[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 19/23] flask: move policy headers into hypervisor



Rather than keeping around headers that are autogenerated in order to
avoid adding build dependencies from xen/ to files in tools/, move the
relevant parts of the FLASK policy into the hypervisor tree and generate
the headers as part of the hypervisor's build.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 .gitignore                                         |   5 +
 .hgignore                                          |   5 +
 tools/flask/policy/Makefile                        |   2 +-
 tools/flask/policy/policy/flask/Makefile           |  41 -----
 tools/flask/policy/policy/flask/access_vectors     | 190 ---------------------
 tools/flask/policy/policy/flask/initial_sids       |  16 --
 tools/flask/policy/policy/flask/mkaccess_vector.sh | 138 ---------------
 tools/flask/policy/policy/flask/mkflask.sh         |  95 -----------
 tools/flask/policy/policy/flask/security_classes   |  21 ---
 xen/xsm/flask/Makefile                             |  25 +++
 xen/xsm/flask/include/av_perm_to_string.h          | 147 ----------------
 xen/xsm/flask/include/av_permissions.h             | 157 -----------------
 xen/xsm/flask/include/class_to_string.h            |  15 --
 xen/xsm/flask/include/flask.h                      |  35 ----
 xen/xsm/flask/include/initial_sid_to_string.h      |  16 --
 xen/xsm/flask/policy/access_vectors                | 190 +++++++++++++++++++++
 xen/xsm/flask/policy/initial_sids                  |  16 ++
 xen/xsm/flask/policy/mkaccess_vector.sh            | 138 +++++++++++++++
 xen/xsm/flask/policy/mkflask.sh                    |  95 +++++++++++
 xen/xsm/flask/policy/security_classes              |  21 +++
 20 files changed, 496 insertions(+), 872 deletions(-)
 delete mode 100644 tools/flask/policy/policy/flask/Makefile
 delete mode 100644 tools/flask/policy/policy/flask/access_vectors
 delete mode 100644 tools/flask/policy/policy/flask/initial_sids
 delete mode 100644 tools/flask/policy/policy/flask/mkaccess_vector.sh
 delete mode 100644 tools/flask/policy/policy/flask/mkflask.sh
 delete mode 100644 tools/flask/policy/policy/flask/security_classes
 delete mode 100644 xen/xsm/flask/include/av_perm_to_string.h
 delete mode 100644 xen/xsm/flask/include/av_permissions.h
 delete mode 100644 xen/xsm/flask/include/class_to_string.h
 delete mode 100644 xen/xsm/flask/include/flask.h
 delete mode 100644 xen/xsm/flask/include/initial_sid_to_string.h
 create mode 100644 xen/xsm/flask/policy/access_vectors
 create mode 100644 xen/xsm/flask/policy/initial_sids
 create mode 100644 xen/xsm/flask/policy/mkaccess_vector.sh
 create mode 100644 xen/xsm/flask/policy/mkflask.sh
 create mode 100644 xen/xsm/flask/policy/security_classes

diff --git a/.gitignore b/.gitignore
index f6edc43..aac7a14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -309,6 +309,11 @@ xen/include/xen/banner.h
 xen/include/xen/compile.h
 xen/tools/figlet/figlet
 xen/tools/symbols
+xen/xsm/flask/include/av_perm_to_string.h
+xen/xsm/flask/include/av_permissions.h
+xen/xsm/flask/include/class_to_string.h
+xen/xsm/flask/include/flask.h
+xen/xsm/flask/include/initial_sid_to_string.h
 xen/xen
 xen/xen-syms
 xen/xen.*
diff --git a/.hgignore b/.hgignore
index 344792a..5ed903f 100644
--- a/.hgignore
+++ b/.hgignore
@@ -339,6 +339,11 @@
 ^xen/include/xen/compile\.h$
 ^xen/tools/figlet/figlet$
 ^xen/tools/symbols$
+^xen/xsm/flask/include/av_perm_to_string\.h$
+^xen/xsm/flask/include/av_permissions\.h$
+^xen/xsm/flask/include/class_to_string\.h$
+^xen/xsm/flask/include/flask\.h$
+^xen/xsm/flask/include/initial_sid_to_string\.h$
 ^xen/xen$
 ^xen/xen-syms$
 ^xen/xen\..*$
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 5c25cbe..3f5aa38 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -61,7 +61,7 @@ LOADPOLICY := $(SBINDIR)/flask-loadpolicy
 # policy source layout
 POLDIR := policy
 MODDIR := $(POLDIR)/modules
-FLASKDIR := $(POLDIR)/flask
+FLASKDIR := ../../../xen/xsm/flask/policy
 SECCLASS := $(FLASKDIR)/security_classes
 ISIDS := $(FLASKDIR)/initial_sids
 AVS := $(FLASKDIR)/access_vectors
diff --git a/tools/flask/policy/policy/flask/Makefile 
b/tools/flask/policy/policy/flask/Makefile
deleted file mode 100644
index 5f57e88..0000000
--- a/tools/flask/policy/policy/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
-          else if [ -x /bin/bash ]; then echo /bin/bash; \
-          else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all:  $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
-       $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
-       $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
-       install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
-       install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h 
av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
-       install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:  
-       rm -f $(FLASK_H_FILES)
-       rm -f $(AV_H_FILES)
diff --git a/tools/flask/policy/policy/flask/access_vectors 
b/tools/flask/policy/policy/flask/access_vectors
deleted file mode 100644
index 7a7e253..0000000
--- a/tools/flask/policy/policy/flask/access_vectors
+++ /dev/null
@@ -1,190 +0,0 @@
-#
-# Define the access vectors.
-#
-# class class_name { permission_name ... }
-
-class xen
-{
-       scheduler
-       settime
-       tbufcontrol
-       readconsole
-       clearconsole
-       perfcontrol
-       mtrr_add
-       mtrr_del
-       mtrr_read
-       microcode
-       physinfo
-       quirk
-    writeconsole
-    readapic
-    writeapic
-    privprofile
-    nonprivprofile
-    kexec
-       firmware
-       sleep
-       frequency
-       getidle
-       debug
-       getcpuinfo
-       heap
-       pm_op
-       mca_op
-       lockprof
-       cpupool_op
-       sched_op
-       tmem_op
-       tmem_control
-}
-
-class domain
-{
-       setvcpucontext
-       pause
-       unpause
-    resume
-    create
-    transition
-    max_vcpus
-    destroy
-    setvcpuaffinity
-       getvcpuaffinity
-       scheduler
-       getdomaininfo
-       getvcpuinfo
-       getvcpucontext
-       setdomainmaxmem
-       setdomainhandle
-       setdebugging
-       hypercall
-    settime
-    set_target
-    shutdown
-    setaddrsize
-    getaddrsize
-       trigger
-       getextvcpucontext
-       setextvcpucontext
-       getvcpuextstate
-       setvcpuextstate
-       getpodtarget
-       setpodtarget
-       set_misc_info
-       set_virq_handler
-}
-
-class domain2
-{
-       relabelfrom
-       relabelto
-       relabelself
-       make_priv_for
-       set_as_target
-       set_cpuid
-       gettsc
-       settsc
-}
-
-class hvm
-{
-    sethvmc
-    gethvmc
-    setparam
-    getparam
-    pcilevel
-    irqlevel
-    pciroute
-       bind_irq
-       cacheattr
-    trackdirtyvram
-    hvmctl
-    mem_event
-    mem_sharing
-    audit_p2m
-    send_irq
-    share_mem
-}
-
-class event
-{
-       bind
-       send
-       status
-       notify
-       create
-    reset
-}
-
-class grant
-{
-       map_read
-       map_write
-       unmap
-       transfer
-       setup
-    copy
-    query
-}
-
-class mmu
-{
-       map_read
-       map_write
-       pageinfo
-       pagelist
-    adjust
-    stat
-    translategp
-       updatemp
-    physmap
-    pinpage
-    mfnlist
-    memorymap
-    remote_remap
-       mmuext_op
-       exchange
-}
-
-class shadow
-{
-       disable
-       enable
-    logdirty
-}
-
-class resource
-{
-       add
-       remove
-       use
-       add_irq
-       remove_irq
-       add_ioport
-       remove_ioport
-       add_iomem
-       remove_iomem
-       stat_device
-       add_device
-       remove_device
-       plug
-       unplug
-       setup
-}
-
-class security
-{
-       compute_av
-       compute_create
-       compute_member
-       check_context
-       load_policy
-       compute_relabel
-       compute_user
-       setenforce
-       setbool
-       setsecparam
-        add_ocontext
-        del_ocontext
-}
diff --git a/tools/flask/policy/policy/flask/initial_sids 
b/tools/flask/policy/policy/flask/initial_sids
deleted file mode 100644
index e508bde..0000000
--- a/tools/flask/policy/policy/flask/initial_sids
+++ /dev/null
@@ -1,16 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers 
-#
-sid xen
-sid dom0
-sid domio
-sid domxen
-sid unlabeled
-sid security
-sid ioport
-sid iomem
-sid irq
-sid device
-# FLASK
diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh 
b/tools/flask/policy/policy/flask/mkaccess_vector.sh
deleted file mode 100644
index 43a60a7..0000000
--- a/tools/flask/policy/policy/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,138 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift
-
-# output files
-av_permissions="av_permissions.h"
-av_perm_to_string="av_perm_to_string.h"
-
-cat $* | $awk "
-BEGIN  {
-               outfile = \"$av_permissions\"
-               avpermfile = \"$av_perm_to_string\"
-               "'
-               nextstate = "COMMON_OR_AV";
-               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > outfile;
-               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > avpermfile;
-;
-       }
-/^[ \t]*#/     { 
-                       next;
-               }
-$1 == "class"  {
-                       if (nextstate != "COMMON_OR_AV" &&
-                           nextstate != "CLASS_OR_CLASS-OPENBRACKET")
-                       {
-                               printf("Parse error:  Unexpected class 
definition on line %d\n", NR);
-                               next;   
-                       }
-
-                       tclass = $2;
-
-                       if (tclass in av_defined)
-                       {
-                               printf("Duplicate access vector definition for 
%s on line %d\n", tclass, NR);
-                               next;
-                       } 
-                       av_defined[tclass] = 1;
-
-                       permission = 1;
-
-                       nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
-                       next;
-               }
-$1 == "{"      { 
-                       if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
-                           nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
-                           nextstate != "COMMON-OPENBRACKET")
-                       {
-                               printf("Parse error:  Unexpected { on line 
%d\n", NR);
-                               next;
-                       }
-
-                       if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
-                               nextstate = "CLASS-CLOSEBRACKET";
-
-                       if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
-                               nextstate = "CLASS-CLOSEBRACKET";
-
-                       if (nextstate == "COMMON-OPENBRACKET")
-                               nextstate = "COMMON-CLOSEBRACKET";
-               }
-/[a-z][a-z_]*/ {
-                       if (nextstate != "COMMON-CLOSEBRACKET" &&
-                           nextstate != "CLASS-CLOSEBRACKET")
-                       {
-                               printf("Parse error:  Unexpected symbol %s on 
line %d\n", $1, NR);              
-                               next;
-                       }
-
-                       if (nextstate == "COMMON-CLOSEBRACKET")
-                       {
-                               if ((common_name,$1) in common_perms)
-                               {
-                                       printf("Duplicate permission %s for 
common %s on line %d.\n", $1, common_name, NR);
-                                       next;
-                               }
-
-                               common_perms[common_name,$1] = permission;
-
-                               printf("#define COMMON_%s__%s", 
toupper(common_name), toupper($1)) > outfile; 
-
-                               printf("    S_(\"%s\")\n", $1) > cpermfile;
-                       }
-                       else
-                       {
-                               if ((tclass,$1) in av_perms)
-                               {
