-#
-# Makefile for the security policy.
-#
-# Targets:
-#
-# install - compile and install the policy configuration.
-# load - compile, install, and load the policy configuration.
-# reload - compile, install, and load/reload the policy configuration.
-# policy - compile the policy configuration locally for testing/development.
-#
-# The default target is 'policy'.
-#
+XEN_ROOT=$(CURDIR)/../../..
+include $(XEN_ROOT)/tools/Rules.mk
########################################
#
# Configurable portions of the Makefile
#
+########################################
-# Policy version
-# By default, checkpolicy will create the highest
-# version policy it supports. Setting this will
-# override the version.
-OUTPUT_POLICY = 24
-
-# Policy Type
-# xen
-# xen-mls
-TYPE = xen
-
-# Policy Name
-# If set, this will be used as the policy
-# name. Otherwise xenpolicy will be
-# used for the name.
-# NAME = xenpolicy
-
-# Number of MLS Sensitivities
-# The sensitivities will be s0 to s(MLS_SENS-1).
-# Dominance will be in increasing numerical order
-# with s0 being lowest.
-# MLS_SENS = 16
+CONFIG_MLS ?= n
-# Number of MLS Categories
+# Number of available MLS sensitivities and categories.
+# The sensitivities will be s0 to s(MLS_SENS-1). Dominance will be in
+# increasing numerical order with s0 being lowest.
+MLS_SENS ?= 16
# The categories will be c0 to c(MLS_CATS-1).
-# MLS_CATS = 256
+MLS_CATS ?= 256
-# Uncomment this to disable command echoing
-# QUIET:=@
+# executable paths
+CHECKPOLICY ?= checkpolicy
+M4 ?= m4
########################################
#
-# NO OPTIONS BELOW HERE
+# End of configuration options
#
+########################################
-# executable paths
-PREFIX := /usr
-BINDIR := $(PREFIX)/bin
-SBINDIR := $(PREFIX)/sbin
-CHECKPOLICY := $(BINDIR)/checkpolicy
-LOADPOLICY := $(SBINDIR)/flask-loadpolicy
+# Policy version
+# By default, checkpolicy creates the highest version policy it supports. Force
+# the use of version 24 which is the highest that Xen supports, and the first to
+# include the Xen policy type (needed for static device policy).
+OUTPUT_POLICY = 24
+
+POLICY_FILENAME = xenpolicy.$(OUTPUT_POLICY)
+POLICY_LOADPATH = $(DESTDIR)/boot
# policy source layout
POLDIR := policy
MODDIR := $(POLDIR)/modules
+
+# Classes and access vectors defined in the hypervisor. Changes to these require
+# a recompile of both the hypervisor and security policy.
FLASKDIR := ../../../xen/xsm/flask/policy
SECCLASS := $(FLASKDIR)/security_classes
-ISIDS := $(FLASKDIR)/initial_sids
+ISID_DECLS := $(FLASKDIR)/initial_sids
AVS := $(FLASKDIR)/access_vectors
+# Additional classes and access vectors defined by local policy
+SECCLASS += $(POLDIR)/security_classes
+AVS += $(POLDIR)/access_vectors
+
+# Other policy components
+M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
+MLSSUPPORT := $(POLDIR)/mls
+USERS := $(POLDIR)/users
+CONSTRAINTS := $(POLDIR)/constraints
+ISID_DEFS := $(POLDIR)/initial_sids
+
# config file paths
GLOBALTUN := $(POLDIR)/global_tunables
-GLOBALBOOL := $(POLDIR)/global_booleans
MOD_CONF := $(POLDIR)/modules.conf
-TUNABLES := $(POLDIR)/tunables.conf
-BOOLEANS := $(POLDIR)/booleans.conf
-
-# install paths
-
-DESTDIR = /boot
-INSTALLDIR = $(DESTDIR)
-LOADPATH = $(INSTALLDIR)/$(POLVER)
-# default MLS sensitivity and category settings.
-MLS_SENS ?= 16
-MLS_CATS ?= 256
+# checkpolicy can use the #line directives provided by -s for error reporting:
+M4PARAM := -D self_contained_policy -s
+CHECKPOLICY_PARAM := -t Xen -c $(OUTPUT_POLICY)
# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifneq ($(CONFIG_MLS),n)
M4PARAM += -D enable_mls
- CHECKPOLICY += -M
-endif
-
-ifeq ($(NAME),)
- NAME := xenpolicy
-endif
-
-PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
-
-ifneq ($(OUTPUT_POLICY),)
- CHECKPOLICY += -c $(OUTPUT_POLICY)
- POLVER = $(NAME).$(OUTPUT_POLICY)
-else
- POLVER +=$(NAME).$(PV)
+ CHECKPOLICY_PARAM += -M
endif
# Always define these because they are referenced even in non-MLS policy
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
-M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
+# Find modules
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
# sort here since it removes duplicates, which can happen
# when a generated file is already generated
-DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
+DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
# modules.conf setting for policy configuration
MODENABLED := on
ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS))
ALL_INTERFACES := $(ALL_MODULES:.te=.if)
-ALL_TE_FILES := $(ALL_MODULES)
-
-PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
-POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints $(POLDIR)/initial_sids
-POLICY_SECTIONS := $(PRE_TE_FILES) $(ALL_INTERFACES) $(GLOBALBOOL) $(GLOBALTUN) $(ALL_TE_FILES) $(POST_TE_FILES)
-
-########################################
-#
-# default action: build policy locally
-#
-default: policy
+# The order of these files is important
+POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
+POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT)
+POLICY_SECTIONS += $(ALL_INTERFACES)
+POLICY_SECTIONS += $(GLOBALTUN)
+POLICY_SECTIONS += $(ALL_MODULES)
+POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS)
-policy: $(POLVER)
+all: $(POLICY_FILENAME)
-install: $(LOADPATH)
+install: $(POLICY_FILENAME)
+ $(INSTALL_DATA) $^ $(POLICY_LOADPATH)
-load: .load_stamp
+$(POLICY_FILENAME): policy.conf
+ $(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
-########################################
-#
-# Build a binary policy locally
-#
-$(POLVER): policy.conf
- @echo "Compiling $(NAME) $(POLVER)"
- $(QUIET) $(CHECKPOLICY) $^ -o $@
-# Uncomment line below to enable policies for devices
-# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@
-
-########################################
-#
-# Install a binary policy
-#
-$(LOADPATH): policy.conf
- @echo "Compiling and installing $(NAME) $(LOADPATH)"
- $(QUIET) $(CHECKPOLICY) $^ -o $@
-# Uncomment line below to enable policies for devices
-# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@
-
-########################################
-#
-# Load the binary policy
-#
-.load_stamp: reload
-reload: $(LOADPATH)
- @echo "Loading $(NAME) $(LOADPATH)"
- $(QUIET) $(LOADPOLICY) $(LOADPATH)
- @touch .load_stamp
-
-########################################
-#
-# Construct a monolithic policy.conf
-#
policy.conf: $(POLICY_SECTIONS)
- @echo "Creating $(NAME) policy.conf"
-# checkpolicy can use the #line directives provided by -s for error reporting:
- $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@
+ $(M4) $(M4PARAM) $^ > $@
-########################################
-#
-# Remove the dontaudit rules from the policy.conf
-#
-enableaudit: policy.conf
- @test -d tmp || mkdir -p tmp
- @echo "Removing dontaudit rules from policy.conf"
- $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
- $(QUIET) mv tmp/policy.audit policy.conf
-
-########################################
-#
-# Clean the built policies.
-#
clean:
- rm -fR tmp
- rm -f policy.conf
- rm -f $(POLVER)
+ $(RM) tmp policy.conf $(POLICY_FILENAME)
-.PHONY: default policy install load reload enableaudit clean
+.PHONY: all install clean
projects / xen.git / commitdiff