 21:37:15 2005 +0100
    12.3 @@ -15,6 +15,7 @@
    12.4   *    for the access control module and relevant policies
    12.5   *
    12.6   */
    12.7 +
    12.8  #ifndef _ACM_CORE_H
    12.9  #define _ACM_CORE_H
   12.10  
   12.11 @@ -25,30 +26,30 @@
   12.12  
   12.13  /* Xen-internal representation of the binary policy */
   12.14  struct acm_binary_policy {
   12.15 -	u16 primary_policy_code;
   12.16 -	u16 secondary_policy_code;
   12.17 -	void *primary_binary_policy;                                 
   12.18 -	void *secondary_binary_policy;
   12.19 -	
   12.20 +    u16 primary_policy_code;
   12.21 +    u16 secondary_policy_code;
   12.22 +    void *primary_binary_policy;                                 
   12.23 +    void *secondary_binary_policy;
   12.24 + 
   12.25  };
   12.26  
   12.27  struct chwall_binary_policy {
   12.28 -	u16 max_types;
   12.29 -	u16 max_ssidrefs;
   12.30 -	u16 max_conflictsets;
   12.31 -	domaintype_t *ssidrefs;			/* [max_ssidrefs][max_types] 	*/
   12.32 -	domaintype_t *conflict_aggregate_set; 	/* [max_types] 			*/
   12.33 -	domaintype_t *running_types; 		/* [max_types] 			*/
   12.34 -	domaintype_t *conflict_sets;		/* [max_conflictsets][max_types]*/
   12.35 +    u32 max_types;
   12.36 +    u32 max_ssidrefs;
   12.37 +    u32 max_conflictsets;
   12.38 +    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
   12.39 +    domaintype_t *conflict_aggregate_set;  /* [max_types]      */
   12.40 +    domaintype_t *running_types;    /* [max_types]      */
   12.41 +    domaintype_t *conflict_sets;   /* [max_conflictsets][max_types]*/
   12.42  };
   12.43  
   12.44  struct ste_binary_policy {
   12.45 -	u16 max_types;
   12.46 -	u16 max_ssidrefs;
   12.47 -	domaintype_t *ssidrefs;			/* [max_ssidrefs][max_types] 	*/
   12.48 -	atomic_t ec_eval_count, gt_eval_count;
   12.49 -	atomic_t ec_denied_count, gt_denied_count; 
   12.50 -	atomic_t ec_cachehit_count, gt_cachehit_count;
   12.51 +    u32 max_types;
   12.52 +    u32 max_ssidrefs;
   12.53 +    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
   12.54 +    atomic_t ec_eval_count, gt_eval_count;
   12.55 +    atomic_t ec_denied_count, gt_denied_count; 
   12.56 +    atomic_t ec_cachehit_count, gt_cachehit_count;
   12.57  };
   12.58  
   12.59  /* global acm policy */
   12.60 @@ -63,7 +64,7 @@ enum acm_datatype { DOMAIN };
   12.61  
   12.62  /* defines number of access decisions to other domains can be cached
   12.63   * one entry per domain, TE does not distinguish evtchn or grant_table */
   12.64 -#define ACM_TE_CACHE_SIZE	8
   12.65 +#define ACM_TE_CACHE_SIZE 8
   12.66  enum acm_ste_flag { VALID, FREE };
   12.67  
   12.68  /* cache line:
   12.69 @@ -72,57 +73,67 @@ enum acm_ste_flag { VALID, FREE };
   12.70   *                 on domain cache_line.id
   12.71   */
   12.72  struct acm_ste_cache_line {
   12.73 -	enum acm_ste_flag valid;
   12.74 -	domid_t id;
   12.75 +    enum acm_ste_flag valid;
   12.76 +    domid_t id;
   12.77  };
   12.78  
   12.79  /* general definition of a subject security id */
   12.80  struct acm_ssid_domain {
