[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] xsm: also panic upon "flask=enforcing" when XSM_FLASK=n

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Fri, 29 May 2020 11:34:40 +0200
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Paul Durrant <paul@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>, Daniel de Graaf <dgdegra@xxxxxxxxxxxxx>
Delivery-date: Fri, 29 May 2020 09:34:54 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

While the behavior to ignore this option without FLASK support was
properly documented, it is still somewhat surprising to someone using
this option and then still _not_ getting the assumed security. Add a
2nd handler for the command line option for the XSM_FLASK=n case, and
invoke panic() when the option is specified (and not subsequently
overridden by "flask=disabled").

Suggested-by: Ian Jackson <ian.jackson@xxxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -998,8 +998,9 @@ to use the default.
 > Default: `enforcing`
 
 Specify how the FLASK security server should be configured.  This option is 
only
-available if the hypervisor was compiled with FLASK support.  This can be
-enabled by running either:
+available if the hypervisor was compiled with FLASK support, except that
+`flask=enforcing` will still keep the hypervisor from successfully booting even
+without FLASK support.  FLASK support can be enabled by running either:
 - make -C xen config and enabling XSM and FLASK.
 - make -C xen menuconfig and enabling 'FLux Advanced Security Kernel support' 
and 'Xen Security Modules support'
 
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -211,7 +211,33 @@ int __init register_xsm(struct xsm_opera
     return 0;
 }
 
-#endif
+#endif /* CONFIG_XSM */
+
+#ifndef CONFIG_XSM_FLASK
+static bool __initdata _flask_enforcing;
+
+static int __init parse_flask_param(const char *s)
+{
+    if ( !strcmp(s, "enforcing") )
+        _flask_enforcing = true;
+    else if ( !strcmp(s, "disabled") )
+        _flask_enforcing = false;
+    else
+        return -EINVAL;
+
+    return 0;
+}
+custom_param("flask", parse_flask_param);
+
+static int __init check_flask_enforcing(void)
+{
+    if ( _flask_enforcing )
+        panic("\"flask=enforcing\" specified without FLASK support\n");
+
+    return 0;
+}
+__initcall(check_flask_enforcing);
+#endif /* !CONFIG_XSM_FLASK */
 
 long do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
 {

Follow-Ups:
- Re: [PATCH] xsm: also panic upon "flask=enforcing" when XSM_FLASK=n
  - From: Andrew Cooper

Prev by Date: [xen-unstable-smoke test] 150465: regressions - trouble: blocked/fail
Next by Date: Re: [RFC PATCH 1/1] xen: Use a global mapping for runstate
Previous by thread: [xen-unstable-smoke test] 150465: regressions - trouble: blocked/fail
Next by thread: Re: [PATCH] xsm: also panic upon "flask=enforcing" when XSM_FLASK=n
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.