
Re: Xen XSM/FLASK policy, grub defaults, etc.




> On May 29, 2020, at 11:50 AM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote:
> 
> George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
>>> On May 27, 2020, at 4:41 PM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote:
>>> 3. Failing that, Xen should provide some other mechanism which would
>>> enable something like update-grub to determine whether a particular
>>> hypervisor can sensibly be run with a policy file and flask=enforcing.
>> 
>> So you want update-grub to check whether *the Xen binary it’s creating 
>> entries for* has FLASK enabled.  We generally include the Xen config used to 
>> build the hypervisor — could we have it check for CONFIG_XSM_FLASK?
> 
> That would be a possibility.  Including kernel configs has gone out of
> fashion but I think most distros ship them.
> 
> Are we confident that this config name will remain stable ?

Before taking this approach, we should probably agree to declare it stable, and 
write a comment to that effect in the Kconfig files.

> 
> And I guess if the .config can't be found then the XSM boot entry
> should be included ?

It looks like at the moment experimental config entries are “unpersons” without 
CONFIG_EXPERIMENTAL=y; at least, `rm .config && make defconfig && grep -i 
flask` doesn’t turn up anything for me.

 -George
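
The check discussed in this message, as an added example that is not part of the original e-mail or of any update-grub script: a boot-menu generator reads the build config shipped with a hypervisor and decides whether to emit a `flask=enforcing` entry. The function names and the sample config contents are hypothetical; the "include the entry when no config is found" fallback is the one raised in the quoted question.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# flask_state CONFIG_FILE -> prints: enabled | disabled | unknown
flask_state() {
    cfg=$1
    # No readable config beside the hypervisor: we cannot tell.
    [ -r "$cfg" ] || { echo unknown; return 0; }
    # Kconfig writes an enabled bool symbol as NAME=y. A disabled symbol is
    # written as "# NAME is not set"; a hidden one does not appear at all.
    # The anchors keep CONFIG_XSM_FLASK_AVC_STATS=y from matching.
    if grep -q '^CONFIG_XSM_FLASK=y$' "$cfg"; then
        echo enabled
    else
        echo disabled
    fi
}

# want_xsm_entry CONFIG_FILE -> exit status 0 if the XSM entry should be made.
# "unknown" falls back to including the entry (assumption taken from the thread).
want_xsm_entry() {
    case $(flask_state "$1") in
        enabled|unknown) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on constructed configs written to a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'CONFIG_XSM=y\nCONFIG_XSM_FLASK=y\n' > "$d/flask.config"
    printf 'CONFIG_XSM=y\n# CONFIG_XSM_FLASK is not set\n' > "$d/noflask.config"
    printf 'CONFIG_X86=y\n' > "$d/hidden.config"
    for name in flask noflask hidden missing; do
        printf '%s: %s\n' "$name" "$(flask_state "$d/$name.config")"
    done
    rm -rf "$d"
}
demo
```

A config in which the symbol is absent altogether is reported as `disabled`, which matches the defconfig behaviour described above.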

 

