From: Anshul Makkar <anshul.makkar@citrix.com>
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Daniel De Graaf <dgdegra@tycho.nsa.gov>,
Ian Jackson <Ian.Jackson@citrix.com>,
"jbeulich@suse.com" <jbeulich@suse.com>
Cc: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
"cardoe@cardoe.com" <cardoe@cardoe.com>,
Andrew Cooper <Andrew.Cooper3@citrix.com>
Subject: Re: [PATCH] flask: change default state to enforcing
Date: Tue, 15 Mar 2016 14:48:42 +0000 [thread overview]
Message-ID: <465aec1f25a84187b9c386f6040a87cd@AMSPEX02CL03.citrite.net> (raw)
In-Reply-To: <20160310191225.GC18675@char.us.oracle.com>
-----Original Message-----
From: Xen-devel [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Konrad Rzeszutek Wilk
Sent: 10 March 2016 19:12
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>; Ian Jackson <Ian.Jackson@citrix.com>; jbeulich@suse.com
Cc: xen-devel@lists.xenproject.org; cardoe@cardoe.com; Andrew Cooper <Andrew.Cooper3@citrix.com>
Subject: Re: [Xen-devel] [PATCH] flask: change default state to enforcing
On Thu, Mar 10, 2016 at 01:30:29PM -0500, Daniel De Graaf wrote:
I've added Ian and Jan on the email as scripts/get_maintainer.pl spits out their names (Oddly not yours?)
> The previous default of "permissive" is meant for developing or
> debugging a disaggregated system. However, this default makes it too
> easy to accidentally boot a machine in this state, which does not
> place any restrictions on guests. This is not suitable for normal
> systems because any guest can perform any operation (including
> operations like rebooting the machine, kexec, and reading or writing
> another domain's memory).
>
> This change will cause the boot to fail if you do not specify an XSM
> policy during boot; if you need to load a policy from dom0, use the
> "flask=late" boot parameter.
>
> Originally by Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>; modified
> to also change the default value of flask_enforcing so that the policy
> is not still in permissive mode. This also removes the (no longer
> documented) command line argument directly changing that variable
> since it has been superseded by the flask= parameter.
>
Reviwed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> .. however:
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ---
>
> docs/misc/xen-command-line.markdown | 2 +-
> docs/misc/xsm-flask.txt | 12 ++++++------
> xen/xsm/flask/flask_op.c | 8 +++++---
> 3 files changed, 12 insertions(+), 10 deletions(-)
>
> diff --git a/docs/misc/xen-command-line.markdown
> b/docs/misc/xen-command-line.markdown
> index ca77e3b..9e77f8a 100644
> --- a/docs/misc/xen-command-line.markdown
> +++ b/docs/misc/xen-command-line.markdown
> @@ -662,7 +662,7 @@ to use the default.
> ### flask
> > `= permissive | enforcing | late | disabled`
>
> -> Default: `permissive`
> +> Default: `enforcing`
>
> Specify how the FLASK security server should be configured. This
> option is only available if the hypervisor was compiled with XSM
> support (which can be enabled diff --git a/docs/misc/xsm-flask.txt
> b/docs/misc/xsm-flask.txt index fb2fe9f..00a2b13 100644
> --- a/docs/misc/xsm-flask.txt
> +++ b/docs/misc/xsm-flask.txt
> @@ -283,12 +283,12 @@ for passthrough, run:
>
> This command must be rerun on each boot or after any policy reload.
>
> -The example policy was only tested with simple domain creation and
> may be -missing rules allowing accesses by dom0 or domU when a number
> of hypervisor -features are used. When first loading or writing a
> policy, you should run FLASK -in permissive mode (the default) and
> check the Xen logs (xl dmesg) for AVC -denials before using it in
> enforcing mode (flask_enforcing=1 on the command -line, or xl setenforce).
> +When first loading or writing a policy, you should run FLASK in
> +permissive mode (flask=permissive on the command line) and check the
> +Xen logs (xl dmesg) for AVC denials before using it in enforcing mode
> +(the default value of the boot parameter, which can also be changed
> +using xl setenforce). When using the default types for domains
> +(domU_t), the example policy shipped with Xen should allow the same operations on or between domains as when not using FLASK.
>
>
> MLS/MCS policy
> diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c index
> f4f5dd1..cdb462c 100644
> --- a/xen/xsm/flask/flask_op.c
> +++ b/xen/xsm/flask/flask_op.c
> @@ -25,12 +25,11 @@
> #define _copy_to_guest copy_to_guest
> #define _copy_from_guest copy_from_guest
>
> -enum flask_bootparam_t __read_mostly flask_bootparam =
> FLASK_BOOTPARAM_PERMISSIVE;
> +enum flask_bootparam_t __read_mostly flask_bootparam =
> +FLASK_BOOTPARAM_ENFORCING;
> static void parse_flask_param(char *s); custom_param("flask",
> parse_flask_param);
>
> -bool_t __read_mostly flask_enforcing = 0;
> -boolean_param("flask_enforcing", flask_enforcing);
> +bool_t __read_mostly flask_enforcing = 1;
Since you set that to the default value should the parse_flask_param 'flask_enforcing = 1' for the 'enforcing' and 'late' be removed?
(If you agree, the committer could do it).
>
> #define MAX_POLICY_SIZE 0x4000000
>
> @@ -76,7 +75,10 @@ static void __init parse_flask_param(char *s)
> else if ( !strcmp(s, "disabled") )
> flask_bootparam = FLASK_BOOTPARAM_DISABLED;
> else if ( !strcmp(s, "permissive") )
> + {
> + flask_enforcing = 0;
> flask_bootparam = FLASK_BOOTPARAM_PERMISSIVE;
> + }
> else
> flask_bootparam = FLASK_BOOTPARAM_INVALID; }
> --
> 2.5.0
>
There is no need to explicitly set flask_enforcing=0.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-03-15 15:04 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-09 1:51 XSM permissive by default Konrad Rzeszutek Wilk
2016-03-09 2:11 ` Doug Goldstein
2016-03-09 13:24 ` Andrew Cooper
2016-03-09 21:17 ` Konrad Rzeszutek Wilk
2016-03-09 22:09 ` Daniel De Graaf
2016-03-10 2:40 ` Doug Goldstein
2016-03-10 17:10 ` Konrad Rzeszutek Wilk
2016-03-10 17:34 ` Doug Goldstein
2016-03-10 17:44 ` Andrew Cooper
2016-03-10 18:30 ` [PATCH] flask: change default state to enforcing Daniel De Graaf
2016-03-10 19:12 ` Konrad Rzeszutek Wilk
2016-03-10 19:37 ` Daniel De Graaf
2016-03-15 14:48 ` Anshul Makkar [this message]
2016-03-11 9:07 ` Jan Beulich
2016-03-11 14:58 ` Konrad Rzeszutek Wilk
2016-03-11 15:39 ` Daniel De Graaf
2016-03-11 15:43 ` Jan Beulich
2016-03-11 15:51 ` Daniel De Graaf
2016-04-04 17:12 ` XSM permissive by default Ian Jackson
2016-04-05 8:03 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=465aec1f25a84187b9c386f6040a87cd@AMSPEX02CL03.citrite.net \
--to=anshul.makkar@citrix.com \
--cc=Andrew.Cooper3@citrix.com \
--cc=Ian.Jackson@citrix.com \
--cc=cardoe@cardoe.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=jbeulich@suse.com \
--cc=konrad.wilk@oracle.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).