WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] [xen-unstable] Cleanups after XSM checkin.

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] Cleanups after XSM checkin.
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 07 Sep 2007 09:13:42 -0700
Delivery-date: Fri, 07 Sep 2007 09:21:22 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Date 1188558307 -3600
# Node ID 7e7e0ea6a0bbc093461f199947d6c99eaae01eba
# Parent  fa4d44c9d9f668867f6cb578155433678f6c5a93
Cleanups after XSM checkin.
Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
 xen/include/acm/acm_core.h                      |  196 -------------
 xen/include/acm/acm_endian.h                    |   69 ----
 xen/include/acm/acm_hooks.h                     |  349 ------------------------
 xen/include/public/acm.h                        |  229 ---------------
 xen/include/public/acm_ops.h                    |  159 ----------
 .hgignore                                       |    1 
 Config.mk                                       |   12 
 tools/Rules.mk                                  |    2 
 tools/libxc/xenctrl.h                           |    4 
 tools/python/xen/lowlevel/acm/acm.c             |    5 
 tools/security/secpol_tool.c                    |    4 
 tools/security/secpol_xml2bin.c                 |    3 
 xen/Rules.mk                                    |    8 
 xen/arch/ia64/xen/xensetup.c                    |    2 
 xen/arch/powerpc/setup.c                        |    2 
 xen/arch/x86/setup.c                            |    2 
 xen/include/public/xsm/acm.h                    |  229 +++++++++++++++
 xen/include/public/xsm/acm_ops.h                |  159 ++++++++++
 xen/include/xen/sched.h                         |    5 
 xen/include/xsm/acm/acm_core.h                  |  196 +++++++++++++
 xen/include/xsm/acm/acm_endian.h                |   69 ++++
 xen/include/xsm/acm/acm_hooks.h                 |  349 ++++++++++++++++++++++++
 xen/xsm/acm/acm_chinesewall_hooks.c             |    9 
 xen/xsm/acm/acm_core.c                          |   10 
 xen/xsm/acm/acm_null_hooks.c                    |    2 
 xen/xsm/acm/acm_ops.c                           |    6 
 xen/xsm/acm/acm_policy.c                        |    8 
 xen/xsm/acm/acm_simple_type_enforcement_hooks.c |    6 
 xen/xsm/acm/acm_xsm_hooks.c                     |   20 -
 29 files changed, 1056 insertions(+), 1059 deletions(-)

diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb .hgignore
--- a/.hgignore Fri Aug 31 11:41:49 2007 +0100
+++ b/.hgignore Fri Aug 31 12:05:07 2007 +0100
@@ -151,6 +151,7 @@
 ^tools/python/build/.*$
 ^tools/security/secpol_tool$
 ^tools/security/xen/.*$
+^tools/security/xensec_tool$
 ^tools/tests/blowfish\.bin$
 ^tools/tests/blowfish\.h$
 ^tools/tests/test_x86_emulator$
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb Config.mk
--- a/Config.mk Fri Aug 31 11:41:49 2007 +0100
+++ b/Config.mk Fri Aug 31 12:05:07 2007 +0100
@@ -79,19 +79,9 @@ CFLAGS += $(foreach i, $(EXTRA_INCLUDES)
 CFLAGS += $(foreach i, $(EXTRA_INCLUDES), -I$(i))
 
 # Enable XSM security module.  Enabling XSM requires selection of an 
-# XSM security module.
+# XSM security module (FLASK_ENABLE or ACM_SECURITY).
 XSM_ENABLE ?= n
-ifeq ($(XSM_ENABLE),y)
 FLASK_ENABLE ?= n
-ifeq ($(FLASK_ENABLE),y)
-FLASK_DEVELOP ?= y
-FLASK_BOOTPARAM ?= y
-FLASK_AVC_STATS ?= y
-endif
-endif
-
-# If ACM_SECURITY = y, then the access control module is compiled
-# into Xen and the policy type can be set by the boot policy file
 ACM_SECURITY ?= n
 
 # Optional components
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/Rules.mk
--- a/tools/Rules.mk    Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/Rules.mk    Fri Aug 31 12:05:07 2007 +0100
@@ -49,6 +49,8 @@ mk-symlinks:
        ( cd xen/hvm && ln -sf ../../$(XEN_ROOT)/xen/include/public/hvm/*.h . )
        mkdir -p xen/io
        ( cd xen/io && ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . )
+       mkdir -p xen/xsm
+       ( cd xen/xsm && ln -sf ../../$(XEN_ROOT)/xen/include/public/xsm/*.h . )
        mkdir -p xen/arch-x86
        ( cd xen/arch-x86 && ln -sf 
../../$(XEN_ROOT)/xen/include/public/arch-x86/*.h . )
        mkdir -p xen/foreign
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/libxc/xenctrl.h
--- a/tools/libxc/xenctrl.h     Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/libxc/xenctrl.h     Fri Aug 31 12:05:07 2007 +0100
@@ -26,8 +26,8 @@
 #include <xen/event_channel.h>
 #include <xen/sched.h>
 #include <xen/memory.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
 
 #ifdef __ia64__
 #define XC_PAGE_SHIFT           14
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/python/xen/lowlevel/acm/acm.c
--- a/tools/python/xen/lowlevel/acm/acm.c       Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/python/xen/lowlevel/acm/acm.c       Fri Aug 31 12:05:07 2007 +0100
@@ -18,6 +18,7 @@
  *
  * indent -i4 -kr -nut
  */
+
 #include <Python.h>
 
 #include <stdio.h>
@@ -27,8 +28,8 @@
 #include <stdlib.h>
 #include <sys/ioctl.h>
 #include <netinet/in.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
 
 #include <xenctrl.h>
 
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/security/secpol_tool.c
--- a/tools/security/secpol_tool.c      Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/security/secpol_tool.c      Fri Aug 31 12:05:07 2007 +0100
@@ -34,8 +34,8 @@
 #include <string.h>
 #include <netinet/in.h>
 #include <stdint.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
 
 #include <xenctrl.h>
 
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/security/secpol_xml2bin.c
--- a/tools/security/secpol_xml2bin.c   Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/security/secpol_xml2bin.c   Fri Aug 31 12:05:07 2007 +0100
@@ -22,6 +22,7 @@
  *
  * indent -i4 -kr -nut
  */
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -38,7 +39,7 @@
 #include <libxml/tree.h>
 #include <libxml/xmlreader.h>
 #include <stdint.h>
-#include <xen/acm.h>
+#include <xen/xsm/acm.h>
 
 #include "secpol_xml2bin.h"
 
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/Rules.mk
--- a/xen/Rules.mk      Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/Rules.mk      Fri Aug 31 12:05:07 2007 +0100
@@ -57,11 +57,9 @@ ALL_OBJS-y               += $(BASEDIR)/a
 
 CFLAGS-y                += -g -D__XEN__
 CFLAGS-$(XSM_ENABLE)    += -DXSM_ENABLE
-CFLAGS-$(FLASK_ENABLE)    += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
-CFLAGS-$(FLASK_DEVELOP)   += -DFLASK_DEVELOP
-CFLAGS-$(FLASK_BOOTPARAM) += -DFLASK_BOOTPARAM
-CFLAGS-$(FLASK_AVC_STATS) += -DFLASK_AVC_STATS
-CFLAGS-$(ACM_SECURITY)    += -DACM_SECURITY -DXSM_MAGIC=0xbcde0100
+CFLAGS-$(FLASK_ENABLE)  += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
+CFLAGS-$(FLASK_ENABLE)  += -DFLASK_DEVELOP -DFLASK_BOOTPARAM -DFLASK_AVC_STATS
+CFLAGS-$(ACM_SECURITY)  += -DACM_SECURITY -DXSM_MAGIC=0xbcde0100
 CFLAGS-$(verbose)       += -DVERBOSE
 CFLAGS-$(crash_debug)   += -DCRASH_DEBUG
 CFLAGS-$(perfc)         += -DPERF_COUNTERS
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/arch/ia64/xen/xensetup.c
--- a/xen/arch/ia64/xen/xensetup.c      Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/arch/ia64/xen/xensetup.c      Fri Aug 31 12:05:07 2007 +0100
@@ -28,7 +28,7 @@
 #include <asm/iosapic.h>
 #include <xen/softirq.h>
 #include <xen/rcupdate.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #include <asm/sn/simulator.h>
 
