[1/1] package/tpm2-tss: needs host-acl

Add host-acl mandatory dependency for setfacl to avoid the following
build failure since bump to version 3.1.0 in commit
470e2e9bc5211184431fbc868359a9d695e624f4 and
https://github.com/tpm2-software/tpm2-tss/commit/9d42f4dbde6a94724e95d57c333cda7711dda57c:

configure: error: Missing required program 'setfacl': ensure it is installed and on PATH.

Fixes:
 - http://autobuild.buildroot.org/results/eab44622f8d8ff4fbf464b5a98856382f019c2cb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/tpm2-tss/tpm2-tss.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

On Wed, 13 Oct 2021 08:54:46 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Add host-acl mandatory dependency for setfacl to avoid the following
> build failure since bump to version 3.1.0 in commit
> 470e2e9bc5211184431fbc868359a9d695e624f4 and
> https://github.com/tpm2-software/tpm2-tss/commit/9d42f4dbde6a94724e95d57c333cda7711dda57c:

So this commit adds:

# Check all tools used by make install
AS_IF([test "$HOSTOS" = "Linux"],
      [ERROR_IF_NO_PROG([groupadd])
       ERROR_IF_NO_PROG([useradd])
       ERROR_IF_NO_PROG([id])
       ERROR_IF_NO_PROG([chown])
       ERROR_IF_NO_PROG([chmod])
       ERROR_IF_NO_PROG([mkdir])
       ERROR_IF_NO_PROG([setfacl])])

But in the context of Buildroot, using groupadd, useradd, chown, chmod,
setfacl at install time cannot work, since we're not doing "make
install" as root.

So are we sure that adding host-acl as a dependency to get a host
variant of setfacl is really the good solution?

How is it handled for groupadd/useradd/chown/chmod today ?

Thomas

Le lun. 18 oct. 2021 à 22:35, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> a écrit :
>
> On Wed, 13 Oct 2021 08:54:46 +0200
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > Add host-acl mandatory dependency for setfacl to avoid the following
> > build failure since bump to version 3.1.0 in commit
> > 470e2e9bc5211184431fbc868359a9d695e624f4 and
> > https://github.com/tpm2-software/tpm2-tss/commit/9d42f4dbde6a94724e95d57c333cda7711dda57c:
>
> So this commit adds:
>
> # Check all tools used by make install
> AS_IF([test "$HOSTOS" = "Linux"],
>       [ERROR_IF_NO_PROG([groupadd])
>        ERROR_IF_NO_PROG([useradd])
>        ERROR_IF_NO_PROG([id])
>        ERROR_IF_NO_PROG([chown])
>        ERROR_IF_NO_PROG([chmod])
>        ERROR_IF_NO_PROG([mkdir])
>        ERROR_IF_NO_PROG([setfacl])])
>
> But in the context of Buildroot, using groupadd, useradd, chown, chmod,
> setfacl at install time cannot work, since we're not doing "make
> install" as root.
>
> So are we sure that adding host-acl as a dependency to get a host
> variant of setfacl is really the good solution?
>
> How is it handled for groupadd/useradd/chown/chmod today ?
groupadd/useradd/chown/chmod are called since version 3.0.0 and
https://github.com/tpm2-software/tpm2-tss/commit/d01c24e6cb095e18c5e29af4a3018010b3230a6d

setfacl is called since version 3.0.0 and
https://github.com/tpm2-software/tpm2-tss/commit/811e451c94254496338d36783cda44a7729b085a

But more importantly, all those functions are not even used on a
target without systemd and a host with
systemd-{sysusers,tmpfiles} because tpm2-tss try to install files in
$(TARGET_DIR)/etc/{sysusers,tmpfiles}.d which don't even exist if
BR2_INIT_SYSTEMD is not set.
Even if BR2_INIT_SYSTEMD is set, the path is wrong as it should be
installed in $(TARGET_DIR)/usr/lib/{sysusers,tmpfiles}.d

To conclude, I would say that install of tpm2-tss is partially broken
since at least bump to version 3.0.0 in commit
89f3d90e24bb24b70fc4a37bf8cff6186672475c.
>
> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin
> Embedded Linux and Kernel engineering and training
> https://bootlin.com
Best Regards,

