[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2] xsm/flask: Handle policy load failures properly



On 02/24/2015 05:11 AM, Jan Beulich wrote:
On 23.02.15 at 20:00, <dgdegra@xxxxxxxxxxxxx> wrote:
--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -506,6 +506,7 @@ static int flask_security_load(struct xen_flask_load *load)
  {
      int ret;
      void *buf = NULL;
+    int is_reload = ss_initialized;

I realize ss_initialized is int, but both it and the variable here are
really supposed to be bool_t.

OK, I will change the definition I added.

@@ -530,6 +531,10 @@ static int flask_security_load(struct xen_flask_load *load)
      if ( ret )
          goto out;

+    if ( !is_reload )
+        printk("Flask: Starting in %s mode.\n",
+            flask_enforcing ? "enforcing" : "permissive");

Do you really need this message here and ...

This one is only shown if you are doing a late policy load, and...


@@ -1643,14 +1641,17 @@ static __init int flask_init(void)
      if ( register_xsm(&flask_ops) )
          panic("Flask: Unable to register with XSM");

-    ret = security_load_policy(policy_buffer, policy_size);
+    if ( policy_size == 0 )
+    {
+        printk("Flask: Access controls disabled until policy is loaded.\n");
+        return;
+    }

-    if ( flask_enforcing )
-        printk("Flask:  Starting in enforcing mode.\n");
-    else
-        printk("Flask:  Starting in permissive mode.\n");
+    if ( security_load_policy(policy_buffer, policy_size) )
+        panic("Flask: Unable to load XSM policy");

-    return ret;
+    printk("Flask: Starting in %s mode.\n",
+        flask_enforcing ? "enforcing" : "permissive");

... here again?

This one is only shown if doing a policy load via the bootloader.

Also I'd appreciate if the printk()-s here could get proper XENLOG_*
attached.

Will do.  I think I will also send a cleanup patch to remove the rather
useless marker messages "Flask:  Initializing." and "AVC INITIALIZED";
they convey no useful information.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.