From nobody Thu Oct 30 18:25:56 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120;
 envelope-from=xen-devel-bounces@lists.xenproject.org;
 helo=lists.xenproject.org;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass(p=reject dis=none)  header.from=citrix.com
ARC-Seal: i=1; a=rsa-sha256; t=1753725374; cv=none;
	d=zohomail.com; s=zohoarc;
	b=TCFSG73IFMAW3wi9uNPZHcInyEpacrY4S54zu9cLlF5icxTglSPFQNjEMzXJ9bVvQGmlybkKqyeDdxwQUYT/XzRvg3L82E/PsX7X/xKMdBhCH0ZNy4HLFLuLf3yhO8OSCwaws3WT66tyVfITD5Qoa73rO2yo3dLrUqoAmOkqiVs=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1753725374;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To;
	bh=O2QsoSixqiO30KRHgdek0SA+oshRTfHy/b6VwZ47sdo=;
	b=b4DHr5XPJoJYIapTxgH6VTwmOtbGW37HcbraLNPOt1b0oQtmUBGLk7YPfl6z50oQIahNagALmuT8Vxe+j9phIFNu/sJGcKA5GHB2CRV7gXHNY298dXsd9GeOiDylQRdcApVRn4C4X6upSIcmTbsikiVQw04vsuUsP7lADFdOJ38=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass header.from=<andrew.cooper3@citrix.com> (p=reject dis=none)
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
 by mx.zohomail.com
	with SMTPS id 1753725374701359.3506858409355;
 Mon, 28 Jul 2025 10:56:14 -0700 (PDT)
Received: from list by lists.xenproject.org with
 outflank-mailman.1061810.1427393 (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1ugS4t-0002eZ-PK; Mon, 28 Jul 2025 17:55:59 +0000
Received: by outflank-mailman (output) from mailman id 1061810.1427393;
 Mon, 28 Jul 2025 17:55:59 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1ugS4t-0002ds-L3; Mon, 28 Jul 2025 17:55:59 +0000
Received: by outflank-mailman (input) for mailman id 1061810;
 Mon, 28 Jul 2025 17:55:58 +0000
Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254]
 helo=se1-gles-sth1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=YAI4=2J=cloud.com=andrew.cooper@srs-se1.protection.inumbo.net>)
 id 1ugS4s-0002bc-G5
 for xen-devel@lists.xenproject.org; Mon, 28 Jul 2025 17:55:58 +0000
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com
 [2a00:1450:4864:20::331])
 by se1-gles-sth1.inumbo.com (Halon) with ESMTPS
 id 1d35e40e-6bdc-11f0-a31e-13f23c93f187;
 Mon, 28 Jul 2025 19:55:57 +0200 (CEST)
Received: by mail-wm1-x331.google.com with SMTP id
 5b1f17b1804b1-45622a1829eso16387655e9.1
 for <xen-devel@lists.xenproject.org>; Mon, 28 Jul 2025 10:55:57 -0700 (PDT)
Received: from localhost.localdomain (host-195-149-20-212.as13285.net.
 [195.149.20.212]) by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-458705bcb96sm169306385e9.21.2025.07.28.10.55.55
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 28 Jul 2025 10:55:56 -0700 (PDT)
X-Outflank-Mailman: Message body and most headers restored to incoming version
X-BeenThere: xen-devel@lists.xenproject.org
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
X-Inumbo-ID: 1d35e40e-6bdc-11f0-a31e-13f23c93f187
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=citrix.com; s=google; t=1753725357; x=1754330157;
 darn=lists.xenproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=O2QsoSixqiO30KRHgdek0SA+oshRTfHy/b6VwZ47sdo=;
        b=Risp7LhPu1doPnlEPUZt6mgvvUHOL2fOskzm9+am9QfD0cqeEHWyxqt8fdo/LPvDQk
         4yLS0ReemlIV1MqKjLzwxCDcKcdeUc7MUQ0gnH3cpsb53aEuiNclSBRY/gyqRSU7pGb0
         Mx8oesl712Mn5h9JXmaRRM6vff+dQoIh1E9kY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1753725357; x=1754330157;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=O2QsoSixqiO30KRHgdek0SA+oshRTfHy/b6VwZ47sdo=;
        b=j6w9eLE0Qbm6YgtyvJDrObQIh/yEtM2IFEB6ug8zCa1zREZZr0mbv9B/2sRZE0ms4M
         3dDGT9SfJ4rvg8wXUBDtouuKtSNC+O6FESar6AM9IFQOqSwAmQuPvqQXrmB3fG5DHV0J
         ZtvLtXo6jcNdoeil3h3vmK9veCmlA8+EFgNvoM2szLYe0tTgVaDuGmFpPK2ivHSKPpMX
         0h+KaDR6MLIw/nlfDItCFKeU3Ta9eeZ8fmEW2Cv9akZk7hWL/QSY4ur0L8QDyUYPD2Gr
         DIR9vXz+efULfEAx1kuzhvithuONtEHpdiGdSxG7kIL2NR+crsYVA9qQscz03yv7anHv
         tTXQ==
X-Gm-Message-State: AOJu0Ywu3OTjHNSUcdzCyDwet45QFqqv6E79NloHKUsoQAeYh1QYXEsA
	buh+DASkwYr6kyygh88C2GGUc959DspIGxiM3egnktNPyt7gwlALmdHIOKoaA3WiKjJSscOKYA2
	ICZkllLI=
X-Gm-Gg: ASbGncuVit4v2Lr3SJEJwJOfaaQivbzxkB4QxvTr15PPuf3oUEry+BTMgzSIdkPsu+c
	o/BxfGSwXYLM6YZORBP8YYdCErBJ9U2nww3hvbQFiVzfW2g7OruT6MbiajZ1aU2jKrmnmP4hur7
	ePO82KyvFGdLIFCAqatAjIbvKh7FR7PMHKR6ucFCLLUjSp1KhqNwldEF+csjVBf/CP8eIMrBthu
	3wmj/2St03H6910Iy5sU+gJI9a9qkfC0xS2jFY+33wzAbCexlfzmwOYdig5vY5BSr9zivaRECOV
	5UB/2F2jsOX4EbiZWt31LBhKPXOr77zpgbGMjDgiae7kyr2BhdDhALOlpA6q7uJUoMJWHVr48z6
	oAC87IBkW5M89uC2dYdMQjjIBthlHf5csZVShaAtyVUUzDCdGTxcL3lD6Dx8ZoYHoT2kBboPwOk
	kO
X-Google-Smtp-Source: 
 AGHT+IEq3HGDiABSD+VVmxvZ3BmacOFX1nlQyBy44/x7VzSCQwa1+G7asYmctvD2ZUuDR9DHPHOq2w==
X-Received: by 2002:a05:600c:1e2a:b0:43d:b3:fb1 with SMTP id
 5b1f17b1804b1-45876556336mr103542415e9.27.1753725356722;
        Mon, 28 Jul 2025 10:55:56 -0700 (PDT)
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	"Daniel P . Smith" <dpsmith@apertussolutions.com>
Subject: [PATCH 1/3] tools/flask: Strip trailing whitespace
Date: Mon, 28 Jul 2025 18:55:46 +0100
Message-Id: <20250728175548.3199177-2-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250728175548.3199177-1-andrew.cooper3@citrix.com>
References: <20250728175548.3199177-1-andrew.cooper3@citrix.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @citrix.com)
X-ZM-MESSAGEID: 1753725376803116600
Content-Type: text/plain; charset="utf-8"

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
CC: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 tools/flask/policy/modules/modules.conf           | 2 +-
 tools/flask/policy/modules/vm_role.cons           | 4 ++--
 tools/flask/policy/policy/mls                     | 2 +-
 tools/flask/policy/policy/support/misc_macros.spt | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/tools/flask/policy/modules/modules.conf b/tools/flask/policy/m=
odules/modules.conf
index 6dba0a3d9172..1b6975551ab4 100644
--- a/tools/flask/policy/modules/modules.conf
+++ b/tools/flask/policy/modules/modules.conf
@@ -42,7 +42,7 @@ xenstore =3D on
 all_system_role =3D on
=20
 # Example users, roles, and constraints for user-based separation.
-#=20
+#
 # The three users defined here can set up grant/event channel communication
 # (vchan, device frontend/backend) between their own VMs, but cannot set u=
p a
 # channel to a VM under a different user.
diff --git a/tools/flask/policy/modules/vm_role.cons b/tools/flask/policy/m=
odules/vm_role.cons
index 3847ec1afa4e..ac38217f4641 100644
--- a/tools/flask/policy/modules/vm_role.cons
+++ b/tools/flask/policy/modules/vm_role.cons
@@ -3,7 +3,7 @@
 #
 # constrain class_set perm_set expression ;
 #
-# expression : ( expression )=20
+# expression : ( expression )
 #	     | not expression
 #	     | expression and expression
 #	     | expression or expression
@@ -17,7 +17,7 @@
 #	     | t1 op names
 #	     | t2 op names
 #
-# op : =3D=3D | !=3D=20
+# op : =3D=3D | !=3D
 # role_op : =3D=3D | !=3D | eq | dom | domby | incomp
 #
 # names : name | { name_list }
diff --git a/tools/flask/policy/policy/mls b/tools/flask/policy/policy/mls
index 9290a76ae9bc..c4b74c10cda7 100644
--- a/tools/flask/policy/policy/mls
+++ b/tools/flask/policy/policy/mls
@@ -1,6 +1,6 @@
 ifdef(`enable_mls',`
 #
-# Define sensitivities=20
+# Define sensitivities
 #
 # Domination of sensitivities is in increasin
 # numerical order, with s0 being the lowest
diff --git a/tools/flask/policy/policy/support/misc_macros.spt b/tools/flas=
k/policy/policy/support/misc_macros.spt
index 3116db92fbed..4c3be036c6e9 100644
--- a/tools/flask/policy/policy/support/misc_macros.spt
+++ b/tools/flask/policy/policy/support/misc_macros.spt
@@ -21,7 +21,7 @@ define(`ifndef',`ifdef(`$1',`$3',`$2')')
