make -C xen menuconfig
Common Features --> XSM
Then at boot time,
# 4.9.1
flask_enforcing=1    (or 0)
# 4.10.0
flask=enforcing      (or disabled)
Note: Xen 4.9.1 compiled from the drakvuf git submodules does not warn about flask_enforcing being unknown. So either it is enabled in the micro-kernel configuration (?) or it just does not warn about it. Xen 4.10.0 warns when you try to enable it while it is not compiled in.
Then review the issues,
xl dmesg | grep avc
#?? xl dmesg | audit2allow
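An added example (not part of the original notes): a shell helper that condenses the AVC denials from `xl dmesg` into unique source/target/class/permission tuples with counts, which is easier to review than raw lines before any policy change. It assumes the usual AVC line layout (`avc: denied { perms } for ... scontext= tcontext= tclass=`); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Assumed AVC layout: avc: denied { perms } for ... scontext=S tcontext=T tclass=C

# Reads `xl dmesg` text on stdin and prints "count scontext tcontext tclass perm",
# one line per unique tuple, most frequent first.
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        s = ""; t = ""; c = ""; inperm = 0; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perms[++n] = $i; continue }
            if      ($i ~ /^scontext=/) s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        # Skip truncated lines that lack a context, class or permission.
        if (s == "" || t == "" || c == "" || n == 0) next
        # A line with several permissions counts once per permission.
        for (j = 1; j <= n; j++) seen[s " " t " " c " " perms[j]]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input (not captured from a real host).
sample_dmesg() {
    cat <<'EOF'
(XEN) unrelated boot message
(XEN) avc:  denied  { setparam } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=hvm
(XEN) avc:  denied  { setparam } for domid=0 target=2 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=hvm
(XEN) avc:  denied  { map_read map_write } for domid=1 target=3 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t tclass=mmu
(XEN) avc:  denied  { pause } for domid=0 scontext=system_u:system_r:dom0_t
EOF
}

# On a Xen host: xl dmesg | summarize_avc
sample_dmesg | summarize_avc
```

Review each tuple against what the guest is supposed to be allowed to do; a denial that repeats often is not by itself a reason to allow it.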
Review the active policies per guest,
xl list -Z