Re: [Xen-devel] [PATCH v2] flask: change default state to enforcing

On Wed, Apr 06, 2016 at 03:35:59PM -0400, Daniel De Graaf wrote:
> The previous default of "permissive" is meant for developing or
> debugging a disaggregated system. However, this default makes it too
> easy to accidentally boot a machine in this state, which does not place
> any restrictions on guests. This is not suitable for normal systems
> because any guest can perform any operation (including operations like
> rebooting the machine, kexec, and reading or writing another domain's
> memory).
>
> This change will cause the boot to fail if you do not specify an XSM
> policy during boot; if you need to load a policy from dom0, use the
> "flask=late" boot parameter.
>
> Original patch by Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>; modified
> to also change the default value of flask_enforcing so that the policy
> is not still in permissive mode. This also removes the (no longer
> documented) command line argument directly changing that variable since
> it has been superseded by the flask= parameter.
>
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Reviewed and applied.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel