
Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data


  • To: Doug Goldstein <cardoe@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Fri, 10 Jun 2016 10:50:54 -0400
  • Cc: xen-devel@xxxxxxxxxxxxx
  • Delivery-date: Fri, 10 Jun 2016 14:51:02 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 06/09/2016 05:54 PM, Doug Goldstein wrote:
On 6/9/16 11:53 AM, Daniel De Graaf wrote:
On 06/09/2016 12:15 PM, Jan Beulich wrote:
On 09.06.16 at 16:47, <dgdegra@xxxxxxxxxxxxx> wrote:
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -132,6 +132,23 @@ config FLASK

       If unsure, say Y.

+config XSM_POLICY
+    bool "Compile Xen with a built-in security policy"
+    default y
+    depends on XSM
+    ---help---
+      This includes a default XSM policy in the hypervisor so that the
+      bootloader does not need to load a policy to get sane behavior
from an
+      XSM-enabled hypervisor.  If this is disabled, a policy must be
+      provided by the bootloader or by Domain 0.  Even if this is
enabled, a
+      policy provided by the bootloader will override it.
+
+      This requires that the SELinux policy compiler (checkpolicy) be
+      available when compiling the hypervisor; if this tool is not
found, no
+      policy will be added.
+
+      If unsure, say Y.
+
 config FLASK_AVC_STATS
     def_bool y
     depends on FLASK
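Review bot: The help text's "if this tool is not found, no policy will be added" describes a silent failure: with XSM_POLICY=y the hypervisor can still be built with no built-in policy, so the "sane behavior" the option promises depends on whether checkpolicy happened to be installed on the build host, and nothing in the hunk shows the build failing or warning in that case. Consider failing the build (or at least emitting a visible warning) when XSM_POLICY=y and checkpolicy is missing, and stating in the help text which of the two happens. Also, since the policy is compiled by checkpolicy and consumed by FLASK, `depends on FLASK` looks like the intended dependency rather than `depends on XSM`, which would also place the option after `config FLASK` in the menu hierarchy, the ordering concern raised below.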

Placing this between FLASK and FLASK_AVC_STATS will break proper
menuconfig representation of the latter afaict.

Jan

This option isn't visible in menuconfig.  Should I make it visible?


I believe I actually had that as an outstanding question to you on the
series that introduced that flag.

At the time I didn't see the need for it to be visible.  Since it's come
up again, I think it should either be made visible (in a distinct patch),
perhaps limited to EXPERT=y, or the option and its #ifdefs should be
removed: there's no point in having the option if it's not possible to
adjust it.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
