Re: [Xen-devel] [PATCH v2] xsm/flask: Handle policy load failures properly

["Jan Beulich" <JBeulich@xxxxxxxx>]

>>> On 23.02.15 at 20:00, <dgdegra@xxxxxxxxxxxxx> wrote:
> --- a/xen/xsm/flask/flask_op.c
> +++ b/xen/xsm/flask/flask_op.c
> @@ -506,6 +506,7 @@ static int flask_security_load(struct xen_flask_load 
> *load)
>  {
>      int ret;
>      void *buf = NULL;
> +    int is_reload = ss_initialized;

I realize ss_initialized is int, but both it and the variable here are
really supposed to be bool_t.

> @@ -530,6 +531,10 @@ static int flask_security_load(struct xen_flask_load 
> *load)
>      if ( ret )
>          goto out;
>  
> +    if ( !is_reload )
> +        printk("Flask: Starting in %s mode.\n",
> +            flask_enforcing ? "enforcing" : "permissive");

Do you really need this message here and ...

> @@ -1643,14 +1641,17 @@ static __init int flask_init(void)
>      if ( register_xsm(&flask_ops) )
>          panic("Flask: Unable to register with XSM");
>  
> -    ret = security_load_policy(policy_buffer, policy_size);
> +    if ( policy_size == 0 )
> +    {
> +        printk("Flask: Access controls disabled until policy is loaded.\n");
> +        return;
> +    }
>  
> -    if ( flask_enforcing )
> -        printk("Flask:  Starting in enforcing mode.\n");
> -    else
> -        printk("Flask:  Starting in permissive mode.\n");
> +    if ( security_load_policy(policy_buffer, policy_size) )
> +        panic("Flask: Unable to load XSM policy");
>  
> -    return ret;
> +    printk("Flask: Starting in %s mode.\n",
> +        flask_enforcing ? "enforcing" : "permissive");

... here again?

Also I'd appreciate if the printk()-s here could get proper XENLOG_*
attached.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel