[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data

To: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
From: Julien Grall <julien.grall@xxxxxxx>
Date: Fri, 24 Jun 2016 18:44:33 +0100
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx, Jan Beulich <JBeulich@xxxxxxxx>
Delivery-date: Fri, 24 Jun 2016 17:44:42 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Hi Daniel,

On 24/06/16 18:34, Daniel De Graaf wrote:

On 06/24/2016 12:50 PM, Konrad Rzeszutek Wilk wrote:

On Fri, Jun 24, 2016 at 05:30:32PM +0100, Julien Grall wrote:

diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 12fc3a9..eefd37c 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -27,6 +27,23 @@ $(FLASK_H_FILES): $(FLASK_H_DEPEND)
 $(AV_H_FILES): $(AV_H_DEPEND)
     $(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)

+ifeq ($(CONFIG_XSM_POLICY),y)
+HAS_CHECKPOLICY := $(shell checkpolicy -h 2>&1 | grep -q xen &&
echo y || echo n)
+
+obj-$(HAS_CHECKPOLICY) += policy.o


I would have expect a warning (if not an error) here to tell the user
that
checkpolicy is not available. Otherwise it may take some time to the
user to
understand why the policy is not loaded/present. Because if you
enable XSM,
you don't necessarily check which other options have been enabled by
default.


Good point! And we should probably update the INSTALL document too to
mention
that you need checkpoint tool!


The dependency on checkpolicy is called out in the Kconfig item that
enables this option.

AFAICT, the dependency is only called out for CONFIG_XSM_POLICY.However, this option is enabled by default if CONFIG_XSM is selected.

User may not read what was enabled by default because of CONFIG_XSMselected.

In any case, silently disable an option is a bad idea and will likelycause trouble in the future if we ever decide to enable XSM by default.Another use case would be, a user post his .config on the ML asking whythe policy is not loaded.


Regards,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v2 00/17] XSM/FLASK updates for 4.8
  - From: Daniel De Graaf
- [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
  - From: Daniel De Graaf
- Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
  - From: Julien Grall
- Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
  - From: Konrad Rzeszutek Wilk
- Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
  - From: Daniel De Graaf

Prev by Date: Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
Next by Date: Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
Previous by thread: Re: [Xen-devel] [PATCH 17/17] xsm: add a default policy to .init.data
Next by thread: [Xen-devel] [PATCH 09/17] flask: remove unused AVC callback functions
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.