Fabrice

Fabrice, Thomas, Yair, All,

On 2021-10-19 23:28 +0200, Fabrice Fontaine spake thusly:
> Le lun. 18 oct. 2021 à 22:35, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> a écrit :
> > On Wed, 13 Oct 2021 08:54:46 +0200
> > Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> > > Add host-acl mandatory dependency for setfacl to avoid the following
> > > build failure since bump to version 3.1.0 in commit
> > > 470e2e9bc5211184431fbc868359a9d695e624f4 and
> > > https://github.com/tpm2-software/tpm2-tss/commit/9d42f4dbde6a94724e95d57c333cda7711dda57c:
> > So this commit adds:
> > # Check all tools used by make install
> > AS_IF([test "$HOSTOS" = "Linux"],
> >       [ERROR_IF_NO_PROG([groupadd])
> >        ERROR_IF_NO_PROG([useradd])
> >        ERROR_IF_NO_PROG([id])
> >        ERROR_IF_NO_PROG([chown])
> >        ERROR_IF_NO_PROG([chmod])
> >        ERROR_IF_NO_PROG([mkdir])
> >        ERROR_IF_NO_PROG([setfacl])])
> >
> > But in the context of Buildroot, using groupadd, useradd, chown, chmod,
> > setfacl at install time cannot work, since we're not doing "make
> > install" as root.
> >
> > So are we sure that adding host-acl as a dependency to get a host
> > variant of setfacl is really the good solution?
> >
> > How is it handled for groupadd/useradd/chown/chmod today ?
> groupadd/useradd/chown/chmod are called since version 3.0.0 and
> https://github.com/tpm2-software/tpm2-tss/commit/d01c24e6cb095e18c5e29af4a3018010b3230a6d
> 
> setfacl is called since version 3.0.0 and
> https://github.com/tpm2-software/tpm2-tss/commit/811e451c94254496338d36783cda44a7729b085a
> 
> But more importantly, all those functions are not even used on a
> target without systemd and a host with
> systemd-{sysusers,tmpfiles} because tpm2-tss try to install files in
> $(TARGET_DIR)/etc/{sysusers,tmpfiles}.d which don't even exist if
> BR2_INIT_SYSTEMD is not set.
> Even if BR2_INIT_SYSTEMD is set, the path is wrong as it should be
> installed in $(TARGET_DIR)/usr/lib/{sysusers,tmpfiles}.d
> 
> To conclude, I would say that install of tpm2-tss is partially broken
> since at least bump to version 3.0.0 in commit
> 89f3d90e24bb24b70fc4a37bf8cff6186672475c.

Agreed, the install is borked because it is looking for programs at
configure time, so it finds those on the host if they exist, or do not
find any at all, which can very well differ from what will be present
on the target.

But I would say that this is not totally unreasonable: there is no way,
at cross-configure time, for a package to find the tools that will be
present at runtime.

All we can do in such a case it force the path to such tools.

However, in this case, tpm2-tss only uses setfacl if systemd-tmpfiles is
not available. If the call to setfacl fails, the install does not fail
(split on two lines for readability):

    @-$(call make_fapi_dirs) && $(call set_fapi_permissions) \
    || echo "WARNING Failed to create the FAPI directories with the correct permissions"

set_fapi_permissions is a macro that eventually expands to:

    (chown -R tss:tss "$1") && \
    (chmod -R 2775 "$1") && \
    (setfacl -m default:group:tss:rwx "$1")

So the call to setfacl will not even be ever attempted, because the
chown will fail first.

We have three solutions to that:

  - either we force the use of systemd-tmpfiles when tpm2-tss is
    enabled,

  - or we disable tpm2-tss if systemd-tmpfiles is not enabled,

  - or we just configure tpm2-tss with ac_cv_prog_result_setfacl=true,
    and let the install use the fallback path and be done with it.

So, this would fix the immediate issue.

Now there would remain the issue that some features of tpm2-tss sill be
incorrectly enabled/disabled depending on whther the host has or is
missing systemd-users and/or systemd-tmpfiles:

    # Check for systemd helper tools used by make install
    AC_CHECK_PROG(systemd_sysusers, systemd-sysusers, yes)
    AM_CONDITIONAL(SYSD_SYSUSERS, test "x$systemd_sysusers" = "xyes")
    AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes)
    AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes")

In which case we would need to pass ac_cv_prog_systemd_sysusers=yes and
systemd_tmpfiles=yes when they are enabled in our config.

This would be for another patch, of course.

I'll see to send appropriate patches soonish.

Regards,
Yann E. MORIN.