From mboxrd@z Thu Jan  1 00:00:00 1970
From: Stefano Stabellini <sstabellini@kernel.org>
Subject: Re: RFC: Adding a section to the Xen security policy
 about what constitutes a vulnerability
Date: Thu, 5 Jan 2017 13:57:48 -0800 (PST)
Message-ID: <alpine.DEB.2.10.1701051353060.2866@sstabellini-ThinkPad-X260>
References: <CAFLBxZauObmgdhWJxBvUicbXgOURsHYdt+5BqdURrveUObRLjw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <CAFLBxZauObmgdhWJxBvUicbXgOURsHYdt+5BqdURrveUObRLjw@mail.gmail.com>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
To: George Dunlap <george.dunlap@citrix.com>
Cc: "xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
List-Id: xen-devel@lists.xenproject.org

T24gV2VkLCA0IEphbiAyMDE3LCBHZW9yZ2UgRHVubGFwIHdyb3RlOgo+IFRoZSBYZW4gU2VjdXJp
dHkgVGVhbSBoYXMgZGVhbHQgd2l0aCBhIG51bWJlciBvZiBpc3N1ZXMgcmVjZW50bHkgd2hlcmUK
PiBpdCB3YXNuJ3QgZXhhY3RseSBjbGVhciB3aGV0aGVyIHdlIHNob3VsZCBpc3N1ZSBhbiBhZHZp
c29yeSBvciBub3Q6Cj4gdGhlIFhlbiBTZWN1cml0eSBSZXNwb25zZSBQcm9jZXNzIG9ubHkgbWVu
dGlvbmVzICIndnVsbmVyYWJpbGl0aWVzIiwKPiB3aXRob3V0IHNwZWNpZnlpbmcgd2hhdCBjb25z
dGl0dXRlcyBhIHZ1bG5lcmFiaWxpdHkuCj4gCj4gSXNzdWluZyBhZHZpc29yaWVzIGhhcyBhIGNv
c3Q6IEl0IGNvc3RzIHRoZSBzZWN1cml0eSB0ZWFtIHNpZ25pZmljYW50Cj4gYW1vdW50cyBvZiB0
aW1lIHRvIGNyYWZ0IGFuZCBzZW5kIHRoZSBhZHZpc29yaWVzOyBpdCBjb3N0cyBtYW55IG9mIG91
cgo+IGRvd25zdHJlYW1zIHRpbWUgdG8gYXBwbHksIGJ1aWxkLCBhbmQgdGVzdCBwYXRjaGVzOyBh
bmQgZXZlcnkgYWR2aXNvcnkKPiBoYXMgdGhlIHJpc2sgdGhhdCBpdCB3aWxsIGJlIHBpY2tlZCB1
cCBhbmQgYmxvd24gb3V0IG9mIHByb3BvcnRpb24gYnkKPiB0aGUgbWVkaWEuICBTbyB3ZSB3YW50
IHRvIG1ha2Ugc3VyZSB0byBvbmx5IGlzc3VlIGFkdmlzb3JpZXMgZm9yCj4gaXNzdWVzIHRoYXQg
YXJlIHdvcnRoIHRoZSBjb3N0Lgo+IAo+IFdlIHdvdWxkIGxpa2UgZ3VpZGVsaW5lcyBmcm9tIHRo
ZSBjb21tdW5pdHkgYWJvdXQgd2hhdCBzb3J0cyBvZiBpc3N1ZXMKPiBzaG91bGQgYmUgY29uc2lk
