From patchwork Wed Jun 29 15:09:01 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel De Graaf X-Patchwork-Id: 9205649 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 551E860752 for ; Wed, 29 Jun 2016 15:11:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4381328375 for ; Wed, 29 Jun 2016 15:11:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 35AF3285EF; Wed, 29 Jun 2016 15:11:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 4E00028375 for ; Wed, 29 Jun 2016 15:11:35 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bIH76-0005NB-H3; Wed, 29 Jun 2016 15:09:16 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bIH75-0005N3-3f for xen-devel@lists.xenproject.org; Wed, 29 Jun 2016 15:09:15 +0000 Received: from [85.158.137.68] by server-12.bemta-3.messagelabs.com id AA/E1-32245-A94E3775; Wed, 29 Jun 2016 15:09:14 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrPLMWRWlGSWpSXmKPExsXCoZPKqTvzSXG 4QfMbZYvvWyYzOTB6HP5whSWAMYo1My8pvyKBNaNl20TGgn1eFUcurWBtYNxk28XIwSEh4Cex dE1xFyMXB6fAJRaJt01r2LsYOYHiJxgltnfwgiSEBNoZJX6+WcsE4WxjlNjw/wErSBWbgK7Eg oMrmUBsEQEliXurJoMVMQusZJSY/WsTI8gKYQFrif0XykFqWARUJa40XQOr5xVwkZg6+zwTxD Y5iZvnOpknMPIsYGRYxahRnFpUllqka2Sgl1SUmZ5RkpuYmaNraGCsl5taXJyYnpqTmFSsl5y fu4kR6Pl6BgbGHYzNJ/wOMUpyMCmJ8m56UBwuxJeUn1KZkVicEV9UmpNafIhRhoNDSYL31yOg nGBRanpqRVpmDjAEYdISHDxKIrxRj4HSvMUFibnFmekQqVOMuhxbFtxYyyTEkpeflyolzvsRZ IYASFFGaR7cCFg8XGKUlRLmZWRgYBDiKUgtys0sQZV/xSjOwagkzOsEsoonM68EbtMroCOYgI 5gLgU7oiQRISXVwCjyKnWJ7dXH6269OqGecN56U4J4nNeegIY8803C0TN+SZ3len70xDoTmcX Pv7MHZeum7a87qaCve28aw3/jqoUvVi+qdFvqqhVxhFlRMm1CvGp5FueCf38POnY/bcuJFVC5 t/BZ45bpfvN1W4U9eBKm1q0/fuuur/q+0we+uLR1RzL55D2vM1RiKc5INNRiLipOBADMaQpKg gIAAA== X-Env-Sender: dgdegra@tycho.nsa.gov X-Msg-Ref: server-14.tower-31.messagelabs.com!1467212952!48013614!1 X-Originating-IP: [8.44.101.9] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 8.46; banners=-,-,- X-VirusChecked: Checked Received: (qmail 28263 invoked from network); 29 Jun 2016 15:09:13 -0000 Received: from emsm-gh1-uea11.nsa.gov (HELO emsm-gh1-uea11.nsa.gov) (8.44.101.9) by server-14.tower-31.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 29 Jun 2016 15:09:13 -0000 X-IronPort-AV: E=Sophos;i="5.26,547,1459814400"; d="scan'208";a="17287274" IronPort-PHdr: =?us-ascii?q?9a23=3ACZMbeBQWEd63vMI335B1hKLXy9psv+yvbD5Q0YIu?= =?us-ascii?q?jvd0So/mwa64bBeN2/xhgRfzUJnB7Loc0qyN4vimADFLvs/JmUtBWaQEbwUCh8?= =?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4?= =?us-ascii?q?Ov7yUtaLyZ/mj6brptaMOk1hv3mUWftKNhK4rAHc5IE9oLBJDeIP8CbPuWZCYO?= =?us-ascii?q?9MxGlldhq5lhf44dqsrtY4q3wD89pozcNLUL37cqIkVvQYSW1+ayFm2dfv/SXn?= =?us-ascii?q?YUPPoyFEEzZerh0dEwXDqR33QJr1mi/7rfZmnjmXO9XsSrI5Uijk6L1kGzHyjy?= =?us-ascii?q?JSGzc/8WzTwuB9xI1BqRuv70hzzILZb5ucHOZvdaPaO9UBTCxOWdgHBH8JOZ+1?= =?us-ascii?q?c4ZaV7lJBu1ftYSo4gJU9RY=3D?= X-IPAS-Result: =?us-ascii?q?A2GrGgA343NX/wHyM5BbHAEBgyAiNH2nawGPToQFBRIFB4V?= =?us-ascii?q?6gTBMAQEBAQEBAgJiJ4IygwwOKIEpiDDDcTGPH4JfC0CCRwWIFpBvhgiINgKBZ?= =?us-ascii?q?4d2DIU6kANUgggcgWggMok+AQEB?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP; 29 Jun 2016 15:09:06 +0000 Received: from moss-nexus.infosec.tycho.ncsc.mil (moss-nexus [192.168.25.48]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u5TF95Og028235; Wed, 29 Jun 2016 11:09:06 -0400 From: Daniel De Graaf To: xen-devel@lists.xenproject.org Date: Wed, 29 Jun 2016 11:09:01 -0400 Message-Id: <1467212941-8265-1-git-send-email-dgdegra@tycho.nsa.gov> X-Mailer: git-send-email 2.7.4 Cc: Doug Goldstein , Daniel De Graaf , Ian Jackson , Jan Beulich Subject: [Xen-devel] [PATCH v3] xsm: add a default policy to .init.data X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" X-Virus-Scanned: ClamAV using ClamSMTP This adds a Kconfig option and support for including the XSM policy from tools/flask/policy in the hypervisor so that the bootloader does not need to provide a policy to get sane behavior from an XSM-enabled hypervisor. The policy provided by the bootloader, if present, will override the built-in policy. The XSM policy is not moved out of tools because that remains the primary location for installing and configuring the policy. Signed-off-by: Daniel De Graaf --- Changes from v2 (dropped acks and reviewed-by): - Drop linker script changes, use python binary-to-C file script - Make the config option always include the policy if selected - Note the new conditional dependency on checkpolicy in INSTALL INSTALL | 6 +++++- docs/misc/xen-command-line.markdown | 16 +++++++++------- docs/misc/xsm-flask.txt | 30 +++++++++++++++--------------- xen/common/Kconfig | 16 ++++++++++++++++ xen/xsm/flask/.gitignore | 1 + xen/xsm/flask/Makefile | 11 +++++++++++ xen/xsm/flask/gen-policy.py | 19 +++++++++++++++++++ xen/xsm/xsm_core.c | 22 +++++++++++++++++++++- 8 files changed, 97 insertions(+), 24 deletions(-) create mode 100644 xen/xsm/flask/.gitignore create mode 100644 xen/xsm/flask/gen-policy.py diff --git a/INSTALL b/INSTALL index 616a67a..703cfe7 100644 --- a/INSTALL +++ b/INSTALL @@ -272,7 +272,11 @@ PYTHON_PREFIX_ARG= The hypervisor may be build with XSM/Flask support, which can be changed by running: make -C xen menuconfig -and enabling XSM/Flask in the 'Common Features' menu. +and enabling XSM/Flask in the 'Common Features' menu. By default, this +selection will also enable compiling a built-in policy, which requires +the SELinux policy compiler (checkpolicy) to build. The location of +this executable can be set using its environment variable. +CHECKPOLICY= Do a build for coverage. coverage=y diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 2a088ca..5500242 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -712,13 +712,15 @@ enabled by running either: with untrusted guests. If a policy is provided by the bootloader, it will be loaded; errors will be reported to the ring buffer but will not prevent booting. The policy can be changed to enforcing mode using "xl setenforce". -* `enforcing`: This requires a security policy to be provided by the bootloader - and will enter enforcing mode prior to the creation of domain 0. If a valid - policy is not provided, the hypervisor will not continue booting. -* `late`: This disables loading of the security policy from the bootloader. - FLASK will be enabled but will not enforce access controls until a policy is - loaded by a domain using "xl loadpolicy". Once a policy is loaded, FLASK will - run in enforcing mode unless "xl setenforce" has changed that setting. +* `enforcing`: This will cause the security server to enter enforcing mode prior + to the creation of domain 0. If an valid policy is not provided by the + bootloader and no built-in policy is present, the hypervisor will not continue + booting. +* `late`: This disables loading of the built-in security policy or the policy + provided by the bootloader. FLASK will be enabled but will not enforce access + controls until a policy is loaded by a domain using "xl loadpolicy". Once a + policy is loaded, FLASK will run in enforcing mode unless "xl setenforce" has + changed that setting. * `disabled`: This causes the XSM framework to revert to the dummy module. The dummy module provides the same security policy as is used when compiling the hypervisor without support for XSM. The xsm\_op hypercall can also be used to diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt index 2f42585..62f15dd 100644 --- a/docs/misc/xsm-flask.txt +++ b/docs/misc/xsm-flask.txt @@ -141,21 +141,21 @@ only type enforcement is used and the user and role are set to system_u and system_r for all domains. The FLASK security framework is mostly configured using a security policy file. -This policy file is not normally generated during the Xen build process because -it relies on the SELinux compiler "checkpolicy"; run - - make -C tools/flask/policy - -to compile the example policy included with Xen. The policy is generated from -definition files under this directory. Most changes to security policy will -involve creating or modifying modules found in tools/flask/policy/modules/. The -modules.conf file there defines what modules are enabled and has short -descriptions of each module. - -The XSM policy file needs to be copied to /boot and loaded as a module by grub. -The exact position of the module does not matter as long as it is after the Xen -kernel; it is normally placed either just above the dom0 kernel or at the end. -Once dom0 is running, the policy can be reloaded using "xl loadpolicy". +It relies on the SELinux compiler "checkpolicy"; if this is available, the +policy will be compiled as part of the tools build. If hypervisor support for a +built-in policy is enabled ("Compile Xen with a built-in security policy"), the +policy will be built during the hypervisor build. + +The policy is generated from definition files in tools/flask/policy. Most +changes to security policy will involve creating or modifying modules found in +tools/flask/policy/modules/. The modules.conf file there defines what modules +are enabled and has short descriptions of each module. + +If not using the built-in policy, the XSM policy file needs to be copied to +/boot and loaded as a module by grub. The exact position and filename of the +module does not matter as long as it is after the Xen kernel; it is normally +placed either just above the dom0 kernel or at the end. Once dom0 is running, +the policy can be reloaded using "xl loadpolicy". The example policy included with Xen demonstrates most of the features of FLASK that can be used without dom0 disaggregation. The main types for domUs are: diff --git a/xen/common/Kconfig b/xen/common/Kconfig index daab832..f15ea78 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -143,6 +143,22 @@ config FLASK_AVC_STATS If unsure, say Y. +config XSM_POLICY + bool "Compile Xen with a built-in security policy" + default y + depends on XSM + ---help--- + This includes a default XSM policy in the hypervisor so that the + bootloader does not need to load a policy to get sane behavior from an + XSM-enabled hypervisor. If this is disabled, a policy must be + provided by the bootloader or by Domain 0. Even if this is enabled, a + policy provided by the bootloader will override it. + + This requires that the SELinux policy compiler (checkpolicy) be + available when compiling the hypervisor. + + If unsure, say Y. + # Enable schedulers menu "Schedulers" visible if EXPERT = "y" diff --git a/xen/xsm/flask/.gitignore b/xen/xsm/flask/.gitignore new file mode 100644 index 0000000..024edbe --- /dev/null +++ b/xen/xsm/flask/.gitignore @@ -0,0 +1 @@ +/policy.c diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile index 12fc3a9..6335a72 100644 --- a/xen/xsm/flask/Makefile +++ b/xen/xsm/flask/Makefile @@ -27,6 +27,17 @@ $(FLASK_H_FILES): $(FLASK_H_DEPEND) $(AV_H_FILES): $(AV_H_DEPEND) $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND) +obj-$(CONFIG_XSM_POLICY) += policy.o + +POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION) + +policy.bin: FORCE + $(MAKE) -C $(XEN_ROOT)/tools/flask/policy + cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@ + +policy.c: policy.bin gen-policy.py + $(PYTHON) gen-policy.py < $< > $@ + .PHONY: clean clean:: rm -f $(ALL_H_FILES) *.o $(DEPS) diff --git a/xen/xsm/flask/gen-policy.py b/xen/xsm/flask/gen-policy.py new file mode 100644 index 0000000..9602b0b --- /dev/null +++ b/xen/xsm/flask/gen-policy.py @@ -0,0 +1,19 @@ +#!/usr/bin/env python +import sys + +policy_size = 0 + +sys.stdout.write(""" +/* This file is autogenerated by gen_policy.py */ +#include + +const unsigned char xsm_init_policy[] __init = { +""") + +for char in sys.stdin.read(): + sys.stdout.write(" 0x%02x," % ord(char)) + policy_size = policy_size + 1 + if policy_size % 13 == 0: + sys.stdout.write("\n") + +sys.stdout.write("\n};\nconst int __init xsm_init_policy_size = %d;\n" % policy_size) diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c index 8df1a3c..93c7d43 100644 --- a/xen/xsm/xsm_core.c +++ b/xen/xsm/xsm_core.c @@ -36,6 +36,24 @@ static inline int verify(struct xsm_operations *ops) return 0; } +#ifdef CONFIG_XSM_POLICY +extern char xsm_init_policy[]; +extern int xsm_init_policy_size; +#else +#define xsm_init_policy 0 +#endif + +static void __init xsm_policy_init(void) +{ +#ifdef CONFIG_XSM_POLICY + if ( policy_size == 0 ) + { + policy_buffer = xsm_init_policy; + policy_size = xsm_init_policy_size; + } +#endif +} + static int __init xsm_core_init(void) { if ( verify(&dummy_xsm_ops) ) @@ -46,6 +64,7 @@ static int __init xsm_core_init(void) } xsm_ops = &dummy_xsm_ops; + xsm_policy_init(); flask_init(); return 0; @@ -98,7 +117,8 @@ int __init xsm_dt_init(void) ret = xsm_core_init(); - xfree(policy_buffer); + if ( policy_buffer != xsm_init_policy ) + xfree(policy_buffer); return ret; }