# HG changeset patch # User chunhan # Date 1388473033 -28800 # Node ID 8d18cfc845ddf946b7f8d3ebb190db8b346d413d # Parent 690636b7b6f1f82212a90ba1a17f4a53a0c9048b remove init message queue diff -r 690636b7b6f1 -r 8d18cfc845dd no_shm_selinux/Co2sobj_prop.thy --- a/no_shm_selinux/Co2sobj_prop.thy Mon Dec 30 23:41:58 2013 +0800 +++ b/no_shm_selinux/Co2sobj_prop.thy Tue Dec 31 14:57:13 2013 +0800 @@ -80,9 +80,11 @@ lemmas cm2smsg_simps = cm2smsg_nil_prop cm2smsg_sendmsg cm2smsg_recvmsg1' cm2smsg_recvmsg2' cm2smsg_removemsgq cm2smsg_other +(* lemma init_cm2smsg_has_smsg: "\m \ set (init_msgs_of_queue q); q \ init_msgqs\ \ \ sm. init_cm2smsg q m = Some sm" by (auto simp:init_cm2smsg_def split:option.splits dest:init_msg_has_ctxt) +*) lemma hd_set_prop1: "hd l \ set l \ l = []" @@ -262,7 +264,7 @@ apply (frule vd_cons, frule vt_grant_os) apply (frule cqm2sms_createmsgq) apply (rule ext, auto simp:cq2smsgq_def sec_createmsgq - split:option.splits if_splits dest:not_died_init_msgq) + split:option.splits if_splits) done lemma cq2smsg_sendmsg: diff -r 690636b7b6f1 -r 8d18cfc845dd no_shm_selinux/Enrich.thy --- a/no_shm_selinux/Enrich.thy Mon Dec 30 23:41:58 2013 +0800 +++ b/no_shm_selinux/Enrich.thy Tue Dec 31 14:57:13 2013 +0800 @@ -141,77 +141,6 @@ apply (simp add:parentf_is_dir_prop2) done -(* enrich s target_proc duplicated_pro *) -fun enrich_proc :: "t_state \ t_process \ t_process \ t_state" -where - "enrich_proc [] tp dp = []" -| "enrich_proc (Execve p f fds # s) tp dp = ( - if (tp = p) - then Execve dp f (fds \ proc_file_fds s p) # Execve p f fds # (enrich_proc s tp dp) - else Execve p f fds # (enrich_proc s tp dp))" -| "enrich_proc (Clone p p' fds # s) tp dp = ( - if (tp = p') - then Clone p dp (fds \ proc_file_fds s p) # Clone p p' fds # s - else Clone p p' fds # (enrich_proc s tp dp))" -| "enrich_proc (Open p f flags fd opt # s) tp dp = ( - if (tp = p) - then Open dp f (remove_create_flag flags) fd None # Open p f flags fd opt # (enrich_proc s tp dp) - else Open p f flags fd opt # (enrich_proc s tp dp))" -| "enrich_proc (ReadFile p fd # s) tp dp = ( - if (tp = p) - then ReadFile dp fd # ReadFile p fd # (enrich_proc s tp dp) - else ReadFile p fd # (enrich_proc s tp dp))" -(* -| "enrich_proc (CloseFd p fd # s) tp dp = ( - if (tp = p \ fd \ proc_file_fds s p) - then CloseFd dp fd # CloseFd p fd # (enrich_proc s tp dp) - else CloseFd p fd # (enrich_proc s tp dp))" -*) -(* -| "enrich_proc (Attach p h flag # s) tp dp = ( - if (tp = p) - then Attach dp h flag # Attach p h flag # (enrich_proc s tp dp) - else Attach p h flag # (enrich_proc s tp dp))" -| "enrich_proc (Detach p h # s) tp dp = ( - if (tp = p) - then Detach dp h # Detach p h # (enrich_proc s tp dp) - else Detach p h # (enrich_proc s tp dp))" -*) -(* -| "enrich_proc (Kill p p' # s) tp dp = ( - if (tp = p') then Kill p p' # s - else Kill p p' # (enrich_proc s tp dp))" -| "enrich_proc (Exit p # s) tp dp = ( - if (tp = p) then Exit p # s - else Exit p # (enrich_proc s tp dp))" -*) -| "enrich_proc (e # s) tp dp = e # (enrich_proc s tp dp)" - -definition is_created_proc:: "t_state \ t_process \ bool" -where - "is_created_proc s p \ p \ current_procs s \ (p \ init_procs \ died (O_proc p) s)" - -definition is_created_proc':: "t_state \ t_process \ bool" -where - "is_created_proc' s p \ p \ current_procs s \ p \ init_procs" - -lemma no_del_died: - "\no_del_event s; died obj s\ \ (\ p fd. obj = O_fd p fd \ obj = O_tcp_sock (p, fd) \ obj = O_udp_sock (p, fd)) - \ (\ q m. obj = O_msg q m) " -apply (induct s) -apply simp -apply (case_tac a) -apply (auto split:option.splits) -done - -lemma no_del_created_eq: - "no_del_event s \ is_created_proc s p = is_created_proc' s p" -apply (induct s) -apply (simp add:is_created_proc_def is_created_proc'_def) -apply (case_tac a) -apply (auto simp add:is_created_proc_def is_created_proc'_def dest:no_del_died) -done - lemma enrich_search_check: assumes grant: "search_check s (up, rp, tp) f" and cf2sf: "\ f. f \ current_files s \ cf2sfile s' f = cf2sfile s f" @@ -1248,74 +1177,44 @@ qed qed -lemma created_proc_clone: - "valid (Clone p p' fds # s) \ - is_created_proc (Clone p p' fds # s) tp = (if (tp = p') then True else is_created_proc s tp)" -apply (drule vt_grant_os) -apply (auto simp:is_created_proc_def dest:not_all_procs_prop2) -using not_died_init_proc -by auto - -lemma created_proc_exit: - "is_created_proc (Exit p # s) tp = (if (tp = p) then False else is_created_proc s tp)" -by (simp add:is_created_proc_def) - -lemma created_proc_kill: - "is_created_proc (Kill p p' # s) tp = (if (tp = p') then False else is_created_proc s tp)" -by (simp add:is_created_proc_def) +lemma current_proc_fds_in_curp: + "\fd \ current_proc_fds s p; valid s\ \ p \ current_procs s" +apply (induct s) +apply (simp add:init_fds_of_proc_prop1) +apply (frule vt_grant_os, frule vd_cons) +apply (case_tac a, auto split:if_splits option.splits) +done -lemma created_proc_other: - "\\ p p' fds. e \ Clone p p' fds; - \ p. e \ Exit p; - \ p p'. e \ Kill p p'\ \ is_created_proc (e # s) tp = is_created_proc s tp" -by (case_tac e, auto simp:is_created_proc_def) - -lemmas is_created_proc_simps = created_proc_clone created_proc_exit created_proc_kill created_proc_other -(* - - - - - (p \ current_procs s \ co2sobj (enrich_proc s p p') (O_proc p') = co2sobj (enrich_proc s p p') (O_proc p)) \ - (\ obj. alive s obj \ alive (enrich_proc s p p') obj) \ - (\ p'. p' \ current_procs s \ cp2sproc (enrich_proc s p p') p' = cp2sproc s p) \ - (\ f. f \ current_files s \ cf2sfile (enrich_proc s p p') f = cf2sfile s f) \ - (Tainted (enrich_proc s p p') = (Tainted s \ (if (O_proc p \ Tainted s) then {O_proc p'} else {})))"*) - -lemma enrich_proc_dup_in: - "\is_created_proc s p; p' \ all_procs s; valid s\ - \ p' \ current_procs (enrich_proc s p p')" -apply (induct s, simp add:is_created_proc_def) -apply (frule vt_grant_os, frule vd_cons) -apply (case_tac a, auto simp:is_created_proc_def dest:not_all_procs_prop3) +lemma get_parentfs_ctxts_prop: + "\get_parentfs_ctxts s (a # f) = Some ctxts; sectxt_of_obj s (O_dir f) = Some ctxt; valid s\ + \ ctxt \ set (ctxts)" +apply (induct f) +apply (auto split:option.splits) done -lemma enrich_proc_dup_ffd: - "\file_of_proc_fd s p fd = Some f; is_created_proc s p; p' \ all_procs s; valid s\ - \ file_of_proc_fd (enrich_proc s p p') p' fd = Some f" -apply (induct s, simp add:is_created_proc_def) -apply (frule vt_grant_os, frule vd_cons) -apply (case_tac a, auto simp:is_created_proc_def proc_file_fds_def - dest:not_all_procs_prop3 split:if_splits option.splits) -done +lemma search_check_allp_intro: + "\search_check s sp pf; get_parentfs_ctxts s pf = Some ctxts; valid s; is_dir s pf\ + \ search_check_allp sp (set ctxts)" +apply (case_tac pf) +apply (simp split:option.splits if_splits add:search_check_allp_def) +apply (rule ballI) +apply (auto simp:search_check_ctxt_def search_check_dir_def split:if_splits option.splits) +apply (auto simp:search_check_allp_def search_check_file_def) +apply (frule is_dir_not_file, simp) +done -lemma enrich_proc_dup_ffd': - "\file_of_proc_fd (enrich_proc s p p') p' fd = Some f; is_created_proc s p; p' \ all_procs s; - no_del_event s; valid s\ - \ file_of_proc_fd s p fd = Some f" -apply (induct s, simp add:is_created_proc_def) -apply (frule vt_grant_os, frule vd_cons) -apply (case_tac a, auto simp:is_created_proc_def proc_file_fds_def - dest:not_all_procs_prop3 split:if_splits option.splits) -done +lemma search_check_leveling_f: + "\search_check s sp pf; parent f = Some pf; is_file s f; valid s; + sectxt_of_obj s (O_file f) = Some fctxt; search_check_file sp fctxt\ + \ search_check s sp f" +apply (case_tac f, simp+) +apply (auto split:option.splits simp:search_check_ctxt_def) +apply (frule parentf_is_dir_prop2, simp) +apply (erule get_pfs_secs_prop, simp) +apply (erule_tac search_check_allp_intro, simp_all) +apply (simp add:parentf_is_dir_prop2) +done -lemma enrich_proc_dup_ffd_eq: - "\is_created_proc s p; p' \ all_procs s; no_del_event s; valid s\ - \ file_of_proc_fd (enrich_proc s p p') p' fd = file_of_proc_fd s p fd" -apply (case_tac "file_of_proc_fd s p fd") -apply (case_tac[!] "file_of_proc_fd (enrich_proc s p p') p' fd") -apply (auto dest:enrich_proc_dup_ffd enrich_proc_dup_ffd') -done lemma current_fflag_in_fds: "\flags_of_proc_fd s p fd = Some flag; valid s\ \ fd \ current_proc_fds s p" @@ -1333,37 +1232,6 @@ apply (auto split:if_splits option.splits dest:proc_fd_in_fds) done -lemma enrich_proc_dup_fflags: - "\flags_of_proc_fd s p fd = Some flag; is_created_proc s p; p' \ all_procs s; valid s\ - \ flags_of_proc_fd (enrich_proc s p p') p' fd = Some (remove_create_flag flag) \ - flags_of_proc_fd (enrich_proc s p p') p' fd = Some flag" -apply (induct s arbitrary:p, simp add:is_created_proc_def) -apply (frule vt_grant_os, frule vd_cons) -apply (case_tac a, auto simp:is_created_proc_def proc_file_fds_def is_creat_flag_def - dest:not_all_procs_prop3 split:if_splits option.splits) -done - -lemma enrich_proc_dup_ffds: - "\is_created_proc s p; p' \ all_procs s; no_del_event s; valid s\ - \ proc_file_fds (enrich_proc s p p') p' = proc_file_fds s p" -apply (auto simp:proc_file_fds_def) -apply (rule_tac x = f in exI) -apply (erule enrich_proc_dup_ffd', simp+) -apply (rule_tac x = f in exI) -apply (erule enrich_proc_dup_ffd, simp+) -done - -lemma enrich_proc_dup_ffds_eq_fds: - "\is_created_proc s p; p' \ all_procs s; no_del_event s; valid s\ - \ current_proc_fds (enrich_proc s p p') p' = proc_file_fds s p" -apply (induct s arbitrary:p) -apply (simp add: is_created_proc_def) -apply (frule not_all_procs_prop3) -apply (frule vd_cons, frule vt_grant_os, case_tac a) -apply (auto split:if_splits option.splits dest:proc_fd_in_fds set_mp not_all_procs_prop3 - simp:proc_file_fds_def is_created_proc_def) -done - lemma oflags_check_remove_create: "oflags_check flags sp sf \ oflags_check (remove_create_flag flags) sp sf" apply (case_tac flags) diff -r 690636b7b6f1 -r 8d18cfc845dd no_shm_selinux/Enrich2.thy --- a/no_shm_selinux/Enrich2.thy Mon Dec 30 23:41:58 2013 +0800 +++ b/no_shm_selinux/Enrich2.thy Tue Dec 31 14:57:13 2013 +0800 @@ -5,44 +5,147 @@ context tainting_s begin -(* \ *) -lemma current_proc_fds_in_curp: - "\fd \ current_proc_fds s p; valid s\ \ p \ current_procs s" + +fun enrich_msgq :: "t_state \ t_msgq \ t_msgq \ t_state" +where + "enrich_msgq [] tq dq = []" +| "enrich_msgq (CreateMsgq p q # s) tq dq = + (if (tq = q) + then (CreateMsgq p dq # CreateMsgq p q # s) + else CreateMsgq p q # (enrich_msgq s tq dq))" +| "enrich_msgq (SendMsg p q m # s) tq dq = + (if (tq = q) + then (SendMsg p dq m # SendMsg p q m # (enrich_msgq s tq dq)) + else SendMsg p q m # (enrich_msgq s tq dq))" +| "enrich_msgq (RecvMsg p q m # s) tq dq = + (if (tq = q) + then (RecvMsg p dq m # RecvMsg p q m # (enrich_msgq s tq dq)) + else RecvMsg p q m # (enrich_msgq s tq dq))" +| "enrich_msgq (e # s) tq dq = e # (enrich_msgq s tq dq)" + + + +(* enrich s target_proc duplicated_pro *) +fun enrich_proc :: "t_state \ t_process \ t_process \ t_state" +where + "enrich_proc [] tp dp = []" +| "enrich_proc (Execve p f fds # s) tp dp = ( + if (tp = p) + then Execve dp f (fds \ proc_file_fds s p) # Execve p f fds # (enrich_proc s tp dp) + else Execve p f fds # (enrich_proc s tp dp))" +| "enrich_proc (Clone p p' fds # s) tp dp = ( + if (tp = p') + then Clone p dp (fds \ proc_file_fds s p) # Clone p p' fds # s + else Clone p p' fds # (enrich_proc s tp dp))" +| "enrich_proc (Open p f flags fd opt # s) tp dp = ( + if (tp = p) + then Open dp f (remove_create_flag flags) fd None # Open p f flags fd opt # (enrich_proc s tp dp) + else Open p f flags fd opt # (enrich_proc s tp dp))" +| "enrich_proc (ReadFile p fd # s) tp dp = ( + if (tp = p) + then ReadFile dp fd # ReadFile p fd # (enrich_proc s tp dp) + else ReadFile p fd # (enrich_proc s tp dp))" +(* +| "enrich_proc (CloseFd p fd # s) tp dp = ( + if (tp = p \ fd \ proc_file_fds s p) + then CloseFd dp fd # CloseFd p fd # (enrich_proc s tp dp) + else CloseFd p fd # (enrich_proc s tp dp))" +*) +(* +| "enrich_proc (Attach p h flag # s) tp dp = ( + if (tp = p) + then Attach dp h flag # Attach p h flag # (enrich_proc s tp dp) + else Attach p h flag # (enrich_proc s tp dp))" +| "enrich_proc (Detach p h # s) tp dp = ( + if (tp = p) + then Detach dp h # Detach p h # (enrich_proc s tp dp) + else Detach p h # (enrich_proc s tp dp))" +*) +(* +| "enrich_proc (Kill p p' # s) tp dp = ( + if (tp = p') then Kill p p' # s + else Kill p p' # (enrich_proc s tp dp))" +| "enrich_proc (Exit p # s) tp dp = ( + if (tp = p) then Exit p # s + else Exit p # (enrich_proc s tp dp))" +*) +| "enrich_proc (e # s) tp dp = e # (enrich_proc s tp dp)" + +definition is_created_proc:: "t_state \ t_process \ bool" +where + "is_created_proc s p \ p \ current_procs s \ (p \ init_procs \ died (O_proc p) s)" + +definition is_created_proc':: "t_state \ t_process \ bool" +where + "is_created_proc' s p \ p \ current_procs s \ p \ init_procs" + +lemma created_proc_clone: + "valid (Clone p p' fds # s) \ + is_created_proc (Clone p p' fds # s) tp = (if (tp = p') then True else is_created_proc s tp)" +apply (drule vt_grant_os) +apply (auto simp:is_created_proc_def dest:not_all_procs_prop2) +using not_died_init_proc +by auto + +lemma created_proc_exit: + "is_created_proc (Exit p # s) tp = (if (tp = p) then False else is_created_proc s tp)" +by (simp add:is_created_proc_def) + +lemma created_proc_kill: + "is_created_proc (Kill p p' # s) tp = (if (tp = p') then False else is_created_proc s tp)" +by (simp add:is_created_proc_def) + +lemma created_proc_other: + "\\ p p' fds. e \ Clone p p' fds; + \ p. e \ Exit p; + \ p p'. e \ Kill p p'\ \ is_created_proc (e # s) tp = is_created_proc s tp" +by (case_tac e, auto simp:is_created_proc_def) + +lemmas is_created_proc_simps = created_proc_clone created_proc_exit created_proc_kill created_proc_other + +lemma no_del_died: + "\no_del_event s; died obj s\ \ (\ p fd. obj = O_fd p fd \ obj = O_tcp_sock (p, fd) \ obj = O_udp_sock (p, fd)) + \ (\ q m. obj = O_msg q m) " apply (induct s) -apply (simp add:init_fds_of_proc_prop1) -apply (frule vt_grant_os, frule vd_cons) -apply (case_tac a, auto split:if_splits option.splits) -done - -lemma get_parentfs_ctxts_prop: - "\get_parentfs_ctxts s (a # f) = Some ctxts; sectxt_of_obj s (O_dir f) = Some ctxt; valid s\ - \ ctxt \ set (ctxts)" -apply (induct f) +apply simp +apply (case_tac a) apply (auto split:option.splits) done -lemma search_check_allp_intro: - "\search_check s sp pf; get_parentfs_ctxts s pf = Some ctxts; valid s; is_dir s pf\ - \ search_check_allp sp (set ctxts)" -apply (case_tac pf) -apply (simp split:option.splits if_splits add:search_check_allp_def) -apply (rule ballI) -apply (auto simp:search_check_ctxt_def search_check_dir_def split:if_splits option.splits) -apply (auto simp:search_check_allp_def search_check_file_def) -apply (frule is_dir_not_file, simp) +lemma no_del_created_eq: + "no_del_event s \ is_created_proc s p = is_created_proc' s p" +apply (induct s) +apply (simp add:is_created_proc_def is_created_proc'_def) +apply (case_tac a) +apply (auto simp add:is_created_proc_def is_created_proc'_def dest:no_del_died) +done + +lemma enrich_proc_dup_in: + "\is_created_proc s p; p' \ all_procs s; valid s\ + \ p' \ current_procs (enrich_proc s p p')" +apply (induct s, simp add:is_created_proc_def) +apply (frule vt_grant_os, frule vd_cons) +apply (case_tac a, auto simp:is_created_proc_def dest:not_all_procs_prop3) done -lemma search_check_leveling_f: - "\search_check s sp pf; parent f = Some pf; is_file s f; valid s; - sectxt_of_obj s (O_file f) = Some fctxt; search_check_file sp fctxt\ - \ search_check s sp f" -apply (case_tac f, simp+) -apply (auto split:option.splits simp:search_check_ctxt_def) -apply (frule parentf_is_dir_prop2, simp) -apply (erule get_pfs_secs_prop, simp) -apply (erule_tac search_check_allp_intro, simp_all) -apply (simp add:parentf_is_dir_prop2) -done +lemma enrich_proc_dup_ffd: + "\file_of_proc_fd s p fd = Some f; is_created_proc s p; p' \ all_procs s; valid s\ + \ file_of_proc_fd (enrich_proc s p p') p' fd = Some f" +apply (induct s, simp add:is_created_proc_def) +apply (frule vt_grant_os, frule vd_cons) +apply (case_tac a, auto simp:is_created_proc_def proc_file_fds_def + dest:not_all_procs_prop3 split:if_splits option.splits) +done + +lemma enrich_proc_dup_ffd': + "\file_of_proc_fd (enrich_proc s p p') p' fd = Some f; is_created_proc s p; p' \ all_procs s; + no_del_event s; valid s\ + \ file_of_proc_fd s p fd = Some f" +apply (induct s, simp add:is_created_proc_def) +apply (frule vt_grant_os, frule vd_cons) +apply (case_tac a, auto simp:is_created_proc_def proc_file_fds_def + dest:not_all_procs_prop3 split:if_splits option.splits) +done lemma enrich_proc_dup_ffds': "\fd \ current_proc_fds (enrich_proc s p p') p'; is_created_proc s p; p' \ all_procs s; no_del_event s; valid s\ @@ -51,6 +154,46 @@ apply (simp add:proc_file_fds_def) done +lemma enrich_proc_dup_ffd_eq: + "\is_created_proc s p; p' \ all_procs s; no_del_event s; valid s\ + \ file_of_proc_fd (enrich_proc s p p') p' fd = file_of_proc_fd s p fd" +apply (case_tac "file_of_proc_fd s p fd") +apply (case_tac[!] "file_of_proc_fd (enrich_proc s p p') p' fd") +apply (auto dest:enrich_proc_dup_ffd enrich_proc_dup_ffd') +done + + +lemma enrich_proc_dup_fflags: + "\flags_of_proc_fd s p fd = Some flag; is_created_proc s p; p' \ all_procs s; valid s\ + \ flags_of_proc_fd (enrich_proc s p p') p' fd = Some (remove_create_flag flag) \ + flags_of_proc_fd (enrich_proc s p p') p' fd = Some flag" +apply (induct s arbitrary:p, simp add:is_created_proc_def) +apply (frule vt_grant_os, frule vd_cons) +apply (case_tac a, auto simp:is_created_proc_def proc_file_fds_def is_creat_flag_def + dest:not_all_procs_prop3 split:if_splits option.splits) +done + +lemma enrich_proc_dup_ffds: + "\is_created_proc s p; p' \ all_procs s; no_del_event s; valid s\ + \ proc_file_fds (enrich_proc s p p') p' = proc_file_fds s p" +apply (auto simp:proc_file_fds_def) +apply (rule_tac x = f in exI) +apply (erule enrich_proc_dup_ffd', simp+) +apply (rule_tac x = f in exI) +apply (erule enrich_proc_dup_ffd, simp+) +done + +lemma enrich_proc_dup_ffds_eq_fds: + "\is_created_proc s p; p' \ all_procs s; no_del_event s; valid s\ + \ current_proc_fds (enrich_proc s p p') p' = proc_file_fds s p" +apply (induct s arbitrary:p) +apply (simp add: is_created_proc_def) +apply (frule not_all_procs_prop3) +apply (frule vd_cons, frule vt_grant_os, case_tac a) +apply (auto split:if_splits option.splits dest:proc_fd_in_fds set_mp not_all_procs_prop3 + simp:proc_file_fds_def is_created_proc_def) +done + lemma enrich_proc_cur_inof: "\valid s; no_del_event s\ \ inum_of_file (enrich_proc s p p') f = inum_of_file s f" apply (induct s arbitrary:f) diff -r 690636b7b6f1 -r 8d18cfc845dd no_shm_selinux/Finite_current.thy --- a/no_shm_selinux/Finite_current.thy Mon Dec 30 23:41:58 2013 +0800 +++ b/no_shm_selinux/Finite_current.thy Tue Dec 31 14:57:13 2013 +0800 @@ -92,6 +92,12 @@ apply (case_tac a, auto simp: init_finite_sets) done +lemma maxium_queue: + "valid s \ length (msgs_of_queue s q) \ max_queue" +apply (induct s) +apply (simp add:init_msgq_valid) +apply (frule vt_grant_os, frule vd_cons, case_tac a, auto) +done lemma finite_option: "finite {x. \ y. f x = Some y} \ finite {y. \ x. f x = Some y}" apply (drule_tac h = f in finite_imageI) diff -r 690636b7b6f1 -r 8d18cfc845dd no_shm_selinux/Flask.thy --- a/no_shm_selinux/Flask.thy Mon Dec 30 23:41:58 2013 +0800 +++ b/no_shm_selinux/Flask.thy Tue Dec 31 14:57:13 2013 +0800 @@ -135,8 +135,11 @@ *) and init_socket_state :: "t_socket \ t_sock_state" +(* and init_msgqs :: "t_msgq set" and init_msgs_of_queue:: "t_msgq \ t_msg list" +*) + and max_queue :: "nat" (* and init_shms :: "t_shm set" and init_procs_of_shm :: "t_shm \ (t_process \ t_shm_attach_flag) set" @@ -162,8 +165,12 @@ and init_procs_has_shm: "\ p h flag. (p,flag) \ init_procs_of_shm h \ p \ init_procs \ h \ init_shms \ init_flag_of_proc_shm p h = Some flag" and init_shmflag_has_proc: "\ p h flag. init_flag_of_proc_shm p h = Some flag \ (p, flag) \ init_procs_of_shm h" *) + +(* and init_msgs_distinct: "\ q. distinct (init_msgs_of_queue q)" and init_msgs_valid: "\ m q. m \ set (init_msgs_of_queue q) \ q \ init_msgqs" + and init_msgq_valid: "\ q. length (init_msgs_of_queue q) \ max_queue" +*) and init_socket_has_inode: "\ p fd. (p, fd) \ init_sockets \ \ im. init_inum_of_socket (p, fd) = Some im \ p \ init_procs \ fd \ init_fds_of_proc p \ init_file_of_proc_fd p fd = None" and inos_has_sock_tag: "\ s im. init_inum_of_socket s = Some im \ s \ init_sockets \ (\ tag. init_itag_of_inum im = Some tag \ is_sock_itag tag)" @@ -174,7 +181,7 @@ and init_netobj_has_raddr: "\ s. after_conacc (init_netobj_state s) \ init_netobj_remoteaddr s \ None" *) - and init_finite_sets: "finite init_files \ finite init_procs \ (\ p. finite (init_fds_of_proc p)) \ finite init_shms \ finite init_msgqs \ finite init_users" + and init_finite_sets: "finite init_files \ finite init_procs \ (\ p. finite (init_fds_of_proc p)) \ finite init_shms \ finite init_users" (* finite init_msgqs *) begin @@ -226,8 +233,8 @@ (* | "init_alive (O_shm h) = (h \ init_shms)" *) -| "init_alive (O_msgq q) = (q \ init_msgqs)" -| "init_alive (O_msg q m) = (m \ set (init_msgs_of_queue q) \ q \ init_msgqs)" +| "init_alive (O_msgq q) = False" (* (q \ init_msgqs) *) +| "init_alive (O_msg q m) = False" (* (m \ set (init_msgs_of_queue q) \ q \ init_msgqs)" *) (************ system listeners, event-related ***********) @@ -512,14 +519,14 @@ fun current_msgqs :: "t_state \ t_msgq set" where - "current_msgqs [] = init_msgqs" + "current_msgqs [] = {}" (* init_msgqs *) | "current_msgqs (CreateMsgq p q # \) = insert q (current_msgqs \)" | "current_msgqs (RemoveMsgq p q # \) = (current_msgqs \) - {q}" | "current_msgqs (_ # \) = current_msgqs \" fun msgs_of_queue :: "t_state \ t_msgq \ t_msg list" where - "msgs_of_queue [] = init_msgs_of_queue" + "msgs_of_queue [] = (\ x. [])" (* init_msgs_of_queue*) | "msgs_of_queue (CreateMsgq p q # \) = (msgs_of_queue \)(q := [])" | "msgs_of_queue (SendMsg p q m # \) = (msgs_of_queue \)(q := msgs_of_queue \ q @ [m])" | "msgs_of_queue (RecvMsg p q m # \) = (msgs_of_queue \)(q := tl (msgs_of_queue \ q))" @@ -720,7 +727,8 @@ | "os_grant \ (CreateMsgq p q) = (p \ current_procs \ \ q \ (current_msgqs \))" | "os_grant \ (SendMsg p q m) = - (p \ current_procs \ \ q \ current_msgqs \ \ m \ (set (msgs_of_queue \ q)))" + (p \ current_procs \ \ q \ current_msgqs \ \ m \ (set (msgs_of_queue \ q)) \ + length (msgs_of_queue \ q) < max_queue)" | "os_grant \ (RecvMsg p q m) = (p \ current_procs \ \ q \ current_msgqs \ \ m = hd (msgs_of_queue \ q) \ msgs_of_queue \ q \ [])" | "os_grant \ (RemoveMsgq p q) = @@ -1477,7 +1485,8 @@ "valid []" | "\valid s; os_grant s e; grant s e\ \ valid (e # s)" -(* tobj: object that can be tainted *) + +(* tobj: object that can be tainted fun tobj_in_init :: "t_object \ bool" where "tobj_in_init (O_proc p) = (p \ init_procs)" @@ -1489,6 +1498,8 @@ | "tobj_in_init (O_msg q m) = (m \ set (init_msgs_of_queue q) \ q \ init_msgqs)" *) | "tobj_in_init _ = False" (* other kind of obj cannot be tainted *) +*) + (* no use fun no_del_event:: "t_event list \ bool" diff -r 690636b7b6f1 -r 8d18cfc845dd no_shm_selinux/Init_prop.thy --- a/no_shm_selinux/Init_prop.thy Mon Dec 30 23:41:58 2013 +0800 +++ b/no_shm_selinux/Init_prop.thy Tue Dec 31 14:57:13 2013 +0800 @@ -334,13 +334,13 @@ lemma init_alive_node: "n \ init_nodes \ init_alive (O_node n)" by simp (* lemma init_alive_shm: "h \ init_shms \ init_alive (O_shm h)" by simp -*) lemma init_alive_msgq: "q \ init_msgqs \ init_alive (O_msgq q)" by simp lemma init_alive_msg: "\m \ set (init_msgs_of_queue q); q \ init_msgqs\ \ init_alive (O_msg q m)" by simp +*) lemmas init_alive_intros = init_alive_proc init_alive_file init_alive_dir init_alive_fd - init_alive_tcp init_alive_udp init_alive_node init_alive_msgq init_alive_msg (*init_alive_shm*) + init_alive_tcp init_alive_udp init_alive_node (*init_alive_msgq init_alive_msg*) (*init_alive_shm*) lemma init_file_type_prop1: "is_init_file f \ \ t. init_type_of_obj (O_file f) = Some t" @@ -541,6 +541,7 @@ by (rule notI, drule init_shm_has_ctxt, simp) *) +(* lemma init_msgq_has_ctxt: "q \ init_msgqs \ \ sec. init_sectxt_of_obj (O_msgq q) = Some sec" apply (simp add:init_sectxt_of_obj_def split:option.splits) @@ -560,6 +561,7 @@ lemma init_msg_has_ctxt': "init_sectxt_of_obj (O_msg q m) = None \ m \ set (init_msgs_of_queue q) \ q \ init_msgqs" by (auto dest:init_msg_has_ctxt) +*) lemma init_rootf_has_ctxt: "\ sec. init_sectxt_of_obj (O_dir []) = Some sec" @@ -571,12 +573,12 @@ using init_rootf_has_ctxt by auto lemmas init_has_ctxt = init_file_has_ctxt init_dir_has_ctxt init_proc_has_ctxt init_fd_has_ctxt - init_node_has_ctxt init_tcp_has_ctxt init_udp_has_ctxt (* init_shm_has_ctxt *) init_msgq_has_ctxt - init_msg_has_ctxt init_rootf_has_ctxt + init_node_has_ctxt init_tcp_has_ctxt init_udp_has_ctxt (* init_shm_has_ctxt *) (* init_msgq_has_ctxt + init_msg_has_ctxt*) init_rootf_has_ctxt lemmas init_has_ctxt' = init_file_has_ctxt' init_dir_has_ctxt' init_proc_has_ctxt' init_fd_has_ctxt' - init_node_has_ctxt' init_tcp_has_ctxt' init_udp_has_ctxt' (* init_shm_has_ctxt' *) init_msgq_has_ctxt' - init_msg_has_ctxt' init_rootf_has_ctxt' + init_node_has_ctxt' init_tcp_has_ctxt' init_udp_has_ctxt' (* init_shm_has_ctxt' *) (*init_msgq_has_ctxt' + init_msg_has_ctxt'*) init_rootf_has_ctxt' lemma