54912480ee
During normal m4 parsing, m4 outputs a blank line for each define() call. This results in the first roughly 500 lines of the .tmp files for each module being largely blank lines. Adding divert() calls to the m4 generation for generated_definitions redirects this output, so the beginning of the actual policy appears near the top of the .tmp files. Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
229 lines
8.0 KiB
Plaintext
229 lines
8.0 KiB
Plaintext
########################################
|
|
#
|
|
# Rules and Targets for building modular policies
|
|
#
|
|
|
|
all_modules := $(base_mods) $(mod_mods) $(off_mods)
|
|
all_interfaces := $(all_modules:.te=.if)
|
|
enabled_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(base_mods:.te=.mod.fc) $(mod_mods:.te=.mod.fc)))
|
|
|
|
base_pkg := $(builddir)base.pp
|
|
base_fc := $(builddir)base.fc
|
|
base_conf := $(builddir)base.conf
|
|
base_mod := $(tmpdir)/base.mod
|
|
|
|
users_extra := $(tmpdir)/users_extra
|
|
|
|
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
|
|
|
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(ctx_defaults) $(poldir)/mls $(poldir)/mcs $(policycaps)
|
|
base_te_files := $(base_mods)
|
|
base_post_te_files := $(user_files) $(poldir)/constraints
|
|
base_fc_files := $(base_mods:.te=.fc)
|
|
|
|
mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
|
|
|
|
# policy packages to install
|
|
instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
|
|
|
|
# search layer dirs for source files
|
|
vpath %.te $(all_layers)
|
|
vpath %.if $(all_layers)
|
|
vpath %.fc $(all_layers)
|
|
|
|
.SECONDARY: $(enabled_mod_fc:.mod.fc=.mod) $(enabled_mod_fc)
|
|
|
|
########################################
|
|
#
|
|
# default action: create all module packages
|
|
#
|
|
default: policy
|
|
|
|
all policy: base modules
|
|
|
|
base: $(base_pkg)
|
|
|
|
modules: $(mod_pkgs)
|
|
|
|
install: $(instpkg) $(appfiles)
|
|
|
|
########################################
|
|
#
|
|
# Load all configured modules
|
|
#
|
|
load: $(instpkg) $(appfiles)
|
|
# make sure two directories exist since they are not
|
|
# created by semanage
|
|
@echo "Loading configured modules."
|
|
@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
|
|
$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
|
|
|
|
########################################
|
|
#
|
|
# Install policy packages
|
|
#
|
|
$(modpkgdir)/%.pp: $(builddir)%.pp
|
|
@echo "Installing $(NAME) $(@F) policy package."
|
|
@$(INSTALL) -d -m 0755 $(@D)
|
|
$(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
|
|
|
|
########################################
|
|
#
|
|
# Build module packages
|
|
#
|
|
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te $(m4terminate)
|
|
@echo "Compiling $(NAME) $(@F) module"
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
|
|
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
|
|
|
$(tmpdir)/%.mod.fc: $(m4support) %.fc
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
|
|
|
|
$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
|
|
@echo "Creating $(NAME) $(@F) policy package"
|
|
@test -d $(builddir) || mkdir -p $(builddir)
|
|
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
|
|
|
|
$(tmpdir)/all_mods.fc: $(enabled_mod_fc)
|
|
$(verbose) cat $^ > $@
|
|
|
|
########################################
|
|
#
|
|
# Create a base module package
|
|
#
|
|
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
|
|
@echo "Creating $(NAME) base module package"
|
|
@test -d $(builddir) || mkdir -p $(builddir)
|
|
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
|
|
|
|
$(base_mod): $(base_conf)
|
|
@echo "Compiling $(NAME) base module"
|
|
$(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@
|
|
|
|
$(tmpdir)/seusers: $(seusers)
|
|
@mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
|
|
|
|
$(users_extra): $(m4support) $(user_files)
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
|
|
$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
|
|
|
|
########################################
|
|
#
|
|
# Construct a base.conf
|
|
#
|
|
$(base_conf): $(base_sections)
|
|
@echo "Creating $(NAME) base module $(@F)"
|
|
@test -d $(@D) || mkdir -p $(@D)
|
|
$(verbose) cat $^ > $@
|
|
|
|
$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
|
|
$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
|
|
|
$(tmpdir)/generated_definitions.conf:
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
# define all available object classes
|
|
@cat $(m4divert) > $@
|
|
$(verbose) $(genperm) $(avs) $(secclass) >> $@
|
|
$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
|
|
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
|
|
@cat $(m4undivert) >> $@
|
|
|
|
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
|
|
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
|
|
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
|
|
|
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
@cat $(m4divert) > $@
|
|
$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
|
|
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
|
|
@cat $(m4undivert) >> $@
|
|
|
|
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
|
|
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(m4terminate)
|
|
ifeq "$(strip $(base_te_files))" ""
|
|
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
|
endif
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
|
|
|
|
$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
|
|
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
|
|
|
# extract attributes and put them first. extract post te stuff
|
|
# like genfscon and put last.
|
|
$(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf
|
|
$(verbose) $(get_type_attr_decl) $^ | $(SORT) > $@
|
|
|
|
$(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
|
|
$(verbose) cat $(tmpdir)/post_te_files.conf > $@
|
|
# these have to run individually because order matters:
|
|
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
|
|
|
|
$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
|
|
$(verbose) $(comment_move_decl) $^ > $@
|
|
|
|
########################################
|
|
#
|
|
# Construct a base.fc
|
|
#
|
|
$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp
|
|
$(verbose) $(fcsort) $< $@
|
|
|
|
$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
|
|
ifeq ($(base_fc_files),)
|
|
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
|
endif
|
|
@echo "Creating $(NAME) base module file contexts."
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
|
|
|
########################################
|
|
#
|
|
# Appconfig files
|
|
#
|
|
$(appdir)/customizable_types: $(base_conf)
|
|
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
|
|
@$(INSTALL) -d -m 0755 $(@D)
|
|
$(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
|
|
|
|
########################################
|
|
#
|
|
# Validate linking and expanding of modules
|
|
#
|
|
validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc
|
|
@echo "Validating policy linking."
|
|
$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(base_pkg) $(mod_pkgs)
|
|
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
|
|
@echo "Validating policy file contexts."
|
|
$(verbose) $(SETFILES) -q -c $(tmpdir)/policy.bin $(tmpdir)/all_mods.fc
|
|
@echo "Success."
|
|
|
|
########################################
|
|
#
|
|
# Clean the sources
|
|
#
|
|
clean:
|
|
$(verbose) rm -f $(base_conf)
|
|
$(verbose) rm -f $(base_fc)
|
|
$(verbose) rm -f $(builddir)*.pp
|
|
$(verbose) rm -f $(net_contexts)
|
|
$(verbose) rm -fR $(tmpdir)
|
|
|
|
.PHONY: default all policy base modules install load clean validate
|