-                                       printf("Duplicate permission %s for %s 
on line %d.\n", $1, tclass, NR);
-                                       next;
-                               }
-
-                               av_perms[tclass,$1] = permission;
-               
-                               printf("#define %s__%s", toupper(tclass), 
toupper($1)) > outfile; 
-
-                               printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", 
toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
-                       }
-
-                       spaces = 40 - (length($1) + length(tclass));
-                       if (spaces < 1)
-                             spaces = 1;
-
-                       for (i = 0; i < spaces; i++) 
-                               printf(" ") > outfile; 
-                       printf("0x%08xUL\n", permission) > outfile; 
-                       permission = permission * 2;
-               }
-$1 == "}"      {
-                       if (nextstate != "CLASS-CLOSEBRACKET" && 
-                           nextstate != "COMMON-CLOSEBRACKET")
-                       {
-                               printf("Parse error:  Unexpected } on line 
%d\n", NR);
-                               next;
-                       }
-
-                       if (nextstate == "COMMON-CLOSEBRACKET")
-                       {
-                               common_base[common_name] = permission;
-                               printf("TE_(common_%s_perm_to_string)\n\n", 
common_name) > cpermfile; 
-                       }
-
-                       printf("\n") > outfile;
-
-                       nextstate = "COMMON_OR_AV";
-               }
-END    {
-               if (nextstate != "COMMON_OR_AV" && nextstate != 
"CLASS_OR_CLASS-OPENBRACKET")
-                       printf("Parse error:  Unexpected end of file\n");
-
-       }'
-
-# FLASK
diff --git a/tools/flask/policy/policy/flask/mkflask.sh 
b/tools/flask/policy/policy/flask/mkflask.sh
deleted file mode 100644
index 9c84754..0000000
--- a/tools/flask/policy/policy/flask/mkflask.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift 1
-
-# output file
-output_file="flask.h"
-debug_file="class_to_string.h"
-debug_file2="initial_sid_to_string.h"
-
-cat $* | $awk "
-BEGIN  {
-               outfile = \"$output_file\"
-               debugfile = \"$debug_file\"
-               debugfile2 = \"$debug_file2\"
-               "'
-               nextstate = "CLASS";
-
-               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > outfile;
-
-               printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
-               printf("#define _SELINUX_FLASK_H_\n") > outfile;
-               printf("\n/*\n * Security object class definitions\n */\n") > 
outfile;
-               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > debugfile;
-               printf("/*\n * Security object class definitions\n */\n") > 
debugfile;
-               printf("    S_(\"null\")\n") > debugfile;
-               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > debugfile2;
-               printf("static char *initial_sid_to_string[] =\n{\n") > 
debugfile2;
-               printf("    \"null\",\n") > debugfile2;
-       }
-/^[ \t]*#/     { 
-                       next;
-               }
-$1 == "class"  { 
-                       if (nextstate != "CLASS")
-                       {
-                               printf("Parse error:  Unexpected class 
definition on line %d\n", NR);
-                               next;   
-                       }
-
-                       if ($2 in class_found)
-                       {
-                               printf("Duplicate class definition for %s on 
line %d.\n", $2, NR);
-                               next;
-                       }       
-                       class_found[$2] = 1;
-
-                       class_value++;
-
-                       printf("#define SECCLASS_%s", toupper($2)) > outfile;
-                       for (i = 0; i < 40 - length($2); i++) 
-                               printf(" ") > outfile; 
-                       printf("%d\n", class_value) > outfile; 
-
-                       printf("    S_(\"%s\")\n", $2) > debugfile;
-               }
-$1 == "sid"    { 
-                       if (nextstate == "CLASS")
-                       {
-                           nextstate = "SID";
-                           printf("\n/*\n * Security identifier indices for 
initial entities\n */\n") > outfile;                           
-                       }
-
-                       if ($2 in sid_found)
-                       {
-                               printf("Duplicate SID definition for %s on line 
%d.\n", $2, NR);
-                               next;
-                       }       
-                       sid_found[$2] = 1;
-                       sid_value++;
-
-                       printf("#define SECINITSID_%s", toupper($2)) > outfile;
-                       for (i = 0; i < 37 - length($2); i++) 
-                               printf(" ") > outfile; 
-                       printf("%d\n", sid_value) > outfile; 
-                       printf("    \"%s\",\n", $2) > debugfile2;
-               }
-END    {
-               if (nextstate != "SID")
-                       printf("Parse error:  Unexpected end of file\n");
-
-               printf("\n#define SECINITSID_NUM") > outfile;
-               for (i = 0; i < 34; i++) 
-                       printf(" ") > outfile; 
-               printf("%d\n", sid_value) > outfile; 
-               printf("\n#endif\n") > outfile;
-               printf("};\n\n") > debugfile2;
-       }'
-
-# FLASK
diff --git a/tools/flask/policy/policy/flask/security_classes 
b/tools/flask/policy/policy/flask/security_classes
deleted file mode 100644
index ef134a7..0000000
--- a/tools/flask/policy/policy/flask/security_classes
+++ /dev/null
@@ -1,21 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes 
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class xen
-class domain
-class domain2
-class hvm
-class mmu
-class resource
-class shadow
-class event
-class grant
-class security
-
-# FLASK
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 92fb410..1256512 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -5,3 +5,28 @@ obj-y += flask_op.o
 subdir-y += ss
 
 CFLAGS += -I./include
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+          else if [ -x /bin/bash ]; then echo /bin/bash; \
+          else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = policy/security_classes policy/initial_sids
+AV_H_DEPEND = policy/access_vectors
+
+FLASK_H_FILES = include/flask.h include/class_to_string.h 
include/initial_sid_to_string.h
+AV_H_FILES = include/av_perm_to_string.h include/av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+$(obj-y) ss/built_in.o: $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+       $(CONFIG_SHELL) policy/mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+       $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+.PHONY: clean
+clean::
+       rm -f $(ALL_H_FILES) *.o $(DEPS)
diff --git a/xen/xsm/flask/include/av_perm_to_string.h 
b/xen/xsm/flask/include/av_perm_to_string.h
deleted file mode 100644
index c3f2370..0000000
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ /dev/null
@@ -1,147 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-   S_(SECCLASS_XEN, XEN__SCHEDULER, "scheduler")
-   S_(SECCLASS_XEN, XEN__SETTIME, "settime")
-   S_(SECCLASS_XEN, XEN__TBUFCONTROL, "tbufcontrol")
-   S_(SECCLASS_XEN, XEN__READCONSOLE, "readconsole")
-   S_(SECCLASS_XEN, XEN__CLEARCONSOLE, "clearconsole")
-   S_(SECCLASS_XEN, XEN__PERFCONTROL, "perfcontrol")
-   S_(SECCLASS_XEN, XEN__MTRR_ADD, "mtrr_add")
-   S_(SECCLASS_XEN, XEN__MTRR_DEL, "mtrr_del")
-   S_(SECCLASS_XEN, XEN__MTRR_READ, "mtrr_read")
-   S_(SECCLASS_XEN, XEN__MICROCODE, "microcode")
-   S_(SECCLASS_XEN, XEN__PHYSINFO, "physinfo")
-   S_(SECCLASS_XEN, XEN__QUIRK, "quirk")
-   S_(SECCLASS_XEN, XEN__WRITECONSOLE, "writeconsole")
-   S_(SECCLASS_XEN, XEN__READAPIC, "readapic")
-   S_(SECCLASS_XEN, XEN__WRITEAPIC, "writeapic")
-   S_(SECCLASS_XEN, XEN__PRIVPROFILE, "privprofile")
-   S_(SECCLASS_XEN, XEN__NONPRIVPROFILE, "nonprivprofile")
-   S_(SECCLASS_XEN, XEN__KEXEC, "kexec")
-   S_(SECCLASS_XEN, XEN__FIRMWARE, "firmware")
-   S_(SECCLASS_XEN, XEN__SLEEP, "sleep")
-   S_(SECCLASS_XEN, XEN__FREQUENCY, "frequency")
-   S_(SECCLASS_XEN, XEN__GETIDLE, "getidle")
-   S_(SECCLASS_XEN, XEN__DEBUG, "debug")
-   S_(SECCLASS_XEN, XEN__GETCPUINFO, "getcpuinfo")
-   S_(SECCLASS_XEN, XEN__HEAP, "heap")
-   S_(SECCLASS_XEN, XEN__PM_OP, "pm_op")
-   S_(SECCLASS_XEN, XEN__MCA_OP, "mca_op")
-   S_(SECCLASS_XEN, XEN__LOCKPROF, "lockprof")
-   S_(SECCLASS_XEN, XEN__CPUPOOL_OP, "cpupool_op")
-   S_(SECCLASS_XEN, XEN__SCHED_OP, "sched_op")
-   S_(SECCLASS_XEN, XEN__TMEM_OP, "tmem_op")
-   S_(SECCLASS_XEN, XEN__TMEM_CONTROL, "tmem_control")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT, "setvcpucontext")
-   S_(SECCLASS_DOMAIN, DOMAIN__PAUSE, "pause")
-   S_(SECCLASS_DOMAIN, DOMAIN__UNPAUSE, "unpause")
-   S_(SECCLASS_DOMAIN, DOMAIN__RESUME, "resume")
-   S_(SECCLASS_DOMAIN, DOMAIN__CREATE, "create")
-   S_(SECCLASS_DOMAIN, DOMAIN__TRANSITION, "transition")
-   S_(SECCLASS_DOMAIN, DOMAIN__MAX_VCPUS, "max_vcpus")
-   S_(SECCLASS_DOMAIN, DOMAIN__DESTROY, "destroy")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUAFFINITY, "setvcpuaffinity")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUAFFINITY, "getvcpuaffinity")
-   S_(SECCLASS_DOMAIN, DOMAIN__SCHEDULER, "scheduler")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO, "getdomaininfo")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUINFO, "getvcpuinfo")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT, "getvcpucontext")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETDOMAINMAXMEM, "setdomainmaxmem")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE, "setdomainhandle")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETDEBUGGING, "setdebugging")
-   S_(SECCLASS_DOMAIN, DOMAIN__HYPERCALL, "hypercall")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETTIME, "settime")
-   S_(SECCLASS_DOMAIN, DOMAIN__SET_TARGET, "set_target")
-   S_(SECCLASS_DOMAIN, DOMAIN__SHUTDOWN, "shutdown")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETADDRSIZE, "setaddrsize")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE, "getaddrsize")
-   S_(SECCLASS_DOMAIN, DOMAIN__TRIGGER, "trigger")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT, "getextvcpucontext")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT, "setextvcpucontext")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE, "getvcpuextstate")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE, "setvcpuextstate")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETPODTARGET, "getpodtarget")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget")
-   S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info")
-   S_(SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER, "set_virq_handler")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, "relabelfrom")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, "relabelto")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__MAKE_PRIV_FOR, "make_priv_for")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__SET_AS_TARGET, "set_as_target")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__SET_CPUID, "set_cpuid")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__GETTSC, "gettsc")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__SETTSC, "settsc")
-   S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
-   S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
-   S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
-   S_(SECCLASS_HVM, HVM__GETPARAM, "getparam")
-   S_(SECCLASS_HVM, HVM__PCILEVEL, "pcilevel")
-   S_(SECCLASS_HVM, HVM__IRQLEVEL, "irqlevel")
-   S_(SECCLASS_HVM, HVM__PCIROUTE, "pciroute")
-   S_(SECCLASS_HVM, HVM__BIND_IRQ, "bind_irq")
-   S_(SECCLASS_HVM, HVM__CACHEATTR, "cacheattr")
-   S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")
-   S_(SECCLASS_HVM, HVM__HVMCTL, "hvmctl")
-   S_(SECCLASS_HVM, HVM__MEM_EVENT, "mem_event")
-   S_(SECCLASS_HVM, HVM__MEM_SHARING, "mem_sharing")
-   S_(SECCLASS_HVM, HVM__AUDIT_P2M, "audit_p2m")
-   S_(SECCLASS_HVM, HVM__SEND_IRQ, "send_irq")
-   S_(SECCLASS_HVM, HVM__SHARE_MEM, "share_mem")
-   S_(SECCLASS_EVENT, EVENT__BIND, "bind")
-   S_(SECCLASS_EVENT, EVENT__SEND, "send")
-   S_(SECCLASS_EVENT, EVENT__STATUS, "status")
-   S_(SECCLASS_EVENT, EVENT__NOTIFY, "notify")
-   S_(SECCLASS_EVENT, EVENT__CREATE, "create")
-   S_(SECCLASS_EVENT, EVENT__RESET, "reset")
-   S_(SECCLASS_GRANT, GRANT__MAP_READ, "map_read")
-   S_(SECCLASS_GRANT, GRANT__MAP_WRITE, "map_write")
-   S_(SECCLASS_GRANT, GRANT__UNMAP, "unmap")
-   S_(SECCLASS_GRANT, GRANT__TRANSFER, "transfer")
-   S_(SECCLASS_GRANT, GRANT__SETUP, "setup")
-   S_(SECCLASS_GRANT, GRANT__COPY, "copy")
-   S_(SECCLASS_GRANT, GRANT__QUERY, "query")
-   S_(SECCLASS_MMU, MMU__MAP_READ, "map_read")
-   S_(SECCLASS_MMU, MMU__MAP_WRITE, "map_write")
-   S_(SECCLASS_MMU, MMU__PAGEINFO, "pageinfo")
-   S_(SECCLASS_MMU, MMU__PAGELIST, "pagelist")
-   S_(SECCLASS_MMU, MMU__ADJUST, "adjust")
-   S_(SECCLASS_MMU, MMU__STAT, "stat")
-   S_(SECCLASS_MMU, MMU__TRANSLATEGP, "translategp")
-   S_(SECCLASS_MMU, MMU__UPDATEMP, "updatemp")
-   S_(SECCLASS_MMU, MMU__PHYSMAP, "physmap")
-   S_(SECCLASS_MMU, MMU__PINPAGE, "pinpage")
-   S_(SECCLASS_MMU, MMU__MFNLIST, "mfnlist")
-   S_(SECCLASS_MMU, MMU__MEMORYMAP, "memorymap")
-   S_(SECCLASS_MMU, MMU__REMOTE_REMAP, "remote_remap")
-   S_(SECCLASS_MMU, MMU__MMUEXT_OP, "mmuext_op")
-   S_(SECCLASS_MMU, MMU__EXCHANGE, "exchange")
-   S_(SECCLASS_SHADOW, SHADOW__DISABLE, "disable")
-   S_(SECCLASS_SHADOW, SHADOW__ENABLE, "enable")
