Re: [Xen-devel] [PATCH] xsm/flask: improve unknown permission handling
>>> On 25.11.14 at 19:05, <dgdegra@xxxxxxxxxxxxx> wrote: > --- a/xen/xsm/flask/hooks.c > +++ b/xen/xsm/flask/hooks.c > @@ -135,6 +135,19 @@ static int get_irq_sid(int irq, u32 *sid, struct > avc_audit_data *ad) > return 0; > } > > +static int avc_unknown_permission(const char* name, int id) const char *name > +{ > + /* A guest making an invalid hypercall can trigger this message, so it > can't > + * be an ASSERT or BUG_ON, but normally it is caused by a missing case in > + * one of the switch statements below. > + */ > + printk(XENLOG_G_ERR "FLASK: Unknown %s: %d.\n", name, id); I think this ought to be XENLOG_G_WARNING when not returning an error. E.g. switch printing and return code determination, use the return code to select the correct log level, and return after logging the message. Jan > + if ( !flask_enforcing || security_get_allow_unknown() ) > + return 0; > + else > + return -EPERM; > +} > + > static int flask_domain_alloc_security(struct domain *d) > { > struct domain_security_struct *dsec; _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
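Review bot: the printk in avc_unknown_permission() reports only the name and id, so the log line does not identify which domain made the call, even though the comment above it says a guest can trigger the message with an invalid hypercall. Consider including the calling domain's ID in the message so that a misbehaving guest can be told apart from a missing case in one of the switch statements. Separately, the `else` after `return 0;` is redundant; computing the return value first and returning it once at the end would remove it.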