
Re: [XEN PATCH] xen: allow XSM_FLASK_POLICY only if checkpolicy binary is available


  • To: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 15 Jul 2021 08:25:31 +0200
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 15 Jul 2021 06:25:51 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 14.07.2021 18:17, Anthony PERARD wrote:
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -25,6 +25,9 @@ config GRANT_TABLE
>  config HAS_ALTERNATIVE
>       bool
>  
> +config HAS_CHECKPOLICY
> +     def_bool $(success,$(CHECKPOLICY) -h 2>&1 | grep -q xen)
> +
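
Review bot: the probe on the def_bool line of HAS_CHECKPOLICY matches the bare substring "xen" anywhere in the merged stdout and stderr of `$(CHECKPOLICY) -h`, so it can succeed for the wrong reason, for instance when the binary is missing and the shell's error message echoes a $(CHECKPOLICY) path that contains "xen". Matching a more specific string from the help text would make the check less fragile, and a short comment above the symbol saying which capability the grep is meant to detect would help the next reader. Because the result is evaluated when Kconfig runs, it is also worth documenting that a change of build host or of $(CHECKPOLICY) needs a reconfigure before this symbol reflects it.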

This is no different from other aspects of "Kconfig vs tool chain
capabilities" sent out last August to start a discussion about
whether we really want such. Besides Jürgen no-one cared to reply
iirc, which to me means no-one really cares one way or the other.
Which I didn't think was the case ... So here we are again, with
all the same questions still open.

I'm not going to nack the patch, because there's an immediate
purpose / need, but I also can't avoid commenting (and I won't
put my name on it in any positive way, i.e. also not as a
committer; if anything then to record my reservations).

Independent of this I'd like to raise the question of whether
the chosen placement is optimal. Other capability checks live
in xen/Kconfig.

Jan




 

