[PATCH 06/10] xsm/flask: Improve error reporting for ocontexts

xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed

From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: xen-devel@lists.xensource.com
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: [PATCH 06/10] xsm/flask: Improve error reporting for ocontexts
Date: Tue, 31 Jan 2012 16:26:14 -0500	[thread overview]
Message-ID: <1328045178-30665-7-git-send-email-dgdegra@tycho.nsa.gov> (raw)
In-Reply-To: <1328045178-30665-1-git-send-email-dgdegra@tycho.nsa.gov>

Instead of returning -EINVAL for all errors, return -EEXIST if adding an
entry that overlaps with an existing entry, and -ENOENT if attempting to
remove an entry that does not exist. Adding an ocontext that already
exists with the same SID is no longer an error.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 xen/xsm/flask/ss/services.c |   29 +++++++++++++++++++++--------
 1 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/xen/xsm/flask/ss/services.c b/xen/xsm/flask/ss/services.c
index 7b08e73..3b0acf5 100644
--- a/xen/xsm/flask/ss/services.c
+++ b/xen/xsm/flask/ss/services.c
@@ -2084,8 +2084,10 @@ int security_ocontext_add( char *ocontext, unsigned long low, unsigned long high
         {
             if ( c->u.pirq == add->u.pirq )
             {
+                if ( c->sid[0] == sid )
+                    break;
                 printk("%s: Duplicate pirq %d\n", __FUNCTION__, add->u.pirq);
-                ret = -EINVAL;
+                ret = -EEXIST;
                 break;
             }
             c = c->next;
@@ -2112,10 +2114,14 @@ int security_ocontext_add( char *ocontext, unsigned long low, unsigned long high
 
         if (c && c->u.ioport.low_ioport <= high)
         {
+            if (c->u.ioport.low_ioport == low &&
+                c->u.ioport.high_ioport == high && c->sid[0] == sid)
+                break;
+
             printk("%s: IO Port overlap with entry 0x%x - 0x%x\n",
                    __FUNCTION__, c->u.ioport.low_ioport,
                    c->u.ioport.high_ioport);
-            ret = -EINVAL;
+            ret = -EEXIST;
             break;
         }
 
@@ -2142,10 +2148,14 @@ int security_ocontext_add( char *ocontext, unsigned long low, unsigned long high
 
         if (c && c->u.iomem.low_iomem <= high)
         {
+            if (c->u.iomem.low_iomem == low &&
+                c->u.iomem.high_iomem == high && c->sid[0] == sid)
+                break;
+
             printk("%s: IO Memory overlap with entry 0x%x - 0x%x\n",
                    __FUNCTION__, c->u.iomem.low_iomem,
                    c->u.iomem.high_iomem);
-            ret = -EINVAL;
+            ret = -EEXIST;
             break;
         }
 
@@ -2171,9 +2181,12 @@ int security_ocontext_add( char *ocontext, unsigned long low, unsigned long high
         {
             if ( c->u.device == add->u.device )
             {
+                if ( c->sid[0] == sid )
+                    break;
+
                 printk("%s: Duplicate PCI Device 0x%x\n", __FUNCTION__,
                         add->u.device);
-                ret = -EINVAL;
+                ret = -EEXIST;
                 break;
             }
             c = c->next;
@@ -2230,7 +2243,7 @@ int security_ocontext_del( char *ocontext, unsigned int low, unsigned int high )
         }
 
         printk("%s: ocontext not found: pirq %d\n", __FUNCTION__, low);
-        ret = -EINVAL;
+        ret = -ENOENT;
         break;
 
     case OCON_IOPORT:
@@ -2257,7 +2270,7 @@ int security_ocontext_del( char *ocontext, unsigned int low, unsigned int high )
 
         printk("%s: ocontext not found: ioport 0x%x - 0x%x\n", __FUNCTION__,
                 low, high);
-        ret = -EINVAL;
+        ret = -ENOENT;
         break;
 
