Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH v14 1/4] makedevs: support optional files
From: Arnout Vandecappelle @ 2017-07-03 21:00 UTC (permalink / raw)
  To: buildroot

Add the 'F' file type to makedevs, that allows a file to be optional.
With this option, the line is just silently skipped if the file doesn't
exist (or is not a regular file).

This is useful for _PERMISSIONS where the file can be configured out
by package-specific configuration that is not directly handled by
Buildroot, like busybox.

Cc: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Cc: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
v14:
 - Split off the makedevs change in a separate patch.
 - Fix it - AFAICS, the original patch would just skip all F lines.
---
 package/makedevs/makedevs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/package/makedevs/makedevs.c b/package/makedevs/makedevs.c
index 7092b1475e..1ba5936342 100644
--- a/package/makedevs/makedevs.c
+++ b/package/makedevs/makedevs.c
@@ -570,9 +570,12 @@ int main(int argc, char **argv)
 				ret = EXIT_FAILURE;
 				goto loop;
 			}
-		} else if (type == 'f') {
+		} else if (type == 'f' || type == 'F') {
 			struct stat st;
 			if ((stat(full_name, &st) < 0 || !S_ISREG(st.st_mode))) {
+				if (type == 'F') {
+					continue; /*Ignore optional files*/
+				}
 				bb_perror_msg("line %d: regular file '%s' does not exist", linenum, full_name);
 				ret = EXIT_FAILURE;
 				goto loop;
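Review bot: the new `continue` under `if (type == 'F')` bypasses the `loop:` label that the adjacent error path reaches with `goto loop`, so whatever per-iteration cleanup sits at that label (not in this hunk) is skipped for every optional file; `goto loop;` is the consistent exit here and costs nothing. The diffstat touches only makedevs.c, so the new 'F' type is undocumented in package/makedevs/README, where the other entry types are described; add a line there stating that an 'F' entry is silently skipped when the path is missing or not a regular file, since that silence also hides a typo in the path. Nit: `/*Ignore optional files*/` wants spaces inside the comment delimiters.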
-- 
2.13.2


* [Buildroot] [PATCH v14 2/4] busybox: applets as individual binaries
From: Arnout Vandecappelle @ 2017-07-03 21:00 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

The individual binaries option of busybox allows for the applets
that would usually be symlinks to be built as individual applications
that link against a shared library.

This feature is needed for SELinux to allow the applications to run
under the correct SELinux context.

The patch being added allows the individual applications to be
installed and will be upstreamed to the busybox developers.

The initial work for this change was done by Thomas Petazzoni
<thomas.petazzoni@free-electrons.com>.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
[Thomas:
 - add help text in Config.in option.
 - rename BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES to
   BUSYBOX_SET_INDIVIDUAL_BINARIES to be consistent with other
   variables.
 - call BUSYBOX_INSTALL_INDIVIDUAL_BINARIES in
   BUSYBOX_INSTALL_TARGET_CMDS, not in BUSYBOX_INSTALL_INIT_SYSV.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Arnout:
 - revert to the "optional file" approach in makedevs;
 - reword Config.in comment text to match our usual pattern;
 - abbreviate comment about how suid applets are found a little;
 - all applets are optional (each one may have been unselected from the
   busybox config).]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
v14:
 - revert to the "optional file" approach in makedevs;
 - reword Config.in comment text to match our usual pattern;
 - abbreviate comment about how suid applets are found a little;
 - all applets are optional (each one may have been unselected from the
   busybox config).
---
 package/busybox/Config.in  | 16 ++++++++++++++++
 package/busybox/busybox.mk | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index 116a72e945..ca8fe68eea 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -56,6 +56,22 @@ config BR2_PACKAGE_BUSYBOX_SELINUX
 	  crond, then individual binaries have to be enabled for the
 	  SELinux type transitions to occur properly.
 
+config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
+	bool "Individual binaries"
+	depends on !BR2_STATIC_LIBS
+	depends on !BR2_bfin # libbusybox.so link issue
+	help
+	  By default (i.e with this option disabled), Busybox is
+	  installed as a single binary in /bin/busybox and all applets
+	  are a symbolic link to /bin/busybox.
+
+	  With this option enabled, each applet is a separate binary,
+	  which is needed for proper operation with SELinux.
+
+comment "Busybox individual binaries need a toolchain w/ dynamic library"
+	depends on BR2_STATIC_LIBS
+	depends on !BR2_bfin
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
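Review bot: the help text at `With this option enabled, each applet is a separate binary` should also say that the applets link against a shared libbusybox.so (which is the reason for `depends on !BR2_STATIC_LIBS`), that /bin/busybox itself is then removed from the target (anything that execs /bin/busybox by path stops working), and that the applets needing root privileges are installed as individual setuid-root executables instead of one setuid /bin/busybox. For an option whose motivation is SELinux domain transitions, those are the three facts a user deciding whether to enable it needs.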
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index a536ed2953..943ac2d514 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -60,9 +60,33 @@ BUSYBOX_KCONFIG_FRAGMENT_FILES = $(call qstrip,$(BR2_PACKAGE_BUSYBOX_CONFIG_FRAG
 BUSYBOX_KCONFIG_EDITORS = menuconfig xconfig gconfig
 BUSYBOX_KCONFIG_OPTS = $(BUSYBOX_MAKE_OPTS)
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_PERMISSIONS
+	/usr/share/udhcpc/default.script f 755  0  0 - - - - -
+# Set permissions on all applets with BB_SUID_REQUIRE and BB_SUID_MAYBE.
+# 12 Applets are pulled from applets.h using grep command :
+#  grep -r -e "APPLET.*BB_SUID_REQUIRE\|APPLET.*BB_SUID_MAYBE" \
+#  $(@D)/include/applets.h 
+# These applets are added to the device table and the makedev file
+# ignores the files with type 'F' ( optional files).
+	/usr/bin/wall 			 F 4755 0  0 - - - - -
+	/bin/ping 			 F 4755 0  0 - - - - -
+	/bin/ping6 			 F 4755 0  0 - - - - -
+	/usr/bin/crontab 		 F 4755 0  0 - - - - -
+	/sbin/findfs 			 F 4755 0  0 - - - - -
+	/bin/login 			 F 4755 0  0 - - - - -
+	/bin/mount 			 F 4755 0  0 - - - - -
+	/usr/bin/passwd 		 F 4755 0  0 - - - - -
+	/bin/su 			 F 4755 0  0 - - - - -
+	/usr/bin/traceroute 		 F 4755 0  0 - - - - -
+	/usr/bin/traceroute6 		 F 4755 0  0 - - - - -
+	/usr/bin/vlock 			 F 4755 0  0 - - - - -
+endef
+else
 define BUSYBOX_PERMISSIONS
 	/bin/busybox                     f 4755 0  0 - - - - -
 endef
+endif
 
 # If mdev will be used for device creation enable it and copy S10mdev to /etc/init.d
 ifeq ($(BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV),y)
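Review bot: the `/usr/share/udhcpc/default.script f 755` entry is not part of this change and is not mentioned in the commit message; drop it. The applet list gives `F 4755` to both the BB_SUID_REQUIRE and the BB_SUID_MAYBE set unconditionally; by their names the MAYBE applets are the ones for which root is optional, so either say in the comment why they are all installed setuid-root as individual binaries or restrict 4755 to the REQUIRE set. The list is also a snapshot of one applets.h, so the comment should tell the reader to rerun the quoted grep on every busybox version bump. The last sentence of the comment is inaccurate: makedevs does not ignore 'F' lines, it skips them only when the file is absent or not a regular file. Nits: trailing whitespace after `$(@D)/include/applets.h`, and the entries mix tabs and spaces for alignment.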
@@ -171,6 +195,17 @@ define BUSYBOX_SET_SELINUX
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_SET_INDIVIDUAL_BINARIES
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_INDIVIDUAL,$(BUSYBOX_BUILD_CONFIG))
+endef
+
+define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
+	rm -f $(TARGET_DIR)/bin/busybox
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
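Review bot: `rm -f $(TARGET_DIR)/bin/busybox` needs a comment stating why the multi-call binary is removed after busybox has installed it: leaving it would keep every applet reachable through a second path that BUSYBOX_PERMISSIONS no longer marks setuid in this configuration, and it would defeat the per-binary SELinux labelling this option exists for. The same comment should warn that scripts or overlays that exec /bin/busybox directly break once this option is enabled.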
@@ -228,6 +263,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
 	$(BUSYBOX_SET_SELINUX)
+	$(BUSYBOX_SET_INDIVIDUAL_BINARIES)
 	$(BUSYBOX_MUSL_TWEAKS)
 endef
 
@@ -251,6 +287,7 @@ define BUSYBOX_INSTALL_INIT_SYSV
 	$(BUSYBOX_INSTALL_LOGGING_SCRIPT)
 	$(BUSYBOX_INSTALL_WATCHDOG_SCRIPT)
 	$(BUSYBOX_INSTALL_TELNET_SCRIPT)
+	$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)
 endef
 
 # Checks to give errors that the user can understand
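Review bot: `$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)` is added to BUSYBOX_INSTALL_INIT_SYSV here, while the commit message says the opposite (`call BUSYBOX_INSTALL_INDIVIDUAL_BINARIES in BUSYBOX_INSTALL_TARGET_CMDS, not in BUSYBOX_INSTALL_INIT_SYSV`). Removing /bin/busybox has nothing to do with init scripts, and the INIT_SYSV hook only runs for the sysv/busybox init choices, so with another init system the multi-call binary stays installed next to the individual applets. Move the call into BUSYBOX_INSTALL_TARGET_CMDS as the message describes.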
-- 
2.13.2

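The 'F' entry type from 1/4 and the setuid applet table from 2/4 above are easy to get subtly wrong: an 'f' line aborts the build when its target is missing, an 'F' line is skipped without a word, and every 4755 line is a setuid-root binary on the final image. The following is an added example, not Buildroot's makedevs and not code from the series: a dry-run checker in Python that applies the same 'f'/'F'/'d' rules to a staging tree, reports which optional lines matched nothing (makedevs itself stays silent about those, so a typo in the path means the mode is never applied), and lists every entry carrying a setuid or setgid bit. The function names and the sample table are this example's own; the table mimics the BUSYBOX_PERMISSIONS format.

```python
"""Dry-run checker for makedevs-style permission tables (added example).

Not Buildroot's makedevs and not part of the patch: it re-creates the
'f' versus 'F' decision from the hunk above in Python so the effect of a
table on a staging tree can be inspected before an image is built, and it
lists every line that would set a setuid or setgid bit. The function names
and the sample table below are this example's own.
"""
import os
import stat
import tempfile

# Constructed sample in the BUSYBOX_PERMISSIONS format used by the series:
# <name> <type> <mode> <uid> <gid> <major> <minor> <start> <inc> <count>
SAMPLE_TABLE = """\
/bin/busybox        f 4755 0 0 - - - - -
/usr/bin/passwd     F 4755 0 0 - - - - -
/bin/ping           F 4755 0 0 - - - - -
/usr/bin/crontab    F 4755 0 0 - - - - -
/var/log            d  755 0 0 - - - - -
"""


def parse_table(text):
    """Return (name, type, mode, uid, gid, lineno) for each entry line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        name, ftype, mode, uid, gid = fields[:5]
        entries.append((name, ftype, int(mode, 8), int(uid), int(gid), lineno))
    return entries


def plan(text, root):
    """Classify each entry against the staging tree at `root` without touching it.

    Same rules as makedevs: an 'f' target must exist and be a regular file
    (anything else is an error), an 'F' target is silently skipped when it is
    missing or not a regular file, a 'd' is created if absent. Device-node
    types are out of scope here. Returns [(name, status, mode, lineno), ...].
    """
    planned = []
    for name, ftype, mode, _uid, _gid, lineno in parse_table(text):
        full = os.path.join(root, name.lstrip("/"))
        if ftype in ("f", "F"):
            try:
                is_regular = stat.S_ISREG(os.stat(full).st_mode)
            except OSError:  # missing, or a path component is not a directory
                is_regular = False
            if is_regular:
                status = "apply"
            elif ftype == "F":
                status = "skip-optional"
            else:
                status = "error-missing"
        elif ftype == "d":
            status = "apply"
        else:
            status = "unhandled"
        planned.append((name, status, mode, lineno))
    return planned


def setuid_entries(text):
    """Names whose mode carries setuid or setgid, whatever the entry type."""
    return [name for name, _t, mode, _u, _g, _l in parse_table(text)
            if mode & (stat.S_ISUID | stat.S_ISGID)]


def unmatched_optional(planned):
    """'F' lines that matched nothing. makedevs says nothing about these, so a
    typo in the path means the intended mode is never applied and nobody is told."""
    return [name for name, status, _m, _l in planned if status == "skip-optional"]


def demo():
    """Build a throwaway staging tree and run the checks over SAMPLE_TABLE."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "usr/bin"))
        with open(os.path.join(root, "usr/bin/passwd"), "wb") as fh:
            fh.write(b"\x7fELF")  # stand-in for the applet binary
        os.makedirs(os.path.join(root, "usr/bin/crontab"))  # wrong type on purpose
        # /bin/busybox and /bin/ping are deliberately absent.
        planned = plan(SAMPLE_TABLE, root)
        return {
            "status": {name: status for name, status, _m, _l in planned},
            "unmatched": unmatched_optional(planned),
            "setuid": setuid_entries(SAMPLE_TABLE),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against `output/target` instead of the temporary tree to review a real build: the `error-missing` entries are what makedevs will abort on, the `unmatched` list is what it would have skipped without telling you, and the `setuid` list is the complete inventory of setuid/setgid files the table creates on the image.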

* [Buildroot] [PATCH v14 3/4] qemu x86 selinux: added common selinux support files
From: Arnout Vandecappelle @ 2017-07-03 21:00 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

Add a default busybox SELinux config which disables init and uses
sysvinit. Add base skeleton with inittab and fstab tailored to selinux.
Add base skeleton audit configuration (didn't seem to merit being
the package default).

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
[Arnout:
 - Include linux-selinux-fragment.config in this patch already;
 - Renamed a number of files/directories.]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
v14:
 - Reordered before adding the qemu_selinux defconfig that uses this
   stuff.
 - Include linux-selinux-fragment.config in this patch already.
 - Renamed a number of files/directories.
---
 .../common_selinux/busybox-selinux-fragment.config | 32 ++++++++++++++++++++++
 .../fs-overlay/etc/audit/auditd.conf               | 32 ++++++++++++++++++++++
 .../fs-overlay/etc/audit/rules.d/audit.rules       |  3 ++
 board/common_selinux/fs-overlay/etc/fstab          | 15 ++++++++++
 board/common_selinux/fs-overlay/etc/inittab        | 29 ++++++++++++++++++++
 board/common_selinux/linux-selinux-fragment.config | 19 +++++++++++++
 board/common_selinux/permissions.txt               | 26 ++++++++++++++++++
 board/common_selinux/post_build.sh                 | 30 ++++++++++++++++++++
 8 files changed, 186 insertions(+)
 create mode 100644 board/common_selinux/busybox-selinux-fragment.config
 create mode 100644 board/common_selinux/fs-overlay/etc/audit/auditd.conf
 create mode 100644 board/common_selinux/fs-overlay/etc/audit/rules.d/audit.rules
 create mode 100755 board/common_selinux/fs-overlay/etc/fstab
 create mode 100755 board/common_selinux/fs-overlay/etc/inittab
 create mode 100644 board/common_selinux/linux-selinux-fragment.config
 create mode 100755 board/common_selinux/permissions.txt
 create mode 100755 board/common_selinux/post_build.sh

diff --git a/board/common_selinux/busybox-selinux-fragment.config b/board/common_selinux/busybox-selinux-fragment.config
new file mode 100644
index 0000000000..7222fac96c
--- /dev/null
+++ b/board/common_selinux/busybox-selinux-fragment.config
@@ -0,0 +1,32 @@
+CONFIG_BUILD_LIBBUSYBOX=y
+CONFIG_CHCON=y
+CONFIG_DEFAULT_DEPMOD_FILE=""
+CONFIG_DEFAULT_MODULES_DIR=""
+CONFIG_FATATTR=y
+CONFIG_FEATURE_BASH_IS_ASH=y
+CONFIG_FEATURE_CHCON_LONG_OPTIONS=y
+CONFIG_FEATURE_DEFAULT_PASSWD_ALGO=""
+CONFIG_FEATURE_FIND_INUM=y
+CONFIG_FEATURE_HAVE_RPC=y
+CONFIG_FEATURE_INDIVIDUAL=y
+CONFIG_FEATURE_LAST_SMALL=y
+CONFIG_FEATURE_MOUNT_HELPERS=y
+CONFIG_FEATURE_MOUNT_LABEL=y
+CONFIG_FEATURE_MOUNT_NFS=y
+CONFIG_FEATURE_MOUNT_VERBOSE=y
+CONFIG_FEATURE_RUNCON_LONG_OPTIONS=y
+CONFIG_FEATURE_SWAPON_DISCARD=y
+CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=0
+CONFIG_FEATURE_TAR_SELINUX=y
+CONFIG_FEATURE_TOUCH_NODEREF=y
+CONFIG_FIRST_SYSTEM_ID=0
+CONFIG_GROUPS=y
+CONFIG_INIT_TERMINAL_TYPE=""
+CONFIG_LAST_ID=0
+CONFIG_LAST_SYSTEM_ID=0
+CONFIG_PAM=y
+CONFIG_RUNCON=y
+CONFIG_SELINUXENABLED=y
+CONFIG_SELINUX=y
+CONFIG_SHUF=y
+CONFIG_USERS=y
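Review bot: CONFIG_BUILD_LIBBUSYBOX=y and CONFIG_FEATURE_INDIVIDUAL=y duplicate what BUSYBOX_SET_INDIVIDUAL_BINARIES in 2/4 already forces when BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES=y (which the 4/4 defconfig sets), so drop them from the fragment before the two sources drift apart. CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="" leaves the hash algorithm that busybox passwd uses for new passwords unspecified; set it explicitly (busybox accepts "sha512") so the choice is deliberate and visible in review. The RPC/NFS mount options, fatattr, shuf and the mount-helper options are unrelated to SELinux and the commit message does not explain them; prune them or say why they belong in a SELinux fragment.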
diff --git a/board/common_selinux/fs-overlay/etc/audit/auditd.conf b/board/common_selinux/fs-overlay/etc/audit/auditd.conf
new file mode 100644
index 0000000000..039b7f0287
--- /dev/null
+++ b/board/common_selinux/fs-overlay/etc/audit/auditd.conf
@@ -0,0 +1,32 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /usr/sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6 
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = IGNORE
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = IGNORE
+disk_full_action = IGNORE
+disk_error_action = IGNORE
+##tcp_listen_port = 
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
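Review bot: `space_left_action`, `admin_space_left_action`, `disk_full_action` and `disk_error_action` are all IGNORE, so auditd keeps running silently once it can no longer write, and `log_file = /var/log/audit/audit.log` lands on the /var/log tmpfs that the fstab in this same patch mounts with `size=50M`; together that means audit records vanish on reboot and on disk-full without any signal, which makes the audit daemon decorative. If that is intended for the qemu demo, say so in the commit message; otherwise use SYSLOG or SUSPEND for the failure actions and a persistent location for the log. Nit: trailing whitespace after `max_log_file = 6`.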
diff --git a/board/common_selinux/fs-overlay/etc/audit/rules.d/audit.rules b/board/common_selinux/fs-overlay/etc/audit/rules.d/audit.rules
new file mode 100644
index 0000000000..7c906060e6
--- /dev/null
+++ b/board/common_selinux/fs-overlay/etc/audit/rules.d/audit.rules
@@ -0,0 +1,3 @@
+-D
+-b 1024
+-e 2
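Review bot: `-e 2` locks the audit configuration until reboot while the rule set being loaded is empty (`-D` followed by no watch or syscall rules), so the only effect of this file is to stop anyone, including the developer iterating on the refpolicy, from adding rules at run time. Either load the rules this target actually wants before the lock, or use `-e 1` for the development target and reserve `-e 2` for a production profile.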
diff --git a/board/common_selinux/fs-overlay/etc/fstab b/board/common_selinux/fs-overlay/etc/fstab
new file mode 100755
index 0000000000..d772349c9f
--- /dev/null
+++ b/board/common_selinux/fs-overlay/etc/fstab
@@ -0,0 +1,15 @@
+# /etc/fstab: static file system information.
+#
+# <file system> <mount pt>     <type>    <options>                      <dump> <pass>
+/dev/root       /              ext3      rw,noauto                       0      1
+proc            /proc          proc      defaults                        0      0
+devpts          /dev/pts       devpts    defaults,gid=5,mode=620         0      0
+tmpfs           /dev/shm       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /tmp           tmpfs     mode=0700,nodev,nosuid,noexec,size=200M  0      0
+tmpfs           /var/cache     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/lock      tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/log       tmpfs     mode=0700,nodev,nosuid,noexec,size=50M   0      0
+tmpfs           /var/run       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/spool     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+sysfs           /sys           sysfs     defaults                 0      0
+none            /selinux       selinuxfs noauto                   0      0
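Review bot: `mode=0700` on /tmp and /dev/shm makes both directories usable by root only; any non-root process that needs scratch space or POSIX shared memory fails, and the conventional mode for both is 1777 (sticky, world-writable) with nodev,nosuid,noexec doing the hardening. /var/lock and /var/run at 0700 have the same problem for daemons that drop privileges and then write a pid or lock file. `/dev/root` is declared `ext3` while 4/4 builds rootfs.ext2 and the kernel fragment enables both EXT2 and EXT3; pick one and keep fstab, the image type and the fragment consistent. `/selinux` is the legacy selinuxfs mount point; the path libselinux looks for on current kernels is /sys/fs/selinux. Finally, the diffstat creates /etc/fstab and /etc/inittab with mode 100755; they are data files and should be 100644 in the tree (permissions.txt fixes them to 644 on the target, but the source should not start out wrong).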
diff --git a/board/common_selinux/fs-overlay/etc/inittab b/board/common_selinux/fs-overlay/etc/inittab
new file mode 100755
index 0000000000..cbdc23766c
--- /dev/null
+++ b/board/common_selinux/fs-overlay/etc/inittab
@@ -0,0 +1,29 @@
+# /etc/inittab
+#
+# This inittab is a basic inittab sample for sysvinit, which mimics
+# Buildroot's default inittab for BusyBox.
+id:1:initdefault:
+
+proc::sysinit:/bin/mount -t proc proc /proc
+sysf::sysinit:/bin/mount -t sysfs sysfs /sys
+dpts::sysinit:/bin/mkdir -p /dev/pts -Z `matchpathcon -n /dev/pts`
+dshm::sysinit:/bin/mkdir -p /dev/shm -Z `matchpathcon -n /dev/shm`
+mpts::sysinit:/bin/mkdir -p /dev/pts
+mshm::sysinit:/bin/mkdir -p /dev/shm
+fsck::sysinit:/sbin/fsck -ARy
+moun::sysinit:/bin/mount -a
+host::sysinit:/bin/hostname -F /etc/hostname
+
+# now run any rc scripts
+init::bootwait:/etc/init.d/rcS
+
+S0::respawn:/sbin/getty -L  ttyS0 115200 vt100 # GENERIC_SERIAL
+
+# Stuff to do before rebooting
+shd0:06:wait:/etc/init.d/rcK
+shd1:06:wait:/sbin/swapoff -a
+shd2:06:wait:/bin/umount -a -r
+
+# The usual halt or reboot actions
+hlt0:0:wait:/sbin/halt -dhp
+reb0:6:wait:/sbin/reboot
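Review bot: the `dpts`/`dshm` lines create /dev/pts and /dev/shm with `mkdir -p ... -Z \`matchpathcon -n ...\`` and the `mpts`/`mshm` lines two entries later create the same directories again without -Z; the second pair is redundant when the first succeeds and masks the failure when matchpathcon is missing or the policy has no entry (the directories then get the default context and nothing reports it). Keep one pair and let the failure be visible. The getty line `S0::respawn:/sbin/getty -L  ttyS0 115200 vt100` hard-codes ttyS0 (and has a double space), which contradicts BR2_TARGET_GENERIC_GETTY_PORT="tty1" in the 4/4 defconfig; since this overlay replaces the generated inittab, the defconfig value is dead and the two should agree.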
diff --git a/board/common_selinux/linux-selinux-fragment.config b/board/common_selinux/linux-selinux-fragment.config
new file mode 100644
index 0000000000..6c715f0599
--- /dev/null
+++ b/board/common_selinux/linux-selinux-fragment.config
@@ -0,0 +1,19 @@
+CONFIG_AUDIT=y
+CONFIG_MODULES=y
+CONFIG_IP_PNP=y
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_EXT2_FS=y
+CONFIG_EXT2_FS_XATTR=y
+CONFIG_EXT2_FS_POSIX_ACL=y
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS=y
+CONFIG_EXT3_FS_POSIX_ACL=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_NFS_FS=y
+CONFIG_ROOT_NFS=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_CRYPTO_ANSI_CPRNG=y
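Review bot: CONFIG_SECURITY_SELINUX=y is set but CONFIG_DEFAULT_SECURITY_SELINUX=y is not, so whether SELinux is the active LSM depends on the Kconfig default being chosen for whatever base config the fragment is merged into; pin it explicitly. CONFIG_SECURITY_SELINUX_BOOTPARAM=y is what lets `selinux=0` on the command line switch the LSM off entirely (the readme in 4/4 relies on it); that is a development convenience, and a production profile derived from this fragment should drop it. CONFIG_IP_PNP, CONFIG_NFS_FS/CONFIG_ROOT_NFS and CONFIG_CRYPTO_ANSI_CPRNG are not needed for a qemu target booting from rootfs.ext2 and the commit message does not explain them; prune or justify.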
diff --git a/board/common_selinux/permissions.txt b/board/common_selinux/permissions.txt
new file mode 100755
index 0000000000..374adbc02a
--- /dev/null
+++ b/board/common_selinux/permissions.txt
@@ -0,0 +1,26 @@
+################################################################################
+#
+# See <buildroot-source>/package/makedevs/README for details
+#
+# This device table is used to assign proper ownership and permissions
+# on the files in the local-skeleton directory. It doesn't create any device
+# file, as it is used in both static device configurations (where /dev/ is static)
+# and in dynamic configurations (where devtmpfs, mdev or udev are used).
+#
+# <name>				<type>	<mode>	<uid>	<gid>	<major>	<minor>	<start>	<inc>	<count>
+
+# All the necessary file permissions for /etc
+/etc/audit/auditd.conf			f	644	0	0	-	-	-	-	-
+/etc/audit/rules.d/audit.rules		f	644	0	0	-	-	-	-	-
+/etc/fstab				f	644	0	0	-	-	-	-	-
+/etc/inittab				f	644	0	0	-	-	-	-	-
+
+# Setup entries for all of the /var/* directories that need proper
+# mount points
+/var/cache				d	755	0	0	-	-	-	-	-
+/var/lib/misc				d	755	0	0	-	-	-	-	-
+/var/lock				d	755	0	0	-	-	-	-	-
+/var/log				d	755	0	0	-	-	-	-	-
+/var/run				d	755	0	0	-	-	-	-	-
+/var/spool				d	755	0	0	-	-	-	-	-
+/var/tmp				d	755	0	0	-	-	-	-	-
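Review bot: the header comment says the table fixes ownership in the `local-skeleton directory`, but these paths live in board/common_selinux/fs-overlay (BR2_ROOTFS_OVERLAY in 4/4), so reword it. `/var/tmp d 755` makes /var/tmp root-only; by convention it is 1777 like /tmp. The `d` entries for /var/cache, /var/lock, /var/log, /var/run and /var/spool exist to turn the symlinks that post_build.sh deletes back into directories for the tmpfs mounts in fstab; a one-line comment saying so, and that this works only because makedevs runs at image creation after the post-build script, spares the next reader from reconstructing the ordering. /var/lib/misc and /var/tmp are recreated here but have no tmpfs mount in fstab, so they end up on the read-write root; state whether that is intended.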
diff --git a/board/common_selinux/post_build.sh b/board/common_selinux/post_build.sh
new file mode 100755
index 0000000000..3509de9135
--- /dev/null
+++ b/board/common_selinux/post_build.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+################################################################################
+#
+# DESCRIPTION:
+#     This script will do any "post-build" steps (after all packages are built
+#     but before image creation). Any filesystem permission issues should be
+#     fixed in this script.
+#
+#     The script requires following variables to be passed into it.
+#        $1 - the target directory (passed in by default by buildroot if
+#             script is BR2_ROOTFS_POST_BUILD_SCRIPT)
+#
+################################################################################
+
+DEST_DIR=$1
+
+# For SELinux targets, the /var directory symlinks need to be removed
+# and replaced with actual folders. The removal is done here and the
+# recreation is done in the permissions file for the common_selinux
+# local_skeleton
+for link in ${DEST_DIR}/var/{cache,lock,log,run,spool,tmp} ${DEST_DIR}/var/lib/misc; do
+	if [ -h ${link} ]; then
+		echo "Removing symlink ${link}"
+		unlink ${link}
+	fi
+done
+
+# Replace the /run folder with a symlink to /var/run
+rm -rf ${DEST_DIR}/run
+ln -sf -t ${DEST_DIR} run var/run
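Review bot: `rm -rf ${DEST_DIR}/run` with `DEST_DIR=$1` unguarded and unquoted becomes `rm -rf /run` on the build host if the script is ever run without an argument; add `set -e` and a guard such as `[ -n "$1" ] && [ -d "$1" ] || exit 1` at the top, and quote `"${DEST_DIR}"` throughout (the `for` loop and `unlink` are equally unquoted). The comment refers to `the permissions file for the common_selinux local_skeleton`; the file is board/common_selinux/permissions.txt, used as a device table, so name it. Replacing /run with a symlink into /var/run also inherits the `mode=0700` tmpfs from fstab, so non-root daemons cannot write to /run either.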
-- 
2.13.2

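Several of the points above are about three files agreeing with each other: the fstab mounts, the directories permissions.txt recreates after post_build.sh has deleted the /var symlinks, and the hardening options on each tmpfs. The following is an added example, not part of the patch or of Buildroot: a small Python audit that parses an fstab and the 'd' lines of a makedevs table and reports tmpfs mounts missing nodev/nosuid/noexec, shared scratch directories (/tmp, /var/tmp, /dev/shm) mounted with anything other than 1777, /var mount points with no 'd' entry to recreate them, and a selinuxfs mounted anywhere but /sys/fs/selinux. PATCH_FSTAB and the 'd' lines of PATCH_PERMISSIONS are copied from this patch; BROKEN_FSTAB, the function names and the finding codes are this example's own.

```python
"""fstab and makedevs table cross-checks for an SELinux rootfs (added example).

Not part of the patch or of Buildroot. It parses the /etc/fstab and the
permissions.txt 'd' lines from the patch above and reports what a reviewer
would otherwise check by hand: tmpfs mounts without nodev/nosuid/noexec,
shared scratch directories mounted root-only, /var mount points that the
post-build script turns from symlinks into nothing unless a 'd' entry
recreates them, and a legacy selinuxfs path. The function names, finding
codes and the constructed BROKEN_FSTAB are this example's own.
"""
from collections import namedtuple

Mount = namedtuple("Mount", "device mountpoint fstype options")

# Directories every user must be able to write to: mode 1777 (sticky).
SHARED_SCRATCH = {"/tmp", "/var/tmp", "/dev/shm"}
HARDENING = {"nodev", "nosuid", "noexec"}

# Copied from board/common_selinux/fs-overlay/etc/fstab in the patch.
PATCH_FSTAB = """\
/dev/root       /              ext3      rw,noauto                       0      1
proc            /proc          proc      defaults                        0      0
devpts          /dev/pts       devpts    defaults,gid=5,mode=620         0      0
tmpfs           /dev/shm       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
tmpfs           /tmp           tmpfs     mode=0700,nodev,nosuid,noexec,size=200M  0      0
tmpfs           /var/cache     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
tmpfs           /var/lock      tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
tmpfs           /var/log       tmpfs     mode=0700,nodev,nosuid,noexec,size=50M   0      0
tmpfs           /var/run       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
tmpfs           /var/spool     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
sysfs           /sys           sysfs     defaults                 0      0
none            /selinux       selinuxfs noauto                   0      0
"""

# The 'd' lines of board/common_selinux/permissions.txt from the patch.
PATCH_PERMISSIONS = """\
/var/cache    d 755 0 0 - - - - -
/var/lib/misc d 755 0 0 - - - - -
/var/lock     d 755 0 0 - - - - -
/var/log      d 755 0 0 - - - - -
/var/run      d 755 0 0 - - - - -
/var/spool    d 755 0 0 - - - - -
/var/tmp      d 755 0 0 - - - - -
"""

# Constructed counter-example: a /var/log mount with no hardening options.
BROKEN_FSTAB = "tmpfs /var/log tmpfs mode=0755,size=50M 0 0\n"


def parse_fstab(text):
    """Return the Mount entries of an fstab, skipping comments and blanks."""
    mounts = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        mounts.append(Mount(fields[0], fields[1], fields[2], set(fields[3].split(","))))
    return mounts


def dir_entries(table_text):
    """Mount points a makedevs table recreates as directories ('d' lines)."""
    rows = (line.split() for line in table_text.splitlines())
    return {f[0] for f in rows if len(f) == 10 and f[1] == "d"}


def audit(fstab_text, table_text):
    """Return [(mountpoint, finding), ...] in fstab order."""
    findings = []
    dirs = dir_entries(table_text)
    for m in parse_fstab(fstab_text):
        if m.fstype == "tmpfs":
            missing = HARDENING - m.options
            if missing:
                findings.append((m.mountpoint, "tmpfs-missing-" + ",".join(sorted(missing))))
            mode = next((o[5:] for o in m.options if o.startswith("mode=")), None)
            if m.mountpoint in SHARED_SCRATCH and mode not in ("1777", "01777"):
                findings.append((m.mountpoint, f"shared-dir-mode-{mode}"))
            # This board's post_build.sh deletes the /var symlinks and relies
            # on the table to recreate the directory before mount -a runs.
            if m.mountpoint.startswith("/var/") and m.mountpoint not in dirs:
                findings.append((m.mountpoint, "no-d-entry-for-mountpoint"))
        if m.fstype == "selinuxfs" and m.mountpoint != "/sys/fs/selinux":
            findings.append((m.mountpoint, "legacy-selinuxfs-path"))
    return findings


if __name__ == "__main__":
    for mountpoint, finding in audit(PATCH_FSTAB, PATCH_PERMISSIONS) + audit(BROKEN_FSTAB, ""):
        print(f"{mountpoint}: {finding}")
```

On the patch's own files the audit reports the root-only /tmp and /dev/shm and the legacy /selinux mount point, and nothing for the /var mounts, which confirms that every tmpfs mount point post_build.sh strips is recreated by a 'd' entry; the constructed BROKEN_FSTAB shows what a missing hardening set and a missing 'd' entry look like.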

* [Buildroot] [PATCH v14 4/4] qemu x86 selinux: base br defconfig
From: Arnout Vandecappelle @ 2017-07-03 21:00 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

This will build a base SELinux system that boots with SELinux
in permissive mode. Also adding documentation on how to use it.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
[Arnout:
 - Create a 64-bit defconfig instead of a 32-bit one.
 - Move the kernel fragment to board/common_selinux.
 - Align with qemu_x86_64_defconfig.
 - Regenerate .gitlab-ci.yml.]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
v14:
 - Create a 64-bit defconfig instead of a 32-bit one.
 - Move the kernel fragment to board/common_selinux.
 - Align with qemu_x86_defconfig.
 - Regenerate .gitlab-ci.yml.
 - Add the defconfig only after the selinux-specific bits have been
   added.

I would really like some explanation why the following config options
are needed:
BR2_TARGET_GENERIC_ROOT_PASSWD="root"
BR2_TARGET_ROOTFS_EXT2_RESBLKS=5
BR2_PACKAGE_OPENSSH=y
BR2_PACKAGE_RSYSLOG=y
BR2_PACKAGE_UTIL_LINUX_LOGIN_UTILS=y
BR2_PACKAGE_HOST_CHECKPOLICY=y

I switched to x86_64 because the BR2_i386_pentiumpro variant fails to
build glibc:
In file included from ../sysdeps/x86_64/multiarch/strcspn-c.c:22:0,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
../sysdeps/x86_64/multiarch/varshift.h: In function '__m128i_shift_right':
../sysdeps/x86_64/multiarch/varshift.h:26:1: error: SSE vector return without SSE enabled changes the ABI [-Werror=psabi]
 {
 ^

(and more). I couldn't be bothered to debug that, switching to x86_64
was simpler.
---
 .gitlab-ci.yml                        |  1 +
 board/qemu/x86_64/readme.txt          | 17 +++++++++++++
 configs/qemu_x86_64_selinux_defconfig | 47 +++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 configs/qemu_x86_64_selinux_defconfig

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3ae7e5db64..4a48c560f2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -174,6 +174,7 @@ qemu_sh4eb_r2d_defconfig: *defconfig
 qemu_sparc64_sun4u_defconfig: *defconfig
 qemu_sparc_ss10_defconfig: *defconfig
 qemu_x86_64_defconfig: *defconfig
+qemu_x86_64_selinux_defconfig: *defconfig
 qemu_x86_defconfig: *defconfig
 qemu_xtensa_lx60_defconfig: *defconfig
 qemu_xtensa_lx60_nommu_defconfig: *defconfig
diff --git a/board/qemu/x86_64/readme.txt b/board/qemu/x86_64/readme.txt
index ecd7813a1e..742cf13ba5 100644
--- a/board/qemu/x86_64/readme.txt
+++ b/board/qemu/x86_64/readme.txt
@@ -7,3 +7,20 @@ Optionally add -smp N to emulate a SMP system with N CPUs.
 The login prompt will appear in the graphical window.
 
 Tested with QEMU 2.9.0
+
+-------------------------------------------------------------------
+
+Run the SELinux target (based on qemu_x86_64_selinux_defconfig) emulation with:
+
+    qemu-system-x86_64 -M pc -kernel output/images/bzImage -drive file=output/images/rootfs.ext2,if=ide -append "root=/dev/sda rw console=ttyS0 selinux=1" -net nic,model=rtl8139 -net user -display none -serial stdio
+
+The emulation should reboot once the first time for relabeling and
+then provide a login prompt. The login is username root and password
+root because PAM requires a password in this secure configuration. To
+enable SELinux enforcing at boot, login and edit the
+/etc/selinux/config and set SELINUX to enforcing. Save and make sure
+to "sync" before restarting the emulation as the ext2 fs would
+otherwise corrupt when the emulation exits. After enforcing is
+default, the selinux= provided as part of the qemu "append" above can
+be used to turn enforcing on/off. This configuration would be tailored
+as part of a targets refpolicy customization.
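Review bot: the closing sentences say `the selinux= provided as part of the qemu "append" above can be used to turn enforcing on/off`; `selinux=0` disables the SELinux LSM entirely (that is what CONFIG_SECURITY_SELINUX_BOOTPARAM in the 3/4 kernel fragment enables), it does not switch between permissive and enforcing. Enforcing is set by SELINUX= in /etc/selinux/config, by `enforcing=0|1` on the kernel command line, or with setenforce at run time; reword so a reader does not disable the LSM believing they went permissive. Also, `sync` before killing the emulator is not a substitute for a clean shutdown: `halt` (the 3/4 inittab wires hlt0 for it) unmounts the root filesystem and is what avoids the ext2 corruption the text warns about.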
diff --git a/configs/qemu_x86_64_selinux_defconfig b/configs/qemu_x86_64_selinux_defconfig
new file mode 100644
index 0000000000..28d8d45942
--- /dev/null
+++ b/configs/qemu_x86_64_selinux_defconfig
@@ -0,0 +1,47 @@
+# Architecture
+BR2_x86_64=y
+
+# System
+BR2_SYSTEM_DHCP="eth0"
+BR2_TARGET_GENERIC_GETTY_PORT="tty1"
+# Select SYSV init to provide selinux enabled init
+BR2_INIT_SYSV=y
+BR2_TARGET_GENERIC_ROOT_PASSWD="root"
+# Pull in SELinux specific file overlay to allow login
+# in enforcing mode.
+BR2_ROOTFS_DEVICE_TABLE="system/device_table.txt board/common_selinux/permissions.txt"
+BR2_ROOTFS_OVERLAY="board/common_selinux/fs-overlay"
+BR2_ROOTFS_POST_BUILD_SCRIPT="board/common_selinux/post_build.sh"
+
+# Filesystem
+BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_EXT2_RESBLKS=5
+# BR2_TARGET_ROOTFS_TAR is not set
+
+# Internal toolchain glibc, for policycoreutils
+BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
+# Linux headers same as kernel, a 4.11 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_11=y
+
+# Kernel
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.11.3"
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86_64/linux-4.11.config"
+BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/common_selinux/linux-selinux-fragment.config"
+
+# Customized busybox config providing a tailored
+# balance of applets vs full apps
+BR2_PACKAGE_BUSYBOX_CONFIG_FRAGMENT_FILES="board/common_selinux/busybox-selinux-fragment.config"
+
+# Ensure busybox is built as individual binaries for the
+# SELinux refpolicy to work correctly
+BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES=y
+BR2_PACKAGE_OPENSSH=y
+BR2_PACKAGE_REFPOLICY=y
+BR2_PACKAGE_RSYSLOG=y
+BR2_PACKAGE_UTIL_LINUX=y
+BR2_PACKAGE_UTIL_LINUX_BINARIES=y
+BR2_PACKAGE_UTIL_LINUX_LOGIN_UTILS=y
+BR2_PACKAGE_HOST_CHECKPOLICY=y
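Review bot: BR2_TARGET_GENERIC_GETTY_PORT="tty1" is contradicted by the overlay's /etc/inittab (ttyS0) and by the readme's `-display none -serial stdio`; the overlay replaces the generated inittab, so this value is dead and should be ttyS0 or dropped. BR2_TARGET_GENERIC_ROOT_PASSWD="root" next to BR2_PACKAGE_OPENSSH=y ships a well-known root credential beside an SSH server; the cover note already questions the password, and the readme says it exists because PAM refuses an empty password, so put that reason in the comment here and make clear that anyone reusing this defconfig for real hardware must change it (the readme's `-net user` does not forward port 22, a board will expose it). BR2_PACKAGE_UTIL_LINUX_LOGIN_UTILS=y installs util-linux's login utilities over the busybox applets of the same name; check which binaries end up at /bin/login and /bin/su, since the `F 4755` entries from 2/4 apply to whatever file sits at those paths.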
-- 
2.13.2


* [Buildroot] [PATCH v14 1/4] makedevs: support optional files
From: Thomas Petazzoni @ 2017-07-03 22:58 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon, 3 Jul 2017 23:00:48 +0200, Arnout Vandecappelle
(Essensium/Mind) wrote:
> Add the 'F' file type to makedevs, that allows a file to be optional.
> With this option, the line is just silently skipped if the file doesn't
> exist (or is not a regular file).
> 
> This is useful for _PERMISSIONS where the file can be configured out
> by package-specific configuration that is not directly handled by
> Buildroot, like busybox.
> 
> Cc: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
> Cc: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
> Cc: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
> ---
> v14:
>  - Split off the makedevs change in a separate patch.
>  - Fix it - AFAICS, the original patch would just skip all F lines.
> ---
>  package/makedevs/makedevs.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v14 2/4] busybox: applets as individual binaries
From: Thomas Petazzoni @ 2017-07-03 22:58 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon, 3 Jul 2017 23:00:49 +0200, Arnout Vandecappelle
(Essensium/Mind) wrote:

> +ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
> +define BUSYBOX_PERMISSIONS
> +	/usr/share/udhcpc/default.script f 755  0  0 - - - - -

This shouldn't have been added by this patch, so I've dropped this
line. And applied your patch. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com

