bitkeeper revision 1.1745 (42badeb1hE5PDZxZYF5DYBsU0Jya9w)

Fix ACM so that it can be built with NULL policy.
Signed-off-by: Nguyen Anh Quynh <aquynh@gmail.com>
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>

2 files changed, 69 insertions, 70 deletions

diff --git a/xen/acm/acm_core.c b/xen/acm/acm_core.c
index fe5bacdb6d..7d628808fe 100644
--- a/xen/acm/acm_core.c
+++ b/xen/acm/acm_core.c
@@ -69,6 +69,8 @@ void acm_set_endian(void)
     }
 }
 
+#if (ACM_USE_SECURITY_POLICY != ACM_NULL_POLICY)
+
 /* initialize global security policy for Xen; policy write-locked already */
 static void
 acm_init_binary_policy(void *primary, void *secondary)
@@ -79,6 +81,7 @@ acm_init_binary_policy(void *primary, void *secondary)
 	acm_bin_pol.secondary_binary_policy = secondary;
 }
 
+
 int
 acm_init(void)
 {
@@ -129,6 +132,7 @@ acm_init(void)
 	return ACM_OK;
 }
 
+#endif
 
 int
 acm_init_domain_ssid(domid_t id, ssidref_t ssidref)
diff --git a/xen/include/acm/acm_hooks.h b/xen/include/acm/acm_hooks.h
index 7c5e3faa9d..6109b5ee0c 100644
--- a/xen/include/acm/acm_hooks.h
+++ b/xen/include/acm/acm_hooks.h
@@ -30,99 +30,59 @@
 #include <public/event_channel.h>
 #include <asm/current.h>
 
-#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
-
-static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid) 
-{ return 0; }
-static inline void acm_post_dom0_op(dom0_op_t *op, void *ssid) 
-{ return; }
-static inline void acm_fail_dom0_op(dom0_op_t *op, void *ssid) 
-{ return; }
-static inline int acm_pre_event_channel(evtchn_op_t *op) 
-{ return 0; }
-static inline int acm_pre_grant_map_ref(domid_t id) 
-{ return 0; }
-static inline int acm_pre_grant_setup(domid_t id) 
-{ return 0; }
-static inline int acm_init(void)
-{ return 0; }
-static inline void acm_post_domain0_create(domid_t domid) 
-{ return; }
-
-#else
-
-/* if ACM_TRACE_MODE defined, all hooks should
- * print a short trace message */
-/* #define ACM_TRACE_MODE */
-
-#ifdef ACM_TRACE_MODE
-# define traceprintk(fmt, args...) printk(fmt,## args)
-#else
-# define traceprintk(fmt, args...)
-#endif
-
-/* global variables */
-extern struct acm_operations *acm_primary_ops;
-extern struct acm_operations *acm_secondary_ops;
-
-/*********************************************************************
+/*
  * HOOK structure and meaning (justifies a few words about our model):
  * 
  * General idea: every policy-controlled system operation is reflected in a 
  *               transaction in the system's security state
  *
- *	Keeping the security state consistent requires "atomic" transactions.
+ *      Keeping the security state consistent requires "atomic" transactions.
  *      The name of the hooks to place around policy-controlled transactions
  *      reflects this. If authorizations do not involve security state changes,
  *      then and only then POST and FAIL hooks remain empty since we don't care
  *      about the eventual outcome of the operation from a security viewpoint.
  *
- *	PURPOSE of hook types:
+ *      PURPOSE of hook types:
  *      ======================
  *      PRE-Hooks
- *		a) general authorization to guard a controlled system operation
- *		b) prepare security state change
- *                 (means: fail hook must be able to "undo" this)
+ *       a) general authorization to guard a controlled system operation
+ *       b) prepare security state change
+ *          (means: fail hook must be able to "undo" this)
  *
- *	POST-Hooks
- *		a) commit prepared state change
+ *      POST-Hooks
+ *       a) commit prepared state change
  *
  *      FAIL-Hooks
- *		a) roll-back prepared security state change from PRE-Hook
+ *       a) roll-back prepared security state change from PRE-Hook
  *
  *
  *      PLACEMENT of hook types:
  *      ========================
- *	PRE-Hooks must be called:
- *		a) before a guarded/controlled system operation is started
- *		(return is ACM_ACCESS_PERMITTED or ACM_ACCESS_DENIED or error)
- *		   --> operation must be aborted if return is != ACM_ACCESS_PERMITTED
- *
- *	POST-Hooks must be called:
- *		a) after successful transaction (no return value; commit shall never fail)
- *
- *	FAIL-Hooks must be called:
- *		a) if system transaction (operation) fails somewhen after calling the PRE-hook
- *		   (obviously the POST-Hook is not called in this case)
- *		b) if another (secondary) policy denies access in its PRE-Hook
- *		   (policy layering is useful but requires additional handling)
+ *      PRE-Hooks must be called before a guarded/controlled system operation
+ *      is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or
+ *      error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED.
  *
+ *      POST-Hooks must be called after a successful system operation.
+ *      There is no return value: commit never fails.
  *
+ *      FAIL-Hooks must be called:
+ *       a) if system transaction (operation) fails after calling the PRE-hook
+ *       b) if another (secondary) policy denies access in its PRE-Hook
+ *          (policy layering is useful but requires additional handling)
  *
- *       Hook model from a security transaction viewpoint:
+ * Hook model from a security transaction viewpoint:
+ *   start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
+ *                   (pre-hook)  \           (post-hook)
+ *                                \
+ *                               fail
+ *                                   \
+ *                                    \
+ *                                  roll-back
+ *                                 (fail-hook)
+ *                                        \
+ *                                       sys-ops error
  *
- *          start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
- *                          (pre-hook)  \           (post-hook)
- *                                       \
- *                                       fail
- *                                         \
- *                                          \
- *                                        roll-back
- *                                       (fail-hook)
- *                                             \
- *                                            sys-ops error
- *
- ********************************************************************/
+ */
 
 struct acm_operations {
     /* policy management functions (must always be defined!) */
@@ -148,6 +108,41 @@ struct acm_operations {
     void (*fail_grant_setup)           (domid_t id);
 };
 
+/* global variables */
+extern struct acm_operations *acm_primary_ops;
+extern struct acm_operations *acm_secondary_ops;
+
+/* if ACM_TRACE_MODE defined, all hooks should
+ * print a short trace message */
+/* #define ACM_TRACE_MODE */
+
+#ifdef ACM_TRACE_MODE
+# define traceprintk(fmt, args...) printk(fmt,## args)
+#else
+# define traceprintk(fmt, args...)
+#endif
+
+#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY)
+
+static inline int acm_pre_dom0_op(dom0_op_t *op, void **ssid) 
+{ return 0; }
+static inline void acm_post_dom0_op(dom0_op_t *op, void *ssid) 
+{ return; }
+static inline void acm_fail_dom0_op(dom0_op_t *op, void *ssid) 
+{ return; }
+static inline int acm_pre_event_channel(evtchn_op_t *op) 
+{ return 0; }
+static inline int acm_pre_grant_map_ref(domid_t id) 
+{ return 0; }
+static inline int acm_pre_grant_setup(domid_t id) 
+{ return 0; }
+static inline int acm_init(void)
+{ return 0; }
+static inline void acm_post_domain0_create(domid_t domid) 
+{ return; }
+
+#else
+
 static inline int acm_pre_domain_create(void *subject_ssid, ssidref_t ssidref)
 {
     if ((acm_primary_ops->pre_domain_create != NULL) &&