[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

  • To: 'Jan Beulich' <JBeulich@xxxxxxxx>
  • From: "DeGraaf, Daniel G" <dgdegra@xxxxxxx>
  • Date: Tue, 2 Oct 2018 17:39:02 +0000
  • Accept-language: en-US
  • Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, George Dunlap <dunlapg@xxxxxxxxx>
  • Delivery-date: Tue, 02 Oct 2018 17:39:24 +0000
  • Ironport-phdr: 9a23:3VaVQRfYHFZxydQqgrGXgxm1lGMj4u6mDksu8pMizoh2WeGdxcWyYh7h7PlgxGXEQZ/co6odzbaO7Oa4ASQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9HiTahY75+Ngm6oRnMvcQKnIVuLbo8xAHUqXVSYeRWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLns65Nb3uhnZTAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD+v9LlgRgP2hygbNj456GDXhdJ2jKJHuxKquhhzz5fJbI2JKPZye6XQct0ARWpFQ81fSSpPDI2hZIcLFuYNI/pUo4z7qlATrxWxGBOsCfvvxDFWm3H2waM03ecgEQ7a0wIvEMkDsGjPo9jxKKseTfy5wavOwD7eb/1WwzD96I3Qfxwvr/+DQ7N+cdDLxkY1GQPJlkibp4L/MDOT1+QCrWyb5PdhW+6hlmUqrBx+ojeyycgyhYnJnJgax0vC9SVi2ok5P9K4SEllYdO9FpZbqiKUN5NuT88/X21kojg2xqAGtJKhYiQG1pYqywTCZ/GEboSE+g/vWPqLLTtmmX5oeKiziwi8/EWi0OHwSNS43EhSoiZYk9TBsmoB2wLT58WIUPdw/12t1SiA2g3T7OxPPFo6mrDBK5E7x749jp8TsUPeESDogEj2l6qWdlk8+uiv9uTnfq3qpp+COI9wjQHzKqMglNG9D+omKwQAXmqV9fml2LLt8kP0XKlGguMsnqbFt5DaP9wbqrS/Aw9OyIkv8Rm/DzC40NgAnHkHKkxKeA6fgoT0J13COu70Aeq/jli2jjtn2fLLMqf8DpjOM3TPiLLhcqx8605Yxgoz19df55dMB74cL/L8R1H+tNPCDhAjKAG0xf3nB89n2oMRXmKPHLeVMLnOvl+Q+uIvP+6MaZcItzbgLfgl4+ThjWc2mVIGYKmp2JoXZ2y4Hvh8PUqWfGfsiM8bEWgWpgo+UPDqiFqaXDBXenu9Qb885jU6CI26DYfOXZutgKGa3CilBJFZemdGClWUG3fya4qEQ+sMaD6VIsJ5nT0LS76hR5Y82h6wqg/11b5nI/HQ+i0ZrpLjyMN16/fclB4s8zx0F96d02aPT25qgmwIWyU63KdloUxymR+/1v03ofVeXfZe+vdIWQd1fcr+5eFnD9H5WiraY8yEDl2hR4P1Lys2S4d779IheU90FZHqohnF3ieuS5Bf3+iHC5A5/bjV937qLoByzGiQh/pptEUvXsYabT7uvaV47QWGQteTy0g=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AdRackitRcLHrul2RgCx2p4ikS8rCw==
  • Thread-topic: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting

> From: Jan Beulich <JBeulich@xxxxxxxx>
> >>> On 28.09.18 at 21:13, <dgdegra@xxxxxxxxxxxxx> wrote:
> > These entries are not always sorted by checkpolicy.  Enforce the sorting
> > (which can be done manually if using an unpatched checkpolicy) when
> > loading the policy so that later uses by the security server do not
> > incorrectly use the initial sid.
> "Enforce the sorting" could mean two things - sorting what's unsorted,
> or (as you do) raise an error. Isn't raising an error here possibly going
> to impact systems which currently work?
> Jan

A system whose iomemcon entries are unsorted is currently not enforcing the 
intended security policy.  It normally ends up enforcing a more restrictive 
policy, but not always (it depends on what you allow access to the default 
label). My guess is that anyone impacted by this problem would have noticed 
when they added the rule and it had no effect. However, I do agree this could 
cause an error on currently-working systems that do things like add iomemcon 
entries that they don't use.

Are you suggesting an update to the commit message to make this breakage clear, 
or does the problem need to be fixed in the hypervisor? It would be possible to 
sort the entries as they're added, but that's not as easy as just detecting the 
mis-sort (since they're a linked list), and the policy creation process should 
have already sorted them (except that that part was missing).
Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.