From patchwork Wed Apr 6 19:35:59 2016
X-Patchwork-Submitter: Daniel De Graaf
X-Patchwork-Id: 8765111
From: Daniel De Graaf
To: xen-devel@lists.xenproject.org
Date: Wed, 6 Apr 2016 15:35:59 -0400
Message-Id: <1459971359-5902-1-git-send-email-dgdegra@tycho.nsa.gov>
X-Mailer: git-send-email 2.5.5
Cc: andrew.cooper3@citrix.com, Daniel De Graaf, cardoe@cardoe.com, Ian.Jackson@eu.citrix.com
Subject: [Xen-devel] [PATCH v2] flask: change default state to enforcing

The previous default of "permissive" is meant for developing or debugging a disaggregated system. However, this default makes it too easy to accidentally boot a machine in this state, which does not place any restrictions on guests. This is not suitable for normal systems because any guest can perform any operation (including operations like rebooting the machine, kexec, and reading or writing another domain's memory). This change will cause the boot to fail if you do not specify an XSM policy during boot; if you need to load a policy from dom0, use the "flask=late" boot parameter.

Original patch by Konrad Rzeszutek Wilk; modified to also change the default value of flask_enforcing so that the policy is not still in permissive mode. This also removes the (no longer documented) command line argument directly changing that variable since it has been superseded by the flask= parameter.
Signed-off-by: Daniel De Graaf --- Changes from v1: move the setting of flask_enforcing to flask_init instead of needing to set and reset it in parse_flask_param. docs/misc/xen-command-line.markdown | 2 +- docs/misc/xsm-flask.txt | 12 ++++++------ xen/xsm/flask/flask_op.c | 11 ++--------- xen/xsm/flask/hooks.c | 3 +++ 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index ca77e3b..9e77f8a 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -662,7 +662,7 @@ to use the default. ### flask > `= permissive | enforcing | late | disabled` -> Default: `permissive` +> Default: `enforcing` Specify how the FLASK security server should be configured. This option is only available if the hypervisor was compiled with XSM support (which can be enabled diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt index fb2fe9f..00a2b13 100644 --- a/docs/misc/xsm-flask.txt +++ b/docs/misc/xsm-flask.txt 
@@ -283,12 +283,12 @@ for passthrough, run: This command must be rerun on each boot or after any policy reload. -The example policy was only tested with simple domain creation and may be -missing rules allowing accesses by dom0 or domU when a number of hypervisor -features are used. When first loading or writing a policy, you should run FLASK -in permissive mode (the default) and check the Xen logs (xl dmesg) for AVC -denials before using it in enforcing mode (flask_enforcing=1 on the command -line, or xl setenforce). +When first loading or writing a policy, you should run FLASK in permissive mode +(flask=permissive on the command line) and check the Xen logs (xl dmesg) for AVC +denials before using it in enforcing mode (the default value of the boot +parameter, which can also be changed using xl setenforce). When using the +default types for domains (domU_t), the example policy shipped with Xen should +allow the same operations on or between domains as when not using FLASK. MLS/MCS policy diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c index 3c9c99e..ea903a7 100644 --- a/xen/xsm/flask/flask_op.c +++ b/xen/xsm/flask/flask_op.c @@ -25,12 +25,11 @@ #define _copy_to_guest copy_to_guest #define _copy_from_guest copy_from_guest -enum flask_bootparam_t __read_mostly flask_bootparam = FLASK_BOOTPARAM_PERMISSIVE; +enum flask_bootparam_t __read_mostly flask_bootparam = FLASK_BOOTPARAM_ENFORCING; static void parse_flask_param(char *s); custom_param("flask", parse_flask_param); -bool_t __read_mostly flask_enforcing = 0; -boolean_param("flask_enforcing", flask_enforcing); +bool_t __read_mostly flask_enforcing = 1; #define MAX_POLICY_SIZE 0x4000000 
@@ -64,15 +63,9 @@ extern struct xsm_operations *original_ops; static void __init parse_flask_param(char *s) { if ( !strcmp(s, "enforcing") ) - { - flask_enforcing = 1; flask_bootparam = FLASK_BOOTPARAM_ENFORCING; - } else if ( !strcmp(s, "late") ) - { - flask_enforcing = 1; flask_bootparam = FLASK_BOOTPARAM_LATELOAD; - } else if ( !strcmp(s, "disabled") ) flask_bootparam = FLASK_BOOTPARAM_DISABLED; else if ( !strcmp(s, "permissive") ) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 1eaec58..118c3e6 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1845,6 +1845,9 @@ static __init void flask_init(void) return; case FLASK_BOOTPARAM_PERMISSIVE: + flask_enforcing = 0; + break; + case FLASK_BOOTPARAM_ENFORCING: case FLASK_BOOTPARAM_LATELOAD: break;
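Review bot: the xen-command-line.markdown hunk only flips the Default line from `permissive` to `enforcing`, but the commit message says the boot now fails when no policy module is supplied unless `flask=late` is given, and that consequence belongs in this entry next to the new default (one sentence such as "With the default, boot fails if no XSM policy is provided; use `flask=late` to load one from dom0 later.") so that someone upgrading an existing configuration sees it where they look up the option.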
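Review bot: the xsm-flask.txt hunk drops the caveat that the example policy was only tested with simple domain creation and may lack rules for less common hypervisor features, and replaces it with the stronger statement that domU_t "should allow the same operations on or between domains as when not using FLASK"; unless that has actually been verified against the passthrough setup the surrounding section describes, keep a softened form of the old warning next to the new sentence. The parenthetical "(the default value of the boot parameter, which can also be changed using xl setenforce)" also reads awkwardly; "(now the default; xl setenforce switches modes at runtime)" says the same thing more directly.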
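Review bot: the first flask_op.c hunk removes `boolean_param("flask_enforcing", flask_enforcing);` outright, so a command line that still passes `flask_enforcing=1` (the form the old xsm-flask.txt text recommended) is no longer recognised; since the commit message calls the option superseded rather than removed, either keep the boolean_param for one release with a deprecation message, or record the removal explicitly in xen-command-line.markdown so the behaviour change is discoverable.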
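Review bot: in the parse_flask_param hunk the `enforcing` and `late` branches no longer touch flask_enforcing, but the body of the `permissive` branch falls outside the shown context; if it still assigns `flask_enforcing = 0;` that assignment is now redundant with the flask_init change and should be dropped so that parse_flask_param only records flask_bootparam and the mode is decided in one place.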
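Review bot: in the hooks.c hunk the switch clears flask_enforcing only for FLASK_BOOTPARAM_PERMISSIVE and leaves the ENFORCING and LATELOAD cases relying on the static initializer `flask_enforcing = 1;` in flask_op.c; adding an explicit `flask_enforcing = 1;` before the `break;` in those cases makes flask_init the single place that decides the mode and keeps the two files from having to agree on the initializer.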