From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Jan Beulich <JBeulich@suse.com>
Cc: andrew.cooper3@citrix.com, cardoe@cardoe.com,
xen-devel@lists.xenproject.org
Subject: Re: [PATCH] flask: change default state to enforcing
Date: Fri, 11 Mar 2016 10:51:25 -0500 [thread overview]
Message-ID: <56E2E97D.2050806@tycho.nsa.gov> (raw)
In-Reply-To: <56E2F5C302000078000DBA98@prv-mh.provo.novell.com>
On 03/11/2016 10:43 AM, Jan Beulich wrote:
>>>> On 11.03.16 at 16:39, <dgdegra@tycho.nsa.gov> wrote:
>> On 03/11/2016 04:07 AM, Jan Beulich wrote:
>>>>>> On 10.03.16 at 19:30, <dgdegra@tycho.nsa.gov> wrote:
>>>> This change will cause the boot to fail if you do not specify an XSM
>>>> policy during boot; if you need to load a policy from dom0, use the
>>>> "flask=late" boot parameter.
>>>
>>> And what mode is the system in until that happens? From the
>>> command line doc, I understand it would be in not-enforcing
>>> mode, but that seems contrary to the code (already before
>>> your change) setting flask_enforcing to 1 in that case.
>>
>> The FLASK code does not deny any actions until a policy has been loaded,
>> so the flask_enforcing value only takes effect then. With flask=late,
>> userspace code can also adjust the value (xl setenforce) before loading
>> the policy.
>
> So doesn't this leave the system again in an insecure state then?
>
> Jan
It does, at least until the policy is loaded. The point of "flask=late" is
that dom0 loads the policy early in boot, preferably before creating any
domains. Since all xen architectures now support loading the policy from
the bootloader, this is never a required mode of operation. We did discuss
preventing the creation of domains without a policy loaded to avoid making
this mistake, but since this is no longer the default, I don't think that
type of guard isnecessary.
--
Daniel De Graaf
National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-03-11 15:51 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-09 1:51 XSM permissive by default Konrad Rzeszutek Wilk
2016-03-09 2:11 ` Doug Goldstein
2016-03-09 13:24 ` Andrew Cooper
2016-03-09 21:17 ` Konrad Rzeszutek Wilk
2016-03-09 22:09 ` Daniel De Graaf
2016-03-10 2:40 ` Doug Goldstein
2016-03-10 17:10 ` Konrad Rzeszutek Wilk
2016-03-10 17:34 ` Doug Goldstein
2016-03-10 17:44 ` Andrew Cooper
2016-03-10 18:30 ` [PATCH] flask: change default state to enforcing Daniel De Graaf
2016-03-10 19:12 ` Konrad Rzeszutek Wilk
2016-03-10 19:37 ` Daniel De Graaf
2016-03-15 14:48 ` Anshul Makkar
2016-03-11 9:07 ` Jan Beulich
2016-03-11 14:58 ` Konrad Rzeszutek Wilk
2016-03-11 15:39 ` Daniel De Graaf
2016-03-11 15:43 ` Jan Beulich
2016-03-11 15:51 ` Daniel De Graaf [this message]
2016-04-04 17:12 ` XSM permissive by default Ian Jackson
2016-04-05 8:03 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56E2E97D.2050806@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=cardoe@cardoe.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).