
Re: [Xen-devel] [PATCH] xsm/flask: improve unknown permission handling

On 04/12/14 11:12, George Dunlap wrote:
> On 12/04/2014 10:37 AM, David Vrabel wrote:
>> On 03/12/14 18:42, Andrew Cooper wrote:
>>> XSA-37 was only an XSA because the rules at the time were unclear as
>>> whether it was an issue or not.  At the same time, the rules were
>>> clarified to state that issues in a debug build only are not security
>>> issues.
>> Given that we occasionally ask our customers to run debug versions of
>> Xen to diagnose particular problems I think this policy should change
>> (if not by the Xen project security team, then at least internally).
> Well given that debug builds *already*, by design, crash on a lot of
> things that don't crash in production, then you are already increasing
> their risk of a host crash just by giving them that build.  If
> increasing the risk of a host crash isn't acceptable, then you should
> stop giving them debug builds.

I disagree.  ASSERTs will cause Xen to fail more /predictably/.  A bug
that would trigger an ASSERT will most likely cause a less predictable
failure later on in a non-debug Xen.

> Alternately, maybe we can add an option either at compile time or at
> boot time for ASSERTs not to crash for your situation.

Making ASSERT not crash doesn't help (see above).

> But the fact that we have ASSERTs at all mean that we *expect* debug
> builds to crash.  If that's not what we want we need to get rid of the
> ASSERTs entirely.
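The point in dispute above (an ASSERT stops a debug build at the invariant violation, while a non-debug build carries on and fails somewhere else later) is easy to see in code. The following is an added example, not code from the thread or from the Xen tree: a Xen-style ASSERT() next to a small reference-counted object. Two assumptions keep it runnable in one process: the debug/non-debug choice that Xen makes at compile time (NDEBUG) is modelled by a run-time flag, and assert_failed() records the first failed expression instead of panicking as Xen's does.

```c
/* Added example (not from the xen-devel thread or the Xen source): a
 * Xen-style ASSERT() guarding a refcount invariant.  Assumptions:
 *  - "debug build" vs "non-debug build" is a run-time flag here, so one
 *    binary shows both behaviours; Xen decides this at compile time.
 *  - assert_failed() records the first failure instead of crashing, so
 *    the outcome can be inspected; Xen's real one panics on the spot. */
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

struct assert_report {
    bool fired;
    char expr[64];
    int line;
};

static struct assert_report last_assert;
static bool debug_build = true;   /* models a debug (non-NDEBUG) build */

static void assert_failed(const char *expr, int line)
{
    if (last_assert.fired)        /* keep the first violation only */
        return;
    last_assert.fired = true;
    snprintf(last_assert.expr, sizeof last_assert.expr, "%s", expr);
    last_assert.line = line;
    /* A debug Xen stops here, at the first broken invariant. */
}

/* Compiled out entirely when debug_build is false, as Xen's is for
 * non-debug builds. */
#define ASSERT(p) \
    do { if (debug_build && !(p)) assert_failed(#p, __LINE__); } while (0)

struct obj {
    unsigned int refcnt;
    bool freed;
};

static void obj_init(struct obj *o) { o->refcnt = 1; o->freed = false; }

static void get_ref(struct obj *o)
{
    ASSERT(!o->freed);
    ASSERT(o->refcnt > 0);
    o->refcnt++;
}

static void put_ref(struct obj *o)
{
    ASSERT(!o->freed);
    ASSERT(o->refcnt > 0);
    if (--o->refcnt == 0)
        o->freed = true;          /* object is now gone */
}

/* Runs the buggy sequence init; put; put (one put too many); get.
 * Returns where the bug became visible:
 *   1 = caught by ASSERT at the extra put (debug build),
 *   2 = not caught there; the later get_ref ran on a freed object whose
 *       refcnt had wrapped (non-debug build),
 *   0 = nothing observed. */
static int run_double_put(bool debug)
{
    struct obj o;
    debug_build = debug;
    memset(&last_assert, 0, sizeof last_assert);

    obj_init(&o);
    put_ref(&o);          /* refcnt 1 -> 0, freed: correct */
    put_ref(&o);          /* the bug: put on an already freed object */
    if (last_assert.fired)
        return 1;         /* debug build: failure at the actual bug */

    /* Non-debug build: the put went through, refcnt wrapped to UINT_MAX,
     * freed stays set, and the damage only shows up on the next user. */
    get_ref(&o);          /* use-after-free, far from the faulty put */
    if (o.freed && o.refcnt != 1)
        return 2;
    return 0;
}

int main(void)
{
    int stage = run_double_put(true);
    printf("debug build: bug visible at stage %d (%s)\n", stage,
           last_assert.expr);
    stage = run_double_put(false);
    printf("non-debug build: bug visible at stage %d\n", stage);
    return 0;
}
```

The debug run reports the failure at the second put_ref with the expression that broke (!o->freed); the non-debug run reports nothing there and instead lets a later get_ref succeed on a freed object with a wrapped refcnt, which in a real hypervisor would surface as memory corruption or a crash somewhere unrelated to the faulty put.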



Xen-devel mailing list