 unsigned long xenheap_phys_end, total_pages;
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/arch/powerpc/setup.c
--- a/xen/arch/powerpc/setup.c  Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/arch/powerpc/setup.c  Fri Aug 31 12:05:07 2007 +0100
@@ -38,7 +38,7 @@
 #include <xen/numa.h>
 #include <xen/rcupdate.h>
 #include <xen/version.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #include <public/version.h>
 #include <asm/mpic.h>
 #include <asm/processor.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/arch/x86/setup.c
--- a/xen/arch/x86/setup.c      Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/arch/x86/setup.c      Fri Aug 31 12:05:07 2007 +0100
@@ -32,7 +32,7 @@
 #include <asm/desc.h>
 #include <asm/paging.h>
 #include <asm/e820.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #include <xen/kexec.h>
 #include <asm/edd.h>
 #include <xsm/xsm.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/acm/acm_core.h
--- a/xen/include/acm/acm_core.h        Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,196 +0,0 @@
-/****************************************************************
- * acm_core.h 
- * 
- * Copyright (C) 2005 IBM Corporation
- *
- * Author:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * sHype header file describing core data types and constants
- *    for the access control module and relevant policies
- *
- */
-
-#ifndef _ACM_CORE_H
-#define _ACM_CORE_H
-
-#include <xen/spinlock.h>
-#include <xen/list.h>
-#include <public/acm.h>
-#include <public/acm_ops.h>
-#include <acm/acm_endian.h>
-
-#define ACM_DEFAULT_SECURITY_POLICY \
-        ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
-
-/* Xen-internal representation of the binary policy */
-struct acm_binary_policy {
-    char *policy_reference_name;
-    u16 primary_policy_code;
-    u16 secondary_policy_code;
-    struct acm_policy_version xml_pol_version;
-};
-
-struct chwall_binary_policy {
-    u32 max_types;
-    u32 max_ssidrefs;
-    u32 max_conflictsets;
-    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
-    domaintype_t *conflict_aggregate_set;  /* [max_types]      */
-    domaintype_t *running_types;    /* [max_types]      */
-    domaintype_t *conflict_sets;   /* [max_conflictsets][max_types]*/
-};
-
-struct ste_binary_policy {
-    u32 max_types;
-    u32 max_ssidrefs;
-    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
-    atomic_t ec_eval_count, gt_eval_count;
-    atomic_t ec_denied_count, gt_denied_count;
-    atomic_t ec_cachehit_count, gt_cachehit_count;
-};
-
-/* global acm policy */
-extern u16 acm_active_security_policy;
-extern struct acm_binary_policy acm_bin_pol;
-extern struct chwall_binary_policy chwall_bin_pol;
-extern struct ste_binary_policy ste_bin_pol;
-/* use the lock when reading / changing binary policy ! */
-extern rwlock_t acm_bin_pol_rwlock;
-extern rwlock_t ssid_list_rwlock;
-
-/* subject and object type definitions */
-#define ACM_DATATYPE_domain 1
-
-/* defines number of access decisions to other domains can be cached
- * one entry per domain, TE does not distinguish evtchn or grant_table */
-#define ACM_TE_CACHE_SIZE 8
-#define ACM_STE_valid 0
-#define ACM_STE_free  1
-
-/* cache line:
- * if cache_line.valid==ACM_STE_valid, then
- *    STE decision is cached as "permitted" 
- *                 on domain cache_line.id
- */
-struct acm_ste_cache_line {
-    int valid; /* ACM_STE_* */
-    domid_t id;
-};
-
-/* general definition of a subject security id */
-struct acm_ssid_domain {
-    struct list_head node; /* all are chained together */
-    int datatype;          /* type of subject (e.g., partition): 
ACM_DATATYPE_* */
-    ssidref_t ssidref;     /* combined security reference */
-    ssidref_t old_ssidref; /* holds previous value of ssidref during 
relabeling */
-    void *primary_ssid;    /* primary policy ssid part (e.g. chinese wall) */
-    void *secondary_ssid;  /* secondary policy ssid part (e.g. type 
enforcement) */
-    struct domain *subject;/* backpointer to subject structure */
-    domid_t domainid;      /* replicate id */
-};
-
-/* chinese wall ssid type */
-struct chwall_ssid {
-    ssidref_t chwall_ssidref;
-};
-
-/* simple type enforcement ssid type */
-struct ste_ssid {
-    ssidref_t ste_ssidref;
-    struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache 
*/
-};
-
-/* macros to access ssidref for primary / secondary policy 
- * primary ssidref   = lower 16 bit
- *  secondary ssidref = higher 16 bit
- */
-#define ACM_PRIMARY(ssidref) \
- ((ssidref) & 0xffff)
-
-#define ACM_SECONDARY(ssidref) \
- ((ssidref) >> 16)
-
-#define GET_SSIDREF(POLICY, ssidref) \
- ((POLICY) == acm_bin_pol.primary_policy_code) ? \
- ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref)
-
-/* macros to access ssid pointer for primary / secondary policy */
-#define GET_SSIDP(POLICY, ssid) \
- ((POLICY) == acm_bin_pol.primary_policy_code) ? \
- ((ssid)->primary_ssid) : ((ssid)->secondary_ssid)
-
-#define ACM_INVALID_SSIDREF  (0xffffffff)
-
-struct acm_sized_buffer
-{
-    uint32_t *array;
-    uint num_items;
-    uint position;
-};
-
-static inline int acm_array_append_tuple(struct acm_sized_buffer *buf,
-                                         uint32_t a, uint32_t b)
-{
-    uint i;
-    if (buf == NULL)
-        return 0;
-
-    i = buf->position;
-
-    if ((i + 2) > buf->num_items)
-        return 0;
-
-    buf->array[i]   = cpu_to_be32(a);
-    buf->array[i+1] = cpu_to_be32(b);
-    buf->position += 2;
-    return 1;
-}
-
-/* protos */
-int acm_init_domain_ssid(struct domain *, ssidref_t ssidref);
-void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
-int acm_init_binary_policy(u32 policy_code);
-int acm_set_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
-int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy,
-                      struct acm_sized_buffer *, struct acm_sized_buffer *,
-                      struct acm_sized_buffer *);
-int acm_get_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
-int acm_dump_statistics(XEN_GUEST_HANDLE_64(void) buf, u16 buf_size);
-int acm_get_ssid(ssidref_t ssidref, XEN_GUEST_HANDLE_64(void) buf, u16 
buf_size);
-int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, u32 hook);
-int acm_set_policy_reference(u8 * buf, u32 buf_size);
-int acm_dump_policy_reference(u8 *buf, u32 buf_size);
-int acm_change_policy(struct acm_change_policy *);
-int acm_relabel_domains(struct acm_relabel_doms *);
-int do_chwall_init_state_curr(struct acm_sized_buffer *);
-int do_ste_init_state_curr(struct acm_sized_buffer *);
-
-/* variables */
-extern ssidref_t dom0_chwall_ssidref;
-extern ssidref_t dom0_ste_ssidref;
-#define ACM_MAX_NUM_TYPES   (256)
-
-/* traversing the list of ssids */
-extern struct list_head ssid_list;
-#define for_each_acmssid( N )                               \
-   for ( N =  (struct acm_ssid_domain *)ssid_list.next;     \
-         N != (struct acm_ssid_domain *)&ssid_list;         \
-         N =  (struct acm_ssid_domain *)N->node.next     )
-
-#endif
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/acm/acm_endian.h
--- a/xen/include/acm/acm_endian.h      Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,69 +0,0 @@
-/****************************************************************
- * acm_endian.h 
- * 
- * Copyright (C) 2005 IBM Corporation
- *
- * Author:
- * Stefan Berger <stefanb@xxxxxxxxxxxxxx>
- * 
- * Contributions:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * sHype header file defining endian-dependent functions for the
- * big-endian policy interface
- *
- */
-
-#ifndef _ACM_ENDIAN_H
-#define _ACM_ENDIAN_H
-
-#include <asm/byteorder.h>
-
-static inline void arrcpy16(u16 *dest, const u16 *src, size_t n)
-{
-    unsigned int i;
-    for ( i = 0; i < n; i++ )
-        dest[i] = cpu_to_be16(src[i]);
-}
-
-static inline void arrcpy32(u32 *dest, const u32 *src, size_t n)
-{
-    unsigned int i;
-    for ( i = 0; i < n; i++ )
-        dest[i] = cpu_to_be32(src[i]);
-}
-
-static inline void arrcpy(
-    void *dest, const void *src, unsigned int elsize, size_t n)
-{
-    switch ( elsize )
-    {
-    case sizeof(u16):
-        arrcpy16((u16 *)dest, (u16 *)src, n);
-        break;
-
-    case sizeof(u32):
-        arrcpy32((u32 *)dest, (u32 *)src, n);
-        break;
-
-    default:
-        memcpy(dest, src, elsize*n);
-    }
-}
-
-#endif
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/acm/acm_hooks.h
--- a/xen/include/acm/acm_hooks.h       Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,349 +0,0 @@
-/****************************************************************
- * acm_hooks.h 
- * 
- * Copyright (C) 2005 IBM Corporation
- *
- * Author:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * acm header file implementing the global (policy-independent)
- *      sHype hooks that are called throughout Xen.
- * 
- */
-
-#ifndef _ACM_HOOKS_H
-#define _ACM_HOOKS_H
-
-#include <xen/config.h>
-#include <xen/errno.h>
-#include <xen/types.h>
-#include <xen/lib.h>
-#include <xen/delay.h>
-#include <xen/sched.h>
-#include <xen/multiboot.h>
-#include <public/acm.h>
-#include <acm/acm_core.h>
-#include <public/domctl.h>
-#include <public/event_channel.h>
-#include <asm/current.h>
-
-/*
- * HOOK structure and meaning (justifies a few words about our model):
- * 
- * General idea: every policy-controlled system operation is reflected in a 
- *               transaction in the system's security state
- *
- *      Keeping the security state consistent requires "atomic" transactions.
- *      The name of the hooks to place around policy-controlled transactions
- *      reflects this. If authorizations do not involve security state changes,
- *      then and only then POST and FAIL hooks remain empty since we don't care
- *      about the eventual outcome of the operation from a security viewpoint.
- *
- *      PURPOSE of hook types:
- *      ======================
- *      PRE-Hooks
- *       a) general authorization to guard a controlled system operation
- *       b) prepare security state change
- *          (means: fail hook must be able to "undo" this)
- *
- *      POST-Hooks
- *       a) commit prepared state change
- *
- *      FAIL-Hooks
- *       a) roll-back prepared security state change from PRE-Hook
- *
- *
- *      PLACEMENT of hook types:
- *      ========================
- *      PRE-Hooks must be called before a guarded/controlled system operation
- *      is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or
- *      error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED.
- *
- *      POST-Hooks must be called after a successful system operation.
- *      There is no return value: commit never fails.
- *
- *      FAIL-Hooks must be called:
- *       a) if system transaction (operation) fails after calling the PRE-hook
- *       b) if another (secondary) policy denies access in its PRE-Hook
- *          (policy layering is useful but requires additional handling)
- *
- * Hook model from a security transaction viewpoint:
- *   start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
- *                   (pre-hook)  \           (post-hook)
- *                                \
- *                               fail
- *                                   \
- *                                    \
- *                                  roll-back
- *                                 (fail-hook)
- *                                        \
- *                                       sys-ops error
- *
- */
-
-struct acm_operations {
-    /* policy management functions (must always be defined!) */
-    int  (*init_domain_ssid)           (void **ssid, ssidref_t ssidref);
-    void (*free_domain_ssid)           (void *ssid);
-    int  (*dump_binary_policy)         (u8 *buffer, u32 buf_size);
-    int  (*test_binary_policy)         (u8 *buffer, u32 buf_size,
-                                        int is_bootpolicy,
-                                        struct acm_sized_buffer *);
-    int  (*set_binary_policy)          (u8 *buffer, u32 buf_size);
-    int  (*dump_statistics)            (u8 *buffer, u16 buf_size);
-    int  (*dump_ssid_types)            (ssidref_t ssidref, u8 *buffer, u16 
buf_size);
-    /* domain management control hooks (can be NULL) */
-    int  (*domain_create)              (void *subject_ssid, ssidref_t ssidref,
-                                        domid_t domid);
-    void (*domain_destroy)             (void *object_ssid, struct domain *d);
-    /* event channel control hooks  (can be NULL) */
-    int  (*pre_eventchannel_unbound)      (domid_t id1, domid_t id2);
-    void (*fail_eventchannel_unbound)     (domid_t id1, domid_t id2);
-    int  (*pre_eventchannel_interdomain)  (domid_t id);
-    void (*fail_eventchannel_interdomain) (domid_t id);
-    /* grant table control hooks (can be NULL)  */
-    int  (*pre_grant_map_ref)          (domid_t id);
-    void (*fail_grant_map_ref)         (domid_t id);
-    int  (*pre_grant_setup)            (domid_t id);
-    void (*fail_grant_setup)           (domid_t id);
-    /* generic domain-requested decision hooks (can be NULL) */
-    int (*sharing)                     (ssidref_t ssidref1,
-                                        ssidref_t ssidref2);
-    int (*authorization)               (ssidref_t ssidref1,
-                                        ssidref_t ssidref2);
-    /* determine whether the default policy is installed */
-    int (*is_default_policy)           (void);
-};
-
-/* global variables */
-extern struct acm_operations *acm_primary_ops;
-extern struct acm_operations *acm_secondary_ops;
-
-/* if ACM_TRACE_MODE defined, all hooks should
- * print a short trace message */
-/* #define ACM_TRACE_MODE */
-
-#ifdef ACM_TRACE_MODE
-# define traceprintk(fmt, args...) printk(fmt,## args)
-#else
-# define traceprintk(fmt, args...)
-#endif
-
-
-#ifndef ACM_SECURITY
-
-static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
-{ return 0; }
-static inline int acm_pre_eventchannel_interdomain(domid_t id)
-{ return 0; }
-static inline int acm_pre_grant_map_ref(domid_t id) 
-{ return 0; }
-static inline int acm_pre_grant_setup(domid_t id) 
-{ return 0; }
-static inline int acm_is_policy(char *buf, unsigned long len)
-{ return 0; }
-static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
-{ return 0; }
-static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
-{ return 0; }
-static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
-{ return 0; }
-static inline void acm_domain_destroy(struct domain *d)
-{ return; }
-
-#define DOM0_SSIDREF 0x0
-
-#else
-
-static inline void acm_domain_ssid_onto_list(struct acm_ssid_domain *ssid)
-{
-    write_lock(&ssid_list_rwlock);
-    list_add(&ssid->node, &ssid_list);
-    write_unlock(&ssid_list_rwlock);
-}
-
-static inline void acm_domain_ssid_off_list(struct acm_ssid_domain *ssid)
-{
-    write_lock(&ssid_list_rwlock);
-    list_del(&ssid->node);
-    write_unlock(&ssid_list_rwlock);
-}
-
-static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
-{
-    if ((acm_primary_ops->pre_eventchannel_unbound != NULL) && 
-        acm_primary_ops->pre_eventchannel_unbound(id1, id2))
-        return ACM_ACCESS_DENIED;
-    else if ((acm_secondary_ops->pre_eventchannel_unbound != NULL) && 
-             acm_secondary_ops->pre_eventchannel_unbound(id1, id2)) {
-        /* roll-back primary */
-        if (acm_primary_ops->fail_eventchannel_unbound != NULL)
-            acm_primary_ops->fail_eventchannel_unbound(id1, id2);
-        return ACM_ACCESS_DENIED;
-    } else
-        return ACM_ACCESS_PERMITTED;
-}
-
-static inline int acm_pre_eventchannel_interdomain(domid_t id)
-{
-    if ((acm_primary_ops->pre_eventchannel_interdomain != NULL) &&
-        acm_primary_ops->pre_eventchannel_interdomain(id))
-        return ACM_ACCESS_DENIED;
-    else if ((acm_secondary_ops->pre_eventchannel_interdomain != NULL) &&
-             acm_secondary_ops->pre_eventchannel_interdomain(id)) {
-        /* roll-back primary */
-        if (acm_primary_ops->fail_eventchannel_interdomain != NULL)
-            acm_primary_ops->fail_eventchannel_interdomain(id);
-        return ACM_ACCESS_DENIED;
-    } else
-        return ACM_ACCESS_PERMITTED;
-}
-
-
-static inline int acm_pre_grant_map_ref(domid_t id)
-{
-    if ( (acm_primary_ops->pre_grant_map_ref != NULL) &&
-         acm_primary_ops->pre_grant_map_ref(id) )
-    {
-        return ACM_ACCESS_DENIED;
-    }
-    else if ( (acm_secondary_ops->pre_grant_map_ref != NULL) &&
-              acm_secondary_ops->pre_grant_map_ref(id) )
-    {
-        /* roll-back primary */
-        if ( acm_primary_ops->fail_grant_map_ref != NULL )
-            acm_primary_ops->fail_grant_map_ref(id);
-        return ACM_ACCESS_DENIED;
-    }
-    else
-    {
-        return ACM_ACCESS_PERMITTED;
-    }
-}
-
-static inline int acm_pre_grant_setup(domid_t id)
-{
-    if ( (acm_primary_ops->pre_grant_setup != NULL) &&
-         acm_primary_ops->pre_grant_setup(id) )
-    {
-        return ACM_ACCESS_DENIED;
-    }
-    else if ( (acm_secondary_ops->pre_grant_setup != NULL) &&
-              acm_secondary_ops->pre_grant_setup(id) )
-    {
-        /* roll-back primary */
-        if (acm_primary_ops->fail_grant_setup != NULL)
-            acm_primary_ops->fail_grant_setup(id);
-        return ACM_ACCESS_DENIED;
-    }
-    else
-    {
-        return ACM_ACCESS_PERMITTED;
-    }
-}
-
-
-static inline void acm_domain_destroy(struct domain *d)
-{
-    void *ssid = d->ssid;
-    if (ssid != NULL) {
-        if (acm_primary_ops->domain_destroy != NULL)
-            acm_primary_ops->domain_destroy(ssid, d);
-        if (acm_secondary_ops->domain_destroy != NULL)
-            acm_secondary_ops->domain_destroy(ssid, d);
-        /* free security ssid for the destroyed domain (also if null policy */
-        acm_domain_ssid_off_list(ssid);
-        acm_free_domain_ssid((struct acm_ssid_domain *)(ssid));
-    }
-}
-
-
-static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
-{
-    void *subject_ssid = current->domain->ssid;
-    domid_t domid = d->domain_id;
-    int rc;
-
-    read_lock(&acm_bin_pol_rwlock);
-    /*
-       To be called when a domain is created; returns '0' if the
-       domain is allowed to be created, != '0' if not.
-     */
-    rc = acm_init_domain_ssid(d, ssidref);
-    if (rc != ACM_OK)
-        goto error_out;
-
-    if ((acm_primary_ops->domain_create != NULL) &&
-        acm_primary_ops->domain_create(subject_ssid, ssidref, domid)) {
-        rc = ACM_ACCESS_DENIED;
-    } else if ((acm_secondary_ops->domain_create != NULL) &&
-                acm_secondary_ops->domain_create(subject_ssid, ssidref,
-                                                 domid)) {
-        /* roll-back primary */
-        if (acm_primary_ops->domain_destroy != NULL)
-            acm_primary_ops->domain_destroy(d->ssid, d);
-        rc = ACM_ACCESS_DENIED;
-    }
-
-    if ( rc == ACM_OK )
-    {
-        acm_domain_ssid_onto_list(d->ssid);
-    } else {
-        acm_free_domain_ssid(d->ssid);
-    }
-
-error_out:
-    read_unlock(&acm_bin_pol_rwlock);
-    return rc;
-}
-
-
-static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
-{
-    if ((acm_primary_ops->sharing != NULL) &&
-        acm_primary_ops->sharing(ssidref1, ssidref2))
-        return ACM_ACCESS_DENIED;
-    else if ((acm_secondary_ops->sharing != NULL) &&
-             acm_secondary_ops->sharing(ssidref1, ssidref2)) {
-        return ACM_ACCESS_DENIED;
-    } else
-        return ACM_ACCESS_PERMITTED;
-}
-
-
-static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
-{
-    if ((acm_primary_ops->authorization != NULL) &&
-        acm_primary_ops->authorization(ssidref1, ssidref2))
-        return ACM_ACCESS_DENIED;
-    else if ((acm_secondary_ops->authorization != NULL) &&
-             acm_secondary_ops->authorization(ssidref1, ssidref2)) {
-        return ACM_ACCESS_DENIED;
-    } else
-        return ACM_ACCESS_PERMITTED;
-}
-
-
-/* Return true iff buffer has an acm policy magic number.  */
-extern int acm_is_policy(char *buf, unsigned long len);
-
-#define DOM0_SSIDREF (dom0_ste_ssidref << 16 | dom0_chwall_ssidref)
-
-#endif
-
-#endif
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/acm.h
--- a/xen/include/public/acm.h  Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,229 +0,0 @@
-/*
- * acm.h: Xen access control module interface defintions
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to
- * deal in the Software without restriction, including without limitation the
- * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
- * sell copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- *
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- * Copyright (c) 2005, International Business Machines Corporation.
- */
-
-#ifndef _XEN_PUBLIC_ACM_H
-#define _XEN_PUBLIC_ACM_H
-
-#include "xen.h"
-
-/* if ACM_DEBUG defined, all hooks should
- * print a short trace message (comment it out
- * when not in testing mode )
- */
-/* #define ACM_DEBUG */
-
-#ifdef ACM_DEBUG
-#  define printkd(fmt, args...) printk(fmt,## args)
-#else
-#  define printkd(fmt, args...)
-#endif
-
-/* default ssid reference value if not supplied */
-#define ACM_DEFAULT_SSID  0x0
-#define ACM_DEFAULT_LOCAL_SSID  0x0
-
-/* Internal ACM ERROR types */
-#define ACM_OK     0
-#define ACM_UNDEF   -1
-#define ACM_INIT_SSID_ERROR  -2
-#define ACM_INIT_SOID_ERROR  -3
-#define ACM_ERROR          -4
-
-/* External ACCESS DECISIONS */
-#define ACM_ACCESS_PERMITTED        0
-#define ACM_ACCESS_DENIED           -111
-#define ACM_NULL_POINTER_ERROR      -200
-
-/*
-   Error codes reported in when trying to test for a new policy
-   These error codes are reported in an array of tuples where
-   each error code is followed by a parameter describing the error
-   more closely, such as a domain id.
-*/
-#define ACM_EVTCHN_SHARING_VIOLATION       0x100
-#define ACM_GNTTAB_SHARING_VIOLATION       0x101
-#define ACM_DOMAIN_LOOKUP                  0x102
-#define ACM_CHWALL_CONFLICT                0x103
-#define ACM_SSIDREF_IN_USE                 0x104
-
-
-/* primary policy in lower 4 bits */
-#define ACM_NULL_POLICY 0
-#define ACM_CHINESE_WALL_POLICY 1
-#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2
-#define ACM_POLICY_UNDEFINED 15
-
-/* combinations have secondary policy component in higher 4bit */
-#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \
-    ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY)
-
-/* policy: */
-#define ACM_POLICY_NAME(X) \
- ((X) == (ACM_NULL_POLICY)) ? "NULL" :                        \
-    ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL" :        \
-    ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT" 
: \
-    ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "CHINESE 
WALL AND SIMPLE TYPE ENFORCEMENT" : \
-     "UNDEFINED"
-
-/* the following policy versions must be increased
- * whenever the interpretation of the related
- * policy's data structure changes
- */
-#define ACM_POLICY_VERSION 3
-#define ACM_CHWALL_VERSION 1
-#define ACM_STE_VERSION  1
-
-/* defines a ssid reference used by xen */
-typedef uint32_t ssidref_t;
-
-/* hooks that are known to domains */
-#define ACMHOOK_none          0
-#define ACMHOOK_sharing       1
-#define ACMHOOK_authorization 2
-
-/* -------security policy relevant type definitions-------- */
-
-/* type identifier; compares to "equal" or "not equal" */
-typedef uint16_t domaintype_t;
-
-/* CHINESE WALL POLICY DATA STRUCTURES
- *
- * current accumulated conflict type set:
- * When a domain is started and has a type that is in
- * a conflict set, the conflicting types are incremented in
- * the aggregate set. When a domain is destroyed, the 
- * conflicting types to its type are decremented.
- * If a domain has multiple types, this procedure works over
- * all those types.
- *
- * conflict_aggregate_set[i] holds the number of
- *   running domains that have a conflict with type i.
- *
- * running_types[i] holds the number of running domains
- *        that include type i in their ssidref-referenced type set
- *
- * conflict_sets[i][j] is "0" if type j has no conflict
- *    with type i and is "1" otherwise.
- */
-/* high-16 = version, low-16 = check magic */
-#define ACM_MAGIC  0x0001debc
-
-/* each offset in bytes from start of the struct they
- * are part of */
-
-/* V3 of the policy buffer aded a version structure */
-struct acm_policy_version
-{
-    uint32_t major;
-    uint32_t minor;
-};
-
-
-/* each buffer consists of all policy information for
- * the respective policy given in the policy code
- *
- * acm_policy_buffer, acm_chwall_policy_buffer,
- * and acm_ste_policy_buffer need to stay 32-bit aligned
- * because we create binary policies also with external
- * tools that assume packed representations (e.g. the java tool)
- */
-struct acm_policy_buffer {
-    uint32_t magic;
-    uint32_t policy_version; /* ACM_POLICY_VERSION */
-    uint32_t len;
-    uint32_t policy_reference_offset;
-    uint32_t primary_policy_code;
-    uint32_t primary_buffer_offset;
-    uint32_t secondary_policy_code;
-    uint32_t secondary_buffer_offset;
-    struct acm_policy_version xml_pol_version; /* add in V3 */
-};
-
-
-struct acm_policy_reference_buffer {
-    uint32_t len;
-};
-
-struct acm_chwall_policy_buffer {
-    uint32_t policy_version; /* ACM_CHWALL_VERSION */
-    uint32_t policy_code;
-    uint32_t chwall_max_types;
-    uint32_t chwall_max_ssidrefs;
-    uint32_t chwall_max_conflictsets;
-    uint32_t chwall_ssid_offset;
-    uint32_t chwall_conflict_sets_offset;
-    uint32_t chwall_running_types_offset;
-    uint32_t chwall_conflict_aggregate_offset;
-};
-
-struct acm_ste_policy_buffer {
-    uint32_t policy_version; /* ACM_STE_VERSION */
-    uint32_t policy_code;
-    uint32_t ste_max_types;
-    uint32_t ste_max_ssidrefs;
-    uint32_t ste_ssid_offset;
-};
-
-struct acm_stats_buffer {
-    uint32_t magic;
-    uint32_t len;
-    uint32_t primary_policy_code;
-    uint32_t primary_stats_offset;
-    uint32_t secondary_policy_code;
-    uint32_t secondary_stats_offset;
-};
-
-struct acm_ste_stats_buffer {
-    uint32_t ec_eval_count;
-    uint32_t gt_eval_count;
-    uint32_t ec_denied_count;
-    uint32_t gt_denied_count;
-    uint32_t ec_cachehit_count;
-    uint32_t gt_cachehit_count;
-};
-
-struct acm_ssid_buffer {
-    uint32_t len;
-    ssidref_t ssidref;
-    uint32_t policy_reference_offset;
-    uint32_t primary_policy_code;
-    uint32_t primary_max_types;
-    uint32_t primary_types_offset;
-    uint32_t secondary_policy_code;
-    uint32_t secondary_max_types;
-    uint32_t secondary_types_offset;
-};
-
-#endif
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/acm_ops.h
--- a/xen/include/public/acm_ops.h      Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,159 +0,0 @@
-/*
- * acm_ops.h: Xen access control module hypervisor commands
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to
- * deal in the Software without restriction, including without limitation the
- * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
- * sell copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- *
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- * Copyright (c) 2005,2006 International Business Machines Corporation.
- */
-
-#ifndef __XEN_PUBLIC_ACM_OPS_H__
-#define __XEN_PUBLIC_ACM_OPS_H__
-
-#include "xen.h"
-#include "acm.h"
-
-/*
- * Make sure you increment the interface version whenever you modify this file!
- * This makes sure that old versions of acm tools will stop working in a
- * well-defined way (rather than crashing the machine, for instance).
- */
-#define ACM_INTERFACE_VERSION   0xAAAA000A
-
-/************************************************************************/
-
-/*
- * Prototype for this hypercall is:
- *  int acm_op(int cmd, void *args)
- * @cmd  == ACMOP_??? (access control module operation).
- * @args == Operation-specific extra arguments (NULL if none).
- */
-
-
-#define ACMOP_setpolicy         1
-struct acm_setpolicy {
-    /* IN */
-    XEN_GUEST_HANDLE_64(void) pushcache;
-    uint32_t pushcache_size;
-};
-
-
-#define ACMOP_getpolicy         2
-struct acm_getpolicy {
-    /* IN */
-    XEN_GUEST_HANDLE_64(void) pullcache;
-    uint32_t pullcache_size;
-};
-
-
-#define ACMOP_dumpstats         3
-struct acm_dumpstats {
-    /* IN */
-    XEN_GUEST_HANDLE_64(void) pullcache;
-    uint32_t pullcache_size;
-};
-
-
-#define ACMOP_getssid           4
-#define ACM_GETBY_ssidref  1
-#define ACM_GETBY_domainid 2
-struct acm_getssid {
-    /* IN */
-    uint32_t get_ssid_by; /* ACM_GETBY_* */
-    union {
-        domaintype_t domainid;
-        ssidref_t    ssidref;
-    } id;
-    XEN_GUEST_HANDLE_64(void) ssidbuf;
-    uint32_t ssidbuf_size;
-};
-
-#define ACMOP_getdecision      5
-struct acm_getdecision {
-    /* IN */
-    uint32_t get_decision_by1; /* ACM_GETBY_* */
-    uint32_t get_decision_by2; /* ACM_GETBY_* */
-    union {
-        domaintype_t domainid;
-        ssidref_t    ssidref;
-    } id1;
-    union {
-        domaintype_t domainid;
-        ssidref_t    ssidref;
-    } id2;
-    uint32_t hook;
-    /* OUT */
-    uint32_t acm_decision;
-};
-
-
-#define ACMOP_chgpolicy        6
-struct acm_change_policy {
-    /* IN */
-    XEN_GUEST_HANDLE_64(void) policy_pushcache;
-    uint32_t policy_pushcache_size;
-    XEN_GUEST_HANDLE_64(void) del_array;
-    uint32_t delarray_size;
-    XEN_GUEST_HANDLE_64(void) chg_array;
-    uint32_t chgarray_size;
-    /* OUT */
-    /* array with error code */
-    XEN_GUEST_HANDLE_64(void) err_array;
-    uint32_t errarray_size;
-};
-
-#define ACMOP_relabeldoms       7
-struct acm_relabel_doms {
-    /* IN */
-    XEN_GUEST_HANDLE_64(void) relabel_map;
-    uint32_t relabel_map_size;
-    /* OUT */
-    XEN_GUEST_HANDLE_64(void) err_array;
-    uint32_t errarray_size;
-};
-
-/* future interface to Xen */
-struct xen_acmctl {
-    uint32_t cmd;
-    uint32_t interface_version;
-    union {
-        struct acm_setpolicy     setpolicy;
-        struct acm_getpolicy     getpolicy;
-        struct acm_dumpstats     dumpstats;
-        struct acm_getssid       getssid;
-        struct acm_getdecision   getdecision;
-        struct acm_change_policy change_policy;
-        struct acm_relabel_doms  relabel_doms;
-    } u;
-};
-
-typedef struct xen_acmctl xen_acmctl_t;
-DEFINE_XEN_GUEST_HANDLE(xen_acmctl_t);
-
-#endif /* __XEN_PUBLIC_ACM_OPS_H__ */
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/xsm/acm.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/public/xsm/acm.h      Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,229 @@
+/*