     case OCON_IOMEM:
@@ -2284,7 +2297,7 @@ int security_ocontext_del( char *ocontext, unsigned int low, unsigned int high )
 
         printk("%s: ocontext not found: iomem 0x%x - 0x%x\n", __FUNCTION__,
                 low, high);
-        ret = -EINVAL;
+        ret = -ENOENT;
         break;
 
     case OCON_DEVICE:
@@ -2309,7 +2322,7 @@ int security_ocontext_del( char *ocontext, unsigned int low, unsigned int high )
         }
 
         printk("%s: ocontext not found: pcidevice 0x%x\n", __FUNCTION__, low);
-        ret = -EINVAL;
+        ret = -ENOENT;
         break;
 
     default:
-- 
1.7.7.6

next prev parent reply	other threads:[~2012-01-31 21:26 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-01-31 21:26 [PATCH 00/10] FLASK updates: MSI interrupts, cleanups Daniel De Graaf
2012-01-31 21:26 ` [PATCH 01/10] xsm: Add security labels to event-channel dump Daniel De Graaf
2012-01-31 21:26 ` [PATCH 02/10] xsm: Add security label to IRQ debug output Daniel De Graaf
2012-01-31 21:26 ` [PATCH 03/10] xsm/flask: Use PCI device label for PCI-MSI IRQs Daniel De Graaf
2012-01-31 21:26 ` [PATCH 04/10] xsm: Add xsm_map_domain_pirq hook Daniel De Graaf
2012-01-31 21:26 ` [PATCH 05/10] xsm: Use mapped IRQ not PIRQ in unmap_domain_pirq Daniel De Graaf
2012-01-31 21:26 ` Daniel De Graaf [this message]
2012-01-31 21:26 ` [PATCH 07/10] xsm/flask: Remove useless back pointers Daniel De Graaf
2012-01-31 21:26 ` [PATCH 08/10] flask/policy: Policy build updates Daniel De Graaf
2012-01-31 21:26 ` [PATCH 09/10] flask/policy: Add user and constraint examples Daniel De Graaf
2012-01-31 21:26 ` [PATCH 10/10] flask/policy: use declare_domain for dom0_t Daniel De Graaf
2012-02-01 19:09 ` [PATCH 0/8] XSM/FLASK updates part 2: booleans, stubdoms Daniel De Graaf
2012-02-01 19:09   ` [PATCH 1/8] xen/xsm: fix incorrect handling of XSM hook return Daniel De Graaf
2012-02-01 19:09   ` [PATCH 2/8] xsm/flask: allow policy booleans to be addressed by name Daniel De Graaf
2012-02-01 19:09   ` [PATCH 3/8] libflask: Add boolean manipulation functions Daniel De Graaf
2012-02-02  9:06     ` Ian Campbell
2012-02-02 14:28       ` Daniel De Graaf
2012-02-02 14:50         ` Ian Campbell
2012-02-02 15:22           ` Daniel De Graaf
2012-02-01 19:09   ` [PATCH 4/8] flask: add flask-{get,set}-bool tools Daniel De Graaf
2012-02-01 19:09   ` [PATCH 5/8] flask/policy: Add boolean example Daniel De Graaf
2012-02-01 19:09   ` [PATCH 6/8] libxl: Add device_model_stubdomain_seclabel Daniel De Graaf
2012-02-02 15:28     ` Keir Fraser
2012-02-09 18:25     ` Ian Jackson
2012-02-01 19:09   ` [PATCH 7/8] flask/policy: add device model types to example policy Daniel De Graaf
2012-02-09 18:25     ` Ian Jackson
2012-02-01 19:09   ` [PATCH 8/8] xsm/flask: Improve domain ID auditing in AVCs Daniel De Graaf

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7b08e73 dfblob:3b0acf5 )
 OR (
bs:"[PATCH 06/10] xsm/flask: Improve error reporting for ocontexts" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1328045178-30665-7-git-send-email-dgdegra@tycho.nsa.gov \
    --to=dgdegra@tycho.nsa.gov \
    --cc=xen-devel@lists.xensource.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).