[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] xsm/flask: Handle policy load failures properly

On 24/02/2015 09:39, Ian Campbell wrote:
On Tue, 2015-02-24 at 09:31 +0000, Julien Grall wrote:

On 24/02/2015 08:47, Ian Campbell wrote:
On Mon, 2015-02-23 at 12:53 -0500, Daniel De Graaf wrote:
When no policy is loaded, the FLASK policy is equivalent to an allow-all
policy; see xen/xsm/flask/ss/services.c:security_compute_av where it
bails out if !ss_initialized.  It could be considered as either enforcing
or being permissive with an allow-all policy, but the actual access is
the same.

Do you think anyone would want an option to be provided which causes Xen
to fail to boot if a proper policy isn't provided (and loaded)? Similar
to how iommu=force works.

I can see how osstest testcases for xsm might want this to avoid
accidentally testing with no policy, but not sure if it would be
considered generally useful enough to be added.

I think it would make sense to panic when flask_enforcing is enabled and
the policy is not loaded or valid.

That would stop you running in enforcing mode with a late loaded policy.
A separate flag to enforce boot time loading was what I was thinking of.

You can enforce the policy later via xl setenforce.

So if someone wants to load a policy later and enforced it, he would have to call :
        - xl loadpolicy
        - xl setenforce

IHMO, when you set flask_enforcing on the command line, you expect to pass a policy via the bootloader.


Julien Grall

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.