Re: [Xen-devel] Questions about the in-tree Flask policy
On Tue, 2014-09-23 at 10:49 +0100, Wei Liu wrote:
> On Mon, Sep 22, 2014 at 04:23:01PM -0400, Daniel De Graaf wrote:
> [...]
> > >I tried to look at the policy file(s), only to find out that there's a
> > >bunch of files that have excessive amount of information. I'm certainly
> > >not an XSM expert and have no intention to become one at the moment. :-)
> >
> > True, and you shouldn't have to be an expert to report errors (your current
> > report was exactly what was needed to fix the policy).
> >
> > In the future, any AVC denied messages in the output when under normal test
> > operation (i.e. not when a VM is misbehaving) should be treated as a bug in
> > the XSM policy even when it doesn't cause real failures. Usually, the answer
>
> Cool, this is exactly what I needed to know. :-)
>
> > is to add the permission to the proper part of the policy, and the denial
> > will cause operations to break (like the above errors). In some other cases,
> > such as cacheflush, the process continues but was not able to perform an
> > important operation. If this is something that can be easily added to the
> > test script as a failure condition, that would be helpful (but this is
> > certainly not a prerequisite for adding the tests in the first place).
> >
>
> Off the top of my head I couldn't figure out a quick way to add in this
> kind of failure condition.

Some sort of ts-logs-check which grepped logs/dmesg etc for red flags,
such as these AVC failures, "segfault at c0ffee ip 0000000000400623 sp
00007fff9548ac90 error 4 in conftest", kernel BUG/WARNING/oops etc might
be interesting

> Let's leave it for the moment.

Agreed.

>
> Wei.
>
> > --
> > Daniel De Graaf
> > National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
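
The kind of log check suggested in the reply above, sketched as an added example that is not part of the original thread or of the Xen project's test scripts. The regular expressions, the category names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Red-flag categories named in the thread; the regexes are this example's assumptions.
RED_FLAGS = [
    ("avc-denied", re.compile(r"\bavc:\s+denied\s+\{\s*(?P<detail>[^}]*?)\s*\}")),
    ("segfault", re.compile(r"\bsegfault at [0-9a-f]+ ip [0-9a-f]+.* in (?P<detail>\S+)")),
    ("kernel-bug", re.compile(r"\b(?:kernel BUG at|BUG:)\s*(?P<detail>.*)")),
    ("kernel-warning", re.compile(r"\bWARNING: (?P<detail>(?:CPU|at)\b.*)")),
    ("kernel-oops", re.compile(r"\bOops\b:?\s*(?P<detail>.*)")),
]

# Constructed sample log (not captured from a real test run).
SAMPLE_LOG = """\
(XEN) Flask: Starting in enforcing mode.
(XEN) avc:  denied  { cacheflush } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain2
[  101.000000] conftest[2211]: segfault at c0ffee ip 0000000000400623 sp 00007fff9548ac90 error 4 in conftest[400000+1000]
[  102.000000] xenbus: probe completed without warning
[  103.000000] WARNING: CPU: 0 PID: 1 at kernel/example.c:42 example_fn+0x10/0x20
[  104.000000] kernel BUG at mm/example.c:7!
"""


def scan_log(text):
    """Return (line_number, category, detail) for every red-flag line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in RED_FLAGS:
            match = pattern.search(line)
            if match:
                hits.append((lineno, category, match.group("detail").strip()))
                break  # one finding per line is enough to fail the step
    return hits


def check(text):
    """Exit status for a test step: 0 when clean, 1 when any red flag is present."""
    return 1 if scan_log(text) else 0


if __name__ == "__main__":
    for lineno, category, detail in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {category}: {detail}")
    raise SystemExit(check(SAMPLE_LOG))
```

Treating a non-zero status as a step failure makes a denial such as cacheflush visible even when the guest operation itself carried on.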