Re: [Xen-devel] [PATCH] xsm/flask: Handle policy load failures properly

[Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>]

On 02/24/2015 05:21 AM, Ian Campbell wrote:
> On Tue, 2015-02-24 at 09:51 +0000, Julien Grall wrote:
> > On 24/02/2015 09:39, Ian Campbell wrote:
> > > On Tue, 2015-02-24 at 09:31 +0000, Julien Grall wrote:
> > > > On 24/02/2015 08:47, Ian Campbell wrote:
> > > > > On Mon, 2015-02-23 at 12:53 -0500, Daniel De Graaf wrote:
> > > > > > When no policy is loaded, the FLASK policy is equivalent to an allow-all
> > > > > > policy; see xen/xsm/flask/ss/services.c:security_compute_av where it
> > > > > > bails out if !ss_initialized.  It could be considered as either enforcing
> > > > > > or being permissive with an allow-all policy, but the actual access is
> > > > > > the same.
> > > > > Do you think anyone would want an option to be provided which causes Xen
> > > > > to fail to boot if a proper policy isn't provided (and loaded)? Similar
> > > > > to how iommu=force works.
> > > > >
> > > > > I can see how osstest testcases for xsm might want this to avoid
> > > > > accidentally testing with no policy, but not sure if it would be
> > > > > considered generally useful enough to be added.
> > > > I think it would make sense to panic when flask_enforcing is enabled and
> > > > the policy is not loaded or valid.
> > > That would stop you running in enforcing mode with a late loaded policy.
> > > A separate flag to enforce boot time loading was what I was thinking of.
> > You can enforce the policy later via xl setenforce.
> Ah, good.
>
> > So if someone wants to load a policy later and enforced it, he would
> > have to call :
> >         - xl loadpolicy
> >         - xl setenforce
> >
> > IHMO, when you set flask_enforcing on the command line, you expect to
> > pass a policy via the bootloader.
> That doesn't seem unreasonable -- Daniel what do you think?
This seems a reasonable solution if we don't want to change how the boot
parameters are set up.

Another alternative would be to change flask_enforcing/flask_enabled to
a single "flask=" parameter with options:
 disabled - revert to dummy (no XSM) policy, same as flask_enabled=0
 develop/permissive - a missing or broken policy does not panic
 enforce/enforcing/force - require policy to be loaded at boot time
 late/load - bootloader policy is not used; later loadpolicy is enforcing

The default would be "permissive" as in the existing hypervisor.  This
would be more flexible, but I'm not sure it is worth breaking existing
command lines and changing documentation to implement.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel