This module implements a simple, embedded domain specific language to create Components, privilage descriptions and labels from conjunctions of principal disjunctions.

A DCLabel consists of a secrecy Component and an integrity Component. The %% operator allows one to construct a DCLabel by joining a secrecy Component (on the left) with an integrity Component on the right. This is similar to dcLabel, except that the arguments can also be instances of ToComponent. For example, the following expresses data that can be exported by the principal "Alice" and written by anybody: "Alice" %% True. (The component True or dcTrue indicates a trivially satisfiable label component, which in this case means a label with no integrity guarantees.)

A Component or DCPrivDesc is created using the (\/) and (/\) operators. The disjunction operator (\/) is used to create a Clause from Principals, ByteStrings, or a disjunctive sub-expression. For example:

     p1 = principal "p1"
     p2 = principal "p2"
     p3 = principal "p3"
     e1 = p1 \/ p2
     e2 = e1 \/ "p4"

Similarly, the conjunction operator (/\) is used to create category-sets from Principals, ByteStrings, and conjunctive or disjunctive sub-expressions. For example:

     e3 = p1 \/ p2
     e4 = e1 /\ "p4" /\ p3

Note that because a clause consists of a disjunction of principals, and a component is composed of the conjunction of categories, (\/) binds more tightly than (/\).

Given two Components, one for secrecy and one for integrity, you can create a DCLabel with dcLabel. Given a DCPriv and DCPrivDesc you can create a new minted privilege with dcDelegatePriv.

Consider the following, example:

l1 = "Alice" \/ "Bob" /\ "Carla"
l2 = "Alice" /\ "Carla"
dc1 = dcLabel l1 l2
dc2 = dcLabel (toComponent "Djon") (toComponent "Alice")
pr = PrivTCB $ toComponent $ "Alice" /\ "Carla"

This will result in the following:

>>> dc1
"Carla" /\ ("Alice" \/ "Bob") %% "Alice" /\ "Carla"
>>> dc2
"Djon" %% "Alice"
>>> canFlowTo dc1 dc2
False
>>> canFlowToP pr dc1 dc2
True