   12.81 -	enum acm_datatype datatype;		/* type of subject (e.g., partition) */
   12.82 -	ssidref_t	  ssidref;		/* combined security reference */
   12.83 -	void           	  *primary_ssid; 	/* primary policy ssid part (e.g. chinese wall) */
   12.84 -	void	          *secondary_ssid;  	/* secondary policy ssid part (e.g. type enforcement) */
   12.85 -	struct domain     *subject;	       	/* backpointer to subject structure */
   12.86 -	domid_t		  domainid;		/* replicate id */
   12.87 +    enum acm_datatype datatype; /* type of subject (e.g., partition) */
   12.88 +    ssidref_t ssidref;   /* combined security reference */
   12.89 +    void *primary_ssid;   /* primary policy ssid part (e.g. chinese wall) */
   12.90 +    void *secondary_ssid;    /* secondary policy ssid part (e.g. type enforcement) */
   12.91 +    struct domain *subject;     /* backpointer to subject structure */
   12.92 +    domid_t domainid;   /* replicate id */
   12.93  };
   12.94  
   12.95  /* chinese wall ssid type */
   12.96  struct chwall_ssid {
   12.97 -	ssidref_t chwall_ssidref;
   12.98 +    ssidref_t chwall_ssidref;
   12.99  };
  12.100  
  12.101  /* simple type enforcement ssid type */
  12.102  struct ste_ssid {
  12.103 -	ssidref_t ste_ssidref;
  12.104 -	struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache */
  12.105 +    ssidref_t ste_ssidref;
  12.106 +    struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache */
  12.107  };
  12.108  
  12.109  /* macros to access ssidref for primary / secondary policy 
  12.110 - *	primary ssidref   = lower 16 bit
  12.111 - *      secondary ssidref = higher 16 bit
  12.112 + * primary ssidref   = lower 16 bit
  12.113 + *  secondary ssidref = higher 16 bit
  12.114   */
  12.115  #define ACM_PRIMARY(ssidref) \
  12.116 -	((ssidref) & 0xffff)
  12.117 + ((ssidref) & 0xffff)
  12.118  
  12.119  #define ACM_SECONDARY(ssidref) \
  12.120 -	((ssidref) >> 16)
  12.121 + ((ssidref) >> 16)
  12.122  
  12.123  #define GET_SSIDREF(POLICY, ssidref) \
  12.124 -	((POLICY) == acm_bin_pol.primary_policy_code) ? \
  12.125 -	ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref)
  12.126 + ((POLICY) == acm_bin_pol.primary_policy_code) ? \
  12.127 + ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref)
  12.128  
  12.129  /* macros to access ssid pointer for primary / secondary policy */
  12.130  #define GET_SSIDP(POLICY, ssid) \
  12.131 -	((POLICY) == acm_bin_pol.primary_policy_code) ? \
  12.132 -	((ssid)->primary_ssid) : ((ssid)->secondary_ssid)
  12.133 + ((POLICY) == acm_bin_pol.primary_policy_code) ? \
  12.134 + ((ssid)->primary_ssid) : ((ssid)->secondary_ssid)
  12.135  
  12.136  /* protos */
  12.137  int acm_init_domain_ssid(domid_t id, ssidref_t ssidref);
  12.138 -int acm_free_domain_ssid(struct acm_ssid_domain *ssid);
  12.139 -int acm_set_policy(void *buf, u16 buf_size, int isuserbuffer);
  12.140 -int acm_get_policy(void *buf, u16 buf_size);
  12.141 +void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
  12.142 +int acm_set_policy(void *buf, u32 buf_size, int isuserbuffer);
  12.143 +int acm_get_policy(void *buf, u32 buf_size);
  12.144  int acm_dump_statistics(void *buf, u16 buf_size);
  12.145  int acm_get_ssid(ssidref_t ssidref, u8 *buf, u16 buf_size);
  12.146 +int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, enum acm_hook_type hook);
  12.147  
  12.148  #endif
  12.149  
  12.150 +/*
  12.151 + * Local variables:
  12.152 + * mode: C
  12.153 + * c-set-style: "BSD"
  12.154 + * c-basic-offset: 4
  12.155 + * tab-width: 4
  12.156 + * indent-tabs-mode: nil
  12.157 + * End:
  12.158 + */
    13.1 --- a/xen/include/acm/acm_endian.h	Thu Oct 20 19:37:41 2005 +0100
    13.2 +++ b/xen/include/acm/acm_endian.h	Thu Oct 20 21:37:15 2005 +0100
    13.3 @@ -18,6 +18,7 @@
    13.4   * big-endian policy interface
    13.5   *
    13.6   */
    13.7 +
    13.8  #ifndef _ACM_ENDIAN_H
    13.9  #define _ACM_ENDIAN_H
   13.10  
   13.11 @@ -30,10 +31,10 @@ static inline u32 ntohl(u32 x)
   13.12  {
   13.13      if (little_endian)
   13.14          return 
   13.15 -	    ( (((x) >> 24) & 0xff      )| 
   13.16 -	      (((x) >>  8) & 0xff00    )| 
   13.17 -	      (((x) <<  8) & 0xff0000  )|
   13.18 -	      (((x) << 24) & 0xff000000) );
   13.19 +            ( (((x) >> 24) & 0xff      )| 
   13.20 +              (((x) >>  8) & 0xff00    )| 
   13.21 +              (((x) <<  8) & 0xff0000  )|
   13.22 +              (((x) << 24) & 0xff000000) );
   13.23      else
   13.24          return x;
   13.25  }
   13.26 @@ -42,10 +43,10 @@ static inline u16 ntohs(u16 x)
   13.27  {
   13.28      if (little_endian)
   13.29          return 
   13.30 -	    ( (((x) >> 8) & 0xff   )|
   13.31 -	      (((x) << 8) & 0xff00 ) );
   13.32 +            ( (((x) >> 8) & 0xff   )|
   13.33 +              (((x) << 8) & 0xff00 ) );
   13.34      else
   13.35 -	return x;
   13.36 +        return x;
   13.37  }
   13.38  
   13.39  #define htonl(x) ntohl(x)
   13.40 @@ -55,8 +56,8 @@ static inline void arrcpy16(u16 *dest, c
   13.41  {
   13.42      unsigned int i = 0;
   13.43      while (i < n) {
   13.44 -       	dest[i] = htons(src[i]);
   13.45 -       	i++;
   13.46 +        dest[i] = htons(src[i]);
   13.47 +        i++;
   13.48      }
   13.49  }
   13.50  
   13.51 @@ -64,8 +65,8 @@ static inline void arrcpy32(u32 *dest, c
   13.52  {
   13.53      unsigned int i = 0;
   13.54      while (i < n) {
   13.55 -	dest[i] = htonl(src[i]);
   13.56 -	i++;
   13.57 +        dest[i] = htonl(src[i]);
   13.58 +        i++;
   13.59      }
   13.60  }
   13.61  
   13.62 @@ -86,3 +87,13 @@ static inline void arrcpy(void *dest, co
   13.63  }
   13.64  
   13.65  #endif
   13.66 +
   13.67 +/*
   13.68 + * Local variables:
   13.69 + * mode: C
   13.70 + * c-set-style: "BSD"
   13.71 + * c-basic-offset: 4
   13.72 + * tab-width: 4
   13.73 + * indent-tabs-mode: nil
   13.74 + * End:
   13.75 + */
    14.1 --- a/xen/include/acm/acm_hooks.h	Thu Oct 20 19:37:41 2005 +0100
    14.2 +++ b/xen/include/acm/acm_hooks.h	Thu Oct 20 21:37:15 2005 +0100
    14.3 @@ -15,6 +15,7 @@
    14.4   *      sHype hooks that are called throughout Xen.
