On 06/09/2016 05:54 PM, Doug Goldstein wrote:
On 6/9/16 11:53 AM, Daniel De Graaf wrote:
On 06/09/2016 12:15 PM, Jan Beulich wrote:
On 09.06.16 at 16:47, <dgde...@tycho.nsa.gov> wrote:
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -132,6 +132,23 @@ config FLASK
If unsure, say Y.
+config XSM_POLICY
+ bool "Compile Xen with a built-in security policy"
+ default y
+ depends on XSM
+ ---help---
+ This includes a default XSM policy in the hypervisor so that the
+ bootloader does not need to load a policy to get sane behavior
from an
+ XSM-enabled hypervisor. If this is disabled, a policy must be
+ provided by the bootloader or by Domain 0. Even if this is
enabled, a
+ policy provided by the bootloader will override it.
+
+ This requires that the SELinux policy compiler (checkpolicy) be
+ available when compiling the hypervisor; if this tool is not
found, no
+ policy will be added.
+
+ If unsure, say Y.
+
config FLASK_AVC_STATS
def_bool y
depends on FLASK
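Review bot: the help text ("This requires that the SELinux policy compiler (checkpolicy) be ... if this tool is not found, no policy will be added.") documents that a build with XSM_POLICY=y silently succeeds without any built-in policy when checkpolicy is absent, so `default y` gives no guarantee that the resulting hypervisor carries a policy and the bootloader or Domain 0 still has to supply one. Consider failing the build, or at minimum emitting a visible warning, when XSM_POLICY=y and checkpolicy cannot be found, and state in the help text how that fallback is reported so an operator can tell the two builds apart. A second, smaller point: placing the new `config XSM_POLICY` between `config FLASK` and `config FLASK_AVC_STATS` splits the FLASK entries in menuconfig; moving it after FLASK_AVC_STATS keeps that group contiguous.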
Placing this between FLASK and FLASK_AVC_STATS will break proper
menuconfig representation of the latter afaict.
Jan
This option isn't visible in menuconfig. Should I make it visible?
I believe I actually had that as an outstanding question to you on the
series that introduced that flag.
At the time I didn't see the need for it to be visible. Since it's come
up again, I think it should either be made visible (in a distinct patch),
but maybe limited to EXPERT=y. Otherwise, it seems like the option and
its #ifdefs should be removed: there's no point in having the option if
it's not possible to adjust it.
--
Daniel De Graaf
National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel