5 files changed, 168 insertions, 2 deletions

diff --git a/config/Tools.mk.in b/config/Tools.mk.in
index 3967e7d773..c69c7d2bec 100644
--- a/config/Tools.mk.in
+++ b/config/Tools.mk.in
@@ -46,6 +46,7 @@ GIT_HTTP            := @githttp@
 XENSTAT_XENTOP      := @monitors@
 LIBXENAPI_BINDINGS  := @xenapi@
 OCAML_TOOLS         := @ocamltools@
+FLASK_POLICY        := @xsmpolicy@
 CONFIG_MINITERM     := @miniterm@
 CONFIG_LOMOUNT      := @lomount@
 CONFIG_OVMF         := @ovmf@
diff --git a/m4/checkpolicy.m4 b/m4/checkpolicy.m4
new file mode 100644
index 0000000000..f727a7d31a
--- /dev/null
+++ b/m4/checkpolicy.m4
@@ -0,0 +1,12 @@
+AC_DEFUN([AC_PROG_CHECKPOLICY],
+[dnl
+  # check for a checkpolicy binary with support for -t xen
+  AC_CHECK_TOOL([CHECKPOLICY],[checkpolicy],[no])
+
+  if test "$CHECKPOLICY" != "no"; then
+     CHECKPOLICYHELP=`$CHECKPOLICY -h | grep xen`
+     if test "$CHECKPOLICYHELP" = ""; then
+        CHECKPOLICY=no
+     fi
+  fi
+])
diff --git a/tools/configure b/tools/configure
index 66d588a1f8..068fb75128 100755
--- a/tools/configure
+++ b/tools/configure
@@ -620,6 +620,7 @@ GREP
 CPP
 pyconfig
 PYTHONPATH
+CHECKPOLICY
 OCAMLFIND
 OCAMLBUILD
 OCAMLDOC
@@ -667,6 +668,7 @@ rombios
 ovmf
 lomount
 miniterm
+xsmpolicy
 ocamltools
 xenapi
 monitors
@@ -724,6 +726,7 @@ enable_githttp
 enable_monitors
 enable_xenapi
 enable_ocamltools
+enable_xsmpolicy
 enable_miniterm
 enable_lomount
 enable_ovmf
@@ -1382,6 +1385,7 @@ Optional Features:
                           is ENABLED)
   --enable-xenapi         Enable Xen API Bindings (default is DISABLED)
   --disable-ocamltools    Disable Ocaml tools (default is ENABLED)
+  --disable-xsmpolicy     Disable XSM policy compilation (default is ENABLED)
   --enable-miniterm       Enable miniterm (default is DISABLED)
   --enable-lomount        Enable lomount (default is DISABLED)
   --enable-ovmf           Enable OVMF (default is DISABLED)
@@ -2308,6 +2312,8 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 
 
+
+
 # pkg.m4 - Macros to locate and utilise pkg-config.            -*- Autoconf -*-
 # serial 1 (pkg-config-0.24)
 #
@@ -2488,6 +2494,29 @@ ocamltools=$ax_cv_ocamltools
 
 
 
+# Check whether --enable-xsmpolicy was given.
+if test "${enable_xsmpolicy+set}" = set; then :
+  enableval=$enable_xsmpolicy;
+fi
+
+
+if test "x$enable_xsmpolicy" = "xno"; then :
+
+    ax_cv_xsmpolicy="n"
+
+elif test "x$enable_xsmpolicy" = "xyes"; then :
+
+    ax_cv_xsmpolicy="y"
+
+elif test -z $ax_cv_xsmpolicy; then :
+
+    ax_cv_xsmpolicy="y"
+
+fi
+xsmpolicy=$ax_cv_xsmpolicy
+
+
+
 # Check whether --enable-miniterm was given.
 if test "${enable_miniterm+set}" = set; then :
   enableval=$enable_miniterm;
@@ -4904,6 +4933,120 @@ fi
 fi
 
