selinux: comparison no_shm_selinux/Enrich.thy

equal deleted inserted replaced

-:1ac0c3031ed2
+:0a68c605ae79
 apply (erule enrich_proc_dup_ffd', simp+)
 apply (rule_tac x = f in exI)
 apply (erule enrich_proc_dup_ffd, simp+)
 done
-lemma enrich_proc_prop:
+lemma enrich_proc_dup_ffds_eq_fds:
-"\<lbrakk>valid s; is_created_proc s p; p' \<notin> all_procs s\<rbrakk>
+"\<lbrakk>is_created_proc s p; p' \<notin> all_procs s; valid s\<rbrakk>
-\<Longrightarrow> valid (enrich_proc s p p') \<and>
+\<Longrightarrow> current_proc_fds (enrich_proc s p p') p' = proc_file_fds s p"
-(\<forall> obj. alive s obj \<longrightarrow> alive (enrich_proc s p p') obj) \<and>
+apply (induct s arbitrary:p)
-(\<forall> obj. enrich_not_alive s obj \<longrightarrow> enrich_not_alive (enrich_proc s p p') obj) \<and>
+apply (simp add: is_created_proc_def)
-(files_hung_by_del (enrich_proc s p p') = files_hung_by_del s) \<and>
+apply (frule not_all_procs_prop3)
-(\<forall> tp. tp \<in> current_procs s \<longrightarrow> cp2sproc (enrich_proc s p p') tp = cp2sproc s tp) \<and>
+apply (frule vd_cons, frule vt_grant_os, case_tac a)
-(\<forall> f. f \<in> current_files s \<longrightarrow> cf2sfile (enrich_proc s p p') f = cf2sfile s f) \<and>
+apply (auto split:if_splits option.splits dest:proc_fd_in_fds set_mp not_all_procs_prop3
-(\<forall> q. q \<in> current_msgqs s \<longrightarrow> cq2smsgq (enrich_proc s p p') q = cq2smsgq s q) \<and>
+simp:proc_file_fds_def is_created_proc_def)
-(\<forall> tp fd f. file_of_proc_fd s tp fd = Some f \<longrightarrow> file_of_proc_fd (enrich_proc s p p') tp fd = Some f) \<and>
+done
-(\<forall> tp fd flags. flags_of_proc_fd s tp fd = Some flags \<longrightarrow>
-flags_of_proc_fd (enrich_proc s p p') tp fd = Some flags) \<and>
+lemma oflags_check_remove_create:
-(\<forall> q. msgs_of_queue (enrich_proc s p p') q = msgs_of_queue s q) \<and>
+"oflags_check flags sp sf \<Longrightarrow> oflags_check (remove_create_flag flags) sp sf"
-(\<forall> tp fd. fd \<in> proc_file_fds s tp \<longrightarrow> cfd2sfd (enrich_proc s p p') tp fd = cfd2sfd s tp fd) \<and>
+apply (case_tac flags)
-(cp2sproc (enrich_proc s p p') p' = cp2sproc s p) \<and>
+apply (auto simp:oflags_check_def perms_of_flags_def perm_of_oflag_def split:bool.splits)
-(\<forall> fd. fd \<in> proc_file_fds s p \<longrightarrow> cfd2sfd (enrich_proc s p p') p' fd = cfd2sfd s p fd)"
+done
-proof (induct s)
-case Nil
+end
-thus ?case by (auto simp:is_created_proc_def)
-next
+end
-case (Cons e s)
-hence vd_cons: "valid (e # s)" and created_cons: "is_created_proc (e # s) p"
-and all_procs_cons: "p' \<notin> all_procs (e # s)" and vd: "valid s"
-and os: "os_grant s e" and grant: "grant s e"
-by (auto dest:vd_cons vt_grant_os vt_grant)
-from all_procs_cons have all_procs: "p' \<notin> all_procs s" by (case_tac e, auto)
-from Cons have pre: "is_created_proc s p \<Longrightarrow> valid (enrich_proc s p p') \<and>
-(\<forall>obj. alive s obj \<longrightarrow> alive (enrich_proc s p p') obj) \<and>
-(\<forall>obj. enrich_not_alive s obj \<longrightarrow> enrich_not_alive (enrich_proc s p p') obj) \<and>
-files_hung_by_del (enrich_proc s p p') = files_hung_by_del s \<and>
-(\<forall>tp. tp \<in> current_procs s \<longrightarrow> cp2sproc (enrich_proc s p p') tp = cp2sproc s tp) \<and>
-(\<forall>f. f \<in> current_files s \<longrightarrow> cf2sfile (enrich_proc s p p') f = cf2sfile s f) \<and>
-(\<forall>q. q \<in> current_msgqs s \<longrightarrow> cq2smsgq (enrich_proc s p p') q = cq2smsgq s q) \<and>
-(\<forall>tp fd f. file_of_proc_fd s tp fd = Some f \<longrightarrow> file_of_proc_fd (enrich_proc s p p') tp fd = Some f) \<and>
-(\<forall>tp fd flags.
-flags_of_proc_fd s tp fd = Some flags \<longrightarrow> flags_of_proc_fd (enrich_proc s p p') tp fd = Some flags) \<and>
-(\<forall>q. msgs_of_queue (enrich_proc s p p') q = msgs_of_queue s q) \<and>
-(\<forall>tp fd. fd \<in> proc_file_fds s tp \<longrightarrow> cfd2sfd (enrich_proc s p p') tp fd = cfd2sfd s tp fd) \<and>
-(cp2sproc (enrich_proc s p p') p' = cp2sproc s p) \<and>
-(\<forall> fd. fd \<in> proc_file_fds s p \<longrightarrow> cfd2sfd (enrich_proc s p p') p' fd = cfd2sfd s p fd)"
-using vd all_procs by auto
-have alive_pre: "is_created_proc s p \<Longrightarrow> (\<forall>obj. alive s obj \<longrightarrow> alive (enrich_proc s p p') obj)"
-using pre by simp
-hence curf_pre: "is_created_proc s p \<Longrightarrow> (\<forall>f. f \<in> current_files s \<longrightarrow> f \<in> current_files (enrich_proc s p p'))"
-using vd apply auto
-apply (drule is_file_or_dir, simp)
-apply (erule disjE)
-apply (erule_tac x = "O_file f" in allE, simp add:is_file_in_current)
-apply (erule_tac x = "O_dir f" in allE, simp add:is_dir_in_current)
-done
-have "valid (enrich_proc (e # s) p p')"
-proof-
-from pre have pre': "is_created_proc s p \<Longrightarrow> valid (enrich_proc s p p')" by simp
-have "is_created_proc s p \<Longrightarrow> valid (e # enrich_proc s p p')"
-apply (frule pre')
-apply (erule_tac s = s in enrich_valid_intro_cons)
-apply (simp_all add:os grant vd pre)
-done
-moreover have "\<And>f fds. \<lbrakk>valid (Execve p f fds # enrich_proc s p p'); is_created_proc s p;
-valid (Execve p f fds # s); p' \<notin> all_procs s\<rbrakk>
-\<Longrightarrow> valid (Execve p' f (fds \<inter> proc_file_fds s p) # Execve p f fds # enrich_proc s p p')"
-proof-
-fix f fds
-assume a1: "valid (Execve p f fds # enrich_proc s p p')" and a2: "is_created_proc s p"
-and a3: "valid (Execve p f fds # s)" and a0: "p' \<notin> all_procs s"
-have cp2sp: "\<forall> tp. tp \<in> current_procs s \<longrightarrow> cp2sproc (enrich_proc s p p') tp = cp2sproc s tp"
-and cf2sf: "\<forall> tf. tf \<in> current_files s \<longrightarrow> cf2sfile (enrich_proc s p p') tf = cf2sfile s tf"
-and cfd2sfd: "\<forall> tp tfd. tfd \<in> proc_file_fds s tp \<longrightarrow> cfd2sfd (enrich_proc s p p') tp tfd = cfd2sfd s tp tfd"
-and ffd_remain: "\<forall>tp fd f. file_of_proc_fd s tp fd = Some f \<longrightarrow>
-file_of_proc_fd (enrich_proc s p p') tp fd = Some f"
-and dup_sp: "cp2sproc (enrich_proc s p p') p' = cp2sproc s p"
-and dup_sfd: "\<forall> fd. fd \<in> proc_file_fds s p \<longrightarrow> cfd2sfd (enrich_proc s p p') p' fd = cfd2sfd s p fd"
-using pre a2 by auto
-show "valid (Execve p' f (fds \<inter> proc_file_fds s p) # Execve p f fds # enrich_proc s p p')"
-proof-
-from a0 a3 have a0': "p' \<noteq> p" by (auto dest!:vt_grant_os not_all_procs_prop3)
-from a3 have grant: "grant s (Execve p f fds)" and os: "os_grant s (Execve p f fds)"
-by (auto dest:vt_grant_os vt_grant simp del:os_grant.simps)
-have f_in: "is_file (enrich_proc s p p') f"
-proof-
-from pre a2
-have a4: "\<forall> obj. alive s obj \<longrightarrow> alive (enrich_proc s p p') obj"
-by (auto)
-show ?thesis using a3 a4
-apply (erule_tac x = "O_file f" in allE)
-by (auto dest:vt_grant_os)
-qed
-moreover have a5: "proc_file_fds s p \<subseteq> proc_file_fds (Execve p f fds # enrich_proc s p p') p'"
-using a3 a0'
-apply (frule_tac vt_grant_os)
-apply (auto simp:proc_file_fds_def)
