From: Antoine Tenart <atenart@kernel.org>
To: José Pekkarinen <jose.pekkarinen@unikie.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/refpolicy: Treat all modules as custom
Date: Thu, 23 Sep 2021 09:59:46 +0200
Message-ID: <163238398624.3979.10768324598204859494@kwain>
In-Reply-To: <CAJPV9MpWep997PN1v+R0E6RKhe4EOwY=ogFECnyfG0ppz2ekww@mail.gmail.com>

Quoting José Pekkarinen (2021-09-23 08:26:02)
>  On Wed, Sep 22, 2021 at 5:23 PM Antoine Tenart <atenart@kernel.org>
>  wrote:
>
>    However I'm surprised as my understanding was the summary was required
>    for the refpolicy configuration step to succeed (I did use a summary
>    for all my tests because of this). When removing a summary from a module
>    I always get the following error, and the Buildroot build stops.
>
>      doc/policy.xml:8376: element module: validity error : Element module
>    content does not follow the DTD, expecting (summary , desc? , required?
>    , (interface | template)* , (bool | tunable)*), got ()
>      Document doc/policy.xml does not validate against doc/policy.dtd
>
>    Do you have an idea what made your build succeed even though you did
>    not have a summary in your module?
>
>  I believe it is validating to the summary prior to the module,
>  the one you put in metadata.xml, but not any internal summary for
>  the interface. This is what policy.xml looks like in a case where I didn't
>  apply the mitigation:
>  <layer name="buildroot">
>  <summary>Buildroot extra modules</summary>
>  <module name="base" filename="policy/modules/buildroot/base.if">
>  </module>
>  <module name="secure" filename="policy/modules/buildroot/secure.if">
>  </module>
>  </layer>
>
>  With this the modules.conf comes as:
>
>  # Layer: buildroot
>  # Module: base
>  #
>  # Layer: buildroot
>  # Module: secure
>  #
>
>  There is a summary followed by a module, validation passes, but
>  the module is not built. If I add the following lines in the build folder
>  modules[1] and run make.conf:
>  [1] refpolicy-2.20200818/policy/modules/buildroot/secure.if: ## <summary>External secure module.</summary>
>  refpolicy-2.20200818/policy/modules/buildroot/base.if: ## <summary>External base module.</summary>
>
>  The policy.xml looks like:
>
>  <layer name="buildroot">
>  <summary>Buildroot extra modules</summary>
>  <module name="base" filename="policy/modules/buildroot/base.if">
>  <summary>External base modules.</summary>
>  </module>
>  <module name="secure" filename="policy/modules/buildroot/secure.if">
>  <summary>External secure os vm module.</summary>
>  </module>
>  </layer>
>
>  Then policy/modules.conf looks this way:
>
>  # Layer: buildroot
>  # Module: base
>  #
>  # External base modules.
>  #  
>  base = module
>
>  # Layer: buildroot
>  # Module: secure
>  #
>  # External secure os vm module.
>  #  
>  secure = module
>
>  And this produces the modules to get into the policy.32 file.
>  Does it make any sense on your end?

The above does not reproduce for me. But I might know what's going on:
do you have xmllint installed on your machine?

If not, the validation step is skipped but the build is not stopped,
which would explain the difference in behaviour we have between our
tests:

  Makefile:453:
  $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
          $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
          else \
          echo "$@ XML validation not run. Please install the xmllint tool." ;\
  fi

I believe we should make refpolicy depend on host-libxml2 and force it
to use the Buildroot version of xmllint by setting XMLLINT in the
configuration step.

Does the following fix the issue[1] on your side?

  diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
  index 1180f0d38bae..ecd8cf226b45 100644
  --- a/package/refpolicy/refpolicy.mk
  +++ b/package/refpolicy/refpolicy.mk
  @@ -14,7 +14,8 @@ REFPOLICY_DEPENDENCIES = \
          host-policycoreutils \
          host-python3 \
          host-setools \
  -       host-gawk
  +       host-gawk \
  +       host-libxml2

   ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
   REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
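
Review bot: the new host-libxml2 entry in REFPOLICY_DEPENDENCIES carries no explanation of why a policy package needs libxml2. A short comment above the list, or a line in the commit message, saying that it provides the xmllint used to validate doc/policy.xml against its DTD would keep the dependency from being dropped later as apparently unused, which would bring back the silently skipped validation.
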
  @@ -30,6 +31,7 @@ endif
   # Cannot use multiple threads to build the reference policy
   REFPOLICY_MAKE = \
          PYTHON=$(HOST_DIR)/usr/bin/python3 \
  +       XMLLINT=$(LIBXML2_HOST_BINARY) \
          TEST_TOOLCHAIN=$(HOST_DIR) \
          $(TARGET_MAKE_ENV) \
          $(MAKE1)
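
Review bot: on the added XMLLINT=$(LIBXML2_HOST_BINARY) line, the variable is not defined in this patch, and the refpolicy Makefile guard quoted above (test -x $(XMLLINT)) treats an empty or non-executable path as "skip validation" rather than as an error. Please confirm that LIBXML2_HOST_BINARY is exported by the libxml2 package and expands to the host xmllint, and that the step generating doc/policy.xml is run through REFPOLICY_MAKE; otherwise the build stays fail-open.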

(I also checked for other `test -x` conditions in the refpolicy
Makefile; xmllint seems to be the only one).

[1] "fix the issue" aka throw an error while adding modules without a
    summary.

Thanks,
Antoine
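
The fail-open guard described in this message, next to a fail-closed variant, as an added example that is not part of the original email or of refpolicy. The function names and argument order are assumptions; the xmllint options are the ones in the quoted Makefile.

```shell
#!/bin/sh
# Added example: two ways to guard the DTD validation of policy.xml.
# Function names are hypothetical; arguments are: xmllint path, DTD, XML file.

# Fail-open, mirroring the quoted Makefile rule: when xmllint (or the DTD)
# is missing, a notice is printed and the step still succeeds.
validate_fail_open() {
    xmllint_bin=$1 dtd=$2 xml=$3
    if test -x "$xmllint_bin" && test -f "$dtd"; then
        "$xmllint_bin" --noout --path "$(dirname "$dtd")" --dtdvalid "$dtd" "$xml"
    else
        echo "$xml XML validation not run. Please install the xmllint tool."
    fi
}

# Fail-closed: a missing tool or DTD is itself a build error (status 2), so an
# invalid policy.xml cannot pass just because the host lacks xmllint.
validate_fail_closed() {
    xmllint_bin=$1 dtd=$2 xml=$3
    if ! test -x "$xmllint_bin"; then
        echo "error: xmllint not executable at '$xmllint_bin'" >&2
        return 2
    fi
    if ! test -f "$dtd"; then
        echo "error: DTD '$dtd' not found" >&2
        return 2
    fi
    # The validator's own exit status becomes the result of the step.
    "$xmllint_bin" --noout --path "$(dirname "$dtd")" --dtdvalid "$dtd" "$xml"
}
```
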