support policy module configuration at recipe level

On highly storage-limited machines it may be beneficial to completely remove some or all non-essential policy modules. refpolicy already supports this with the 'no' option in modules.conf, so we'll just expose this feature (with an appropriate warning) at the recipe-level. Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2026-01-01 13:58:04 +00:00 · 2019-11-24 20:26:41 -05:00 · 2019-11-24 20:26:41 -05:00 · 4dde95212d
commit 4dde95212d
parent 5fd3c5b71e
3 changed files with 31 additions and 0 deletions
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
@ -44,6 +44,16 @@ EXTRA_POLICY_MODULES += "mta"
 # hostname_t, ping_t, netutils_t) from modules:
 EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"

+# Add specific policy modules here that should be purged from the system
+# policy.  Purged modules will not be built and will not be installed on the
+# target.  To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE!  With this feature it is easy to break your policy by purging
+# core modules (eg.  userdomain)
+# 
+# PURGE_POLICY_MODULES += "xdg xen"
+
 POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"

 # re-write the same func from refpolicy_common.inc
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@ -44,6 +44,17 @@ EXTRA_POLICY_MODULES += "mta"
 # hostname_t, ping_t, netutils_t) from modules:
 EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"

+# Add specific policy modules here that should be purged from the system
+# policy.  Purged modules will not be built and will not be installed on the
+# target.  To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE!  With this feature it is easy to break your policy by purging
+# core modules (eg.  userdomain)
+# 
+# PURGE_POLICY_MODULES += "xdg xen"
+
+
 POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"

 # re-write the same func from refpolicy_common.inc
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@ -122,8 +122,18 @@ python __anonymous () {
        d.setVar('DEFAULT_ENFORCING', 'permissive')
 }

+disable_policy_modules () {
+	for module in ${PURGE_POLICY_MODULES} ; do
+		sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
+	done
+}
+
 do_compile() {
+	if [ -f "${WORKDIR}/modules.conf" ] ; then
+		cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+	fi
 	oe_runmake conf
+	disable_policy_modules
 	oe_runmake policy
 }