    14.5   * 
    14.6   */
    14.7 +
    14.8  #ifndef _ACM_HOOKS_H
    14.9  #define _ACM_HOOKS_H
   14.10  
   14.11 @@ -89,8 +90,8 @@ struct acm_operations {
   14.12      /* policy management functions (must always be defined!) */
   14.13      int  (*init_domain_ssid)           (void **ssid, ssidref_t ssidref);
   14.14      void (*free_domain_ssid)           (void *ssid);
   14.15 -    int  (*dump_binary_policy)         (u8 *buffer, u16 buf_size);
   14.16 -    int  (*set_binary_policy)          (u8 *buffer, u16 buf_size);
   14.17 +    int  (*dump_binary_policy)         (u8 *buffer, u32 buf_size);
   14.18 +    int  (*set_binary_policy)          (u8 *buffer, u32 buf_size);
   14.19      int  (*dump_statistics)            (u8 *buffer, u16 buf_size);
   14.20      int  (*dump_ssid_types)            (ssidref_t ssidref, u8 *buffer, u16 buf_size);
   14.21      /* domain management control hooks (can be NULL) */
   14.22 @@ -108,6 +109,8 @@ struct acm_operations {
   14.23      void (*fail_grant_map_ref)         (domid_t id);
   14.24      int  (*pre_grant_setup)            (domid_t id);
   14.25      void (*fail_grant_setup)           (domid_t id);
   14.26 +    /* generic domain-requested decision hooks (can be NULL) */
   14.27 +    int (*sharing)                     (ssidref_t ssidref1, ssidref_t ssidref2);
   14.28  };
   14.29  
   14.30  /* global variables */
   14.31 @@ -144,6 +147,8 @@ static inline int acm_init(unsigned int 
   14.32  { return 0; }
   14.33  static inline void acm_post_domain0_create(domid_t domid) 
   14.34  { return; }
   14.35 +static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
   14.36 +{ return 0; }
   14.37  
   14.38  #else
   14.39  
   14.40 @@ -281,7 +286,8 @@ static inline int acm_pre_event_channel(
   14.41          break;
   14.42      case EVTCHNOP_bind_interdomain:
   14.43          ret = acm_pre_eventchannel_interdomain(
   14.44 -            op->u.bind_interdomain.dom1, op->u.bind_interdomain.dom2);
   14.45 +            current->domain->domain_id,
   14.46 +            op->u.bind_interdomain.remote_dom);
   14.47          break;
   14.48      default:
   14.49          ret = 0; /* ok */
   14.50 @@ -341,6 +347,18 @@ static inline void acm_post_domain0_crea
   14.51      acm_post_domain_create(domid, ACM_DOM0_SSIDREF);
   14.52  }
   14.53  
   14.54 +static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
   14.55 +{
   14.56 +    if ((acm_primary_ops->sharing != NULL) &&
   14.57 +        acm_primary_ops->sharing(ssidref1, ssidref2))
   14.58 +        return ACM_ACCESS_DENIED;
   14.59 +    else if ((acm_secondary_ops->sharing != NULL) &&
   14.60 +             acm_secondary_ops->sharing(ssidref1, ssidref2)) {
   14.61 +        return ACM_ACCESS_DENIED;
   14.62 +    } else
   14.63 +        return ACM_ACCESS_PERMITTED;
   14.64 +}
   14.65 +
   14.66  extern int acm_init(unsigned int *initrdidx,
   14.67                      const multiboot_info_t *mbi,
   14.68                      unsigned long start);
   14.69 @@ -348,3 +366,13 @@ extern int acm_init(unsigned int *initrd
   14.70  #endif
   14.71  
   14.72  #endif
   14.73 +
   14.74 +/*
   14.75 + * Local variables:
   14.76 + * mode: C
   14.77 + * c-set-style: "BSD"
   14.78 + * c-basic-offset: 4
   14.79 + * tab-width: 4
   14.80 + * indent-tabs-mode: nil
   14.81 + * End:
   14.82 + */
    15.1 --- a/xen/include/public/acm.h	Thu Oct 20 19:37:41 2005 +0100
    15.2 +++ b/xen/include/public/acm.h	Thu Oct 20 21:37:15 2005 +0100
    15.3 @@ -52,9 +52,9 @@
    15.4  #define ACM_ERROR          -4
    15.5  
    15.6  /* External ACCESS DECISIONS */
    15.7 -#define ACM_ACCESS_PERMITTED  0
    15.8 -#define ACM_ACCESS_DENIED  -111
    15.9 -#define ACM_NULL_POINTER_ERROR  -200
   15.10 +#define ACM_ACCESS_PERMITTED        0
   15.11 +#define ACM_ACCESS_DENIED           -111
   15.12 +#define ACM_NULL_POINTER_ERROR      -200
   15.13  
   15.14  /* primary policy in lower 4 bits */
   15.15  #define ACM_NULL_POLICY 0
   15.16 @@ -84,6 +84,9 @@
   15.17  /* defines a ssid reference used by xen */
   15.18  typedef uint32_t ssidref_t;
   15.19  
   15.20 +/* hooks that are known to domains */
   15.21 +enum acm_hook_type {NONE=0, SHARING};
   15.22 +
   15.23  /* -------security policy relevant type definitions-------- */
   15.24  
   15.25  /* type identifier; compares to "equal" or "not equal" */
    16.1 --- a/xen/include/public/acm_ops.h	Thu Oct 20 19:37:41 2005 +0100
    16.2 +++ b/xen/include/public/acm_ops.h	Thu Oct 20 21:37:15 2005 +0100
    16.3 @@ -27,36 +27,36 @@
    16.4   * This makes sure that old versions of acm tools will stop working in a
    16.5   * well-defined way (rather than crashing the machine, for instance).
