selinux: comparison Flask.thy

equal deleted inserted replaced

-:5f86fb3ddd44
+:811e3028d169
 | "get_parentfs_ctxts s (f#pf) =
 (case (get_parentfs_ctxts s pf, sectxt_of_obj s (O_dir (f#pf))) of
 (Some ctxts, Some ctxt) \<Rightarrow> Some (ctxt#ctxts)
 | _ \<Rightarrow> None)"
+definition search_check_ctxt::
+"security_context_t \<Rightarrow> security_context_t \<Rightarrow> security_context_t set \<Rightarrow> bool \<Rightarrow> bool"
+where
+"search_check_ctxt pctxt fctxt asecs if_file \<equiv> (
+if if_file
+then search_check_file pctxt fctxt \<and> search_check_allp pctxt asecs
+else search_check_dir  pctxt fctxt \<and> search_check_allp pctxt asecs )"
 fun search_check :: "t_state \<Rightarrow> security_context_t \<Rightarrow> t_file \<Rightarrow> bool"
 where
 "search_check s pctxt [] =
 (case (sectxt_of_obj s (O_dir [])) of
-Some fctxt \<Rightarrow> search_check_dir pctxt fctxt
+Some fctxt \<Rightarrow> search_check_ctxt pctxt fctxt {} False
 | _          \<Rightarrow> False)"
 | "search_check s pctxt (f#pf) =
 (if (is_file s (f#pf))
 then (case (sectxt_of_obj s (O_file (f#pf)), get_parentfs_ctxts s pf) of
-(Some fctxt, Some pfctxts) \<Rightarrow> (search_check_file pctxt fctxt \<and> search_check_allp pctxt (set pfctxts))
+(Some fctxt, Some pfctxts) \<Rightarrow> search_check_ctxt pctxt fctxt (set pfctxts) True
 | _ \<Rightarrow> False)
 else (case (sectxt_of_obj s (O_dir (f#pf)), get_parentfs_ctxts s pf) of
-(Some fctxt, Some pfctxts) \<Rightarrow> (search_check_dir pctxt fctxt \<and> search_check_allp pctxt (set pfctxts))
+(Some fctxt, Some pfctxts) \<Rightarrow> search_check_ctxt pctxt fctxt (set pfctxts) False
 | _ \<Rightarrow> False))"
 (* this means we should prove every current fd has a security context! *)
 definition sectxts_of_fds :: "t_state \<Rightarrow> t_process \<Rightarrow> t_fd set \<Rightarrow> security_context_t set"
 where
 "sectxts_of_fds s p fds \<equiv> {ctxt. \<exists> fd \<in> fds. sectxt_of_obj s (O_fd p fd) = Some ctxt}"
+definition inherit_fds_check_ctxt:: "security_context_t \<Rightarrow> security_context_t set \<Rightarrow> bool"
+where
+"inherit_fds_check_ctxt p fds \<equiv> (\<forall> ctxt \<in> fds. permission_check p ctxt C_fd P_inherit)"
 definition inherit_fds_check :: "t_state \<Rightarrow> security_context_t \<Rightarrow> t_process \<Rightarrow> t_fd set \<Rightarrow> bool"
 where
-"inherit_fds_check s npsectxt p fds \<equiv>
+"inherit_fds_check s npsectxt p fds \<equiv> inherit_fds_check_ctxt npsectxt (sectxts_of_fds s p fds)"
-(\<forall> ctxt \<in> sectxts_of_fds s p fds. permission_check npsectxt ctxt C_fd P_inherit)"
 fun npctxt_execve :: "security_context_t \<Rightarrow> security_context_t \<Rightarrow> security_context_t option"
 where
 "npctxt_execve (pu,pr,pt) (fu,fr,ft) =
 (case (role_transition pr ft) of
 definition sectxts_of_shms :: "t_state \<Rightarrow> t_shm set \<Rightarrow> security_context_t set"
 where
 "sectxts_of_shms s shms \<equiv> {ctxt. \<exists> h \<in> shms. sectxt_of_obj s (O_shm h) = Some ctxt}"
+definition inherit_shms_check_ctxt:: "security_context_t \<Rightarrow> security_context_t set \<Rightarrow> bool"
+where
+"inherit_shms_check_ctxt p shms \<equiv> (\<forall> ctxt \<in> shms. permission_check p ctxt C_shm P_inherit)"
 definition inherit_shms_check :: "t_state \<Rightarrow> security_context_t \<Rightarrow> t_shm set \<Rightarrow> bool"
 where
-"inherit_shms_check s npsectxt shms \<equiv>
+"inherit_shms_check s npsectxt shms \<equiv> inherit_shms_check_ctxt npsectxt (sectxts_of_shms s shms)"
-(\<forall> ctxt \<in> sectxts_of_shms s shms. permission_check npsectxt ctxt C_shm P_inherit)"
 fun perm_of_mflag :: "t_open_must_flag \<Rightarrow> permission_t set"
 where
 "perm_of_mflag OF_RDONLY = {P_read}"
 | "perm_of_mflag OF_WRONLY = {P_write}"

changeset 67	811e3028d169
parent 65	6f9a588bcfc4
child 68	742bed613245