similar to: [PATCH] [Flask] Add 2 permissions to the default flask policy to get a VIF-enabled guest to work

I have just committed the patch below. Ian. # HG changeset patch # User Ian Jackson <Ian.Jackson@eu.citrix.com> # Date 1323712783 0 # Node ID 7ca56cca09ade16645fb4806be2c5b2b0bc3332b # Parent 7e90178b8bbfd2f78e8f4c6d593a2fb233350f41 flask: add tools/flask/utils/flask-label-pci to .hgignore This was apparently forgotten in 24353:448c48326d6b Signed-off-by: Ian Jackson

These patches update the example FLASK policy shipped with Xen and enable its build if the required tools are present. The third patch requires rerunning autoconf to update tools/configure. [PATCH 1/3] flask/policy: sort dom0 accesses [PATCH 2/3] flask/policy: rework policy build system [PATCH 3/3] tools/flask: add FLASK policy to build

Fix formatting of Flask AVC audit messages so that existing policy tools can parse them. After applying, ''xm dmesg | audit2allow'' yields the expected result. Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: George S. Coker, II <gscoker@alpha.ncsc.mil> --- xen/xsm/flask/avc.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)

I notice that the Flask / ACM security module support has been enabled in the latest Debian Xen packages. I'm afraid I think this is a mistake. In our opinion this code is of very poor quality. It is certainly ill-tested and not widely used. We (Xensource/Citrix) have received more than one serious vulnerability report, of problems which make an installation with the Flask support compiled

Hello all, I am trying to get a xenstore/oxenstore (oxenstore is mirage based) stubdom to get to work on Xen 4.2.1. I know that I need to set XSM/FLASK rules and so I have compiled 4.2.1 with XSM and FLASK. I already talked with Daniel de Graaf (on the mailinglists) and Steven Maresca on IRC about this thing. Daniel already wrote a XSM/FLASK ruleset in this thread:

The FLASK security checks for resource ranges were not implemented correctly - only the permissions on the endpoints of a range were checked, instead of all items contained in the range. This would allow certain resources (I/O ports, I/O memory) to be used by domains in contravention to security policy. This also corrects a bug where adding overlapping resource ranges did not trigger an error.

- This minor patch implements the missing stub function security_label_to_details in the dummy module. This stub function is necessary to create domains with network interfaces for modules that do not implement the security_label_to_details function. Signed-off-by: George Coker <gscoker@alpha.ncsc.mil> _______________________________________________ Xen-devel mailing list

This patch implements the Flask tools for the xen control plane (xm & xend). The patch also refactors the ACM toolchain so that a common security API (based on the existing ACM toolchain) is exported to xm and xend. To create a domain with the Flask module, add the following (for example) to a domain''s configuration file access_control =

This fixes the xapi test case 02 with those parts that currently do not work disabled with ''if 0:'' Signed-off-by: Stefan Berger <stefanb@us.ibm.com> Index: root/xen-unstable.hg/tools/xm-test/tests/xapi/02_xapi-vbd_basic.py =================================================================== --- root.orig/xen-unstable.hg/tools/xm-test/tests/xapi/02_xapi-vbd_basic.py +++

This patch rewrites the rtc/timeoffset entry so the VM''s record can be retrieved with the Java xmlrpc library. If the entry is ''None'' it upsets the xmlrpc parser. This fixes it, though maybe there''s a better place in xend to place similar code. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> _______________________________________________ Xen-devel

This enables the usage of a bootloader, i.e., pygrub, when starting a domain using xm in Xen-API mode. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel

Adds support for assigning a label to domains, obtaining and setting the current enforcing mode, and loading a policy with xl command when the Flask XSM is in use. libxl.c | 1 libxl.idl | 3 - xl.h | 3 + xl_cmdimpl.c | 171 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- xl_cmdtable.c | 18 +++++- 5 files changed, 187 insertions(+), 9

Adds support for assigning a label to domains, obtaining and setting the current enforcing mode, and loading a policy with xl command and libxl header when the Flask XSM is in use. Adheres to the changes made by the patch to remove exposure of libxenctrl/libxenstore headers via libxl.h. tools/libxl/libxl_flask.c | 71 ++++++++++++++++++ tools/libxl/Makefile | 2

This patch adds a TPM device model to the qemu dm for fully virtualized VMs. It is enabled in the VM only if the user requests a TPM device in the vm configuration file using the ''vtpm=[...]'' line. It enables the qemu device model command line with a ''vtpm_instance <instance number>'' parameter. Signed-off-by: David Safford <safford@watson.ibm.com>

Hi folks, I am new to install xen 4.1.0-rc6-pre version on RHEL 6.2. When installing xen tools flask, I got an error said “No rule to make target ‘/usr/lib/gcc/x86-64-redhat-linux/4.1.2/include/stddef.h”, but I am using gcc 4.4..6. How to fix this? Thanks & Best Regards Shengkai _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org

This patch adds TCG BIOS extensions to the high memory area along with some often-used libc utility functions. The TCG extensions are described here: https://www.trustedcomputinggroup.org/specs/PCClient/TCG_PCClientImplementationforBIOS_1-20_1-00.pdf I have tried to keep the patching with rombios.c to a minimum, but some amount of code needs to be inserted at various locations. The code is

The following test case does local migration 3 times in a loop. I currently see the following error output on x86-64 (only!) inside the guest (change debugMe in line 68 of xm-test/lib/XmTestLib/Console.py to True): @%@%> XENBUS error -12 while reading message XENBUS error -12 while reading message XENBUS unexpected type [1325400064], expected [4] XENBUS error -12 while reading message XENBUS

This patch enables the labeling of (disk-type) resources with the special label __INACCESSIBLE__ to prevent unlabeled domains from accessing them. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel

This patch fixes Linux 2.6.18 compilation on x86-64 and also works on i386. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel

This patch: * adds a C-based security policy translation tool to Xen (secpol_xml2bin) and removes the current Java security policy translator (Java dependencies). The C-based tool integrates into the Xen source tree build and install (using gnome libxml2 for XML parsing). See install.txt. * introduces security labels and related tools. Users can now use semantic-rich label names to put