    16.6   */
    16.7 -#define ACM_INTERFACE_VERSION   0xAAAA0004
    16.8 +#define ACM_INTERFACE_VERSION   0xAAAA0005
    16.9  
   16.10  /************************************************************************/
   16.11  
   16.12  #define ACM_SETPOLICY         4
   16.13 -typedef struct acm_setpolicy {
   16.14 +struct acm_setpolicy {
   16.15      /* OUT variables */
   16.16      void *pushcache;
   16.17 -    uint16_t pushcache_size;
   16.18 -} acm_setpolicy_t;
   16.19 +    uint32_t pushcache_size;
   16.20 +};
   16.21  
   16.22  
   16.23  #define ACM_GETPOLICY         5
   16.24 -typedef struct acm_getpolicy {
   16.25 +struct acm_getpolicy {
   16.26      /* OUT variables */
   16.27      void *pullcache;
   16.28 -    uint16_t pullcache_size;
   16.29 -} acm_getpolicy_t;
   16.30 +    uint32_t pullcache_size;
   16.31 +};
   16.32  
   16.33  
   16.34  #define ACM_DUMPSTATS         6
   16.35 -typedef struct acm_dumpstats {
   16.36 +struct acm_dumpstats {
   16.37      void *pullcache;
   16.38 -    uint16_t pullcache_size;
   16.39 -} acm_dumpstats_t;
   16.40 +    uint32_t pullcache_size;
   16.41 +};
   16.42  
   16.43  
   16.44  #define ACM_GETSSID           7
   16.45 -enum get_type {UNSET, SSIDREF, DOMAINID};
   16.46 -typedef struct acm_getssid {
   16.47 +enum get_type {UNSET=0, SSIDREF, DOMAINID};
   16.48 +struct acm_getssid {
   16.49      enum get_type get_ssid_by;
   16.50      union {
   16.51          domaintype_t domainid;
   16.52 @@ -64,18 +64,35 @@ typedef struct acm_getssid {
   16.53      } id;
   16.54      void *ssidbuf;
   16.55      uint16_t ssidbuf_size;
   16.56 -} acm_getssid_t;
   16.57 +};
   16.58  
   16.59 -typedef struct acm_op {
   16.60 +#define ACM_GETDECISION        8
   16.61 +struct acm_getdecision {
   16.62 +    enum get_type get_decision_by1; /* in */
   16.63 +    enum get_type get_decision_by2;
   16.64 +    union {
   16.65 +        domaintype_t domainid;
   16.66 +        ssidref_t    ssidref;
   16.67 +    } id1;
   16.68 +    union {
   16.69 +        domaintype_t domainid;
   16.70 +        ssidref_t    ssidref;
   16.71 +    } id2;
   16.72 +    enum acm_hook_type hook;
   16.73 +    int acm_decision;           /* out */
   16.74 +};
   16.75 +
   16.76 +struct acm_op {
   16.77      uint32_t cmd;
   16.78      uint32_t interface_version;      /* ACM_INTERFACE_VERSION */
   16.79      union {
   16.80 -        acm_setpolicy_t setpolicy;
   16.81 -        acm_getpolicy_t getpolicy;
   16.82 -        acm_dumpstats_t dumpstats;
   16.83 -        acm_getssid_t getssid;
   16.84 +        struct acm_setpolicy setpolicy;
   16.85 +        struct acm_getpolicy getpolicy;
   16.86 +        struct acm_dumpstats dumpstats;
   16.87 +        struct acm_getssid getssid;
   16.88 +        struct acm_getdecision getdecision;
   16.89      } u;
   16.90 -} acm_op_t;
   16.91 +};
   16.92  
   16.93  #endif                          /* __XEN_PUBLIC_ACM_OPS_H__ */
   16.94