ZXJlZCBzZWN1cml0eSBpc3N1ZXMgKGFuZCB0aHVzIHdpbGwgaGF2ZSBhZHZpc29yaWVzCj4gaXNz
dWVkKS4gIEJlbG93IGlzIGEgZHJhZnQgb2YgYSBzZWN0aW9uIEkqIGFtIHByb3Bvc2luZyB0byBi
ZSBhZGRlZCB0bwo+IHRoZSBYZW4gU2VjdXJpdHkgUG9saWN5LCBqdXN0IHVuZGVyIHRoZSBzZWN0
aW9uICJTcGVjaWZpYyBQcm9jZXNzIi4KPiAKPiBNb3N0IG9mIGl0IGlzIGp1c3QgZW5jb2Rpbmcg
bG9uZy1lc3RhYmxpc2hlZCBwcmFjdGljZS4gIEJ1dCB0aGVyZSBhcmUKPiB0d28ga2V5IGNoYW5n
ZXMgYW5kIC8gb3IgY2xhcmlmaWNhdGlvbnMgdGhhdCBkZXNlcnZlIGF0dGVudGlvbiBhbmQKPiBk
aXNjdXNzaW9uOiBjcml0ZXJpYSAyYyAobGVha2luZyBvZiBtdW5kYW5lIGluZm9ybWF0aW9uIHdp
bGwgbm90IGJlCj4gY29uc2lkZXJlZCBhIHNlY3VyaXR5IGlzc3VlIHVubGVzcyBpdCBtYXkgY29u
dGFpbiBzZW5zaXRpdmUgZ3Vlc3Qgb3IKPiB1c2VyIGRhdGEpLCBhbmQgNCAoaWYgbm8ga25vd24g
b3BlcmF0aW5nIHN5c3RlbXMgYXJlIHZ1bG5lcmFibGUgdG8gYQo+IGJ1Zywgbm8gYWR2aXNvcnkg
d2lsbCBiZSBpc3N1ZWQpLgo+IAo+IFBsZWFzZSBnaXZlIGZlZWRiYWNrLiAgVGhhbmtzIQo+IAo+
ICogVGhpcyBoYXMgbXkgb3duIHByb3Bvc2FsOyBpdCBpcyBpbnNwaXJlZCBieSBkaXNjdXNzaW9u
cyB0aGUgc2VjdXJpdHkKPiB0ZWFtIGhhcyBoYWQsIGJ1dCBpdCBoYXMgbm90IGJlZW4gdmV0dGVk
IGJ5IHRoZW0uCj4gCj4gPT09PQo+IAo+ICMgU2NvcGUgb2YgdnVsbmVyYWJpbGl0aWVzIGNvdmVy
ZWQgYnkgdGhpcyBwcm9jZXNzCj4gCj4gQWxsIHNlY3VyaXR5IGlzc3VlcyBhcmUgYnVncywgYnV0
IG5vdCBhbGwgYnVncyBhcmUgc2VjdXJpdHkgaXNzdWVzLgo+IFRoaXMgc2VjdGlvbiBpcyBtZWFu
dCB0byBiZSBhIGd1aWRlIGZyb20gdGhlIFhlbiBjb21tdW5pdHkgdG8gdGhlIFhlbgo+IHNlY3Vy
aXR5IHJlc3BvbnNlIHRlYW0gcmVnYXJkaW5nIHdoaWNoIGJ1Z3Mgc2hvdWxkIGhhdmUgYWR2aXNv
cmllcwo+IGlzc3VlZCBmb3IgdGhlbS4gIERpc2NvdmVyZXJzIGFyZSBlbmNvdXJhZ2VkIHRvIGVy
ciBvbiB0aGUgc2lkZSBvZgo+IGNhdXRpb24gYW5kIHJlcG9ydCBhbnkgcG90ZW50aWFsIHZ1bG5l
cmFiaWxpdGllcyB0byB0aGUgc2VjdXJpdHkgdGVhbS4KPiBUaGVzZSBndWlkZWxpbmVzIGFyZSBu
b3QgbWVhbnQgdG8gYmUgc2V0IGluIHN0b25lOyBpZiB0aGV5IGRvIG5vdCBmaXQKPiB5b3VyIG5l
ZWRzIGFzIGEgdXNlciwgcGxlYXNlIHJhaXNlIHRoZSBpc3N1ZSBvbiB4ZW4tZGV2ZWwuCj4gCj4g
RXZlcnkgcG90ZW50aWFsIHZ1bG5lcmFiaWxpdHkgd2lsbCBoYXZlIGEgc291cmNlIGNvbnRleHQs
IGFuIGVmZmVjdCwKPiBhbmQgYSB0YXJnZXQgZWZmZWN0IGNvbnRleHQuICBGb3IgaW5zdGFuY2Us
IGEgYnVnIG1heSBhbGxvdyBhIGd1ZXN0Cj4gdXNlciAoc291cmNlIGNvbnRleHQpIHRvIGVzY2Fs
YXRlIHRoZWlyIHByaXZpbGVnZXMgKGVmZmVjdCkgdG8gdGhhdCBvZgo+IHRoZSBndWVzdCBrZXJu
ZWwgKHRhcmdldCBjb250ZXh0KTsgb3IgaXQgbWF5IGFsbG93IGEgZ3Vlc3QKPiBhZG1pbmlzdHJh
dG9yIChzb3VyY2UgY29udGV4dCkgdG8gc2V2ZXJlbHkgZGVncmFkZSB0aGUgZGlzawo+IHBlcmZv
cm1hbmNlIChlZmZlY3QpIG9mIGFub3RoZXIgZ3Vlc3QgKHRhcmdldCBjb250ZXh0KS4KPiAKPiBP
bmx5IHRoZSBmb2xsb3dpbmcgc291cmNlL3RhcmdldCBjb250ZXh0IHBhaXJzIHdpbGwgYmUgY29u
c2lkZXJlZAo+IHZ1bG5lcmFiaWxpdGllczoKPiAKPiAxYS4gVGhlIHNvdXJjZSBpcyB0aGUgZ3Vl
c3QgdXNlcnNwYWNlLCBndWVzdCBrZXJuZWwsIG9yIFFFTVUgc3R1YmRvbWFpbiwKPiBhbmQgdGhl
IHRhcmdldCBpcyB0aGUgaHlwZXJ2aXNvciwgZG9tMCBhbmQgdG9vbHN0YWNrLgo+IAo+IDFiLiBU
aGUgc291cmNlIGlzIHRoZSBndWVzdCB1c2Vyc3BhY2UsIGd1ZXN0IGtlcm5lbCwgb3IgUUVNVQo+
IHN0dWJkb21haW4sIGFuZCB0aGUgdGFyZ2V0IGlzIGFub3RoZXIgZ3Vlc3QuCj4gCj4gMWMuIFRo
ZSBzb3VyY2UgaXMgZ3Vlc3QgdXNlcnNwYWNlLCBhbmQgdGhlIHRhcmdldCBpcyB0aGUgZ3Vlc3Qg
a2VybmVsLAo+IG9yIG90aGVyIGd1ZXN0IHVzZXJzcGFjZSBwcm9jZXNzZXMuCj4gCj4gVGhpcyBt
ZWFucywgZm9yIGluc3RhbmNlLCB0aGF0IGJ1ZyB3aGljaCBhbGxvd3MgYSBndWVzdCBrZXJuZWwg
dG8KPiBwZXJmb3JtIGEgRG9TIG9uIGl0c2VsZiB3aWxsIG5vdCBiZSBjb25zaWRlcmVkIGEgc2Vj
dXJpdHkKPiB2dWxuZXJhYmlsaXR5LiAgSXQgYWxzbyBtZWFucywgYXQgdGhlIG1vbWVudCwgdGhh
dCB0aGUgc2VjdXJpdHkgdGVhbQo+IHdpbGwgbm90IGlzc3VlIGFkdmlzb3JpZXMgZm9yIGhpZ2hs
eSBkaXNhZ2dyZWdhdGVkIGVudmlyb25tZW50cy4KPiAKPiBPbmx5IHNvbWUgZWZmZWN0cyBhcmUg
Y29uc2lkZXJlZCB2dWxuZXJhYmlsaXRpZXM7IGFuZCB3aGV0aGVyIHRoZXkgYXJlCj4gdnVsbmVy
YWJpbGl0aWVzIGRlcGVuZHMgb24gdGhlIHRhcmdldCBjb250ZXh0Ogo+IAo+IDJhLiBQcml2aWxl
Z2UgZXNjYWxhdGlvbjogY2F1c2luZyBhcmJpdHJhcnkgY29kZSB0byBiZSBydW4gaW4gdGhlIHRh
cmdldAo+IGNvbnRleHQuICBUaGlzIHdpbGwgYmUgY29uc2lkZXJlZCBhIHZ1bG5lcmFiaWxpdHkg
aW4gYWxsIGNhc2VzIGFib3ZlICgxYS1jKS4KPiAKPiAyYi4gRGVuaWFsIG9mIHNlcnZpY2U6IENh
dXNpbmcgdGVybWluYXRpb24gb2Ygb3Igc2lnbmlmaWNhbnQKPiBkZWdyYWRhdGlvbiBvZiBwZXJm
b3JtYW5jZSBpbiB0aGUgdGFyZ2V0IGNvbnRleHQuICBUaGlzIHdpbGwgYmUKPiBjb25zaWRlcmVk
IGEgdnVsbmVyYWJpbGl0eSBpbiBhbGwgY2FzZXMgYWJvdmUgKDFhLWMpLgo+IAo+IDJjLiBJbmZv
cm1hdGlvbiBsZWFrYWdlOiBUaGUgYXR0YWNrZXIgaW4gdGhlIHNvdXJjZSBjb250ZXh0IGlzIGFi
bGUgdG8KPiBvYnRhaW4gaW5mb3JtYXRpb24gZnJvbSB0aGUgdGFyZ2V0IGNvbnRleHQuICBUaGlz
IHdpbGwgYmUgY29uc2lkZXJlZCBhCj4gdnVsbmVyYWJpbGl0eSBpbiBhbGwgY2FzZXMgaW4gMWIg
YW5kIDFjLiAgSXQgd2lsbCBvbmx5IGJlIGNvbnNpZGVyZWQgYQo+IHZ1bG5lcmFiaWxpdHkgaW4g
dGhlIGNhc2Ugb2YgMWEgaWYgaW5mb3JtYXRpb24gb2J0YWluZWQgaXMgY29uc2lkZXJlZAo+IHNl
bnNpdGl2ZSBpbiBhbmQgb2YgaXRzZWxmOiBmb3IgZXhhbXBsZSwgaG9zdCBhZG1pbmlzdHJhdG9y
IHBhc3N3b3Jkcwo+IG9yIGluZm9ybWF0aW9uIGFib3V0IG90aGVyIHVzZXJzIG9uIHRoZSBob3N0
Lgo+IAo+IEluIHBhcnRpY3VsYXIsIGluZm9ybWF0aW9uIGxlYWthZ2UgZnJvbSBYZW4sIGRvbWFp
biAwLCBvciB0aGUKPiB0b29sc3RhY2sgdG8gYW4gdW5wcml2aWxlZ2VkIGd1ZXN0IHdpbGwgKm5v
dCogYmUgY29uc2lkZXJlZCBhCj4gdnVsbmVyYWJpbGl0eSB1bmxlc3MgdGhlcmUgaXMgYSBjaGFu
Y2UgdGhhdCB0aGF0IGluZm9ybWF0aW9uIG1heQo+IGNvbnRhaW4gaW5mb3JtYXRpb24gZnJvbSBh
IGd1ZXN0LCBvciBvdGhlciBzZW5zaXRpdmUgaW5mb3JtYXRpb24gZnJvbQo+IGRvbWFpbiAwLiAg
Rm9yIGluc3RhbmNlLCBjb3B5aW5nIHVuaW5pdGlhbGl6ZWQgZGF0YSBmcm9tIFhlbidzIHN0YWNr
Cj4gd2lsbCBnZW5lcmFsbHkgYmUgY29uc2lkZXJlZCBhIHZ1bG5lcmFiaWxpdHksIGJlY2F1c2Ug
aXQgbWF5IGNvbnRhaW4KPiBzdGFsZSBndWVzdCBkYXRhLiAgQnV0IGlmIGl0IGNhbiBiZSBzaG93
biB0aGF0IHRoZSBkYXRhIGNvcGllZCB3aWxsCj4gYWx3YXlzIGJlIFhlbi1pbnRlcm5hbCBpbmZv
cm1hdGlvbiAoZm9yIGluc3RhbmNlLCBwb2ludGVycyBvciBvdGhlcgo+IGludGVybmFsIHN0cnVj
dHVyZXMpLCB0aGVuIGFuIGFkdmlzb3J5IHdpbGwgbm90IGJlIGlzc3VlZC4gIFRoaXMgaXMKPiB0
aGUgY2FzZSBldmVuIGlmIHRoYXQgaW5mb3JtYXRpb24gY291bGQgYmUgdXNlZnVsIGluIG1ha2lu
ZyBhbm90aGVyCj4gZXhwbG9pdCBtb3JlIGVmZmVjdGl2ZSAoZm9yIGluc3RhbmNlLCBpZiBpdCBl
eHBvc2VkIHZpcnR1YWwgYWRkcmVzc2VzCj4gb2Ygc2Vuc2l0aXZlIGRhdGEgc3RydWN0dXJlcyku
Cj4gCj4gMy4gVGhlIHNlY3VyaXR5IHRlYW0gd2lsbCBvbmx5IGlzc3VlIGFkdmlzb3JpZXMgZm9y
IGNlcnRhaW4KPiBjb25maWd1cmF0aW9ucy4gIEJ1Z3MgaW4gWGVuIGZlYXR1cmVzIGxpc3RlZCBh
cyAiZXhwZXJpbWVudGFsIiBvcgo+ICJ0ZWNoIHByZXZpZXciIHdpbGwgbm90IGhhdmUgYWR2aXNv
cmllcyBpc3N1ZWQgZm9yIHRoZW0uICBCdWdzIGluIFFFTVUKPiB3aWxsIG9ubHkgaGF2ZSBhZHZp
c29yaWVzIGlzc3VlZCB3aGVuIGNvbmZpZ3VyZWQgYXMgZGVzY3JpYmVkIGluCj4gZG9jcy9taXNj
L3FlbXUteGVuLXNlY3VyaXR5Lgo+IAo+IDQuIFRoZSBzZWN1cml0eSB0ZWFtIHdpbGwgb25seSBp
c3N1ZSBhbiBhZHZpc29yeSBpZiB0aGVyZSBpcyBhIGtub3duCj4gY29tYmluYXRpb24gb2Ygc29m
dHdhcmUgaW4gd2hpY2ggdGhlIHZ1bG5lcmFiaWxpdHkgY2FuIGJlIGV4cGxvaXRlZC4KCisxIG9u
IHRoZSB3aG9sZSBkb2MsIHRoYW5rcyBHZW9yZ2UKCkknZCBhbHNvIGxpa2UgdG8gcG9pbnQgb3V0
IHRoYXQgdGhpcyB3b3JkaW5nIGFsc28gcHJldmVudHMgdGhlb3JldGljYWwKdnVsbmVyYWJpbGl0
aWVzLCBzdWNoIGFzIFhTQS0xNjYsIHRvIHR1cm4gaW50byBYU0FzLgoKCj4gSW4gbW9zdCBjYXNl
cywgdGhlIHNvZnR3YXJlIHdoaWNoIGNvbnRhaW5zIHRoZSBidWcgaXMgYWxzbyB0aGUgdGFyZ2V0
Cj4gb2YgdGhlIGF0dGFjazogdGhhdCBpcywgYSBidWcgaW4gWGVuIGFsbG93cyBhbiB1bnByaXZp
bGVnZWQgdXNlciB0bwo+IGNyYXNoIFhlbiwgYSBidWcgaW4gUUVNVSBhbGxvd3MgYW4gdW5wcml2
aWxlZ2VkIHVzZXIgdG8gZXNjYWxhdGUgaXRzCj4gcHJpdmlsZWdlcyB0byB0aGF0IG9mIHRoZSBR
RU1VIHByb2Nlc3MuICBJbiB0aGVzZSBjYXNlcyAidXNpbmcgWGVuIiBvcgo+ICJ1c2luZyBRRU1V
IiBpbXBsZXMgImJlaW5nIHZ1bG5lcmFibGUiLgo+IAo+IEJ1dCB0aGlzIGlzIG5vdCBhbHdheXMg
c286IGZvciBpbnN0YW5jZSwgYSBidWcgaW4gdGhlIFhlbiBpbnN0cnVjdGlvbgo+IGVtdWxhdG9y
