xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: xen-devel@lists.xen.org
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: [PATCH 12/15] xen/xsm: remove .xsm_initcall.init section
Date: Thu,  9 Jun 2016 10:47:15 -0400	[thread overview]
Message-ID: <1465483638-9489-13-git-send-email-dgdegra@tycho.nsa.gov> (raw)
In-Reply-To: <1465483638-9489-1-git-send-email-dgdegra@tycho.nsa.gov>

Since FLASK is the only implementation of XSM hooks in Xen, using an
iterated initcall dispatch for setup is overly complex.  Change this to
a direct function call to a globally visible function; if additional XSM
hooks are added in the future, a switching mechanism will be needed
regardless, and that can be placed in xsm_core.c.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 xen/arch/arm/xen.lds.S |  5 -----
 xen/arch/x86/xen.lds.S |  5 -----
 xen/common/Kconfig     | 37 +++++++++++++++++++------------------
 xen/include/xsm/xsm.h  | 16 ++++++++--------
 xen/xsm/flask/hooks.c  |  4 +---
 xen/xsm/xsm_core.c     |  8 +-------
 6 files changed, 29 insertions(+), 46 deletions(-)

diff --git a/xen/arch/arm/xen.lds.S b/xen/arch/arm/xen.lds.S
index 76982b2..8320381 100644
--- a/xen/arch/arm/xen.lds.S
+++ b/xen/arch/arm/xen.lds.S
@@ -162,11 +162,6 @@ SECTIONS
        *(.initcall1.init)
        __initcall_end = .;
   } :text
-  .xsm_initcall.init : {
-       __xsm_initcall_start = .;
-       *(.xsm_initcall.init)
-       __xsm_initcall_end = .;
-  } :text
   __init_end_efi = .;
   . = ALIGN(STACK_SIZE);
   __init_end = .;
diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S
index a43b29d..dcbb8fe 100644
--- a/xen/arch/x86/xen.lds.S
+++ b/xen/arch/x86/xen.lds.S
@@ -190,11 +190,6 @@ SECTIONS
        *(.initcall1.init)
        __initcall_end = .;
   } :text
-  .xsm_initcall.init : {
-       __xsm_initcall_start = .;
-       *(.xsm_initcall.init)
-       __xsm_initcall_end = .;
-  } :text
   . = ALIGN(PAGE_SIZE);
   __init_end = .;
 
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index cd59574..b8f1800 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -11,24 +11,6 @@ config COMPAT
 config CORE_PARKING
 	bool
 
-config FLASK
-	bool "FLux Advanced Security Kernel support"
-	default y
-	depends on XSM
-	---help---
-	  Enables the FLASK (FLux Advanced Security Kernel) support which
-	  provides a mandatory access control framework by which security
-	  enforcement, isolation, and auditing can be achieved with fine
-	  granular control via a security policy.
-
-	  If unsure, say N.
-
-config FLASK_AVC_STATS
-	def_bool y
-	depends on FLASK
-	---help---
-	  Maintain statistics on the access vector cache
-
 # Select HAS_DEVICE_TREE if device tree is supported
 config HAS_DEVICE_TREE
 	bool
@@ -137,6 +119,25 @@ config XSM
 
 	  If unsure, say N.
 
+config FLASK
+	bool "FLux Advanced Security Kernel support"
+	default y
+	depends on XSM
+	---help---
+	  Enables FLASK (FLux Advanced Security Kernel) as the access control
+	  mechanism used by the XSM framework.  This provides a mandatory access
+	  control framework by which security enforcement, isolation, and
+	  auditing can be achieved with fine granular control via a security
+	  policy.
+
+	  If unsure, say Y.
+
+config FLASK_AVC_STATS
+	def_bool y
+	depends on FLASK
+	---help---
+	  Maintain statistics on the access vector cache
+
 # Enable schedulers
 menu "Schedulers"
 	visible if EXPERT = "y"
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 8ed8ee5..0d525ec 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -46,14 +46,6 @@ typedef enum xsm_default xsm_default_t;
 extern char *policy_buffer;
 extern u32 policy_size;
 
-typedef void (*xsm_initcall_t)(void);
-
-extern xsm_initcall_t __xsm_initcall_start[], __xsm_initcall_end[];
-
-#define xsm_initcall(fn) \
-    static xsm_initcall_t __initcall_##fn \
-    __used_section(".xsm_initcall.init") = fn
-
 struct xsm_operations {
     void (*security_domaininfo) (struct domain *d,
                                         struct xen_domctl_getdomaininfo *info);
@@ -763,6 +755,14 @@ extern int unregister_xsm(struct xsm_operations *ops);
 extern struct xsm_operations dummy_xsm_ops;
 extern void xsm_fixup_ops(struct xsm_operations *ops);
 
+#ifdef CONFIG_FLASK
+extern void flask_init(void);
+#else
+static inline void flask_init(void)
+{
+}
+#endif
+
 #else /* CONFIG_XSM */
 
 #include <xsm/dummy.h>
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 3ab3fbf..596ac0a 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1816,7 +1816,7 @@ static struct xsm_operations flask_ops = {
     .xen_version = flask_xen_version,
 };
 
-static __init void flask_init(void)
+__init void flask_init(void)
 {
     int ret = -ENOENT;
 
@@ -1859,8 +1859,6 @@ static __init void flask_init(void)
         printk(XENLOG_INFO "Flask:  Starting in permissive mode.\n");
 }
 
-xsm_initcall(flask_init);
-
 /*
  * Local variables:
  * mode: C
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index 634ec98..cb2fdb6 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -38,13 +38,7 @@ static inline int verify(struct xsm_operations *ops)
 
 static void __init do_xsm_initcalls(void)
 {
-    xsm_initcall_t *call;
-    call = __xsm_initcall_start;
-    while ( call < __xsm_initcall_end )
-    {
-        (*call) ();
-        call++;
-    }
+    flask_init();
 }
 
 static int __init xsm_core_init(void)
-- 
2.5.5


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

  parent reply	other threads:[~2016-06-09 14:47 UTC|newest]

Thread overview: 63+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-09 14:47 [PATCH 00/15] XSM/FLASK updates for 4.8 Daniel De Graaf
2016-06-09 14:47 ` [PATCH 01/15] flask/policy: split into modules Daniel De Graaf
2016-06-14 18:55   ` Konrad Rzeszutek Wilk
2016-06-20  5:15   ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 02/15] flask/policy: split out rules for system_r Daniel De Graaf
2016-06-14 19:08   ` Konrad Rzeszutek Wilk
2016-06-20  5:21   ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 03/15] flask/policy: move user definitions and constraints into modules Daniel De Graaf
2016-06-17 15:28   ` Konrad Rzeszutek Wilk
2016-06-17 16:49     ` Daniel De Graaf
2016-06-20  5:22   ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 04/15] flask/policy: remove unused support for binary modules Daniel De Graaf
2016-06-20  5:22   ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 05/15] flask/policy: xenstore stubdom policy Daniel De Graaf
2016-06-17 15:34   ` Konrad Rzeszutek Wilk
2016-06-20  5:22   ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 06/15] flask/policy: remove unused example Daniel De Graaf
2016-06-17 15:34   ` Konrad Rzeszutek Wilk
2016-06-20  5:23   ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 07/15] flask: unify {get, set}vcpucontext permissions Daniel De Graaf
2016-06-17 15:37   ` Konrad Rzeszutek Wilk
2016-06-09 14:47 ` [PATCH 08/15] flask: remove unused secondary context in ocontext Daniel De Graaf
2016-06-09 16:01   ` Jan Beulich
2016-06-09 16:38     ` Daniel De Graaf
2016-06-09 14:47 ` [PATCH 09/15] flask: remove unused AVC callback functions Daniel De Graaf
2016-06-09 14:47 ` [PATCH 10/15] flask: remove xen_flask_userlist operation Daniel De Graaf
2016-06-09 16:07   ` Jan Beulich
2016-06-09 16:43     ` Daniel De Graaf
2016-06-10  6:51       ` Jan Beulich
2016-06-10 13:08         ` Daniel De Graaf
2016-06-10 14:28           ` Jan Beulich
2016-06-09 14:47 ` [PATCH 11/15] flask: improve unknown permission handling Daniel De Graaf
2016-06-17 15:45   ` Konrad Rzeszutek Wilk
2016-06-17 17:02     ` Daniel De Graaf
2016-06-17 17:13       ` Konrad Rzeszutek Wilk
2016-06-17 17:20         ` Daniel De Graaf
2016-06-09 14:47 ` Daniel De Graaf [this message]
2016-06-09 15:14   ` [PATCH 12/15] xen/xsm: remove .xsm_initcall.init section Andrew Cooper
2016-06-09 16:11   ` Jan Beulich
2016-06-09 16:42     ` Daniel De Graaf
2016-06-17 15:50   ` Konrad Rzeszutek Wilk
2016-06-17 17:04     ` Daniel De Graaf
2016-06-17 17:14       ` Konrad Rzeszutek Wilk
2016-06-17 17:18         ` Daniel De Graaf
2016-06-17 17:21           ` Konrad Rzeszutek Wilk
2016-06-17 23:17             ` Daniel De Graaf
2016-06-09 14:47 ` [PATCH 13/15] xsm: annotate setup functions with __init Daniel De Graaf
2016-06-09 15:15   ` Andrew Cooper
2016-06-09 14:47 ` [PATCH 14/15] xsm: clean up unregistration Daniel De Graaf
2016-06-09 15:16   ` Andrew Cooper
2016-06-17 15:51   ` Konrad Rzeszutek Wilk
2016-06-09 14:47 ` [PATCH 15/15] xsm: add a default policy to .init.data Daniel De Graaf
2016-06-09 15:30   ` Andrew Cooper
2016-06-09 16:58     ` Daniel De Graaf
2016-06-10  7:15       ` Jan Beulich
2016-06-09 16:15   ` Jan Beulich
2016-06-09 16:53     ` Daniel De Graaf
2016-06-09 21:54       ` Doug Goldstein
2016-06-10 14:50         ` Daniel De Graaf
2016-06-10  6:53       ` Jan Beulich
2016-06-17 15:54   ` Konrad Rzeszutek Wilk
2016-06-17 16:00 ` [PATCH 00/15] XSM/FLASK updates for 4.8 Konrad Rzeszutek Wilk
2016-06-20  5:40 ` Doug Goldstein

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1465483638-9489-13-git-send-email-dgdegra@tycho.nsa.gov \
    --to=dgdegra@tycho.nsa.gov \
    --cc=xen-devel@lists.xen.org \
    --subject='Re: [PATCH 12/15] xen/xsm: remove .xsm_initcall.init section' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
on how to clone and mirror all data and code used for this inbox