|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [GRUB PATCH 2/2] 20_linux_xen: Support Xen Security Modules (XSM/FLASK)
XSM is enabled by adding "flask=enforcing" as a Xen command line
argument, and providing the policy file as a grub module.
We make entries for both with and without XSM. If XSM is not compiled
into Xen, then there are no policy files, so no change to the boot
options.
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
util/grub.d/20_linux_xen.in | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
index 30da49d66..7a092b898 100644
--- a/util/grub.d/20_linux_xen.in
+++ b/util/grub.d/20_linux_xen.in
@@ -94,6 +94,11 @@ esac
title_correction_code=
linux_entry ()
+{
+ linux_entry_xsm "$@" false
+ linux_entry_xsm "$@" true
+}
+linux_entry_xsm ()
{
os="$1"
version="$2"
@@ -101,6 +106,18 @@ linux_entry ()
type="$4"
args="$5"
xen_args="$6"
+ xsm="$7"
+ # If user wants to enable XSM support, make sure there's
+ # corresponding policy file.
+ if ${xsm} ; then
+ xenpolicy="xenpolicy-$xen_version"
+ if test ! -e "${xen_dirname}/${xenpolicy}" ; then
+ return
+ fi
+ xen_args="$xen_args flask=enforcing"
+ xen_version="$(gettext_printf "%s (XSM enabled)" "$xen_version")"
+ # xen_version is used for messages only; actual file is xen_basename
+ fi
if [ -z "$boot_device_id" ]; then
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
fi
@@ -154,6 +171,13 @@ EOF
sed "s/^/$submenu_indentation/" << EOF
echo '$(echo "$message" | grub_quote)'
${module_loader} --nounzip $(echo $initrd_path)
+EOF
+ fi
+ if test -n "${xenpolicy}" ; then
+ message="$(gettext_printf "Loading XSM policy ...")"
+ sed "s/^/$submenu_indentation/" << EOF
+ echo '$(echo "$message" | grub_quote)'
+ ${module_loader} ${rel_dirname}/${xenpolicy}
EOF
fi
sed "s/^/$submenu_indentation/" << EOF
--
2.20.1
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |