From: aq <aquynh@gmail.com>
To: xen-devel <xen-devel@lists.xensource.com>,
	xense-devel@lists.xensource.com,
	Keir Fraser <Keir.Fraser@cl.cam.ac.uk>
Subject: [PATCH] choose security model for ACM at built-time
Date: Sat, 25 Jun 2005 00:33:33 +0900
Message-ID: <9cde8bff050624083345768b68@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 640 bytes --]

At the moment, there is a problem with ACM: it is impossible to set
the ACM security model at build time, so even when ACM is chosen to be
built, the default policy is NULL, which is useless.

This patch proposes a solution to this problem: the build process will
generate a header file (include/public/acm_policy.h) based on the
value set in xen/Makefile or at the command line, and has acm.h include
it.

Signed-off-by: Nguyen Anh Quynh <aquynh@gmail.com>


$ diffstat acm6.patch 
 xen/Makefile             |   27 +++++++++++++++++++++++++--
 xen/include/public/acm.h |    9 +++------
 2 files changed, 28 insertions(+), 8 deletions(-)

[-- Attachment #2: acm6.patch --]
[-- Type: application/octet-stream, Size: 2816 bytes --]

===== xen/Makefile 1.86 vs edited =====
--- 1.86/xen/Makefile	2005-06-22 23:18:11 +09:00
+++ edited/xen/Makefile	2005-06-24 23:39:45 +09:00
@@ -15,6 +15,14 @@
 
 export BASEDIR          := $(CURDIR)
 
+# ACM_USE_SECURITY_POLICY is set to security policy for Xen
+# Supported models are:
+#	ACM_NULL_POLICY (ACM will not be built with this policy)
+#	ACM_CHINESE_WALL_POLICY
+#	ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
+#	ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
+
 include Rules.mk
 
 default: build
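
Review bot: The value assigned at `ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY` is never checked against the four names listed in the comment above it, so a misspelled policy given on the command line passes the later `ifneq` test, builds acm, and is written into the generated header as an undefined identifier. Consider rejecting unknown values up front with a `$(filter ...)` test and `$(error ...)`. Also note that `?=` lets a variable of the same name in the environment select the policy silently; if that is not intended, the default should be assigned with `=` so that only a command-line override changes it.
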
@@ -54,20 +62,35 @@
 
 $(TARGET): delete-unfresh-files
 	$(MAKE) include/xen/compile.h
+	$(MAKE) include/public/acm_policy.h
 	[ -e include/asm ] || ln -sf asm-$(TARGET_ARCH) include/asm
 	$(MAKE) -C arch/$(TARGET_ARCH) asm-offsets.s
 	$(MAKE) include/asm-$(TARGET_ARCH)/asm-offsets.h
 	$(MAKE) -C common
 	$(MAKE) -C drivers
-ifdef ACM_USE_SECURITY_POLICY
+ifneq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY)
 	$(MAKE) -C acm
 endif
 	$(MAKE) -C arch/$(TARGET_ARCH)
 
 # drivers/char/console.o may contain static banner/compile info. Blow it away.
 delete-unfresh-files:
-	rm -f include/xen/banner.h include/xen/compile.h drivers/char/console.o
+	rm -f include/xen/banner.h include/xen/compile.h include/public/acm_policy.h drivers/char/console.o
 	$(MAKE) -C arch/$(TARGET_ARCH) delete-unfresh-files
+
+# acm_policy.h contains security policy for Xen
+include/public/acm_policy.h:
+	@(set -e; \
+	  echo "/*"; \
+	  echo " * DO NOT MODIFY."; \
+	  echo " *"; \
+	  echo " * This file was auto-generated by xen/Makefile $<"; \
+	  echo " *"; \
+	  echo " */"; \
+	  echo ""; \
+	  echo "#ifndef ACM_USE_SECURITY_POLICY"; \
+	  echo "#define ACM_USE_SECURITY_POLICY $(ACM_USE_SECURITY_POLICY)"; \
+	  echo "#endif") >$@
 
 # compile.h contains dynamic build info. Rebuilt on every 'make' invocation.
 include/xen/compile.h: LANG=C
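
Review bot: The generated header wraps its define in `#ifndef ACM_USE_SECURITY_POLICY`, while the `ifneq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY)` test decides from the make variable whether acm is built, so a definition that reaches the compiler before the header (for example a -D flag) makes the two disagree. Emitting an unconditional `#define` keeps the make variable as the single source of the policy and turns such a conflict into a visible redefinition. In the same rule, `$<` expands to nothing because the target has no prerequisites, so it can be dropped from the banner line. Because delete-unfresh-files removes the header on every build, it is also regenerated with a fresh timestamp each time, which forces a rebuild of everything that includes acm.h even when the policy has not changed; writing to a temporary file and replacing the header only when the content differs would avoid that.
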
===== xen/include/public/acm.h 1.1 vs edited =====
--- 1.1/xen/include/public/acm.h	2005-06-21 07:28:06 +09:00
+++ edited/xen/include/public/acm.h	2005-06-25 00:18:40 +09:00
@@ -22,11 +22,12 @@
  * todo: move from static policy choice to compile option.
  */
 
-#ifndef _XEN_PUBLIC_SHYPE_H
-#define _XEN_PUBLIC_SHYPE_H
+#ifndef _XEN_PUBLIC_ACM_H
+#define _XEN_PUBLIC_ACM_H
 
 #include "xen.h"
 #include "sched_ctl.h"
+#include "acm_policy.h"
 
 /* if ACM_DEBUG defined, all hooks should
  * print a short trace message (comment it out
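
Review bot: `#include "acm_policy.h"` makes acm.h depend on a file that exists only after the xen/Makefile rule has run, so anything that includes acm.h from a tree where that rule has not run fails to compile. The commit message should say where the generated header is expected to be present, or the header should be generated somewhere other than include/public. The context comment `todo: move from static policy choice to compile option.` describes what this patch does and can be removed in the same change.
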
@@ -70,10 +71,6 @@
 	(X == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) ? "SIMPLE TYPE ENFORCEMENT policy" : \
 	(X == ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY) ? "CHINESE WALL AND SIMPLE TYPE ENFORCEMENT policy" : \
 	"UNDEFINED policy"
-
-#ifndef ACM_USE_SECURITY_POLICY
-#define ACM_USE_SECURITY_POLICY ACM_NULL_POLICY
-#endif
 
 /* defines a ssid reference used by xen */
 typedef u32 ssidref_t;
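
Review bot: With the `#ifndef ACM_USE_SECURITY_POLICY` fallback removed here, acm.h has no definition of its own and relies entirely on acm_policy.h. An `#error` placed after the include for the case where the macro is still undefined would make an empty or stale generated header fail the build visibly instead of leaving the policy undefined.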
