ia64/xen-unstable

changeset 19210:766b3763ad1b

[XSM][FLASK] basic documentation and a type cast error for x86_64

- A simple txt howto based on previous list discussions and observations
- A oneliner patch to address a compiler type cast error for x86_64

Signed-off-by: George S. Coker, II <gscoker@alpha.ncsc.mil>
author Keir Fraser <keir.fraser@citrix.com>
date Fri Feb 13 09:33:58 2009 +0000 (2009-02-13)
parents 67d9d2a4b988
children 9ac547ed9455
files docs/misc/xsm-flask.txt xen/xsm/flask/ss/policydb.c
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/docs/misc/xsm-flask.txt	Fri Feb 13 09:33:58 2009 +0000
     1.3 @@ -0,0 +1,148 @@
     1.4 +These notes are compiled from xen-devel questions and postings that have occured
     1.5 +since the inclusion of XSM.  These notes are not intended to be definitive
     1.6 +documentation but should address many common problems that arrise when
     1.7 +experimenting with XSM:FLASK.
     1.8 +
     1.9 +Xen XSM:FLASK configuration
    1.10 +---------------------------
    1.11 +
    1.12 +1) cd xen-unstable.hg
    1.13 +2) edit Config.mk in the toplevel xen directory as follows:
    1.14 +
    1.15 +	XSM_ENABLE ?= y
    1.16 +	FLASK_ENABLE ?= y
    1.17 +	ACM_SECURITY ?= n
    1.18 +	
    1.19 +NB: Only one security module can be selected at a time.  If no module is
    1.20 +selected, then the default DUMMY module will be enforced.  The DUMMY module
    1.21 +only exercises the security framework and does not enforce any security
    1.22 +policies.  Changing the security module selection will require recompiling xen.
    1.23 +These settings will also configure the corresponding toolchain support.  
    1.24 +
    1.25 +3) make xen
    1.26 +4) make tools
    1.27 +
    1.28 +
    1.29 +Xen XSM:FLASK policy
    1.30 +--------------------
    1.31 +
    1.32 +These instructions will enable the configuration and build of the sample policy.
    1.33 +The sample policy provides the MINIMUM policy necessary to boot a
    1.34 +paravirtualized dom0 and create a paravirtualized domU.  Many of the 
    1.35 +default capabilities and usages supported by dom0/domU are disallowed by the
    1.36 +sample policy.  Further, the policy is comprised of a limited number of types and 
    1.37 +must be adjusted to meet the specific security goals of the installation. 
    1.38 +Modification of the policy is straightforward and is covered in a later section.
    1.39 +
    1.40 +NB: The policy is not automatically built as part of the tool support because 
    1.41 +of an external dependancy on the checkpolicy compiler.  The FLASK policy uses 
    1.42 +the same syntax and structure as SELinux and compiling the policy relies on 
    1.43 +the SELinux policy toolchain.  This toolchain is available under many 
    1.44 +distributions as well as the following URL,
    1.45 +
    1.46 +	http://userspace.selinuxproject.org/releases/20080909/stable/checkpolicy-1.34.7.tar.gz
    1.47 +
    1.48 +1) cd xen-unstable.hg/tools/flask/policy
    1.49 +2) make policy
    1.50 +3) cp policy.20 /boot/xenpolicy.20
    1.51 +4) edit /etc/grub.conf, add a module line to the xen entry,
    1.52 +
    1.53 +	module /xenpolicy.20
    1.54 +
    1.55 +5) reboot, and select the updated xen entry
    1.56 +
    1.57 +NB: The module entry can be inserted on any line after the xen kernel line.  Typical
    1.58 +configurations use the last module entry or the module entry that immediately 
    1.59 +follows the xen kernel entry.
    1.60 +
    1.61 +Xen configuration of xend
    1.62 +-------------------------
    1.63 +
    1.64 +1) cd /etc/xen
    1.65 +2) edit xend-config.sxp
    1.66 +3) uncomment the line containing the key:value pair entry, 
    1.67 +
    1.68 +	#(xsm_module_name dummy)
    1.69 +
    1.70 +4) change the value entry to 'flask'
    1.71 +
    1.72 +	(xsm_module_name flask)
    1.73 +
    1.74 +5) restart xend
    1.75 +
    1.76 +Creating policy controlled domains
    1.77 +----------------------------------
    1.78 +
    1.79 +2) Edit the domain config file and add the following entry,
    1.80 +
    1.81 +	access_control = ["policy=,label=system_u:object_r:domU_t"]
    1.82 +
    1.83 +NB: The 'policy' field is not used by XSM:FLASK.  The 'label' must exist in the 
    1.84 +loaded policy. 'system_u:object_r:domU_t' is one of the existing labels from 
    1.85 +the sample policy and shown for example purposes.
    1.86 +
    1.87 +2) Create the domain using the 'xm create' command.
    1.88 +3) Use the 'xm list -l' command to list the running domains and their labels.
    1.89 +
    1.90 +Updating the XSM:FLASK policy
    1.91 +-----------------------------
    1.92 +
    1.93 +It is recommended that the XSM:FLASK policy be tailored to meet the specific
    1.94 +security goals of the platform.  The policy is tailored by editing the xen.te 
    1.95 +file in the 'policy' subdirectory.
    1.96 +
    1.97 +1) cd xen-unstable.hg/tools/flask/policy
    1.98 +2) edit policy/modules/xen/xen.te - make changes to support platform security goals.
    1.99 +3) make policy
   1.100 +4) cp policy.20 /boot/xenpolicy.20
   1.101 +5) reboot
   1.102 +
   1.103 +Alternatively, one may reload the policy using the 'flask_loadpolicy' tool
   1.104 +installed by the xen tools.
   1.105 +
   1.106 +1) flask_loadpolicy policy.20
   1.107 +
   1.108 +NB: The sample policy permits policy reloads as well as general manipulation of
   1.109 +the Flask security server only from dom0.  The policy can be tailored further to
   1.110 +restrict policy reloads and other manipulations to boot-time only, by removing 
   1.111 +the corresponding statements from the policy.
   1.112 +
   1.113 +Enforcing the XSM:FLASK policy
   1.114 +------------------------------
   1.115 +
   1.116 +By default, XSM:FLASK is compiled and installed in permissive mode.  This
   1.117 +configuration will allow an XSM:FLASK system to start in enforcing mode.
   1.118 +
   1.119 +1) edit /etc/grub.conf
   1.120 +2) append the parameter 'flask_enforcing=1' to the xen kernel line.
   1.121 +3) reboot, and select the updated xen entry
   1.122 +
   1.123 +
   1.124 +Additional notes on XSM:FLASK
   1.125 +-----------------------------
   1.126 +
   1.127 +1) xen command line parameters
   1.128 +
   1.129 +	a) flask_enforcing
   1.130 +	
   1.131 +	The default value for flask_enforcing is '0'.  This parameter causes the 
   1.132 +	platform to boot in permissive mode which means that the policy is loaded 
   1.133 +	but not enforced.  This mode is often helpful for developing new systems 
   1.134 +	and policies as the policy violations are reported on the xen console and 
   1.135 +	may be viewed in dom0 through 'xm dmesg'.
   1.136 +	
   1.137 +	To boot the platform into enforcing mode, which means that the policy is
   1.138 +	loaded and enforced, append 'flask_enforcing=1' on the grub line.
   1.139 +	
   1.140 +	This parameter may also be changed through the flask hyercall.
   1.141 +	
   1.142 +	b) flask_enabled
   1.143 +	
   1.144 +	The default value for flask_enabled is '1'.  This parameter causes the
   1.145 +	platform to enable the FLASK security module under the XSM framework.
   1.146 +	The parameter may be enabled/disabled only once per boot.  If the parameter
   1.147 +	is set to '0', only a reboot can re-enable flask.  When flask_enabled is '0'
   1.148 +	the DUMMY module is enforced.
   1.149 +
   1.150 +	This parameter may also be changed through the flask hypercall.  But may
   1.151 +	only be performed once per boot.
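Review bot: In "Creating policy controlled domains" the steps are numbered 2), 2), 3). The first step is labelled 2) and there is no step 1, so either a step was dropped or the list should be renumbered 1), 2), 3). Spelling to fix before this goes in: "occured" (occurred), "arrise" (arise), "dependancy" (dependency) and "hyercall" (hypercall) under flask_enforcing. In "Enforcing the XSM:FLASK policy", the sentence "This configuration will allow an XSM:FLASK system to start in enforcing mode" follows the statement about the permissive default and reads as if it refers to it; "The following configuration" would be unambiguous. The text also says the sample policy permits policy reloads and security server manipulation from dom0 and that flask_enforcing may be changed through the flask hypercall, but "removing the corresponding statements from the policy" does not say which statements in xen.te those are; naming them would make the boot-time-only lockdown actionable.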
     2.1 --- a/xen/xsm/flask/ss/policydb.c	Fri Feb 13 09:32:02 2009 +0000
     2.2 +++ b/xen/xsm/flask/ss/policydb.c	Fri Feb 13 09:33:58 2009 +0000
     2.3 @@ -1515,8 +1515,8 @@ int policydb_read(struct policydb *p, vo
     2.4      if ( len != strlen(POLICYDB_STRING) )
     2.5      {
     2.6          printk(KERN_ERR "security:  policydb string length %d does not "
     2.7 -               "match expected length %Zu\n",
     2.8 -               len, (u32) strlen(POLICYDB_STRING));
     2.9 +               "match expected length %lu\n",
    2.10 +               len, strlen(POLICYDB_STRING));
    2.11          goto bad;
    2.12      }
    2.13      policydb_str = xmalloc_array(char, len + 1);
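Review bot: The new format "%lu" is paired with an uncast strlen(POLICYDB_STRING), which returns size_t; that matches only where size_t is unsigned long (x86_64, as the commit title says), and on a 32-bit build the argument is an unsigned int and the warning comes back in the other direction. Either keep "%lu" and cast explicitly, (unsigned long) strlen(POLICYDB_STRING), or keep the original "%Zu" and only drop the (u32) cast so the specifier follows size_t on every architecture. Separately, len is printed with "%d" while being compared against a strlen() result; its declaration is outside this hunk, but if it is unsigned the specifier should be "%u".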