[Buildroot] [PATCH] package/refpolicy: Treat all modules as custom
José Pekkarinen
jose.pekkarinen at unikie.com
Thu Sep 23 09:08:28 UTC 2021
On Thu, Sep 23, 2021 at 10:59 AM Antoine Tenart <atenart at kernel.org> wrote:
> Quoting José Pekkarinen (2021-09-23 08:26:02)
> > On Wed, Sep 22, 2021 at 5:23 PM Antoine Tenart <[1]atenart at kernel.org>
> > wrote:
> >
> > However I'm surprised as my understanding was the summary was required
> > for the refpolicy configuration step to succeed (I did use a summary
> > for all my tests because of this). When removing a summary from a
> module
> > I always get the following error, and the Buildroot build stops.
> >
> > doc/policy.xml:8376: element module: validity error : Element module
> > content does not follow the DTD, expecting (summary , desc? ,
> required?
> > , (interface | template)* , (bool | tunable)*), got ()
> > Document doc/policy.xml does not validate against doc/policy.dtd
> >
> > Do you have an idea what made your build to succeed even though you
> did
> > not have a summary in your module?
> >
> > I believe it is validating to the summary prior to the module,
> > the one you put in metadata.xml, but not any internal summary for
> > the interface. This is how policy.xml looks like in a case where I
> didn't
> > apply the mitigation:
> > <layer name="buildroot">
> > <summary>Buildroot extra modules</summary>
> > <module name="base" filename="policy/modules/buildroot/base.if">
> > </module>
> > <module name="secure" filename="policy/modules/buildroot/secure.if">
> > </module>
> > </layer>
> >
> > With this the modules.conf comes as:
> >
> > # Layer: buildroot
> > # Module: base
> > #
> > # Layer: buildroot
> > # Module: secure
> > #
> >
> > There is a summary followed by a module, validation pass, but
> >
> > the module is not built. If I add the following lines in the build
> folder
> > modules[1]
> > and run make.conf:
> > [1] refpolicy-2.20200818/policy/modules/buildroot/secure.if: ##
> > <summary>External secure module.</summary>
> > refpolicy-2.20200818/policy/modules/buildroot/base.if: ##
> > <summary>External base module.</summary>
> >
> > The policy.xml looks like:
> >
> > <layer name="buildroot">
> > <summary>Buildroot extra modules</summary>
> > <module name="base" filename="policy/modules/buildroot/base.if">
> > <summary>External base modules.</summary>
> > </module>
> > <module name="secure" filename="policy/modules/buildroot/secure.if">
> > <summary>External secure os vm module.</summary>
> > </module>
> > </layer>
> >
> > Then policy/modules.conf looks this way:
> >
> > # Layer: buildroot
> > # Module: base
> > #
> > # External base modules.
> > #
> > base = module
> >
> > # Layer: buildroot
> > # Module: secure
> > #
> > # External secure os vm module.
> > #
> > secure = module
> >
> > And this produces the modules to get into the policy.32 file.
> > Does it makes any sense on your end?
>
> The above does not reproduce for me. But I might know what's going on:
> do you have xmllint installed on your machine?
>
> If not, the validation step is skipped but the build is not stopped,
> which would explain the difference in behaviour we have between our
> tests:
>
> Makefile:453:
> $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
> $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd)
> $@ ;\
> else \
> echo "$@ XML validation not run. Please install the xmllint
> tool." ;\
> fi
>
> I believe we should make refpolicy depend on host-libxml2 and force it
> to use the Buildroot version of xmllint by setting XMLLINT in the
> configuration step.
>
> Do the following fixes the issue[1] on your side?
>
> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/
> refpolicy.mk
> index 1180f0d38bae..ecd8cf226b45 100644
> --- a/package/refpolicy/refpolicy.mk
> +++ b/package/refpolicy/refpolicy.mk
> @@ -14,7 +14,8 @@ REFPOLICY_DEPENDENCIES = \
> host-policycoreutils \
> host-python3 \
> host-setools \
> - host-gawk
> + host-gawk \
> + host-libxml2
>
> ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
> REFPOLICY_VERSION = $(call
> qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
> @@ -30,6 +31,7 @@ endif
> # Cannot use multiple threads to build the reference policy
> REFPOLICY_MAKE = \
> PYTHON=$(HOST_DIR)/usr/bin/python3 \
> + XMLLINT=$(LIBXML2_HOST_BINARY) \
> TEST_TOOLCHAIN=$(HOST_DIR) \
> $(TARGET_MAKE_ENV) \
> $(MAKE1)
>
>
Confirmed, the patch *works*:
Creating policy.xml
echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' >
doc/policy.xml
echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> doc/policy.xml
echo '<policy>' >> doc/policy.xml
for i in admin apps buildroot kernel roles services system; do echo "<layer
name=\"$i\">" >> doc/policy.xml; cat doc/tmp/$i.xml >> doc/policy.xml; echo
"</layer>" >> doc/policy.xml; done
cat doc/global_tunables.xml doc/global_booleans.xml >> doc/policy.xml
echo '</policy>' >> doc/policy.xml
if test -x /output/br_admin/output_x86_qemu/host/bin/xmllint && test -f
doc/policy.dtd; then \
/output/br_admin/output_x86_qemu/host/bin/xmllint --noout --path
doc/ --dtdvalid doc/policy.dtd doc/policy.xml ;\
else \
echo "doc/policy.xml XML validation not run. Please install the
xmllint tool." ;\
fi
doc/policy.xml:8373: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required? ,
(interface | template)* , (bool | tunable)*), got ()
doc/policy.xml:8375: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required? ,
(interface | template)* , (bool | tunable)*), got ()
Thanks!
José.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.buildroot.org/pipermail/buildroot/attachments/20210923/0e587fc2/attachment.html>
More information about the buildroot
mailing list