xsm: Move flask policy files into hypervisor (missed from earlier commit).

Signed-off-by: Keir Fraser <keir@xen.org>

--HG--
rename : tools/flask/policy/policy/flask/access_vectors => xen/xsm/flask/policy/access_vectors
rename : tools/flask/policy/policy/flask/initial_sids => xen/xsm/flask/policy/initial_sids
rename : tools/flask/policy/policy/flask/mkaccess_vector.sh => xen/xsm/flask/policy/mkaccess_vector.sh
rename : tools/flask/policy/policy/flask/mkflask.sh => xen/xsm/flask/policy/mkflask.sh
rename : tools/flask/policy/policy/flask/security_classes => xen/xsm/flask/policy/security_classes

5 files changed, 448 insertions, 0 deletions

diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
new file mode 100644
index 0000000000..c7e29abb32
--- /dev/null
+++ b/xen/xsm/flask/policy/access_vectors
@@ -0,0 +1,178 @@
+#
+# Define the access vectors.
+#
+# class class_name { permission_name ... }
+
+class xen
+{
+	scheduler
+	settime
+	tbufcontrol
+	readconsole
+	clearconsole
+	perfcontrol
+	mtrr_add
+	mtrr_del
+	mtrr_read
+	microcode
+	physinfo
+	quirk
+    writeconsole
+    readapic
+    writeapic
+    privprofile
+    nonprivprofile
+    kexec
+	firmware
+	sleep
+	frequency
+	getidle
+	debug
+	getcpuinfo
+	heap
+	pm_op
+	mca_op
+	lockprof
+	cpupool_op
+	sched_op
+}
+
+class domain
+{
+	setvcpucontext
+	pause
+	unpause
+    resume
+    create
+    transition
+    max_vcpus
+    destroy
+    setvcpuaffinity
+	getvcpuaffinity
+	scheduler
+	getdomaininfo
+	getvcpuinfo
+	getvcpucontext
+	setdomainmaxmem
+	setdomainhandle
+	setdebugging
+	hypercall
+    settime
+    set_target
+    shutdown
+    setaddrsize
+    getaddrsize
+	trigger
+	getextvcpucontext
+	setextvcpucontext
+	getvcpuextstate
+	setvcpuextstate
+	getpodtarget
+	setpodtarget
+	set_misc_info
+	set_virq_handler
+}
+
+class domain2
+{
+	relabelfrom
+	relabelto
+	relabelself
+}
+
+class hvm
+{
+    sethvmc
+    gethvmc
+    setparam
+    getparam
+    pcilevel
+    irqlevel
+    pciroute
+	bind_irq
+	cacheattr
+    trackdirtyvram
+    hvmctl
+    mem_event
+    mem_sharing
+}
+
+class event
+{
+	bind
+	send
+	status
+	notify
+	create
+    reset
+}
+
+class grant
+{
+	map_read
+	map_write
+	unmap
+	transfer
+	setup
+    copy
+    query
+}
+
+class mmu
+{
+	map_read
+	map_write
+	pageinfo
+	pagelist
+    adjust
+    stat
+    translategp
+	updatemp
+    physmap
+    pinpage
+    mfnlist
+    memorymap
+    remote_remap
+}
+
+class shadow
+{
+	disable
+	enable
+    logdirty
+}
+
+class resource
+{
+	add
+	remove
+	use
+	add_irq
+	remove_irq
+	add_ioport
+	remove_ioport
+	add_iomem
+	remove_iomem
+	stat_device
+	add_device
+	remove_device
+	plug
+	unplug
+	setup
+}
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce
+	setbool
+	setsecparam
+        add_ocontext
+        del_ocontext
+}
diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids
new file mode 100644
index 0000000000..e508bde976
--- /dev/null
+++ b/xen/xsm/flask/policy/initial_sids
@@ -0,0 +1,16 @@
+# FLASK
+
+#
+# Define initial security identifiers 
+#
+sid xen
+sid dom0
+sid domio
+sid domxen
+sid unlabeled
+sid security
+sid ioport
+sid iomem
+sid irq
+sid device
+# FLASK
diff --git a/xen/xsm/flask/policy/mkaccess_vector.sh b/xen/xsm/flask/policy/mkaccess_vector.sh
new file mode 100644
index 0000000000..8ec87f7b8c
--- /dev/null
+++ b/xen/xsm/flask/policy/mkaccess_vector.sh
@@ -0,0 +1,138 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="include/av_permissions.h"
+av_perm_to_string="include/av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$av_permissions\"
+		avpermfile = \"$av_perm_to_string\"
+		"'
+		nextstate = "COMMON_OR_AV";
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
+;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "class"	{
+			if (nextstate != "COMMON_OR_AV" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			tclass = $2;
+
+			if (tclass in av_defined)
+			{
+				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
+				next;
+			} 
+			av_defined[tclass] = 1;
+
+			permission = 1;
+
+			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "{"	{ 
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "COMMON-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected { on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "COMMON-OPENBRACKET")