-   S_(SECCLASS_SHADOW, SHADOW__LOGDIRTY, "logdirty")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD, "add")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE, "remove")
-   S_(SECCLASS_RESOURCE, RESOURCE__USE, "use")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD_IRQ, "add_irq")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IRQ, "remove_irq")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD_IOPORT, "add_ioport")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IOPORT, "remove_ioport")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD_IOMEM, "add_iomem")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IOMEM, "remove_iomem")
-   S_(SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, "stat_device")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD_DEVICE, "add_device")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_DEVICE, "remove_device")
-   S_(SECCLASS_RESOURCE, RESOURCE__PLUG, "plug")
-   S_(SECCLASS_RESOURCE, RESOURCE__UNPLUG, "unplug")
-   S_(SECCLASS_RESOURCE, RESOURCE__SETUP, "setup")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
-   S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
-   S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
-   S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
-   S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
-   S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
-   S_(SECCLASS_SECURITY, SECURITY__ADD_OCONTEXT, "add_ocontext")
-   S_(SECCLASS_SECURITY, SECURITY__DEL_OCONTEXT, "del_ocontext")
diff --git a/xen/xsm/flask/include/av_permissions.h 
b/xen/xsm/flask/include/av_permissions.h
deleted file mode 100644
index 65302e8..0000000
--- a/xen/xsm/flask/include/av_permissions.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-#define XEN__SCHEDULER                            0x00000001UL
-#define XEN__SETTIME                              0x00000002UL
-#define XEN__TBUFCONTROL                          0x00000004UL
-#define XEN__READCONSOLE                          0x00000008UL
-#define XEN__CLEARCONSOLE                         0x00000010UL
-#define XEN__PERFCONTROL                          0x00000020UL
-#define XEN__MTRR_ADD                             0x00000040UL
-#define XEN__MTRR_DEL                             0x00000080UL
-#define XEN__MTRR_READ                            0x00000100UL
-#define XEN__MICROCODE                            0x00000200UL
-#define XEN__PHYSINFO                             0x00000400UL
-#define XEN__QUIRK                                0x00000800UL
-#define XEN__WRITECONSOLE                         0x00001000UL
-#define XEN__READAPIC                             0x00002000UL
-#define XEN__WRITEAPIC                            0x00004000UL
-#define XEN__PRIVPROFILE                          0x00008000UL
-#define XEN__NONPRIVPROFILE                       0x00010000UL
-#define XEN__KEXEC                                0x00020000UL
-#define XEN__FIRMWARE                             0x00040000UL
-#define XEN__SLEEP                                0x00080000UL
-#define XEN__FREQUENCY                            0x00100000UL
-#define XEN__GETIDLE                              0x00200000UL
-#define XEN__DEBUG                                0x00400000UL
-#define XEN__GETCPUINFO                           0x00800000UL
-#define XEN__HEAP                                 0x01000000UL
-#define XEN__PM_OP                                0x02000000UL
-#define XEN__MCA_OP                               0x04000000UL
-#define XEN__LOCKPROF                             0x08000000UL
-#define XEN__CPUPOOL_OP                           0x10000000UL
-#define XEN__SCHED_OP                             0x20000000UL
-#define XEN__TMEM_OP                              0x40000000UL
-#define XEN__TMEM_CONTROL                         0x80000000UL
-
-#define DOMAIN__SETVCPUCONTEXT                    0x00000001UL
-#define DOMAIN__PAUSE                             0x00000002UL
-#define DOMAIN__UNPAUSE                           0x00000004UL
-#define DOMAIN__RESUME                            0x00000008UL
-#define DOMAIN__CREATE                            0x00000010UL
-#define DOMAIN__TRANSITION                        0x00000020UL
-#define DOMAIN__MAX_VCPUS                         0x00000040UL
-#define DOMAIN__DESTROY                           0x00000080UL
-#define DOMAIN__SETVCPUAFFINITY                   0x00000100UL
-#define DOMAIN__GETVCPUAFFINITY                   0x00000200UL
-#define DOMAIN__SCHEDULER                         0x00000400UL
-#define DOMAIN__GETDOMAININFO                     0x00000800UL
-#define DOMAIN__GETVCPUINFO                       0x00001000UL
-#define DOMAIN__GETVCPUCONTEXT                    0x00002000UL
-#define DOMAIN__SETDOMAINMAXMEM                   0x00004000UL
-#define DOMAIN__SETDOMAINHANDLE                   0x00008000UL
-#define DOMAIN__SETDEBUGGING                      0x00010000UL
-#define DOMAIN__HYPERCALL                         0x00020000UL
-#define DOMAIN__SETTIME                           0x00040000UL
-#define DOMAIN__SET_TARGET                        0x00080000UL
-#define DOMAIN__SHUTDOWN                          0x00100000UL
-#define DOMAIN__SETADDRSIZE                       0x00200000UL
-#define DOMAIN__GETADDRSIZE                       0x00400000UL
-#define DOMAIN__TRIGGER                           0x00800000UL
-#define DOMAIN__GETEXTVCPUCONTEXT                 0x01000000UL
-#define DOMAIN__SETEXTVCPUCONTEXT                 0x02000000UL
-#define DOMAIN__GETVCPUEXTSTATE                   0x04000000UL
-#define DOMAIN__SETVCPUEXTSTATE                   0x08000000UL
-#define DOMAIN__GETPODTARGET                      0x10000000UL
-#define DOMAIN__SETPODTARGET                      0x20000000UL
-#define DOMAIN__SET_MISC_INFO                     0x40000000UL
-#define DOMAIN__SET_VIRQ_HANDLER                  0x80000000UL
-
-#define DOMAIN2__RELABELFROM                      0x00000001UL
-#define DOMAIN2__RELABELTO                        0x00000002UL
-#define DOMAIN2__RELABELSELF                      0x00000004UL
-#define DOMAIN2__MAKE_PRIV_FOR                    0x00000008UL
-#define DOMAIN2__SET_AS_TARGET                    0x00000010UL
-#define DOMAIN2__SET_CPUID                        0x00000020UL
-#define DOMAIN2__GETTSC                           0x00000040UL
-#define DOMAIN2__SETTSC                           0x00000080UL
-
-#define HVM__SETHVMC                              0x00000001UL
-#define HVM__GETHVMC                              0x00000002UL
-#define HVM__SETPARAM                             0x00000004UL
-#define HVM__GETPARAM                             0x00000008UL
-#define HVM__PCILEVEL                             0x00000010UL
-#define HVM__IRQLEVEL                             0x00000020UL
-#define HVM__PCIROUTE                             0x00000040UL
-#define HVM__BIND_IRQ                             0x00000080UL
-#define HVM__CACHEATTR                            0x00000100UL
-#define HVM__TRACKDIRTYVRAM                       0x00000200UL
