ia64/xen-unstable

changeset 15711:6384e168f122

[ACM] Support for running unlabeled domains alongside labeled ones

Add support for running unlabeled domains alongside labeled ones, if
the policy contains a VM label with name '__UNLABELED__' and an STE
type with the same name. The ezpolicy tool has been modified to
automatically suggest a policy under which unlabeled domains can
run. The user may delete this, if this is not desired.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author kfraser@localhost.localdomain
date Mon Aug 06 10:10:34 2007 +0100 (2007-08-06)
parents 0120cca78435
children 92e43b36d211
files tools/python/xen/util/acmpolicy.py tools/python/xen/util/security.py tools/python/xen/xend/XendDomainInfo.py tools/python/xen/xend/server/blkif.py tools/python/xen/xm/main.py tools/security/xensec_ezpolicy xen/acm/acm_chinesewall_hooks.c xen/acm/acm_simple_type_enforcement_hooks.c
line diff
     1.1 --- a/tools/python/xen/util/acmpolicy.py	Fri Aug 03 12:23:03 2007 +0100
     1.2 +++ b/tools/python/xen/util/acmpolicy.py	Mon Aug 06 10:10:34 2007 +0100
     1.3 @@ -47,6 +47,9 @@ ACM_POLICY_UNDEFINED = 15
     1.4  
     1.5  ACM_SCHEMA_FILE = "/etc/xen/acm-security/policies/security_policy.xsd"
     1.6  
     1.7 +ACM_LABEL_UNLABELED = "__UNLABELED__"
     1.8 +ACM_LABEL_UNLABELED_DISPLAY = "unlabeled"
     1.9 +
    1.10  class ACMPolicy(XSPolicy):
    1.11      """
    1.12       ACMPolicy class. Implements methods for getting information from
    1.13 @@ -925,11 +928,13 @@ class ACMPolicy(XSPolicy):
    1.14              return -xsconstants.XSERR_POLICY_INCONSISTENT, "", ""
    1.15  
    1.16          vms_with_chws = []
    1.17 -        chws_by_vm = {}
    1.18 +        chws_by_vm = { ACM_LABEL_UNLABELED : [] }
    1.19          for v in vms:
    1.20              if v.has_key("chws"):
    1.21                  vms_with_chws.append(v["name"])
    1.22                  chws_by_vm[v["name"]] = v["chws"]
    1.23 +
    1.24 +
    1.25          if bootstrap in vms_with_chws:
    1.26              vms_with_chws.remove(bootstrap)
    1.27              vms_with_chws.sort()
    1.28 @@ -937,12 +942,16 @@ class ACMPolicy(XSPolicy):
    1.29          else:
    1.30              vms_with_chws.sort()
    1.31  
    1.32 +        if ACM_LABEL_UNLABELED in vms_with_chws:
    1.33 +            vms_with_chws.remove(ACM_LABEL_UNLABELED) ; # @1
    1.34 +
    1.35          vms_with_stes = []
    1.36 -        stes_by_vm = {}
    1.37 +        stes_by_vm = { ACM_LABEL_UNLABELED : [] }
    1.38          for v in vms:
    1.39              if v.has_key("stes"):
    1.40                  vms_with_stes.append(v["name"])
    1.41                  stes_by_vm[v["name"]] = v["stes"]
    1.42 +
    1.43          if bootstrap in vms_with_stes:
    1.44              vms_with_stes.remove(bootstrap)
    1.45              vms_with_stes.sort()
    1.46 @@ -950,6 +959,9 @@ class ACMPolicy(XSPolicy):
    1.47          else:
    1.48              vms_with_stes.sort()
    1.49  
    1.50 +        if ACM_LABEL_UNLABELED in vms_with_stes:
    1.51 +            vms_with_stes.remove(ACM_LABEL_UNLABELED) ; # @2
    1.52 +
    1.53          resnames = self.policy_get_resourcelabel_names()
    1.54          resnames.sort()
    1.55          stes_by_res = {}
    1.56 @@ -958,6 +970,9 @@ class ACMPolicy(XSPolicy):
    1.57              if r.has_key("stes"):
    1.58                  stes_by_res[r["name"]] = r["stes"]
    1.59  
    1.60 +        if ACM_LABEL_UNLABELED in resnames:
    1.61 +            resnames.remove(ACM_LABEL_UNLABELED)
    1.62 +
    1.63          max_chw_ssids = 1 + len(vms_with_chws)
    1.64          max_chw_types = 1 + len(vms_with_chws)
    1.65          max_ste_ssids = 1 + len(vms_with_stes) + len(resnames)
    1.66 @@ -1083,6 +1098,8 @@ class ACMPolicy(XSPolicy):
    1.67               pr_bin += "\x00"
    1.68  
    1.69          # Build chinese wall part
    1.70 +        vms_with_chws.insert(0, ACM_LABEL_UNLABELED)
    1.71 +
    1.72          cfses_names = self.policy_get_chwall_cfses_names_sorted()
    1.73          cfses = self.policy_get_chwall_cfses()
    1.74  
    1.75 @@ -1105,9 +1122,7 @@ class ACMPolicy(XSPolicy):
    1.76                                chw_running_types_offset,
    1.77                                chw_conf_agg_offset)
    1.78          chw_bin_body = ""
    1.79 -        # simulate __NULL_LABEL__
    1.80 -        for c in chws:
    1.81 -            chw_bin_body += struct.pack("!h",0)
    1.82 +
    1.83          # VMs that are listed and their chinese walls
    1.84          for v in vms_with_chws:
    1.85              for c in chws:
    1.86 @@ -1143,6 +1158,8 @@ class ACMPolicy(XSPolicy):
    1.87              chw_bin += "\x00"
    1.88  
    1.89          # Build STE part
    1.90 +        vms_with_stes.insert(0, ACM_LABEL_UNLABELED) # Took out in @2
    1.91 +
    1.92          steformat="!iiiii"
    1.93          ste_bin = struct.pack(steformat,
    1.94                                ACM_STE_VERSION,
    1.95 @@ -1152,10 +1169,7 @@ class ACMPolicy(XSPolicy):
    1.96                                struct.calcsize(steformat))
    1.97          ste_bin_body = ""
    1.98          if stes:
    1.99 -            # Simulate __NULL_LABEL__
   1.100 -            for s in stes:
   1.101 -                ste_bin_body += struct.pack("!h",0)
   1.102 -            # VMs that are listed and their chinese walls
   1.103 +            # VMs that are listed and their STE types
   1.104              for v in vms_with_stes:
   1.105                  unknown_ste |= (set(stes_by_vm[v]) - set(stes))
   1.106                  for s in stes:
     2.1 --- a/tools/python/xen/util/security.py	Fri Aug 03 12:23:03 2007 +0100
     2.2 +++ b/tools/python/xen/util/security.py	Mon Aug 06 10:10:34 2007 +0100
     2.3 @@ -155,7 +155,7 @@ def calc_dom_ssidref_from_info(info):
     2.4              ssidref = label2ssidref(vmlabel, policyname, "dom")
     2.5              return ssidref
     2.6          else:
     2.7 -            return 0
     2.8 +            return 0x0
     2.9      raise VmError("security.calc_dom_ssidref_from_info: info of type '%s'"
    2.10                    "not supported." % type(info))
    2.11  
    2.12 @@ -232,6 +232,10 @@ def ssidref2label(ssidref_var):
    2.13      else:
    2.14          err("Instance type of ssidref not supported (must be of type 'str' or 'int')")
    2.15  
    2.16 +    if ssidref == 0:
    2.17 +        from xen.util.acmpolicy import ACM_LABEL_UNLABELED
    2.18 +        return ACM_LABEL_UNLABELED
    2.19 +
    2.20      try:
    2.21          mapfile_lock()
    2.22  
    2.23 @@ -867,7 +871,7 @@ def get_domain_resources(dominfo):
    2.24                  resources[typ].append("%s:%s:%s" %
    2.25                                        (xsconstants.ACM_POLICY_ID,
    2.26                                         active_policy,
    2.27 -                                       "unlabeled"))
    2.28 +                                       ACM_LABEL_UNLABELED))
    2.29  
    2.30      return resources
    2.31  
     3.1 --- a/tools/python/xen/xend/XendDomainInfo.py	Fri Aug 03 12:23:03 2007 +0100
     3.2 +++ b/tools/python/xen/xend/XendDomainInfo.py	Mon Aug 06 10:10:34 2007 +0100
     3.3 @@ -1463,8 +1463,6 @@ class XendDomainInfo:
     3.4          ssidref = 0
     3.5          if security.on():
     3.6              ssidref = security.calc_dom_ssidref_from_info(self.info)
     3.7 -            if ssidref == 0:
     3.8 -                raise VmError('VM is not properly labeled.')
