
[Xen-devel] Re: [PATCH] [ACM/Xen] Fix policy buffer layout changed with XSM




"George S. Coker, II" <gscoker@xxxxxxxxxxxxxx> wrote on 09/04/2007 02:29:10 PM:

> On Tue, 2007-09-04 at 10:57 -0400, Stefan Berger wrote:
> > This fixes a regression due to changes in the policy buffer layout
> > submitted by the XSM module.
> >
>
> Hi Stefan,
>
> This was done to make the ACM magic number the first word in the policy
> file.  This seemed to be the logical choice to afford ACM the greatest
> flexibility for loading policies under XSM.  In principle, under XSM, a
> security module could be capable of loading and parsing policies over a
> range of policy versions.


Did you adapt the tools to generate a binary policy in that form?

>
> Your patch reverts the ACM module to the original form where the first
> word of the policy file is the policy version - which could change over
> time.  This is the general problem of magic numbers.


Yes, I changed it back because it was broken; at least, it did not accept the policy I tried to load.

   Stefan


>
> A benefit of your patch is old ACM policies will not need to be
> recompiled to work under XSM with this patch, but I see there being
> future confusion and a potential loss of flexibility for ACM by making
> this change.  I would argue that the ACM policy version should instead
> be bumped for the move to XSM since the XSM patches actually caused a
> format change to the ACM policy binary.
>
> Admittedly, this discussion is moot because ACM has only one policy
> version at this time.  The XSM_MAGIC number must also be updated to
> 03000000 to ensure proper boot time policy detection under XSM with your
> patch.
>
> I also see that there are dups of /xsm in the includes dir.  Since this
> was a restructuring from inclusion in xen-staging, perhaps some cleanups
> are in order.  Keir?
>
> George
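
The header-order question discussed in this thread, as an added example that is not part of the original messages or of the Xen/ACM code: a C check for a policy header whose first word is either the magic or the version, showing that a loader expecting one order rejects a buffer built in the other. The magic value, version range, three-word layout and big-endian encoding are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All constants are constructed for this example, not Xen's real values. */
#define EX_MAGIC   0x504f4c31u   /* hypothetical magic ("POL1") */
#define EX_MIN_VER 3u            /* hypothetical supported version range */
#define EX_MAX_VER 4u
#define EX_HDR_LEN 12u           /* three 32-bit header words */

enum ex_result { EX_OK, EX_TOO_SHORT, EX_BAD_MAGIC, EX_BAD_VERSION, EX_BAD_LEN };

/* Constructed sample headers (big-endian words, length field = 12). */
static const uint8_t ex_magic_first_v4[12]   = {0x50,0x4f,0x4c,0x31, 0,0,0,4, 0,0,0,12};
static const uint8_t ex_version_first_v3[12] = {0,0,0,3, 0x50,0x4f,0x4c,0x31, 0,0,0,12};

static uint32_t ex_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate a header; magic_first selects which of the two word orders the
 * loader expects. Word 2 is the total length in both layouts. */
enum ex_result ex_check(const uint8_t *buf, size_t n, int magic_first, uint32_t *ver)
{
    if (buf == NULL || n < EX_HDR_LEN)
        return EX_TOO_SHORT;
    uint32_t magic   = ex_be32(buf + (magic_first ? 0 : 4));
    uint32_t version = ex_be32(buf + (magic_first ? 4 : 0));
    uint32_t len     = ex_be32(buf + 8);
    if (magic != EX_MAGIC)
        return EX_BAD_MAGIC;
    if (version < EX_MIN_VER || version > EX_MAX_VER)
        return EX_BAD_VERSION;   /* a real loader would dispatch per version here */
    if (len < EX_HDR_LEN || len > n)
        return EX_BAD_LEN;       /* never trust a length beyond the bytes supplied */
    *ver = version;
    return EX_OK;
}

int main(void)
{
    uint32_t v = 0;
    printf("magic-first loader, magic-first policy:     %d\n", ex_check(ex_magic_first_v4, 12, 1, &v));
    printf("magic-first loader, version-first policy:   %d\n", ex_check(ex_version_first_v3, 12, 1, &v));
    printf("version-first loader, version-first policy: %d\n", ex_check(ex_version_first_v3, 12, 0, &v));
    return 0;
}
```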