xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Jan Beulich <jbeulich@suse.com>
To: Anthony PERARD <anthony.perard@citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	George Dunlap <george.dunlap@citrix.com>,
	Ian Jackson <iwj@xenproject.org>, Julien Grall <julien@xen.org>,
	Stefano Stabellini <sstabellini@kernel.org>, Wei Liu <wl@xen.org>,
	xen-devel@lists.xenproject.org
Subject: Re: [XEN PATCH v2] xen: allow XSM_FLASK_POLICY only if checkpolicy binary is available
Date: Mon, 19 Jul 2021 09:37:06 +0200	[thread overview]
Message-ID: <aada0028-ff60-9f59-5d87-a023ecd35d11@suse.com> (raw)
In-Reply-To: <20210716123812.494081-1-anthony.perard@citrix.com>

On 16.07.2021 14:38, Anthony PERARD wrote:
> This will help prevent the CI loop from having build failures when
> `checkpolicy` isn't available, when doing "randconfig" jobs.
> 
> Also, move the check out of Config.mk and into xen/ build system.
> Nothing in tools/ is using that information as it's done by
> ./configure.
> 
> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> ---
> We might want to have a new Makefile for this kind of check that
> Kconfig is going to use, just to keep the main Makefile a bit cleaner.
> But maybe another time, if more are comming.
> 
> v2:
> - move check to Makefile

I'm afraid I don't understand:

> --- a/xen/Makefile
> +++ b/xen/Makefile
> @@ -17,6 +17,8 @@ export XEN_BUILD_HOST	?= $(shell hostname)
>  PYTHON_INTERPRETER	:= $(word 1,$(shell which python3 python python2 2>/dev/null) python)
>  export PYTHON		?= $(PYTHON_INTERPRETER)
>  
> +export CHECKPOLICY	?= checkpolicy
> +
>  export BASEDIR := $(CURDIR)
>  export XEN_ROOT := $(BASEDIR)/..
>  
> @@ -156,6 +158,8 @@ CFLAGS += $(CLANG_FLAGS)
>  export CLANG_FLAGS
>  endif
>  
> +export HAS_CHECKPOLICY := $(call success,$(CHECKPOLICY) -h 2>&1 | grep -q xen)

While the setting indeed gets obtained in a Makefile now, ...

> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -235,8 +235,8 @@ config XSM_FLASK_AVC_STATS
>  
>  config XSM_FLASK_POLICY
>  	bool "Compile Xen with a built-in FLASK security policy"
> -	default y if "$(XEN_HAS_CHECKPOLICY)" = "y"
> -	depends on XSM_FLASK
> +	default y
> +	depends on XSM_FLASK && "$(HAS_CHECKPOLICY)"

... it's still used as a Kconfig dependency. This in particular
does not address George's concern about a setting silently getting
turned off behind the back of the person having enabled it (and
this could happen at any time, not just during the initial build,
where one might still remember to diff .config against
.config.old). The minimal thing imo is some kind of warning then.
Even better would be if the setting was left unchanged and the
build would fail; a solution for randconfig would then still be
needed of course. If we wanted to go this route, a tristate type
for the values may be unavoidable, along the lines of what Jürgen
has suggested. I wouldn't think of a global override though, but
a distinction of the origin of each option's setting. This might
be as simple as y vs Y for "positive" values and "# CONFIG_...
is not set" present (for visible options) or absent (for options
the user can't control) for "negative" ones. But yes, this would
likely be an intrusive change _and_ it would not be clear how to
transform existing .config-s, so is unlikely to be suitable for
the immediate issue at hand.

Jan



  parent reply	other threads:[~2021-07-19  7:37 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-14 16:17 [XEN PATCH] xen: allow XSM_FLASK_POLICY only if checkpolicy binary is available Anthony PERARD
2021-07-14 16:51 ` Jason Andryuk
2021-07-14 17:09 ` Andrew Cooper
2021-07-15  6:25 ` Jan Beulich
2021-07-16 12:36   ` Anthony PERARD
2021-07-16 13:15   ` Andrew Cooper
2021-07-16 14:34     ` Jan Beulich
2021-07-16 16:23     ` Anthony PERARD
2021-07-16 12:38 ` [XEN PATCH v2] " Anthony PERARD
2021-07-16 13:00   ` Andrew Cooper
2021-07-19  7:37   ` Jan Beulich [this message]
2021-07-19 10:47     ` Anthony PERARD
2021-07-19 11:04       ` Jan Beulich
2021-07-19 14:33         ` George Dunlap
2021-07-16 15:26 ` [XEN PATCH] " George Dunlap
2021-07-16 15:50   ` Juergen Gross
2021-07-16 15:56   ` Anthony PERARD
2021-07-16 16:14   ` Andrew Cooper
2021-07-19  7:10     ` Jan Beulich
2021-07-16 16:27   ` Anthony PERARD

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aada0028-ff60-9f59-5d87-a023ecd35d11@suse.com \
    --to=jbeulich@suse.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=anthony.perard@citrix.com \
    --cc=george.dunlap@citrix.com \
    --cc=iwj@xenproject.org \
    --cc=julien@xen.org \
    --cc=sstabellini@kernel.org \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).