diff -r b992684e9ff6 -r dcde836219bc obj2sobj_prop.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/obj2sobj_prop.thy Fri Apr 12 10:43:11 2013 +0100 @@ -0,0 +1,674 @@ +theory obj2sobj_prop +imports Main rc_theory os_rc deleted_prop +begin + +context tainting_s_complete begin + +(** file 2 sfile **) + +lemma init_son_deleted_D: + "\deleted (File pf) s; f # pf \ init_files; valid s\ \ deleted (File (f # pf)) s" +apply (induct s, simp) +by (frule valid_cons, frule valid_os, case_tac a, auto dest:init_notin_curf_deleted) + +lemma init_parent_undeleted_I: + "\\ deleted (File (f # pf)) s; f # pf \ init_files; valid s\ \ \ deleted (File pf) s" +by (rule notI, simp add:init_son_deleted_D) + +lemma source_dir_in_init: + "source_dir s f = Some sd \ sd \ init_files" +by (induct f, auto split:if_splits) + +lemma source_dir_of_init: "\source_dir [] f = Some sd; f \ init_files\ \ f = sd" +by (induct f, auto) + +lemma source_dir_of_init': "f \ init_files \ source_dir [] f = Some f" +by (induct f, auto) + +lemma init_not_curf_imp_deleted: + "\f \ init_files; f \ current_files s; valid s\ \ deleted (File f) s" +apply (induct s, simp) +apply (frule valid_cons, frule valid_os, case_tac a, auto) +done + +lemma source_dir_of_init'': + "\f \ init_files; \ deleted (File f) s; valid s\ \ source_dir s f = Some f" +by (induct f, auto) + + +lemma source_dir_createf: + "valid (CreateFile p (f#pf) # s) \ + source_dir (CreateFile p (f#pf) # s) = (source_dir s) ((f#pf) := source_dir s pf)" +apply (frule valid_os, frule valid_cons) +apply (rule ext, induct_tac x) +apply (auto dest:init_not_curf_imp_deleted) +done + +lemma source_dir_createf': + "valid (CreateFile p f # s) \ + source_dir (CreateFile p f # s) = (source_dir s) (f := (case (parent f) of + Some pf \ source_dir s pf + | _ \ None))" +apply (frule valid_os, case_tac f, simp+) +apply (drule source_dir_createf, auto) +done + +lemma source_dir_other: + "\valid (e # s); \ p f. e \ CreateFile p f; \ p f. e \ DeleteFile p f\ + \ source_dir (e#s) = source_dir s" +apply (rule ext, induct_tac x, simp) +apply (auto dest:not_deleted_cons_D) +apply (case_tac [!] e, auto) +done + +lemma source_dir_deletef: + "valid (DeleteFile p f # s) \ source_dir (DeleteFile p f # s) f' = + (if (source_dir s f') = Some f then parent f else (source_dir s f'))" +apply (frule valid_os, frule valid_cons) +apply (case_tac "f \ init_files") +apply (induct_tac f', simp) +apply (auto dest!:init_parent_undeleted_I intro:parent_file_in_init' + intro!: source_dir_of_init'')[1] +apply (induct_tac f', auto) +done + +lemma source_dir_deletef': + "valid (DeleteFile p f # s) \ source_dir (DeleteFile p f # s) = (\ f'. + (if (source_dir s f') = Some f then parent f else (source_dir s f')) )" +by (auto dest:source_dir_deletef) + +lemmas source_dir_simps = source_dir_of_init' source_dir_of_init'' source_dir_createf' + source_dir_deletef' source_dir_other + +declare source_dir.simps [simp del] + +lemma source_dir_is_ancient: + "source_dir s f = Some sd ==> sd \ f" +apply (induct f) +by (auto simp:source_dir.simps no_junior_def split:if_splits) + +lemma no_junior_trans: "\f \ f'; f' \ f''\ \ f \ f''" +by (auto elim:no_juniorE) + +lemma ancient_has_parent: + "[| f \ f'; f \ f'|] ==> \ sonf. parent sonf = Some f \ sonf \ f' " +apply (induct f') +apply (simp add:no_junior_def) +apply (case_tac "f = f'") +apply (rule_tac x = "a # f'" in exI, simp add:no_junior_def) +apply (frule no_junior_noteq, simp) +apply clarsimp +apply (rule_tac x = sonf in exI, simp add:no_junior_trans) +done + +lemma source_dir_prop: + "[|\fn. fn # f' \ current_files s; source_dir s f = Some f'; f \ current_files s; valid s|] + ==> f = f'" + apply (drule source_dir_is_ancient) + apply (case_tac "f = f'", simp) + apply (drule ancient_has_parent, simp, clarsimp) + apply (drule_tac ancient_file_in_current, simp+) + apply (case_tac sonf, auto) + done + +lemma current_file_has_sd: + "\f \ current_files s; valid s\ \ \ sd. source_dir s f = Some sd" +apply (induct s arbitrary:f, simp add:source_dir_of_init') +apply (frule valid_cons, frule valid_os, case_tac a, auto simp:source_dir_simps) +apply (case_tac list, simp) +apply (rule_tac f = f in cannot_del_root, simp+) +done + +lemma current_file_has_sd': + "\source_dir s f = None; valid s\ \ f \ current_files s" +by (rule notI, auto dest:current_file_has_sd) + +lemma current_file_has_sfile: + "\f \ current_files s; valid s\ \ \ et sd. cf2sfile s f = Some (et, sd)" +apply (frule current_file_has_sd, simp+) +apply (frule current_file_has_etype, auto) +done + +lemma current_file_has_sfile': + "\f \ current_files s; valid s\ \ \ sf. cf2sfile s f = Some sf" +by (auto dest:current_file_has_sfile) + +(* +lemma not_deleted_sf_remains: + "\f \ current_files s; \ deleted (File f) s; valid s\ \ " +*) + +lemma current_proc_has_sproc: + "\p \ current_procs s; valid s\ \ \ r fr pt u. cp2sproc s p = Some (r, fr, pt, u)" +apply (frule current_proc_has_role, simp+) +apply (frule current_proc_has_type, simp) +apply (frule current_proc_has_forcedrole, simp) +apply (frule current_proc_has_owner, auto) +done + +lemma current_proc_has_sproc': + "\p \ current_procs s; valid s\ \ \ sp. cp2sproc s p = Some sp" +by (auto dest!:current_proc_has_sproc) + +lemma current_ipc_has_sipc: + "\i \ current_ipcs s; valid s\ \ \ t. ci2sipc s i = Some t" +by (drule current_ipc_has_type, auto) + +lemma init_file_has_sobj: + "f \ init_files \ \ t sd. init_obj2sobj (File f) = SFile (t, sd) (Some f)" +by (frule init_file_has_etype, clarsimp) + +lemma init_proc_has_sobj: + assumes pinit:"p \ init_processes" + shows "\ r fr pt u. init_obj2sobj (Proc p) = SProc (r, fr, pt, u) (Some p)" +proof - + from pinit obtain r where "init_currentrole p = Some r" + using init_proc_has_role by (auto simp:bidirect_in_init_def) + moreover from pinit obtain fr where "init_proc_forcedrole p = Some fr" + using init_proc_has_frole by (auto simp:bidirect_in_init_def) + moreover from pinit obtain pt where "init_process_type p = Some pt" + using init_proc_has_type by (auto simp:bidirect_in_init_def) + moreover from pinit obtain u where "init_owner p = Some u" + using init_proc_has_owner by (auto simp:bidirect_in_init_def) + ultimately show ?thesis by auto +qed + +lemma init_ipc_has_sobj: + "i \ init_ipcs \ \ t. init_obj2sobj (IPC i) = SIPC t (Some i)" +using init_ipc_has_type +by (auto simp:bidirect_in_init_def) + +lemma init_obj_has_sobj: + "exists [] obj \ init_obj2sobj obj \ Unknown" +apply (case_tac obj) +apply (simp_all only:exists.simps current_procs.simps current_ipcs.simps current_files.simps) +apply (auto dest!:init_proc_has_sobj init_file_has_sobj init_ipc_has_sobj) +done + +lemma exists_obj_has_sobj: + "\exists s obj; valid s\ \ obj2sobj s obj \ Unknown" +apply (case_tac obj) +apply (auto dest!:current_ipc_has_sipc current_proc_has_sproc' current_file_has_sfile' + split:option.splits) +done + +lemma current_proc_has_srp: + "\p \ current_procs s; valid s\ \ \ srp. source_proc s p = Some srp" +apply (induct s arbitrary:p, simp) +by (frule valid_cons, frule valid_os, case_tac a, auto) + +lemma current_proc_has_sobj: + "\p \ current_procs s; valid s\ \ \ r fr t u srp. obj2sobj s (Proc p) = SProc (r,fr,t,u) (Some srp)" +apply (frule current_proc_has_sproc') +apply (auto dest:current_proc_has_srp) +done + +lemma current_file_has_sobj: + "\f \ current_files s; valid s\ \ \ t sd srf. obj2sobj s (File f) = SFile (t, sd) srf" +by (auto dest:current_file_has_sfile) + +lemma current_ipc_has_sobj: + "\i \ current_ipcs s; valid s\ \ \ t sri. obj2sobj s (IPC i) = SIPC t sri" +by (auto dest:current_ipc_has_sipc) + +lemma sobj_has_proc_role: + "obj2sobj s (Proc p) = SProc (r, fr, t, u) srp \ currentrole s p = Some r" +by (auto split:option.splits) + +lemma chown_role_aux_valid: + "\currentrole s p = Some r; proc_forcedrole s p = Some fr\ + \ chown_role_aux r fr u = currentrole (ChangeOwner p u # s) p" +by (auto split:t_role.splits simp:chown_role_aux_def dest:proc_forcedrole_valid) + +lemma chown_role_aux_valid': + "cp2sproc s p = Some (r, fr, t, u') \ chown_role_aux r fr u = currentrole (ChangeOwner p u # s) p" +by (rule chown_role_aux_valid, auto split:option.splits) + +lemma chown_type_aux_valid: + "\currentrole s p = Some r; currentrole (ChangeOwner p u # s) p = Some nr; type_of_process s p = Some t\ + \ type_of_process (ChangeOwner p u # s) p = Some (chown_type_aux r nr t)" +apply (auto split:option.splits t_rc_proc_type.splits + dest:default_process_create_type_valid + simp:chown_type_aux_def pot_def pct_def) +done + +lemma chown_type_aux_valid': + "\cp2sproc s p = Some (r, fr, t, u'); currentrole (ChangeOwner p u # s) p = Some nr\ + \ type_of_process (ChangeOwner p u # s) p = Some (chown_type_aux r nr t)" +by (rule chown_type_aux_valid, auto split:option.splits) + +lemma exec_type_aux_valid: + "\currentrole s p = Some r; type_of_process s p = Some t\ + \ type_of_process (Execute p f # s) p = Some (exec_type_aux r t)" +apply (auto split:option.splits t_rc_proc_type.splits + dest:default_process_execute_type_valid + simp:exec_type_aux_def pet_def) +done + +lemma exec_type_aux_valid': + "cp2sproc s p = Some (r, fr, t, u') \ type_of_process (Execute p f # s) p = Some (exec_type_aux r t)" +by (rule exec_type_aux_valid, auto split:option.splits) + +lemma non_initf_frole_inherit: + "\f \ init_files; f \ []\ \ forcedrole s f = Some InheritParentRole" +apply (induct s) defer +apply (case_tac a, auto) +apply (induct f, auto split:option.splits dest:init_frole_has_file) +done + +lemma non_initf_irole_inherit: + "\f \ init_files; f \ []\ \ initialrole s f = Some InheritParentRole" +apply (induct s) defer +apply (case_tac a, auto) +apply (induct f, auto split:option.splits dest:init_irole_has_file) +done + +lemma deleted_file_frole_inherit: + "\deleted (File f) s; f \ current_files s\ \ forcedrole s f = Some InheritParentRole" +apply (induct s, simp) +apply (case_tac a, auto) +done + +lemma deleted_file_irole_inherit: + "\deleted (File f) s; f \ current_files s\ \ initialrole s f = Some InheritParentRole" +apply (induct s, simp) +apply (case_tac a, auto) +done + +lemma sd_deter_efrole: + "\source_dir s f = Some sd; valid s; f \ current_files s\ + \ effforcedrole s f = effforcedrole s sd" +apply (induct f) +apply (drule source_dir_is_ancient, simp add:no_junior_def) +apply (simp add:source_dir.simps split:if_splits) +apply (frule parent_file_in_current', simp) +apply (case_tac "a # f \ init_files", simp) +apply (drule_tac deleted_file_frole_inherit, simp, simp add:effforcedrole_def) +apply (drule_tac s = s in non_initf_frole_inherit, simp, simp add:effforcedrole_def) +done + +lemma sd_deter_eirole: + "\source_dir s f = Some sd; valid s; f \ current_files s\ + \ effinitialrole s f = effinitialrole s sd" +apply (induct f) +apply (drule source_dir_is_ancient, simp add:no_junior_def) +apply (simp add:source_dir.simps split:if_splits) +apply (frule parent_file_in_current', simp) +apply (case_tac "a # f \ init_files", simp) +apply (drule_tac deleted_file_irole_inherit, simp, simp add:effinitialrole_def) +apply (drule_tac s = s in non_initf_irole_inherit, simp, simp add:effinitialrole_def) +done + +lemma undel_initf_keeps_frole: + "\f \ init_files; \ deleted (File f) s; valid s\ + \ forcedrole s f = init_file_forcedrole f" +apply (induct s, simp) +apply (frule valid_cons, frule valid_os, case_tac a) +apply (auto dest:init_notin_curf_deleted) +done + +lemma undel_initf_keeps_efrole: + "\f \ init_files; \ deleted (File f) s; valid s\ + \ effforcedrole s f = erole_functor init_file_forcedrole InheritUpMixed f" +apply (induct f) +apply (drule undel_initf_keeps_frole, simp, simp) +apply (simp add:effforcedrole_def) +apply (frule parent_file_in_init', frule init_parent_undeleted_I, simp+) +apply (drule undel_initf_keeps_frole, simp, simp) +apply (simp add:effforcedrole_def) +done + +lemma undel_initf_keeps_irole: + "\f \ init_files; \ deleted (File f) s; valid s\ + \ initialrole s f = init_file_initialrole f" +apply (induct s, simp) +apply (frule valid_cons, frule valid_os, case_tac a) +apply (auto dest:init_notin_curf_deleted) +done + +lemma undel_initf_keeps_eirole: + "\f \ init_files; \ deleted (File f) s; valid s\ + \ effinitialrole s f = erole_functor init_file_initialrole UseForcedRole f" +apply (induct f) +apply (drule undel_initf_keeps_irole, simp, simp) +apply (simp add:effinitialrole_def) +apply (frule parent_file_in_init', frule init_parent_undeleted_I, simp+) +apply (drule undel_initf_keeps_irole, simp, simp) +apply (simp add:effinitialrole_def) +done + +lemma source_dir_not_deleted: + "source_dir s f = Some sd \ \ deleted (File sd) s" +by (induct f, auto simp:source_dir.simps split:if_splits) + +lemma exec_role_aux_valid: + "\currentrole s p = Some r; source_dir s f = Some sd; owner s p = Some u; + f \ current_files s; valid s\ + \ exec_role_aux r sd u = currentrole (Execute p f # s) p" +apply (frule sd_deter_eirole, simp+, frule sd_deter_efrole, simp+) +apply (frule source_dir_in_init, drule source_dir_not_deleted) +apply (simp add:undel_initf_keeps_eirole undel_initf_keeps_efrole) +apply (frule file_has_effinitialrole, simp, frule file_has_effforcedrole, simp) +apply (auto split:option.splits t_role.splits simp:map_comp_def exec_role_aux_def + dest:effforcedrole_valid effinitialrole_valid) +done + +lemma exec_role_aux_valid': + "\cp2sproc s p = Some (r, fr, t, u); source_dir