Diffstat (limited to 'xen/xsm')
-rw-r--r--xen/xsm/flask/avc.c39
-rw-r--r--xen/xsm/flask/include/av_inherit.h1
-rw-r--r--xen/xsm/flask/include/avc_ss.h8
-rw-r--r--xen/xsm/flask/include/common_perm_to_string.h1
-rw-r--r--xen/xsm/flask/ss/policydb.c46
-rw-r--r--xen/xsm/flask/ss/services.c54
6 files changed, 6 insertions, 143 deletions
diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index 44240a9282..7fede00fc7 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -45,28 +45,11 @@ static const char *class_to_string[] = {
#undef S_
};
-#define TB_(s) static const char * s [] = {
-#define TE_(s) };
-#define S_(s) s,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) { .tclass = c, .common_pts = common_##i##_perm_to_string, \
- .common_base = b },
-#include "av_inherit.h"
-#undef S_
-};
-
const struct selinux_class_perm selinux_class_perm = {
.av_perm_to_string = av_perm_to_string,
.av_pts_len = ARRAY_SIZE(av_perm_to_string),
.class_to_string = class_to_string,
.cts_len = ARRAY_SIZE(class_to_string),
- .av_inherit = av_inherit,
- .av_inherit_len = ARRAY_SIZE(av_inherit)
};
#define AVC_CACHE_SLOTS 512
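Review bot: The two generated headers this hunk stops including, av_inherit.h and common_perm_to_string.h, are deleted later in the patch, but the diffstat (limited to xen/xsm, where xen/xsm/flask/Makefile and policy/mkflask.sh also live) shows no change to the build rules that generate them. If the Makefile still lists them as generated outputs and mkflask.sh still emits `common` blocks, the build will recreate the headers on the next run and the policy side keeps producing data the hypervisor now rejects; worth confirming the generator list was trimmed in the same series. The remaining `selinux_class_perm` initializer is consistent with the field removal in avc_ss.h.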
@@ -181,8 +164,6 @@ static void avc_printk(struct avc_dump_buf *buf, const char *fmt, ...)
*/
static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av)
{
- const char **common_pts = NULL;
- u32 common_base = 0;
int i, i2, perm;
if ( av == 0 )
@@ -191,29 +172,9 @@ static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av)
return;
}
- for ( i = 0; i < ARRAY_SIZE(av_inherit); i++ )
- {
- if (av_inherit[i].tclass == tclass)
- {
- common_pts = av_inherit[i].common_pts;
- common_base = av_inherit[i].common_base;
- break;
- }
- }
-
avc_printk(buf, " {");
i = 0;
perm = 1;
- while ( perm < common_base )
- {
- if (perm & av)
- {
- avc_printk(buf, " %s", common_pts[i]);
- av &= ~perm;
- }
- i++;
- perm <<= 1;
- }
while ( i < sizeof(av) * 8 )
{
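Review bot: `perm` is declared `int` in the previous hunk, yet the surviving loop runs `sizeof(av) * 8` = 32 iterations, and if its body still advances with `perm <<= 1` the way the removed prefix loop did, the shift sets bit 31 and then overflows a signed int, which is undefined behaviour in C even though GCC happens to wrap. Declaring it `u32 perm;` to match `av` removes the issue and makes `perm & av` an unsigned operation throughout. The rest of avc_dump_av's body lies outside the hunk, so check the trailing loop before changing the declaration.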
diff --git a/xen/xsm/flask/include/av_inherit.h b/xen/xsm/flask/include/av_inherit.h
deleted file mode 100644
index 321ffe7f3c..0000000000
--- a/xen/xsm/flask/include/av_inherit.h
+++ /dev/null
@@ -1 +0,0 @@
-/* This file is automatically generated. Do not edit. */
diff --git a/xen/xsm/flask/include/avc_ss.h b/xen/xsm/flask/include/avc_ss.h
index ea4e98c47e..a3d7d1ef07 100644
--- a/xen/xsm/flask/include/avc_ss.h
+++ b/xen/xsm/flask/include/avc_ss.h
@@ -16,19 +16,11 @@ struct av_perm_to_string {
const char *name;
};
-struct av_inherit {
- const char **common_pts;
- u32 common_base;
- u16 tclass;
-};
-
struct selinux_class_perm {
const struct av_perm_to_string *av_perm_to_string;
u32 av_pts_len;
u32 cts_len;
const char **class_to_string;
- const struct av_inherit *av_inherit;
- u32 av_inherit_len;
};
extern const struct selinux_class_perm selinux_class_perm;
diff --git a/xen/xsm/flask/include/common_perm_to_string.h b/xen/xsm/flask/include/common_perm_to_string.h
deleted file mode 100644
index 321ffe7f3c..0000000000
--- a/xen/xsm/flask/include/common_perm_to_string.h
+++ /dev/null
@@ -1 +0,0 @@
-/* This file is automatically generated. Do not edit. */
diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
index 26097b967a..fefcd59171 100644
--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -254,14 +254,6 @@ out_free_symtab:
static int common_index(void *key, void *datum, void *datap)
{
- struct policydb *p;
- struct common_datum *comdatum;
-
- comdatum = datum;
- p = datap;
- if ( !comdatum->value || comdatum->value > p->p_commons.nprim )
- return -EINVAL;
- p->p_common_val_to_name[comdatum->value - 1] = key;
return 0;
}
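Review bot: common_index is now an empty stub that still sits in the index_f[] dispatch table (visible in the next hunk) and still receives every `common` entry the policy defines, with nothing saying why it was kept rather than removed. A short comment would stop the next reader from reinstating the indexing: `/* Commons are still parsed into p_commons but never indexed; class_read() rejects any class that inherits one. */` This presumes common_read is still wired into read_f, which is outside this hunk.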
@@ -382,8 +374,7 @@ static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
};
/*
- * Define the common val_to_name array and the class
- * val_to_name and val_to_struct arrays in a policy
+ * Define the class val_to_name and val_to_struct arrays in a policy
* database structure.
*
* Caller must clean up upon failure.
@@ -392,18 +383,6 @@ static int policydb_index_classes(struct policydb *p)
{
int rc;
- p->p_common_val_to_name =
- xmalloc_array(char *, p->p_commons.nprim);
- if ( !p->p_common_val_to_name )
- {
- rc = -ENOMEM;
- goto out;
- }
-
- rc = hashtab_map(p->p_commons.table, common_index, p);
- if ( rc )
- goto out;
-
p->class_val_to_struct =
xmalloc_array(struct class_datum *, p->p_classes.nprim);
if ( !p->class_val_to_struct )
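Review bot: `p->p_common_val_to_name` is no longer allocated here, yet the diffstat lists no change to the policydb header, so the field, and `comkey`/`comdatum` in struct class_datum that class_read no longer fills, apparently remain declared and are now always NULL. Any remaining reader, for example a policydb_destroy() that frees or walks them, must tolerate that; deleting the dead fields in the same change would let the compiler find every leftover use instead. policydb_index_classes continues past the end of the hunk.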
@@ -1200,26 +1179,9 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
if ( len2 )
{
- cladatum->comkey = xmalloc_array(char, len2 + 1);
- if ( !cladatum->comkey )
- {
- rc = -ENOMEM;
- goto bad;
- }
- rc = next_entry(cladatum->comkey, fp, len2);
- if ( rc < 0 )
- goto bad;
- cladatum->comkey[len2] = 0;
-
- cladatum->comdatum = hashtab_search(p->p_commons.table,
- cladatum->comkey);
- if ( !cladatum->comdatum )
- {
- printk(KERN_ERR "Flask: unknown common %s\n",
- cladatum->comkey);
- rc = -EINVAL;
- goto bad;
- }
+ printk(KERN_ERR "Flask: classes with common prefixes are not supported\n");
+ rc = -EINVAL;
+ goto bad;
}
for ( i = 0; i < nel; i++ )
{
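Review bot: The new rejection fires on any non-zero `len2`, so a binary policy built from sources that still declare `common` for some class now fails to load with -EINVAL; failing closed here is the right call, but the behaviour change should be stated in the commit message and the policy sources/mkflask.sh updated in the same series, both outside this diffstat. The message would also be more useful if it named the offending class, `printk(KERN_ERR "Flask: class %s uses a common prefix, which is not supported\n", key);`, assuming `key` has already been read at this point as in the Linux code this derives from. class_read() starts before and continues after the hunk.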
diff --git a/xen/xsm/flask/ss/services.c b/xen/xsm/flask/ss/services.c
index 363f586a7d..1bf3b0c0d7 100644
--- a/xen/xsm/flask/ss/services.c
+++ b/xen/xsm/flask/ss/services.c
@@ -1167,10 +1167,10 @@ int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
*/
static int validate_classes(struct policydb *p)
{
- int i, j;
+ int i;
struct class_datum *cladatum;
struct perm_datum *perdatum;
- u32 nprim, tmp, common_pts_len, perm_val, pol_val;
+ u32 nprim, perm_val, pol_val;
u16 class_val;
const struct selinux_class_perm *kdefs = &selinux_class_perm;
const char *def_class, *def_perm, *pol_class;
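Review bot: The declaration list drops `j`, `tmp` and `common_pts_len`, but `cladatum`, `perdatum`, `class_val`, `pol_class` and `def_perm` stay, and the `perms` pointer used by the deleted loop is declared below this hunk; any of these that was referenced only by the removed inheritance loop is now an unused local, which fails a warnings-as-errors build. Please confirm the surviving class-validation loop, which sits between this hunk and the next, still uses each of them. validate_classes() continues outside the hunk.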
@@ -1233,56 +1233,6 @@ static int validate_classes(struct policydb *p)
return -EINVAL;
}
}
- for ( i = 0; i < kdefs->av_inherit_len; i++ )
- {
- class_val = kdefs->av_inherit[i].tclass;
- if ( class_val > p->p_classes.nprim )
- continue;
- pol_class = p->p_class_val_to_name[class_val-1];
- cladatum = hashtab_search(p->p_classes.table, pol_class);
- BUG_ON( !cladatum );
- if ( !cladatum->comdatum )
- {
- printk(KERN_ERR
- "Flask: class %s should have an inherits clause but does not\n",
- pol_class);
- return -EINVAL;
- }
- tmp = kdefs->av_inherit[i].common_base;
- common_pts_len = 0;
- while ( !(tmp & 0x01) )
- {
- common_pts_len++;
- tmp >>= 1;
- }
- perms = &cladatum->comdatum->permissions;
- for ( j = 0; j < common_pts_len; j++ )
- {
- def_perm = kdefs->av_inherit[i].common_pts[j];
- if ( j >= perms->nprim )
- {
- printk(KERN_INFO
- "Flask: permission %s in class %s not defined in policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- perdatum = hashtab_search(perms->table, def_perm);
- if ( perdatum == NULL )
- {
- printk(KERN_ERR
- "Flask: permission %s in class %s not found in policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- if ( perdatum->value != j + 1 )
- {
- printk(KERN_ERR
- "Flask: permission %s in class %s has incorrect value\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- }
- }
return 0;
}