
buildsystem: add CONFIG_SECCOMP

Message ID 20211013150222.10815-1-fe@dev.tdt.de

Commit Message

Florian Eckert Oct. 13, 2021, 3:02 p.m. UTC
Until now, this feature was switched on via the kernel configuration
option KERNEL_SECCOMP.

The following change a7f794cd2aa104fdbd4c6e38f9b76373bf9b96e1 now requires that
the package procd-seccomp must also be enabled for the build.

However, this is not the case we have no dependency to enable this
package.
Also the imagebuilder cannot build the image, because of the implicit
package selection.

This change adds a new configuration option CONFIG_SECCOMP like the
CONFIG_SELINUX option.

If the CONFIG_SECCOMP is selected then the package procd-seccomp and
KERNEL_SECCOMP is enabled for this build.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
---
 config/Config-build.in        | 11 +++++++++++
 include/target.mk             |  2 +-
 package/system/procd/Makefile |  3 +--
 3 files changed, 13 insertions(+), 3 deletions(-)

Comments

Daniel Golle Oct. 13, 2021, 3:06 p.m. UTC | #1
On Wed, Oct 13, 2021 at 05:02:22PM +0200, Florian Eckert wrote:
> Until now, this feature was switched on via the kernel configuration
> option KERNEL_SECCOMP.
> 
> The follwing change a7f794cd2aa104fdbd4c6e38f9b76373bf9b96e1 now requires that
> the package procd-seccomp must also enabled for the build.
> 
> However, this is not the case we have no dependency to enable this
> package.
> Also the imagebuilder cannot build the image, because of the implicit
> package selection.
> 
> This change adds a new configuration option CONFIG_SECCOMP like the
> CONFIG_SELINUX option.
> 
> If the CONFIG_SECCOMP is selected then the package procd-seccomp and
> KERNEL_SECCOMP is enabled for this build.
> 
> Signed-off-by: Florian Eckert <fe@dev.tdt.de>
> ---
>  config/Config-build.in        | 11 +++++++++++
>  include/target.mk             |  2 +-
>  package/system/procd/Makefile |  3 +--
>  3 files changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/config/Config-build.in b/config/Config-build.in
> index f0e1aaa695..5887d1a9c4 100644
> --- a/config/Config-build.in
> +++ b/config/Config-build.in
> @@ -386,4 +386,15 @@ menu "Global build settings"
>  
>  	endchoice
>  
> +	config SECCOMP
> +		bool "Enable SECCOMP"
> +		select KERNEL_SECCOMP
> +		select PACKAGE_procd-seccomp
> +		depends on (aarch64 || arm || armeb || mips || mipsel || i386 || powerpc || x86_64)
> +		depends on !TARGET_uml

I guess 'default y' is needed to also make sure the symbol is selected
by default if possible.


> +		help
> +		  This option enables seccomp kernel features to safely
> +		  execute untrusted bytecode and selects the seccomp-variants
> +		  of procd
> +
>  endmenu
> diff --git a/include/target.mk b/include/target.mk
> index 03192d3ebe..60760bf602 100644
> --- a/include/target.mk
> +++ b/include/target.mk
> @@ -39,7 +39,7 @@ DEFAULT_PACKAGES+=procd-ujail
>  endif
>  
>  # include seccomp ld-preload hooks if kernel supports it
> -ifneq ($(CONFIG_KERNEL_SECCOMP),)
> +ifneq ($(CONFIG_SECCOMP),)
>  DEFAULT_PACKAGES+=procd-seccomp
>  endif
>  
> diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
> index 6f506423f8..4c76045062 100644
> --- a/package/system/procd/Makefile
> +++ b/package/system/procd/Makefile
> @@ -82,8 +82,7 @@ endef
>  define Package/procd-seccomp
>    SECTION:=base
>    CATEGORY:=Base system
> -  DEPENDS:=@(aarch64||arm||armeb||mips||mipsel||i386||powerpc||x86_64) @!TARGET_uml \
> -	  @KERNEL_SECCOMP +libubox +libblobmsg-json
> +  DEPENDS:=@SECCOMP +libubox +libblobmsg-json
>    TITLE:=OpenWrt process seccomp helper + utrace
>  endef
>  
> -- 
> 2.20.1
>

Patch

diff --git a/config/Config-build.in b/config/Config-build.in
index f0e1aaa695..5887d1a9c4 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -386,4 +386,15 @@  menu "Global build settings"
 
 	endchoice
 
+	config SECCOMP
+		bool "Enable SECCOMP"
+		select KERNEL_SECCOMP
+		select PACKAGE_procd-seccomp
+		depends on (aarch64 || arm || armeb || mips || mipsel || i386 || powerpc || x86_64)
+		depends on !TARGET_uml
+		help
+		  This option enables seccomp kernel features to safely
+		  execute untrusted bytecode and selects the seccomp-variants
+		  of procd
+
 endmenu
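Review bot: The help text of the new SECCOMP symbol describes the wrong mechanism: seccomp does not "safely execute untrusted bytecode", it restricts which system calls a process may make (the BPF program is the filter, not the payload), so a user reading this option cannot tell what it actually hardens. I would reword the help block to something like `This option enables the seccomp kernel feature, which restricts the system calls a process may make, and selects the seccomp-aware procd helper (procd-seccomp).` It may also be worth a one-line comment noting that procd-seccomp is pulled in both by the `select PACKAGE_procd-seccomp` here and by DEFAULT_PACKAGES in include/target.mk, since the two mechanisms are easy to leave out of sync later.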
diff --git a/include/target.mk b/include/target.mk
index 03192d3ebe..60760bf602 100644
--- a/include/target.mk
+++ b/include/target.mk
@@ -39,7 +39,7 @@  DEFAULT_PACKAGES+=procd-ujail
 endif
 
 # include seccomp ld-preload hooks if kernel supports it
-ifneq ($(CONFIG_KERNEL_SECCOMP),)
+ifneq ($(CONFIG_SECCOMP),)
 DEFAULT_PACKAGES+=procd-seccomp
 endif
 
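Review bot: The comment above the `ifneq` is now stale: the condition no longer tests kernel support (`CONFIG_KERNEL_SECCOMP`) but the new global build option, so "if kernel supports it" misdescribes when procd-seccomp is added. I would change it to `# include seccomp ld-preload hooks if CONFIG_SECCOMP is enabled`. Note that a .config carrying only KERNEL_SECCOMP=y from before this change will presumably no longer get procd-seccomp into DEFAULT_PACKAGES, which is worth a line in the commit message so users know to enable the new option.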
diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
index 6f506423f8..4c76045062 100644
--- a/package/system/procd/Makefile
+++ b/package/system/procd/Makefile
@@ -82,8 +82,7 @@  endef
 define Package/procd-seccomp
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=@(aarch64||arm||armeb||mips||mipsel||i386||powerpc||x86_64) @!TARGET_uml \
-	  @KERNEL_SECCOMP +libubox +libblobmsg-json
+  DEPENDS:=@SECCOMP +libubox +libblobmsg-json
   TITLE:=OpenWrt process seccomp helper + utrace
 endef