1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
XEN_ROOT=$(CURDIR)/../../..
include $(XEN_ROOT)/tools/Rules.mk
########################################
#
# Configurable portions of the Makefile
#
########################################
CONFIG_MLS ?= n
# Number of available MLS sensitivities and categories.
# The sensitivities will be s0 to s(MLS_SENS-1). Dominance will be in
# increasing numerical order with s0 being lowest.
MLS_SENS ?= 16
# The categories will be c0 to c(MLS_CATS-1).
MLS_CATS ?= 256
# executable paths
CHECKPOLICY ?= checkpolicy
M4 ?= m4
########################################
#
# End of configuration options
#
########################################
# Policy version
# By default, checkpolicy creates the highest version policy it supports. Force
# the use of version 24 which is the highest that Xen supports, and the first to
# include the Xen policy type (needed for static device policy).
OUTPUT_POLICY = 24
POLICY_FILENAME = xenpolicy.$(OUTPUT_POLICY)
POLICY_LOADPATH = $(DESTDIR)/boot
# policy source layout
POLDIR := policy
MODDIR := $(POLDIR)/modules
# Classes and access vectors defined in the hypervisor. Changes to these require
# a recompile of both the hypervisor and security policy.
FLASKDIR := ../../../xen/xsm/flask/policy
SECCLASS := $(FLASKDIR)/security_classes
ISID_DECLS := $(FLASKDIR)/initial_sids
AVS := $(FLASKDIR)/access_vectors
# Additional classes and access vectors defined by local policy
SECCLASS += $(POLDIR)/security_classes
AVS += $(POLDIR)/access_vectors
# Other policy components
M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
MLSSUPPORT := $(POLDIR)/mls
USERS := $(POLDIR)/users
CONSTRAINTS := $(POLDIR)/constraints
ISID_DEFS := $(POLDIR)/initial_sids
# config file paths
GLOBALTUN := $(POLDIR)/global_tunables
MOD_CONF := $(POLDIR)/modules.conf
# checkpolicy can use the #line directives provided by -s for error reporting:
M4PARAM := -D self_contained_policy -s
CHECKPOLICY_PARAM := -t Xen -c $(OUTPUT_POLICY)
# enable MLS if requested.
ifneq ($(CONFIG_MLS),n)
M4PARAM += -D enable_mls
CHECKPOLICY_PARAM += -M
endif
# Always define these because they are referenced even in non-MLS policy
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
# Find modules
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
# sort here since it removes duplicates, which can happen
# when a generated file is already generated
DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
# modules.conf setting for policy configuration
MODENABLED := on
# extract settings from modules.conf
ENABLED_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS))
ALL_INTERFACES := $(ALL_MODULES:.te=.if)
# The order of these files is important
POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT)
POLICY_SECTIONS += $(ALL_INTERFACES)
POLICY_SECTIONS += $(GLOBALTUN)
POLICY_SECTIONS += $(ALL_MODULES)
POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS)
all: $(POLICY_FILENAME)
install: $(POLICY_FILENAME)
$(INSTALL_DATA) $^ $(POLICY_LOADPATH)
$(POLICY_FILENAME): policy.conf
$(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
policy.conf: $(POLICY_SECTIONS)
$(M4) $(M4PARAM) $^ > $@
clean:
$(RM) tmp policy.conf $(POLICY_FILENAME)
.PHONY: all install clean
|