From patchwork Thu Jun 9 14:47:15 2016
From: Daniel De Graaf
To: xen-devel@lists.xen.org
Date: Thu, 9 Jun 2016 10:47:15 -0400
Message-Id: <1465483638-9489-13-git-send-email-dgdegra@tycho.nsa.gov>
In-Reply-To: <1465483638-9489-1-git-send-email-dgdegra@tycho.nsa.gov>
References: <1465483638-9489-1-git-send-email-dgdegra@tycho.nsa.gov>
Cc: Daniel De Graaf
Subject: [Xen-devel] [PATCH 12/15] xen/xsm: remove .xsm_initcall.init section

Since FLASK is the only implementation of XSM hooks in Xen, using an iterated initcall dispatch for setup is overly complex. Change this to a direct function call to a globally visible function; if additional XSM hooks are added in the future, a switching mechanism will be needed regardless, and that can be placed in xsm_core.c.

Signed-off-by: Daniel De Graaf
Reviewed-by: Andrew Cooper
---
 xen/arch/arm/xen.lds.S |  5 -----
 xen/arch/x86/xen.lds.S |  5 -----
 xen/common/Kconfig     | 37 +++++++++++++++++++------------------
 xen/include/xsm/xsm.h  | 16 ++++++++--------
 xen/xsm/flask/hooks.c  |  4 +---
 xen/xsm/xsm_core.c     |  8 +-------
 6 files changed, 29 insertions(+), 46 deletions(-)

diff --git a/xen/arch/arm/xen.lds.S b/xen/arch/arm/xen.lds.S index 76982b2..8320381 100644 --- a/xen/arch/arm/xen.lds.S +++ b/xen/arch/arm/xen.lds.S 
@@ -162,11 +162,6 @@ SECTIONS *(.initcall1.init) __initcall_end = .; } :text - .xsm_initcall.init : { - __xsm_initcall_start = .; - *(.xsm_initcall.init) - __xsm_initcall_end = .; - } :text __init_end_efi = .; . = ALIGN(STACK_SIZE); __init_end = .; diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S index a43b29d..dcbb8fe 100644 --- a/xen/arch/x86/xen.lds.S +++ b/xen/arch/x86/xen.lds.S @@ -190,11 +190,6 @@ SECTIONS *(.initcall1.init) __initcall_end = .; } :text - .xsm_initcall.init : { - __xsm_initcall_start = .; - *(.xsm_initcall.init) - __xsm_initcall_end = .; - } :text . = ALIGN(PAGE_SIZE); __init_end = .; diff --git a/xen/common/Kconfig b/xen/common/Kconfig index cd59574..b8f1800 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -11,24 +11,6 @@ config COMPAT config CORE_PARKING bool -config FLASK - bool "FLux Advanced Security Kernel support" - default y - depends on XSM - ---help--- - Enables the FLASK (FLux Advanced Security Kernel) support which - provides a mandatory access control framework by which security - enforcement, isolation, and auditing can be achieved with fine - granular control via a security policy. - - If unsure, say N. - -config FLASK_AVC_STATS - def_bool y - depends on FLASK - ---help--- - Maintain statistics on the access vector cache - # Select HAS_DEVICE_TREE if device tree is supported config HAS_DEVICE_TREE bool 
@@ -137,6 +119,25 @@ config XSM If unsure, say N. +config FLASK + bool "FLux Advanced Security Kernel support" + default y + depends on XSM + ---help--- + Enables FLASK (FLux Advanced Security Kernel) as the access control + mechanism used by the XSM framework. This provides a mandatory access + control framework by which security enforcement, isolation, and + auditing can be achieved with fine granular control via a security + policy. + + If unsure, say Y. + +config FLASK_AVC_STATS + def_bool y + depends on FLASK + ---help--- + Maintain statistics on the access vector cache + # Enable schedulers menu "Schedulers" visible if EXPERT = "y" diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 8ed8ee5..0d525ec 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -46,14 +46,6 @@ typedef enum xsm_default xsm_default_t; extern char *policy_buffer; extern u32 policy_size; -typedef void (*xsm_initcall_t)(void); - -extern xsm_initcall_t __xsm_initcall_start[], __xsm_initcall_end[]; - -#define xsm_initcall(fn) \ - static xsm_initcall_t __initcall_##fn \ - __used_section(".xsm_initcall.init") = fn - struct xsm_operations { void (*security_domaininfo) (struct domain *d, struct xen_domctl_getdomaininfo *info); @@ -763,6 +755,14 @@ extern int unregister_xsm(struct xsm_operations *ops); extern struct xsm_operations dummy_xsm_ops; extern void xsm_fixup_ops(struct xsm_operations *ops); +#ifdef CONFIG_FLASK +extern void flask_init(void); +#else +static inline void flask_init(void) +{ +} +#endif + #else /* CONFIG_XSM */ #include diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 3ab3fbf..596ac0a 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1816,7 +1816,7 @@ static struct xsm_operations flask_ops = { .xen_version = flask_xen_version, }; -static __init void flask_init(void) +__init void flask_init(void) { int ret = -ENOENT; 
@@ -1859,8 +1859,6 @@ static __init void flask_init(void) printk(XENLOG_INFO "Flask: Starting in permissive mode.\n"); } -xsm_initcall(flask_init); - /* * Local variables: * mode: C diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c index 634ec98..cb2fdb6 100644 --- a/xen/xsm/xsm_core.c +++ b/xen/xsm/xsm_core.c @@ -38,13 +38,7 @@ static inline int verify(struct xsm_operations *ops) static void __init do_xsm_initcalls(void) { - xsm_initcall_t *call; - call = __xsm_initcall_start; - while ( call < __xsm_initcall_end ) - { - (*call) (); - call++; - } + flask_init(); } static int __init xsm_core_init(void)
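Review bot: In the xen/arch/arm/xen.lds.S hunk, dropping the `.xsm_initcall.init` output section means that any object still emitting that section would be placed by the linker as an orphan section outside the `__init_end` boundary and would never be iterated; the hunk is only safe because the `xsm_initcall` macro and the `__xsm_initcall_start`/`__xsm_initcall_end` symbols are removed from xsm.h in the same patch, so a grep for `xsm_initcall` across the tree (and any out-of-tree XSM module) should come back empty before this is applied. The same observation applies to the xen/arch/x86/xen.lds.S hunk.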
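Review bot: In the second xen/common/Kconfig hunk the FLASK help text changes from "If unsure, say N." to "If unsure, say Y." and gains the wording "as the access control mechanism used by the XSM framework"; neither change is related to removing the initcall section and neither is mentioned in the commit message. Either split the wording change out or state in the commit message that the option is moved below `config XSM` so that it follows the symbol it `depends on`, and that the recommendation is being aligned with the existing `default y`.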
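Review bot: In the second xen/include/xsm/xsm.h hunk, `extern void flask_init(void);` carries no `__init` annotation while the definition in hooks.c is `__init`; mirroring the attribute (or adding a one-line comment) would make it obvious to future callers that the function is discarded after boot and must only be invoked from init code. The `static inline` stub for the `!CONFIG_FLASK` case is correct, and since the block sits before `#else /* CONFIG_XSM */` it is only visible when XSM is enabled, which matches the single caller in xsm_core.c.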
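Review bot: In the first xen/xsm/flask/hooks.c hunk, `__init void flask_init(void)` puts the attribute before the return type; the prevailing Xen style is `void __init flask_init(void)`. Since the function is now exported, hooks.c should include the header that carries the new prototype (xsm/xsm.h) so that the compiler checks the definition against the declaration added in this patch.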
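Review bot: In the xen/xsm/xsm_core.c hunk, `do_xsm_initcalls()` now consists of the single line `flask_init();`, so its name no longer describes what it does; either rename it (the commit message already says a future switching mechanism would live here) or fold the call into `xsm_core_init()` and drop the wrapper. As written, the `!CONFIG_FLASK` configuration compiles down to a call of the empty inline stub, which is the intended behaviour.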