[Xen-devel] [PATCH v2] xsm/flask: Handle policy load failures properly
When the hypervisor is booted with an XSM policy containing an error
(such as a mismatched permission value), this error is mostly ignored
during boot. This causes FLASK to suspend security policy enforcement
until a policy is loaded, effectively allowing all access.

This patch adds a call to panic() if the policy load fails and a
security policy was specified. If no security policy was specified, the
existing behavior remains to allow systems to load the security policy
during the boot process with "xl loadpolicy". A distinct initialization
message has been added to distinguish this case from a successful policy
load in logs.

To clarify that the return value of XSM initcalls is ignored, this patch
also changes the return type of these functions to void.

Reported-by: Julien Grall <julien.grall@xxxxxxxxxx>
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
Changes from v1:
* Don't try to load policy when it is not present
* Clarified message when policy is not loaded at boot
* Added output on first policy load to match at-boot message
xen/include/xsm/xsm.h | 2 +-
xen/xsm/flask/flask_op.c | 5 +++++
xen/xsm/flask/hooks.c | 21 +++++++++++----------
3 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 4ce089f..0437735 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -42,7 +42,7 @@ typedef enum xsm_default xsm_default_t;
extern char *policy_buffer;
extern u32 policy_size;
-typedef int (*xsm_initcall_t)(void);
+typedef void (*xsm_initcall_t)(void);
extern xsm_initcall_t __xsm_initcall_start[], __xsm_initcall_end[];
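
Review bot: The xsm_initcall_t typedef now returns void but carries no comment saying how an initcall is expected to signal a fatal error. With the int return gone, the only way left is for the initcall to call panic() itself, as flask_init does later in this patch. A one-line comment above the typedef stating that would keep a future XSM module from failing silently. The diffstat also touches only three files, so it is worth confirming that the loop walking __xsm_initcall_start[] to __xsm_initcall_end[] never assigns or tests the call result, and that no other xsm_initcall() user still returns int.
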
diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
index 7743aac..6fd5afa 100644
--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -506,6 +506,7 @@ static int flask_security_load(struct xen_flask_load *load)
{
int ret;
void *buf = NULL;
+ int is_reload = ss_initialized;
ret = domain_has_security(current->domain, SECURITY__LOAD_POLICY);
if ( ret )
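
Review bot: is_reload is sampled from ss_initialized at declaration, before domain_has_security() and before any locking that is visible in this hunk. If two first-time loads can run concurrently, both would read 0 here and both would later print the "Starting in ... mode" line. Reading ss_initialized at the point where the load is serialized would avoid that. As a style point, the variable is only used as a flag, so a boolean type would state the intent better than int.
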
@@ -530,6 +531,10 @@ static int flask_security_load(struct xen_flask_load *load)
if ( ret )
goto out;
+ if ( !is_reload )
+ printk("Flask: Starting in %s mode.\n",
+ flask_enforcing ? "enforcing" : "permissive");
+
xfree(bool_pending_values);
bool_pending_values = NULL;
ret = 0;
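
Review bot: The new printk sits after "if ( ret ) goto out;", so a first runtime load that fails leaves no log line at all. On a system booted without a policy, that means the log still ends at "Access controls disabled until policy is loaded." and nothing records that a load was attempted and rejected while access remains unrestricted. Consider logging the failure, with ret, on the error path when !is_reload, so the condition this patch is fixing at boot is also visible when it happens through the load hypercall.
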
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index d48463f..7ce7fe9 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1625,14 +1625,12 @@ static struct xsm_operations flask_ops = {
#endif
};
-static __init int flask_init(void)
+static __init void flask_init(void)
{
- int ret = 0;
-
if ( !flask_enabled )
{
printk("Flask: Disabled at boot.\n");
- return 0;
+ return;
}
printk("Flask: Initializing.\n");
@@ -1643,14 +1641,17 @@ static __init int flask_init(void)
if ( register_xsm(&flask_ops) )
panic("Flask: Unable to register with XSM");
- ret = security_load_policy(policy_buffer, policy_size);
+ if ( policy_size == 0 )
+ {
+ printk("Flask: Access controls disabled until policy is loaded.\n");
+ return;
+ }
- if ( flask_enforcing )
- printk("Flask: Starting in enforcing mode.\n");
- else
- printk("Flask: Starting in permissive mode.\n");
+ if ( security_load_policy(policy_buffer, policy_size) )
+ panic("Flask: Unable to load XSM policy");
- return ret;
+ printk("Flask: Starting in %s mode.\n",
+ flask_enforcing ? "enforcing" : "permissive");
}
xsm_initcall(flask_init);
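
Review bot: The "no policy specified" case is decided by "policy_size == 0" alone, so a policy that was specified but arrived empty takes the early return and boots with access controls disabled instead of hitting the new panic(). If the boot code can tell "no policy module given" apart from "module given with zero length" (for example by also checking policy_buffer), the second case should panic as well, since it is the same fail-open outcome the commit message describes. Separately, the return value of security_load_policy() is now discarded; keeping it in a local and including it in the panic() message would make a bad policy much easier to diagnose from the console.
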
--
2.1.0