
Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data


  • To: Jan Beulich <JBeulich@xxxxxxxx>
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Thu, 9 Jun 2016 12:53:39 -0400
  • Cc: xen-devel@xxxxxxxxxxxxx
  • Delivery-date: Thu, 09 Jun 2016 16:54:05 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 06/09/2016 12:15 PM, Jan Beulich wrote:
On 09.06.16 at 16:47, <dgdegra@xxxxxxxxxxxxx> wrote:
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -132,6 +132,23 @@ config FLASK

          If unsure, say Y.

+config XSM_POLICY
+       bool "Compile Xen with a built-in security policy"
+       default y
+       depends on XSM
+       ---help---
+         This includes a default XSM policy in the hypervisor so that the
+         bootloader does not need to load a policy to get sane behavior from an
+         XSM-enabled hypervisor.  If this is disabled, a policy must be
+         provided by the bootloader or by Domain 0.  Even if this is enabled, a
+         policy provided by the bootloader will override it.
+
+         This requires that the SELinux policy compiler (checkpolicy) be
+         available when compiling the hypervisor; if this tool is not found, no
+         policy will be added.
+
+         If unsure, say Y.
+
 config FLASK_AVC_STATS
        def_bool y
        depends on FLASK
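
Review bot: the last help paragraph of XSM_POLICY says that if checkpolicy is not found "no policy will be added", so with "default y" a build can report XSM_POLICY=y while the hypervisor contains no built-in policy. Per the first help paragraph, that leaves the system depending on a policy from the bootloader or Domain 0 without the builder being told. Consider failing the build, or at least emitting a clear warning, when the option is set and the tool is missing, and saying in the help text how to confirm that the policy was actually embedded. Separately, the entry depends on XSM while the neighbouring FLASK_AVC_STATS depends on FLASK; since the policy is built with the SELinux policy compiler, please check whether "depends on FLASK" is the intended dependency.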

Placing this between FLASK and FLASK_AVC_STATS will break proper
menuconfig representation of the latter afaict.

Jan

This option isn't visible in menuconfig.  Should I make it visible?

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

