diff -r 924ab7a4e7fa -r 271e9818b6f6 simple_selinux/Temp.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/simple_selinux/Temp.thy Mon Dec 02 10:52:40 2013 +0800 @@ -0,0 +1,233 @@ +theory Temp +imports Static_type OS_type_def Flask_type Flask Static +begin + +context tainting_s + +begin + +definition update_ss :: "t_static_state \ t_sobject \ t_sobject \ t_static_state" +where + "update_ss ss so so' \ if (is_many so) then ss \ {so'} else (ss - {so}) \ {so'}" + +definition add_ss :: "t_static_state \ t_sobject \ t_static_state" +where + "add_ss ss so \ ss \ {so}" + +definition del_ss :: "t_static_state \ t_sobject \ t_static_state" +where + "del_ss ss so \ if (is_many so) then ss else ss - {so}" + + +definition update_ss_shms :: "t_static_state \ t_sproc \ bool \ t_static_state" +where + "update_ss_shms ss spfrom tag \ {sobj. \ sobj' \ ss. + (case sobj' of + S_proc sp tagp \ if (info_flow_sshm spfrom sp) + then if (is_many_sproc sp) + then (sobj = S_proc sp tagp \ sobj = S_proc sp (tagp \ tag)) + else (sobj = S_proc sp (tagp \ tag)) + else (sobj = S_proc sp tag) + | _ \ sobj = sobj')}" + + + +(* all reachable static states(sobjects set) *) +inductive_set static :: "t_static_state set" +where + s_init: "init_static_state \ static" +| s_execve: "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; S_file sfs tagf \ ss; + (fi,fsec,pfsec,asecs) \ sfs; npctxt_execve pctxt fsec = Some pctxt'; + grant_execve pctxt fsec pctxt'; search_check_s pctxt (fi,fsec,pfsec,asecs) True; + inherit_fds_check_s pctxt' fds'; fds' \ fds\ + \ (update_ss ss (S_proc (pi, pctxt, fds, shms) tagp) + (S_proc (pi, pctxt', fds', {}) (tagp \ tagf))) \ static" +| s_clone: "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; + permission_check pctxt pctxt C_process P_fork; + inherit_fds_check_s pctxt fds'; fds' \ fds; + inherit_shms_check_s pctxt shms'; shms' \ shms\ + \ (add_ss ss (S_proc (Created, pctxt, fds', shms') tagp)) \ static" +| s_kill: "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; + S_proc (pi', pctxt', fds', shms') tagp' \ ss; + permission_check pctxt pctxt' C_process P_sigkill\ + \ (del_ss ss (S_proc (pi', pctxt', fds', shms') tagp')) \ static" +| s_ptrace: "\ss \ static; S_proc sp tagp \ ss; S_proc sp' tagp' \ ss; + permission_check (sextxt_of_sproc sp) (sectxt_of_sproc sp') C_process P_ptrace\ + \ (update_ss_shms (update_ss_shms ss sp tagp) sp' tagp') \ static" +| s_exit: "\ss \ static; S_proc sp tagp \ ss\ \ (del_ss ss (S_proc sp tagp)) \ static" +| s_open: "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; S_file sfs tagf \ ss; sf \ sfs; + search_check_s pctxt sf True; \ is_creat_excl_flag flags; + oflags_check flags pctxt (sectxt_of_sfile sf); permission_check pctxt pctxt C_fd P_setattr\ + \ (update_ss ss (S_proc (pi, pctxt, fds, shms) tagp) + (S_proc (pi, pctxt, fds \ {(pctxt,flags,sf)}, shms) tagp)) \ static" +| s_open': "\ss \ static; S_proc (pi, pctxt, fds, shms) tagp \ ss; is_creat_excl_flag flags; + S_dir (pfi,fsec,pfsec,asecs) \ ss; search_check_s pctxt (pfi,fsec,pfsec,asecs) False; + nfsec = nfctxt_create pctxt fsec C_file; oflags_check flags pctxt nfsec; + permission_check pctxt fsec C_dir P_add_rename; permission_check pctxt pctxt C_fd P_setattr\ + \ (update_ss (add_ss ss (S_file {(Created, nfsec, Some fsec, asecs \ {fsec})} tagp)) + (S_proc (pi, pctxt, fds, shms) tagp) + (S_proc (pi, pctxt, fds \ {(pctxt, flags, (Created, nfsec, Some fsec, asecs \ {fsec}))}, shms) tagp) + ) \ static" +| S_readf: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; (fdctxt,flags,sf) \ fds; + permission_check pctxt fdctxt C_fd P_setattr; S_file sfs tagf \ ss; sf \ sfs; + permission_check pctxt (sectxt_of_sfile sf) C_file P_read; is_read_flag flags\ + \ (update_ss_shms ss (pi, pctxt,fds,shms) (tagp \ tagf)) \ static" +| S_writef: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; (fdctxt,flags,sf) \ fds; + permission_check pctxt fdctxt C_fd P_setattr; sf \ sfs; S_file sfs tagf \ ss; + permission_check pctxt (sectxt_of_sfile sf) C_file P_write; is_write_flag flags\ + \ (update_ss ss (S_file sfs tagf) (S_file sfs (tagp \ tagf))) \ static" +| S_unlink: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_file sfs tagf \ ss; + (Init f,fsec,Some pfsec,asecs) \ sfs; + search_check_s pctxt (Init f,fsec,Some pfsec,asecs) True; + permission_check pctxt fsec C_file P_unlink; + permission_check pctxt pfsec C_dir P_remove_name\ + \ ((ss - {S_file sfs tagf}) \ {S_file (sfs - {(Init f,fsec,Some pfsec,asecs)}) tagf}) \ static" +| S_rmdir: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; + S_dir (fi,fsec,Some pfsec,asecs) \ ss; + search_check_s pctxt (fi,fsec,Some pfsec,asecs) False; + permission_check pctxt fsec C_dir P_rmdir; + permission_check pctxt pfsec C_dir P_remove_name\ + \ (del_ss ss (S_dir (fi,fsec,Some pfsec,asecs))) \ static" +| S_mkdir: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_dir (fi,fsec,pfsec,asecs) \ ss; + search_check_s pctxt (fi,fsec,pfsec,asecs) False; + permission_check pctxt (nfctxt_create pctxt fsec C_dir) C_dir P_create; + permission_check pctxt fsec C_dir P_add_name\ + \ (add_ss ss (S_dir (Created,nfctxt_create pctxt fsec C_dir,Some fsec,asecs \ {fsec}))) \ static" +| s_link: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_dir (pfi,pfsec,ppfsec,asecs) \ ss; + S_file sfs tagf \ ss; sf \ sfs; nfsec = nfctxt_create pctxt pfsec C_file; + search_check_s pctxt (pfi,pfsec,ppfsec,asecs) False; search_check_s pctxt sf True; + permission_check pctxt (sectxt_of_sfile sf) C_file P_link; + permission_check pctxt pfsec C_dir P_add_name\ + \ (update_ss ss (S_file sfs tagf) + (S_file (sfs \ {(Created,nfsec,Some pfsec, asecs \ {pfsec})}) tagf)) \ static" +| s_trunc: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_file sfs tagf \ ss; sf \ sfs; + search_check_s pctxt sf True; permission_check pctxt (sectxt_of_sfile sf) C_file P_setattr\ + \ (update_ss ss (S_file sfs tagf) (S_file sfs (tagf \ tagp))) \ static" +(* +| s_rename: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_file sfs tagf \ ss; + (sf#spf') \ sfs; S_dir spf tagpf \ ss; \((sf#spf') \ (sf#spf)); + search_check_s pctxt spf False; search_check_s pctxt (sf#spf') True; + sectxt_of_sfile (sf#spf') = Some fctxt; sectxt_of_sfile spf = Some pfctxt; + permission_check pctxt fctxt C_file P_rename; + permission_check pctxt pfctxt C_dir P_add_name; + ss_rename ss (sf#spf') (sf#spf) ss'; + ss_rename_no_same_fname ss (sf#spf') (sf#spf)\ + \ ss' \ static" +| s_rename': "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_dir (sf#spf') tagf \ ss; + S_dir spf tagpf \ ss; \((sf#spf') \ (sf#spf)); + search_check_s pctxt spf False; search_check_s pctxt (sf#spf') True; + sectxt_of_sfile (sf#spf') = Some fctxt; sectxt_of_sfile spf = Some pfctxt; + permission_check pctxt fctxt C_dir P_reparent; + permission_check pctxt pfctxt C_dir P_add_name; + ss_rename ss (sf#spf') (sf#spf) ss'; + ss_rename_no_same_fname ss (sf#spf') (sf#spf)\ + \ ss' \ static" +*) +| s_createq: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; + permission_check pctxt pctxt C_msgq P_associate; + permission_check pctxt pctxt C_msgq P_create\ + \ (add_ss ss (S_msgq (Created,pctxt,[]))) \ static" +| s_sendmsg: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_msgq (qi,qctxt,sms) \ ss; + permission_check pctxt qctxt C_msgq P_enqueue; + permission_check pctxt qctxt C_msgq P_write; + permission_check pctxt pctxt C_msg P_create\ + \ (update_ss ss (S_msgq (qi,qctxt,sms)) + (S_msgq (qi,qctxt,sms @ [(Created, pctxt, tagp)]))) \ static" +| s_recvmsg: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; + S_msgq (qi,qctxt,(mi,mctxt,tagm)#sms) \ ss; + permission_check pctxt qctxt C_msgq P_read; + permission_check