From 4dde95212d8e5effeea5ffece5dbda59c7d4336d Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Sun, 24 Nov 2019 20:26:41 -0500
Subject: support policy module configuration at recipe level

On highly storage-limited machines it may be beneficial to completely remove some or all non-essential policy modules. refpolicy already supports this with the 'no' option in modules.conf, so we'll just expose this feature (with an appropriate warning) at the recipe-level.

Signed-off-by: Joe MacDonald
---
 recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb | 10 ++++++++++
 recipes-security/refpolicy/refpolicy-minimum_git.bb | 11 +++++++++++
 recipes-security/refpolicy/refpolicy_common.inc | 10 ++++++++++
 3 files changed, 31 insertions(+)

diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
index 40abe35..01c9fc0 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
@@ -44,6 +44,16 @@ EXTRA_POLICY_MODULES += "mta"
 # hostname_t, ping_t, netutils_t) from modules:
 EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"

+# Add specific policy modules here that should be purged from the system
+# policy. Purged modules will not be built and will not be installed on the
+# target. To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE! With this feature it is easy to break your policy by purging
+# core modules (eg. userdomain)
+#
+# PURGE_POLICY_MODULES += "xdg xen"
+
 POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"

 # re-write the same func from refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index 40abe35..3b3ca15 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -44,6 +44,17 @@ EXTRA_POLICY_MODULES += "mta"
 # hostname_t, ping_t, netutils_t) from modules:
 EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"

+# Add specific policy modules here that should be purged from the system
+# policy. Purged modules will not be built and will not be installed on the
+# target. To use them at some later time you must specifically build and load
+# the modules by hand on the target.
+#
+# USE WITH CARE! With this feature it is easy to break your policy by purging
+# core modules (eg. userdomain)
+#
+# PURGE_POLICY_MODULES += "xdg xen"
+
+
 POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"

 # re-write the same func from refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 137ccee..2d9ace5 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -122,8 +122,18 @@ python __anonymous () {
 d.setVar('DEFAULT_ENFORCING', 'permissive')
 }

+disable_policy_modules () {
+ for module in ${PURGE_POLICY_MODULES} ; do
+ sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
+ done
+}
+
 do_compile() {
+ if [ -f "${WORKDIR}/modules.conf" ] ; then
+ cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+ fi
 oe_runmake conf
+ disable_policy_modules
 oe_runmake policy
 }

-- 
cgit v1.2.3-54-g00ecf
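Review bot: A name in PURGE_POLICY_MODULES that matches no line in modules.conf is silently ignored by the `sed -i` in disable_policy_modules, so a typo leaves that module built and installed with no diagnostic — the inverse of the breakage the USE WITH CARE comment warns about, and just as hard to notice on the target. The module name is also interpolated unescaped into the sed pattern and the `${S}/policy/modules.conf` path is unquoted; the names come from the recipe rather than from untrusted input, so this is a robustness rather than an injection concern, but a character-set check keeps the pattern well-formed. I would validate each name, confirm it is present with grep before substituting, and warn when it is not, as below. Note also that `${module}` inside a BitBake shell function is subject to BitBake's own parse-time expansion, so the loop only works while no BitBake variable named `module` is defined; `$module` without braces sidesteps that. It is not clear from the hunk whether `oe_runmake conf` regenerates modules.conf after the new `cp` from WORKDIR (if it does, the copied file is overwritten before the purge runs), and the description's 'no' option should be reconciled with the `= off` the sed actually writes — both worth confirming.

```bitbake
disable_policy_modules () {
	for module in ${PURGE_POLICY_MODULES} ; do
		# Keep the name from altering the grep/sed patterns below; every
		# module name used in this layer is a plain identifier.
		case "$module" in
			*[!A-Za-z0-9_]*) bbfatal "PURGE_POLICY_MODULES: invalid module name '$module'" ;;
		esac
		if ! grep -q "^$module *=" "${S}/policy/modules.conf" ; then
			bbwarn "PURGE_POLICY_MODULES: '$module' not found in modules.conf, nothing purged"
			continue
		fi
		sed -i "s/^\(\<$module\>\) *= *.*$/\1 = off/" "${S}/policy/modules.conf"
	done
}
```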