From patchwork Fri Jul 31 10:10:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339365 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.137; helo=fraxinus.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37P5ZDFz9sRK for ; Fri, 31 Jul 2020 20:15:13 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 88299863E0; Fri, 31 Jul 2020 10:15:11 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BqF8WPfdDePN; Fri, 31 Jul 2020 10:15:11 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by fraxinus.osuosl.org (Postfix) with ESMTP id D7B5D86427; Fri, 31 Jul 2020 10:15:10 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id A498D1BF2A4 for ; Fri, 31 Jul 2020 10:15:09 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 9C8992050B for ; Fri, 31 Jul 2020 10:15:09 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WqjNMxLMzu-9 
for ; Fri, 31 Jul 2020 10:15:07 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay6-d.mail.gandi.net (relay6-d.mail.gandi.net [217.70.183.198]) by silver.osuosl.org (Postfix) with ESMTPS id DE4992046F for ; Fri, 31 Jul 2020 10:15:06 +0000 (UTC) X-Originating-IP: 90.76.143.236 Received: from localhost (lfbn-tou-1-1075-236.w90-76.abo.wanadoo.fr [90.76.143.236]) (Authenticated sender: antoine.tenart@bootlin.com) by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id A4559C000D; Fri, 31 Jul 2020 10:15:02 +0000 (UTC) From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:26 +0200 Message-Id: <20200731101040.1723047-2-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 01/15] package/e2fsprogs: set xattrs for the root dir as well X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" The mke2fs binary copies the xattrs of the source directory when creating an image, but this logic did not include the root directory of the resulting image. A patch was sent upstream to fix this. Include the patch in Buildroot to allow creating SELinux ready images at build time. Signed-off-by: Antoine Tenart --- ...-xattrs-to-the-root-directory-as-wel.patch | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch 
diff --git a/package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch b/package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch new file mode 100644 index 000000000000..2e9c3ccef0aa --- /dev/null +++ b/package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch 
@@ -0,0 +1,46 @@ +From 1826d8965057bd84517156a4b75c81bdfdae9ebc Mon Sep 17 00:00:00 2001 +From: Antoine Tenart +Date: Wed, 1 Jul 2020 10:06:03 +0200 +Subject: [PATCH] create_inode: set xattrs to the root directory as well + +populate_fs do copy the xattrs for all files and directories, but the +root directory is skipped and as a result its extended attributes aren't +set. This is an issue when using mkfs to build a full system image that +can be used with SElinux in enforcing mode without making any runtime +fix at first boot. + +This patch adds logic to set the root directory's extended attributes. + +[Uspstream status: sent to the mailing list and has a Reviewed-by tag, +https://lore.kernel.org/linux-ext4/20200717100846.497546-1-antoine.tenart@bootlin.com/] + +Signed-off-by: Antoine Tenart +--- + misc/create_inode.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/misc/create_inode.c b/misc/create_inode.c +index e8d1df6b55a5..fe66faf1b53d 100644 +--- a/misc/create_inode.c ++++ b/misc/create_inode.c +@@ -1050,9 +1050,17 @@ errcode_t populate_fs2(ext2_filsys fs, ext2_ino_t parent_ino, + file_info.path_max_len = 255; + file_info.path = calloc(file_info.path_max_len, 1); + ++ retval = set_inode_xattr(fs, root, source_dir); ++ if (retval) { ++ com_err(__func__, retval, ++ _("while copying xattrs on root directory")); ++ goto out; ++ } ++ + retval = __populate_fs(fs, parent_ino, source_dir, root, &hdlinks, + &file_info, fs_callbacks); + ++out: + free(file_info.path); + free(hdlinks.hdl); + return retval; +-- +2.26.2 + From patchwork Fri Jul 31 10:10:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339374 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.133; 
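Review bot: the error path in the new e2fsprogs patch is only safe because the existing cleanup already frees both file_info.path and hdlinks.hdl; the new "goto out" taken when set_inode_xattr() fails therefore assumes hdlinks.hdl was allocated before file_info.path is, which the unchanged context suggests but does not show, so it is worth confirming in misc/create_inode.c. Two smaller points in the same hunk: the status line reads "[Uspstream status:" (typo for Upstream), and the Buildroot commit message only says "A patch was sent upstream" while the embedded header carries the lore.kernel.org URL and the Reviewed-by status; repeating that URL in the commit message lets reviewers find the upstream thread without opening the patch file.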
antoine.tenart@bootlin.com) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id A87124000B; Fri, 31 Jul 2020 10:15:17 +0000 (UTC) From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:27 +0200 Message-Id: <20200731101040.1723047-3-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 02/15] fs/common.mk: set SELinux file security contexts X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Set the SELinux file security contexts using setfiles when generating root filesystem images. Without such security contexts created at build time, they need to be setup at first boot by running the restorecon utility on the target. This has two drawbacks: - You have to special case the first boot, which cannot be done in enforcing mode, and will have to run restorecon, then reboot. - You cannot support read-only filesystems. By setting up the security contexts at build time, we can have a filesystem image that is immediately ready to boot an SELinux system in enforcing mode, including if the root filesystem is read-only. Signed-off-by: Antoine Tenart --- fs/common.mk | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/common.mk b/fs/common.mk index 842ea924a5e0..d915a8795b74 100644 --- a/fs/common.mk +++ b/fs/common.mk 
@@ -49,6 +49,16 @@ ROOTFS_COMMON_DEPENDENCIES = \ $(BR2_TAR_HOST_DEPENDENCY) \ $(if $(PACKAGES_USERS)$(ROOTFS_USERS_TABLES),host-mkpasswd) +ifeq ($(BR2_PACKAGE_REFPOLICY)$(BR2_PACKAGE_POLICYCOREUTILS),yy) +define ROOTFS_SELINUX + $(HOST_DIR)/sbin/setfiles -m -r $(TARGET_DIR) \ + -c $(TARGET_DIR)/etc/selinux/targeted/policy/policy.$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) \ + $(TARGET_DIR)/etc/selinux/targeted/contexts/files/file_contexts \ + $(TARGET_DIR) +endef +ROOTFS_COMMON_DEPENDENCIES += refpolicy host-policycoreutils +endif + ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES = $(sort \ $(if $(filter undefined,$(origin ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES__X)), \ $(eval ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES__X := \ 
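Review bot: the ROOTFS_SELINUX recipe writes security.selinux xattrs into $(TARGET_DIR) on the build host, and nothing in this hunk or the commit message says what makes that succeed for an unprivileged build user: setfiles is run from the fakeroot script, and plain fakeroot, as far as I know, fakes ownership, modes and device nodes but not xattr calls, so a host without SELinux refuses security.* xattrs without CAP_SYS_ADMIN and a host with SELinux enforcing refuses labels its own policy does not know. Either state the host requirement in the commit message or make sure a setfiles failure aborts image generation, because a silently unlabelled rootfs booted in enforcing mode is exactly the first-boot problem the message wants to avoid. Two smaller points: the "targeted" store name and the policy.$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) file name are hardcoded here and presumably in the refpolicy package too, so a single shared variable would keep them from drifting; and the ",yy" condition means selecting refpolicy without policycoreutils silently skips labelling, so a dedicated Kconfig option that selects host-policycoreutils would make the behaviour explicit.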
@@ -172,6 +182,7 @@ $$(BINARIES_DIR)/$$(ROOTFS_$(2)_FINAL_IMAGE_NAME): $$(ROOTFS_$(2)_DEPENDENCIES) $$(foreach hook,$$(ROOTFS_$(2)_PRE_GEN_HOOKS),\ $$(call PRINTF,$$($$(hook))) >> $$(FAKEROOT_SCRIPT)$$(sep)) $$(call PRINTF,$$(ROOTFS_REPRODUCIBLE)) >> $$(FAKEROOT_SCRIPT) + $$(call PRINTF,$$(ROOTFS_SELINUX)) >> $$(FAKEROOT_SCRIPT) $$(call PRINTF,$$(ROOTFS_$(2)_CMD)) >> $$(FAKEROOT_SCRIPT) chmod a+x $$(FAKEROOT_SCRIPT) PATH=$$(BR_PATH) FAKEROOTDONTTRYCHOWN=1 $$(HOST_DIR)/bin/fakeroot -- $$(FAKEROOT_SCRIPT) From patchwork Fri Jul 31 10:10:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339368 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.133; helo=hemlock.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37Z32Bvz9sT6 for ; Fri, 31 Jul 2020 20:15:22 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id C8F8988754; Fri, 31 Jul 2020 10:15:17 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a3jwie9UmxKh; Fri, 31 Jul 2020 10:15:15 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by hemlock.osuosl.org (Postfix) with ESMTP id 5E2838874E; Fri, 31 Jul 2020 10:15:15 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: 
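Review bot: emitting $$(ROOTFS_SELINUX) after the ROOTFS_$(2)_PRE_GEN_HOOKS and after ROOTFS_REPRODUCIBLE is the right spot: every file created by a pre-gen hook gets labelled, and setting an xattr touches ctime rather than mtime, so the reproducible timestamps survive. A one-line comment saying the ordering is deliberate would keep a later hook from being appended after the setfiles call. Since this rule is instantiated per rootfs type ($(2)), setfiles runs once per enabled filesystem image; that is idempotent, just redundant work.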
buildroot@osuosl.org Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id 5344A1BF2A4 for ; Fri, 31 Jul 2020 10:15:11 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 4C2592079D for ; Fri, 31 Jul 2020 10:15:11 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NjpjtZmxNvAM for ; Fri, 31 Jul 2020 10:15:10 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay12.mail.gandi.net (relay12.mail.gandi.net [217.70.178.232]) by silver.osuosl.org (Postfix) with ESMTPS id EC6D32046F for ; Fri, 31 Jul 2020 10:15:09 +0000 (UTC) Received: from localhost (lfbn-tou-1-1075-236.w90-76.abo.wanadoo.fr [90.76.143.236]) (Authenticated sender: antoine.tenart@bootlin.com) by relay12.mail.gandi.net (Postfix) with ESMTPSA id F335E200009; Fri, 31 Jul 2020 10:15:05 +0000 (UTC) From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:28 +0200 Message-Id: <20200731101040.1723047-4-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 03/15] fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" This patch is cosmetic and moves down ROOTFS_REPRODUCIBLE for consistency. 
Signed-off-by: Antoine Tenart --- fs/common.mk | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fs/common.mk b/fs/common.mk index d915a8795b74..a7137b8e89cf 100644 --- a/fs/common.mk +++ b/fs/common.mk @@ -36,12 +36,6 @@ ROOTFS_USERS_TABLES = $(call qstrip,$(BR2_ROOTFS_USERS_TABLES)) ROOTFS_FULL_DEVICES_TABLE = $(FS_DIR)/full_devices_table.txt ROOTFS_FULL_USERS_TABLE = $(FS_DIR)/full_users_table.txt -ifeq ($(BR2_REPRODUCIBLE),y) -define ROOTFS_REPRODUCIBLE - find $(TARGET_DIR) -print0 | xargs -0 -r touch -hd @$(SOURCE_DATE_EPOCH) -endef -endif - ROOTFS_COMMON_NAME = rootfs-common ROOTFS_COMMON_TYPE = rootfs ROOTFS_COMMON_DEPENDENCIES = \ 
@@ -49,6 +43,12 @@ ROOTFS_COMMON_DEPENDENCIES = \ $(BR2_TAR_HOST_DEPENDENCY) \ $(if $(PACKAGES_USERS)$(ROOTFS_USERS_TABLES),host-mkpasswd) +ifeq ($(BR2_REPRODUCIBLE),y) +define ROOTFS_REPRODUCIBLE + find $(TARGET_DIR) -print0 | xargs -0 -r touch -hd @$(SOURCE_DATE_EPOCH) +endef +endif + ifeq ($(BR2_PACKAGE_REFPOLICY)$(BR2_PACKAGE_POLICYCOREUTILS),yy) define ROOTFS_SELINUX $(HOST_DIR)/sbin/setfiles -m -r $(TARGET_DIR) \ From patchwork Fri Jul 31 10:10:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339367 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37Z1PQ8z9sRN for ; Fri, 31 Jul 2020 20:15:22 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id A6B15885DD; Fri, 31 Jul 2020 10:15:19 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CY9NoWVj+8GI; Fri, 31 Jul 2020 10:15:18 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by whitealder.osuosl.org (Postfix) with ESMTP id 86EBF882CA; Fri, 31 Jul 2020 10:15:18 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from fraxinus.osuosl.org (smtp4.osuosl.org 
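Review bot: this is a pure move of the ROOTFS_REPRODUCIBLE block next to the ROOTFS_SELINUX block introduced one patch earlier; the series would read better if the ROOTFS_SELINUX hunk of patch 02 were inserted directly after the existing ROOTFS_REPRODUCIBLE definition, which would drop this patch entirely. If it stays, the commit message should say what the block is being made consistent with, since "for consistency" on its own does not tell a reader why the block moves.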
From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:29 +0200 Message-Id: <20200731101040.1723047-5-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 04/15] package/refpolicy: smaller monolithic policy X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot"

The refpolicy is configured to use a monolithic build, compiling all the available modules (whether they're 'base' or 'modules' ones) in the binary policy. The result is a quite big SELinux policy, with a lot more rules than what would be needed in a Buildroot image.

Refactor the refpolicy build configuration to enable fewer modules by default. To achieve this, all the modules marked as being part of the 'base' policy are kept but all the modules marked as being only 'modules' are disabled. Then a static list of modules (in addition to the already selected 'base' ones) is enabled. The result is a much smaller refpolicy: my tests showed a reduction of the binary policy from 2.4M to 249K (~90% smaller).

This minimal set of SELinux modules should allow booting a system in enforcing mode in the future. It currently does not work, not because extra modules are needed, but because of required changes within the selected modules.

This patch would break backward compatibility as the refpolicy will no longer have all the modules provided by the project, but only those selected.
This should not be an issue as this configuration was not suitable directly for a real system. Modifications had to be done. If we still find out later that this is an issue for someone, we'll have the ability to mimic what was done previously thanks to other mechanisms (such as providing the upstream policy as a "custom" policy location). Signed-off-by: Antoine Tenart --- package/refpolicy/refpolicy.mk | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index 9346649b2c57..0ce83d2cbdcb 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -29,6 +29,33 @@ REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) REFPOLICY_POLICY_STATE = \ $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE)) +REFPOLICY_MODULES = \ + application \ + authlogin \ + getty \ + init \ + libraries \ + locallogin \ + logging \ + miscfiles \ + modutils \ + mount \ + selinuxutil \ + storage \ + sysadm \ + sysnetwork \ + unconfined \ + userdomain + +# In the context of a monolithic policy enabling a piece of the policy as +# 'base' or 'module' is equivalent, so we enable them as 'base'. +define REFPOLICY_CONFIGURE_MODULES + $(SED) "s/ = module/ = no/g" $(@D)/policy/modules.conf + $(foreach m,$(REFPOLICY_MODULES), + $(SED) "/^$(m) =/c\$(m) = base" $(@D)/policy/modules.conf + ) +endef + ifeq ($(BR2_INIT_SYSTEMD),y) define REFPOLICY_CONFIGURE_SYSTEMD $(SED) "/SYSTEMD/c\SYSTEMD = y" $(@D)/build.conf 
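Review bot: REFPOLICY_CONFIGURE_MODULES fails silently for any name in REFPOLICY_MODULES that has no matching "<name> =" line in policy/modules.conf: the sed "/^$(m) =/c\$(m) = base" simply matches nothing, so a typo, or a module that a newer refpolicy release renamed or dropped, leaves that module disabled without any build error, and the problem surfaces only as AVC denials at runtime. A grep for "^$(m) =" in modules.conf before the sed, failing the build when nothing matches, would catch it at build time. Two smaller points: "s/ = module/ = no/g" depends on the exact spacing used in modules.conf, which deserves a comment; and the 2.4M to 249K figure in the commit message would be easier to reproduce if the message named the defconfig it was measured on.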
@@ -45,6 +72,7 @@ endef define REFPOLICY_BUILD_CMDS $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) bare conf + $(REFPOLICY_CONFIGURE_MODULES) endef define REFPOLICY_INSTALL_STAGING_CMDS From patchwork Fri Jul 31 10:10:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339369 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.136; helo=silver.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37c59K7z9sRK for ; Fri, 31 Jul 2020 20:15:24 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id D68E62153E; Fri, 31 Jul 2020 10:15:21 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k4KjGfzi8nFz; Fri, 31 Jul 2020 10:15:17 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by silver.osuosl.org (Postfix) with ESMTP id 88AF3227FC; Fri, 31 Jul 2020 10:15:16 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id BA2111BF2A4 for ; Fri, 31 Jul 2020 10:15:11 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id B26882046F for ; Fri, 31 Jul 2020 10:15:11 +0000 (UTC) 
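Review bot: calling $(REFPOLICY_CONFIGURE_MODULES) after "$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) bare conf" is the only correct placement, because modules.conf does not exist until the conf target has run; a comment stating that dependency would stop someone from moving the call into a pre-configure hook next to REFPOLICY_CONFIGURE_SYSTEMD. The visible build commands only run "bare conf", so the edited modules.conf must be consumed by whatever REFPOLICY_INSTALL_STAGING_CMDS invokes; saying so in the commit message would make the flow easier to follow.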
X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Kie0jmqKraU for ; Fri, 31 Jul 2020 10:15:11 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay12.mail.gandi.net (relay12.mail.gandi.net [217.70.178.232]) by silver.osuosl.org (Postfix) with ESMTPS id AFA922050B for ; Fri, 31 Jul 2020 10:15:10 +0000 (UTC) Received: from localhost (lfbn-tou-1-1075-236.w90-76.abo.wanadoo.fr [90.76.143.236]) (Authenticated sender: antoine.tenart@bootlin.com) by relay12.mail.gandi.net (Postfix) with ESMTPSA id D9F65200002; Fri, 31 Jul 2020 10:15:08 +0000 (UTC) From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:30 +0200 Message-Id: <20200731101040.1723047-6-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 05/15] package/refpolicy: allow packages to select SELinux modules X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Add support for packages to enable SELinux modules already supported by the refpolicy, but not selected by default in its policy. With this commit, packages will be able to do something like: SYSTEMD_SELINUX_MODULES = systemd udev to enable additional SELinux modules. Signed-off-by: Antoine Tenart --- package/pkg-generic.mk | 4 ++++ package/refpolicy/refpolicy.mk | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) 
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk index c63807047b29..71d6357836f0 100644 --- a/package/pkg-generic.mk +++ b/package/pkg-generic.mk @@ -1088,6 +1088,10 @@ TARGET_FINALIZE_HOOKS += $$($(2)_TARGET_FINALIZE_HOOKS) ROOTFS_PRE_CMD_HOOKS += $$($(2)_ROOTFS_PRE_CMD_HOOKS) KEEP_PYTHON_PY_FILES += $$($(2)_KEEP_PY_FILES) +ifneq ($$($(2)_SELINUX_MODULES),) +PACKAGES_SELINUX_MODULES += $$($(2)_SELINUX_MODULES) +endif + ifeq ($$($(2)_SITE_METHOD),svn) DL_TOOLS_DEPENDENCIES += svn else ifeq ($$($(2)_SITE_METHOD),git) diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index 0ce83d2cbdcb..c29912a53b0b 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk 
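Review bot: the ifneq guard around "PACKAGES_SELINUX_MODULES += $$($(2)_SELINUX_MODULES)" is redundant, since appending an empty value is a no-op and the neighbouring TARGET_FINALIZE_HOOKS, ROOTFS_PRE_CMD_HOOKS and KEEP_PYTHON_PY_FILES lines append unconditionally; the single += line would match the surrounding style. The new <PKG>_SELINUX_MODULES variable is also user-facing and undocumented: it needs an entry in the generic-package section of the manual stating that it takes refpolicy module names and only has an effect when refpolicy is enabled.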
@@ -45,13 +45,14 @@ REFPOLICY_MODULES = \ sysadm \ sysnetwork \ unconfined \ - userdomain + userdomain \ + $(PACKAGES_SELINUX_MODULES) # In the context of a monolithic policy enabling a piece of the policy as # 'base' or 'module' is equivalent, so we enable them as 'base'. define REFPOLICY_CONFIGURE_MODULES $(SED) "s/ = module/ = no/g" $(@D)/policy/modules.conf - $(foreach m,$(REFPOLICY_MODULES), + $(foreach m,$(sort $(REFPOLICY_MODULES)), $(SED) "/^$(m) =/c\$(m) = base" $(@D)/policy/modules.conf ) endef From patchwork Fri Jul 31 10:10:31 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339370 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.137; helo=fraxinus.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37l10sRz9sRK for ; Fri, 31 Jul 2020 20:15:31 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 472CF86427; Fri, 31 Jul 2020 10:15:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CX5xoafrV7qX; Fri, 31 Jul 2020 10:15:25 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by fraxinus.osuosl.org (Postfix) with ESMTP id 1B527863E0; Fri, 31 Jul 2020 10:15:25 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: 
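Review bot: appending $(PACKAGES_SELINUX_MODULES) inside REFPOLICY_MODULES only works because that variable is recursively expanded (defined with = in the previous patch) and is expanded at recipe time, after every package .mk has been parsed; a comment on the definition would keep a future cleanup from turning it into := and silently dropping every package-requested module. The $(sort ...) is a good addition since it also deduplicates modules requested by several packages. The silent no-op for unknown names in REFPOLICY_CONFIGURE_MODULES now applies to package-supplied names as well, so a package author gets no feedback on a misspelled module; that makes a build-time existence check more valuable.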
From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:31 +0200 Message-Id: <20200731101040.1723047-7-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 06/15] package/systemd: select SELinux modules X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Select the systemd and udev SELinux modules so that they will be compiled in the refpolicy. This way, if an SELinux policy is generated, Systemd will be supported. Signed-off-by: Antoine Tenart --- package/systemd/systemd.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk index 107fcbe66a6c..76dcee408226 100644 --- a/package/systemd/systemd.mk +++ b/package/systemd/systemd.mk 
@@ -18,6 +18,8 @@ SYSTEMD_DEPENDENCIES = \ util-linux \ $(TARGET_NLS_DEPENDENCIES) +SYSTEMD_SELINUX_MODULES = systemd udev + SYSTEMD_PROVIDES = udev SYSTEMD_CONF_OPTS += \ From patchwork Fri Jul 31 10:10:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339372 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37l6v38z9sT6 for ; Fri, 31 Jul 2020 20:15:31 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 6D64188648; Fri, 31 Jul 2020 10:15:30 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZV5R2VDsVx1; Fri, 31 Jul 2020 10:15:23 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by whitealder.osuosl.org (Postfix) with ESMTP id 7D5E4885E8; Fri, 31 Jul 2020 10:15:23 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id 1DF551BF2A4 for ; Fri, 31 Jul 2020 10:15:15 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 17A62882CA for ; Fri, 31 Jul 2020 10:15:15 
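Review bot: "SYSTEMD_SELINUX_MODULES = systemd udev" is straightforward; the point to check is the udev side. The context line "SYSTEMD_PROVIDES = udev" shows udev is a virtual package, so any other provider of udev needs to request the udev module too, otherwise an SELinux image built with a different udev provider ends up without udev's rules. The commit message says systemd "will be supported"; given patch 04's statement that booting in enforcing mode does not work yet, "will have its policy modules compiled in" would be the more accurate wording.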
+0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OM4hgj36QCri for ; Fri, 31 Jul 2020 10:15:14 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay12.mail.gandi.net (relay12.mail.gandi.net [217.70.178.232]) by whitealder.osuosl.org (Postfix) with ESMTPS id 22B0887D47 for ; Fri, 31 Jul 2020 10:15:13 +0000 (UTC) Received: from localhost (lfbn-tou-1-1075-236.w90-76.abo.wanadoo.fr [90.76.143.236]) (Authenticated sender: antoine.tenart@bootlin.com) by relay12.mail.gandi.net (Postfix) with ESMTPSA id EA5D5200007; Fri, 31 Jul 2020 10:15:11 +0000 (UTC) From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:32 +0200 Message-Id: <20200731101040.1723047-8-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 07/15] package/dbus: select SELinux module X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Select the dbus SELinux module so that it will be compiled in the refpolicy. This way, if an SELinux policy is generated, dbus will be supported. Signed-off-by: Antoine Tenart --- package/dbus/dbus.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk index 3c6762568871..70f2c6fef48d 100644 --- a/package/dbus/dbus.mk +++ b/package/dbus/dbus.mk
@@ -20,6 +20,8 @@ endef DBUS_DEPENDENCIES = host-pkgconf expat +DBUS_SELINUX_MODULES = dbus + DBUS_CONF_OPTS = \ --with-dbus-user=dbus \ --disable-tests \ From patchwork Fri Jul 31 10:10:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339373 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.137; helo=fraxinus.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37m0tMkz9sRK for ; Fri, 31 Jul 2020 20:15:32 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 6EB5A863E0; Fri, 31 Jul 2020 10:15:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-iVukj5aCfL; Fri, 31 Jul 2020 10:15:28 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by fraxinus.osuosl.org (Postfix) with ESMTP id AC20286A3C; Fri, 31 Jul 2020 10:15:28 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id B41C11BF2A4 for ; Fri, 31 Jul 2020 10:15:20 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 859042154B for ; Fri, 31 Jul 2020 10:15:20 +0000 (UTC) X-Virus-Scanned: 
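Review bot: as for the systemd hunk, `+DBUS_SELINUX_MODULES = dbus` would benefit from a one-line comment that `dbus` names the refpolicy services/dbus module rather than the package. Leaving the selection unconditional is fine: per the pkg-generic context in patch 13, `<PKG>_SELINUX_MODULES` is only aggregated into PACKAGES_SELINUX_MODULES, which has no effect unless refpolicy is built.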
amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F8zF2XsdINR8 for ; Fri, 31 Jul 2020 10:15:16 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by silver.osuosl.org (Postfix) with ESMTPS id 9A02D2153E for ; Fri, 31 Jul 2020 10:15:15 +0000 (UTC) X-Originating-IP: 90.76.143.236 Received: from localhost (lfbn-tou-1-1075-236.w90-76.abo.wanadoo.fr [90.76.143.236]) (Authenticated sender: antoine.tenart@bootlin.com) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 4B9404000C; Fri, 31 Jul 2020 10:15:13 +0000 (UTC) From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:33 +0200 Message-Id: <20200731101040.1723047-9-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 08/15] package/util-linux: select SELinux module X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Select the fstools SELinux module to be compiled in the policy for the relevant binaries of util-linux. Signed-off-by: Antoine Tenart --- package/util-linux/util-linux.mk | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk index 6c8f295eedd9..4779fe766544 100644 --- a/package/util-linux/util-linux.mk +++ b/package/util-linux/util-linux.mk 
@@ -43,6 +43,10 @@ HOST_UTIL_LINUX_CONF_OPTS = \ --with-systemdsystemunitdir=no \ --without-python +ifneq ($(BR2_PACKAGE_UTIL_LINUX_BINARIES)$(BR2_PACKAGE_UTIL_LINUX_CRAMFS)$(BR2_PACKAGE_UTIL_LINUX_FSCK)$(BR2_PACKAGE_UTIL_LINUX_LOSETUP),) +UTIL_LINUX_SELINUX_MODULES = fstools +endif + # Prevent the installation from attempting to move shared libraries from # ${usrlib_execdir} (/usr/lib) to ${libdir} (/lib), since both paths are # the same when merged usr is in use. From patchwork Fri Jul 31 10:10:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339371 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37l3pXRz9sRN for ; Fri, 31 Jul 2020 20:15:31 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id E8A7B88651; Fri, 31 Jul 2020 10:15:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lBdKJLBcVa5d; Fri, 31 Jul 2020 10:15:26 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by whitealder.osuosl.org (Postfix) with ESMTP id 485EB88655; Fri, 31 Jul 2020 10:15:26 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from 
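Review bot: the `ifneq ($(BR2_PACKAGE_UTIL_LINUX_BINARIES)$(BR2_PACKAGE_UTIL_LINUX_CRAMFS)$(BR2_PACKAGE_UTIL_LINUX_FSCK)$(BR2_PACKAGE_UTIL_LINUX_LOSETUP),)` guard encodes which util-linux sub-options install binaries that the refpolicy fstools module labels (fsck, mkfs, losetup and friends), but nothing in the hunk says so; add a comment stating that reason so the list can be kept in sync when sub-options are added, and wrap the condition over several lines for readability. The block is also inserted right after the HOST_UTIL_LINUX_CONF_OPTS context lines although it concerns only the target package; placing it with the other UTIL_LINUX_ target variables would read better.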
From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:34 +0200 Message-Id: <20200731101040.1723047-10-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 09/15] package/e2fsprogs: select SELinux module X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Select the fstools SELinux module when e2fsprogs binaries are compiled and installed in the target filesystem, so that they'll be supported by the SELinux policy. Signed-off-by: Antoine Tenart --- package/e2fsprogs/e2fsprogs.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/package/e2fsprogs/e2fsprogs.mk b/package/e2fsprogs/e2fsprogs.mk index f6642d8de164..eb82a55ce79d 100644 --- a/package/e2fsprogs/e2fsprogs.mk +++ b/package/e2fsprogs/e2fsprogs.mk 
@@ -17,6 +17,8 @@ E2FSPROGS_INSTALL_STAGING = YES E2FSPROGS_DEPENDENCIES = host-pkgconf util-linux HOST_E2FSPROGS_DEPENDENCIES = host-pkgconf host-util-linux +E2FSPROGS_SELINUX_MODULES = fstools + # e4defrag doesn't build on older systems like RHEL5.x, and we don't # need it on the host anyway. # Disable fuse2fs as well to avoid carrying over deps, and it's unused From patchwork Fri Jul 31 10:10:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339377 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.137; helo=fraxinus.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37w0Z7kz9sRN for ; Fri, 31 Jul 2020 20:15:40 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 959DA869E4; Fri, 31 Jul 2020 10:15:38 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29ZFHL7NW9vl; Fri, 31 Jul 2020 10:15:37 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by fraxinus.osuosl.org (Postfix) with ESMTP id DDE1186AA5; Fri, 31 Jul 2020 10:15:37 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id BEF501BF2A4 for ; 
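Review bot: the commit message says fstools is selected "when e2fsprogs binaries are compiled and installed in the target filesystem", but `+E2FSPROGS_SELINUX_MODULES = fstools` is unconditional, so the message and the hunk disagree. Either guard the assignment on the e2fsprogs sub-options that actually install filesystem tools, as the util-linux patch does with an `ifneq` over its BR2_PACKAGE_UTIL_LINUX_* options, or reword the message to say the module is always selected with the target package (HOST_E2FSPROGS_ is unaffected either way since the variable carries the target prefix).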
From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:35 +0200 Message-Id: <20200731101040.1723047-11-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Allow users to provide custom SELinux modules to be part of the final policy. A new configuration variable is added, pointing to a list of directories containing the custom modules. SELinux modules do require a metadata.xml file to be well integrated in the refpolicy build. If this file isn't provided, it will be automatically created. For now, this option requires the extra modules to be directly in the BR2_REFPOLICY_EXTRA_MODULES directory, and subfolders aren't supported. They may never be, as having subfolders could introduce issues when two different modules have the same name (which isn't supported by the refpolicy). Signed-off-by: Antoine Tenart --- package/refpolicy/Config.in | 10 ++++++++++ package/refpolicy/refpolicy.mk | 23 ++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in index b50b2f09ff79..030b1e93c9bd 100644 --- a/package/refpolicy/Config.in +++ b/package/refpolicy/Config.in
@@ -54,6 +54,16 @@ config BR2_PACKAGE_REFPOLICY_POLICY_STATE default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED +config BR2_REFPOLICY_EXTRA_MODULES_DIRS + string "Extra modules directories" + help + Specify directories containing SELinux modules that will be build + in the SELinux policy. The modules will be automatically enabled in + the policy. + + Each of those directories must contain the SELinux policy .fc, .if + and .te files directly at the top-level, with no sub-directories. + endif comment "refpolicy needs a toolchain w/ threads" diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index c29912a53b0b..edbb5a228f55 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -46,7 +46,26 @@ REFPOLICY_MODULES = \ sysnetwork \ unconfined \ userdomain \ - $(PACKAGES_SELINUX_MODULES) + $(PACKAGES_SELINUX_MODULES) \ + $(foreach d,$(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\ + $(basename $(notdir $(wildcard $(d)/*.te)))) + +# Allow to provide out-of-tree SELinux modules in addition to the ones in the +# refpolicy. +REFPOLICY_EXTRA_MODULES = $(BR2_REFPOLICY_EXTRA_MODULES_DIRS) +$(foreach dir,$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)),\ + $(if $(wildcard $(dir)),,\ + $(error BR2_REFPOLICY_EXTRA_MODULES_DIRS contains nonexistent directory $(dir)))) + +define REFPOLICY_COPY_MODULES + mkdir -p $(@D)/policy/modules/buildroot + rsync -au $(addsuffix /*,$(call qstrip,$(REFPOLICY_EXTRA_MODULES))) \ + $(@D)/policy/modules/buildroot/ + if [ ! -f $(@D)/policy/modules/buildroot/metadata.xml ]; then \ + echo "Buildroot extra modules" > \ + $(@D)/policy/modules/buildroot/metadata.xml; \ + fi +endef # In the context of a monolithic policy enabling a piece of the policy as # 'base' or 'module' is equivalent, so we enable them as 'base'. 
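Review bot: in the Config.in hunk, the `BR2_REFPOLICY_EXTRA_MODULES_DIRS` help text "that will be build in the SELinux policy" should read "built into"; the symbol also breaks the naming of its neighbours in this file (BR2_PACKAGE_REFPOLICY_POLICY_STATE and the other BR2_PACKAGE_REFPOLICY_* options), and the commit message calls it BR2_REFPOLICY_EXTRA_MODULES, so one name should be used consistently. The help should additionally say that the value is a space-separated list of directories and that the basename of each .te file becomes the module name, since that is exactly how the refpolicy.mk hunk derives the module list with `$(basename $(notdir $(wildcard $(d)/*.te)))`.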
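Review bot: in the `@@ -46,7 +46,26 @@` hunk, REFPOLICY_COPY_MODULES runs `rsync -au` from every listed directory into the single policy/modules/buildroot/ layer, so two directories providing the same file name collide silently and, because of `-u`, the copy with the newer mtime wins regardless of the order of BR2_REFPOLICY_EXTRA_MODULES_DIRS; since the commit message states that duplicate module names are not supported by the refpolicy, the makefile should detect duplicates among the `$(notdir $(wildcard $(d)/*.te))` sets across directories and stop with `$(error ...)`, as it already does for a nonexistent directory. Two smaller points: the generated metadata.xml is plain text, whereas the refpolicy's own layer metadata.xml files wrap the description in a `<summary>` element, so `echo "<summary>Buildroot extra modules</summary>"` keeps the generated layer consistent with the in-tree ones; and REFPOLICY_EXTRA_MODULES is referenced inside REFPOLICY_MODULES several lines before it is assigned, which works only because both are recursively expanded and deserves either a reorder or a comment.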
@@ -72,6 +91,8 @@ define REFPOLICY_CONFIGURE_CMDS endef define REFPOLICY_BUILD_CMDS + $(if $(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\ + $(REFPOLICY_COPY_MODULES)) $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) bare conf $(REFPOLICY_CONFIGURE_MODULES) endef From patchwork Fri Jul 31 10:10:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339379 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.137; helo=fraxinus.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37z6VTfz9sRK for ; Fri, 31 Jul 2020 20:15:43 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 0581C86ACE; Fri, 31 Jul 2020 10:15:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uqrHYG9Tl13s; Fri, 31 Jul 2020 10:15:40 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by fraxinus.osuosl.org (Postfix) with ESMTP id 7B57186AE1; Fri, 31 Jul 2020 10:15:40 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by ash.osuosl.org (Postfix) with ESMTP id 188641BF2A4 for ; Fri, 31 Jul 2020 10:15:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by 
hemlock.osuosl.org (Postfix) with ESMTP id 15A728874E for ; Fri, 31 Jul 2020 10:15:28 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Pmi2WIIJ9Sb for ; Fri, 31 Jul 2020 10:15:27 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) by hemlock.osuosl.org (Postfix) with ESMTPS id 0E15D8874B for ; Fri, 31 Jul 2020 10:15:26 +0000 (UTC) X-Originating-IP: 90.76.143.236 Received: from localhost (lfbn-tou-1-1075-236.w90-76.abo.wanadoo.fr [90.76.143.236]) (Authenticated sender: antoine.tenart@bootlin.com) by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id A45BE1C0012; Fri, 31 Jul 2020 10:15:24 +0000 (UTC) From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:36 +0200 Message-Id: <20200731101040.1723047-12-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 11/15] package/refpolicy: allow selecting additional modules X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Allow users to select additional modules available in the refpolicy, to be built in the binary policy. This will allow non-base modules to be selected based on the user use-case and to select extra module dependencies when providing out-of-tree modules. 
Signed-off-by: Antoine Tenart --- package/refpolicy/Config.in | 5 +++++ package/refpolicy/refpolicy.mk | 1 + 2 files changed, 6 insertions(+) diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in index 030b1e93c9bd..73274920000a 100644 --- a/package/refpolicy/Config.in +++ b/package/refpolicy/Config.in @@ -64,6 +64,11 @@ config BR2_REFPOLICY_EXTRA_MODULES_DIRS Each of those directories must contain the SELinux policy .fc, .if and .te files directly at the top-level, with no sub-directories. +config BR2_REFPOLICY_EXTRA_MODULES + string "Extra modules to enable" + help + List of extra SELinux modules to enable in the refpolicy. + endif comment "refpolicy needs a toolchain w/ threads" diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index edbb5a228f55..de1fe9217a80 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk 
@@ -47,6 +47,7 @@ REFPOLICY_MODULES = \ unconfined \ userdomain \ $(PACKAGES_SELINUX_MODULES) \ + $(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES)) \ $(foreach d,$(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\ $(basename $(notdir $(wildcard $(d)/*.te)))) From patchwork Fri Jul 31 10:10:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339376 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.133; helo=hemlock.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37v1N1tz9sRK for ; Fri, 31 Jul 2020 20:15:39 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id A585D88799; Fri, 31 Jul 2020 10:15:37 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zpZ3XCpuVaX1; Fri, 31 Jul 2020 10:15:36 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by hemlock.osuosl.org (Postfix) with ESMTP id 63DF388754; Fri, 31 Jul 2020 10:15:36 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by ash.osuosl.org (Postfix) with ESMTP id 172211BF9C1 for ; Fri, 31 Jul 2020 10:15:24 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with 
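Review bot: `+ $(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES)) \` splices user-supplied names into REFPOLICY_MODULES without any check that each name exists in the refpolicy, unlike the nonexistent-directory check done for BR2_REFPOLICY_EXTRA_MODULES_DIRS; a misspelled name should fail early, for example with an `$(error ...)` when `$(wildcard $(@D)/policy/modules/*/$(m).te)` is empty in the configure step, rather than depending on whatever REFPOLICY_CONFIGURE_MODULES does with an unknown name. The Config.in hunk's help text should say the value is a space-separated list of refpolicy module names (as found under policy/modules/*/), and the symbol has the same BR2_REFPOLICY_ versus BR2_PACKAGE_REFPOLICY_ naming inconsistency as the previous patch.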
From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:37 +0200 Message-Id: <20200731101040.1723047-13-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 12/15] package/refpolicy: allow to provide a custom refpolicy X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Add support for the user to provide a fully custom refpolicy. When this is used, modules aren't disabled anymore and packages do not select refpolicy available modules either. The custom refpolicy must define the full policy explicitly, and must be a fork of the original refpolicy, to have the same build system. This is added to allow users to fully control an SELinux policy, by providing a complete custom policy. Signed-off-by: Antoine Tenart --- package/refpolicy/Config.in | 39 ++++++++++++++++++++++++++++++++++ package/refpolicy/refpolicy.mk | 18 +++++++++++++--- 2 files changed, 54 insertions(+), 3 deletions(-) diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in index 73274920000a..5e1fa0e93c6a 100644 --- a/package/refpolicy/Config.in +++ b/package/refpolicy/Config.in 
@@ -28,6 +28,41 @@ config BR2_PACKAGE_REFPOLICY if BR2_PACKAGE_REFPOLICY +choice + prompt "Refpolicy version" + default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION + +config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION + bool "Upstream version" + help + Use the refpolicy as provided by Buildroot. + +config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT + bool "Custom git repository" + help + Allows to get the refpolicy from a custom git repository. + + The custom refpolicy must define the full policy explicitly, and must + be a fork of the original refpolicy, to have the same build system. + When this is selected, only the custom policy definition are taken + into account and all the modules of the policy are built into the + binary policy. + +endchoice + +if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT + +config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL + string "URL of custom repository" + +config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION + string "Custom repository version" + help + Revision to use in the typical format used by Git. + E.g. a sha id, tag, branch... + +endif + choice prompt "SELinux default state" default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE @@ -54,6 +89,8 @@ config BR2_PACKAGE_REFPOLICY_POLICY_STATE default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED +if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION + config BR2_REFPOLICY_EXTRA_MODULES_DIRS string "Extra modules directories" help @@ -71,5 +108,7 @@ config BR2_REFPOLICY_EXTRA_MODULES endif +endif + comment "refpolicy needs a toolchain w/ threads" depends on !BR2_TOOLCHAIN_HAS_THREADS diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index de1fe9217a80..74d2733f7d10 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk 
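Review bot: in the Config.in hunk, `BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL` has no help text, and the BR2_PACKAGE_REFPOLICY_CUSTOM_GIT help should read "Allows getting the refpolicy from a custom git repository" and "only the custom policy definitions are taken into account". More importantly, for a repository that defines the system's mandatory access control policy, the BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION help should recommend a commit sha over a tag or branch name: the refpolicy.mk hunk adds this source to BR_NO_CHECK_HASH_FOR, so a branch reference gives no integrity guarantee on what ends up in the binary policy, while a full sha pins it.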
@@ -4,9 +4,6 @@ # ################################################################################ -REFPOLICY_VERSION = 2.20200229 -REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2 -REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20200229 REFPOLICY_LICENSE = GPL-2.0 REFPOLICY_LICENSE_FILES = COPYING REFPOLICY_INSTALL_STAGING = YES @@ -18,6 +15,17 @@ REFPOLICY_DEPENDENCIES = \ host-setools \ host-gawk +ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y) +REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION)) +REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL)) +REFPOLICY_SITE_METHOD = git +BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE) +else +REFPOLICY_VERSION = 2.20200229 +REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2 +REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20200229 +endif + # Cannot use multiple threads to build the reference policy REFPOLICY_MAKE = \ PYTHON=$(HOST_DIR)/usr/bin/python3 \ @@ -29,6 +37,8 @@ REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) REFPOLICY_POLICY_STATE = \ $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE)) +ifeq ($(BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION),y) + REFPOLICY_MODULES = \ application \ authlogin \ 
@@ -77,6 +87,8 @@ define REFPOLICY_CONFIGURE_MODULES ) endef +endif # BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION = y + ifeq ($(BR2_INIT_SYSTEMD),y) define REFPOLICY_CONFIGURE_SYSTEMD $(SED) "/SYSTEMD/c\SYSTEMD = y" $(@D)/build.conf From patchwork Fri Jul 31 10:10:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Tenart X-Patchwork-Id: 1339375 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.137; helo=fraxinus.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BJ37q6GQmz9sRK for ; Fri, 31 Jul 2020 20:15:35 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id C2EA986362; Fri, 31 Jul 2020 10:15:32 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ni1DLy8Oi971; Fri, 31 Jul 2020 10:15:32 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by fraxinus.osuosl.org (Postfix) with ESMTP id EFBA086637; Fri, 31 Jul 2020 10:15:31 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id E44C61BF2A4 for ; Fri, 31 Jul 2020 10:15:23 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 
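Review bot: in the `@@ -18,6 +15,17 @@` hunk, `+BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)` sits in the custom-git branch, where REFPOLICY_SOURCE has not been assigned (the tarball name is only set in the else branch); packages that use this idiom set `<PKG>_SOURCE` explicitly just before it, so either assign `REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.gz` there, matching the archive name the git download method produces, or confirm that the deferred expansion picks up the default pkg-generic derives. Also, the `ifeq ($(BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION),y)` ... `endif` pair now wraps both REFPOLICY_MODULES and REFPOLICY_CONFIGURE_MODULES, so REFPOLICY_BUILD_CMDS expands `$(REFPOLICY_CONFIGURE_MODULES)` to nothing for a custom policy; a comment at the `endif` saying that a custom refpolicy is built with whatever its own modules.conf enables would make that intent visible in the makefile, not only in the commit message.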
D825C88634 for ; Fri, 31 Jul 2020 10:15:23 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C1ACr+wF3+nA for ; Fri, 31 Jul 2020 10:15:22 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by whitealder.osuosl.org (Postfix) with ESMTPS id 89F8D8851F for ; Fri, 31 Jul 2020 10:15:22 +0000 (UTC) X-Originating-IP: 90.76.143.236 Received: from localhost (lfbn-tou-1-1075-236.w90-76.abo.wanadoo.fr [90.76.143.236]) (Authenticated sender: antoine.tenart@bootlin.com) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 7BAD24000C; Fri, 31 Jul 2020 10:15:20 +0000 (UTC) From: Antoine Tenart To: buildroot@buildroot.org Date: Fri, 31 Jul 2020 12:10:38 +0200 Message-Id: <20200731101040.1723047-14-antoine.tenart@bootlin.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com> References: <20200731101040.1723047-1-antoine.tenart@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 13/15] package/refpolicy: allow packages to provide their own SELinux modules X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Allow packages to have an 'selinux' subfolder containing SELinux modules (sources) to be synced and compiled within the refpolicy, if the package is selected. Signed-off-by: Antoine Tenart --- package/pkg-generic.mk | 2 ++ package/refpolicy/refpolicy.mk | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk index 71d6357836f0..e52456b1ca5d 100644 --- a/package/pkg-generic.mk +++ b/package/pkg-generic.mk @@ -1091,6 +1091,8 @@ KEEP_PYTHON_PY_FILES += $$($(2)_KEEP_PY_FILES) ifneq ($$($(2)_SELINUX_MODULES),) PACKAGES_SELINUX_MODULES += $$($(2)_SELINUX_MODULES) endif +PACKAGES_SELINUX_EXTRA_MODULES_DIRS += \ + $$(if $$(wildcard $$($(2)_PKGDIR)/selinux),$$($(2)_PKGDIR)/selinux) ifeq ($$($(2)_SITE_METHOD),svn) DL_TOOLS_DEPENDENCIES += svn diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index 74d2733f7d10..51ac71075fb8 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk 
@@ -63,7 +63,7 @@ REFPOLICY_MODULES = \ # Allow to provide out-of-tree SELinux modules in addition to the ones in the # refpolicy. -REFPOLICY_EXTRA_MODULES = $(BR2_REFPOLICY_EXTRA_MODULES_DIRS) +REFPOLICY_EXTRA_MODULES = $(BR2_REFPOLICY_EXTRA_MODULES_DIRS) $(PACKAGES_SELINUX_EXTRA_MODULES_DIRS) $(foreach dir,$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)),\ $(if $(wildcard $(dir)),,\ $(error BR2_REFPOLICY_EXTRA_MODULES_DIRS contains nonexistent directory $(dir))))
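Review bot: the new `PACKAGES_SELINUX_EXTRA_MODULES_DIRS +=` line in the pkg-generic.mk hunk carries no visible guard on the package being enabled, even though the commit message says modules are only added "if the package is selected"; it relies on whatever `ifeq` encloses the neighbouring `PACKAGES_SELINUX_MODULES` block, and that condition is outside the hunk context. Please confirm the line sits in the enabled-package branch, otherwise every package/*/selinux/ directory in the tree would be compiled into the policy, including modules that label binaries that are not in the image. Also note that `$$(wildcard $$($(2)_PKGDIR)/selinux)` matches a plain file named selinux as well as a directory; a short comment stating that a directory of .fc/.if/.te files is expected would avoid surprises.

Review bot: in the refpolicy.mk hunk, the `$(foreach dir,$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)),...)` check directly below the changed line still validates only the Kconfig list, not the appended `$(PACKAGES_SELINUX_EXTRA_MODULES_DIRS)`; that is acceptable because those paths are already wildcard-filtered in pkg-generic.mk, but a comment saying so would stop the next reader from adding a second `$(error ...)`. Two smaller points: the assignment has to remain a recursive `=` rather than `:=`, since `PACKAGES_SELINUX_EXTRA_MODULES_DIRS` is only complete once every package .mk file has been parsed, and the comment above it ("Allow to provide out-of-tree SELinux modules...") should mention the per-package selinux/ directories, which now flow through the same variable.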
X-Patchwork-Id: 1339378
From: Antoine Tenart
To: buildroot@buildroot.org
Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com
Date: Fri, 31 Jul 2020 12:10:39 +0200
Message-Id: <20200731101040.1723047-15-antoine.tenart@bootlin.com>
In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com>
Subject: [Buildroot] [PATCH 14/15] package/refpolicy: fix the configure, build and install steps

The refpolicy configure and build steps were not correctly defined. The configuration was split between the configure and build steps, while both the compilation and the installation were done in the install step. Fix this by moving all the configuration into the configuration step and by adding a call to make in the build step to compile the policy.

Signed-off-by: Antoine Tenart
---
 package/refpolicy/refpolicy.mk | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index 51ac71075fb8..5c100168401c 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -95,7 +95,7 @@ define REFPOLICY_CONFIGURE_SYSTEMD endef endif -define REFPOLICY_CONFIGURE_CMDS +define REFPOLICY_CONFIGURE_BUILD $(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \ $(@D)/build.conf $(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(@D)/build.conf
@@ -103,13 +103,18 @@ define REFPOLICY_CONFIGURE_CMDS $(REFPOLICY_CONFIGURE_SYSTEMD) endef -define REFPOLICY_BUILD_CMDS +define REFPOLICY_CONFIGURE_CMDS + $(REFPOLICY_CONFIGURE_BUILD) $(if $(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\ $(REFPOLICY_COPY_MODULES)) - $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) bare conf + $(REFPOLICY_MAKE) -C $(@D) bare conf $(REFPOLICY_CONFIGURE_MODULES) endef +define REFPOLICY_BUILD_CMDS + $(REFPOLICY_MAKE) -C $(@D) policy +endef + define REFPOLICY_INSTALL_STAGING_CMDS $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) \ install-src install-headers
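Review bot: the name `REFPOLICY_CONFIGURE_BUILD` in the first hunk reads as "configure, then build", but the define only rewrites build.conf (OUTPUT_POLICY, MONOLITHIC and, through REFPOLICY_CONFIGURE_SYSTEMD, the SYSTEMD line); `REFPOLICY_CONFIGURE_BUILD_CONF`, or a one-line comment above the define, would make the split from REFPOLICY_CONFIGURE_CMDS obvious.

Review bot: in the second hunk the ordering inside the new `REFPOLICY_CONFIGURE_CMDS` is correct but fragile and deserves a comment: `bare conf` regenerates policy/modules.conf, so `$(REFPOLICY_CONFIGURE_MODULES)` must stay after it or the enabled-module list is silently discarded, and `$(REFPOLICY_COPY_MODULES)` must stay before it so the copied out-of-tree modules are listed by `conf`. Dropping `DESTDIR=$(STAGING_DIR)` from that invocation is right, since neither target installs anything. The commit message says compilation was moved out of the install step, yet no install command changes in the diff (REFPOLICY_INSTALL_STAGING_CMDS is context only and the target install step is not shown); it would help to name the install target that previously pulled in the compile, and to confirm that the remaining install targets do not re-run `conf`, which would reset modules.conf after `policy` has been built.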
X-Patchwork-Id: 1339380
From: Antoine Tenart
To: buildroot@buildroot.org
Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com
Date: Fri, 31 Jul 2020 12:10:40 +0200
Message-Id: <20200731101040.1723047-16-antoine.tenart@bootlin.com>
In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com>
Subject: [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux

Add documentation about how to use SELinux in Buildroot, and what mechanisms are available to extend and customize the SELinux policy.

Signed-off-by: Antoine Tenart
---
 docs/manual/manual.txt          |  2 +
 docs/manual/selinux-support.txt | 66 +++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 docs/manual/selinux-support.txt

diff --git a/docs/manual/manual.txt b/docs/manual/manual.txt index 48de65ee1033..b5cc044805b1 100644 --- a/docs/manual/manual.txt +++ b/docs/manual/manual.txt @@ -38,6 +38,8 @@ include::common-usage.txt[] include::customize.txt[] +include::selinux-support.txt[] + include::faq-troubleshooting.txt[] include::known-issues.txt[] diff --git a/docs/manual/selinux-support.txt b/docs/manual/selinux-support.txt new file mode 100644 index 000000000000..613b1c8f2275 --- /dev/null +++ b/docs/manual/selinux-support.txt
@@ -0,0 +1,66 @@ +// -*- mode:doc; -*- +// vim: set syntax=asciidoc: + +[[selinux]] +== Using +SELinux+ in Buildroot + +https://selinuxproject.org[SELinux] is a Linux kernel security module enforcing +access control policies. In addition to the traditional file permissions and +access control lists, +SELinux+ allows to write rules for users or processes to +access specific functions of resources (files, sockets...). + ++SELinux+ has three modes of operating: +Enforcing+, +Permissive+ and ++Disabled+. If not +Disabled+, the kernel will apply the policy and +non-authorized actions will be denied in +Enforcing+ mode or logged and reported +in +Permissive+ mode. +Permissive+ mode is often used for troubleshooting +SELinux issues. In Buildroot this is controlled by the ++BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options. + +By default in Buildroot the +SELinux+ policy is provided by the upstream +https://github.com/SELinuxProject/refpolicy[refpolicy] project, enabled with ++BR2_PACKAGE_REFPOLICY+. + +[[enabling-selinux]] +=== Enabling SELinux support + +To have proper support for +SELinux+ in a Buildroot generated system, the +following configuration needs to be enabled: + +* +BR2_PACKAGE_REFPOLICY+ +* +BR2_PACKAGE_POLICYCOREUTILS+ + +The Linux kernel configuration must also enable +SELinux+ support with ++CONFIG_SECURITY_SELINUX+, +CONFIG_LSM+ (or using the +lsm+ kernel +parameter) and extended attributes in filesystems (+CONFIG_EXT2_FS_XATTR+ for ++ext2+, +CONFIG_SQUASHFS_XATTR+ for +squashfs+, etc...). + +[[selinux-policy-tweaking]] +=== SELinux policy tweaking + +The +SELinux refpolicy+ contains modules that can be enabled or disabled when +being built. In Buildroot the non-base modules are disabled by default and ways +to enable them are provided: + +- Packages can enable a list of +SELinux+ modules within the +refpolicy+ with + the +_SELINUX_MODULES+ variable. 
+- Packages can provide additional +SELinux+ modules by putting them (.fc, .if + and .te files) in +package//selinux/+. +- Extra +SELinux+ modules can be added if in directories pointed by the + +BR2_REFPOLICY_EXTRA_MODULES_DIRS+ configuration variable. +- Additional modules in the +refpolicy+ can be enabled if listed in the + +BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES+ configuration variable. + +Buildroot also allows to completely override the +refpolicy+. This allows to +provide a full custom policy designed specifically for a given system. When +going this way, all of the above mechanisms are disabled: no extra +SElinux+ +module is added to the policy, and all the available modules within the custom +policy are enabled and built into the final binary policy. The custom policy +must be a fork of the official +https://github.com/SELinuxProject/refpolicy[refpolicy]. + +In order to fully override the +refpolicy+ the following configuration variables +have to be set: + +- +BR2_PACKAGE_REFPOLICY_CUSTOM_GIT+ +- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL+ +- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION+
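Review bot: wording and accuracy points in the selinux-support.txt hunk. "three modes of operating" should be "three modes of operation", "allows to write rules" should be "allows writing rules", "can be added if in directories pointed by" reads as "can be added from the directories listed in", and "SElinux" in the override paragraph should be "SELinux". The per-package path renders as `package//selinux/`, so the package-name placeholder between the slashes is lost; check how the angle brackets are escaped in the AsciiDoc source. In the kernel paragraph, `CONFIG_LSM` is an ordered list of LSMs, so the text should say that `selinux` must appear in it (or in the `lsm=` parameter), and `CONFIG_SECURITY_SELINUX` additionally depends on `CONFIG_SECURITY`; it is also worth noting that without `CONFIG_AUDIT` the denials described for Permissive mode only reach the kernel log. The policy-tweaking list would read better with one concrete line per mechanism, e.g. `FOO_SELINUX_MODULES = foo bar` beside the `_SELINUX_MODULES` bullet and `package/foo/selinux/foo.te` beside the per-package one. Finally, the override section says every module in the custom policy is enabled and built in; spell out that pruning modules.conf in the fork is therefore the user's job, and that the fork must keep the refpolicy build system, because the package's configure and build steps run the same `bare conf` and `policy` targets against it.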