     3.9              if security.has_authorization(ssidref) == False:
    3.10                  raise VmError("VM is not authorized to run.")
    3.11  
     4.1 --- a/tools/python/xen/xend/server/blkif.py	Fri Aug 03 12:23:03 2007 +0100
     4.2 +++ b/tools/python/xen/xend/server/blkif.py	Mon Aug 06 10:10:34 2007 +0100
     4.3 @@ -73,17 +73,7 @@ class BlkifController(DevController):
     4.4              back['uuid'] = uuid
     4.5  
     4.6          if security.on():
     4.7 -            (label, ssidref, policy) = \
     4.8 -                                 security.get_res_security_details(uname)
     4.9 -            domain_label = self.vm.get_security_label()
    4.10 -            if domain_label:
    4.11 -                rc = security.res_security_check_xapi(label, ssidref, policy,
    4.12 -                                                      domain_label)
    4.13 -                if rc == 0:
    4.14 -                    raise VmError("VM's access to block device '%s' denied." %
    4.15 -                                  uname)
    4.16 -            else:
    4.17 -                raise VmError("VM must have a security label.")
    4.18 +            self.do_access_control(config, uname)
    4.19  
    4.20          devid = blkif.blkdev_name_to_number(dev)
    4.21          if devid is None:
    4.22 @@ -95,6 +85,21 @@ class BlkifController(DevController):
    4.23  
    4.24          return (devid, back, front)
    4.25  
    4.26 +    def do_access_control(self, config, uname):
    4.27 +        (label, ssidref, policy) = \
    4.28 +                             security.get_res_security_details(uname)
    4.29 +        domain_label = self.vm.get_security_label()
    4.30 +        if domain_label:
    4.31 +            rc = security.res_security_check_xapi(label, ssidref, policy,
    4.32 +                                                  domain_label)
    4.33 +            if rc == 0:
    4.34 +                raise VmError("VM's access to block device '%s' denied" %
    4.35 +                              uname)
    4.36 +        else:
    4.37 +            from xen.util.acmpolicy import ACM_LABEL_UNLABELED
    4.38 +            if label != ACM_LABEL_UNLABELED:
    4.39 +                raise VmError("VM must have a security label to access "
    4.40 +                              "block device '%s'" % uname)
    4.41  
    4.42      def reconfigureDevice(self, _, config):
    4.43          """@see DevController.reconfigureDevice"""
     5.1 --- a/tools/python/xen/xm/main.py	Fri Aug 03 12:23:03 2007 +0100
     5.2 +++ b/tools/python/xen/xm/main.py	Mon Aug 06 10:10:34 2007 +0100
     5.3 @@ -51,6 +51,7 @@ from xen.xm.opts import OptionError, Opt
     5.4  from xen.xm import console
     5.5  from xen.util.xmlrpcclient import ServerProxy
     5.6  from xen.util.security import ACMError
     5.7 +from xen.util.acmpolicy import ACM_LABEL_UNLABELED_DISPLAY
     5.8  
     5.9  import XenAPI
    5.10  
    5.11 @@ -947,7 +948,7 @@ def xm_label_list(doms):
    5.12          d = parse_doms_info(dom)
    5.13          if security.active_policy not in ['INACTIVE', 'NULL', 'DEFAULT']:
    5.14              if not d['seclabel']:
    5.15 -                d['seclabel'] = 'ERROR'
    5.16 +                d['seclabel'] = ACM_LABEL_UNLABELED_DISPLAY
    5.17          elif security.active_policy in ['DEFAULT']:
    5.18              d['seclabel'] = 'DEFAULT'
    5.19          else:
     6.1 --- a/tools/security/xensec_ezpolicy	Fri Aug 03 12:23:03 2007 +0100
     6.2 +++ b/tools/security/xensec_ezpolicy	Mon Aug 06 10:10:34 2007 +0100
     6.3 @@ -36,6 +36,8 @@ conflict_bmp = None
     6.4  realm_icon = None
     6.5  workload_icon = None
     6.6  
     6.7 +ACM_LABEL_UNLABELED = '__UNLABELED__'
     6.8 +
     6.9  class orgTreeCtrl(wx.TreeCtrl):
    6.10  
    6.11      event = None
    6.12 @@ -870,7 +872,8 @@ class ezFrame(wx.Frame):
    6.13              self.realm_menu.Enable(self.ID_ORGDEL, True)
    6.14              self.realm_menu.Enable(self.ID_ORGEDT, True)
    6.15              self.realm_menu.Enable(self.ID_ORGADD, True)
