From: Giulio Benetti <giulio.benetti@benettiengineering.com>
To: buildroot@buildroot.org
Cc: Antoine Tenart <atenart@kernel.org>,
Giulio Benetti <giulio.benetti@benettiengineering.com>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
Maxime Chevallier <maxime.chevallier@bootlin.com>
Subject: [Buildroot] [PATCH v3] package/refpolicy: Add option to disable "dontaudit" rules
Date: Wed, 19 Jan 2022 23:23:32 +0100
Message-ID: <20220119222332.66485-1-giulio.benetti@benettiengineering.com>
In-Reply-To: <20210128125256.1419587-1-maxime.chevallier@bootlin.com>
From: Maxime Chevallier <maxime.chevallier@bootlin.com>
Some rules in the refpolicy are declared with "dontaudit", effectively
suppressing any AVC violation log, while still denying the actions.
This is useful in some cases, where denied actions are to be expected
but won't prevent the system from operating.
However in some other cases, the suppressed logs are important to
troubleshoot some issues.
Disabling the "dontaudit" rules can be done either from the running
system by rebuilding the policy with "semodules -DB", or when initially
building the policy by using the "enableaudit" make target.
This commit allows building the refpolicy with the "enableaudit" target
prior to installing it, thanks to a dedicated config option.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Giulio: moved REFPOLICY_POST_BUILD_HOOKS inside ifeq/endef]
---
Maxime:
V1->V2:
* Use POST_BUILD_HOOKS to summon make enableaudit, as per Antoine Tenart
and Thomas Petazzoni's reviews
Giulio:
V2->V3:
* moved REFPOLICY_POST_BUILD_HOOKS into ifeq/endef as suggested by Antoine
Tenart
NOTE: this patch supersedes V2:
https://patchwork.ozlabs.org/project/buildroot/patch/20210128125256.1419587-1-maxime.chevallier@bootlin.com/
---
package/refpolicy/Config.in | 14 ++++++++++++++
package/refpolicy/refpolicy.mk | 7 +++++++
2 files changed, 21 insertions(+)
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index 0e72b895df..caba147feb 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -113,6 +113,20 @@ config BR2_REFPOLICY_EXTRA_MODULES
endif
+config BR2_REFPOLICY_DISABLE_DONTAUDIT
+ bool "Disable dontaudit"
+ help
+ Builds the refpolicy with the "dontaudit" rules disabled.
+ This will trigger unseen, and probably unharmful audit logs that are
+ explicitely silenced otherwise. This option can be helpful for
+ debugging purposes, should a silenced message cause a real issue
+ that would otherwise be hard to troubleshoot.
+
+ This option should be used for debugging purposes only, due to
+ the amount of avc logs it generates.
+
+ If unsure, select n.
+
endif
comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
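Review bot: the help text in this hunk has spelling issues that should be fixed before merging: "explicitely" (line `+ explicitely silenced otherwise. This option can be helpful for`) should be "explicitly", and "unharmful" (line `+ This will trigger unseen, and probably unharmful audit logs that are`) reads better as "harmless". While touching it, "avc logs" in the second paragraph could be written "AVC logs" to match the commit message, which calls them AVC violation logs.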
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 44c50af278..e113c3496e 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -118,6 +118,13 @@ define REFPOLICY_BUILD_CMDS
$(REFPOLICY_MAKE) -C $(@D) policy
endef
+ifeq ($(BR2_REFPOLICY_DISABLE_DONTAUDIT),y)
+define REFPOLICY_DISABLE_DONTAUDIT_CMDS
+ $(REFPOLICY_MAKE) -C $(@D) enableaudit
+endef
+REFPOLICY_POST_BUILD_HOOKS += REFPOLICY_DISABLE_DONTAUDIT_CMDS
+endif
+
define REFPOLICY_INSTALL_STAGING_CMDS
$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) \
install-src install-headers
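Review bot: with BR2_REFPOLICY_DISABLE_DONTAUDIT=y the policy is built twice: REFPOLICY_BUILD_CMDS already runs `$(REFPOLICY_MAKE) -C $(@D) policy`, and the post-build hook then runs `$(REFPOLICY_MAKE) -C $(@D) enableaudit`, which the commit message describes as rebuilding the policy without the dontaudit rules. That is acceptable for a debug-only option, but it should be stated in the commit message or the Config.in help text; alternatively, if the refpolicy Makefile permits it, select the build target conditionally (`policy` vs `enableaudit`) in REFPOLICY_BUILD_CMDS instead of adding a hook, so the policy is built only once.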
--
2.25.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot