
[v9,05/15] busybox: selinux support

Message ID 1436905227-26937-6-git-send-email-clayton.shotwell@rockwellcollins.com
State Accepted

Commit Message

Clayton Shotwell July 14, 2015, 8:20 p.m. UTC
Add a configure option to enable the SELinux support in the
busybox configuration from the Buildroot menuconfig.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>

---
Changes v8 -> v9:
  - No changes

Changes v7 -> v8:
  - Fixed typos and removed extra line (Suggested by Samuel)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - Added help text to the SELinux configuration option (Suggested by
    Thomas P. and Samuel)

Changes v4 -> v5:
  - Renamed to follow patch naming convention (Matt W.)
  - Added a dependency on having threads for the busybox SELinux flag to
    ensure it does not cause libselinux to build when threads are not
    available. Also added a select for libselinux to make the linking
    apparent. (Clayton S.)
  - Added a dependency on not using static libraries, for libselinux (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 ...ags-strip-non-l-arguments-returned-by-pkg.patch | 28 ++++++++++++++++++++++
 package/busybox/Config.in                          | 16 +++++++++++++
 package/busybox/busybox.mk                         |  9 +++++++
 3 files changed, 53 insertions(+)
 create mode 100644 package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch

Comments

Thomas Petazzoni July 18, 2015, 1:06 p.m. UTC | #1
Dear Clayton Shotwell,

On Tue, 14 Jul 2015 15:20:17 -0500, Clayton Shotwell wrote:
> Add a configure option to enable the SELinux support in the
> busybox configuration from the Buildroot menuconfig.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> Reviewed-by: Samuel Martin <s.martin49@gmail.com>
> 
> ---
> Changes v8 -> v9:
>   - No changes

I've applied the patch. However, could you submit the Busybox patch
upstream?

Also, the Config.in help text mentions
BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES, for which I haven't merged the
patch yet because I still had comments. So we will have to hurry to
merge it, to not keep for too long this currently "invalid" reference!

Thanks,

Thomas
Clayton Shotwell July 20, 2015, 1:56 p.m. UTC | #2
Thomas,

On Sat, Jul 18, 2015 at 8:06 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Tue, 14 Jul 2015 15:20:17 -0500, Clayton Shotwell wrote:
>> Add a configure option to enable the SELinux support in the
>> busybox configuration from the Buildroot menuconfig.
>>
>> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
>> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>> Reviewed-by: Samuel Martin <s.martin49@gmail.com>
>>
>> ---
>> Changes v8 -> v9:
>>   - No changes
>
> I've applied the patch. However, could you submit the Busybox patch
> upstream?

I'll get it sent out today. Thanks for merging the rest of it.

> Also, the Config.in help text mentions
> BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES, for which I haven't merged the
> patch yet because I still had comments. So we will have to hurry to
> merge it, to not keep for too long this currently "invalid" reference!

Thanks,
Clayton

Clayton Shotwell
Senior Software Engineer, Rockwell Collins
clayton.shotwell@rockwellcollins.com

Patch

diff --git a/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch b/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
new file mode 100644
index 0000000..105626c
--- /dev/null
+++ b/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
@@ -0,0 +1,28 @@ 
+From 67eb23d2be8aba3c474dac81a15b0fa11e5847b7 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Mon, 25 Nov 2013 22:51:53 +0100
+Subject: [PATCH] Makefile.flags: strip non -l arguments returned by pkg-config
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+---
+ Makefile.flags | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.flags b/Makefile.flags
+index 307afa7..885e323 100644
+--- a/Makefile.flags
++++ b/Makefile.flags
+@@ -141,7 +141,9 @@ ifeq ($(CONFIG_SELINUX),y)
+ SELINUX_PC_MODULES = libselinux libsepol
+ $(eval $(call pkg_check_modules,SELINUX,$(SELINUX_PC_MODULES)))
+ CPPFLAGS += $(SELINUX_CFLAGS)
+-LDLIBS += $(if $(SELINUX_LIBS),$(SELINUX_LIBS:-l%=%),$(SELINUX_PC_MODULES:lib%=%))
++LDLIBS += $(if $(SELINUX_LIBS),\
++       $(patsubst -l%,%,$(filter -l%,$(SELINUX_LIBS))),\
++       $(SELINUX_PC_MODULES:lib%=%))
+ endif
+ 
+ ifeq ($(CONFIG_EFENCE),y)
+-- 
+1.8.1.2
+
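Review bot: The patch header at lines 126-131 carries only a subject line and no body, so a maintainer has to reverse-engineer from the three changed lines at 145-147 what actually broke; presumably the old `$(SELINUX_LIBS:-l%=%)` form left any `-L/dir` word from pkg-config intact, which then gets mangled when busybox later re-prefixes each LDLIBS word with `-l`, but that mechanism is inferred rather than visible here. A one-paragraph body along the lines of `pkg-config --libs may return -L and other non -l flags; only -l entries belong in LDLIBS, so keep those and drop the rest` would make the intent checkable. Note also that `$(filter -l%,...)` discards `-L` search paths outright, so a libselinux/libsepol installed in a non-default directory has to reach the link through LDFLAGS rather than through this variable.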
diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index b3303c0..a80a050 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -41,6 +41,22 @@  comment "Busybox individual binaries depends on dynamic libraries"
 	depends on BR2_STATIC_LIBS
 	depends on !BR2_bfin
 
+config BR2_PACKAGE_BUSYBOX_SELINUX
+	select BR2_PACKAGE_LIBSELINUX
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_STATIC_LIBS
+	bool "Enable SELinux support"
+	help
+	  Enable SELinux support in BusyBox. Please note that depending on
+	  your BusyBox configuration and the SELinux policy implementation,
+	  you may want to also enable BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES.
+
+	  For instance, if your BusyBox configuration only uses a couple of
+	  minor BusyBox features, such as simple command line utilities, the
+	  symlinked version of BusyBox can be used to save space. If BusyBox
+	  provides more features, such as crond, then individual binaries
+	  have to be enabled for the SELinux type transitions to occur properly.
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
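Review bot: The new option at lines 162-165 has `depends on BR2_TOOLCHAIN_HAS_THREADS` and `depends on !BR2_STATIC_LIBS` but no accompanying comment entry, so when either condition is unmet the option simply disappears from menuconfig without telling the user why; the context at lines 158-160 shows the file's own pattern of a `comment` guarded by the inverted dependency. Add after the help text: `comment "SELinux support needs a toolchain w/ threads, dynamic library"` and `	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS`. As a point of style, the `bool` prompt at line 166 conventionally comes first, ahead of the `select` and `depends on` lines, as BR2_PACKAGE_BUSYBOX_WATCHDOG at lines 178-179 does.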
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 4942e75..94f3b47 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -180,6 +180,14 @@  define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
+BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
+define BUSYBOX_SET_SELINUX
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUXENABLED,$(BUSYBOX_BUILD_CONFIG))
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
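Review bot: `BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol` at line 190 puts libsepol into the build order, but the Config.in side of this series only selects BR2_PACKAGE_LIBSELINUX; unless libselinux's own Config.in selects libsepol (not visible here), libsepol may stay disabled and this becomes a reference to a package that is not built rather than an ordering edge. If it is not selected transitively, add `select BR2_PACKAGE_LIBSEPOL` next to the libselinux select in Config.in. Separately, the pkg_check_modules call that the 0008 patch adds to busybox's Makefile.flags runs pkg-config from inside the busybox build, so it only finds the staging libselinux if the busybox make environment points PKG_CONFIG at Buildroot's host pkg-config; that is worth confirming in BUSYBOX_MAKE_ENV, which lies outside this hunk.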
@@ -239,6 +247,7 @@  define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
 	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
+	$(BUSYBOX_SET_SELINUX)
 endef
 
 define BUSYBOX_CONFIGURE_CMDS