From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Cooper Subject: Re: [PATCH] xsm/flask: Handle policy load failures properly Date: Mon, 23 Feb 2015 18:11:33 +0000 Message-ID: <54EB6D55.3040704@citrix.com> References: <1424707899-18101-1-git-send-email-dgdegra@tycho.nsa.gov> <20150223164823.GD20083@zion.uk.xensource.com> <54EB6930.2040703@tycho.nsa.gov> <20150223180018.GF20083@zion.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YPxW5-0003y3-00 for xen-devel@lists.xenproject.org; Mon, 23 Feb 2015 18:14:01 +0000 In-Reply-To: <20150223180018.GF20083@zion.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Wei Liu , Daniel De Graaf Cc: xen-devel@lists.xenproject.org, julien.grall@linaro.org List-Id: xen-devel@lists.xenproject.org On 23/02/15 18:00, Wei Liu wrote: > On Mon, Feb 23, 2015 at 12:53:52PM -0500, Daniel De Graaf wrote: >> On 02/23/2015 11:48 AM, Wei Liu wrote: >>> On Mon, Feb 23, 2015 at 11:11:39AM -0500, Daniel De Graaf wrote: >>> [...] >>>> - if ( flask_enforcing ) >>>> + if ( ret && policy_size ) >>>> + panic("Flask: Unable to load XSM policy"); >>>> + >>>> + if ( ret ) >>>> + printk("Flask: Starting with no policy loaded.\n"); >>>> + else if ( flask_enforcing ) >>>> printk("Flask: Starting in enforcing mode.\n"); >>> I have a question with regard to XSM in general. >>> >>> This branching gives me the impression that if no policy is provided >>> flask is not enforced even if you have flask_enforned=1. What mode is it >>> in? Enforcing or permissive? Is it in permissive mode until a policy is >>> loaded? Is it enforcing dummy policy (though it appears to pass every >>> check)? >>> >>> Wei. >> When no policy is loaded, the FLASK policy is equivalent to an allow-all >> policy; see xen/xsm/flask/ss/services.c:security_compute_av where it >> bails out if !ss_initialized. It could be considered as either enforcing >> or being permissive with an allow-all policy, but the actual access is >> the same. >> >> When a policy is loaded later, the value of flask_enforcing will be used >> to decide if the policy is applied in enforcing or permissive mode; by >> that time, the value could also have been changed using xl setenforce. >> > Thanks for the explanation. > >> I decided to make the messages exclusive so that you could more easily >> tell by looking at a single line if the policy was loaded and enforced >> correctly. Combining both pieces of information in a single line like >> the following would also work, if you think this would be better: >> >> printk("Flask: Starting with%s policy loaded in %s mode.\n", >> ret ? " no" : "", flask_enforcing ? "enforcing" : "permissive"); >> > Yes, I think this is clearer. Thanks. One possible string out of that printk is "Starting with no policy loaded in permissive mode" which is ambiguous. Perhaps: "Flask: Starting in %s mode. Policy is %s loaded" with s/no/not/ ? ~Andrew