From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Wei Liu <wei.liu2@citrix.com>, xen-devel@lists.xen.org
Cc: ian.jackson@eu.citrix.com, ian.campbell@citrix.com
Subject: Re: [OSSTEST PATCH RFC v1 00/12] XSM test cases for OSSTest
Date: Mon, 22 Sep 2014 16:23:03 -0400
Message-ID: <54208527.3050909@tycho.nsa.gov>
In-Reply-To: <1411395121-6528-1-git-send-email-wei.liu2@citrix.com>

On 09/22/2014 10:11 AM, Wei Liu wrote:
> Hi all
>
> This patch series attempts to duplicate some Debian smoke tests for XSM in Xen.

This looks good to me, and should help shake out policy errors better than
manual testing - which, as you found, has missed a few operations.

[...]

> 4. In-tree default policy is too strict
>
> For PV guest test case, it can successfully create a guest, but fails at
> saving. Xen log says "permission denied".
>
> For QEMU upstream HVM guest, QEMU segfaults with NULL pointer dereference.
>
> For QEMU traditional HVM guest, guest crashes with triple fault.
>
> I have not yet tried to debug HVM test cases. Presumably the failures are the combined
> effect of the enforced XSM policy and some QEMU bugs. It's likely to take some
> time to figure out what went wrong. The bug fix and policy tuning are orthogonal
> to the test case itself though.

Fixes to the XSM policy can either be made iteratively until the tests pass, or
all at once with the hypervisor in permissive mode. In permissive mode, the
hypervisor will remove duplicate AVCs and may also get further along successful
code paths that require more permissions. However, the tests are probably best
done in enforcing mode (as written), since I expect most failures will be due to
a single permission missing.

--
Daniel De Graaf
National Security Agency
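
To illustrate the policy-fixing workflow discussed in the reply above, here is an added example (not part of the original message and not OSSTest or Xen code) that collapses duplicate AVC denials from a saved hypervisor log into candidate Flask `allow` rules for review. The log lines are constructed, and the line format and the names `collect_denials` and `candidate_rules` are assumptions modelled on Xen's `avc: denied` messages.

```python
import re
from collections import defaultdict

# Constructed sample of hypervisor log output (e.g. saved from `xl dmesg`).
SAMPLE_LOG = """\
(XEN) avc:  denied  { getdomaininfo } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain
(XEN) avc:  denied  { getdomaininfo } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain
(XEN) avc:  denied  { setparam } for domid=0 target=2 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=hvm
(XEN) avc:  denied  { getparam setparam } for domid=0 target=2 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=hvm
(XEN) Flask: unrelated line that must be ignored
"""

# Assumed message layout: permissions in braces, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def collect_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        key = (type_of(m["s"]), type_of(m["t"]), m["cls"])
        denials[key].update(m["perms"].split())  # duplicates collapse here
    return dict(denials)

def candidate_rules(denials):
    """Render one allow rule per (source, target, class), sorted for stable diffs."""
    return [
        f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (s, t, cls), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    for rule in candidate_rules(collect_denials(SAMPLE_LOG)):
        print(rule)
```

Each generated rule is a candidate only: check that the denied access is one the test legitimately needs before adding it to the policy.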