[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] [XSM][FLASK] basic documentation and a type cast error for x86_64
# HG changeset patch # User Keir Fraser <keir.fraser@xxxxxxxxxx> # Date 1234517638 0 # Node ID 766b3763ad1b9b9af67de41cebdcd14739da7b70 # Parent 67d9d2a4b98851250836954d290f0735f1641d37 [XSM][FLASK] basic documentation and a type cast error for x86_64 - A simple txt howto based on previous list discussions and observations - A oneliner patch to address a compiler type cast error for x86_64 Signed-off-by: George S. Coker, II <gscoker@xxxxxxxxxxxxxx> --- docs/misc/xsm-flask.txt | 148 ++++++++++++++++++++++++++++++++++++++++++++ xen/xsm/flask/ss/policydb.c | 4 - 2 files changed, 150 insertions(+), 2 deletions(-) diff -r 67d9d2a4b988 -r 766b3763ad1b docs/misc/xsm-flask.txt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/docs/misc/xsm-flask.txt Fri Feb 13 09:33:58 2009 +0000 @@ -0,0 +1,148 @@ +These notes are compiled from xen-devel questions and postings that have occured +since the inclusion of XSM. These notes are not intended to be definitive +documentation but should address many common problems that arrise when +experimenting with XSM:FLASK. + +Xen XSM:FLASK configuration +--------------------------- + +1) cd xen-unstable.hg +2) edit Config.mk in the toplevel xen directory as follows: + + XSM_ENABLE ?= y + FLASK_ENABLE ?= y + ACM_SECURITY ?= n + +NB: Only one security module can be selected at a time. If no module is +selected, then the default DUMMY module will be enforced. The DUMMY module +only exercises the security framework and does not enforce any security +policies. Changing the security module selection will require recompiling xen. +These settings will also configure the corresponding toolchain support. + +3) make xen +4) make tools + + +Xen XSM:FLASK policy +-------------------- + +These instructions will enable the configuration and build of the sample policy. +The sample policy provides the MINIMUM policy necessary to boot a +paravirtualized dom0 and create a paravirtualized domU. Many of the +default capabilities and usages supported by dom0/domU are disallowed by the +sample policy. Further, the policy is comprised of a limited number of types and +must be adjusted to meet the specific security goals of the installation. +Modification of the policy is straightforward and is covered in a later section. + +NB: The policy is not automatically built as part of the tool support because +of an external dependancy on the checkpolicy compiler. The FLASK policy uses +the same syntax and structure as SELinux and compiling the policy relies on +the SELinux policy toolchain. This toolchain is available under many +distributions as well as the following URL, + + http://userspace.selinuxproject.org/releases/20080909/stable/checkpolicy-1.34.7.tar.gz + +1) cd xen-unstable.hg/tools/flask/policy +2) make policy +3) cp policy.20 /boot/xenpolicy.20 +4) edit /etc/grub.conf, add a module line to the xen entry, + + module /xenpolicy.20 + +5) reboot, and select the updated xen entry + +NB: The module entry can be inserted on any line after the xen kernel line. Typical +configurations use the last module entry or the module entry that immediately +follows the xen kernel entry. + +Xen configuration of xend +------------------------- + +1) cd /etc/xen +2) edit xend-config.sxp +3) uncomment the line containing the key:value pair entry, + + #(xsm_module_name dummy) + +4) change the value entry to 'flask' + + (xsm_module_name flask) + +5) restart xend + +Creating policy controlled domains +---------------------------------- + +2) Edit the domain config file and add the following entry, + + access_control = ["policy=,label=system_u:object_r:domU_t"] + +NB: The 'policy' field is not used by XSM:FLASK. The 'label' must exist in the +loaded policy. 'system_u:object_r:domU_t' is one of the existing labels from +the sample policy and shown for example purposes. + +2) Create the domain using the 'xm create' command. +3) Use the 'xm list -l' command to list the running domains and their labels. + +Updating the XSM:FLASK policy +----------------------------- + +It is recommended that the XSM:FLASK policy be tailored to meet the specific +security goals of the platform. The policy is tailored by editing the xen.te +file in the 'policy' subdirectory. + +1) cd xen-unstable.hg/tools/flask/policy +2) edit policy/modules/xen/xen.te - make changes to support platform security goals. +3) make policy +4) cp policy.20 /boot/xenpolicy.20 +5) reboot + +Alternatively, one may reload the policy using the 'flask_loadpolicy' tool +installed by the xen tools. + +1) flask_loadpolicy policy.20 + +NB: The sample policy permits policy reloads as well as general manipulation of +the Flask security server only from dom0. The policy can be tailored further to +restrict policy reloads and other manipulations to boot-time only, by removing +the corresponding statements from the policy. + +Enforcing the XSM:FLASK policy +------------------------------ + +By default, XSM:FLASK is compiled and installed in permissive mode. This +configuration will allow an XSM:FLASK system to start in enforcing mode. + +1) edit /etc/grub.conf +2) append the parameter 'flask_enforcing=1' to the xen kernel line. +3) reboot, and select the updated xen entry + + +Additional notes on XSM:FLASK +----------------------------- + +1) xen command line parameters + + a) flask_enforcing + + The default value for flask_enforcing is '0'. This parameter causes the + platform to boot in permissive mode which means that the policy is loaded + but not enforced. This mode is often helpful for developing new systems + and policies as the policy violations are reported on the xen console and + may be viewed in dom0 through 'xm dmesg'. + + To boot the platform into enforcing mode, which means that the policy is + loaded and enforced, append 'flask_enforcing=1' on the grub line. + + This parameter may also be changed through the flask hyercall. + + b) flask_enabled + + The default value for flask_enabled is '1'. This parameter causes the + platform to enable the FLASK security module under the XSM framework. + The parameter may be enabled/disabled only once per boot. If the parameter + is set to '0', only a reboot can re-enable flask. When flask_enabled is '0' + the DUMMY module is enforced. + + This parameter may also be changed through the flask hypercall. But may + only be performed once per boot. diff -r 67d9d2a4b988 -r 766b3763ad1b xen/xsm/flask/ss/policydb.c --- a/xen/xsm/flask/ss/policydb.c Fri Feb 13 09:32:02 2009 +0000 +++ b/xen/xsm/flask/ss/policydb.c Fri Feb 13 09:33:58 2009 +0000 @@ -1515,8 +1515,8 @@ int policydb_read(struct policydb *p, vo if ( len != strlen(POLICYDB_STRING) ) { printk(KERN_ERR "security: policydb string length %d does not " - "match expected length %Zu\n", - len, (u32) strlen(POLICYDB_STRING)); + "match expected length %lu\n", + len, strlen(POLICYDB_STRING)); goto bad; } policydb_str = xmalloc_array(char, len + 1); _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |