

Added tag 4.1.0-rc2 for changeset 9dca60d88c63
author Keir Fraser <keir@xen.org>
date Tue Jan 25 14:06:55 2011 +0000 (2011-01-25)
1 #
2 # Makefile for the security policy.
3 #
# Targets:
#
# install - compile and install the policy configuration.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# policy - compile the policy configuration locally for testing/development.
# enableaudit - strip the dontaudit rules from policy.conf so that every
#               denial is reported (debugging aid; rerun 'make policy'
#               afterwards to compile the stripped policy).
# clean - remove tmp/, policy.conf and the locally built binary policy.
#
# The default target is 'policy'.
12 #
14 ########################################
15 #
16 # Configurable portions of the Makefile
17 #
# Policy version
# By default, checkpolicy will create the highest
# version policy it supports. Setting this will
# override the version: it is passed to checkpolicy
# as -c and becomes the suffix of the output file,
# e.g. xenpolicy.24.
# OUTPUT_POLICY = 24

# Policy Type
# xen
# xen-mls
# Any value containing "-mls" enables MLS: m4 is run with
# enable_mls defined and checkpolicy is invoked with -M.
TYPE = xen

# Policy Name
# If set, this will be used as the policy
# name. Otherwise xenpolicy will be
# used for the name. The name also forms the
# basename of the compiled policy, $(NAME).<version>.
# NAME = xenpolicy

# Number of MLS Sensitivities
# The sensitivities will be s0 to s(MLS_SENS-1).
# Dominance will be in increasing numerical order
# with s0 being lowest.
# The value is always handed to m4 as mls_num_sens,
# but it only matters when MLS is enabled via TYPE.
# MLS_SENS = 16

# Number of MLS Categories
# The categories will be c0 to c(MLS_CATS-1).
# Handed to m4 as mls_num_cats; see MLS_SENS.
# MLS_CATS = 256

# Uncomment this to disable command echoing
# ($(QUIET) is prefixed to every non-trivial recipe line).
# QUIET:=@
49 ########################################
50 #
51 # NO OPTIONS BELOW HERE
52 #
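# executable paths
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
# checkpolicy compiles policy.conf; flask-loadpolicy loads the result.
# Both are run from fixed absolute paths rather than looked up in $PATH.
CHECKPOLICY := $(BINDIR)/checkpolicy
LOADPOLICY := $(SBINDIR)/flask-loadpolicy

# policy source layout
POLDIR := policy
MODDIR := $(POLDIR)/modules
FLASKDIR := $(POLDIR)/flask
SECCLASS := $(FLASKDIR)/security_classes
ISIDS := $(FLASKDIR)/initial_sids
AVS := $(FLASKDIR)/access_vectors

# config file paths
GLOBALTUN := $(POLDIR)/global_tunables
GLOBALBOOL := $(POLDIR)/global_booleans
MOD_CONF := $(POLDIR)/modules.conf
TUNABLES := $(POLDIR)/tunables.conf
BOOLEANS := $(POLDIR)/booleans.conf

# install paths
# The compiled policy is installed as $(LOADPATH), i.e. /boot/$(POLVER) by
# default; override with 'make DESTDIR=... install'. LOADPATH is deliberately
# recursively expanded (=) because POLVER is only assigned further down.
DESTDIR = /boot
INSTALLDIR = $(DESTDIR)
LOADPATH = $(INSTALLDIR)/$(POLVER)

# default MLS sensitivity and category settings (overridable in the
# configurable section above or on the command line).
MLS_SENS ?= 16
MLS_CATS ?= 256

# enable MLS if requested: a TYPE containing "-mls" defines enable_mls
# for m4 and makes checkpolicy build an MLS policy (-M).
ifneq ($(findstring -mls,$(TYPE)),)
  M4PARAM += -D enable_mls
  CHECKPOLICY += -M
endif

ifeq ($(NAME),)
  NAME := xenpolicy
endif

# Highest policy version the installed checkpolicy can emit. This runs
# checkpolicy at parse time (for every goal, including clean); an empty
# result means the binary is missing or its -V output changed shape.
PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')

ifneq ($(OUTPUT_POLICY),)
  CHECKPOLICY += -c $(OUTPUT_POLICY)
  POLVER = $(NAME).$(OUTPUT_POLICY)
else
  ifeq ($(strip $(PV)),)
    $(warning $(CHECKPOLICY) -V reported no policy version; POLVER would be '$(NAME).' with no version. Install checkpolicy or set OUTPUT_POLICY.)
  endif
  POLVER = $(NAME).$(PV)
endif

# m4 parameters shared by every policy.conf build: the MLS dimensions and
# the hide_broken_symptoms symbol consumed by the policy sources.
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D hide_broken_symptoms

M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)

# one directory per layer under $(MODDIR) (CVS checkouts excluded)
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))

# sort here since it removes duplicates, which can happen
# when a generated file is already generated
DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))

# modules.conf setting for policy configuration
MODENABLED := on

# extract settings from modules.conf: every "<name> = on" line names a
# module, which is then located under $(MODDIR). The search is limited to
# the module tree (rather than the whole working directory) so stray .te
# files elsewhere are never picked up; a missing modules.conf yields an
# empty list, which the build targets below report.
ENABLED_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(shell find $(MODDIR) -iname $(mod).te))

# only modules that are both enabled and actually present on disk
ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS))

ALL_INTERFACES := $(ALL_MODULES:.te=.if)
ALL_TE_FILES := $(ALL_MODULES)

PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints

# order in which the generated sections are concatenated into policy.conf
POLICY_SECTIONS := tmp/pre_te_files.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf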
133 ########################################
134 #
135 # default action: build policy locally
136 #
# 'policy' builds $(POLVER) in the working directory; 'install' compiles
# policy.conf straight into $(LOADPATH) (under $(DESTDIR), /boot by
# default); 'load' does the install and then hands the result to
# $(LOADPOLICY) via the tmp/load stamp.
default: policy

policy: $(POLVER)

install: $(LOADPATH)

load: tmp/load
145 ########################################
146 #
147 # Build a binary policy locally
148 #
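# Compile the monolithic policy.conf into $(POLVER) in the working
# directory. The output is written to $(POLVER).tmp and renamed into
# place only after checkpolicy succeeds, so a failed compile can never
# leave a truncated $(POLVER) that is newer than its inputs and therefore
# skipped by the next run.
$(POLVER): policy.conf
	@echo "Compiling $(NAME) $(POLVER)"
	$(QUIET) $(CHECKPOLICY) $^ -o $@.tmp && mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }
# Uncomment line below (in place of the one above) to enable policies for devices
#	$(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@.tmp && mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }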
155 ########################################
156 #
157 # Install a binary policy
158 #
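# Compile policy.conf directly into the install location. $(DESTDIR) is
# /boot unless overridden, so this normally has to run as root. The policy
# is written to $(LOADPATH).tmp and renamed into place only after
# checkpolicy succeeds: a failed build leaves the previously installed
# policy untouched instead of replacing it with a truncated file.
$(LOADPATH): policy.conf
	@echo "Compiling and installing $(NAME) $(LOADPATH)"
	$(QUIET) $(CHECKPOLICY) $^ -o $@.tmp && mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }
# Uncomment line below (in place of the one above) to enable policies for devices
#	$(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@.tmp && mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }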
165 ########################################
166 #
167 # Load the binary policy
168 #
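# tmp/load is a stamp file recording the last successful load. Because
# reload is phony, the stamp is always considered out of date, so
# 'make load' reloads every time it is run.
tmp/load: reload

# Rebuild and reinstall $(LOADPATH) if policy.conf is newer, then hand it
# to $(LOADPOLICY). NOTE(review): this presumably replaces the policy the
# running hypervisor enforces, not just a file on disk -- build with
# 'make policy' and review the result before running this on a production
# host. The unused $(FCPATH) prerequisite (never defined in this file)
# has been dropped.
reload: $(LOADPATH)
	@echo "Loading $(NAME) $(LOADPATH)"
	$(QUIET) $(LOADPOLICY) $(LOADPATH)
	@test -d tmp || mkdir -p tmp
	@touch tmp/load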
175 ########################################
176 #
177 # Construct a monolithic policy.conf
178 #
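# Run m4 over the generated sections (in $(POLICY_SECTIONS) order) to
# produce the single policy.conf that checkpolicy consumes.
# checkpolicy can use the #line directives provided by -s for error reporting.
# The result is written to policy.conf.tmp and renamed only if m4
# succeeds, so a macro error cannot leave a truncated policy.conf that
# is newer than its inputs and silently reused by the next build.
policy.conf: $(POLICY_SECTIONS)
	@echo "Creating $(NAME) policy.conf"
	$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@.tmp && mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }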
# Concatenate the FLASK definitions (classes, initial SIDs, access
# vectors), the m4 support macros and the mls file into one section.
tmp/pre_te_files.conf: $(PRE_TE_FILES)
	@mkdir -p $(@D)
	$(QUIET) cat $^ > $@
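# Concatenate the m4 support macros and every enabled module's .if file,
# turning the dollarsstar spelling used in the interface sources back
# into a literal $*. The "no enabled modules" check is done when this
# target is built rather than in a parse-time ifeq, so an unconfigured
# tree (no modules.conf yet) can still run goals such as 'make clean'.
tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
	@$(if $(ALL_INTERFACES),,$(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file))
	@mkdir -p $(@D)
	$(QUIET) cat $^ | sed -e 's/dollarsstar/$$*/g' > $@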
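# Concatenate every enabled module's .te file. As for the interfaces, the
# "no enabled modules" check runs only when this target is built, so an
# unconfigured tree does not fail at parse time for unrelated goals.
tmp/all_te_files.conf: $(ALL_TE_FILES)
	@$(if $(ALL_TE_FILES),,$(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file))
	@mkdir -p $(@D)
	$(QUIET) cat $^ > $@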
# Concatenate the users and constraints files; they go after the TE rules.
tmp/post_te_files.conf: $(POST_TE_FILES)
	@mkdir -p $(@D)
	$(QUIET) cat $^ > $@
# Split tmp/all_te_files.conf into three sections by statement kind:
#   - attribute and type declarations go first (tmp/all_attrs_types.conf),
#   - sid and the device context statements (pirqcon, ioportcon, iomemcon,
#     pcidevicecon) go last, appended after the users/constraints section
#     (tmp/all_post.conf); they are grouped by kind, not in source order,
#   - everything else is the TE rule body (tmp/only_te_rules.conf).
# portcon, nodecon, and netifcon are not handled here since they are
# generated by m4.
# One recipe produces all three files; the recipe-less first line tells
# make the other two are created alongside tmp/only_te_rules.conf.
# The greps for optional statement kinds carry "|| true" so a policy
# without them still builds; the '^type ' grep does not, so a module set
# declaring no types fails here. sed -r is a GNU extension.
tmp/all_attrs_types.conf tmp/all_post.conf: tmp/only_te_rules.conf
tmp/only_te_rules.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) grep ^pirqcon tmp/all_te_files.conf >> \
		tmp/all_post.conf || true
	$(QUIET) grep ^ioportcon tmp/all_te_files.conf >> \
		tmp/all_post.conf || true
	$(QUIET) grep ^iomemcon tmp/all_te_files.conf >> \
		tmp/all_post.conf || true
	$(QUIET) grep ^pcidevicecon tmp/all_te_files.conf >> \
		tmp/all_post.conf || true
	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \
		-e "/^pirqcon/d" -e "/^pcidevicecon/d" -e "/^ioportcon/d" \
		-e "/^iomemcon/d" < tmp/all_te_files.conf \
		> tmp/only_te_rules.conf
228 ########################################
229 #
230 # Remove the dontaudit rules from the policy.conf
231 #
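# Debugging aid: rewrite policy.conf in place without its dontaudit rules
# so that denials the policy deliberately silences become visible again.
# Only lines that start with the dontaudit keyword are dropped; a rule,
# comment or type name that merely contains the word elsewhere on the
# line is kept (the previous unanchored grep removed those too).
# Because policy.conf is replaced, and is therefore newer than its
# inputs, the next 'make policy' or 'make install' compiles the stripped
# policy until a source file changes or 'make clean' is run.
enableaudit: policy.conf
	@test -d tmp || mkdir -p tmp
	@echo "Removing dontaudit rules from policy.conf"
	$(QUIET) grep -v '^[[:blank:]]*dontaudit' policy.conf > tmp/policy.audit
	$(QUIET) mv tmp/policy.audit policy.conf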
238 ########################################
239 #
240 # Clean the built policies.
241 #
# Remove everything this Makefile generates in the working directory.
# The installed copy under $(LOADPATH) is intentionally left alone.
clean:
	rm -rf tmp policy.conf $(POLVER)
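# If a recipe fails, delete the (partially written) target so that a
# truncated policy.conf or tmp/*.conf is never mistaken for an up-to-date
# file on the next run.
.DELETE_ON_ERROR:

.PHONY: default policy install load reload enableaudit clean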