[5/5] flask/policy: comment out unused xenstore example

Message ID 1464015933-26891-6-git-send-email-dgdegra@tycho.nsa.gov (mailing list archive)
State New, archived

Commit Message

Daniel De Graaf May 23, 2016, 3:05 p.m. UTC
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 tools/flask/policy/policy/access_vectors   | 32 +++++++++++++++---------------
 tools/flask/policy/policy/security_classes |  2 +-
 2 files changed, 17 insertions(+), 17 deletions(-)

Comments

Konrad Rzeszutek Wilk June 7, 2016, 7:45 p.m. UTC | #1
On Mon, May 23, 2016 at 11:05:33AM -0400, Daniel De Graaf wrote:
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Would it be good to include in the description something like:

"You should be using the xenstore stubdomain".?

Thanks.
> ---
>  tools/flask/policy/policy/access_vectors   | 32 +++++++++++++++---------------
>  tools/flask/policy/policy/security_classes |  2 +-
>  2 files changed, 17 insertions(+), 17 deletions(-)
> 
> diff --git a/tools/flask/policy/policy/access_vectors b/tools/flask/policy/policy/access_vectors
> index 4fd61f1..8cca192 100644
> --- a/tools/flask/policy/policy/access_vectors
> +++ b/tools/flask/policy/policy/access_vectors
> @@ -6,19 +6,19 @@
>  # Note: this is an example; the xenstore daemon provided with Xen does
>  # not yet include XSM support, and the exact permissions may be defined
>  # differently if such support is added.
> -class xenstore {
> -	# read from keys owned by the target domain (if permissions allow)
> -	read
> -	# write to keys owned by the target domain (if permissions allow)
> -	write
> -	# change permissions of a key owned by the target domain
> -	chmod
> -	# change the owner of a key which was owned by the target domain
> -	chown_from
> -	# change the owner of a key to the target domain
> -	chown_to
> -	# access a key owned by the target domain without permission
> -	override
> -	# introduce a domain
> -	introduce
> -}
> +#class xenstore {
> +#	# read from keys owned by the target domain (if permissions allow)
> +#	read
> +#	# write to keys owned by the target domain (if permissions allow)
> +#	write
> +#	# change permissions of a key owned by the target domain
> +#	chmod
> +#	# change the owner of a key which was owned by the target domain
> +#	chown_from
> +#	# change the owner of a key to the target domain
> +#	chown_to
> +#	# access a key owned by the target domain without permission
> +#	override
> +#	# introduce a domain
> +#	introduce
> +#}
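
Review bot: the unchanged note at the top of this hunk ("this is an example; the xenstore daemon provided with Xen does not yet include XSM support") now introduces a block that is entirely commented out, and nothing in the file says so. Suggest extending that note with one line stating that the class is disabled on purpose because no permission in it is checked by any xenstore daemon shipped with Xen.
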
> diff --git a/tools/flask/policy/policy/security_classes b/tools/flask/policy/policy/security_classes
> index 56595e8..069faea 100644
> --- a/tools/flask/policy/policy/security_classes
> +++ b/tools/flask/policy/policy/security_classes
> @@ -5,4 +5,4 @@
>  # security policy.
>  #
>  # Access vectors for these classes must be defined in the access_vectors file.
> -class xenstore
> +#class xenstore
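
Review bot: the context line here says access vectors for these classes must be defined in the access_vectors file, so `#class xenstore` is only consistent as long as the matching block in access_vectors stays commented out too. A short comment above this line pointing at that block would stop the two files from being re-enabled separately.
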
> -- 
> 2.5.5
>

Daniel De Graaf June 7, 2016, 7:51 p.m. UTC | #2
On 06/07/2016 03:45 PM, Konrad Rzeszutek Wilk wrote:
> On Mon, May 23, 2016 at 11:05:33AM -0400, Daniel De Graaf wrote:
>> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> Would it be good to include in the description something like:
>
> "You should be using the xenstore stubdomain".?
>
> Thanks.

This is unrelated to the xenstore stubdomain; these permissions were
never actually used.  They were pulled from an earlier design document
for a xenstore daemon that added security permissions to xenstore keys
and operations, but this was never a part of upstream Xen.

Konrad Rzeszutek Wilk June 7, 2016, 8:02 p.m. UTC | #3
On Tue, Jun 07, 2016 at 03:51:20PM -0400, Daniel De Graaf wrote:
> On 06/07/2016 03:45 PM, Konrad Rzeszutek Wilk wrote:
> >On Mon, May 23, 2016 at 11:05:33AM -0400, Daniel De Graaf wrote:
> >>Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> >
> >Would it be good to include in the description something like:
> >
> >"You should be using the xenstore stubdomain".?
> >
> >Thanks.
> 
> This is unrelated to the xenstore stubdomain; these permissions were
> never actually used.  They were pulled from an earlier design document
> for a xenstore daemon that added security permissions to xenstore keys
> and operations, but this was never a part of upstream Xen.
> 

Would it be just easier to delete it?

Daniel De Graaf June 7, 2016, 8:04 p.m. UTC | #4
On 06/07/2016 04:02 PM, Konrad Rzeszutek Wilk wrote:
> On Tue, Jun 07, 2016 at 03:51:20PM -0400, Daniel De Graaf wrote:
>> On 06/07/2016 03:45 PM, Konrad Rzeszutek Wilk wrote:
>>> On Mon, May 23, 2016 at 11:05:33AM -0400, Daniel De Graaf wrote:
>>>> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>>>
>>> Would it be good to include in the description something like:
>>>
>>> "You should be using the xenstore stubdomain".?
>>>
>>> Thanks.
>>
>> This is unrelated to the xenstore stubdomain; these permissions were
>> never actually used.  They were pulled from an earlier design document
>> for a xenstore daemon that added security permissions to xenstore keys
>> and operations, but this was never a part of upstream Xen.
>>
>
> Would it be just easier to delete it?
>

That works too.  It was left as an example so that it could be added
back in the future easily, but git history is easy enough to find.

Patch

diff --git a/tools/flask/policy/policy/access_vectors b/tools/flask/policy/policy/access_vectors
index 4fd61f1..8cca192 100644
--- a/tools/flask/policy/policy/access_vectors
+++ b/tools/flask/policy/policy/access_vectors
@@ -6,19 +6,19 @@ 
 # Note: this is an example; the xenstore daemon provided with Xen does
 # not yet include XSM support, and the exact permissions may be defined
 # differently if such support is added.
-class xenstore {
-	# read from keys owned by the target domain (if permissions allow)
-	read
-	# write to keys owned by the target domain (if permissions allow)
-	write
-	# change permissions of a key owned by the target domain
-	chmod
-	# change the owner of a key which was owned by the target domain
-	chown_from
-	# change the owner of a key to the target domain
-	chown_to
-	# access a key owned by the target domain without permission
-	override
-	# introduce a domain
-	introduce
-}
+#class xenstore {
+#	# read from keys owned by the target domain (if permissions allow)
+#	read
+#	# write to keys owned by the target domain (if permissions allow)
+#	write
+#	# change permissions of a key owned by the target domain
+#	chmod
+#	# change the owner of a key which was owned by the target domain
+#	chown_from
+#	# change the owner of a key to the target domain
+#	chown_to
+#	# access a key owned by the target domain without permission
+#	override
+#	# introduce a domain
+#	introduce
+#}
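
Review bot: commenting the block out line by line leaves each description doubly prefixed (`#	# read from keys ...` directly above `#	read`), so permission names and their descriptions become hard to tell apart, and it rewrites 16 lines of text the policy no longer uses. The commit message is only a Signed-off-by, so either delete the block and state in the message that these permissions are unused, or keep it and state in the message why the example is retained.
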
diff --git a/tools/flask/policy/policy/security_classes b/tools/flask/policy/policy/security_classes
index 56595e8..069faea 100644
--- a/tools/flask/policy/policy/security_classes
+++ b/tools/flask/policy/policy/security_classes
@@ -5,4 +5,4 @@ 
 # security policy.
 #
 # Access vectors for these classes must be defined in the access_vectors file.
-class xenstore
+#class xenstore
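
Review bot: this hunk has no trailing context, so `class xenstore` is the last line of security_classes, and the lines shown above it are all comments. If it was also the only class declared in this file, the file now contains no declarations at all; worth confirming that the policy build accepts that, and saying so in the commit message.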