    6.16 -            if len(self.orgs.GetSelections()) > 1:
    6.17 +            if len(self.orgs.GetSelections()) > 1 or \
    6.18 +               ACM_LABEL_UNLABELED == self.orgs.GetItemText(item):
    6.19                  self.realm_menu.Enable(self.ID_ORGEDT, False)
    6.20                  self.realm_menu.Enable(self.ID_ORGADD, False)
    6.21              self.PopupMenu(self.realm_menu)
    6.22 @@ -1622,6 +1625,8 @@ def main():
    6.23      app = ezApp(0)
    6.24      if len(sys.argv) in [2]:
    6.25          app.Load(sys.argv[1])
    6.26 +    else:
    6.27 +        dict2org({'orgs' : [[ACM_LABEL_UNLABELED,[]]], 'cons': []})
    6.28      app.MainLoop()
    6.29      print "Goodbye"
    6.30  
     7.1 --- a/xen/acm/acm_chinesewall_hooks.c	Fri Aug 03 12:23:03 2007 +0100
     7.2 +++ b/xen/acm/acm_chinesewall_hooks.c	Mon Aug 06 10:10:34 2007 +0100
     7.3 @@ -93,6 +93,7 @@ int acm_init_chwall_policy(void)
     7.4      return ACM_OK;
     7.5  }
     7.6  
     7.7 +
     7.8  static int chwall_init_domain_ssid(void **chwall_ssid, ssidref_t ssidref)
     7.9  {
    7.10      struct chwall_ssid *chwall_ssidp = xmalloc(struct chwall_ssid);
    7.11 @@ -104,10 +105,10 @@ static int chwall_init_domain_ssid(void 
    7.12      chwall_ssidp->chwall_ssidref =
    7.13          GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
    7.14  
    7.15 -    if ( (chwall_ssidp->chwall_ssidref >= chwall_bin_pol.max_ssidrefs)
    7.16 -        || (chwall_ssidp->chwall_ssidref == ACM_DEFAULT_LOCAL_SSID) )
    7.17 +    if ( chwall_ssidp->chwall_ssidref >= chwall_bin_pol.max_ssidrefs )
    7.18      {
    7.19 -        printkd("%s: ERROR chwall_ssidref(%x) undefined (>max) or unset (0).\n",
    7.20 +        printkd("%s: ERROR chwall_ssidref(%x) undefined (>max) or unset "
    7.21 +                "(0).\n",
    7.22                  __func__, chwall_ssidp->chwall_ssidref);
    7.23          xfree(chwall_ssidp);
    7.24          return ACM_INIT_SSID_ERROR;
    7.25 @@ -118,6 +119,7 @@ static int chwall_init_domain_ssid(void 
    7.26      return ACM_OK;
    7.27  }
    7.28  
    7.29 +
    7.30  static void chwall_free_domain_ssid(void *chwall_ssid)
    7.31  {
    7.32      xfree(chwall_ssid);
    7.33 @@ -205,7 +207,9 @@ chwall_init_state(struct acm_chwall_poli
    7.34  
    7.35      read_lock(&ssid_list_rwlock);
    7.36  
    7.37 -    /* go through all domains and adjust policy as if this domain was started now */
    7.38 +    /* go through all domains and adjust policy as if this domain was
    7.39 +     * started now
    7.40 +     */
    7.41      for_each_acmssid( rawssid )
    7.42      {
    7.43          chwall_ssid =
    7.44 @@ -220,8 +224,8 @@ chwall_init_state(struct acm_chwall_poli
    7.45  
    7.46          /* b) check for conflict */
    7.47          for ( i = 0; i < chwall_buf->chwall_max_types; i++ )
    7.48 -            if (conflict_aggregate_set[i] &&
    7.49 -                ssidrefs[chwall_ssidref * chwall_buf->chwall_max_types + i])
    7.50 +            if ( conflict_aggregate_set[i] &&
    7.51 +                 ssidrefs[chwall_ssidref * chwall_buf->chwall_max_types + i] )
    7.52              {
    7.53                  printk("%s: CHINESE WALL CONFLICT in type %02x.\n",
    7.54                         __func__, i);
    7.55 @@ -231,37 +235,46 @@ chwall_init_state(struct acm_chwall_poli
    7.56  
    7.57                  goto out;
    7.58              }
    7.59 +
    7.60          /* set violation and break out of the loop */
    7.61 -        /* c) adapt conflict aggregate set for this domain (notice conflicts) */
    7.62 +        /* c) adapt conflict aggregate set for this domain
    7.63 +         *    (notice conflicts)
    7.64 +         */
    7.65          for ( i = 0; i < chwall_buf->chwall_max_conflictsets; i++ )
    7.66          {
    7.67              int common = 0;
    7.68              /* check if conflict_set_i and ssidref have common types */
    7.69              for ( j = 0; j < chwall_buf->chwall_max_types; j++ )
    7.70 -                if (conflict_sets[i * chwall_buf->chwall_max_types + j] &&
    7.71 -                    ssidrefs[chwall_ssidref *
    7.72 -                            chwall_buf->chwall_max_types + j])
    7.73 +                if ( conflict_sets[i * chwall_buf->chwall_max_types + j] &&
    7.74 +                     ssidrefs[chwall_ssidref *
    7.75 +                              chwall_buf->chwall_max_types + j] )
    7.76                  {
    7.77                      common = 1;
    7.78                      break;
    7.79                  }
    7.80 -            if (common == 0)
    7.81 +
    7.82 +            if ( common == 0 )
    7.83                  continue;       /* try next conflict set */
    7.84 -            /* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
    7.85 +
    7.86 +            /* now add types of the conflict set to conflict_aggregate_set
    7.87 +             * (except types in chwall_ssidref)
    7.88 +             */
    7.89              for ( j = 0; j < chwall_buf->chwall_max_types; j++ )
    7.90 -                if (conflict_sets[i * chwall_buf->chwall_max_types + j] &&
    7.91 -                    !ssidrefs[chwall_ssidref *
    7.92 -                             chwall_buf->chwall_max_types + j])
    7.93 +                if ( conflict_sets[i * chwall_buf->chwall_max_types + j] &&
    7.94 +                     !ssidrefs[chwall_ssidref *
    7.95 +                               chwall_buf->chwall_max_types + j] )
    7.96                      conflict_aggregate_set[j]++;
    7.97          }
    7.98      }
    7.99   out:
   7.100      read_unlock(&ssid_list_rwlock);
   7.101      return violation;
   7.102 -    /* returning "violation != 0" means that the currently running set of domains would
   7.103 -     * not be possible if the new policy had been enforced before starting them; for chinese
   7.104 -     * wall, this means that the new policy includes at least one conflict set of which
   7.105 -     * more than one type is currently running */
   7.106 +    /* returning "violation != 0" means that the currently running set of
   7.107 +     * domains would not be possible if the new policy had been enforced
   7.108 +     * before starting them; for chinese wall, this means that the new
   7.109 +     * policy includes at least one conflict set of which more than one
   7.110 +     * type is currently running
   7.111 +     */
   7.112  }
   7.113  
   7.114  
   7.115 @@ -348,8 +361,10 @@ static int _chwall_update_policy(u8 *buf
   7.116      memset(conflict_aggregate_set, 0,
   7.117             sizeof(domaintype_t) * chwall_buf->chwall_max_types);
   7.118  
   7.119 -    /* 3. now re-calculate the state for the new policy based on running domains;
   7.120 -     *    this can fail if new policy is conflicting with running domains */
   7.121 +    /* 3. now re-calculate the state for the new policy based on
   7.122 +     *    running domains; this can fail if new policy is conflicting
   7.123 +     *    with running domains
   7.124 +     */
   7.125      if ( chwall_init_state(chwall_buf, ssids,
   7.126                             conflict_sets, running_types,
   7.127                             conflict_aggregate_set,
   7.128 @@ -483,31 +498,27 @@ static int _chwall_pre_domain_create(voi
   7.129  
   7.130      chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
   7.131  
   7.132 -    if (chwall_ssidref == ACM_DEFAULT_LOCAL_SSID)
   7.133 -    {
   7.134 -        printk("%s: ERROR CHWALL SSID is NOT SET but policy enforced.\n",
   7.135 -               __func__);
   7.136 -        return ACM_ACCESS_DENIED;       /* catching and indicating config error */
   7.137 -    }
   7.138 -
   7.139 -    if (chwall_ssidref >= chwall_bin_pol.max_ssidrefs)
   7.140 +    if ( chwall_ssidref >= chwall_bin_pol.max_ssidrefs )
   7.141      {
   7.142          printk("%s: ERROR chwall_ssidref > max(%x).\n",
   7.143                 __func__, chwall_bin_pol.max_ssidrefs - 1);
   7.144          return ACM_ACCESS_DENIED;
   7.145      }
   7.146 +