s f = Some sd; f \ current_files s; valid s\ + \ exec_role_aux r sd u = currentrole (Execute p f # s) p" +by (rule exec_role_aux_valid, auto split:option.splits) + +lemma cp2sproc_nil_init: + "init_obj2sobj (Proc p) = (case (cp2sproc [] p) of + Some sp \ SProc sp (Some p) + | _ \ Unknown)" +by (auto split:option.splits) + +lemma cf2sfile_nil_init: + "init_obj2sobj (File f) = (case (cf2sfile [] f) of + Some sf \ SFile sf (Some f) + | _ \ Unknown)" +apply (auto split:option.splits simp:etype_of_file_def) +apply (case_tac "f \ init_files", simp add:source_dir_of_init') +apply (induct f, simp+) +apply (case_tac "f \ init_files", simp add:source_dir_of_init') +apply (induct f, simp+) +done + +lemma ci2sipc_nil_init: + "init_obj2sobj (IPC i) = (case (ci2sipc [] i) of + Some si \ SIPC si (Some i) + | _ \ Unknown)" +by simp + +lemma obj2sobj_nil_init: + "exists [] obj \ obj2sobj [] obj = init_obj2sobj obj" +apply (case_tac obj) +apply (auto simp:cf2sfile_nil_init cp2sproc_nil_init ci2sipc_nil_init + source_dir_of_init' etype_of_file_def + split:if_splits option.splits) +done + +(**** cp2sproc simpset ****) + +lemma current_proc_has_role': + "\currentrole s p = None; valid s\ \ p \ current_procs s" +by (rule notI, auto dest:current_proc_has_role) + +lemma cp2sproc_chown: + assumes vs: "valid (ChangeOwner p u # s)" + shows "cp2sproc (ChangeOwner p u # s) = (cp2sproc s) + (p := (case (cp2sproc s p) of + Some (r,fr,pt,u') \ (case (chown_role_aux r fr u) of + Some nr \ Some (nr,fr,chown_type_aux r nr pt,u) + | _ \ None) + | _ \ None) + )" (is "?lhs = ?rhs") +proof- + have os: "os_grant s (ChangeOwner p u)" and vs': "valid s" using vs + by (auto dest:valid_cons valid_os) + have "\ x. x \ p \ ?lhs x = ?rhs x" + by (auto simp:type_of_process.simps split:option.splits t_role.splits) + moreover have "?lhs p = ?rhs p" + proof- + from os have p_in: "p \ current_procs s" by (simp+) + then obtain r fr t u' where csp: "cp2sproc s p = Some (r, fr, t, u')" using vs' + by (drule_tac current_proc_has_sproc, auto) + from os have "u \ init_users" by simp + hence "defrole u \ None" using init_user_has_role by (auto simp:bidirect_in_init_def) + then obtain nr where nrole:"chown_role_aux r fr u = Some nr" + by (case_tac fr, auto simp:chown_role_aux_def) + have nr_eq: "currentrole (ChangeOwner p u # s) p = chown_role_aux r fr u" + using csp by (auto simp:chown_role_aux_valid'[where u = u]) + moreover have "type_of_process (ChangeOwner p u # s) p = Some (chown_type_aux r nr t)" + using csp nrole nr_eq + by (rule_tac fr = fr and u' = u' in chown_type_aux_valid', simp+) + moreover have "proc_forcedrole (ChangeOwner p u # s) p = Some fr" + using csp by (auto split:option.splits) + moreover have "owner (ChangeOwner p u # s) p = Some u" by simp + ultimately have "cp2sproc (ChangeOwner p u # s) p = Some (nr, fr, chown_type_aux r nr t, u)" + using nrole by (simp) + thus ?thesis using csp nrole by simp + qed + ultimately show ?thesis by (rule_tac ext, auto) +qed + +lemma cp2sproc_crole: + "valid (ChangeRole p r # s) \ cp2sproc (ChangeRole p r # s) = (cp2sproc s) + (p := (case (cp2sproc s p) of + Some (r',fr,pt,u) \ Some (r,fr,pt,u) + | _ \ None) + )" +apply (frule valid_cons, frule valid_os, simp) +apply (frule current_proc_has_sproc, simp) +apply (rule ext, auto split:option.splits) +done + +lemma cp2sproc_exec: + assumes vs: "valid (Execute p f # s)" + shows "cp2sproc (Execute p f # s) = (cp2sproc s) + (p := (case (cp2sproc s p, source_dir s f) of + (Some (r,fr,pt,u), Some sd) \ ( + case (exec_role_aux r sd u, erole_functor init_file_forcedrole InheritUpMixed sd) of + (Some r', Some fr') \ Some (r', fr', exec_type_aux r pt, u) + | _ \ None ) + | _ \ None))" (is "?lhs = ?rhs") +proof- + have os: "os_grant s (Execute p f)" and vs': "valid s" using vs + by (auto dest:valid_cons valid_os) + have "\ x. x \ p \ ?lhs x = ?rhs x" + by (auto simp:type_of_process.simps split:option.splits t_role.splits) + moreover have "?lhs p = ?rhs p" + proof- + from os have p_in: "p \ current_procs s" by (simp+) + then obtain r fr t u where csp: "cp2sproc s p = Some (r, fr, t, u)" using vs' + by (drule_tac current_proc_has_sproc, auto) + from os have f_in: "f \ current_files s" by simp + then obtain sd where sdir: "source_dir s f = Some sd" using vs' + by (drule_tac current_file_has_sd, auto) + have "currentrole (Execute p f # s) p \ None" using vs p_in + by (rule_tac notI, drule_tac current_proc_has_role', simp+) + then obtain nr where nrole: "currentrole (Execute p f # s) p = Some nr" by auto + have "proc_forcedrole (Execute p f # s) p \ None" using vs p_in + by (rule_tac notI, drule_tac current_proc_has_forcedrole', simp+) + then obtain nfr where nfrole: "proc_forcedrole (Execute p f # s) p = Some nfr" by auto + have nr_eq: "currentrole (Execute p f # s) p = exec_role_aux r sd u" + using csp f_in sdir vs' by (simp only:exec_role_aux_valid') + moreover have "type_of_process (Execute p f # s) p = Some (exec_type_aux r t)" + using csp by (simp only:exec_type_aux_valid') + moreover have nfr_eq: "proc_forcedrole (Execute p f # s) p = + erole_functor init_file_forcedrole InheritUpMixed sd" + using sdir vs' f_in + apply (frule_tac source_dir_in_init, drule_tac source_dir_not_deleted) + by (simp add:undel_initf_keeps_efrole sd_deter_efrole) + moreover have "owner (Execute p f # s) p = Some u" using csp + by (auto split:option.splits) + ultimately have "cp2sproc (Execute p f # s) p = Some (nr, nfr, exec_type_aux r t, u)" + using nrole nfrole by (simp) + moreover have "exec_role_aux r sd u = Some nr" using nrole nr_eq by simp + moreover have "erole_functor init_file_forcedrole InheritUpMixed sd = Some nfr" + using nfrole nfr_eq by simp + ultimately show ?thesis using csp sdir by simp + qed + ultimately show ?thesis by (rule_tac ext, auto) +qed + +lemma cp2sproc_clone: + "valid (Clone p p' # s) \ cp2sproc (Clone p p' # s) = (cp2sproc s) (p' := + (case (cp2sproc s p) of + Some (r, fr, pt, u) \ Some (r, fr, clone_type_aux r pt, u) + | _ \ None))" +apply (frule valid_cons, frule valid_os) +apply (rule ext, auto split:option.splits t_rc_proc_type.splits + simp:pct_def clone_type_aux_def + dest:current_proc_has_type default_process_create_type_valid) +done + +lemma cp2sproc_other: + "\valid (e # s); \ p f. e \ Execute p f; \ p p'. e \ Clone p p'; + \ p r. e \ ChangeRole p r; \ p u. e \ ChangeOwner p u\ \ cp2sproc (e#s) = cp2sproc s" +by (case_tac e, auto) + +lemmas cp2sproc_simps = cp2sproc_exec cp2sproc_chown cp2sproc_crole cp2sproc_clone cp2sproc_other + +lemma obj2sobj_file: "obj2sobj s obj = SFile sf fopt \ \ f. obj = File f" +by (case_tac obj, case_tac [!] s, auto split:option.splits if_splits) + +lemma