|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH RFC v2] Add SUPPORT.md
On Tue, Sep 12, 2017 at 4:35 PM, Rich Persaud <persaur@xxxxxxxxx> wrote: >> On Sep 11, 2017, at 13:01, George Dunlap <george.dunlap@xxxxxxxxxx> wrote: >> >> +### XSM & FLASK >> + >> + Status: Experimental >> + >> +Compile time disabled >> + >> +### XSM & FLASK support for IS_PRIV >> + >> + Status: Experimental > > In which specific areas is XSM lacking in Functional completeness, Functional > stability and/or Interface stability, resulting in "Experimental" status? > What changes to XSM would be needed for it to qualify for "Supported" status? So first of all, I guess there's two "features" here: One is XSM / FLASK itself, which downstreams such OpenXT can use do make their own policies. The second is the "default FLASK policy", shipped with Xen, which has rules and labels for things in a "normal" Xen system: domUs, driver domains, stub domains, dom0, &c. There was a time when you could simply enable that and a basic Xen System would Just Work, and (in theory) would be more secure than the default Xen system. It probably makes sense to treat these separately. Two problems we have so far: The first is that the policy bitrots fairly quickly. At the moment we don't have proper testing, and we don't really have anyone that knows how to fix it if it does break. The second problem is that while functional testing can show that the default policy is *at least* as permissive as not having FLASK enabled at all, it's a lot more difficult to show that having FLASK enabled isn't in some cases *more permissive* than we would like to be by default. We've noticed issues before where enabling XSM accidentally gives a domU access to hypercalls or settings it wouldn't have access to otherwise. Absent some way of automatically catching these changes, we're not sure we could recommend people use the default policy, even if we had confidence (via testing) that it wouldn't break people's functionality on update. The "default policy bitrot" problem won't be one for you, because (as I understand it) you write your own custom policies. But the second issue should be more concerning: when you update to a new version of Xen, what confidence do you have that your old policies will still adequately restrict guests from dangerous new functionality? I think sorting the second question out is basically what it would take to call FLASK by itself (as opposed to the default policy) "Supported". (And if you can make an argument that this is already sorted, then we can list FLASK itself as "supported".) > If there will be no security support for features in Experimental status, > would Xen Project accept patches to fix XSM security issues? Could > downstream projects issue CVEs for XSM security issues, if these will not be > issued by Xen Project? Experimental status is about 1) our assessment of how reliable the feature is, and 2) whether we will issue XSAs if security-related bugs are found. We will of course accept patches to improve functionality, and it's likely that if someone only *reports* a bug that people on the list will be able to come up with a fix. Regarding CVEs, I guess what you care about is whether as our own CNA, the XenProject would be willing to issue CVEs for XSM security issues, and/or perhaps whether we would mind if you asked Mitre directly instead. That's slightly a different topic, which we should probably discuss when we become a CNA. But to give you an idea where I'm at, I think the question is: What kind of a bug do you think you'd issue a CVE for (and/or, an XSA)? -George _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |