Disabling XACE Extension (and other code build) by default

Eamon Walsh ewalsh at tycho.nsa.gov
Mon Jul 12 10:04:11 PDT 2010


On 07/05/2010 09:21 AM, Vignatti Tiago (Nokia-MS/Helsinki) wrote:
> On Sat, Jul 03, 2010 at 10:25:34PM +0200, ext Eamon Walsh wrote:
>   
>> On 06/21/2010 09:52 AM, Tiago Vignatti wrote:
>>     
>>> Last I remember, we want all possible build options set as on by default just
>>> to be sure the code they enable is still able to build after general
>>> changes. Is that correct?
>>>
>>> ---
>>>
>>> Apart from that, is there a reason to have XACE enabled by default without any
>>> hook backend? This is how the server is being compiled now by default.
>>>       
>> As long as the in-tree security extensions are disabled by default I
>> think it should be OK to disable XACE by default as well.
>>     
> Thanks for the answer, Eamon.
>
> So I disabled XACE here in my machine and now my static analyzer is accusing
> ~100 pieces of dead code.  That's because we have XaceHook everywhere and, when
> disabling the extension, this function will always return Success which makes
> the subsequent "if (rc != Success)" useless.
>
> I took a look at the code and couldn't find a way to put this conditional
> inside the XaceHook, when the extension is being used. Do you think there's an
> easy way to do so? Do we really need to always check for value or is this just
> a safety check? Or do you have a better idea?
>
>
> Thank you,
>              Tiago
>
>   


When XACE is disabled, XaceHook turns into a macro for Success, not a
function call that returns Success.  The compiler should optimize out
all the dead code.  This seems like a pretty common idiom to me.  I
don't think the static analyzer should warn on stuff like this.


-- 

Eamon Walsh 
National Security Agency
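
The idiom described in the reply above, as an added example that is not part of the original message and is not X server source. Only `XaceHook` and `Success` come from the thread; the `XACE` build switch, the backend signature, `count_arg` and `lookup_resource` are assumptions made for illustration.

```c
#include <stdio.h>

#define Success 0            /* X protocol "no error" status */

#ifdef XACE                  /* assumed build switch: cc -DXACE ... */
typedef int (*hook_fn)(int what, void *subject);  /* hypothetical backend type */
static hook_fn hook_backend;                      /* set by a security module */
void register_backend(hook_fn f) { hook_backend = f; }
int XaceHook(int what, void *subject)
{
    return hook_backend ? hook_backend(what, subject) : Success;
}
#else
/* Disabled build: every call site becomes the constant Success.
 * The arguments are discarded by the preprocessor, never evaluated. */
#define XaceHook(...) Success
#endif

int hook_arg_evaluations;    /* counts side effects in hook arguments */
int count_arg(int v) { hook_arg_evaluations++; return v; }

/* Hypothetical call site following the pattern discussed in the thread. */
int lookup_resource(int id, int *out)
{
    int rc = XaceHook(count_arg(id), out);
    if (rc != Success)       /* disabled build: "0 != 0", removed as dead code */
        return rc;
    *out = id * 2;           /* stand-in for the real work */
    return Success;
}

int main(void)
{
    int v = 0;
    int rc = lookup_resource(21, &v);
    printf("rc=%d value=%d hook argument evaluations=%d\n",
           rc, v, hook_arg_evaluations);
    return 0;
}
```

Built without `-DXACE`, the counter stays at 0: the access check and its arguments vanish at preprocessing time, so hook arguments must not carry side effects the caller depends on.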


