While the behavior to ignore this option without FLASK support was
properly documented, it is still somewhat surprising to someone using
this option and then still _not_ getting the assumed security. Add a
2nd handler for the command line option for the XSM_FLASK=n case, and
invoke panic() when the option is specified (and not subsequently
overridden by "flask=disabled").
Suggested-by: Ian Jackson <ian.jackson@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -998,8 +998,9 @@ to use the default.
> Default: `enforcing`
Specify how the FLASK security server should be configured. This option is only
-available if the hypervisor was compiled with FLASK support. This can be
-enabled by running either:
+available if the hypervisor was compiled with FLASK support, except that
+`flask=enforcing` will still keep the hypervisor from successfully booting even
+without FLASK support. FLASK support can be enabled by running either:
- make -C xen config and enabling XSM and FLASK.
- make -C xen menuconfig and enabling 'FLux Advanced Security Kernel support' and 'Xen Security Modules support'
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -211,7 +211,33 @@ int __init register_xsm(struct xsm_opera
return 0;
}
-#endif
+#endif /* CONFIG_XSM */
+
+#ifndef CONFIG_XSM_FLASK
+static bool __initdata _flask_enforcing;
+
+static int __init parse_flask_param(const char *s)
+{
+ if ( !strcmp(s, "enforcing") )
+ _flask_enforcing = true;
+ else if ( !strcmp(s, "disabled") )
+ _flask_enforcing = false;
+ else
+ return -EINVAL;
+
+ return 0;
+}
+custom_param("flask", parse_flask_param);
+
+static int __init check_flask_enforcing(void)
+{
+ if ( _flask_enforcing )
+ panic("\"flask=enforcing\" specified without FLASK support\n");
+
+ return 0;
+}
+__initcall(check_flask_enforcing);
+#endif /* !CONFIG_XSM_FLASK */
long do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{
properly documented, it is still somewhat surprising to someone using
this option and then still _not_ getting the assumed security. Add a
2nd handler for the command line option for the XSM_FLASK=n case, and
invoke panic() when the option is specified (and not subsequently
overridden by "flask=disabled").
Suggested-by: Ian Jackson <ian.jackson@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -998,8 +998,9 @@ to use the default.
> Default: `enforcing`
Specify how the FLASK security server should be configured. This option is only
-available if the hypervisor was compiled with FLASK support. This can be
-enabled by running either:
+available if the hypervisor was compiled with FLASK support, except that
+`flask=enforcing` will still keep the hypervisor from successfully booting even
+without FLASK support. FLASK support can be enabled by running either:
- make -C xen config and enabling XSM and FLASK.
- make -C xen menuconfig and enabling 'FLux Advanced Security Kernel support' and 'Xen Security Modules support'
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -211,7 +211,33 @@ int __init register_xsm(struct xsm_opera
return 0;
}
-#endif
+#endif /* CONFIG_XSM */
+
+#ifndef CONFIG_XSM_FLASK
+static bool __initdata _flask_enforcing;
+
+static int __init parse_flask_param(const char *s)
+{
+ if ( !strcmp(s, "enforcing") )
+ _flask_enforcing = true;
+ else if ( !strcmp(s, "disabled") )
+ _flask_enforcing = false;
+ else
+ return -EINVAL;
+
+ return 0;
+}
+custom_param("flask", parse_flask_param);
+
+static int __init check_flask_enforcing(void)
+{
+ if ( _flask_enforcing )
+ panic("\"flask=enforcing\" specified without FLASK support\n");
+
+ return 0;
+}
+__initcall(check_flask_enforcing);
+#endif /* !CONFIG_XSM_FLASK */
long do_xsm_op (XEN_GUEST_HANDLE_PARAM(xsm_op_t) op)
{