This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-changelog] [xen-unstable] [XSM][FLASK] basic documentation and a ty

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] [XSM][FLASK] basic documentation and a type cast error for x86_64
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 13 Feb 2009 07:50:13 -0800
Delivery-date: Fri, 13 Feb 2009 07:50:09 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1234517638 0
# Node ID 766b3763ad1b9b9af67de41cebdcd14739da7b70
# Parent  67d9d2a4b98851250836954d290f0735f1641d37
[XSM][FLASK] basic documentation and a type cast error for x86_64

  - A simple txt howto based on previous list discussions and observations
  - A oneliner patch to address a compiler type cast error for x86_64

Signed-off-by: George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
 docs/misc/xsm-flask.txt     |  148 ++++++++++++++++++++++++++++++++++++++++++++
 xen/xsm/flask/ss/policydb.c |    4 -
 2 files changed, 150 insertions(+), 2 deletions(-)

diff -r 67d9d2a4b988 -r 766b3763ad1b docs/misc/xsm-flask.txt
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/docs/misc/xsm-flask.txt   Fri Feb 13 09:33:58 2009 +0000
@@ -0,0 +1,148 @@
+These notes are compiled from xen-devel questions and postings that have 
+since the inclusion of XSM.  These notes are not intended to be definitive
+documentation but should address many common problems that arrise when
+experimenting with XSM:FLASK.
+Xen XSM:FLASK configuration
+1) cd xen-unstable.hg
+2) edit Config.mk in the toplevel xen directory as follows:
+       XSM_ENABLE ?= y
+       FLASK_ENABLE ?= y
+       ACM_SECURITY ?= n
+NB: Only one security module can be selected at a time.  If no module is
+selected, then the default DUMMY module will be enforced.  The DUMMY module
+only exercises the security framework and does not enforce any security
+policies.  Changing the security module selection will require recompiling xen.
+These settings will also configure the corresponding toolchain support.  
+3) make xen
+4) make tools
+Xen XSM:FLASK policy
+These instructions will enable the configuration and build of the sample 
+The sample policy provides the MINIMUM policy necessary to boot a
+paravirtualized dom0 and create a paravirtualized domU.  Many of the 
+default capabilities and usages supported by dom0/domU are disallowed by the
+sample policy.  Further, the policy is comprised of a limited number of types 
+must be adjusted to meet the specific security goals of the installation. 
+Modification of the policy is straightforward and is covered in a later 
+NB: The policy is not automatically built as part of the tool support because 
+of an external dependancy on the checkpolicy compiler.  The FLASK policy uses 
+the same syntax and structure as SELinux and compiling the policy relies on 
+the SELinux policy toolchain.  This toolchain is available under many 
+distributions as well as the following URL,
+1) cd xen-unstable.hg/tools/flask/policy
+2) make policy
+3) cp policy.20 /boot/xenpolicy.20
+4) edit /etc/grub.conf, add a module line to the xen entry,
+       module /xenpolicy.20
+5) reboot, and select the updated xen entry
+NB: The module entry can be inserted on any line after the xen kernel line.  
+configurations use the last module entry or the module entry that immediately 
+follows the xen kernel entry.
+Xen configuration of xend
+1) cd /etc/xen
+2) edit xend-config.sxp
+3) uncomment the line containing the key:value pair entry, 
+       #(xsm_module_name dummy)
+4) change the value entry to 'flask'
+       (xsm_module_name flask)
+5) restart xend
+Creating policy controlled domains
+2) Edit the domain config file and add the following entry,
+       access_control = ["policy=,label=system_u:object_r:domU_t"]
+NB: The 'policy' field is not used by XSM:FLASK.  The 'label' must exist in 
+loaded policy. 'system_u:object_r:domU_t' is one of the existing labels from 
+the sample policy and shown for example purposes.
+2) Create the domain using the 'xm create' command.
+3) Use the 'xm list -l' command to list the running domains and their labels.
+Updating the XSM:FLASK policy
+It is recommended that the XSM:FLASK policy be tailored to meet the specific
+security goals of the platform.  The policy is tailored by editing the xen.te 
+file in the 'policy' subdirectory.
+1) cd xen-unstable.hg/tools/flask/policy
+2) edit policy/modules/xen/xen.te - make changes to support platform security 
+3) make policy
+4) cp policy.20 /boot/xenpolicy.20
+5) reboot
+Alternatively, one may reload the policy using the 'flask_loadpolicy' tool
+installed by the xen tools.
+1) flask_loadpolicy policy.20
+NB: The sample policy permits policy reloads as well as general manipulation of
+the Flask security server only from dom0.  The policy can be tailored further 
+restrict policy reloads and other manipulations to boot-time only, by removing 
+the corresponding statements from the policy.
+Enforcing the XSM:FLASK policy
+By default, XSM:FLASK is compiled and installed in permissive mode.  This
+configuration will allow an XSM:FLASK system to start in enforcing mode.
+1) edit /etc/grub.conf
+2) append the parameter 'flask_enforcing=1' to the xen kernel line.
+3) reboot, and select the updated xen entry
+Additional notes on XSM:FLASK
+1) xen command line parameters
+       a) flask_enforcing
+       The default value for flask_enforcing is '0'.  This parameter causes 
+       platform to boot in permissive mode which means that the policy is 
+       but not enforced.  This mode is often helpful for developing new 
+       and policies as the policy violations are reported on the xen console 
+       may be viewed in dom0 through 'xm dmesg'.
+       To boot the platform into enforcing mode, which means that the policy is
+       loaded and enforced, append 'flask_enforcing=1' on the grub line.
+       This parameter may also be changed through the flask hyercall.
+       b) flask_enabled
+       The default value for flask_enabled is '1'.  This parameter causes the
+       platform to enable the FLASK security module under the XSM framework.
+       The parameter may be enabled/disabled only once per boot.  If the 
+       is set to '0', only a reboot can re-enable flask.  When flask_enabled 
is '0'
+       the DUMMY module is enforced.
+       This parameter may also be changed through the flask hypercall.  But may
+       only be performed once per boot.
diff -r 67d9d2a4b988 -r 766b3763ad1b xen/xsm/flask/ss/policydb.c
--- a/xen/xsm/flask/ss/policydb.c       Fri Feb 13 09:32:02 2009 +0000
+++ b/xen/xsm/flask/ss/policydb.c       Fri Feb 13 09:33:58 2009 +0000
@@ -1515,8 +1515,8 @@ int policydb_read(struct policydb *p, vo
     if ( len != strlen(POLICYDB_STRING) )
         printk(KERN_ERR "security:  policydb string length %d does not "
-               "match expected length %Zu\n",
-               len, (u32) strlen(POLICYDB_STRING));
+               "match expected length %lu\n",
+               len, strlen(POLICYDB_STRING));
         goto bad;
     policydb_str = xmalloc_array(char, len + 1);

Xen-changelog mailing list

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-unstable] [XSM][FLASK] basic documentation and a type cast error for x86_64, Xen patchbot-unstable <=