PERFORCE change 107772 for review
Todd Miller
millert at FreeBSD.org
Thu Oct 12 12:34:34 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=107772
Change 107772 by millert at millert_macbook on 2006/10/12 19:33:59
Fix handling of migscs data. We now install sebsd_migscs in
the policy dir alongside the binary policy file which makes
it possible to reload it via load_policy.
Fix path to load_policy so "make reload" can work.
Trim leading underscores from MiG class method names since
checkpolicy requires names to start with a letter.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/migscs.pl#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/update_plist#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Makefile#3 (text+ko) ====
@@ -76,7 +76,7 @@
SEMOD_PKG ?= $(BINDIR)/semodule_package
SEMOD_LNK ?= $(BINDIR)/semodule_link
SEMOD_EXP ?= $(BINDIR)/semodule_expand
-LOADPOLICY ?= $(BINDIR)/load_policy
+LOADPOLICY ?= $(SBINDIR)/load_policy
SETFILES ?= $(BINDIR)/setfiles
MIG ?= $(BINDIR)/mig
endif
@@ -624,21 +624,18 @@
endif
endif
-all: default sebsd_migscs
+all: default
$(mig_msgids): $(MIG_DEFS)
echo > $@
for i in $(MIG_DEFS); do $(MIG) -user /dev/null -server /dev/null -header /dev/null -sheader /dev/null -flasksc `basename $$i .defs`.flask $$i; cat `basename $$i .defs`.flask >> $@; done
$(mig_avs): $(mig_msgids)
- cat $< | awk '{print $$1, $$2}' > $@
+ cat $< | awk '{sub("^_*", "", $$1); print $$1, $$2}' > $@
$(mig_secclass): $(mig_avs)
grep '^class' $< > $@
-sebsd_migscs: $(secclass) $(mig_msgids)
- cat $(secclass) $(mig_msgids) | perl migscs.pl
-
.PHONY: install-src install-appconfig generate xml conf html bare tags
.SUFFIXES:
.SUFFIXES: .c
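Review bot: The `sub("^_*", "", $$1)` added to the `$(mig_avs)` recipe maps `_name` and `name` to the same identifier, so two distinct MiG methods could silently end up sharing one permission name. A name that begins with a digit once the underscores are gone would still be rejected by checkpolicy. Whether the .defs files contain such names is not visible here, but a duplicate check on the generated file would turn a silent merge into a build error. The rewrite is applied only to `$(mig_avs)` while `$(mig_msgids)` keeps the original names, which deserves a comment such as `# leading underscores stripped: checkpolicy identifiers must start with a letter`.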
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#4 (text+ko) ====
@@ -17,6 +17,7 @@
policy_conf = $(builddir)policy.conf
fc = $(builddir)file_contexts
polver = $(builddir)policy.$(pv)
+migscs = $(builddir)sebsd_migscs
homedir_template = $(builddir)homedir_template
M4PARAM += -D self_contained_policy
@@ -24,6 +25,7 @@
# install paths
policypath = $(installdir)/policy
loadpath = $(policypath)/$(notdir $(polver))
+migscs_loadpath = $(policypath)/sebsd_migscs
homedirpath = $(contextpath)/files/homedir_template
appfiles += $(installdir)/booleans $(userpath)/local.users
@@ -51,14 +53,14 @@
#
default: policy
-policy: $(polver)
+policy: $(polver) $(migscs)
ifeq ($(SEDARWIN_BUILD),1)
-install: install-src $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- ./update_plist --policy=$(loadpath) --migscs=sebsd_migscs --install-dir=/etc/sedarwin/$(strip $(NAME))/policy ../sedarwin/mac_sedarwin.kext/Contents/Info.plist && make -C ../sedarwin mac_sedarwin.kext.tar install
+install: install-src $(loadpath) $(migscs_loadpath) $(fcpath) $(ncpath) $(appfiles)
+ ./update_plist --policy=$(loadpath) --migscs=$(migscs_loadpath) --install-dir=/etc/sedarwin/$(strip $(NAME))/policy ../sedarwin/mac_sedarwin.kext/Contents/Info.plist && make -C ../sedarwin mac_sedarwin.kext.tar install
else
-install: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- ./update_plist --policy=$(loadpath) /System/Library/Extensions/mac_sedarwin.kext/Contents/Info.plist
+install: $(loadpath) $(migscs_loadpath) $(fcpath) $(ncpath) $(appfiles)
+ ./update_plist --policy=$(loadpath) --migscs=$(migscs_loadpath) /System/Library/Extensions/mac_sedarwin.kext/Contents/Info.plist
rm -f /System/Library/Extensions.kextcache /System/Library/Extensions.mkext
endif
@@ -82,6 +84,9 @@
endif
$(verbose) $(CHECKPOLICY) -o $@ $^
+$(migscs): $(secclass) $(mig_msgids)
+ cat $(secclass) $(mig_msgids) | perl migscs.pl > $@
+
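Review bot: The new `$(migscs)` recipe redirects straight into `$@`, so the shell creates the target before `perl migscs.pl` has produced anything. A failed or interrupted run then leaves an empty or truncated file that make treats as up to date. Writing to a temporary name and renaming only on success avoids that: `cat $(secclass) $(mig_msgids) | perl migscs.pl > $@.tmp && mv $@.tmp $@`. The pipeline's exit status is that of `perl` alone, so a failing `cat` would still go unnoticed. The same recipe is repeated for `$(migscs_loadpath)` in the next hunk, where the partial file would land in the installed policy directory.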
########################################
#
# Install a binary policy
@@ -94,15 +99,18 @@
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
@echo
endif
- $(verbose) $(CHECKPOLICY) -o $@ $^
+ $(verbose) $(CHECKPOLICY) -o $@ $<
+
+$(migscs_loadpath): $(secclass) $(mig_msgids)
+ cat $(secclass) $(mig_msgids) | perl migscs.pl > $@
########################################
#
# Load the binary policy
#
-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- @echo "Loading $(NAME) $(loadpath)"
- $(verbose) $(LOADPOLICY) -q $(loadpath)
+reload $(tmpdir)/load: $(loadpath) $(migscs_loadpath) $(fcpath) $(ncpath) $(appfiles)
+ @echo "Loading $(NAME) $(shell sysctl -n security.mac.sebsd.policypath)"
+ $(verbose) $(LOADPOLICY) -q
@touch $(tmpdir)/load
########################################
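Review bot: The `reload` recipe no longer passes `$(loadpath)` to `$(LOADPOLICY)`, so what gets loaded is presumably whatever path the kernel reports in `security.mac.sebsd.policypath`, while the prerequisites only guarantee that `$(loadpath)` and `$(migscs_loadpath)` are current. If the two differ (another `NAME`, or a kext plist that was never updated), `make reload` would report success after loading a policy other than the one just built. If the sysctl fails, the echo prints an empty path and the recipe carries on. A guard before the load that compares the sysctl value with the install location and stops on mismatch would make this visible. Separately, the `$(migscs_loadpath)` rule regenerates the file from `$(secclass) $(mig_msgids)` rather than copying the already built `$(migscs)`, so the built and installed copies come from two runs of a duplicated recipe.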
@@ -260,6 +268,10 @@
clean:
rm -f $(policy_conf)
rm -f $(polver)
+ rm -f $(migscs)
+ rm -f $(poldir)/mig_classes
+ rm -f $(poldir)/mig_access_vectors
+ rm -f $(poldir)/mig_msgids
rm -f $(fc)
rm -f $(homedir_template)
rm -f $(net_contexts)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/migscs.pl#2 (text+ko) ====
@@ -1,6 +1,5 @@
#!/usr/bin/perl
-open (OUT, "> sebsd_migscs") || die ("cant open sebsd_migscs");
my %scs;
my $curclass = 0;
@@ -16,7 +15,7 @@
elsif (/^class/) { $curclass++; }
}
-print "$curclass classes\n";
+warn "$curclass classes\n";
my $out;
foreach my $c (keys %scs) {
@@ -25,6 +24,4 @@
foreach my $c (@ca) { $out .= pack ('I', $c); }
}
-print OUT $out;
-close (OUT);
-
+print $out;
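Review bot: `print $out` now sends the packed binary table to STDOUT, but nothing sets `binmode(STDOUT)` and the write is never checked. An I/O layer picked up from the environment or a full disk would therefore yield a corrupt `sebsd_migscs` with exit status 0. Adding `binmode(STDOUT);` before the print and `close(STDOUT) or die "$0: write failed: $!\n";` after it lets the Makefile rules see the failure. `pack ('I', $c)` uses the build host's native integer size and byte order, which matters only if the file can be built on one architecture and loaded on another; that is not determinable from this hunk. The loop that fills `$out` starts outside the hunk.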
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/update_plist#4 (xtext) ====
@@ -25,7 +25,8 @@
$status = GetOptions("policy=s" => \$policy_file, "migscs=s" => \$migscs_file,
"enforce!" => \$enforcing_mode, "install-dir=s" => \$install_dir);
&usage() unless $status && $#ARGV == 0;
-die "$0: install dir must be fully-qualified\n" unless $install_dir =~ /^\//;
+die "$0: install dir must be fully-qualified\n" unless
+ !defined($install_dir) || $install_dir =~ /^\//;
$plist_file = $ARGV[0];
my $data = Mac::PropertyList::parse_plist_file($plist_file) ||
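Review bot: The new guard `unless !defined($install_dir) || $install_dir =~ /^\//` is a double negative that is easy to misread; `die "$0: install dir must be fully-qualified\n" if defined($install_dir) && $install_dir !~ m{^/};` states the same condition directly. Because `--install-dir` may now be absent, every later use of `$install_dir` (outside this hunk) has to cope with undef. `--policy` and `--migscs` get no comparable absolute-path check although, judging by the Makefile changes, they are now passed as installed paths and appear to be recorded in the kext's Info.plist.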