From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: xen-devel@lists.xen.org
Subject: Re: [PATCH 06/15] flask/policy: remove unused example
Date: Fri, 17 Jun 2016 11:34:59 -0400 [thread overview]
Message-ID: <20160617153459.GD1340@char.us.oracle.com> (raw)
In-Reply-To: <1465483638-9489-7-git-send-email-dgdegra@tycho.nsa.gov>
On Thu, Jun 09, 2016 at 10:47:09AM -0400, Daniel De Graaf wrote:
> The access vectors defined here have never been used by xenstore.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> ---
> tools/flask/policy/policy/access_vectors | 23 ++---------------------
> tools/flask/policy/policy/security_classes | 1 -
> 2 files changed, 2 insertions(+), 22 deletions(-)
>
> diff --git a/tools/flask/policy/policy/access_vectors b/tools/flask/policy/policy/access_vectors
> index 4fd61f1..d9c69c0 100644
> --- a/tools/flask/policy/policy/access_vectors
> +++ b/tools/flask/policy/policy/access_vectors
> @@ -1,24 +1,5 @@
> # Locally defined access vectors
> #
> -# Define access vectors for the security classes defined in security_classes
> +# Define access vectors for the security classes defined in security_classes.
> +# Access vectors defined in this file should not be used by the hypervisor.
> #
> -
> -# Note: this is an example; the xenstore daemon provided with Xen does
> -# not yet include XSM support, and the exact permissions may be defined
> -# differently if such support is added.
> -class xenstore {
> - # read from keys owned by the target domain (if permissions allow)
> - read
> - # write to keys owned by the target domain (if permissions allow)
> - write
> - # change permissions of a key owned by the target domain
> - chmod
> - # change the owner of a key which was owned by the target domain
> - chown_from
> - # change the owner of a key to the target domain
> - chown_to
> - # access a key owned by the target domain without permission
> - override
> - # introduce a domain
> - introduce
> -}
> diff --git a/tools/flask/policy/policy/security_classes b/tools/flask/policy/policy/security_classes
> index 56595e8..0f0f9f3 100644
> --- a/tools/flask/policy/policy/security_classes
> +++ b/tools/flask/policy/policy/security_classes
> @@ -5,4 +5,3 @@
> # security policy.
> #
> # Access vectors for these classes must be defined in the access_vectors file.
> -class xenstore
> --
> 2.5.5
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-06-17 15:34 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-09 14:47 [PATCH 00/15] XSM/FLASK updates for 4.8 Daniel De Graaf
2016-06-09 14:47 ` [PATCH 01/15] flask/policy: split into modules Daniel De Graaf
2016-06-14 18:55 ` Konrad Rzeszutek Wilk
2016-06-20 5:15 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 02/15] flask/policy: split out rules for system_r Daniel De Graaf
2016-06-14 19:08 ` Konrad Rzeszutek Wilk
2016-06-20 5:21 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 03/15] flask/policy: move user definitions and constraints into modules Daniel De Graaf
2016-06-17 15:28 ` Konrad Rzeszutek Wilk
2016-06-17 16:49 ` Daniel De Graaf
2016-06-20 5:22 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 04/15] flask/policy: remove unused support for binary modules Daniel De Graaf
2016-06-20 5:22 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 05/15] flask/policy: xenstore stubdom policy Daniel De Graaf
2016-06-17 15:34 ` Konrad Rzeszutek Wilk
2016-06-20 5:22 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 06/15] flask/policy: remove unused example Daniel De Graaf
2016-06-17 15:34 ` Konrad Rzeszutek Wilk [this message]
2016-06-20 5:23 ` Doug Goldstein
2016-06-09 14:47 ` [PATCH 07/15] flask: unify {get, set}vcpucontext permissions Daniel De Graaf
2016-06-17 15:37 ` Konrad Rzeszutek Wilk
2016-06-09 14:47 ` [PATCH 08/15] flask: remove unused secondary context in ocontext Daniel De Graaf
2016-06-09 16:01 ` Jan Beulich
2016-06-09 16:38 ` Daniel De Graaf
2016-06-09 14:47 ` [PATCH 09/15] flask: remove unused AVC callback functions Daniel De Graaf
2016-06-09 14:47 ` [PATCH 10/15] flask: remove xen_flask_userlist operation Daniel De Graaf
2016-06-09 16:07 ` Jan Beulich
2016-06-09 16:43 ` Daniel De Graaf
2016-06-10 6:51 ` Jan Beulich
2016-06-10 13:08 ` Daniel De Graaf
2016-06-10 14:28 ` Jan Beulich
2016-06-09 14:47 ` [PATCH 11/15] flask: improve unknown permission handling Daniel De Graaf
2016-06-17 15:45 ` Konrad Rzeszutek Wilk
2016-06-17 17:02 ` Daniel De Graaf
2016-06-17 17:13 ` Konrad Rzeszutek Wilk
2016-06-17 17:20 ` Daniel De Graaf
2016-06-09 14:47 ` [PATCH 12/15] xen/xsm: remove .xsm_initcall.init section Daniel De Graaf
2016-06-09 15:14 ` Andrew Cooper
2016-06-09 16:11 ` Jan Beulich
2016-06-09 16:42 ` Daniel De Graaf
2016-06-17 15:50 ` Konrad Rzeszutek Wilk
2016-06-17 17:04 ` Daniel De Graaf
2016-06-17 17:14 ` Konrad Rzeszutek Wilk
2016-06-17 17:18 ` Daniel De Graaf
2016-06-17 17:21 ` Konrad Rzeszutek Wilk
2016-06-17 23:17 ` Daniel De Graaf
2016-06-09 14:47 ` [PATCH 13/15] xsm: annotate setup functions with __init Daniel De Graaf
2016-06-09 15:15 ` Andrew Cooper
2016-06-09 14:47 ` [PATCH 14/15] xsm: clean up unregistration Daniel De Graaf
2016-06-09 15:16 ` Andrew Cooper
2016-06-17 15:51 ` Konrad Rzeszutek Wilk
2016-06-09 14:47 ` [PATCH 15/15] xsm: add a default policy to .init.data Daniel De Graaf
2016-06-09 15:30 ` Andrew Cooper
2016-06-09 16:58 ` Daniel De Graaf
2016-06-10 7:15 ` Jan Beulich
2016-06-09 16:15 ` Jan Beulich
2016-06-09 16:53 ` Daniel De Graaf
2016-06-09 21:54 ` Doug Goldstein
2016-06-10 14:50 ` Daniel De Graaf
2016-06-10 6:53 ` Jan Beulich
2016-06-17 15:54 ` Konrad Rzeszutek Wilk
2016-06-17 16:00 ` [PATCH 00/15] XSM/FLASK updates for 4.8 Konrad Rzeszutek Wilk
2016-06-20 5:40 ` Doug Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160617153459.GD1340@char.us.oracle.com \
--to=konrad.wilk@oracle.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.