From patchwork Thu Jan 28 12:52:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxime Chevallier X-Patchwork-Id: 1432784 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DRL4D6D6kz9sSC for ; Thu, 28 Jan 2021 23:53:16 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id D55DF86BBE; Thu, 28 Jan 2021 12:53:13 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IEU-P9v887nq; Thu, 28 Jan 2021 12:53:12 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by whitealder.osuosl.org (Postfix) with ESMTP id D4E0E86A10; Thu, 28 Jan 2021 12:53:12 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id 7C8691BF299 for ; Thu, 28 Jan 2021 12:53:11 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 774CF86A10 for ; Thu, 28 Jan 2021 12:53:11 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O1n4fVVkNFJO for ; Thu, 28 Jan 2021 12:53:09 +0000 (UTC) X-Greylist: domain 
auto-whitelisted by SQLgrey-1.7.6 Received: from relay11.mail.gandi.net (relay11.mail.gandi.net [217.70.178.231]) by whitealder.osuosl.org (Postfix) with ESMTPS id 572C886354 for ; Thu, 28 Jan 2021 12:53:09 +0000 (UTC) Received: from pc-2.home (apoitiers-259-1-26-122.w90-55.abo.wanadoo.fr [90.55.97.122]) (Authenticated sender: maxime.chevallier@bootlin.com) by relay11.mail.gandi.net (Postfix) with ESMTPSA id B1F55100002; Thu, 28 Jan 2021 12:53:04 +0000 (UTC) From: Maxime Chevallier To: buildroot@buildroot.org Date: Thu, 28 Jan 2021 13:52:56 +0100 Message-Id: <20210128125256.1419587-1-maxime.chevallier@bootlin.com> X-Mailer: git-send-email 2.25.4 MIME-Version: 1.0 Subject: [Buildroot] [PATCH v2] package/refpolicy: Add option to disable "dontaudit" rules X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antoine Tenart , Thomas Petazzoni , Maxime Chevallier Errors-To: buildroot-bounces@busybox.net Sender: "buildroot"

Some rules in the refpolicy are declared with "dontaudit", effectively suppressing any AVC violation log, while still denying the actions. This is useful in some cases, where denied actions are to be expected but won't prevent the system from operating. However in some other cases, the suppressed logs are important to troubleshoot some issues.

Disabling the "dontaudit" rules can be done either from the running system by rebuilding the policy with "semodules -DB", or when initially building the policy by using the "enableaudit" make target.

This commit allows building the refpolicy with the "enableaudit" target prior to installing it, thanks to a dedicated config option.
Signed-off-by: Maxime Chevallier
---
v1 -> v2: Use POST_BUILD_HOOKS to summon make enableaudit, as per Antoine Tenart and Thomas Petazzoni's reviews

package/refpolicy/Config.in | 14 ++++++++++++++ package/refpolicy/refpolicy.mk | 8 ++++++++ 2 files changed, 22 insertions(+)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in index c529b85e1d..d6e195e8f8 100644 --- a/package/refpolicy/Config.in +++ b/package/refpolicy/Config.in @@ -111,6 +111,20 @@ config BR2_REFPOLICY_EXTRA_MODULES endif +config BR2_REFPOLICY_DISABLE_DONTAUDIT + bool "Disable dontaudit" + help + Builds the refpolicy with the "dontaudit" rules disabled. + This will trigger unseen, and probably unharmful audit logs that are + explicitely silenced otherwise. This option can be helpful for + debugging purposes, should a silenced message cause a real issue + that would otherwise be hard to troubleshoot. + + This option should be used for debugging purposes only, due to + the amount of avc logs it generates. + + If unsure, select n. + endif comment "refpolicy needs a toolchain w/ threads" diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index 0194708b37..4dfa9e914a 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -116,6 +116,14 @@ define REFPOLICY_BUILD_CMDS $(REFPOLICY_MAKE) -C $(@D) policy endef +ifeq ($(BR2_REFPOLICY_DISABLE_DONTAUDIT),y) +define REFPOLICY_DISABLE_DONTAUDIT_CMDS + $(REFPOLICY_MAKE) -C $(@D) enableaudit +endef +endif + +REFPOLICY_POST_BUILD_HOOKS += REFPOLICY_DISABLE_DONTAUDIT_CMDS + define REFPOLICY_INSTALL_STAGING_CMDS $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) \ install-src install-headers
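Review bot: the Config.in help text has two spelling errors, "unharmful" and "explicitely" (should be "harmless" and "explicitly"), and the sentence "This will trigger unseen, and probably unharmful audit logs that are explicitely silenced otherwise" is hard to parse; something like "This makes visible the AVC denials that the policy otherwise silences on purpose; most of them are harmless" says the same thing more clearly. The first and second paragraphs both state that the option is for debugging, so the "debugging purposes" sentence could be kept only once, alongside the note about the volume of avc logs.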
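Review bot: in the refpolicy.mk hunk, `REFPOLICY_POST_BUILD_HOOKS += REFPOLICY_DISABLE_DONTAUDIT_CMDS` sits outside the `ifeq ($(BR2_REFPOLICY_DISABLE_DONTAUDIT),y)` block, so the hook is registered unconditionally and, when the option is off, names a variable that was never defined. Move the `+=` line inside the conditional, just before `endif`, so the hook is only added together with its definition. A one-line comment above the `define` saying that `enableaudit` rebuilds the already-built policy without its dontaudit rules (which is what the commit message describes and why this has to be a post-build hook rather than part of `REFPOLICY_BUILD_CMDS`) would also help the next reader of the .mk.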
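With the option from this patch enabled, denials that refpolicy's dontaudit rules normally hide start appearing in the audit log, and the help text warns about their volume. As an added example that is not part of this patch, of Buildroot or of refpolicy, the following Python script parses AVC records of the kind that surface once dontaudit is disabled and groups the denials by source type, target type, object class and permission. That grouping is the first step in telling a newly visible but expected denial from the one that explains a misbehaving service. The field names (`scontext`, `tcontext`, `tclass`, `comm`) follow the kernel's AVC message format; the log lines themselves are constructed for this example and do not come from a real system.

```python
import re
from collections import Counter

# Constructed sample audit.log excerpt (not from the patch or a real device):
# AVC denials of the kind that become visible when dontaudit rules are removed,
# plus one SYSCALL record and one "granted" record that the summary must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1611838400.101:201): avc:  denied  { read } for  pid=321 comm="ntpd" name="localtime" dev="mmcblk0p2" ino=1034 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=0
type=AVC msg=audit(1611838400.102:202): avc:  denied  { read } for  pid=321 comm="ntpd" name="localtime" dev="mmcblk0p2" ino=1034 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=0
type=AVC msg=audit(1611838400.150:203): avc:  denied  { search } for  pid=322 comm="sshd" name="root" dev="mmcblk0p2" ino=2 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1611838400.160:204): avc:  denied  { read write } for  pid=322 comm="sshd" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1611838400.160:204): arch=c00000b7 syscall=56 success=no exit=-13
type=AVC msg=audit(1611838400.200:205): avc:  granted  { setenforce } for  pid=400 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." ; the braces may hold
# several permissions, which we split into separate entries below.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm", ""),
    }


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize_denials(log_text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]),
                   rec["tclass"], perm)
            counts[key] += 1
    return counts


def report(counts):
    """Render the summary, most frequent denial first, as one line per key."""
    lines = []
    for (stype, ttype, tclass, perm), n in sorted(
            counts.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"{n:4d}  {stype} -> {ttype} : {tclass} {{ {perm} }}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize_denials(SAMPLE_AUDIT_LOG)))
```

Running the script prints the four distinct denials in the sample, with the repeated `ntpd_t -> locale_t` read on top. On a real board the input would be `/var/log/audit/audit.log` (or `ausearch -m AVC` output); a denial that appears only with dontaudit disabled and lines up in time with the failing service is the candidate to investigate, while the bulk of the newly visible entries is the expected noise the help text refers to.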