IG1pZ2h0IGFsbG93IGEgZ3Vlc3QgdXNlciB0byBhdHRhY2sgdGhlIGd1ZXN0IGtlcm5lbCwgKmlm
KiB0aGUKPiBndWVzdCBrZXJuZWwgYmVoYXZlcyBpbiBhIGNlcnRhaW4gd2F5LCBidXQgbm90IGlm
IGl0IGJlaGF2ZXMgaW4gb3RoZXIKPiB3YXlzLiAgSW4gc3VjaCBhIGNhc2UsIGEgYnVnIHdpbGwg
b25seSBiZSBjb25zaWRlcmVkIGEgdnVsbmVyYWJpbGl0eQo+IGlmIHRoZXJlIGFyZSBrbm93biBv
cGVyYXRpbmcgc3lzdGVtcyBvbiB3aGljaCB0aGUgYXR0YWNrIGNhbiBiZQo+IGV4ZWN1dGVkLiAg
SWYgbm8gb3BlcmF0aW5nIHN5c3RlbSBjYW4gYmUgZm91bmQgd2hpY2ggYWxsb3dzIHN1Y2ggYW4K
PiBhdHRhY2ssIG5vIGFkdmlzb3J5IHdpbGwgYmUgaXNzdWVkLgo+IAo+IElmIGEgYnVnIHJlcXVp
cmVzIGEgdnVsbmVyYWJsZSBvcGVyYXRpbmcgc3lzdGVtIHRvIGJlIGV4cGxvaXRhYmxlLCB0aGUK
PiBYZW4gU2VjdXJpdHkgVGVhbSB3aWxsIHByby1hY3RpdmVseSBpbnZlc3RpZ2F0ZSB0aGUgdnVs
bmVyYWJpbGl0eSBvZgo+IHRoZSBmb2xsb3dpbmcgb3Blbi1zb3VyY2Ugb3BlcmF0aW5nIHN5c3Rl
bXM6IExpbnV4LCBPcGVuQlNELCBGcmVlQlNELAo+IGFuZCBOZXRCU0QuICBUaGUgc2VjdXJpdHkg
dGVhbSBtYXkgYWxzbyB0ZXN0IG9yIG90aGVyd2lzZSBpbnZlc3RpZ2F0ZQo+IHRoZSB2dWxuZXJh
YmlsaXR5IG9mIHNvbWUgcHJvcHJpZXRhcnkgb3BlcmF0aW5nIHN5c3RlbXMuCj4gCj4gKEFuIGV4
YW1wbGUgb2YgdGhpcyBzY2VuYXJpbyBpcyBYU0EtMTc2OiBUaGVyZSB3YXMgYSBidWcgaW4gdGhl
Cj4gaGFuZGxpbmcgb2YgdGhlIHBhZ2V0YWJsZSBQUyBiaXRzIGZvciBMMyBhbmQgTDQ7IGJ1dCBu
byBrbm93bgo+IG9wZXJhdGluZyBzeXN0ZW1zIHdlcmUgdnVsbmVyYWJsZSB0byBhbiBleHBsb2l0
IGFzIGEgcmVzdWx0IG9mIHRoZQo+IGJ1Zy4gIFVuZGVyIHRoZXNlIGd1aWRlbGluZXMsIFhTQS0x
NzYgd291bGQgbm90IGhhdmUgYmVlbiBpc3N1ZWQuKQo+IAo+IF9fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fCj4gWGVuLWRldmVsIG1haWxpbmcgbGlzdAo+IFhl
bi1kZXZlbEBsaXN0cy54ZW4ub3JnCj4gaHR0cHM6Ly9saXN0cy54ZW4ub3JnL3hlbi1kZXZlbAo+
IAoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWRl
dmVsIG1haWxpbmcgbGlzdApYZW4tZGV2ZWxAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3RzLnhl
bi5vcmcveGVuLWRldmVsCg==