Implement WERROR build option to treat warnings as errors.

Add this to all Travis-CI builds.

.travis.yml

@@ -6,24 +6,24 @@ matrix:
   fast_finish: true
 
 env:
-  - TYPE=standard DISTRO=redhat MONOLITHIC=y SYSTEMD=y
-  - TYPE=standard DISTRO=redhat MONOLITHIC=n SYSTEMD=y
-  - TYPE=standard DISTRO=debian MONOLITHIC=y SYSTEMD=y
-  - TYPE=standard DISTRO=debian MONOLITHIC=n SYSTEMD=y
-  - TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n
-  - TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=n
-  - TYPE=mcs DISTRO=redhat MONOLITHIC=y SYSTEMD=y
-  - TYPE=mcs DISTRO=redhat MONOLITHIC=n SYSTEMD=y
-  - TYPE=mcs DISTRO=debian MONOLITHIC=y SYSTEMD=y
-  - TYPE=mcs DISTRO=debian MONOLITHIC=n SYSTEMD=y
-  - TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=n
-  - TYPE=mcs DISTRO=gentoo MONOLITHIC=n SYSTEMD=n
-  - TYPE=mls DISTRO=redhat MONOLITHIC=y SYSTEMD=y
-  - TYPE=mls DISTRO=redhat MONOLITHIC=n SYSTEMD=y
-  - TYPE=mls DISTRO=debian MONOLITHIC=y SYSTEMD=y
-  - TYPE=mls DISTRO=debian MONOLITHIC=n SYSTEMD=y
-  - TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n
-  - TYPE=mls DISTRO=gentoo MONOLITHIC=n SYSTEMD=n
+  - TYPE=standard DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y
+  - TYPE=standard DISTRO=redhat MONOLITHIC=n SYSTEMD=y WERROR=y
+  - TYPE=standard DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y
+  - TYPE=standard DISTRO=debian MONOLITHIC=n SYSTEMD=y WERROR=y
+  - TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
+  - TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
+  - TYPE=mcs DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y
+  - TYPE=mcs DISTRO=redhat MONOLITHIC=n SYSTEMD=y WERROR=y
+  - TYPE=mcs DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y
+  - TYPE=mcs DISTRO=debian MONOLITHIC=n SYSTEMD=y WERROR=y
+  - TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
+  - TYPE=mcs DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
+  - TYPE=mls DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y
+  - TYPE=mls DISTRO=redhat MONOLITHIC=n SYSTEMD=y WERROR=y
+  - TYPE=mls DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y
+  - TYPE=mls DISTRO=debian MONOLITHIC=n SYSTEMD=y WERROR=y
+  - TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
+  - TYPE=mls DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
 
 # Uncomment to use Travis-CI container infrastructure (https://docs.travis-ci.com/user/ci-environment/)
 sudo: false

Makefile

@@ -106,6 +106,7 @@ gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
 m4iferror := $(support)/iferror.m4
 m4divert := $(support)/divert.m4
 m4undivert := $(support)/undivert.m4
+m4terminate := $(support)/fatal_error.m4
 # use our own genhomedircon to make sure we have a known usable one,
 # so policycoreutils updates are not required (RHEL4)
 genhomedircon := $(PYTHON) -E $(support)/genhomedircon
@@ -212,6 +213,10 @@ ifeq ($(DIRECT_INITRC),y)
 	M4PARAM += -D direct_sysadm_daemon
 endif
 
+ifeq "$(WERROR)" "y"
+	M4PARAM += -D m4_werror
+endif
+
 ifeq "$(UBAC)" "y"
 	M4PARAM += -D enable_ubac
 endif

README

@@ -138,6 +138,10 @@ QUIET			Boolean.  If set, the build system will only display
 			status messages and error messages.  This option has no
 			effect on policy.
 
+WERROR			Boolean.  If set, the build system will treat warnings
+			as errors.  If any warnings are encountered, the build
+			will fail.
+
 
 3) Reference Policy Files and Directories
 All directories relative to the root of the Reference Policy sources directory.

Rules.modular

@@ -70,7 +70,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
 #
 # Build module packages
 #
-$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te $(m4terminate)
 	@echo "Compiling $(NAME) $(@F) module"
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
@@ -140,7 +140,7 @@ $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
 	@echo "divert" >> $@
 
 $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files)
+$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(m4terminate)
 ifeq "$(strip $(base_te_files))" ""
 	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
 endif

Rules.monolithic

@@ -125,7 +125,7 @@ $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
 	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
 	@echo "divert" >> $@
 
-$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files)
+$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(m4terminate)
 ifeq "$(strip $(all_te_files))" ""
 	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
 endif

build.conf

@@ -79,3 +79,6 @@ MCS_CATS = 1024
 # Set this to y to only display status messages
 # during build.
 QUIET = n
+
+# Set this to treat warnings as errors.
+WERROR = n

policy/support/misc_macros.spt

@@ -34,16 +34,15 @@ define(`__endline__',`
 #
 # print a warning message
 #
-define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__)')
+define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__) ifdef(`m4_werror',`define(`m4_fatal_error')')')
 
 ########################################
 #
 # refpolerr(message)
 #
-# print an error message.  does not
-# make anything fail.
+# print an error message.
 #
-define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__)')
+define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__) define(`m4_fatal_error')')
 
 ########################################
 #

support/fatal_error.m4

@@ -0,0 +1,2 @@
+ifdef(`m4_werror',`errprint(__file__: Notice: Treating warnings as errors.__endline__)')
+ifdef(`m4_fatal_error',`m4exit(`1')')