WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

[Xen-devel][Xense-devel][PATCH][XSM][2/4] Xen Security Modules Flask Mod

To: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel][Xense-devel][PATCH][XSM][2/4] Xen Security Modules Flask Module
From: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
Date: Thu, 08 Mar 2007 10:28:47 -0500
This patch implements the Flask XSM module.  The security architecture
provided by Flask is similar to the security architecture found in
SELinux, but Flask has undergone Xen nativization.  The Flask module
implements a security function for each of the XSM hooks.  A development
policy will be provided in a separate post.

This patch default-enables Flask.  Additional configuration of Flask may
be done in Config.mk through the parameters FLASK_ENABLE, FLASK_DEVELOP,
FLASK_BOOTPARAM, and FLASK_AVC_STATS.

FLASK_ENABLE enables/disables the Flask module.  FLASK_DEVELOP
enables/disables the ability to set the enforcing status of Xen through
boot parameters passed to Xen.  If FLASK_DEVELOP is enabled, pass
flask_enforcing=1/0 to enable/disable policy enforcement in the Flask
module.  This patch sets flask_enforcing=0 which leaves Flask in
permissive mode.

FLASK_BOOTPARAM enables/disables the ability to enable/disable loading
of the Flask module at boot.  If FLASK_BOOTPARAM is enabled, pass
flask_enabled=1/0 to enable/disable the Flask module at boot.  Default
is flask_enabled=1 which causes the Flask module to be loaded.
flask_enabled=0 will cause the dummy module to be loaded. 

FLASK_AVC_STATS enables/disables the ability to report cache stats for
Flask.  The default is FLASK_AVC_STATS enabled.  The values of the cache
stats can be read through the Flask's security hypercall.  The tool
chain to use the Flask hypercall is presently incomplete.

Policies can be written using the SELinux policy grammar and toolchain
> 1.19 (policy version 20).  Fedora Core 5 and later versions have the
appropriate toolchain.  The compiled policy must be listed as one of the
bootloader modules after the dom0 kernel.

N.B.  XSM cannot have more than one module enabled at compile time.

Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>

Attachment: flask-xsm-030707-xen-14282.diff
Description: Text Data
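Added illustration (editor's example, not part of this post or of the
attached patch): how the Config.mk switches and the boot parameters
described above fit together in a GRUB (legacy menu.lst) entry.  The first
entry mirrors what the patch ships by default (Flask loaded, permissive);
the second turns enforcement on.  The compiled policy is passed as a
module listed after the dom0 kernel and initrd, as the post requires.  The
y/n value syntax for the Config.mk parameters, all file paths and names
(/boot/xen.gz, vmlinuz-dom0, initrd-dom0, xen.policy), and the GRUB device
are assumptions and must be adjusted to the local build and install.

```text
# --- Config.mk (assumed y/n syntax; names are those named in the post) ---
FLASK_ENABLE    = y   # build the Flask XSM module (only one XSM module may be enabled)
FLASK_DEVELOP   = y   # honour flask_enforcing=0/1 on the Xen command line
FLASK_BOOTPARAM = y   # honour flask_enabled=0/1 on the Xen command line
FLASK_AVC_STATS = y   # expose AVC cache statistics via the Flask hypercall

# --- /boot/grub/menu.lst (assumed paths) ---

# Entry 1: the patch's default behaviour. Flask is loaded but permissive,
# so policy denials are logged and NOT enforced. Useful while developing
# the policy; not a security boundary.
title Xen (Flask, permissive)
    root (hd0,0)
    kernel /boot/xen.gz flask_enabled=1 flask_enforcing=0
    module /boot/vmlinuz-dom0 root=/dev/sda2 ro console=tty0
    module /boot/initrd-dom0
    module /boot/xen.policy        # compiled policy, listed AFTER the dom0 kernel

# Entry 2: same layout, but denials are enforced. Boot this only once the
# policy has been exercised under entry 1 without unexpected denials.
title Xen (Flask, enforcing)
    root (hd0,0)
    kernel /boot/xen.gz flask_enabled=1 flask_enforcing=1
    module /boot/vmlinuz-dom0 root=/dev/sda2 ro console=tty0
    module /boot/initrd-dom0
    module /boot/xen.policy

# Fallback: flask_enabled=0 makes Xen load the dummy module instead of
# Flask, so a broken policy can be bypassed without rebuilding Xen.
title Xen (XSM dummy module)
    root (hd0,0)
    kernel /boot/xen.gz flask_enabled=0
    module /boot/vmlinuz-dom0 root=/dev/sda2 ro console=tty0
    module /boot/initrd-dom0
```

Two practitioner caveats follow directly from the post: flask_enforcing and
flask_enabled only take effect if FLASK_DEVELOP and FLASK_BOOTPARAM were
enabled at build time, so a production build that leaves FLASK_BOOTPARAM
off cannot be downgraded to the dummy module from the boot line; and since
the default build boots permissive, an operator who wants enforcement must
set flask_enforcing=1 explicitly rather than rely on the default.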

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel