authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-09-17 21:10:07 +0100
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-09-17 21:10:07 +0100
commit23ef6c3662d4a106117ea8c1370e6d5f8016a7db (patch)
tree56e16476adf8832f38cab5cf34b6ec0408471bcd /tools/flask
parentc892426ce32dc68487613a95c1bf6441e8b15e43 (diff)
xsm/flask: remove inherited class attributes
The ability to declare common permission blocks shared across multiple classes is not currently used in Xen. Support for this feature is also broken in the header generation scripts, and it is not expected to be used in the future, so remove the dead code. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/policy/flask/Makefile2
-rw-r--r--tools/flask/policy/policy/flask/access_vectors17
-rw-r--r--tools/flask/policy/policy/flask/mkaccess_vector.sh89
3 files changed, 2 insertions, 106 deletions
diff --git a/tools/flask/policy/policy/flask/Makefile b/tools/flask/policy/policy/flask/Makefile
index 970b9fedce..5f57e88810 100644
--- a/tools/flask/policy/policy/flask/Makefile
+++ b/tools/flask/policy/policy/flask/Makefile
@@ -14,7 +14,7 @@ FLASK_H_DEPEND = security_classes initial_sids
AV_H_DEPEND = access_vectors
FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+AV_H_FILES = av_perm_to_string.h av_permissions.h
ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
all: $(ALL_H_FILES)
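Review bot: Removing av_inherit.h and common_perm_to_string.h from AV_H_FILES also removes them from ALL_H_FILES, so a build directory that already contains both generated headers from before this change will keep them as stale files unless some rule names them explicitly. The clean rule is outside this hunk, so this is inferred; if it is derived from ALL_H_FILES, the two files will never be removed by `make clean`. A one-time line in that rule, `$(RM) av_inherit.h common_perm_to_string.h`, or a short comment above AV_H_FILES noting that those two headers are no longer generated, would make the transition explicit.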
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
index 5901911d18..a884312b01 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -1,22 +1,7 @@
#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-#
-# Define a common prefix for file access vectors.
-#
-
-
-#
# Define the access vectors.
#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
+# class class_name { permission_name ... }
class xen
{
diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/tools/flask/policy/policy/flask/mkaccess_vector.sh
index b5da734b04..43a60a79e3 100644
--- a/tools/flask/policy/policy/flask/mkaccess_vector.sh
+++ b/tools/flask/policy/policy/flask/mkaccess_vector.sh
@@ -10,50 +10,21 @@ shift
# output files
av_permissions="av_permissions.h"
-av_inherit="av_inherit.h"
-common_perm_to_string="common_perm_to_string.h"
av_perm_to_string="av_perm_to_string.h"
cat $* | $awk "
BEGIN {
outfile = \"$av_permissions\"
- inheritfile = \"$av_inherit\"
- cpermfile = \"$common_perm_to_string\"
avpermfile = \"$av_perm_to_string\"
"'
nextstate = "COMMON_OR_AV";
printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile;
printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
;
}
/^[ \t]*#/ {
next;
}
-$1 == "common" {
- if (nextstate != "COMMON_OR_AV")
- {
- printf("Parse error: Unexpected COMMON definition on line %d\n", NR);
- next;
- }
-
- if ($2 in common_defined)
- {
- printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
- next;
- }
- common_defined[$2] = 1;
-
- tclass = $2;
- common_name = $2;
- permission = 1;
-
- printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
-
- nextstate = "COMMON-OPENBRACKET";
- next;
- }
$1 == "class" {
if (nextstate != "COMMON_OR_AV" &&
nextstate != "CLASS_OR_CLASS-OPENBRACKET")
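Review bot: The parser's state names still describe the removed feature: `nextstate = "COMMON_OR_AV";` in the BEGIN block and the check `nextstate != "COMMON_OR_AV"` in the `class` rule survive here, and the next hunk (L113-L173) still sets `nextstate = "INHERITS_OR_CLASS-OPENBRACKET";` and accepts `CLASS_OR_CLASS-OPENBRACKET` in the `{` rule, even though the `common` and `inherits` rules that gave those names meaning are deleted. Renaming them at the definitions and each comparison (for example `COMMON_OR_AV` to `CLASS` and `INHERITS_OR_CLASS-OPENBRACKET` to `CLASS-OPENBRACKET`) would keep the state machine readable, and as far as these hunks show `CLASS_OR_CLASS-OPENBRACKET` is no longer assigned anywhere, so that alternative in the `{` condition may be dead. The `class` rule's condition and body continue past the end of this hunk. Separately, the removed handlers printed a parse error and then `next`-ed without setting a failure flag; if the surviving rules follow the same pattern, a malformed access_vectors file still yields generated headers and a zero exit status, which is worth a follow-up since these constants feed the policy build.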
@@ -71,62 +42,11 @@ $1 == "class" {
}
av_defined[tclass] = 1;
- inherits = "";
permission = 1;
nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
next;
}
-$1 == "inherits" {
- if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
- {
- printf("Parse error: Unexpected INHERITS definition on line %d\n", NR);
- next;
- }
-
- if (!($2 in common_defined))
- {
- printf("COMMON %s is not defined (line %d).\n", $2, NR);
- next;
- }
-
- inherits = $2;
- permission = common_base[$2];
-
- for (combined in common_perms)
- {
- split(combined,separate, SUBSEP);
- if (separate[1] == inherits)
- {
- inherited_perms[common_perms[combined]] = separate[2];
- }
- }
-
- j = 1;
- for (i in inherited_perms) {
- ind[j] = i + 0;
- j++;
- }
- n = asort(ind);
- for (i = 1; i <= n; i++) {
- perm = inherited_perms[ind[i]];
- printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile;
- spaces = 40 - (length(perm) + length(tclass));
- if (spaces < 1)
- spaces = 1;
- for (j = 0; j < spaces; j++)
- printf(" ") > outfile;
- printf("0x%08xUL\n", ind[i]) > outfile;
- }
- printf("\n") > outfile;
- for (i in ind) delete ind[i];
- for (i in inherited_perms) delete inherited_perms[i];
-
- printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile;
-
- nextstate = "CLASS_OR_CLASS-OPENBRACKET";
- next;
- }
$1 == "{" {
if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
@@ -177,15 +97,6 @@ $1 == "{" {
av_perms[tclass,$1] = permission;
- if (inherits != "")
- {
- if ((inherits,$1) in common_perms)
- {
- printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
- next;
- }
- }
-
printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;