 #
 # __endline__
 #
-# dummy macro to insert a newline.  used for=20
+# dummy macro to insert a newline.  used for
 # errprint, so the close parentheses can be
 # indented correctly.
 #
--=20
2.39.5
From nobody Thu Oct 30 18:25:56 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120;
 envelope-from=xen-devel-bounces@lists.xenproject.org;
 helo=lists.xenproject.org;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass(p=reject dis=none)  header.from=citrix.com
ARC-Seal: i=1; a=rsa-sha256; t=1753725379; cv=none;
	d=zohomail.com; s=zohoarc;
	b=FZzURvJZsl4Xigp0yd7nPSWSCBiZdIYGrl8+b+MtiKDEq3X91dd1BIwyRxhCfleqo5RQZ7eLxniYnhs+lvro+HAmdYXI3uc7dPuU+RhQp+eJUDGjlx7I6eT2vIt1jwMKVWqtcMrjAfdIwanETCXsEq+ffFyImRBNrCU23Uj9pQE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1753725379;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To;
	bh=gz1TvXq1kq8bB0MflQ77AJAntpl897s6sr2Ax3LETXE=;
	b=KDqHmlHPLY7PDmAK1ueZDKsOK4OOHjm8GhEatZ1Ahfa31J53kN8yOmS4UPwXyZx/1gucaEmxxRvKJOgMRRJ9iX16h3p5giZAe0Me7swBKFIk5Sr9Bb7ADVYQ+ZDiX3C2kesVJnKM8PTZJjZ3Gj/qJcS0QM/srW3PMhExOBtr15M=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass header.from=<andrew.cooper3@citrix.com> (p=reject dis=none)
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
 by mx.zohomail.com
	with SMTPS id 1753725379515240.38837726400243;
 Mon, 28 Jul 2025 10:56:19 -0700 (PDT)
Received: from list by lists.xenproject.org with
 outflank-mailman.1061811.1427409 (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1ugS4u-00033C-VQ; Mon, 28 Jul 2025 17:56:00 +0000
Received: by outflank-mailman (output) from mailman id 1061811.1427409;
 Mon, 28 Jul 2025 17:56:00 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1ugS4u-000335-Ss; Mon, 28 Jul 2025 17:56:00 +0000
Received: by outflank-mailman (input) for mailman id 1061811;
 Mon, 28 Jul 2025 17:55:59 +0000
Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254]
 helo=se1-gles-sth1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=YAI4=2J=cloud.com=andrew.cooper@srs-se1.protection.inumbo.net>)
 id 1ugS4t-0002bc-G5
 for xen-devel@lists.xenproject.org; Mon, 28 Jul 2025 17:55:59 +0000
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com
 [2a00:1450:4864:20::32f])
 by se1-gles-sth1.inumbo.com (Halon) with ESMTPS
 id 1dc79a2c-6bdc-11f0-a31e-13f23c93f187;
 Mon, 28 Jul 2025 19:55:58 +0200 (CEST)
Received: by mail-wm1-x32f.google.com with SMTP id
 5b1f17b1804b1-45617887276so27601235e9.2
 for <xen-devel@lists.xenproject.org>; Mon, 28 Jul 2025 10:55:58 -0700 (PDT)
Received: from localhost.localdomain (host-195-149-20-212.as13285.net.
 [195.149.20.212]) by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-458705bcb96sm169306385e9.21.2025.07.28.10.55.56
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 28 Jul 2025 10:55:57 -0700 (PDT)
X-Outflank-Mailman: Message body and most headers restored to incoming version
X-BeenThere: xen-devel@lists.xenproject.org
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
X-Inumbo-ID: 1dc79a2c-6bdc-11f0-a31e-13f23c93f187
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=citrix.com; s=google; t=1753725358; x=1754330158;
 darn=lists.xenproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=gz1TvXq1kq8bB0MflQ77AJAntpl897s6sr2Ax3LETXE=;
        b=v/nwv42VEMpv79tavDT1c5tv4mSShs+YgNsiUlGXzGZ9jr9ZnYLcE/hiNxuJMu0+py
         5r2TlqpdQcBsJKukqmh86pTDEUleBDU5WN0tj34tHm+DJO0ZdDUECkoNsgacH0ay0OV4
         omWbhIFDOhadQprm0wj0q/6vv8iffI7b8SJ+w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1753725358; x=1754330158;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=gz1TvXq1kq8bB0MflQ77AJAntpl897s6sr2Ax3LETXE=;
        b=JUPSOyqjvpxXb5VvMWXZHkPwWHXQsrpkBpBBobHb0c3lrRydmCNt4esk1XRbySIC9J
         EELKd9wbMZ3Gno8MRHHS0FvLS6O3AobRNbWfX8RUoD8GJK8vvdL0LJgeS4rNTxhF0aZV
         /0M5g2c1sbKp9A117MY5UtkRCg8p5u25qTpkfuPTuZbWXBsEDgXJ3/yxdH7Ob0enff//
         YdjTC/IGGPoIVqt4UG4woerZhvGJxqNgA//iiI4dt/Dn6ybcZ+owdGmN/xiATPedmLay
         YGGXXz6lx6iJYsK/J9sDbZzIqjLTKuQXDtkMO770ZKdMILEKhtQ4rJ2dNNLx/GaHiv+Y
         h/Rw==
X-Gm-Message-State: AOJu0YzrAFjKGQUfXR/yeeGUvp7pu4d8vvVH/N1yXE6aV2gfLJJ1j6ze
	nRao5NOrzpTLa7quCkB/7RJ6Sb58nB32VrcVW22Xc0Mlh2ESOqKhYTkYmEJ79M8mFKrw1YfTmMK
	v7oaRIe8=
X-Gm-Gg: ASbGnctEi6MWjRv6Dm9iNZmzJYxnHptwiW7LmYcDSyF7bghbK2xYT5qWyIPwwiRbmDd
	+NvJmtTf/XI6j7ITNLVQniEVH62+MLFr3zBdYcciNC2xC63c1TMxfQlWNy4HBbbffr032wftDXG
	YIUzFykucL5H2EgWg2b8uw2OS2sG9NQam5g1CO72I3o/A3fQJDiuVAy4vxZrEqJDKOAzwJktsP3
	UuySrhJlCqpCeP93etjldLvxq3t+lB092OCQizjL90IqgyRJZy6cWweM7WU1Y5TvZ++iFiHhlBH
	I3FwN69/rSNJG2y6VuhE0J6b3IH13MNfUzbsGIIqK640Y9ZYy89Mpj8iCkxjrZOqJh3cMWNDzcZ
	809nrQsVTF4C1Vanu8AwiGA1+nPkAxlBE7Xvhz+qqzr0CLdwd+iSKc7WLruIK+U7Yu1F4ymnmXp
	Bs
X-Google-Smtp-Source: 
 AGHT+IFgr5ZtLzyP9+5c9Il15sALQIotEeuH3N/hau1/J0QVtdWY+5Vgfvvnqc0aipiAZemZsuysVA==
X-Received: by 2002:a05:600c:8b8c:b0:456:2d06:618a with SMTP id
 5b1f17b1804b1-4587911e684mr100549615e9.18.1753725357739;
        Mon, 28 Jul 2025 10:55:57 -0700 (PDT)
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	"Daniel P . Smith" <dpsmith@apertussolutions.com>
Subject: [PATCH 2/3] tools/flask: Use tabs uniformly
Date: Mon, 28 Jul 2025 18:55:47 +0100
Message-Id: <20250728175548.3199177-3-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250728175548.3199177-1-andrew.cooper3@citrix.com>
References: <20250728175548.3199177-1-andrew.cooper3@citrix.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @citrix.com)
X-ZM-MESSAGEID: 1753725380750116600
Content-Type: text/plain; charset="utf-8"

Most indentation is with tabs, but a few spaces have slipped in.  Switch th=
em
back to tabs.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
CC: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 tools/flask/policy/modules/xen.if | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules=
/xen.if
index cff51febbfdf..cfa11b27b786 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -95,7 +95,7 @@ define(`manage_domain', `
 			getaddrsize pause unpause trigger shutdown destroy
 			setaffinity setdomainmaxmem getscheduler resume
 			setpodtarget getpodtarget getpagingmempool setpagingmempool };
-    allow $1 $2:domain2 { set_vnumainfo dt_overlay get_domain_state };
+	allow $1 $2:domain2 { set_vnumainfo dt_overlay get_domain_state };
 ')
=20
 # migrate_domain_out(priv, target)
@@ -182,9 +182,9 @@ define(`make_device_model', `
 #   Allow a device to be used by a domain
 #   only if an IOMMU provides isolation.
 define(`use_device_iommu', `
-    allow $1 $1_self:mmu exchange;
-    allow $1 $2:resource use_iommu;
-    allow $1 domio_t:mmu { map_read map_write };
+	allow $1 $1_self:mmu exchange;
+	allow $1 $2:resource use_iommu;
+	allow $1 domio_t:mmu { map_read map_write };
 ')
=20
 # use_device_iommu_nointremap(domain, device)
@@ -193,30 +193,30 @@ define(`use_device_iommu', `
 #   interrupt remapping.
 #   Allows acceptance of (typically older) less isolating hardware.
 define(`use_device_iommu_nointremap', `
-    allow $1 $1_self:mmu exchange;
-    allow $1 $2:resource { use_iommu use_iommu_nointremap };
-    allow $1 domio_t:mmu { map_read map_write };
+	allow $1 $1_self:mmu exchange;
+	allow $1 $2:resource { use_iommu use_iommu_nointremap };
+	allow $1 domio_t:mmu { map_read map_write };
 ')
=20
 # use_device_noiommu(domain, device)
 #   Allow a device to be used by a domain
 #   even without an IOMMU available.
 define(`use_device_noiommu', `
-    allow $1 $1_self:mmu exchange;
-    allow $1 $2:resource { use_iommu use_iommu_nointremap use_noiommu };
-    allow $1 domio_t:mmu { map_read map_write };
+	allow $1 $1_self:mmu exchange;
+	allow $1 $2:resource { use_iommu use_iommu_nointremap use_noiommu };
+	allow $1 domio_t:mmu { map_read map_write };
 ')
=20
 # admin_device(domain, device)
 #   Allow a device to be used and delegated by a domain
 define(`admin_device', `
-    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem =
add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug =
};
-    allow $1 $2:hvm bind_irq;
-    use_device_noiommu($1, $2)
+	allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add=
_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
+	allow $1 $2:hvm bind_irq;
+	use_device_noiommu($1, $2)
 ')
=20
 # delegate_devices(priv-domain, target-domain)
 #   Allow devices to be delegated
 define(`delegate_devices', `
-    allow $1 $2:resource { add remove };
+	allow $1 $2:resource { add remove };
 ')
--=20
2.39.5
From nobody Thu Oct 30 18:25:56 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120;
 envelope-from=xen-devel-bounces@lists.xenproject.org;
 helo=lists.xenproject.org;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass(p=reject dis=none)  header.from=citrix.com
ARC-Seal: i=1; a=rsa-sha256; t=1753725379; cv=none;
	d=zohomail.com; s=zohoarc;
	b=K6VA7gdzA8KWYZJ5QUOxySiWuEfxee61UtCtkTXmElxEsT5I3XBfmgDs30ItMPXb6LDkE+OGAFoQ5bgFkFRSl/8cE8FS8m4JFv8O4Bl4UnqKrrVhwgOd0U02LMlHFiS/a7j0YklxN5V3iMVUFzTMPafTSZM+x0q5XGa7GiqdIeQ=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1753725379;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To;
	bh=WXIq2BiMJ8kiOav4jMFA7pxHkH9LWuXuzwkMI7XzXig=;
	b=FYVgZ5PvRW+TaLTqqvrg4LC4V7uQRsP3lTXup/XSYN/DNn46mrbugz6Frop+3zWju84vKg+7RIGjIHglI0d09uh8iLeKNdH6nN2mt9hJvwHN9UZvi+oM36m39HpM13sCtrV91j1SWfvGEvj7qPD0ssdWRfZB+0VozEo/dBlyfxc=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass header.from=<andrew.cooper3@citrix.com> (p=reject dis=none)
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
 by mx.zohomail.com
	with SMTPS id 1753725379720435.50423573469936;
 Mon, 28 Jul 2025 10:56:19 -0700 (PDT)
Received: from list by lists.xenproject.org with
 outflank-mailman.1061812.1427418 (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1ugS4y-0003Jf-5i; Mon, 28 Jul 2025 17:56:04 +0000
Received: by outflank-mailman (output) from mailman id 1061812.1427418;
 Mon, 28 Jul 2025 17:56:04 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1ugS4y-0003JW-2p; Mon, 28 Jul 2025 17:56:04 +0000
Received: by outflank-mailman (input) for mailman id 1061812;
 Mon, 28 Jul 2025 17:56:02 +0000
Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50]
 helo=se1-gles-flk1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=YAI4=2J=cloud.com=andrew.cooper@srs-se1.protection.inumbo.net>)
 id 1ugS4w-0003HT-G9
 for xen-devel@lists.xenproject.org; Mon, 28 Jul 2025 17:56:02 +0000
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com
 [2a00:1450:4864:20::329])
 by se1-gles-flk1.inumbo.com (Halon) with ESMTPS
 id 1e6bfbe6-6bdc-11f0-b895-0df219b8e170;
 Mon, 28 Jul 2025 19:55:59 +0200 (CEST)
Received: by mail-wm1-x329.google.com with SMTP id
 5b1f17b1804b1-455b00339c8so29244585e9.3
 for <xen-devel@lists.xenproject.org>; Mon, 28 Jul 2025 10:55:59 -0700 (PDT)
Received: from localhost.localdomain (host-195-149-20-212.as13285.net.
