
[Xen-changelog] [xen master] xsm: don't require configuring tools to build xen xsm blob



commit 88d61459827ba534fec5e8f099d737cb868c5b23
Author:     Wei Liu <wei.liu2@xxxxxxxxxx>
AuthorDate: Mon Jul 25 16:13:13 2016 +0100
Commit:     Wei Liu <wei.liu2@xxxxxxxxxx>
CommitDate: Mon Aug 1 09:06:07 2016 +0100

    xsm: don't require configuring tools to build xen xsm blob
    
    Starting from 08cffe66 ("xsm: add a default policy to .init.data") we
    can attach a xsm policy blob to hypervisor. To build that policy blob
    now hypervisor build system needs to enter tools directory.
    
    The expectation for hypervisor and tools build systems is different. We
    don't want xen build system to depend on configure but we want tools
    build system to. That commit broke this expectation because it required
    users to run configure before building hypervisor. This broke ARM build
    because ARM developers normally build hypervisor and tools separately
    (and possibly on different platforms). It can also break x86 if
    developers don't run configure before building hypervisor with XSM on.
    
    To fix it, move major part of tools/flask/policy/Makefile into
    Makefile.common and create tools only Makefile to include that common
    Makefile. Hypervisor Makefile will use Makefile.common to build xsm
    policy.
    
    Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
    Acked-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
    Tested-by: Julien Grall <julien.grall@xxxxxxx>
---
 tools/flask/policy/Makefile        | 124 +----------------------------------
 tools/flask/policy/Makefile.common | 128 +++++++++++++++++++++++++++++++++++++
 xen/xsm/flask/Makefile             |   2 +-
 3 files changed, 130 insertions(+), 124 deletions(-)

diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 693eb10..bead199 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -1,126 +1,4 @@
 XEN_ROOT=$(CURDIR)/../../..
 include $(XEN_ROOT)/tools/Rules.mk
 
-########################################
-#
-# Configurable portions of the Makefile
-#
-########################################
-
-CONFIG_MLS ?= n
-
-# Number of available MLS sensitivities and categories.
-# The sensitivities will be s0 to s(MLS_SENS-1).  Dominance will be in
-# increasing numerical order with s0 being lowest.
-MLS_SENS ?= 16
-# The categories will be c0 to c(MLS_CATS-1).
-MLS_CATS ?= 256
-
-# executable paths
-CHECKPOLICY ?= checkpolicy
-M4 ?= m4
-
-# Output security policy version.  Leave unset to autodetect.
-OUTPUT_POLICY ?= $(BEST_POLICY_VER)
-
-########################################
-#
-# End of configuration options
-#
-########################################
-
-POLICY_FILENAME = xenpolicy-$(shell $(MAKE) -C $(XEN_ROOT)/xen xenversion 
--no-print-directory)
-POLICY_LOADPATH = /boot
-
-# List of policy versions supported by the hypervisor
-POLICY_VER_LIST_HV = 24 30
-
-# policy source layout
-POLDIR := policy
-MODDIR := modules
-
-# Classes and access vectors defined in the hypervisor. Changes to these 
require
-# a recompile of both the hypervisor and security policy.
-FLASKDIR := ../../../xen/xsm/flask/policy
-SECCLASS := $(FLASKDIR)/security_classes
-ISID_DECLS := $(FLASKDIR)/initial_sids
-AVS := $(FLASKDIR)/access_vectors
-
-# Additional classes and access vectors defined by local policy
-SECCLASS += $(POLDIR)/security_classes
-AVS += $(POLDIR)/access_vectors
-
-# Other policy components
-M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
-MLSSUPPORT := $(POLDIR)/mls
-USERS := $(POLDIR)/users
-ISID_DEFS := $(POLDIR)/initial_sids
-DEV_OCONS := $(POLDIR)/device_contexts
-
-# config file paths
-GLOBALTUN := $(POLDIR)/global_tunables
-MOD_CONF := $(MODDIR)/modules.conf
-
-# checkpolicy can use the #line directives provided by -s for error reporting:
-M4PARAM := -D self_contained_policy -s
-
-# The output of checkpolicy -V is "30 (compatibility range 30-15)", and the
-# first word of the output is the maximum policy version supported.
-CHECKPOLICY_VER_MAX := $(firstword $(shell $(CHECKPOLICY) -V))
-
-# Find the highest version supported by both the hypervisor and checkpolicy
-BEST_POLICY_VER := $(shell best=24; for ver in $(POLICY_VER_LIST_HV); do if 
test $$ver -le $(CHECKPOLICY_VER_MAX); then best=$$ver; fi; done; echo $$best)
-
-CHECKPOLICY_PARAM := -t Xen -c $(OUTPUT_POLICY)
-
-# enable MLS if requested.
-ifneq ($(CONFIG_MLS),n)
-       M4PARAM += -D enable_mls
-       CHECKPOLICY_PARAM += -M
-endif
-
-# Always define these because they are referenced even in non-MLS policy
-M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
-
-
-# modules.conf setting for policy configuration
-MODENABLED := on
-
-# extract settings from modules.conf
-ENABLED_LIST := $(shell awk '/^[ \t]*[a-z]/{ if ($$3 == "$(MODENABLED)") print 
$$1 }' $(MOD_CONF) 2> /dev/null)
-
-# Modules must provide a .te file, although it could be empty
-ALL_MODULES := $(foreach mod,$(ENABLED_LIST),$(MODDIR)/$(mod).te)
-
-# Modules may also provide interfaces and constraint definitions
-ALL_INTERFACES := $(wildcard $(ALL_MODULES:.te=.if))
-ALL_CONSTRAINTS := $(wildcard $(ALL_MODULES:.te=.cons))
-
-# The order of these files is important
-POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
-POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT)
-POLICY_SECTIONS += $(ALL_INTERFACES)
-POLICY_SECTIONS += $(GLOBALTUN)
-POLICY_SECTIONS += $(ALL_MODULES)
-POLICY_SECTIONS += $(USERS)
-POLICY_SECTIONS += $(ALL_CONSTRAINTS)
-POLICY_SECTIONS += $(ISID_DEFS) $(DEV_OCONS)
-
-all: $(POLICY_FILENAME)
-
-install: $(POLICY_FILENAME)
-       $(INSTALL_DIR) $(DESTDIR)/$(POLICY_LOADPATH)
-       $(INSTALL_DATA) $^ $(DESTDIR)/$(POLICY_LOADPATH)
-
-$(POLICY_FILENAME): policy.conf
-       $(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
-
-policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
-       $(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@
-
-clean:
-       $(RM) tmp policy.conf $(POLICY_FILENAME)
-
-distclean: clean
-
-.PHONY: all install clean distclean
+include $(CURDIR)/Makefile.common
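Review bot: The `install` rule would be better kept in this file, after the added `include $(CURDIR)/Makefile.common`, than moved into Makefile.common. Its recipe uses `$(INSTALL_DIR)` and `$(INSTALL_DATA)`, which Makefile.common does not define and which presumably come from tools/Rules.mk, so the rule only works on the tools path. The new file's own header comment says it should hold nothing tools-specific. Keeping `install: $(POLICY_FILENAME)` and its two recipe lines here would leave the common file with only the build and clean rules the hypervisor needs.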
diff --git a/tools/flask/policy/Makefile.common 
b/tools/flask/policy/Makefile.common
new file mode 100644
index 0000000..312dec9
--- /dev/null
+++ b/tools/flask/policy/Makefile.common
@@ -0,0 +1,128 @@
+# This file is referenced by both hypervisor build and tools build
+# so there shouldn't be any tools specific things here.
+
+XEN_ROOT=$(CURDIR)/../../..
+
+########################################
+#
+# Configurable portions of the Makefile
+#
+########################################
+
+CONFIG_MLS ?= n
+
+# Number of available MLS sensitivities and categories.
+# The sensitivities will be s0 to s(MLS_SENS-1).  Dominance will be in
+# increasing numerical order with s0 being lowest.
+MLS_SENS ?= 16
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS ?= 256
+
+# executable paths
+CHECKPOLICY ?= checkpolicy
+M4 ?= m4
+
+# Output security policy version.  Leave unset to autodetect.
+OUTPUT_POLICY ?= $(BEST_POLICY_VER)
+
+########################################
+#
+# End of configuration options
+#
+########################################
+
+POLICY_FILENAME = xenpolicy-$(shell $(MAKE) -C $(XEN_ROOT)/xen xenversion 
--no-print-directory)
+POLICY_LOADPATH = /boot
+
+# List of policy versions supported by the hypervisor
+POLICY_VER_LIST_HV = 24 30
+
+# policy source layout
+POLDIR := policy
+MODDIR := modules
+
+# Classes and access vectors defined in the hypervisor. Changes to these 
require
+# a recompile of both the hypervisor and security policy.
+FLASKDIR := ../../../xen/xsm/flask/policy
+SECCLASS := $(FLASKDIR)/security_classes
+ISID_DECLS := $(FLASKDIR)/initial_sids
+AVS := $(FLASKDIR)/access_vectors
+
+# Additional classes and access vectors defined by local policy
+SECCLASS += $(POLDIR)/security_classes
+AVS += $(POLDIR)/access_vectors
+
+# Other policy components
+M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
+MLSSUPPORT := $(POLDIR)/mls
+USERS := $(POLDIR)/users
+ISID_DEFS := $(POLDIR)/initial_sids
+DEV_OCONS := $(POLDIR)/device_contexts
+
+# config file paths
+GLOBALTUN := $(POLDIR)/global_tunables
+MOD_CONF := $(MODDIR)/modules.conf
+
+# checkpolicy can use the #line directives provided by -s for error reporting:
+M4PARAM := -D self_contained_policy -s
+
+# The output of checkpolicy -V is "30 (compatibility range 30-15)", and the
+# first word of the output is the maximum policy version supported.
+CHECKPOLICY_VER_MAX := $(firstword $(shell $(CHECKPOLICY) -V))
+
+# Find the highest version supported by both the hypervisor and checkpolicy
+BEST_POLICY_VER := $(shell best=24; for ver in $(POLICY_VER_LIST_HV); do if 
test $$ver -le $(CHECKPOLICY_VER_MAX); then best=$$ver; fi; done; echo $$best)
+
+CHECKPOLICY_PARAM := -t Xen -c $(OUTPUT_POLICY)
+
+# enable MLS if requested.
+ifneq ($(CONFIG_MLS),n)
+       M4PARAM += -D enable_mls
+       CHECKPOLICY_PARAM += -M
+endif
+
+# Always define these because they are referenced even in non-MLS policy
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
+
+
+# modules.conf setting for policy configuration
+MODENABLED := on
+
+# extract settings from modules.conf
+ENABLED_LIST := $(shell awk '/^[ \t]*[a-z]/{ if ($$3 == "$(MODENABLED)") print 
$$1 }' $(MOD_CONF) 2> /dev/null)
+
+# Modules must provide a .te file, although it could be empty
+ALL_MODULES := $(foreach mod,$(ENABLED_LIST),$(MODDIR)/$(mod).te)
+
+# Modules may also provide interfaces and constraint definitions
+ALL_INTERFACES := $(wildcard $(ALL_MODULES:.te=.if))
+ALL_CONSTRAINTS := $(wildcard $(ALL_MODULES:.te=.cons))
+
+# The order of these files is important
+POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
+POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT)
+POLICY_SECTIONS += $(ALL_INTERFACES)
+POLICY_SECTIONS += $(GLOBALTUN)
+POLICY_SECTIONS += $(ALL_MODULES)
+POLICY_SECTIONS += $(USERS)
+POLICY_SECTIONS += $(ALL_CONSTRAINTS)
+POLICY_SECTIONS += $(ISID_DEFS) $(DEV_OCONS)
+
+all: $(POLICY_FILENAME)
+
+install: $(POLICY_FILENAME)
+       $(INSTALL_DIR) $(DESTDIR)/$(POLICY_LOADPATH)
+       $(INSTALL_DATA) $^ $(DESTDIR)/$(POLICY_LOADPATH)
+
+$(POLICY_FILENAME): policy.conf
+       $(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
+
+policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
+       $(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@
+
+clean:
+       $(RM) tmp policy.conf $(POLICY_FILENAME)
+
+distclean: clean
+
+.PHONY: all install clean distclean
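Review bot: The `policy.conf` rule writes through a shell redirect (`$(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@`), so a failed m4 run leaves a partial policy.conf that is newer than its prerequisites and is treated as up to date on the next run. Because this output is now compiled into the policy blob embedded in the hypervisor, the file should not survive a failed recipe. Add `.DELETE_ON_ERROR:` next to the `.PHONY` line, or write to `$@.tmp` and finish with `mv -f $@.tmp $@`. Whether checkpolicy would reject a truncated input depends on where it was cut, so the build should not rely on that.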
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index a04f605..0ed7d7b 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -32,7 +32,7 @@ obj-$(CONFIG_XSM_POLICY) += policy.o
 POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION)
 
 policy.bin: FORCE
-       $(MAKE) -C $(XEN_ROOT)/tools/flask/policy
+       $(MAKE) -f $(XEN_ROOT)/tools/flask/policy/Makefile.common -C 
$(XEN_ROOT)/tools/flask/policy
        cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@
 
 policy.c: policy.bin gen-policy.py
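Review bot: The blob copied into `policy.bin` is whatever `xenpolicy-$(XEN_FULLVERSION)` exists in tools/flask/policy after the sub-make, and that directory is shared with the tools build. Makefile.common rebuilds the policy only when its source files change, so a policy left there by an earlier build with different `CONFIG_MLS`, `MLS_SENS`/`MLS_CATS` or `OUTPUT_POLICY` values would be embedded unchanged. A comment on the rule, e.g. `# NOTE: reuses any up-to-date xenpolicy-* already built in the tools tree`, would make that dependence visible; building into a hypervisor-private output directory would remove it. The `policy.c` rule at the end of the hunk continues outside it.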
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 

