From patchwork Wed Oct 13 15:02:22 2021
X-Patchwork-Submitter: Florian Eckert
X-Patchwork-Id: 1540454
From: Florian Eckert
To: daniel@makrotopia.org
Cc: Eckert.Florian@googlemail.com, openwrt-devel@lists.openwrt.org
Subject: [PATCH] buildsystem: add CONFIG_SECCOMP
Date: Wed, 13 Oct 2021 17:02:22 +0200
Message-ID: <20211013150222.10815-1-fe@dev.tdt.de>
X-Mailer: git-send-email 2.20.1
List-Id: OpenWrt Development List

Until now, this feature was switched on via the kernel configuration option KERNEL_SECCOMP. The following change a7f794cd2aa104fdbd4c6e38f9b76373bf9b96e1 now requires that the package procd-seccomp must also be enabled for the build. However, this is not the case, as we have no dependency to enable this package. Also the imagebuilder cannot build the image, because of the implicit package selection.

This change adds a new configuration option CONFIG_SECCOMP like the CONFIG_SELINUX option. If the CONFIG_SECCOMP is selected then the package procd-seccomp and KERNEL_SECCOMP are enabled for this build.

Signed-off-by: Florian Eckert
---
config/Config-build.in | 11 +++++++++++
include/target.mk | 2 +-
package/system/procd/Makefile | 3 +--
3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/config/Config-build.in b/config/Config-build.in index f0e1aaa695..5887d1a9c4 100644 --- a/config/Config-build.in +++ b/config/Config-build.in
@@ -386,4 +386,15 @@ menu "Global build settings" endchoice + config SECCOMP + bool "Enable SECCOMP" + select KERNEL_SECCOMP + select PACKAGE_procd-seccomp + depends on (aarch64 || arm || armeb || mips || mipsel || i386 || powerpc || x86_64) + depends on !TARGET_uml + help + This option enables seccomp kernel features to safely + execute untrusted bytecode and selects the seccomp-variants + of procd + endmenu diff --git a/include/target.mk b/include/target.mk index 03192d3ebe..60760bf602 100644 --- a/include/target.mk +++ b/include/target.mk @@ -39,7 +39,7 @@ DEFAULT_PACKAGES+=procd-ujail endif # include seccomp ld-preload hooks if kernel supports it -ifneq ($(CONFIG_KERNEL_SECCOMP),) +ifneq ($(CONFIG_SECCOMP),) DEFAULT_PACKAGES+=procd-seccomp endif diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile index 6f506423f8..4c76045062 100644 --- a/package/system/procd/Makefile +++ b/package/system/procd/Makefile @@ -82,8 +82,7 @@ endef define Package/procd-seccomp SECTION:=base CATEGORY:=Base system - DEPENDS:=@(aarch64||arm||armeb||mips||mipsel||i386||powerpc||x86_64) @!TARGET_uml \ - @KERNEL_SECCOMP +libubox +libblobmsg-json + DEPENDS:=@SECCOMP +libubox +libblobmsg-json TITLE:=OpenWrt process seccomp helper + utrace endef
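Review bot: the new `config SECCOMP` entry in Config-build.in has no `default`, so after this change seccomp is off unless a user ticks it, whereas the removed `ifneq ($(CONFIG_KERNEL_SECCOMP),)` block pulled `procd-seccomp` in automatically wherever the kernel option was set; that turns seccomp filtering of procd-started services into an opt-in and silently drops it from existing default builds. Either add a suitable `default` or state the behaviour change and its rationale in the commit message. The help text also needs rewording: "safely execute untrusted bytecode" does not describe what this switch does in the build; say that it enables kernel seccomp syscall filtering and builds the seccomp helper (`procd-seccomp`, i.e. the process seccomp helper + utrace named in the Makefile).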
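Review bot: in the include/target.mk hunk the comment `# include seccomp ld-preload hooks if kernel supports it` is now stale, because the condition tests the user-facing `CONFIG_SECCOMP` build option rather than kernel support; update it, e.g. `# include seccomp ld-preload hooks if SECCOMP is enabled`. This `DEFAULT_PACKAGES+=procd-seccomp` block also overlaps with `select PACKAGE_procd-seccomp` in the Config-build.in hunk, so the package is forced in twice; if the DEFAULT_PACKAGES entry is still required for the imagebuilder case the commit message mentions, say so there, otherwise keep a single mechanism.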
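Review bot: in the package/system/procd/Makefile hunk, `DEPENDS:=@SECCOMP` drops the package's own `@KERNEL_SECCOMP`, architecture and `@!TARGET_uml` guards; that is only correct because `config SECCOMP` in Config-build.in now carries the same arch list, the same `!TARGET_uml` dependency and `select`s KERNEL_SECCOMP, so those two places must be kept in sync from now on. Note that Kconfig `select` does not honour the selected symbol's own dependencies, so the arch/uml list on SECCOMP is the only thing preventing KERNEL_SECCOMP from being forced on where it cannot be built; a sentence in the commit message saying the restriction moved from the package to the build option would make that explicit for reviewers.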
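As an added example that is not part of this patch or of OpenWrt's build system: a POSIX shell check that a build's `.config` ends up in the state the patch intends, catching the mismatch the commit message describes (kernel seccomp on, but no `procd-seccomp` to load filters). The sample config files are constructed here, not real build output.

```shell
#!/bin/sh
# Added example (not part of the patch or of OpenWrt): check that the three
# seccomp-related options in an OpenWrt .config are consistent before an
# image is built or flashed.
# Usage: check_seccomp_config path/to/.config ; exit status 0 = consistent.

cfg_is_y() {
    # $1 = .config file, $2 = option name without the CONFIG_ prefix
    grep -q "^CONFIG_$2=y\$" "$1"
}

check_seccomp_config() {
    cfg="$1"
    rc=0
    if cfg_is_y "$cfg" SECCOMP; then
        # The new build option is meant to pull in both the kernel feature
        # and the userspace helper; flag either one missing.
        cfg_is_y "$cfg" KERNEL_SECCOMP \
            || { echo "SECCOMP=y but KERNEL_SECCOMP is missing"; rc=1; }
        cfg_is_y "$cfg" PACKAGE_procd-seccomp \
            || { echo "SECCOMP=y but procd-seccomp is not selected"; rc=1; }
    elif cfg_is_y "$cfg" KERNEL_SECCOMP; then
        # The pre-patch failure mode: kernel support is on, but without the
        # helper package no seccomp filters are applied to services.
        echo "KERNEL_SECCOMP=y but SECCOMP is not enabled: procd-seccomp will not be built"
        rc=1
    fi
    return $rc
}

# Constructed sample configs for demonstration only.
tmp=$(mktemp -d)
printf 'CONFIG_SECCOMP=y\nCONFIG_KERNEL_SECCOMP=y\nCONFIG_PACKAGE_procd-seccomp=y\n' \
    > "$tmp/good.config"
printf 'CONFIG_KERNEL_SECCOMP=y\n# CONFIG_PACKAGE_procd-seccomp is not set\n' \
    > "$tmp/bad.config"

check_seccomp_config "$tmp/good.config" && echo "good.config: consistent"
check_seccomp_config "$tmp/bad.config" || echo "bad.config: inconsistent"
```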