pctxt mctxt C_msg P_receive\ + \ (update_ss (update_ss_shms ss (pi,pctxt,fds,shms) (tagp \ tagm)) + (S_msgq (qi, qctxt, (mi, mctxt, tagm)#sms)) + (S_msgq (qi, qctxt, sms))) \ static" +| s_removeq: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_msgq (qi,qctxt,sms) \ ss; + permission_check pctxt qctxt C_msgq P_destroy\ + \ (del_ss ss (S_msgq (qi,qctxt,sms))) \ static" +| s_createh: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; + permission_check pctxt pctxt C_shm P_associate; + permission_check pctxt pctxt C_shm P_create\ + \ (add_ss ss (S_shm (Created, pctxt))) \ static" +| s_attach: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_shm (hi,hctxt) \ ss; + if flag = SHM_RDONLY then permission_check pctxt hctxt C_shm P_read + else (permission_check pctxt hctxt C_shm P_read \ + permission_check pctxt hctxt C_shm P_write)\ + \ (update_ss ss (S_proc (pi,pctxt,fds,shms) tagp) + (S_proc (pi,pctxt,fds,shms \ {((hi,hctxt),flag)}) tagp)) \ static" +| s_detach: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_shm sh \ ss; + (sh,flag) \ shms; \ is_many_sshm sh\ + \ (update_ss ss (S_proc (pi,pctxt,fds,shms) tagp) + (S_proc (pi,pctxt,fds,shms - {(sh,flag)}) tagp)) \ static" +| s_deleteh: "\ss \ static; S_proc (pi,pctxt,fds,shms) tagp \ ss; S_shm (hi,hctxt) \ ss; + permission_check pctxt hctxt C_shm P_destroy; \ is_many_sshm sh\ + \ (remove_sproc_sshm (del_ss ss (S_shm (hi,hctxt))) (hi,hctxt)) \ static" + + +fun tainted_s :: "t_static_state \ t_sobject \ bool" +where + "tainted_s ss (S_proc sp tag) = (S_proc sp tag \ ss \ tag = True)" +| "tainted_s ss (S_file sfs tag) = (S_file sfs tag \ ss \ tag = True)" +(* +| "tainted_s ss (S_msg (qi, sec, sms) (mi, secm, tag)) = + (S_msgq (qi, sec, sms) \ ss \ (mi,secm,tag) \ set sms \ tag = True)" +*) +| "tainted_s ss _ = False" + +(* +fun tainted_s :: "t_object \ t_static_state \ bool" +where + "tainted_s (O_proc p) ss = (\ sp. S_proc sp True \ ss \ sproc_related p sp)" +| "tainted_s (O_file f) ss = (\ sfs sf. S_file sfs True \ ss \ sf \ sfs \ sfile_related f sf)" +| "tainted_s (O_msg q m) ss = (\ sq. S_msgq sq \ ss \ smsgq_smsg_relatainted q m sq)" +| "tainted_s _ ss = False" +*) + +definition taintable_s :: "t_object \ bool" +where + "taintable_s obj \ \ ss \ static. \ sobj. tainted_s ss sobj \ init_obj_related sobj obj \ init_alive obj" + +(* this definition is wrong, cause process can exited from static-world +definition deletable_s :: "t_object \ bool" +where + "deletable_s obj \ init_alive obj \ (\ ss \ static. \ sobj \ ss. \ init_obj_related sobj obj)" +*) + +fun deleted_s :: "t_sproc \ t_object \ bool" +where + "deleted_s (pi, pctxt, fds, shms) (O_proc p) = (pi \ Init p \ permission_check pctxt " + +definition deletable_s :: "t_object \ bool" + "deletable_s obj \ init_alive obj \ (\ ss \ static. \ sp tagp. S_proc sp tagp \ ss \ deleted_s sp obj)" + +definition undeletable_s :: "t_object \ bool" +where + "undeletable_s obj \ init_alive obj \ (\ ss \ static. \ sobj \ ss. init_obj_related sobj obj)" + +definition init_ss_eq:: "t_static_state \ t_static_state \ bool" (infix "\" 100) +where + "ss \ ss' \ ss \ ss' \ {sobj. is_init_sobj sobj \ sobj \ ss'} \ ss" + +lemma [simp]: "ss \ ss" +by (auto simp:init_ss_eq_def) + +definition init_ss_in:: "t_static_state \ t_static_state set \ bool" (infix "\" 101) +where + "ss \ sss \ \ ss' \ sss. ss \ ss'" + +lemma s2ss_included_sobj: + "\alive s obj; co2sobj s obj= Some sobj\ \ sobj \ (s2ss s)" +by (simp add:s2ss_def, rule_tac x = obj in exI, simp) + +lemma init_ss_in_prop: + "\s2ss s \ static; co2sobj s obj = Some sobj; alive s obj; init_obj_related sobj obj\ + \ \ ss \ static. sobj \ ss" +apply (simp add:init_ss_in_def init_ss_eq_def) +apply (erule bexE, erule conjE) +apply (rule_tac x = ss' in bexI, auto dest!:s2ss_included_sobj) +done + + + + +end + +end \ No newline at end of file