 [195.149.20.212]) by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-458705bcb96sm169306385e9.21.2025.07.28.10.55.57
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 28 Jul 2025 10:55:58 -0700 (PDT)
X-Outflank-Mailman: Message body and most headers restored to incoming version
X-BeenThere: xen-devel@lists.xenproject.org
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
X-Inumbo-ID: 1e6bfbe6-6bdc-11f0-b895-0df219b8e170
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=citrix.com; s=google; t=1753725359; x=1754330159;
 darn=lists.xenproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=WXIq2BiMJ8kiOav4jMFA7pxHkH9LWuXuzwkMI7XzXig=;
        b=a/mBx10aJxExWhz/giDzxPkZC01gdBGCRbsng1vFFNtW0RdFltpnBjaWCOl/DzgjTt
         h8xbPQp0qkFhomepfUfr5KRMQ9gzGXflFdxuw05xLcPu0Dq8p8HnQaryIEq36wMK0iNX
         6+9i/3pJxq2PgNSXmiXAYwiXcl7PqVq43zTfA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1753725359; x=1754330159;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=WXIq2BiMJ8kiOav4jMFA7pxHkH9LWuXuzwkMI7XzXig=;
        b=Hh9wyw4S/5OR46FNTiXVOCHd8IADgtv4tXdXXtlE5zErBbKs+vUdCixdFMvaifFTai
         r/gq/sqkRq7Nx2x9AnGIy0psT0VFYlvYhIoDbspbzRxDgJGlc46hiEZ7X+hRpfxswzrP
         RGr7IhcYDFJPhnJhKqwz7n9naIkAebrhBZBIX8KF9ErImaPk8J78/8NA00DR5Dtxg98P
         6Enu9+B8b4TZ/sHFjZJF6P5OdY6tNjyxE/bIeeTPZGuRlOzn8XP1HeP5aFUD1JE/SgYJ
         M2iYXFdGFhVFQGjbfmmb1KUOifeAArfCsjMuT15gfw4vif+H1k1OQGTWJ+OJmbEa7ZrC
         CNWg==
X-Gm-Message-State: AOJu0Yzur4qwdo8wxYWQZP46cL1Ae+Eeh13i1jCesN/xZvPRG1bQIojE
	Xia0ygUcy8SJhxTcxkrnK4yP2A7vv59oue7SnScU7n3bHJc1D8Wd5LAV4KbrU94HNtNgAXQtQAc
	z1esUops=
X-Gm-Gg: ASbGncsZXN7AaeO90uNZwFMU7N8m7+yqZmO7EpplOfLiX5eyRf6WdmmnqMhlG6obFwi
	N6YZYxTen6VHNRrHC2guv4NYowhcUrGbRrmsGiCtXULoCxIXNEsJid/HR1Hf/HGUi2LWYnXUw4A
	d3QkFaDMc+qQJdQLjtAolGvbnV4RcGw/P6iL6mDEMJUsacA4KxkZn8OoYmh7SxIK/KeU6/UdmGE
	Ckq9IF46I11RYeOZbeJtoV9iSNJBrcMDYQHTHY0Bo06j7LoPo0iqgVwu0ANBaWdL3JzEc2lAxCg
	ctr+VY/0RIZScLwVRJ4eWOw5UzSMw392lXc0TywASHJKXCEF+Dpb3bcWy+d4OW5X7tEm95l9jBb
	tV42iv+prhLMiCav+betJImojjasVfay0Zan2EzzChN+tfbf28iY9S7OaqbibRvoY2XCh6ndyj3
	rg
X-Google-Smtp-Source: 
 AGHT+IGSgaxgZy51NS0Acuc3SEbt/uIMveA0tMDfDamycM1VLb/8082j0rKeuMRYWn1657GVNka20Q==
X-Received: by 2002:a05:600c:c166:b0:43c:ea1a:720a with SMTP id
 5b1f17b1804b1-458762fcb80mr75742235e9.1.1753725358746;
        Mon, 28 Jul 2025 10:55:58 -0700 (PDT)
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	"Daniel P . Smith" <dpsmith@apertussolutions.com>
Subject: [PATCH 3/3] tools/flask: Reformat allow declarations
Date: Mon, 28 Jul 2025 18:55:48 +0100
Message-Id: <20250728175548.3199177-4-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250728175548.3199177-1-andrew.cooper3@citrix.com>
References: <20250728175548.3199177-1-andrew.cooper3@citrix.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @citrix.com)
X-ZM-MESSAGEID: 1753725381170116600
Content-Type: text/plain; charset="utf-8"

Having multiple values wrapped onto as few lines as practical is good for
space efficiency, but causes complex collisions for hypercall backports and
local policy changes.  Reformat to use one value per line.

No functional change, only whitespace changes.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Daniel P. Smith <dpsmith@apertussolutions.com>
---
CC: Daniel P. Smith <dpsmith@apertussolutions.com>
---
 tools/flask/policy/modules/dom0.te     | 122 ++++++++++---
 tools/flask/policy/modules/xen.if      | 241 +++++++++++++++++++++----
 tools/flask/policy/modules/xen.te      |  25 ++-
 tools/flask/policy/modules/xenstore.te |   6 +-
 4 files changed, 327 insertions(+), 67 deletions(-)

diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/module=
s/dom0.te
index ccadbd6469db..ad2b4f9ea75f 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -7,23 +7,61 @@
 #
 ##########################################################################=
######
 allow dom0_t xen_t:xen {
-	settime tbufcontrol readconsole clearconsole perfcontrol mtrr_add
-	mtrr_del mtrr_read microcode physinfo quirk writeconsole readapic
-	writeapic privprofile nonprivprofile kexec firmware sleep frequency
-	getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op
-	getscheduler setscheduler hypfs_op
+	settime
+	tbufcontrol
+	readconsole
+	clearconsole
+	perfcontrol
+	mtrr_add
+	mtrr_del
+	mtrr_read
+	microcode
+	physinfo
+	quirk
+	writeconsole
+	readapic
+	writeapic
+	privprofile
+	nonprivprofile
+	kexec
+	firmware
+	sleep
+	frequency
+	getidle
+	debug
+	getcpuinfo
+	heap
+	pm_op
+	mca_op
+	lockprof
+	cpupool_op
+	getscheduler
+	setscheduler
+	hypfs_op
 };
 allow dom0_t xen_t:xen2 {
-	resource_op psr_cmt_op psr_alloc pmu_ctrl get_symbol
-	get_cpu_levelling_caps get_cpu_featureset livepatch_op
-	coverage_op get_dom0_console
+	resource_op
+	psr_cmt_op
+	psr_alloc
+	pmu_ctrl
+	get_symbol
+	get_cpu_levelling_caps
+	get_cpu_featureset
+	livepatch_op
+	coverage_op
+	get_dom0_console
 };
=20
 # Allow dom0 to use all XENVER_ subops that have checks.
 # Note that dom0 is part of domain_type so this has duplicates.
 allow dom0_t xen_t:version {
-	xen_extraversion xen_compile_info xen_capabilities
-	xen_changeset xen_pagesize xen_guest_handle xen_commandline
+	xen_extraversion
+	xen_compile_info
+	xen_capabilities
+	xen_changeset
+	xen_pagesize
+	xen_guest_handle
+	xen_commandline
 	xen_build_id
 };
=20
@@ -32,41 +70,83 @@ allow dom0_t xen_t:mmu memorymap;
 # Allow dom0 to use these domctls on itself. For domctls acting on other
 # domains, see the definitions of create_domain and manage_domain.
 allow dom0_t dom0_t:domain {
-	setvcpucontext max_vcpus setaffinity getaffinity getscheduler
-	getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
-	setdebugging hypercall settime setaddrsize getaddrsize trigger
-	getpodtarget setpodtarget getpagingmempool setpagingmempool set_misc_info
+	setvcpucontext
+	max_vcpus
+	setaffinity
+	getaffinity
+	getscheduler
+	getdomaininfo
+	getvcpuinfo
+	getvcpucontext
+	setdomainmaxmem
+	setdomainhandle
+	setdebugging
+	hypercall
+	settime
+	setaddrsize
+	getaddrsize
+	trigger
+	getpodtarget
+	setpodtarget
+	getpagingmempool
+	setpagingmempool
+	set_misc_info
 	set_virq_handler
 };
 allow dom0_t dom0_t:domain2 {
-	set_cpu_policy gettsc settsc setscheduler set_vnumainfo
-	get_vnumainfo psr_cmt_op psr_alloc get_cpu_policy dt_overlay
+	set_cpu_policy
+	gettsc
+	settsc
+	setscheduler
+	set_vnumainfo
+	get_vnumainfo
+	psr_cmt_op
+	psr_alloc
+	get_cpu_policy
+	dt_overlay
 	get_domain_state
 };
-allow dom0_t dom0_t:resource { add remove };
+allow dom0_t dom0_t:resource {
+	add
+	remove
+};
=20
 # These permissions allow using the FLASK security server to compute access
 # checks locally, which could be used by a domain or service (such as xens=
tore)
