
changeset 5564:68de76620c9c

bitkeeper revision 1.1745 (42badeb1hE5PDZxZYF5DYBsU0Jya9w)

Fix ACM so that it can be built with NULL policy.
Signed-off-by: Nguyen Anh Quynh <aquynh@gmail.com>
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author kaf24@firebug.cl.cam.ac.uk
date Thu Jun 23 16:09:21 2005 +0000 (2005-06-23)
parents d23f547a023e
children 6d68b0c27199
files xen/acm/acm_core.c xen/include/acm/acm_hooks.h
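--- a/xen/acm/acm_core.c
+++ b/xen/acm/acm_core.c
@@ -69,6 +69,8 @@ void acm_set_endian(void)
     }
 }
 
+#if (ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY)
+
 /* initialize global security policy for Xen; policy write-locked already */
 static void
 acm_init_binary_policy(void *primary, void *secondary)
@@ -79,6 +81,7 @@ acm_init_binary_policy(void *primary, vo
 	acm_bin_pol.secondary_binary_policy = secondary;
 }
 
+
 int
 acm_init(void)
 {
@@ -129,6 +132,7 @@ acm_init(void)
 	return ACM_OK;
 }
 
+#endif
 
 int
 acm_init_domain_ssid(domid_t id, ssidref_t ssidref)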
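Review bot: The new `#if (ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY)` guard treats both names as 0 if either is not defined in this translation unit, so the comparison is then false and `acm_init_binary_policy` together with the real `acm_init` are compiled out silently instead of the build failing; whether acm_core.c includes the header that defines `ACM_USE_SECURITY_POLICY` is not visible in the hunk. Placing `#ifndef ACM_USE_SECURITY_POLICY` / `#error "ACM_USE_SECURITY_POLICY must be defined"` / `#endif` above the conditional (or building with -Wundef) makes a missing definition a hard error rather than a quiet switch to the NULL-policy stubs. The closing `#endif` in the third hunk ends a block of roughly sixty lines and would read better as `#endif /* ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY */`. The bodies of `acm_init_binary_policy` and `acm_init` lie outside the hunks.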
     2.1 --- a/xen/include/acm/acm_hooks.h	Thu Jun 23 12:33:22 2005 +0000
     2.2 +++ b/xen/include/acm/acm_hooks.h	Thu Jun 23 16:09:21 2005 +0000
     2.3 @@ -30,99 +30,59 @@
     2.4  #include <public/event_channel.h>
     2.5  #include <asm/current.h>
     2.6  
     2.7 -#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
     2.8 -
     2.9 -static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid) 
    2.10 -{ return 0; }
    2.11 -static inline void acm_post_dom0_op(dom0_op_t *op, void *ssid) 
    2.12 -{ return; }
    2.13 -static inline void acm_fail_dom0_op(dom0_op_t *op, void *ssid) 
    2.14 -{ return; }
    2.15 -static inline int acm_pre_event_channel(evtchn_op_t *op) 
    2.16 -{ return 0; }
    2.17 -static inline int acm_pre_grant_map_ref(domid_t id) 
    2.18 -{ return 0; }
    2.19 -static inline int acm_pre_grant_setup(domid_t id) 
    2.20 -{ return 0; }
    2.21 -static inline int acm_init(void)
    2.22 -{ return 0; }
    2.23 -static inline void acm_post_domain0_create(domid_t domid) 
    2.24 -{ return; }
    2.25 -
    2.26 -#else
    2.27 -
    2.28 -/* if ACM_TRACE_MODE defined, all hooks should
    2.29 - * print a short trace message */
    2.30 -/* #define ACM_TRACE_MODE */
    2.31 -
    2.32 -#ifdef ACM_TRACE_MODE
    2.33 -# define traceprintk(fmt, args...) printk(fmt,## args)
    2.34 -#else
    2.35 -# define traceprintk(fmt, args...)
    2.36 -#endif
    2.37 -
    2.38 -/* global variables */
    2.39 -extern struct acm_operations *acm_primary_ops;
    2.40 -extern struct acm_operations *acm_secondary_ops;
    2.41 -
    2.42 -/*********************************************************************
    2.43 +/*
    2.44   * HOOK structure and meaning (justifies a few words about our model):
    2.45   * 
    2.46   * General idea: every policy-controlled system operation is reflected in a 
    2.47   *               transaction in the system's security state
    2.48   *
    2.49 - *	Keeping the security state consistent requires "atomic" transactions.
    2.50 + *      Keeping the security state consistent requires "atomic" transactions.
    2.51   *      The name of the hooks to place around policy-controlled transactions
    2.52   *      reflects this. If authorizations do not involve security state changes,
    2.53   *      then and only then POST and FAIL hooks remain empty since we don't care
    2.54   *      about the eventual outcome of the operation from a security viewpoint.
    2.55   *
    2.56 - *	PURPOSE of hook types:
    2.57 + *      PURPOSE of hook types:
    2.58   *      ======================
    2.59   *      PRE-Hooks
    2.60 - *		a) general authorization to guard a controlled system operation
    2.61 - *		b) prepare security state change
    2.62 - *                 (means: fail hook must be able to "undo" this)
    2.63 + *       a) general authorization to guard a controlled system operation
    2.64 + *       b) prepare security state change
    2.65 + *          (means: fail hook must be able to "undo" this)
    2.66   *
    2.67 - *	POST-Hooks
    2.68 - *		a) commit prepared state change
    2.69 + *      POST-Hooks
    2.70 + *       a) commit prepared state change
    2.71   *
    2.72   *      FAIL-Hooks
    2.73 - *		a) roll-back prepared security state change from PRE-Hook
    2.74 + *       a) roll-back prepared security state change from PRE-Hook
    2.75   *
    2.76   *
    2.77   *      PLACEMENT of hook types:
    2.78   *      ========================
    2.79 - *	PRE-Hooks must be called:
    2.80 - *		a) before a guarded/controlled system operation is started
    2.81 - *		(return is ACM_ACCESS_PERMITTED or ACM_ACCESS_DENIED or error)
    2.82 - *		   --> operation must be aborted if return is != ACM_ACCESS_PERMITTED
    2.83 + *      PRE-Hooks must be called before a guarded/controlled system operation
    2.84 + *      is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or
    2.85 + *      error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED.
    2.86   *
    2.87 - *	POST-Hooks must be called:
    2.88 - *		a) after successful transaction (no return value; commit shall never fail)
    2.89 + *      POST-Hooks must be called after a successful system operation.
    2.90 + *      There is no return value: commit never fails.
    2.91   *
    2.92 - *	FAIL-Hooks must be called:
    2.93 - *		a) if system transaction (operation) fails somewhen after calling the PRE-hook
    2.94 - *		   (obviously the POST-Hook is not called in this case)
    2.95 - *		b) if another (secondary) policy denies access in its PRE-Hook
    2.96 - *		   (policy layering is useful but requires additional handling)
    2.97 - *
    2.98 + *      FAIL-Hooks must be called:
    2.99 + *       a) if system transaction (operation) fails after calling the PRE-hook
   2.100 + *       b) if another (secondary) policy denies access in its PRE-Hook
   2.101 + *          (policy layering is useful but requires additional handling)
   2.102   *
   2.103 - *
   2.104 - *       Hook model from a security transaction viewpoint:
   2.105 + * Hook model from a security transaction viewpoint:
   2.106 + *   start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
   2.107 + *                   (pre-hook)  \           (post-hook)
   2.108 + *                                \
   2.109 + *                               fail
   2.110 + *                                   \
   2.111 + *                                    \
   2.112 + *                                  roll-back
   2.113 + *                                 (fail-hook)
   2.114 + *                                        \
   2.115 + *                                       sys-ops error
   2.116   *
   2.117 - *          start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
   2.118 - *                          (pre-hook)  \           (post-hook)
   2.119 - *                                       \
   2.120 - *                                       fail
   2.121 - *                                         \
   2.122 - *                                          \
   2.123 - *                                        roll-back
   2.124 - *                                       (fail-hook)
   2.125 - *                                             \
   2.126 - *                                            sys-ops error
   2.127 - *
   2.128 - ********************************************************************/
   2.129 + */
   2.130  
   2.131  struct acm_operations {
   2.132      /* policy management functions (must always be defined!) */
   2.133 @@ -148,6 +108,41 @@ struct acm_operations {
   2.134      void (*fail_grant_setup)           (domid_t id);
   2.135  };
   2.136  
   2.137 +/* global variables */
   2.138 +extern struct acm_operations *acm_primary_ops;
   2.139 +extern struct acm_operations *acm_secondary_ops;
   2.140 +
   2.141 +/* if ACM_TRACE_MODE defined, all hooks should
   2.142 + * print a short trace message */
   2.143 +/* #define ACM_TRACE_MODE */
   2.144 +
   2.145 +#ifdef ACM_TRACE_MODE
   2.146 +# define traceprintk(fmt, args...) printk(fmt,## args)
   2.147 +#else
   2.148 +# define traceprintk(fmt, args...)
   2.149 +#endif
   2.150 +
   2.151 +#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
   2.152 +
   2.153 +static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid) 
   2.154 +{ return 0; }
   2.155 +static inline void acm_post_dom0_op(dom0_op_t *op, void *ssid) 
   2.156 +{ return; }
   2.157 +static inline void acm_fail_dom0_op(dom0_op_t *op, void *ssid) 
   2.158 +{ return; }
   2.159 +static inline int acm_pre_event_channel(evtchn_op_t *op) 
   2.160 +{ return 0; }
   2.161 +static inline int acm_pre_grant_map_ref(domid_t id) 
   2.162 +{ return 0; }
   2.163 +static inline int acm_pre_grant_setup(domid_t id) 
   2.164 +{ return 0; }
   2.165 +static inline int acm_init(void)
   2.166 +{ return 0; }
   2.167 +static inline void acm_post_domain0_create(domid_t domid) 
   2.168 +{ return; }
   2.169 +
   2.170 +#else
   2.171 +
   2.172  static inline int acm_pre_domain_create(void *subject_ssid, ssidref_t ssidref)
   2.173  {
   2.174      if ((acm_primary_ops->pre_domain_create != NULL) &&