[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH] xen: allow XSM_FLASK_POLICY only if checkpolicy binary is available

  • To: George Dunlap <George.Dunlap@xxxxxxxxxx>
  • From: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Date: Fri, 16 Jul 2021 16:56:18 +0100
  • Authentication-results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Andrew Cooper" <Andrew.Cooper3@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, "Jan Beulich" <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Fri, 16 Jul 2021 15:56:28 +0000
  • Ironport-hdrordr: A9a23:0TxUDqDfco6TIC3lHemU55DYdb4zR+YMi2TC1yhKKCC9Vvbo8P xG+85rsyMc6QxhPE3I9urtBEDtexzhHNtOkPAs1NSZLWzbUQmTXeJfBOLZqlWKcUDDH6xmpM VdmsBFeaXN5DNB7foSjjPXL+od
  • Ironport-sdr: 64+1SX+S6gVK3jLfp5qQLGDPIbWvh7DFFMXXlEQkLeszC0zHQapgIP3u24nYC5Wyoi7IJGc4VK zdAATMxfaN13t/5p6u5lyU7RMLYbmhLfOU/cCk6x3HBBx3wFaD/tzvBXebeM3uxlh/chjJY9EP 3E1WCCcfuUe1OzJbAumPQPAeIxeq8yEsgJFrNuFDTyEh8eDGRLDfY5WZ/xFgV3w7BrUvP9J+MP //5h43nZjFLLm9J2Qc7SCclROQtBantsisXWshRabIozYuqM4jLCzubom/rCqKFI2ZWt/auHqk 1HA=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Jul 16, 2021 at 04:26:39PM +0100, George Dunlap wrote:
> > On Jul 14, 2021, at 5:17 PM, Anthony PERARD <anthony.perard@xxxxxxxxxx> 
> > wrote:
> > 
> > This will help prevent the CI loop from having build failures when
> > `checkpolicy` isn't available, when doing "randconfig" jobs.
> Hang on, just to clarify what’s going on here.
> ‘randconfig’ is setting CONFIG_XSM_FLASK_POLICY in the .config file; and then 
> when the build happens, we error out because one of the required components 
> isn’t there.
> What this patch does is to make it so that if someone explicitly sets 
> CONFIG_XSM_FLASK_POLICY=y, but doesn’t have checkpolicy, the build system 
> will silently disable the policy behind their backs without telling them?
> Or does the randconfig test run kConfig one more time, at which point *then* 
> the .config will be disabled?
> The former I think is broken; the latter I think is fine.

That's right, Xen's build system is broken.

Kconfig doesn't say whether a given .config is correct or not, it
removes non existing CONFIG_* setting as well as those that are missing
dependencies. This isn't new, this is the default, this is how Linux is
using Kconfig.

But there's a way out of that.
There's an option to prevent Kconfig from updating .config, setting
KCONFIG_NOSILENTUPDATE in the environment (see docs/misc/kconfig.rst).
But that won't work as expected with the Xen build system because to
update the config via "syncconfig" doesn't prevent the build system from
building Xen (and probably fail later).
If it were working, build would fail, and user would have to run
"oldconfig" or other *config targets, and check the result (diff
.config.old .config).


Anthony PERARD



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.