fix makefile style so internal variables are lowercase
1 ########################################
2 #
3 # Rules and Targets for building modular policies
4 #
5
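# Every module source (.te) named by the base, loadable-module and "off"
# lists, plus the interface file (.if) that sits next to each one.
all_modules := $(base_mods) $(mod_mods) $(off_mods)
all_interfaces := $(all_modules:.te=.if)

# Outputs of the base module build. $(builddir) is joined without a '/',
# so it is expected to be empty or to end in a slash.
base_pkg := $(builddir)base.pp
base_fc := $(builddir)base.fc
base_conf := $(builddir)base.conf
base_mod := $(tmpdir)/base.mod

users_extra := $(tmpdir)/users_extra

# The pieces that are concatenated, in this order, into $(base_conf).
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf

# Inputs of the base policy, grouped by the stage that consumes them.
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
base_te_files := $(base_mods)
base_post_te_files := $(user_files) $(poldir)/constraints
base_fc_files := $(base_mods:.te=.fc)

# One package per loadable module, placed directly in $(builddir).
mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))

# policy packages to install
# Only the bare file names go under $(modpkgdir). $(mod_pkgs) already carries
# the $(builddir) prefix; keeping it would ask for
# $(modpkgdir)/$(builddir)NAME.pp, which the install rule neither matches nor
# creates whenever $(builddir) is not empty.
instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg) $(mod_pkgs)))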
27
# search layer dirs for source files
# Module sources, interfaces and file contexts are named without a directory
# in the pattern rules; make looks them up in each directory of $(all_layers).
vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
32
33 # broken in make 3.81:
34 #.SECONDARY:
35
36 ########################################
37 #
38 # default action: create all module packages
39 #
# Entry-point targets. None of them has a recipe; each only names the build
# products it stands for.

# "make" with no goal behaves like "make policy".
default: policy

# "all" and "policy" are two names for the same thing: base plus modules.
all: base modules
policy: base modules

# The base module package on its own.
base: $(base_pkg)

# Every loadable module package.
modules: $(mod_pkgs)

# Installed policy packages and application configuration files.
install: $(instpkg) $(appfiles)
49
50 ########################################
51 #
52 # Load all configured modules
53 #
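# Make sure the packages and application files are installed, then pass the
# base package (-b) and every module package (-i) to $(SEMODULE) in a single
# invocation for policy store $(NAME).
# The module paths are rebuilt from the bare file names: $(mod_pkgs) carries
# the $(builddir) prefix, and repeating it under $(modpkgdir) would point
# $(SEMODULE) at packages that were never installed there.
load: $(instpkg) $(appfiles)
	@echo "Loading configured modules."
	$(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(notdir $(mod)))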
57
58 ########################################
59 #
60 # Install policy packages
61 #
# Copy one built package from $(builddir) into $(modpkgdir), creating the
# directory first. The mode is given explicitly (0644), so the installed
# package does not inherit whatever permissions the build left on it.
$(modpkgdir)/%.pp: $(builddir)%.pp
	@mkdir -p $(modpkgdir)
	@echo "Installing $(NAME) $(@F) policy package."
	$(verbose) $(INSTALL) -m 0644 $< $(modpkgdir)
66
67 ########################################
68 #
69 # Build module packages
70 #
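# Compile one loadable module.
# The module source (%.te, located through vpath) is expanded by $(M4)
# together with the support macros, the generated definitions, all interfaces
# and the per-module $@.role file; the expansion is written to a .tmp file
# next to the target and then compiled with $(CHECKMODULE) -m.
# peruser-expansion is defined outside this file; it is called with the
# module name and $@.role and presumably produces that file.
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
	@echo "Compiling $(NAME) $(@F) module"
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(call peruser-expansion,$(basename $(@F)),$@.role)
	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@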
77
# Expand one module's file-context source (%.fc) with the m4 support macros.
# NOTE(review): $(m4support) reaches $(M4) twice here, once by name and once
# through $^; the other m4 rules in this file pass it only through $^.
$(tmpdir)/%.mod.fc: $(m4support) %.fc
	@mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
81
# Bundle a compiled module ($<, the .mod file) and its expanded file contexts
# ($<.fc, which is the second prerequisite) into a policy package.
$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
	@echo "Creating $(NAME) $(@F) policy package"
	@test -d $(builddir) || mkdir -p $(builddir)
	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
86
87 ########################################
88 #
89 # Create a base module package
90 #
# Bundle the compiled base module with its file contexts, the extra user
# records, the seusers file and the network contexts into the base package.
# Each $(SEMOD_PKG) option gets its own line so the five inputs are easy to
# check against the prerequisite list.
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(seusers) $(net_contexts)
	@echo "Creating $(NAME) base module package"
	@test -d $(builddir) || mkdir -p $(builddir)
	$(verbose) $(SEMOD_PKG) -o $@ \
		-m $(base_mod) \
		-f $(base_fc) \
		-u $(users_extra) \
		-s $(seusers) \
		-n $(net_contexts)
95
# Compile the assembled base.conf into the base module. $(base_conf) is the
# only prerequisite, so it is named through $<.
$(base_mod): $(base_conf)
	@echo "Compiling $(NAME) base module"
	$(verbose) $(CHECKMODULE) $< -o $@
99
# Expand the user files with the users_extra macro defined, strip leading
# blanks from every line, and keep only the lines that begin with "user".
$(users_extra): $(m4support) $(user_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
		$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
104
105 ########################################
106 #
107 # Construct a base.conf
108 #
# Join the sections into base.conf. The order of $(base_sections) is the
# order of the policy source, so $^ is used as given.
$(base_conf): $(base_sections)
	@echo "Creating $(NAME) base module $(@F)"
	@mkdir -p $(@D)
	$(verbose) cat $^ > $@
113
# Expand the declarations that come before any module source (the files in
# $(base_pre_te_files)), with self_contained_policy defined for this target.
$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
	@mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@
118
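# Generate the m4 definitions shared by every module build:
#   1. the output of $(genperm) for $(avs) and $(secclass),
#   2. a base_per_userdomain_template macro that calls
#      NAME_per_userdomain_template for each base module that defines one,
#   3. the output of $(setbools) for $(booleans), when that file exists.
# NOTE(review): $(avs), $(secclass) and $(booleans) are read by the recipe but
# are not prerequisites, so editing them alone does not trigger a rebuild.
$(tmpdir)/generated_definitions.conf: $(base_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
	$(verbose) $(genperm) $(avs) $(secclass) > $@
# per-userdomain templates
	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
	$(verbose) for i in $(patsubst %.te,%,$(base_mods)); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
			>> $@ ;\
	done
	$(verbose) echo "')" >> $@
# A missing booleans file is still skipped quietly, but a $(setbools) run
# that fails now stops the build. The previous "&& ... || true" form hid
# that failure and let the policy be built without the configured settings.
	$(verbose) if test -f "$(booleans)"; then $(setbools) $(booleans) >> $@; fi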
131
# Expand the global booleans and tunables with the support macros and the
# generated definitions, with self_contained_policy defined for this target.
# No mkdir is needed here: the generated_definitions.conf prerequisite lives
# in $(tmpdir) and its rule creates the directory.
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
	$(verbose) $(M4) $(M4PARAM) $^ > $@
135
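# Collect every module interface into one m4 file.
# The result is wrapped in "divert(-1)" ... "divert". The appended iferror.m4
# makes $(M4) exit with status 1 when __if_error has been defined during the
# expansion, and the sed step turns the placeholder "dollarsstar" back into
# a literal $*.
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(tmpdir)/iferror.m4
	@echo "divert(-1)" > $@
# Overwrite the scratch file. Appending to it (">>") kept the expansion of
# every earlier run, so a rebuild after an interface change fed both the old
# and the new interface text into the policy build.
	$(verbose) $(M4) $^ $(tmpdir)/iferror.m4 > $(tmpdir)/$(@F).tmp
	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
	@echo "divert" >> $@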
143
# Produce the role map for the base module. parse-rolemap is defined outside
# this file; it is called with the module name "base" and the output path.
$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/rolemap.conf: $(rolemap)
	$(call parse-rolemap,base,$@)
147
# Expand all base module sources into a single file, together with the
# support macros, generated definitions, interfaces and the role map.
# When no base module is enabled, the $(error) line becomes the first line of
# the recipe and aborts with a hint to run "make conf".
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
ifeq "$(strip $(base_te_files))" ""
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
155
# Expand the statements that follow the module sources (the files in
# $(base_post_te_files)), with self_contained_policy defined for this target.
$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files)
	@mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@
160
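# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
#
# One run of this recipe writes all three outputs. It is written as a pattern
# rule (the stem is "conf") because make treats several targets of a pattern
# rule as products of a single recipe run. An explicit "a b c: deps" header
# declares three independent rules instead, and "make -j" may then run the
# recipe several times at once, with each run truncating and appending to the
# same all_post.conf and scrambling the statement order the policy relies on.
$(tmpdir)/all_attrs_types.% $(tmpdir)/only_te_rules.% $(tmpdir)/all_post.%: $(tmpdir)/all_te_files.% $(tmpdir)/post_te_files.%
	$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
	$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
# these have to run individually because order matters:
# ("|| true" keeps a grep that finds no such statement from failing the build)
	$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf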
174
175 ########################################
176 #
177 # Construct a base.fc
178 #
# Sort the expanded file contexts into the final base.fc. $(fcsort) is listed
# as a prerequisite as well, so a rebuilt sorter re-sorts the file; it is
# invoked with the unsorted input ($<) and the output path ($@).
$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
	$(verbose) $(fcsort) $< $@
181
# Expand the file-context sources of all base modules into one unsorted file.
# When $(base_fc_files) is empty, the $(error) line becomes the first line of
# the recipe and aborts with a hint to run "make conf".
$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
ifeq ($(base_fc_files),)
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@echo "Creating $(NAME) base module file contexts."
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@
189
190 ########################################
191 #
192 # Remove the dontaudit rules from the base.conf
193 #
# Rewrite $(base_conf) in place without any line that contains the string
# "dontaudit", so that denials those rules would have silenced get logged.
# The filter is a plain substring match on whole lines: a comment or a name
# that merely contains "dontaudit" is dropped too, and a rule that spans
# several lines loses only the lines carrying the word.
# NOTE(review): this edits a build product. When make next regenerates
# $(base_conf) from its sections, the dontaudit rules come back.
enableaudit: $(base_conf)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	@echo "Removing dontaudit rules from $(^F)"
	$(verbose) $(GREP) -v dontaudit $(base_conf) > $(tmpdir)/base.audit
	$(verbose) mv $(tmpdir)/base.audit $(base_conf)
199
200 ########################################
201 #
202 # Appconfig files
203 #
# List the types that base.conf declares as customizable.
# From every "type ... customizable" line, keep the text before the first ';'
# and the first ',', take its second space-separated field (the type name),
# then sort and de-duplicate. The list is staged in $(tmpdir) and installed
# with an explicit mode.
$(appdir)/customizable_types: $(base_conf)
	@mkdir -p $(appdir)
	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< \
		| cut -d';' -f1 \
		| cut -d',' -f1 \
		| cut -d' ' -f2 \
		| $(SORT) -u > $(tmpdir)/customizable_types
	$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
208
209 ########################################
210 #
211 # Validate linking and expanding of modules
212 #
# Check that the base package and all module packages link together
# ($(SEMOD_LNK)) and that the linked result expands ($(SEMOD_EXP)).
# The two steps share one recipe line; the expansion runs only when linking
# succeeded, and "Success." is printed only when both did.
validate: $(base_pkg) $(mod_pkgs)
	@echo "Validating policy linking."
	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ && \
		$(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
	@echo "Success."
218
219 ########################################
220 #
221 # Clean the sources
222 #
# Remove everything this file builds: the base.conf and base.fc outputs, all
# packages in $(builddir), the network contexts file and the whole scratch
# directory. The plain files go in one rm call, the directory in a second.
clean:
	rm -f $(base_conf) $(base_fc) $(builddir)*.pp $(net_contexts)
	rm -fR $(tmpdir)
229
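# Targets that name an action rather than a file. enableaudit belongs here
# too: without it, a file called "enableaudit" that is newer than base.conf
# would make "make enableaudit" do nothing.
.PHONY: default all policy base modules install load clean validate enableaudit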