   7.147      /* A: chinese wall check for conflicts */
   7.148 -    for (i = 0; i < chwall_bin_pol.max_types; i++)
   7.149 -        if (chwall_bin_pol.conflict_aggregate_set[i] &&
   7.150 -            chwall_bin_pol.ssidrefs[chwall_ssidref *
   7.151 -                                   chwall_bin_pol.max_types + i])
   7.152 +    for ( i = 0; i < chwall_bin_pol.max_types; i++ )
   7.153 +        if ( chwall_bin_pol.conflict_aggregate_set[i] &&
   7.154 +             chwall_bin_pol.ssidrefs[chwall_ssidref *
   7.155 +                                     chwall_bin_pol.max_types + i] )
   7.156          {
   7.157              printk("%s: CHINESE WALL CONFLICT in type %02x.\n", __func__, i);
   7.158              return ACM_ACCESS_DENIED;
   7.159          }
   7.160  
   7.161      /* B: chinese wall conflict set adjustment (so that other
   7.162 -     *      other domains simultaneously created are evaluated against this new set)*/
   7.163 +     *    other domains simultaneously created are evaluated against
   7.164 +     *    this new set)
   7.165 +     */
   7.166      for ( i = 0; i < chwall_bin_pol.max_conflictsets; i++ )
   7.167      {
   7.168          int common = 0;
   7.169 @@ -521,7 +532,7 @@ static int _chwall_pre_domain_create(voi
   7.170                  common = 1;
   7.171                  break;
   7.172              }
   7.173 -        if (common == 0)
   7.174 +        if ( common == 0 )
   7.175              continue;           /* try next conflict set */
   7.176          /* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   7.177          for ( j = 0; j < chwall_bin_pol.max_types; j++ )
   7.178 @@ -571,9 +582,15 @@ static void _chwall_post_domain_create(d
   7.179                  common = 1;
   7.180                  break;
   7.181              }
   7.182 +
   7.183          if ( common == 0 )
   7.184 -            continue;           /* try next conflict set */
   7.185 -        /* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   7.186 +        {
   7.187 +            /* try next conflict set */
   7.188 +            continue;
   7.189 +        }
   7.190 +
   7.191 +        /* now add types of the conflict set to conflict_aggregate_set
   7.192 +           (except types in chwall_ssidref) */
   7.193          for ( j = 0; j < chwall_bin_pol.max_types; j++ )
   7.194              if ( chwall_bin_pol.
   7.195                   conflict_sets[i * chwall_bin_pol.max_types + j]
   7.196 @@ -638,9 +655,15 @@ static void chwall_domain_destroy(void *
   7.197                  common = 1;
   7.198                  break;
   7.199              }
   7.200 -        if (common == 0)
   7.201 -            continue;           /* try next conflict set, this one does not include any type of chwall_ssidref */
   7.202 -        /* now add types of the conflict set to conflict_aggregate_set (except types in chwall_ssidref) */
   7.203 +        if ( common == 0 )
   7.204 +        {
   7.205 +            /* try next conflict set, this one does not include
   7.206 +               any type of chwall_ssidref */
   7.207 +            continue;
   7.208 +        }
   7.209 +
   7.210 +        /* now add types of the conflict set to conflict_aggregate_set
   7.211 +           (except types in chwall_ssidref) */
   7.212          for ( j = 0; j < chwall_bin_pol.max_types; j++ )
   7.213              if ( chwall_bin_pol.
   7.214                   conflict_sets[i * chwall_bin_pol.max_types + j]
     8.1 --- a/xen/acm/acm_simple_type_enforcement_hooks.c	Fri Aug 03 12:23:03 2007 +0100
     8.2 +++ b/xen/acm/acm_simple_type_enforcement_hooks.c	Mon Aug 06 10:10:34 2007 +0100
     8.3 @@ -408,7 +408,7 @@ static int
     8.4          ste_bin_pol.max_ssidrefs = ste_buf->ste_max_ssidrefs;
     8.5          ste_bin_pol.ssidrefs = (domaintype_t *)ssidrefsbuf;
     8.6  
     8.7 -        if ( ste_init_state(NULL) )
     8.8 +        if ( ste_init_state(errors) )
     8.9          {
    8.10              /* new policy conflicts with sharing of running domains */
    8.11              printk("%s: New policy conflicts with running domains. "