support policy module configuration at recipe level

On highly storage-limited machines it may be beneficial to completely
remove some or all non-essential policy modules.  refpolicy already
supports this with the 'no' option in modules.conf, so we'll just expose
this feature (with an appropriate warning) at the recipe-level.

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

3 files changed, 31 insertions, 0 deletions

diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
index 40abe35..01c9fc0 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
@@ -44,6 +44,16 @@ EXTRA_POLICY_MODULES += "mta"
 # hostname_t, ping_t, netutils_t) from modules:
 EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
 
+# Add specific policy modules here that should be purged from the system
+# policy.  Purged modules will not be built and will not be installed on the
+# target.  To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE!  With this feature it is easy to break your policy by purging
+# core modules (eg.  userdomain)
+# 
+# PURGE_POLICY_MODULES += "xdg xen"
+
 POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
 
 # re-write the same func from refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index 40abe35..3b3ca15 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -44,6 +44,17 @@ EXTRA_POLICY_MODULES += "mta"
 # hostname_t, ping_t, netutils_t) from modules:
 EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
 
+# Add specific policy modules here that should be purged from the system
+# policy.  Purged modules will not be built and will not be installed on the
+# target.  To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE!  With this feature it is easy to break your policy by purging
+# core modules (eg.  userdomain)
+# 
+# PURGE_POLICY_MODULES += "xdg xen"
+
+
 POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
 
 # re-write the same func from refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 137ccee..2d9ace5 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -122,8 +122,18 @@ python __anonymous () {
         d.setVar('DEFAULT_ENFORCING', 'permissive')
 }
 
+disable_policy_modules () {
+        for module in ${PURGE_POLICY_MODULES} ; do
+                sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
+        done
+}
+
 do_compile() {
+        if [ -f "${WORKDIR}/modules.conf" ] ; then
+                cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+        fi
         oe_runmake conf
+        disable_policy_modules
         oe_runmake policy
 }