evtchn: optimize XSM ssid field

When FLASK is the only enabled implementation of the XSM hooks in Xen,
some of the abstractions required to handle multiple XSM providers are
redundant and only produce unneeded overhead.  This patch reduces the
memory overhead of enabling XSM on event channels by replacing the
untyped ssid pointer from struct evtchn with a union containing the
contents of the structure.  This avoids an additional heap allocation
for every event channel, and on 64-bit systems, reduces the size of
struct evtchn by 4 bytes.  If an out-of-tree XSM module needs the full
flexibility of the generic evtcnn ssid pointer, defining the symbol
XSM_NEED_GENERIC_EVTCHN_SSID will include a suitable pointer field.

This also cleans up the unused selinux_checkreqprot declaration left
from the Linux port.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 00f0ebae6b4d044c171aaff3089b2ec187b1c512..b9ba3793d81e6826450b6ea743e988d8622e93a5 100644 (file)
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -100,8 +100,24 @@ struct evtchn
     u8 pending:1;
     u16 last_vcpu_id;
     u8 last_priority;
+#ifdef XSM_ENABLE
+    union {
+#ifdef XSM_NEED_GENERIC_EVTCHN_SSID
+        /*
+         * If an XSM module needs more space for its event channel context,
+         * this pointer stores the necessary data for the security server.
+         */
+        void *generic;
+#endif
 #ifdef FLASK_ENABLE
-    void *ssid;
+        /*
+         * Inlining the contents of the structure for FLASK avoids unneeded
+         * allocations, and on 64-bit platforms with only FLASK enabled,
+         * reduces the size of struct evtchn.
+         */
+        u32 flask_sid;
+#endif
+    } ssid;
 #endif
 };
 

diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index ba719de8bd63b1024891a06af8373a6338f7b475..4ce31c90e538709931f73dcb044946cbabf5186e 100644 (file)
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -55,8 +55,7 @@ static u32 domain_target_sid(struct domain *src, struct domain *dst)
 
 static u32 evtchn_sid(const struct evtchn *chn)
 {
-    struct evtchn_security_struct *esec = chn->ssid;
-    return esec->sid;
+    return chn->ssid.flask_sid;
 }
 
 static int domain_has_perm(struct domain *dom1, struct domain *dom2, 
@@ -182,7 +181,6 @@ static int flask_evtchn_unbound(struct domain *d1, struct evtchn *chn,
     u32 sid1, sid2, newsid;
     int rc;
     struct domain *d2;
-    struct evtchn_security_struct *esec;
 
     d2 = rcu_lock_domain_by_any_id(id2);
     if ( d2 == NULL )
@@ -190,7 +188,6 @@ static int flask_evtchn_unbound(struct domain *d1, struct evtchn *chn,
 
     sid1 = domain_sid(d1);
     sid2 = domain_target_sid(d1, d2);
-    esec = chn->ssid;
 
     rc = security_transition_sid(sid1, sid2, SECCLASS_EVENT, &newsid);
     if ( rc )
@@ -204,7 +201,7 @@ static int flask_evtchn_unbound(struct domain *d1, struct evtchn *chn,
     if ( rc )
         goto out;
 
-    esec->sid = newsid;
+    chn->ssid.flask_sid = newsid;
 
  out:
     rcu_unlock_domain(d2);
@@ -216,7 +213,6 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1,
 {
     u32 sid1, sid2, newsid, reverse_sid;
     int rc;
-    struct evtchn_security_struct *esec1;
     struct avc_audit_data ad;
     AVC_AUDIT_DATA_INIT(&ad, NONE);
     ad.sdom = d1;
@@ -225,8 +221,6 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1,
     sid1 = domain_sid(d1);
     sid2 = domain_target_sid(d1, d2);
 
-    esec1 = chn1->ssid;
-
     rc = security_transition_sid(sid1, sid2, SECCLASS_EVENT, &newsid);
     if ( rc )
     {
@@ -252,17 +246,14 @@ static int flask_evtchn_interdomain(struct domain *d1, struct evtchn *chn1,
     if ( rc )
         return rc;
 
-    esec1->sid = newsid;
+    chn1->ssid.flask_sid = newsid;
 
     return rc;
 }
 
 static void flask_evtchn_close_post(struct evtchn *chn)
 {
-    struct evtchn_security_struct *esec;
-    esec = chn->ssid;
-
-    esec->sid = SECINITSID_UNLABELED;
+    chn->ssid.flask_sid = SECINITSID_UNLABELED;
 }
 
 static int flask_evtchn_send(struct domain *d, struct evtchn *chn)
@@ -297,33 +288,17 @@ static int flask_evtchn_reset(struct domain *d1, struct domain *d2)
 
 static int flask_alloc_security_evtchn(struct evtchn *chn)
 {
-    struct evtchn_security_struct *esec;
-
-    esec = xzalloc(struct evtchn_security_struct);
-    if ( !esec )
-        return -ENOMEM;
-
-    esec->sid = SECINITSID_UNLABELED;
-
-    chn->ssid = esec;
+    chn->ssid.flask_sid = SECINITSID_UNLABELED;
 
     return 0;    
 }
 
 static void flask_free_security_evtchn(struct evtchn *chn)
 {
-    struct evtchn_security_struct *esec;
-
     if ( !chn )
         return;
 
-    esec = chn->ssid;
-
-    if ( !esec )
-        return;
-
-    chn->ssid = NULL;
-    xfree(esec);
+    chn->ssid.flask_sid = SECINITSID_UNLABELED;
 }
 
 static char *flask_show_security_evtchn(struct domain *d, const struct evtchn *chn)

diff --git a/xen/xsm/flask/include/objsec.h b/xen/xsm/flask/include/objsec.h
index 6595dc3470624f88e588070cbd541c54b07fcd49..b576a5dd4381e0625e1072f7a894105e9e2bef50 100644 (file)
--- a/xen/xsm/flask/include/objsec.h
+++ b/xen/xsm/flask/include/objsec.h
@@ -23,10 +23,4 @@ struct domain_security_struct {
     u32 target_sid;        /* SID for device model target domain */
 };
 
-struct evtchn_security_struct {
-    u32 sid;                 /* current SID */
-};
-
-extern unsigned int selinux_checkreqprot;
-
 #endif /* _FLASK_OBJSEC_H_ */