[Buildroot] [PATCH] package/refpolicy: Treat all modules as custom
José Pekkarinen
jose.pekkarinen at unikie.com
Thu Sep 23 08:47:50 UTC 2021
On Thu, Sep 23, 2021 at 11:33 AM Antoine Tenart <atenart at kernel.org> wrote:
> Quoting Antoine Tenart (2021-09-23 09:59:46)
> > Quoting José Pekkarinen (2021-09-23 08:26:02)
> > > On Wed, Sep 22, 2021 at 5:23 PM Antoine Tenart <atenart at kernel.org> wrote:
> > >
> > > However I'm surprised as my understanding was the summary was required
> > > for the refpolicy configuration step to succeed (I did use a summary
> > > for all my tests because of this). When removing a summary from a module
> > > I always get the following error, and the Buildroot build stops.
> > >
> > > doc/policy.xml:8376: element module: validity error : Element module content does not follow the DTD, expecting (summary , desc? , required? , (interface | template)* , (bool | tunable)*), got ()
> > > Document doc/policy.xml does not validate against doc/policy.dtd
> > >
> > > Do you have an idea what made your build succeed even though you did
> > > not have a summary in your module?
> > >
> > > I believe it is validating to the summary prior to the module,
> > > the one you put in metadata.xml, but not any internal summary for
> > > the interface. This is what policy.xml looks like in a case where I didn't
> > > apply the mitigation:
> > > <layer name="buildroot">
> > > <summary>Buildroot extra modules</summary>
> > > <module name="base" filename="policy/modules/buildroot/base.if">
> > > </module>
> > > <module name="secure" filename="policy/modules/buildroot/secure.if">
> > > </module>
> > > </layer>
> > >
> > > With this the modules.conf comes as:
> > >
> > > # Layer: buildroot
> > > # Module: base
> > > #
> > > # Layer: buildroot
> > > # Module: secure
> > > #
> > >
> > > There is a summary followed by a module, validation passes, but
> > > the module is not built. If I add the following lines in the build
> > > folder modules[1] and run make.conf:
> > >
> > > [1] refpolicy-2.20200818/policy/modules/buildroot/secure.if: ## <summary>External secure module.</summary>
> > > refpolicy-2.20200818/policy/modules/buildroot/base.if: ## <summary>External base module.</summary>
> > >
> > > The policy.xml looks like:
> > >
> > > <layer name="buildroot">
> > > <summary>Buildroot extra modules</summary>
> > > <module name="base" filename="policy/modules/buildroot/base.if">
> > > <summary>External base modules.</summary>
> > > </module>
> > > <module name="secure" filename="policy/modules/buildroot/secure.if">
> > > <summary>External secure os vm module.</summary>
> > > </module>
> > > </layer>
> > >
> > > Then policy/modules.conf looks this way:
> > >
> > > # Layer: buildroot
> > > # Module: base
> > > #
> > > # External base modules.
> > > #
> > > base = module
> > >
> > > # Layer: buildroot
> > > # Module: secure
> > > #
> > > # External secure os vm module.
> > > #
> > > secure = module
> > >
> > > And this produces the modules to get into the policy.32 file.
> > > Does it make any sense on your end?
> >
> > The above does not reproduce for me. But I might know what's going on:
> > do you have xmllint installed on your machine?
>
> Or not at /usr/bin/xmllint
>
It was built in a container without it, I'm testing the patch, bear
with me for a bit.
José.
> > If not, the validation step is skipped but the build is not stopped,
> > which would explain the difference in behaviour we have between our
> > tests:
> >
> > Makefile:453:
> > $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
> >     $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
> > else \
> >     echo "$@ XML validation not run. Please install the xmllint tool." ;\
> > fi
> >
> > I believe we should make refpolicy depend on host-libxml2 and force it
> > to use the Buildroot version of xmllint by setting XMLLINT in the
> > configuration step.
> >
> > Does the following fix the issue[1] on your side?
> >
> > diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/
> refpolicy.mk
> > index 1180f0d38bae..ecd8cf226b45 100644
> > --- a/package/refpolicy/refpolicy.mk
> > +++ b/package/refpolicy/refpolicy.mk
> > @@ -14,7 +14,8 @@ REFPOLICY_DEPENDENCIES = \
> > host-policycoreutils \
> > host-python3 \
> > host-setools \
> > - host-gawk
> > + host-gawk \
> > + host-libxml2
> >
> > ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
> > REFPOLICY_VERSION = $(call
> qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
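Review bot: the new `host-libxml2` entry in REFPOLICY_DEPENDENCIES carries no explanation, and nothing in the list ties it to xmllint. A short comment above the assignment saying that host-libxml2 provides the xmllint used to validate doc/policy.xml against its DTD would keep it from being dropped later as an apparently unused dependency.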
> > @@ -30,6 +31,7 @@ endif
> > # Cannot use multiple threads to build the reference policy
> > REFPOLICY_MAKE = \
> > PYTHON=$(HOST_DIR)/usr/bin/python3 \
> > + XMLLINT=$(LIBXML2_HOST_BINARY) \
> > TEST_TOOLCHAIN=$(HOST_DIR) \
> > $(TARGET_MAKE_ENV) \
> > $(MAKE1)
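Review bot: `XMLLINT=$(LIBXML2_HOST_BINARY)` still passes through the `test -x $(XMLLINT)` guard quoted from Makefile:453, so if that variable ever expands to an empty string or to a path that is not executable, validation is skipped with only an echo and the build continues. Worth confirming that LIBXML2_HOST_BINARY is defined by the libxml2 package and points at the host xmllint (the neighbouring PYTHON line spells its path out under $(HOST_DIR) instead), and consider failing the configure step outright when that path is not executable.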
> >
> > (I also checked for other `test -x` conditions in the refpolicy
> > Makefile; xmllint seems to be the only one).
> >
> > [1] "fix the issue" aka throw an error while adding modules without a
> > summary.
> >
> > Thanks,
> > Antoine
> >
>
--
José.
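
A check for the condition discussed in this thread that does not depend on xmllint being installed, as an added example (not part of the original message or of refpolicy): it lists the modules in policy.xml whose first child is not `<summary>` and returns a failing status for them. The `<policy>` root wrapper and the function names are assumptions; the sample inputs are constructed from the fragments quoted above.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed inputs: the two "buildroot" layer fragments quoted in the
# message, wrapped in an assumed <policy> root element.
WITHOUT_SUMMARY = """<policy><layer name="buildroot">
<summary>Buildroot extra modules</summary>
<module name="base" filename="policy/modules/buildroot/base.if">
</module>
<module name="secure" filename="policy/modules/buildroot/secure.if">
</module>
</layer></policy>"""

WITH_SUMMARY = """<policy><layer name="buildroot">
<summary>Buildroot extra modules</summary>
<module name="base" filename="policy/modules/buildroot/base.if">
<summary>External base modules.</summary>
</module>
<module name="secure" filename="policy/modules/buildroot/secure.if">
<summary>External secure os vm module.</summary>
</module>
</layer></policy>"""


def modules_missing_summary(policy_xml):
    """Return (layer, module, filename) for every <module> whose first child
    element is not <summary>, which the quoted DTD content model requires."""
    missing = []
    for layer in ET.fromstring(policy_xml).iter("layer"):
        for module in layer.findall("module"):
            first = next(iter(module), None)
            if first is None or first.tag != "summary":
                missing.append((layer.get("name"), module.get("name"), module.get("filename")))
    return missing


def check(policy_xml):
    """Fail closed: return a non-zero status on any finding, where the quoted
    Makefile rule only prints a notice when xmllint is not executable."""
    missing = modules_missing_summary(policy_xml)
    for layer, name, filename in missing:
        print(f"{filename}: module {layer}/{name} has no <summary>", file=sys.stderr)
    return 1 if missing else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a generated doc/policy.xml
        sys.exit(check(open(sys.argv[1], "rb").read()))
    print(check(WITHOUT_SUMMARY), check(WITH_SUMMARY))  # constructed samples
```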