* [PATCH] xsm: don't require configuring tools to build xen xsm blob
@ 2016-07-25 15:22 Wei Liu
From: Wei Liu @ 2016-07-25 15:22 UTC (permalink / raw)
  To: Xen-devel
  Cc: Wei Liu, Doug Goldstein, Ian Jackson, Julien Grall,
	Andrew Cooper, Daniel De Graaf

Starting from 08cffe66 ("xsm: add a default policy to .init.data") we
can attach an xsm policy blob to the hypervisor. To build that policy
blob, the hypervisor build system now needs to enter the tools directory.

The expectations for the hypervisor and tools build systems are
different. We don't want the xen build system to depend on configure,
but we do want the tools build system to. That commit broke this
expectation because it required users to run configure before building
the hypervisor. This broke the ARM build because ARM developers normally
build the hypervisor and tools separately (and possibly on different
platforms). It can also break x86 if developers don't run configure
before building the hypervisor with XSM on.

To fix it, move the major part of tools/flask/policy/Makefile into
Makefile.common and create a tools-only Makefile that includes that
common Makefile. The hypervisor Makefile will use Makefile.common to
build the xsm policy.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Julien Grall <julien.grall@arm.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Doug Goldstein <cardoe@cardoe.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>

The flask/policy/Makefile is quite self-contained, hence this patch.

I tested with a failed .config from travis. It worked.

Comments are welcome.
---
 tools/flask/policy/Makefile        | 124 +----------------------------------
 tools/flask/policy/Makefile.common | 128 +++++++++++++++++++++++++++++++++++++
 xen/xsm/flask/Makefile             |   2 +-
 3 files changed, 130 insertions(+), 124 deletions(-)
 create mode 100644 tools/flask/policy/Makefile.common

diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 693eb10..bead199 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -1,126 +1,4 @@
 XEN_ROOT=$(CURDIR)/../../..
 include $(XEN_ROOT)/tools/Rules.mk
 
-########################################
-#
-# Configurable portions of the Makefile
-#
-########################################
-
-CONFIG_MLS ?= n
-
-# Number of available MLS sensitivities and categories.
-# The sensitivities will be s0 to s(MLS_SENS-1).  Dominance will be in
-# increasing numerical order with s0 being lowest.
-MLS_SENS ?= 16
-# The categories will be c0 to c(MLS_CATS-1).
-MLS_CATS ?= 256
-
-# executable paths
-CHECKPOLICY ?= checkpolicy
-M4 ?= m4
-
-# Output security policy version.  Leave unset to autodetect.
-OUTPUT_POLICY ?= $(BEST_POLICY_VER)
-
-########################################
-#
-# End of configuration options
-#
-########################################
-
-POLICY_FILENAME = xenpolicy-$(shell $(MAKE) -C $(XEN_ROOT)/xen xenversion --no-print-directory)
-POLICY_LOADPATH = /boot
-
-# List of policy versions supported by the hypervisor
-POLICY_VER_LIST_HV = 24 30
-
-# policy source layout
-POLDIR := policy
-MODDIR := modules
-
-# Classes and access vectors defined in the hypervisor. Changes to these require
-# a recompile of both the hypervisor and security policy.
-FLASKDIR := ../../../xen/xsm/flask/policy
-SECCLASS := $(FLASKDIR)/security_classes
-ISID_DECLS := $(FLASKDIR)/initial_sids
-AVS := $(FLASKDIR)/access_vectors
-
-# Additional classes and access vectors defined by local policy
-SECCLASS += $(POLDIR)/security_classes
-AVS += $(POLDIR)/access_vectors
-
-# Other policy components
-M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
-MLSSUPPORT := $(POLDIR)/mls
-USERS := $(POLDIR)/users
-ISID_DEFS := $(POLDIR)/initial_sids
-DEV_OCONS := $(POLDIR)/device_contexts
-
-# config file paths
-GLOBALTUN := $(POLDIR)/global_tunables
-MOD_CONF := $(MODDIR)/modules.conf
-
-# checkpolicy can use the #line directives provided by -s for error reporting:
-M4PARAM := -D self_contained_policy -s
-
-# The output of checkpolicy -V is "30 (compatibility range 30-15)", and the
-# first word of the output is the maximum policy version supported.
-CHECKPOLICY_VER_MAX := $(firstword $(shell $(CHECKPOLICY) -V))
-
-# Find the highest version supported by both the hypervisor and checkpolicy
-BEST_POLICY_VER := $(shell best=24; for ver in $(POLICY_VER_LIST_HV); do if test $$ver -le $(CHECKPOLICY_VER_MAX); then best=$$ver; fi; done; echo $$best)
-
-CHECKPOLICY_PARAM := -t Xen -c $(OUTPUT_POLICY)
-
-# enable MLS if requested.
-ifneq ($(CONFIG_MLS),n)
-	M4PARAM += -D enable_mls
-	CHECKPOLICY_PARAM += -M
-endif
-
-# Always define these because they are referenced even in non-MLS policy
-M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
-
-
-# modules.conf setting for policy configuration
-MODENABLED := on
-
-# extract settings from modules.conf
-ENABLED_LIST := $(shell awk '/^[ \t]*[a-z]/{ if ($$3 == "$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null)
-
-# Modules must provide a .te file, although it could be empty
-ALL_MODULES := $(foreach mod,$(ENABLED_LIST),$(MODDIR)/$(mod).te)
-
-# Modules may also provide interfaces and constraint definitions
-ALL_INTERFACES := $(wildcard $(ALL_MODULES:.te=.if))
-ALL_CONSTRAINTS := $(wildcard $(ALL_MODULES:.te=.cons))
-
-# The order of these files is important
-POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
-POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT)
-POLICY_SECTIONS += $(ALL_INTERFACES)
-POLICY_SECTIONS += $(GLOBALTUN)
-POLICY_SECTIONS += $(ALL_MODULES)
-POLICY_SECTIONS += $(USERS)
-POLICY_SECTIONS += $(ALL_CONSTRAINTS)
-POLICY_SECTIONS += $(ISID_DEFS) $(DEV_OCONS)
-
-all: $(POLICY_FILENAME)
-
-install: $(POLICY_FILENAME)
-	$(INSTALL_DIR) $(DESTDIR)/$(POLICY_LOADPATH)
-	$(INSTALL_DATA) $^ $(DESTDIR)/$(POLICY_LOADPATH)
-
-$(POLICY_FILENAME): policy.conf
-	$(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
-
-policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
-	$(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@
-
-clean:
-	$(RM) tmp policy.conf $(POLICY_FILENAME)
-
-distclean: clean
-
-.PHONY: all install clean distclean
+include $(CURDIR)/Makefile.common
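Review bot: `include $(CURDIR)/Makefile.common` only resolves when make's working directory is tools/flask/policy, so this file now depends on being entered with `-C` (as the hypervisor recipe in xen/xsm/flask/Makefile and the normal tools build do); running `make -f tools/flask/policy/Makefile` from elsewhere would not find the file. That matches the existing `XEN_ROOT=$(CURDIR)/../../..` assumption on the first line, but it is worth a comment. Note also that Makefile.common re-assigns XEN_ROOT with the identical value already set here, so the duplicate definition could be dropped from one side.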
diff --git a/tools/flask/policy/Makefile.common b/tools/flask/policy/Makefile.common
new file mode 100644
index 0000000..312dec9
--- /dev/null
+++ b/tools/flask/policy/Makefile.common
@@ -0,0 +1,128 @@
+# This file is referenced by both hypervisor build and tools build
+# so there shouldn't be any tools specific things here.
+
+XEN_ROOT=$(CURDIR)/../../..
+
+########################################
+#
+# Configurable portions of the Makefile
+#
+########################################
+
+CONFIG_MLS ?= n
+
+# Number of available MLS sensitivities and categories.
+# The sensitivities will be s0 to s(MLS_SENS-1).  Dominance will be in
+# increasing numerical order with s0 being lowest.
+MLS_SENS ?= 16
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS ?= 256
+
+# executable paths
+CHECKPOLICY ?= checkpolicy
+M4 ?= m4
+
+# Output security policy version.  Leave unset to autodetect.
+OUTPUT_POLICY ?= $(BEST_POLICY_VER)
+
+########################################
+#
+# End of configuration options
+#
+########################################
+
+POLICY_FILENAME = xenpolicy-$(shell $(MAKE) -C $(XEN_ROOT)/xen xenversion --no-print-directory)
+POLICY_LOADPATH = /boot
+
+# List of policy versions supported by the hypervisor
+POLICY_VER_LIST_HV = 24 30
+
+# policy source layout
+POLDIR := policy
+MODDIR := modules
+
+# Classes and access vectors defined in the hypervisor. Changes to these require
+# a recompile of both the hypervisor and security policy.
+FLASKDIR := ../../../xen/xsm/flask/policy
+SECCLASS := $(FLASKDIR)/security_classes
+ISID_DECLS := $(FLASKDIR)/initial_sids
+AVS := $(FLASKDIR)/access_vectors
+
+# Additional classes and access vectors defined by local policy
+SECCLASS += $(POLDIR)/security_classes
+AVS += $(POLDIR)/access_vectors
+
+# Other policy components
+M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
+MLSSUPPORT := $(POLDIR)/mls
+USERS := $(POLDIR)/users
+ISID_DEFS := $(POLDIR)/initial_sids
+DEV_OCONS := $(POLDIR)/device_contexts
+
+# config file paths
+GLOBALTUN := $(POLDIR)/global_tunables
+MOD_CONF := $(MODDIR)/modules.conf
+
+# checkpolicy can use the #line directives provided by -s for error reporting:
+M4PARAM := -D self_contained_policy -s
+
+# The output of checkpolicy -V is "30 (compatibility range 30-15)", and the
+# first word of the output is the maximum policy version supported.
+CHECKPOLICY_VER_MAX := $(firstword $(shell $(CHECKPOLICY) -V))
+
+# Find the highest version supported by both the hypervisor and checkpolicy
+BEST_POLICY_VER := $(shell best=24; for ver in $(POLICY_VER_LIST_HV); do if test $$ver -le $(CHECKPOLICY_VER_MAX); then best=$$ver; fi; done; echo $$best)
+
+CHECKPOLICY_PARAM := -t Xen -c $(OUTPUT_POLICY)
+
+# enable MLS if requested.
+ifneq ($(CONFIG_MLS),n)
+	M4PARAM += -D enable_mls
+	CHECKPOLICY_PARAM += -M
+endif
+
+# Always define these because they are referenced even in non-MLS policy
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
+
+
+# modules.conf setting for policy configuration
+MODENABLED := on
+
+# extract settings from modules.conf
+ENABLED_LIST := $(shell awk '/^[ \t]*[a-z]/{ if ($$3 == "$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null)
+
+# Modules must provide a .te file, although it could be empty
+ALL_MODULES := $(foreach mod,$(ENABLED_LIST),$(MODDIR)/$(mod).te)
+
+# Modules may also provide interfaces and constraint definitions
+ALL_INTERFACES := $(wildcard $(ALL_MODULES:.te=.if))
+ALL_CONSTRAINTS := $(wildcard $(ALL_MODULES:.te=.cons))
+
+# The order of these files is important
+POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
+POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT)
+POLICY_SECTIONS += $(ALL_INTERFACES)
+POLICY_SECTIONS += $(GLOBALTUN)
+POLICY_SECTIONS += $(ALL_MODULES)
+POLICY_SECTIONS += $(USERS)
+POLICY_SECTIONS += $(ALL_CONSTRAINTS)
+POLICY_SECTIONS += $(ISID_DEFS) $(DEV_OCONS)
+
+all: $(POLICY_FILENAME)
+
+install: $(POLICY_FILENAME)
+	$(INSTALL_DIR) $(DESTDIR)/$(POLICY_LOADPATH)
+	$(INSTALL_DATA) $^ $(DESTDIR)/$(POLICY_LOADPATH)
+
+$(POLICY_FILENAME): policy.conf
+	$(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
+
+policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
+	$(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@
+
+clean:
+	$(RM) tmp policy.conf $(POLICY_FILENAME)
+
+distclean: clean
+
+.PHONY: all install clean distclean
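Review bot: the header comment says nothing tools-specific should live here, but the `install` target uses $(INSTALL_DIR), $(INSTALL_DATA) and $(DESTDIR), which come from tools/Rules.mk and are undefined when this file is read directly with `make -f Makefile.common` from the hypervisor build; in that mode `make install` would reduce the first recipe line to a bare `/boot` and fail. Either keep `install` in the tools-side Makefile (next to `include $(CURDIR)/Makefile.common`) or state that only `all` is supported from the common file. Separately, `CHECKPOLICY ?= checkpolicy` and `M4 ?= m4` are now the only source of tool paths in the configure-less build, and `CHECKPOLICY_VER_MAX := $(firstword $(shell $(CHECKPOLICY) -V))` silently yields an empty value (and BEST_POLICY_VER falls back to 24) when checkpolicy is missing, so the hypervisor build with CONFIG_XSM_POLICY should document that both tools must be on PATH.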
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index a04f605..0ed7d7b 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -32,7 +32,7 @@ obj-$(CONFIG_XSM_POLICY) += policy.o
 POLICY_SRC := $(XEN_ROOT)/tools/flask/policy/xenpolicy-$(XEN_FULLVERSION)
 
 policy.bin: FORCE
-	$(MAKE) -C $(XEN_ROOT)/tools/flask/policy
+	$(MAKE) -f $(XEN_ROOT)/tools/flask/policy/Makefile.common -C $(XEN_ROOT)/tools/flask/policy
 	cmp -s $(POLICY_SRC) $@ || cp $(POLICY_SRC) $@
 
 policy.c: policy.bin gen-policy.py
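Review bot: the new `$(MAKE) -f $(XEN_ROOT)/tools/flask/policy/Makefile.common -C ...` line intentionally stops reading tools/Rules.mk, so whatever tool settings the tools-side configure used to provide no longer reach the policy build; the hypervisor side will pick up whichever `checkpolicy` and `m4` are first on PATH unless CHECKPOLICY=... or M4=... is passed on the make command line. Since the resulting xenpolicy-$(XEN_FULLVERSION) blob is linked into the hypervisor image through policy.o, that assumption belongs in the commit message, and forwarding CHECKPOLICY/M4 from the hypervisor make variables when they are set would keep the two builds producing the same blob.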
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


* Re: [PATCH] xsm: don't require configuring tools to build xen xsm blob
From: Daniel De Graaf @ 2016-07-25 17:57 UTC (permalink / raw)
  To: Wei Liu, Xen-devel
  Cc: Doug Goldstein, Julien Grall, Andrew Cooper, Ian Jackson

On 07/25/2016 11:22 AM, Wei Liu wrote:
> Starting from 08cffe66 ("xsm: add a default policy to .init.data") we
> can attach a xsm policy blob to hypervisor. To build that policy blob
> now hypervisor build system needs to enter tools directory.
>
> The expectation for hypervisor and tools build systems is different. We
> don't want xen build system to depend on configure but we want tools
> build system to. That commit broke this expectation because it required
> users to run configure before building hypervisor. This broke ARM build
> because ARM developers normally build hypervisor and tools separately
> (and possibly on different platforms). It can also break x86 if
> developers don't run configure before building hypervisor with XSM on.
>
> To fix it, move major part of tools/flask/policy/Makefile into
> Makefile.common and create tools only Makefile to include that common
> Makefile. Hypervisor Makefile will use Makefile.common to build xsm
> policy.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>

Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Thanks for fixing this; I intended the build to remain separate but
never actually de-configured a build tree to test.

Using git-send-email -C would make the patch email clearer.


* Re: [PATCH] xsm: don't require configuring tools to build xen xsm blob
From: Ian Jackson @ 2016-07-26 10:14 UTC (permalink / raw)
  To: Wei Liu
  Cc: Andrew Cooper, Doug Goldstein, Julien Grall, Xen-devel, Daniel De Graaf

Wei Liu writes ("[PATCH] xsm: don't require configuring tools to build xen xsm blob"):
> Starting from 08cffe66 ("xsm: add a default policy to .init.data") we
> can attach a xsm policy blob to hypervisor. To build that policy blob
> now hypervisor build system needs to enter tools directory.
> 
> The expectation for hypervisor and tools build systems is different. We
> don't want xen build system to depend on configure but we want tools
> build system to. That commit broke this expectation because it required
> users to run configure before building hypervisor. This broke ARM build
> because ARM developers normally build hypervisor and tools separately
> (and possibly on different platforms). It can also break x86 if
> developers don't run configure before building hypervisor with XSM on.
> 
> To fix it, move major part of tools/flask/policy/Makefile into
> Makefile.common and create tools only Makefile to include that common
> Makefile. Hypervisor Makefile will use Makefile.common to build xsm
> policy.

Your reasoning and patch seem plausible.

I wonder if we should actually test configure-less hypervisor builds.

Ian.


* Re: [PATCH] xsm: don't require configuring tools to build xen xsm blob
From: Julien Grall @ 2016-07-27 15:10 UTC (permalink / raw)
  To: Wei Liu, Xen-devel
  Cc: Doug Goldstein, Daniel De Graaf, Andrew Cooper, Ian Jackson

Hi Wei,

On 25/07/16 16:22, Wei Liu wrote:
> Starting from 08cffe66 ("xsm: add a default policy to .init.data") we
> can attach a xsm policy blob to hypervisor. To build that policy blob
> now hypervisor build system needs to enter tools directory.
>
> The expectation for hypervisor and tools build systems is different. We
> don't want xen build system to depend on configure but we want tools
> build system to. That commit broke this expectation because it required
> users to run configure before building hypervisor. This broke ARM build
> because ARM developers normally build hypervisor and tools separately
> (and possibly on different platforms). It can also break x86 if
> developers don't run configure before building hypervisor with XSM on.
>
> To fix it, move major part of tools/flask/policy/Makefile into
> Makefile.common and create tools only Makefile to include that common
> Makefile. Hypervisor Makefile will use Makefile.common to build xsm
> policy.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>

Tested-by: Julien Grall <julien.grall@arm.com>

Regards,

-- 
Julien Grall


* Re: [PATCH] xsm: don't require configuring tools to build xen xsm blob
From: Wei Liu @ 2016-08-01 10:26 UTC (permalink / raw)
  To: Julien Grall
  Cc: Wei Liu, Doug Goldstein, Ian Jackson, Andrew Cooper, Xen-devel,
	Daniel De Graaf

On Wed, Jul 27, 2016 at 04:10:18PM +0100, Julien Grall wrote:
> Hi Wei,
> 
> On 25/07/16 16:22, Wei Liu wrote:
> >Starting from 08cffe66 ("xsm: add a default policy to .init.data") we
> >can attach a xsm policy blob to hypervisor. To build that policy blob
> >now hypervisor build system needs to enter tools directory.
> >
> >The expectation for hypervisor and tools build systems is different. We
> >don't want xen build system to depend on configure but we want tools
> >build system to. That commit broke this expectation because it required
> >users to run configure before building hypervisor. This broke ARM build
> >because ARM developers normally build hypervisor and tools separately
> >(and possibly on different platforms). It can also break x86 if
> >developers don't run configure before building hypervisor with XSM on.
> >
> >To fix it, move major part of tools/flask/policy/Makefile into
> >Makefile.common and create tools only Makefile to include that common
> >Makefile. Hypervisor Makefile will use Makefile.common to build xsm
> >policy.
> >
> >Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> 
> Tested-by: Julien Grall <julien.grall@arm.com>
> 

Pushed with your tested-by and Daniel's ack.