sec_of_root_valid: "init_sectxt_of_obj (O_dir []) = Some sec_of_root" @@ -668,6 +670,7 @@ apply (simp add:init_cp2sproc_def) by (case_tac sec, simp+) +(* lemma init_cqm2sms_has_sms_aux: "\ m \ set ms. init_sectxt_of_obj (O_msg q m) \ None \ (\ sms. init_cqm2sms q ms = Some sms)" by (induct ms, auto split:option.splits simp:init_cm2smsg_def) @@ -682,6 +685,7 @@ apply (frule init_msgq_has_ctxt, erule exE, drule init_cqm2sms_has_sms, erule exE) apply (simp add:init_cq2smsgq_def) by (case_tac sec, simp+) +*) lemma cf2sfile_nil_prop: "f \ init_files \ cf2sfile [] f = init_cf2sfile f" @@ -758,6 +762,7 @@ by (auto simp add:init_cp2sproc_def cp2sproc_def init_sectxt_prop cpfd2sfds_nil_prop (*cph2spshs_nil_prop*) split:option.splits) +(* lemma msg_has_sec_imp_init: "init_sectxt_of_obj (O_msg q m) = Some sec \ q \ init_msgqs \ m \ set (init_msgs_of_queue q)" apply (simp add:init_sectxt_of_obj_def split:option.splits) @@ -783,14 +788,15 @@ "cq2smsgq [] q = init_cq2smsgq q" by (auto simp add:cq2smsgq_def init_cq2smsgq_def init_sectxt_prop cqm2sms_nil_prop intro:msgq_has_sec_imp_init split:option.splits) +*) lemma co2sobj_nil_prop: "init_alive obj \ co2sobj [] obj = init_obj2sobj obj" apply (case_tac obj) -apply (auto simp add:cf2sfile_nil_prop cq2smsga_nil_prop cqm2sms_nil_prop tainted_nil_prop +apply (auto simp add:cf2sfile_nil_prop (*cq2smsga_nil_prop cqm2sms_nil_prop*) tainted_nil_prop cp2sproc_nil_prop cfs2sfiles_nil_prop is_init_dir_prop1 is_init_file_prop1 is_init_udp_sock_prop1 is_init_tcp_sock_prop1 (* ch2sshm_nil_prop *) - same_inode_nil_prop cm2smsg_nil_prop + same_inode_nil_prop (*cm2smsg_nil_prop *) dest:init_same_inode_prop1 split:option.splits) apply (rule_tac x = list in exI, simp add:init_same_inode_files_def) diff -r 690636b7b6f1 -r 8d18cfc845dd no_shm_selinux/ROOT --- a/no_shm_selinux/ROOT Mon Dec 30 23:41:58 2013 +0800 +++ b/no_shm_selinux/ROOT Tue Dec 31 14:57:13 2013 +0800 @@ -35,4 +35,10 @@ options [document = false] theories S2ss_prop - S2ss_prop2 \ No newline at end of file + S2ss_prop2 + +session "enrich" = "s2ss" + + options [document = false] + theories + Enrich + Enrich1 \ No newline at end of file diff -r 690636b7b6f1 -r 8d18cfc845dd no_shm_selinux/Static.thy --- a/no_shm_selinux/Static.thy Mon Dec 30 23:41:58 2013 +0800 +++ b/no_shm_selinux/Static.thy Tue Dec 31 14:57:13 2013 +0800 @@ -77,6 +77,7 @@ where "init_o2s_afs f \ {sec. \ f'. f' \ f \ init_sectxt_of_obj (O_dir f') = Some sec}" *) +(* definition init_cm2smsg :: "t_msgq \ t_msg \ t_smsg option" where "init_cm2smsg q m \ (case (init_sectxt_of_obj (O_msg q m)) of @@ -96,6 +97,7 @@ "init_cq2smsgq q \ (case (init_sectxt_of_obj (O_msgq q), init_cqm2sms q (init_msgs_of_queue q)) of (Some sec, Some sms) \ Some (Init q, sec, sms) | _ \ None)" +*) fun init_obj2sobj :: "t_object \ t_sobject option" where @@ -110,11 +112,13 @@ (case (init_cf2sfile f) of Some sf \ Some (S_dir sf) | _ \ None)" -| "init_obj2sobj (O_msgq q) = +| "init_obj2sobj (O_msgq q) = None" + +(* (case (init_cq2smsgq q) of Some sq \ Some (S_msgq sq) | _ \ None)" -(* + | "init_obj2sobj (O_shm h) = (case (init_ch2sshm h) of Some sh \ Some (S_shm sh) @@ -184,6 +188,7 @@ cpfd2sfds s p) | _ \ None)" +(* definition cm2smsg :: "t_state \ t_msgq \ t_msg \ t_smsg option" where "cm2smsg s q m \ (case (sectxt_of_obj s (O_msg q m)) of @@ -191,6 +196,13 @@ Some (if (\ died (O_msg q m) s \ m \ set (init_msgs_of_queue q)) then Init m else Created, sec, O_msg q m \ tainted s) | _ \ None)" +*) + +definition cm2smsg :: "t_state \ t_msgq \ t_msg \