George S. Coker, II
2006-Dec-20 14:08 UTC
[Xen-devel] [Xense-devel] [PATCH] [2/4] Flask XSM Module
This patch implements the Flask XSM module. The security architecture provided by Flask is similar to the security architecture found in SELinux, but Flask has undergone Xen nativization. The Flask module implements a security function for each of the XSM hooks. A development policy will be provided in a separate post.

This patch default-enables Flask. Additional configuration of Flask may be done in Config.mk through the parameters FLASK_ENABLE, FLASK_DEVELOP, FLASK_BOOTPARAM, and FLASK_AVC_STATS.

FLASK_ENABLE enables/disables the Flask module.

FLASK_DEVELOP enables/disables the ability to set the enforcing status of Xen through boot parameters passed to Xen. If FLASK_DEVELOP is enabled, pass flask_enforcing=1/0 to enable/disable policy enforcement in the Flask module. This patch sets flask_enforcing=0, which leaves Flask in permissive mode.

FLASK_BOOTPARAM enables/disables the ability to enable/disable loading of the Flask module at boot. If FLASK_BOOTPARAM is enabled, pass flask_enabled=1/0 to enable/disable the Flask module at boot. The default is flask_enabled=1, which causes the Flask module to be loaded. flask_enabled=0 will cause the dummy module to be loaded.

FLASK_AVC_STATS enables/disables the ability to report cache stats for Flask. The default is FLASK_AVC_STATS enabled. The values of the cache stats can be read through Flask's security hypercall. The tool chain to use the Flask hypercall is presently incomplete.

Policies can be written using the SELinux policy grammar and toolchain > 1.19 (policy version 20). Fedora Core 5 and later versions have the appropriate toolchain. The compiled policy must be listed as one of the bootloader modules after the dom0 kernel.

N.B. XSM cannot have more than one module enabled at compile time.

Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
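As an added illustration (not part of the patch or the post), the following GRUB legacy menu.lst entry shows how the boot parameters and the policy module described above fit together on the boot line: the hypervisor receives flask_enabled and flask_enforcing, and the compiled policy is listed as a bootloader module after the dom0 kernel. The file paths, the policy file name and the dom0 kernel arguments are assumptions; the Xen build is assumed to have FLASK_ENABLE, FLASK_BOOTPARAM and FLASK_DEVELOP enabled in Config.mk, since otherwise the two boot parameters are not honoured.

```grub
# Added example, not from the patch: GRUB legacy stanza booting Xen with
# the Flask XSM module.  All paths and file names below are assumptions.
title Xen with Flask XSM (permissive)
root (hd0,0)
# flask_enabled=1 loads the Flask module (flask_enabled=0 loads the dummy
# module instead); both need FLASK_BOOTPARAM enabled in Config.mk.
# flask_enforcing=0 keeps Flask permissive, the patch's default, and is
# only honoured when FLASK_DEVELOP is enabled in Config.mk.
kernel /boot/xen.gz flask_enabled=1 flask_enforcing=0
# Dom0 kernel and its initrd are the first bootloader modules.
module /boot/vmlinuz-xen root=/dev/sda1 ro console=tty0
module /boot/initrd-xen.img
# The compiled Flask policy (policy version 20, built with the SELinux
# toolchain > 1.19) is listed after the dom0 kernel, as the post requires.
module /boot/xenpolicy.20
```

With this stanza the hypervisor stays permissive, so policy denials are reported rather than enforced; switching to flask_enforcing=1 on the kernel line is the step that turns the same policy into an enforced one, which is why keeping FLASK_DEVELOP enabled on a development box is convenient and disabling it on a production build removes that boot-time switch.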