[Buildroot] [PATCH] package/refpolicy: Treat all modules as custom

José Pekkarinen jose.pekkarinen at unikie.com
Thu Sep 23 09:08:28 UTC 2021


On Thu, Sep 23, 2021 at 10:59 AM Antoine Tenart <atenart at kernel.org> wrote:

> Quoting José Pekkarinen (2021-09-23 08:26:02)
> >  On Wed, Sep 22, 2021 at 5:23 PM Antoine Tenart <[1]atenart at kernel.org>
> >  wrote:
> >
> >    However I'm surprised as my understanding was the summary was required
> >    for the refpolicy configuration step to succeed (I did use a summary
> >    for all my tests because of this). When removing a summary from a module
> >    I always get the following error, and the Buildroot build stops.
> >
> >      doc/policy.xml:8376: element module: validity error : Element module
> >    content does not follow the DTD, expecting (summary , desc? , required?
> >    , (interface | template)* , (bool | tunable)*), got ()
> >      Document doc/policy.xml does not validate against doc/policy.dtd
> >
> >    Do you have an idea what made your build succeed even though you did
> >    not have a summary in your module?
> >
> >  I believe it is validating to the summary prior to the module,
> >  the one you put in metadata.xml, but not any internal summary for
> >  the interface. This is what policy.xml looks like in a case where I didn't
> >  apply the mitigation:
> >  <layer name="buildroot">
> >  <summary>Buildroot extra modules</summary>
> >  <module name="base" filename="policy/modules/buildroot/base.if">
> >  </module>
> >  <module name="secure" filename="policy/modules/buildroot/secure.if">
> >  </module>
> >  </layer>
> >
> >  With this the modules.conf comes as:
> >
> >  # Layer: buildroot
> >  # Module: base
> >  #
> >  # Layer: buildroot
> >  # Module: secure
> >  #
> >
> >  There is a summary followed by a module, validation passes, but
> >  the module is not built. If I add the following lines in the build folder
> >  modules[1]
> >  and run make.conf:
> >  [1] refpolicy-2.20200818/policy/modules/buildroot/secure.if: ##
> >  <summary>External secure module.</summary>
> >  refpolicy-2.20200818/policy/modules/buildroot/base.if: ##
> >  <summary>External base module.</summary>
> >
> >  The policy.xml looks like:
> >
> >  <layer name="buildroot">
> >  <summary>Buildroot extra modules</summary>
> >  <module name="base" filename="policy/modules/buildroot/base.if">
> >  <summary>External base modules.</summary>
> >  </module>
> >  <module name="secure" filename="policy/modules/buildroot/secure.if">
> >  <summary>External secure os vm module.</summary>
> >  </module>
> >  </layer>
> >
> >  Then policy/modules.conf looks this way:
> >
> >  # Layer: buildroot
> >  # Module: base
> >  #
> >  # External base modules.
> >  #
> >  base = module
> >
> >  # Layer: buildroot
> >  # Module: secure
> >  #
> >  # External secure os vm module.
> >  #
> >  secure = module
> >
> >  And this produces the modules to get into the policy.32 file.
> >  Does it make any sense on your end?
>
> The above does not reproduce for me. But I might know what's going on:
> do you have xmllint installed on your machine?
>
> If not, the validation step is skipped but the build is not stopped,
> which would explain the difference in behaviour we have between our
> tests:
>
>   Makefile:453:
>   $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
>           $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
>           else \
>           echo "$@ XML validation not run. Please install the xmllint tool." ;\
>   fi
>
> I believe we should make refpolicy depend on host-libxml2 and force it
> to use the Buildroot version of xmllint by setting XMLLINT in the
> configuration step.
>
> Does the following fix the issue[1] on your side?
>
>   diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/
> refpolicy.mk
>   index 1180f0d38bae..ecd8cf226b45 100644
>   --- a/package/refpolicy/refpolicy.mk
>   +++ b/package/refpolicy/refpolicy.mk
>   @@ -14,7 +14,8 @@ REFPOLICY_DEPENDENCIES = \
>           host-policycoreutils \
>           host-python3 \
>           host-setools \
>   -       host-gawk
>   +       host-gawk \
>   +       host-libxml2
>
>    ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
>    REFPOLICY_VERSION = $(call
> qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
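Review bot: adding host-libxml2 to REFPOLICY_DEPENDENCIES only guarantees that a Buildroot-built xmllint exists; the refpolicy Makefile locates it through $(XMLLINT) (Makefile:453 quoted above), so this hunk on its own does not stop the `test -x $(XMLLINT)` guard from resolving to a missing binary and skipping validation with nothing more than an echo. It also turns a previously silent skip into a hard build failure for any custom module whose .if file lacks a `## <summary>` header, which is exactly the behaviour difference discussed above; that consequence belongs in the commit message so people carrying custom modules know why their build starts failing.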
>   @@ -30,6 +31,7 @@ endif
>    # Cannot use multiple threads to build the reference policy
>    REFPOLICY_MAKE = \
>           PYTHON=$(HOST_DIR)/usr/bin/python3 \
>   +       XMLLINT=$(LIBXML2_HOST_BINARY) \
>           TEST_TOOLCHAIN=$(HOST_DIR) \
>           $(TARGET_MAKE_ENV) \
>           $(MAKE1)
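Review bot: XMLLINT=$(LIBXML2_HOST_BINARY) is only exported through REFPOLICY_MAKE, while the message above says the override is needed in the configuration step; if any invocation of the refpolicy Makefile for this package does not go through REFPOLICY_MAKE, that invocation still sees an unset XMLLINT, the `test -x` guard fails, and the else branch prints "XML validation not run" without failing the build. Suggest checking that the configure, build and install steps all use REFPOLICY_MAKE, and, since the guard is what decides whether validation runs at all, a comment next to the new line saying it exists to make validation mandatory rather than best-effort.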
>
>
Confirmed, the patch *works*:


Creating policy.xml
echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' >
doc/policy.xml
echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> doc/policy.xml
echo '<policy>' >> doc/policy.xml
for i in admin apps buildroot kernel roles services system; do echo "<layer
name=\"$i\">" >> doc/policy.xml; cat doc/tmp/$i.xml >> doc/policy.xml; echo
"</layer>" >> doc/policy.xml; done
cat doc/global_tunables.xml doc/global_booleans.xml >> doc/policy.xml
echo '</policy>' >> doc/policy.xml
if test -x /output/br_admin/output_x86_qemu/host/bin/xmllint && test -f
doc/policy.dtd; then \
       /output/br_admin/output_x86_qemu/host/bin/xmllint --noout --path
doc/ --dtdvalid doc/policy.dtd doc/policy.xml ;\
       else \
       echo "doc/policy.xml XML validation not run. Please install the
xmllint tool." ;\
fi
doc/policy.xml:8373: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required? ,
(interface | template)* , (bool | tunable)*), got ()
doc/policy.xml:8375: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required? ,
(interface | template)* , (bool | tunable)*), got ()

Thanks!


José.
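As an added example (not code from this thread, Buildroot or refpolicy), the check below does fail-closed what the Makefile's `test -x $(XMLLINT)` guard does fail-open: it parses a policy.xml of the shape posted above, reports every module whose first child is not `<summary>` as the quoted policy.dtd content model requires, and renders the modules.conf fragment the way the thread shows it, where the `name = module` line only follows a summary. The sample XML and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the policy.xml posted in the thread:
# "base" has no summary (the silently skipped case), "secure" has one.
SAMPLE_POLICY_XML = """<policy>
<layer name="buildroot">
<summary>Buildroot extra modules</summary>
<module name="base" filename="policy/modules/buildroot/base.if">
</module>
<module name="secure" filename="policy/modules/buildroot/secure.if">
<summary>External secure module.</summary>
</module>
</layer>
</policy>"""


def modules_missing_summary(xml_text):
    """(layer, module) pairs whose <module> does not start with <summary>,
    which the quoted DTD model (summary , desc? , required? , ...) requires."""
    root = ET.fromstring(xml_text)
    missing = []
    for layer in root.iter("layer"):
        for mod in layer.findall("module"):
            children = list(mod)
            if not children or children[0].tag != "summary":
                missing.append((layer.get("name"), mod.get("name")))
    return missing


def render_modules_conf(xml_text):
    """modules.conf fragment as the thread shows it: the header is always
    written, the enabling 'name = module' line only follows a summary."""
    lines = []
    for layer in ET.fromstring(xml_text).iter("layer"):
        for mod in layer.findall("module"):
            name = mod.get("name")
            lines += [f"# Layer: {layer.get('name')}", f"# Module: {name}", "#"]
            summary = mod.find("summary")
            if summary is not None:
                lines += [f"# {summary.text}", "#", f"{name} = module"]
            lines.append("")
    return "\n".join(lines)


def check_policy_xml(xml_text):
    """Fail closed: raise on a missing summary instead of printing a notice
    and carrying on like the Makefile guard does when xmllint is absent."""
    missing = modules_missing_summary(xml_text)
    if missing:
        names = ", ".join(f"{layer}/{mod}" for layer, mod in missing)
        raise ValueError(f"modules without <summary>, not built: {names}")
    return True
```

Run it against the generated doc/policy.xml before the refpolicy build step; a non-zero exit on a missing summary is what the Makefile's echo-and-continue branch never gives you.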