From: "José Pekkarinen" <jose.pekkarinen@unikie.com>
To: Antoine Tenart <atenart@kernel.org>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/refpolicy: Treat all modules as custom
Date: Thu, 23 Sep 2021 12:08:28 +0300	[thread overview]
Message-ID: <CAJPV9MqnsNV5zjWMPDZJWCTBSpqZnsO53Gq23DtfKD3JOG0GRQ@mail.gmail.com> (raw)
In-Reply-To: <163238398624.3979.10768324598204859494@kwain>



On Thu, Sep 23, 2021 at 10:59 AM Antoine Tenart <atenart@kernel.org> wrote:

> Quoting José Pekkarinen (2021-09-23 08:26:02)
> >  On Wed, Sep 22, 2021 at 5:23 PM Antoine Tenart <[1]atenart@kernel.org>
> >  wrote:
> >
> >    However I'm surprised as my understanding was the summary was required
> >    for the refpolicy configuration step to succeed (I did use a summary
> >    for all my tests because of this). When removing a summary from a
> >    module I always get the following error, and the Buildroot build stops.
> >
> >      doc/policy.xml:8376: element module: validity error : Element module
> >    content does not follow the DTD, expecting (summary , desc? , required?
> >    , (interface | template)* , (bool | tunable)*), got ()
> >      Document doc/policy.xml does not validate against doc/policy.dtd
> >
> >    Do you have an idea what made your build succeed even though you did
> >    not have a summary in your module?
> >
> >  I believe it is validating the summary prior to the module,
> >  the one you put in metadata.xml, but not any internal summary for
> >  the interface. This is how policy.xml looks in a case where I
> >  didn't apply the mitigation:
> >  <layer name="buildroot">
> >  <summary>Buildroot extra modules</summary>
> >  <module name="base" filename="policy/modules/buildroot/base.if">
> >  </module>
> >  <module name="secure" filename="policy/modules/buildroot/secure.if">
> >  </module>
> >  </layer>
> >
> >  With this the modules.conf comes as:
> >
> >  # Layer: buildroot
> >  # Module: base
> >  #
> >  # Layer: buildroot
> >  # Module: secure
> >  #
> >
> >  There is a summary followed by a module, validation passes, but
> >  the module is not built. If I add the following lines in the build
> >  folder modules[1] and run make.conf:
> >  [1] refpolicy-2.20200818/policy/modules/buildroot/secure.if: ##
> >  <summary>External secure module.</summary>
> >  refpolicy-2.20200818/policy/modules/buildroot/base.if: ##
> >  <summary>External base module.</summary>
> >
> >  The policy.xml looks like:
> >
> >  <layer name="buildroot">
> >  <summary>Buildroot extra modules</summary>
> >  <module name="base" filename="policy/modules/buildroot/base.if">
> >  <summary>External base modules.</summary>
> >  </module>
> >  <module name="secure" filename="policy/modules/buildroot/secure.if">
> >  <summary>External secure os vm module.</summary>
> >  </module>
> >  </layer>
> >
> >  Then policy/modules.conf looks this way:
> >
> >  # Layer: buildroot
> >  # Module: base
> >  #
> >  # External base modules.
> >  #
> >  base = module
> >
> >  # Layer: buildroot
> >  # Module: secure
> >  #
> >  # External secure os vm module.
> >  #
> >  secure = module
> >
> >  And this produces the modules to get into the policy.32 file.
> >  Does it make any sense on your end?
>
> The above does not reproduce for me. But I might know what's going on:
> do you have xmllint installed on your machine?
>
> If not, the validation step is skipped but the build is not stopped,
> which would explain the difference in behaviour we have between our
> tests:
>
>   Makefile:453:
>   $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
>           $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
>           else \
>           echo "$@ XML validation not run. Please install the xmllint tool." ;\
>   fi
>
> I believe we should make refpolicy depend on host-libxml2 and force it
> to use the Buildroot version of xmllint by setting XMLLINT in the
> configuration step.
>
> Does the following fix the issue[1] on your side?
>
>   diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/
> refpolicy.mk
>   index 1180f0d38bae..ecd8cf226b45 100644
>   --- a/package/refpolicy/refpolicy.mk
>   +++ b/package/refpolicy/refpolicy.mk
>   @@ -14,7 +14,8 @@ REFPOLICY_DEPENDENCIES = \
>           host-policycoreutils \
>           host-python3 \
>           host-setools \
>   -       host-gawk
>   +       host-gawk \
>   +       host-libxml2
>
>    ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
>    REFPOLICY_VERSION = $(call
> qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
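Review bot: adding host-libxml2 to REFPOLICY_DEPENDENCIES only guarantees that the host xmllint is built before refpolicy; by itself it does not make refpolicy's Makefile use it. The `test -x $(XMLLINT)` guard quoted above (Makefile:453) falls through to the `echo` branch whenever XMLLINT does not resolve to an executable, so without the second hunk's `XMLLINT=$(LIBXML2_HOST_BINARY)` the DTD validation would still be skipped silently on a host that has no system xmllint. Keep both hunks in the same commit and say in the commit message that the dependency exists to make the validation mandatory rather than best-effort.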
>   @@ -30,6 +31,7 @@ endif
>    # Cannot use multiple threads to build the reference policy
>    REFPOLICY_MAKE = \
>           PYTHON=$(HOST_DIR)/usr/bin/python3 \
>   +       XMLLINT=$(LIBXML2_HOST_BINARY) \
>           TEST_TOOLCHAIN=$(HOST_DIR) \
>           $(TARGET_MAKE_ENV) \
>           $(MAKE1)
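Review bot: this turns the policy.xml DTD validation from best-effort into a hard gate, and the commit message should say so: with XMLLINT pointing at the Buildroot-built binary the `test -x` branch is always taken, and a validity error from xmllint (as in the build log below, where two <module> elements lack the mandatory <summary>) now fails the recipe instead of leaving the module out of the built policy. Worth double-checking that LIBXML2_HOST_BINARY is defined by package/libxml2 for the host variant (the log below shows it resolving to host/bin/xmllint) and that nothing else in REFPOLICY_MAKE or the environment sets XMLLINT, since this assignment would take precedence.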
>
>
Confirmed, the patch *works*:


Creating policy.xml
echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' >
doc/policy.xml
echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> doc/policy.xml
echo '<policy>' >> doc/policy.xml
for i in admin apps buildroot kernel roles services system; do echo "<layer
name=\"$i\">" >> doc/policy.xml; cat doc/tmp/$i.xml >> doc/policy.xml; echo
"</layer>" >> doc/policy.xml; done
cat doc/global_tunables.xml doc/global_booleans.xml >> doc/policy.xml
echo '</policy>' >> doc/policy.xml
if test -x /output/br_admin/output_x86_qemu/host/bin/xmllint && test -f
doc/policy.dtd; then \
       /output/br_admin/output_x86_qemu/host/bin/xmllint --noout --path
doc/ --dtdvalid doc/policy.dtd doc/policy.xml ;\
       else \
       echo "doc/policy.xml XML validation not run. Please install the
xmllint tool." ;\
fi
doc/policy.xml:8373: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required? ,
(interface | template)* , (bool | tunable)*), got ()
doc/policy.xml:8375: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required? ,
(interface | template)* , (bool | tunable)*), got ()

Thanks!


José.
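The failure mode the thread describes, a <module> without a <summary> that passes into modules.conf with only its comment header and no `name = module` line, as an added Python example (this is not refpolicy's own sedoctool/genxml code and not Buildroot code). It checks the child order that policy.dtd requires for <module>, transcribed from the xmllint error quoted above, and generates modules.conf entries in the shape José shows, either dropping such modules silently (what happens when validation is skipped) or refusing outright (what the patch restores by making validation mandatory). The policy.xml fragment is constructed, and the function names validate_modules, gen_modules_conf and built_modules are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy.xml fragment, modelled on the one quoted in the thread
# (XML declaration and DOCTYPE omitted): "base" has no <summary>, "secure" has one.
POLICY_XML = """<policy>
<layer name="buildroot">
<summary>Buildroot extra modules</summary>
<module name="base" filename="policy/modules/buildroot/base.if">
</module>
<module name="secure" filename="policy/modules/buildroot/secure.if">
<summary>External secure module.</summary>
</module>
</layer>
</policy>
"""

# Content model policy.dtd declares for <module>, transcribed from xmllint's error:
#   (summary , desc? , required? , (interface | template)* , (bool | tunable)*)
MODULE_CONTENT = re.compile(
    r"^summary(?: desc)?(?: required)?(?: (?:interface|template))*(?: (?:bool|tunable))*$"
)


def validate_modules(xml_text):
    """Return (layer, module, problem) for every <module> whose children do not
    match the DTD content model; an empty list means the document validates."""
    root = ET.fromstring(xml_text)
    problems = []
    for layer in root.findall("layer"):
        for mod in layer.findall("module"):
            children = " ".join(child.tag for child in mod)
            if not MODULE_CONTENT.match(children):
                got = children or "()"
                problems.append((layer.get("name"), mod.get("name"),
                                 "children %s do not match DTD" % got))
    return problems


def gen_modules_conf(xml_text, strict=False):
    """Emit modules.conf entries in the shape shown in the thread and return
    (conf_text, dropped_modules). A module without a <summary> gets only its
    comment header and no 'name = module' line, so it is never built; with
    strict=True that is an error instead of a silent drop."""
    root = ET.fromstring(xml_text)
    lines, dropped = [], []
    for layer in root.findall("layer"):
        for mod in layer.findall("module"):
            name = mod.get("name")
            lines += ["# Layer: %s" % layer.get("name"), "# Module: %s" % name, "#"]
            summary = mod.find("summary")  # direct child only, as the DTD requires
            if summary is None:
                if strict:
                    raise ValueError("module %s has no <summary>; refusing to drop it" % name)
                dropped.append(name)
                continue
            lines += ["# " + (summary.text or "").strip(), "#", "%s = module" % name, ""]
    return "\n".join(lines), dropped


def built_modules(conf_text):
    """Names that modules.conf actually enables (the 'name = module' lines)."""
    return re.findall(r"^(\S+) = module$", conf_text, re.M)


if __name__ == "__main__":
    for problem in validate_modules(POLICY_XML):
        print("validity error:", problem)
    conf, dropped = gen_modules_conf(POLICY_XML)
    print(conf)
    print("silently dropped:", dropped, "built:", built_modules(conf))
```

Run stand-alone it reports the validity error for "base", prints the modules.conf text with only `secure = module` in it, and lists "base" as dropped; calling gen_modules_conf with strict=True raises instead, which is the behaviour a mandatory xmllint step gives the real build.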
