[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel][Xense-devel][PATCH][XSM][2/4] Xen Security Modules Flask Module



This patch implements the Flask XSM module.  The security architecture
provided by Flask is similar to the security architecture found in
SELinux, but Flask has undergone Xen nativization.  The Flask module
implements a security function for each of the XSM hooks.  A development
policy will be provided in a separate post.

This patch default-enables Flask.  Additional configuration of Flask may
be done in Config.mk through the parameters FLASK_ENABLE, FLASK_DEVELOP,
FLASK_BOOTPARAM, and FLASK_AVC_STATS.

FLASK_ENABLE enables/disables the Flask module.  FLASK_DEVELOP
enables/disables the ability to set the enforcing status of Xen through
boot parameters passed to Xen.  If FLASK_DEVELOP is enabled, pass
flask_enforcing=1/0 to enable/disable policy enforcement in the Flask
module.  This patch sets flask_enforcing=0 which leaves Flask in
permissive mode.

FLASK_BOOTPARAM enables/disables the ability to enable/disable loading
of the Flask module at boot.  If FLASK_BOOTPARAM is enabled, pass
flask_enabled=1/0 to enable/disable the Flask module at boot.  Default
is flask_enabled=1 which causes the Flask module to be loaded.
flask_enabled=0 will cause the dummy module to be loaded. 

FLASK_AVC_STATS enables/disables the ability to report cache stats for
Flask.  The default is FLASK_AVC_STATS enabled.  The values of the cache
stats can be read through the Flask's security hypercall.  The tool
chain to use the Flask hypercall is presently incomplete.

Policies can be written using the SELinux policy grammar and toolchain 
> 1.19 (policy version 20).  Fedora Core 5 and later versions
have the appropriate toolchain.  The compiled policy must be listed as
one of the bootloader modules after the dom0 kernel.

N.B.  XSM cannot have more than one module enabled at compile time.

Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>

Attachment: flask-xsm-030707-xen-14282.diff
Description: Text Data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.