[09/17] flask: remove unused AVC callback functions

Message ID	1466431466-28055-10-git-send-email-dgdegra@tycho.nsa.gov (mailing list archive)
State	New, archived
Headers	show Return-Path: <xen-devel-bounces@lists.xen.org> IronPort-PHdr: =?us-ascii?q?9a23=3AclKgSRSOdwHkB37ho4hu1pw6utpsv+yvbD5Q0YIu?= =?us-ascii?q?jvd0So/mwa64YhWN2/xhgRfzUJnB7Loc0qyN4/GmCDFLv8nJmUtBWaIPfidNsd?= =?us-ascii?q?8RkQ0kDZzNImzAB9muURYHGt9fXkRu5XCxPBsdMs//Y1rPvi/6tmZKSV3BPAZ4?= =?us-ascii?q?bt74BpTVx5zukbviqtuCPk4W23KUWvBbElaflU3prM4YgI9veO4a6yDihT92Qd?= =?us-ascii?q?lQ3n5iPlmJnhzxtY+a9Z9n9DlM6bp6r5YTGZjge+wEaZAQTHF8ayFmrPHs4AnO?= =?us-ascii?q?S06D62URVk0SkwFUGE7V4Re8WY3+4QXgse8o9CCcPMDyBZw5ERu45q5lAEvkhy?= =?us-ascii?q?sKOCQw2H3Ggcx3yqRAqVSuoAIpkN2cW52cKPcrJvCVRtgdX2cUG5wJWg=3D=3D?= From: Daniel De Graaf <dgdegra@tycho.nsa.gov> To: xen-devel@lists.xen.org Date: Mon, 20 Jun 2016 10:04:18 -0400 Message-Id: <1466431466-28055-10-git-send-email-dgdegra@tycho.nsa.gov> In-Reply-To: <1466431466-28055-1-git-send-email-dgdegra@tycho.nsa.gov> References: <1466431466-28055-1-git-send-email-dgdegra@tycho.nsa.gov> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov> Subject: [Xen-devel] [PATCH 09/17] flask: remove unused AVC callback functions Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>

Message ID

1466431466-28055-10-git-send-email-dgdegra@tycho.nsa.gov (mailing list archive)

State

New, archived

Headers

IronPort-PHdr: =?us-ascii?q?9a23=3AclKgSRSOdwHkB37ho4hu1pw6utpsv+yvbD5Q0YIu?=
	=?us-ascii?q?jvd0So/mwa64YhWN2/xhgRfzUJnB7Loc0qyN4/GmCDFLv8nJmUtBWaIPfidNsd?=
	=?us-ascii?q?8RkQ0kDZzNImzAB9muURYHGt9fXkRu5XCxPBsdMs//Y1rPvi/6tmZKSV3BPAZ4?=
	=?us-ascii?q?bt74BpTVx5zukbviqtuCPk4W23KUWvBbElaflU3prM4YgI9veO4a6yDihT92Qd?=
	=?us-ascii?q?lQ3n5iPlmJnhzxtY+a9Z9n9DlM6bp6r5YTGZjge+wEaZAQTHF8ayFmrPHs4AnO?=
	=?us-ascii?q?S06D62URVk0SkwFUGE7V4Re8WY3+4QXgse8o9CCcPMDyBZw5ERu45q5lAEvkhy?=
	=?us-ascii?q?sKOCQw2H3Ggcx3yqRAqVSuoAIpkN2cW52cKPcrJvCVRtgdX2cUG5wJWg=3D=3D?=
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: xen-devel@lists.xen.org
Date: Mon, 20 Jun 2016 10:04:18 -0400
Message-Id: <1466431466-28055-10-git-send-email-dgdegra@tycho.nsa.gov>
In-Reply-To: <1466431466-28055-1-git-send-email-dgdegra@tycho.nsa.gov>
References: <1466431466-28055-1-git-send-email-dgdegra@tycho.nsa.gov>
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: [Xen-devel] [PATCH 09/17] flask: remove unused AVC callback
	functions
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>

Commit Message

Daniel De Graaf June 20, 2016, 2:04 p.m. UTC

These callbacks are not used in Xen.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 xen/xsm/flask/avc.c         | 97 ++-------------------------------------------
 xen/xsm/flask/include/avc.h | 13 ------
 2 files changed, 4 insertions(+), 106 deletions(-)

Comments

Douglas Goldstein June 20, 2016, 2:32 p.m. UTC | #1

On 6/20/16 9:04 AM, Daniel De Graaf wrote:
> These callbacks are not used in Xen.
> 
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Reviewed-by: Doug Goldstein <cardoe@cardoe.com>

diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index 7764379..a3e6108 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -86,18 +86,6 @@  struct avc_cache {
     u32            latest_notif;    /* latest revocation notification */
 };
 
-struct avc_callback_node {
-    int (*callback) (u32 event, u32 ssid, u32 tsid,
-                     u16 tclass, u32 perms,
-                     u32 *out_retained);
-    u32 events;
-    u32 ssid;
-    u32 tsid;
-    u16 tclass;
-    u32 perms;
-    struct avc_callback_node *next;
-};
-
 /* Exported via Flask hypercall */
 unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD;
 
@@ -106,7 +94,6 @@  DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
 #endif
 
 static struct avc_cache avc_cache;
-static struct avc_callback_node *avc_callbacks;
 
 static DEFINE_RCU_READ_LOCK(avc_rcu_lock);
 
@@ -616,46 +603,6 @@  void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
 }
 
 /**
- * avc_add_callback - Register a callback for security events.
- * @callback: callback function
- * @events: security events
- * @ssid: source security identifier or %SECSID_WILD
- * @tsid: target security identifier or %SECSID_WILD
- * @tclass: target security class
- * @perms: permissions
- *
- * Register a callback function for events in the set @events
- * related to the SID pair (@ssid, @tsid) and
- * and the permissions @perms, interpreting
- * @perms based on @tclass.  Returns %0 on success or
- * -%ENOMEM if insufficient memory exists to add the callback.
- */
-int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, u16 tclass,
-                                     u32 perms, u32 *out_retained), u32 events, u32 ssid, u32 tsid,
-                     u16 tclass, u32 perms)
-{
-    struct avc_callback_node *c;
-    int rc = 0;
-
-    c = xmalloc(struct avc_callback_node);
-    if ( !c )
-    {
-        rc = -ENOMEM;
-        goto out;
-    }
-
-    c->callback = callback;
-    c->events = events;
-    c->ssid = ssid;
-    c->tsid = tsid;
-    c->perms = perms;
-    c->next = avc_callbacks;
-    avc_callbacks = c;
- out:
-    return rc;
-}
-
-/**
  * avc_update_node Update an AVC entry
  * @event : Updating event
  * @perms : Permission mask bits
@@ -666,7 +613,7 @@  int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, u16 tclass,
  * otherwise, this function update the AVC entry. The original AVC-entry object
  * will release later by RCU.
  */
-static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
+static int avc_update_node(u32 perms, u32 ssid, u32 tsid, u16 tclass,
                            u32 seqno)
 {
     int hvalue, rc = 0;
@@ -715,28 +662,7 @@  static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
 
     avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd);
 
-    switch ( event )
-    {
-    case AVC_CALLBACK_GRANT:
-        node->ae.avd.allowed |= perms;
-        break;
-    case AVC_CALLBACK_TRY_REVOKE:
-    case AVC_CALLBACK_REVOKE:
-        node->ae.avd.allowed &= ~perms;
-        break;
-    case AVC_CALLBACK_AUDITALLOW_ENABLE:
-        node->ae.avd.auditallow |= perms;
-        break;
-    case AVC_CALLBACK_AUDITALLOW_DISABLE:
-        node->ae.avd.auditallow &= ~perms;
-        break;
-    case AVC_CALLBACK_AUDITDENY_ENABLE:
-        node->ae.avd.auditdeny |= perms;
-        break;
-    case AVC_CALLBACK_AUDITDENY_DISABLE:
-        node->ae.avd.auditdeny &= ~perms;
-        break;
-    }
+    node->ae.avd.allowed |= perms;
     avc_node_replace(node, orig);
  out_unlock:
     spin_unlock_irqrestore(lock, flag);
@@ -750,8 +676,7 @@  static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
  */
 int avc_ss_reset(u32 seqno)
 {
-    struct avc_callback_node *c;
-    int i, rc = 0, tmprc;
+    int i, rc = 0;
     unsigned long flag;
     struct avc_node *node;
     struct hlist_head *head;
@@ -771,19 +696,6 @@  int avc_ss_reset(u32 seqno)
         spin_unlock_irqrestore(lock, flag);
     }
     
-    for ( c = avc_callbacks; c; c = c->next )
-    {
-        if ( c->events & AVC_CALLBACK_RESET )
-        {
-            tmprc = c->callback(AVC_CALLBACK_RESET,
-                                0, 0, 0, 0, NULL);
-            /* save the first error encountered for the return
-               value and continue processing the callbacks */
-            if ( !rc )
-                rc = tmprc;
-        }
-    }
-
     avc_latest_notif_update(seqno, 0);
     return rc;
 }
@@ -845,8 +757,7 @@  int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
     if ( denied )
     {
         if ( !flask_enforcing || (avd->flags & AVD_FLAGS_PERMISSIVE) )
-            avc_update_node(AVC_CALLBACK_GRANT,requested,
-                            ssid,tsid,tclass,avd->seqno);
+            avc_update_node(requested, ssid,tsid,tclass,avd->seqno);
         else
             rc = -EACCES;
     }
diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h
index 729856e..c153c8e 100644
--- a/xen/xsm/flask/include/avc.h
+++ b/xen/xsm/flask/include/avc.h
@@ -90,19 +90,6 @@  int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
 int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested,
                                              struct avc_audit_data *auditdata);
 
-#define AVC_CALLBACK_GRANT        1
-#define AVC_CALLBACK_TRY_REVOKE        2
-#define AVC_CALLBACK_REVOKE        4
-#define AVC_CALLBACK_RESET        8
-#define AVC_CALLBACK_AUDITALLOW_ENABLE    16
-#define AVC_CALLBACK_AUDITALLOW_DISABLE    32
-#define AVC_CALLBACK_AUDITDENY_ENABLE    64
-#define AVC_CALLBACK_AUDITDENY_DISABLE    128
-
-int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
-                        u16 tclass, u32 perms, u32 *out_retained), u32 events, 
-                                    u32 ssid, u32 tsid, u16 tclass, u32 perms);
-
 /* Exported to selinuxfs */
 struct xen_flask_hash_stats;
 int avc_get_hash_stats(struct xen_flask_hash_stats *arg);

[09/17] flask: remove unused AVC callback functions

Commit Message

Comments

Patch