On 6/20/16 9:04 AM, Daniel De Graaf wrote: > When an unknown domctl, sysctl, or other operation is encountered in the > FLASK security server, use the allow_unknown bit in the security policy > to decide if the permission should be allowed or denied. This allows > new operations to be tested without needing to immediately add security > checks; however, it is not flexible enough to avoid adding the actual > permission checks. An error message is printed to the hypervisor > console when this fallback is encountered. > > This patch will allow operations that are not handled by the existing > hooks only if the policy was compiled with "checkpolicy -U allow". In > previous releases, this bit did nothing, and the default remains to deny > the unknown operations. > > Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov>
Reviewed-by: Doug Goldstein <car...@cardoe.com> -- Doug Goldstein
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
