Message ID | 20191122095541.688125-2-thomas.petazzoni@bootlin.com |
---|---|
State | Changes Requested |
Delegated to: | Daniel Golle |
Series | SELinux support: core OpenWrt changes |
Hi Thomas,

On Fri, Nov 22, 2019 at 10:55:35AM +0100, Thomas Petazzoni wrote:

> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> > --- > package/utils/busybox/Makefile | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile > index c0f3007e5d..bad4598525 100644 > --- a/package/utils/busybox/Makefile > +++ b/package/utils/busybox/Makefile > @@ -17,7 +17,7 @@ PKG_SOURCE_URL:=https://www.busybox.net/downloads \ > http://sources.buildroot.net > PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998 > > -PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam > +PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam BUSYBOX_CONFIG_SELINUX:libselinux > PKG_BUILD_PARALLEL:=1 > PKG_CHECK_FORMAT_SECURITY:=0 > > @@ -45,7 +45,7 @@ define Package/busybox > MAINTAINER:=Felix Fietkau <nbd@nbd.name> > TITLE:=Core utilities for embedded Linux > URL:=http://busybox.net/ > - DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter > + DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter +BUSYBOX_CONFIG_SELINUX:libselinux > MENU:=1 > endef > > @@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread) > ifeq ($(CONFIG_USE_GLIBC),y) > LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv) > endif > +ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y) > + LDLIBS += selinux sepol > +endif

also here, it would be better to have a build-variant of busybox which has selinux enabled instead of a buildroot compile option.

Cheers

Daniel

> > TARGET_CFLAGS += -flto > TARGET_LDFLAGS += -flto=jobserver -fuse-linker-plugin > -- > 2.23.0
Hello,

On Sat, 4 Jan 2020 15:06:38 +0200 Daniel Golle <daniel@makrotopia.org> wrote:

> > @@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread) > > ifeq ($(CONFIG_USE_GLIBC),y) > > LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv) > > endif > > +ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y) > > + LDLIBS += selinux sepol > > +endif
>
> also here, it would be better to have a build-variant of busybox which
> has selinux enabled instead of a buildroot compile option.

Thanks for your feedback. Could you give some initial hints on what you mean by "build-variant", or at least point at some existing examples?

Thanks a lot,

Thomas
Hi Thomas,

On Sat, Jan 04, 2020 at 02:15:38PM +0100, Thomas Petazzoni wrote:

> Hello,
>
> On Sat, 4 Jan 2020 15:06:38 +0200
> Daniel Golle <daniel@makrotopia.org> wrote:
>
> > > @@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread) > > > ifeq ($(CONFIG_USE_GLIBC),y) > > > LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv) > > > endif > > > +ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y) > > > + LDLIBS += selinux sepol > > > +endif
> >
> > also here, it would be better to have a build-variant of busybox which
> > has selinux enabled instead of a buildroot compile option.
>
> Thanks for your feedback. Could you give some initial hints on what you
> mean by "build-variant", or at least point at some existing examples?

See package/utils/px5g/Makefile, in that case px5g is built two times, once with built-in crypto and once with libmbedtls linked. The result is two binary packages 'px5g'(-standalone) and 'px5g-mbedtls'.

Doing the same for SELinux-enabled busybox and procd will potentially allow building SELinux-enabled images using the ImageBuilder (as opposed to building them entirely from source). And similar to how we do for seccomp-policies (see package/network/services/umdns/Makefile) we could ship SELinux policies with packages or as add-on packages like in other distributions (given we will add support for that in the build system as well as in opkg).

Cheers

Daniel

> Thanks a lot,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
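The build-variant layout discussed in the reply above, sketched for busybox as an added example (not code from the thread or from the OpenWrt tree). `VARIANT`, `BUILD_VARIANT`, `PROVIDES` and `BuildPackage` are existing OpenWrt build-system names; the `busybox-selinux` package name, the `Package/busybox/Default` template and the variant names are assumptions, and switching on the SELinux option in BusyBox's own `.config` for the second variant is not shown.

```makefile
# Sketch only: hypothetical split of package/utils/busybox/Makefile into two
# build variants. Package and variant names are assumptions.

# Fields shared by both binary packages (values taken from the patch context).
define Package/busybox/Default
  MAINTAINER:=Felix Fietkau <nbd@nbd.name>
  TITLE:=Core utilities for embedded Linux
  URL:=http://busybox.net/
  DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
endef

# Variant 1: the regular package, no SELinux libraries linked.
define Package/busybox
  $(call Package/busybox/Default)
  VARIANT:=default
  MENU:=1
endef

# Variant 2: same sources, built a second time with SELinux support.
# PROVIDES lets packages that depend on "busybox" accept this one instead.
define Package/busybox-selinux
  $(call Package/busybox/Default)
  TITLE+= (with SELinux support)
  DEPENDS+= +libselinux
  PROVIDES:=busybox
  VARIANT:=selinux
endef

# BUILD_VARIANT is set by the build system for each build pass, so the link
# line follows the binary package being built rather than a global option.
ifeq ($(BUILD_VARIANT),selinux)
  LDLIBS += selinux sepol
endif

# Both variants install the same file set.
Package/busybox-selinux/install = $(Package/busybox/install)

$(eval $(call BuildPackage,busybox))
$(eval $(call BuildPackage,busybox-selinux))
```

With this layout the SELinux-enabled binary exists as its own package, which is what makes it selectable from the ImageBuilder without rebuilding from source.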
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile index c0f3007e5d..bad4598525 100644 --- a/package/utils/busybox/Makefile +++ b/package/utils/busybox/Makefile @@ -17,7 +17,7 @@ PKG_SOURCE_URL:=https://www.busybox.net/downloads \ http://sources.buildroot.net PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998 -PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam +PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam BUSYBOX_CONFIG_SELINUX:libselinux PKG_BUILD_PARALLEL:=1 PKG_CHECK_FORMAT_SECURITY:=0 @@ -45,7 +45,7 @@ define Package/busybox MAINTAINER:=Felix Fietkau <nbd@nbd.name> TITLE:=Core utilities for embedded Linux URL:=http://busybox.net/ - DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter + DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter +BUSYBOX_CONFIG_SELINUX:libselinux MENU:=1 endef @@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread) ifeq ($(CONFIG_USE_GLIBC),y) LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv) endif +ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y) + LDLIBS += selinux sepol +endif TARGET_CFLAGS += -flto TARGET_LDFLAGS += -flto=jobserver -fuse-linker-plugin
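Review bot: the `DEPENDS` line in the second hunk (and `PKG_BUILD_DEPENDS` in the first) adds only `libselinux`, while the last hunk links both `selinux` and `sepol`. If libsepol is packaged separately from libselinux, list it explicitly under the same `BUSYBOX_CONFIG_SELINUX` condition in both lines; if libselinux is expected to pull it in, say so in the commit message so the link line does not depend on an unstated transitive dependency.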
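Review bot: the new `ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y)` block in the last hunk open-codes a condition that the two `LDLIBS` lines directly above it express through the helper. Assuming the helper tests the same symbol, `LDLIBS += $(call BUSYBOX_IF_ENABLED,SELINUX,selinux sepol)` would match the PAM and NSLOOKUP_OPENWRT lines and drop the three-line conditional. The commit message is also empty apart from the Signed-off-by; one sentence on what the option enables and why both libraries are linked would help later readers.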
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> --- package/utils/busybox/Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)