On highly storage-limited machines it may be beneficial to completely
remove some or all non-essential policy modules.  refpolicy already
supports this with the 'no' option in modules.conf, so we'll just expose
this feature (with an appropriate warning) at the recipe-level.

Signed-off-by: Joe MacDonald <[email protected]>
---
 .../refpolicy/refpolicy-minimum_2.20190201.bb         | 10 ++++++++++
 recipes-security/refpolicy/refpolicy-minimum_git.bb   | 11 +++++++++++
 recipes-security/refpolicy/refpolicy_common.inc       | 10 ++++++++++
 3 files changed, 31 insertions(+)

diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb 
b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
index 40abe35..01c9fc0 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
@@ -44,6 +44,16 @@ EXTRA_POLICY_MODULES += "mta"
 # hostname_t, ping_t, netutils_t) from modules:
 EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
 
+# Add specific policy modules here that should be purged from the system
+# policy.  Purged modules will not be built and will not be installed on the
+# target.  To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE!  With this feature it is easy to break your policy by purging
+# core modules (eg.  userdomain)
+# 
+# PURGE_POLICY_MODULES += "xdg xen"
+
 POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
 
 # re-write the same func from refpolicy_common.inc
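Review bot: The example `PURGE_POLICY_MODULES += "xdg xen"` advertised in this comment may have no effect in this recipe, because the line right after the hunk says a function from refpolicy_common.inc is re-written here; if that function is do_compile (it starts outside the hunk), the `disable_policy_modules` call the same commit adds to the common do_compile is never reached for the minimum recipes. Either the overriding do_compile in this file needs the same `disable_policy_modules` call, or the comment should say the purge list only applies when the common do_compile is used. The same applies to the identical hunk in refpolicy-minimum_git.bb. As a point of style, `(eg.  userdomain)` reads better as `(e.g. userdomain)`, and the `# ` line before the example carries a trailing space.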
diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb 
b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index 40abe35..3b3ca15 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -44,6 +44,17 @@ EXTRA_POLICY_MODULES += "mta"
 # hostname_t, ping_t, netutils_t) from modules:
 EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
 
+# Add specific policy modules here that should be purged from the system
+# policy.  Purged modules will not be built and will not be installed on the
+# target.  To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE!  With this feature it is easy to break your policy by purging
+# core modules (eg.  userdomain)
+# 
+# PURGE_POLICY_MODULES += "xdg xen"
+
+
 POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
 
 # re-write the same func from refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_common.inc 
b/recipes-security/refpolicy/refpolicy_common.inc
index 137ccee..2d9ace5 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -122,8 +122,18 @@ python __anonymous () {
         d.setVar('DEFAULT_ENFORCING', 'permissive')
 }
 
+disable_policy_modules () {
+       for module in ${PURGE_POLICY_MODULES} ; do
+               sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" 
${S}/policy/modules.conf
+       done
+}
+
 do_compile() {
+       if [ -f "${WORKDIR}/modules.conf" ] ; then
+               cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+       fi
        oe_runmake conf
+       disable_policy_modules
        oe_runmake policy
 }
 
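Review bot: A misspelled or unknown module name in PURGE_POLICY_MODULES is silently ignored, because `sed -i` exits 0 when the pattern matches nothing, so a user who believes a module is purged gets no signal that it is still built and installed; guarding each name with a grep and a bbwarn makes the no-op visible. The recipe should also declare a default, `PURGE_POLICY_MODULES ?= ""`, unless it is already set elsewhere in this .inc, so the variable is documented and the loop body is obviously empty by default. The commit description says refpolicy's 'no' option is used, while the sed writes `off`; one of the two should be corrected. The `\<`/`\>` word anchors are a GNU sed extension, which is fine if the build relies on sed-native but worth a comment. do_compile and disable_policy_modules are shown in full in the hunk.

```bitbake
PURGE_POLICY_MODULES ?= ""

disable_policy_modules () {
	for module in ${PURGE_POLICY_MODULES} ; do
		# An unknown name must not be a silent no-op: the module would
		# still be built and installed while the user believes it is purged.
		if ! grep -q "^${module} *=" "${S}/policy/modules.conf" ; then
			bbwarn "PURGE_POLICY_MODULES: no module '${module}' in modules.conf, nothing purged"
			continue
		fi
		sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" "${S}/policy/modules.conf"
	done
}

# … unchanged: do_compile …
```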
-- 
2.20.1
