
[XEN PATCH v2] xen: allow XSM_FLASK_POLICY only if checkpolicy binary is available


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Date: Fri, 16 Jul 2021 13:38:12 +0100
  • Authentication-results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
  • Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "Ian Jackson" <iwj@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Fri, 16 Jul 2021 12:38:25 +0000
  • Ironport-hdrordr: A9a23:rBC09qlRUAYYIVjZWXQoZl/ymvLpDfLo3DAbv31ZSRFFG/Fw9/ rCoB17726QtN91YhsdcL+7V5VoLUmzyXcX2/hyAV7BZmnbUQKTRekP0WKL+Vbd8kbFh41gPM lbEpSXCLfLfCJHZcSR2njELz73quP3jJxBho3lvghQpRkBUdAF0+/gYDzranGfQmN9dP0EPa vZ3OVrjRy6d08aa8yqb0N1JNQq97Xw5fTbiQdtPW9f1DWz
  • Ironport-sdr: d0i5hlDDdkuS1jW/SZH+dj5FOAGRhLn3YoAu0aAJuiRWqU5YwrWy3NJfcS1wwul7wE/h7aWHRw QJLvsNnPNYRU5mp5d8yltE2+KiYoS8QmUq0GyAcT5kiGPRBwPqR7TDP+MU7pkrT+4j6cxAEZxN SNfUwN5qmdo1VuxBo1uFK3qkYbVEFyhusfu83tPgyTaNdXErLe9ZbN/bkneFPeFboY10aQ2pI8 SIqFM/t+2BKAlQ6SpXSMrb+trLlhXhsGX0AAfUT6Tld4wYYmA0VWzE2usJPpHtEk2RNIJJD2B3 TSM=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

This will help prevent the CI loop from having build failures when
`checkpolicy` isn't available, when doing "randconfig" jobs.

Also, move the check out of Config.mk and into xen/ build system.
Nothing in tools/ is using that information as it's done by
./configure.

Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
---
We might want to have a new Makefile for this kind of check that
Kconfig is going to use, just to keep the main Makefile a bit cleaner.
But maybe another time, if more are coming.

v2:
- move check to Makefile
---
 Config.mk          | 6 ------
 xen/Makefile       | 4 ++++
 xen/common/Kconfig | 4 ++--
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/Config.mk b/Config.mk
index d08fa8d60dd7..97d3633706b3 100644
--- a/Config.mk
+++ b/Config.mk
@@ -137,12 +137,6 @@ export XEN_HAS_BUILD_ID=y
 build_id_linker := --build-id=sha1
 endif
 
-ifndef XEN_HAS_CHECKPOLICY
-    CHECKPOLICY ?= checkpolicy
-    XEN_HAS_CHECKPOLICY := $(shell $(CHECKPOLICY) -h 2>&1 | grep -q xen && 
echo y || echo n)
-    export XEN_HAS_CHECKPOLICY
-endif
-
 define buildmakevars2shellvars
     export PREFIX="$(prefix)";                                            \
     export XEN_SCRIPT_DIR="$(XEN_SCRIPT_DIR)";                            \
diff --git a/xen/Makefile b/xen/Makefile
index 8023680ffbf2..045ddb18ad68 100644
--- a/xen/Makefile
+++ b/xen/Makefile
@@ -17,6 +17,8 @@ export XEN_BUILD_HOST ?= $(shell hostname)
 PYTHON_INTERPRETER     := $(word 1,$(shell which python3 python python2 
2>/dev/null) python)
 export PYTHON          ?= $(PYTHON_INTERPRETER)
 
+export CHECKPOLICY     ?= checkpolicy
+
 export BASEDIR := $(CURDIR)
 export XEN_ROOT := $(BASEDIR)/..
 
@@ -156,6 +158,8 @@ CFLAGS += $(CLANG_FLAGS)
 export CLANG_FLAGS
 endif
 
+export HAS_CHECKPOLICY := $(call success,$(CHECKPOLICY) -h 2>&1 | grep -q xen)
+
 export root-make-done := y
 endif # root-make-done
 
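Review bot: The added `HAS_CHECKPOLICY` assignment has no comment saying what the probe tests or which consumer relies on it, and it now decides whether a security option is offered at all. A short comment above it would help, for example `# Used by Kconfig to gate XSM_FLASK_POLICY: y only if $(CHECKPOLICY) runs and its help output mentions xen.` The `success` helper is not defined in the visible hunks, so confirm it expands to a value that the quoted `"$(HAS_CHECKPOLICY)"` in xen/common/Kconfig evaluates as intended, including when the variable is empty. The assignment sits inside the `root-make-done` guard, which begins outside this hunk.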
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 0ddd18e11af3..a5ef3814f531 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -235,8 +235,8 @@ config XSM_FLASK_AVC_STATS
 
 config XSM_FLASK_POLICY
        bool "Compile Xen with a built-in FLASK security policy"
-       default y if "$(XEN_HAS_CHECKPOLICY)" = "y"
-       depends on XSM_FLASK
+       default y
+       depends on XSM_FLASK && "$(HAS_CHECKPOLICY)"
        ---help---
          This includes a default XSM policy in the hypervisor so that the
          bootloader does not need to load a policy to get sane behavior from an
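Review bot: Moving the probe from `default` to `depends on` means a `.config` that explicitly sets `XSM_FLASK_POLICY=y` is silently switched off when built on a host where `checkpolicy` is missing or lacks Xen support; previously only the default changed and such a build failed loudly. The outcome is a FLASK-enabled hypervisor without the built-in policy, which per the help text then relies on the bootloader to load one. The help text should state the condition, for example `This option is only available if a Xen-capable checkpolicy is found at build time.`, and a build-time message when XSM_FLASK is enabled but the policy is dropped would make the downgrade visible. The help block continues past the end of the hunk.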
-- 
Anthony PERARD




 