+				nextstate = "COMMON-CLOSEBRACKET";
+		}
+/[a-z][a-z_]*/	{
+			if (nextstate != "COMMON-CLOSEBRACKET" &&
+			    nextstate != "CLASS-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				if ((common_name,$1) in common_perms)
+				{
+					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
+					next;
+				}
+
+				common_perms[common_name,$1] = permission;
+
+				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
+
+				printf("    S_(\"%s\")\n", $1) > cpermfile;
+			}
+			else
+			{
+				if ((tclass,$1) in av_perms)
+				{
+					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
+					next;
+				}
+
+				av_perms[tclass,$1] = permission;
+		
+				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
+
+				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
+			}
+
+			spaces = 40 - (length($1) + length(tclass));
+			if (spaces < 1)
+			      spaces = 1;
+
+			for (i = 0; i < spaces; i++) 
+				printf(" ") > outfile; 
+			printf("0x%08xUL\n", permission) > outfile; 
+			permission = permission * 2;
+		}
+$1 == "}"	{
+			if (nextstate != "CLASS-CLOSEBRACKET" && 
+			    nextstate != "COMMON-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected } on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				common_base[common_name] = permission;
+				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
+			}
+
+			printf("\n") > outfile;
+
+			nextstate = "COMMON_OR_AV";
+		}
+END	{
+		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			printf("Parse error:  Unexpected end of file\n");
+
+	}'
+
+# FLASK
diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
new file mode 100644
index 0000000000..e8d8fb5d2c
--- /dev/null
+++ b/xen/xsm/flask/policy/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="include/flask.h"
+debug_file="include/class_to_string.h"
+debug_file2="include/initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$output_file\"
+		debugfile = \"$debug_file\"
+		debugfile2 = \"$debug_file2\"
+		"'
+		nextstate = "CLASS";
+
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+
+		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+		printf("#define _SELINUX_FLASK_H_\n") > outfile;
+		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
+		printf("/*\n * Security object class definitions\n */\n") > debugfile;
+		printf("    S_(\"null\")\n") > debugfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
+		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
+		printf("    \"null\",\n") > debugfile2;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "class"	{ 
+			if (nextstate != "CLASS")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in class_found)
+			{
+				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			class_found[$2] = 1;
+
+			class_value++;
+
+			printf("#define SECCLASS_%s", toupper($2)) > outfile;
+			for (i = 0; i < 40 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", class_value) > outfile; 
+
+			printf("    S_(\"%s\")\n", $2) > debugfile;
+		}
+$1 == "sid"	{ 
+			if (nextstate == "CLASS")
+			{
+			    nextstate = "SID";
+			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
+			}
+
+			if ($2 in sid_found)
+			{
+				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			sid_found[$2] = 1;
+			sid_value++;
+
+			printf("#define SECINITSID_%s", toupper($2)) > outfile;
+			for (i = 0; i < 37 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", sid_value) > outfile; 
+			printf("    \"%s\",\n", $2) > debugfile2;
+		}
+END	{
+		if (nextstate != "SID")
+			printf("Parse error:  Unexpected end of file\n");
+
+		printf("\n#define SECINITSID_NUM") > outfile;
+		for (i = 0; i < 34; i++) 
+			printf(" ") > outfile; 
+		printf("%d\n", sid_value) > outfile; 
+		printf("\n#endif\n") > outfile;
+		printf("};\n\n") > debugfile2;
+	}'
+
+# FLASK
diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes
new file mode 100644
index 0000000000..ef134a7457
--- /dev/null
+++ b/xen/xsm/flask/policy/security_classes
@@ -0,0 +1,21 @@
+# FLASK
+
+#
+# Define the security object classes 
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class xen
+class domain
+class domain2
+class hvm
+class mmu
+class resource
+class shadow
+class event
+class grant
+class security
+
+# FLASK