
Re: [Xen-devel] [OSSTEST PATCH RFC v1 00/12] XSM test cases for OSSTest

On 09/22/2014 10:11 AM, Wei Liu wrote:
> Hi all
>
> This patch series attempts to duplicate some Debian smoke tests for XSM in Xen.

This looks good to me, and should help shake out policy errors better than
manual testing - which, as you found, has missed a few operations.

> 4. In-tree default policy is too strict
>
> For the PV guest test case, it can successfully create a guest, but fails at
> saving. Xen log says "permission denied".
>
> For QEMU upstream HVM guest, QEMU segfaults with NULL pointer dereference.
>
> For QEMU traditional HVM guest, guest crashes with triple fault.
>
> I have yet to try to debug the HVM test cases. Presumably the failures are the
> combined effect of the enforced XSM policy and some QEMU bugs. It's likely to
> take some time to figure out what went wrong. The bug fix and policy tuning are
> orthogonal to the test case itself though.

Fixes to the XSM policy can either be made iteratively until the tests pass, or
all at once with the hypervisor in permissive mode.  In permissive mode, the
hypervisor will remove duplicate AVCs and may also get further along successful
code paths that require more permissions.  However, the tests are probably best
done in enforcing mode (as written), since I expect most failures will be due to
a single permission missing.

Daniel De Graaf
National Security Agency
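
The iterative policy-fixing loop described in the reply above, as an added example that is not part of the original message or of the Xen or OSSTest code: it collapses repeated denials from an enforcing-mode run into one candidate rule per source type, target type and class, for a policy author to review. The log lines are constructed, and their `avc: denied` layout is an assumption modelled on Xen's FLASK audit output.

```python
import re
from collections import defaultdict

# Constructed sample of hypervisor log lines (not taken from the thread). The
# "avc: denied" layout is assumed to follow Xen's FLASK audit output.
SAMPLE_LOG = """\
(XEN) avc:  denied  { getvcpucontext } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain
(XEN) avc:  denied  { getvcpucontext } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain
(XEN) avc:  denied  { pause } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain
(XEN) avc:  denied  { getparam setparam } for domid=0 target=4 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=hvm
(XEN) Domain 3 saved
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def sec_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]

def missing_permissions(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (sec_type(m["scon"]), sec_type(m["tcon"]), m["tclass"])
        denied[key].update(m["perms"].split())  # set union drops repeats
    return dict(denied)

def candidate_rules(log_text):
    """Render de-duplicated denials as candidate allow rules for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(missing_permissions(log_text).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

Each emitted rule is a candidate only: a denial can reflect a bug in the caller rather than a gap in the policy, so every rule needs review before it is added.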
