From mboxrd@z Thu Jan 1 00:00:00 1970
From: Doug Goldstein
Subject: Re: XSM permissive by default.
Date: Wed, 9 Mar 2016 20:40:05 -0600
Message-ID: <56E0DE85.7000805@cardoe.com>
References: <20160309015100.GA5420@localhost.localdomain> <56E023FF.1020706@citrix.com> <20160309211735.GA28919@char.us.oracle.com> <56E09F20.7090601@tycho.nsa.gov>
In-Reply-To: <56E09F20.7090601@tycho.nsa.gov>
To: Daniel De Graaf, Konrad Rzeszutek Wilk, Andrew Cooper
Cc: xen-devel@lists.xenproject.org
List-Id: xen-devel@lists.xenproject.org
On 3/9/16 4:09 PM, Daniel De Graaf wrote:
> On 03/09/2016 04:17 PM, Konrad Rzeszutek Wilk wrote:
>> On Wed, Mar 09, 2016 at 01:24:15PM +0000, Andrew Cooper wrote:
>>> On 09/03/16 01:51, Konrad Rzeszutek Wilk wrote:
>>>> Hey,
>>>>
>>>> I was wondering if we should change the default flask_bootparam
>>>> option from permissive to disabled?
>>>
>>> By the looks of it, "permissive" shouldn't be an available option at
>>> all.
>
> Permissive is meant for developing (or debugging) a disaggregated system,
> where the restrictions on non-dom0 would also break the system. However,
> I agree that it needs to be harder to end up in this mode by accident.
>
> The simplest solution in my opinion is to change the boot parameter to
> default to "flask=enforcing", which will fail the boot if a policy is
> not available prior to dom0 creation. This would require any setup
> where the policy is loaded from userspace to explicitly specify
> "flask=late", whereas they can currently get away with no parameter.
>
> Another solution would be to default to "flask=late" and either deny the
> creation of domains if a policy is not present, or automatically revert
> to the dummy module on domain creation with no loaded policy. The latter
> probably deserves a different name ("flask=auto"?).
>

Honestly I'm in favor of a secure-by-default approach. Since Xen is not
built with flask by default, to me the sane approach would be to default
the system to "flask=enforcing".
"flask=late" not allowing the creation of domains sounds good, but what
if you're using a disaggregated dom0 with some domDs and one of them
needs to be up to fetch your policy? Just a hypothetical. XSMs, like
LSMs, just aren't meant to be swapped around at runtime, and as Daniel
points out, if we go down the road of swapping to the dummy module there
could be further dragons, and who's to say someone won't look at that
and put something in that allows you to switch to another later on (yes,
I know there's only really one, but I'm speaking of the hypothetical).

-- 
Doug Goldstein
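Added example, not from the thread or the Xen tree: a small sh audit that reads the flask= parameter off the hypervisor command line (assumed to be available as the xen_commandline field of `xl info`; the sample output below is constructed) and reports the effective mode, treating an absent parameter as the permissive default the thread describes.

```shell
#!/bin/sh
# Audit helper (added example). Classifies the flask= boot parameter
# discussed in the thread: "enforcing" or "late" is what a hardened host
# should run; "permissive", "disabled" or no parameter at all is flagged.

# flask_mode CMDLINE -> prints the effective flask mode.
# The last flask= token wins; absence means the compiled-in default,
# which the thread states is "permissive".
flask_mode() {
    mode=""
    for tok in $1; do
        case "$tok" in
            flask=*) mode="${tok#flask=}" ;;
        esac
    done
    printf '%s\n' "${mode:-permissive}"
}

# flask_verdict CMDLINE -> "ok" for enforcing or late (policy loaded from
# userspace), otherwise "weak:<mode>" so a caller can alert on it.
flask_verdict() {
    m=$(flask_mode "$1")
    case "$m" in
        enforcing|late) echo "ok" ;;
        *) echo "weak:$m" ;;
    esac
}

# cmdline_from_xl_info -> extracts the xen_commandline value from
# `xl info` style text given on stdin.
cmdline_from_xl_info() {
    sed -n 's/^xen_commandline *: *//p'
}

# Constructed sample of `xl info` output (not captured from a real host).
SAMPLE_INFO='host                   : xen-host-example
xen_version            : 4.6.1
xen_commandline        : dom0_mem=1024M flask=permissive loglvl=all
'

cl=$(printf '%s' "$SAMPLE_INFO" | cmdline_from_xl_info)
echo "effective flask mode: $(flask_mode "$cl")"
echo "verdict: $(flask_verdict "$cl")"
```

On a live host the same check is `xl info | cmdline_from_xl_info` fed into flask_verdict.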