 # that does not have its own security server to make access decisions base=
d on
 # Xen's security policy.
 allow dom0_t security_t:security {
-	compute_av compute_create compute_member compute_relabel
+	compute_av
+	compute_create
+	compute_member
+	compute_relabel
 };
=20
 # Allow string/SID conversions (for "xl list -Z" and similar)
 allow dom0_t security_t:security check_context;
=20
 # Allow flask-label-pci to add and change labels
-allow dom0_t security_t:security { add_ocontext del_ocontext };
+allow dom0_t security_t:security {
+	add_ocontext
+	del_ocontext
+};
=20
 # Allow performance parameters of the security server to be tweaked
 allow dom0_t security_t:security setsecparam;
=20
 # Allow changing the security policy
-allow dom0_t security_t:security { load_policy setenforce setbool };
+allow dom0_t security_t:security {
+	load_policy
+	setenforce
+	setbool
+};
=20
 # Audit policy change events even when they are allowed
-auditallow dom0_t security_t:security { load_policy setenforce setbool };
+auditallow dom0_t security_t:security {
+	load_policy
+	setenforce
+	setbool
+};
=20
 # Allow dom0 to report platform configuration changes back to the hypervis=
or
 allow dom0_t xen_t:resource setup;
diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules=
/xen.if
index cfa11b27b786..ef7d8f438c65 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -6,9 +6,25 @@
 #
 ##########################################################################=
######
 define(`declare_domain_common', `
-	allow $1 $2:grant { query setup };
-	allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp=
 mmuext_op };
-	allow $1 $2:hvm { getparam setparam altp2mhvm_op };
+	allow $1 $2:grant {
+		query
+		setup
+	};
+	allow $1 $2:mmu {
+		adjust
+		physmap
+		map_read
+		map_write
+		stat
+		pinpage
+		updatemp
+		mmuext_op
+	};
+	allow $1 $2:hvm {
+		getparam
+		setparam
+		altp2mhvm_op
+	};
 	allow $1 $2:domain2 get_vnumainfo;
 ')
=20
@@ -46,22 +62,65 @@ define(`declare_build_label', `
 ')
=20
 define(`create_domain_common', `
-	allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
-			getdomaininfo hypercall setvcpucontext getscheduler
-			getvcpuinfo getaddrsize getaffinity setaffinity
-			settime setdomainhandle getvcpucontext set_misc_info
-			getpagingmempool setpagingmempool };
-	allow $1 $2:domain2 { set_cpu_policy settsc setscheduler setclaim
-			set_vnumainfo get_vnumainfo cacheflush
-			psr_cmt_op psr_alloc soft_reset
-			resource_map get_cpu_policy vuart_op set_llc_colors
-			get_domain_state };
+	allow $1 $2:domain {
+		create
+		max_vcpus
+		setdomainmaxmem
+		setaddrsize
+		getdomaininfo
+		hypercall
+		setvcpucontext
+		getscheduler
+		getvcpuinfo
+		getaddrsize
+		getaffinity
+		setaffinity
+		settime
+		setdomainhandle
+		getvcpucontext
+		set_misc_info
+		getpagingmempool
+		setpagingmempool
+	};
+	allow $1 $2:domain2 {
+		set_cpu_policy
+		settsc
+		setscheduler
+		setclaim
+		set_vnumainfo
+		get_vnumainfo
+		cacheflush
+		psr_cmt_op
+		psr_alloc
+		soft_reset
+		resource_map
+		get_cpu_policy
+		vuart_op
+		set_llc_colors
+		get_domain_state
+	};
 	allow $1 $2:security check_context;
 	allow $1 $2:shadow enable;
-	allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmu=
ext_op updatemp };
+	allow $1 $2:mmu {
+		map_read
+		map_write
+		adjust
+		memorymap
+		physmap
+		pinpage
+		mmuext_op
+		updatemp
+	};
 	allow $1 $2:grant setup;
-	allow $1 $2:hvm { getparam hvmctl sethvmc
-			setparam altp2mhvm altp2mhvm_op dm };
+	allow $1 $2:hvm {
+		getparam
+		hvmctl
+		sethvmc
+		setparam
+		altp2mhvm
+		altp2mhvm_op
+		dm
+	};
 ')
=20
 # xen_build_domain(target)
@@ -91,11 +150,30 @@ define(`create_domain_build_label', `
 # manage_domain(priv, target)
 #   Allow managing a running domain
 define(`manage_domain', `
-	allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
-			getaddrsize pause unpause trigger shutdown destroy
-			setaffinity setdomainmaxmem getscheduler resume
-			setpodtarget getpodtarget getpagingmempool setpagingmempool };
-	allow $1 $2:domain2 { set_vnumainfo dt_overlay get_domain_state };
+	allow $1 $2:domain {
+		getdomaininfo
+		getvcpuinfo
+		getaffinity
+		getaddrsize
+		pause
+		unpause
+		trigger
+		shutdown
+		destroy
+		setaffinity
+		setdomainmaxmem
+		getscheduler
+		resume
+		setpodtarget
+		getpodtarget
+		getpagingmempool
+		setpagingmempool
+	};
+	allow $1 $2:domain2 {
+		set_vnumainfo
+		dt_overlay
+		get_domain_state
+	};
 ')
=20
 # migrate_domain_out(priv, target)
@@ -103,11 +181,27 @@ define(`manage_domain', `
 #   (inbound migration is the same as domain creation)
 define(`migrate_domain_out', `
 	allow $1 domxen_t:mmu map_read;
-	allow $1 $2:hvm { gethvmc getparam };
-	allow $1 $2:mmu { stat pageinfo map_read };
-	allow $1 $2:domain { getaddrsize getvcpucontext pause destroy };
+	allow $1 $2:hvm {
+		gethvmc
+		getparam
+	};
+	allow $1 $2:mmu {
+		stat
+		pageinfo
+		map_read
+	};
+	allow $1 $2:domain {
+		getaddrsize
+		getvcpucontext
+		pause
+		destroy
+	};
 	allow $1 $2:domain2 gettsc;
-	allow $1 $2:shadow { enable disable logdirty };
+	allow $1 $2:shadow {
+		enable
+		disable
+		logdirty
+	};
 ')
=20
 ##########################################################################=
######
@@ -120,8 +214,14 @@ define(`migrate_domain_out', `
 #   This allows an event channel to be created from domains with labels
 #   <source> to <dest> and will label it <chan-label>
 define(`create_channel', `
-	allow $1 $3:event { create send status };
-	allow $3 $2:event { bind };
+	allow $1 $3:event {
+		create
+		send
+		status
+	};
+	allow $3 $2:event {
+		bind
+	};
 ')
=20
 # domain_event_comms(dom1, dom2)
@@ -135,8 +235,18 @@ define(`domain_event_comms', `
 #   Allow two domain types to communicate using grants and event channels
 define(`domain_comms', `
 	domain_event_comms($1, $2)
-	allow $1 $2:grant { map_read map_write copy unmap };
-	allow $2 $1:grant { map_read map_write copy unmap };
+	allow $1 $2:grant {
+		map_read
+		map_write
+		copy
+		unmap
+	};
+	allow $2 $1:grant {
+		map_read
+		map_write
+		copy
+		unmap
+	};
 ')
=20
 # domain_self_comms(domain)
@@ -144,7 +254,12 @@ define(`domain_comms', `
 #   and event channels
 define(`domain_self_comms', `
 	create_channel($1, $1_self, $1_channel)
-	allow $1 $1_self:grant { map_read map_write copy unmap };
+	allow $1 $1_self:grant {
+		map_read
+		map_write
+		copy
+		unmap
+	};
 ')
=20
 # device_model(dm_dom, hvm_dom)
@@ -159,9 +274,23 @@ define(`device_model', `
 	create_channel($2, $1, $2_channel)
 	allow $1 $2_channel:event create;
=20
-	allow $1 $2_target:domain { getdomaininfo shutdown };
-	allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack };
-	allow $1 $2_target:hvm { getparam setparam hvmctl dm };
+	allow $1 $2_target:domain {
+		getdomaininfo
+		shutdown
+	};
+	allow $1 $2_target:mmu {
+		map_read
+		map_write
+		adjust
+		physmap
+		target_hack
+	};
+	allow $1 $2_target:hvm {
+		getparam
+		setparam
+		hvmctl
+		dm
+	};
 	allow $1 $2_target:domain2 resource_map;
 ')
=20
@@ -184,7 +313,10 @@ define(`make_device_model', `
 define(`use_device_iommu', `
 	allow $1 $1_self:mmu exchange;
 	allow $1 $2:resource use_iommu;
-	allow $1 domio_t:mmu { map_read map_write };
+	allow $1 domio_t:mmu {
+		map_read
+		map_write
+	};
 ')
=20
 # use_device_iommu_nointremap(domain, device)
@@ -194,8 +326,14 @@ define(`use_device_iommu', `
 #   Allows acceptance of (typically older) less isolating hardware.
 define(`use_device_iommu_nointremap', `
 	allow $1 $1_self:mmu exchange;
-	allow $1 $2:resource { use_iommu use_iommu_nointremap };
-	allow $1 domio_t:mmu { map_read map_write };
+	allow $1 $2:resource {
+		use_iommu
+		use_iommu_nointremap
+	};
+	allow $1 domio_t:mmu {
+		map_read
+		map_write
+	};
 ')
=20
 # use_device_noiommu(domain, device)
@@ -203,14 +341,34 @@ define(`use_device_iommu_nointremap', `
 #   even without an IOMMU available.
 define(`use_device_noiommu', `
 	allow $1 $1_self:mmu exchange;
-	allow $1 $2:resource { use_iommu use_iommu_nointremap use_noiommu };
-	allow $1 domio_t:mmu { map_read map_write };
+	allow $1 $2:resource {
+		use_iommu
+		use_iommu_nointremap
+		use_noiommu
+	};
+	allow $1 domio_t:mmu {
+		map_read
+		map_write
+	};
 ')
=20
 # admin_device(domain, device)
 #   Allow a device to be used and delegated by a domain
 define(`admin_device', `
-	allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add=
_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
+	allow $1 $2:resource {
+		setup
+		stat_device
+		add_device
+		add_irq
+		add_iomem
+		add_ioport
+		remove_device
+		remove_irq
+		remove_iomem
+		remove_ioport
+		plug
+		unplug
+	};
 	allow $1 $2:hvm bind_irq;
 	use_device_noiommu($1, $2)
 ')
@@ -218,5 +376,8 @@ define(`admin_device', `
 # delegate_devices(priv-domain, target-domain)
 #   Allow devices to be delegated
 define(`delegate_devices', `
-	allow $1 $2:resource { add remove };
+	allow $1 $2:resource {
+		add
+		remove
+	};
 ')
diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules=
/xen.te
index de98206fdd89..1427f81b0d7b 100644
--- a/tools/flask/policy/modules/xen.te
+++ b/tools/flask/policy/modules/xen.te
@@ -52,7 +52,11 @@ type device_t, resource_type;
=20
 # Domain destruction can result in some access checks for actions performe=
d by
 # the hypervisor.  These should always be allowed.
-allow xen_t resource_type : resource { remove_irq remove_ioport remove_iom=
em };
+allow xen_t resource_type : resource {
+	remove_irq
+	remove_ioport
+	remove_iomem
+};
=20
 ##########################################################################=
######
 #
@@ -65,15 +69,26 @@ allow xen_t resource_type : resource { remove_irq remov=
e_ioport remove_iomem };
 ##########################################################################=
######
=20
 # Domains must be declared using domain_type
-neverallow * ~domain_type:domain { create transition };
+neverallow * ~domain_type:domain {
+	create
+	transition
+};
=20
 # Resources must be declared using resource_type
-neverallow * ~resource_type:resource { use use_iommu use_iommu_nointremap
-                                       use_noiommu };
+neverallow * ~resource_type:resource {
+	use
+	use_iommu
+	use_iommu_nointremap
+	use_noiommu
+};
=20
 # Events must use event_type (see create_channel for a template)
 neverallow ~event_type *:event bind;
-neverallow * ~event_type:event { create send status };
+neverallow * ~event_type:event {
+	create
+	send
+	status
+};
=20
 ##########################################################################=
######
 #
diff --git a/tools/flask/policy/modules/xenstore.te b/tools/flask/policy/mo=
dules/xenstore.te
index 49de53ebe2a5..776c2748698e 100644
--- a/tools/flask/policy/modules/xenstore.te
+++ b/tools/flask/policy/modules/xenstore.te
@@ -19,7 +19,11 @@ allow xenstore_t domain_type:domain2 get_domain_state;
 # rule between xenstore_t and every domain type that talks to xenstore
 create_channel(xenstore_t, domain_type, xenstore_t_channel)
 allow event_type xenstore_t: event bind;
-allow xenstore_t domain_type:grant { map_read map_write unmap };
+allow xenstore_t domain_type:grant {
+	map_read
+	map_write
+	unmap
+};
=20
 # Xenstore is a utility domain, so it should use the system role
 role system_r types xenstore_t;
--=20
2.39.5