
Re: [Xen-devel] [PATCH v5] Merge IS_PRIV checks into XSM hooks



At 09:45 +0000 on 19 Nov (1353318334), Jan Beulich wrote:
> As to getting the series applied, I suppose that'll be a little difficult,
> as it mixes changes to various parts of the tree, and hence no
> single maintainer would generally be able to apply the whole series
> without respective other parts fully acked by the corresponding
> maintainers. Is there a way to either indicate eventual fully
> standalone patches, or order/split it so that at least tools side and
> hypervisor side changes are separated from one another, or mixed
> patches all go at the beginning or end of the series?

This whole series makes me very uncomfortable.  I can see its usefulness,
and as a supporter of disaggregation I like the idea of fine-grained
control, but it really does obscure the security checks, and makes it
less likely that people implementing new operations will get their
security checks right.

Since there are only a small number of default checks (IS_PRIV,
IS_PRIV_FOR, self-only, ???), I wonder whether they could be explicitly
included in the xsm invocation (as some sort of 'enum
xsm-default-policy' argument), to make it clear what's going on without
the reader having to grobble around in xsm files?

Cheers,

Tim.
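
A sketch of the suggestion in the message above, added here as an illustration; it is not code from the post, the patch series, or Xen. All type, field and function names are hypothetical, the checks are simplified models of IS_PRIV, IS_PRIV_FOR and self-only, and the sample domains are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the suggestion; none of these names are Xen's. */
enum xsm_default_policy {
    XSM_DEFAULT_PRIV,      /* caller must pass IS_PRIV */
    XSM_DEFAULT_PRIV_FOR,  /* caller must pass IS_PRIV_FOR the target */
    XSM_DEFAULT_SELF_ONLY, /* caller may act only on itself */
};

struct domain {
    bool is_privileged;
    const struct domain *target; /* domain this one has privilege over */
};

/* Default (no policy module loaded) decision, selected by the call site. */
int xsm_default_check(enum xsm_default_policy def,
                      const struct domain *src, const struct domain *tgt)
{
    switch (def) {
    case XSM_DEFAULT_PRIV:
        return src->is_privileged ? 0 : -EPERM;
    case XSM_DEFAULT_PRIV_FOR:
        return (src->is_privileged || (src->target && src->target == tgt))
               ? 0 : -EPERM;
    case XSM_DEFAULT_SELF_ONLY:
        return src == tgt ? 0 : -EPERM;
    }
    return -EPERM; /* unknown default: fail closed */
}

/* Call sites: the default check is visible where the operation is written. */
int op_host_control(const struct domain *cur)
{ return xsm_default_check(XSM_DEFAULT_PRIV, cur, NULL); }
int op_guest_control(const struct domain *cur, const struct domain *d)
{ return xsm_default_check(XSM_DEFAULT_PRIV_FOR, cur, d); }
int op_self_query(const struct domain *cur, const struct domain *d)
{ return xsm_default_check(XSM_DEFAULT_SELF_ONLY, cur, d); }

/* Constructed sample domains: control domain, guest, and a helper for guest. */
struct domain dom0 = { true, NULL };
struct domain guest = { false, NULL };
struct domain helper = { false, &guest };

int main(void)
{
    printf("helper->guest: %d\n", op_guest_control(&helper, &guest));
    printf("guest->dom0:   %d\n", op_guest_control(&guest, &dom0));
    printf("helper host:   %d\n", op_host_control(&helper));
    return 0;
}
```

A reviewer of a new operation can see which default applies from the call site alone, and an unrecognised value is denied.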
