Re: Xen XSM/FLASK policy, grub defaults, etc.

On 29.05.2020 12:50, Ian Jackson wrote:
> George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
>>> On May 27, 2020, at 4:41 PM, Ian Jackson <ian.jackson@xxxxxxxxxx> wrote:
>>> 3. Failing that, Xen should provide some other mechanism which would
>>> enable something like update-grub to determine whether a particular
>>> hypervisor can sensibly be run with a policy file and flask=enforcing.
>> So you want update-grub to check whether *the Xen binary it’s creating 
>> entries for* has FLASK enabled.  We generally include the Xen config used to 
>> build the hypervisor — could we have it check for CONFIG_XSM_FLASK?
> That would be a possibility.  Including kernel configs has gone out of
> fashion but I think most distros ship them.
> Are we confident that this config name will remain stable ?

Well, if it's to be used like this, then we'll have to keep it
stable if at all possible. But that's the reason why I dislike
the .config grep-ing approach (not just for Xen, also for
Linux). It would imo be better if the binary included something
that can be queried. Such a "something" is then much more
logical to keep stable, imo. This "something" could be an ELF
note, for example (assuming a similar problem to the one here
doesn't exist for xen.efi, or else we'd need to find a solution
there, too).
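To make the proposal concrete, here is an added example (not Xen code, not from anyone in this thread) of how a tool in the position of update-grub could query a build-time feature note carried by the hypervisor ELF image instead of grepping a shipped .config. The note name `XenFeatures`, the note type `1` and the "desc is a u32 flag" encoding are hypothetical assumptions chosen for this illustration; Xen does not define such a note, and a real design would have to pick and document the values. The script only reads `SHT_NOTE` sections of a little-endian ELF64 image held in memory, which is enough for an ELF xen-syms style binary; a PE/COFF xen.efi would need a different lookup, as the message above notes.

```python
"""Query an ELF image for a hypothetical 'FLASK compiled in' build note.

Illustration only: NOTE_NAME / NOTE_TYPE_FLASK and the u32-flag descriptor
format are ASSUMED here, not something Xen defines.
"""
import struct
import sys

NOTE_NAME = b"XenFeatures"   # hypothetical note owner name
NOTE_TYPE_FLASK = 1          # hypothetical note type: desc is u32, 1 = CONFIG_XSM_FLASK built in
SHT_NOTE = 7                 # ELF section type for note sections


def _align4(n):
    """ELF note fields are padded to 4-byte boundaries."""
    return (n + 3) & ~3


def parse_notes(blob):
    """Return [(name, type, desc)] parsed from a raw note section payload."""
    notes, off = [], 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")   # namesz counts the NUL
        off += _align4(namesz)
        desc = blob[off:off + descsz]
        off += _align4(descsz)
        notes.append((name, ntype, desc))
    return notes


def build_note(name, ntype, desc):
    """Serialise one ELF note (used here to construct test fixtures)."""
    name0 = name + b"\0"
    hdr = struct.pack("<III", len(name0), len(desc), ntype)
    return (hdr + name0.ljust(_align4(len(name0)), b"\0")
            + desc.ljust(_align4(len(desc)), b"\0"))


def note_sections(elf):
    """Return payloads of every SHT_NOTE section in a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff, = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    out = []
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", elf, base + 4)
        sh_offset, sh_size = struct.unpack_from("<QQ", elf, base + 0x18)
        if sh_type == SHT_NOTE:
            out.append(elf[sh_offset:sh_offset + sh_size])
    return out


def flask_compiled_in(elf):
    """True only if the (hypothetical) feature note is present and its flag is 1.

    Absence of the note means 'unknown', which a grub helper should treat as
    'do not pass flask=enforcing' rather than guessing from a .config file.
    """
    for payload in note_sections(elf):
        for name, ntype, desc in parse_notes(payload):
            if name == NOTE_NAME and ntype == NOTE_TYPE_FLASK:
                return len(desc) >= 4 and struct.unpack_from("<I", desc)[0] == 1
    return False


def build_minimal_elf(note_payload):
    """Construct (constructed fixture) a tiny ELF64 image with one SHT_NOTE section."""
    ehdr_size = shdr_size = 64
    data_off = ehdr_size
    shoff = _align4(data_off + len(note_payload))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff,
                        0, ehdr_size, 0, 0, shdr_size, 2, 0)  # ET_EXEC, x86-64
    null_shdr = b"\0" * shdr_size
    note_shdr = struct.pack("<IIQQQQIIQQ", 0, SHT_NOTE, 0, 0,
                            data_off, len(note_payload), 0, 0, 4, 0)
    pad = b"\0" * (shoff - data_off - len(note_payload))
    return ehdr + note_payload + pad + null_shdr + note_shdr


if __name__ == "__main__":
    # Usage: python3 check_flask_note.py /boot/xen-syms-<version>  (path is a placeholder)
    with open(sys.argv[1], "rb") as f:
        print("flask built in:", flask_compiled_in(f.read()))
```

For a quick manual look at whatever notes a binary already carries, `readelf -n <file>` lists every note section and segment; the parser above is the programmatic equivalent that a packaging helper could call without depending on binutils. A real implementation would also walk `PT_NOTE` program headers, since stripped images may drop section headers while keeping segments.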