 fi
+if test "x$xsmpolicy" = "xy"; then :
+
+      # check for a checkpolicy binary with support for -t xen
+  if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}checkpolicy", so it can be a program name with args.
+set dummy ${ac_tool_prefix}checkpolicy; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_CHECKPOLICY+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CHECKPOLICY"; then
+  ac_cv_prog_CHECKPOLICY="$CHECKPOLICY" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CHECKPOLICY="${ac_tool_prefix}checkpolicy"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+CHECKPOLICY=$ac_cv_prog_CHECKPOLICY
+if test -n "$CHECKPOLICY"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CHECKPOLICY" >&5
+$as_echo "$CHECKPOLICY" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_CHECKPOLICY"; then
+  ac_ct_CHECKPOLICY=$CHECKPOLICY
+  # Extract the first word of "checkpolicy", so it can be a program name with args.
+set dummy checkpolicy; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if test "${ac_cv_prog_ac_ct_CHECKPOLICY+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_CHECKPOLICY"; then
+  ac_cv_prog_ac_ct_CHECKPOLICY="$ac_ct_CHECKPOLICY" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_CHECKPOLICY="checkpolicy"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CHECKPOLICY=$ac_cv_prog_ac_ct_CHECKPOLICY
+if test -n "$ac_ct_CHECKPOLICY"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CHECKPOLICY" >&5
+$as_echo "$ac_ct_CHECKPOLICY" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_CHECKPOLICY" = x; then
+    CHECKPOLICY="no"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    CHECKPOLICY=$ac_ct_CHECKPOLICY
+  fi
+else
+  CHECKPOLICY="$ac_cv_prog_CHECKPOLICY"
+fi
+
+
+  if test "$CHECKPOLICY" != "no"; then
+     CHECKPOLICYHELP=`$CHECKPOLICY -h | grep xen`
+     if test "$CHECKPOLICYHELP" = ""; then
+        CHECKPOLICY=no
+     fi
+  fi
+
+    if test "x$CHECKPOLICY" = "xno"; then :
+
+        if test "x$enable_xsmpolicy" = "xyes"; then :
+
+            as_fn_error $? "XSM policy compilation enabled, but unable to find checkpolicy" "$LINENO" 5
+fi
+        xsmpolicy="n"
+
+fi
+
+fi
 # Extract the first word of "bash", so it can be a program name with args.
 set dummy bash; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
diff --git a/tools/configure.ac b/tools/configure.ac
index de5d085974..0d384087f4 100644
--- a/tools/configure.ac
+++ b/tools/configure.ac
@@ -28,6 +28,7 @@ m4_include([../m4/path_or_fail.m4])
 m4_include([../m4/python_version.m4])
 m4_include([../m4/python_devel.m4])
 m4_include([../m4/ocaml.m4])
+m4_include([../m4/checkpolicy.m4])
 m4_include([../m4/set_cflags_ldflags.m4])
 m4_include([../m4/uuid.m4])
 m4_include([../m4/pkg.m4])
@@ -42,6 +43,7 @@ AX_ARG_DEFAULT_DISABLE([githttp], [Download GIT repositories via HTTP])
 AX_ARG_DEFAULT_ENABLE([monitors], [Disable xenstat and xentop monitoring tools])
 AX_ARG_DEFAULT_DISABLE([xenapi], [Enable Xen API Bindings])
 AX_ARG_DEFAULT_ENABLE([ocamltools], [Disable Ocaml tools])
+AX_ARG_DEFAULT_ENABLE([xsmpolicy], [Disable XSM policy compilation])
 AX_ARG_DEFAULT_DISABLE([miniterm], [Enable miniterm])
 AX_ARG_DEFAULT_DISABLE([lomount], [Enable lomount])
 AX_ARG_DEFAULT_DISABLE([ovmf], [Enable OVMF])
@@ -93,6 +95,14 @@ AS_IF([test "x$ocamltools" = "xy"], [
         ocamltools="n"
     ])
 ])
+AS_IF([test "x$xsmpolicy" = "xy"], [
+    AC_PROG_CHECKPOLICY
+    AS_IF([test "x$CHECKPOLICY" = "xno"], [
+        AS_IF([test "x$enable_xsmpolicy" = "xyes"], [
+            AC_MSG_ERROR([XSM policy compilation enabled, but unable to find checkpolicy])])
+        xsmpolicy="n"
+    ])
+])
 AX_PATH_PROG_OR_FAIL([BASH], [bash])
 AS_IF([echo "$PYTHON" | grep -q "^/"], [
     PYTHONPATH=$PYTHON
diff --git a/tools/flask/Makefile b/tools/flask/Makefile
index add9035ed8..bc77a06c6b 100644
--- a/tools/flask/Makefile
+++ b/tools/flask/Makefile
@@ -1,8 +1,8 @@
 XEN_ROOT = $(CURDIR)/../..
 include $(XEN_ROOT)/tools/Rules.mk
 
-SUBDIRS :=
-SUBDIRS += utils
+SUBDIRS-y := utils
+SUBDIRS-$(FLASK_POLICY) += policy
 
 .PHONY: all clean install
 all clean install: %: subdirs-%