From: Konrad Rzeszutek Wilk
Subject: Re: (4.5-rc1) Problems using xl migrate
Date: Tue, 25 Nov 2014 13:17:46 -0500
Message-ID: <20141125181746.GB4005@laptop.dumpdata.com>
To: Daniel De Graaf
Cc: Wei Liu, Ian Campbell, Andrew Cooper, George Dunlap, "xen-devel@lists.xen.org", M A Young

On Tue, Nov 25, 2014 at 01:03:34PM -0500, Daniel De Graaf wrote:
> On 11/25/2014 05:07 AM, George Dunlap wrote:
> >On Mon, Nov 24, 2014 at 10:05 PM, Daniel De Graaf wrote:
> >>>I do. The error is
> >>>(XEN) flask_domctl: Unknown op 72
> >>>
> >>>Incidentally, Flask is running in permissive mode.
> >>>
> >>> Michael Young
> >>>
> >>
> >>This means that the new domctl needs to be added to the switch statement
> >>in flask/hooks.c. This error is triggered in permissive mode because it
> >>is a code error rather than a policy error (which is what permissive mode
> >>is intended to debug).
> >
> >If that's the case, should we make that a BUG_ON()? Or at least an
> >ASSERT() (which will only bug when compiled with debug=y), followed by
> >allow if in permissive mode, and deny if in enforcing mode?
> >
> >Having it default deny, even in permissive mode, breaks the "principle
> >of least surprise", I think. :-)
> >
> > -George
>
> Either one of these will allow a guest to crash the hypervisor by requesting
> an undefined domctl, which is not really a good idea. Linux uses a flag in
> the security policy which defines if unknown permissions are allowed or
> denied; I will send a patch adding this to Xen's security server and using
> it instead of -EPERM in the default case of the switch statements.

Though I think that for the DEBUG case we want to still be boldly told
about it so we can fix it.

>
> The patch adding this feature probably shouldn't be applied to 4.5, but I'll
> send it anyway. I will also send a separate patch adding the 2 domctls.
>
> --
> Daniel De Graaf
> National Security Agency
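
The default-case behaviour discussed in this message, modelled as an added example that is not part of the original e-mail and is not Xen's code. All names (`model_policy`, `allow_unknown`, `model_domctl_hook`, the `OP_*` values) are hypothetical; only op number 72 and the "Unknown op" wording come from the thread.

```c
#include <errno.h>
#include <stdio.h>

/* Model only: every name here is hypothetical, none of it is Xen's code. */
enum { OP_PAUSE = 3, OP_UNPAUSE = 4 };  /* constructed ops the hook knows */

struct model_policy {
    int enforcing;         /* 0 = permissive, 1 = enforcing */
    int allow_unknown;     /* policy flag for ops missing from the switch */
    unsigned permit_mask;  /* bit n set: policy permits known op n */
};

static unsigned unknown_seen;  /* unknown ops reported so far */

/* Policy denial of a known op: permissive mode logs it and lets it pass. */
static int check_known(const struct model_policy *p, int op)
{
    if (p->permit_mask & (1u << op))
        return 0;
    fprintf(stderr, "model: denied op %d\n", op);
    return p->enforcing ? -EPERM : 0;
}

/* An op missing from the switch is a code error, so permissive mode does
 * not decide it: the policy flag does. It is always reported, never fatal. */
static int model_domctl_hook(const struct model_policy *p, int op)
{
    switch (op) {
    case OP_PAUSE:
    case OP_UNPAUSE:
        return check_known(p, op);
    default:
        unknown_seen++;
        fprintf(stderr, "model: Unknown op %d (%s)\n", op,
                p->allow_unknown ? "allowed by policy" : "denied by policy");
        return p->allow_unknown ? 0 : -EPERM;
    }
}

int main(void)
{
    struct model_policy deny = { 0, 0, 1u << OP_PAUSE };   /* permissive */
    struct model_policy allow = { 0, 1, 1u << OP_PAUSE };  /* permissive */
    int a = model_domctl_hook(&deny, 72);
    int b = model_domctl_hook(&allow, 72);
    printf("flag=deny: %d, flag=allow: %d, reported: %u\n", a, b, unknown_seen);
    return 0;
}
```

With the flag set to deny, the model reproduces the reported symptom: op 72 fails with -EPERM even though the policy is permissive.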