Re: [Xen-devel] [PATCH for-4.8] flask: build policy in different locations

2016-11-04 Thread Wei Liu 
On Thu, Nov 03, 2016 at 03:22:19PM +, Wei Liu wrote:
> On Thu, Nov 03, 2016 at 11:17:59AM -0400, Daniel De Graaf wrote:
> > On 10/28/2016 11:17 AM, Wei Liu wrote:
> > >The flask policy can be build twice -- one for hypervisor and one for
> > >tools.
> > >
> > >Before this patch, everything is built inside tools/flask/policy
> > >directory.  It is possible to have a race to write to the same output
> > >file when running parallel builds.
> > >
> > >Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
> > >build will set that variable to different directories, so that we can
> > >be safe from races.
> > >
> > >Adjust other bits of the build system as needed.
> > >
> > >Signed-off-by: Wei Liu 
> > 
> > Acked-by: Daniel De Graaf 
> > 
> 
> Thanks.
> 
> > Pulling the definition of POLICY_FILENAME out of Makefile.common might
> > remove the need for the cmp||cp line in the xen-side Makefile, but that
> > probably belongs in another patch.
> > 
> 
> Yes, I think that's better done with another patch.
> 
> I will remove the redundant "tmp" in Makefile.common as discussed with
> Jan and commit the updated patch with your ack.

Now applied.

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH for-4.8] flask: build policy in different locations

2016-11-03 Thread Wei Liu 
On Thu, Nov 03, 2016 at 11:17:59AM -0400, Daniel De Graaf wrote:
> On 10/28/2016 11:17 AM, Wei Liu wrote:
> >The flask policy can be build twice -- one for hypervisor and one for
> >tools.
> >
> >Before this patch, everything is built inside tools/flask/policy
> >directory.  It is possible to have a race to write to the same output
> >file when running parallel builds.
> >
> >Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
> >build will set that variable to different directories, so that we can
> >be safe from races.
> >
> >Adjust other bits of the build system as needed.
> >
> >Signed-off-by: Wei Liu 
> 
> Acked-by: Daniel De Graaf 
> 

Thanks.

> Pulling the definition of POLICY_FILENAME out of Makefile.common might
> remove the need for the cmp||cp line in the xen-side Makefile, but that
> probably belongs in another patch.
> 

Yes, I think that's better done with another patch.

I will remove the redundant "tmp" in Makefile.common as discussed with
Jan and commit the updated patch with your ack.

Wei.

> -- 
> Daniel De Graaf
> National Security Agency

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH for-4.8] flask: build policy in different locations

2016-11-03 Thread Daniel De Graaf 

On 10/28/2016 11:17 AM, Wei Liu wrote:

The flask policy can be build twice -- one for hypervisor and one for
tools.

Before this patch, everything is built inside tools/flask/policy
directory.  It is possible to have a race to write to the same output
file when running parallel builds.

Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
build will set that variable to different directories, so that we can
be safe from races.

Adjust other bits of the build system as needed.

Signed-off-by: Wei Liu 


Acked-by: Daniel De Graaf 

Pulling the definition of POLICY_FILENAME out of Makefile.common might
remove the need for the cmp||cp line in the xen-side Makefile, but that
probably belongs in another patch.

--
Daniel De Graaf
National Security Agency

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH for-4.8] flask: build policy in different locations

2016-11-02 Thread Wei Liu 
On Fri, Oct 28, 2016 at 04:17:17PM +0100, Wei Liu wrote:
> The flask policy can be build twice -- one for hypervisor and one for
> tools.
> 
> Before this patch, everything is built inside tools/flask/policy
> directory.  It is possible to have a race to write to the same output
> file when running parallel builds.
> 
> Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
> build will set that variable to different directories, so that we can
> be safe from races.
> 
> Adjust other bits of the build system as needed.
> 
> Signed-off-by: Wei Liu 
> ---
> Cc: Daniel De Graaf 
> Cc: Ian Jackson 
> Cc: Wei Liu 

Daniel and Ian, do you have opinions on this patch?

Wei.

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH for-4.8] flask: build policy in different locations

2016-10-28 Thread Wei Liu 
On Fri, Oct 28, 2016 at 09:32:19AM -0600, Jan Beulich wrote:
> >>> On 28.10.16 at 17:17,  wrote:
> > --- a/.gitignore
> > +++ b/.gitignore
> > @@ -285,6 +285,8 @@ xen/xsm/flask/include/av_permissions.h
> >  xen/xsm/flask/include/class_to_string.h
> >  xen/xsm/flask/include/flask.h
> >  xen/xsm/flask/include/initial_sid_to_string.h
> > +xen/xsm/flask/policy.*
> > +xen/xsm/flask/xenpolicy-*
> 
> The two entries getting added here aren't in line with ...
> 
> >  clean:
> > -   $(RM) tmp policy.conf $(POLICY_FILENAME)
> > +   $(RM) $(FLASK_BUILD_DIR)/tmp $(FLASK_BUILD_DIR)/policy.conf 
> > $(POLICY_FILENAME)
> 
> ... the altered tmp removal here. I can't, however, tell which side
> needs updating.
> 

tmp should be removed because there is no such thing.

Wei.

