[Buildroot] [PATCH] package/refpolicy: Treat all modules as custom

José Pekkarinen jose.pekkarinen at unikie.com
Thu Sep 23 08:47:50 UTC 2021


On Thu, Sep 23, 2021 at 11:33 AM Antoine Tenart <atenart at kernel.org> wrote:

> Quoting Antoine Tenart (2021-09-23 09:59:46)
> > Quoting José Pekkarinen (2021-09-23 08:26:02)
> > >  On Wed, Sep 22, 2021 at 5:23 PM Antoine Tenart <[1]atenart at kernel.org
> >
> > >  wrote:
> > >
> > >    However I'm surprised as my understanding was the summary was
> required
> > >    for the refpolicy configuration step to succeed (I did use a summary
> > >    for all my tests because of this). When removing a summary from a
> module
> > >    I always get the following error, and the Buildroot build stops.
> > >
> > >      doc/policy.xml:8376: element module: validity error : Element
> module
> > >    content does not follow the DTD, expecting (summary , desc? ,
> required?
> > >    , (interface | template)* , (bool | tunable)*), got ()
> > >      Document doc/policy.xml does not validate against doc/policy.dtd
> > >
> > >    Do you have an idea what made your build to succeed even though you
> did
> > >    not have a summary in your module?
> > >
> > >  I believe it is validating to the summary prior to the module,
> > >  the one you put in metadata.xml, but not any internal summary for
> > >  the interface. This is how policy.xml looks like in a case where I
> didn't
> > >  apply the mitigation:
> > >  <layer name="buildroot">
> > >  <summary>Buildroot extra modules</summary>
> > >  <module name="base" filename="policy/modules/buildroot/base.if">
> > >  </module>
> > >  <module name="secure" filename="policy/modules/buildroot/secure.if">
> > >  </module>
> > >  </layer>
> > >
> > >  With this the modules.conf comes as:
> > >
> > >  # Layer: buildroot
> > >  # Module: base
> > >  #
> > >  # Layer: buildroot
> > >  # Module: secure
> > >  #
> > >
> > >  There is a summary followed by a module, validation pass, but
> > >
> > >  the module is not built. If I add the following lines in the build
> folder
> > >  modules[1]
> > >  and run make.conf:
> > >  [1] refpolicy-2.20200818/policy/modules/buildroot/secure.if: ##
> > >  <summary>External secure module.</summary>
> > >  refpolicy-2.20200818/policy/modules/buildroot/base.if: ##
> > >  <summary>External base module.</summary>
> > >
> > >  The policy.xml looks like:
> > >
> > >  <layer name="buildroot">
> > >  <summary>Buildroot extra modules</summary>
> > >  <module name="base" filename="policy/modules/buildroot/base.if">
> > >  <summary>External base modules.</summary>
> > >  </module>
> > >  <module name="secure" filename="policy/modules/buildroot/secure.if">
> > >  <summary>External secure os vm module.</summary>
> > >  </module>
> > >  </layer>
> > >
> > >  Then policy/modules.conf looks this way:
> > >
> > >  # Layer: buildroot
> > >  # Module: base
> > >  #
> > >  # External base modules.
> > >  #
> > >  base = module
> > >
> > >  # Layer: buildroot
> > >  # Module: secure
> > >  #
> > >  # External secure os vm module.
> > >  #
> > >  secure = module
> > >
> > >  And this produces the modules to get into the policy.32 file.
> > >  Does it makes any sense on your end?
> >
> > The above does not reproduce for me. But I might know what's going on:
> > do you have xmllint installed on your machine?
>
> Or not at /usr/bin/xmllint
>

It was built in a container without it, I'm testing the patch, bear

for a bit.

José.



> > If not, the validation step is skipped but the build is not stopped,
> > which would explain the difference in behaviour we have between our
> > tests:
> >
> >   Makefile:453:
> >   $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
> >           $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid
> $(xmldtd) $@ ;\
> >           else \
> >           echo "$@ XML validation not run. Please install the xmllint
> tool." ;\
> >   fi
> >
> > I believe we should make refpolicy depend on host-libxml2 and force it
> > to use the Buildroot version of xmllint by setting XMLLINT in the
> > configuration step.
> >
> > Do the following fixes the issue[1] on your side?
> >
> >   diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/
> refpolicy.mk
> >   index 1180f0d38bae..ecd8cf226b45 100644
> >   --- a/package/refpolicy/refpolicy.mk
> >   +++ b/package/refpolicy/refpolicy.mk
> >   @@ -14,7 +14,8 @@ REFPOLICY_DEPENDENCIES = \
> >           host-policycoreutils \
> >           host-python3 \
> >           host-setools \
> >   -       host-gawk
> >   +       host-gawk \
> >   +       host-libxml2
> >
> >    ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
> >    REFPOLICY_VERSION = $(call
> qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
> >   @@ -30,6 +31,7 @@ endif
> >    # Cannot use multiple threads to build the reference policy
> >    REFPOLICY_MAKE = \
> >           PYTHON=$(HOST_DIR)/usr/bin/python3 \
> >   +       XMLLINT=$(LIBXML2_HOST_BINARY) \
> >           TEST_TOOLCHAIN=$(HOST_DIR) \
> >           $(TARGET_MAKE_ENV) \
> >           $(MAKE1)
> >
> > (I also checked for other `test -x` conditions in the refpolicy
> > Makefile; xmllint seems to be the only one).
> >
> > [1] "fix the issue" aka throw an error while adding modules without a
> >     summary.
> >
> > Thanks,
> > Antoine
> >
>


-- 

José.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.buildroot.org/pipermail/buildroot/attachments/20210923/d033d00b/attachment-0001.html>


More information about the buildroot mailing list