From patchwork Fri Oct 15 07:19:12 2021
X-Patchwork-Submitter: Florian Eckert
X-Patchwork-Id: 1541397
X-Patchwork-Delegate: daniel@makrotopia.org
From: Florian Eckert
To: daniel@makrotopia.org
Cc: Eckert.Florian@googlemail.com, openwrt-devel@lists.openwrt.org
Subject: [PATCH v2] buildsystem: add CONFIG_SECCOMP
Date: Fri, 15 Oct 2021 09:19:12 +0200
Message-ID: <20211015071912.30350-1-fe@dev.tdt.de>
X-Mailer: git-send-email 2.20.1
Until now, this feature was switched on via the kernel configuration option
KERNEL_SECCOMP. The following change a7f794cd2aa104fdbd4c6e38f9b76373bf9b96e1
now requires that the package procd-seccomp must also be enabled for building.
However, this is not the case: we have no dependency, and the imagebuilder
cannot build the image because of the implicit package selection.

This change adds a new configuration option CONFIG_SECCOMP. The new option has
the same behaviour as the configuration option CONFIG_SELINUX. If CONFIG_SECCOMP
is selected then the package procd-seccomp and KERNEL_SECCOMP are enabled for
this build.

Signed-off-by: Florian Eckert
---
v2: Enable CONFIG_SECCOMP by default

 config/Config-build.in        | 12 ++++++++++++
 include/target.mk             |  2 +-
 package/system/procd/Makefile |  3 +--
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/config/Config-build.in b/config/Config-build.in
index f0e1aaa695..ca6f513450 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -386,4 +386,16 @@ menu "Global build settings" endchoice + config SECCOMP + bool "Enable SECCOMP" + select KERNEL_SECCOMP + select PACKAGE_procd-seccomp + depends on (aarch64 || arm || armeb || mips || mipsel || i386 || powerpc || x86_64) + depends on !TARGET_uml + default y + help + This option enables seccomp kernel features to safely + execute untrusted bytecode and selects the seccomp-variants + of procd + endmenu diff --git a/include/target.mk b/include/target.mk index 03192d3ebe..60760bf602 100644 --- a/include/target.mk +++ b/include/target.mk @@ -39,7 +39,7 @@ DEFAULT_PACKAGES+=procd-ujail endif # include seccomp ld-preload hooks if kernel supports it -ifneq ($(CONFIG_KERNEL_SECCOMP),) +ifneq ($(CONFIG_SECCOMP),) DEFAULT_PACKAGES+=procd-seccomp endif diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile index 6f506423f8..4c76045062 100644 --- a/package/system/procd/Makefile +++ b/package/system/procd/Makefile @@ -82,8 +82,7 @@ endef define Package/procd-seccomp SECTION:=base CATEGORY:=Base system - DEPENDS:=@(aarch64||arm||armeb||mips||mipsel||i386||powerpc||x86_64) @!TARGET_uml \ - @KERNEL_SECCOMP +libubox +libblobmsg-json + DEPENDS:=@SECCOMP +libubox +libblobmsg-json TITLE:=OpenWrt process seccomp helper + utrace endef
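Review bot: in the config/Config-build.in hunk, `select PACKAGE_procd-seccomp` forces the same package that the `DEFAULT_PACKAGES+=procd-seccomp` line retained in include/target.mk already adds, so the patch pulls procd-seccomp in through two mechanisms. One is enough; if the Kconfig `select` stays, note that it cannot be unset in menuconfig and that `select KERNEL_SECCOMP` bypasses any `depends on` the KERNEL_SECCOMP symbol itself carries, so check that this is intended before merging. The help text ("safely execute untrusted bytecode") repeats the kernel's generic wording; in this tree the option gates the seccomp ld-preload hooks and the "process seccomp helper" named in the other two hunks, so wording it as enabling seccomp syscall filtering for procd-managed services would tell the user what they are actually turning on.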
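Review bot: in the include/target.mk hunk the unchanged comment `# include seccomp ld-preload hooks if kernel supports it` no longer matches the condition below it: the test is now on CONFIG_SECCOMP, the new global build option, not on kernel support. Either reword it to "if the SECCOMP build option is enabled" or drop the whole `ifneq` block, since `select PACKAGE_procd-seccomp` in Config-build.in already adds the package whenever SECCOMP is set.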
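Review bot: in the package/system/procd/Makefile hunk, replacing the DEPENDS line with `@SECCOMP +libubox +libblobmsg-json` drops the explicit `@KERNEL_SECCOMP`, so the package now relies entirely on the `select KERNEL_SECCOMP` in Config-build.in for the kernel feature it needs at runtime. That holds with this patch, but if the select is later removed the helper still builds and fails only when the service starts. Keeping `@KERNEL_SECCOMP` next to `@SECCOMP` costs nothing and records the real requirement in the package itself. Moving the arch list and `@!TARGET_uml` into the SECCOMP option is fine, since `@SECCOMP` hides the package wherever the option is invisible.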
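The commit message describes the relationship the new option is meant to enforce: when CONFIG_SECCOMP is set, both KERNEL_SECCOMP and the procd-seccomp package must be set, and procd-seccomp must not be present without CONFIG_SECCOMP (the imagebuilder case that motivated the patch). As an added check that is not part of the patch or of OpenWrt, the POSIX shell script below verifies exactly that in a generated .config. The two .config fragments are constructed for the example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the patch: sanity-check an OpenWrt .config for the
# seccomp relationship introduced by CONFIG_SECCOMP. Symbol names follow the
# patch; the two sample configs below are constructed for illustration.

# config_value SYMBOL FILE
# Print the value of CONFIG_SYMBOL (y, m or a string), or nothing if unset.
config_value() {
    sed -n "s/^CONFIG_$1=//p" "$2" | head -n 1
}

# check_seccomp_config FILE
# Return 0 if the config is consistent, 1 otherwise; diagnostics go to stdout.
check_seccomp_config() {
    _seccomp=$(config_value SECCOMP "$1")
    _kernel=$(config_value KERNEL_SECCOMP "$1")
    _pkg=$(config_value PACKAGE_procd-seccomp "$1")
    _rc=0
    if [ "$_seccomp" = "y" ]; then
        # SECCOMP selects both symbols; either one missing means a hand-edited
        # or stale .config that 'make defconfig' has not been run on.
        if [ "$_kernel" != "y" ]; then
            echo "CONFIG_SECCOMP=y but CONFIG_KERNEL_SECCOMP is not set"; _rc=1
        fi
        if [ "$_pkg" != "y" ]; then
            echo "CONFIG_SECCOMP=y but CONFIG_PACKAGE_procd-seccomp is not set"; _rc=1
        fi
    elif [ "$_pkg" = "y" ]; then
        # The pre-patch failure mode: the package is present without the
        # option it now depends on (@SECCOMP).
        echo "CONFIG_PACKAGE_procd-seccomp=y without CONFIG_SECCOMP"; _rc=1
    fi
    return $_rc
}

# Constructed sample configs (not real build output).
SAMPLE_DIR=$(mktemp -d)
GOOD_CFG="$SAMPLE_DIR/good.config"
BAD_CFG="$SAMPLE_DIR/bad.config"

cat > "$GOOD_CFG" <<'EOF'
CONFIG_TARGET_x86=y
CONFIG_SECCOMP=y
CONFIG_KERNEL_SECCOMP=y
CONFIG_PACKAGE_procd=y
CONFIG_PACKAGE_procd-seccomp=y
EOF

cat > "$BAD_CFG" <<'EOF'
CONFIG_TARGET_x86=y
# CONFIG_SECCOMP is not set
CONFIG_KERNEL_SECCOMP=y
CONFIG_PACKAGE_procd=y
CONFIG_PACKAGE_procd-seccomp=y
EOF

check_seccomp_config "$GOOD_CFG" && echo "good.config: ok"
check_seccomp_config "$BAD_CFG" || echo "bad.config: inconsistent"
```

Run it against a real `.config` by calling `check_seccomp_config .config` after sourcing the script; a non-zero exit with the printed diagnostic is the same inconsistency the imagebuilder would otherwise hit at build time.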