Xen project Mailing List

[XEN PATCH v2] xen: allow XSM_FLASK_POLICY only if checkpolicy binary is available

From: Anthony PERARD <anthony.perard@xxxxxxxxxx>

Date: Fri, 16 Jul 2021 13:38:12 +0100

Authentication-results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "Ian Jackson" <iwj@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Fri, 16 Jul 2021 12:38:25 +0000

Ironport-hdrordr: A9a23:rBC09qlRUAYYIVjZWXQoZl/ymvLpDfLo3DAbv31ZSRFFG/Fw9/ rCoB17726QtN91YhsdcL+7V5VoLUmzyXcX2/hyAV7BZmnbUQKTRekP0WKL+Vbd8kbFh41gPM lbEpSXCLfLfCJHZcSR2njELz73quP3jJxBho3lvghQpRkBUdAF0+/gYDzranGfQmN9dP0EPa vZ3OVrjRy6d08aa8yqb0N1JNQq97Xw5fTbiQdtPW9f1DWz

Ironport-sdr: d0i5hlDDdkuS1jW/SZH+dj5FOAGRhLn3YoAu0aAJuiRWqU5YwrWy3NJfcS1wwul7wE/h7aWHRw QJLvsNnPNYRU5mp5d8yltE2+KiYoS8QmUq0GyAcT5kiGPRBwPqR7TDP+MU7pkrT+4j6cxAEZxN SNfUwN5qmdo1VuxBo1uFK3qkYbVEFyhusfu83tPgyTaNdXErLe9ZbN/bkneFPeFboY10aQ2pI8 SIqFM/t+2BKAlQ6SpXSMrb+trLlhXhsGX0AAfUT6Tld4wYYmA0VWzE2usJPpHtEk2RNIJJD2B3 TSM=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

This will help prevent the CI loop from having build failures when `checkpolicy` isn't available, when doing "randconfig" jobs. Also, move the check out of Config.mk and into xen/ build system. Nothing in tools/ is using that information as it's done by ./configure. Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx> --- We might want to have a new Makefile for this kind of check that Kconfig is going to use, just to keep the main Makefile a bit cleaner. But maybe another time, if more are comming. v2: - move check to Makefile --- Config.mk | 6 ------ xen/Makefile | 4 ++++ xen/common/Kconfig | 4 ++-- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/Config.mk b/Config.mk index d08fa8d60dd7..97d3633706b3 100644 --- a/Config.mk +++ b/Config.mk @@ -137,12 +137,6 @@ export XEN_HAS_BUILD_ID=y build_id_linker := --build-id=sha1 endif -ifndef XEN_HAS_CHECKPOLICY - CHECKPOLICY ?= checkpolicy - XEN_HAS_CHECKPOLICY := $(shell $(CHECKPOLICY) -h 2>&1 | grep -q xen && echo y || echo n) - export XEN_HAS_CHECKPOLICY -endif - define buildmakevars2shellvars export PREFIX="$(prefix)"; \ export XEN_SCRIPT_DIR="$(XEN_SCRIPT_DIR)"; \ diff --git a/xen/Makefile b/xen/Makefile index 8023680ffbf2..045ddb18ad68 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -17,6 +17,8 @@ export XEN_BUILD_HOST ?= $(shell hostname) PYTHON_INTERPRETER := $(word 1,$(shell which python3 python python2 2>/dev/null) python) export PYTHON ?= $(PYTHON_INTERPRETER) +export CHECKPOLICY ?= checkpolicy + export BASEDIR := $(CURDIR) export XEN_ROOT := $(BASEDIR)/.. @@ -156,6 +158,8 @@ CFLAGS += $(CLANG_FLAGS) export CLANG_FLAGS endif +export HAS_CHECKPOLICY := $(call success,$(CHECKPOLICY) -h 2>&1 | grep -q xen) + export root-make-done := y endif # root-make-done diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 0ddd18e11af3..a5ef3814f531 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -235,8 +235,8 @@ config XSM_FLASK_AVC_STATS config XSM_FLASK_POLICY bool "Compile Xen with a built-in FLASK security policy" - default y if "$(XEN_HAS_CHECKPOLICY)" = "y" - depends on XSM_FLASK + default y + depends on XSM_FLASK && "$(HAS_CHECKPOLICY)" ---help--- This includes a default XSM policy in the hypervisor so that the bootloader does not need to load a policy to get sane behavior from an -- Anthony PERARD

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.