# This file is referenced by both the hypervisor build and the tools build,
# so there shouldn't be any tools-specific things here.
3
# Top of the Xen source tree, located relative to this directory.
XEN_ROOT := $(CURDIR)/../../..

# The including build must tell us where generated files go; refuse to
# continue with an empty output directory.
ifeq ($(FLASK_BUILD_DIR),)
$(error FLASK_BUILD_DIR not set)
endif
9
10########################################
11#
12# Configurable portions of the Makefile
13#
14########################################
15
# Build a Multi-Level Security policy when set to anything other than "n":
# this adds -D enable_mls to M4PARAM and -M to CHECKPOLICY_PARAM further down.
CONFIG_MLS ?= n

# Number of available MLS sensitivities and categories.
# The sensitivities will be s0 to s(MLS_SENS-1).  Dominance will be in
# increasing numerical order with s0 being lowest.
MLS_SENS ?= 16
# The categories will be c0 to c(MLS_CATS-1).
MLS_CATS ?= 256

# executable paths (?= so the command line or environment can override them)
CHECKPOLICY ?= checkpolicy
M4 ?= m4

# Output security policy version.  Leave unset to autodetect.
# Deliberately recursive (?=): BEST_POLICY_VER is computed later in this file.
OUTPUT_POLICY ?= $(BEST_POLICY_VER)
31
32########################################
33#
34# End of configuration options
35#
36########################################
37
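# Name of the compiled policy, suffixed with the hypervisor version reported by
# "make xenversion".  Expand once (:=): with a recursive assignment the
# sub-make was re-run every time POLICY_FILENAME was expanded (rule headers,
# recipes, clean/uninstall), which is slow and noisy.
POLICY_FILENAME := $(FLASK_BUILD_DIR)/xenpolicy-$(shell $(MAKE) -C $(XEN_ROOT)/xen xenversion --no-print-directory)
# Directory (under DESTDIR) that install/uninstall operate on.
POLICY_LOADPATH := /boot

# List of policy versions supported by the hypervisor
POLICY_VER_LIST_HV := 24 30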
43
# policy source layout
POLDIR := policy
MODDIR := modules

# Classes and access vectors defined in the hypervisor. Changes to these require
# a recompile of both the hypervisor and security policy.  The local policy
# may add classes and access vectors of its own; the hypervisor's definitions
# are listed first so they are processed first.
FLASKDIR   := ../../../xen/xsm/flask/policy
SECCLASS   := $(FLASKDIR)/security_classes $(POLDIR)/security_classes
ISID_DECLS := $(FLASKDIR)/initial_sids
AVS        := $(FLASKDIR)/access_vectors $(POLDIR)/access_vectors

# Other policy components (M4SUPPORT is globbed now, at parse time)
M4SUPPORT  := $(wildcard $(POLDIR)/support/*.spt)
MLSSUPPORT := $(POLDIR)/mls
USERS      := $(POLDIR)/users
ISID_DEFS  := $(POLDIR)/initial_sids
DEV_OCONS  := $(POLDIR)/device_contexts

# config file paths
GLOBALTUN := $(POLDIR)/global_tunables
MOD_CONF  := $(MODDIR)/modules.conf

# checkpolicy can use the #line directives provided by -s for error reporting:
M4PARAM := -D self_contained_policy -s
72
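# The output of checkpolicy -V is "30 (compatibility range 30-15)", and the
# first word of the output is the maximum policy version supported.
CHECKPOLICY_VER_MAX := $(firstword $(shell $(CHECKPOLICY) -V))

# Find the highest version supported by both the hypervisor and checkpolicy.
# If checkpolicy is not available CHECKPOLICY_VER_MAX is empty; skip the
# comparison then instead of letting `test` print an error for every version,
# and fall back to the oldest supported version (24).
BEST_POLICY_VER := $(shell best=24; \
    for ver in $(POLICY_VER_LIST_HV); do \
        if test -n "$(CHECKPOLICY_VER_MAX)" && test $$ver -le $(CHECKPOLICY_VER_MAX); then best=$$ver; fi; \
    done; echo $$best)

CHECKPOLICY_PARAM := -t Xen -c $(OUTPUT_POLICY)

# enable MLS if requested.
# Indented with spaces on purpose: a tab-indented line is treated as recipe
# text as soon as a rule precedes it, which would silently drop these
# assignments if a rule were ever added above this point.
ifneq ($(CONFIG_MLS),n)
  M4PARAM += -D enable_mls
  CHECKPOLICY_PARAM += -M
endif

# Always define these because they are referenced even in non-MLS policy
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)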
90
91
# modules.conf setting for policy configuration
MODENABLED := on

# extract settings from modules.conf: the first field of every line whose
# third field equals MODENABLED (errors, e.g. a missing file, are silenced)
ENABLED_LIST := $(shell awk '/^[ \t]*[a-z]/{ if ($$3 == "$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null)

# Modules must provide a .te file, although it could be empty
ALL_MODULES := $(addprefix $(MODDIR)/,$(addsuffix .te,$(ENABLED_LIST)))

# Modules may also provide interfaces and constraint definitions; only the
# files that actually exist are picked up
ALL_INTERFACES  := $(wildcard $(patsubst %.te,%.if,$(ALL_MODULES)))
ALL_CONSTRAINTS := $(wildcard $(patsubst %.te,%.cons,$(ALL_MODULES)))

# The order of these files is important: this is the order they are fed to m4
POLICY_SECTIONS := \
    $(SECCLASS) $(ISID_DECLS) $(AVS) \
    $(M4SUPPORT) $(MLSSUPPORT) \
    $(ALL_INTERFACES) \
    $(GLOBALTUN) \
    $(ALL_MODULES) \
    $(USERS) \
    $(ALL_CONSTRAINTS) \
    $(ISID_DEFS) $(DEV_OCONS)
114
# Build the compiled security policy.
all: $(POLICY_FILENAME)
116
# Copy the compiled policy into POLICY_LOADPATH under DESTDIR.
# INSTALL_DIR and INSTALL_DATA are not defined here; presumably the including
# build supplies them — verify against the caller.
install: $(POLICY_FILENAME)
	$(INSTALL_DIR) $(DESTDIR)/$(POLICY_LOADPATH)
	$(INSTALL_DATA) $< $(DESTDIR)/$(POLICY_LOADPATH)
120
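# Remove the installed policy.  POLICY_FILENAME carries the FLASK_BUILD_DIR
# prefix, so only its basename is installed under POLICY_LOADPATH; strip the
# directory part, otherwise the removed path is
# $(DESTDIR)/$(POLICY_LOADPATH)/<build dir>/xenpolicy-... and nothing happens.
uninstall:
	$(RM) $(DESTDIR)/$(POLICY_LOADPATH)/$(notdir $(POLICY_FILENAME))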
123
# Compile the preprocessed policy.conf into the binary policy.
$(POLICY_FILENAME): $(FLASK_BUILD_DIR)/policy.conf
	$(CHECKPOLICY) $(CHECKPOLICY_PARAM) $< -o $@
126
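# Concatenate and preprocess the policy sources with m4.  MOD_CONF is a
# prerequisite (it determines which modules are in POLICY_SECTIONS) but is
# not itself fed to m4, hence POLICY_SECTIONS rather than $^.
# Write to a temporary file first: redirecting straight to $@ creates the
# target before m4 runs, so a failed m4 left a truncated policy.conf that
# looked up to date on the next run.
$(FLASK_BUILD_DIR)/policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
	$(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@.tmp
	mv -f $@.tmp $@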
129
# Remove the generated files only; policy sources are untouched.
clean:
	$(RM) $(POLICY_FILENAME) $(FLASK_BUILD_DIR)/policy.conf
132
# Nothing beyond clean is generated here.
distclean: clean
134
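.PHONY: all install clean distclean uninstall

# Delete a target whose recipe failed, so a policy.conf created by the `>`
# redirection before m4 ran, or a partially written binary policy, is never
# taken as up to date by the next invocation.
.DELETE_ON_ERROR: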
136