[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] flask: create unified "flask=" boot parameter
commit b5f90278f5a5c9658a481a99f6a18bf4badba616 Author: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> AuthorDate: Tue Mar 10 13:50:24 2015 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Mar 10 13:50:24 2015 +0100 flask: create unified "flask=" boot parameter This unifies the flask_enforcing and flask_enabled boot parameters into a single parameter with additional states. Defined options are: enforcing - require policy to be loaded at boot time and enforce it permissive - a missing or broken policy does not panic disabled - revert to dummy (no XSM) policy. Was flask_enabled=0 late - bootloader policy is not used; later loadpolicy is enforcing The default mode remains "permissive" and the flask_enforcing boot parameter is retained for compatibility. If flask_enforcing=1 is specified and flask= is not, the bootloader policy will be loaded in enforcing mode if present, but errors will disable access controls until a successful loadpolicy instead of causing a panic at boot. Suggested-by: Julien Grall <julien.grall@xxxxxxxxxx> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- docs/man/xl.pod.1 | 4 ++-- docs/misc/xen-command-line.markdown | 30 +++++++++++++++++++++++++----- docs/misc/xsm-flask.txt | 29 ----------------------------- xen/xsm/flask/flask_op.c | 34 ++++++++++++++++++++++++++++++---- xen/xsm/flask/hooks.c | 32 +++++++++++++++++++++++--------- xen/xsm/flask/include/avc.h | 2 +- xen/xsm/flask/include/security.h | 10 +++++++++- 7 files changed, 90 insertions(+), 51 deletions(-) diff --git a/docs/man/xl.pod.1 b/docs/man/xl.pod.1 index cd80ffc..198ee2b 100644 --- a/docs/man/xl.pod.1 +++ b/docs/man/xl.pod.1 @@ -1441,8 +1441,8 @@ Determine if the FLASK security module is loaded and enforcing its policy. =item B<setenforce> I<1|0|Enforcing|Permissive> Enable or disable enforcing of the FLASK access controls. The default is -permissive and can be changed using the flask_enforcing option on the -hypervisor's command line. +permissive, but this can be changed to enforcing by specifying "flask=enforcing" +or "flask=late" on the hypervisor's command line. =item B<loadpolicy> I<policy-file> diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index e125212..5044da1 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -638,11 +638,31 @@ hardware domain is architecture dependent. Note that specifying zero as domU value means zero, while for dom0 it means to use the default. -### flask\_enabled -> `= <integer>` - -### flask\_enforcing -> `= <integer>` +### flask +> `= permissive | enforcing | late | disabled` + +> Default: `permissive` + +Specify how the FLASK security server should be configured. This option is only +available if the hypervisor was compiled with XSM support (which can be enabled +by setting XSM\_ENABLE = y in .config). + +* `permissive`: This is intended for development and is not suitable for use + with untrusted guests. If a policy is provided by the bootloader, it will be + loaded; errors will be reported to the ring buffer but will not prevent + booting. The policy can be changed to enforcing mode using "xl setenforce". +* `enforcing`: This requires a security policy to be provided by the bootloader + and will enter enforcing mode prior to the creation of domain 0. If a valid + policy is not provided, the hypervisor will not continue booting. +* `late`: This disables loading of the security policy from the bootloader. + FLASK will be enabled but will not enforce access controls until a policy is + loaded by a domain using "xl loadpolicy". Once a policy is loaded, FLASK will + run in enforcing mode unless "xl setenforce" has changed that setting. +* `disabled`: This causes the XSM framework to revert to the dummy module. The + dummy module provides the same security policy as is used when compiling the + hypervisor without support for XSM. The xsm\_op hypercall can also be used to + switch to this mode after boot, but there is no way to re-enable FLASK once + the dummy module is loaded. ### font > `= <height>` where height is `8x8 | 8x14 | 8x16` diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt index 9559028..ab05913 100644 --- a/docs/misc/xsm-flask.txt +++ b/docs/misc/xsm-flask.txt @@ -396,32 +396,3 @@ the ranges being denied to more easily determine what resources are required. When running in permissive mode, only the first denial of a given source/destination is printed to the log, so labeling devices using this method may require multiple passes to find all required ranges. - -Additional notes on XSM:FLASK ------------------------------ - -1) xen command line parameters - - a) flask_enforcing - - The default value for flask_enforcing is '0'. This parameter causes the - platform to boot in permissive mode which means that the policy is loaded - but not enforced. This mode is often helpful for developing new systems - and policies as the policy violations are reported on the xen console and - may be viewed in dom0 through 'xl dmesg'. - - To boot the platform into enforcing mode, which means that the policy is - loaded and enforced, append 'flask_enforcing=1' on the grub line. - - This parameter may also be changed through the flask hypercall. - - b) flask_enabled - - The default value for flask_enabled is '1'. This parameter causes the - platform to enable the FLASK security module under the XSM framework. - The parameter may be enabled/disabled only once per boot. If the parameter - is set to '0', only a reboot can re-enable flask. When flask_enabled is '0' - the DUMMY module is enforced. - - This parameter may also be changed through the flask hypercall. But may - only be performed once per boot. diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c index 0e89360..84c7fec 100644 --- a/xen/xsm/flask/flask_op.c +++ b/xen/xsm/flask/flask_op.c @@ -24,11 +24,12 @@ #define _copy_to_guest copy_to_guest #define _copy_from_guest copy_from_guest -int flask_enforcing = 0; -integer_param("flask_enforcing", flask_enforcing); +enum flask_bootparam_t __read_mostly flask_bootparam = FLASK_BOOTPARAM_PERMISSIVE; +static void parse_flask_param(char *s); +custom_param("flask", parse_flask_param); -int flask_enabled = 1; -integer_param("flask_enabled", flask_enabled); +bool_t __read_mostly flask_enforcing = 0; +boolean_param("flask_enforcing", flask_enforcing); #define MAX_POLICY_SIZE 0x4000000 @@ -60,6 +61,26 @@ extern int ss_initialized; extern struct xsm_operations *original_ops; +static void __init parse_flask_param(char *s) +{ + if ( !strcmp(s, "enforcing") ) + { + flask_enforcing = 1; + flask_bootparam = FLASK_BOOTPARAM_ENFORCING; + } + else if ( !strcmp(s, "late") ) + { + flask_enforcing = 1; + flask_bootparam = FLASK_BOOTPARAM_LATELOAD; + } + else if ( !strcmp(s, "disabled") ) + flask_bootparam = FLASK_BOOTPARAM_DISABLED; + else if ( !strcmp(s, "permissive") ) + flask_bootparam = FLASK_BOOTPARAM_PERMISSIVE; + else + flask_bootparam = FLASK_BOOTPARAM_INVALID; +} + static int domain_has_security(struct domain *d, u32 perms) { struct domain_security_struct *dsec; @@ -502,6 +523,7 @@ static int flask_security_load(struct xen_flask_load *load) { int ret; void *buf = NULL; + bool_t is_reload = ss_initialized; ret = domain_has_security(current->domain, SECURITY__LOAD_POLICY); if ( ret ) @@ -526,6 +548,10 @@ static int flask_security_load(struct xen_flask_load *load) if ( ret ) goto out; + if ( !is_reload ) + printk(XENLOG_INFO "Flask: Policy loaded, continuing in %s mode.\n", + flask_enforcing ? "enforcing" : "permissive"); + xfree(bool_pending_values); bool_pending_values = NULL; ret = 0; diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index dad5deb..05dafed 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1628,15 +1628,23 @@ static struct xsm_operations flask_ops = { static __init void flask_init(void) { - int ret = 0; + int ret = -ENOENT; - if ( !flask_enabled ) + switch ( flask_bootparam ) { - printk("Flask: Disabled at boot.\n"); + case FLASK_BOOTPARAM_DISABLED: + printk(XENLOG_INFO "Flask: Disabled at boot.\n"); return; - } - printk("Flask: Initializing.\n"); + case FLASK_BOOTPARAM_PERMISSIVE: + case FLASK_BOOTPARAM_ENFORCING: + case FLASK_BOOTPARAM_LATELOAD: + break; + + case FLASK_BOOTPARAM_INVALID: + default: + panic("Flask: Invalid value for flask= boot parameter.\n"); + } avc_init(); @@ -1644,12 +1652,18 @@ static __init void flask_init(void) if ( register_xsm(&flask_ops) ) panic("Flask: Unable to register with XSM"); - ret = security_load_policy(policy_buffer, policy_size); + if ( policy_size && flask_bootparam != FLASK_BOOTPARAM_LATELOAD ) + ret = security_load_policy(policy_buffer, policy_size); + + if ( ret && flask_bootparam == FLASK_BOOTPARAM_ENFORCING ) + panic("Unable to load FLASK policy"); - if ( flask_enforcing ) - printk("Flask: Starting in enforcing mode.\n"); + if ( ret ) + printk(XENLOG_INFO "Flask: Access controls disabled until policy is loaded.\n"); + else if ( flask_enforcing ) + printk(XENLOG_INFO "Flask: Starting in enforcing mode.\n"); else - printk("Flask: Starting in permissive mode.\n"); + printk(XENLOG_INFO "Flask: Starting in permissive mode.\n"); } xsm_initcall(flask_init); diff --git a/xen/xsm/flask/include/avc.h b/xen/xsm/flask/include/avc.h index a00a6eb..c7a99fc 100644 --- a/xen/xsm/flask/include/avc.h +++ b/xen/xsm/flask/include/avc.h @@ -17,7 +17,7 @@ #include "av_permissions.h" #include "security.h" -extern int flask_enforcing; +extern bool_t flask_enforcing; /* * An entry in the AVC. diff --git a/xen/xsm/flask/include/security.h b/xen/xsm/flask/include/security.h index dea0143..d07bae0 100644 --- a/xen/xsm/flask/include/security.h +++ b/xen/xsm/flask/include/security.h @@ -35,7 +35,15 @@ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE #define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY -extern int flask_enabled; +enum flask_bootparam_t { + FLASK_BOOTPARAM_PERMISSIVE, + FLASK_BOOTPARAM_ENFORCING, + FLASK_BOOTPARAM_LATELOAD, + FLASK_BOOTPARAM_DISABLED, + FLASK_BOOTPARAM_INVALID, +}; + +extern enum flask_bootparam_t flask_bootparam; extern int flask_mls_enabled; int security_load_policy(void * data, size_t len); -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |