From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: xen-devel@lists.xen.org
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: [PATCH 09/15] flask: remove unused AVC callback functions
Date: Thu, 9 Jun 2016 10:47:12 -0400 [thread overview]
Message-ID: <1465483638-9489-10-git-send-email-dgdegra@tycho.nsa.gov> (raw)
In-Reply-To: <1465483638-9489-1-git-send-email-dgdegra@tycho.nsa.gov>
These callbacks are not used in Xen.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
xen/xsm/flask/avc.c | 97 ++-------------------------------------------
xen/xsm/flask/include/avc.h | 13 ------
2 files changed, 4 insertions(+), 106 deletions(-)
diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index 7764379..a3e6108 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -86,18 +86,6 @@ struct avc_cache {
u32 latest_notif; /* latest revocation notification */
};
-struct avc_callback_node {
- int (*callback) (u32 event, u32 ssid, u32 tsid,
- u16 tclass, u32 perms,
- u32 *out_retained);
- u32 events;
- u32 ssid;
- u32 tsid;
- u16 tclass;
- u32 perms;
- struct avc_callback_node *next;
-};
-
/* Exported via Flask hypercall */
unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD;
@@ -106,7 +94,6 @@ DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
#endif
static struct avc_cache avc_cache;
-static struct avc_callback_node *avc_callbacks;
static DEFINE_RCU_READ_LOCK(avc_rcu_lock);
@@ -616,46 +603,6 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
}
/**
- * avc_add_callback - Register a callback for security events.
- * @callback: callback function
- * @events: security events
- * @ssid: source security identifier or %SECSID_WILD
- * @tsid: target security identifier or %SECSID_WILD
- * @tclass: target security class
- * @perms: permissions
- *
- * Register a callback function for events in the set @events
- * related to the SID pair (@ssid, @tsid) and
- * and the permissions @perms, interpreting
- * @perms based on @tclass. Returns %0 on success or
- * -%ENOMEM if insufficient memory exists to add the callback.
- */
-int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, u16 tclass,
- u32 perms, u32 *out_retained), u32 events, u32 ssid, u32 tsid,
- u16 tclass, u32 perms)
-{
- struct avc_callback_node *c;
- int rc = 0;
-
- c = xmalloc(struct avc_callback_node);
- if ( !c )
- {
- rc = -ENOMEM;
- goto out;
- }
-
- c->callback = callback;
- c->events = events;
- c->ssid = ssid;
- c->tsid = tsid;
- c->perms = perms;
- c->next = avc_callbacks;
- avc_callbacks = c;
- out:
- return rc;
-}
-
-/**
* avc_update_node Update an AVC entry
* @event : Updating event
* @perms : Permission mask bits
@@ -666,7 +613,7 @@ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, u16 tclass,
* otherwise, this function update the AVC entry. The original AVC-entry object
* will release later by RCU.
*/
-static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
+static int avc_update_node(u32 perms, u32 ssid, u32 tsid, u16 tclass,
u32 seqno)
{
int hvalue, rc = 0;
@@ -715,28 +662,7 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd);
- switch ( event )
- {
- case AVC_CALLBACK_GRANT:
- node->ae.avd.allowed |= perms;
- break;
- case AVC_CALLBACK_TRY_REVOKE:
- case AVC_CALLBACK_REVOKE:
- node->ae.avd.allowed &= ~perms;
- break;
- case AVC_CALLBACK_AUDITALLOW_ENABLE:
- node->ae.avd.auditallow |= perms;
- break;
- case AVC_CALLBACK_AUDITALLOW_DISABLE:
- node->ae.avd.auditallow &= ~perms;
- break;
- case AVC_CALLBACK_AUDITDENY_ENABLE:
- node->ae.avd.auditdeny |= perms;
- break;
- case AVC_CALLBACK_AUDITDENY_DISABLE:
- node->ae.avd.auditdeny &= ~perms;
- break;
- }
+ node->ae.avd.allowed |= perms;
avc_node_replace(node, orig);
out_unlock:
spin_unlock_irqrestore(lock, flag);
@@ -750,8 +676,7 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
*/
int avc_ss_reset(u32 seqno)
{
- struct avc_callback_node *c;
- int i, rc = 0, tmprc;
+ int i, rc = 0;
unsigned long flag;
struct avc_node *node;
struct hlist_head *head;
@@ -771,19 +696,6 @@ int avc_ss_reset(u32 seqno)
spin_unlock_irqrestore(lock, flag);
}
- for ( c = avc_callbacks; c; c = c->next )
- {
- if ( c->events & AVC_CALLBACK_RESET )
- {
- tmprc = c->callback(AVC_CALLBACK_RESET,
- 0, 0, 0, 0, NULL);
- /* save the first error encountered for the return
- value and continue processing the callbacks */
- if ( !rc )
- rc = tmprc;
- }
- }
-
avc_latest_notif_update(seqno, 0);
return rc;
}
@@ -845,8 +757,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
if ( denied )
{
