[meta-selinux][PATCH] support policy module configuration at recipe level


Joe MacDonald
 

On highly storage-limited machines it may be beneficial to completely
remove some or all non-essential policy modules. refpolicy already
supports this via the 'off' setting for a module in modules.conf, so we
just expose that setting (with an appropriate warning) at the recipe level.

Signed-off-by: Joe MacDonald <joe_macdonald@...>
---
.../refpolicy/refpolicy-minimum_2.20190201.bb | 10 ++++++++++
recipes-security/refpolicy/refpolicy-minimum_git.bb | 11 +++++++++++
recipes-security/refpolicy/refpolicy_common.inc | 10 ++++++++++
3 files changed, 31 insertions(+)

diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb b=
/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
index 40abe35..01c9fc0 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
@@ -44,6 +44,16 @@ EXTRA_POLICY_MODULES +=3D "mta"
# hostname_t, ping_t, netutils_t) from modules:
EXTRA_POLICY_MODULES +=3D "modutils consoletype hostname netutils"
=20
+# Add specific policy modules here that should be purged from the system
+# policy. Purged modules will not be built and will not be installed on=
the
+# target. To use them at some later time you must specifically build an=
d load
+# the modules by hand on the target.
+#
+# USE WITH CARE! With this feature it is easy to break your policy by p=
urging
+# core modules (eg. userdomain)
+#=20
+# PURGE_POLICY_MODULES +=3D "xdg xen"
+
POLICY_MODULES_MIN =3D "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
=20
# re-write the same func from refpolicy_common.inc
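Review bot: The trailing context comment says a function from refpolicy_common.inc is re-written just below this hunk; if that function is do_compile, the `disable_policy_modules` call that refpolicy_common.inc's do_compile gains in this series never runs for this recipe, and the PURGE_POLICY_MODULES comment added here would describe a knob with no effect in refpolicy-minimum. The rewritten function is outside the hunk, so this needs confirming; if it is do_compile, the override should also call `disable_policy_modules` after `oe_runmake conf`, or the comment should state that purging is only honoured by the non-minimum recipes. The comment could also say what the knob does mechanically so a reader can verify the result: `# Listed modules are set to "off" in policy/modules.conf before the policy is built.`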
diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipe=
s-security/refpolicy/refpolicy-minimum_git.bb
index 40abe35..3b3ca15 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -44,6 +44,17 @@ EXTRA_POLICY_MODULES +=3D "mta"
# hostname_t, ping_t, netutils_t) from modules:
EXTRA_POLICY_MODULES +=3D "modutils consoletype hostname netutils"
=20
+# Add specific policy modules here that should be purged from the system
+# policy. Purged modules will not be built and will not be installed on=
the
+# target. To use them at some later time you must specifically build an=
d load
+# the modules by hand on the target.
+#
+# USE WITH CARE! With this feature it is easy to break your policy by p=
urging
+# core modules (eg. userdomain)
+#=20
+# PURGE_POLICY_MODULES +=3D "xdg xen"
+
+
POLICY_MODULES_MIN =3D "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
=20
# re-write the same func from refpolicy_common.inc
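Review bot: Two blank lines are added between the `PURGE_POLICY_MODULES` example and `POLICY_MODULES_MIN`, whereas the same block in refpolicy-minimum_2.20190201.bb gets one; dropping one keeps the two recipes identical in this section. As in the 2.20190201 recipe, the trailing comment indicates a function from refpolicy_common.inc is re-written below this hunk; if that is do_compile, `disable_policy_modules` is never invoked for this recipe and the new comment would be misleading. The rewritten function is outside the hunk, so please confirm and either call `disable_policy_modules` from the override or qualify the comment.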
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-se=
curity/refpolicy/refpolicy_common.inc
index 137ccee..2d9ace5 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -122,8 +122,18 @@ python __anonymous () {
d.setVar('DEFAULT_ENFORCING', 'permissive')
}
=20
+disable_policy_modules () {
+ for module in ${PURGE_POLICY_MODULES} ; do
+ sed -i "s/^\(\<${module}\>\) *=3D *.*$/\1 =3D off/" ${S}/policy/module=
s.conf
+ done
+}
+
do_compile() {
+ if [ -f "${WORKDIR}/modules.conf" ] ; then
+ cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+ fi
oe_runmake conf
+ disable_policy_modules
oe_runmake policy
}
=20
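Review bot: The sed in `disable_policy_modules` silently does nothing when `${module}` matches no line in modules.conf, so a typo in PURGE_POLICY_MODULES, or a module this refpolicy version does not ship, leaves the module built and installed with no indication. Given the "USE WITH CARE" warning the recipes carry, the loop should check for a matching entry first and at least `bbwarn` on a miss (or `bbfatal` if a wrong purge list should stop the build). The module name is also interpolated unescaped into the sed expression and the paths are unquoted; names in modules.conf are plain identifiers so this is mostly robustness, but quoting costs nothing. Whether `oe_runmake conf` regenerates an existing modules.conf and thus overwrites the copy from WORKDIR is not visible here; if it can, the `cp -f` is ineffective and is worth confirming.

```bitbake
disable_policy_modules () {
	for module in ${PURGE_POLICY_MODULES} ; do
		# A name that matches nothing is almost certainly a typo or a module
		# this refpolicy version does not ship; say so instead of silently
		# leaving the policy unchanged.
		if ! grep -q "^${module} *=" "${S}/policy/modules.conf" ; then
			bbwarn "PURGE_POLICY_MODULES: no entry for '${module}' in modules.conf"
			continue
		fi
		sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" "${S}/policy/modules.conf"
	done
}
# … unchanged: do_compile …
```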
--=20
2.20.1