-#define HVM__HVMCTL                               0x00000400UL
-#define HVM__MEM_EVENT                            0x00000800UL
-#define HVM__MEM_SHARING                          0x00001000UL
-#define HVM__AUDIT_P2M                            0x00002000UL
-#define HVM__SEND_IRQ                             0x00004000UL
-#define HVM__SHARE_MEM                            0x00008000UL
-
-#define EVENT__BIND                               0x00000001UL
-#define EVENT__SEND                               0x00000002UL
-#define EVENT__STATUS                             0x00000004UL
-#define EVENT__NOTIFY                             0x00000008UL
-#define EVENT__CREATE                             0x00000010UL
-#define EVENT__RESET                              0x00000020UL
-
-#define GRANT__MAP_READ                           0x00000001UL
-#define GRANT__MAP_WRITE                          0x00000002UL
-#define GRANT__UNMAP                              0x00000004UL
-#define GRANT__TRANSFER                           0x00000008UL
-#define GRANT__SETUP                              0x00000010UL
-#define GRANT__COPY                               0x00000020UL
-#define GRANT__QUERY                              0x00000040UL
-
-#define MMU__MAP_READ                             0x00000001UL
-#define MMU__MAP_WRITE                            0x00000002UL
-#define MMU__PAGEINFO                             0x00000004UL
-#define MMU__PAGELIST                             0x00000008UL
-#define MMU__ADJUST                               0x00000010UL
-#define MMU__STAT                                 0x00000020UL
-#define MMU__TRANSLATEGP                          0x00000040UL
-#define MMU__UPDATEMP                             0x00000080UL
-#define MMU__PHYSMAP                              0x00000100UL
-#define MMU__PINPAGE                              0x00000200UL
-#define MMU__MFNLIST                              0x00000400UL
-#define MMU__MEMORYMAP                            0x00000800UL
-#define MMU__REMOTE_REMAP                         0x00001000UL
-#define MMU__MMUEXT_OP                            0x00002000UL
-#define MMU__EXCHANGE                             0x00004000UL
-
-#define SHADOW__DISABLE                           0x00000001UL
-#define SHADOW__ENABLE                            0x00000002UL
-#define SHADOW__LOGDIRTY                          0x00000004UL
-
-#define RESOURCE__ADD                             0x00000001UL
-#define RESOURCE__REMOVE                          0x00000002UL
-#define RESOURCE__USE                             0x00000004UL
-#define RESOURCE__ADD_IRQ                         0x00000008UL
-#define RESOURCE__REMOVE_IRQ                      0x00000010UL
-#define RESOURCE__ADD_IOPORT                      0x00000020UL
-#define RESOURCE__REMOVE_IOPORT                   0x00000040UL
-#define RESOURCE__ADD_IOMEM                       0x00000080UL
-#define RESOURCE__REMOVE_IOMEM                    0x00000100UL
-#define RESOURCE__STAT_DEVICE                     0x00000200UL
-#define RESOURCE__ADD_DEVICE                      0x00000400UL
-#define RESOURCE__REMOVE_DEVICE                   0x00000800UL
-#define RESOURCE__PLUG                            0x00001000UL
-#define RESOURCE__UNPLUG                          0x00002000UL
-#define RESOURCE__SETUP                           0x00004000UL
-
-#define SECURITY__COMPUTE_AV                      0x00000001UL
-#define SECURITY__COMPUTE_CREATE                  0x00000002UL
-#define SECURITY__COMPUTE_MEMBER                  0x00000004UL
-#define SECURITY__CHECK_CONTEXT                   0x00000008UL
-#define SECURITY__LOAD_POLICY                     0x00000010UL
-#define SECURITY__COMPUTE_RELABEL                 0x00000020UL
-#define SECURITY__COMPUTE_USER                    0x00000040UL
-#define SECURITY__SETENFORCE                      0x00000080UL
-#define SECURITY__SETBOOL                         0x00000100UL
-#define SECURITY__SETSECPARAM                     0x00000200UL
-#define SECURITY__ADD_OCONTEXT                    0x00000400UL
-#define SECURITY__DEL_OCONTEXT                    0x00000800UL
-
diff --git a/xen/xsm/flask/include/class_to_string.h 
b/xen/xsm/flask/include/class_to_string.h
deleted file mode 100644
index 7716645..0000000
--- a/xen/xsm/flask/include/class_to_string.h
+++ /dev/null
@@ -1,15 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-/*
- * Security object class definitions
- */
-    S_("null")
-    S_("xen")
-    S_("domain")
-    S_("domain2")
-    S_("hvm")
-    S_("mmu")
-    S_("resource")
-    S_("shadow")
-    S_("event")
-    S_("grant")
-    S_("security")
diff --git a/xen/xsm/flask/include/flask.h b/xen/xsm/flask/include/flask.h
deleted file mode 100644
index 3bff998..0000000
--- a/xen/xsm/flask/include/flask.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-#ifndef _SELINUX_FLASK_H_
-#define _SELINUX_FLASK_H_
-
-/*
- * Security object class definitions
- */
-#define SECCLASS_XEN                                     1
-#define SECCLASS_DOMAIN                                  2
-#define SECCLASS_DOMAIN2                                 3
-#define SECCLASS_HVM                                     4
-#define SECCLASS_MMU                                     5
-#define SECCLASS_RESOURCE                                6
-#define SECCLASS_SHADOW                                  7
-#define SECCLASS_EVENT                                   8
-#define SECCLASS_GRANT                                   9
-#define SECCLASS_SECURITY                                10
-
-/*
- * Security identifier indices for initial entities
- */
-#define SECINITSID_XEN                                  1
-#define SECINITSID_DOM0                                 2
-#define SECINITSID_DOMIO                                3
-#define SECINITSID_DOMXEN                               4
-#define SECINITSID_UNLABELED                            5
-#define SECINITSID_SECURITY                             6
-#define SECINITSID_IOPORT                               7
-#define SECINITSID_IOMEM                                8
-#define SECINITSID_IRQ                                  9
-#define SECINITSID_DEVICE                               10
-
-#define SECINITSID_NUM                                  10
-
-#endif
diff --git a/xen/xsm/flask/include/initial_sid_to_string.h 
b/xen/xsm/flask/include/initial_sid_to_string.h
deleted file mode 100644
index 814f4bf..0000000
--- a/xen/xsm/flask/include/initial_sid_to_string.h
+++ /dev/null
@@ -1,16 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-static char *initial_sid_to_string[] =
-{
-    "null",
-    "xen",
-    "dom0",
-    "domio",
-    "domxen",
-    "unlabeled",
-    "security",
-    "ioport",
-    "iomem",
-    "irq",
-    "device",
-};
-
diff --git a/xen/xsm/flask/policy/access_vectors 
b/xen/xsm/flask/policy/access_vectors
new file mode 100644
index 0000000..7a7e253
--- /dev/null
+++ b/xen/xsm/flask/policy/access_vectors
@@ -0,0 +1,190 @@
+#
+# Define the access vectors.
+#
+# class class_name { permission_name ... }
+
+class xen
+{
+       scheduler
+       settime
+       tbufcontrol
+       readconsole
+       clearconsole
+       perfcontrol
+       mtrr_add
+       mtrr_del
+       mtrr_read
+       microcode
+       physinfo
+       quirk
+    writeconsole
+    readapic
+    writeapic
+    privprofile
+    nonprivprofile
+    kexec
+       firmware
+       sleep
+       frequency
+       getidle
+       debug
+       getcpuinfo
+       heap
+       pm_op
+       mca_op
+       lockprof
+       cpupool_op
+       sched_op
+       tmem_op
+       tmem_control
+}
+
+class domain
+{
+       setvcpucontext
+       pause
+       unpause
+    resume
+    create
+    transition
+    max_vcpus
+    destroy
+    setvcpuaffinity
+       getvcpuaffinity
+       scheduler
+       getdomaininfo
+       getvcpuinfo
+       getvcpucontext
+       setdomainmaxmem
+       setdomainhandle
+       setdebugging
+       hypercall
+    settime
+    set_target
+    shutdown
+    setaddrsize
+    getaddrsize
+       trigger
+       getextvcpucontext
+       setextvcpucontext
+       getvcpuextstate
+       setvcpuextstate
+       getpodtarget
+       setpodtarget
+       set_misc_info
+       set_virq_handler
+}
+
+class domain2
+{
+       relabelfrom
+       relabelto
+       relabelself
+       make_priv_for
+       set_as_target
+       set_cpuid
+       gettsc
+       settsc
+}
+
+class hvm
+{
+    sethvmc
+    gethvmc
+    setparam
+    getparam
+    pcilevel
+    irqlevel
+    pciroute
+       bind_irq
+       cacheattr
+    trackdirtyvram
+    hvmctl
+    mem_event
+    mem_sharing
+    audit_p2m
+    send_irq
+    share_mem
+}
+
+class event
+{
+       bind
+       send
+       status
+       notify
+       create
+    reset
+}
+
+class grant
+{
+       map_read
+       map_write
+       unmap
+       transfer
+       setup
+    copy
+    query
+}
+
+class mmu
+{
+       map_read
+       map_write
+       pageinfo
+       pagelist
+    adjust
+    stat
+    translategp
+       updatemp
+    physmap
+    pinpage
+    mfnlist
+    memorymap
+    remote_remap
+       mmuext_op
+       exchange
+}
+
+class shadow
+{
+       disable
+       enable
+    logdirty
+}
+
+class resource
+{
+       add
+       remove
+       use
+       add_irq
+       remove_irq
+       add_ioport
+       remove_ioport
+       add_iomem
+       remove_iomem
+       stat_device
+       add_device
+       remove_device
+       plug
+       unplug
+       setup
+}
+
+class security
+{
+       compute_av
+       compute_create
+       compute_member
+       check_context
+       load_policy
+       compute_relabel
+       compute_user
+       setenforce
+       setbool
+       setsecparam
+        add_ocontext
+        del_ocontext
+}
diff --git a/xen/xsm/flask/policy/initial_sids 
b/xen/xsm/flask/policy/initial_sids
new file mode 100644
index 0000000..e508bde
--- /dev/null
+++ b/xen/xsm/flask/policy/initial_sids
@@ -0,0 +1,16 @@
+# FLASK
+
+#
+# Define initial security identifiers 
+#
+sid xen
+sid dom0
+sid domio
+sid domxen
+sid unlabeled
+sid security
+sid ioport
+sid iomem
+sid irq
+sid device
+# FLASK
diff --git a/xen/xsm/flask/policy/mkaccess_vector.sh 
b/xen/xsm/flask/policy/mkaccess_vector.sh
new file mode 100644
index 0000000..8ec87f7
--- /dev/null
+++ b/xen/xsm/flask/policy/mkaccess_vector.sh
@@ -0,0 +1,138 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="include/av_permissions.h"
+av_perm_to_string="include/av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN  {
+               outfile = \"$av_permissions\"
+               avpermfile = \"$av_perm_to_string\"
+               "'
+               nextstate = "COMMON_OR_AV";
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > outfile;
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > avpermfile;
+;
+       }
+/^[ \t]*#/     { 
+                       next;
+               }
+$1 == "class"  {
+                       if (nextstate != "COMMON_OR_AV" &&
+                           nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+                       {
+                               printf("Parse error:  Unexpected class 
definition on line %d\n", NR);
+                               next;   
+                       }
+
+                       tclass = $2;
+
+                       if (tclass in av_defined)
+                       {
+                               printf("Duplicate access vector definition for 
%s on line %d\n", tclass, NR);
+                               next;
+                       } 
+                       av_defined[tclass] = 1;
+
+                       permission = 1;
+
+                       nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+                       next;
+               }
+$1 == "{"      { 
+                       if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+                           nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+                           nextstate != "COMMON-OPENBRACKET")
+                       {
+                               printf("Parse error:  Unexpected { on line 
%d\n", NR);
+                               next;
+                       }
+
+                       if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+                               nextstate = "CLASS-CLOSEBRACKET";
+
+                       if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+                               nextstate = "CLASS-CLOSEBRACKET";
+
+                       if (nextstate == "COMMON-OPENBRACKET")
+                               nextstate = "COMMON-CLOSEBRACKET";
+               }
+/[a-z][a-z_]*/ {
+                       if (nextstate != "COMMON-CLOSEBRACKET" &&
+                           nextstate != "CLASS-CLOSEBRACKET")
+                       {
+                               printf("Parse error:  Unexpected symbol %s on 
line %d\n", $1, NR);              
+                               next;
+                       }
+
+                       if (nextstate == "COMMON-CLOSEBRACKET")
+                       {
+                               if ((common_name,$1) in common_perms)
+                               {
+                                       printf("Duplicate permission %s for 
common %s on line %d.\n", $1, common_name, NR);
+                                       next;
+                               }
+
+                               common_perms[common_name,$1] = permission;
+
