Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data
On 06/09/2016 05:54 PM, Doug Goldstein wrote:
> On 6/9/16 11:53 AM, Daniel De Graaf wrote:
>> On 06/09/2016 12:15 PM, Jan Beulich wrote:
>>> On 09.06.16 at 16:47, <dgdegra@xxxxxxxxxxxxx> wrote:
>>>> --- a/xen/common/Kconfig
>>>> +++ b/xen/common/Kconfig
>>>> @@ -132,6 +132,23 @@ config FLASK
>>>>  If unsure, say Y.
>>>>
>>>> +config XSM_POLICY
>>>> + bool "Compile Xen with a built-in security policy"
>>>> + default y
>>>> + depends on XSM
>>>> + ---help---
>>>> + This includes a default XSM policy in the hypervisor so that the
>>>> + bootloader does not need to load a policy to get sane behavior from an
>>>> + XSM-enabled hypervisor. If this is disabled, a policy must be
>>>> + provided by the bootloader or by Domain 0. Even if this is enabled, a
>>>> + policy provided by the bootloader will override it.
>>>> +
>>>> + This requires that the SELinux policy compiler (checkpolicy) be
>>>> + available when compiling the hypervisor; if this tool is not found, no
>>>> + policy will be added.
>>>> +
>>>> + If unsure, say Y.
>>>> +
>>>>  config FLASK_AVC_STATS
>>>>  def_bool y
>>>>  depends on FLASK
>>>
>>> Placing this between FLASK and FLASK_AVC_STATS will break proper menuconfig representation of the latter afaict.
>>>
>>> Jan
>>
>> This option isn't visible in menuconfig. Should I make it visible?
>
> I believe I actually had that as an outstanding question to you on the series that introduced that flag. At the time I didn't see the need for it to be visible.

Since it's come up again, I think it should either be made visible (in a distinct patch), but maybe limited to EXPERT=y. Otherwise, it seems like the option and its #ifdefs should be removed: there's no point in having the option if it's not possible to adjust it.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
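Review bot: the XSM_POLICY help text in the quoted hunk (the paragraph beginning "This requires that the SELinux policy compiler (checkpolicy) be available") documents a silent fallback: with the option defaulting to y, a build host that lacks checkpolicy produces a hypervisor on which XSM_POLICY is selected but no policy is actually embedded, and nothing in the hunk says how that condition is reported to the person building it. Suggest either making a missing checkpolicy a build error when XSM_POLICY=y, or at least stating in the help text that the build warns when it falls back, so the operator knows the bootloader or Domain 0 must still supply a policy.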