This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] Re: [PATCH] [ACM/Xen] Fix policy buffer layout changed with

To: Stefan Berger <stefanb@xxxxxxxxxx>
Subject: [Xen-devel] Re: [PATCH] [ACM/Xen] Fix policy buffer layout changed with XSM
From: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
Date: Tue, 04 Sep 2007 14:29:10 -0400
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>, Keir Fraser <keir@xxxxxxxxxxxxx>
In-reply-to: <1188917824.6407.3.camel@xxxxxxxxxxxxxxxxxxxxx>
References: <1188917824.6407.3.camel@xxxxxxxxxxxxxxxxxxxxx>

On Tue, 2007-09-04 at 10:57 -0400, Stefan Berger wrote:
> This fixes a regression due to changes in the policy buffer layout
> submitted by the XSM module.

Hi Stefan,

This was done to make the ACM magic number the first word in the policy
file.  This seemed to be the logical choice to afford ACM the greatest
flexibility for loading policies under XSM.  In principle, under XSM, a
security module could be capable of loading and parsing policies over a
range of policy versions.

Your patch reverts the ACM module to the original form where the first
word of the policy file is the policy version - which could change over
time.  This is the general problem of magic numbers.

A benefit of your patch is old ACM policies will not need to be
recompiled to work under XSM with this patch, but I see there being
future confusion and a potential loss of flexibility for ACM by making
this change.  I would argue that the ACM policy version should instead
be bumped for the move to XSM since the XSM patches actually caused a
format change to the ACM policy binary.

Admittedly, this discussion is moot because ACM has only one policy
version at this time.  The XSM_MAGIC number must also be updated to
03000000 to ensure proper boot time policy detection under XSM with your

I also see that there are dups of /xsm in the includes dir.  Since this
was a restructuring from inclusion in xen-staging, perhaps some cleanups
are in order.  Keir? 
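
The layout trade-off discussed in this message, as an added example that is not part of the original e-mail or of the Xen/ACM source: a detector for a magic-first header keeps working across version bumps, while a detector for a version-first header is pinned to one version value. All `ex_`/`EX_` names, the constant values, the big-endian word encoding and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed values for illustration; not the real ACM/XSM constants. */
#define EX_MAGIC     0x45584d50u
#define EX_VERSION_1 1u
#define EX_VERSION_2 2u

enum { EX_UNSUPPORTED = -1, EX_NOT_POLICY = 0, EX_OK_V1 = 1, EX_OK_V2 = 2 };

/* Constructed sample headers: the same version-2 policy in both layouts. */
const uint8_t ex_magic_first_v2[]   = { 0x45, 0x58, 0x4d, 0x50, 0, 0, 0, 2 };
const uint8_t ex_version_first_v2[] = { 0, 0, 0, 2, 0x45, 0x58, 0x4d, 0x50 };

/* Read big-endian 32-bit word number idx; returns 0 if the buffer is short. */
static int ex_word(const uint8_t *buf, size_t len, size_t idx, uint32_t *out)
{
    if (len < (idx + 1) * 4)
        return 0;
    const uint8_t *p = buf + idx * 4;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 1;
}

/* Magic-first: word 0 identifies the blob, word 1 selects the parser. */
int ex_detect_magic_first(const uint8_t *buf, size_t len)
{
    uint32_t magic, version;
    if (!ex_word(buf, len, 0, &magic) || magic != EX_MAGIC)
        return EX_NOT_POLICY;
    if (!ex_word(buf, len, 1, &version))
        return EX_UNSUPPORTED;          /* ours, but header is truncated */
    switch (version) {
    case EX_VERSION_1: return EX_OK_V1;
    case EX_VERSION_2: return EX_OK_V2;
    default:           return EX_UNSUPPORTED; /* ours, but unknown version */
    }
}

/* Version-first: the only word available for detection is the version, so
 * the detector is pinned to one value and changes with every version bump. */
int ex_detect_version_first(const uint8_t *buf, size_t len, uint32_t pinned)
{
    uint32_t first;
    return ex_word(buf, len, 0, &first) && first == pinned;
}
```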

