From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel De Graaf Subject: Re: [PATCH 2/2] flask: create unified "flask=" boot parameter Date: Fri, 06 Mar 2015 13:53:19 -0500 Message-ID: <54F9F79F.9040605@tycho.nsa.gov> References: <1425402019-6270-1-git-send-email-dgdegra@tycho.nsa.gov> <1425402019-6270-3-git-send-email-dgdegra@tycho.nsa.gov> <20150306122238.GM12103@zion.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Format="flowed" Content-Transfer-Encoding: 7bit Return-path: Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTxNi-0008Vc-6t for xen-devel@lists.xenproject.org; Fri, 06 Mar 2015 18:53:54 +0000 In-Reply-To: <20150306122238.GM12103@zion.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Wei Liu Cc: xen-devel@lists.xenproject.org, julien.grall@linaro.org, ian.campbell@citrix.com List-Id: xen-devel@lists.xenproject.org On 03/06/2015 07:22 AM, Wei Liu wrote: > On Tue, Mar 03, 2015 at 12:00:19PM -0500, Daniel De Graaf wrote: > [...] >> diff --git a/docs/man/xl.pod.1 b/docs/man/xl.pod.1 >> index 6b89ba8..48b8f98 100644 >> --- a/docs/man/xl.pod.1 >> +++ b/docs/man/xl.pod.1 >> @@ -1441,8 +1441,8 @@ Determine if the FLASK security module is loaded and enforcing its policy. >> =item B I<1|0|Enforcing|Permissive> >> >> Enable or disable enforcing of the FLASK access controls. The default is >> -permissive and can be changed using the flask_enforcing option on the >> -hypervisor's command line. >> +permissive, but this can be changed to enforcing by specifying "flask=enforcing" >> +or "flask=late" on the hypervisor's command line. >> > > This part looks good to me. > >> =item B I >> >> diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt >> index 9559028..efe8d50 100644 >> --- a/docs/misc/xsm-flask.txt >> +++ b/docs/misc/xsm-flask.txt >> @@ -400,28 +400,26 @@ may require multiple passes to find all required ranges. >> Additional notes on XSM:FLASK >> ----------------------------- >> >> -1) xen command line parameters >> - >> - a) flask_enforcing >> - >> - The default value for flask_enforcing is '0'. This parameter causes the >> - platform to boot in permissive mode which means that the policy is loaded >> - but not enforced. This mode is often helpful for developing new systems >> - and policies as the policy violations are reported on the xen console and >> - may be viewed in dom0 through 'xl dmesg'. >> - >> - To boot the platform into enforcing mode, which means that the policy is >> - loaded and enforced, append 'flask_enforcing=1' on the grub line. >> - >> - This parameter may also be changed through the flask hypercall. >> - >> - b) flask_enabled >> - >> - The default value for flask_enabled is '1'. This parameter causes the >> - platform to enable the FLASK security module under the XSM framework. >> - The parameter may be enabled/disabled only once per boot. If the parameter >> - is set to '0', only a reboot can re-enable flask. When flask_enabled is '0' >> - the DUMMY module is enforced. >> - >> - This parameter may also be changed through the flask hypercall. But may >> - only be performed once per boot. >> +The xen command line accepts these values for the "flask=" parameter: >> + >> + * permissive [default] >> + This is intended for development and is not suitable for use with untrusted >> + guests. If a policy is provided by the bootloader, it will be loaded; >> + errors will be reported to the ring buffer but will not prevent booting. >> + The policy can be changed to enforcing mode using "xl setenforce". >> + * force or enforcing >> + This requires a security policy to be provided by the bootloader and will >> + enable enforcing prior to the creation of domain 0. If a valid policy is >> + not provided, the hypervisor will not continue booting. >> + * late >> + This disabled loading of the security policy from the bootloader. FLASK >> + will be enabled but will not enforce access controls until a policy is >> + loaded by a domain using "xl loadpolicy" or similar commands. Once a >> + policy is loaded, FLASK will run in enforcing mode unless "xl setenforce" >> + has disabled this. >> + * disabled >> + This causes the XSM framework to revert to the dummy module. The dummy >> + module provides the same security policy as is used when compiling the >> + hypervisor without support for XSM. The xsm_op hypercall can be used to >> + switch to this mode after boot, but there is no way to re-enable FLASK >> + once the dummy module is loaded. >> diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c >> index 0e89360..8db9b1e 100644 >> --- a/xen/xsm/flask/flask_op.c >> +++ b/xen/xsm/flask/flask_op.c >> @@ -24,11 +24,12 @@ >> #define _copy_to_guest copy_to_guest >> #define _copy_from_guest copy_from_guest >> >> -int flask_enforcing = 0; >> -integer_param("flask_enforcing", flask_enforcing); >> +int __read_mostly flask_bootparam = FLASK_BOOTPARAM_DEFAULT; >> +static void parse_flask_param(char *s); >> +custom_param("flask", parse_flask_param); >> >> -int flask_enabled = 1; >> -integer_param("flask_enabled", flask_enabled); > > I am of the opinion that we need to support old syntax. I don't know if > anyone is actually using xsm given the status it is in, so my opinion is > not very strong. > > Wei. This does support the old syntax for flask_enforcing, which is the more important/used of the two options. The flask_enabled option is only used to disable XSM without recompiling the hypervisor; since enabling XSM is not the default, I expect most people who do not use XSM will simply not enable it at compile time. It would not be hard to add another custom_param hook for flask_enabled to support the old syntax, if anyone thinks it is needed. -- Daniel De Graaf National Security Agency