[Xen-devel] [PATCH 19/23] flask: move policy headers into hypervisor
Rather than keeping around headers that are autogenerated in order to avoid adding build dependencies from xen/ to files in tools/, move the relevant parts of the FLASK policy into the hypervisor tree and generate the headers as part of the hypervisor's build. 
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> --- .gitignore | 5 + .hgignore | 5 + tools/flask/policy/Makefile | 2 +- tools/flask/policy/policy/flask/Makefile | 41 ----- tools/flask/policy/policy/flask/access_vectors | 190 --------------------- tools/flask/policy/policy/flask/initial_sids | 16 -- tools/flask/policy/policy/flask/mkaccess_vector.sh | 138 --------------- tools/flask/policy/policy/flask/mkflask.sh | 95 ----------- tools/flask/policy/policy/flask/security_classes | 21 --- xen/xsm/flask/Makefile | 25 +++ xen/xsm/flask/include/av_perm_to_string.h | 147 ---------------- xen/xsm/flask/include/av_permissions.h | 157 ----------------- xen/xsm/flask/include/class_to_string.h | 15 -- xen/xsm/flask/include/flask.h | 35 ---- xen/xsm/flask/include/initial_sid_to_string.h | 16 -- xen/xsm/flask/policy/access_vectors | 190 +++++++++++++++++++++ xen/xsm/flask/policy/initial_sids | 16 ++ xen/xsm/flask/policy/mkaccess_vector.sh | 138 +++++++++++++++ xen/xsm/flask/policy/mkflask.sh | 95 +++++++++++ xen/xsm/flask/policy/security_classes | 21 +++ 20 files changed, 496 insertions(+), 872 deletions(-) delete mode 100644 tools/flask/policy/policy/flask/Makefile delete mode 100644 tools/flask/policy/policy/flask/access_vectors delete mode 100644 tools/flask/policy/policy/flask/initial_sids delete mode 100644 tools/flask/policy/policy/flask/mkaccess_vector.sh delete mode 100644 tools/flask/policy/policy/flask/mkflask.sh delete mode 100644 tools/flask/policy/policy/flask/security_classes delete mode 100644 xen/xsm/flask/include/av_perm_to_string.h delete mode 100644 xen/xsm/flask/include/av_permissions.h delete mode 100644 xen/xsm/flask/include/class_to_string.h delete mode 100644 xen/xsm/flask/include/flask.h delete mode 100644 xen/xsm/flask/include/initial_sid_to_string.h create mode 100644 xen/xsm/flask/policy/access_vectors create mode 100644 xen/xsm/flask/policy/initial_sids create mode 100644 xen/xsm/flask/policy/mkaccess_vector.sh create mode 100644 
xen/xsm/flask/policy/mkflask.sh
create mode 100644 xen/xsm/flask/policy/security_classes
diff --git a/.gitignore b/.gitignore
index f6edc43..aac7a14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -309,6 +309,11 @@ xen/include/xen/banner.h
 xen/include/xen/compile.h
 xen/tools/figlet/figlet
 xen/tools/symbols
+xen/xsm/flask/include/av_perm_to_string.h
+xen/xsm/flask/include/av_permissions.h
+xen/xsm/flask/include/class_to_string.h
+xen/xsm/flask/include/flask.h
+xen/xsm/flask/include/initial_sid_to_string.h
 xen/xen
 xen/xen-syms
 xen/xen.*
diff --git a/.hgignore b/.hgignore
index 344792a..5ed903f 100644
--- a/.hgignore
+++ b/.hgignore
@@ -339,6 +339,11 @@
 ^xen/include/xen/compile\.h$
 ^xen/tools/figlet/figlet$
 ^xen/tools/symbols$
+^xen/xsm/flask/include/av_perm_to_string\.h$
+^xen/xsm/flask/include/av_permissions\.h$
+^xen/xsm/flask/include/class_to_string\.h$
+^xen/xsm/flask/include/flask\.h$
+^xen/xsm/flask/include/initial_sid_to_string\.h$
 ^xen/xen$
 ^xen/xen-syms$
 ^xen/xen\..*$
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 5c25cbe..3f5aa38 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -61,7 +61,7 @@ LOADPOLICY := $(SBINDIR)/flask-loadpolicy
 # policy source layout
 POLDIR := policy
 MODDIR := $(POLDIR)/modules
-FLASKDIR := $(POLDIR)/flask
+FLASKDIR := ../../../xen/xsm/flask/policy
 SECCLASS := $(FLASKDIR)/security_classes
 ISIDS := $(FLASKDIR)/initial_sids
 AVS := $(FLASKDIR)/access_vectors
diff --git a/tools/flask/policy/policy/flask/Makefile b/tools/flask/policy/policy/flask/Makefile
deleted file mode 100644
index 5f57e88..0000000
--- a/tools/flask/policy/policy/flask/Makefile
+++ /dev/null
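Review bot: The new `FLASKDIR := ../../../xen/xsm/flask/policy` hard-codes a relative path out of the tools tree, so the policy build now silently assumes an in-tree checkout with xen/ next to tools/ and breaks if tools/flask/policy is built from another location or the layout moves again. If this Makefile already has the tree root in scope, as the tools Makefiles conventionally do through XEN_ROOT, anchoring on it would be more robust: `FLASKDIR := $(XEN_ROOT)/xen/xsm/flask/policy`. A one-line comment above the assignment saying that the class, SID and access-vector definitions are now shared with the hypervisor build (which generates its headers from the same files) would also tell the next reader why the policy sources live outside tools/.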
@@ -1,41 +0,0 @@ -# flask needs to know where to export the libselinux headers. -LIBSEL ?= ../../libselinux - -# flask needs to know where to export the kernel headers. -LINUXDIR ?= ../../../linux-2.6 - -AWK = awk - -CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ - else if [ -x /bin/bash ]; then echo /bin/bash; \ - else echo sh; fi ; fi) - -FLASK_H_DEPEND = security_classes initial_sids -AV_H_DEPEND = access_vectors - -FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h -AV_H_FILES = av_perm_to_string.h av_permissions.h -ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES) - -all: $(ALL_H_FILES) - -$(FLASK_H_FILES): $(FLASK_H_DEPEND) - $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND) - -$(AV_H_FILES): $(AV_H_DEPEND) - $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND) - -tolib: all - install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux - install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src - -tokern: all - install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include - -install: all - -relabel: - -clean: - rm -f $(FLASK_H_FILES) - rm -f $(AV_H_FILES) diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors deleted file mode 100644 index 7a7e253..0000000 --- a/tools/flask/policy/policy/flask/access_vectors +++ /dev/null 
@@ -1,190 +0,0 @@ -# -# Define the access vectors. -# -# class class_name { permission_name ... } - -class xen -{ - scheduler - settime - tbufcontrol - readconsole - clearconsole - perfcontrol - mtrr_add - mtrr_del - mtrr_read - microcode - physinfo - quirk - writeconsole - readapic - writeapic - privprofile - nonprivprofile - kexec - firmware - sleep - frequency - getidle - debug - getcpuinfo - heap - pm_op - mca_op - lockprof - cpupool_op - sched_op - tmem_op - tmem_control -} - -class domain -{ - setvcpucontext - pause - unpause - resume - create - transition - max_vcpus - destroy - setvcpuaffinity - getvcpuaffinity - scheduler - getdomaininfo - getvcpuinfo - getvcpucontext - setdomainmaxmem - setdomainhandle - setdebugging - hypercall - settime - set_target - shutdown - setaddrsize - getaddrsize - trigger - getextvcpucontext - setextvcpucontext - getvcpuextstate - setvcpuextstate - getpodtarget - setpodtarget - set_misc_info - set_virq_handler -} - -class domain2 -{ - relabelfrom - relabelto - relabelself - make_priv_for - set_as_target - set_cpuid - gettsc - settsc -} - -class hvm -{ - sethvmc - gethvmc - setparam - getparam - pcilevel - irqlevel - pciroute - bind_irq - cacheattr - trackdirtyvram - hvmctl - mem_event - mem_sharing - audit_p2m - send_irq - share_mem -} - -class event -{ - bind - send - status - notify - create - reset -} - -class grant -{ - map_read - map_write - unmap - transfer - setup - copy - query -} - -class mmu -{ - map_read - map_write - pageinfo - pagelist - adjust - stat - translategp - updatemp - physmap - pinpage - mfnlist - memorymap - remote_remap - mmuext_op - exchange -} - -class shadow -{ - disable - enable - logdirty -} - -class resource -{ - add - remove - use - add_irq - remove_irq - add_ioport - remove_ioport - add_iomem - remove_iomem - stat_device - add_device - remove_device - plug - unplug - setup -} - -class security -{ - compute_av - compute_create - compute_member - check_context - load_policy - compute_relabel - 
compute_user - setenforce - setbool - setsecparam - add_ocontext - del_ocontext -} diff --git a/tools/flask/policy/policy/flask/initial_sids b/tools/flask/policy/policy/flask/initial_sids deleted file mode 100644 index e508bde..0000000 --- a/tools/flask/policy/policy/flask/initial_sids +++ /dev/null @@ -1,16 +0,0 @@ -# FLASK - -# -# Define initial security identifiers -# -sid xen -sid dom0 -sid domio -sid domxen -sid unlabeled -sid security -sid ioport -sid iomem -sid irq -sid device -# FLASK diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/tools/flask/policy/policy/flask/mkaccess_vector.sh deleted file mode 100644 index 43a60a7..0000000 --- a/tools/flask/policy/policy/flask/mkaccess_vector.sh +++ /dev/null 
@@ -1,138 +0,0 @@ -#!/bin/sh - -# - -# FLASK - -set -e - -awk=$1 -shift - -# output files -av_permissions="av_permissions.h" -av_perm_to_string="av_perm_to_string.h" - -cat $* | $awk " -BEGIN { - outfile = \"$av_permissions\" - avpermfile = \"$av_perm_to_string\" - "' - nextstate = "COMMON_OR_AV"; - printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; -; - } -/^[ \t]*#/ { - next; - } -$1 == "class" { - if (nextstate != "COMMON_OR_AV" && - nextstate != "CLASS_OR_CLASS-OPENBRACKET") - { - printf("Parse error: Unexpected class definition on line %d\n", NR); - next; - } - - tclass = $2; - - if (tclass in av_defined) - { - printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); - next; - } - av_defined[tclass] = 1; - - permission = 1; - - nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; - next; - } -$1 == "{" { - if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && - nextstate != "CLASS_OR_CLASS-OPENBRACKET" && - nextstate != "COMMON-OPENBRACKET") - { - printf("Parse error: Unexpected { on line %d\n", NR); - next; - } - - if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") - nextstate = "CLASS-CLOSEBRACKET"; - - if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") - nextstate = "CLASS-CLOSEBRACKET"; - - if (nextstate == "COMMON-OPENBRACKET") - nextstate = "COMMON-CLOSEBRACKET"; - } -/[a-z][a-z_]*/ { - if (nextstate != "COMMON-CLOSEBRACKET" && - nextstate != "CLASS-CLOSEBRACKET") - { - printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); - next; - } - - if (nextstate == "COMMON-CLOSEBRACKET") - { - if ((common_name,$1) in common_perms) - { - printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); - next; - } - - common_perms[common_name,$1] = permission; - - printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; - - printf(" S_(\"%s\")\n", $1) > cpermfile; - } - else - { - if ((tclass,$1) 
in av_perms) - { - printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); - next; - } - - av_perms[tclass,$1] = permission; - - printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; - - printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; - } - - spaces = 40 - (length($1) + length(tclass)); - if (spaces < 1) - spaces = 1; - - for (i = 0; i < spaces; i++) - printf(" ") > outfile; - printf("0x%08xUL\n", permission) > outfile; - permission = permission * 2; - } -$1 == "}" { - if (nextstate != "CLASS-CLOSEBRACKET" && - nextstate != "COMMON-CLOSEBRACKET") - { - printf("Parse error: Unexpected } on line %d\n", NR); - next; - } - - if (nextstate == "COMMON-CLOSEBRACKET") - { - common_base[common_name] = permission; - printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; - } - - printf("\n") > outfile; - - nextstate = "COMMON_OR_AV"; - } -END { - if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") - printf("Parse error: Unexpected end of file\n"); - - }' - -# FLASK diff --git a/tools/flask/policy/policy/flask/mkflask.sh b/tools/flask/policy/policy/flask/mkflask.sh deleted file mode 100644 index 9c84754..0000000 --- a/tools/flask/policy/policy/flask/mkflask.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/sh - -# - -# FLASK - -set -e - -awk=$1 -shift 1 - -# output file -output_file="flask.h" -debug_file="class_to_string.h" -debug_file2="initial_sid_to_string.h" - -cat $* | $awk " -BEGIN { - outfile = \"$output_file\" - debugfile = \"$debug_file\" - debugfile2 = \"$debug_file2\" - "' - nextstate = "CLASS"; - - printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - - printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; - printf("#define _SELINUX_FLASK_H_\n") > outfile; - printf("\n/*\n * Security object class definitions\n */\n") > outfile; - printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; - printf("/*\n * Security object class definitions\n */\n") > debugfile; - printf(" S_(\"null\")\n") > debugfile; - printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; - printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; - printf(" \"null\",\n") > debugfile2; - } -/^[ \t]*#/ { - next; - } -$1 == "class" { - if (nextstate != "CLASS") - { - printf("Parse error: Unexpected class definition on line %d\n", NR); - next; - } - - if ($2 in class_found) - { - printf("Duplicate class definition for %s on line %d.\n", $2, NR); - next; - } - class_found[$2] = 1; - - class_value++; - - printf("#define SECCLASS_%s", toupper($2)) > outfile; - for (i = 0; i < 40 - length($2); i++) - printf(" ") > outfile; - printf("%d\n", class_value) > outfile; - - printf(" S_(\"%s\")\n", $2) > debugfile; - } -$1 == "sid" { - if (nextstate == "CLASS") - { - nextstate = "SID"; - printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; - } - - if ($2 in sid_found) - { - printf("Duplicate SID definition for %s on line %d.\n", $2, NR); - next; - } - sid_found[$2] = 1; - sid_value++; - - printf("#define SECINITSID_%s", toupper($2)) > outfile; - for (i = 0; i < 37 - length($2); i++) - printf(" ") > outfile; - printf("%d\n", sid_value) > outfile; - printf(" 
\"%s\",\n", $2) > debugfile2;
- }
-END {
- if (nextstate != "SID")
- printf("Parse error: Unexpected end of file\n");
-
- printf("\n#define SECINITSID_NUM") > outfile;
- for (i = 0; i < 34; i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf("\n#endif\n") > outfile;
- printf("};\n\n") > debugfile2;
- }'
-
-# FLASK
diff --git a/tools/flask/policy/policy/flask/security_classes b/tools/flask/policy/policy/flask/security_classes
deleted file mode 100644
index ef134a7..0000000
--- a/tools/flask/policy/policy/flask/security_classes
+++ /dev/null
@@ -1,21 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class xen
-class domain
-class domain2
-class hvm
-class mmu
-class resource
-class shadow
-class event
-class grant
-class security
-
-# FLASK
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 92fb410..1256512 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -5,3 +5,28 @@ obj-y += flask_op.o subdir-y += ss CFLAGS += -I./include
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ - else if [ -x /bin/bash ]; then echo /bin/bash; \ - else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = policy/security_classes policy/initial_sids
+AV_H_DEPEND = policy/access_vectors
+
+FLASK_H_FILES = include/flask.h include/class_to_string.h include/initial_sid_to_string.h
+AV_H_FILES = include/av_perm_to_string.h include/av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+$(obj-y) ss/built_in.o: $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+ $(CONFIG_SHELL) policy/mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+ $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+.PHONY: clean
+clean::
+ rm -f $(ALL_H_FILES) *.o $(DEPS)
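Review bot: `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` in the xen/xsm/flask/Makefile hunk each list several targets with one recipe, which make treats as independent rules that happen to share a recipe, so under a parallel build (`make -j`) the generator script can be started two or three times concurrently, every run truncating and rewriting all of the same headers; the likely symptom is a truncated or interleaved header and a confusing compile error, or a header rewritten while the compiler is already reading it. Making one header per generator the real target and having the siblings depend on it serializes the generation, and listing the scripts themselves as prerequisites means editing policy/mkflask.sh or policy/mkaccess_vector.sh regenerates the headers instead of leaving stale ones in place. Note also that the deleted scripts wrote into the current directory (`output_file="flask.h"`, `av_permissions="av_permissions.h"`), so these rules only produce include/*.h if the moved copies were changed accordingly; the new mkaccess_vector.sh has a different blob id from the deleted one, which suggests so, but the moved mkflask.sh is not visible in this excerpt.
```makefile
# … unchanged: AWK, CONFIG_SHELL, *_DEPEND and *_FILES definitions …
$(obj-y) ss/built_in.o: $(ALL_H_FILES)

# One real target per generator; the remaining headers are written by the
# same run, so they only depend on it.  This keeps a parallel make from
# running a script several times over the same output files.
include/flask.h: policy/mkflask.sh $(FLASK_H_DEPEND)
	$(CONFIG_SHELL) policy/mkflask.sh $(AWK) $(FLASK_H_DEPEND)
include/class_to_string.h include/initial_sid_to_string.h: include/flask.h

include/av_permissions.h: policy/mkaccess_vector.sh $(AV_H_DEPEND)
	$(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
include/av_perm_to_string.h: include/av_permissions.h

# … unchanged: .PHONY / clean …
```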
diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h
deleted file mode 100644
index c3f2370..0000000
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ /dev/null
@@ -1,147 +0,0 @@ -/* This file is automatically generated. Do not edit. */ - S_(SECCLASS_XEN, XEN__SCHEDULER, "scheduler") - S_(SECCLASS_XEN, XEN__SETTIME, "settime") - S_(SECCLASS_XEN, XEN__TBUFCONTROL, "tbufcontrol") - S_(SECCLASS_XEN, XEN__READCONSOLE, "readconsole") - S_(SECCLASS_XEN, XEN__CLEARCONSOLE, "clearconsole") - S_(SECCLASS_XEN, XEN__PERFCONTROL, "perfcontrol") - S_(SECCLASS_XEN, XEN__MTRR_ADD, "mtrr_add") - S_(SECCLASS_XEN, XEN__MTRR_DEL, "mtrr_del") - S_(SECCLASS_XEN, XEN__MTRR_READ, "mtrr_read") - S_(SECCLASS_XEN, XEN__MICROCODE, "microcode") - S_(SECCLASS_XEN, XEN__PHYSINFO, "physinfo") - S_(SECCLASS_XEN, XEN__QUIRK, "quirk") - S_(SECCLASS_XEN, XEN__WRITECONSOLE, "writeconsole") - S_(SECCLASS_XEN, XEN__READAPIC, "readapic") - S_(SECCLASS_XEN, XEN__WRITEAPIC, "writeapic") - S_(SECCLASS_XEN, XEN__PRIVPROFILE, "privprofile") - S_(SECCLASS_XEN, XEN__NONPRIVPROFILE, "nonprivprofile") - S_(SECCLASS_XEN, XEN__KEXEC, "kexec") - S_(SECCLASS_XEN, XEN__FIRMWARE, "firmware") - S_(SECCLASS_XEN, XEN__SLEEP, "sleep") - S_(SECCLASS_XEN, XEN__FREQUENCY, "frequency") - S_(SECCLASS_XEN, XEN__GETIDLE, "getidle") - S_(SECCLASS_XEN, XEN__DEBUG, "debug") - S_(SECCLASS_XEN, XEN__GETCPUINFO, "getcpuinfo") - S_(SECCLASS_XEN, XEN__HEAP, "heap") - S_(SECCLASS_XEN, XEN__PM_OP, "pm_op") - S_(SECCLASS_XEN, XEN__MCA_OP, "mca_op") - S_(SECCLASS_XEN, XEN__LOCKPROF, "lockprof") - S_(SECCLASS_XEN, XEN__CPUPOOL_OP, "cpupool_op") - S_(SECCLASS_XEN, XEN__SCHED_OP, "sched_op") - S_(SECCLASS_XEN, XEN__TMEM_OP, "tmem_op") - S_(SECCLASS_XEN, XEN__TMEM_CONTROL, "tmem_control") - S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT, "setvcpucontext") - S_(SECCLASS_DOMAIN, DOMAIN__PAUSE, "pause") - S_(SECCLASS_DOMAIN, DOMAIN__UNPAUSE, "unpause") - S_(SECCLASS_DOMAIN, DOMAIN__RESUME, "resume") - S_(SECCLASS_DOMAIN, DOMAIN__CREATE, "create") - S_(SECCLASS_DOMAIN, DOMAIN__TRANSITION, "transition") - S_(SECCLASS_DOMAIN, DOMAIN__MAX_VCPUS, "max_vcpus") - S_(SECCLASS_DOMAIN, DOMAIN__DESTROY, "destroy") - 
S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUAFFINITY, "setvcpuaffinity") - S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUAFFINITY, "getvcpuaffinity") - S_(SECCLASS_DOMAIN, DOMAIN__SCHEDULER, "scheduler") - S_(SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO, "getdomaininfo") - S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUINFO, "getvcpuinfo") - S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT, "getvcpucontext") - S_(SECCLASS_DOMAIN, DOMAIN__SETDOMAINMAXMEM, "setdomainmaxmem") - S_(SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE, "setdomainhandle") - S_(SECCLASS_DOMAIN, DOMAIN__SETDEBUGGING, "setdebugging") - S_(SECCLASS_DOMAIN, DOMAIN__HYPERCALL, "hypercall") - S_(SECCLASS_DOMAIN, DOMAIN__SETTIME, "settime") - S_(SECCLASS_DOMAIN, DOMAIN__SET_TARGET, "set_target") - S_(SECCLASS_DOMAIN, DOMAIN__SHUTDOWN, "shutdown") - S_(SECCLASS_DOMAIN, DOMAIN__SETADDRSIZE, "setaddrsize") - S_(SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE, "getaddrsize") - S_(SECCLASS_DOMAIN, DOMAIN__TRIGGER, "trigger") - S_(SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT, "getextvcpucontext") - S_(SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT, "setextvcpucontext") - S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE, "getvcpuextstate") - S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE, "setvcpuextstate") - S_(SECCLASS_DOMAIN, DOMAIN__GETPODTARGET, "getpodtarget") - S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget") - S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info") - S_(SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER, "set_virq_handler") - S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, "relabelfrom") - S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, "relabelto") - S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself") - S_(SECCLASS_DOMAIN2, DOMAIN2__MAKE_PRIV_FOR, "make_priv_for") - S_(SECCLASS_DOMAIN2, DOMAIN2__SET_AS_TARGET, "set_as_target") - S_(SECCLASS_DOMAIN2, DOMAIN2__SET_CPUID, "set_cpuid") - S_(SECCLASS_DOMAIN2, DOMAIN2__GETTSC, "gettsc") - S_(SECCLASS_DOMAIN2, DOMAIN2__SETTSC, "settsc") - S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc") - S_(SECCLASS_HVM, HVM__GETHVMC, 
"gethvmc") - S_(SECCLASS_HVM, HVM__SETPARAM, "setparam") - S_(SECCLASS_HVM, HVM__GETPARAM, "getparam") - S_(SECCLASS_HVM, HVM__PCILEVEL, "pcilevel") - S_(SECCLASS_HVM, HVM__IRQLEVEL, "irqlevel") - S_(SECCLASS_HVM, HVM__PCIROUTE, "pciroute") - S_(SECCLASS_HVM, HVM__BIND_IRQ, "bind_irq") - S_(SECCLASS_HVM, HVM__CACHEATTR, "cacheattr") - S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram") - S_(SECCLASS_HVM, HVM__HVMCTL, "hvmctl") - S_(SECCLASS_HVM, HVM__MEM_EVENT, "mem_event") - S_(SECCLASS_HVM, HVM__MEM_SHARING, "mem_sharing") - S_(SECCLASS_HVM, HVM__AUDIT_P2M, "audit_p2m") - S_(SECCLASS_HVM, HVM__SEND_IRQ, "send_irq") - S_(SECCLASS_HVM, HVM__SHARE_MEM, "share_mem") - S_(SECCLASS_EVENT, EVENT__BIND, "bind") - S_(SECCLASS_EVENT, EVENT__SEND, "send") - S_(SECCLASS_EVENT, EVENT__STATUS, "status") - S_(SECCLASS_EVENT, EVENT__NOTIFY, "notify") - S_(SECCLASS_EVENT, EVENT__CREATE, "create") - S_(SECCLASS_EVENT, EVENT__RESET, "reset") - S_(SECCLASS_GRANT, GRANT__MAP_READ, "map_read") - S_(SECCLASS_GRANT, GRANT__MAP_WRITE, "map_write") - S_(SECCLASS_GRANT, GRANT__UNMAP, "unmap") - S_(SECCLASS_GRANT, GRANT__TRANSFER, "transfer") - S_(SECCLASS_GRANT, GRANT__SETUP, "setup") - S_(SECCLASS_GRANT, GRANT__COPY, "copy") - S_(SECCLASS_GRANT, GRANT__QUERY, "query") - S_(SECCLASS_MMU, MMU__MAP_READ, "map_read") - S_(SECCLASS_MMU, MMU__MAP_WRITE, "map_write") - S_(SECCLASS_MMU, MMU__PAGEINFO, "pageinfo") - S_(SECCLASS_MMU, MMU__PAGELIST, "pagelist") - S_(SECCLASS_MMU, MMU__ADJUST, "adjust") - S_(SECCLASS_MMU, MMU__STAT, "stat") - S_(SECCLASS_MMU, MMU__TRANSLATEGP, "translategp") - S_(SECCLASS_MMU, MMU__UPDATEMP, "updatemp") - S_(SECCLASS_MMU, MMU__PHYSMAP, "physmap") - S_(SECCLASS_MMU, MMU__PINPAGE, "pinpage") - S_(SECCLASS_MMU, MMU__MFNLIST, "mfnlist") - S_(SECCLASS_MMU, MMU__MEMORYMAP, "memorymap") - S_(SECCLASS_MMU, MMU__REMOTE_REMAP, "remote_remap") - S_(SECCLASS_MMU, MMU__MMUEXT_OP, "mmuext_op") - S_(SECCLASS_MMU, MMU__EXCHANGE, "exchange") - S_(SECCLASS_SHADOW, SHADOW__DISABLE, 
"disable") - S_(SECCLASS_SHADOW, SHADOW__ENABLE, "enable") - S_(SECCLASS_SHADOW, SHADOW__LOGDIRTY, "logdirty") - S_(SECCLASS_RESOURCE, RESOURCE__ADD, "add") - S_(SECCLASS_RESOURCE, RESOURCE__REMOVE, "remove") - S_(SECCLASS_RESOURCE, RESOURCE__USE, "use") - S_(SECCLASS_RESOURCE, RESOURCE__ADD_IRQ, "add_irq") - S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IRQ, "remove_irq") - S_(SECCLASS_RESOURCE, RESOURCE__ADD_IOPORT, "add_ioport") - S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IOPORT, "remove_ioport") - S_(SECCLASS_RESOURCE, RESOURCE__ADD_IOMEM, "add_iomem") - S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IOMEM, "remove_iomem") - S_(SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, "stat_device") - S_(SECCLASS_RESOURCE, RESOURCE__ADD_DEVICE, "add_device") - S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_DEVICE, "remove_device") - S_(SECCLASS_RESOURCE, RESOURCE__PLUG, "plug") - S_(SECCLASS_RESOURCE, RESOURCE__UNPLUG, "unplug") - S_(SECCLASS_RESOURCE, RESOURCE__SETUP, "setup") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member") - S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context") - S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel") - S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user") - S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce") - S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool") - S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam") - S_(SECCLASS_SECURITY, SECURITY__ADD_OCONTEXT, "add_ocontext") - S_(SECCLASS_SECURITY, SECURITY__DEL_OCONTEXT, "del_ocontext") diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h deleted file mode 100644 index 65302e8..0000000 --- a/xen/xsm/flask/include/av_permissions.h +++ /dev/null 
@@ -1,157 +0,0 @@ -/* This file is automatically generated. Do not edit. */ -#define XEN__SCHEDULER 0x00000001UL -#define XEN__SETTIME 0x00000002UL -#define XEN__TBUFCONTROL 0x00000004UL -#define XEN__READCONSOLE 0x00000008UL -#define XEN__CLEARCONSOLE 0x00000010UL -#define XEN__PERFCONTROL 0x00000020UL -#define XEN__MTRR_ADD 0x00000040UL -#define XEN__MTRR_DEL 0x00000080UL -#define XEN__MTRR_READ 0x00000100UL -#define XEN__MICROCODE 0x00000200UL -#define XEN__PHYSINFO 0x00000400UL -#define XEN__QUIRK 0x00000800UL -#define XEN__WRITECONSOLE 0x00001000UL -#define XEN__READAPIC 0x00002000UL -#define XEN__WRITEAPIC 0x00004000UL -#define XEN__PRIVPROFILE 0x00008000UL -#define XEN__NONPRIVPROFILE 0x00010000UL -#define XEN__KEXEC 0x00020000UL -#define XEN__FIRMWARE 0x00040000UL -#define XEN__SLEEP 0x00080000UL -#define XEN__FREQUENCY 0x00100000UL -#define XEN__GETIDLE 0x00200000UL -#define XEN__DEBUG 0x00400000UL -#define XEN__GETCPUINFO 0x00800000UL -#define XEN__HEAP 0x01000000UL -#define XEN__PM_OP 0x02000000UL -#define XEN__MCA_OP 0x04000000UL -#define XEN__LOCKPROF 0x08000000UL -#define XEN__CPUPOOL_OP 0x10000000UL -#define XEN__SCHED_OP 0x20000000UL -#define XEN__TMEM_OP 0x40000000UL -#define XEN__TMEM_CONTROL 0x80000000UL - -#define DOMAIN__SETVCPUCONTEXT 0x00000001UL -#define DOMAIN__PAUSE 0x00000002UL -#define DOMAIN__UNPAUSE 0x00000004UL -#define DOMAIN__RESUME 0x00000008UL -#define DOMAIN__CREATE 0x00000010UL -#define DOMAIN__TRANSITION 0x00000020UL -#define DOMAIN__MAX_VCPUS 0x00000040UL -#define DOMAIN__DESTROY 0x00000080UL -#define DOMAIN__SETVCPUAFFINITY 0x00000100UL -#define DOMAIN__GETVCPUAFFINITY 0x00000200UL -#define DOMAIN__SCHEDULER 0x00000400UL -#define DOMAIN__GETDOMAININFO 0x00000800UL -#define DOMAIN__GETVCPUINFO 0x00001000UL -#define DOMAIN__GETVCPUCONTEXT 0x00002000UL -#define DOMAIN__SETDOMAINMAXMEM 0x00004000UL -#define DOMAIN__SETDOMAINHANDLE 0x00008000UL -#define DOMAIN__SETDEBUGGING 0x00010000UL -#define DOMAIN__HYPERCALL 0x00020000UL 
-#define DOMAIN__SETTIME 0x00040000UL -#define DOMAIN__SET_TARGET 0x00080000UL -#define DOMAIN__SHUTDOWN 0x00100000UL -#define DOMAIN__SETADDRSIZE 0x00200000UL -#define DOMAIN__GETADDRSIZE 0x00400000UL -#define DOMAIN__TRIGGER 0x00800000UL -#define DOMAIN__GETEXTVCPUCONTEXT 0x01000000UL -#define DOMAIN__SETEXTVCPUCONTEXT 0x02000000UL -#define DOMAIN__GETVCPUEXTSTATE 0x04000000UL -#define DOMAIN__SETVCPUEXTSTATE 0x08000000UL -#define DOMAIN__GETPODTARGET 0x10000000UL -#define DOMAIN__SETPODTARGET 0x20000000UL -#define DOMAIN__SET_MISC_INFO 0x40000000UL -#define DOMAIN__SET_VIRQ_HANDLER 0x80000000UL - -#define DOMAIN2__RELABELFROM 0x00000001UL -#define DOMAIN2__RELABELTO 0x00000002UL -#define DOMAIN2__RELABELSELF 0x00000004UL -#define DOMAIN2__MAKE_PRIV_FOR 0x00000008UL -#define DOMAIN2__SET_AS_TARGET 0x00000010UL -#define DOMAIN2__SET_CPUID 0x00000020UL -#define DOMAIN2__GETTSC 0x00000040UL -#define DOMAIN2__SETTSC 0x00000080UL - -#define HVM__SETHVMC 0x00000001UL -#define HVM__GETHVMC 0x00000002UL -#define HVM__SETPARAM 0x00000004UL -#define HVM__GETPARAM 0x00000008UL -#define HVM__PCILEVEL 0x00000010UL -#define HVM__IRQLEVEL 0x00000020UL -#define HVM__PCIROUTE 0x00000040UL -#define HVM__BIND_IRQ 0x00000080UL -#define HVM__CACHEATTR 0x00000100UL -#define HVM__TRACKDIRTYVRAM 0x00000200UL -#define HVM__HVMCTL 0x00000400UL -#define HVM__MEM_EVENT 0x00000800UL -#define HVM__MEM_SHARING 0x00001000UL -#define HVM__AUDIT_P2M 0x00002000UL -#define HVM__SEND_IRQ 0x00004000UL -#define HVM__SHARE_MEM 0x00008000UL - -#define EVENT__BIND 0x00000001UL -#define EVENT__SEND 0x00000002UL -#define EVENT__STATUS 0x00000004UL -#define EVENT__NOTIFY 0x00000008UL -#define EVENT__CREATE 0x00000010UL -#define EVENT__RESET 0x00000020UL - -#define GRANT__MAP_READ 0x00000001UL -#define GRANT__MAP_WRITE 0x00000002UL -#define GRANT__UNMAP 0x00000004UL -#define GRANT__TRANSFER 0x00000008UL -#define GRANT__SETUP 0x00000010UL -#define GRANT__COPY 0x00000020UL -#define GRANT__QUERY 0x00000040UL - 
-#define MMU__MAP_READ 0x00000001UL -#define MMU__MAP_WRITE 0x00000002UL -#define MMU__PAGEINFO 0x00000004UL -#define MMU__PAGELIST 0x00000008UL -#define MMU__ADJUST 0x00000010UL -#define MMU__STAT 0x00000020UL -#define MMU__TRANSLATEGP 0x00000040UL -#define MMU__UPDATEMP 0x00000080UL -#define MMU__PHYSMAP 0x00000100UL -#define MMU__PINPAGE 0x00000200UL -#define MMU__MFNLIST 0x00000400UL -#define MMU__MEMORYMAP 0x00000800UL -#define MMU__REMOTE_REMAP 0x00001000UL -#define MMU__MMUEXT_OP 0x00002000UL -#define MMU__EXCHANGE 0x00004000UL - -#define SHADOW__DISABLE 0x00000001UL -#define SHADOW__ENABLE 0x00000002UL -#define SHADOW__LOGDIRTY 0x00000004UL - -#define RESOURCE__ADD 0x00000001UL -#define RESOURCE__REMOVE 0x00000002UL -#define RESOURCE__USE 0x00000004UL -#define RESOURCE__ADD_IRQ 0x00000008UL -#define RESOURCE__REMOVE_IRQ 0x00000010UL -#define RESOURCE__ADD_IOPORT 0x00000020UL -#define RESOURCE__REMOVE_IOPORT 0x00000040UL -#define RESOURCE__ADD_IOMEM 0x00000080UL -#define RESOURCE__REMOVE_IOMEM 0x00000100UL -#define RESOURCE__STAT_DEVICE 0x00000200UL -#define RESOURCE__ADD_DEVICE 0x00000400UL -#define RESOURCE__REMOVE_DEVICE 0x00000800UL -#define RESOURCE__PLUG 0x00001000UL -#define RESOURCE__UNPLUG 0x00002000UL -#define RESOURCE__SETUP 0x00004000UL - -#define SECURITY__COMPUTE_AV 0x00000001UL -#define SECURITY__COMPUTE_CREATE 0x00000002UL -#define SECURITY__COMPUTE_MEMBER 0x00000004UL -#define SECURITY__CHECK_CONTEXT 0x00000008UL -#define SECURITY__LOAD_POLICY 0x00000010UL -#define SECURITY__COMPUTE_RELABEL 0x00000020UL -#define SECURITY__COMPUTE_USER 0x00000040UL -#define SECURITY__SETENFORCE 0x00000080UL -#define SECURITY__SETBOOL 0x00000100UL -#define SECURITY__SETSECPARAM 0x00000200UL -#define SECURITY__ADD_OCONTEXT 0x00000400UL -#define SECURITY__DEL_OCONTEXT 0x00000800UL - diff --git a/xen/xsm/flask/include/class_to_string.h b/xen/xsm/flask/include/class_to_string.h deleted file mode 100644 index 7716645..0000000 
--- a/xen/xsm/flask/include/class_to_string.h
+++ /dev/null
@@ -1,15 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-/*
- * Security object class definitions
- */
- S_("null")
- S_("xen")
- S_("domain")
- S_("domain2")
- S_("hvm")
- S_("mmu")
- S_("resource")
- S_("shadow")
- S_("event")
- S_("grant")
- S_("security")
diff --git a/xen/xsm/flask/include/flask.h b/xen/xsm/flask/include/flask.h
deleted file mode 100644
index 3bff998..0000000
--- a/xen/xsm/flask/include/flask.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-#ifndef _SELINUX_FLASK_H_
-#define _SELINUX_FLASK_H_
-
-/*
- * Security object class definitions
- */
-#define SECCLASS_XEN 1
-#define SECCLASS_DOMAIN 2
-#define SECCLASS_DOMAIN2 3
-#define SECCLASS_HVM 4
-#define SECCLASS_MMU 5
-#define SECCLASS_RESOURCE 6
-#define SECCLASS_SHADOW 7
-#define SECCLASS_EVENT 8
-#define SECCLASS_GRANT 9
-#define SECCLASS_SECURITY 10
-
-/*
- * Security identifier indices for initial entities
- */
-#define SECINITSID_XEN 1
-#define SECINITSID_DOM0 2
-#define SECINITSID_DOMIO 3
-#define SECINITSID_DOMXEN 4
-#define SECINITSID_UNLABELED 5
-#define SECINITSID_SECURITY 6
-#define SECINITSID_IOPORT 7
-#define SECINITSID_IOMEM 8
-#define SECINITSID_IRQ 9
-#define SECINITSID_DEVICE 10
-
-#define SECINITSID_NUM 10
-
-#endif
diff --git a/xen/xsm/flask/include/initial_sid_to_string.h b/xen/xsm/flask/include/initial_sid_to_string.h
deleted file mode 100644
index 814f4bf..0000000
--- a/xen/xsm/flask/include/initial_sid_to_string.h
+++ /dev/null
@@ -1,16 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-static char *initial_sid_to_string[] =
-{
- "null",
- "xen",
- "dom0",
- "domio",
- "domxen",
- "unlabeled",
- "security",
- "ioport",
- "iomem",
- "irq",
- "device",
-};
-
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
new file mode 100644
index 0000000..7a7e253
--- /dev/null
+++ b/xen/xsm/flask/policy/access_vectors 
@@ -0,0 +1,190 @@ +# +# Define the access vectors. +# +# class class_name { permission_name ... } + +class xen +{ + scheduler + settime + tbufcontrol + readconsole + clearconsole + perfcontrol + mtrr_add + mtrr_del + mtrr_read + microcode + physinfo + quirk + writeconsole + readapic + writeapic + privprofile + nonprivprofile + kexec + firmware + sleep + frequency + getidle + debug + getcpuinfo + heap + pm_op + mca_op + lockprof + cpupool_op + sched_op + tmem_op + tmem_control +} + +class domain +{ + setvcpucontext + pause + unpause + resume + create + transition + max_vcpus + destroy + setvcpuaffinity + getvcpuaffinity + scheduler + getdomaininfo + getvcpuinfo + getvcpucontext + setdomainmaxmem + setdomainhandle + setdebugging + hypercall + settime + set_target + shutdown + setaddrsize + getaddrsize + trigger + getextvcpucontext + setextvcpucontext + getvcpuextstate + setvcpuextstate + getpodtarget + setpodtarget + set_misc_info + set_virq_handler +} + +class domain2 +{ + relabelfrom + relabelto + relabelself + make_priv_for + set_as_target + set_cpuid + gettsc + settsc +} + +class hvm +{ + sethvmc + gethvmc + setparam + getparam + pcilevel + irqlevel + pciroute + bind_irq + cacheattr + trackdirtyvram + hvmctl + mem_event + mem_sharing + audit_p2m + send_irq + share_mem +} + +class event +{ + bind + send + status + notify + create + reset +} + +class grant +{ + map_read + map_write + unmap + transfer + setup + copy + query +} + +class mmu +{ + map_read + map_write + pageinfo + pagelist + adjust + stat + translategp + updatemp + physmap + pinpage + mfnlist + memorymap + remote_remap + mmuext_op + exchange +} + +class shadow +{ + disable + enable + logdirty +} + +class resource +{ + add + remove + use + add_irq + remove_irq + add_ioport + remove_ioport + add_iomem + remove_iomem + stat_device + add_device + remove_device + plug + unplug + setup +} + +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + 
compute_user + setenforce + setbool + setsecparam + add_ocontext + del_ocontext +} diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids new file mode 100644 index 0000000..e508bde --- /dev/null +++ b/xen/xsm/flask/policy/initial_sids @@ -0,0 +1,16 @@ +# FLASK + +# +# Define initial security identifiers +# +sid xen +sid dom0 +sid domio +sid domxen +sid unlabeled +sid security +sid ioport +sid iomem +sid irq +sid device +# FLASK diff --git a/xen/xsm/flask/policy/mkaccess_vector.sh b/xen/xsm/flask/policy/mkaccess_vector.sh new file mode 100644 index 0000000..8ec87f7 --- /dev/null +++ b/xen/xsm/flask/policy/mkaccess_vector.sh 
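Review bot: `class xen` and `class domain` each list exactly 32 permissions, and mkaccess_vector.sh assigns one bit per permission and prints it with `0x%08xUL`, so if the access vector is 32 bits wide (the format suggests so) a 33rd permission in either class would overflow silently. Nothing in this file records that limit, so a contributor adding a permission to `xen` or `domain` gets no hint that it belongs in a new class, which is presumably what `domain2` is for. A header comment would make the constraint visible: `# At most 32 permissions per class: each is one bit of a 32-bit access vector. Start a new class when one is full.`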
@@ -0,0 +1,138 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="include/av_permissions.h"
+av_perm_to_string="include/av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN {
+ outfile = \"$av_permissions\"
+ avpermfile = \"$av_perm_to_string\"
+ "'
+ nextstate = "COMMON_OR_AV";
+ printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
+ printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
+;
+ }
+/^[ \t]*#/ {
+ next;
+ }
+$1 == "class" {
+ if (nextstate != "COMMON_OR_AV" &&
+ nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+ {
+ printf("Parse error: Unexpected class definition on line %d\n", NR);
+ next;
+ }
+
+ tclass = $2;
+
+ if (tclass in av_defined)
+ {
+ printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
+ next;
+ }
+ av_defined[tclass] = 1;
+
+ permission = 1;
+
+ nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+ next;
+ }
+$1 == "{" {
+ if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+ nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+ nextstate != "COMMON-OPENBRACKET")
+ {
+ printf("Parse error: Unexpected { on line %d\n", NR);
+ next;
+ }
+
+ if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+ nextstate = "CLASS-CLOSEBRACKET";
+
+ if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+ nextstate = "CLASS-CLOSEBRACKET";
+
+ if (nextstate == "COMMON-OPENBRACKET")
+ nextstate = "COMMON-CLOSEBRACKET";
+ }
+/[a-z][a-z_]*/ {
+ if (nextstate != "COMMON-CLOSEBRACKET" &&
+ nextstate != "CLASS-CLOSEBRACKET")
+ {
+ printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR);
+ next;
+ }
+
+ if (nextstate == "COMMON-CLOSEBRACKET")
+ {
+ if ((common_name,$1) in common_perms)
+ {
+ printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
+ next;
+ }
+
+ common_perms[common_name,$1] = permission;
+
+ printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile;
+
+ printf(" S_(\"%s\")\n", $1) > cpermfile;
+ }
+ else
+ {
+ if ((tclass,$1) in av_perms)
+ {
+ printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
+ next;
+ }
+
+ av_perms[tclass,$1] = permission;
+
+ printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
+
+ printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
+ }
+
+ spaces = 40 - (length($1) + length(tclass));
+ if (spaces < 1)
+ spaces = 1;
+
+ for (i = 0; i < spaces; i++)
+ printf(" ") > outfile;
+ printf("0x%08xUL\n", permission) > outfile;
+ permission = permission * 2;
+ }
+$1 == "}" {
+ if (nextstate != "CLASS-CLOSEBRACKET" &&
+ nextstate != "COMMON-CLOSEBRACKET")
+ {
+ printf("Parse error: Unexpected } on line %d\n", NR);
+ next;
+ }
+
+ if (nextstate == "COMMON-CLOSEBRACKET")
+ {
+ common_base[common_name] = permission;
+ printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
+ }
+
+ printf("\n") > outfile;
+
+ nextstate = "COMMON_OR_AV";
+ }
+END {
+ if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+ printf("Parse error: Unexpected end of file\n");
+
+ }'
+
+# FLASK
diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
new file mode 100644
index 0000000..e8d8fb5
--- /dev/null
+++ b/xen/xsm/flask/policy/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="include/flask.h"
+debug_file="include/class_to_string.h"
+debug_file2="include/initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN {
+ outfile = \"$output_file\"
+ debugfile = \"$debug_file\"
+ debugfile2 = \"$debug_file2\"
+ "'
+ nextstate = "CLASS";
+
+ printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
+
+ printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+ printf("#define _SELINUX_FLASK_H_\n") > outfile;
+ printf("\n/*\n * Security object class definitions\n */\n") > outfile;
+ printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
+ printf("/*\n * Security object class definitions\n */\n") > debugfile;
+ printf(" S_(\"null\")\n") > debugfile;
+ printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2;
+ printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
+ printf(" \"null\",\n") > debugfile2;
+ }
+/^[ \t]*#/ {
+ next;
+ }
+$1 == "class" {
+ if (nextstate != "CLASS")
+ {
+ printf("Parse error: Unexpected class definition on line %d\n", NR);
+ next;
+ }
+
+ if ($2 in class_found)
+ {
+ printf("Duplicate class definition for %s on line %d.\n", $2, NR);
+ next;
+ }
+ class_found[$2] = 1;
+
+ class_value++;
+
+ printf("#define SECCLASS_%s", toupper($2)) > outfile;
+ for (i = 0; i < 40 - length($2); i++)
+ printf(" ") > outfile;
+ printf("%d\n", class_value) > outfile;
+
+ printf(" S_(\"%s\")\n", $2) > debugfile;
+ }
+$1 == "sid" {
+ if (nextstate == "CLASS")
+ {
+ nextstate = "SID";
+ printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;
+ }
+
+ if ($2 in sid_found)
+ {
+ printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
+ next;
+ }
+ sid_found[$2] = 1;
+ sid_value++;
+
+ printf("#define SECINITSID_%s", toupper($2)) > outfile;
+ for (i = 0; i < 37 - length($2); i++)
+ printf(" ") > outfile;
+ printf("%d\n", sid_value) > outfile;
+ printf(" \"%s\",\n", $2) > debugfile2;
+ }
+END {
+ if (nextstate != "SID")
+ printf("Parse error: Unexpected end of file\n");
+
+ printf("\n#define SECINITSID_NUM") > outfile;
+ for (i = 0; i < 34; i++)
+ printf(" ") > outfile;
+ printf("%d\n", sid_value) > outfile;
+ printf("\n#endif\n") > outfile;
+ printf("};\n\n") > debugfile2;
+ }'
+
+# FLASK
diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes
new file mode 100644
index 0000000..ef134a7
--- /dev/null
+++ b/xen/xsm/flask/policy/security_classes
@@ -0,0 +1,21 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class xen
+class domain
+class domain2
+class hvm
+class mmu
+class resource
+class shadow
+class event
+class grant
+class security
+
+# FLASK
-- 1.7.11.7 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
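Review bot: Every parse error in the awk program (`Parse error: ...`, `Duplicate permission ...`, and the `Unexpected end of file` check in END) is written to stdout and processing continues, so awk exits 0, `set -e` never fires, and a malformed access_vectors yields an incomplete av_permissions.h that the hypervisor build accepts; mkflask.sh has the same problem. Each error branch should set a flag and report on stderr, e.g. `printf("Parse error: Unexpected end of file\n") > "/dev/stderr"; err = 1;`, with END finishing in `if (err) exit 1;` so the pipeline fails. The `cat $* | $awk "` line splits input paths on whitespace; `cat "$@"` is the usual form, here and in mkflask.sh. Nothing in this script ever assigns `cpermfile`, `common_name` or the `COMMON-OPENBRACKET` state, so the whole `COMMON-*` branch is unreachable carried-over code and could be dropped to keep the generator readable.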
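Review bot: The table emitted into initial_sid_to_string.h is declared `static char *initial_sid_to_string[] =`, which leaves the pointer array writable and types the literals as plain `char *`, for a lookup table the security module presumably only reads. Emitting `static const char *const initial_sid_to_string[] =` instead lets the table live in read-only data; this is only safe if no caller writes through it, which the hunk does not show. Also `shift 1` here versus `shift` in mkaccess_vector.sh is a needless difference between two sibling scripts.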
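Review bot: The comment `# Classes marked as userspace are classes` / `# for userspace object managers` describes a marking that no entry in this file uses, so it only confuses. What a maintainer does need to know is that mkflask.sh numbers `SECCLASS_*` by position (`class_value++` per `class` line), so reordering or inserting in the middle renumbers every later class, and the compiled policy presumably has to agree with those numbers. Replace the stale comment with `# Order matters: SECCLASS_* values are assigned by position; append new classes at the end.`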