templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK)
XSM is enabled by adding "flask=enforcing" as a Xen command line argument, and providing the policy file as a grub module. We make entries for both with and without XSM. If XSM is not compiled into Xen, then there are no policy files, so no change to the boot options. Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
parent
7a9b30143b
commit
a81401ff49
1 changed files with 24 additions and 0 deletions
|
@ -88,6 +88,11 @@ esac
|
|||
title_correction_code=
|
||||
|
||||
linux_entry ()
|
||||
{
|
||||
linux_entry_xsm "$@" false
|
||||
linux_entry_xsm "$@" true
|
||||
}
|
||||
linux_entry_xsm ()
|
||||
{
|
||||
os="$1"
|
||||
version="$2"
|
||||
|
@ -95,6 +100,18 @@ linux_entry ()
|
|||
type="$4"
|
||||
args="$5"
|
||||
xen_args="$6"
|
||||
xsm="$7"
|
||||
# If user wants to enable XSM support, make sure there's
|
||||
# corresponding policy file.
|
||||
if ${xsm} ; then
|
||||
xenpolicy="xenpolicy-$xen_version"
|
||||
if test ! -e "${xen_dirname}/${xenpolicy}" ; then
|
||||
return
|
||||
fi
|
||||
xen_args="$xen_args flask=enforcing"
|
||||
xen_version="$(gettext_printf "%s (XSM enabled)" "$xen_version")"
|
||||
# xen_version is used for messages only; actual file is xen_basename
|
||||
fi
|
||||
if [ -z "$boot_device_id" ]; then
|
||||
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
|
||||
fi
|
||||
|
@ -146,6 +163,13 @@ EOF
|
|||
sed "s/^/$submenu_indentation/" << EOF
|
||||
echo '$(echo "$message" | grub_quote)'
|
||||
${module_loader} --nounzip $(echo $initrd_path)
|
||||
EOF
|
||||
fi
|
||||
if test -n "${xenpolicy}" ; then
|
||||
message="$(gettext_printf "Loading XSM policy ...")"
|
||||
sed "s/^/$submenu_indentation/" << EOF
|
||||
echo '$(echo "$message" | grub_quote)'
|
||||
${module_loader} ${rel_dirname}/${xenpolicy}
|
||||
EOF
|
||||
fi
|
||||
sed "s/^/$submenu_indentation/" << EOF
|
||||
|
|
Loading…
Reference in a new issue