From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Ian Campbell <Ian.Campbell@citrix.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>
Cc: xen-devel@lists.xen.org, Wei Liu <wei.liu2@citrix.com>,
	M A Young <m.a.young@durham.ac.uk>
Subject: Re: (4.5-rc1) Problems using xl migrate
Date: Mon, 24 Nov 2014 14:28:08 -0500
Message-ID: <547386C8.7060405@tycho.nsa.gov>
In-Reply-To: <1416840918.8878.4.camel@citrix.com>

On 11/24/2014 09:55 AM, Ian Campbell wrote:
> On Mon, 2014-11-24 at 14:43 +0000, Andrew Cooper wrote:
>> On 24/11/14 14:32, M A Young wrote:
>>> On Mon, 24 Nov 2014, Andrew Cooper wrote:
>>>> Is XSM in use?  I can't think of any other reason why that hypercall
>>>> would fail with EPERM.
>>>
>>> XSM is built in (I wanted to allow the option of people using it) but
>>> I didn't think it was active.
>>
>> I don't believe there is any concept of "available but not active",
>
> I think there is, the "dummy" policy which is loaded when there is no
> explicit policy given should behave as if xsm were disabled. AIUI all
> the XSM_* and xsm_default_action stuff is supposed to semi automatically
> ensure this is the case at compile time. CC-ing Daniel to confirm/deny.

Yes.  The case where XSM is enabled at compile time but using the dummy
module is supposed to produce identical behavior to disabling XSM at
compile time.

The hypervisor parameter flask_enabled controls this run-time switching.

>> which probably means that the default policy is missing an entry for
>> this hypercall.
>
> That said domctl is XSM_OTHER, which basically means "special one off
> handling" I think. But it basically turns into XSM_DM_PRIV for a small
> handful of subops and XSM_PRIV for the rest. Since this is a migration
> the relevant domain is certainly PRIV I think.
>
> Ian.
>
>> Can you check the hypervisor console around this failure and see whether
>> a flask error concerning domctl 72 is reported?
>>
>> ~Andrew

If you get any mention of AVC messages, then FLASK is active and the dummy
policy is not being used.  The FLASK security server can be active without
loading a policy: this is intended to allow dom0 to load the XSM policy in
cases where it is not possible to have the bootloader do it (which is the
preferred method).

If FLASK is active, then any domctl not in the list of handled domctls (see
the large switch statement in xsm/flask/hooks.c) will return -EPERM and
will print an error to the hypervisor console, as Andrew pointed out.

-- 
Daniel De Graaf
National Security Agency
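
Added illustration, not code from Xen or from anyone in this thread: a stand-alone C model of the two paths Daniel and Ian describe, the dummy module resolving a domctl through the XSM_DM_PRIV / XSM_PRIV ladder, and a FLASK-style hook that denies any domctl sub-op missing from its switch with -EPERM before any policy lookup. Everything here is a simplification chosen for the example: the struct domain fields, the sub-op numbers (72 is taken from the thread only as "a sub-op the toy FLASK hook does not list"), the allow_all policy stand-in and the domctl_verdict() helper are assumptions, and only the overall shape mirrors Xen's xsm/dummy.h and xsm/flask/hooks.c.

```c
/* Added example: a model of XSM dummy vs FLASK domctl dispatch.
 * Not Xen's code; names and sub-op numbers are stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    XSM_HOOK,     /* no privilege required */
    XSM_DM_PRIV,  /* caller is the target's device model, or the control domain */
    XSM_TARGET,   /* caller is the target itself, or satisfies XSM_DM_PRIV */
    XSM_PRIV,     /* caller must be the control domain (dom0) */
    XSM_OTHER,    /* the hook decides per sub-operation */
} xsm_default_t;

struct domain {
    unsigned int domain_id;
    bool is_privileged;     /* control domain */
    struct domain *target;  /* domain this one serves as device model for, or NULL */
};

static bool is_control_domain(const struct domain *d) { return d->is_privileged; }

/* Dummy module: each case falls into the weaker requirement below it,
 * so XSM_PRIV (control domain) is the final gate for everything. */
int dummy_default_action(xsm_default_t action, struct domain *src,
                         struct domain *target)
{
    switch (action) {
    case XSM_HOOK:
        return 0;
    case XSM_TARGET:
        if (src == target)
            return 0;
        /* fall through */
    case XSM_DM_PRIV:
        if (target != NULL && src->target == target)
            return 0;
        /* fall through */
    case XSM_PRIV:
        if (is_control_domain(src))
            return 0;
        return -EPERM;
    default:
        return -EPERM;  /* XSM_OTHER must be resolved by the hook itself */
    }
}

/* Dummy-module domctl hook (XSM_OTHER): a handful of sub-ops are
 * XSM_DM_PRIV, the rest XSM_PRIV. Sub-op numbers below are stand-ins. */
#define DM_SUBOP_A 1
#define DM_SUBOP_B 2

int dummy_domctl(struct domain *src, struct domain *target, unsigned int cmd)
{
    switch (cmd) {
    case DM_SUBOP_A:
    case DM_SUBOP_B:
        return dummy_default_action(XSM_DM_PRIV, src, target);
    default:
        return dummy_default_action(XSM_PRIV, src, target);
    }
}

/* FLASK-style hook: the policy is consulted only for sub-ops the hook
 * knows; an unlisted sub-op is denied regardless of policy. */
typedef bool (*avc_fn)(const struct domain *, const struct domain *, unsigned int);

static bool allow_all(const struct domain *s, const struct domain *t, unsigned int c)
{
    (void)s; (void)t; (void)c;
    return true;  /* stand-in for a loaded, fully permissive policy */
}

int flask_domctl(struct domain *src, struct domain *target, unsigned int cmd,
                 avc_fn has_perm)
{
    switch (cmd) {
    case DM_SUBOP_A:
    case DM_SUBOP_B:
    case 3:  /* the only sub-ops this toy hook handles */
        return has_perm(src, target, cmd) ? 0 : -EPERM;
    default:
        fprintf(stderr, "flask_domctl: unhandled domctl %u\n", cmd);
        return -EPERM;
    }
}

/* Run-time module switch, in the spirit of flask_enabled: same build,
 * different module. The caller is either dom0 or a device-model domain
 * for the unprivileged target. */
int domctl_verdict(bool flask_enabled, bool caller_is_control, unsigned int cmd)
{
    struct domain domu = { .domain_id = 5, .is_privileged = false, .target = NULL };
    struct domain dom0 = { .domain_id = 0, .is_privileged = true, .target = NULL };
    struct domain stub = { .domain_id = 7, .is_privileged = false, .target = &domu };
    struct domain *caller = caller_is_control ? &dom0 : &stub;

    return flask_enabled ? flask_domctl(caller, &domu, cmd, allow_all)
                         : dummy_domctl(caller, &domu, cmd);
}

int main(void)
{
    printf("dummy, dom0, domctl 72: %d\n", domctl_verdict(false, true, 72));
    printf("flask, dom0, domctl 72: %d\n", domctl_verdict(true, true, 72));
    printf("dummy, stub, domctl 72: %d\n", domctl_verdict(false, false, 72));
    printf("dummy, stub, domctl %d: %d\n", DM_SUBOP_A, domctl_verdict(false, false, DM_SUBOP_A));
    return 0;
}
```

The contrast the model makes visible: with the dummy module, dom0 passes every domctl because XSM_PRIV only asks whether the caller is the control domain, so a missing hook cannot surface as EPERM; with FLASK active, a sub-op absent from the hook's switch is denied even for dom0 and even under an allow-everything policy, which is exactly the symptom worth checking for on the hypervisor console.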
