From: David Vrabel
Subject: Re: [PATCH] xsm/flask: improve unknown permission handling
Date: Thu, 4 Dec 2014 11:24:15 +0000
Message-ID: <5480445F.10407@citrix.com>
References: <1416938704-17884-1-git-send-email-dgdegra@tycho.nsa.gov> <5477445E.4040803@citrix.com> <547F584E.2090003@tycho.nsa.gov> <547F5998.6060904@citrix.com> <54803986.4030208@citrix.com> <548041A6.2030004@eu.citrix.com>
In-Reply-To: <548041A6.2030004@eu.citrix.com>
To: George Dunlap, David Vrabel, Andrew Cooper, Daniel De Graaf
Cc: xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 04/12/14 11:12, George Dunlap wrote:
> On 12/04/2014 10:37 AM, David Vrabel wrote:
>> On 03/12/14 18:42, Andrew Cooper wrote:
>>>
>>> XSA-37 was only an XSA because the rules at the time were unclear as
>>> to whether it was an issue or not. At the same time, the rules were
>>> clarified to state that issues in a debug build only are not security
>>> issues.
>>
>> Given that we occasionally ask our customers to run debug versions of
>> Xen to diagnose particular problems I think this policy should change
>> (if not by the Xen project security team, then at least internally).
>
> Well given that debug builds *already*, by design, crash on a lot of
> things that don't crash in production, then you are already increasing
> their risk of a host crash just by giving them that build. If
> increasing the risk of a host crash isn't acceptable, then you should
> stop giving them debug builds.

I disagree. ASSERTs will cause Xen to fail more /predictably/. A bug
that would trigger an ASSERT will most likely cause a less predictable
failure later on in a non-debug Xen.

> Alternately, maybe we can add an option either at compile time or at
> boot time for ASSERTs not to crash for your situation.

Making ASSERT not crash doesn't help (see above).

> But the fact that we have ASSERTs at all means that we *expect* debug
> builds to crash. If that's not what we want we need to get rid of the
> ASSERTs entirely.

????

David