From: Wei Liu <wei.liu2@citrix.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: xen-devel@lists.xenproject.org, julien.grall@linaro.org,
	Wei Liu <wei.liu2@citrix.com>
Subject: Re: [PATCH] xsm/flask: Handle policy load failures properly
Date: Mon, 23 Feb 2015 18:00:18 +0000
Message-ID: <20150223180018.GF20083@zion.uk.xensource.com>
In-Reply-To: <54EB6930.2040703@tycho.nsa.gov>

On Mon, Feb 23, 2015 at 12:53:52PM -0500, Daniel De Graaf wrote:
> On 02/23/2015 11:48 AM, Wei Liu wrote:
> >On Mon, Feb 23, 2015 at 11:11:39AM -0500, Daniel De Graaf wrote:
> >[...]
> >>-    if ( flask_enforcing )
> >>+    if ( ret && policy_size )
> >>+        panic("Flask: Unable to load XSM policy");
> >>+
> >>+    if ( ret )
> >>+        printk("Flask:  Starting with no policy loaded.\n");
> >>+    else if ( flask_enforcing )
> >>          printk("Flask:  Starting in enforcing mode.\n");
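Review bot: The panic() in the new "ret && policy_size" branch drops the value of ret, so a boot that halts because a supplied policy failed to load gives no indication of why. Assuming ret carries an error code, include it in the message, for example panic("Flask: Unable to load XSM policy (%d)", ret). Separately, the "Starting with no policy loaded" branch no longer reports flask_enforcing at all, although that setting still decides how a policy loaded later is applied; printing both facts would keep the boot log complete.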
> >
> >I have a question with regard to XSM in general.
> >
> >This branching gives me the impression that if no policy is provided
> >flask is not enforced even if you have flask_enforcing=1. What mode is it
> >in? Enforcing or permissive? Is it in permissive mode until a policy is
> >loaded? Is it enforcing dummy policy (though it appears to pass every
> >check)?
> >
> >Wei.
> 
> When no policy is loaded, the FLASK policy is equivalent to an allow-all
> policy; see xen/xsm/flask/ss/services.c:security_compute_av where it
> bails out if !ss_initialized.  It could be considered as either enforcing
> or being permissive with an allow-all policy, but the actual access is
> the same.
> 
> When a policy is loaded later, the value of flask_enforcing will be used
> to decide if the policy is applied in enforcing or permissive mode; by
> that time, the value could also have been changed using xl setenforce.
> 

Thanks for the explanation.

> I decided to make the messages exclusive so that you could more easily
> tell by looking at a single line if the policy was loaded and enforced
> correctly.  Combining both pieces of information in a single line like
> the following would also work, if you think this would be better:
> 
> printk("Flask: Starting with%s policy loaded in %s mode.\n",
>        ret ? " no" : "", flask_enforcing ? "enforcing" : "permissive");
> 

Yes, I think this is clearer. Thanks.

Wei.

> -- 
> Daniel De Graaf
> National Security Agency
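
An added example, not part of the original message or of the Xen tree: a Python check that reads a hypervisor boot log for the Flask start-up line discussed above, accepting both the patch's exclusive messages and the combined format, and flags the allow-all and permissive cases. The function names and sample log lines are constructed for illustration; it assumes a build with this patch, where a bare mode line is only printed after a successful policy load.

```python
import re

# Matches the exclusive messages in the patch and the combined format from the reply.
FLASK_LINE = re.compile(
    r"Flask:\s+Starting"
    r"(?P<policy> with(?P<no> no)? policy loaded)?"
    r"(?: in (?P<mode>enforcing|permissive) mode)?\."
)

def flask_boot_state(log_text):
    """Return (policy_loaded, mode) from the last Flask start-up line, or None."""
    state = None
    for line in log_text.splitlines():
        m = FLASK_LINE.search(line)
        if not m or not (m.group("policy") or m.group("mode")):
            continue
        # Assumption: with the patch's exclusive messages, a bare mode line
        # is only printed when the policy load succeeded (ret == 0).
        loaded = m.group("no") is None
        state = (loaded, m.group("mode"))  # mode is None if the line omits it
    return state

def audit(log_text, require_enforcing=True):
    """Return a list of findings; an empty list means the boot state is as expected."""
    state = flask_boot_state(log_text)
    if state is None:
        return ["no Flask start-up line found"]
    loaded, mode = state
    findings = []
    if not loaded:
        findings.append("no policy loaded: checks are allow-all until one is loaded")
    if require_enforcing and mode == "permissive":
        findings.append("flask_enforcing is off: policy runs in permissive mode")
    return findings

# Constructed sample logs (not captured from a real host).
SAMPLES = {
    "exclusive_ok": "(XEN) Flask:  Starting in enforcing mode.\n",
    "exclusive_nopolicy": "(XEN) Flask:  Starting with no policy loaded.\n",
    "combined_nopolicy": "(XEN) Flask: Starting with no policy loaded in enforcing mode.\n",
    "combined_permissive": "(XEN) Flask: Starting with policy loaded in permissive mode.\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, flask_boot_state(text), audit(text))
```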
