authorThomas Petazzoni <thomas.petazzoni@bootlin.com>2020-07-18 08:01:54 -0500
committerDaniel Golle <daniel@makrotopia.org>2020-08-31 01:15:41 +0100
commitaee58d52ce616fc1d74c15fec01e751e9c2c1dd5 (patch)
tree611add95055e4978b0a2bd8dcd2cbe6b1c6b2aa3
parent1aa71833fe875b0a5b48a64dc8c0775b490ee37f (diff)
build: add support for SELinux to include/image.mk
This allows the build process to prepare a squashfs filesystem for use with SELinux. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> [rebase, add commit message] Signed-off-by: W. Michael Petullo <mike@flyn.org>
-rw-r--r--config/Config-build.in10
-rw-r--r--include/image.mk19
2 files changed, 28 insertions, 1 deletions
diff --git a/config/Config-build.in b/config/Config-build.in
index 499f84690f..fc94f4d45e 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -328,4 +328,14 @@ menu "Global build settings"
bool "Full"
endchoice
+ config TARGET_ROOTFS_SECURITY_LABELS
+ bool "Enable rootfs security labels"
+ select KERNEL_SQUASHFS_XATTR
+ select KERNEL_EXT4_FS_SECURITY
+ select KERNEL_F2FS_FS_SECURITY
+ select KERNEL_UBIFS_FS_SECURITY
+ select KERNEL_JFFS2_FS_SECURITY
+ select PACKAGE_refpolicy
+ help
+ This option enables the usage of SELinux labels
endmenu
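Review bot: The help text for `TARGET_ROOTFS_SECURITY_LABELS` does not tell the user what the option actually does or what it pulls in. It selects xattr/security support for squashfs, ext4, f2fs, ubifs and jffs2 and forces `PACKAGE_refpolicy`, yet the only labelling step visible in this commit is in `Image/mkfs/squashfs`; unless the other mkfs templates are handled outside this diff, an ext4 or ubifs rootfs would get kernel support but no labels. I would expand the help to something like `Label the root filesystem with SELinux file contexts at image build time (squashfs images); selects refpolicy and the kernel security-label options.` and state there that labels only take effect on a kernel built with SELinux enabled.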
diff --git a/include/image.mk b/include/image.mk
index e8c2cf7100..3a12db3676 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -234,13 +234,30 @@ endef
$(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S))))
$(eval $(foreach S,$(NAND_BLOCKSIZE),$(call Image/mkfs/jffs2-nand/template,$(S))))
-define Image/mkfs/squashfs
+define Image/mkfs/squashfs-common
$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
-nopad -noappend -root-owned \
-comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
-processors 1
endef
+ifeq ($(CONFIG_TARGET_ROOTFS_SECURITY_LABELS),y)
+define Image/mkfs/squashfs
+ echo "LD_LIBRARY_PATH=\$$LD_LIBRARY_PATH:$(STAGING_DIR_HOSTPKG)/lib" \
+ "$(STAGING_DIR_HOSTPKG)/sbin/setfiles -r" \
+ "$(call mkfs_target_dir,$(1))" \
+ "$(call mkfs_target_dir,$(1))/etc/selinux/targeted/contexts/files/file_contexts " \
+ "$(call mkfs_target_dir,$(1))" > $@.fakeroot-script
+ echo "$(Image/mkfs/squashfs-common)" >> $@.fakeroot-script
+ chmod +x $@.fakeroot-script
+ $(STAGING_DIR_HOST)/bin/fakeroot $@.fakeroot-script
+endef
+else
+define Image/mkfs/squashfs
+ $(call Image/mkfs/squashfs-common,$(1))
+endef
+endif
+
# $(1): board name
# $(2): rootfs type
# $(3): kernel image
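Review bot: The generated `$@.fakeroot-script` in the labelled `Image/mkfs/squashfs` variant fails open: it holds two plain command lines with no `set -e`, so when `setfiles` fails (missing `file_contexts`, labelling error) `mksquashfs4` still runs and its exit status is the only one the build sees, giving an unlabelled or partly labelled image from a successful build. Start the script with `echo "set -e" > $@.fakeroot-script` and append the `setfiles` line with `>>` so a labelling failure stops the image build. Separately, `LD_LIBRARY_PATH=\$$LD_LIBRARY_PATH:...` produces a leading empty entry when the variable is unset, which the dynamic loader treats as the current directory; writing the prefix as `\$${LD_LIBRARY_PATH:+\$$LD_LIBRARY_PATH:}` avoids loading libraries from the build's working directory. The policy name `targeted` is also hard-coded in the `file_contexts` path and presumably should follow whichever policy the image installs.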