obj2sobj_proc: "obj2sobj s obj = SProc sp popt \ \ p. obj = Proc p" +by (case_tac obj, case_tac [!] s, auto split:option.splits if_splits) + +lemma obj2sobj_ipc: "obj2sobj s obj = SIPC si iopt \ \ i. obj = IPC i" +by (case_tac obj, case_tac [!] s, auto split:option.splits if_splits) + +lemma obj2sobj_file': + "\obj2sobj s (File f) = sobj; sobj \ Unknown\ \ \ sf srf. sobj = SFile sf srf" +by (case_tac sobj, case_tac [!] s, auto split:option.splits if_splits) + +lemma obj2sobj_proc': + "\obj2sobj s (Proc p) = sobj; sobj \ Unknown\ \ \ sp srp. sobj = SProc sp srp" +by (case_tac sobj, case_tac [!] s, auto split:option.splits if_splits) + +lemma obj2sobj_ipc': + "\obj2sobj s (IPC i) = sobj; sobj \ Unknown\ \ \ si sri. sobj = SIPC si sri" +by (case_tac sobj, case_tac [!] s, auto split:option.splits if_splits) + +lemma obj2sobj_file_remains_cons: + assumes vs: "valid (e#s)" and exf: "f \ current_files s" + and SF: "obj2sobj s (File f) = SFile sf srf" + and notdeled: "\ deleted (File f) (e#s)" + shows "obj2sobj (e#s) (File f) = SFile sf srf" +proof- + from vs have os:"os_grant s e" and vs': "valid s" + by (auto dest:valid_cons valid_os) + from notdeled exf have exf': "f \ current_files (e#s)" by (case_tac e, auto) + have "etype_of_file (e # s) f = etype_of_file s f" + using os vs vs' exf exf' + apply (case_tac e, auto simp:etype_of_file_def split:option.splits) + by (auto dest:ancient_file_in_current intro!:etype_aux_prop) + moreover have "source_dir (e # s) f = source_dir s f" + using os vs vs' exf exf' + by (case_tac e, auto simp:source_dir_simps dest:source_dir_prop) + ultimately show ?thesis using vs SF notdeled + by (auto split:if_splits option.splits dest:not_deleted_cons_D) +qed + +lemma obj2sobj_file_remains_cons': + "\valid (e#s); f \ current_files s; obj2sobj s (File f) = SFile sf srf; no_del_event (e#s)\ + \ obj2sobj (e#s) (File f) = SFile sf srf" +by (auto intro!:obj2sobj_file_remains_cons nodel_imp_un_deleted + simp del:obj2sobj.simps) + +lemma obj2sobj_file_remains': + "\obj2sobj s (File f) = sobj; sobj \ Unknown; valid (e#s); f \ current_files s; + no_del_event (e#s)\ \ obj2sobj (e#s) (File f) = sobj" +apply (frule obj2sobj_file', simp, (erule exE)+) +apply (simp del:obj2sobj.simps) +apply (erule obj2sobj_file_remains_cons', simp+) +done + +lemma obj2sobj_file_remains_app: + "\obj2sobj s (File f) = SFile sf srf; valid (s' @ s); f \ current_files s; + \ deleted (File f) (s'@s)\ \ obj2sobj (s'@s) (File f) = SFile sf srf" +apply (induct s', simp) +apply (simp only:cons_app_simp_aux) +apply (frule valid_cons, frule not_deleted_cons_D) +apply (drule_tac s = "s'@s" in obj2sobj_file_remains_cons, auto simp del:obj2sobj.simps) +apply (drule_tac obj = "File f" in not_deleted_imp_exists', simp+) +done + +lemma obj2sobj_file_remains_app': + "\obj2sobj s (File f) = SFile sf srf; valid (s' @ s); f \ current_files s; + no_del_event (s'@s)\ \ obj2sobj (s'@s) (File f) = SFile sf srf" +by (auto intro!:obj2sobj_file_remains_app nodel_imp_un_deleted + simp del:obj2sobj.simps) + +lemma obj2sobj_file_remains'': + "\obj2sobj s (File f) = sobj; sobj \ Unknown; valid (s'@s); f \ current_files s; + no_del_event (s'@s)\ \ obj2sobj (s'@s) (File f) = sobj" +apply (frule obj2sobj_file', simp, (erule exE)+) +apply (simp del:obj2sobj.simps) +apply (erule obj2sobj_file_remains_app', simp+) +done + +lemma obj2sobj_file_remains''': + "\obj2sobj s (File f) = sobj; sobj \ Unknown; valid (s'@s); f \ current_files s; + \deleted (File f) (s'@s)\ \ obj2sobj (s'@s) (File f) = sobj" +apply (frule obj2sobj_file', simp, (erule exE)+) +apply (simp del:obj2sobj.simps) +by (erule obj2sobj_file_remains_app, simp+) + +lemma obj2sobj_ipc_remains_cons: + "\valid (e#s); i \ current_ipcs s; obj2sobj s (IPC i) = SIPC si sri; \ deleted (IPC i) (e#s)\ + \ obj2sobj (e#s) (IPC i) = SIPC si sri" +apply (frule valid_cons, frule valid_os, case_tac e) +by (auto simp:ni_init_deled ni_notin_curi split:option.splits + dest!:current_proc_has_role') + +lemma obj2sobj_ipc_remains_cons': + "\valid (e#s); i \ current_ipcs s; obj2sobj s (IPC i) = SIPC si sri; no_del_event (e#s)\ + \ obj2sobj (e#s) (IPC i) = SIPC si sri" +by (auto intro!:obj2sobj_ipc_remains_cons nodel_imp_un_deleted + simp del:obj2sobj.simps) + +lemma obj2sobj_ipc_remains': + "\obj2sobj s (IPC i) = sobj; sobj \ Unknown; valid (e#s); i \ current_ipcs s; + no_del_event (e#s)\ \ obj2sobj (e#s) (IPC i) = sobj" +apply (frule obj2sobj_ipc', simp, (erule exE)+) +apply (simp del:obj2sobj.simps) +apply (erule obj2sobj_ipc_remains_cons', simp+) +done + +lemma obj2sobj_ipc_remains_app: + "\obj2sobj s (IPC i) = SIPC si sri; valid (s'@s); i \ current_ipcs s; \ deleted (IPC i) (s'@s)\ + \ obj2sobj (s'@s) (IPC i) = SIPC si sri" +apply (induct s', simp) +apply (simp only:cons_app_simp_aux) +apply (frule valid_cons, frule not_deleted_cons_D) +apply (drule_tac s = "s'@s" in obj2sobj_ipc_remains_cons, auto simp del:obj2sobj.simps) +apply (drule_tac obj = "IPC i" in not_deleted_imp_exists', simp+) +done + +lemma obj2sobj_ipc_remains_app': + "\obj2sobj s (IPC i) = SIPC si sri; valid (s'@s); i \ current_ipcs s; no_del_event (s'@s)\ + \ obj2sobj (s'@s) (IPC i) = SIPC si sri" +by (auto intro!:obj2sobj_ipc_remains_app nodel_imp_un_deleted + simp del:obj2sobj.simps) + +lemma obj2sobj_ipc_remains'': + "\obj2sobj s (IPC i) = sobj; sobj \ Unknown; valid (s'@s); i \ current_ipcs s; + no_del_event (s'@s)\ \ obj2sobj (s'@s) (IPC i) = sobj" +apply (frule obj2sobj_ipc', simp, (erule exE)+) +apply (simp del:obj2sobj.simps) +apply (erule obj2sobj_ipc_remains_app', simp+) +done + +lemma obj2sobj_ipc_remains''': + "\obj2sobj s (IPC i) = sobj; sobj \ Unknown; valid (s'@s); i \ current_ipcs s; + \ deleted (IPC i) (s'@s)\ \ obj2sobj (s'@s) (IPC i) = sobj" +apply (frule obj2sobj_ipc', simp, (erule exE)+) +apply (simp del:obj2sobj.simps) +apply (erule obj2sobj_ipc_remains_app, simp+) +done + +end + +context tainting_s_sound begin + +lemma cp2sproc_clone': + "valid (Clone p p' # s) \ cp2sproc (Clone p p' # s) = (cp2sproc s) (p' := cp2sproc s p)" +by (drule cp2sproc_clone, auto split:option.splits simp:clone_type_unchange clone_type_aux_def) + +lemmas cp2sproc_simps' = cp2sproc_exec cp2sproc_chown cp2sproc_crole cp2sproc_clone' cp2sproc_other + +lemma clone_sobj_keeps_same: + "valid (Clone p p' # s) \ obj2sobj (Clone p p' # s) (Proc p') = obj2sobj s (Proc p)" +apply (frule valid_cons, frule valid_os, clarsimp) +apply (auto split:option.splits t_rc_proc_type.splits + dest:current_proc_has_role current_proc_has_forcedrole + current_proc_has_type current_proc_has_owner default_process_create_type_valid + simp:pct_def clone_type_unchange) +done + +end + +end \ No newline at end of file