On 11/25/2014 05:07 AM, George Dunlap wrote:
> On Mon, Nov 24, 2014 at 10:05 PM, Daniel De Graaf <dgde...@tycho.nsa.gov> wrote:
>>> I do. The error is
>>> (XEN) flask_domctl: Unknown op 72
>>> Incidentally, Flask is running in permissive mode.
>>>
>>> Michael Young
>>
>> This means that the new domctl needs to be added to the switch statement
>> in flask/hooks.c. This error is triggered in permissive mode because it
>> is a code error rather than a policy error (which is what permissive mode
>> is intended to debug).
>
> If that's the case, should we make that a BUG_ON()? Or at least an
> ASSERT() (which will only bug when compiled with debug=y), followed by
> allow if in permissive mode, and deny if in enforcing mode?
>
> Having it default deny, even in permissive mode, breaks the "principle
> of least surprise", I think. :-)
>
> -George

Either one of these will allow a guest to crash the hypervisor by requesting
an undefined domctl, which is not really a good idea. Linux uses a flag in
the security policy which defines if unknown permissions are allowed or
denied; I will send a patch adding this to Xen's security server and using
it instead of -EPERM in the default case of the switch statements.
The patch adding this feature probably shouldn't be applied to 4.5, but I'll
send it anyway. I will also send a separate patch adding the 2 domctls.
--
Daniel De Graaf
National Security Agency
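
Added example, not part of the original message and not Xen's code: a small C model of the hook's default case consulting a policy flag for unknown ops instead of always returning -EPERM or asserting. The names domctl_hook, avc_check, unknown_op, struct policy_state and the OP_* values are hypothetical; the access rule inside avc_check is constructed for the demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical op numbers for ops that do have a hook. */
enum { OP_CREATEDOMAIN = 1, OP_PAUSEDOMAIN = 3 };

struct policy_state {
    bool enforcing;      /* false = permissive mode */
    bool allow_unknown;  /* policy flag: allow or deny ops with no hook */
};

/* Stand-in for a policy lookup. Constructed rule: only createdomain is granted. */
static int avc_check(const struct policy_state *p, unsigned int op)
{
    if (op == OP_CREATEDOMAIN)
        return 0;
    printf("avc: denied op %u%s\n", op, p->enforcing ? "" : " (permissive)");
    return p->enforcing ? -EACCES : 0;   /* permissive logs the denial, then allows */
}

/* Default case: a missing hook is a code error, not a policy denial, so
 * permissive mode does not apply. The op number is caller-controlled, so
 * this path logs and returns rather than using BUG_ON()/ASSERT(). */
static int unknown_op(const struct policy_state *p, unsigned int op)
{
    printf("domctl_hook: Unknown op %u\n", op);
    return p->allow_unknown ? 0 : -EPERM;
}

int domctl_hook(const struct policy_state *p, unsigned int op)
{
    switch (op) {
    case OP_CREATEDOMAIN:
    case OP_PAUSEDOMAIN:
        return avc_check(p, op);
    default:
        return unknown_op(p, op);
    }
}

int main(void)
{
    struct policy_state deny  = { .enforcing = false, .allow_unknown = false };
    struct policy_state allow = { .enforcing = false, .allow_unknown = true };
    /* Op 72 (the number from the error above) has no case in the switch. */
    printf("deny-unknown: %d, allow-unknown: %d\n",
           domctl_hook(&deny, 72), domctl_hook(&allow, 72));
    return 0;
}
```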