xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: xen-devel@lists.xen.org
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: [PATCH 06/17] flask/policy: remove unused example
Date: Mon, 20 Jun 2016 10:04:15 -0400	[thread overview]
Message-ID: <1466431466-28055-7-git-send-email-dgdegra@tycho.nsa.gov> (raw)
In-Reply-To: <1466431466-28055-1-git-send-email-dgdegra@tycho.nsa.gov>

The access vectors defined here have never been used by xenstore.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
---
 tools/flask/policy/policy/access_vectors   | 23 ++---------------------
 tools/flask/policy/policy/security_classes |  1 -
 2 files changed, 2 insertions(+), 22 deletions(-)

diff --git a/tools/flask/policy/policy/access_vectors b/tools/flask/policy/policy/access_vectors
index 4fd61f1..d9c69c0 100644
--- a/tools/flask/policy/policy/access_vectors
+++ b/tools/flask/policy/policy/access_vectors
@@ -1,24 +1,5 @@
 # Locally defined access vectors
 #
-# Define access vectors for the security classes defined in security_classes
+# Define access vectors for the security classes defined in security_classes.
+# Access vectors defined in this file should not be used by the hypervisor.
 #
-
-# Note: this is an example; the xenstore daemon provided with Xen does
-# not yet include XSM support, and the exact permissions may be defined
-# differently if such support is added.
-class xenstore {
-	# read from keys owned by the target domain (if permissions allow)
-	read
-	# write to keys owned by the target domain (if permissions allow)
-	write
-	# change permissions of a key owned by the target domain
-	chmod
-	# change the owner of a key which was owned by the target domain
-	chown_from
-	# change the owner of a key to the target domain
-	chown_to
-	# access a key owned by the target domain without permission
-	override
-	# introduce a domain
-	introduce
-}
diff --git a/tools/flask/policy/policy/security_classes b/tools/flask/policy/policy/security_classes
index 56595e8..0f0f9f3 100644
--- a/tools/flask/policy/policy/security_classes
+++ b/tools/flask/policy/policy/security_classes
@@ -5,4 +5,3 @@
 # security policy.
 #
 # Access vectors for these classes must be defined in the access_vectors file.
-class xenstore
-- 
2.7.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

  parent reply	other threads:[~2016-06-20 14:04 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-20 14:04 [PATCH v2 00/17] XSM/FLASK updates for 4.8 Daniel De Graaf
2016-06-20 14:04 ` [PATCH 01/17] flask/policy: split into modules Daniel De Graaf
2016-06-20 14:04 ` [PATCH 02/17] flask/policy: split out rules for system_r Daniel De Graaf
2016-06-20 14:04 ` [PATCH 03/17] flask/policy: move user definitions and constraints into modules Daniel De Graaf
2016-06-20 14:04 ` [PATCH 04/17] flask/policy: remove unused support for binary modules Daniel De Graaf
2016-06-20 14:04 ` [PATCH 05/17] flask/policy: xenstore stubdom policy Daniel De Graaf
2016-06-20 14:04 ` Daniel De Graaf [this message]
2016-06-20 14:04 ` [PATCH 07/17] flask: unify {get, set}vcpucontext permissions Daniel De Graaf
2016-06-20 14:27   ` Doug Goldstein
2016-06-20 14:35     ` Andrew Cooper
2016-06-20 14:50       ` Daniel De Graaf
2016-06-20 14:58         ` Andrew Cooper
2016-06-20 14:04 ` [PATCH 08/17] flask: remove unused secondary context in ocontext Daniel De Graaf
2016-06-20 14:30   ` Doug Goldstein
2016-06-20 14:04 ` [PATCH 09/17] flask: remove unused AVC callback functions Daniel De Graaf
2016-06-20 14:32   ` Doug Goldstein
2016-06-20 14:04 ` [PATCH 10/17] flask: remove xen_flask_userlist operation Daniel De Graaf
2016-06-20 14:19   ` Jan Beulich
2016-06-20 14:35   ` Doug Goldstein
2016-06-20 15:07     ` Daniel De Graaf
2016-06-20 15:16       ` Doug Goldstein
2016-06-20 14:04 ` [PATCH 11/17] flask: improve unknown permission handling Daniel De Graaf
2016-06-20 14:37   ` Doug Goldstein
2016-06-20 14:04 ` [PATCH 12/17] xen/xsm: remove .xsm_initcall.init section Daniel De Graaf
2016-06-20 14:38   ` Doug Goldstein
2016-06-21 15:21   ` Andrew Cooper
2016-06-21 15:41     ` Julien Grall
2016-06-21 16:03       ` Andrew Cooper
2016-06-20 14:04 ` [PATCH 13/17] xen: move FLASK entry under XSM in Kconfig Daniel De Graaf
2016-06-20 14:41   ` Doug Goldstein
2016-06-20 14:42     ` Doug Goldstein
2016-06-20 14:46   ` Doug Goldstein
2016-06-20 15:11     ` Daniel De Graaf
2016-06-20 15:28       ` Jan Beulich
2016-06-20 16:49         ` Doug Goldstein
2016-06-21 17:09   ` [PATCH 13/17 v3] " Daniel De Graaf
2016-06-24 14:43     ` Doug Goldstein
2016-06-20 14:04 ` [PATCH 14/17] xsm: annotate setup functions with __init Daniel De Graaf
2016-06-20 14:46   ` Doug Goldstein
2016-06-20 14:04 ` [PATCH 15/17] xsm: clean up unregistration Daniel De Graaf
2016-06-20 14:47   ` Doug Goldstein
2016-06-20 14:04 ` [PATCH 16/17] xen: Make FLASK_AVC_STATS kconfig option visible Daniel De Graaf
2016-06-20 14:49   ` Doug Goldstein
2016-06-20 14:04 ` [PATCH 17/17] xsm: add a default policy to .init.data Daniel De Graaf
2016-06-20 14:52   ` Doug Goldstein
2016-06-24 16:30   ` Julien Grall
2016-06-24 16:50     ` Konrad Rzeszutek Wilk
2016-06-24 17:34       ` Daniel De Graaf
2016-06-24 17:40         ` Konrad Rzeszutek Wilk
2016-06-24 17:42           ` Daniel De Graaf
2016-06-24 17:46             ` Konrad Rzeszutek Wilk
2016-06-24 18:02               ` Daniel De Graaf
2016-06-24 18:36                 ` Konrad Rzeszutek Wilk
2016-06-24 17:41         ` Konrad Rzeszutek Wilk
2016-06-24 17:47           ` Julien Grall
2016-06-24 17:44         ` Julien Grall
2016-06-21 15:24 ` [PATCH v2 00/17] XSM/FLASK updates for 4.8 Andrew Cooper
2016-06-27  9:48   ` Andrew Cooper

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1466431466-28055-7-git-send-email-dgdegra@tycho.nsa.gov \
    --to=dgdegra@tycho.nsa.gov \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).