From: Ian Campbell
Subject: Re: [PATCH] xsm/flask: Handle policy load failures properly
Date: Tue, 24 Feb 2015 10:21:34 +0000
Message-ID: <1424773294.27930.296.camel@citrix.com>
References: <1424707899-18101-1-git-send-email-dgdegra@tycho.nsa.gov>
 <20150223164823.GD20083@zion.uk.xensource.com>
 <54EB6930.2040703@tycho.nsa.gov>
 <1424767648.32223.3.camel@citrix.com>
 <54EC44FA.2090005@linaro.org>
 <1424770748.27930.266.camel@citrix.com>
 <54EC4999.6000505@linaro.org>
In-Reply-To: <54EC4999.6000505@linaro.org>
To: Julien Grall
Cc: xen-devel@lists.xenproject.org, Daniel De Graaf, Wei Liu
List-Id: xen-devel@lists.xenproject.org

On Tue, 2015-02-24 at 09:51 +0000, Julien Grall wrote:
>
> On 24/02/2015 09:39, Ian Campbell wrote:
> > On Tue, 2015-02-24 at 09:31 +0000, Julien Grall wrote:
> >>
> >> On 24/02/2015 08:47, Ian Campbell wrote:
> >>> On Mon, 2015-02-23 at 12:53 -0500, Daniel De Graaf wrote:
> >>>> When no policy is loaded, the FLASK policy is equivalent to an allow-all
> >>>> policy; see xen/xsm/flask/ss/services.c:security_compute_av where it
> >>>> bails out if !ss_initialized. It could be considered as either enforcing
> >>>> or being permissive with an allow-all policy, but the actual access is
> >>>> the same.
> >>>
> >>> Do you think anyone would want an option to be provided which causes Xen
> >>> to fail to boot if a proper policy isn't provided (and loaded)? Similar
> >>> to how iommu=force works.
> >>>
> >>> I can see how osstest testcases for xsm might want this to avoid
> >>> accidentally testing with no policy, but not sure if it would be
> >>> considered generally useful enough to be added.
> >>
> >> I think it would make sense to panic when flask_enforcing is enabled and
> >> the policy is not loaded or valid.
> >
> > That would stop you running in enforcing mode with a late loaded policy.
> > A separate flag to enforce boot time loading was what I was thinking of.
>
> You can enforce the policy later via xl setenforce.

Ah, good.

> So if someone wants to load a policy later and enforce it, he would
> have to call:
> - xl loadpolicy
> - xl setenforce
>
> IMHO, when you set flask_enforcing on the command line, you expect to
> pass a policy via the bootloader.

That doesn't seem unreasonable -- Daniel what do you think?
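The two facts this thread turns on are easy to lose in the quoting: with no policy loaded, security_compute_av() in Xen's FLASK returns before consulting any policy, so every access is allowed no matter what flask_enforcing says; and the option Ian floats would make the hypervisor refuse to boot when enforcing was requested but no policy arrived via the bootloader, while still letting an enforcing run be reached later with xl loadpolicy followed by xl setenforce. The C below is an added example written for this page, not Xen code and not Daniel's patch. It models that bail-out with a toy in-memory policy and adds a hypothetical require_policy boot flag (assumed here; the struct, function names, SIDs, class numbers and the sample rule are all the example's own) so the "enforcing with no policy is silently allow-all" case can be seen side by side with the "panic at boot" case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AV_ALL 0xffffffffu   /* every permission bit set */

/* Model of the security-server state (names are the example's own). */
struct flask_state {
    bool ss_initialized;   /* a policy has been loaded and parsed */
    bool enforcing;        /* stands in for Xen's flask_enforcing */
    bool require_policy;   /* ASSUMED option: refuse to boot without a policy */
};

/* Toy policy: one allow rule per (source SID, target SID, class). */
struct av_rule { uint32_t ssid, tsid, tclass, allowed; };

/* Constructed sample policy, not a real FLASK policy: SID 1 may use
 * permission bits 0 and 1 of class 10 on SID 2, and nothing else. */
static const struct av_rule toy_policy[] = {
    { 1, 2, 10, 0x3u },
};

/* Allowed vector for (ssid, tsid, tclass). The early return models the
 * !ss_initialized bail-out the thread points at in security_compute_av(). */
uint32_t compute_av(const struct flask_state *st,
                    uint32_t ssid, uint32_t tsid, uint32_t tclass)
{
    if (!st->ss_initialized)
        return AV_ALL;                       /* no policy: allow everything */

    for (size_t i = 0; i < sizeof toy_policy / sizeof toy_policy[0]; i++) {
        const struct av_rule *r = &toy_policy[i];
        if (r->ssid == ssid && r->tsid == tsid && r->tclass == tclass)
            return r->allowed;
    }
    return 0;                                /* policy present: default deny */
}

/* Access check: 0 = allowed, -1 = denied. Permissive mode lets a
 * non-granted access through (it would be audited); enforcing refuses it. */
int avc_has_perm(const struct flask_state *st, uint32_t ssid, uint32_t tsid,
                 uint32_t tclass, uint32_t requested)
{
    uint32_t allowed = compute_av(st, ssid, tsid, tclass);

    if ((requested & ~allowed) == 0)
        return 0;
    return st->enforcing ? -1 : 0;
}

enum boot_outcome { BOOT_OK = 0, BOOT_PANIC = 1 };

/* Assumed boot-time check (the option discussed, not existing Xen
 * behaviour): enforcing requested, policy required, none loaded => panic.
 * Without require_policy, enforcing with no policy continues, so a policy
 * can still be loaded and enforced later from dom0 with xl. */
enum boot_outcome flask_boot_check(const struct flask_state *st)
{
    if (st->require_policy && st->enforcing && !st->ss_initialized)
        return BOOT_PANIC;
    return BOOT_OK;
}

int main(void)
{
    const struct flask_state no_policy_enf = { false, true,  false };
    const struct flask_state policy_enf    = { true,  true,  false };
    const struct flask_state policy_perm   = { true,  false, false };
    const struct flask_state strict_boot   = { false, true,  true  };

    /* Same request each time: bit 2 of class 10, never granted by toy_policy. */
    printf("no policy, enforcing : %s\n",
           avc_has_perm(&no_policy_enf, 1, 2, 10, 0x4u) ? "denied" : "allowed");
    printf("policy,    enforcing : %s\n",
           avc_has_perm(&policy_enf, 1, 2, 10, 0x4u) ? "denied" : "allowed");
    printf("policy,    permissive: %s\n",
           avc_has_perm(&policy_perm, 1, 2, 10, 0x4u) ? "denied" : "allowed");
    printf("boot, enforcing, no policy, require_policy: %s\n",
           flask_boot_check(&strict_boot) == BOOT_PANIC ? "panic" : "continue");
    return 0;
}
```

The first printed line is the case Daniel describes: "enforcing" with nothing loaded grants the access outright, which is why a boot-time check that treats a missing policy as fatal is the only way to tell that configuration apart from a permissive one.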