[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data

To: Jan Beulich <JBeulich@xxxxxxxx>
From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Date: Thu, 9 Jun 2016 12:53:39 -0400
Cc: xen-devel@xxxxxxxxxxxxx
Delivery-date: Thu, 09 Jun 2016 16:54:05 +0000
Ironport-phdr: 9a23:Imt8MRGeRGt0ahWNqBQ68p1GYnF86YWxBRYc798ds5kLTJ75rsywAkXT6L1XgUPTWs2DsrQf27uQ7P2rCDNIyK3CmU5BWaQEbwUCh8QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4Ov7yUtaLyZ/nhqbtptaCPE1hv3mUX/BbFF2OtwLft80b08NJC50a7V/3mEZOYPlc3mhyJFiezF7W78a0+4N/oWwL46pyv+YJa6jxfrw5QLpEF3xmdjltvIy4iAPHBTeryjNcFz9O00kAPw+Qzhj8Fr38ry/7veo1jAuwMNDyTLs0cS+/9KotQxjt3nQpLTk8pU3ejM19iOp3rVqOvRV2zcaAbI6ZOfVkd4vBbNgaQixHRc8XWCtfVNDvJ7ATBvYMaL4L57L2oEED+F7nX1Gh
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 06/09/2016 12:15 PM, Jan Beulich wrote:

On 09.06.16 at 16:47, <dgdegra@xxxxxxxxxxxxx> wrote:

--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -132,6 +132,23 @@ config FLASK

          If unsure, say Y.

+config XSM_POLICY
+       bool "Compile Xen with a built-in security policy"
+       default y
+       depends on XSM
+       ---help---
+         This includes a default XSM policy in the hypervisor so that the
+         bootloader does not need to load a policy to get sane behavior from an
+         XSM-enabled hypervisor.  If this is disabled, a policy must be
+         provided by the bootloader or by Domain 0.  Even if this is enabled, a
+         policy provided by the bootloader will override it.
+
+         This requires that the SELinux policy compiler (checkpolicy) be
+         available when compiling the hypervisor; if this tool is not found, no
+         policy will be added.
+
+         If unsure, say Y.
+
 config FLASK_AVC_STATS
        def_bool y
        depends on FLASK


Placing this between FLASK and FLASK_AVC_STATS will break proper
menuconfig representation of the latter afaict.

Jan


This option isn't visible in menuconfig.  Should I make it visible?

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data
  - From: Doug Goldstein

References:
- [Xen-devel] [PATCH 00/15] XSM/FLASK updates for 4.8
  - From: Daniel De Graaf
- [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data
  - From: Daniel De Graaf
- Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH 00/11] Honour XEN_{LOG, RUN}_DIR in various places
Next by Date: Re: [Xen-devel] [PATCH 00/11] Honour XEN_{LOG, RUN}_DIR in various places
Previous by thread: Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data
Next by thread: Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.