
[Xen-devel] [Xense-devel][RFC][PATCH][3/4] Xen Security Modules: Flask module



The attached patch introduces the Flask XSM module.  The security
architecture provided by Flask is similar to the security architecture
found in SELinux, but Flask has undergone Xen nativization.  The Flask
XSM module is a work in progress.

The patch should apply cleanly to changeset 9694:d82a4c4d04d4 Xen
3.0.2-3 after application of the previous XSM patch from this series.

This patch default-enables Flask.  Additional configuration of Flask may
be done in Config.mk through the parameters FLASK_ENABLE, FLASK_DEVELOP,
FLASK_BOOTPARAM, and FLASK_AVC_STATS.

FLASK_ENABLE enables/disables the Flask module.  FLASK_DEVELOP
enables/disables the ability to set the enforcing status of Xen through
boot parameters passed to Xen.  If FLASK_DEVELOP is enabled, pass
flask_enforcing=1/0 to enable/disable enforcement in the Flask module.
This patch sets flask_enforcing=0 which leaves Flask in permissive mode.

FLASK_BOOTPARAM enables/disables the ability to enable/disable loading
of the Flask module at boot.  If FLASK_BOOTPARAM is enabled, pass
flask_enabled=1/0 to enable/disable the Flask module at boot.  Default
is flask_enabled=1 which causes the Flask module to be loaded.
flask_enabled=0 will cause the Dummy module to be loaded. 

FLASK_AVC_STATS enables/disables the ability to report cache stats for
Flask.  The default is FLASK_AVC_STATS enabled.  The values of the cache
stats can be read through the Flask's security hypercall.  The tool
chain to use the Flask hypercall is presently incomplete.

Policies can be written using the SELinux policy grammar and toolchain > 1.19
(policy version 20 and higher).  Fedora Core 5 and later versions
have the appropriate toolchain.  The compiled policy must be listed as
one of the bootloader modules after the dom0 kernel.

N.B.  XSM cannot have more than one module enabled at compile time.  It
is also untested to apply this patch at the same time as the previous
ACM patch.  Subsequent releases of XSM will remedy these issues.

Attachment: flask-xsm-xen-3.0.2-3.diff
Description: Text Data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
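The boot-time settings the mail describes (flask_enabled and flask_enforcing on the hypervisor command line, and the compiled policy listed as a bootloader module after the dom0 kernel) are easy to get subtly wrong, so they are worth checking mechanically. The shell script below is an added example, not part of the patch or of Xen itself. It assumes GRUB legacy menu.lst syntax (a "kernel" line for the hypervisor and "module" lines with the dom0 kernel first) and uses "xenpolicy.20" as a placeholder name for the compiled policy; the two stanzas are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original patch mail or of Xen: sanity-check a
# GRUB legacy menu.lst stanza that boots Xen with the Flask XSM module.
# Assumptions: the legacy "kernel <hypervisor>" / "module <file>" syntax, the
# first "module" line being the dom0 kernel, and "xenpolicy.20" as a
# placeholder name for the compiled policy.

# check_flask_stanza <stanza text> <policy file basename>
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.
check_flask_stanza() {
    stanza=$1
    policy=$2
    rc=0

    # The "kernel" line carries the hypervisor and its boot parameters.
    xen_line=$(printf '%s\n' "$stanza" | grep -E '^[[:space:]]*kernel[[:space:]]' | head -n 1)
    if [ -z "$xen_line" ]; then
        echo "FAIL: no 'kernel' line for the hypervisor"
        return 1
    fi

    # flask_enabled=0 (honoured when FLASK_BOOTPARAM is set) loads the Dummy module.
    case " $xen_line " in
        *" flask_enabled=0 "*)
            echo "FAIL: flask_enabled=0 boots the Dummy module, not Flask"; rc=1 ;;
    esac

    # Only flask_enforcing=1 (honoured when FLASK_DEVELOP is set) leaves permissive mode.
    case " $xen_line " in
        *" flask_enforcing=1 "*) echo "OK: Flask is enforcing" ;;
        *) echo "FAIL: flask_enforcing=1 not set, Flask stays permissive"; rc=1 ;;
    esac

    # Module order: the compiled policy must come after the dom0 kernel module.
    module_lines=$(printf '%s\n' "$stanza" | grep -nE '^[[:space:]]*module[[:space:]]' || true)
    dom0_pos=$(printf '%s\n' "$module_lines" | head -n 1 | cut -d: -f1)
    policy_pos=$(printf '%s\n' "$module_lines" | grep -F "$policy" | head -n 1 | cut -d: -f1)
    if [ -z "$dom0_pos" ]; then
        echo "FAIL: no 'module' line, so no dom0 kernel is loaded"; return 1
    elif [ -z "$policy_pos" ]; then
        echo "FAIL: policy '$policy' is not listed as a module"; rc=1
    elif [ "$policy_pos" -le "$dom0_pos" ]; then
        echo "FAIL: policy '$policy' is listed before the dom0 kernel"; rc=1
    else
        echo "OK: policy '$policy' follows the dom0 kernel"
    fi
    return $rc
}

# Constructed sample stanzas (placeholder paths, no real system).
GOOD_STANZA='title Xen 3.0.2 with Flask enforcing
    root (hd0,0)
    kernel /boot/xen.gz flask_enabled=1 flask_enforcing=1
    module /boot/vmlinuz-xen root=/dev/sda1 ro
    module /boot/initrd-xen.img
    module /boot/xenpolicy.20'

PERMISSIVE_STANZA='title Xen 3.0.2, Flask permissive and policy misplaced
    root (hd0,0)
    kernel /boot/xen.gz flask_enabled=1 flask_enforcing=0
    module /boot/xenpolicy.20
    module /boot/vmlinuz-xen root=/dev/sda1 ro
    module /boot/initrd-xen.img'

echo "--- good stanza"
check_flask_stanza "$GOOD_STANZA" xenpolicy.20 || echo "(checks failed)"
echo "--- permissive stanza"
check_flask_stanza "$PERMISSIVE_STANZA" xenpolicy.20 || echo "(checks failed)"
```

The enforcing check deliberately fails rather than warns: with this patch's default of flask_enforcing=0, Flask only logs denials, so a stanza that omits flask_enforcing=1 gives no protection even though the module is loaded and the policy is present.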
