Re: [Xen-devel] XSM permissive by default.
On Wed, Mar 09, 2016 at 01:24:15PM +0000, Andrew Cooper wrote:
> On 09/03/16 01:51, Konrad Rzeszutek Wilk wrote:
> > Hey,
> >
> > I was wondering if we should change the default flask_bootparam
> > option from permissive to disabled?
> >
> > The reason being is that I was startled to see that my xSplice
> > code was able to patch the hypervisor from within a PV guest!
> >
> > Further testing showed that I could do 'xl debug-keys R' from
> > within the guests. This being possible with released 4.6 if I have
> > XSM enabled.
> >
> > All of this is due to the fact that I had forgotten to load the policy,
> > but Xen just told me:
> >
> > Flask: Access controls disabled until policy is loaded.
> >
> > which is an understatement. I somehow had expected that if no
> > policy was loaded it would revert to the dummy one which has the
> > same permission as the non-XSM build. Ha! What a surprise..
> >
> > Now that the XSM is enabled via config it becomes much more
> > easy to enable it..
> >
> > Or perhaps change the code to flask so that if there are any

s/flask/dummy/

> > errors loading the policy it uses the dummy one?
>
> By the looks of it, "permissive" shouldn't be an available option at all.
>
> If a misconfiguration occurs, the behaviour should revert back to the
> current "dom0 all powerful, everything else unprivileged" state which
> currently exists without XSM.

Looking deeper in the code I believe it should be possible to swap
from the 'flask_ops' to the 'dummy_ops' (which is what you have
without XSM) if there is a failure during booting to load the policy
file (or the person simply forgot to include it).

However it was not clear to me whether changing the ops from dummy_ops
to flask_ops during runtime (when the policy is being loaded) would work.
It looks like it should be possible as FLASK_DISABLE does it..

Or whether one can FLASK_LOAD if the ops are dummy_ops instead of
flask_ops.

I will try to spin out a patch for this next week.
>
> ~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
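The fail-open versus fail-closed choice discussed in the message above, as an added example that is not part of the original post and is not Xen source code. All names (`ops_model`, `select_ops`, `try_priv_op`) are hypothetical, and the "policy lookup" is a stand-in that simply denies unprivileged domains.

```c
/* Added illustration: hypothetical names, not Xen source code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct domain { int domid; bool is_privileged; };

/* One hook stands in for the whole table: may d perform a privileged op? */
struct ops_model { int (*priv_op)(const struct domain *d); };

static bool policy_loaded;   /* true once a policy has been loaded */

/* Non-XSM behaviour: dom0 all powerful, everything else unprivileged. */
static int dummy_priv_op(const struct domain *d) { return d->is_privileged ? 0 : -EPERM; }

/* Flask-like hook in permissive mode: with no policy, nothing is denied. */
static int flask_priv_op(const struct domain *d)
{
    if (!policy_loaded)
        return 0;
    return d->is_privileged ? 0 : -EPERM;  /* assumed stand-in for a policy lookup */
}

static const struct ops_model dummy_ops_model = { dummy_priv_op };
static const struct ops_model flask_ops_model = { flask_priv_op };

/* Boot-time choice; fall_back models the proposal made in the thread. */
static const struct ops_model *select_ops(bool have_policy, bool fall_back)
{
    policy_loaded = have_policy;
    if (!have_policy && fall_back)
        return &dummy_ops_model;           /* fail closed to non-XSM semantics */
    return &flask_ops_model;
}

/* Result of a privileged operation attempted by the given domain. */
int try_priv_op(int domid, bool have_policy, bool fall_back)
{
    struct domain d = { domid, domid == 0 };  /* constructed: only dom0 privileged */
    return select_ops(have_policy, fall_back)->priv_op(&d);
}

int main(void)
{
    printf("guest, no policy, permissive flask: %d\n", try_priv_op(5, false, false));
    printf("guest, no policy, dummy fallback:   %d\n", try_priv_op(5, false, true));
    printf("dom0,  no policy, dummy fallback:   %d\n", try_priv_op(0, false, true));
    return 0;
}
```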