Re: [Xen-devel] [PATCH 13/17] xen: move FLASK entry under XSM in Kconfig

2016-06-20 Thread Doug Goldstein
On 6/20/16 10:28 AM, Jan Beulich wrote:
>>>> On 20.06.16 at 17:11,  wrote:
>> On 06/20/2016 10:46 AM, Doug Goldstein wrote:
>>> On 6/20/16 9:04 AM, Daniel De Graaf wrote:
>>>> Since enabling XSM is required to enable FLASK, place the option for
>>>> FLASK below the one for XSM.  In addition, since it does not make sense
>>>> to enable XSM without any XSM providers, and FLASK is the only XSM
>>>> provider, hide the option to disable FLASK under EXPERT.
>>>>
>>>> Signed-off-by: Daniel De Graaf 
>>>> ---
>>>
 @@ -137,6 +119,25 @@ config XSM

  If unsure, say N.

 +config FLASK
 +  def_bool y
 +  bool "FLux Advanced Security Kernel support" if EXPERT = "y"
>>>
>>> Ok. Here's the real review. I think you want the prompt to be optional
>>> if EXPERT is enabled then I think you need to use "prompt" instead of
>>> "bool". You've already got this set to a bool with the "def_bool" line.
>>
>> OK.  This version also apparently works, since I tested it, but if
>> prompt is the preferred keyword I'll change it.
> 
> Yeah, the bool is redundant here. It should be either a
> def_bool/prompt pair, or a bool/default one. Personally I'd prefer
> the latter, but since Doug asked for the former that's fine too.
> 
> Jan
> 

I'm honestly indifferent.

-- 
Doug Goldstein



___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel


Re: [Xen-devel] [PATCH 13/17] xen: move FLASK entry under XSM in Kconfig

2016-06-20 Thread Jan Beulich
>>> On 20.06.16 at 17:11,  wrote:
> On 06/20/2016 10:46 AM, Doug Goldstein wrote:
>> On 6/20/16 9:04 AM, Daniel De Graaf wrote:
>>> Since enabling XSM is required to enable FLASK, place the option for
>>> FLASK below the one for XSM.  In addition, since it does not make sense
>>> to enable XSM without any XSM providers, and FLASK is the only XSM
>>> provider, hide the option to disable FLASK under EXPERT.
>>>
>>> Signed-off-by: Daniel De Graaf 
>>> ---
>>
>>> @@ -137,6 +119,25 @@ config XSM
>>>
>>>   If unsure, say N.
>>>
>>> +config FLASK
>>> +   def_bool y
>>> +   bool "FLux Advanced Security Kernel support" if EXPERT = "y"
>>
>> Ok. Here's the real review. I think you want the prompt to be optional
>> if EXPERT is enabled then I think you need to use "prompt" instead of
>> "bool". You've already got this set to a bool with the "def_bool" line.
> 
> OK.  This version also apparently works, since I tested it, but if
> prompt is the preferred keyword I'll change it.

Yeah, the bool is redundant here. It should be either a
def_bool/prompt pair, or a bool/default one. Personally I'd prefer
the latter, but since Doug asked for the former that's fine too.

Jan




Re: [Xen-devel] [PATCH 13/17] xen: move FLASK entry under XSM in Kconfig

2016-06-20 Thread Daniel De Graaf

On 06/20/2016 10:46 AM, Doug Goldstein wrote:

> On 6/20/16 9:04 AM, Daniel De Graaf wrote:
>> Since enabling XSM is required to enable FLASK, place the option for
>> FLASK below the one for XSM.  In addition, since it does not make sense
>> to enable XSM without any XSM providers, and FLASK is the only XSM
>> provider, hide the option to disable FLASK under EXPERT.
>>
>> Signed-off-by: Daniel De Graaf 
>> ---



@@ -137,6 +119,25 @@ config XSM

  If unsure, say N.

+config FLASK
+   def_bool y
+   bool "FLux Advanced Security Kernel support" if EXPERT = "y"


> Ok. Here's the real review. I think you want the prompt to be optional
> if EXPERT is enabled then I think you need to use "prompt" instead of
> "bool". You've already got this set to a bool with the "def_bool" line.


OK.  This version also apparently works, since I tested it, but if
prompt is the preferred keyword I'll change it.

--
Daniel De Graaf
National Security Agency



Re: [Xen-devel] [PATCH 13/17] xen: move FLASK entry under XSM in Kconfig

2016-06-20 Thread Doug Goldstein
On 6/20/16 9:04 AM, Daniel De Graaf wrote:
> Since enabling XSM is required to enable FLASK, place the option for
> FLASK below the one for XSM.  In addition, since it does not make sense
> to enable XSM without any XSM providers, and FLASK is the only XSM
> provider, hide the option to disable FLASK under EXPERT.
> 
> Signed-off-by: Daniel De Graaf 
> ---

> @@ -137,6 +119,25 @@ config XSM
>  
> If unsure, say N.
>  
> +config FLASK
> + def_bool y
> + bool "FLux Advanced Security Kernel support" if EXPERT = "y"

Ok. Here's the real review. I think you want the prompt to be optional
if EXPERT is enabled then I think you need to use "prompt" instead of
"bool". You've already got this set to a bool with the "def_bool" line.

-- 
Doug Goldstein





Re: [Xen-devel] [PATCH 13/17] xen: move FLASK entry under XSM in Kconfig

2016-06-20 Thread Doug Goldstein
On 6/20/16 9:41 AM, Doug Goldstein wrote:
> On 6/20/16 9:04 AM, Daniel De Graaf wrote:
>> Since enabling XSM is required to enable FLASK, place the option for
>> FLASK below the one for XSM.  In addition, since it does not make sense
>> to enable XSM without any XSM providers, and FLASK is the only XSM
>> provider, hide the option to disable FLASK under EXPERT.
>>
>> Signed-off-by: Daniel De Graaf 
>> ---
>>  xen/common/Kconfig | 37 +++--
>>  1 file changed, 19 insertions(+), 18 deletions(-)
>>
>> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
>> index cd59574..6a51fd5 100644
>> --- a/xen/common/Kconfig
>> +++ b/xen/common/Kconfig
>> @@ -11,24 +11,6 @@ config COMPAT
>>  config CORE_PARKING
>>  bool
>>  
>> -config FLASK
>> -bool "FLux Advanced Security Kernel support"
>> -default y
>> -depends on XSM
>> ----help---
>> -  Enables the FLASK (FLux Advanced Security Kernel) support which
>> -  provides a mandatory access control framework by which security
>> -  enforcement, isolation, and auditing can be achieved with fine
>> -  granular control via a security policy.
>> -
>> -  If unsure, say N.
>> -
> 
> 
> 
>>  
>> +config FLASK
>> +def_bool y
>> +bool "FLux Advanced Security Kernel support" if EXPERT = "y"
> 
> Why did FLASK become dependent on EXPERT? It wasn't previously.
> 

Gah. Helps to read the commit message. Ignore the noise.

-- 
Doug Goldstein





Re: [Xen-devel] [PATCH 13/17] xen: move FLASK entry under XSM in Kconfig

2016-06-20 Thread Doug Goldstein
On 6/20/16 9:04 AM, Daniel De Graaf wrote:
> Since enabling XSM is required to enable FLASK, place the option for
> FLASK below the one for XSM.  In addition, since it does not make sense
> to enable XSM without any XSM providers, and FLASK is the only XSM
> provider, hide the option to disable FLASK under EXPERT.
> 
> Signed-off-by: Daniel De Graaf 
> ---
>  xen/common/Kconfig | 37 +++--
>  1 file changed, 19 insertions(+), 18 deletions(-)
> 
> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
> index cd59574..6a51fd5 100644
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -11,24 +11,6 @@ config COMPAT
>  config CORE_PARKING
>   bool
>  
> -config FLASK
> - bool "FLux Advanced Security Kernel support"
> - default y
> - depends on XSM
> - ---help---
> -   Enables the FLASK (FLux Advanced Security Kernel) support which
> -   provides a mandatory access control framework by which security
> -   enforcement, isolation, and auditing can be achieved with fine
> -   granular control via a security policy.
> -
> -   If unsure, say N.
> -



>  
> +config FLASK
> + def_bool y
> + bool "FLux Advanced Security Kernel support" if EXPERT = "y"

Why did FLASK become dependent on EXPERT? It wasn't previously.

-- 
Doug Goldstein





[Xen-devel] [PATCH 13/17] xen: move FLASK entry under XSM in Kconfig

2016-06-20 Thread Daniel De Graaf
Since enabling XSM is required to enable FLASK, place the option for
FLASK below the one for XSM.  In addition, since it does not make sense
to enable XSM without any XSM providers, and FLASK is the only XSM
provider, hide the option to disable FLASK under EXPERT.

Signed-off-by: Daniel De Graaf 
---
 xen/common/Kconfig | 37 +++--
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index cd59574..6a51fd5 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -11,24 +11,6 @@ config COMPAT
 config CORE_PARKING
bool
 
-config FLASK
-   bool "FLux Advanced Security Kernel support"
-   default y
-   depends on XSM
-   ---help---
- Enables the FLASK (FLux Advanced Security Kernel) support which
- provides a mandatory access control framework by which security
- enforcement, isolation, and auditing can be achieved with fine
- granular control via a security policy.
-
- If unsure, say N.
-
-config FLASK_AVC_STATS
-   def_bool y
-   depends on FLASK
-   ---help---
- Maintain statistics on the access vector cache
-
 # Select HAS_DEVICE_TREE if device tree is supported
 config HAS_DEVICE_TREE
bool
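Review bot: The commit message should mention that `config FLASK_AVC_STATS` is removed here and re-added below XSM together with FLASK; as written it only talks about relocating FLASK and hiding its prompt. One extra sentence in the commit message would make it clear the second entry moved unchanged and was not dropped or altered by accident.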
@@ -137,6 +119,25 @@ config XSM
 
  If unsure, say N.
 
+config FLASK
+   def_bool y
+   bool "FLux Advanced Security Kernel support" if EXPERT = "y"
+   depends on XSM
+   ---help---
+ Enables FLASK (FLux Advanced Security Kernel) as the access control
+ mechanism used by the XSM framework.  This provides a mandatory access
+ control framework by which security enforcement, isolation, and
+ auditing can be achieved with fine granular control via a security
+ policy.
+
+ If unsure, say Y.
+
+config FLASK_AVC_STATS
+   def_bool y
+   depends on FLASK
+   ---help---
+ Maintain statistics on the access vector cache
+
 # Enable schedulers
 menu "Schedulers"
visible if EXPERT = "y"
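Review bot: The new `config FLASK` entry declares its type twice: `def_bool y` already makes the symbol a bool with default y, and the following `bool "FLux Advanced Security Kernel support" if EXPERT = "y"` declares bool again only to attach the conditional prompt. Either keep `def_bool y` and change the second line to `prompt "FLux Advanced Security Kernel support" if EXPERT = "y"`, or keep the `bool "..." if EXPERT = "y"` line and replace `def_bool y` with `default y`. Separately, the help text changes from "If unsure, say N." to "If unsure, say Y."; that matches the default, but it is a behaviour-relevant wording change that the commit message does not mention.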
-- 
2.7.4
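
The effect of hiding the FLASK prompt behind EXPERT, as the commit message above describes it, worked through in a simplified model of Kconfig bool resolution. This is an added example, not part of the patch or of Xen's build system: `Symbol`, `symbols()` and `evaluate()` are hypothetical names, XSM's default of n and EXPERT as a plain boolean input are assumptions, and real Kconfig also handles tristate, select and choices.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Symbol:
    name: str
    default: bool
    depends_on: Optional[str] = None   # symbol that must be y
    has_prompt: bool = True            # False: never user-settable
    prompt_if: Optional[str] = None    # prompt shown only when this symbol is y

def symbols(patched: bool):
    """FLASK entries before/after the patch; XSM's default of n is assumed."""
    return [
        Symbol("XSM", default=False),
        Symbol("FLASK", default=True, depends_on="XSM",
               prompt_if="EXPERT" if patched else None),
        Symbol("FLASK_AVC_STATS", default=True, depends_on="FLASK",
               has_prompt=False),
    ]

def evaluate(user: dict, expert: bool = False, patched: bool = True) -> dict:
    """Resolve bool symbols in order. `user` holds requested .config values."""
    out = {"EXPERT": expert}           # EXPERT modelled as a plain boolean input
    for s in symbols(patched):
        if s.depends_on and not out[s.depends_on]:
            out[s.name] = False        # unmet dependency forces n
            continue
        visible = s.has_prompt and (s.prompt_if is None or out[s.prompt_if])
        if visible and s.name in user:
            out[s.name] = user[s.name] # visible prompt: the user's choice wins
        else:
            out[s.name] = s.default    # hidden prompt: the default applies
    return out

if __name__ == "__main__":
    request = {"XSM": True, "FLASK": False}   # constructed .config request
    for patched, expert in [(False, False), (True, False), (True, True)]:
        print(patched, expert, evaluate(request, expert, patched))
```

Before the patch the constructed request yields XSM enabled with no provider; after it, the same request still gets FLASK unless EXPERT is set.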

