[Xen-devel] [PATCH 19/23] flask: move policy headers into hypervisor
Rather than keeping around headers that are autogenerated in order to
avoid adding build dependencies from xen/ to files in tools/, move the
relevant parts of the FLASK policy into the hypervisor tree and generate
the headers as part of the hypervisor's build.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
.gitignore | 5 +
.hgignore | 5 +
tools/flask/policy/Makefile | 2 +-
tools/flask/policy/policy/flask/Makefile | 41 -----
tools/flask/policy/policy/flask/access_vectors | 190 ---------------------
tools/flask/policy/policy/flask/initial_sids | 16 --
tools/flask/policy/policy/flask/mkaccess_vector.sh | 138 ---------------
tools/flask/policy/policy/flask/mkflask.sh | 95 -----------
tools/flask/policy/policy/flask/security_classes | 21 ---
xen/xsm/flask/Makefile | 25 +++
xen/xsm/flask/include/av_perm_to_string.h | 147 ----------------
xen/xsm/flask/include/av_permissions.h | 157 -----------------
xen/xsm/flask/include/class_to_string.h | 15 --
xen/xsm/flask/include/flask.h | 35 ----
xen/xsm/flask/include/initial_sid_to_string.h | 16 --
xen/xsm/flask/policy/access_vectors | 190 +++++++++++++++++++++
xen/xsm/flask/policy/initial_sids | 16 ++
xen/xsm/flask/policy/mkaccess_vector.sh | 138 +++++++++++++++
xen/xsm/flask/policy/mkflask.sh | 95 +++++++++++
xen/xsm/flask/policy/security_classes | 21 +++
20 files changed, 496 insertions(+), 872 deletions(-)
delete mode 100644 tools/flask/policy/policy/flask/Makefile
delete mode 100644 tools/flask/policy/policy/flask/access_vectors
delete mode 100644 tools/flask/policy/policy/flask/initial_sids
delete mode 100644 tools/flask/policy/policy/flask/mkaccess_vector.sh
delete mode 100644 tools/flask/policy/policy/flask/mkflask.sh
delete mode 100644 tools/flask/policy/policy/flask/security_classes
delete mode 100644 xen/xsm/flask/include/av_perm_to_string.h
delete mode 100644 xen/xsm/flask/include/av_permissions.h
delete mode 100644 xen/xsm/flask/include/class_to_string.h
delete mode 100644 xen/xsm/flask/include/flask.h
delete mode 100644 xen/xsm/flask/include/initial_sid_to_string.h
create mode 100644 xen/xsm/flask/policy/access_vectors
create mode 100644 xen/xsm/flask/policy/initial_sids
create mode 100644 xen/xsm/flask/policy/mkaccess_vector.sh
create mode 100644 xen/xsm/flask/policy/mkflask.sh
create mode 100644 xen/xsm/flask/policy/security_classes
diff --git a/.gitignore b/.gitignore
index f6edc43..aac7a14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -309,6 +309,11 @@ xen/include/xen/banner.h
xen/include/xen/compile.h
xen/tools/figlet/figlet
xen/tools/symbols
+xen/xsm/flask/include/av_perm_to_string.h
+xen/xsm/flask/include/av_permissions.h
+xen/xsm/flask/include/class_to_string.h
+xen/xsm/flask/include/flask.h
+xen/xsm/flask/include/initial_sid_to_string.h
xen/xen
xen/xen-syms
xen/xen.*
diff --git a/.hgignore b/.hgignore
index 344792a..5ed903f 100644
--- a/.hgignore
+++ b/.hgignore
@@ -339,6 +339,11 @@
^xen/include/xen/compile\.h$
^xen/tools/figlet/figlet$
^xen/tools/symbols$
+^xen/xsm/flask/include/av_perm_to_string\.h$
+^xen/xsm/flask/include/av_permissions\.h$
+^xen/xsm/flask/include/class_to_string\.h$
+^xen/xsm/flask/include/flask\.h$
+^xen/xsm/flask/include/initial_sid_to_string\.h$
^xen/xen$
^xen/xen-syms$
^xen/xen\..*$
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 5c25cbe..3f5aa38 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -61,7 +61,7 @@ LOADPOLICY := $(SBINDIR)/flask-loadpolicy
# policy source layout
POLDIR := policy
MODDIR := $(POLDIR)/modules
-FLASKDIR := $(POLDIR)/flask
+FLASKDIR := ../../../xen/xsm/flask/policy
SECCLASS := $(FLASKDIR)/security_classes
ISIDS := $(FLASKDIR)/initial_sids
AVS := $(FLASKDIR)/access_vectors
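Review bot: The new `FLASKDIR := ../../../xen/xsm/flask/policy` spells out the path to the hypervisor tree by directory depth, whereas the rest of this Makefile reaches outside its own directory through variables such as `$(SBINDIR)` (visible in the hunk header). If this Makefile sets XEN_ROOT the way the other tools/ Makefiles do, `FLASKDIR := $(XEN_ROOT)/xen/xsm/flask/policy` names the same directory and survives a relayout of tools/flask/policy. A short comment above the assignment would also record why the policy build now depends on a file outside tools/, e.g. `# Class and permission definitions live in the hypervisor tree so that the compiled policy and the hypervisor agree on their numbering.`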
diff --git a/tools/flask/policy/policy/flask/Makefile
b/tools/flask/policy/policy/flask/Makefile
deleted file mode 100644
index 5f57e88..0000000
--- a/tools/flask/policy/policy/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
- else if [ -x /bin/bash ]; then echo /bin/bash; \
- else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all: $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
- $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
- $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
- install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
- install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h
av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
- install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:
- rm -f $(FLASK_H_FILES)
- rm -f $(AV_H_FILES)
diff --git a/tools/flask/policy/policy/flask/access_vectors
b/tools/flask/policy/policy/flask/access_vectors
deleted file mode 100644
index 7a7e253..0000000
--- a/tools/flask/policy/policy/flask/access_vectors
+++ /dev/null
@@ -1,190 +0,0 @@
-#
-# Define the access vectors.
-#
-# class class_name { permission_name ... }
-
-class xen
-{
- scheduler
- settime
- tbufcontrol
- readconsole
- clearconsole
- perfcontrol
- mtrr_add
- mtrr_del
- mtrr_read
- microcode
- physinfo
- quirk
- writeconsole
- readapic
- writeapic
- privprofile
- nonprivprofile
- kexec
- firmware
- sleep
- frequency
- getidle
- debug
- getcpuinfo
- heap
- pm_op
- mca_op
- lockprof
- cpupool_op
- sched_op
- tmem_op
- tmem_control
-}
-
-class domain
-{
- setvcpucontext
- pause
- unpause
- resume
- create
- transition
- max_vcpus
- destroy
- setvcpuaffinity
- getvcpuaffinity
- scheduler
- getdomaininfo
- getvcpuinfo
- getvcpucontext
- setdomainmaxmem
- setdomainhandle
- setdebugging
- hypercall
- settime
- set_target
- shutdown
- setaddrsize
- getaddrsize
- trigger
- getextvcpucontext
- setextvcpucontext
- getvcpuextstate
- setvcpuextstate
- getpodtarget
- setpodtarget
- set_misc_info
- set_virq_handler
-}
-
-class domain2
-{
- relabelfrom
- relabelto
- relabelself
- make_priv_for
- set_as_target
- set_cpuid
- gettsc
- settsc
-}
-
-class hvm
-{
- sethvmc
- gethvmc
- setparam
- getparam
- pcilevel
- irqlevel
- pciroute
- bind_irq
- cacheattr
- trackdirtyvram
- hvmctl
- mem_event
- mem_sharing
- audit_p2m
- send_irq
- share_mem
-}
-
-class event
-{
- bind
- send
- status
- notify
- create
- reset
-}
-
-class grant
-{
- map_read
- map_write
- unmap
- transfer
- setup
- copy
- query
-}
-
-class mmu
-{
- map_read
- map_write
- pageinfo
- pagelist
- adjust
- stat
- translategp
- updatemp
- physmap
- pinpage
- mfnlist
- memorymap
- remote_remap
- mmuext_op
- exchange
-}
-
-class shadow
-{
- disable
- enable
- logdirty
-}
-
-class resource
-{
- add
- remove
- use
- add_irq
- remove_irq
- add_ioport
- remove_ioport
- add_iomem
- remove_iomem
- stat_device
- add_device
- remove_device
- plug
- unplug
- setup
-}
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce
- setbool
- setsecparam
- add_ocontext
- del_ocontext
-}
diff --git a/tools/flask/policy/policy/flask/initial_sids
b/tools/flask/policy/policy/flask/initial_sids
deleted file mode 100644
index e508bde..0000000
--- a/tools/flask/policy/policy/flask/initial_sids
+++ /dev/null
@@ -1,16 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-sid xen
-sid dom0
-sid domio
-sid domxen
-sid unlabeled
-sid security
-sid ioport
-sid iomem
-sid irq
-sid device
-# FLASK
diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh
b/tools/flask/policy/policy/flask/mkaccess_vector.sh
deleted file mode 100644
index 43a60a7..0000000
--- a/tools/flask/policy/policy/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,138 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift
-
-# output files
-av_permissions="av_permissions.h"
-av_perm_to_string="av_perm_to_string.h"
-
-cat $* | $awk "
-BEGIN {
- outfile = \"$av_permissions\"
- avpermfile = \"$av_perm_to_string\"
- "'
- nextstate = "COMMON_OR_AV";
- printf("/* This file is automatically generated. Do not edit.
*/\n") > outfile;
- printf("/* This file is automatically generated. Do not edit.
*/\n") > avpermfile;
-;
- }
-/^[ \t]*#/ {
- next;
- }
-$1 == "class" {
- if (nextstate != "COMMON_OR_AV" &&
- nextstate != "CLASS_OR_CLASS-OPENBRACKET")
- {
- printf("Parse error: Unexpected class
definition on line %d\n", NR);
- next;
- }
-
- tclass = $2;
-
- if (tclass in av_defined)
- {
- printf("Duplicate access vector definition for
%s on line %d\n", tclass, NR);
- next;
- }
- av_defined[tclass] = 1;
-
- permission = 1;
-
- nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
- next;
- }
-$1 == "{" {
- if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
- nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
- nextstate != "COMMON-OPENBRACKET")
- {
- printf("Parse error: Unexpected { on line
%d\n", NR);
- next;
- }
-
- if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
- nextstate = "CLASS-CLOSEBRACKET";
-
- if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
- nextstate = "CLASS-CLOSEBRACKET";
-
- if (nextstate == "COMMON-OPENBRACKET")
- nextstate = "COMMON-CLOSEBRACKET";
- }
-/[a-z][a-z_]*/ {
- if (nextstate != "COMMON-CLOSEBRACKET" &&
- nextstate != "CLASS-CLOSEBRACKET")
- {
- printf("Parse error: Unexpected symbol %s on
line %d\n", $1, NR);
- next;
- }
-
- if (nextstate == "COMMON-CLOSEBRACKET")
- {
- if ((common_name,$1) in common_perms)
- {
- printf("Duplicate permission %s for
common %s on line %d.\n", $1, common_name, NR);
- next;
- }
-
- common_perms[common_name,$1] = permission;
-
- printf("#define COMMON_%s__%s",
toupper(common_name), toupper($1)) > outfile;
-
- printf(" S_(\"%s\")\n", $1) > cpermfile;
- }
- else
- {
- if ((tclass,$1) in av_perms)
- {
- printf("Duplicate permission %s for %s
on line %d.\n", $1, tclass, NR);
- next;
- }
-
- av_perms[tclass,$1] = permission;
-
- printf("#define %s__%s", toupper(tclass),
toupper($1)) > outfile;
-
- printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n",
toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
- }
-
- spaces = 40 - (length($1) + length(tclass));
- if (spaces < 1)
- spaces = 1;
-
- for (i = 0; i < spaces; i++)
- printf(" ") > outfile;
- printf("0x%08xUL\n", permission) > outfile;
- permission = permission * 2;
- }
-$1 == "}" {
- if (nextstate != "CLASS-CLOSEBRACKET" &&
- nextstate != "COMMON-CLOSEBRACKET")
- {
- printf("Parse error: Unexpected } on line
%d\n", NR);
- next;
- }
-
- if (nextstate == "COMMON-CLOSEBRACKET")
- {
- common_base[common_name] = permission;
- printf("TE_(common_%s_perm_to_string)\n\n",
common_name) > cpermfile;
- }
-
- printf("\n") > outfile;
-
- nextstate = "COMMON_OR_AV";
- }
-END {
- if (nextstate != "COMMON_OR_AV" && nextstate !=
"CLASS_OR_CLASS-OPENBRACKET")
- printf("Parse error: Unexpected end of file\n");
-
- }'
-
-# FLASK
diff --git a/tools/flask/policy/policy/flask/mkflask.sh
b/tools/flask/policy/policy/flask/mkflask.sh
deleted file mode 100644
index 9c84754..0000000
--- a/tools/flask/policy/policy/flask/mkflask.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift 1
-
-# output file
-output_file="flask.h"
-debug_file="class_to_string.h"
-debug_file2="initial_sid_to_string.h"
-
-cat $* | $awk "
-BEGIN {
- outfile = \"$output_file\"
- debugfile = \"$debug_file\"
- debugfile2 = \"$debug_file2\"
- "'
- nextstate = "CLASS";
-
- printf("/* This file is automatically generated. Do not edit.
*/\n") > outfile;
-
- printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
- printf("#define _SELINUX_FLASK_H_\n") > outfile;
- printf("\n/*\n * Security object class definitions\n */\n") >
outfile;
- printf("/* This file is automatically generated. Do not edit.
*/\n") > debugfile;
- printf("/*\n * Security object class definitions\n */\n") >
debugfile;
- printf(" S_(\"null\")\n") > debugfile;
- printf("/* This file is automatically generated. Do not edit.
*/\n") > debugfile2;
- printf("static char *initial_sid_to_string[] =\n{\n") >
debugfile2;
- printf(" \"null\",\n") > debugfile2;
- }
-/^[ \t]*#/ {
- next;
- }
-$1 == "class" {
- if (nextstate != "CLASS")
- {
- printf("Parse error: Unexpected class
definition on line %d\n", NR);
- next;
- }
-
- if ($2 in class_found)
- {
- printf("Duplicate class definition for %s on
line %d.\n", $2, NR);
- next;
- }
- class_found[$2] = 1;
-
- class_value++;
-
- printf("#define SECCLASS_%s", toupper($2)) > outfile;
- for (i = 0; i < 40 - length($2); i++)
- printf(" ") > outfile;
- printf("%d\n", class_value) > outfile;
-
- printf(" S_(\"%s\")\n", $2) > debugfile;
- }
-$1 == "sid" {
- if (nextstate == "CLASS")
- {
- nextstate = "SID";
- printf("\n/*\n * Security identifier indices for
initial entities\n */\n") > outfile;
- }
-
- if ($2 in sid_found)
- {
- printf("Duplicate SID definition for %s on line
%d.\n", $2, NR);
- next;
- }
- sid_found[$2] = 1;
- sid_value++;
-
- printf("#define SECINITSID_%s", toupper($2)) > outfile;
- for (i = 0; i < 37 - length($2); i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf(" \"%s\",\n", $2) > debugfile2;
- }
-END {
- if (nextstate != "SID")
- printf("Parse error: Unexpected end of file\n");
-
- printf("\n#define SECINITSID_NUM") > outfile;
- for (i = 0; i < 34; i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf("\n#endif\n") > outfile;
- printf("};\n\n") > debugfile2;
- }'
-
-# FLASK
diff --git a/tools/flask/policy/policy/flask/security_classes
b/tools/flask/policy/policy/flask/security_classes
deleted file mode 100644
index ef134a7..0000000
--- a/tools/flask/policy/policy/flask/security_classes
+++ /dev/null
@@ -1,21 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class xen
-class domain
-class domain2
-class hvm
-class mmu
-class resource
-class shadow
-class event
-class grant
-class security
-
-# FLASK
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 92fb410..1256512 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -5,3 +5,28 @@ obj-y += flask_op.o
subdir-y += ss
CFLAGS += -I./include
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+ else if [ -x /bin/bash ]; then echo /bin/bash; \
+ else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = policy/security_classes policy/initial_sids
+AV_H_DEPEND = policy/access_vectors
+
+FLASK_H_FILES = include/flask.h include/class_to_string.h
include/initial_sid_to_string.h
+AV_H_FILES = include/av_perm_to_string.h include/av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+$(obj-y) ss/built_in.o: $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+ $(CONFIG_SHELL) policy/mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+ $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+.PHONY: clean
+clean::
+ rm -f $(ALL_H_FILES) *.o $(DEPS)
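Review bot: The two multi-target rules `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` each declare one independent rule per header, so a parallel build can launch mkflask.sh or mkaccess_vector.sh several times at once, each rewriting all of its outputs, while `$(obj-y) ss/built_in.o: $(ALL_H_FILES)` lets an object compile against a header another instance is still rewriting. Neither rule lists its generator script as a prerequisite, so a change to policy/mkflask.sh or policy/mkaccess_vector.sh leaves stale headers in place; because these headers fix the SECCLASS_* numbers and the permission bit used by every hypervisor access check, a stale copy silently desynchronises the hypervisor from the policy that tools/flask/policy now builds from the same source files. Routing each generator through a stamp file and adding the scripts as prerequisites fixes both; the stamps then need adding to `clean::` and to the ignore lists touched earlier in this patch. Whether the relocated scripts write into include/ is not visible here (the deleted tools copies wrote into the current directory) and is worth confirming against the new policy/mkflask.sh hunk.
```make
# Each generator emits several headers in one run: funnel every header
# through a stamp so `make -j` never runs the same script twice at once,
# and regenerate when the script itself changes.
include/.mkflask.stamp: policy/mkflask.sh $(FLASK_H_DEPEND)
	$(CONFIG_SHELL) policy/mkflask.sh $(AWK) $(FLASK_H_DEPEND)
	@touch $@
$(FLASK_H_FILES): include/.mkflask.stamp ;

include/.mkaccess_vector.stamp: policy/mkaccess_vector.sh $(AV_H_DEPEND)
	$(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
	@touch $@
$(AV_H_FILES): include/.mkaccess_vector.stamp ;

# … unchanged: .PHONY: clean …
clean::
	rm -f $(ALL_H_FILES) include/.mkflask.stamp include/.mkaccess_vector.stamp *.o $(DEPS)
```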
diff --git a/xen/xsm/flask/include/av_perm_to_string.h
b/xen/xsm/flask/include/av_perm_to_string.h
deleted file mode 100644
index c3f2370..0000000
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ /dev/null
@@ -1,147 +0,0 @@
-/* This file is automatically generated. Do not edit. */
- S_(SECCLASS_XEN, XEN__SCHEDULER, "scheduler")
- S_(SECCLASS_XEN, XEN__SETTIME, "settime")
- S_(SECCLASS_XEN, XEN__TBUFCONTROL, "tbufcontrol")
- S_(SECCLASS_XEN, XEN__READCONSOLE, "readconsole")
- S_(SECCLASS_XEN, XEN__CLEARCONSOLE, "clearconsole")
- S_(SECCLASS_XEN, XEN__PERFCONTROL, "perfcontrol")
- S_(SECCLASS_XEN, XEN__MTRR_ADD, "mtrr_add")
- S_(SECCLASS_XEN, XEN__MTRR_DEL, "mtrr_del")
- S_(SECCLASS_XEN, XEN__MTRR_READ, "mtrr_read")
- S_(SECCLASS_XEN, XEN__MICROCODE, "microcode")
- S_(SECCLASS_XEN, XEN__PHYSINFO, "physinfo")
- S_(SECCLASS_XEN, XEN__QUIRK, "quirk")
- S_(SECCLASS_XEN, XEN__WRITECONSOLE, "writeconsole")
- S_(SECCLASS_XEN, XEN__READAPIC, "readapic")
- S_(SECCLASS_XEN, XEN__WRITEAPIC, "writeapic")
- S_(SECCLASS_XEN, XEN__PRIVPROFILE, "privprofile")
- S_(SECCLASS_XEN, XEN__NONPRIVPROFILE, "nonprivprofile")
- S_(SECCLASS_XEN, XEN__KEXEC, "kexec")
- S_(SECCLASS_XEN, XEN__FIRMWARE, "firmware")
- S_(SECCLASS_XEN, XEN__SLEEP, "sleep")
- S_(SECCLASS_XEN, XEN__FREQUENCY, "frequency")
- S_(SECCLASS_XEN, XEN__GETIDLE, "getidle")
- S_(SECCLASS_XEN, XEN__DEBUG, "debug")
- S_(SECCLASS_XEN, XEN__GETCPUINFO, "getcpuinfo")
- S_(SECCLASS_XEN, XEN__HEAP, "heap")
- S_(SECCLASS_XEN, XEN__PM_OP, "pm_op")
- S_(SECCLASS_XEN, XEN__MCA_OP, "mca_op")
- S_(SECCLASS_XEN, XEN__LOCKPROF, "lockprof")
- S_(SECCLASS_XEN, XEN__CPUPOOL_OP, "cpupool_op")
- S_(SECCLASS_XEN, XEN__SCHED_OP, "sched_op")
- S_(SECCLASS_XEN, XEN__TMEM_OP, "tmem_op")
- S_(SECCLASS_XEN, XEN__TMEM_CONTROL, "tmem_control")
- S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT, "setvcpucontext")
- S_(SECCLASS_DOMAIN, DOMAIN__PAUSE, "pause")
- S_(SECCLASS_DOMAIN, DOMAIN__UNPAUSE, "unpause")
- S_(SECCLASS_DOMAIN, DOMAIN__RESUME, "resume")
- S_(SECCLASS_DOMAIN, DOMAIN__CREATE, "create")
- S_(SECCLASS_DOMAIN, DOMAIN__TRANSITION, "transition")
- S_(SECCLASS_DOMAIN, DOMAIN__MAX_VCPUS, "max_vcpus")
- S_(SECCLASS_DOMAIN, DOMAIN__DESTROY, "destroy")
- S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUAFFINITY, "setvcpuaffinity")
- S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUAFFINITY, "getvcpuaffinity")
- S_(SECCLASS_DOMAIN, DOMAIN__SCHEDULER, "scheduler")
- S_(SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO, "getdomaininfo")
- S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUINFO, "getvcpuinfo")
- S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT, "getvcpucontext")
- S_(SECCLASS_DOMAIN, DOMAIN__SETDOMAINMAXMEM, "setdomainmaxmem")
- S_(SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE, "setdomainhandle")
- S_(SECCLASS_DOMAIN, DOMAIN__SETDEBUGGING, "setdebugging")
- S_(SECCLASS_DOMAIN, DOMAIN__HYPERCALL, "hypercall")
- S_(SECCLASS_DOMAIN, DOMAIN__SETTIME, "settime")
- S_(SECCLASS_DOMAIN, DOMAIN__SET_TARGET, "set_target")
- S_(SECCLASS_DOMAIN, DOMAIN__SHUTDOWN, "shutdown")
- S_(SECCLASS_DOMAIN, DOMAIN__SETADDRSIZE, "setaddrsize")
- S_(SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE, "getaddrsize")
- S_(SECCLASS_DOMAIN, DOMAIN__TRIGGER, "trigger")
- S_(SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT, "getextvcpucontext")
- S_(SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT, "setextvcpucontext")
- S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE, "getvcpuextstate")
- S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE, "setvcpuextstate")
- S_(SECCLASS_DOMAIN, DOMAIN__GETPODTARGET, "getpodtarget")
- S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget")
- S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info")
- S_(SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER, "set_virq_handler")
- S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, "relabelfrom")
- S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, "relabelto")
- S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself")
- S_(SECCLASS_DOMAIN2, DOMAIN2__MAKE_PRIV_FOR, "make_priv_for")
- S_(SECCLASS_DOMAIN2, DOMAIN2__SET_AS_TARGET, "set_as_target")
- S_(SECCLASS_DOMAIN2, DOMAIN2__SET_CPUID, "set_cpuid")
- S_(SECCLASS_DOMAIN2, DOMAIN2__GETTSC, "gettsc")
- S_(SECCLASS_DOMAIN2, DOMAIN2__SETTSC, "settsc")
- S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
- S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
- S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
- S_(SECCLASS_HVM, HVM__GETPARAM, "getparam")
- S_(SECCLASS_HVM, HVM__PCILEVEL, "pcilevel")
- S_(SECCLASS_HVM, HVM__IRQLEVEL, "irqlevel")
- S_(SECCLASS_HVM, HVM__PCIROUTE, "pciroute")
- S_(SECCLASS_HVM, HVM__BIND_IRQ, "bind_irq")
- S_(SECCLASS_HVM, HVM__CACHEATTR, "cacheattr")
- S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")
- S_(SECCLASS_HVM, HVM__HVMCTL, "hvmctl")
- S_(SECCLASS_HVM, HVM__MEM_EVENT, "mem_event")
- S_(SECCLASS_HVM, HVM__MEM_SHARING, "mem_sharing")
- S_(SECCLASS_HVM, HVM__AUDIT_P2M, "audit_p2m")
- S_(SECCLASS_HVM, HVM__SEND_IRQ, "send_irq")
- S_(SECCLASS_HVM, HVM__SHARE_MEM, "share_mem")
- S_(SECCLASS_EVENT, EVENT__BIND, "bind")
- S_(SECCLASS_EVENT, EVENT__SEND, "send")
- S_(SECCLASS_EVENT, EVENT__STATUS, "status")
- S_(SECCLASS_EVENT, EVENT__NOTIFY, "notify")
- S_(SECCLASS_EVENT, EVENT__CREATE, "create")
- S_(SECCLASS_EVENT, EVENT__RESET, "reset")
- S_(SECCLASS_GRANT, GRANT__MAP_READ, "map_read")
- S_(SECCLASS_GRANT, GRANT__MAP_WRITE, "map_write")
- S_(SECCLASS_GRANT, GRANT__UNMAP, "unmap")
- S_(SECCLASS_GRANT, GRANT__TRANSFER, "transfer")
- S_(SECCLASS_GRANT, GRANT__SETUP, "setup")
- S_(SECCLASS_GRANT, GRANT__COPY, "copy")
- S_(SECCLASS_GRANT, GRANT__QUERY, "query")
- S_(SECCLASS_MMU, MMU__MAP_READ, "map_read")
- S_(SECCLASS_MMU, MMU__MAP_WRITE, "map_write")
- S_(SECCLASS_MMU, MMU__PAGEINFO, "pageinfo")
- S_(SECCLASS_MMU, MMU__PAGELIST, "pagelist")
- S_(SECCLASS_MMU, MMU__ADJUST, "adjust")
- S_(SECCLASS_MMU, MMU__STAT, "stat")
- S_(SECCLASS_MMU, MMU__TRANSLATEGP, "translategp")
- S_(SECCLASS_MMU, MMU__UPDATEMP, "updatemp")
- S_(SECCLASS_MMU, MMU__PHYSMAP, "physmap")
- S_(SECCLASS_MMU, MMU__PINPAGE, "pinpage")
- S_(SECCLASS_MMU, MMU__MFNLIST, "mfnlist")
- S_(SECCLASS_MMU, MMU__MEMORYMAP, "memorymap")
- S_(SECCLASS_MMU, MMU__REMOTE_REMAP, "remote_remap")
- S_(SECCLASS_MMU, MMU__MMUEXT_OP, "mmuext_op")
- S_(SECCLASS_MMU, MMU__EXCHANGE, "exchange")
- S_(SECCLASS_SHADOW, SHADOW__DISABLE, "disable")
- S_(SECCLASS_SHADOW, SHADOW__ENABLE, "enable")
- S_(SECCLASS_SHADOW, SHADOW__LOGDIRTY, "logdirty")
- S_(SECCLASS_RESOURCE, RESOURCE__ADD, "add")
- S_(SECCLASS_RESOURCE, RESOURCE__REMOVE, "remove")
- S_(SECCLASS_RESOURCE, RESOURCE__USE, "use")
- S_(SECCLASS_RESOURCE, RESOURCE__ADD_IRQ, "add_irq")
- S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IRQ, "remove_irq")
- S_(SECCLASS_RESOURCE, RESOURCE__ADD_IOPORT, "add_ioport")
- S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IOPORT, "remove_ioport")
- S_(SECCLASS_RESOURCE, RESOURCE__ADD_IOMEM, "add_iomem")
- S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IOMEM, "remove_iomem")
- S_(SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, "stat_device")
- S_(SECCLASS_RESOURCE, RESOURCE__ADD_DEVICE, "add_device")
- S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_DEVICE, "remove_device")
- S_(SECCLASS_RESOURCE, RESOURCE__PLUG, "plug")
- S_(SECCLASS_RESOURCE, RESOURCE__UNPLUG, "unplug")
- S_(SECCLASS_RESOURCE, RESOURCE__SETUP, "setup")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
- S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
- S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
- S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
- S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
- S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
- S_(SECCLASS_SECURITY, SECURITY__ADD_OCONTEXT, "add_ocontext")
- S_(SECCLASS_SECURITY, SECURITY__DEL_OCONTEXT, "del_ocontext")
diff --git a/xen/xsm/flask/include/av_permissions.h
b/xen/xsm/flask/include/av_permissions.h
deleted file mode 100644
index 65302e8..0000000
--- a/xen/xsm/flask/include/av_permissions.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-#define XEN__SCHEDULER 0x00000001UL
-#define XEN__SETTIME 0x00000002UL
-#define XEN__TBUFCONTROL 0x00000004UL
-#define XEN__READCONSOLE 0x00000008UL
-#define XEN__CLEARCONSOLE 0x00000010UL
-#define XEN__PERFCONTROL 0x00000020UL
-#define XEN__MTRR_ADD 0x00000040UL
-#define XEN__MTRR_DEL 0x00000080UL
-#define XEN__MTRR_READ 0x00000100UL
-#define XEN__MICROCODE 0x00000200UL
-#define XEN__PHYSINFO 0x00000400UL
-#define XEN__QUIRK 0x00000800UL
-#define XEN__WRITECONSOLE 0x00001000UL
-#define XEN__READAPIC 0x00002000UL
-#define XEN__WRITEAPIC 0x00004000UL
-#define XEN__PRIVPROFILE 0x00008000UL
-#define XEN__NONPRIVPROFILE 0x00010000UL
-#define XEN__KEXEC 0x00020000UL
-#define XEN__FIRMWARE 0x00040000UL
-#define XEN__SLEEP 0x00080000UL
-#define XEN__FREQUENCY 0x00100000UL
-#define XEN__GETIDLE 0x00200000UL
-#define XEN__DEBUG 0x00400000UL
-#define XEN__GETCPUINFO 0x00800000UL
-#define XEN__HEAP 0x01000000UL
-#define XEN__PM_OP 0x02000000UL
-#define XEN__MCA_OP 0x04000000UL
-#define XEN__LOCKPROF 0x08000000UL
-#define XEN__CPUPOOL_OP 0x10000000UL
-#define XEN__SCHED_OP 0x20000000UL
-#define XEN__TMEM_OP 0x40000000UL
-#define XEN__TMEM_CONTROL 0x80000000UL
-
-#define DOMAIN__SETVCPUCONTEXT 0x00000001UL
-#define DOMAIN__PAUSE 0x00000002UL
-#define DOMAIN__UNPAUSE 0x00000004UL
-#define DOMAIN__RESUME 0x00000008UL
-#define DOMAIN__CREATE 0x00000010UL
-#define DOMAIN__TRANSITION 0x00000020UL
-#define DOMAIN__MAX_VCPUS 0x00000040UL
-#define DOMAIN__DESTROY 0x00000080UL
-#define DOMAIN__SETVCPUAFFINITY 0x00000100UL
-#define DOMAIN__GETVCPUAFFINITY 0x00000200UL
-#define DOMAIN__SCHEDULER 0x00000400UL
-#define DOMAIN__GETDOMAININFO 0x00000800UL
-#define DOMAIN__GETVCPUINFO 0x00001000UL
-#define DOMAIN__GETVCPUCONTEXT 0x00002000UL
-#define DOMAIN__SETDOMAINMAXMEM 0x00004000UL
-#define DOMAIN__SETDOMAINHANDLE 0x00008000UL
-#define DOMAIN__SETDEBUGGING 0x00010000UL
-#define DOMAIN__HYPERCALL 0x00020000UL
-#define DOMAIN__SETTIME 0x00040000UL
-#define DOMAIN__SET_TARGET 0x00080000UL
-#define DOMAIN__SHUTDOWN 0x00100000UL
-#define DOMAIN__SETADDRSIZE 0x00200000UL
-#define DOMAIN__GETADDRSIZE 0x00400000UL
-#define DOMAIN__TRIGGER 0x00800000UL
-#define DOMAIN__GETEXTVCPUCONTEXT 0x01000000UL
-#define DOMAIN__SETEXTVCPUCONTEXT 0x02000000UL
-#define DOMAIN__GETVCPUEXTSTATE 0x04000000UL
-#define DOMAIN__SETVCPUEXTSTATE 0x08000000UL
-#define DOMAIN__GETPODTARGET 0x10000000UL
-#define DOMAIN__SETPODTARGET 0x20000000UL
-#define DOMAIN__SET_MISC_INFO 0x40000000UL
-#define DOMAIN__SET_VIRQ_HANDLER 0x80000000UL
-
-#define DOMAIN2__RELABELFROM 0x00000001UL
-#define DOMAIN2__RELABELTO 0x00000002UL
-#define DOMAIN2__RELABELSELF 0x00000004UL
-#define DOMAIN2__MAKE_PRIV_FOR 0x00000008UL
-#define DOMAIN2__SET_AS_TARGET 0x00000010UL
-#define DOMAIN2__SET_CPUID 0x00000020UL
-#define DOMAIN2__GETTSC 0x00000040UL
-#define DOMAIN2__SETTSC 0x00000080UL
-
-#define HVM__SETHVMC 0x00000001UL
-#define HVM__GETHVMC 0x00000002UL
-#define HVM__SETPARAM 0x00000004UL
-#define HVM__GETPARAM 0x00000008UL
-#define HVM__PCILEVEL 0x00000010UL
-#define HVM__IRQLEVEL 0x00000020UL
-#define HVM__PCIROUTE 0x00000040UL
-#define HVM__BIND_IRQ 0x00000080UL
-#define HVM__CACHEATTR 0x00000100UL
-#define HVM__TRACKDIRTYVRAM 0x00000200UL
-#define HVM__HVMCTL 0x00000400UL
-#define HVM__MEM_EVENT 0x00000800UL
-#define HVM__MEM_SHARING 0x00001000UL
-#define HVM__AUDIT_P2M 0x00002000UL
-#define HVM__SEND_IRQ 0x00004000UL
-#define HVM__SHARE_MEM 0x00008000UL
-
-#define EVENT__BIND 0x00000001UL
-#define EVENT__SEND 0x00000002UL
-#define EVENT__STATUS 0x00000004UL
-#define EVENT__NOTIFY 0x00000008UL
-#define EVENT__CREATE 0x00000010UL
-#define EVENT__RESET 0x00000020UL
-
-#define GRANT__MAP_READ 0x00000001UL
-#define GRANT__MAP_WRITE 0x00000002UL
-#define GRANT__UNMAP 0x00000004UL
-#define GRANT__TRANSFER 0x00000008UL
-#define GRANT__SETUP 0x00000010UL
-#define GRANT__COPY 0x00000020UL
-#define GRANT__QUERY 0x00000040UL
-
-#define MMU__MAP_READ 0x00000001UL
-#define MMU__MAP_WRITE 0x00000002UL
-#define MMU__PAGEINFO 0x00000004UL
-#define MMU__PAGELIST 0x00000008UL
-#define MMU__ADJUST 0x00000010UL
-#define MMU__STAT 0x00000020UL
-#define MMU__TRANSLATEGP 0x00000040UL
-#define MMU__UPDATEMP 0x00000080UL
-#define MMU__PHYSMAP 0x00000100UL
-#define MMU__PINPAGE 0x00000200UL
-#define MMU__MFNLIST 0x00000400UL
-#define MMU__MEMORYMAP 0x00000800UL
-#define MMU__REMOTE_REMAP 0x00001000UL
-#define MMU__MMUEXT_OP 0x00002000UL
-#define MMU__EXCHANGE 0x00004000UL
-
-#define SHADOW__DISABLE 0x00000001UL
-#define SHADOW__ENABLE 0x00000002UL
-#define SHADOW__LOGDIRTY 0x00000004UL
-
-#define RESOURCE__ADD 0x00000001UL
-#define RESOURCE__REMOVE 0x00000002UL
-#define RESOURCE__USE 0x00000004UL
-#define RESOURCE__ADD_IRQ 0x00000008UL
-#define RESOURCE__REMOVE_IRQ 0x00000010UL
-#define RESOURCE__ADD_IOPORT 0x00000020UL
-#define RESOURCE__REMOVE_IOPORT 0x00000040UL
-#define RESOURCE__ADD_IOMEM 0x00000080UL
-#define RESOURCE__REMOVE_IOMEM 0x00000100UL
-#define RESOURCE__STAT_DEVICE 0x00000200UL
-#define RESOURCE__ADD_DEVICE 0x00000400UL
-#define RESOURCE__REMOVE_DEVICE 0x00000800UL
-#define RESOURCE__PLUG 0x00001000UL
-#define RESOURCE__UNPLUG 0x00002000UL
-#define RESOURCE__SETUP 0x00004000UL
-
-#define SECURITY__COMPUTE_AV 0x00000001UL
-#define SECURITY__COMPUTE_CREATE 0x00000002UL
-#define SECURITY__COMPUTE_MEMBER 0x00000004UL
-#define SECURITY__CHECK_CONTEXT 0x00000008UL
-#define SECURITY__LOAD_POLICY 0x00000010UL
-#define SECURITY__COMPUTE_RELABEL 0x00000020UL
-#define SECURITY__COMPUTE_USER 0x00000040UL
-#define SECURITY__SETENFORCE 0x00000080UL
-#define SECURITY__SETBOOL 0x00000100UL
-#define SECURITY__SETSECPARAM 0x00000200UL
-#define SECURITY__ADD_OCONTEXT 0x00000400UL
-#define SECURITY__DEL_OCONTEXT 0x00000800UL
-
diff --git a/xen/xsm/flask/include/class_to_string.h
b/xen/xsm/flask/include/class_to_string.h
deleted file mode 100644
index 7716645..0000000
--- a/xen/xsm/flask/include/class_to_string.h
+++ /dev/null
@@ -1,15 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-/*
- * Security object class definitions
- */
- S_("null")
- S_("xen")
- S_("domain")
- S_("domain2")
- S_("hvm")
- S_("mmu")
- S_("resource")
- S_("shadow")
- S_("event")
- S_("grant")
- S_("security")
diff --git a/xen/xsm/flask/include/flask.h b/xen/xsm/flask/include/flask.h
deleted file mode 100644
index 3bff998..0000000
--- a/xen/xsm/flask/include/flask.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-#ifndef _SELINUX_FLASK_H_
-#define _SELINUX_FLASK_H_
-
-/*
- * Security object class definitions
- */
-#define SECCLASS_XEN 1
-#define SECCLASS_DOMAIN 2
-#define SECCLASS_DOMAIN2 3
-#define SECCLASS_HVM 4
-#define SECCLASS_MMU 5
-#define SECCLASS_RESOURCE 6
-#define SECCLASS_SHADOW 7
-#define SECCLASS_EVENT 8
-#define SECCLASS_GRANT 9
-#define SECCLASS_SECURITY 10
-
-/*
- * Security identifier indices for initial entities
- */
-#define SECINITSID_XEN 1
-#define SECINITSID_DOM0 2
-#define SECINITSID_DOMIO 3
-#define SECINITSID_DOMXEN 4
-#define SECINITSID_UNLABELED 5
-#define SECINITSID_SECURITY 6
-#define SECINITSID_IOPORT 7
-#define SECINITSID_IOMEM 8
-#define SECINITSID_IRQ 9
-#define SECINITSID_DEVICE 10
-
-#define SECINITSID_NUM 10
-
-#endif
diff --git a/xen/xsm/flask/include/initial_sid_to_string.h
b/xen/xsm/flask/include/initial_sid_to_string.h
deleted file mode 100644
index 814f4bf..0000000
--- a/xen/xsm/flask/include/initial_sid_to_string.h
+++ /dev/null
@@ -1,16 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-static char *initial_sid_to_string[] =
-{
- "null",
- "xen",
- "dom0",
- "domio",
- "domxen",
- "unlabeled",
- "security",
- "ioport",
- "iomem",
- "irq",
- "device",
-};
-
diff --git a/xen/xsm/flask/policy/access_vectors
b/xen/xsm/flask/policy/access_vectors
new file mode 100644
index 0000000..7a7e253
--- /dev/null
+++ b/xen/xsm/flask/policy/access_vectors
@@ -0,0 +1,190 @@
+#
+# Define the access vectors.
+#
+# class class_name { permission_name ... }
+
+class xen
+{
+ scheduler
+ settime
+ tbufcontrol
+ readconsole
+ clearconsole
+ perfcontrol
+ mtrr_add
+ mtrr_del
+ mtrr_read
+ microcode
+ physinfo
+ quirk
+ writeconsole
+ readapic
+ writeapic
+ privprofile
+ nonprivprofile
+ kexec
+ firmware
+ sleep
+ frequency
+ getidle
+ debug
+ getcpuinfo
+ heap
+ pm_op
+ mca_op
+ lockprof
+ cpupool_op
+ sched_op
+ tmem_op
+ tmem_control
+}
+
+class domain
+{
+ setvcpucontext
+ pause
+ unpause
+ resume
+ create
+ transition
+ max_vcpus
+ destroy
+ setvcpuaffinity
+ getvcpuaffinity
+ scheduler
+ getdomaininfo
+ getvcpuinfo
+ getvcpucontext
+ setdomainmaxmem
+ setdomainhandle
+ setdebugging
+ hypercall
+ settime
+ set_target
+ shutdown
+ setaddrsize
+ getaddrsize
+ trigger
+ getextvcpucontext
+ setextvcpucontext
+ getvcpuextstate
+ setvcpuextstate
+ getpodtarget
+ setpodtarget
+ set_misc_info
+ set_virq_handler
+}
+
+class domain2
+{
+ relabelfrom
+ relabelto
+ relabelself
+ make_priv_for
+ set_as_target
+ set_cpuid
+ gettsc
+ settsc
+}
+
+class hvm
+{
+ sethvmc
+ gethvmc
+ setparam
+ getparam
+ pcilevel
+ irqlevel
+ pciroute
+ bind_irq
+ cacheattr
+ trackdirtyvram
+ hvmctl
+ mem_event
+ mem_sharing
+ audit_p2m
+ send_irq
+ share_mem
+}
+
+class event
+{
+ bind
+ send
+ status
+ notify
+ create
+ reset
+}
+
+class grant
+{
+ map_read
+ map_write
+ unmap
+ transfer
+ setup
+ copy
+ query
+}
+
+class mmu
+{
+ map_read
+ map_write
+ pageinfo
+ pagelist
+ adjust
+ stat
+ translategp
+ updatemp
+ physmap
+ pinpage
+ mfnlist
+ memorymap
+ remote_remap
+ mmuext_op
+ exchange
+}
+
+class shadow
+{
+ disable
+ enable
+ logdirty
+}
+
+class resource
+{
+ add
+ remove
+ use
+ add_irq
+ remove_irq
+ add_ioport
+ remove_ioport
+ add_iomem
+ remove_iomem
+ stat_device
+ add_device
+ remove_device
+ plug
+ unplug
+ setup
+}
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce
+ setbool
+ setsecparam
+ add_ocontext
+ del_ocontext
+}
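Review bot: The bit position of each permission is its order in its class (mkaccess_vector.sh doubles `permission` per name), and `class xen` in this file already lists exactly 32 names, which is the full width of the `0x%08xUL` masks the generator emits; nothing in the file says so, and inserting a name mid-class renumbers everything after it. A short header comment would prevent both mistakes: `# Permission order within a class fixes its bit value: append new names at the end, never insert. A class holds at most 32 permissions (class xen is full; use a new class such as domain2).` Whether a compiled policy is bound to these numbers is inferred from the generated headers rather than shown here, so the compatibility consequence should be confirmed before wording it more strongly.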
diff --git a/xen/xsm/flask/policy/initial_sids
b/xen/xsm/flask/policy/initial_sids
new file mode 100644
index 0000000..e508bde
--- /dev/null
+++ b/xen/xsm/flask/policy/initial_sids
@@ -0,0 +1,16 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+sid xen
+sid dom0
+sid domio
+sid domxen
+sid unlabeled
+sid security
+sid ioport
+sid iomem
+sid irq
+sid device
+# FLASK
diff --git a/xen/xsm/flask/policy/mkaccess_vector.sh
b/xen/xsm/flask/policy/mkaccess_vector.sh
new file mode 100644
index 0000000..8ec87f7
--- /dev/null
+++ b/xen/xsm/flask/policy/mkaccess_vector.sh
@@ -0,0 +1,138 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="include/av_permissions.h"
+av_perm_to_string="include/av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN {
+ outfile = \"$av_permissions\"
+ avpermfile = \"$av_perm_to_string\"
+ "'
+ nextstate = "COMMON_OR_AV";
+ printf("/* This file is automatically generated. Do not edit.
*/\n") > outfile;
+ printf("/* This file is automatically generated. Do not edit.
*/\n") > avpermfile;
+;
+ }
+/^[ \t]*#/ {
+ next;
+ }
+$1 == "class" {
+ if (nextstate != "COMMON_OR_AV" &&
+ nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+ {
+ printf("Parse error: Unexpected class
definition on line %d\n", NR);
+ next;
+ }
+
+ tclass = $2;
+
+ if (tclass in av_defined)
+ {
+ printf("Duplicate access vector definition for
%s on line %d\n", tclass, NR);
+ next;
+ }
+ av_defined[tclass] = 1;
+
+ permission = 1;
+
+ nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+ next;
+ }
+$1 == "{" {
+ if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+ nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+ nextstate != "COMMON-OPENBRACKET")
+ {
+ printf("Parse error: Unexpected { on line
%d\n", NR);
+ next;
+ }
+
+ if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+ nextstate = "CLASS-CLOSEBRACKET";
+
+ if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+ nextstate = "CLASS-CLOSEBRACKET";
+
+ if (nextstate == "COMMON-OPENBRACKET")
+ nextstate = "COMMON-CLOSEBRACKET";
+ }
+/[a-z][a-z_]*/ {
+ if (nextstate != "COMMON-CLOSEBRACKET" &&
+ nextstate != "CLASS-CLOSEBRACKET")
+ {
+ printf("Parse error: Unexpected symbol %s on
line %d\n", $1, NR);
+ next;
+ }
+
+ if (nextstate == "COMMON-CLOSEBRACKET")
+ {
+ if ((common_name,$1) in common_perms)
+ {
+ printf("Duplicate permission %s for
common %s on line %d.\n", $1, common_name, NR);
+ next;
+ }
+
+ common_perms[common_name,$1] = permission;
+
+ printf("#define COMMON_%s__%s",
toupper(common_name), toupper($1)) > outfile;
+
+ printf(" S_(\"%s\")\n", $1) > cpermfile;
+ }
+ else
+ {
+ if ((tclass,$1) in av_perms)
+ {
+ printf("Duplicate permission %s for %s
on line %d.\n", $1, tclass, NR);
+ next;
+ }
+
+ av_perms[tclass,$1] = permission;
+
+ printf("#define %s__%s", toupper(tclass),
toupper($1)) > outfile;
+
+ printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n",
toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
+ }
+
+ spaces = 40 - (length($1) + length(tclass));
+ if (spaces < 1)
+ spaces = 1;
+
+ for (i = 0; i < spaces; i++)
+ printf(" ") > outfile;
+ printf("0x%08xUL\n", permission) > outfile;
+ permission = permission * 2;
+ }
+$1 == "}" {
+ if (nextstate != "CLASS-CLOSEBRACKET" &&
+ nextstate != "COMMON-CLOSEBRACKET")
+ {
+ printf("Parse error: Unexpected } on line
%d\n", NR);
+ next;
+ }
+
+ if (nextstate == "COMMON-CLOSEBRACKET")
+ {
+ common_base[common_name] = permission;
+ printf("TE_(common_%s_perm_to_string)\n\n",
common_name) > cpermfile;
+ }
+
+ printf("\n") > outfile;
+
+ nextstate = "COMMON_OR_AV";
+ }
+END {
+ if (nextstate != "COMMON_OR_AV" && nextstate !=
"CLASS_OR_CLASS-OPENBRACKET")
+ printf("Parse error: Unexpected end of file\n");
+
+ }'
+
+# FLASK
diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
new file mode 100644
index 0000000..e8d8fb5
--- /dev/null
+++ b/xen/xsm/flask/policy/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="include/flask.h"
+debug_file="include/class_to_string.h"
+debug_file2="include/initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN {
+ outfile = \"$output_file\"
+ debugfile = \"$debug_file\"
+ debugfile2 = \"$debug_file2\"
+ "'
+ nextstate = "CLASS";
+
+ printf("/* This file is automatically generated. Do not edit.
*/\n") > outfile;
+
+ printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+ printf("#define _SELINUX_FLASK_H_\n") > outfile;
+ printf("\n/*\n * Security object class definitions\n */\n") >
outfile;
+ printf("/* This file is automatically generated. Do not edit.
*/\n") > debugfile;
+ printf("/*\n * Security object class definitions\n */\n") >
debugfile;
+ printf(" S_(\"null\")\n") > debugfile;
+ printf("/* This file is automatically generated. Do not edit.
*/\n") > debugfile2;
+ printf("static char *initial_sid_to_string[] =\n{\n") >
debugfile2;
+ printf(" \"null\",\n") > debugfile2;
+ }
+/^[ \t]*#/ {
+ next;
+ }
+$1 == "class" {
+ if (nextstate != "CLASS")
+ {
+ printf("Parse error: Unexpected class
definition on line %d\n", NR);
+ next;
+ }
+
+ if ($2 in class_found)
+ {
+ printf("Duplicate class definition for %s on
line %d.\n", $2, NR);
+ next;
+ }
+ class_found[$2] = 1;
+
+ class_value++;
+
+ printf("#define SECCLASS_%s", toupper($2)) > outfile;
+ for (i = 0; i < 40 - length($2); i++)
+ printf(" ") > outfile;
+ printf("%d\n", class_value) > outfile;
+
+ printf(" S_(\"%s\")\n", $2) > debugfile;
+ }
+$1 == "sid" {
+ if (nextstate == "CLASS")
+ {
+ nextstate = "SID";
+ printf("\n/*\n * Security identifier indices for
initial entities\n */\n") > outfile;
+ }
+
+ if ($2 in sid_found)
+ {
+ printf("Duplicate SID definition for %s on line
%d.\n", $2, NR);
+ next;
+ }
+ sid_found[$2] = 1;
+ sid_value++;
+
+ printf("#define SECINITSID_%s", toupper($2)) > outfile;
+ for (i = 0; i < 37 - length($2); i++)
+ printf(" ") > outfile;
+ printf("%d\n", sid_value) > outfile;
+ printf(" \"%s\",\n", $2) > debugfile2;
+ }
+END {
+ if (nextstate != "SID")
+ printf("Parse error: Unexpected end of file\n");
+
+ printf("\n#define SECINITSID_NUM") > outfile;
+ for (i = 0; i < 34; i++)
+ printf(" ") > outfile;
+ printf("%d\n", sid_value) > outfile;
+ printf("\n#endif\n") > outfile;
+ printf("};\n\n") > debugfile2;
+ }'
+
+# FLASK
diff --git a/xen/xsm/flask/policy/security_classes
b/xen/xsm/flask/policy/security_classes
new file mode 100644
index 0000000..ef134a7
--- /dev/null
+++ b/xen/xsm/flask/policy/security_classes
@@ -0,0 +1,21 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class xen
+class domain
+class domain2
+class hvm
+class mmu
+class resource
+class shadow
+class event
+class grant
+class security
+
+# FLASK
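Review bot: The comment `# Classes marked as userspace are classes for userspace object managers` describes a marker this file never uses — none of the ten classes carries any annotation, and mkflask.sh reads only `$2` of each `class` line. Replace it with a comment describing what the order actually controls, e.g. `# Class order fixes the SECCLASS_* value (mkflask.sh numbers them sequentially); append new classes at the end rather than inserting.` Whether existing compiled policies depend on those numbers is not shown in this patch and should be confirmed before stating it.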
--
1.7.11.7