similar to: [PATCHv3] libxl: Exposed Flask XSM functionality

Adds support for assigning a label to domains, obtaining and setting the current enforcing mode, and loading a policy with xl command when the Flask XSM is in use. libxl.c | 1 libxl.idl | 3 - xl.h | 3 + xl_cmdimpl.c | 171 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- xl_cmdtable.c | 18 +++++- 5 files changed, 187 insertions(+), 9

- This minor patch implements the missing stub function security_label_to_details in the dummy module. This stub function is necessary to create domains with network interfaces for modules that do not implement the security_label_to_details function. Signed-off-by: George Coker <gscoker@alpha.ncsc.mil> _______________________________________________ Xen-devel mailing list

This patch set adds XSM security labels to useful debugging output locations, and fixes some assumptions that all interrupts behaved like GSI interrupts (which had useful non-dynamic IDs). It also cleans up the policy build process and adds an example of how to use the user field in the security context. Debug output: [PATCH 01/10] xsm: Add security labels to event-channel dump [PATCH 02/10] xsm:

These patches update the example FLASK policy shipped with Xen and enable its build if the required tools are present. The third patch requires rerunning autoconf to update tools/configure. [PATCH 1/3] flask/policy: sort dom0 accesses [PATCH 2/3] flask/policy: rework policy build system [PATCH 3/3] tools/flask: add FLASK policy to build

Hi all, i want to know about the following things: 1.unloading XSM policy. -xl loadpolicy xenpolicy.24 to load the policy. For unloading is there any command is available.? 2. i want to know any analysis tool is available for XSM policy. 3. Apart from wiki.org/XSM any other tutorial is available for developing own XSM policy.? Thanks and regards, cooldharma06.

Fix formatting of Flask AVC audit messages so that existing policy tools can parse them. After applying, ''xm dmesg | audit2allow'' yields the expected result. Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: George S. Coker, II <gscoker@alpha.ncsc.mil> --- xen/xsm/flask/avc.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)

Hello all, I am trying to get a xenstore/oxenstore (oxenstore is mirage based) stubdom to get to work on Xen 4.2.1. I know that I need to set XSM/FLASK rules and so I have compiled 4.2.1 with XSM and FLASK. I already talked with Daniel de Graaf (on the mailinglists) and Steven Maresca on IRC about this thing. Daniel already wrote a XSM/FLASK ruleset in this thread:

This patch implements the Flask tools for the xen control plane (xm & xend). The patch also refactors the ACM toolchain so that a common security API (based on the existing ACM toolchain) is exported to xm and xend. To create a domain with the Flask module, add the following (for example) to a domain''s configuration file access_control =

The FLASK security checks for resource ranges were not implemented correctly - only the permissions on the endpoints of a range were checked, instead of all items contained in the range. This would allow certain resources (I/O ports, I/O memory) to be used by domains in contravention to security policy. This also corrects a bug where adding overlapping resource ranges did not trigger an error.

Hi community, there are some problems to start vTPM vtpm-stubdom following docs/misc/vtpm.txt. When I start vtpm-stbdom, the vtpmmgr-stubdom will print out: === ERROR[VTPM]: LoadKey failure: Unrecognized uuid! 69743ae0-9d4a-4ad6-9819-e602085b6792 ERROR[VTPM]: Failed to load key ERROR in vtpmmgr_LoadHashKey at vtpm_cmd_handler.c:78 code: TPM_BAD_PARAMETER. === I start vtpmmgr-stubdom with

Hi community, there are some problems to start vTPM vtpm-stubdom following docs/misc/vtpm.txt. When I start vtpm-stbdom, the vtpmmgr-stubdom will print out: === ERROR[VTPM]: LoadKey failure: Unrecognized uuid! 69743ae0-9d4a-4ad6-9819-e602085b6792 ERROR[VTPM]: Failed to load key ERROR in vtpmmgr_LoadHashKey at vtpm_cmd_handler.c:78 code: TPM_BAD_PARAMETER. === I start vtpmmgr-stubdom with

Changes from v3: - mini-os configuration files moved into stubdom/ - mini-os extra console support now a config option - Fewer #ifdefs - grant table setup uses hypercall bounce - Xenstore stub domain syslog support re-enabled Changes from v2: - configuration support added to mini-os build system - add mini-os support for conditionally compiling frontends, xenbus -

While compiling XEN with XSM_ENABLE=y and FLASK_ENABLE=y, I received the following error. gcc -O1 -fno-omit-frame-pointer -m64 -g -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -Wno-unused-but-set-variable -fno-builtin -fno-common -Wredundant-decls -iwithprefix include -Werror -Wno-pointer-arith -pipe

Hello list, Using the mainline 3.5-rc6 kernel and yesterday''s xen-unstable, I''m having trouble passing in some PCI devices. Everything else works smoothly. Attached are some of the relevant logs and configurations. I did notice from the qemu logs that all the problematic devices have "IRQ type = INTx" whereas those that are working have "IRQ type =

Hi all, this patch series makes the necessary changes to make sure that the current ARM hypercall ABI can be used as-is on 64 bit ARM platforms: - it defines xen_ulong_t as uint64_t on ARM; - it introduces a new macro to handle guest pointers, called XEN_GUEST_HANDLE_PARAM (that has size 4 bytes on aarch and is going to have size 8 bytes on aarch64); - it replaces all the occurrences of

- The patch does away with the autogenerated xsm.py file and introduces a config parameter in xend-config.sxp to determine the security module. The parameter is (xsm_module_name {acm, dummy, flask}). The default setting/option is dummy. .hgignore is also updated to stop ignoring xsm.py on commits. - The patch has created an xsconstant for XS_POLICY_FLASK and updated the toolchain to check the

Hi all, this patch series makes the necessary changes to make sure that the current ARM hypercall ABI can be used as-is on 64 bit ARM platforms: - it defines xen_ulong_t as uint64_t on ARM; - it introduces a new macro to handle guest pointers, called XEN_GUEST_HANDLE_PARAM (that has size 4 bytes on aarch and is going to have size 8 bytes on aarch64); - it replaces all the occurrences of

Hi , When cw is used, dom0 reboots. Though I set quest memory size. I want to study into the cause. Please teach how to examine it. #xm create vm1.conf <-- OK #xm create vm4.conf <-- NO ................... <-- system boot #last root pts/1 myPC Tue Sep 25 11:25 - crash (09:01) reboot system boot 2.6.18-xen Tue Sep 25 20:06 (-8:-16) ~~~~~~~~~~~

I notice that the Flask / ACM security module support has been enabled in the latest Debian Xen packages. I'm afraid I think this is a mistake. In our opinion this code is of very poor quality. It is certainly ill-tested and not widely used. We (Xensource/Citrix) have received more than one serious vulnerability report, of problems which make an installation with the Flask support compiled

I have just committed the patch below. Ian. # HG changeset patch # User Ian Jackson <Ian.Jackson@eu.citrix.com> # Date 1323712783 0 # Node ID 7ca56cca09ade16645fb4806be2c5b2b0bc3332b # Parent 7e90178b8bbfd2f78e8f4c6d593a2fb233350f41 flask: add tools/flask/utils/flask-label-pci to .hgignore This was apparently forgotten in 24353:448c48326d6b Signed-off-by: Ian Jackson