+                               printf("#define COMMON_%s__%s", 
toupper(common_name), toupper($1)) > outfile; 
+
+                               printf("    S_(\"%s\")\n", $1) > cpermfile;
+                       }
+                       else
+                       {
+                               if ((tclass,$1) in av_perms)
+                               {
+                                       printf("Duplicate permission %s for %s 
on line %d.\n", $1, tclass, NR);
+                                       next;
+                               }
+
+                               av_perms[tclass,$1] = permission;
+               
+                               printf("#define %s__%s", toupper(tclass), 
toupper($1)) > outfile; 
+
+                               printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", 
toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
+                       }
+
+                       spaces = 40 - (length($1) + length(tclass));
+                       if (spaces < 1)
+                             spaces = 1;
+
+                       for (i = 0; i < spaces; i++) 
+                               printf(" ") > outfile; 
+                       printf("0x%08xUL\n", permission) > outfile; 
+                       permission = permission * 2;
+               }
+$1 == "}"      {
+                       if (nextstate != "CLASS-CLOSEBRACKET" && 
+                           nextstate != "COMMON-CLOSEBRACKET")
+                       {
+                               printf("Parse error:  Unexpected } on line 
%d\n", NR);
+                               next;
+                       }
+
+                       if (nextstate == "COMMON-CLOSEBRACKET")
+                       {
+                               common_base[common_name] = permission;
+                               printf("TE_(common_%s_perm_to_string)\n\n", 
common_name) > cpermfile; 
+                       }
+
+                       printf("\n") > outfile;
+
+                       nextstate = "COMMON_OR_AV";
+               }
+END    {
+               if (nextstate != "COMMON_OR_AV" && nextstate != 
"CLASS_OR_CLASS-OPENBRACKET")
+                       printf("Parse error:  Unexpected end of file\n");
+
+       }'
+
+# FLASK
diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
new file mode 100644
index 0000000..e8d8fb5
--- /dev/null
+++ b/xen/xsm/flask/policy/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="include/flask.h"
+debug_file="include/class_to_string.h"
+debug_file2="include/initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN  {
+               outfile = \"$output_file\"
+               debugfile = \"$debug_file\"
+               debugfile2 = \"$debug_file2\"
+               "'
+               nextstate = "CLASS";
+
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > outfile;
+
+               printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+               printf("#define _SELINUX_FLASK_H_\n") > outfile;
+               printf("\n/*\n * Security object class definitions\n */\n") > 
outfile;
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > debugfile;
+               printf("/*\n * Security object class definitions\n */\n") > 
debugfile;
+               printf("    S_(\"null\")\n") > debugfile;
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > debugfile2;
+               printf("static char *initial_sid_to_string[] =\n{\n") > 
debugfile2;
+               printf("    \"null\",\n") > debugfile2;
+       }
+/^[ \t]*#/     { 
+                       next;
+               }
+$1 == "class"  { 
+                       if (nextstate != "CLASS")
+                       {
+                               printf("Parse error:  Unexpected class 
definition on line %d\n", NR);
+                               next;   
+                       }
+
+                       if ($2 in class_found)
+                       {
+                               printf("Duplicate class definition for %s on 
line %d.\n", $2, NR);
+                               next;
+                       }       
+                       class_found[$2] = 1;
+
+                       class_value++;
+
+                       printf("#define SECCLASS_%s", toupper($2)) > outfile;
+                       for (i = 0; i < 40 - length($2); i++) 
+                               printf(" ") > outfile; 
+                       printf("%d\n", class_value) > outfile; 
+
+                       printf("    S_(\"%s\")\n", $2) > debugfile;
+               }
+$1 == "sid"    { 
+                       if (nextstate == "CLASS")
+                       {
+                           nextstate = "SID";
+                           printf("\n/*\n * Security identifier indices for 
initial entities\n */\n") > outfile;                           
+                       }
+
+                       if ($2 in sid_found)
+                       {
+                               printf("Duplicate SID definition for %s on line 
%d.\n", $2, NR);
+                               next;
+                       }       
+                       sid_found[$2] = 1;
+                       sid_value++;
+
+                       printf("#define SECINITSID_%s", toupper($2)) > outfile;
+                       for (i = 0; i < 37 - length($2); i++) 
+                               printf(" ") > outfile; 
+                       printf("%d\n", sid_value) > outfile; 
+                       printf("    \"%s\",\n", $2) > debugfile2;
+               }
+END    {
+               if (nextstate != "SID")
+                       printf("Parse error:  Unexpected end of file\n");
+
+               printf("\n#define SECINITSID_NUM") > outfile;
+               for (i = 0; i < 34; i++) 
+                       printf(" ") > outfile; 
+               printf("%d\n", sid_value) > outfile; 
+               printf("\n#endif\n") > outfile;
+               printf("};\n\n") > debugfile2;
+       }'
+
+# FLASK
diff --git a/xen/xsm/flask/policy/security_classes 
b/xen/xsm/flask/policy/security_classes
new file mode 100644
index 0000000..ef134a7
--- /dev/null
+++ b/xen/xsm/flask/policy/security_classes
@@ -0,0 +1,21 @@
+# FLASK
+
+#
+# Define the security object classes 
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class xen
+class domain
+class domain2
+class hvm
+class mmu
+class resource
+class shadow
+class event
+class grant
+class security
+
+# FLASK
-- 
1.7.11.7


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.