From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Ian Campbell <Ian.Campbell@citrix.com>,
	Dario Faggioli <dario.faggioli@citrix.com>
Cc: Marcus.Granado@eu.citrix.com, andre.przywara@amd.com,
	msw@amazon.com, anil@recoil.org, George.Dunlap@eu.citrix.com,
	Andrew.Cooper3@citrix.com, juergen.gross@ts.fujitsu.com,
	Ian.Jackson@eu.citrix.com, xen-devel@lists.xen.org,
	JBeulich@suse.com, Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: [PATCH RFC] flask: move policy header sources into hypervisor
Date: Tue,  9 Oct 2012 14:31:53 -0400
Message-ID: <1349807513-10923-1-git-send-email-dgdegra@tycho.nsa.gov>
In-Reply-To: <1349801565.21847.228.camel@zakaz.uk.xensource.com>

Ian Campbell wrote:
[...]
>>> +++ b/xen/xsm/flask/include/av_perm_to_string.h
> Also, in that case why is this file checked in?

This patch fixes the autogenerated files, but doesn't fully wire them in
to things like "make clean" or .{git,hg}ignore. I don't see an obvious
way to clean generated header files in Xen's build system; perhaps
someone who knows the build system better can point out the right way to
wire this up.

--------------------------------------->8----------------------------

Rather than keeping around headers that are autogenerated in order to
avoid adding build dependencies from xen/ to files in tools/, move the
relevant parts of the FLASK policy into the hypervisor tree and generate
the headers as part of the hypervisor's build.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 tools/flask/policy/Makefile                        |   2 +-
 tools/flask/policy/policy/flask/Makefile           |  41 ------
 xen/xsm/flask/Makefile                             |  21 +++
 xen/xsm/flask/include/av_perm_to_string.h          | 147 -------------------
 xen/xsm/flask/include/av_permissions.h             | 157 ---------------------
 xen/xsm/flask/include/class_to_string.h            |  15 --
 xen/xsm/flask/include/flask.h                      |  35 -----
 xen/xsm/flask/include/initial_sid_to_string.h      |  16 ---
 .../flask => xen/xsm/flask/policy}/access_vectors  |   0
 .../flask => xen/xsm/flask/policy}/initial_sids    |   0
 .../xsm/flask/policy}/mkaccess_vector.sh           |   4 +-
 .../flask => xen/xsm/flask/policy}/mkflask.sh      |   6 +-
 .../xsm/flask/policy}/security_classes             |   0
 13 files changed, 27 insertions(+), 417 deletions(-)
 delete mode 100644 tools/flask/policy/policy/flask/Makefile
 delete mode 100644 xen/xsm/flask/include/av_perm_to_string.h
 delete mode 100644 xen/xsm/flask/include/av_permissions.h
 delete mode 100644 xen/xsm/flask/include/class_to_string.h
 delete mode 100644 xen/xsm/flask/include/flask.h
 delete mode 100644 xen/xsm/flask/include/initial_sid_to_string.h
 rename {tools/flask/policy/policy/flask => xen/xsm/flask/policy}/access_vectors (100%)
 rename {tools/flask/policy/policy/flask => xen/xsm/flask/policy}/initial_sids (100%)
 rename {tools/flask/policy/policy/flask => xen/xsm/flask/policy}/mkaccess_vector.sh (97%)
 rename {tools/flask/policy/policy/flask => xen/xsm/flask/policy}/mkflask.sh (95%)
 rename {tools/flask/policy/policy/flask => xen/xsm/flask/policy}/security_classes (100%)

diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 5c25cbe..3f5aa38 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -61,7 +61,7 @@ LOADPOLICY := $(SBINDIR)/flask-loadpolicy
 # policy source layout
 POLDIR := policy
 MODDIR := $(POLDIR)/modules
-FLASKDIR := $(POLDIR)/flask
+FLASKDIR := ../../../xen/xsm/flask/policy
 SECCLASS := $(FLASKDIR)/security_classes
 ISIDS := $(FLASKDIR)/initial_sids
 AVS := $(FLASKDIR)/access_vectors
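Review bot: `FLASKDIR := ../../../xen/xsm/flask/policy` hard-codes how deep tools/flask/policy sits in the tree and only resolves when make is run from that directory. If this Makefile already has a variable for the top of the source tree, build the path from it so that SECCLASS, ISIDS and AVS keep resolving when the directory moves or make is invoked from elsewhere. The change also makes the tools build read files under xen/, the reverse of the dependency the commit message sets out to avoid, which deserves a sentence in the commit message.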
diff --git a/tools/flask/policy/policy/flask/Makefile b/tools/flask/policy/policy/flask/Makefile
deleted file mode 100644
index 5f57e88..0000000
--- a/tools/flask/policy/policy/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
-          else if [ -x /bin/bash ]; then echo /bin/bash; \
-          else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all:  $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
-	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
-	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
-	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
-	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
-	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:  
-	rm -f $(FLASK_H_FILES)
-	rm -f $(AV_H_FILES)
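Review bot: the `clean:` target at the end of this deleted Makefile was the only rule that removed the generated headers, and the rules added to xen/xsm/flask/Makefile in this patch have no counterpart, so stale copies of the five headers survive a clean and can mask a broken generator script. If the hypervisor build lets a directory add its own commands to clean, carry the two `rm -f` lines over there with the new include/ paths. The `tolib` and `tokern` install targets also disappear without a mention in the commit message; say there that nothing used them.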
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 92fb410..238495a 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -5,3 +5,24 @@ obj-y += flask_op.o
 subdir-y += ss
 
 CFLAGS += -I./include
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+          else if [ -x /bin/bash ]; then echo /bin/bash; \
+          else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = policy/security_classes policy/initial_sids
+AV_H_DEPEND = policy/access_vectors
+
+FLASK_H_FILES = include/flask.h include/class_to_string.h include/initial_sid_to_string.h
+AV_H_FILES = include/av_perm_to_string.h include/av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+$(obj-y) ss/built_in.o: $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+	$(CONFIG_SHELL) policy/mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+	$(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
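Review bot: `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` each name several targets for one recipe, which make treats as independent rules, so under `make -j` mkflask.sh can be started once per header and the runs write the same three files at the same time. Have the script run once per group, for example by making the other headers depend on the first one or by using a pattern rule, whose multiple targets are built by a single recipe run. The generator scripts should also be prerequisites (`policy/mkflask.sh`, `policy/mkaccess_vector.sh`), otherwise editing a script leaves the old headers in place.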
diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h
deleted file mode 100644
index c3f2370..0000000
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ /dev/null
@@ -1,147 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-   S_(SECCLASS_XEN, XEN__SCHEDULER, "scheduler")
-   S_(SECCLASS_XEN, XEN__SETTIME, "settime")
-   S_(SECCLASS_XEN, XEN__TBUFCONTROL, "tbufcontrol")
-   S_(SECCLASS_XEN, XEN__READCONSOLE, "readconsole")
-   S_(SECCLASS_XEN, XEN__CLEARCONSOLE, "clearconsole")
-   S_(SECCLASS_XEN, XEN__PERFCONTROL, "perfcontrol")
-   S_(SECCLASS_XEN, XEN__MTRR_ADD, "mtrr_add")
-   S_(SECCLASS_XEN, XEN__MTRR_DEL, "mtrr_del")
-   S_(SECCLASS_XEN, XEN__MTRR_READ, "mtrr_read")
-   S_(SECCLASS_XEN, XEN__MICROCODE, "microcode")
-   S_(SECCLASS_XEN, XEN__PHYSINFO, "physinfo")
-   S_(SECCLASS_XEN, XEN__QUIRK, "quirk")
-   S_(SECCLASS_XEN, XEN__WRITECONSOLE, "writeconsole")
-   S_(SECCLASS_XEN, XEN__READAPIC, "readapic")
-   S_(SECCLASS_XEN, XEN__WRITEAPIC, "writeapic")
-   S_(SECCLASS_XEN, XEN__PRIVPROFILE, "privprofile")
-   S_(SECCLASS_XEN, XEN__NONPRIVPROFILE, "nonprivprofile")
-   S_(SECCLASS_XEN, XEN__KEXEC, "kexec")
-   S_(SECCLASS_XEN, XEN__FIRMWARE, "firmware")
-   S_(SECCLASS_XEN, XEN__SLEEP, "sleep")
-   S_(SECCLASS_XEN, XEN__FREQUENCY, "frequency")
-   S_(SECCLASS_XEN, XEN__GETIDLE, "getidle")
-   S_(SECCLASS_XEN, XEN__DEBUG, "debug")
-   S_(SECCLASS_XEN, XEN__GETCPUINFO, "getcpuinfo")
-   S_(SECCLASS_XEN, XEN__HEAP, "heap")
-   S_(SECCLASS_XEN, XEN__PM_OP, "pm_op")
-   S_(SECCLASS_XEN, XEN__MCA_OP, "mca_op")
-   S_(SECCLASS_XEN, XEN__LOCKPROF, "lockprof")
-   S_(SECCLASS_XEN, XEN__CPUPOOL_OP, "cpupool_op")
-   S_(SECCLASS_XEN, XEN__SCHED_OP, "sched_op")
-   S_(SECCLASS_XEN, XEN__TMEM_OP, "tmem_op")
-   S_(SECCLASS_XEN, XEN__TMEM_CONTROL, "tmem_control")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT, "setvcpucontext")
-   S_(SECCLASS_DOMAIN, DOMAIN__PAUSE, "pause")
-   S_(SECCLASS_DOMAIN, DOMAIN__UNPAUSE, "unpause")
-   S_(SECCLASS_DOMAIN, DOMAIN__RESUME, "resume")
-   S_(SECCLASS_DOMAIN, DOMAIN__CREATE, "create")
-   S_(SECCLASS_DOMAIN, DOMAIN__TRANSITION, "transition")
-   S_(SECCLASS_DOMAIN, DOMAIN__MAX_VCPUS, "max_vcpus")
-   S_(SECCLASS_DOMAIN, DOMAIN__DESTROY, "destroy")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUAFFINITY, "setvcpuaffinity")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUAFFINITY, "getvcpuaffinity")
-   S_(SECCLASS_DOMAIN, DOMAIN__SCHEDULER, "scheduler")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO, "getdomaininfo")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUINFO, "getvcpuinfo")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT, "getvcpucontext")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETDOMAINMAXMEM, "setdomainmaxmem")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE, "setdomainhandle")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETDEBUGGING, "setdebugging")
-   S_(SECCLASS_DOMAIN, DOMAIN__HYPERCALL, "hypercall")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETTIME, "settime")
-   S_(SECCLASS_DOMAIN, DOMAIN__SET_TARGET, "set_target")
-   S_(SECCLASS_DOMAIN, DOMAIN__SHUTDOWN, "shutdown")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETADDRSIZE, "setaddrsize")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE, "getaddrsize")
-   S_(SECCLASS_DOMAIN, DOMAIN__TRIGGER, "trigger")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT, "getextvcpucontext")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT, "setextvcpucontext")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE, "getvcpuextstate")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE, "setvcpuextstate")
-   S_(SECCLASS_DOMAIN, DOMAIN__GETPODTARGET, "getpodtarget")
-   S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget")
-   S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info")
-   S_(SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER, "set_virq_handler")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, "relabelfrom")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, "relabelto")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__MAKE_PRIV_FOR, "make_priv_for")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__SET_AS_TARGET, "set_as_target")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__SET_CPUID, "set_cpuid")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__GETTSC, "gettsc")
-   S_(SECCLASS_DOMAIN2, DOMAIN2__SETTSC, "settsc")
-   S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
-   S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
-   S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
-   S_(SECCLASS_HVM, HVM__GETPARAM, "getparam")
-   S_(SECCLASS_HVM, HVM__PCILEVEL, "pcilevel")
-   S_(SECCLASS_HVM, HVM__IRQLEVEL, "irqlevel")
-   S_(SECCLASS_HVM, HVM__PCIROUTE, "pciroute")
-   S_(SECCLASS_HVM, HVM__BIND_IRQ, "bind_irq")
-   S_(SECCLASS_HVM, HVM__CACHEATTR, "cacheattr")
-   S_(SECCLASS_HVM, HVM__TRACKDIRTYVRAM, "trackdirtyvram")
-   S_(SECCLASS_HVM, HVM__HVMCTL, "hvmctl")
-   S_(SECCLASS_HVM, HVM__MEM_EVENT, "mem_event")
-   S_(SECCLASS_HVM, HVM__MEM_SHARING, "mem_sharing")
-   S_(SECCLASS_HVM, HVM__AUDIT_P2M, "audit_p2m")
-   S_(SECCLASS_HVM, HVM__SEND_IRQ, "send_irq")
-   S_(SECCLASS_HVM, HVM__SHARE_MEM, "share_mem")
-   S_(SECCLASS_EVENT, EVENT__BIND, "bind")
-   S_(SECCLASS_EVENT, EVENT__SEND, "send")
-   S_(SECCLASS_EVENT, EVENT__STATUS, "status")
-   S_(SECCLASS_EVENT, EVENT__NOTIFY, "notify")
-   S_(SECCLASS_EVENT, EVENT__CREATE, "create")
-   S_(SECCLASS_EVENT, EVENT__RESET, "reset")
-   S_(SECCLASS_GRANT, GRANT__MAP_READ, "map_read")
-   S_(SECCLASS_GRANT, GRANT__MAP_WRITE, "map_write")
-   S_(SECCLASS_GRANT, GRANT__UNMAP, "unmap")
-   S_(SECCLASS_GRANT, GRANT__TRANSFER, "transfer")
-   S_(SECCLASS_GRANT, GRANT__SETUP, "setup")
-   S_(SECCLASS_GRANT, GRANT__COPY, "copy")
-   S_(SECCLASS_GRANT, GRANT__QUERY, "query")
-   S_(SECCLASS_MMU, MMU__MAP_READ, "map_read")
-   S_(SECCLASS_MMU, MMU__MAP_WRITE, "map_write")
-   S_(SECCLASS_MMU, MMU__PAGEINFO, "pageinfo")
-   S_(SECCLASS_MMU, MMU__PAGELIST, "pagelist")
-   S_(SECCLASS_MMU, MMU__ADJUST, "adjust")
-   S_(SECCLASS_MMU, MMU__STAT, "stat")
-   S_(SECCLASS_MMU, MMU__TRANSLATEGP, "translategp")
-   S_(SECCLASS_MMU, MMU__UPDATEMP, "updatemp")
-   S_(SECCLASS_MMU, MMU__PHYSMAP, "physmap")
-   S_(SECCLASS_MMU, MMU__PINPAGE, "pinpage")
-   S_(SECCLASS_MMU, MMU__MFNLIST, "mfnlist")
-   S_(SECCLASS_MMU, MMU__MEMORYMAP, "memorymap")
-   S_(SECCLASS_MMU, MMU__REMOTE_REMAP, "remote_remap")
-   S_(SECCLASS_MMU, MMU__MMUEXT_OP, "mmuext_op")
-   S_(SECCLASS_MMU, MMU__EXCHANGE, "exchange")
-   S_(SECCLASS_SHADOW, SHADOW__DISABLE, "disable")
-   S_(SECCLASS_SHADOW, SHADOW__ENABLE, "enable")
-   S_(SECCLASS_SHADOW, SHADOW__LOGDIRTY, "logdirty")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD, "add")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE, "remove")
-   S_(SECCLASS_RESOURCE, RESOURCE__USE, "use")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD_IRQ, "add_irq")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IRQ, "remove_irq")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD_IOPORT, "add_ioport")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IOPORT, "remove_ioport")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD_IOMEM, "add_iomem")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_IOMEM, "remove_iomem")
-   S_(SECCLASS_RESOURCE, RESOURCE__STAT_DEVICE, "stat_device")
-   S_(SECCLASS_RESOURCE, RESOURCE__ADD_DEVICE, "add_device")
-   S_(SECCLASS_RESOURCE, RESOURCE__REMOVE_DEVICE, "remove_device")
-   S_(SECCLASS_RESOURCE, RESOURCE__PLUG, "plug")
-   S_(SECCLASS_RESOURCE, RESOURCE__UNPLUG, "unplug")
-   S_(SECCLASS_RESOURCE, RESOURCE__SETUP, "setup")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
-   S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
-   S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
-   S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
-   S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
-   S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
-   S_(SECCLASS_SECURITY, SECURITY__ADD_OCONTEXT, "add_ocontext")
-   S_(SECCLASS_SECURITY, SECURITY__DEL_OCONTEXT, "del_ocontext")
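Review bot: once this header and the four that follow are deleted from the tree, every build recreates them under xen/xsm/flask/include/ as untracked files, and the diffstat shows no ignore-file change. Add the five generated paths to the ignore files in this same patch so that a regenerated header cannot be committed back by accident and drift from access_vectors.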
diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h
deleted file mode 100644
index 65302e8..0000000
--- a/xen/xsm/flask/include/av_permissions.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-#define XEN__SCHEDULER                            0x00000001UL
-#define XEN__SETTIME                              0x00000002UL
-#define XEN__TBUFCONTROL                          0x00000004UL
-#define XEN__READCONSOLE                          0x00000008UL
-#define XEN__CLEARCONSOLE                         0x00000010UL
-#define XEN__PERFCONTROL                          0x00000020UL
-#define XEN__MTRR_ADD                             0x00000040UL
-#define XEN__MTRR_DEL                             0x00000080UL
-#define XEN__MTRR_READ                            0x00000100UL
-#define XEN__MICROCODE                            0x00000200UL
-#define XEN__PHYSINFO                             0x00000400UL
-#define XEN__QUIRK                                0x00000800UL
-#define XEN__WRITECONSOLE                         0x00001000UL
-#define XEN__READAPIC                             0x00002000UL
-#define XEN__WRITEAPIC                            0x00004000UL
-#define XEN__PRIVPROFILE                          0x00008000UL
-#define XEN__NONPRIVPROFILE                       0x00010000UL
-#define XEN__KEXEC                                0x00020000UL
-#define XEN__FIRMWARE                             0x00040000UL
-#define XEN__SLEEP                                0x00080000UL
-#define XEN__FREQUENCY                            0x00100000UL
-#define XEN__GETIDLE                              0x00200000UL
-#define XEN__DEBUG                                0x00400000UL
-#define XEN__GETCPUINFO                           0x00800000UL
-#define XEN__HEAP                                 0x01000000UL
-#define XEN__PM_OP                                0x02000000UL
-#define XEN__MCA_OP                               0x04000000UL
-#define XEN__LOCKPROF                             0x08000000UL
-#define XEN__CPUPOOL_OP                           0x10000000UL
-#define XEN__SCHED_OP                             0x20000000UL
-#define XEN__TMEM_OP                              0x40000000UL
-#define XEN__TMEM_CONTROL                         0x80000000UL
-
-#define DOMAIN__SETVCPUCONTEXT                    0x00000001UL
-#define DOMAIN__PAUSE                             0x00000002UL
-#define DOMAIN__UNPAUSE                           0x00000004UL
-#define DOMAIN__RESUME                            0x00000008UL
-#define DOMAIN__CREATE                            0x00000010UL
-#define DOMAIN__TRANSITION                        0x00000020UL
-#define DOMAIN__MAX_VCPUS                         0x00000040UL
-#define DOMAIN__DESTROY                           0x00000080UL
-#define DOMAIN__SETVCPUAFFINITY                   0x00000100UL
-#define DOMAIN__GETVCPUAFFINITY                   0x00000200UL
-#define DOMAIN__SCHEDULER                         0x00000400UL
-#define DOMAIN__GETDOMAININFO                     0x00000800UL
-#define DOMAIN__GETVCPUINFO                       0x00001000UL
-#define DOMAIN__GETVCPUCONTEXT                    0x00002000UL
-#define DOMAIN__SETDOMAINMAXMEM                   0x00004000UL
-#define DOMAIN__SETDOMAINHANDLE                   0x00008000UL
-#define DOMAIN__SETDEBUGGING                      0x00010000UL
-#define DOMAIN__HYPERCALL                         0x00020000UL
-#define DOMAIN__SETTIME                           0x00040000UL
-#define DOMAIN__SET_TARGET                        0x00080000UL
-#define DOMAIN__SHUTDOWN                          0x00100000UL
-#define DOMAIN__SETADDRSIZE                       0x00200000UL
-#define DOMAIN__GETADDRSIZE                       0x00400000UL
-#define DOMAIN__TRIGGER                           0x00800000UL
-#define DOMAIN__GETEXTVCPUCONTEXT                 0x01000000UL
-#define DOMAIN__SETEXTVCPUCONTEXT                 0x02000000UL
-#define DOMAIN__GETVCPUEXTSTATE                   0x04000000UL
-#define DOMAIN__SETVCPUEXTSTATE                   0x08000000UL
-#define DOMAIN__GETPODTARGET                      0x10000000UL
-#define DOMAIN__SETPODTARGET                      0x20000000UL
-#define DOMAIN__SET_MISC_INFO                     0x40000000UL
-#define DOMAIN__SET_VIRQ_HANDLER                  0x80000000UL
-
-#define DOMAIN2__RELABELFROM                      0x00000001UL
-#define DOMAIN2__RELABELTO                        0x00000002UL
-#define DOMAIN2__RELABELSELF                      0x00000004UL
-#define DOMAIN2__MAKE_PRIV_FOR                    0x00000008UL
-#define DOMAIN2__SET_AS_TARGET                    0x00000010UL
-#define DOMAIN2__SET_CPUID                        0x00000020UL
-#define DOMAIN2__GETTSC                           0x00000040UL
-#define DOMAIN2__SETTSC                           0x00000080UL
-
-#define HVM__SETHVMC                              0x00000001UL
-#define HVM__GETHVMC                              0x00000002UL
-#define HVM__SETPARAM                             0x00000004UL
-#define HVM__GETPARAM                             0x00000008UL
-#define HVM__PCILEVEL                             0x00000010UL
-#define HVM__IRQLEVEL                             0x00000020UL
-#define HVM__PCIROUTE                             0x00000040UL
-#define HVM__BIND_IRQ                             0x00000080UL
-#define HVM__CACHEATTR                            0x00000100UL
-#define HVM__TRACKDIRTYVRAM                       0x00000200UL
-#define HVM__HVMCTL                               0x00000400UL
-#define HVM__MEM_EVENT                            0x00000800UL
-#define HVM__MEM_SHARING                          0x00001000UL
-#define HVM__AUDIT_P2M                            0x00002000UL
-#define HVM__SEND_IRQ                             0x00004000UL
-#define HVM__SHARE_MEM                            0x00008000UL
-
-#define EVENT__BIND                               0x00000001UL
-#define EVENT__SEND                               0x00000002UL
-#define EVENT__STATUS                             0x00000004UL
-#define EVENT__NOTIFY                             0x00000008UL
-#define EVENT__CREATE                             0x00000010UL
-#define EVENT__RESET                              0x00000020UL
-
-#define GRANT__MAP_READ                           0x00000001UL
-#define GRANT__MAP_WRITE                          0x00000002UL
-#define GRANT__UNMAP                              0x00000004UL
-#define GRANT__TRANSFER                           0x00000008UL
-#define GRANT__SETUP                              0x00000010UL
-#define GRANT__COPY                               0x00000020UL
-#define GRANT__QUERY                              0x00000040UL
-
-#define MMU__MAP_READ                             0x00000001UL
-#define MMU__MAP_WRITE                            0x00000002UL
-#define MMU__PAGEINFO                             0x00000004UL
-#define MMU__PAGELIST                             0x00000008UL
-#define MMU__ADJUST                               0x00000010UL
-#define MMU__STAT                                 0x00000020UL
-#define MMU__TRANSLATEGP                          0x00000040UL
-#define MMU__UPDATEMP                             0x00000080UL
-#define MMU__PHYSMAP                              0x00000100UL
-#define MMU__PINPAGE                              0x00000200UL
-#define MMU__MFNLIST                              0x00000400UL
-#define MMU__MEMORYMAP                            0x00000800UL
-#define MMU__REMOTE_REMAP                         0x00001000UL
-#define MMU__MMUEXT_OP                            0x00002000UL
-#define MMU__EXCHANGE                             0x00004000UL
-
-#define SHADOW__DISABLE                           0x00000001UL
-#define SHADOW__ENABLE                            0x00000002UL
-#define SHADOW__LOGDIRTY                          0x00000004UL
-
-#define RESOURCE__ADD                             0x00000001UL
-#define RESOURCE__REMOVE                          0x00000002UL
-#define RESOURCE__USE                             0x00000004UL
-#define RESOURCE__ADD_IRQ                         0x00000008UL
-#define RESOURCE__REMOVE_IRQ                      0x00000010UL
-#define RESOURCE__ADD_IOPORT                      0x00000020UL
-#define RESOURCE__REMOVE_IOPORT                   0x00000040UL
-#define RESOURCE__ADD_IOMEM                       0x00000080UL
-#define RESOURCE__REMOVE_IOMEM                    0x00000100UL
-#define RESOURCE__STAT_DEVICE                     0x00000200UL
-#define RESOURCE__ADD_DEVICE                      0x00000400UL
-#define RESOURCE__REMOVE_DEVICE                   0x00000800UL
-#define RESOURCE__PLUG                            0x00001000UL
-#define RESOURCE__UNPLUG                          0x00002000UL
-#define RESOURCE__SETUP                           0x00004000UL
-
-#define SECURITY__COMPUTE_AV                      0x00000001UL
-#define SECURITY__COMPUTE_CREATE                  0x00000002UL
-#define SECURITY__COMPUTE_MEMBER                  0x00000004UL
-#define SECURITY__CHECK_CONTEXT                   0x00000008UL
-#define SECURITY__LOAD_POLICY                     0x00000010UL
-#define SECURITY__COMPUTE_RELABEL                 0x00000020UL
-#define SECURITY__COMPUTE_USER                    0x00000040UL
-#define SECURITY__SETENFORCE                      0x00000080UL
-#define SECURITY__SETBOOL                         0x00000100UL
-#define SECURITY__SETSECPARAM                     0x00000200UL
-#define SECURITY__ADD_OCONTEXT                    0x00000400UL
-#define SECURITY__DEL_OCONTEXT                    0x00000800UL
-
diff --git a/xen/xsm/flask/include/class_to_string.h b/xen/xsm/flask/include/class_to_string.h
deleted file mode 100644
index 7716645..0000000
--- a/xen/xsm/flask/include/class_to_string.h
+++ /dev/null
@@ -1,15 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-/*
- * Security object class definitions
- */
-    S_("null")
-    S_("xen")
-    S_("domain")
-    S_("domain2")
-    S_("hvm")
-    S_("mmu")
-    S_("resource")
-    S_("shadow")
-    S_("event")
-    S_("grant")
-    S_("security")
diff --git a/xen/xsm/flask/include/flask.h b/xen/xsm/flask/include/flask.h
deleted file mode 100644
index 3bff998..0000000
--- a/xen/xsm/flask/include/flask.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-#ifndef _SELINUX_FLASK_H_
-#define _SELINUX_FLASK_H_
-
-/*
- * Security object class definitions
- */
-#define SECCLASS_XEN                                     1
-#define SECCLASS_DOMAIN                                  2
-#define SECCLASS_DOMAIN2                                 3
-#define SECCLASS_HVM                                     4
-#define SECCLASS_MMU                                     5
-#define SECCLASS_RESOURCE                                6
-#define SECCLASS_SHADOW                                  7
-#define SECCLASS_EVENT                                   8
-#define SECCLASS_GRANT                                   9
-#define SECCLASS_SECURITY                                10
-
-/*
- * Security identifier indices for initial entities
- */
-#define SECINITSID_XEN                                  1
-#define SECINITSID_DOM0                                 2
-#define SECINITSID_DOMIO                                3
-#define SECINITSID_DOMXEN                               4
-#define SECINITSID_UNLABELED                            5
-#define SECINITSID_SECURITY                             6
-#define SECINITSID_IOPORT                               7
-#define SECINITSID_IOMEM                                8
-#define SECINITSID_IRQ                                  9
-#define SECINITSID_DEVICE                               10
-
-#define SECINITSID_NUM                                  10
-
-#endif
diff --git a/xen/xsm/flask/include/initial_sid_to_string.h b/xen/xsm/flask/include/initial_sid_to_string.h
deleted file mode 100644
index 814f4bf..0000000
--- a/xen/xsm/flask/include/initial_sid_to_string.h
+++ /dev/null
@@ -1,16 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-static char *initial_sid_to_string[] =
-{
-    "null",
-    "xen",
-    "dom0",
-    "domio",
-    "domxen",
-    "unlabeled",
-    "security",
-    "ioport",
-    "iomem",
-    "irq",
-    "device",
-};
-
diff --git a/tools/flask/policy/policy/flask/access_vectors b/xen/xsm/flask/policy/access_vectors
similarity index 100%
rename from tools/flask/policy/policy/flask/access_vectors
rename to xen/xsm/flask/policy/access_vectors
diff --git a/tools/flask/policy/policy/flask/initial_sids b/xen/xsm/flask/policy/initial_sids
similarity index 100%
rename from tools/flask/policy/policy/flask/initial_sids
rename to xen/xsm/flask/policy/initial_sids
diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/xen/xsm/flask/policy/mkaccess_vector.sh
similarity index 97%
rename from tools/flask/policy/policy/flask/mkaccess_vector.sh
rename to xen/xsm/flask/policy/mkaccess_vector.sh
index 43a60a7..8ec87f7 100644
--- a/tools/flask/policy/policy/flask/mkaccess_vector.sh
+++ b/xen/xsm/flask/policy/mkaccess_vector.sh
@@ -9,8 +9,8 @@ awk=$1
 shift
 
 # output files
-av_permissions="av_permissions.h"
-av_perm_to_string="av_perm_to_string.h"
+av_permissions="include/av_permissions.h"
+av_perm_to_string="include/av_perm_to_string.h"
 
 cat $* | $awk "
 BEGIN	{
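Review bot: the new values `include/av_permissions.h` and `include/av_perm_to_string.h` are relative to the caller's working directory, so the script now only works when invoked from xen/xsm/flask, while the script itself lives in policy/. Pass the output directory in as an argument from the Makefile, or derive it from the script's own location, and fail with a message when it does not exist. The same applies to the three output paths in mkflask.sh.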
diff --git a/tools/flask/policy/policy/flask/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
similarity index 95%
rename from tools/flask/policy/policy/flask/mkflask.sh
rename to xen/xsm/flask/policy/mkflask.sh
index 9c84754..e8d8fb5 100644
--- a/tools/flask/policy/policy/flask/mkflask.sh
+++ b/xen/xsm/flask/policy/mkflask.sh
@@ -9,9 +9,9 @@ awk=$1
 shift 1
 
 # output file
-output_file="flask.h"
-debug_file="class_to_string.h"
-debug_file2="initial_sid_to_string.h"
+output_file="include/flask.h"
+debug_file="include/class_to_string.h"
+debug_file2="include/initial_sid_to_string.h"
 
 cat $* | $awk "
 BEGIN	{
diff --git a/tools/flask/policy/policy/flask/security_classes b/xen/xsm/flask/policy/security_classes
similarity index 100%
rename from tools/flask/policy/policy/flask/security_classes
rename to xen/xsm/flask/policy/security_classes
-- 
1.7.11.4
