On 3/8/16 7:51 PM, Konrad Rzeszutek Wilk wrote:
> Hey,
>
> I was wondering if we should change the default flask_bootparam
> option from permissive to disabled?
>
> The reason being is that I was startled to see that my xSplice
> code was able to patch the hypervisor from within a PV guest!
>
> Further testing showed that I could do 'xl debug-keys R' from
> within the guests. This being possible with released 4.6 if I have
> XSM enabled.
>
> All of this is due to the fact that I had forgotten to load the policy,
> but Xen just told me:
>
> Flask: Access controls disabled until policy is loaded.
>
> which is an understatement. I somehow had expected that if no
> policy was loaded it would revert to the dummy one which has the
> same permission as the non-XSM build. Ha! What a surprise..

That's certainly been my assumption as well.

>
> Now that the XSM is enabled via config it becomes much more
> easy to enable it..
>
> Or perhaps change the code to flask so that if there are any
> errors loading the policy it uses the dummy one?
>

To me that's what that error message from flask meant so I think that's
the most sane default. Being in a worse state than if you had built
without it.

Machon,

Something to consider for the Yocto builds as well.

--
Doug Goldstein