selinux: comparison no_shm_selinux/Enrich.thy

equal deleted inserted replaced

-:0a68c605ae79
+:e79e3a8a4ceb
 theory Enrich
 imports Main Flask Static Init_prop Valid_prop Tainted_prop Delete_prop Co2sobj_prop S2ss_prop S2ss_prop2
 Temp
 begin
+(* objects that need dynamic indexing, all nature-numbers *)
 datatype t_enrich_obj =
 E_proc "t_process"
 | E_file "t_file"
 | E_fd   "t_process" "t_fd"
 | E_inum "nat"
 | E_msgq "t_msgq"
 | E_msg  "t_msgq"    "t_msg"
 context tainting_s begin
+fun no_del_event:: "t_event list \<Rightarrow> bool"
+where
+"no_del_event [] = True"
+| "no_del_event (Kill p p' # \<tau>)  = False"
+| "no_del_event (Exit p # s) = False"
+| "no_del_event (CloseFd p fd # \<tau>) = False"
+| "no_del_event (UnLink p f # \<tau>) = False"
+| "no_del_event (Rmdir p f # \<tau>)  = False"
+(*
+| "no_del_event (Rename p f f' # \<tau>)  = False"
+*)
+| "no_del_event (RemoveMsgq p q # \<tau>) = False"
+(*
+| "no_del_event (RecvMsg p q m # \<tau>)  = False"
+*)
+| "no_del_event (_ # \<tau>) = no_del_event \<tau>"
+fun all_inums :: "t_state \<Rightarrow> t_inode_num set"
+where
+"all_inums [] = current_inode_nums []"
+| "all_inums (Open p f flags fd opt # s) = (
+case opt of
+None \<Rightarrow> all_inums s
+| Some i \<Rightarrow> all_inums s \<union> {i} )"
+| "all_inums (Mkdir p f i # s) = (all_inums s \<union> {i})"
+| "all_inums (CreateSock p af st fd i # s) = (all_inums s \<union> {i})"
+| "all_inums (Accept p fd addr lport fd' i # s) = (all_inums s \<union> {i})"
+| "all_inums (_ # s) = all_inums s"
+fun all_fds :: "t_state \<Rightarrow> t_process \<Rightarrow> t_fd set"
+where
+"all_fds [] = init_fds_of_proc"
+| "all_fds (Open p f flags fd ipt # s) = (all_fds s) (p := all_fds s p \<union> {fd})"
+| "all_fds (CreateSock p sf st fd i # s) = (all_fds s) (p := all_fds s p \<union> {fd})"
+| "all_fds (Accept p fd' raddr port fd i # s) = (all_fds s) (p := all_fds s p \<union> {fd})"
+| "all_fds (Clone p p' fds # s) = (all_fds s) (p' := fds)"
+| "all_fds (_ # s) = all_fds s"
+fun all_msgqs:: "t_state \<Rightarrow> t_msgq set"
+where
+"all_msgqs [] = init_msgqs"
+| "all_msgqs (CreateMsgq p q # s) = all_msgqs s \<union> {q}"
+| "all_msgqs (e # s) = all_msgqs s"
+fun all_msgs:: "t_state \<Rightarrow> t_msgq \<Rightarrow> t_msg set"
+where
+"all_msgs [] q = set (init_msgs_of_queue q)"
+| "all_msgs (CreateMsgq p q # s) q' = (if q' = q then {} else all_msgs s q')"
+| "all_msgs (SendMsg p q m # s) q' = (if q' = q then all_msgs s q \<union> {m} else all_msgs s q')"
+| "all_msgs (_ # s) q' = all_msgs s q'"
+fun all_files:: "t_state \<Rightarrow> t_file set"
+where
+"all_files [] = init_files "
+| "all_files (Open p f flags fd opt # s) = (if opt = None then all_files s else (all_files s \<union> {f}))"
+| "all_files (Mkdir p f inum # s) = all_files s \<union> {f}"
+| "all_files (LinkHard p f f' # s) = all_files s \<union> {f'}"
+| "all_files (e # s) = all_files s"
+fun notin_all:: "t_state \<Rightarrow> t_enrich_obj \<Rightarrow> bool"
+where
+"notin_all s (E_proc p)  = (p \<notin> all_procs s)"
+| "notin_all s (E_file f)  = (f \<notin> all_files s \<and> (\<exists> pf. parent f = Some pf \<and> is_dir s pf))"
+| "notin_all s (E_fd p fd) = (fd \<notin> all_fds s p)"
+| "notin_all s (E_inum i)  = (i \<notin> all_inums s)"
+| "notin_all s (E_msgq q)  = (q \<notin> all_msgqs s)"
+| "notin_all s (E_msg q m) = (m \<notin> all_msgs s q)"
+lemma not_all_procs_cons:
+"p \<notin> all_procs (e # s) \<Longrightarrow> p \<notin> all_procs s"
+by (case_tac e, auto)
+lemma not_all_procs_prop:
+"\<lbrakk>p' \<notin> all_procs s; p \<in> current_procs s; valid s\<rbrakk> \<Longrightarrow> p' \<noteq> p"
+apply (induct s, rule notI, simp)
+apply (frule vt_grant_os, frule vd_cons, frule not_all_procs_cons, simp, rule notI)
+apply (case_tac a, auto)
+done
+lemma not_all_procs_prop2:
+"p' \<notin> all_procs s \<Longrightarrow> p' \<notin> init_procs"
+apply (induct s, simp)
+by (case_tac a, auto)
+lemma not_all_procs_prop3:
+"p' \<notin> all_procs s \<Longrightarrow> p' \<notin> current_procs s"
+apply (induct s, simp)
+by (case_tac a, auto)
+fun enrich_not_alive :: "t_state \<Rightarrow> t_enrich_obj \<Rightarrow> t_enrich_obj \<Rightarrow> bool"
+where
+"enrich_not_alive s obj (E_file f)  = (f \<notin> current_files s \<and> E_file f \<noteq> obj)"
+| "enrich_not_alive s obj (E_proc p)  = (p \<notin> current_procs s \<and> E_proc p \<noteq> obj)"
+| "enrich_not_alive s obj (E_fd p fd) = ((p \<in> current_procs s \<longrightarrow> fd \<notin> current_proc_fds s p) \<and> E_fd p fd \<noteq> obj)"
+| "enrich_not_alive s obj (E_msgq q)  = (q \<notin> current_msgqs s \<and> E_msgq q \<noteq> obj)"
+| "enrich_not_alive s obj (E_inum i)  = (i \<notin> current_inode_nums s \<and> E_inum i \<noteq> obj)"
+| "enrich_not_alive s obj (E_msg q m) = ((q \<in> current_msgqs s \<longrightarrow> m \<notin> set (msgs_of_queue s q)) \<and> E_msg q m \<noteq> obj)"
+lemma file_has_parent: "\<lbrakk>is_file s f; valid s\<rbrakk> \<Longrightarrow> \<exists> pf. is_dir s pf \<and> parent f = Some pf"
+apply (case_tac f)
+apply (simp, drule root_is_dir', simp+)
+apply (simp add:parentf_is_dir_prop2)
+done
 (* enrich s target_proc duplicated_pro *)
 fun enrich_proc :: "t_state \<Rightarrow> t_process \<Rightarrow> t_process \<Rightarrow> t_state"
 where
 "enrich_proc [] tp dp = []"
 else Open p f flags fd opt # (enrich_proc s tp dp))"
 | "enrich_proc (ReadFile p fd # s) tp dp = (
 if (tp = p)
 then ReadFile dp fd # ReadFile p fd # (enrich_proc s tp dp)
 else ReadFile p fd # (enrich_proc s tp dp))"
+(*
 | "enrich_proc (CloseFd p fd # s) tp dp = (
 if (tp = p \<and> fd \<in> proc_file_fds s p)
 then CloseFd dp fd # CloseFd p fd # (enrich_proc s tp dp)
 else CloseFd p fd # (enrich_proc s tp dp))"
+*)
 (*
 | "enrich_proc (Attach p h flag # s) tp dp = (
 if (tp = p)
 then Attach dp h flag # Attach p h flag # (enrich_proc s tp dp)
 else Attach p h flag # (enrich_proc s tp dp))"
 | "enrich_proc (Detach p h # s) tp dp = (
 if (tp = p)
 then Detach dp h # Detach p h # (enrich_proc s tp dp)
 else Detach p h # (enrich_proc s tp dp))"
 *)
+(*
 | "enrich_proc (Kill p p' # s) tp dp = (
 if (tp = p') then Kill p p' # s
 else Kill p p' # (enrich_proc s tp dp))"
 | "enrich_proc (Exit p # s) tp dp = (
 if (tp = p) then Exit p # s
 else Exit p # (enrich_proc s tp dp))"
+*)
 | "enrich_proc (e # s) tp dp = e # (enrich_proc s tp dp)"
+definition is_created_proc:: "t_state \<Rightarrow> t_process \<Rightarrow> bool"
+where
+"is_created_proc s p \<equiv> p \<in> current_procs s \<and> (p \<in> init_procs \<longrightarrow> died (O_proc p) s)"
+definition is_created_proc':: "t_state \<Rightarrow> t_process \<Rightarrow> bool"
+where
+"is_created_proc' s p \<equiv> p \<in> current_procs s \<and> p \<notin> init_procs"
+lemma no_del_died:
+"\<lbrakk>no_del_event s; died obj s\<rbrakk> \<Longrightarrow> (\<exists> p fd. obj = O_fd p fd \<or> obj = O_tcp_sock (p, fd) \<or> obj = O_udp_sock (p, fd))
+\<or> (\<exists> q m. obj = O_msg q m) "
+apply (induct s)
+apply simp
+apply (case_tac a)
+apply (auto split:option.splits)
+done
+lemma no_del_created_eq:
+"no_del_event s \<Longrightarrow> is_created_proc s p = is_created_proc' s p"
+apply (induct s)
+apply (simp add:is_created_proc_def is_created_proc'_def)
+apply (case_tac a)
+apply (auto simp add:is_created_proc_def is_created_proc'_def dest:no_del_died)
+done
 lemma enrich_search_check:
 assumes grant: "search_check s (up, rp, tp) f"
 and cf2sf: "\<forall> f. f \<in> current_files s \<longrightarrow> cf2sfile s' f = cf2sfile s f"
 and vd: "valid s" and f_in: "is_file s f"  and f_in': "is_file s' f"
 qed
 thus ?thesis using grant
 by (auto simp:inherit_fds_check_def inherit_fds_check_ctxt_def)
 qed
-lemma not_all_procs_cons:
-"p \<notin> all_procs (e # s) \<Longrightarrow> p \<notin> all_procs s"
-by (case_tac e, auto)
-lemma not_all_procs_prop:
-"\<lbrakk>p' \<notin> all_procs s; p \<in> current_procs s; valid s\<rbrakk> \<Longrightarrow> p' \<noteq> p"
-apply (induct s, rule notI, simp)
-apply (frule vt_grant_os, frule vd_cons, frule not_all_procs_cons, simp, rule notI)
-apply (case_tac a, auto)
-done
-fun enrich_not_alive :: "t_state \<Rightarrow> t_enrich_obj \<Rightarrow> bool"
-where
-"enrich_not_alive s (E_file f) = (f \<notin> current_files s)"
-| "enrich_not_alive s (E_proc p) = (p \<notin> current_procs s)"
-| "enrich_not_alive s (E_fd p fd) = (p \<in> current_procs s \<longrightarrow> fd \<notin> current_proc_fds s p)"
-| "enrich_not_alive s (E_msgq q) = (q \<notin> current_msgqs s)"
-| "enrich_not_alive s (E_inum i) = (i \<notin> current_inode_nums s)"
-| "enrich_not_alive s (E_msg q m) = (q \<in> current_msgqs s \<longrightarrow> m \<notin> set (msgs_of_queue s q))"
-lemma file_has_parent: "\<lbrakk>is_file s f; valid s\<rbrakk> \<Longrightarrow> \<exists> pf. is_dir s pf \<and> parent f = Some pf"
-apply (case_tac f)
-apply (simp, drule root_is_dir', simp+)
-apply (simp add:parentf_is_dir_prop2)
-done
 lemma enrich_valid_intro_cons:
-assumes vs': "valid s'"
+assumes vs': "valid s'" and vd': "valid (e # s)"
-and os: "os_grant s e" and grant: "grant s e" and vd: "valid s"
 and alive: "\<forall> obj. alive s obj \<longrightarrow> alive s' obj"
-and alive': "\<forall> obj. enrich_not_alive s obj \<longrightarrow> enrich_not_alive s' obj"
+and alive': "\<forall> obj. enrich_not_alive s obj' obj \<longrightarrow> enrich_not_alive s' obj' obj"
 and hungs: "files_hung_by_del s' = files_hung_by_del s"
 and cp2sp: "\<forall> p. p \<in> current_procs s \<longrightarrow> cp2sproc s' p = cp2sproc s p"
 and cf2sf: "\<forall> f. f \<in> current_files s \<longrightarrow> cf2sfile s' f = cf2sfile s f"
 and cq2sq: "\<forall> q. q \<in> current_msgqs s \<longrightarrow> cq2smsgq s' q = cq2smsgq s q"
 and ffd_remain: "\<forall> p fd f. file_of_proc_fd s p fd = Some f \<longrightarrow> file_of_proc_fd s' p fd = Some f"
 and fflags_remain: "\<forall> p fd flags. flags_of_proc_fd s p fd = Some flags \<longrightarrow> flags_of_proc_fd s' p fd = Some flags"
 and sms_remain: "\<forall> q. msgs_of_queue s' q = msgs_of_queue s q"
 (* and empty_remain: "\<forall> f. dir_is_empty s f \<longrightarrow> dir_is_empty s' f" *)
 and cfd2sfd: "\<forall> p fd. fd \<in> proc_file_fds s p \<longrightarrow> cfd2sfd s' p fd = cfd2sfd s p fd"
+and nodel: "no_del_event (e # s)"
+and notin_all: "notin_all (e # s) obj'"
 shows "valid (e # s')"
-proof (cases e)
+proof-
-case (Execve p f fds)
+from vd' have os: "os_grant s e" and grant: "grant s e" and vd: "valid s"
-have p_in: "p \<in> current_procs s'" using os alive
+by (auto dest:vt_grant_os vt_grant vd_cons)
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Execve)
-have f_in: "is_file s' f" using os alive
-apply (erule_tac x = "O_file f" in allE)
-by (auto simp:Execve)
-have fd_in: "fds \<subseteq> proc_file_fds s' p" using os alive ffd_remain
-by (auto simp:Execve proc_file_fds_def)
-have "os_grant s' e" using p_in f_in fd_in by (simp add:Execve)
-moreover have "grant s' e"
-proof-
-from grant obtain up rp tp uf rf tf
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
-by (simp add:Execve split:option.splits, blast)
-with grant obtain pu nr nt where p3: "npctxt_execve (up, rp, tp) (uf, rf, tf) = Some (pu, nr, nt)"
-by (simp add:Execve split:option.splits del:npctxt_execve.simps, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:Execve co2sobj.simps cp2sproc_def split:option.splits)
-from os have f_in': "is_file s f" by (simp add:Execve)
-from vd os have "\<exists> sf. cf2sfile s f = Some sf"
-by (auto dest!:is_file_in_current current_file_has_sfile simp:Execve)
-hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)" using f_in f_in' p2 cf2sf
-apply (erule_tac x = f in allE)
-apply (auto dest:is_file_in_current simp:cf2sfile_def split:option.splits)
-apply (case_tac f, simp)
-apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
-done
-have "inherit_fds_check s' (pu, nr, nt) p fds"
-proof-
-have "fds \<subseteq> proc_file_fds s' p" using os ffd_remain Execve
-by (auto simp:proc_file_fds_def)
-thus ?thesis using Execve grant vd cfd2sfd p1 p2 p3 os
-apply (rule_tac s = s in enrich_inherit_fds_check)
-by (simp_all split:option.splits)
-qed
-moreover have "search_check s' (pu, rp, tp) f"
-using p1 p2 p2' vd cf2sf f_in' grant Execve p3 f_in
-apply (rule_tac s = s in enrich_search_check)
-by (simp_all split:option.splits)
-ultimately show ?thesis using p1' p2' p3
-apply (simp add:Execve split:option.splits)
-using grant Execve p1 p2
-by (simp add:Execve grant p1 p2)
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (Clone p p' fds)
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Clone)
-have p'_not_in: "p' \<notin> current_procs s'" using os alive'
-apply (erule_tac x = "E_proc p'" in allE)
-by (auto simp:Clone)
-have fd_in: "fds \<subseteq> proc_file_fds s' p" using os alive ffd_remain
-by (auto simp:Clone proc_file_fds_def)
-have "os_grant s' e" using p_in p'_not_in fd_in by (simp add:Clone)
-moreover have "grant s' e"
-proof-
-from grant obtain up rp tp
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-apply (simp add:Clone split:option.splits)
-by (case_tac a, auto)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:Clone co2sobj.simps cp2sproc_def split:option.splits)
-have p2: "inherit_fds_check s' (up, rp, tp) p fds"
-proof-
-have "fds \<subseteq> proc_file_fds s' p" using os ffd_remain Clone
-by (auto simp:proc_file_fds_def)
-thus ?thesis using Clone grant vd cfd2sfd p1 os
-apply (rule_tac s = s in enrich_inherit_fds_check)
-by (simp_all split:option.splits)
-qed
-show ?thesis using p1 p2 p1' grant
-by (simp add:Clone)
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (Kill p p')
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Kill)
-have p'_in: "p' \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p'" in allE)
-by (auto simp:Kill)
-have "os_grant s' e" using p_in p'_in by (simp add:Kill)
-moreover have "grant s' e"
-proof-
-from grant obtain up rp tp up' rp' tp'
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p'1: "sectxt_of_obj s (O_proc p') = Some (up', rp', tp')"
-apply (simp add:Kill split:option.splits)
-by (case_tac a, case_tac aa, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:Kill co2sobj.simps cp2sproc_def split:option.splits)
-from p'1 have p'1': "sectxt_of_obj s' (O_proc p') = Some (up', rp', tp')"
-using os cp2sp
-apply (erule_tac x = p' in allE)
-by (auto simp:Kill co2sobj.simps cp2sproc_def split:option.splits)
-show ?thesis using p1 p'1 p1' p'1' grant
-by (simp add:Kill)
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (Ptrace p p')
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Ptrace)
-have p'_in: "p' \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p'" in allE)
-by (auto simp:Ptrace)
-have "os_grant s' e" using p_in p'_in by (simp add:Ptrace)
-moreover have "grant s' e"
-proof-
-from grant obtain up rp tp up' rp' tp'
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p'1: "sectxt_of_obj s (O_proc p') = Some (up', rp', tp')"
-apply (simp add:Ptrace split:option.splits)
-by (case_tac a, case_tac aa, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:Ptrace co2sobj.simps cp2sproc_def split:option.splits)
-from p'1 have p'1': "sectxt_of_obj s' (O_proc p') = Some (up', rp', tp')"
-using os cp2sp
-apply (erule_tac x = p' in allE)
-by (auto simp:Ptrace co2sobj.simps cp2sproc_def split:option.splits)
-show ?thesis using p1 p'1 p1' p'1' grant
-by (simp add:Ptrace)
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (Exit p)
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Exit)
-have "os_grant s' e" using p_in by (simp add:Exit)
-moreover have "grant s' e"
-by (simp add:Exit)
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (Open p f flags fd opt)
 show ?thesis
-proof (cases opt)
+proof (cases e)
-case None
+case (Execve p f fds)
 have p_in: "p \<in> current_procs s'" using os alive
 apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Open None)
+by (auto simp:Execve)
 have f_in: "is_file s' f" using os alive
 apply (erule_tac x = "O_file f" in allE)
-by (auto simp:Open None)
+by (auto simp:Execve)
-have fd_not_in: "fd \<notin> current_proc_fds s' p"
+have fd_in: "fds \<subseteq> proc_file_fds s' p" using os alive ffd_remain
-using os alive' p_in
+by (auto simp:Execve proc_file_fds_def)
-apply (erule_tac x = "E_fd p fd" in allE)
+have "os_grant s' e" using p_in f_in fd_in by (simp add:Execve)
-by (simp add:Open None)
+moreover have "grant s' e"
-have "os_grant s' e" using p_in f_in fd_not_in os
-by (simp add:Open None)
-moreover have "grant s' e"
 proof-
 from grant obtain up rp tp uf rf tf
 where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
 and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
-apply (simp add:Open None split:option.splits)
+by (simp add:Execve split:option.splits, blast)
-by (case_tac a, case_tac aa, blast)
+with grant obtain pu nr nt where p3: "npctxt_execve (up, rp, tp) (uf, rf, tf) = Some (pu, nr, nt)"
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+by (simp add:Execve split:option.splits del:npctxt_execve.simps, blast)
-using os cp2sp
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-apply (erule_tac x = p in allE)
+using os cp2sp
-by (auto simp:Open None co2sobj.simps cp2sproc_def split:option.splits)
+apply (erule_tac x = p in allE)
-from os have f_in': "is_file s f" by (simp add:Open None)
+by (auto simp:Execve co2sobj.simps cp2sproc_def split:option.splits)
+from os have f_in': "is_file s f" by (simp add:Execve)
 from vd os have "\<exists> sf. cf2sfile s f = Some sf"
-by (auto dest!:is_file_in_current current_file_has_sfile simp:Open None)
+by (auto dest!:is_file_in_current current_file_has_sfile simp:Execve)
 hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)" using f_in f_in' p2 cf2sf
 apply (erule_tac x = f in allE)
 apply (auto dest:is_file_in_current simp:cf2sfile_def split:option.splits)
 apply (case_tac f, simp)
 apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
 done
-have "search_check s' (up, rp, tp) f"
+have "inherit_fds_check s' (pu, nr, nt) p fds"
-using p1 p2 p2' vd cf2sf f_in' grant Open None f_in
+proof-
+have "fds \<subseteq> proc_file_fds s' p" using os ffd_remain Execve
+by (auto simp:proc_file_fds_def)
+thus ?thesis using Execve grant vd cfd2sfd p1 p2 p3 os
+apply (rule_tac s = s in enrich_inherit_fds_check)
+by (simp_all split:option.splits)
+qed
+moreover have "search_check s' (pu, rp, tp) f"
+using p1 p2 p2' vd cf2sf f_in' grant Execve p3 f_in
 apply (rule_tac s = s in enrich_search_check)
 by (simp_all split:option.splits)
-thus ?thesis using p1' p2'
+ultimately show ?thesis using p1' p2' p3
-apply (simp add:Open None split:option.splits)
+apply (simp add:Execve split:option.splits)
-using grant Open None p1 p2
+using grant Execve p1 p2
+by (simp add:Execve grant p1 p2)
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (Clone p p' fds)
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:Clone)
+have p'_not_in: "p' \<notin> current_procs s'" using  alive' notin_all os Clone
+apply (erule_tac x = "E_proc p'" in allE)
+apply (auto dest:not_all_procs_prop3)
+done
+have fd_in: "fds \<subseteq> proc_file_fds s' p" using os alive ffd_remain
+by (auto simp:Clone proc_file_fds_def)
+have "os_grant s' e" using p_in p'_not_in fd_in by (simp add:Clone)
+moreover have "grant s' e"
+proof-
+from grant obtain up rp tp
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+apply (simp add:Clone split:option.splits)
+by (case_tac a, auto)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:Clone co2sobj.simps cp2sproc_def split:option.splits)
+have p2: "inherit_fds_check s' (up, rp, tp) p fds"
+proof-
+have "fds \<subseteq> proc_file_fds s' p" using os ffd_remain Clone
+by (auto simp:proc_file_fds_def)
+thus ?thesis using Clone grant vd cfd2sfd p1 os
+apply (rule_tac s = s in enrich_inherit_fds_check)
+by (simp_all split:option.splits)
+qed
+show ?thesis using p1 p2 p1' grant
+by (simp add:Clone)
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (Kill p p')
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:Kill)
+have p'_in: "p' \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p'" in allE)
+by (auto simp:Kill)
+have "os_grant s' e" using p_in p'_in by (simp add:Kill)
+moreover have "grant s' e"
+proof-
+from grant obtain up rp tp up' rp' tp'
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p'1: "sectxt_of_obj s (O_proc p') = Some (up', rp', tp')"
+apply (simp add:Kill split:option.splits)
+by (case_tac a, case_tac aa, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:Kill co2sobj.simps cp2sproc_def split:option.splits)
+from p'1 have p'1': "sectxt_of_obj s' (O_proc p') = Some (up', rp', tp')"
+using os cp2sp
+apply (erule_tac x = p' in allE)
+by (auto simp:Kill co2sobj.simps cp2sproc_def split:option.splits)
+show ?thesis using p1 p'1 p1' p'1' grant
+by (simp add:Kill)
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (Ptrace p p')
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:Ptrace)
+have p'_in: "p' \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p'" in allE)
+by (auto simp:Ptrace)
+have "os_grant s' e" using p_in p'_in by (simp add:Ptrace)
+moreover have "grant s' e"
+proof-
+from grant obtain up rp tp up' rp' tp'
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p'1: "sectxt_of_obj s (O_proc p') = Some (up', rp', tp')"
+apply (simp add:Ptrace split:option.splits)
+by (case_tac a, case_tac aa, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:Ptrace co2sobj.simps cp2sproc_def split:option.splits)
+from p'1 have p'1': "sectxt_of_obj s' (O_proc p') = Some (up', rp', tp')"
+using os cp2sp
+apply (erule_tac x = p' in allE)
+by (auto simp:Ptrace co2sobj.simps cp2sproc_def split:option.splits)
+show ?thesis using p1 p'1 p1' p'1' grant
+by (simp add:Ptrace)
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (Exit p)
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:Exit)
+have "os_grant s' e" using p_in by (simp add:Exit)
+moreover have "grant s' e"
+by (simp add:Exit)
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (Open p f flags fd opt)
+show ?thesis
+proof (cases opt)
+case None
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:Open None)
+have f_in: "is_file s' f" using os alive
+apply (erule_tac x = "O_file f" in allE)
+by (auto simp:Open None)
+have fd_not_in: "fd \<notin> current_proc_fds s' p"
+using os alive' p_in notin_all Open None
+apply (erule_tac x = "E_fd p fd" in allE)
+apply (case_tac obj')
+by auto
+have "os_grant s' e" using p_in f_in fd_not_in os
+by (simp add:Open None)
+moreover have "grant s' e"
+proof-
+from grant obtain up rp tp uf rf tf
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
+apply (simp add:Open None split:option.splits)
+by (case_tac a, case_tac aa, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:Open None co2sobj.simps cp2sproc_def split:option.splits)
+from os have f_in': "is_file s f" by (simp add:Open None)
+from vd os have "\<exists> sf. cf2sfile s f = Some sf"
+by (auto dest!:is_file_in_current current_file_has_sfile simp:Open None)
+hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)" using f_in f_in' p2 cf2sf
+apply (erule_tac x = f in allE)
+apply (auto dest:is_file_in_current simp:cf2sfile_def split:option.splits)
+apply (case_tac f, simp)
+apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
+done
+have "search_check s' (up, rp, tp) f"
+using p1 p2 p2' vd cf2sf f_in' grant Open None f_in
+apply (rule_tac s = s in enrich_search_check)
+by (simp_all split:option.splits)
+thus ?thesis using p1' p2'
+apply (simp add:Open None split:option.splits)
+using grant Open None p1 p2
+by simp
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (Some inum)
+from os obtain pf where pf_in_s: "is_dir s pf" and parent: "parent f = Some pf"
+by (auto simp:Open Some)
+have pf_in: "is_dir s' pf" using pf_in_s alive
+apply (erule_tac x = "O_dir pf" in allE)
 by simp
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:Open Some)
+have f_not_in: "f \<notin> current_files s'" using os alive' Open Some notin_all
+apply (erule_tac x = "E_file f" in allE)
+apply (case_tac obj')
+by auto
+have fd_not_in: "fd \<notin> current_proc_fds s' p"
+using os alive' p_in Open Some notin_all
+apply (erule_tac x = "E_fd p fd" in allE)
+apply (case_tac obj', auto)
+done
+have inum_not_in: "inum \<notin> current_inode_nums s'"
+using os alive' Open Some notin_all
+apply (erule_tac x = "E_inum inum" in allE)
+by (case_tac obj', auto)
+have "os_grant s' e" using p_in pf_in parent f_not_in fd_not_in inum_not_in os
+by (simp add:Open Some hungs)
+moreover have "grant s' e"
+proof-
+from grant parent obtain up rp tp uf rf tf
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p2: "sectxt_of_obj s (O_dir pf) = Some (uf, rf, tf)"
+apply (simp add:Open Some split:option.splits)
+by (case_tac a, case_tac aa, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:Open Some co2sobj.simps cp2sproc_def split:option.splits)
+from vd os pf_in_s have "\<exists> sf. cf2sfile s pf = Some sf"
+by (auto dest!:is_dir_in_current current_file_has_sfile simp:Open Some)
+hence p2': "sectxt_of_obj s' (O_dir pf) = Some (uf, rf, tf)" using p2 cf2sf pf_in pf_in_s
+apply (erule_tac x = pf in allE)
+apply (erule exE, frule_tac s = s in is_dir_in_current, simp)
+apply (drule is_dir_not_file, drule is_dir_not_file)
+apply (auto simp:cf2sfile_def split:option.splits)
+apply (case_tac pf, simp_all)
+by (simp add:sroot_def root_sec_remains vd vs')
+have "search_check s' (up, rp, tp) pf"
+using p1 p2 p2' vd cf2sf pf_in grant Open Some pf_in_s parent vs'
+apply (rule_tac s = s in enrich_search_check')
+by (simp_all split:option.splits)
+thus ?thesis using p1' p2' parent
+apply (simp add:Open Some split:option.splits)
+using grant Open Some p1 p2
+by simp
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+qed
+next
+case (ReadFile p fd)
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:ReadFile)
+have fd_in: "fd \<in> current_proc_fds s' p" using os alive
+apply (erule_tac x = "O_fd p fd" in allE)
+by (auto simp:ReadFile)
+obtain f where ffd: "file_of_proc_fd s p fd = Some f"
+using os ReadFile by auto
+hence f_in_s: "is_file s f" using vd
+by (auto intro:file_of_pfd_is_file)
+obtain flags where fflag: "flags_of_proc_fd s p fd = Some flags"
+using os ReadFile by auto
+have ffd_in: "file_of_proc_fd s' p fd = Some f"
+using ffd_remain ffd by auto
+hence f_in: "is_file s' f" using vs'
+by (auto intro:file_of_pfd_is_file)
+have flags_in: "flags_of_proc_fd s' p fd = Some flags"
+using fflags_remain fflag by auto
+have "os_grant s' e" using p_in fd_in ffd_in flags_in fflag os f_in
+by (auto simp add:ReadFile is_file_in_current)
+moreover have "grant s' e"
+proof-
+from grant ffd obtain up rp tp uf rf tf ufd rfd tfd
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
+and p3: "sectxt_of_obj s (O_fd p fd) = Some (ufd, rfd, tfd)"
+apply (simp add:ReadFile split:option.splits)
+by (case_tac a, case_tac aa, case_tac ab, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:ReadFile co2sobj.simps cp2sproc_def split:option.splits)
+from vd f_in_s have "\<exists> sf. cf2sfile s f = Some sf"
+by (auto dest!:is_file_in_current current_file_has_sfile)
+hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)" using f_in f_in_s p2 cf2sf
+apply (erule_tac x = f in allE)
+apply (auto dest:is_file_in_current simp:cf2sfile_def split:option.splits)
+apply (case_tac f, simp)
+apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
+done
+have p3': "sectxt_of_obj s' (O_fd p fd) = Some (ufd, rfd, tfd)"
+using cfd2sfd ffd_in ffd p3 f_in f_in_s vd
+apply (erule_tac x = p in allE)
+apply (erule_tac x = fd in allE)
+apply (simp add:proc_file_fds_def)
+apply (auto simp:cfd2sfd_def fflag flags_in p3 split:option.splits
+dest!:current_file_has_sfile' simp:is_file_in_current)
+done
+show ?thesis using p1' p2' p3' ffd_in ffd
+apply (simp add:ReadFile split:option.splits)
+using grant p1 p2 p3 ReadFile
+by simp
 qed
 ultimately show ?thesis using vs'
 by (erule_tac valid.intros(2), simp+)
 next
-case (Some inum)
+case (WriteFile p fd)
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:WriteFile)
+have fd_in: "fd \<in> current_proc_fds s' p" using os alive
+apply (erule_tac x = "O_fd p fd" in allE)
+by (auto simp:WriteFile)
+obtain f where ffd: "file_of_proc_fd s p fd = Some f"
+using os WriteFile by auto
+hence f_in_s: "is_file s f" using vd
+by (auto intro:file_of_pfd_is_file)
+obtain flags where fflag: "flags_of_proc_fd s p fd = Some flags"
+using os WriteFile by auto
+have ffd_in: "file_of_proc_fd s' p fd = Some f"
+using ffd_remain ffd by auto
+hence f_in: "is_file s' f" using vs'
+by (auto intro:file_of_pfd_is_file)
+have flags_in: "flags_of_proc_fd s' p fd = Some flags"
+using fflags_remain fflag by auto
+have "os_grant s' e" using p_in fd_in ffd_in flags_in fflag os f_in
+by (auto simp add:WriteFile is_file_in_current)
+moreover have "grant s' e"
+proof-
+from grant ffd obtain up rp tp uf rf tf ufd rfd tfd
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
+and p3: "sectxt_of_obj s (O_fd p fd) = Some (ufd, rfd, tfd)"
+apply (simp add:WriteFile split:option.splits)
+by (case_tac a, case_tac aa, case_tac ab, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:WriteFile co2sobj.simps cp2sproc_def split:option.splits)
+from vd f_in_s have "\<exists> sf. cf2sfile s f = Some sf"
+by (auto dest!:is_file_in_current current_file_has_sfile)
+hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)" using f_in f_in_s p2 cf2sf
+apply (erule_tac x = f in allE)
+apply (auto dest:is_file_in_current simp:cf2sfile_def split:option.splits)
+apply (case_tac f, simp)
+apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
+done
+have p3': "sectxt_of_obj s' (O_fd p fd) = Some (ufd, rfd, tfd)"
+using cfd2sfd ffd_in ffd p3 f_in f_in_s vd
+apply (erule_tac x = p in allE)
+apply (erule_tac x = fd in allE)
+apply (simp add:proc_file_fds_def)
+apply (auto simp:cfd2sfd_def fflag flags_in p3 split:option.splits
+dest!:current_file_has_sfile' simp:is_file_in_current)
+done
+show ?thesis using p1' p2' p3' ffd_in ffd
+apply (simp add:WriteFile split:option.splits)
+using grant p1 p2 p3 WriteFile
+by simp
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (CloseFd p fd)
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:CloseFd)
+have fd_in: "fd \<in> current_proc_fds s' p" using os alive
+apply (erule_tac x = "O_fd p fd" in allE)
+by (auto simp:CloseFd)
+have "os_grant s' e" using p_in fd_in
+by (auto simp add:CloseFd)
+moreover have "grant s' e"
+by(simp add:CloseFd)
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (UnLink p f)
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:UnLink)
+have f_in: "is_file s' f" using os alive
+apply (erule_tac x = "O_file f" in allE)
+by (auto simp:UnLink)
+from os vd obtain pf where pf_in_s: "is_dir s pf"
+and parent: "parent f = Some pf"
+by (auto simp:UnLink dest!:file_has_parent)
+from pf_in_s alive have pf_in: "is_dir s' pf"
+apply (erule_tac x = "O_dir pf" in allE)
+by (auto simp:UnLink)
+have "os_grant s' e" using p_in f_in os
+by (simp add:UnLink hungs)
+moreover have "grant s' e"
+proof-
+from grant parent obtain up rp tp uf rf tf upf rpf tpf
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
+and p3: "sectxt_of_obj s (O_dir pf) = Some (upf, rpf, tpf)"
+apply (simp add:UnLink split:option.splits)
+by (case_tac a, case_tac aa, case_tac ab, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:UnLink co2sobj.simps cp2sproc_def split:option.splits)
+from vd os pf_in_s have "\<exists> sf. cf2sfile s f = Some sf"
+by (auto dest!:is_file_in_current current_file_has_sfile simp:UnLink)
+hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)"
+using p2 cf2sf f_in os parent
+apply (erule_tac x = f in allE)
+apply (erule exE, clarsimp simp:UnLink)
+apply (frule_tac s = s in is_file_in_current, simp)
+by (auto simp:cf2sfile_def split:option.splits)
+from vd os pf_in_s have "\<exists> sf. cf2sfile s pf = Some sf"
+by (auto dest!:is_dir_in_current current_file_has_sfile simp:UnLink)
+hence p3': "sectxt_of_obj s' (O_dir pf) = Some (upf, rpf, tpf)" using p3 cf2sf pf_in pf_in_s
+apply (erule_tac x = pf in allE)
+apply (erule exE, frule_tac s = s in is_dir_in_current, simp)
+apply (drule is_dir_not_file, drule is_dir_not_file)
+apply (auto simp:cf2sfile_def split:option.splits)
+apply (case_tac pf, simp_all)
+by (simp add:sroot_def root_sec_remains vd vs')
+have "search_check s' (up, rp, tp) f"
+using p1 p2 p2' vd cf2sf f_in grant UnLink os parent vs'
+apply (rule_tac s = s in enrich_search_check)
+by (simp_all split:option.splits)
+thus ?thesis using p1' p2' p3' parent
+apply (simp add:UnLink split:option.splits)
+using grant UnLink p1 p2 p3
+by simp
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (Rmdir p f)
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:Rmdir)
+have f_in: "is_dir s' f" using os alive
+apply (erule_tac x = "O_dir f" in allE)
+by (auto simp:Rmdir dir_is_empty_def)
+have not_root: "f \<noteq> []" using os
+by (auto simp:Rmdir)
+from os vd obtain pf where pf_in_s: "is_dir s pf"
+and parent: "parent f = Some pf"
+apply (auto simp:Rmdir dir_is_empty_def)
+apply (case_tac f, simp+)
+apply (drule parentf_is_dir_prop1, auto)
+done
+from pf_in_s alive have pf_in: "is_dir s' pf"
+apply (erule_tac x = "O_dir pf" in allE)
+by (auto simp:Rmdir)
+have empty_in: "dir_is_empty s' f" using os Rmdir notin_all
+apply (clarsimp simp add:dir_is_empty_def f_in)
+using alive'
+apply (erule_tac x = "E_file f'" in allE)
+apply simp
+apply (erule disjE)
+apply (erule_tac x = f' in allE, simp)
+apply (case_tac obj', simp_all)
+apply (clarsimp)
+apply (drule_tac f' = f in parent_ancen)
+apply (simp, rule notI, simp add:noJ_Anc)
+apply (case_tac "f = pf")
+using vd' Rmdir
+apply (simp_all add:is_dir_rmdir)
+apply (erule_tac x = pf in allE)
+apply (drule_tac f = pf in is_dir_in_current)
+apply (simp add:noJ_Anc)
+done
+have "os_grant s' e" using p_in f_in os empty_in
+by (simp add:Rmdir hungs)
+moreover have "grant s' e"
+proof-
+from grant parent obtain up rp tp uf rf tf upf rpf tpf
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p2: "sectxt_of_obj s (O_dir f) = Some (uf, rf, tf)"
+and p3: "sectxt_of_obj s (O_dir pf) = Some (upf, rpf, tpf)"
+apply (simp add:Rmdir split:option.splits)
+by (case_tac a, case_tac aa, case_tac ab, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:Rmdir co2sobj.simps cp2sproc_def split:option.splits)
+from vd os pf_in_s have "\<exists> sf. cf2sfile s f = Some sf"
+by (auto dest!:is_dir_in_current current_file_has_sfile simp:dir_is_empty_def Rmdir)
+hence p2': "sectxt_of_obj s' (O_dir f) = Some (uf, rf, tf)"
+using p2 cf2sf f_in os parent
+apply (erule_tac x = f in allE)
+apply (erule exE, clarsimp simp:Rmdir dir_is_empty_def)
+apply (frule_tac s = s in is_dir_in_current, simp)
+apply (drule is_dir_not_file, drule is_dir_not_file)
+by (auto simp:cf2sfile_def split:option.splits)
+from vd os pf_in_s have "\<exists> sf. cf2sfile s pf = Some sf"
+by (auto dest!:is_dir_in_current current_file_has_sfile simp:Rmdir)
+hence p3': "sectxt_of_obj s' (O_dir pf) = Some (upf, rpf, tpf)" using p3 cf2sf pf_in pf_in_s
+apply (erule_tac x = pf in allE)
+apply (erule exE, frule_tac s = s in is_dir_in_current, simp)
+apply (drule is_dir_not_file, drule is_dir_not_file)
+apply (auto simp:cf2sfile_def split:option.splits)
+apply (case_tac pf, simp_all)
+by (simp add:sroot_def root_sec_remains vd vs')
+have "search_check s' (up, rp, tp) f"
+using p1 p2 p2' vd cf2sf f_in grant Rmdir os parent vs'
+apply (rule_tac s = s in enrich_search_check')
+by (simp_all add:dir_is_empty_def split:option.splits)
+thus ?thesis using p1' p2' p3' parent
+apply (simp add:Rmdir split:option.splits)
+using grant Rmdir p1 p2 p3
+by simp
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (Mkdir p f inum)
 from os obtain pf where pf_in_s: "is_dir s pf" and parent: "parent f = Some pf"
-by (auto simp:Open Some)
+by (auto simp:Mkdir)
 have pf_in: "is_dir s' pf" using pf_in_s alive
 apply (erule_tac x = "O_dir pf" in allE)
 by simp
 have p_in: "p \<in> current_procs s'" using os alive
 apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Open Some)
+by (auto simp:Mkdir)
-have f_not_in: "f \<notin> current_files s'" using os alive'
+have f_not_in: "f \<notin> current_files s'" using os alive' Mkdir notin_all
 apply (erule_tac x = "E_file f" in allE)
-by (auto simp:Open Some)
+by (auto)
-have fd_not_in: "fd \<notin> current_proc_fds s' p"
-using os alive' p_in
-apply (erule_tac x = "E_fd p fd" in allE)
-by (simp add:Open Some)
 have inum_not_in: "inum \<notin> current_inode_nums s'"
-using os alive'
+using os alive' Mkdir notin_all
 apply (erule_tac x = "E_inum inum" in allE)
-by (simp add:Open Some)
+by (auto)
-have "os_grant s' e" using p_in pf_in parent f_not_in fd_not_in inum_not_in os
+have "os_grant s' e" using p_in pf_in parent f_not_in os inum_not_in
-by (simp add:Open Some hungs)
+by (simp add:Mkdir hungs)
 moreover have "grant s' e"
 proof-
 from grant parent obtain up rp tp uf rf tf
 where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
 and p2: "sectxt_of_obj s (O_dir pf) = Some (uf, rf, tf)"
-apply (simp add:Open Some split:option.splits)
+apply (simp add:Mkdir split:option.splits)
 by (case_tac a, case_tac aa, blast)
 from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
 using os cp2sp
 apply (erule_tac x = p in allE)
-by (auto simp:Open Some co2sobj.simps cp2sproc_def split:option.splits)
+by (auto simp:Mkdir co2sobj.simps cp2sproc_def split:option.splits)
 from vd os pf_in_s have "\<exists> sf. cf2sfile s pf = Some sf"
-by (auto dest!:is_dir_in_current current_file_has_sfile simp:Open Some)
+by (auto dest!:is_dir_in_current current_file_has_sfile simp:Mkdir)
 hence p2': "sectxt_of_obj s' (O_dir pf) = Some (uf, rf, tf)" using p2 cf2sf pf_in pf_in_s
 apply (erule_tac x = pf in allE)
 apply (erule exE, frule_tac s = s in is_dir_in_current, simp)
 apply (drule is_dir_not_file, drule is_dir_not_file)
 apply (auto simp:cf2sfile_def split:option.splits)
 apply (case_tac pf, simp_all)
 by (simp add:sroot_def root_sec_remains vd vs')
 have "search_check s' (up, rp, tp) pf"
-using p1 p2 p2' vd cf2sf pf_in grant Open Some pf_in_s parent vs'
+using p1 p2 p2' vd cf2sf pf_in grant Mkdir pf_in_s parent vs'
 apply (rule_tac s = s in enrich_search_check')
+apply (simp_all split:option.splits)
+done
+thus ?thesis using p1' p2' parent
+apply (simp add:Mkdir split:option.splits)
+using grant Mkdir p1 p2
+apply simp
+done
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (LinkHard p f f')
+from os obtain pf where pf_in_s: "is_dir s pf" and parent: "parent f' = Some pf"
+by (auto simp:LinkHard)
+have pf_in: "is_dir s' pf" using pf_in_s alive
+apply (erule_tac x = "O_dir pf" in allE)
+by simp
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:LinkHard)
+have f'_not_in: "f' \<notin> current_files s'" using os alive' LinkHard notin_all
+apply (erule_tac x = "E_file f'" in allE)
+by (auto simp:LinkHard)
+have f_in: "is_file s' f" using os alive
+apply (erule_tac x = "O_file f" in allE)
+by (auto simp:LinkHard)
+have "os_grant s' e" using p_in pf_in parent os f_in f'_not_in
+by (simp add:LinkHard hungs)
+moreover have "grant s' e"
+proof-
+from grant parent obtain up rp tp uf rf tf upf rpf tpf
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
+and p3: "sectxt_of_obj s (O_dir pf) = Some (upf, rpf, tpf)"
+apply (simp add:LinkHard split:option.splits)
+by (case_tac a, case_tac aa, case_tac ab, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:LinkHard co2sobj.simps cp2sproc_def split:option.splits)
+from vd os pf_in_s have "\<exists> sf. cf2sfile s f = Some sf"
+by (auto dest!:is_file_in_current current_file_has_sfile simp:LinkHard)
+hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)"
+using p2 cf2sf f_in os parent
+apply (erule_tac x = f in allE)
+apply (erule exE, clarsimp simp:LinkHard)
+apply (frule_tac s = s in is_file_in_current, simp)
+apply (auto simp:cf2sfile_def split:option.splits)
+apply (case_tac f, simp)
+by (drule_tac s = s in root_is_dir', simp add:vd, simp+)
+from vd os pf_in_s have "\<exists> sf. cf2sfile s pf = Some sf"
+by (auto dest!:is_dir_in_current current_file_has_sfile simp:LinkHard)
+hence p3': "sectxt_of_obj s' (O_dir pf) = Some (upf, rpf, tpf)" using p3 cf2sf pf_in pf_in_s
+apply (erule_tac x = pf in allE)
+apply (erule exE, frule_tac s = s in is_dir_in_current, simp)
+apply (drule is_dir_not_file, drule is_dir_not_file)
+apply (auto simp:cf2sfile_def split:option.splits)
+apply (case_tac pf, simp_all)
+by (simp add:sroot_def root_sec_remains vd vs')
+have "search_check s' (up, rp, tp) f"
+using p1 p2 p2' vd cf2sf f_in grant LinkHard os parent vs'
+apply (rule_tac s = s in enrich_search_check)
 by (simp_all split:option.splits)
-thus ?thesis using p1' p2' parent
+moreover have "search_check s' (up, rp, tp) pf"
-apply (simp add:Open Some split:option.splits)
+using p1 p3 p3' vd cf2sf pf_in grant LinkHard os parent vs'
-using grant Open Some p1 p2
+apply (rule_tac s = s in enrich_search_check')
+apply (simp_all split:option.splits)
+done
+ultimately show ?thesis using p1' p2' p3' parent
+apply (simp add:LinkHard split:option.splits)
+using grant LinkHard p1 p2 p3
+apply simp
+done
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (Truncate p f len)
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:Truncate)
+have f_in: "is_file s' f" using os alive
+apply (erule_tac x = "O_file f" in allE)
+by (auto simp:Truncate)
+have "os_grant s' e" using p_in f_in by (simp add:Truncate)
+moreover have "grant s' e"
+proof-
+from grant obtain up rp tp uf rf tf
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
+apply (simp add:Truncate split:option.splits)
+by (case_tac a, case_tac aa, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:Truncate co2sobj.simps cp2sproc_def split:option.splits)
+from os have f_in': "is_file s f" by (simp add:Truncate)
+from vd os have "\<exists> sf. cf2sfile s f = Some sf"
+by (auto dest!:is_file_in_current current_file_has_sfile simp:Truncate)
+hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)" using f_in f_in' p2 cf2sf
+apply (erule_tac x = f in allE)
+apply (auto dest:is_file_in_current simp:cf2sfile_def split:option.splits)
+apply (case_tac f, simp)
+apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
+done
+have "search_check s' (up, rp, tp) f"
+using p1 p2 p2' vd cf2sf f_in' grant Truncate f_in
+apply (rule_tac s = s in enrich_search_check)
+by (simp_all split:option.splits)
+thus ?thesis using p1' p2'
+apply (simp add:Truncate split:option.splits)
+using grant Truncate p1 p2
+by (simp add:Truncate grant p1 p2)
+qed
+ultimately show ?thesis using vs'
+by (erule_tac valid.intros(2), simp+)
+next
+case (CreateMsgq p q)
+have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:CreateMsgq)
+have q_not_in: "q \<notin> current_msgqs s'" using os alive' CreateMsgq notin_all
+apply (erule_tac x = "E_msgq q" in allE)
+by auto
+have "os_grant s' e" using p_in q_not_in by (simp add:CreateMsgq)
+moreover have "grant s' e"
+proof-
+from grant obtain up rp tp
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+apply (simp add:CreateMsgq split:option.splits)
+by (case_tac a, blast)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+using os cp2sp
+apply (erule_tac x = p in allE)
+by (auto simp:CreateMsgq co2sobj.simps cp2sproc_def split:option.splits)
+show ?thesis using p1'
+apply (simp add:CreateMsgq split:option.splits)
+using grant CreateMsgq p1
 by simp
 qed
 ultimately show ?thesis using vs'
 by (erule_tac valid.intros(2), simp+)
-qed
+next
-next
+case (RemoveMsgq p q)
-case (ReadFile p fd)
+have p_in: "p \<in> current_procs s'" using os alive
-have p_in: "p \<in> current_procs s'" using os alive
+apply (erule_tac x = "O_proc p" in allE)
-apply (erule_tac x = "O_proc p" in allE)
+by (auto simp:RemoveMsgq)
-by (auto simp:ReadFile)
+have q_in: "q \<in> current_msgqs s'" using os alive
-have fd_in: "fd \<in> current_proc_fds s' p" using os alive
+apply (erule_tac x = "O_msgq q" in allE)
-apply (erule_tac x = "O_fd p fd" in allE)
-by (auto simp:ReadFile)
-obtain f where ffd: "file_of_proc_fd s p fd = Some f"
-using os ReadFile by auto
-hence f_in_s: "is_file s f" using vd
-by (auto intro:file_of_pfd_is_file)
-obtain flags where fflag: "flags_of_proc_fd s p fd = Some flags"
-using os ReadFile by auto
-have ffd_in: "file_of_proc_fd s' p fd = Some f"
-using ffd_remain ffd by auto
-hence f_in: "is_file s' f" using vs'
-by (auto intro:file_of_pfd_is_file)
-have flags_in: "flags_of_proc_fd s' p fd = Some flags"
-using fflags_remain fflag by auto
-have "os_grant s' e" using p_in fd_in ffd_in flags_in fflag os f_in
-by (auto simp add:ReadFile is_file_in_current)
-moreover have "grant s' e"
-proof-
-from grant ffd obtain up rp tp uf rf tf ufd rfd tfd
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
-and p3: "sectxt_of_obj s (O_fd p fd) = Some (ufd, rfd, tfd)"
-apply (simp add:ReadFile split:option.splits)
-by (case_tac a, case_tac aa, case_tac ab, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:ReadFile co2sobj.simps cp2sproc_def split:option.splits)
-from vd f_in_s have "\<exists> sf. cf2sfile s f = Some sf"
-by (auto dest!:is_file_in_current current_file_has_sfile)
-hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)" using f_in f_in_s p2 cf2sf
-apply (erule_tac x = f in allE)
-apply (auto dest:is_file_in_current simp:cf2sfile_def split:option.splits)
-apply (case_tac f, simp)
-apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
-done
-have p3': "sectxt_of_obj s' (O_fd p fd) = Some (ufd, rfd, tfd)"
-using cfd2sfd ffd_in ffd p3 f_in f_in_s vd
-apply (erule_tac x = p in allE)
-apply (erule_tac x = fd in allE)
-apply (simp add:proc_file_fds_def)
-apply (auto simp:cfd2sfd_def fflag flags_in p3 split:option.splits
-dest!:current_file_has_sfile' simp:is_file_in_current)
-done
-show ?thesis using p1' p2' p3' ffd_in ffd
-apply (simp add:ReadFile split:option.splits)
-using grant p1 p2 p3 ReadFile
-by simp
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (WriteFile p fd)
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:WriteFile)
-have fd_in: "fd \<in> current_proc_fds s' p" using os alive
-apply (erule_tac x = "O_fd p fd" in allE)
-by (auto simp:WriteFile)
-obtain f where ffd: "file_of_proc_fd s p fd = Some f"
-using os WriteFile by auto
-hence f_in_s: "is_file s f" using vd
-by (auto intro:file_of_pfd_is_file)
-obtain flags where fflag: "flags_of_proc_fd s p fd = Some flags"
-using os WriteFile by auto
-have ffd_in: "file_of_proc_fd s' p fd = Some f"
-using ffd_remain ffd by auto
-hence f_in: "is_file s' f" using vs'
-by (auto intro:file_of_pfd_is_file)
-have flags_in: "flags_of_proc_fd s' p fd = Some flags"
-using fflags_remain fflag by auto
-have "os_grant s' e" using p_in fd_in ffd_in flags_in fflag os f_in
-by (auto simp add:WriteFile is_file_in_current)
-moreover have "grant s' e"
-proof-
-from grant ffd obtain up rp tp uf rf tf ufd rfd tfd
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
-and p3: "sectxt_of_obj s (O_fd p fd) = Some (ufd, rfd, tfd)"
-apply (simp add:WriteFile split:option.splits)
-by (case_tac a, case_tac aa, case_tac ab, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:WriteFile co2sobj.simps cp2sproc_def split:option.splits)
-from vd f_in_s have "\<exists> sf. cf2sfile s f = Some sf"
-by (auto dest!:is_file_in_current current_file_has_sfile)
-hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)" using f_in f_in_s p2 cf2sf
-apply (erule_tac x = f in allE)
-apply (auto dest:is_file_in_current simp:cf2sfile_def split:option.splits)
-apply (case_tac f, simp)
-apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
-done
-have p3': "sectxt_of_obj s' (O_fd p fd) = Some (ufd, rfd, tfd)"
-using cfd2sfd ffd_in ffd p3 f_in f_in_s vd
-apply (erule_tac x = p in allE)
-apply (erule_tac x = fd in allE)
-apply (simp add:proc_file_fds_def)
-apply (auto simp:cfd2sfd_def fflag flags_in p3 split:option.splits
-dest!:current_file_has_sfile' simp:is_file_in_current)
-done
-show ?thesis using p1' p2' p3' ffd_in ffd
-apply (simp add:WriteFile split:option.splits)
-using grant p1 p2 p3 WriteFile
-by simp
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (CloseFd p fd)
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:CloseFd)
-have fd_in: "fd \<in> current_proc_fds s' p" using os alive
-apply (erule_tac x = "O_fd p fd" in allE)
-by (auto simp:CloseFd)
-have "os_grant s' e" using p_in fd_in
-by (auto simp add:CloseFd)
-moreover have "grant s' e"
-by(simp add:CloseFd)
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (UnLink p f)
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:UnLink)
-have f_in: "is_file s' f" using os alive
-apply (erule_tac x = "O_file f" in allE)
-by (auto simp:UnLink)
-from os vd obtain pf where pf_in_s: "is_dir s pf"
-and parent: "parent f = Some pf"
-by (auto simp:UnLink dest!:file_has_parent)
-from pf_in_s alive have pf_in: "is_dir s' pf"
-apply (erule_tac x = "O_dir pf" in allE)
-by (auto simp:UnLink)
-have "os_grant s' e" using p_in f_in os
-by (simp add:UnLink hungs)
-moreover have "grant s' e"
-proof-
-from grant parent obtain up rp tp uf rf tf upf rpf tpf
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
-and p3: "sectxt_of_obj s (O_dir pf) = Some (upf, rpf, tpf)"
-apply (simp add:UnLink split:option.splits)
-by (case_tac a, case_tac aa, case_tac ab, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:UnLink co2sobj.simps cp2sproc_def split:option.splits)
-from vd os pf_in_s have "\<exists> sf. cf2sfile s f = Some sf"
-by (auto dest!:is_file_in_current current_file_has_sfile simp:UnLink)
-hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)"
-using p2 cf2sf f_in os parent
-apply (erule_tac x = f in allE)
-apply (erule exE, clarsimp simp:UnLink)
-apply (frule_tac s = s in is_file_in_current, simp)
-by (auto simp:cf2sfile_def split:option.splits)
-from vd os pf_in_s have "\<exists> sf. cf2sfile s pf = Some sf"
-by (auto dest!:is_dir_in_current current_file_has_sfile simp:UnLink)
-hence p3': "sectxt_of_obj s' (O_dir pf) = Some (upf, rpf, tpf)" using p3 cf2sf pf_in pf_in_s
-apply (erule_tac x = pf in allE)
-apply (erule exE, frule_tac s = s in is_dir_in_current, simp)
-apply (drule is_dir_not_file, drule is_dir_not_file)
-apply (auto simp:cf2sfile_def split:option.splits)
-apply (case_tac pf, simp_all)
-by (simp add:sroot_def root_sec_remains vd vs')
-have "search_check s' (up, rp, tp) f"
-using p1 p2 p2' vd cf2sf f_in grant UnLink os parent vs'
-apply (rule_tac s = s in enrich_search_check)
-by (simp_all split:option.splits)
-thus ?thesis using p1' p2' p3' parent
-apply (simp add:UnLink split:option.splits)
-using grant UnLink p1 p2 p3
-by simp
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (Rmdir p f)
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Rmdir)
-have f_in: "is_dir s' f" using os alive
-apply (erule_tac x = "O_dir f" in allE)
-by (auto simp:Rmdir dir_is_empty_def)
-have not_root: "f \<noteq> []" using os
-by (auto simp:Rmdir)
-from os vd obtain pf where pf_in_s: "is_dir s pf"
-and parent: "parent f = Some pf"
-apply (auto simp:Rmdir dir_is_empty_def)
-apply (case_tac f, simp+)
-apply (drule parentf_is_dir_prop1, auto)
-done
-from pf_in_s alive have pf_in: "is_dir s' pf"
-apply (erule_tac x = "O_dir pf" in allE)
-by (auto simp:Rmdir)
-have empty_in: "dir_is_empty s' f" using os
-apply (simp add:dir_is_empty_def f_in)
-apply auto using alive'
-apply (erule_tac x = "E_file f'" in allE)
-by (simp add:Rmdir dir_is_empty_def)
-have "os_grant s' e" using p_in f_in os empty_in
-by (simp add:Rmdir hungs)
-moreover have "grant s' e"
-proof-
-from grant parent obtain up rp tp uf rf tf upf rpf tpf
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_dir f) = Some (uf, rf, tf)"
-and p3: "sectxt_of_obj s (O_dir pf) = Some (upf, rpf, tpf)"
-apply (simp add:Rmdir split:option.splits)
-by (case_tac a, case_tac aa, case_tac ab, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:Rmdir co2sobj.simps cp2sproc_def split:option.splits)
-from vd os pf_in_s have "\<exists> sf. cf2sfile s f = Some sf"
-by (auto dest!:is_dir_in_current current_file_has_sfile simp:dir_is_empty_def Rmdir)
-hence p2': "sectxt_of_obj s' (O_dir f) = Some (uf, rf, tf)"
-using p2 cf2sf f_in os parent
-apply (erule_tac x = f in allE)
-apply (erule exE, clarsimp simp:Rmdir dir_is_empty_def)
-apply (frule_tac s = s in is_dir_in_current, simp)
-apply (drule is_dir_not_file, drule is_dir_not_file)
-by (auto simp:cf2sfile_def split:option.splits)
-from vd os pf_in_s have "\<exists> sf. cf2sfile s pf = Some sf"
-by (auto dest!:is_dir_in_current current_file_has_sfile simp:Rmdir)
-hence p3': "sectxt_of_obj s' (O_dir pf) = Some (upf, rpf, tpf)" using p3 cf2sf pf_in pf_in_s
-apply (erule_tac x = pf in allE)
-apply (erule exE, frule_tac s = s in is_dir_in_current, simp)
-apply (drule is_dir_not_file, drule is_dir_not_file)
-apply (auto simp:cf2sfile_def split:option.splits)
-apply (case_tac pf, simp_all)
-by (simp add:sroot_def root_sec_remains vd vs')
-have "search_check s' (up, rp, tp) f"
-using p1 p2 p2' vd cf2sf f_in grant Rmdir os parent vs'
-apply (rule_tac s = s in enrich_search_check')
-by (simp_all add:dir_is_empty_def split:option.splits)
-thus ?thesis using p1' p2' p3' parent
-apply (simp add:Rmdir split:option.splits)
-using grant Rmdir p1 p2 p3
-by simp
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (Mkdir p f inum)
-from os obtain pf where pf_in_s: "is_dir s pf" and parent: "parent f = Some pf"
-by (auto simp:Mkdir)
-have pf_in: "is_dir s' pf" using pf_in_s alive
-apply (erule_tac x = "O_dir pf" in allE)
-by simp
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Mkdir)
-have f_not_in: "f \<notin> current_files s'" using os alive'
-apply (erule_tac x = "E_file f" in allE)
-by (auto simp:Mkdir)
-have inum_not_in: "inum \<notin> current_inode_nums s'"
-using os alive'
-apply (erule_tac x = "E_inum inum" in allE)
-by (simp add:Mkdir)
-have "os_grant s' e" using p_in pf_in parent f_not_in os inum_not_in
-by (simp add:Mkdir hungs)
-moreover have "grant s' e"
-proof-
-from grant parent obtain up rp tp uf rf tf
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_dir pf) = Some (uf, rf, tf)"
-apply (simp add:Mkdir split:option.splits)
-by (case_tac a, case_tac aa, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:Mkdir co2sobj.simps cp2sproc_def split:option.splits)
-from vd os pf_in_s have "\<exists> sf. cf2sfile s pf = Some sf"
-by (auto dest!:is_dir_in_current current_file_has_sfile simp:Mkdir)
-hence p2': "sectxt_of_obj s' (O_dir pf) = Some (uf, rf, tf)" using p2 cf2sf pf_in pf_in_s
-apply (erule_tac x = pf in allE)
-apply (erule exE, frule_tac s = s in is_dir_in_current, simp)
-apply (drule is_dir_not_file, drule is_dir_not_file)
-apply (auto simp:cf2sfile_def split:option.splits)
-apply (case_tac pf, simp_all)
-by (simp add:sroot_def root_sec_remains vd vs')
-have "search_check s' (up, rp, tp) pf"
-using p1 p2 p2' vd cf2sf pf_in grant Mkdir pf_in_s parent vs'
-apply (rule_tac s = s in enrich_search_check')
-apply (simp_all split:option.splits)
-done
-thus ?thesis using p1' p2' parent
-apply (simp add:Mkdir split:option.splits)
-using grant Mkdir p1 p2
-apply simp
-done
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (LinkHard p f f')
-from os obtain pf where pf_in_s: "is_dir s pf" and parent: "parent f' = Some pf"
-by (auto simp:LinkHard)
-have pf_in: "is_dir s' pf" using pf_in_s alive
-apply (erule_tac x = "O_dir pf" in allE)
-by simp
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:LinkHard)
-have f'_not_in: "f' \<notin> current_files s'" using os alive'
-apply (erule_tac x = "E_file f'" in allE)
-by (auto simp:LinkHard)
-have f_in: "is_file s' f" using os alive
-apply (erule_tac x = "O_file f" in allE)
-by (auto simp:LinkHard)
-have "os_grant s' e" using p_in pf_in parent os f_in f'_not_in
-by (simp add:LinkHard hungs)
-moreover have "grant s' e"
-proof-
-from grant parent obtain up rp tp uf rf tf upf rpf tpf
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
-and p3: "sectxt_of_obj s (O_dir pf) = Some (upf, rpf, tpf)"
-apply (simp add:LinkHard split:option.splits)
-by (case_tac a, case_tac aa, case_tac ab, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:LinkHard co2sobj.simps cp2sproc_def split:option.splits)
-from vd os pf_in_s have "\<exists> sf. cf2sfile s f = Some sf"
-by (auto dest!:is_file_in_current current_file_has_sfile simp:LinkHard)
-hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)"
-using p2 cf2sf f_in os parent
-apply (erule_tac x = f in allE)
-apply (erule exE, clarsimp simp:LinkHard)
-apply (frule_tac s = s in is_file_in_current, simp)
-apply (auto simp:cf2sfile_def split:option.splits)
-apply (case_tac f, simp)
-by (drule_tac s = s in root_is_dir', simp add:vd, simp+)
-from vd os pf_in_s have "\<exists> sf. cf2sfile s pf = Some sf"
-by (auto dest!:is_dir_in_current current_file_has_sfile simp:LinkHard)
-hence p3': "sectxt_of_obj s' (O_dir pf) = Some (upf, rpf, tpf)" using p3 cf2sf pf_in pf_in_s
-apply (erule_tac x = pf in allE)
-apply (erule exE, frule_tac s = s in is_dir_in_current, simp)
-apply (drule is_dir_not_file, drule is_dir_not_file)
-apply (auto simp:cf2sfile_def split:option.splits)
-apply (case_tac pf, simp_all)
-by (simp add:sroot_def root_sec_remains vd vs')
-have "search_check s' (up, rp, tp) f"
-using p1 p2 p2' vd cf2sf f_in grant LinkHard os parent vs'
-apply (rule_tac s = s in enrich_search_check)
-by (simp_all split:option.splits)
-moreover have "search_check s' (up, rp, tp) pf"
-using p1 p3 p3' vd cf2sf pf_in grant LinkHard os parent vs'
-apply (rule_tac s = s in enrich_search_check')
-apply (simp_all split:option.splits)
-done
-ultimately show ?thesis using p1' p2' p3' parent
-apply (simp add:LinkHard split:option.splits)
-using grant LinkHard p1 p2 p3
-apply simp
-done
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (Truncate p f len)
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:Truncate)
-have f_in: "is_file s' f" using os alive
-apply (erule_tac x = "O_file f" in allE)
-by (auto simp:Truncate)
-have "os_grant s' e" using p_in f_in by (simp add:Truncate)
-moreover have "grant s' e"
-proof-
-from grant obtain up rp tp uf rf tf
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_file f) = Some (uf, rf, tf)"
-apply (simp add:Truncate split:option.splits)
-by (case_tac a, case_tac aa, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:Truncate co2sobj.simps cp2sproc_def split:option.splits)
-from os have f_in': "is_file s f" by (simp add:Truncate)
-from vd os have "\<exists> sf. cf2sfile s f = Some sf"
-by (auto dest!:is_file_in_current current_file_has_sfile simp:Truncate)
-hence p2': "sectxt_of_obj s' (O_file f) = Some (uf, rf, tf)" using f_in f_in' p2 cf2sf
-apply (erule_tac x = f in allE)
-apply (auto dest:is_file_in_current simp:cf2sfile_def split:option.splits)
-apply (case_tac f, simp)
-apply (drule_tac s = s in root_is_dir', simp add:vd, simp+)
-done
-have "search_check s' (up, rp, tp) f"
-using p1 p2 p2' vd cf2sf f_in' grant Truncate f_in
-apply (rule_tac s = s in enrich_search_check)
-by (simp_all split:option.splits)
-thus ?thesis using p1' p2'
-apply (simp add:Truncate split:option.splits)
-using grant Truncate p1 p2
-by (simp add:Truncate grant p1 p2)
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (CreateMsgq p q)
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:CreateMsgq)
-have q_not_in: "q \<notin> current_msgqs s'" using os alive'
-apply (erule_tac x = "E_msgq q" in allE)
-by (simp add:CreateMsgq)
-have "os_grant s' e" using p_in q_not_in by (simp add:CreateMsgq)
-moreover have "grant s' e"
-proof-
-from grant obtain up rp tp
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-apply (simp add:CreateMsgq split:option.splits)
-by (case_tac a, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:CreateMsgq co2sobj.simps cp2sproc_def split:option.splits)
-show ?thesis using p1'
-apply (simp add:CreateMsgq split:option.splits)
-using grant CreateMsgq p1
-by simp
-qed
-ultimately show ?thesis using vs'
-by (erule_tac valid.intros(2), simp+)
-next
-case (RemoveMsgq p q)
-have p_in: "p \<in> current_procs s'" using os alive
-apply (erule_tac x = "O_proc p" in allE)
-by (auto simp:RemoveMsgq)
-have q_in: "q \<in> current_msgqs s'" using os alive
-apply (erule_tac x = "O_msgq q" in allE)
-by (simp add:RemoveMsgq)
-have "os_grant s' e" using p_in q_in by (simp add:RemoveMsgq)
-moreover have "grant s' e"
-proof-
-from grant obtain up rp tp uq rq tq
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-and p2: "sectxt_of_obj s (O_msgq q) = Some (uq, rq, tq)"
-apply (simp add:RemoveMsgq split:option.splits)
-by (case_tac a, case_tac aa, blast)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-using os cp2sp
-apply (erule_tac x = p in allE)
-by (auto simp:RemoveMsgq co2sobj.simps cp2sproc_def split:option.splits)
-from p2 have p2': "sectxt_of_obj s' (O_msgq q) = Some (uq, rq, tq)"
-using os cq2sq vd
-apply (erule_tac x = q in allE)
-by (auto simp:RemoveMsgq co2sobj.simps cq2smsgq_def dest!:current_has_sms' split:option.splits)
-show ?thesis using p1' p2' grant p1 p2
 by (simp add:RemoveMsgq)
-qed
+have "os_grant s' e" using p_in q_in by (simp add:RemoveMsgq)
-ultimately show ?thesis using vs'
+moreover have "grant s' e"
-by (erule_tac valid.intros(2), simp+)
+proof-
-next
+from grant obtain up rp tp uq rq tq
-case (SendMsg p q m)
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-have p_in: "p \<in> current_procs s'" using os alive
+and p2: "sectxt_of_obj s (O_msgq q) = Some (uq, rq, tq)"
-apply (erule_tac x = "O_proc p" in allE)
+apply (simp add:RemoveMsgq split:option.splits)
-by (auto simp:SendMsg)
+by (case_tac a, case_tac aa, blast)
-have q_in: "q \<in> current_msgqs s'" using os alive
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-apply (erule_tac x = "O_msgq q" in allE)
+using os cp2sp
-by (simp add:SendMsg)
+apply (erule_tac x = p in allE)
-have m_not_in: "m \<notin> set (msgs_of_queue s' q)" using os alive'
+by (auto simp:RemoveMsgq co2sobj.simps cp2sproc_def split:option.splits)
-apply (erule_tac x = "E_msg q m" in allE)
+from p2 have p2': "sectxt_of_obj s' (O_msgq q) = Some (uq, rq, tq)"
-by (simp add:SendMsg q_in)
+using os cq2sq vd
-have "os_grant s' e" using p_in q_in m_not_in
+apply (erule_tac x = q in allE)
-by (simp add:SendMsg)
+by (auto simp:RemoveMsgq co2sobj.simps cq2smsgq_def dest!:current_has_sms' split:option.splits)
-moreover have "grant s' e"
+show ?thesis using p1' p2' grant p1 p2
-proof-
+by (simp add:RemoveMsgq)
-from grant obtain up rp tp uq rq tq
+qed
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+ultimately show ?thesis using vs'
-and p2: "sectxt_of_obj s (O_msgq q) = Some (uq, rq, tq)"
+by (erule_tac valid.intros(2), simp+)
-apply (simp add:SendMsg split:option.splits)
+next
-by (case_tac a, case_tac aa, blast)
+case (SendMsg p q m)
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+have p_in: "p \<in> current_procs s'" using os alive
-using os cp2sp
+apply (erule_tac x = "O_proc p" in allE)
-apply (erule_tac x = p in allE)
+by (auto simp:SendMsg)
-by (auto simp:SendMsg co2sobj.simps cp2sproc_def split:option.splits)
+have q_in: "q \<in> current_msgqs s'" using os alive
-from p2 have p2': "sectxt_of_obj s' (O_msgq q) = Some (uq, rq, tq)"
+apply (erule_tac x = "O_msgq q" in allE)
-using os cq2sq vd
-apply (erule_tac x = q in allE)
-by (auto simp:SendMsg co2sobj.simps cq2smsgq_def dest!:current_has_sms' split:option.splits)
-show ?thesis using p1' p2' grant p1 p2
 by (simp add:SendMsg)
-qed
+have m_not_in: "m \<notin> set (msgs_of_queue s' q)" using os alive' notin_all SendMsg q_in
-ultimately show ?thesis using vs'
+apply (erule_tac x = "E_msg q m" in allE)
-by (erule_tac valid.intros(2), simp+)
+apply (case_tac obj')
-next
+by auto
-case (RecvMsg p q m)
+have "os_grant s' e" using p_in q_in m_not_in
-have p_in: "p \<in> current_procs s'" using os alive
+by (simp add:SendMsg)
-apply (erule_tac x = "O_proc p" in allE)
+moreover have "grant s' e"
-by (auto simp:RecvMsg)
+proof-
-have q_in: "q \<in> current_msgqs s'" using os alive
+from grant obtain up rp tp uq rq tq
-apply (erule_tac x = "O_msgq q" in allE)
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-by (simp add:RecvMsg)
+and p2: "sectxt_of_obj s (O_msgq q) = Some (uq, rq, tq)"
-have m_in: "m = hd (msgs_of_queue s' q)"
+apply (simp add:SendMsg split:option.splits)
-and sms_not_empty: "msgs_of_queue s' q \<noteq> []"
+by (case_tac a, case_tac aa, blast)
-using os sms_remain
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-by (auto simp:RecvMsg)
+using os cp2sp
-have "os_grant s' e" using p_in q_in m_in sms_not_empty os
+apply (erule_tac x = p in allE)
-by (simp add:RecvMsg)
+by (auto simp:SendMsg co2sobj.simps cp2sproc_def split:option.splits)
-moreover have "grant s' e"
+from p2 have p2': "sectxt_of_obj s' (O_msgq q) = Some (uq, rq, tq)"
-proof-
+using os cq2sq vd
-from grant obtain up rp tp uq rq tq um rm tm
+apply (erule_tac x = q in allE)
-where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
+by (auto simp:SendMsg co2sobj.simps cq2smsgq_def dest!:current_has_sms' split:option.splits)
-and p2: "sectxt_of_obj s (O_msgq q) = Some (uq, rq, tq)"
+show ?thesis using p1' p2' grant p1 p2
-and p3: "sectxt_of_obj s (O_msg q m) = Some (um, rm, tm)"
+by (simp add:SendMsg)
-apply (simp add:RecvMsg split:option.splits)
+qed
-by (case_tac a, case_tac aa, case_tac ab, blast)
+ultimately show ?thesis using vs'
-from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
+by (erule_tac valid.intros(2), simp+)
-using os cp2sp
+next
-apply (erule_tac x = p in allE)
+case (RecvMsg p q m)
-by (auto simp:RecvMsg co2sobj.simps cp2sproc_def split:option.splits)
+have p_in: "p \<in> current_procs s'" using os alive
-from p2 have p2': "sectxt_of_obj s' (O_msgq q) = Some (uq, rq, tq)"
+apply (erule_tac x = "O_proc p" in allE)
-using os cq2sq vd
+by (auto simp:RecvMsg)
-apply (erule_tac x = q in allE)
+have q_in: "q \<in> current_msgqs s'" using os alive
-by (auto simp:RecvMsg co2sobj.simps cq2smsgq_def dest!:current_has_sms' split:option.splits)
+apply (erule_tac x = "O_msgq q" in allE)
-from p3 have p3': "sectxt_of_obj s' (O_msg q m) = Some (um, rm, tm)"
+by (simp add:RecvMsg)
-using sms_remain cq2sq vd os p2 p2' p3
+have m_in: "m = hd (msgs_of_queue s' q)"
-apply (erule_tac x = q in allE)
+and sms_not_empty: "msgs_of_queue s' q \<noteq> []"
-apply (erule_tac x = q in allE)
+using os sms_remain
-apply (clarsimp simp:RecvMsg)
+by (auto simp:RecvMsg)
-apply (simp add:cq2smsgq_def split:option.splits if_splits)
+have "os_grant s' e" using p_in q_in m_in sms_not_empty os
-apply (drule current_has_sms', simp, simp)
-apply (case_tac "msgs_of_queue s q", simp)
-apply (simp add:cqm2sms.simps split:option.splits)
-apply (auto simp add:cm2smsg_def split:option.splits if_splits)[1]
-apply (case_tac "msgs_of_queue s q", simp)
-apply (simp add:cqm2sms.simps split:option.splits)
-apply (auto simp add:cm2smsg_def split:option.splits if_splits)[1]
-done
-show ?thesis using p1' p2' p3' grant p1 p2 p3
 by (simp add:RecvMsg)
-qed
+moreover have "grant s' e"
-ultimately show ?thesis using vs'
+proof-
-by (erule_tac valid.intros(2), simp+)
+from grant obtain up rp tp uq rq tq um rm tm
-next
+where p1: "sectxt_of_obj s (O_proc p) = Some (up, rp, tp)"
-case (CreateSock p af st fd inum)
+and p2: "sectxt_of_obj s (O_msgq q) = Some (uq, rq, tq)"
-show ?thesis using grant
+and p3: "sectxt_of_obj s (O_msg q m) = Some (um, rm, tm)"
-by (simp add:CreateSock)
+apply (simp add:RecvMsg split:option.splits)
-next
+by (case_tac a, case_tac aa, case_tac ab, blast)
-case (Bind p fd addr)
+from p1 have p1': "sectxt_of_obj s' (O_proc p) = Some (up, rp, tp)"
-show ?thesis using grant
+using os cp2sp
-by (simp add:Bind)
+apply (erule_tac x = p in allE)
-next
+by (auto simp:RecvMsg co2sobj.simps cp2sproc_def split:option.splits)
-case (Connect p fd addr)
+from p2 have p2': "sectxt_of_obj s' (O_msgq q) = Some (uq, rq, tq)"
-show ?thesis using grant
+using os cq2sq vd
-by (simp add:Connect)
+apply (erule_tac x = q in allE)
-next
+by (auto simp:RecvMsg co2sobj.simps cq2smsgq_def dest!:current_has_sms' split:option.splits)
-case (Listen p fd)
+from p3 have p3': "sectxt_of_obj s' (O_msg q m) = Some (um, rm, tm)"
-show ?thesis using grant
+using sms_remain cq2sq vd os p2 p2' p3
-by (simp add:Listen)
+apply (erule_tac x = q in allE)
-next
+apply (erule_tac x = q in allE)
-case (Accept p fd addr port fd' inum)
+apply (clarsimp simp:RecvMsg)
-show ?thesis using grant
+apply (simp add:cq2smsgq_def split:option.splits if_splits)
-by (simp add:Accept)
+apply (drule current_has_sms', simp, simp)
-next
+apply (case_tac "msgs_of_queue s q", simp)
-case (SendSock p fd)
+apply (simp add:cqm2sms.simps split:option.splits)
-show ?thesis using grant
+apply (auto simp add:cm2smsg_def split:option.splits if_splits)[1]
-by (simp add:SendSock)
+apply (case_tac "msgs_of_queue s q", simp)
-next
+apply (simp add:cqm2sms.simps split:option.splits)
-case (RecvSock p fd)
+apply (auto simp add:cm2smsg_def split:option.splits if_splits)[1]
-show ?thesis using grant
+done
-by (simp add:RecvSock)
+show ?thesis using p1' p2' p3' grant p1 p2 p3
-next
+by (simp add:RecvMsg)
-case (Shutdown p fd how)
+qed
-show ?thesis using grant
+ultimately show ?thesis using vs'
-by (simp add:Shutdown)
+by (erule_tac valid.intros(2), simp+)
-qed
+next
+case (CreateSock p af st fd inum)
-lemma not_all_procs_prop2:
+show ?thesis using grant
-"p' \<notin> all_procs s \<Longrightarrow> p' \<notin> init_procs"
+by (simp add:CreateSock)
-apply (induct s, simp)
+next
-by (case_tac a, auto)
+case (Bind p fd addr)
+show ?thesis using grant
-lemma not_all_procs_prop3:
+by (simp add:Bind)
-"p' \<notin> all_procs s \<Longrightarrow> p' \<notin> current_procs s"
+next
-apply (induct s, simp)
+case (Connect p fd addr)
-by (case_tac a, auto)
+show ?thesis using grant
+by (simp add:Connect)
-definition is_created_proc:: "t_state \<Rightarrow> t_process \<Rightarrow> bool"
+next
-where
+case (Listen p fd)
-"is_created_proc s p \<equiv> p \<in> current_procs s \<and> (p \<in> init_procs \<longrightarrow> died (O_proc p) s)"
+show ?thesis using grant
+by (simp add:Listen)
+next
+case (Accept p fd addr port fd' inum)
+show ?thesis using grant
+by (simp add:Accept)
+next
+case (SendSock p fd)
+show ?thesis using grant
+by (simp add:SendSock)
+next
+case (RecvSock p fd)
+show ?thesis using grant
+by (simp add:RecvSock)
+next
+case (Shutdown p fd how)
+show ?thesis using grant
+by (simp add:Shutdown)
+qed
+qed
 lemma created_proc_clone:
 "valid (Clone p p' fds # s) \<Longrightarrow>
 is_created_proc (Clone p p' fds # s) tp = (if (tp = p') then True else is_created_proc s tp)"
 apply (drule vt_grant_os)
 apply (case_tac a, auto simp:is_created_proc_def proc_file_fds_def
 dest:not_all_procs_prop3 split:if_splits option.splits)
 done
 lemma enrich_proc_dup_ffd':
-"\<lbrakk>file_of_proc_fd (enrich_proc s p p') p' fd = Some f; is_created_proc s p; p' \<notin> all_procs s; valid s\<rbrakk>
+"\<lbrakk>file_of_proc_fd (enrich_proc s p p') p' fd = Some f; is_created_proc s p; p' \<notin> all_procs s;
+no_del_event s; valid s\<rbrakk>
 \<Longrightarrow> file_of_proc_fd s p fd = Some f"
 apply (induct s, simp add:is_created_proc_def)
 apply (frule vt_grant_os, frule vd_cons)
 apply (case_tac a, auto simp:is_created_proc_def proc_file_fds_def
 dest:not_all_procs_prop3 split:if_splits option.splits)
 done
+lemma enrich_proc_dup_ffd_eq:
+"\<lbrakk>is_created_proc s p; p' \<notin> all_procs s; no_del_event s; valid s\<rbrakk>
+\<Longrightarrow> file_of_proc_fd (enrich_proc s p p') p' fd = file_of_proc_fd s p fd"
+apply (case_tac "file_of_proc_fd s p fd")
+apply (case_tac[!] "file_of_proc_fd (enrich_proc s p p') p' fd")
+apply (auto dest:enrich_proc_dup_ffd enrich_proc_dup_ffd')
+done
 lemma current_fflag_in_fds:
 "\<lbrakk>flags_of_proc_fd s p fd = Some flag; valid s\<rbrakk> \<Longrightarrow> fd \<in> current_proc_fds s p"
 apply (induct s arbitrary:p)
 apply (simp add:flags_of_proc_fd.simps file_of_proc_fd.simps init_oflags_prop2)
 apply (case_tac a, auto simp:is_created_proc_def proc_file_fds_def is_creat_flag_def
 dest:not_all_procs_prop3 split:if_splits option.splits)
 done
 lemma enrich_proc_dup_ffds:
-"\<lbrakk>is_created_proc s p; p' \<notin> all_procs s; valid s\<rbrakk>
+"\<lbrakk>is_created_proc s p; p' \<notin> all_procs s; no_del_event s; valid s\<rbrakk>
 \<Longrightarrow> proc_file_fds (enrich_proc s p p') p' = proc_file_fds s p"
 apply (auto simp:proc_file_fds_def)
 apply (rule_tac x = f in exI)
 apply (erule enrich_proc_dup_ffd', simp+)
 apply (rule_tac x = f in exI)
 apply (erule enrich_proc_dup_ffd, simp+)
 done
 lemma enrich_proc_dup_ffds_eq_fds:
-"\<lbrakk>is_created_proc s p; p' \<notin> all_procs s; valid s\<rbrakk>
+"\<lbrakk>is_created_proc s p; p' \<notin> all_procs s; no_del_event s; valid s\<rbrakk>
 \<Longrightarrow> current_proc_fds (enrich_proc s p p') p' = proc_file_fds s p"
 apply (induct s arbitrary:p)
 apply (simp add: is_created_proc_def)
 apply (frule not_all_procs_prop3)
 apply (frule vd_cons, frule vt_grant_os, case_tac a)

changeset 83	e79e3a8a4ceb
parent 82	0a68c605ae79
child 84	cebdef333899