From: Julien Grall
Subject: Re: [PATCH] xsm/flask: Handle policy load failures properly
Date: Tue, 24 Feb 2015 09:51:21 +0000
Message-ID: <54EC4999.6000505@linaro.org>
In-Reply-To: <1424770748.27930.266.camel@citrix.com>
To: Ian Campbell
Cc: xen-devel@lists.xenproject.org, Daniel De Graaf, Wei Liu
List-Id: xen-devel@lists.xenproject.org

On 24/02/2015 09:39, Ian Campbell wrote:
> On Tue, 2015-02-24 at 09:31 +0000, Julien Grall wrote:
>>
>> On 24/02/2015 08:47, Ian Campbell wrote:
>>> On Mon, 2015-02-23 at 12:53 -0500, Daniel De Graaf wrote:
>>>> When no policy is loaded, the FLASK policy is equivalent to an allow-all
>>>> policy; see xen/xsm/flask/ss/services.c:security_compute_av where it
>>>> bails out if !ss_initialized. It could be considered as either enforcing
>>>> or being permissive with an allow-all policy, but the actual access is
>>>> the same.
>>>
>>> Do you think anyone would want an option to be provided which causes Xen
>>> to fail to boot if a proper policy isn't provided (and loaded)? Similar
>>> to how iommu=force works.
>>>
>>> I can see how osstest testcases for xsm might want this to avoid
>>> accidentally testing with no policy, but not sure if it would be
>>> considered generally useful enough to be added.
>>
>> I think it would make sense to panic when flask_enforcing is enabled and
>> the policy is not loaded or valid.
>
> That would stop you running in enforcing mode with a late loaded policy.
> A separate flag to enforce boot time loading was what I was thinking of.

You can enforce the policy later via xl setenforce. So if someone wants to
load a policy later and enforce it, he would have to call:
 - xl loadpolicy
 - xl setenforce

IMHO, when you set flask_enforcing on the command line, you expect to pass
a policy via the bootloader.

Regards,

-- 
Julien Grall
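As an added illustration, not Xen's code and not part of this thread: a small C model of the behaviour Daniel describes (no loaded policy means security_compute_av returns allow-all, whatever flask_enforcing says) together with the boot-time check Ian proposes. The function names echo Xen's, but the rule struct, the policy table and the check are constructed here and are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define AV_NONE  0u
#define AV_READ  1u
#define AV_WRITE 2u
#define AV_ALL   (~0u)

/* Constructed rule shape: which permissions src may exercise on tgt. */
struct av_rule { const char *src; const char *tgt; unsigned allowed; };

static bool ss_initialized;   /* set only once a policy loaded and validated */
static int  flask_enforcing;  /* 0 = permissive, 1 = enforcing */
static struct av_rule policy[8];
static size_t policy_len;

/* Load a rule set; on failure ss_initialized stays clear, so the
 * allow-all fallback below remains in effect (the risk the thread discusses). */
int security_load_policy(const struct av_rule *rules, size_t n)
{
    if (n == 0 || n > sizeof(policy) / sizeof(policy[0]))
        return -1;
    memcpy(policy, rules, n * sizeof(*rules));
    policy_len = n;
    ss_initialized = true;
    return 0;
}

/* Access vector for src -> tgt, with the early bail-out Daniel points at:
 * no policy means every permission is granted. */
unsigned security_compute_av(const char *src, const char *tgt)
{
    if (!ss_initialized)
        return AV_ALL;
    for (size_t i = 0; i < policy_len; i++)
        if (!strcmp(policy[i].src, src) && !strcmp(policy[i].tgt, tgt))
            return policy[i].allowed;
    return AV_NONE;
}

/* Permissive mode only logs denials (modelled here as "allowed"). */
bool flask_access_allowed(const char *src, const char *tgt, unsigned want)
{
    bool permitted = (security_compute_av(src, tgt) & want) == want;
    return permitted || !flask_enforcing;
}

/* Boot-time check in the spirit of iommu=force: refuse to continue when
 * enforcement is requested but no policy was loaded. -1 stands for panic(). */
int flask_boot_check(int enforcing, bool require_policy)
{
    flask_enforcing = enforcing;
    return (enforcing && require_policy && !ss_initialized) ? -1 : 0;
}
```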