
Re: [XEN PATCH v4] xen: rework `checkpolicy` detection when using "randconfig"


  • To: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • From: Luca Fancellu <luca.fancellu@xxxxxxx>
  • Date: Tue, 28 Sep 2021 15:46:13 +0100
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Tue, 28 Sep 2021 14:46:55 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>


> On 28 Sep 2021, at 09:39, Anthony PERARD <anthony.perard@xxxxxxxxxx> wrote:
> 
> This will help prevent the CI loop from having build failures when
> `checkpolicy` isn't available when doing "randconfig" jobs.
> 
> To prevent "randconfig" from selecting XSM_FLASK_POLICY when
> `checkpolicy` isn't available, we will actually override the config
> output with the use of KCONFIG_ALLCONFIG.
> 
> Doing it this way still allows a user/developer to set XSM_FLASK_POLICY
> even when "checkpolicy" isn't available. It also prevents the build
> system from resetting the config when "checkpolicy" isn't available
> anymore. And XSM_FLASK_POLICY is still selected automatically when
> `checkpolicy` is available.
> But this also works well for "randconfig", as it will not select
> XSM_FLASK_POLICY when "checkpolicy" is missing.
> 
> This patch allows easily adding more overrides which depend on the
> environment.
> 
> Also, move the check out of Config.mk and into xen/ build system.
> Nothing in tools/ is using that information as it's done by
> ./configure.
> 
> We named the new file ".allconfig.tmp" as ".*.tmp" are already ignored
> via .gitignore.
> 
> Remove '= y' in Kconfig as it isn't needed, only a value "y" is true,
> anything else is considered false.

I don’t know if it is true, I’m having a look here: 
https://www.kernel.org/doc/Documentation/kbuild/kconfig-language.txt

And the section “Menu dependencies” states that:

An expression can have a value of 'n', 'm' or 'y' (or 0, 1, 2
respectively for calculations).

So it seems to me that m and y are evaluated as true, am I wrong?

Cheers,
Luca

> 
> Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
> ---
> v4:
> - keep XEN_ prefix for HAS_CHECKPOLICY
> - rework .allconfig.tmp file generation, so it is easier to read.
> - remove .allconfig.tmp on clean, .*.tmp files aren't all cleaned yet,
>  maybe for another time.
> - add information about file name choice and Kconfig change in patch
>  description.
> 
> v3:
> - use KCONFIG_ALLCONFIG
> - don't override XSM_FLASK_POLICY value unless we do randconfig.
> - no more changes to the current behavior of kconfig, only to
>  randconfig.
> 
> v2 was "[XEN PATCH v2] xen: allow XSM_FLASK_POLICY only if checkpolicy binary 
> is available"
> ---
> Config.mk          |  6 ------
> xen/Makefile       | 20 +++++++++++++++++---
> xen/common/Kconfig |  2 +-
> 3 files changed, 18 insertions(+), 10 deletions(-)
> 
> diff --git a/Config.mk b/Config.mk
> index e85bf186547f..d5490e35d03d 100644
> --- a/Config.mk
> +++ b/Config.mk
> @@ -137,12 +137,6 @@ export XEN_HAS_BUILD_ID=y
> build_id_linker := --build-id=sha1
> endif
> 
> -ifndef XEN_HAS_CHECKPOLICY
> -    CHECKPOLICY ?= checkpolicy
> -    XEN_HAS_CHECKPOLICY := $(shell $(CHECKPOLICY) -h 2>&1 | grep -q xen && 
> echo y || echo n)
> -    export XEN_HAS_CHECKPOLICY
> -endif
> -
> define buildmakevars2shellvars
>     export PREFIX="$(prefix)";                                            \
>     export XEN_SCRIPT_DIR="$(XEN_SCRIPT_DIR)";                            \
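
Review bot: the block removed here also carried the `CHECKPOLICY ?= checkpolicy` default, and after this patch that default is only set in xen/Makefile. The description explains that nothing in tools/ uses XEN_HAS_CHECKPOLICY, but it does not mention $(CHECKPOLICY) itself. Please confirm that no other makefile including Config.mk expands $(CHECKPOLICY) without its own default, and say so in the commit message.
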
> diff --git a/xen/Makefile b/xen/Makefile
> index f47423dacd9a..7c2ffce0fc77 100644
> --- a/xen/Makefile
> +++ b/xen/Makefile
> @@ -17,6 +17,8 @@ export XEN_BUILD_HOST       ?= $(shell hostname)
> PYTHON_INTERPRETER    := $(word 1,$(shell which python3 python python2 
> 2>/dev/null) python)
> export PYTHON         ?= $(PYTHON_INTERPRETER)
> 
> +export CHECKPOLICY   ?= checkpolicy
> +
> export BASEDIR := $(CURDIR)
> export XEN_ROOT := $(BASEDIR)/..
> 
> @@ -178,6 +180,8 @@ CFLAGS += $(CLANG_FLAGS)
> export CLANG_FLAGS
> endif
> 
> +export XEN_HAS_CHECKPOLICY := $(call success,$(CHECKPOLICY) -h 2>&1 | grep 
> -q xen)
> +
> export root-make-done := y
> endif # root-make-done
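
Review bot: the new `export XEN_HAS_CHECKPOLICY := $(call success,...)` assignment is unconditional, while the block removed from Config.mk was wrapped in `ifndef XEN_HAS_CHECKPOLICY`. A value supplied through the environment is therefore overwritten by the probe, and only a command-line assignment still takes precedence. If CI or packagers rely on presetting it, keep the `ifndef` guard; otherwise note the behaviour change in the description. The rest of the patch also depends on `success` yielding exactly "y" or "n", which is not visible in this hunk, so a short comment stating that would help.
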
> 
> @@ -189,14 +193,24 @@ ifeq ($(config-build),y)
> # *config targets only - make sure prerequisites are updated, and descend
> # in tools/kconfig to make the *config target
> 
> +# Create a file for KCONFIG_ALLCONFIG which depends on the environment.
> +# This will be use by kconfig targets 
> allyesconfig/allmodconfig/allnoconfig/randconfig
> +filechk_kconfig_allconfig = \
> +    $(if $(findstring n,$(XEN_HAS_CHECKPOLICY)), echo 
> 'CONFIG_XSM_FLASK_POLICY=n';) \
> +    $(if $(KCONFIG_ALLCONFIG), cat $(KCONFIG_ALLCONFIG);) \
> +    :
> +
> +.allconfig.tmp: FORCE
> +     set -e; { $(call filechk_kconfig_allconfig); } > $@
> +
> config: FORCE
>       $(MAKE) $(kconfig) $@
> 
> # Config.mk tries to include .config file, don't try to remake it
> %/.config: ;
> 
> -%config: FORCE
> -     $(MAKE) $(kconfig) $@
> +%config: .allconfig.tmp FORCE
> +     $(MAKE) $(kconfig) KCONFIG_ALLCONFIG=$< $@
> 
> else # !config-build
> 
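
Review bot: in filechk_kconfig_allconfig, `$(if $(KCONFIG_ALLCONFIG), cat $(KCONFIG_ALLCONFIG);)` treats any non-empty value as a file name, but kconfig documents `KCONFIG_ALLCONFIG=1` as "use the default all*.config file". With that setting the recipe runs `cat 1` under `set -e` and the target fails. Either handle the "1" case explicitly or document that only a file path is supported here. Separately, `$(findstring n,$(XEN_HAS_CHECKPOLICY))` matches any value containing the letter n and emits no override when the variable is empty; `$(filter n,...)`, or testing for "not y", states the intent more exactly. The added comment also has a typo: "will be use" should be "will be used".
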
> @@ -368,7 +382,7 @@ _clean: delete-unfresh-files
>               -o -name "*.gcno" -o -name ".*.cmd" -o -name "lib.a" \) -exec 
> rm -f {} \;
>       rm -f include/asm $(TARGET) $(TARGET).gz $(TARGET).efi 
> $(TARGET).efi.map $(TARGET)-syms $(TARGET)-syms.map *~ core
>       rm -f asm-offsets.s include/asm-*/asm-offsets.h
> -     rm -f .banner
> +     rm -f .banner .allconfig.tmp
> 
> .PHONY: _distclean
> _distclean: clean
> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
> index db687b1785e7..eb6c2edb7bfe 100644
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -251,7 +251,7 @@ config XSM_FLASK_AVC_STATS
> 
> config XSM_FLASK_POLICY
>       bool "Compile Xen with a built-in FLASK security policy"
> -     default y if "$(XEN_HAS_CHECKPOLICY)" = "y"
> +     default y if "$(XEN_HAS_CHECKPOLICY)"
>       depends on XSM_FLASK
>       ---help---
>         This includes a default XSM policy in the hypervisor so that the
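
Review bot: `default y if "$(XEN_HAS_CHECKPOLICY)"` depends on how kconfig evaluates a bare quoted constant, which the patch description has to explain and which is already being questioned in this thread. The explicit `= "y"` comparison was self-documenting and gave the same result for both values the Makefile produces. Unless there is a functional reason to drop it, keep the comparison or add a one-line comment above the `default` stating that only "y" enables it.
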
> -- 
> Anthony PERARD
> 
> 