initial buildroot for linux 5.15

This commit is contained in:
Huan.Feng
2021-12-06 14:12:13 +08:00
parent d7767d594e
commit 7b6fc358fa
12736 changed files with 508822 additions and 0 deletions
@@ -0,0 +1,83 @@
From 7c58f2508efc115dea03e18e1fa611ebf81f6ee6 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Wed, 4 Aug 2021 11:12:01 +0200
Subject: [PATCH] policy/modules/services/samba.te: make crack optional
Make crack optional to avoid the following build failure:
Compiling targeted policy.31
env LD_LIBRARY_PATH="/tmp/instance-5/output-1/host/lib:/tmp/instance-5/output-1/host/usr/lib" /tmp/instance-5/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
policy/modules/services/samba.te:399:ERROR 'type crack_db_t is not within scope' at token ';' on line 360232:
allow smbd_t crack_db_t:dir { getattr search open };
#line 399
checkpolicy: error(s) encountered while parsing configuration
Fixes:
- http://autobuild.buildroot.org/results/ab7098948d1920e42fa587e07f0513f23ba7fc74
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Upstream status: https://github.com/SELinuxProject/refpolicy/pull/407]
---
policy/modules/services/samba.te | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 9d4665ae6..6c37625a9 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -396,8 +396,6 @@ userdom_signal_all_users(smbd_t)
userdom_home_filetrans_user_home_dir(smbd_t)
userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
-usermanage_read_crack_db(smbd_t)
-
ifdef(`hide_broken_symptoms',`
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
@@ -413,18 +411,6 @@ tunable_policy(`samba_create_home_dirs',`
userdom_create_user_home_dirs(smbd_t)
')
-tunable_policy(`samba_domain_controller',`
- gen_require(`
- class passwd passwd;
- ')
-
- usermanage_domtrans_passwd(smbd_t)
- usermanage_kill_passwd(smbd_t)
- usermanage_domtrans_useradd(smbd_t)
- usermanage_domtrans_groupadd(smbd_t)
- allow smbd_t self:passwd passwd;
-')
-
tunable_policy(`samba_enable_home_dirs',`
userdom_manage_user_home_content_dirs(smbd_t)
userdom_manage_user_home_content_files(smbd_t)
@@ -505,6 +491,24 @@ optional_policy(`
seutil_sigchld_newrole(smbd_t)
')
+optional_policy(`
+ usermanage_read_crack_db(smbd_t)
+')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ gen_require(`
+ class passwd passwd;
+ ')
+
+ usermanage_domtrans_passwd(smbd_t)
+ usermanage_kill_passwd(smbd_t)
+ usermanage_domtrans_useradd(smbd_t)
+ usermanage_domtrans_groupadd(smbd_t)
+ allow smbd_t self:passwd passwd;
+ ')
+')
+
########################################
#
# Nmbd Local policy
--
2.30.2
@@ -0,0 +1,54 @@
From 67394d078c2e1438293b25d08cf408b0b0d55755 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Wed, 22 Sep 2021 23:55:59 +0200
Subject: [PATCH] policy/modules/services/wireguard.te: make iptables optional
Make iptables optional to avoid the following build failure raised since
version 2.20210908 and
https://github.com/SELinuxProject/refpolicy/commit/7f1a7b1cacd5d211077ce62fbb4e91890e65c820:
Compiling targeted policy.33
env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
policy/modules/services/wireguard.te:66:ERROR 'type iptables_exec_t is not within scope' at token ';' on line 591892:
#line 66
allow wireguard_t iptables_exec_t:file { getattr open map read execute ioctl };
checkpolicy: error(s) encountered while parsing configuration
make[1]: *** [Rules.monolithic:79: policy.33] Error 1
Fixes:
- http://autobuild.buildroot.org/results/a4223accc6adb70b06fd4e74ca4f28484446b6fa
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Upstream status: https://github.com/SELinuxProject/refpolicy/pull/408]
---
policy/modules/services/wireguard.te | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/wireguard.te b/policy/modules/services/wireguard.te
index 7241f65e6..33fd3c55d 100644
--- a/policy/modules/services/wireguard.te
+++ b/policy/modules/services/wireguard.te
@@ -61,10 +61,6 @@ corecmd_exec_shell(wireguard_t)
domain_use_interactive_fds(wireguard_t)
-# wg-quick can be configured to run iptables and other networking
-# config tools when bringing up/down the wg interfaces
-iptables_domtrans(wireguard_t)
-
# wg-quick tries to read /proc/filesystem when running "stat" and "mv" commands
kernel_dontaudit_read_system_state(wireguard_t)
kernel_dontaudit_search_kernel_sysctl(wireguard_t)
@@ -75,3 +71,9 @@ miscfiles_read_localization(wireguard_t)
sysnet_run_ifconfig(wireguard_t, wireguard_roles)
userdom_use_user_terminals(wireguard_t)
+
+# wg-quick can be configured to run iptables and other networking
+# config tools when bringing up/down the wg interfaces
+optional_policy(`
+ iptables_domtrans(wireguard_t)
+')
--
2.33.0
+117
View File
@@ -0,0 +1,117 @@
config BR2_PACKAGE_REFPOLICY
bool "refpolicy"
depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
# Even though libsepol is not necessary for building, we get
# the policy version from libsepol, so we select it, and treat
# it like a runtime dependency.
select BR2_PACKAGE_LIBSEPOL
help
The SELinux Reference Policy project (refpolicy) is a
complete SELinux policy that can be used as the system
policy for a variety of systems and used as the basis for
creating other policies. Reference Policy was originally
based on the NSA example policy, but aims to accomplish many
additional goals.
The current refpolicy does not fully support Buildroot and
needs modifications to work with the default system file
layout. These changes should be added as patches to the
refpolicy that modify a single SELinux policy.
The refpolicy works for the most part in permissive
mode. Only the basic set of utilities are enabled in the
example policy config and some of the pathing in the
policies is not correct. Individual policies would need to
be tweaked to get everything functioning properly.
https://github.com/TresysTechnology/refpolicy
if BR2_PACKAGE_REFPOLICY
choice
prompt "Refpolicy version"
default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
bool "Upstream version"
help
Use the refpolicy as provided by Buildroot.
config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
bool "Custom git repository"
help
Allows to get the refpolicy from a custom git repository.
The custom refpolicy must define the full policy explicitly,
and must be a fork of the original refpolicy, to have the
same build system. When this is selected, only the custom
policy definition are taken into account and all the modules
of the policy are built into the binary policy.
endchoice
if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
string "URL of custom repository"
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
string "Custom repository version"
help
Revision to use in the typical format used by Git.
E.g. a sha id, tag, branch...
endif
choice
prompt "SELinux default state"
default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
bool "Enforcing"
help
SELinux security policy is enforced
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
bool "Permissive"
help
SELinux prints warnings instead of enforcing
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
bool "Disabled"
help
No SELinux policy is loaded
endchoice
config BR2_PACKAGE_REFPOLICY_POLICY_STATE
string
default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
config BR2_REFPOLICY_EXTRA_MODULES_DIRS
string "Extra modules directories"
help
Specify a space-separated list of directories containing
SELinux modules that will be built into the SELinux
policy. The modules will be automatically enabled in the
policy.
Each of those directories must contain the SELinux policy
.fc, .if and .te files directly at the top-level, with no
sub-directories. Also, you cannot have several modules with
the same name in different directories.
config BR2_REFPOLICY_EXTRA_MODULES
string "Extra modules to enable"
help
List of extra SELinux modules to enable in the refpolicy.
endif
endif
comment "refpolicy needs a toolchain w/ threads"
depends on !BR2_TOOLCHAIN_HAS_THREADS
+8
View File
@@ -0,0 +1,8 @@
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
SELINUXTYPE=targeted
+5
View File
@@ -0,0 +1,5 @@
# From https://github.com/SELinuxProject/refpolicy/releases
sha256 4d3140d9fbb91322f5de36d73959464ce1d8946dcd149e36fcaf60e92444e902 refpolicy-2.20210908.tar.bz2
# Locally computed
sha256 204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994 COPYING
+134
View File
@@ -0,0 +1,134 @@
################################################################################
#
# refpolicy
#
################################################################################
REFPOLICY_LICENSE = GPL-2.0
REFPOLICY_LICENSE_FILES = COPYING
REFPOLICY_CPE_ID_VENDOR = selinuxproject
REFPOLICY_INSTALL_STAGING = YES
REFPOLICY_DEPENDENCIES = \
host-m4 \
host-checkpolicy \
host-policycoreutils \
host-python3 \
host-setools \
host-gawk \
host-libxml2
ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
REFPOLICY_SITE_METHOD = git
BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)
else
REFPOLICY_VERSION = 2.20210908
REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION))
endif
# Cannot use multiple threads to build the reference policy
REFPOLICY_MAKE = \
PYTHON=$(HOST_DIR)/usr/bin/python3 \
XMLLINT=$(LIBXML2_HOST_BINARY) \
TEST_TOOLCHAIN=$(HOST_DIR) \
$(TARGET_MAKE_ENV) \
$(MAKE1)
REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)
REFPOLICY_POLICY_STATE = \
$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
ifeq ($(BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION),y)
# Allow to provide out-of-tree SELinux modules in addition to the ones
# in the refpolicy.
REFPOLICY_EXTRA_MODULES_DIRS = \
$(strip \
$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)) \
$(PACKAGES_SELINUX_EXTRA_MODULES_DIRS))
$(foreach dir,$(REFPOLICY_EXTRA_MODULES_DIRS),\
$(if $(wildcard $(dir)),,\
$(error BR2_REFPOLICY_EXTRA_MODULES_DIRS contains nonexistent directory $(dir))))
REFPOLICY_MODULES = \
application \
authlogin \
getty \
init \
libraries \
locallogin \
logging \
miscfiles \
modutils \
mount \
selinuxutil \
storage \
sysadm \
sysnetwork \
unconfined \
userdomain \
$(PACKAGES_SELINUX_MODULES) \
$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES)) \
$(foreach d,$(REFPOLICY_EXTRA_MODULES_DIRS),\
$(basename $(notdir $(wildcard $(d)/*.te))))
define REFPOLICY_COPY_EXTRA_MODULES
mkdir -p $(@D)/policy/modules/buildroot
rsync -au $(addsuffix /*,$(REFPOLICY_EXTRA_MODULES_DIRS)) \
$(@D)/policy/modules/buildroot/
if [ ! -f $(@D)/policy/modules/buildroot/metadata.xml ]; then \
echo "<summary>Buildroot extra modules</summary>" > \
$(@D)/policy/modules/buildroot/metadata.xml; \
fi
endef
# In the context of a monolithic policy enabling a piece of the policy as
# 'base' or 'module' is equivalent, so we enable them as 'base'.
define REFPOLICY_CONFIGURE_MODULES
$(SED) "s/ = module/ = no/g" $(@D)/policy/modules.conf
$(foreach m,$(sort $(REFPOLICY_MODULES)),
$(SED) "/^$(m) =/c\$(m) = base" $(@D)/policy/modules.conf
)
endef
endif # BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION = y
ifeq ($(BR2_INIT_SYSTEMD),y)
define REFPOLICY_CONFIGURE_SYSTEMD
$(SED) "/SYSTEMD/c\SYSTEMD = y" $(@D)/build.conf
endef
endif
define REFPOLICY_CONFIGURE_CMDS
$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
$(@D)/build.conf
$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(@D)/build.conf
$(SED) "/NAME/c\NAME = targeted" $(@D)/build.conf
$(REFPOLICY_CONFIGURE_SYSTEMD)
$(if $(REFPOLICY_EXTRA_MODULES_DIRS), \
$(REFPOLICY_COPY_EXTRA_MODULES)
)
$(REFPOLICY_MAKE) -C $(@D) bare conf
$(REFPOLICY_CONFIGURE_MODULES)
endef
define REFPOLICY_BUILD_CMDS
$(REFPOLICY_MAKE) -C $(@D) policy
endef
define REFPOLICY_INSTALL_STAGING_CMDS
$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) \
install-src install-headers
endef
define REFPOLICY_INSTALL_TARGET_CMDS
$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
$(INSTALL) -m 0755 -D package/refpolicy/config \
$(TARGET_DIR)/etc/selinux/config
$(SED) "/^SELINUX=/c\SELINUX=$(REFPOLICY_POLICY_STATE)" \
$(TARGET_DIR)/etc/selinux/config
endef
$(eval $(generic-package))