+ * acm.h: Xen access control module interface defintions
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ * Copyright (c) 2005, International Business Machines Corporation.
+ */
+
+#ifndef _XEN_PUBLIC_ACM_H
+#define _XEN_PUBLIC_ACM_H
+
+#include "../xen.h"
+
+/* if ACM_DEBUG defined, all hooks should
+ * print a short trace message (comment it out
+ * when not in testing mode )
+ */
+/* #define ACM_DEBUG */
+
+#ifdef ACM_DEBUG
+#  define printkd(fmt, args...) printk(fmt,## args)
+#else
+#  define printkd(fmt, args...)
+#endif
+
+/* default ssid reference value if not supplied */
+#define ACM_DEFAULT_SSID  0x0
+#define ACM_DEFAULT_LOCAL_SSID  0x0
+
+/* Internal ACM ERROR types */
+#define ACM_OK     0
+#define ACM_UNDEF   -1
+#define ACM_INIT_SSID_ERROR  -2
+#define ACM_INIT_SOID_ERROR  -3
+#define ACM_ERROR          -4
+
+/* External ACCESS DECISIONS */
+#define ACM_ACCESS_PERMITTED        0
+#define ACM_ACCESS_DENIED           -111
+#define ACM_NULL_POINTER_ERROR      -200
+
+/*
+   Error codes reported in when trying to test for a new policy
+   These error codes are reported in an array of tuples where
+   each error code is followed by a parameter describing the error
+   more closely, such as a domain id.
+*/
+#define ACM_EVTCHN_SHARING_VIOLATION       0x100
+#define ACM_GNTTAB_SHARING_VIOLATION       0x101
+#define ACM_DOMAIN_LOOKUP                  0x102
+#define ACM_CHWALL_CONFLICT                0x103
+#define ACM_SSIDREF_IN_USE                 0x104
+
+
+/* primary policy in lower 4 bits */
+#define ACM_NULL_POLICY 0
+#define ACM_CHINESE_WALL_POLICY 1
+#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2
+#define ACM_POLICY_UNDEFINED 15
+
+/* combinations have secondary policy component in higher 4bit */
+#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \
+    ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY)
+
+/* policy: */
+#define ACM_POLICY_NAME(X) \
+ ((X) == (ACM_NULL_POLICY)) ? "NULL" :                        \
+    ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL" :        \
+    ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT" 
: \
+    ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "CHINESE 
WALL AND SIMPLE TYPE ENFORCEMENT" : \
+     "UNDEFINED"
+
+/* the following policy versions must be increased
+ * whenever the interpretation of the related
+ * policy's data structure changes
+ */
+#define ACM_POLICY_VERSION 3
+#define ACM_CHWALL_VERSION 1
+#define ACM_STE_VERSION  1
+
+/* defines a ssid reference used by xen */
+typedef uint32_t ssidref_t;
+
+/* hooks that are known to domains */
+#define ACMHOOK_none          0
+#define ACMHOOK_sharing       1
+#define ACMHOOK_authorization 2
+
+/* -------security policy relevant type definitions-------- */
+
+/* type identifier; compares to "equal" or "not equal" */
+typedef uint16_t domaintype_t;
+
+/* CHINESE WALL POLICY DATA STRUCTURES
+ *
+ * current accumulated conflict type set:
+ * When a domain is started and has a type that is in
+ * a conflict set, the conflicting types are incremented in
+ * the aggregate set. When a domain is destroyed, the 
+ * conflicting types to its type are decremented.
+ * If a domain has multiple types, this procedure works over
+ * all those types.
+ *
+ * conflict_aggregate_set[i] holds the number of
+ *   running domains that have a conflict with type i.
+ *
+ * running_types[i] holds the number of running domains
+ *        that include type i in their ssidref-referenced type set
+ *
+ * conflict_sets[i][j] is "0" if type j has no conflict
+ *    with type i and is "1" otherwise.
+ */
+/* high-16 = version, low-16 = check magic */
+#define ACM_MAGIC  0x0001debc
+
+/* each offset in bytes from start of the struct they
+ * are part of */
+
+/* V3 of the policy buffer aded a version structure */
+struct acm_policy_version
+{
+    uint32_t major;
+    uint32_t minor;
+};
+
+
+/* each buffer consists of all policy information for
+ * the respective policy given in the policy code
+ *
+ * acm_policy_buffer, acm_chwall_policy_buffer,
+ * and acm_ste_policy_buffer need to stay 32-bit aligned
+ * because we create binary policies also with external
+ * tools that assume packed representations (e.g. the java tool)
+ */
+struct acm_policy_buffer {
+    uint32_t magic;
+    uint32_t policy_version; /* ACM_POLICY_VERSION */
+    uint32_t len;
+    uint32_t policy_reference_offset;
+    uint32_t primary_policy_code;
+    uint32_t primary_buffer_offset;
+    uint32_t secondary_policy_code;
+    uint32_t secondary_buffer_offset;
+    struct acm_policy_version xml_pol_version; /* add in V3 */
+};
+
+
+struct acm_policy_reference_buffer {
+    uint32_t len;
+};
+
+struct acm_chwall_policy_buffer {
+    uint32_t policy_version; /* ACM_CHWALL_VERSION */
+    uint32_t policy_code;
+    uint32_t chwall_max_types;
+    uint32_t chwall_max_ssidrefs;
+    uint32_t chwall_max_conflictsets;
+    uint32_t chwall_ssid_offset;
+    uint32_t chwall_conflict_sets_offset;
+    uint32_t chwall_running_types_offset;
+    uint32_t chwall_conflict_aggregate_offset;
+};
+
+struct acm_ste_policy_buffer {
+    uint32_t policy_version; /* ACM_STE_VERSION */
+    uint32_t policy_code;
+    uint32_t ste_max_types;
+    uint32_t ste_max_ssidrefs;
+    uint32_t ste_ssid_offset;
+};
+
+struct acm_stats_buffer {
+    uint32_t magic;
+    uint32_t len;
+    uint32_t primary_policy_code;
+    uint32_t primary_stats_offset;
+    uint32_t secondary_policy_code;
+    uint32_t secondary_stats_offset;
+};
+
+struct acm_ste_stats_buffer {
+    uint32_t ec_eval_count;
+    uint32_t gt_eval_count;
+    uint32_t ec_denied_count;
+    uint32_t gt_denied_count;
+    uint32_t ec_cachehit_count;
+    uint32_t gt_cachehit_count;
+};
+
+struct acm_ssid_buffer {
+    uint32_t len;
+    ssidref_t ssidref;
+    uint32_t policy_reference_offset;
+    uint32_t primary_policy_code;
+    uint32_t primary_max_types;
+    uint32_t primary_types_offset;
+    uint32_t secondary_policy_code;
+    uint32_t secondary_max_types;
+    uint32_t secondary_types_offset;
+};
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/xsm/acm_ops.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/public/xsm/acm_ops.h  Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,159 @@
+/*
+ * acm_ops.h: Xen access control module hypervisor commands
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ * Copyright (c) 2005,2006 International Business Machines Corporation.
+ */
+
+#ifndef __XEN_PUBLIC_ACM_OPS_H__
+#define __XEN_PUBLIC_ACM_OPS_H__
+
+#include "../xen.h"
+#include "acm.h"
+
+/*
+ * Make sure you increment the interface version whenever you modify this file!
+ * This makes sure that old versions of acm tools will stop working in a
+ * well-defined way (rather than crashing the machine, for instance).
+ */
+#define ACM_INTERFACE_VERSION   0xAAAA000A
+
+/************************************************************************/
+
+/*
+ * Prototype for this hypercall is:
+ *  int acm_op(int cmd, void *args)
+ * @cmd  == ACMOP_??? (access control module operation).
+ * @args == Operation-specific extra arguments (NULL if none).
+ */
+
+
+#define ACMOP_setpolicy         1
+struct acm_setpolicy {
+    /* IN */
+    XEN_GUEST_HANDLE_64(void) pushcache;
+    uint32_t pushcache_size;
+};
+
+
+#define ACMOP_getpolicy         2
+struct acm_getpolicy {
+    /* IN */
+    XEN_GUEST_HANDLE_64(void) pullcache;
+    uint32_t pullcache_size;
+};
+
+
+#define ACMOP_dumpstats         3
+struct acm_dumpstats {
+    /* IN */
+    XEN_GUEST_HANDLE_64(void) pullcache;
+    uint32_t pullcache_size;
+};
+
+
+#define ACMOP_getssid           4
+#define ACM_GETBY_ssidref  1
+#define ACM_GETBY_domainid 2
+struct acm_getssid {
+    /* IN */
+    uint32_t get_ssid_by; /* ACM_GETBY_* */
+    union {
+        domaintype_t domainid;
+        ssidref_t    ssidref;
+    } id;
+    XEN_GUEST_HANDLE_64(void) ssidbuf;
+    uint32_t ssidbuf_size;
+};
+
+#define ACMOP_getdecision      5
+struct acm_getdecision {
+    /* IN */
+    uint32_t get_decision_by1; /* ACM_GETBY_* */
+    uint32_t get_decision_by2; /* ACM_GETBY_* */
+    union {
+        domaintype_t domainid;
+        ssidref_t    ssidref;
+    } id1;
+    union {
+        domaintype_t domainid;
+        ssidref_t    ssidref;
+    } id2;
+    uint32_t hook;
+    /* OUT */
+    uint32_t acm_decision;
+};
+
+
+#define ACMOP_chgpolicy        6
+struct acm_change_policy {
+    /* IN */
+    XEN_GUEST_HANDLE_64(void) policy_pushcache;
+    uint32_t policy_pushcache_size;
+    XEN_GUEST_HANDLE_64(void) del_array;
+    uint32_t delarray_size;
+    XEN_GUEST_HANDLE_64(void) chg_array;
+    uint32_t chgarray_size;
+    /* OUT */
+    /* array with error code */
+    XEN_GUEST_HANDLE_64(void) err_array;
+    uint32_t errarray_size;
+};
+
+#define ACMOP_relabeldoms       7
+struct acm_relabel_doms {
+    /* IN */
+    XEN_GUEST_HANDLE_64(void) relabel_map;
+    uint32_t relabel_map_size;
+    /* OUT */
+    XEN_GUEST_HANDLE_64(void) err_array;
+    uint32_t errarray_size;
+};
+
+/* future interface to Xen */
+struct xen_acmctl {
+    uint32_t cmd;
+    uint32_t interface_version;
+    union {
+        struct acm_setpolicy     setpolicy;
+        struct acm_getpolicy     getpolicy;
+        struct acm_dumpstats     dumpstats;
+        struct acm_getssid       getssid;
+        struct acm_getdecision   getdecision;
+        struct acm_change_policy change_policy;
+        struct acm_relabel_doms  relabel_doms;
+    } u;
+};
+
+typedef struct xen_acmctl xen_acmctl_t;
+DEFINE_XEN_GUEST_HANDLE(xen_acmctl_t);
+
+#endif /* __XEN_PUBLIC_ACM_OPS_H__ */
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xen/sched.h
--- a/xen/include/xen/sched.h   Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/include/xen/sched.h   Fri Aug 31 12:05:07 2007 +0100
@@ -10,7 +10,7 @@
 #include <public/xen.h>
 #include <public/domctl.h>
 #include <public/vcpu.h>
-#include <public/acm.h>
+#include <public/xsm/acm.h>
 #include <xen/time.h>
 #include <xen/timer.h>
 #include <xen/grant_table.h>
@@ -63,6 +63,9 @@ struct evtchn
         u16 pirq;      /* state == ECS_PIRQ */
         u16 virq;      /* state == ECS_VIRQ */
     } u;
+#ifdef FLASK_ENABLE
+    void *ssid;
+#endif
 };
 
 int  evtchn_init(struct domain *d);
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xsm/acm/acm_core.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/xsm/acm/acm_core.h    Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,196 @@
+/****************************************************************
+ * acm_core.h 
+ * 
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * sHype header file describing core data types and constants
+ *    for the access control module and relevant policies
+ *
+ */
+
+#ifndef _ACM_CORE_H
+#define _ACM_CORE_H
+
+#include <xen/spinlock.h>
+#include <xen/list.h>
+#include <public/xsm/acm.h>
+#include <public/xsm/acm_ops.h>
+#include <xsm/acm/acm_endian.h>
+
+#define ACM_DEFAULT_SECURITY_POLICY \
+        ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+
+/* Xen-internal representation of the binary policy */
+struct acm_binary_policy {
+    char *policy_reference_name;
+    u16 primary_policy_code;
+    u16 secondary_policy_code;
+    struct acm_policy_version xml_pol_version;
+};
+
+struct chwall_binary_policy {
+    u32 max_types;
+    u32 max_ssidrefs;
+    u32 max_conflictsets;
+    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
+    domaintype_t *conflict_aggregate_set;  /* [max_types]      */
+    domaintype_t *running_types;    /* [max_types]      */
+    domaintype_t *conflict_sets;   /* [max_conflictsets][max_types]*/
+};
+
+struct ste_binary_policy {
+    u32 max_types;
+    u32 max_ssidrefs;
+    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
+    atomic_t ec_eval_count, gt_eval_count;
+    atomic_t ec_denied_count, gt_denied_count;
+    atomic_t ec_cachehit_count, gt_cachehit_count;
+};
+
+/* global acm policy */
+extern u16 acm_active_security_policy;
+extern struct acm_binary_policy acm_bin_pol;
+extern struct chwall_binary_policy chwall_bin_pol;
+extern struct ste_binary_policy ste_bin_pol;
+/* use the lock when reading / changing binary policy ! */
+extern rwlock_t acm_bin_pol_rwlock;
+extern rwlock_t ssid_list_rwlock;
+
+/* subject and object type definitions */
+#define ACM_DATATYPE_domain 1
+
+/* defines number of access decisions to other domains can be cached
+ * one entry per domain, TE does not distinguish evtchn or grant_table */
+#define ACM_TE_CACHE_SIZE 8
+#define ACM_STE_valid 0
+#define ACM_STE_free  1
+
+/* cache line:
+ * if cache_line.valid==ACM_STE_valid, then
+ *    STE decision is cached as "permitted" 
+ *                 on domain cache_line.id
+ */
+struct acm_ste_cache_line {
+    int valid; /* ACM_STE_* */
+    domid_t id;
+};
+
+/* general definition of a subject security id */
+struct acm_ssid_domain {
+    struct list_head node; /* all are chained together */
+    int datatype;          /* type of subject (e.g., partition): 
ACM_DATATYPE_* */
+    ssidref_t ssidref;     /* combined security reference */
+    ssidref_t old_ssidref; /* holds previous value of ssidref during 
relabeling */
+    void *primary_ssid;    /* primary policy ssid part (e.g. chinese wall) */
+    void *secondary_ssid;  /* secondary policy ssid part (e.g. type 
enforcement) */
+    struct domain *subject;/* backpointer to subject structure */
+    domid_t domainid;      /* replicate id */
+};
+
+/* chinese wall ssid type */
+struct chwall_ssid {
+    ssidref_t chwall_ssidref;
+};
+
+/* simple type enforcement ssid type */
+struct ste_ssid {
+    ssidref_t ste_ssidref;
+    struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache 
*/
+};
+
+/* macros to access ssidref for primary / secondary policy 
+ * primary ssidref   = lower 16 bit
+ *  secondary ssidref = higher 16 bit
+ */
+#define ACM_PRIMARY(ssidref) \
+ ((ssidref) & 0xffff)
+
+#define ACM_SECONDARY(ssidref) \
+ ((ssidref) >> 16)
+
+#define GET_SSIDREF(POLICY, ssidref) \
+ ((POLICY) == acm_bin_pol.primary_policy_code) ? \
+ ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref)
+
+/* macros to access ssid pointer for primary / secondary policy */
+#define GET_SSIDP(POLICY, ssid) \
+ ((POLICY) == acm_bin_pol.primary_policy_code) ? \
+ ((ssid)->primary_ssid) : ((ssid)->secondary_ssid)
+
+#define ACM_INVALID_SSIDREF  (0xffffffff)
+
+struct acm_sized_buffer
+{
+    uint32_t *array;
+    uint num_items;
+    uint position;
+};
+
+static inline int acm_array_append_tuple(struct acm_sized_buffer *buf,
+                                         uint32_t a, uint32_t b)
+{
+    uint i;
+    if (buf == NULL)
+        return 0;
+
+    i = buf->position;
+
+    if ((i + 2) > buf->num_items)
+        return 0;
+
+    buf->array[i]   = cpu_to_be32(a);
+    buf->array[i+1] = cpu_to_be32(b);
+    buf->position += 2;
+    return 1;
+}
+
+/* protos */
+int acm_init_domain_ssid(struct domain *, ssidref_t ssidref);
+void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
+int acm_init_binary_policy(u32 policy_code);
+int acm_set_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
+int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy,
+                      struct acm_sized_buffer *, struct acm_sized_buffer *,
+                      struct acm_sized_buffer *);
+int acm_get_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
+int acm_dump_statistics(XEN_GUEST_HANDLE_64(void) buf, u16 buf_size);
+int acm_get_ssid(ssidref_t ssidref, XEN_GUEST_HANDLE_64(void) buf, u16 
buf_size);
+int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, u32 hook);
+int acm_set_policy_reference(u8 * buf, u32 buf_size);
+int acm_dump_policy_reference(u8 *buf, u32 buf_size);
+int acm_change_policy(struct acm_change_policy *);
+int acm_relabel_domains(struct acm_relabel_doms *);
+int do_chwall_init_state_curr(struct acm_sized_buffer *);
+int do_ste_init_state_curr(struct acm_sized_buffer *);
+
+/* variables */
+extern ssidref_t dom0_chwall_ssidref;
+extern ssidref_t dom0_ste_ssidref;
+#define ACM_MAX_NUM_TYPES   (256)
+
+/* traversing the list of ssids */
+extern struct list_head ssid_list;
+#define for_each_acmssid( N )                               \
+   for ( N =  (struct acm_ssid_domain *)ssid_list.next;     \
+         N != (struct acm_ssid_domain *)&ssid_list;         \
+         N =  (struct acm_ssid_domain *)N->node.next     )
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xsm/acm/acm_endian.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/xsm/acm/acm_endian.h  Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,69 @@
+/****************************************************************
+ * acm_endian.h 
+ * 
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author:
+ * Stefan Berger <stefanb@xxxxxxxxxxxxxx>
+ * 
+ * Contributions:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * sHype header file defining endian-dependent functions for the
+ * big-endian policy interface
+ *
+ */
+
+#ifndef _ACM_ENDIAN_H
+#define _ACM_ENDIAN_H
+
+#include <asm/byteorder.h>
+
+static inline void arrcpy16(u16 *dest, const u16 *src, size_t n)
+{
+    unsigned int i;
+    for ( i = 0; i < n; i++ )
+        dest[i] = cpu_to_be16(src[i]);
+}
+
+static inline void arrcpy32(u32 *dest, const u32 *src, size_t n)
+{
+    unsigned int i;
+    for ( i = 0; i < n; i++ )
+        dest[i] = cpu_to_be32(src[i]);
+}
+
+static inline void arrcpy(
+    void *dest, const void *src, unsigned int elsize, size_t n)
+{
+    switch ( elsize )
+    {
+    case sizeof(u16):
+        arrcpy16((u16 *)dest, (u16 *)src, n);
+        break;
+
+    case sizeof(u32):
+        arrcpy32((u32 *)dest, (u32 *)src, n);
+        break;
+
+    default:
+        memcpy(dest, src, elsize*n);
+    }
+}
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xsm/acm/acm_hooks.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/xsm/acm/acm_hooks.h   Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,349 @@
+/****************************************************************
+ * acm_hooks.h 
+ * 
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * acm header file implementing the global (policy-independent)
+ *      sHype hooks that are called throughout Xen.
+ * 
+ */
+
+#ifndef _ACM_HOOKS_H
+#define _ACM_HOOKS_H
+
+#include <xen/config.h>
+#include <xen/errno.h>
+#include <xen/types.h>
+#include <xen/lib.h>
+#include <xen/delay.h>
+#include <xen/sched.h>
+#include <xen/multiboot.h>
+#include <public/xsm/acm.h>
+#include <xsm/acm/acm_core.h>
+#include <public/domctl.h>
+#include <public/event_channel.h>
+#include <asm/current.h>
+
+/*
+ * HOOK structure and meaning (justifies a few words about our model):
+ * 
+ * General idea: every policy-controlled system operation is reflected in a 
+ *               transaction in the system's security state
+ *
+ *      Keeping the security state consistent requires "atomic" transactions.
+ *      The name of the hooks to place around policy-controlled transactions
+ *      reflects this. If authorizations do not involve security state changes,
+ *      then and only then POST and FAIL hooks remain empty since we don't care
+ *      about the eventual outcome of the operation from a security viewpoint.
+ *
+ *      PURPOSE of hook types:
+ *      ======================
+ *      PRE-Hooks
+ *       a) general authorization to guard a controlled system operation
+ *       b) prepare security state change
+ *          (means: fail hook must be able to "undo" this)
+ *
+ *      POST-Hooks
+ *       a) commit prepared state change
+ *
+ *      FAIL-Hooks
+ *       a) roll-back prepared security state change from PRE-Hook
+ *
+ *
+ *      PLACEMENT of hook types:
+ *      ========================
+ *      PRE-Hooks must be called before a guarded/controlled system operation
+ *      is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or
+ *      error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED.
+ *
+ *      POST-Hooks must be called after a successful system operation.
+ *      There is no return value: commit never fails.
+ *
+ *      FAIL-Hooks must be called:
+ *       a) if system transaction (operation) fails after calling the PRE-hook
+ *       b) if another (secondary) policy denies access in its PRE-Hook
+ *          (policy layering is useful but requires additional handling)
+ *
+ * Hook model from a security transaction viewpoint:
+ *   start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
+ *                   (pre-hook)  \           (post-hook)
+ *                                \
+ *                               fail
+ *                                   \
+ *                                    \
+ *                                  roll-back
+ *                                 (fail-hook)
+ *                                        \
+ *                                       sys-ops error
+ *
+ */
+
+struct acm_operations {
+    /* policy management functions (must always be defined!) */
+    int  (*init_domain_ssid)           (void **ssid, ssidref_t ssidref);
+    void (*free_domain_ssid)           (void *ssid);
+    int  (*dump_binary_policy)         (u8 *buffer, u32 buf_size);
+    int  (*test_binary_policy)         (u8 *buffer, u32 buf_size,
+                                        int is_bootpolicy,
+                                        struct acm_sized_buffer *);
+    int  (*set_binary_policy)          (u8 *buffer, u32 buf_size);
+    int  (*dump_statistics)            (u8 *buffer, u16 buf_size);
+    int  (*dump_ssid_types)            (ssidref_t ssidref, u8 *buffer, u16 
buf_size);
+    /* domain management control hooks (can be NULL) */
+    int  (*domain_create)              (void *subject_ssid, ssidref_t ssidref,
+                                        domid_t domid);
+    void (*domain_destroy)             (void *object_ssid, struct domain *d);
+    /* event channel control hooks  (can be NULL) */
+    int  (*pre_eventchannel_unbound)      (domid_t id1, domid_t id2);
+    void (*fail_eventchannel_unbound)     (domid_t id1, domid_t id2);
+    int  (*pre_eventchannel_interdomain)  (domid_t id);
+    void (*fail_eventchannel_interdomain) (domid_t id);
+    /* grant table control hooks (can be NULL)  */
+    int  (*pre_grant_map_ref)          (domid_t id);
+    void (*fail_grant_map_ref)         (domid_t id);
+    int  (*pre_grant_setup)            (domid_t id);
+    void (*fail_grant_setup)           (domid_t id);
+    /* generic domain-requested decision hooks (can be NULL) */
+    int (*sharing)                     (ssidref_t ssidref1,
+                                        ssidref_t ssidref2);
+    int (*authorization)               (ssidref_t ssidref1,
+                                        ssidref_t ssidref2);
+    /* determine whether the default policy is installed */
+    int (*is_default_policy)           (void);
+};
+
+/* global variables */
+extern struct acm_operations *acm_primary_ops;
+extern struct acm_operations *acm_secondary_ops;
+
+/* if ACM_TRACE_MODE defined, all hooks should
+ * print a short trace message */
+/* #define ACM_TRACE_MODE */
+
+#ifdef ACM_TRACE_MODE
+# define traceprintk(fmt, args...) printk(fmt,## args)
+#else
+# define traceprintk(fmt, args...)
+#endif
+
+
+#ifndef ACM_SECURITY
+
+static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
+{ return 0; }
+static inline int acm_pre_eventchannel_interdomain(domid_t id)
+{ return 0; }
+static inline int acm_pre_grant_map_ref(domid_t id) 
+{ return 0; }
+static inline int acm_pre_grant_setup(domid_t id) 
+{ return 0; }
+static inline int acm_is_policy(char *buf, unsigned long len)
+{ return 0; }
+static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
+{ return 0; }
+static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
+{ return 0; }
+static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
+{ return 0; }
+static inline void acm_domain_destroy(struct domain *d)
+{ return; }
+
+#define DOM0_SSIDREF 0x0
+
+#else
+
+static inline void acm_domain_ssid_onto_list(struct acm_ssid_domain *ssid)
+{
+    write_lock(&ssid_list_rwlock);
+    list_add(&ssid->node, &ssid_list);
+    write_unlock(&ssid_list_rwlock);
+}
+
+static inline void acm_domain_ssid_off_list(struct acm_ssid_domain *ssid)
+{
+    write_lock(&ssid_list_rwlock);
+    list_del(&ssid->node);
+    write_unlock(&ssid_list_rwlock);
+}
+
+static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
+{
+    if ((acm_primary_ops->pre_eventchannel_unbound != NULL) && 
+        acm_primary_ops->pre_eventchannel_unbound(id1, id2))
+        return ACM_ACCESS_DENIED;
+    else if ((acm_secondary_ops->pre_eventchannel_unbound != NULL) && 
+             acm_secondary_ops->pre_eventchannel_unbound(id1, id2)) {
+        /* roll-back primary */
+        if (acm_primary_ops->fail_eventchannel_unbound != NULL)
+            acm_primary_ops->fail_eventchannel_unbound(id1, id2);
+        return ACM_ACCESS_DENIED;
+    } else
+        return ACM_ACCESS_PERMITTED;
+}
+
+static inline int acm_pre_eventchannel_interdomain(domid_t id)
+{
+    if ((acm_primary_ops->pre_eventchannel_interdomain != NULL) &&
+        acm_primary_ops->pre_eventchannel_interdomain(id))
+        return ACM_ACCESS_DENIED;
+    else if ((acm_secondary_ops->pre_eventchannel_interdomain != NULL) &&
+             acm_secondary_ops->pre_eventchannel_interdomain(id)) {
+        /* roll-back primary */
+        if (acm_primary_ops->fail_eventchannel_interdomain != NULL)
+            acm_primary_ops->fail_eventchannel_interdomain(id);
+        return ACM_ACCESS_DENIED;
+    } else
+        return ACM_ACCESS_PERMITTED;
+}
+
+
+static inline int acm_pre_grant_map_ref(domid_t id)
+{
+    if ( (acm_primary_ops->pre_grant_map_ref != NULL) &&
+         acm_primary_ops->pre_grant_map_ref(id) )
+    {
+        return ACM_ACCESS_DENIED;
+    }
+    else if ( (acm_secondary_ops->pre_grant_map_ref != NULL) &&
+              acm_secondary_ops->pre_grant_map_ref(id) )
+    {
+        /* roll-back primary */
+        if ( acm_primary_ops->fail_grant_map_ref != NULL )
+            acm_primary_ops->fail_grant_map_ref(id);
+        return ACM_ACCESS_DENIED;
+    }
+    else
+    {
+        return ACM_ACCESS_PERMITTED;
+    }
+}
+
+static inline int acm_pre_grant_setup(domid_t id)
+{
+    if ( (acm_primary_ops->pre_grant_setup != NULL) &&
+         acm_primary_ops->pre_grant_setup(id) )
+    {
+        return ACM_ACCESS_DENIED;
+    }
+    else if ( (acm_secondary_ops->pre_grant_setup != NULL) &&
+              acm_secondary_ops->pre_grant_setup(id) )
+    {
+        /* roll-back primary */
+        if (acm_primary_ops->fail_grant_setup != NULL)
+            acm_primary_ops->fail_grant_setup(id);
+        return ACM_ACCESS_DENIED;
+    }
+    else
+    {
+        return ACM_ACCESS_PERMITTED;
+    }
+}
+
+
+static inline void acm_domain_destroy(struct domain *d)
+{
+    void *ssid = d->ssid;
+    if (ssid != NULL) {
+        if (acm_primary_ops->domain_destroy != NULL)
+            acm_primary_ops->domain_destroy(ssid, d);
+        if (acm_secondary_ops->domain_destroy != NULL)
+            acm_secondary_ops->domain_destroy(ssid, d);
+        /* free security ssid for the destroyed domain (also if null policy */
+        acm_domain_ssid_off_list(ssid);
+        acm_free_domain_ssid((struct acm_ssid_domain *)(ssid));
+    }
+}
+
+
+static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
+{
+    void *subject_ssid = current->domain->ssid;
+    domid_t domid = d->domain_id;
+    int rc;
+
+    read_lock(&acm_bin_pol_rwlock);
+    /*
+       To be called when a domain is created; returns '0' if the
+       domain is allowed to be created, != '0' if not.
+     */
+    rc = acm_init_domain_ssid(d, ssidref);
+    if (rc != ACM_OK)
+        goto error_out;
+
+    if ((acm_primary_ops->domain_create != NULL) &&
+        acm_primary_ops->domain_create(subject_ssid, ssidref, domid)) {
+        rc = ACM_ACCESS_DENIED;
+    } else if ((acm_secondary_ops->domain_create != NULL) &&
+                acm_secondary_ops->domain_create(subject_ssid, ssidref,
+                                                 domid)) {
+        /* roll-back primary */
+        if (acm_primary_ops->domain_destroy != NULL)
+            acm_primary_ops->domain_destroy(d->ssid, d);
+        rc = ACM_ACCESS_DENIED;
+    }
+
+    if ( rc == ACM_OK )
+    {
+        acm_domain_ssid_onto_list(d->ssid);
+    } else {
+        acm_free_domain_ssid(d->ssid);
+    }
+
+error_out:
+    read_unlock(&acm_bin_pol_rwlock);
+    return rc;
+}
+
+
+static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
+{
+    if ((acm_primary_ops->sharing != NULL) &&
+        acm_primary_ops->sharing(ssidref1, ssidref2))
+        return ACM_ACCESS_DENIED;
+    else if ((acm_secondary_ops->sharing != NULL) &&
+             acm_secondary_ops->sharing(ssidref1, ssidref2)) {
+        return ACM_ACCESS_DENIED;
+    } else
+        return ACM_ACCESS_PERMITTED;
+}
+
+
+static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
+{
+    if ((acm_primary_ops->authorization != NULL) &&
+        acm_primary_ops->authorization(ssidref1, ssidref2))
+        return ACM_ACCESS_DENIED;
+    else if ((acm_secondary_ops->authorization != NULL) &&
+             acm_secondary_ops->authorization(ssidref1, ssidref2)) {
+        return ACM_ACCESS_DENIED;
+    } else
+        return ACM_ACCESS_PERMITTED;
+}
+
+
+/* Return true iff buffer has an acm policy magic number.  */
+extern int acm_is_policy(char *buf, unsigned long len);
+
+#define DOM0_SSIDREF (dom0_ste_ssidref << 16 | dom0_chwall_ssidref)
+
+#endif
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_chinesewall_hooks.c
--- a/xen/xsm/acm/acm_chinesewall_hooks.c       Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_chinesewall_hooks.c       Fri Aug 31 12:05:07 2007 +0100
@@ -36,12 +36,11 @@
 #include <xen/lib.h>
 #include <xen/delay.h>
 #include <xen/sched.h>
-#include <public/acm.h>
+#include <public/xsm/acm.h>
 #include <asm/atomic.h>
-#include <acm/acm_core.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
-#include <acm/acm_core.h>
+#include <xsm/acm/acm_core.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
 
