[Buildroot] [ PATCH Selinux v11] busybox: applets as individual binaries
Niranjan Reddy
niranjan.reddy at rockwellcollins.com
Wed Mar 16 11:46:10 UTC 2016
From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
The individual binaries option of busybox allows for the applets
that would usually be symlinks to be built as individual applications
that link against a shared library.
This feature is needed for SELinux to allow the applications to run
under the correct SELinux context.
The patch being added allows the individual applications to be
installed and will be upstreamed to the busybox developers.
The initial work for this change was done by Thomas Petazzoni
<thomas.petazzoni at free-electrons.com>.
Signed-off-by: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49 at gmail.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy at rockwellcollins.com>
---
Changes v10 -> v11:
- Removed BUSYBOX_MAKEDEV_PERMISSIONS logic and added all 12 applets to
BUSYBOX_PERMISSIONS variable.
- Changed makedevs.c to ignore optional files with type=F (files which do not exist).
Changes v9 -> v10:
- Removed 0002-applets-Add-installation-of-individual-binaries.patch as it was upstreamed.
Changes v8 -> v9:
- No changes
Changes v7 -> v8:
- Changed individual binaries comment to be !BR2_bfin (Suggested by
Samuel)
Changes v6 -> v7:
- No changes
Changes v5 -> v6:
- No changes
Changes v4 -> v5:
- Renamed to follow latest patch naming convention (Matt W.)
- Updated to use BR2_STATIC_LIBS instead of old PREFERRED (Matt W.)
- Added depends to make sure bfin can't build shared lib
busybox lib for individual binary use. Looks like shared
lib creation doesn't error out but the objects don't get
placed into the elf. Then the trylink fails on linking
the first individual applet. (Matt W.)
- Made suid permissions setting dynamic for applets actually being
installed (Clayton S.)
Changes v1 -> v4:
- Did not exist
---
package/busybox/Config.in | 9 +++++++++
package/busybox/busybox.mk | 40 ++++++++++++++++++++++++++++++++++++++++
package/makedevs/makedevs.c | 4 +++-
3 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index a3a328d..920ee0c 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -51,6 +51,15 @@ config BR2_PACKAGE_BUSYBOX_SELINUX
crond, then individual binaries have to be enabled for the
SELinux type transitions to occur properly.
+config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
+ bool "Individual binaries"
+ depends on !BR2_STATIC_LIBS
+ depends on !BR2_bfin # libbusybox.so link issue
+
+comment "Busybox individual binaries depends on dynamic libraries"
+ depends on BR2_STATIC_LIBS
+ depends on !BR2_bfin
+
config BR2_PACKAGE_BUSYBOX_WATCHDOG
bool "Install the watchdog daemon startup script"
help
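Review bot: The new `BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES` bool has no help text, so a user in menuconfig cannot tell that it changes the install layout (separate per-applet executables linked against a shared libbusybox instead of one multicall binary) or that its main purpose, per the commit message, is letting SELinux type transitions happen per applet. I would add a help block saying exactly that, plus a sentence that the setuid applets are then individually flagged 4755 through the permissions table rather than the single `/bin/busybox`. The comment text `Busybox individual binaries depends on dynamic libraries` also reads oddly; Buildroot comments of this kind usually say `needs a toolchain w/ dynamic library`, if I recall the convention correctly.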
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 7f6dbd6..a08cb5a 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -50,9 +50,36 @@ BUSYBOX_KCONFIG_FRAGMENT_FILES = $(call qstrip,$(BR2_PACKAGE_BUSYBOX_CONFIG_FRAG
BUSYBOX_KCONFIG_EDITORS = menuconfig xconfig gconfig
BUSYBOX_KCONFIG_OPTS = $(BUSYBOX_MAKE_OPTS)
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_PERMISSIONS
+ /usr/share/udhcpc/default.script f 755 0 0 - - - - -
+# Set permissions on all applets with BB_SUID_REQUIRE and BB_SUID_MAYBE.
+# 12 Applets are pulled from applets.h using grep command :
+# grep -r -e "APPLET.*BB_SUID_REQUIRE\|APPLET.*BB_SUID_MAYBE" \
+# $(@D)/include/applets.h
+# o/p:
+# wall,ping,ping6,crontab,findfs,login,mount,passwd,su,traceroute
+# traceroute6 and vlock.
+# These applets are added to the device table and the makedev file
+# ignores the files with type 'F' ( optional files).
+ /usr/bin/wall F 4755 0 0 - - - - -
+ /bin/ping f 4755 0 0 - - - - -
+ /bin/ping6 F 4755 0 0 - - - - -
+ /usr/bin/crontab f 4755 0 0 - - - - -
+ /sbin/findfs F 4755 0 0 - - - - -
+ /bin/login F 4755 0 0 - - - - -
+ /bin/mount f 4755 0 0 - - - - -
+ /usr/bin/passwd F 4755 0 0 - - - - -
+ /bin/su F 4755 0 0 - - - - -
+ /usr/bin/traceroute f 4755 0 0 - - - - -
+ /usr/bin/traceroute6 F 4755 0 0 - - - - -
+ /usr/bin/vlock F 4755 0 0 - - - - -
+endef
+else
define BUSYBOX_PERMISSIONS
/bin/busybox f 4755 0 0 - - - - -
endef
+endif
# If mdev will be used for device creation enable it and copy S10mdev to /etc/init.d
ifeq ($(BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV),y)
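Review bot: The table mixes mandatory `f` rows (ping, crontab, mount, traceroute) with optional `F` rows, but the comment only explains where the twelve names came from, not why four of them are mandatory; if a user's busybox config disables one of the `f` applets, makedevs fails the build on the missing file, while a disabled `F` applet is silently skipped. I would either state the criterion in the comment (e.g. `# 'f' rows are applets enabled in Buildroot's default busybox config; 'F' rows are skipped if not built`) or make all twelve rows `F` so the table tracks the user's configuration. Note also that this rule turns one setuid-root file into up to twelve, so a comment pointing readers to busybox's own `BB_SUID_REQUIRE`/`BB_SUID_MAYBE` distinction would help anyone later trimming the set. Finally, `$(@D)` on the comment line is a make variable reference inside a `define`, so it is expanded when the table is emitted rather than printed literally; write it as plain text such as `<busybox build dir>/include/applets.h`.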
@@ -170,6 +197,17 @@ define BUSYBOX_SET_SELINUX
endef
endif
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES
+ $(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
+ $(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_INDIVIDUAL,$(BUSYBOX_BUILD_CONFIG))
+endef
+
+define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
+ rm -f $(TARGET_DIR)/bin/busybox
+endef
+endif
+
define BUSYBOX_INSTALL_LOGGING_SCRIPT
if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
$(INSTALL) -m 0755 -D package/busybox/S01logging \
@@ -229,6 +267,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
$(BUSYBOX_SET_INIT)
$(BUSYBOX_SET_WATCHDOG)
$(BUSYBOX_SET_SELINUX)
+ $(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
$(BUSYBOX_MUSL_TWEAKS)
endef
@@ -252,6 +291,7 @@ define BUSYBOX_INSTALL_INIT_SYSV
$(BUSYBOX_INSTALL_LOGGING_SCRIPT)
$(BUSYBOX_INSTALL_WATCHDOG_SCRIPT)
$(BUSYBOX_INSTALL_TELNET_SCRIPT)
+ $(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)
endef
# Checks to give errors that the user can understand
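Review bot: `$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)` is only invoked from `BUSYBOX_INSTALL_INIT_SYSV`, so presumably `/bin/busybox` is removed only when busybox's SysV init install hook runs; with another init system the multicall binary would remain on the target next to the individual applets, and since the permissions table no longer carries a `/bin/busybox` row it would be installed with whatever mode busybox's install step gives it. Removing the multicall binary is an install-layout concern, not an init concern, so I would hook it to the target install instead, e.g. `BUSYBOX_POST_INSTALL_TARGET_HOOKS += BUSYBOX_INSTALL_INDIVIDUAL_BINARIES` inside the existing `ifeq` block, and leave `BUSYBOX_INSTALL_INIT_SYSV` unchanged. The same placement question applies to the `BUSYBOX_KCONFIG_FIXUP_CMDS` hunk only insofar as the two hooks should stay consistent; that one looks correct as is.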
diff --git a/package/makedevs/makedevs.c b/package/makedevs/makedevs.c
index 53ff6fe..20a2804 100644
--- a/package/makedevs/makedevs.c
+++ b/package/makedevs/makedevs.c
@@ -496,7 +496,9 @@ int main(int argc, char **argv)
ret = EXIT_FAILURE;
goto loop;
}
- } else if (type == 'r') {
+ } else if (type == 'F') {
+ continue; /*Ignore optional files*/
+ } else if (type == 'r') {
recursive_uid = uid;
recursive_gid = gid;
recursive_mode = mode;
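Review bot: The new `type == 'F'` branch does `continue` unconditionally, so every `F` row is skipped whether or not the file exists; the commit message says the intent is to ignore optional files that do not exist, and the busybox.mk hunk relies on that to set 4755 on passwd, su and login, which under this code will never receive their setuid bit while the permissions table suggests they do. The branch should first stat the path like the `f` branch above it and `continue` only when the stat fails or the entry is not a regular file, otherwise fall into the same ownership/mode handling as `f`; a short comment such as `/* Optional file: skip quietly if absent, otherwise treat as 'f' */` would make the contract explicit. Because the skip is silent, it is also worth emitting a diagnostic in verbose mode so the final rootfs permissions can be checked against the table. `main` starts and ends outside this hunk, so the surrounding `f` branch and the loop structure are inferred from the `goto loop` above.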
--
2.5.0