xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Jan Beulich <jbeulich@suse.com>
To: Anthony PERARD <anthony.perard@citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	George Dunlap <george.dunlap@citrix.com>,
	Ian Jackson <iwj@xenproject.org>, Julien Grall <julien@xen.org>,
	Stefano Stabellini <sstabellini@kernel.org>, Wei Liu <wl@xen.org>,
	xen-devel@lists.xenproject.org
Subject: Re: [XEN PATCH v2] xen: allow XSM_FLASK_POLICY only if checkpolicy binary is available
Date: Mon, 19 Jul 2021 13:04:50 +0200	[thread overview]
Message-ID: <97e99661-2b03-22fb-018b-a40c48b86a0c@suse.com> (raw)
In-Reply-To: <YPVYJqKBEmlAwnME@perard>

On 19.07.2021 12:47, Anthony PERARD wrote:
> On Mon, Jul 19, 2021 at 09:37:06AM +0200, Jan Beulich wrote:
>> On 16.07.2021 14:38, Anthony PERARD wrote:
>>> +export HAS_CHECKPOLICY := $(call success,$(CHECKPOLICY) -h 2>&1 | grep -q xen)
>>
>> While the setting indeed gets obtained in a Makefile now, ...
>>
>>> --- a/xen/common/Kconfig
>>> +++ b/xen/common/Kconfig
>>> @@ -235,8 +235,8 @@ config XSM_FLASK_AVC_STATS
>>>  
>>>  config XSM_FLASK_POLICY
>>>  	bool "Compile Xen with a built-in FLASK security policy"
>>> -	default y if "$(XEN_HAS_CHECKPOLICY)" = "y"
>>> -	depends on XSM_FLASK
>>> +	default y
>>> +	depends on XSM_FLASK && "$(HAS_CHECKPOLICY)"
>>
>> ... it's still used as a Kconfig dependency. This in particular
>> does not address George's concern about a setting silently getting
>> turned off behind the back of the person having enabled it (and
> 
> This patch v2 wasn't meant to address George's concern which didn't
> exist at the time this v2 was sent... I was trying to address yours.
> 
> But it seems that "George's concern" is part of your issues with
> Kconfig too, which I missed when trying to right this v2.
> 
> Anyway, those two patches are the only way I'm going to try to fix the
> random build failure in the GitLab CI, I'm not going to try to fix
> issues with the use of Kconfig for now. In the mean time either v1 or v2
> is committed, or will just keep getting random build failure in the
> GitLab CI.

Fair enough. I actually think that randconfig shouldn't act quite as
randomly as it does. But what's sensible as behavior there really
depends heavily on the future intentions with .config. If we follow
Linux'es model (which Andrew advocates for), its randomness would be
limited by options which could get randomly set getting further
altered by environmental conditions. Hence that would limit what can
actually be tested, but it would avoid failures resulting from the
environment not matching the chose settings.

Otoh with our current model (largely, leaving aside the few
environment checks we've already got) what is being asked for is
what is going to get built. But failure from environmental
constraints shouldn't be treated the same as failure from bad
interaction of options; it's (aiui) the latter which randconfig is
supposed to point out.

Jan



  reply	other threads:[~2021-07-19 11:05 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-14 16:17 [XEN PATCH] xen: allow XSM_FLASK_POLICY only if checkpolicy binary is available Anthony PERARD
2021-07-14 16:51 ` Jason Andryuk
2021-07-14 17:09 ` Andrew Cooper
2021-07-15  6:25 ` Jan Beulich
2021-07-16 12:36   ` Anthony PERARD
2021-07-16 13:15   ` Andrew Cooper
2021-07-16 14:34     ` Jan Beulich
2021-07-16 16:23     ` Anthony PERARD
2021-07-16 12:38 ` [XEN PATCH v2] " Anthony PERARD
2021-07-16 13:00   ` Andrew Cooper
2021-07-19  7:37   ` Jan Beulich
2021-07-19 10:47     ` Anthony PERARD
2021-07-19 11:04       ` Jan Beulich [this message]
2021-07-19 14:33         ` George Dunlap
2021-07-16 15:26 ` [XEN PATCH] " George Dunlap
2021-07-16 15:50   ` Juergen Gross
2021-07-16 15:56   ` Anthony PERARD
2021-07-16 16:14   ` Andrew Cooper
2021-07-19  7:10     ` Jan Beulich
2021-07-16 16:27   ` Anthony PERARD

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=97e99661-2b03-22fb-018b-a40c48b86a0c@suse.com \
    --to=jbeulich@suse.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=anthony.perard@citrix.com \
    --cc=george.dunlap@citrix.com \
    --cc=iwj@xenproject.org \
    --cc=julien@xen.org \
    --cc=sstabellini@kernel.org \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).