From: Jan Beulich Date: Fri, 8 Jan 2016 16:35:30 +0000 (+0100) Subject: Revert "convert FLASK_ENABLE to Kconfig" X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~1982 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/success/%22http:/www.example.com/cgi/success?a=commitdiff_plain;h=f7347a282420a5edc74afb31e7c42c2765f24de5;p=xen.git Revert "convert FLASK_ENABLE to Kconfig" This reverts commit b36bf230270baba4f0fe35b230ea8b80ebb2c4a7, as osstest needs to be ready first. --- diff --git a/Config.mk b/Config.mk index 13159188cc..a3be5ed91d 100644 --- a/Config.mk +++ b/Config.mk @@ -214,6 +214,7 @@ EMBEDDED_EXTRA_CFLAGS += -fno-exceptions # Enable XSM security module (by default, Flask). XSM_ENABLE ?= n +FLASK_ENABLE ?= $(XSM_ENABLE) XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles # All the files at that location were downloaded from elsewhere on diff --git a/INSTALL b/INSTALL index c51447bdfe..b7e426c085 100644 --- a/INSTALL +++ b/INSTALL @@ -278,11 +278,7 @@ PYTHON_PREFIX_ARG= The hypervisor may be build with XSM support, which can be changed with the following variables. XSM_ENABLE=y - -The hypervisor may be build with Flask support, which can be changed -by running: -make -C xen menuconfig -and enabling Flask in the 'Common Features' menu. +FLASK_ENABLE=y Do a build for coverage. coverage=y diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt index f2f0fd47d7..7249f402c3 100644 --- a/docs/misc/xsm-flask.txt +++ b/docs/misc/xsm-flask.txt 
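Review bot: Nothing after the added `FLASK_ENABLE ?= $(XSM_ENABLE)` in Config.mk checks that the value is exactly `y` or `n`. The variable is then used only as a name suffix (`CFLAGS-$(FLASK_ENABLE)` in xen/Rules.mk, `headers-$(FLASK_ENABLE)` in xen/include/Makefile, `subdir-$(FLASK_ENABLE)` in xen/xsm/Makefile). A value such as `yes` or `1` would therefore presumably end up in variables nothing reads, and the hypervisor would build without FLASK and without any error. A switch for mandatory access control should fail loudly instead; a guard right after the assignment would do: `ifeq ($(filter y n,$(FLASK_ENABLE)),)`, `$(error FLASK_ENABLE must be y or n)`, `endif`.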
@@ -172,9 +172,8 @@ Setting up FLASK ---------------- Xen must be compiled with XSM and FLASK enabled; by default, the security -framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE to -"y" and running 'make -C xen menuconfig' and enabling FLASK inside 'Common -Features'; this change requires a make clean and rebuild. +framework is disabled. Edit Config.mk or the .config file to set XSM_ENABLE and +FLASK_ENABLE to "y"; this change requires a make clean and rebuild. FLASK uses only one domain configuration parameter (seclabel) defining the full security label of the newly created domain. If using the example policy, diff --git a/xen/Rules.mk b/xen/Rules.mk index 9e4e6ff5dc..f7ddc69d8e 100644 --- a/xen/Rules.mk +++ b/xen/Rules.mk @@ -53,6 +53,7 @@ CFLAGS += -pipe -g -D__XEN__ -include $(BASEDIR)/include/xen/config.h CFLAGS += '-D__OBJECT_FILE__="$@"' CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE +CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE CFLAGS-$(verbose) += -DVERBOSE CFLAGS-$(crash_debug) += -DCRASH_DEBUG CFLAGS-$(perfc) += -DPERF_COUNTERS diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 6373b7f3eb..046e257497 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -8,17 +8,6 @@ config COMPAT HVM and PV guests. HVMLoader makes 32-bit hypercalls irrespective of the destination runmode of the guest. -config FLASK - bool "FLux Advanced Security Kernel support" - default n - --help--- - Enables the FLASK (FLux Advanced Security Kernel) support which - provides a mandatory access control framework by which security - enforcement, isolation, and auditing can be achieved with fine - granular control via a security policy. - - If unsure, say N. - # Select HAS_DEVICE_TREE if device tree is supported config HAS_DEVICE_TREE bool diff --git a/xen/include/Makefile b/xen/include/Makefile index 9c8188b5f0..94ba3d8dcd 100644 --- a/xen/include/Makefile +++ b/xen/include/Makefile 
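Review bot: `CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE` in xen/Rules.mk puts the setting on the compiler command line only, so a change to it is probably invisible to dependency tracking (inferred; the dependency rules are outside this hunk). The same macro guards `XSM_MAGIC` in xen/include/xen/config.h and a FLASK-specific part of `struct evtchn` in xen/include/xen/sched.h, whose guarded members lie past the end of that hunk. Objects left over from a build with the other setting would then disagree on that layout. docs/misc/xsm-flask.txt already says a clean rebuild is needed; I would repeat it where the flag is set, with a comment above the new line: `# FLASK_ENABLE alters struct evtchn (xen/sched.h); run 'make clean' after changing it.`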
@@ -28,7 +28,7 @@ headers-$(CONFIG_X86) += compat/arch-x86/xen.h headers-$(CONFIG_X86) += compat/arch-x86/xen-$(compat-arch-y).h headers-$(CONFIG_X86) += compat/hvm/hvm_vcpu.h headers-y += compat/arch-$(compat-arch-y).h compat/pmu.h compat/xlat.h -headers-$(CONFIG_FLASK) += compat/xsm/flask_op.h +headers-$(FLASK_ENABLE) += compat/xsm/flask_op.h cppflags-y := -include public/xen-compat.h cppflags-$(CONFIG_X86) += -m32 diff --git a/xen/include/xen/config.h b/xen/include/xen/config.h index bba015ac06..75955999a6 100644 --- a/xen/include/xen/config.h +++ b/xen/include/xen/config.h @@ -86,7 +86,7 @@ #define mk_unsigned_long(x) x #endif /* !__ASSEMBLY__ */ -#ifdef CONFIG_FLASK +#ifdef FLASK_ENABLE #define XSM_MAGIC 0xf97cff8c /* Maintain statistics on the access vector cache */ #define FLASK_AVC_STATS 1 diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 6ea3cc7cc8..fc61fc3be4 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -119,7 +119,7 @@ struct evtchn */ void *generic; #endif -#ifdef CONFIG_FLASK +#ifdef FLASK_ENABLE /* * Inlining the contents of the structure for FLASK avoids unneeded * allocations, and on 64-bit platforms with only FLASK enabled, diff --git a/xen/xsm/Makefile b/xen/xsm/Makefile index d29e71c3a4..16c13b507f 100644 --- a/xen/xsm/Makefile +++ b/xen/xsm/Makefile @@ -4,4 +4,4 @@ obj-y += xsm_policy.o obj-y += dummy.o endif -subdir-$(CONFIG_FLASK) += flask +subdir-$(FLASK_ENABLE) += flask
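Review bot: In xen/xsm/Makefile, `subdir-$(FLASK_ENABLE) += flask` comes after the `endif` that closes the block adding `xsm_policy.o` and `dummy.o`, so it is honoured whatever that conditional tests; its opening line is above the hunk, presumably a test of XSM_ENABLE. Config.mk only defaults FLASK_ENABLE from XSM_ENABLE, so `XSM_ENABLE=n FLASK_ENABLE=y` remains possible. In that case the `#ifdef FLASK_ENABLE` branches in config.h and sched.h would still be compiled. If FLASK is meant to require XSM, state it here with a comment such as `# flask is only meaningful when XSM_ENABLE=y`, or move the line inside the conditional.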