[OpenWrt-Devel,1/7] package/utils/busybox: add optional selinux support

Message ID 20191122095541.688125-2-thomas.petazzoni@bootlin.com
State Changes Requested
Delegated to: Daniel Golle
Series
  • SELinux support: core OpenWrt changes

Commit Message

Thomas Petazzoni Nov. 22, 2019, 9:55 a.m. UTC
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/utils/busybox/Makefile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Daniel Golle Jan. 4, 2020, 1:06 p.m. UTC | #1
Hi Thomas,

On Fri, Nov 22, 2019 at 10:55:35AM +0100, Thomas Petazzoni wrote:
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  package/utils/busybox/Makefile | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
> index c0f3007e5d..bad4598525 100644
> --- a/package/utils/busybox/Makefile
> +++ b/package/utils/busybox/Makefile
> @@ -17,7 +17,7 @@ PKG_SOURCE_URL:=https://www.busybox.net/downloads \
>  		http://sources.buildroot.net
>  PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998
>  
> -PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam
> +PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam BUSYBOX_CONFIG_SELINUX:libselinux
>  PKG_BUILD_PARALLEL:=1
>  PKG_CHECK_FORMAT_SECURITY:=0
>  
> @@ -45,7 +45,7 @@ define Package/busybox
>    MAINTAINER:=Felix Fietkau <nbd@nbd.name>
>    TITLE:=Core utilities for embedded Linux
>    URL:=http://busybox.net/
> -  DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
> +  DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter +BUSYBOX_CONFIG_SELINUX:libselinux
>    MENU:=1
>  endef
>  
> @@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread)
>  ifeq ($(CONFIG_USE_GLIBC),y)
>    LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv)
>  endif
> +ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y)
> +  LDLIBS += selinux sepol
> +endif

also here, it would be better to have a build-variant of busybox which
has selinux enabled instead of a buildroot compile option.


Cheers


Daniel

>  
>  TARGET_CFLAGS += -flto
>  TARGET_LDFLAGS += -flto=jobserver -fuse-linker-plugin
> -- 
> 2.23.0
Thomas Petazzoni Jan. 4, 2020, 1:15 p.m. UTC | #2
Hello,

On Sat, 4 Jan 2020 15:06:38 +0200
Daniel Golle <daniel@makrotopia.org> wrote:

> > @@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread)
> >  ifeq ($(CONFIG_USE_GLIBC),y)
> >    LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv)
> >  endif
> > +ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y)
> > +  LDLIBS += selinux sepol
> > +endif  
> 
> also here, it would be better to have a build-variant of busybox which
> has selinux enabled instead of a buildroot compile option.

Thanks for your feedback. Could you give some initial hints on what you
mean by "build-variant", or at least point at some existing examples?

Thanks a lot,

Thomas
Daniel Golle Jan. 4, 2020, 1:25 p.m. UTC | #3
Hi Thomas,

On Sat, Jan 04, 2020 at 02:15:38PM +0100, Thomas Petazzoni wrote:
> Hello,
> 
> On Sat, 4 Jan 2020 15:06:38 +0200
> Daniel Golle <daniel@makrotopia.org> wrote:
> 
> > > @@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread)
> > >  ifeq ($(CONFIG_USE_GLIBC),y)
> > >    LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv)
> > >  endif
> > > +ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y)
> > > +  LDLIBS += selinux sepol
> > > +endif  
> > 
> > also here, it would be better to have a build-variant of busybox which
> > has selinux enabled instead of a buildroot compile option.
> 
> Thanks for your feedback. Could you give some initial hints on what you
> mean by "build-variant", or at least point at some existing examples?

See package/utils/px5g/Makefile, in that case px5g is built two times,
once with built-in crypto and once with libmbedtls linked. The result
is two binary packages 'px5g'(-standalone) and 'px5g-mbedtls'.
Doing the same for SELinux-enabled busybox and procd will potentially
allow building SELinux-enabled images using the ImageBuilder (as
opposed to building them entirely from source).
And similar to how we do for seccomp-policies (see
package/network/services/umdns/Makefile) we could ship SELinux policies
with packages or as add-on packages like in other distributions (given
we will add support for that in the build system as well as in opkg).


Cheers


Daniel

> 
> Thanks a lot,
> 
> Thomas
> -- 
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
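The variant approach Daniel describes, sketched as an added example for package/utils/busybox/Makefile (this is not the submitted patch nor OpenWrt's own Makefile): the same sources produce a plain `busybox` package and a second `busybox-selinux` package that links libselinux/libsepol, so prebuilt feeds and the ImageBuilder can offer both. It assumes the standard OpenWrt `VARIANT`/`BUILD_VARIANT`/`PROVIDES` mechanism used by px5g and leaves turning on busybox's own SELINUX Kconfig symbol for the variant as a separate step.

```makefile
# Added sketch, not from the patch: build busybox twice as two variants,
# in the spirit of px5g-standalone / px5g-mbedtls.

# Headers are only needed by the selinux variant, but build dependencies
# cannot be keyed on BUILD_VARIANT, so they are declared unconditionally.
PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam libselinux libsepol

define Package/busybox/Default
  SECTION:=base
  CATEGORY:=Base system
  MAINTAINER:=Felix Fietkau <nbd@nbd.name>
  TITLE:=Core utilities for embedded Linux
  URL:=http://busybox.net/
  DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
  MENU:=1
endef

# Plain build: unchanged behaviour, remains the default choice.
define Package/busybox
  $(call Package/busybox/Default)
  VARIANT:=default
  DEFAULT_VARIANT:=1
endef

# SELinux-aware build: same sources, extra runtime libraries, and
# PROVIDES so it satisfies every package that depends on 'busybox'.
define Package/busybox-selinux
  $(call Package/busybox/Default)
  TITLE+= (SELinux)
  DEPENDS+= +libselinux +libsepol
  PROVIDES:=busybox
  VARIANT:=selinux
endef

# Link flags keyed on the variant being built instead of on a buildroot
# config symbol, so the two packages differ only by their link line.
# Assumption: Build/Configure also sets CONFIG_SELINUX=y in busybox's
# generated .config when BUILD_VARIANT is selinux.
ifeq ($(BUILD_VARIANT),selinux)
  LDLIBS += selinux sepol
endif

$(eval $(call BuildPackage,busybox))
$(eval $(call BuildPackage,busybox-selinux))
```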

Patch

diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index c0f3007e5d..bad4598525 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -17,7 +17,7 @@  PKG_SOURCE_URL:=https://www.busybox.net/downloads \
 		http://sources.buildroot.net
 PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998
 
-PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam
+PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam BUSYBOX_CONFIG_SELINUX:libselinux
 PKG_BUILD_PARALLEL:=1
 PKG_CHECK_FORMAT_SECURITY:=0
 
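Review bot: the new build dependency only names libselinux, yet the last hunk links against both selinux and sepol; unless libselinux is guaranteed to pull libsepol in at build time, declare it here too, e.g. `PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam BUSYBOX_CONFIG_SELINUX:libselinux BUSYBOX_CONFIG_SELINUX:libsepol`. The commit message is also just the Signed-off-by line; it should say where the BUSYBOX_CONFIG_SELINUX symbol is exposed and how the SELinux-enabled build was tested.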
@@ -45,7 +45,7 @@  define Package/busybox
   MAINTAINER:=Felix Fietkau <nbd@nbd.name>
   TITLE:=Core utilities for embedded Linux
   URL:=http://busybox.net/
-  DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
+  DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter +BUSYBOX_CONFIG_SELINUX:libselinux
   MENU:=1
 endef
 
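Review bot: keying the runtime dependency on `+BUSYBOX_CONFIG_SELINUX:libselinux` means the single `busybox` binary package changes content depending on a buildroot option, so an ImageBuilder user with prebuilt packages has no way to pick an SELinux-enabled busybox; a second binary package built as a variant (the px5g-standalone / px5g-mbedtls pattern in package/utils/px5g/Makefile) avoids that. The runtime DEPENDS should also list libsepol if the binary ends up linked against it, as the `LDLIBS += selinux sepol` line in the last hunk implies.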
@@ -76,6 +76,9 @@  LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread)
 ifeq ($(CONFIG_USE_GLIBC),y)
   LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv)
 endif
+ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y)
+  LDLIBS += selinux sepol
+endif
 
 TARGET_CFLAGS += -flto
 TARGET_LDFLAGS += -flto=jobserver -fuse-linker-plugin
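Review bot: the new `ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y)` block is inconsistent with the neighbouring lines, which use the `BUSYBOX_IF_ENABLED` helper for the same job (`LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread)`); `LDLIBS += $(call BUSYBOX_IF_ENABLED,SELINUX,selinux sepol)` expresses the same condition in one line without a separate ifeq/endif.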