xsm: clean up initial SIDs

The domU SID is never used before a policy load, and so does not
belong in the initial_sids list.

The PIRQ SID is now incorrectly named; it should simply be called IRQ.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

diff --git a/tools/flask/policy/policy/flask/initial_sids b/tools/flask/policy/policy/flask/initial_sids
index 9b78fba49cda67d1b6681d1e33478bfe6ae1fcc6..e508bde97697910bc4178ea10760070228dc7758 100644 (file)
--- a/tools/flask/policy/policy/flask/initial_sids
+++ b/tools/flask/policy/policy/flask/initial_sids
@@ -5,13 +5,12 @@
 #
 sid xen
 sid dom0
-sid domU
 sid domio
 sid domxen
 sid unlabeled
 sid security
 sid ioport
 sid iomem
-sid pirq
+sid irq
 sid device
 # FLASK

diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index d12af740cfff1428cfeea70ba82afb8bf60fb60a..1b508987f27a4529d89de0eb37c46604033e2c49 100644 (file)
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -70,10 +70,10 @@ define(`create_passthrough_resource', `
         allow $1 $2:resource {add remove};
         allow $1 ioport_t:resource {add_ioport use};
         allow $1 iomem_t:resource {add_iomem use};
-        allow $1 pirq_t:resource  {add_irq use};
+        allow $1 irq_t:resource  {add_irq use};
         allow $1 domio_t:mmu {map_read map_write};
         allow $2 domio_t:mmu {map_write};
-        allow $2 pirq_t:resource {use};
+        allow $2 irq_t:resource {use};
         allow $1 $3:resource {add_irq add_iomem add_ioport remove_irq remove_iomem remove_ioport use add_device remove_device};
         allow $2 $3:resource {use add_ioport add_iomem remove_ioport remove_iomem};
         allow $2 $3:mmu {map_read map_write};

diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 8113467080630d9ce81236d4674da8f2a08c9cfa..1a7f29ad72bc5d6ab8d72f0ab4d2fab4a703b57f 100644 (file)
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -16,7 +16,7 @@ type unlabeled_t, domain_type;
 
 type security_t, domain_type;
 
-type pirq_t, resource_type;
+type irq_t, resource_type;
 type ioport_t, resource_type;
 type iomem_t, resource_type;
 type device_t, resource_type;
@@ -43,8 +43,8 @@ allow xen_t ioport_t:resource {add_ioport remove_ioport};
 allow dom0_t ioport_t:resource {use};
 allow xen_t iomem_t:resource {add_iomem remove_iomem};
 allow dom0_t iomem_t:resource {use};
-allow xen_t pirq_t:resource {add_irq remove_irq};
-allow dom0_t pirq_t:resource { add_irq remove_irq use};
+allow xen_t irq_t:resource {add_irq remove_irq};
+allow dom0_t irq_t:resource { add_irq remove_irq use};
 allow dom0_t dom0_t:resource { add remove };
 allow dom0_t xen_t:xen firmware;
 
@@ -140,12 +140,11 @@ manage_domain(dom0_t, domHU_t)
 ################################################################################
 sid xen gen_context(system_u:system_r:xen_t,s0)
 sid dom0 gen_context(system_u:system_r:dom0_t,s0)
-sid domU gen_context(system_u:system_r:domU_t,s0)
 sid domxen gen_context(system_u:system_r:domxen_t,s0)
 sid domio gen_context(system_u:system_r:domio_t,s0)
 sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
 sid security gen_context(system_u:system_r:security_t,s0)
-sid pirq gen_context(system_u:object_r:pirq_t,s0)
+sid irq gen_context(system_u:object_r:irq_t,s0)
 sid iomem gen_context(system_u:object_r:iomem_t,s0)
 sid ioport gen_context(system_u:object_r:ioport_t,s0)
 sid device gen_context(system_u:object_r:device_t,s0)

diff --git a/xen/xsm/flask/include/flask.h b/xen/xsm/flask/include/flask.h
index 333edcde7e12dfc4f1207b4596d96e27f273faf3..6d29c5a0ef64ac441cbb7091fd7ede30cc1067c8 100644 (file)
--- a/xen/xsm/flask/include/flask.h
+++ b/xen/xsm/flask/include/flask.h
@@ -20,16 +20,15 @@
  */
 #define SECINITSID_XEN                                  1
 #define SECINITSID_DOM0                                 2
-#define SECINITSID_DOMU                                 3
-#define SECINITSID_DOMIO                                4
-#define SECINITSID_DOMXEN                               5
-#define SECINITSID_UNLABELED                            6
-#define SECINITSID_SECURITY                             7
-#define SECINITSID_IOPORT                               8
-#define SECINITSID_IOMEM                                9
-#define SECINITSID_PIRQ                                 10
-#define SECINITSID_DEVICE                               11
+#define SECINITSID_DOMIO                                3
+#define SECINITSID_DOMXEN                               4
+#define SECINITSID_UNLABELED                            5
+#define SECINITSID_SECURITY                             6
+#define SECINITSID_IOPORT                               7
+#define SECINITSID_IOMEM                                8
+#define SECINITSID_IRQ                                  9
+#define SECINITSID_DEVICE                               10
 
-#define SECINITSID_NUM                                  11
+#define SECINITSID_NUM                                  10
 
 #endif

diff --git a/xen/xsm/flask/include/initial_sid_to_string.h b/xen/xsm/flask/include/initial_sid_to_string.h
index 3bf8ff2731580f12fc28414c101747ac78363f0f..814f4bf0578d0714acfa2cc5035c92f4fbe4c792 100644 (file)
--- a/xen/xsm/flask/include/initial_sid_to_string.h
+++ b/xen/xsm/flask/include/initial_sid_to_string.h
@@ -4,14 +4,13 @@ static char *initial_sid_to_string[] =
     "null",
     "xen",
     "dom0",
-    "domU",
     "domio",
     "domxen",
     "unlabeled",
     "security",
     "ioport",
     "iomem",
-    "pirq",
+    "irq",
     "device",
 };
 

diff --git a/xen/xsm/flask/ss/services.c b/xen/xsm/flask/ss/services.c
index 1eb8e4ce1ebffd798174a779f10ceb31150c3eea..c810e9b38772ce9820c4a6da07a7dd79e91ecf57 100644 (file)
--- a/xen/xsm/flask/ss/services.c
+++ b/xen/xsm/flask/ss/services.c
@@ -1546,7 +1546,7 @@ int security_irq_sid(int pirq, u32 *out_sid)
     }
     else
     {
-        *out_sid = SECINITSID_PIRQ;
+        *out_sid = SECINITSID_IRQ;
     }
 
 out: