From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: George Dunlap <dunlapg@umich.edu>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Wei Liu <wei.liu2@citrix.com>,
Ian Campbell <Ian.Campbell@citrix.com>,
M A Young <m.a.young@durham.ac.uk>
Subject: Re: (4.5-rc1) Problems using xl migrate
Date: Tue, 25 Nov 2014 13:03:34 -0500 [thread overview]
Message-ID: <5474C476.3080203@tycho.nsa.gov> (raw)
In-Reply-To: <CAFLBxZZFO+ms+TX4Gmchkb53CWL6EHeoGEcBKEgvMgx3AQaqvg@mail.gmail.com>
On 11/25/2014 05:07 AM, George Dunlap wrote:
> On Mon, Nov 24, 2014 at 10:05 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
>>> I do. The error is
>>> (XEN) flask_domctl: Unknown op 72
>>>
>>> Incidentally, Flask is running in permissive mode.
>>>
>>> Michael Young
>>>
>>
>> This means that the new domctl needs to be added to the switch statement
>> in flask/hooks.c. This error is triggered in permissive mode because it
>> is a code error rather than a policy error (which is what permissive mode
>> is intended to debug).
>
> If that's the case, should we make that a BUG_ON()? Or at least an
> ASSERT() (which will only bug when compiled with debug=y), followed by
> allow if in permissive mode, and deny if in enforcing mode?
>
> Having it default deny, even in permissive mode, breaks the "principle
> of least surprise", I think. :-)
>
> -George
Either one of these will allow a guest to crash the hypervisor by requesting
an undefined domctl, which is not really a good idea. Linux uses a flag in
the security policy which defines if unknown permissions are allowed or
denied; I will send a patch adding this to Xen's security server and using
it instead of -EPERM in the default case of the switch statements.
The patch adding this feature probably shouldn't be applied to 4.5, but I'll
send it anyway. I will also send a separate patch adding the 2 domctls.
--
Daniel De Graaf
National Security Agency
next prev parent reply other threads:[~2014-11-25 18:03 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-22 19:24 Problems using xl migrate M A Young
2014-11-24 0:07 ` M A Young
2014-11-24 11:50 ` George Dunlap
2014-11-24 12:06 ` M A Young
2014-11-24 12:21 ` Ian Campbell
2014-11-24 12:29 ` M A Young
2014-11-24 13:13 ` Andrew Cooper
2014-11-24 14:09 ` Wei Liu
2014-11-24 14:13 ` Andrew Cooper
2014-11-25 8:52 ` M A Young
2014-11-25 9:15 ` Wei Liu
2014-11-25 22:16 ` M A Young
2014-11-25 22:32 ` Andrew Cooper
2014-11-24 12:25 ` George Dunlap
2014-11-24 12:41 ` Wei Liu
2014-11-24 13:15 ` Andrew Cooper
2014-11-24 14:32 ` (4.5-rc1) " M A Young
2014-11-24 14:43 ` Andrew Cooper
2014-11-24 14:55 ` Ian Campbell
2014-11-24 19:28 ` Daniel De Graaf
2014-11-24 20:12 ` M A Young
2014-11-24 22:05 ` Daniel De Graaf
2014-11-25 10:07 ` George Dunlap
2014-11-25 18:03 ` Daniel De Graaf [this message]
2014-11-25 18:17 ` Konrad Rzeszutek Wilk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5474C476.3080203@tycho.nsa.gov \
--to=dgdegra@tycho.nsa.gov \
--cc=Ian.Campbell@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=dunlapg@umich.edu \
--cc=m.a.young@durham.ac.uk \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.