
Re: [Xen-devel] [PATCH 11/17] flask: improve unknown permission handling



On 6/20/16 9:04 AM, Daniel De Graaf wrote:
> When an unknown domctl, sysctl, or other operation is encountered in the
> FLASK security server, use the allow_unknown bit in the security policy
> to decide if the permission should be allowed or denied.  This allows
> new operations to be tested without needing to immediately add security
> checks; however, it is not flexible enough to avoid adding the actual
> permission checks.  An error message is printed to the hypervisor
> console when this fallback is encountered.
> 
> This patch will allow operations that are not handled by the existing
> hooks only if the policy was compiled with "checkpolicy -U allow".  In
> previous releases, this bit did nothing, and the default remains to deny
> the unknown operations.
> 
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Reviewed-by: Doug Goldstein <cardoe@xxxxxxxxxx>

-- 
Doug Goldstein
