Re: [PATCH] libxl: assigned a default ssid_label (XSM label) to guests

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Ian Campbell <ian.campbell@citrix.com>
Cc: Julien Grall <julien.grall@citrix.com>,
	ian.jackson@eu.citrix.com, wei.liu2@citrix.com,
	xen-devel@lists.xen.org
Subject: Re: [PATCH] libxl: assigned a default ssid_label (XSM label) to guests
Date: Mon, 18 May 2015 18:37:32 -0400	[thread overview]
Message-ID: <555A69AC.6080603@tycho.nsa.gov> (raw)
In-Reply-To: <1431952728.4944.51.camel@citrix.com>

On 05/18/2015 08:38 AM, Ian Campbell wrote:
> On Fri, 2015-05-15 at 10:39 +0100, Ian Campbell wrote:
>>> The header file defining these SIDs is buried in the hypervisor source
>>> tree (xen/xsm/flask/include/flask.h) and is only generated during a build
>>> with XSM enabled.  It may be simpler to define the value in a shared header
>>> and add a BUILD_BUG_ON somewhere in the flask code to check for mismatches.
>>
>> I was about to ask about this. Short of a pretty serious change to the
>> build a BUILD_BUG_ON seems like a reasonable approach.
>
> To what extent is a user's customized (e.g. potentially clean room
> implemented) policy required to match what goes on here? I suspect the
> answer is "fully" and that any custom policy must therefore use exactly
> the policy/security_classes and policy/initial_sids as was used when Xen
> was built.

When rewriting the security policy, xen/xsm/flask/policy/initial_sids is
expected to remain unchanged, while tools/flask/policy/policy/initial_sids
can be modified to suit the types defined in the rewritten policy.  This
applies to all the files split between the two directories.

> If this coupling already exists then I see no particular harm in
> extending it to the tools as well, although I think I might see about
> making the header available for checking even in non-xsm builds (since I
> don't really want to add an xsm compile time option to the tools, nor to
> rely on the xsm builds catching errors for non-xsm usage).
>
> BTW, I seem to have two of each of security_classes and initial_sids in
> my tree, one in tools/flask/policy/policy/ and the other in
> xen/xsm/flask/policy/ and they appear to differ.
>
> The xen initial_sids appears to be derived from the tools one, whereas
> security_classes looks different.

The security_classes and access_vectors in the local policy (tools/...)
are intended to be used by components outside the hypervisor that do not
implement their own security policy.  The current example policy defines
a class for xenstore permissions, but since xenstore does not actually
use this, it is just an example.

-- 
Daniel De Graaf
National Security Agency

next prev parent reply	other threads:[~2015-05-18 22:37 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-14 10:33 [PATCH] libxl: assigned a default ssid_label (XSM label) to guests Ian Campbell
2015-05-14 11:21 ` Julien Grall
2015-05-14 11:54   ` Ian Campbell
2015-05-14 14:18     ` Julien Grall
2015-05-14 23:09     ` Daniel De Graaf
2015-05-15  9:39       ` Ian Campbell
2015-05-15 17:09         ` Daniel De Graaf
2015-05-18 10:56           ` Ian Campbell
2015-05-18 12:38         ` Ian Campbell
2015-05-18 22:37           ` Daniel De Graaf [this message]
2015-05-19 10:43             ` Ian Campbell
2015-05-14 11:58 ` Wei Liu
2015-05-14 12:32   ` Ian Campbell
2015-05-14 12:39     ` Wei Liu
2015-05-14 14:05       ` Julien Grall
2015-05-14 14:11         ` Ian Campbell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=555A69AC.6080603@tycho.nsa.gov \
    --to=dgdegra@tycho.nsa.gov \
    --cc=ian.campbell@citrix.com \
    --cc=ian.jackson@eu.citrix.com \
    --cc=julien.grall@citrix.com \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.