> Jan
> 

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH for-4.8] flask: build policy in different locations

2016-10-28 Thread Jan Beulich 
>>> On 28.10.16 at 17:17,  wrote:
> --- a/.gitignore
> +++ b/.gitignore
> @@ -285,6 +285,8 @@ xen/xsm/flask/include/av_permissions.h
>  xen/xsm/flask/include/class_to_string.h
>  xen/xsm/flask/include/flask.h
>  xen/xsm/flask/include/initial_sid_to_string.h
> +xen/xsm/flask/policy.*
> +xen/xsm/flask/xenpolicy-*

The two entries getting added here aren't in line with ...

>  clean:
> - $(RM) tmp policy.conf $(POLICY_FILENAME)
> + $(RM) $(FLASK_BUILD_DIR)/tmp $(FLASK_BUILD_DIR)/policy.conf 
> $(POLICY_FILENAME)

... the altered tmp removal here. I can't, however, tell which side
needs updating.

Jan

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[Xen-devel] [PATCH for-4.8] flask: build policy in different locations

2016-10-28 Thread Wei Liu 
The flask policy can be build twice -- one for hypervisor and one for
tools.

Before this patch, everything is built inside tools/flask/policy
directory.  It is possible to have a race to write to the same output
file when running parallel builds.

Prepend output file names with FLASK_BUILD_DIR. Hypervisor and tools
build will set that variable to different directories, so that we can
be safe from races.

Adjust other bits of the build system as needed.

Signed-off-by: Wei Liu 
---
Cc: Daniel De Graaf 
Cc: Ian Jackson 
Cc: Wei Liu 
---
 .gitignore |  2 ++
 tools/flask/policy/Makefile|  2 ++
 tools/flask/policy/Makefile.common | 12 
 xen/xsm/flask/Makefile |  7 ---
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/.gitignore b/.gitignore
index 6e5955e..a2f34a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -285,6 +285,8 @@ xen/xsm/flask/include/av_permissions.h
 xen/xsm/flask/include/class_to_string.h
 xen/xsm/flask/include/flask.h
 xen/xsm/flask/include/initial_sid_to_string.h
+xen/xsm/flask/policy.*
+xen/xsm/flask/xenpolicy-*
 tools/flask/policy/policy.conf
 tools/flask/policy/xenpolicy-*
 xen/xen
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index bead199..2fa8392 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -1,4 +1,6 @@
 XEN_ROOT=$(CURDIR)/../../..
 include $(XEN_ROOT)/tools/Rules.mk
 
+FLASK_BUILD_DIR=$(CURDIR)
+
 include $(CURDIR)/Makefile.common
diff --git a/tools/flask/policy/Makefile.common 
b/tools/flask/policy/Makefile.common
index 312dec9..6d3ae3b 100644
--- a/tools/flask/policy/Makefile.common
+++ b/tools/flask/policy/Makefile.common
@@ -3,6 +3,10 @@
 
 XEN_ROOT=$(CURDIR)/../../..
 
+ifeq ($(FLASK_BUILD_DIR),)
+$(error FLASK_BUILD_DIR not set)
+endif
+
 
 #
 # Configurable portions of the Makefile
@@ -31,7 +35,7 @@ OUTPUT_POLICY ?= $(BEST_POLICY_VER)
 #
 
 
-POLICY_FILENAME = xenpolicy-$(shell $(MAKE) -C $(XEN_ROOT)/xen xenversion 
--no-print-directory)
+POLICY_FILENAME = $(FLASK_BUILD_DIR)/xenpolicy-$(shell $(MAKE) -C 
$(XEN_ROOT)/xen xenversion --no-print-directory)
 POLICY_LOADPATH = /boot
 
 # List of policy versions supported by the hypervisor
@@ -114,14 +118,14 @@ install: $(POLICY_FILENAME)
$(INSTALL_DIR) $(DESTDIR)/$(POLICY_LOADPATH)
$(INSTALL_DATA) $^ $(DESTDIR)/$(POLICY_LOADPATH)
 
-$(POLICY_FILENAME): policy.conf
+$(POLICY_FILENAME): $(FLASK_BUILD_DIR)/policy.conf
$(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
 
-policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
+$(FLASK_BUILD_DIR)/policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
$(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@
 
 clean:
-   $(RM) tmp policy.conf $(POLICY_FILENAME)
+   $(RM) $(FLASK_BUILD_DIR)/tmp $(FLASK_BUILD_DIR)/policy.conf 
$(POLICY_FILENAME)
 
 distclean: clean
 
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 0ed7d7b..898cc20 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -29,10 +29,11 @@ $(AV_H_FILES): $(AV_H_DEPEND)
 
 obj-$(CONFIG_XSM_POLICY) += policy.o
 
-POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION)
+FLASK_BUILD_DIR := $(CURDIR)
+POLICY_SRC := $(FLASK_BUILD_DIR)/xenpolicy-$(XEN_FULLVERSION)
 
 policy.bin: FORCE
-   $(MAKE) -f $(XEN_ROOT)/tools/flask/policy/Makefile.common -C 
$(XEN_ROOT)/tools/flask/policy
+   $(MAKE) -f $(XEN_ROOT)/tools/flask/policy/Makefile.common -C 
$(XEN_ROOT)/tools/flask/policy FLASK_BUILD_DIR=$(FLASK_BUILD_DIR)
cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@
 
 policy.c: policy.bin gen-policy.py
@@ -40,4 +41,4 @@ policy.c: policy.bin gen-policy.py
 
 .PHONY: clean
 clean::
-   rm -f $(ALL_H_FILES) *.o $(DEPS) policy.c policy.bin
+   rm -f $(ALL_H_FILES) *.o $(DEPS) policy.* $(POLICY_SRC)
-- 
2.1.4


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel