diff options
author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-09-17 21:10:07 +0100 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-09-17 21:10:07 +0100 |
commit | 23ef6c3662d4a106117ea8c1370e6d5f8016a7db (patch) | |
tree | 56e16476adf8832f38cab5cf34b6ec0408471bcd /tools/flask | |
parent | c892426ce32dc68487613a95c1bf6441e8b15e43 (diff) | |
download | xen-23ef6c3662d4a106117ea8c1370e6d5f8016a7db.tar.gz xen-23ef6c3662d4a106117ea8c1370e6d5f8016a7db.tar.bz2 xen-23ef6c3662d4a106117ea8c1370e6d5f8016a7db.zip |
xsm/flask: remove inherited class attributes
The ability to declare common permission blocks shared across multiple
classes is not currently used in Xen. Currently, support for this
feature is broken in the header generation scripts, and it is not
expected that this feature will be used in the future, so remove the
dead code.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/flask')
-rw-r--r-- | tools/flask/policy/policy/flask/Makefile | 2 | ||||
-rw-r--r-- | tools/flask/policy/policy/flask/access_vectors | 17 | ||||
-rw-r--r-- | tools/flask/policy/policy/flask/mkaccess_vector.sh | 89 |
3 files changed, 2 insertions, 106 deletions
diff --git a/tools/flask/policy/policy/flask/Makefile b/tools/flask/policy/policy/flask/Makefile index 970b9fedce..5f57e88810 100644 --- a/tools/flask/policy/policy/flask/Makefile +++ b/tools/flask/policy/policy/flask/Makefile @@ -14,7 +14,7 @@ FLASK_H_DEPEND = security_classes initial_sids AV_H_DEPEND = access_vectors FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h -AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h +AV_H_FILES = av_perm_to_string.h av_permissions.h ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES) all: $(ALL_H_FILES) diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors index 5901911d18..a884312b01 100644 --- a/tools/flask/policy/policy/flask/access_vectors +++ b/tools/flask/policy/policy/flask/access_vectors @@ -1,22 +1,7 @@ # -# Define common prefixes for access vectors -# -# common common_name { permission_name ... } - -# -# Define a common prefix for file access vectors. -# - - -# # Define the access vectors. # -# class class_name [ inherits common_name ] { permission_name ... } - - -# -# Define the access vector interpretation for file-related objects. -# +# class class_name { permission_name ... } class xen { diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/tools/flask/policy/policy/flask/mkaccess_vector.sh index b5da734b04..43a60a79e3 100644 --- a/tools/flask/policy/policy/flask/mkaccess_vector.sh +++ b/tools/flask/policy/policy/flask/mkaccess_vector.sh @@ -10,50 +10,21 @@ shift # output files av_permissions="av_permissions.h" -av_inherit="av_inherit.h" -common_perm_to_string="common_perm_to_string.h" av_perm_to_string="av_perm_to_string.h" cat $* | $awk " BEGIN { outfile = \"$av_permissions\" - inheritfile = \"$av_inherit\" - cpermfile = \"$common_perm_to_string\" avpermfile = \"$av_perm_to_string\" "' nextstate = "COMMON_OR_AV"; printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile; - printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile; printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; ; } /^[ \t]*#/ { next; } -$1 == "common" { - if (nextstate != "COMMON_OR_AV") - { - printf("Parse error: Unexpected COMMON definition on line %d\n", NR); - next; - } - - if ($2 in common_defined) - { - printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR); - next; - } - common_defined[$2] = 1; - - tclass = $2; - common_name = $2; - permission = 1; - - printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile; - - nextstate = "COMMON-OPENBRACKET"; - next; - } $1 == "class" { if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") @@ -71,62 +42,11 @@ $1 == "class" { } av_defined[tclass] = 1; - inherits = ""; permission = 1; nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; next; } -$1 == "inherits" { - if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET") - { - printf("Parse error: Unexpected INHERITS definition on line %d\n", NR); - next; - } - - if (!($2 in common_defined)) - { - printf("COMMON %s is not defined (line %d).\n", $2, NR); - next; - } - - inherits = $2; - permission = common_base[$2]; - - for (combined in common_perms) - { - split(combined,separate, SUBSEP); - if (separate[1] == inherits) - { - inherited_perms[common_perms[combined]] = separate[2]; - } - } - - j = 1; - for (i in inherited_perms) { - ind[j] = i + 0; - j++; - } - n = asort(ind); - for (i = 1; i <= n; i++) { - perm = inherited_perms[ind[i]]; - printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; - spaces = 40 - (length(perm) + length(tclass)); - if (spaces < 1) - spaces = 1; - for (j = 0; j < spaces; j++) - printf(" ") > outfile; - printf("0x%08xUL\n", ind[i]) > outfile; - } - printf("\n") > outfile; - for (i in ind) delete ind[i]; - for (i in inherited_perms) delete inherited_perms[i]; - - printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; - - nextstate = "CLASS_OR_CLASS-OPENBRACKET"; - next; - } $1 == "{" { if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && nextstate != "CLASS_OR_CLASS-OPENBRACKET" && @@ -177,15 +97,6 @@ $1 == "{" { av_perms[tclass,$1] = permission; - if (inherits != "") - { - if ((inherits,$1) in common_perms) - { - printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR); - next; - } - } - printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; |