
[Xen-changelog] [xen-unstable] xsm/flask: remove inherited class attributes


  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-unstable <patchbot@xxxxxxx>
  • Date: Tue, 18 Sep 2012 08:22:10 +0000
  • Delivery-date: Tue, 18 Sep 2012 08:22:32 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
# Date 1347912607 -3600
# Node ID 6804e90926708152edecbf15e9b6689fbc402b52
# Parent  c2578dd96b8318e108fff0f340411135dedaa47d
xsm/flask: remove inherited class attributes

The ability to declare common permission blocks shared across multiple
classes is not currently used in Xen. Currently, support for this
feature is broken in the header generation scripts, and it is not
expected that this feature will be used in the future, so remove the
dead code.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Committed-by: Keir Fraser <keir@xxxxxxx>
---


diff -r c2578dd96b83 -r 6804e9092670 tools/flask/policy/policy/flask/Makefile
--- a/tools/flask/policy/policy/flask/Makefile  Mon Sep 17 21:06:02 2012 +0100
+++ b/tools/flask/policy/policy/flask/Makefile  Mon Sep 17 21:10:07 2012 +0100
@@ -14,7 +14,7 @@ FLASK_H_DEPEND = security_classes initia
 AV_H_DEPEND = access_vectors
 
 FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h 
av_permissions.h
+AV_H_FILES = av_perm_to_string.h av_permissions.h
 ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
 
 all:  $(ALL_H_FILES)
diff -r c2578dd96b83 -r 6804e9092670 
tools/flask/policy/policy/flask/access_vectors
--- a/tools/flask/policy/policy/flask/access_vectors    Mon Sep 17 21:06:02 
2012 +0100
+++ b/tools/flask/policy/policy/flask/access_vectors    Mon Sep 17 21:10:07 
2012 +0100
@@ -1,22 +1,7 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-#
-# Define a common prefix for file access vectors.
-#
-
-
 #
 # Define the access vectors.
 #
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
+# class class_name { permission_name ... }
 
 class xen
 {
diff -r c2578dd96b83 -r 6804e9092670 
tools/flask/policy/policy/flask/mkaccess_vector.sh
--- a/tools/flask/policy/policy/flask/mkaccess_vector.sh        Mon Sep 17 
21:06:02 2012 +0100
+++ b/tools/flask/policy/policy/flask/mkaccess_vector.sh        Mon Sep 17 
21:10:07 2012 +0100
@@ -10,50 +10,21 @@ shift
 
 # output files
 av_permissions="av_permissions.h"
-av_inherit="av_inherit.h"
-common_perm_to_string="common_perm_to_string.h"
 av_perm_to_string="av_perm_to_string.h"
 
 cat $* | $awk "
 BEGIN  {
                outfile = \"$av_permissions\"
-               inheritfile = \"$av_inherit\"
-               cpermfile = \"$common_perm_to_string\"
                avpermfile = \"$av_perm_to_string\"
                "'
                nextstate = "COMMON_OR_AV";
                printf("/* This file is automatically generated.  Do not edit. 
*/\n") > outfile;
-               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > inheritfile;
-               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > cpermfile;
                printf("/* This file is automatically generated.  Do not edit. 
*/\n") > avpermfile;
 ;
        }
 /^[ \t]*#/     { 
                        next;
                }
-$1 == "common" { 
-                       if (nextstate != "COMMON_OR_AV")
-                       {
-                               printf("Parse error:  Unexpected COMMON 
definition on line %d\n", NR);
-                               next;   
-                       }
-
-                       if ($2 in common_defined)
-                       {
-                               printf("Duplicate COMMON definition for %s on 
line %d.\n", $2, NR);
-                               next;
-                       }       
-                       common_defined[$2] = 1;
-
-                       tclass = $2;
-                       common_name = $2; 
-                       permission = 1;
-
-                       printf("TB_(common_%s_perm_to_string)\n", $2) > 
cpermfile;
-
-                       nextstate = "COMMON-OPENBRACKET";
-                       next;
-               }
 $1 == "class"  {
                        if (nextstate != "COMMON_OR_AV" &&
                            nextstate != "CLASS_OR_CLASS-OPENBRACKET")
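Review bot: The parser's state names still encode the removed keywords — `nextstate = "COMMON_OR_AV"` in BEGIN and in the `class` rule here, and `"INHERITS_OR_CLASS-OPENBRACKET"` in the `class` and `{` rules of the next hunk — so a reader of the new code is pointed at `common`/`inherits` handling that no longer exists. Renaming them (for example `"CLASS"` and `"CLASS-OPENBRACKET"`) is a one-line change per site; failing that, a comment at the BEGIN assignment such as `# state names predate the removal of common/inherits; only "class" and "{" are accepted at these points` keeps the next maintainer from looking for the missing rules. An `inherits` line in an access_vectors file now presumably falls through to whatever catch-all rule follows the `{` rule, which is outside these hunks; since the hypervisor side of this commit rejects commons with an explicit error, an explicit `$1 == "inherits"` rule that prints a parse error would keep the generator and the policy loader in agreement. Note that the existing parse-error rules print and `next` rather than abort, so the headers are still produced after a bad input line.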
@@ -71,62 +42,11 @@ BEGIN       {
                        } 
                        av_defined[tclass] = 1;
 
-                       inherits = "";
                        permission = 1;
 
                        nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
                        next;
                }
-$1 == "inherits" {                     
-                       if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
-                       {
-                               printf("Parse error:  Unexpected INHERITS 
definition on line %d\n", NR);
-                               next;   
-                       }
-
-                       if (!($2 in common_defined))
-                       {
-                               printf("COMMON %s is not defined (line %d).\n", 
$2, NR);
-                               next;
-                       }
-
-                       inherits = $2;
-                       permission = common_base[$2];
-
-                       for (combined in common_perms)
-                       {
-                               split(combined,separate, SUBSEP);
-                               if (separate[1] == inherits)
-                               {
-                                       inherited_perms[common_perms[combined]] 
= separate[2];
-                               }
-                       }
-
-                        j = 1;
-                        for (i in inherited_perms) {
-                            ind[j] = i + 0;
-                            j++;
-                        }
-                        n = asort(ind);
-                       for (i = 1; i <= n; i++) {
-                               perm = inherited_perms[ind[i]];
-                               printf("#define %s__%s", toupper(tclass), 
toupper(perm)) > outfile; 
-                               spaces = 40 - (length(perm) + length(tclass));
-                               if (spaces < 1)
-                                     spaces = 1;
-                               for (j = 0; j < spaces; j++) 
-                                       printf(" ") > outfile; 
-                               printf("0x%08xUL\n", ind[i]) > outfile; 
-                       }
-                       printf("\n") > outfile;
-                        for (i in ind) delete ind[i];
-                        for (i in inherited_perms) delete inherited_perms[i];
-
-                       printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", 
toupper(tclass), inherits, permission) > inheritfile; 
-
-                       nextstate = "CLASS_OR_CLASS-OPENBRACKET";
-                       next;
-               }
 $1 == "{"      { 
                        if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
                            nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
@@ -177,15 +97,6 @@ BEGIN       {
 
                                av_perms[tclass,$1] = permission;
                
-                               if (inherits != "")
-                               {
-                                       if ((inherits,$1) in common_perms)
-                                       {
-                                               printf("Permission %s in %s on 
line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
-                                               next;
-                                       }
-                               }
-
                                printf("#define %s__%s", toupper(tclass), 
toupper($1)) > outfile; 
 
                                printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", 
toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
diff -r c2578dd96b83 -r 6804e9092670 xen/xsm/flask/avc.c
--- a/xen/xsm/flask/avc.c       Mon Sep 17 21:06:02 2012 +0100
+++ b/xen/xsm/flask/avc.c       Mon Sep 17 21:10:07 2012 +0100
@@ -45,28 +45,11 @@ static const char *class_to_string[] = {
 #undef S_
 };
 
-#define TB_(s) static const char * s [] = {
-#define TE_(s) };
-#define S_(s) s,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) { .tclass = c, .common_pts = common_##i##_perm_to_string, \
-                      .common_base = b },
-#include "av_inherit.h"
-#undef S_
-};
-
 const struct selinux_class_perm selinux_class_perm = {
     .av_perm_to_string = av_perm_to_string,
     .av_pts_len = ARRAY_SIZE(av_perm_to_string),
     .class_to_string = class_to_string,
     .cts_len = ARRAY_SIZE(class_to_string),
-    .av_inherit = av_inherit,
-    .av_inherit_len = ARRAY_SIZE(av_inherit)
 };
 
 #define AVC_CACHE_SLOTS            512
@@ -181,8 +164,6 @@ static void avc_printk(struct avc_dump_b
  */
 static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av)
 {
-    const char **common_pts = NULL;
-    u32 common_base = 0;
     int i, i2, perm;
 
     if ( av == 0 )
@@ -191,29 +172,9 @@ static void avc_dump_av(struct avc_dump_
         return;
     }
 
-    for ( i = 0; i < ARRAY_SIZE(av_inherit); i++ )
-    {
-        if (av_inherit[i].tclass == tclass)
-        {
-            common_pts = av_inherit[i].common_pts;
-            common_base = av_inherit[i].common_base;
-            break;
-        }
-    }
-
     avc_printk(buf, " {");
     i = 0;
     perm = 1;
-    while ( perm < common_base )
-    {
-        if (perm & av)
-        {
-            avc_printk(buf, " %s", common_pts[i]);
-            av &= ~perm;
-        }
-        i++;
-        perm <<= 1;
-    }
 
     while ( i < sizeof(av) * 8 )
     {
diff -r c2578dd96b83 -r 6804e9092670 xen/xsm/flask/include/av_inherit.h
--- a/xen/xsm/flask/include/av_inherit.h        Mon Sep 17 21:06:02 2012 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
diff -r c2578dd96b83 -r 6804e9092670 xen/xsm/flask/include/avc_ss.h
--- a/xen/xsm/flask/include/avc_ss.h    Mon Sep 17 21:06:02 2012 +0100
+++ b/xen/xsm/flask/include/avc_ss.h    Mon Sep 17 21:10:07 2012 +0100
@@ -16,19 +16,11 @@ struct av_perm_to_string {
     const char *name;
 };
 
-struct av_inherit {
-    const char **common_pts;
-    u32 common_base;
-    u16 tclass;
-};
-
 struct selinux_class_perm {
     const struct av_perm_to_string *av_perm_to_string;
     u32 av_pts_len;
     u32 cts_len;
     const char **class_to_string;
-    const struct av_inherit *av_inherit;
-    u32 av_inherit_len;
 };
 
 extern const struct selinux_class_perm selinux_class_perm;
diff -r c2578dd96b83 -r 6804e9092670 
xen/xsm/flask/include/common_perm_to_string.h
--- a/xen/xsm/flask/include/common_perm_to_string.h     Mon Sep 17 21:06:02 
2012 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
diff -r c2578dd96b83 -r 6804e9092670 xen/xsm/flask/ss/policydb.c
--- a/xen/xsm/flask/ss/policydb.c       Mon Sep 17 21:06:02 2012 +0100
+++ b/xen/xsm/flask/ss/policydb.c       Mon Sep 17 21:10:07 2012 +0100
@@ -254,14 +254,6 @@ out_free_symtab:
 
 static int common_index(void *key, void *datum, void *datap)
 {
-    struct policydb *p;
-    struct common_datum *comdatum;
-
-    comdatum = datum;
-    p = datap;
-    if ( !comdatum->value || comdatum->value > p->p_commons.nprim )
-        return -EINVAL;
-    p->p_common_val_to_name[comdatum->value - 1] = key;
     return 0;
 }
 
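Review bot: `common_index` is now an empty callback that returns 0 while still taking `key`, `datum` and `datap`, and nothing in the hunk says why a no-op entry is kept; if it remains in the `index_f[SYM_NUM]` table (visible in the next hunk's header), a comment is needed so it is not mistaken for an unfinished function. Suggested: `/* Commons are still parsed into p_commons but never indexed; any class that names one is rejected in class_read(). */`. If the callback is no longer referenced from `index_f`, deleting it together with its slot is cleaner than keeping the stub.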
@@ -382,8 +374,7 @@ static int (*index_f[SYM_NUM]) (void *ke
 };
 
 /*
- * Define the common val_to_name array and the class
- * val_to_name and val_to_struct arrays in a policy
+ * Define the class val_to_name and val_to_struct arrays in a policy
  * database structure.
  *
  * Caller must clean up upon failure.
@@ -392,18 +383,6 @@ static int policydb_index_classes(struct
 {
     int rc;
 
-    p->p_common_val_to_name =
-        xmalloc_array(char *, p->p_commons.nprim);
-    if ( !p->p_common_val_to_name )
-    {
-        rc = -ENOMEM;
-        goto out;
-    }
-
-    rc = hashtab_map(p->p_commons.table, common_index, p);
-    if ( rc )
-        goto out;
-
     p->class_val_to_struct =
         xmalloc_array(struct class_datum *, p->p_classes.nprim);
     if ( !p->class_val_to_struct )
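Review bot: `policydb_index_classes` no longer assigns `p->p_common_val_to_name`, but the hunk does not show whether the field was removed from `struct policydb` or whether `policydb_destroy` still frees it; if both remain, the pointer is only as valid as the zero-initialisation of the policydb, so please confirm the field is either removed in the same change or that the destroy path tolerates it being NULL. Dropping the field alongside `av_inherit` keeps the struct honest about what is actually populated. The function begins before this hunk and its remaining allocations continue past it.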
@@ -1200,26 +1179,9 @@ static int class_read(struct policydb *p
 
     if ( len2 )
     {
-        cladatum->comkey = xmalloc_array(char, len2 + 1);
-        if ( !cladatum->comkey )
-        {
-            rc = -ENOMEM;
-            goto bad;
-        }
-        rc = next_entry(cladatum->comkey, fp, len2);
-        if ( rc < 0 )
-            goto bad;
-        cladatum->comkey[len2] = 0;
-
-        cladatum->comdatum = hashtab_search(p->p_commons.table,
-                            cladatum->comkey);
-        if ( !cladatum->comdatum )
-        {
-            printk(KERN_ERR "Flask:  unknown common %s\n",
-                   cladatum->comkey);
-            rc = -EINVAL;
-            goto bad;
-        }
+        printk(KERN_ERR "Flask:  classes with common prefixes are not 
supported\n");
+        rc = -EINVAL;
+        goto bad;
     }
     for ( i = 0; i < nel; i++ )
     {
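Review bot: The new `if ( len2 )` branch is now the only place a policy that uses common prefixes is refused, since `validate_classes` in services.c no longer checks inherited permissions, and the code does not say so. A comment on the branch would record that contract, e.g. `/* Commons are parsed but never applied to classes; refuse any class that references one rather than load it with incomplete permission bits. */`. `len2` comes from the policy image and the branch bails before reading the `len2` bytes of the common key, which is the right order for an error path. The message does not name the offending class; if the class key has already been read at this point (outside the hunk), including it would make a rejected policy easier to diagnose. `class_read` continues past the end of this hunk.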
diff -r c2578dd96b83 -r 6804e9092670 xen/xsm/flask/ss/services.c
--- a/xen/xsm/flask/ss/services.c       Mon Sep 17 21:06:02 2012 +0100
+++ b/xen/xsm/flask/ss/services.c       Mon Sep 17 21:10:07 2012 +0100
@@ -1167,10 +1167,10 @@ int security_change_sid(u32 ssid, u32 ts
  */
 static int validate_classes(struct policydb *p)
 {
-    int i, j;
+    int i;
     struct class_datum *cladatum;
     struct perm_datum *perdatum;
-    u32 nprim, tmp, common_pts_len, perm_val, pol_val;
+    u32 nprim, perm_val, pol_val;
     u16 class_val;
     const struct selinux_class_perm *kdefs = &selinux_class_perm;
     const char *def_class, *def_perm, *pol_class;
@@ -1233,56 +1233,6 @@ static int validate_classes(struct polic
             return -EINVAL;
         }
     }
-    for ( i = 0; i < kdefs->av_inherit_len; i++ )
-    {
-        class_val = kdefs->av_inherit[i].tclass;
-        if ( class_val > p->p_classes.nprim )
-            continue;
-        pol_class = p->p_class_val_to_name[class_val-1];
-        cladatum = hashtab_search(p->p_classes.table, pol_class);
-        BUG_ON( !cladatum );
-        if ( !cladatum->comdatum )
-        {
-            printk(KERN_ERR
-            "Flask:  class %s should have an inherits clause but does not\n",
-                   pol_class);
-            return -EINVAL;
-        }
-        tmp = kdefs->av_inherit[i].common_base;
-        common_pts_len = 0;
-        while ( !(tmp & 0x01) )
-        {
-            common_pts_len++;
-            tmp >>= 1;
-        }
-        perms = &cladatum->comdatum->permissions;
-        for ( j = 0; j < common_pts_len; j++ )
-        {
-            def_perm = kdefs->av_inherit[i].common_pts[j];
-            if ( j >= perms->nprim )
-            {
-                printk(KERN_INFO
-                "Flask:  permission %s in class %s not defined in policy\n",
-                       def_perm, pol_class);
-                return -EINVAL;
-            }
-            perdatum = hashtab_search(perms->table, def_perm);
-            if ( perdatum == NULL )
-            {
-                printk(KERN_ERR
-                       "Flask:  permission %s in class %s not found in 
policy\n",
-                       def_perm, pol_class);
-                return -EINVAL;
-            }
-            if ( perdatum->value != j + 1 )
-            {
-                printk(KERN_ERR
-                      "Flask:  permission %s in class %s has incorrect 
value\n",
-                       def_perm, pol_class);
-                return -EINVAL;
-            }
-        }
-    }
     return 0;
 }
 
