On 02/24/2015 05:11 AM, Jan Beulich wrote:
On 23.02.15 at 20:00, <dgde...@tycho.nsa.gov> wrote:
--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -506,6 +506,7 @@ static int flask_security_load(struct xen_flask_load *load)
{
int ret;
void *buf = NULL;
+ int is_reload = ss_initialized;
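Review bot: `is_reload` samples `ss_initialized` at function entry, before the policy load that can set it, and that ordering is the whole basis for telling a first load from a reload; a one-line comment at the declaration (e.g. `/* sampled before the load below may set ss_initialized */`) would stop a later reordering of the locals from silently disabling the first-load message. Once the type is changed to `bool_t` as requested below, the initialiser should normalise the value as well, e.g. `bool_t is_reload = !!ss_initialized;`, so the flag is strictly 0 or 1.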
I realize ss_initialized is int, but both it and the variable here are
really supposed to be bool_t.
OK, I will change the definition I added.
@@ -530,6 +531,10 @@ static int flask_security_load(struct xen_flask_load *load)
if ( ret )
goto out;
+ if ( !is_reload )
+ printk("Flask: Starting in %s mode.\n",
+ flask_enforcing ? "enforcing" : "permissive");
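Review bot: the new printk() carries no log level, so it is emitted at the default level; since this is the only record of which mode a late-loaded policy put the hypervisor into, it should be tagged explicitly, e.g. `printk(XENLOG_INFO "Flask: Starting in %s mode.\n", ...)`. The same format string and `flask_enforcing ? "enforcing" : "permissive"` ternary are duplicated in flask_init() below; a small shared helper (a hypothetical `flask_print_mode()`) called from both sites would keep the two messages from drifting apart.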
Do you really need this message here and ...
This one is only shown if you are doing a late policy load, and...
@@ -1643,14 +1641,17 @@ static __init int flask_init(void)
if ( register_xsm(&flask_ops) )
panic("Flask: Unable to register with XSM");
- ret = security_load_policy(policy_buffer, policy_size);
+ if ( policy_size == 0 )
+ {
+ printk("Flask: Access controls disabled until policy is loaded.\n");
+ return;
+ }
- if ( flask_enforcing )
- printk("Flask: Starting in enforcing mode.\n");
- else
- printk("Flask: Starting in permissive mode.\n");
+ if ( security_load_policy(policy_buffer, policy_size) )
+ panic("Flask: Unable to load XSM policy");
- return ret;
+ printk("Flask: Starting in %s mode.\n",
+ flask_enforcing ? "enforcing" : "permissive");
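Review bot: the bare `return;` in the `policy_size == 0` branch, together with the removal of the trailing `return ret;`, only compiles cleanly if flask_init() now returns void, yet the hunk header still reads `static __init int flask_init(void)`; either the signature change lives in an earlier hunk not quoted here, or this path needs a value. Two further points on the same hunk: "Access controls disabled until policy is loaded." describes a state an administrator should notice at boot, so it deserves `XENLOG_WARNING` rather than the default level; and replacing `return ret` with `panic("Flask: Unable to load XSM policy")` turns a previously reportable load failure into a boot halt, which is a reasonable fail-closed choice but should be spelled out in the commit message.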
... here again?
This one is only shown if doing a policy load via the bootloader.
Also I'd appreciate it if the printk()-s here could get proper XENLOG_*
attached.
Will do. I think I will also send a cleanup patch to remove the rather
useless marker messages "Flask: Initializing." and "AVC INITIALIZED";
they convey no useful information.
--
Daniel De Graaf
National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel