* [PATCH for-4.8] flask: build policy in different locations
@ 2016-10-28 15:17 Wei Liu
2016-10-28 15:32 ` Jan Beulich
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Wei Liu @ 2016-10-28 15:17 UTC (permalink / raw)
To: Xen-devel; +Cc: Ian Jackson, Daniel De Graaf, Wei Liu
The flask policy can be build twice -- one for hypervisor and one for
tools.
Before this patch, everything is built inside tools/flask/policy
directory. It is possible to have a race to write to the same output
file when running parallel builds.
Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
build will set that variable to different directories, so that we can
be safe from races.
Adjust other bits of the build system as needed.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
---
.gitignore | 2 ++
tools/flask/policy/Makefile | 2 ++
tools/flask/policy/Makefile.common | 12 ++++++++----
xen/xsm/flask/Makefile | 7 ++++---
4 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/.gitignore b/.gitignore
index 6e5955e..a2f34a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -285,6 +285,8 @@ xen/xsm/flask/include/av_permissions.h
xen/xsm/flask/include/class_to_string.h
xen/xsm/flask/include/flask.h
xen/xsm/flask/include/initial_sid_to_string.h
+xen/xsm/flask/policy.*
+xen/xsm/flask/xenpolicy-*
tools/flask/policy/policy.conf
tools/flask/policy/xenpolicy-*
xen/xen
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index bead199..2fa8392 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -1,4 +1,6 @@
XEN_ROOT=$(CURDIR)/../../..
include $(XEN_ROOT)/tools/Rules.mk
+FLASK_BUILD_DIR=$(CURDIR)
+
include $(CURDIR)/Makefile.common
diff --git a/tools/flask/policy/Makefile.common b/tools/flask/policy/Makefile.common
index 312dec9..6d3ae3b 100644
--- a/tools/flask/policy/Makefile.common
+++ b/tools/flask/policy/Makefile.common
@@ -3,6 +3,10 @@
XEN_ROOT=$(CURDIR)/../../..
+ifeq ($(FLASK_BUILD_DIR),)
+$(error FLASK_BUILD_DIR not set)
+endif
+
########################################
#
# Configurable portions of the Makefile
@@ -31,7 +35,7 @@ OUTPUT_POLICY ?= $(BEST_POLICY_VER)
#
########################################
-POLICY_FILENAME = xenpolicy-$(shell $(MAKE) -C $(XEN_ROOT)/xen xenversion --no-print-directory)
+POLICY_FILENAME = $(FLASK_BUILD_DIR)/xenpolicy-$(shell $(MAKE) -C $(XEN_ROOT)/xen xenversion --no-print-directory)
POLICY_LOADPATH = /boot
# List of policy versions supported by the hypervisor
@@ -114,14 +118,14 @@ install: $(POLICY_FILENAME)
$(INSTALL_DIR) $(DESTDIR)/$(POLICY_LOADPATH)
$(INSTALL_DATA) $^ $(DESTDIR)/$(POLICY_LOADPATH)
-$(POLICY_FILENAME): policy.conf
+$(POLICY_FILENAME): $(FLASK_BUILD_DIR)/policy.conf
$(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
-policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
+$(FLASK_BUILD_DIR)/policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
$(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@
clean:
- $(RM) tmp policy.conf $(POLICY_FILENAME)
+ $(RM) $(FLASK_BUILD_DIR)/tmp $(FLASK_BUILD_DIR)/policy.conf $(POLICY_FILENAME)
distclean: clean
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 0ed7d7b..898cc20 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -29,10 +29,11 @@ $(AV_H_FILES): $(AV_H_DEPEND)
obj-$(CONFIG_XSM_POLICY) += policy.o
-POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION)
+FLASK_BUILD_DIR := $(CURDIR)
+POLICY_SRC := $(FLASK_BUILD_DIR)/xenpolicy-$(XEN_FULLVERSION)
policy.bin: FORCE
- $(MAKE) -f $(XEN_ROOT)/tools/flask/policy/Makefile.common -C $(XEN_ROOT)/tools/flask/policy
+ $(MAKE) -f $(XEN_ROOT)/tools/flask/policy/Makefile.common -C $(XEN_ROOT)/tools/flask/policy FLASK_BUILD_DIR=$(FLASK_BUILD_DIR)
cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@
policy.c: policy.bin gen-policy.py
@@ -40,4 +41,4 @@ policy.c: policy.bin gen-policy.py
.PHONY: clean
clean::
- rm -f $(ALL_H_FILES) *.o $(DEPS) policy.c policy.bin
+ rm -f $(ALL_H_FILES) *.o $(DEPS) policy.* $(POLICY_SRC)
--
2.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH for-4.8] flask: build policy in different locations
2016-10-28 15:17 [PATCH for-4.8] flask: build policy in different locations Wei Liu
@ 2016-10-28 15:32 ` Jan Beulich
2016-10-28 15:39 ` Wei Liu
2016-11-02 10:16 ` Wei Liu
2016-11-03 15:17 ` Daniel De Graaf
2 siblings, 1 reply; 7+ messages in thread
From: Jan Beulich @ 2016-10-28 15:32 UTC (permalink / raw)
To: Wei Liu; +Cc: Xen-devel, Daniel De Graaf, Ian Jackson
>>> On 28.10.16 at 17:17, <wei.liu2@citrix.com> wrote:
> --- a/.gitignore
> +++ b/.gitignore
> @@ -285,6 +285,8 @@ xen/xsm/flask/include/av_permissions.h
> xen/xsm/flask/include/class_to_string.h
> xen/xsm/flask/include/flask.h
> xen/xsm/flask/include/initial_sid_to_string.h
> +xen/xsm/flask/policy.*
> +xen/xsm/flask/xenpolicy-*
The two entries getting added here aren't in line with ...
> clean:
> - $(RM) tmp policy.conf $(POLICY_FILENAME)
> + $(RM) $(FLASK_BUILD_DIR)/tmp $(FLASK_BUILD_DIR)/policy.conf $(POLICY_FILENAME)
... the altered tmp removal here. I can't, however, tell which side
needs updating.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-4.8] flask: build policy in different locations
2016-10-28 15:32 ` Jan Beulich
@ 2016-10-28 15:39 ` Wei Liu
0 siblings, 0 replies; 7+ messages in thread
From: Wei Liu @ 2016-10-28 15:39 UTC (permalink / raw)
To: Jan Beulich; +Cc: Ian Jackson, Daniel De Graaf, Wei Liu, Xen-devel
On Fri, Oct 28, 2016 at 09:32:19AM -0600, Jan Beulich wrote:
> >>> On 28.10.16 at 17:17, <wei.liu2@citrix.com> wrote:
> > --- a/.gitignore
> > +++ b/.gitignore
> > @@ -285,6 +285,8 @@ xen/xsm/flask/include/av_permissions.h
> > xen/xsm/flask/include/class_to_string.h
> > xen/xsm/flask/include/flask.h
> > xen/xsm/flask/include/initial_sid_to_string.h
> > +xen/xsm/flask/policy.*
> > +xen/xsm/flask/xenpolicy-*
>
> The two entries getting added here aren't in line with ...
>
> > clean:
> > - $(RM) tmp policy.conf $(POLICY_FILENAME)
> > + $(RM) $(FLASK_BUILD_DIR)/tmp $(FLASK_BUILD_DIR)/policy.conf $(POLICY_FILENAME)
>
> ... the altered tmp removal here. I can't, however, tell which side
> needs updating.
>
tmp should be removed because there is no such thing.
Wei.
> Jan
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-4.8] flask: build policy in different locations
2016-10-28 15:17 [PATCH for-4.8] flask: build policy in different locations Wei Liu
2016-10-28 15:32 ` Jan Beulich
@ 2016-11-02 10:16 ` Wei Liu
2016-11-03 15:17 ` Daniel De Graaf
2 siblings, 0 replies; 7+ messages in thread
From: Wei Liu @ 2016-11-02 10:16 UTC (permalink / raw)
To: Xen-devel; +Cc: Ian Jackson, Daniel De Graaf, Wei Liu
On Fri, Oct 28, 2016 at 04:17:17PM +0100, Wei Liu wrote:
> The flask policy can be build twice -- one for hypervisor and one for
> tools.
>
> Before this patch, everything is built inside tools/flask/policy
> directory. It is possible to have a race to write to the same output
> file when running parallel builds.
>
> Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
> build will set that variable to different directories, so that we can
> be safe from races.
>
> Adjust other bits of the build system as needed.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> ---
> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
> Cc: Wei Liu <wei.liu2@citrix.com>
Daniel and Ian, do you have opinions on this patch?
Wei.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-4.8] flask: build policy in different locations
2016-10-28 15:17 [PATCH for-4.8] flask: build policy in different locations Wei Liu
2016-10-28 15:32 ` Jan Beulich
2016-11-02 10:16 ` Wei Liu
@ 2016-11-03 15:17 ` Daniel De Graaf
2016-11-03 15:22 ` Wei Liu
2 siblings, 1 reply; 7+ messages in thread
From: Daniel De Graaf @ 2016-11-03 15:17 UTC (permalink / raw)
To: Wei Liu, Xen-devel; +Cc: Ian Jackson
On 10/28/2016 11:17 AM, Wei Liu wrote:
> The flask policy can be build twice -- one for hypervisor and one for
> tools.
>
> Before this patch, everything is built inside tools/flask/policy
> directory. It is possible to have a race to write to the same output
> file when running parallel builds.
>
> Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
> build will set that variable to different directories, so that we can
> be safe from races.
>
> Adjust other bits of the build system as needed.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Pulling the definition of POLICY_FILENAME out of Makefile.common might
remove the need for the cmp||cp line in the xen-side Makefile, but that
probably belongs in another patch.
--
Daniel De Graaf
National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-4.8] flask: build policy in different locations
2016-11-03 15:17 ` Daniel De Graaf
@ 2016-11-03 15:22 ` Wei Liu
2016-11-04 14:25 ` Wei Liu
0 siblings, 1 reply; 7+ messages in thread
From: Wei Liu @ 2016-11-03 15:22 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: Xen-devel, Wei Liu, Ian Jackson
On Thu, Nov 03, 2016 at 11:17:59AM -0400, Daniel De Graaf wrote:
> On 10/28/2016 11:17 AM, Wei Liu wrote:
> >The flask policy can be build twice -- one for hypervisor and one for
> >tools.
> >
> >Before this patch, everything is built inside tools/flask/policy
> >directory. It is possible to have a race to write to the same output
> >file when running parallel builds.
> >
> >Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
> >build will set that variable to different directories, so that we can
> >be safe from races.
> >
> >Adjust other bits of the build system as needed.
> >
> >Signed-off-by: Wei Liu <wei.liu2@citrix.com>
>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
Thanks.
> Pulling the definition of POLICY_FILENAME out of Makefile.common might
> remove the need for the cmp||cp line in the xen-side Makefile, but that
> probably belongs in another patch.
>
Yes, I think that's better done with another patch.
I will remove the redundant "tmp" in Makefile.common as discussed with
Jan and commit the updated patch with your ack.
Wei.
> --
> Daniel De Graaf
> National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-4.8] flask: build policy in different locations
2016-11-03 15:22 ` Wei Liu
@ 2016-11-04 14:25 ` Wei Liu
0 siblings, 0 replies; 7+ messages in thread
From: Wei Liu @ 2016-11-04 14:25 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: Xen-devel, Wei Liu, Ian Jackson
On Thu, Nov 03, 2016 at 03:22:19PM +0000, Wei Liu wrote:
> On Thu, Nov 03, 2016 at 11:17:59AM -0400, Daniel De Graaf wrote:
> > On 10/28/2016 11:17 AM, Wei Liu wrote:
> > >The flask policy can be build twice -- one for hypervisor and one for
> > >tools.
> > >
> > >Before this patch, everything is built inside tools/flask/policy
> > >directory. It is possible to have a race to write to the same output
> > >file when running parallel builds.
> > >
> > >Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
> > >build will set that variable to different directories, so that we can
> > >be safe from races.
> > >
> > >Adjust other bits of the build system as needed.
> > >
> > >Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> >
> > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> >
>
> Thanks.
>
> > Pulling the definition of POLICY_FILENAME out of Makefile.common might
> > remove the need for the cmp||cp line in the xen-side Makefile, but that
> > probably belongs in another patch.
> >
>
> Yes, I think that's better done with another patch.
>
> I will remove the redundant "tmp" in Makefile.common as discussed with
> Jan and commit the updated patch with your ack.
Now applied.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-11-04 14:26 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-10-28 15:17 [PATCH for-4.8] flask: build policy in different locations Wei Liu
2016-10-28 15:32 ` Jan Beulich
2016-10-28 15:39 ` Wei Liu
2016-11-02 10:16 ` Wei Liu
2016-11-03 15:17 ` Daniel De Graaf
2016-11-03 15:22 ` Wei Liu
2016-11-04 14:25 ` Wei Liu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.