[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 12/15] xen/xsm: remove .xsm_initcall.init section
Since FLASK is the only implementation of XSM hooks in Xen, using an
iterated initcall dispatch for setup is overly complex. Change this to
a direct function call to a globally visible function; if additional XSM
hooks are added in the future, a switching mechanism will be needed
regardless, and that can be placed in xsm_core.c.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
xen/arch/arm/xen.lds.S | 5 -----
xen/arch/x86/xen.lds.S | 5 -----
xen/common/Kconfig | 37 +++++++++++++++++++------------------
xen/include/xsm/xsm.h | 16 ++++++++--------
xen/xsm/flask/hooks.c | 4 +---
xen/xsm/xsm_core.c | 8 +-------
6 files changed, 29 insertions(+), 46 deletions(-)
diff --git a/xen/arch/arm/xen.lds.S b/xen/arch/arm/xen.lds.S
index 76982b2..8320381 100644
--- a/xen/arch/arm/xen.lds.S
+++ b/xen/arch/arm/xen.lds.S
@@ -162,11 +162,6 @@ SECTIONS
*(.initcall1.init)
__initcall_end = .;
} :text
- .xsm_initcall.init : {
- __xsm_initcall_start = .;
- *(.xsm_initcall.init)
- __xsm_initcall_end = .;
- } :text
__init_end_efi = .;
. = ALIGN(STACK_SIZE);
__init_end = .;
diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S
index a43b29d..dcbb8fe 100644
--- a/xen/arch/x86/xen.lds.S
+++ b/xen/arch/x86/xen.lds.S
@@ -190,11 +190,6 @@ SECTIONS
*(.initcall1.init)
__initcall_end = .;
} :text
- .xsm_initcall.init : {
- __xsm_initcall_start = .;
- *(.xsm_initcall.init)
- __xsm_initcall_end = .;
- } :text
. = ALIGN(PAGE_SIZE);
__init_end = .;
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index cd59574..b8f1800 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -11,24 +11,6 @@ config COMPAT
config CORE_PARKING
bool
-config FLASK
- bool "FLux Advanced Security Kernel support"
- default y
- depends on XSM
- ---help---
- Enables the FLASK (FLux Advanced Security Kernel) support which
- provides a mandatory access control framework by which security
- enforcement, isolation, and auditing can be achieved with fine
- granular control via a security policy.
-
- If unsure, say N.
-
-config FLASK_AVC_STATS
- def_bool y
- depends on FLASK
- ---help---
- Maintain statistics on the access vector cache
-
# Select HAS_DEVICE_TREE if device tree is supported
config HAS_DEVICE_TREE
bool
@@ -137,6 +119,25 @@ config XSM
If unsure, say N.
+config FLASK
+ bool "FLux Advanced Security Kernel support"
+ default y
+ depends on XSM
+ ---help---
+ Enables FLASK (FLux Advanced Security Kernel) as the access control
+ mechanism used by the XSM framework. This provides a mandatory access
+ control framework by which security enforcement, isolation, and
+ auditing can be achieved with fine granular control via a security
+ policy.
+
+ If unsure, say Y.
+
+config FLASK_AVC_STATS
+ def_bool y
+ depends on FLASK
+ ---help---
+ Maintain statistics on the access vector cache
+
# Enable schedulers
menu "Schedulers"
visible if EXPERT = "y"
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 8ed8ee5..0d525ec 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -46,14 +46,6 @@ typedef enum xsm_default xsm_default_t;
extern char *policy_buffer;
extern u32 policy_size;
-typedef void (*xsm_initcall_t)(void);
-
-extern xsm_initcall_t __xsm_initcall_start[], __xsm_initcall_end[];
-
-#define xsm_initcall(fn) \
- static xsm_initcall_t __initcall_##fn \
- __used_section(".xsm_initcall.init") = fn
-
struct xsm_operations {
void (*security_domaininfo) (struct domain *d,
struct xen_domctl_getdomaininfo *info);
@@ -763,6 +755,14 @@ extern int unregister_xsm(struct xsm_operations *ops);
extern struct xsm_operations dummy_xsm_ops;
extern void xsm_fixup_ops(struct xsm_operations *ops);
+#ifdef CONFIG_FLASK
+extern void flask_init(void);
+#else
+static inline void flask_init(void)
+{
+}
+#endif
+
#else /* CONFIG_XSM */
#include <xsm/dummy.h>
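Review bot: The `#else` stub for `flask_init()` is an empty inline, so a build with CONFIG_XSM=y and CONFIG_FLASK=n goes through XSM setup without any module registering, and nothing here documents that. A short comment above the `#ifdef CONFIG_FLASK` block would help, for example `/* Called once from xsm_core.c at boot; a no-op when FLASK is not built, in which case no XSM module registers itself. */`. Which operations stay in effect in that case (presumably `dummy_xsm_ops`, declared just above) is decided in xsm_core.c outside this hunk, so it is worth confirming that this path logs that no FLASK policy is being enforced.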
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 3ab3fbf..596ac0a 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1816,7 +1816,7 @@ static struct xsm_operations flask_ops = {
.xen_version = flask_xen_version,
};
-static __init void flask_init(void)
+__init void flask_init(void)
{
int ret = -ENOENT;
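Review bot: The new definition is spelled `__init void flask_init(void)`, while the other init functions visible in this patch put the return type first (`static void __init do_xsm_initcalls(void)` and `static int __init xsm_core_init(void)` in xsm_core.c); `void __init flask_init(void)` would match them. Now that the function is no longer `static`, a one-line comment above it saying that it is called directly from xsm_core.c and only during boot would explain why it has external linkage. The body of flask_init continues outside this hunk.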
@@ -1859,8 +1859,6 @@ static __init void flask_init(void)
printk(XENLOG_INFO "Flask: Starting in permissive mode.\n");
}
-xsm_initcall(flask_init);
-
/*
* Local variables:
* mode: C
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index 634ec98..cb2fdb6 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -38,13 +38,7 @@ static inline int verify(struct xsm_operations *ops)
static void __init do_xsm_initcalls(void)
{
- xsm_initcall_t *call;
- call = __xsm_initcall_start;
- while ( call < __xsm_initcall_end )
- {
- (*call) ();
- call++;
- }
+ flask_init();
}
static int __init xsm_core_init(void)
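Review bot: After this change `do_xsm_initcalls()` contains only `flask_init();`, so its name no longer describes what it does. Either call `flask_init()` directly from the caller and drop the wrapper, or keep it as the home for the switching mechanism the commit message anticipates and say so in a comment such as `/* Only FLASK exists today; module selection would go here. */`. The caller is outside this hunk.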
--
2.5.5