diff options
Diffstat (limited to 'xen/common/policy_ops.c')
-rw-r--r-- | xen/common/policy_ops.c | 64 |
1 files changed, 42 insertions, 22 deletions
diff --git a/xen/common/policy_ops.c b/xen/common/policy_ops.c index ff2b2f9ba4..11e28d25bc 100644 --- a/xen/common/policy_ops.c +++ b/xen/common/policy_ops.c @@ -1,5 +1,5 @@ /****************************************************************************** - *policy_ops.c + * policy_ops.c * * Copyright (C) 2005 IBM Corporation * @@ -14,6 +14,7 @@ * Process policy command requests from guest OS. * */ + #include <xen/config.h> #include <xen/types.h> #include <xen/lib.h> @@ -27,29 +28,39 @@ #include <public/sched_ctl.h> #include <acm/acm_hooks.h> +#if (ACM_USE_SECURITY_POLICY == ACM_NULL_POLICY) + +long do_policy_op(policy_op_t *u_policy_op) +{ + return -ENOSYS; +} + +#else + /* function prototypes defined in acm/acm_policy.c */ int acm_set_policy(void *buf, u16 buf_size, u16 policy); int acm_get_policy(void *buf, u16 buf_size); int acm_dump_statistics(void *buf, u16 buf_size); typedef enum policyoperation { - POLICY, /* access to policy interface (early drop) */ - GETPOLICY, /* dump policy cache */ - SETPOLICY, /* set policy cache (controls security) */ - DUMPSTATS /* dump policy statistics */ + POLICY, /* access to policy interface (early drop) */ + GETPOLICY, /* dump policy cache */ + SETPOLICY, /* set policy cache (controls security) */ + DUMPSTATS /* dump policy statistics */ } policyoperation_t; int acm_authorize_policyops(struct domain *d, policyoperation_t pops) { - /* currently, all policy management functions are restricted to privileged domains, - * soon we will introduce finer-grained privileges for policy operations - */ - if (!IS_PRIV(d)) { - printk("%s: Policy management authorization denied ERROR!\n", __func__); - return ACM_ACCESS_DENIED; - } - return ACM_ACCESS_PERMITTED; + /* all policy management functions are restricted to privileged domains, + * soon we will introduce finer-grained privileges for policy operations + */ + if (!IS_PRIV(d)) { + printk("%s: Policy management authorization denied ERROR!\n", + __func__); + return ACM_ACCESS_DENIED; + } + return ACM_ACCESS_PERMITTED; } long do_policy_op(policy_op_t *u_policy_op) @@ -60,7 +71,7 @@ long do_policy_op(policy_op_t *u_policy_op) /* check here policy decision for policy commands */ /* for now allow DOM0 only, later indepedently */ if (acm_authorize_policyops(current->domain, POLICY)) - return -EACCES; + return -EACCES; if ( copy_from_user(op, u_policy_op, sizeof(*op)) ) return -EFAULT; @@ -73,9 +84,12 @@ long do_policy_op(policy_op_t *u_policy_op) case POLICY_SETPOLICY: { if (acm_authorize_policyops(current->domain, SETPOLICY)) - return -EACCES; - printkd("%s: setting policy.\n", __func__); - ret = acm_set_policy(op->u.setpolicy.pushcache, op->u.setpolicy.pushcache_size, op->u.setpolicy.policy_type); + return -EACCES; + printkd("%s: setting policy.\n", __func__); + ret = acm_set_policy( + op->u.setpolicy.pushcache, + op->u.setpolicy.pushcache_size, + op->u.setpolicy.policy_type); if (ret == ACM_OK) ret = 0; else @@ -86,9 +100,11 @@ long do_policy_op(policy_op_t *u_policy_op) case POLICY_GETPOLICY: { if (acm_authorize_policyops(current->domain, GETPOLICY)) - return -EACCES; + return -EACCES; printkd("%s: getting policy.\n", __func__); - ret = acm_get_policy(op->u.getpolicy.pullcache, op->u.getpolicy.pullcache_size); + ret = acm_get_policy( + op->u.getpolicy.pullcache, + op->u.getpolicy.pullcache_size); if (ret == ACM_OK) ret = 0; else @@ -99,9 +115,11 @@ long do_policy_op(policy_op_t *u_policy_op) case POLICY_DUMPSTATS: { if (acm_authorize_policyops(current->domain, DUMPSTATS)) - return -EACCES; - printkd("%s: dumping statistics.\n", __func__); - ret = acm_dump_statistics(op->u.dumpstats.pullcache, op->u.dumpstats.pullcache_size); + return -EACCES; + printkd("%s: dumping statistics.\n", __func__); + ret = acm_dump_statistics( + op->u.dumpstats.pullcache, + op->u.dumpstats.pullcache_size); if (ret == ACM_OK) ret = 0; else @@ -115,3 +133,5 @@ long do_policy_op(policy_op_t *u_policy_op) } return ret; } + +#endif |