From: Andrew Cooper
Subject: Re: [PATCH] xsm/flask: improve unknown permission handling
Date: Thu, 27 Nov 2014 15:33:50 +0000
Message-ID: <5477445E.4040803@citrix.com>
References: <1416938704-17884-1-git-send-email-dgdegra@tycho.nsa.gov>
To: George Dunlap, Daniel De Graaf
Cc: xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 27/11/14 15:23, George Dunlap wrote:
> On Tue, Nov 25, 2014 at 6:05 PM, Daniel De Graaf wrote:
>> When an unknown domctl, sysctl, or other operation is encountered in the
>> FLASK security server, use the allow_unknown bit in the security policy
>> (set by running checkpolicy -U allow) to decide if the permission should
>> be allowed or denied. This allows new operations to be tested without
>> needing to immediately add security checks; however, it is not flexible
>> enough to avoid adding the actual permission checks. An error message
>> is printed to the hypervisor console when this fallback is encountered.
>
> Thanks -- I do think as Konrad said however, that when building with
> debug=y, we want the failure to be more obvious. A crash is probably
> the best thing.
>
> I guess we want something like the following after the printk in
> avc_unknown_permission()?
>
> #ifndef NDEBUG
> BUG();
> #endif

ASSERT(!"Flask default policy error"); provides rather more information
in the panic message, and avoids the #ifdefs.

~Andrew