
Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data



On 6/9/16 11:53 AM, Daniel De Graaf wrote:
> On 06/09/2016 12:15 PM, Jan Beulich wrote:
>>>>> On 09.06.16 at 16:47, <dgdegra@xxxxxxxxxxxxx> wrote:
>>> --- a/xen/common/Kconfig
>>> +++ b/xen/common/Kconfig
>>> @@ -132,6 +132,23 @@ config FLASK
>>>
>>>        If unsure, say Y.
>>>
>>> +config XSM_POLICY
>>> +    bool "Compile Xen with a built-in security policy"
>>> +    default y
>>> +    depends on XSM
>>> +    ---help---
>>> +      This includes a default XSM policy in the hypervisor so that the
>>> +      bootloader does not need to load a policy to get sane behavior
>>> from an
>>> +      XSM-enabled hypervisor.  If this is disabled, a policy must be
>>> +      provided by the bootloader or by Domain 0.  Even if this is
>>> enabled, a
>>> +      policy provided by the bootloader will override it.
>>> +
>>> +      This requires that the SELinux policy compiler (checkpolicy) be
>>> +      available when compiling the hypervisor; if this tool is not
>>> found, no
>>> +      policy will be added.
>>> +
>>> +      If unsure, say Y.
>>> +
>>>  config FLASK_AVC_STATS
>>>      def_bool y
>>>      depends on FLASK
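
Review bot: the last help paragraph of the new XSM_POLICY entry says that when checkpolicy is not found "no policy will be added", which combined with `default y` means a build can carry XSM_POLICY=y while the image contains no built-in policy, and nothing tells the builder. Consider failing the build, or at least emitting a warning, when the option is enabled and the tool is missing, so the config value matches what is actually in the hypervisor. Since the policy is built with the SELinux policy compiler, it is also worth checking whether `depends on FLASK` is the closer dependency than `depends on XSM`.
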
>>
>> Placing this between FLASK and FLASK_AVC_STATS will break proper
>> menuconfig representation of the latter afaict.
>>
>> Jan
> 
> This option isn't visible in menuconfig.  Should I make it visible?
> 

I believe I actually had that as an outstanding question to you on the
series that introduced that flag.

-- 
Doug Goldstein
