From: David Vrabel <david.vrabel@citrix.com>
To: George Dunlap <george.dunlap@eu.citrix.com>,
David Vrabel <david.vrabel@citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: "xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [PATCH] xsm/flask: improve unknown permission handling
Date: Thu, 4 Dec 2014 11:24:15 +0000 [thread overview]
Message-ID: <5480445F.10407@citrix.com> (raw)
In-Reply-To: <548041A6.2030004@eu.citrix.com>
On 04/12/14 11:12, George Dunlap wrote:
> On 12/04/2014 10:37 AM, David Vrabel wrote:
>> On 03/12/14 18:42, Andrew Cooper wrote:
>>>
>>> XSA-37 was only an XSA because the rules at the time were unclear as
>>> whether it was an issue or not. At the same time, the rules were
>>> clarified to state that issues in a debug build only are not security
>>> issues.
>>
>> Given that we occasionally ask our customers to run debug versions of
>> Xen to diagnose particular problems I think this policy should change
>> (if not by the Xen project security team, then at least internally).
>
> Well given that debug builds *already*, by design, crash on a lot of
> things that don't crash in production, then you are already increasing
> their risk of a host crash just by giving them that build. If
> increasing the risk of a host crash isn't acceptable, then you should
> stop giving them debug builds.
I disagree. ASSERTs will cause Xen to fail more /predictably/. A bug
that would trigger an ASSERT will most likely cause a less predictable
failure later on in a non-debug Xen.
> Alternately, maybe we can add an option either at compile time or at
> boot time for ASSERTs not to crash for your situation.
Making ASSERT not crash doesn't help (see above).
> But the fact that we have ASSERTs at all mean that we *expect* debug
> builds to crash. If that's not what we want we need to get rid of the
> ASSERTs entirely.
????
David
prev parent reply other threads:[~2014-12-04 11:24 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-25 18:05 [PATCH] xsm/flask: improve unknown permission handling Daniel De Graaf
2014-11-27 10:42 ` Jan Beulich
2014-11-27 15:23 ` George Dunlap
2014-11-27 15:33 ` Andrew Cooper
2014-12-03 18:37 ` Daniel De Graaf
2014-12-03 18:42 ` Andrew Cooper
2014-12-04 10:37 ` David Vrabel
2014-12-04 11:12 ` George Dunlap
2014-12-04 11:24 ` David Vrabel [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5480445F.10407@citrix.com \
--to=david.vrabel@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=george.dunlap@eu.citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.