if ( !flask_enforcing || (avd->flags & AVD_FLAGS_PERMISSIVE) )
- avc_update_node(AVC_CALLBACK_GRANT,requested,
- ssid,tsid,tclass,avd->seqno);
+ avc_update_node(requested, ssid,tsid,tclass,avd->seqno);
else
rc = -EACCES;
}
diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h
index 729856e..c153c8e 100644
--- a/xen/xsm/flask/include/avc.h
+++ b/xen/xsm/flask/include/avc.h
@@ -90,19 +90,6 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested,
struct avc_audit_data *auditdata);
-#define AVC_CALLBACK_GRANT 1
-#define AVC_CALLBACK_TRY_REVOKE 2
-#define AVC_CALLBACK_REVOKE 4
-#define AVC_CALLBACK_RESET 8
-#define AVC_CALLBACK_AUDITALLOW_ENABLE 16
-#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
-#define AVC_CALLBACK_AUDITDENY_ENABLE 64
-#define AVC_CALLBACK_AUDITDENY_DISABLE 128
-
-int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
- u16 tclass, u32 perms, u32 *out_retained), u32 events,
- u32 ssid, u32 tsid, u16 tclass, u32 perms);
-
/* Exported to selinuxfs */
struct xen_flask_hash_stats;
int avc_get_hash_stats(struct xen_flask_hash_stats *arg);
--
2.5.5
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-06-09 14:47 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-09 14:47 [PATCH 00/15] XSM/FLASK updates for 4.8 Daniel De Graaf
2016-06-09 14:47 ` [PATCH 01/15] flask/policy: split into modules Daniel De Graaf
2016-06-14 18:55 ` Konrad Rzeszutek Wilk
2016-06-20 5:15 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 02/15] flask/policy: split out rules for system_r Daniel De Graaf
2016-06-14 19:08 ` Konrad Rzeszutek Wilk
2016-06-20 5:21 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 03/15] flask/policy: move user definitions and constraints into modules Daniel De Graaf
2016-06-17 15:28 ` Konrad Rzeszutek Wilk
2016-06-17 16:49 ` Daniel De Graaf
2016-06-20 5:22 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 04/15] flask/policy: remove unused support for binary modules Daniel De Graaf
2016-06-20 5:22 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 05/15] flask/policy: xenstore stubdom policy Daniel De Graaf
2016-06-17 15:34 ` Konrad Rzeszutek Wilk
2016-06-20 5:22 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 06/15] flask/policy: remove unused example Daniel De Graaf
2016-06-17 15:34 ` Konrad Rzeszutek Wilk
2016-06-20 5:23 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 07/15] flask: unify {get, set}vcpucontext permissions Daniel De Graaf
2016-06-17 15:37 ` Konrad Rzeszutek Wilk
2016-06-09 14:47 ` [PATCH 08/15] flask: remove unused secondary context in ocontext Daniel De Graaf
2016-06-09 16:01 ` Jan Beulich
2016-06-09 16:38 ` Daniel De Graaf
2016-06-09 14:47 ` Daniel De Graaf [this message]
2016-06-09 14:47 ` [PATCH 10/15] flask: remove xen_flask_userlist operation Daniel De Graaf
2016-06-09 16:07 ` Jan Beulich
2016-06-09 16:43 ` Daniel De Graaf
2016-06-10 6:51 ` Jan Beulich
2016-06-10 13:08 ` Daniel De Graaf
2016-06-10 14:28 ` Jan Beulich
2016-06-09 14:47 ` [PATCH 11/15] flask: improve unknown permission handling Daniel De Graaf
2016-06-17 15:45 ` Konrad Rzeszutek Wilk
2016-06-17 17:02 ` Daniel De Graaf
2016-06-17 17:13 ` Konrad Rzeszutek Wilk
2016-06-17 17:20 ` Daniel De Graaf
2016-06-09 14:47 ` [PATCH 12/15] xen/xsm: remove .xsm_initcall.init section Daniel De Graaf
2016-06-09 15:14 ` Andrew Cooper
2016-06-09 16:11 ` Jan Beulich
2016-06-09 16:42 ` Daniel De Graaf
2016-06-17 15:50 ` Konrad Rzeszutek Wilk
2016-06-17 17:04 ` Daniel De Graaf
2016-06-17 17:14 ` Konrad Rzeszutek Wilk
2016-06-17 17:18 ` Daniel De Graaf
2016-06-17 17:21 ` Konrad Rzeszutek Wilk
2016-06-17 23:17 ` Daniel De Graaf
2016-06-09 14:47 ` [PATCH 13/15] xsm: annotate setup functions with __init Daniel De Graaf
2016-06-09 15:15 ` Andrew Cooper
2016-06-09 14:47 ` [PATCH 14/15] xsm: clean up unregistration Daniel De Graaf
2016-06-09 15:16 ` Andrew Cooper
2016-06-17 15:51 ` Konrad Rzeszutek Wilk
2016-06-09 14:47 ` [PATCH 15/15] xsm: add a default policy to .init.data Daniel De Graaf
2016-06-09 15:30 ` Andrew Cooper
2016-06-09 16:58 ` Daniel De Graaf
2016-06-10 7:15 ` Jan Beulich
2016-06-09 16:15 ` Jan Beulich
2016-06-09 16:53 ` Daniel De Graaf
2016-06-09 21:54 ` Doug Goldstein
2016-06-10 14:50 ` Daniel De Graaf
2016-06-10 6:53 ` Jan Beulich
2016-06-17 15:54 ` Konrad Rzeszutek Wilk
2016-06-17 16:00 ` [PATCH 00/15] XSM/FLASK updates for 4.8 Konrad Rzeszutek Wilk
2016-06-20 5:40 ` Doug Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1465483638-9489-10-git-send-email-dgdegra@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.