ia64/xen-unstable
changeset 16451:483329e219c9
[ACM] Remove aggregate set calculations for Domain-0
Since the pre_domain_create hook is called also for Dom-0, this
special case handling is not necessary any more.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Since the pre_domain_create hook is called also for Dom-0, this
special case handling is not necessary any more.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author | Keir Fraser <keir.fraser@citrix.com> |
---|---|
date | Sat Nov 24 13:39:13 2007 +0000 (2007-11-24) |
parents | 5e8e82e80f3b |
children | b92239112869 |
files | xen/xsm/acm/acm_chinesewall_hooks.c |
line diff
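--- a/xen/xsm/acm/acm_chinesewall_hooks.c Sat Nov 24 13:37:26 2007 +0000
+++ b/xen/xsm/acm/acm_chinesewall_hooks.c Sat Nov 24 13:39:13 2007 +0000
@@ -547,7 +547,7 @@ static int _chwall_pre_domain_create(voi
 
 static void _chwall_post_domain_create(domid_t domid, ssidref_t ssidref)
 {
- int i, j;
+ int i;
 ssidref_t chwall_ssidref;
 
 chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
@@ -556,48 +556,6 @@ static void _chwall_post_domain_create(d
 chwall_bin_pol.running_types[i] +=
 chwall_bin_pol.ssidrefs[chwall_ssidref *
 chwall_bin_pol.max_types + i];
- if ( domid )
- return;
-
- /* Xen does not call pre-create hook for DOM0;
- * to consider type conflicts of any domain with DOM0, we need
- * to adjust the conflict_aggregate for DOM0 here the same way it
- * is done for non-DOM0 domains in the pre-hook */
- printkd("%s: adjusting security state for DOM0 (ssidref=%x, chwall_ssidref=%x).\n",
- __func__, ssidref, chwall_ssidref);
-
- /* chinese wall conflict set adjustment (so that other
- * other domains simultaneously created are evaluated against this new set)*/
- for ( i = 0; i < chwall_bin_pol.max_conflictsets; i++ )
- {
- int common = 0;
- /* check if conflict_set_i and ssidref have common types */
- for ( j = 0; j < chwall_bin_pol.max_types; j++ )
- if ( chwall_bin_pol.
- conflict_sets[i * chwall_bin_pol.max_types + j]
- && chwall_bin_pol.ssidrefs[chwall_ssidref *
- chwall_bin_pol.max_types + j] )
- {
- common = 1;
- break;
- }
-
- if ( common == 0 )
- {
- /* try next conflict set */
- continue;
- }
-
- /* now add types of the conflict set to conflict_aggregate_set
- (except types in chwall_ssidref) */
- for ( j = 0; j < chwall_bin_pol.max_types; j++ )
- if ( chwall_bin_pol.
- conflict_sets[i * chwall_bin_pol.max_types + j]
- && !chwall_bin_pol.ssidrefs[chwall_ssidref *
- chwall_bin_pol.max_types + j] )
- chwall_bin_pol.conflict_aggregate_set[j]++;
- }
- return;
 }
 
 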
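Review bot: After this removal `_chwall_post_domain_create` only updates `running_types`, so Dom0's contribution to `conflict_aggregate_set` depends entirely on `_chwall_pre_domain_create` having run for domid 0. The commit message states that it does, but the pre-hook body is not visible in this diff, and nothing in the remaining function records the dependency. If Dom0 creation ever bypassed the pre-create hook again, Chinese Wall conflicts against Dom0's types would presumably go unenforced with no error or log line. I would add a comment above the `running_types` loop, for example `/* conflict_aggregate_set is adjusted in the pre-create hook for every domain, including DOM0; only running_types is updated here */`. The loop header sits between the two hunks and is not shown.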