-apply (rule_tac x = fa in exI)
-apply (erule enrich_proc_dup_ffd)
-apply (simp_all add:vd all_procs a2)
-done
-ultimately have "os_grant (Execve p f fds # enrich_proc s p p') (Execve p' f (fds \<inter> proc_file_fds s p))"
-apply (auto simp:is_file_simps enrich_proc_dup_in a2 vd all_procs a1 enrich_proc_dup_ffds)
-done
-moreover have "grant (Execve p f fds # enrich_proc s p p') (Execve p' f (fds \<inter> proc_file_fds s p))"
-proof-
-from grant obtain up rp tp uf rf tf
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
-by (simp split:option.splits, blast)
-with grant obtain pu nr nt where p3: "npctxt_execve (up, rp, tp) (uf, rf, tf) = Some (pu, nr, nt)"
-by (simp split:option.splits del:npctxt_execve.simps, blast)
-have p1': "sectxt_of_obj (Execve p f fds # enrich_proc s p p') (O_proc p') = Some (up, rp, tp)"
-using p1 dup_sp a1 a0'
-apply (simp add:sectxt_of_obj_simps)
-by (simp add:cp2sproc_def split:option.splits)
-from os have f_in': "is_file s f"  by simp
-from vd os have "\<exists> sf. cf2sfile s f = Some sf"
-by (auto dest!:is_file_in_current current_file_has_sfile)
-hence p2': "sectxt_of_obj (Execve p f fds # enrich_proc s p p') (O_file f) = Some (uf, rf, tf)"
-using f_in p2 cf2sf os a1
-apply (erule_tac x = f in allE)
-apply (auto dest:is_file_in_current simp:cf2sfile_def sectxt_of_obj_simps split:option.splits)
-apply (case_tac f, simp)
-apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
-done
-from dup_sfd a5 have "\<forall>fd. fd \<in> proc_file_fds s p \<longrightarrow>
-cfd2sfd (Execve p f fds # enrich_proc s p p') p' fd = cfd2sfd s p fd"
-apply (rule_tac allI)
-apply (erule_tac x = fd in allE, clarsimp)
-apply (drule set_mp, simp)
-apply (auto simp:cfd2sfd_execve proc_file_fds_def a1)
-done
-hence "inherit_fds_check (Execve p f fds # enrich_proc s p p') (up, nr, nt) p' (fds \<inter> proc_file_fds s p)"
-using grant os p1 p2 p3 vd
-apply (clarsimp)
-apply (rule_tac s = s and p = p and fds = fds in enrich_inherit_fds_check_dup)
-apply simp_all
-done
-moreover have "search_check (Execve p f fds # enrich_proc s p p') (up, rp, tp) f"
-using p1 p2 p2' vd cf2sf f_in f_in' grant p3 f_in a1
-apply (rule_tac s = s in enrich_search_check)
-apply (simp_all add:is_file_simps)
-apply (rule allI, rule impI, erule_tac x = fa in allE, simp)
-apply (drule_tac ff = fa in cf2sfile_other')
-by (auto simp:a2 curf_pre)
-ultimately show ?thesis
-using p1' p2' p3
-apply (simp split:option.splits)
-using grant p1 p2
-apply simp
-done
-qed
-ultimately show ?thesis using a1
-by (erule_tac valid.intros(2), auto)
-qed
-qed
-moreover have "\<And>tp fds. \<lbrakk>valid (Clone tp p fds # s); p' \<noteq> p; p' \<notin> all_procs s\<rbrakk> \<Longrightarrow>
-valid (Clone tp p' (fds \<inter> proc_file_fds s tp) # Clone tp p fds # s)"
-apply (frule vt_grant_os, frule vt_grant, drule not_all_procs_prop3)
-apply (rule valid.intros(2))
-apply (simp_all split:option.splits add:sectxt_of_obj_simps)
-apply (auto simp add:proc_file_fds_def)[1]
-apply (auto simp:inherit_fds_check_def sectxt_of_obj_simps sectxts_of_fds_def inherit_fds_check_ctxt_def)
-done
-moreover have "\<And>f flags fd opt. \<lbrakk>valid (Open p f flags fd opt # enrich_proc s p p');
-is_created_proc s p; valid (Open p f flags fd opt # s); p' \<notin> all_procs s\<rbrakk>
-\<Longrightarrow> valid (Open p' f (remove_create_flag flags) fd None # Open p f flags fd opt # enrich_proc s p p')"
-proof-
-fix f flags fd inum
-assume a1: "valid (Open p f flags fd inum # enrich_proc s p p')" and a2: "is_created_proc s p"
-and a3: "valid (Open p f flags fd inum # s)" and a4: "p' \<notin> all_procs s"
-show "valid (Open p' f (remove_create_flag flags) fd inum # Open p f flags fd inum # enrich_proc s p p')"
-proof (cases "
-apply (rule_tac valid.intros(2))
-apply (simp_all add:a1)
-sorry
-moreover have "\<And>fd. \<lbrakk>valid (CloseFd p fd # enrich_proc s p p'); is_created_proc s p;
-valid (CloseFd p fd # s); p' \<notin> all_procs s; fd \<in> proc_file_fds s p\<rbrakk>
-\<Longrightarrow> valid (CloseFd p' fd # CloseFd p fd # enrich_proc s p p')"
-proof-
-fix fd
-assume a1: "valid (CloseFd p fd # enrich_proc s p p')" and a2: "is_created_proc s p"
-and a3: "p' \<notin> all_procs s" and a4: "valid (CloseFd p fd # s)"
-and a5: "fd \<in> proc_file_fds s p"
-from a4 a3 have a0: "p' \<noteq> p" by (auto dest!:vt_grant_os not_all_procs_prop3)
-have "p' \<in> current_procs (enrich_proc s p p')"
-using a2 a3 vd
-by (auto intro:enrich_proc_dup_in)
-moreover have "fd \<in> current_proc_fds (enrich_proc s p p') p'"
-using a5 a2 a3 vd pre'
-apply (simp)
-apply (drule_tac s = "enrich_proc s p p'" and p = p' in file_fds_subset_pfds)
-apply (erule set_mp)
-apply (simp add:enrich_proc_dup_ffds)
-done
-ultimately show "valid (CloseFd p' fd # CloseFd p fd # enrich_proc s p p')"
-apply (rule_tac valid.intros(2))
-apply (simp_all add:a1 a0 a2 pre')
-done
-qed
-ultimately show ?thesis using created_cons vd_cons all_procs_cons
-apply (case_tac e)
-apply (auto simp:is_created_proc_simps split:if_splits)
-done
-qed
-moreover have "\<forall>obj. alive (e # s) obj \<longrightarrow> alive (enrich_proc (e # s) p p') obj"
-sorry
-moreover have "\<forall>obj. enrich_not_alive (e # s) obj \<longrightarrow> enrich_not_alive (enrich_proc (e # s) p p') obj"
-sorry
-moreover have "files_hung_by_del (enrich_proc (e # s) p p') = files_hung_by_del (e # s)"
-sorry
-moreover have "\<forall>p. p \<in> current_procs (e # s) \<longrightarrow> cp2sproc (enrich_proc (e # s) p p') p = cp2sproc (e # s) p"
-sorry
-moreover have "\<forall>f. f \<in> current_files (e # s) \<longrightarrow> cf2sfile (enrich_proc (e # s) p p') f = cf2sfile (e # s) f"
-sorry
-moreover have "\<forall>q. q \<in> current_msgqs (e # s) \<longrightarrow> cq2smsgq (enrich_proc (e # s) p p') q = cq2smsgq (e # s) q"
-sorry
-moreover have "\<forall>p fd f. file_of_proc_fd (e # s) p fd = Some f \<longrightarrow>
-file_of_proc_fd (enrich_proc (e # s) p p') p fd = Some f"
-sorry
-moreover have "\<forall>p fd flags. flags_of_proc_fd (e # s) p fd = Some flags \<longrightarrow>
-flags_of_proc_fd (enrich_proc (e # s) p p') p fd = Some flags"
-sorry
-moreover have "\<forall>q. msgs_of_queue (enrich_proc (e # s) p p') q = msgs_of_queue (e # s) q"
-sorry
-moreover have "\<forall>p fd. fd \<in> proc_file_fds (e # s) p \<longrightarrow>
-cfd2sfd (enrich_proc (e # s) p p') p fd = cfd2sfd (e # s) p fd"
-sorry
-ultimately show ?case
-by auto
-qed
-lemma enrich_proc_valid:
-"\<lbrakk>valid s; is_created_proc s p; p' \<notin> all_procs s\<rbrakk> \<Longrightarrow> valid (enrich_proc s p p')"
-by (auto dest:enrich_proc_prop)
-lemma enrich_proc_valid:
-"\<lbrakk>valid s; is_created_proc s p; p' \<notin> all_procs s\<rbrakk> \<Longrightarrow> "

changeset 82	0a68c605ae79
parent 81	1ac0c3031ed2
child 83	e79e3a8a4ceb