author | Alyssa Ross <hi@alyssa.is> | 2022-02-02 15:19:20 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2022-02-14 14:17:19 +0000 |
commit | 12e4cd012bd6338713c870b8116dd1ea9db7a354 (patch) | |
tree | 01db6e492df1e0de0b9fb640f54dd159753671cd /vm/sys/net/Makefile | |
parent | 42c9aaaf111269624e751e3140ccc9460c365b3d (diff) | |
host/rootfs: dynamically generate s6-rc services
This way, we don't allow arbitrary code from the ext partition to run on the host system, which gives us better integrity guarantees when paired with Secure Boot. This new scheme also makes it easy to introspect VMs, since they're defined using a very limited configuration language.
Diffstat (limited to 'vm/sys/net/Makefile')
-rw-r--r-- | vm/sys/net/Makefile | 25 |
1 files changed, 8 insertions, 17 deletions
diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
index a7920fc..25f865f 100644
--- a/vm/sys/net/Makefile
+++ b/vm/sys/net/Makefile
@@ -13,30 +13,21 @@ VMM = qemu
 # paths in the source tree.
 HOST_DIRECTORIES = s6-rc/netvm-vmm/env
-HOST_FILES = \
-	host/s6-rc/netvm-vmm/notification-fd \
-	host/s6-rc/netvm-vmm/run \
-	host/s6-rc/netvm-vmm/type \
-	host/s6-rc/netvm/dependencies \
-	host/s6-rc/netvm/run \
-	host/s6-rc/netvm/type
-
 HOST_BUILD_FILES = \
 	build/host/data/netvm/rootfs.ext4 \
 	build/host/data/netvm/vmlinux
-# We produce an s6-rc source directory, but that doesn't play nice
-# with Make, because it won't know to update if some file in the
-# directory is changed, or a file is created or removed in a
-# subdirectory. Using the whole source directory could also end up
-# including files that aren't intended to be part of the input, like
-# temporary editor files or .license files. So for all these reasons,
-# only explicitly listed files are included in the build result.
-build/svc: $(HOST_FILES) $(HOST_BUILD_FILES)
+# We produce a directory, but that doesn't play nice with Make,
+# because it won't know to update if some file in the directory is
+# changed, or a file is created or removed in a subdirectory. Using
+# the whole directory could also end up including files that aren't
+# intended to be part of the input, like temporary editor files or
+# .license files. So for all these reasons, only explicitly listed
+# files are included in the build result.
+build/svc: $(HOST_BUILD_FILES)
 	rm -rf $@
 	mkdir -p $@
-	tar -c $(HOST_FILES) | tar -C $@ -x --strip-components 1
 	tar -c $(HOST_BUILD_FILES) | tar -C $@ -x --strip-components 2
 	cd $@ && mkdir -p $(HOST_DIRECTORIES)
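Review bot: A failure partway through the `build/svc` recipe leaves the directory half-populated but with a timestamp newer than `$(HOST_BUILD_FILES)`, so the next `make` treats it as up to date; `.DELETE_ON_ERROR` cannot help because the target is a directory, not a file. That is not purely theoretical: unless the file sets `pipefail` somewhere outside this hunk, `tar -c … | tar -x …` only reports the extracting `tar`'s exit status, so a failed archive stage can go unnoticed. Populating `$@.tmp` and renaming it into place only after every step succeeds means a broken tree never carries a fresh mtime. Separately, with `HOST_FILES` gone, `HOST_DIRECTORIES = s6-rc/netvm-vmm/env` now only creates an empty skeleton under `build/svc`; if the s6-rc tree is generated on the host as the message says, that looks like a leftover, though whatever consumes it is outside this hunk.
```make
build/svc: $(HOST_BUILD_FILES)
	rm -rf $@ $@.tmp
	mkdir -p $@.tmp
	tar -c $(HOST_BUILD_FILES) | tar -C $@.tmp -x --strip-components 2
	cd $@.tmp && mkdir -p $(HOST_DIRECTORIES)
	mv $@.tmp $@
```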