From: José Pekkarinen
Date: Thu, 23 Sep 2021 11:47:50 +0300
To: Antoine Tenart
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/refpolicy: Treat all modules as custom


On Thu, Sep 23, 2021 at 11:33 AM Antoine Tenart <atenart@kernel.org> wrote:
> Quoting Antoine Tenart (2021-09-23 09:59:46)
> Quoting José Pekkarinen (2021-09-23 08:26:02)
> >  On Wed, Sep 22, 2021 at 5:23 PM Antoine Tenart <[1]atenart@kernel.org>
> >  wrote:
> >
> >    However I'm surprised as my understanding was the summary was required
> >    for the refpolicy configuration step to succeed (I did use a summary
> >    for all my tests because of this). When removing a summary from a module
> >    I always get the following error, and the Buildroot build stops.
> >
> >      doc/policy.xml:8376: element module: validity error : Element module
> >    content does not follow the DTD, expecting (summary , desc? , required?
> >    , (interface | template)* , (bool | tunable)*), got ()
> >      Document doc/policy.xml does not validate against doc/policy.dtd
> >
> >    Do you have an idea what made your build succeed even though you did
> >    not have a summary in your module?
> >
> >  I believe it is validating to the summary prior to the module,
> >  the one you put in metadata.xml, but not any internal summary for
> >  the interface. This is how policy.xml looks like in a case where I didn't
> >  apply the mitigation:
> >  <layer name="buildroot">
> >  <summary>Buildroot extra modules</summary>
> >  <module name="base" filename="policy/modules/buildroot/base.if">
> >  </module>
> >  <module name="secure" filename="policy/modules/buildroot/secure.if">
> >  </module>
> >  </layer>
> >
> >  With this the modules.conf comes as:
> >
> >  # Layer: buildroot
> >  # Module: base
> >  #
> >  # Layer: buildroot
> >  # Module: secure
> >  #
> >
> >  There is a summary followed by a module, validation pass, but
> >
> >  the module is not built. If I add the following lines in the build folder
> >  modules[1]
> >  and run make.conf:
> >  [1] refpolicy-2.20200818/policy/modules/buildroot/secure.if: ##
> >  <summary>External secure module.</summary>
> >  refpolicy-2.20200818/policy/modules/buildroot/base.if: ##
> >  <summary>External base module.</summary>
> >
> >  The policy.xml looks like:
> >
> >  <layer name="buildroot">
> >  <summary>Buildroot extra modules</summary>
> >  <module name="base" filename="policy/modules/buildroot/base.if">
> >  <summary>External base modules.</summary>
> >  </module>
> >  <module name="secure" filename="policy/modules/buildroot/secure.if">
> >  <summary>External secure os vm module.</summary>
> >  </module>
> >  </layer>
> >
> >  Then policy/modules.conf looks this way:
> >
> >  # Layer: buildroot
> >  # Module: base
> >  #
> >  # External base modules.
> >  #
> >  base = module
> >
> >  # Layer: buildroot
> >  # Module: secure
> >  #
> >  # External secure os vm module.
> >  #
> >  secure = module
> >
> >  And this produces the modules to get into the policy.32 file.
> >  Does it make any sense on your end?
>
> The above does not reproduce for me. But I might know what's going on:
> do you have xmllint installed on your machine?

> Or not at /usr/bin/xmllint

It was built in a container without it, I'm testing the patch, bear with me
for a bit.

José.

> If not, the validation step is skipped but the build is not stopped,
> which would explain the difference in behaviour we have between our
> tests:
>
>   Makefile:453:
>   $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
>           $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
>   else \
>           echo "$@ XML validation not run. Please install the xmllint tool." ;\
>   fi
>
> I believe we should make refpolicy depend on host-libxml2 and force it
> to use the Buildroot version of xmllint by setting XMLLINT in the
> configuration step.
>
> Does the following fix the issue[1] on your side?
>
>=C2=A0 =C2=A0diff --git a/package/refpolicy/refpolicy.mk b/package/refpol= icy/re= fpolicy.mk
>=C2=A0 =C2=A0index 1180f0d38bae..ecd8cf226b45 100644
>=C2=A0 =C2=A0--- a/package/refpolicy/refpolicy.mk
>=C2=A0 =C2=A0+++ b/package/refpolicy/refpolicy.mk
>=C2=A0 =C2=A0@@ -14,7 +14,8 @@ REFPOLICY_DEPENDENCIES =3D \
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0host-policycoreutils \
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0host-python3 \
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0host-setools \
>=C2=A0 =C2=A0-=C2=A0 =C2=A0 =C2=A0 =C2=A0host-gawk
>=C2=A0 =C2=A0+=C2=A0 =C2=A0 =C2=A0 =C2=A0host-gawk \
>=C2=A0 =C2=A0+=C2=A0 =C2=A0 =C2=A0 =C2=A0host-libxml2
>
>=C2=A0 =C2=A0 ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
>=C2=A0 =C2=A0 REFPOLICY_VERSION =3D $(call qstrip,$(BR2_PACKAGE_REFPOLI= CY_CUSTOM_REPO_VERSION))
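Review bot: The new `host-libxml2` entry in REFPOLICY_DEPENDENCIES has no comment saying why refpolicy needs it. Nothing in the visible context shows that xmllint is used, so a later cleanup could drop the dependency and the DTD check of doc/policy.xml would go back to being skipped without failing the build. Suggest a one-line comment above the list stating that host-libxml2 provides the xmllint used to validate doc/policy.xml, and the same explanation in the commit message.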
>=C2=A0 =C2=A0@@ -30,6 +31,7 @@ endif
>=C2=A0 =C2=A0 # Cannot use multiple threads to build the reference poli= cy
>=C2=A0 =C2=A0 REFPOLICY_MAKE =3D \
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0PYTHON=3D$(HOST_DIR)/usr/bin/p= ython3 \
>=C2=A0 =C2=A0+=C2=A0 =C2=A0 =C2=A0 =C2=A0XMLLINT=3D$(LIBXML2_HOST_BINAR= Y) \
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0TEST_TOOLCHAIN=3D$(HOST_DIR) \=
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0$(TARGET_MAKE_ENV) \
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0$(MAKE1)
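Review bot: `XMLLINT=$(LIBXML2_HOST_BINARY)` in REFPOLICY_MAKE relies on a variable whose definition is not part of this diff, and the refpolicy rule quoted earlier in the thread guards with `test -x $(XMLLINT)`, so an empty or wrong expansion falls into the same "XML validation not run" branch and the build still succeeds. Please confirm the variable is defined by the libxml2 package and resolves to the host xmllint, and consider making the build fail explicitly when that path is not executable rather than depending on the upstream guard.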
>
> (I also checked for other `test -x` conditions in the refpolicy
> Makefile; xmllint seems to be the only one).
>
> [1] "fix the issue" aka throw an error while adding modules without a
>     summary.
>
> Thanks,
> Antoine
>


--
José.
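A build gate for the fail-open behaviour discussed in this thread, as an added example that is not part of the original message or of Buildroot or refpolicy: it fails when the build log shows the xmllint validation was skipped, or when an expected custom module has no `name = module` line in modules.conf. The function names and sample file contents are constructed; the skip message and the modules.conf layout are taken from the thread.

```shell
#!/bin/sh
# Added example: post-build gate for a refpolicy build (not Buildroot code).
# Function names are hypothetical; the sample files below are constructed.

# Fail if the log is unreadable or shows the DTD validation was skipped.
validation_ran() {
    [ -r "$1" ] || { echo "FAIL: cannot read build log $1" >&2; return 1; }
    if grep -q 'XML validation not run' "$1"; then
        echo "FAIL: xmllint validation of policy.xml was skipped" >&2
        return 1
    fi
}

# Fail if any named module lacks a "name = module" (or "name = base") line.
# Module names are assumed to be plain [A-Za-z0-9_]+ identifiers.
modules_enabled() {
    conf=$1; shift
    rc=0
    for mod in "$@"; do
        if ! grep -Eq "^${mod}[[:space:]]*=[[:space:]]*(module|base)[[:space:]]*\$" "$conf"; then
            echo "FAIL: module '$mod' is not enabled in $conf" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed inputs reproducing the two states described in the thread.
tmp=$(mktemp -d)
printf '%s\n' 'doc/policy.xml XML validation not run. Please install the xmllint tool.' \
    > "$tmp/skipped.log"
printf '%s\n' 'constructed log line: validation step completed' > "$tmp/ok.log"
printf '%s\n' '# Layer: buildroot' '# Module: base' '#' \
    '# Layer: buildroot' '# Module: secure' '#' > "$tmp/dropped.conf"
printf '%s\n' '# Layer: buildroot' '# Module: base' '#' '# External base modules.' \
    '#' 'base = module' '' '# Layer: buildroot' '# Module: secure' '#' \
    '# External secure os vm module.' '#' 'secure = module' > "$tmp/built.conf"

for pair in "skipped.log dropped.conf" "ok.log built.conf"; do
    set -- $pair
    if validation_ran "$tmp/$1" && modules_enabled "$tmp/$2" base secure; then
        echo "$1 + $2: gate passed"
    else
        echo "$1 + $2: gate failed"
    fi
done
```

The unreadable-log case is treated as a failure so the gate does not repeat the skip-and-continue pattern it is checking for.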