 ssidref_t dom0_chwall_ssidref = 0x0001;
 
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_core.c
--- a/xen/xsm/acm/acm_core.c    Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_core.c    Fri Aug 31 12:05:07 2007 +0100
@@ -1,4 +1,4 @@
-/****************************************************************
+#/****************************************************************
  * acm_core.c
  * 
  * Copyright (C) 2005 IBM Corporation
@@ -29,16 +29,16 @@
 #include <xen/delay.h>
 #include <xen/sched.h>
 #include <xen/multiboot.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
 #include <xsm/xsm.h>
 
 /* debug: 
- *   include/acm/acm_hooks.h defines a constant ACM_TRACE_MODE;
+ *   include/xsm/acm/acm_hooks.h defines a constant ACM_TRACE_MODE;
  *   define/undefine this constant to receive / suppress any
  *   security hook debug output of sHype
  *
- *   include/public/acm.h defines a constant ACM_DEBUG
+ *   include/public/xsm/acm.h defines a constant ACM_DEBUG
  *   define/undefine this constant to receive non-hook-related
  *   debug output.
  */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_null_hooks.c
--- a/xen/xsm/acm/acm_null_hooks.c      Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_null_hooks.c      Fri Aug 31 12:05:07 2007 +0100
@@ -12,7 +12,7 @@
  * License.
  */
 
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 
 static int
 null_init_domain_ssid(void **ssid, ssidref_t ssidref)
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_ops.c
--- a/xen/xsm/acm/acm_ops.c     Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_ops.c     Fri Aug 31 12:05:07 2007 +0100
@@ -18,14 +18,14 @@
 #include <xen/types.h>
 #include <xen/lib.h>
 #include <xen/mm.h>
-#include <public/acm.h>
-#include <public/acm_ops.h>
+#include <public/xsm/acm.h>
+#include <public/xsm/acm_ops.h>
 #include <xen/sched.h>
 #include <xen/event.h>
 #include <xen/trace.h>
 #include <xen/console.h>
 #include <xen/guest_access.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 
 #ifndef ACM_SECURITY
 
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_policy.c
--- a/xen/xsm/acm/acm_policy.c  Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_policy.c  Fri Aug 31 12:05:07 2007 +0100
@@ -28,10 +28,10 @@
 #include <xen/sched.h>
 #include <xen/guest_access.h>
 #include <public/xen.h>
-#include <acm/acm_core.h>
-#include <public/acm_ops.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
+#include <xsm/acm/acm_core.h>
+#include <public/xsm/acm_ops.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
 #include <asm/current.h>
 
 static int acm_check_deleted_ssidrefs(struct acm_sized_buffer *dels,
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb 
xen/xsm/acm/acm_simple_type_enforcement_hooks.c
--- a/xen/xsm/acm/acm_simple_type_enforcement_hooks.c   Fri Aug 31 11:41:49 
2007 +0100
+++ b/xen/xsm/acm/acm_simple_type_enforcement_hooks.c   Fri Aug 31 12:05:07 
2007 +0100
@@ -28,10 +28,10 @@
 #include <xen/lib.h>
 #include <asm/types.h>
 #include <asm/current.h>
-#include <acm/acm_hooks.h>
 #include <asm/atomic.h>
-#include <acm/acm_endian.h>
-#include <acm/acm_core.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
+#include <xsm/acm/acm_core.h>
 
 ssidref_t dom0_ste_ssidref = 0x0001;
 
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_xsm_hooks.c
--- a/xen/xsm/acm/acm_xsm_hooks.c       Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_xsm_hooks.c       Fri Aug 31 12:05:07 2007 +0100
@@ -20,34 +20,36 @@
  */
 
 #include <xsm/xsm.h>
-#include <acm/acm_hooks.h>
-#include <public/acm.h>
+#include <xsm/acm/acm_hooks.h>
+#include <public/xsm/acm.h>
 
-static int acm_grant_mapref (struct domain *ld, struct domain *rd,
-                                                                 uint32_t 
flags) 
+static int acm_grant_mapref(
+    struct domain *ld, struct domain *rd, uint32_t flags) 
 {
     domid_t id = rd->domain_id;
 
     return acm_pre_grant_map_ref(id);
 }
 
-static int acm_evtchn_unbound (struct domain *d1, struct evtchn *chn1, domid_t 
id2) 
+static int acm_evtchn_unbound(
+    struct domain *d1, struct evtchn *chn1, domid_t id2) 
 {
     domid_t id1 = d1->domain_id;
     
     return acm_pre_eventchannel_unbound(id1, id2);
 }
 
-static int acm_evtchn_interdomain (struct domain *d1, struct evtchn *chn1, 
-                                        struct domain *d2, struct evtchn 
*chn2) 
+static int acm_evtchn_interdomain(
+    struct domain *d1, struct evtchn *chn1, 
+    struct domain *d2, struct evtchn *chn2) 
 {
     domid_t id2 = d2->domain_id;
 
     return acm_pre_eventchannel_interdomain(id2);
 }
 
-static void acm_security_domaininfo (struct domain *d, 
-                                        struct xen_domctl_getdomaininfo *info)
+static void acm_security_domaininfo(
+    struct domain *d, struct xen_domctl_getdomaininfo *info)
 {
     if ( d->ssid != NULL )
         info->ssidref = ((struct acm_ssid_domain *)d->ssid)->ssidref;

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-unstable] Cleanups after XSM checkin., Xen patchbot-unstable <=