similar to: [PATCH] flask: add tools/flask/utils/flask-label-pci to .hgignore

These patches update the example FLASK policy shipped with Xen and enable its build if the required tools are present. The third patch requires rerunning autoconf to update tools/configure. [PATCH 1/3] flask/policy: sort dom0 accesses [PATCH 2/3] flask/policy: rework policy build system [PATCH 3/3] tools/flask: add FLASK policy to build

# HG changeset patch # User Wei Liu <wei.liu2@citrix.com> # Date 1329922671 0 # Node ID bb2986677df84b9709a60aea7e70ffd9f9e23f76 # Parent d433a9cb0089683b8f75458807c5437341f2cdcc Add gtags target for xen/Makefile. Also update .hgignore. Signed-off-by: Wei Liu <wei.liu2@citrix.com> diff --git a/.hgignore b/.hgignore --- a/.hgignore +++ b/.hgignore @@ -23,6 +23,7 @@ ^\.config$ ^\.pc

- The patch does away with the autogenerated xsm.py file and introduces a config parameter in xend-config.sxp to determine the security module. The parameter is (xsm_module_name {acm, dummy, flask}). The default setting/option is dummy. .hgignore is also updated to stop ignoring xsm.py on commits. - The patch has created an xsconstant for XS_POLICY_FLASK and updated the toolchain to check the

Fix formatting of Flask AVC audit messages so that existing policy tools can parse them. After applying, ''xm dmesg | audit2allow'' yields the expected result. Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: George S. Coker, II <gscoker@alpha.ncsc.mil> --- xen/xsm/flask/avc.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)

I notice that the Flask / ACM security module support has been enabled in the latest Debian Xen packages. I'm afraid I think this is a mistake. In our opinion this code is of very poor quality. It is certainly ill-tested and not widely used. We (Xensource/Citrix) have received more than one serious vulnerability report, of problems which make an installation with the Flask support compiled

Hello all, I am trying to get a xenstore/oxenstore (oxenstore is mirage based) stubdom to get to work on Xen 4.2.1. I know that I need to set XSM/FLASK rules and so I have compiled 4.2.1 with XSM and FLASK. I already talked with Daniel de Graaf (on the mailinglists) and Steven Maresca on IRC about this thing. Daniel already wrote a XSM/FLASK ruleset in this thread:

The FLASK security checks for resource ranges were not implemented correctly - only the permissions on the endpoints of a range were checked, instead of all items contained in the range. This would allow certain resources (I/O ports, I/O memory) to be used by domains in contravention to security policy. This also corrects a bug where adding overlapping resource ranges did not trigger an error.

This patch implements the Flask tools for the xen control plane (xm & xend). The patch also refactors the ACM toolchain so that a common security API (based on the existing ACM toolchain) is exported to xm and xend. To create a domain with the Flask module, add the following (for example) to a domain''s configuration file access_control =

This adds two more permissions to the default Flask policy to get a VM with a network interface to work. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel

Adds support for assigning a label to domains, obtaining and setting the current enforcing mode, and loading a policy with xl command when the Flask XSM is in use. libxl.c | 1 libxl.idl | 3 - xl.h | 3 + xl_cmdimpl.c | 171 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- xl_cmdtable.c | 18 +++++- 5 files changed, 187 insertions(+), 9

Adds support for assigning a label to domains, obtaining and setting the current enforcing mode, and loading a policy with xl command and libxl header when the Flask XSM is in use. Adheres to the changes made by the patch to remove exposure of libxenctrl/libxenstore headers via libxl.h. tools/libxl/libxl_flask.c | 71 ++++++++++++++++++ tools/libxl/Makefile | 2

Hi folks, I am new to install xen 4.1.0-rc6-pre version on RHEL 6.2. When installing xen tools flask, I got an error said “No rule to make target ‘/usr/lib/gcc/x86-64-redhat-linux/4.1.2/include/stddef.h”, but I am using gcc 4.4..6. How to fix this? Thanks & Best Regards Shengkai _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org

This patch set adds XSM security labels to useful debugging output locations, and fixes some assumptions that all interrupts behaved like GSI interrupts (which had useful non-dynamic IDs). It also cleans up the policy build process and adds an example of how to use the user field in the security context. Debug output: [PATCH 01/10] xsm: Add security labels to event-channel dump [PATCH 02/10] xsm:

Hi all, i want to know about the following things: 1.unloading XSM policy. -xl loadpolicy xenpolicy.24 to load the policy. For unloading is there any command is available.? 2. i want to know any analysis tool is available for XSM policy. 3. Apart from wiki.org/XSM any other tutorial is available for developing own XSM policy.? Thanks and regards, cooldharma06.

Prevent xl from doing any operation if xend daemon is running. That prevents bugs that happened when xl and xend raced to close a domain. Changes since v1: * Add documentation to xl man page. * Permit the execution of commands that don''t modify anything. * Indent error message. Cc: george.dunlap@eu.citrix.com Cc: ian.jackson@eu.citrix.com Signed-off-by: Roger Pau Monne

# HG changeset patch # User Olaf Hering <olaf@aepfle.de> # Date 1328707901 -3600 # Node ID b730f1f980bdc1edcebf7dbbbb5253ccafcd8c04 # Parent 3574f4d67843733ccaabab5f8ebb859c99d7314a remove references to removed libflask from setup.py Build in SLES11 SP1/2 fails after libflask removal. > building ''flask'' extension > error: ../../tools/flask/libflask/libflask.so: No

xenapi.out needs to be ignored and removed on clean; tools/ioemu/i386-dm/Makefile is a soft link and should be ignored. Signed-off-by: Alex Williamson <alex.williamson@hp.com> -- diff -r dba5f548b894 .hgignore --- a/.hgignore Mon Mar 24 14:25:52 2008 -0600 +++ b/.hgignore Mon Mar 24 16:27:21 2008 -0600 @@ -58,6 +58,7 @@ ^docs/user/user\.html$ ^docs/xen-api/vm_lifecycle.eps$

Renato, Kristof, I confirm this is due to the latest Flask --- Flask-0.11 was released this weekend --- and for some unknown (to me at least) reason, although LNT's requirements.txt pins Flask to version 0.10.1, pip installs Flask-0.11. Forcing Flask to 0.10.1 gets the situation back to normal. Reading pip's documentation makes me think it's not able to resolve dependencies

I honestly do not know how to fix that --- I would otherwise I've committed a fix. I've been able to hack it locally exploiting the very same lit limitation then the one we're stumbling on (i.e it does not resolve dependency correctly and only pick-up the first constraint). You need to make sure the Flask constraint is seen first, even before using the requirements.txt so on the

On 30 May 2016 at 12:25, Arnaud De Grandmaison <Arnaud.DeGrandmaison at arm.com> wrote: > I confirm this is due to the latest Flask --- Flask-0.11 was released this > weekend --- and for some unknown (to me at least) reason, although LNT's > requirements.txt pins Flask to version 0.10.1, pip installs Flask-0.11. > Forcing Flask to 0.10.1 gets the situation back to normal. Do