Re: [Xen-devel] [PATCH] xsm/flask: Handle policy load failures properly

[Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>]

On 02/23/2015 11:48 AM, Wei Liu wrote:
> On Mon, Feb 23, 2015 at 11:11:39AM -0500, Daniel De Graaf wrote:
> [...]
> > -    if ( flask_enforcing )
> > +    if ( ret && policy_size )
> > +        panic("Flask: Unable to load XSM policy");
> > +
> > +    if ( ret )
> > +        printk("Flask:  Starting with no policy loaded.\n");
> > +    else if ( flask_enforcing )
> >           printk("Flask:  Starting in enforcing mode.\n");
> I have a question with regard to XSM in general.
>
> This branching gives me the impression that if no policy is provided
> flask is not enforced even if you have flask_enforned=1. What mode is it
> in? Enforcing or permissive? Is it in permissive mode until a policy is
> loaded? Is it enforcing dummy policy (though it appears to pass every
> check)?
>
> Wei.
When no policy is loaded, the FLASK policy is equivalent to an allow-all
policy; see xen/xsm/flask/ss/services.c:security_compute_av where it
bails out if !ss_initialized.  It could be considered as either enforcing
or being permissive with an allow-all policy, but the actual access is
the same.

When a policy is loaded later, the value of flask_enforcing will be used
to decide if the policy is applied in enforcing or permissive mode; by
that time, the value could also have been changed using xl setenforce.

I decided to make the messages exclusive so that you could more easily
tell by looking at a single line if the policy was loaded and enforced
correctly.  Combining both pieces of information in a single line like
the following would also work, if you think this would be better:

printk("Flask: Starting with%s policy loaded in %s mode.\n",
       ret ? " no" : "", flask_enforcing ? "enforcing" : "permissive");

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel