|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] flask: change default state to enforcing
On 03/10/2016 02:12 PM, Konrad Rzeszutek Wilk wrote: On Thu, Mar 10, 2016 at 01:30:29PM -0500, Daniel De Graaf wrote: I've added Ian and Jan on the email as scripts/get_maintainer.pl spits out their names (Oddly not yours?)The previous default of "permissive" is meant for developing or debugging a disaggregated system. However, this default makes it too easy to accidentally boot a machine in this state, which does not place any restrictions on guests. This is not suitable for normal systems because any guest can perform any operation (including operations like rebooting the machine, kexec, and reading or writing another domain's memory). This change will cause the boot to fail if you do not specify an XSM policy during boot; if you need to load a policy from dom0, use the "flask=late" boot parameter. Originally by Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>; modified to also change the default value of flask_enforcing so that the policy is not still in permissive mode. This also removes the (no longer documented) command line argument directly changing that variable since it has been superseded by the flask= parameter.Reviwed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> .. however: [...] Since you set that to the default value should the parse_flask_param 'flask_enforcing = 1' for the 'enforcing' and 'late' be removed? (If you agree, the committer could do it). Sure. I left them in so that a command line such as "flask=permissive flask=enforcing" would do the right thing, but I haven't checked that that is even possible. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |