Re: [Xen-devel] [PATCH 12/15] xen/xsm: remove .xsm_initcall.init section

Fri, 17 Jun 2016 10:05:22 -0700 

On 06/17/2016 11:50 AM, Konrad Rzeszutek Wilk wrote:

On Thu, Jun 09, 2016 at 10:47:15AM -0400, Daniel De Graaf wrote:

Since FLASK is the only implementation of XSM hooks in Xen, using an
iterated initcall dispatch for setup is overly complex.  Change this to


As such, should the Kconfig file enable the FLASK by default?
Or make the XSM entry have the configuration for FLASK?

Or perhaps make the FLASK be the visible one and select XSM?


XSM has previously been the configuration option to enable.  If XSM is
enabled (by choice), FLASK will then be enabled by default.

Logically, FLASK is an implementation of XSM, and while it would be
possible to swap them, this would probably need to be done by hiding the
XSM option from the user.


a direct function call to a globally visible function; if additional XSM
hooks are added in the future, a switching mechanism will be needed
regardless, and that can be placed in xsm_core.c.



+config FLASK
+       bool "FLux Advanced Security Kernel support"
+       default y
+       depends on XSM


So this would be 'select XSM' ?

+       ---help---
+         Enables FLASK (FLux Advanced Security Kernel) as the access control
+         mechanism used by the XSM framework.  This provides a mandatory access
+         control framework by which security enforcement, isolation, and
+         auditing can be achieved with fine granular control via a security
+         policy.
+
+         If unsure, say Y.
+
+config FLASK_AVC_STATS
+       def_bool y
+       depends on FLASK
+       ---help---
+         Maintain statistics on the access vector cache
+
 # Enable schedulers
 menu "Schedulers"
        visible if EXPERT = "y"
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index 634ec98..cb2fdb6 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -38,13 +38,7 @@ static inline int verify(struct xsm_operations *ops)

 static void __init do_xsm_initcalls(void)
 {
-    xsm_initcall_t *call;
-    call = __xsm_initcall_start;
-    while ( call < __xsm_initcall_end )
-    {
-        (*call) ();
-        call++;
-    }
+    flask_init();


Could you delete do_xsm_initcalls() and make xsm_init() call flask_init() ?


Sure.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel






















					Reply via email to