Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting
>>> "DeGraaf, Daniel G" <dgdegra@xxxxxxx> 10/02/18 7:39 PM >>>
>> From: Jan Beulich <JBeulich@xxxxxxxx>
>> >>> On 28.09.18 at 21:13, <dgdegra@xxxxxxxxxxxxx> wrote:
>> > These entries are not always sorted by checkpolicy. Enforce the sorting
>> > (which can be done manually if using an unpatched checkpolicy) when
>> > loading the policy so that later uses by the security server do not
>> > incorrectly use the initial sid.
>>
>> "Enforce the sorting" could mean two things - sorting what's unsorted,
>> or (as you do) raising an error. Isn't raising an error here possibly
>> going to impact systems which currently work?
>
> A system whose iomemcon entries are unsorted is currently not enforcing the
> intended security policy. It normally ends up enforcing a more restrictive
> policy, but not always (it depends on what you allow access to the default
> label). My guess is that anyone impacted by this problem would have noticed
> when they added the rule and it had no effect. However, I do agree this
> could cause an error on currently-working systems that do things like add
> iomemcon entries that they don't use.
>
> Are you suggesting an update to the commit message to make this breakage
> clear, or does the problem need to be fixed in the hypervisor? It would be
> possible to sort the entries as they're added, but that's not as easy as
> just detecting the mis-sort (since they're a linked list), and the policy
> creation process should have already sorted them (except that that part
> was missing).

I think resolving the ambiguity in the description is the minimal adjustment.
If that's what you want to go with (you're the maintainer after all), I think
it would suffice to suggest revised wording (or even merely your agreement for
the committer to make a respective adjustment), without necessarily
re-submitting the patch. Personally (but again, I'm not the maintainer of this
code) I think it would be better if the actual issue was addressed by doing
the sorting. It could be done with a warning logged, and perhaps with the
warning suggesting that the built-in sorting will/might go away again in a
later release.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
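The two options discussed in the thread (reject a mis-sorted list at load time, or sort entries as they are added and log a warning) and the symptom the commit message describes can be seen side by side in a small model. The following is an added example and not Xen's FLASK code: the `struct range_ctx` list, the `INITIAL_SID` and `ERR_UNSORTED` values, the sample ranges and every function name are assumptions made for this illustration. `lookup_sid()` stands in for a range walk that stops once it passes the address it is looking for, which is what makes the list order security-relevant: on the mis-sorted sample it never reaches the entry that actually covers the address and falls back to the default label.

```c
/*
 * Added example, not Xen's FLASK code: a simplified model of a singly
 * linked list of labelled address ranges (the shape of the iomemcon
 * entries discussed above). check_sorted() is the patch's "reject if
 * mis-sorted" approach, insert_sorted() the "sort while adding, warn"
 * alternative, lookup_sid() a walk that relies on sorting.
 * All names, INITIAL_SID and ERR_UNSORTED are assumptions for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define INITIAL_SID  1u     /* stand-in for the policy's default label */
#define ERR_UNSORTED (-22)  /* stand-in for an -EINVAL style failure */

struct range_ctx {
    uint64_t low, high;     /* inclusive address range */
    uint32_t sid;           /* label applied to that range */
    struct range_ctx *next;
};

static struct range_ctx *new_ctx(uint64_t lo, uint64_t hi, uint32_t sid)
{
    struct range_ctx *n = calloc(1, sizeof(*n));
    if (!n) abort();
    n->low = lo; n->high = hi; n->sid = sid;
    return n;
}

/* Append in policy-file order, as an unpatched checkpolicy can leave it. */
static struct range_ctx *append(struct range_ctx *head, uint64_t lo,
                                uint64_t hi, uint32_t sid)
{
    struct range_ctx **pp = &head;
    while (*pp)
        pp = &(*pp)->next;
    *pp = new_ctx(lo, hi, sid);
    return head;
}

/* Approach 1 (the patch): one pass that rejects the policy if an entry
 * does not start strictly after the previous one ends. */
static int check_sorted(const struct range_ctx *head)
{
    const struct range_ctx *prev = NULL, *c;
    for (c = head; c; prev = c, c = c->next)
        if (prev && prev->high >= c->low)
            return ERR_UNSORTED;
    return 0;
}

/* Approach 2 (Jan's suggestion): keep the list ordered while loading.
 * *reordered is set when an entry lands before an existing one, so the
 * caller can log a warning that the policy was not pre-sorted. */
static struct range_ctx *insert_sorted(struct range_ctx *head, uint64_t lo,
                                       uint64_t hi, uint32_t sid,
                                       int *reordered)
{
    struct range_ctx **pp = &head;
    struct range_ctx *n = new_ctx(lo, hi, sid);
    while (*pp && (*pp)->low < lo)
        pp = &(*pp)->next;
    if (*pp && reordered)
        *reordered = 1;     /* not at the tail: list was out of order */
    n->next = *pp;
    *pp = n;
    return head;
}

/* A lookup that depends on sorting: it stops at the first entry starting
 * beyond addr and falls back to the default label, so on an unsorted list
 * a later matching entry is never reached (the "initial sid" symptom). */
static uint32_t lookup_sid(const struct range_ctx *head, uint64_t addr)
{
    const struct range_ctx *c;
    for (c = head; c && c->low <= addr; c = c->next)
        if (addr <= c->high)
            return c->sid;
    return INITIAL_SID;
}

/* Constructed sample: 0x3000.. listed before 0x2000.., i.e. mis-sorted. */
static struct range_ctx *build_unsorted(void)
{
    struct range_ctx *h = append(NULL, 0x1000, 0x1fff, 10);
    h = append(h, 0x3000, 0x3fff, 30);
    return append(h, 0x2000, 0x2fff, 20);
}

/* Same sample loaded through insert_sorted(); reordered may be NULL. */
static struct range_ctx *build_sorted(int *reordered)
{
    struct range_ctx *h = insert_sorted(NULL, 0x1000, 0x1fff, 10, reordered);
    h = insert_sorted(h, 0x3000, 0x3fff, 30, reordered);
    return insert_sorted(h, 0x2000, 0x2fff, 20, reordered);
}

static int build_sorted_reordered(void)
{
    int reordered = 0;
    build_sorted(&reordered);
    return reordered;
}

int main(void)
{
    struct range_ctx *u = build_unsorted(), *s = build_sorted(NULL);
    printf("unsorted: check=%d sid(0x2500)=%u\n",
           check_sorted(u), lookup_sid(u, 0x2500));
    printf("sorted:   check=%d sid(0x2500)=%u reordered=%d\n",
           check_sorted(s), lookup_sid(s, 0x2500), build_sorted_reordered());
    return 0;
}
```

On the mis-sorted sample `check_sorted()` returns `ERR_UNSORTED` and `lookup_sid(u, 0x2500)` returns `INITIAL_SID` even though an entry for 0x2000-0x2fff exists, which is the "more restrictive policy, but not always" behaviour Daniel describes. Loading the same entries through `insert_sorted()` produces an ordered list, the lookup returns 20, and the `reordered` flag tells the loader to emit the warning Jan proposes. One caveat worth keeping in mind if the sorting route is taken: `insert_sorted()` as written only orders by start address and does not reject overlapping ranges, so a loader would still want a `check_sorted()`-style pass afterwards rather than trusting the insert alone.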