[OpenWrt-Devel] [PATCH] toolchain/gdb: Don't use gdb-arc
GDB got support for ARC with version 8.2. No need for this fork. Signed-off-by: Rosen Penev --- toolchain/gdb/Makefile | 11 --- 1 file changed, 11 deletions(-) diff --git a/toolchain/gdb/Makefile b/toolchain/gdb/Makefile index 41ba9853fd..c25d181990 100644 --- a/toolchain/gdb/Makefile +++ b/toolchain/gdb/Makefile @@ -7,23 +7,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gdb - -ifeq ($(CONFIG_arc),y) -PKG_VERSION:=arc-2017.09-gdb - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/foss-for-synopsys-dwc-arc-processors/binutils-gdb/archive/arc-2017.09-gdb -PKG_HASH:=7e3c2a763bf500a40c5c4591a7e22c591dafc1f214b1d514895c1096e85c883a -GDB_DIR:=binutils-$(PKG_NAME)-$(PKG_VERSION) -PATCH_DIR:=./patches-arc -else PKG_VERSION:=8.3.1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@GNU/gdb PKG_HASH:=1e55b4d7cdca7b34be12f4ceae651623aa73b2fd640152313f9f66a7149757c4 GDB_DIR:=$(PKG_NAME)-$(PKG_VERSION) -endif HOST_BUILD_DIR:=$(BUILD_DIR_TOOLCHAIN)/$(GDB_DIR) -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] ath79: rename EEPROM to art
Hi David, Adrian, On 22.11.2019 22:39, David Bauer wrote: Hello Adrian, On 11/22/19 2:45 PM, Adrian Schmutzler wrote: This renames all remaining occurrences of "EEPROM" to "art" to further harmonize the partition labelling in ath79. Hmm, I'm not sure if/why we should to these changes. Ubiquiti names these partitions "EEPROM" in their firmware and it contains more information (e.g. board-id / sub-revision) than just the calibration data. Unified and consistent naming of calibration data partition has obvious advantages, like decrease user-space code duplication and limit copy mistakes in future. I don't think this is the first time we change manufacturer partition naming scheme. So: Acked-by: Piotr Dymacz -- Cheers, Piotr Best wishes David Signed-off-by: Adrian Schmutzler --- .../linux/ath79/dts/ar9342_ubnt_lap-120.dts | 2 +- .../ath79/dts/ar9342_ubnt_nanobeam-ac.dts | 2 +- .../dts/ar9342_ubnt_nanostation-ac-loco.dts | 2 +- .../ath79/dts/ar9342_ubnt_nanostation-ac.dts | 4 ++-- target/linux/ath79/dts/ar9342_ubnt_wa.dtsi| 6 +++--- target/linux/ath79/dts/ar9342_ubnt_xw.dtsi| 8 .../linux/ath79/dts/qca9533_ubnt_acb-isp.dts | 10 +- .../ath79/dts/qca9563_ubnt_unifiac-lite.dtsi | 2 +- .../ath79/dts/qca9563_ubnt_unifiac-pro.dtsi | 2 +- .../linux/ath79/dts/qca9563_ubnt_unifiac.dtsi | 6 +++--- .../etc/hotplug.d/firmware/11-ath10k-caldata | 20 +-- 11 files changed, 31 insertions(+), 33 deletions(-) diff --git a/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts b/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts index 82f864b8e3..757654eaee 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts +++ b/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts @@ -26,7 +26,7 @@ /* default for ar934x, except for 1000M and 10M */ pll-data = <0x0600 0x0101 0x1313>; - mtd-mac-address = < 0x0>; + mtd-mac-address = < 0x0>; phy-mode = "rgmii"; phy-handle = <>; 
diff --git a/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts b/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts index 6e64c7faad..30d054dfed 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts +++ b/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts @@ -51,7 +51,7 @@ /* default for ar934x, except for 1000M and 10M */ pll-data = <0x0600 0x0101 0x1313>; - mtd-mac-address = < 0x0>; + mtd-mac-address = < 0x0>; phy-mode = "rgmii"; phy-handle = <>; diff --git a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts index 9b26d1a628..89904721c0 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts +++ b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts @@ -27,7 +27,7 @@ /* default for ar934x, except for 1000M and 10M */ pll-data = <0x0600 0x0101 0x1313>; - mtd-mac-address = < 0x0>; + mtd-mac-address = < 0x0>; phy-mode = "rgmii"; phy-handle = <>; diff --git a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts index b591925154..97597e5f15 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts +++ b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts @@ -58,7 +58,7 @@ /* default for ar934x, except for 1000M and 10M */ pll-data = <0x0600 0x0101 0x1313>; - mtd-mac-address = < 0x0>; + mtd-mac-address = < 0x0>; phy-mode = "rgmii"; phy-handle = <>; @@ -73,5 +73,5 @@ { status = "okay"; - mtd-cal-data = < 0x1000>; + mtd-cal-data = < 0x1000>; }; diff --git a/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi b/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi index 30fa299638..2847d4098c 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi +++ b/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi @@ -75,8 +75,8 @@ read-only; }; - eeprom: partition@ff { - label = "EEPROM"; + art: partition@ff { + label = "art"; reg = <0xff 0x01>; read-only; }; 
@@ -88,5 +88,5 @@ status = "okay"; qca,disable-5ghz; - mtd-cal-data = < 0x1000>; + mtd-cal-data = < 0x1000>; }; diff --git a/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi b/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi index ee42498af1..cf24aba5aa 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi +++ b/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi @@ -103,8 +103,8 @@ read-only; }; - eeprom: partition@7f { - label = "EEPROM"; + art: partition@7f { + label = "art";
Re: [OpenWrt-Devel] [PATCH] ath79: rename EEPROM to art
Hello Adrian, On 11/22/19 2:45 PM, Adrian Schmutzler wrote: > This renames all remaining occurrences of "EEPROM" to "art" to > further harmonize the partition labelling in ath79. Hmm, I'm not sure if/why we should to these changes. Ubiquiti names these partitions "EEPROM" in their firmware and it contains more information (e.g. board-id / sub-revision) than just the calibration data. Best wishes David > > Signed-off-by: Adrian Schmutzler > --- > .../linux/ath79/dts/ar9342_ubnt_lap-120.dts | 2 +- > .../ath79/dts/ar9342_ubnt_nanobeam-ac.dts | 2 +- > .../dts/ar9342_ubnt_nanostation-ac-loco.dts | 2 +- > .../ath79/dts/ar9342_ubnt_nanostation-ac.dts | 4 ++-- > target/linux/ath79/dts/ar9342_ubnt_wa.dtsi| 6 +++--- > target/linux/ath79/dts/ar9342_ubnt_xw.dtsi| 8 > .../linux/ath79/dts/qca9533_ubnt_acb-isp.dts | 10 +- > .../ath79/dts/qca9563_ubnt_unifiac-lite.dtsi | 2 +- > .../ath79/dts/qca9563_ubnt_unifiac-pro.dtsi | 2 +- > .../linux/ath79/dts/qca9563_ubnt_unifiac.dtsi | 6 +++--- > .../etc/hotplug.d/firmware/11-ath10k-caldata | 20 +-- > 11 files changed, 31 insertions(+), 33 deletions(-) > > diff --git a/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts > b/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts > index 82f864b8e3..757654eaee 100644 > --- a/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts > +++ b/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts > @@ -26,7 +26,7 @@ > /* default for ar934x, except for 1000M and 10M */ > pll-data = <0x0600 0x0101 0x1313>; > > - mtd-mac-address = < 0x0>; > + mtd-mac-address = < 0x0>; > > phy-mode = "rgmii"; > phy-handle = <>; > diff --git a/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts > b/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts > index 6e64c7faad..30d054dfed 100644 > --- a/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts > +++ b/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts 
> @@ -51,7 +51,7 @@ > /* default for ar934x, except for 1000M and 10M */ > pll-data = <0x0600 0x0101 0x1313>; > > - mtd-mac-address = < 0x0>; > + mtd-mac-address = < 0x0>; > > phy-mode = "rgmii"; > phy-handle = <>; > diff --git a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts > b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts > index 9b26d1a628..89904721c0 100644 > --- a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts > +++ b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts > @@ -27,7 +27,7 @@ > /* default for ar934x, except for 1000M and 10M */ > pll-data = <0x0600 0x0101 0x1313>; > > - mtd-mac-address = < 0x0>; > + mtd-mac-address = < 0x0>; > > phy-mode = "rgmii"; > phy-handle = <>; > diff --git a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts > b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts > index b591925154..97597e5f15 100644 > --- a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts > +++ b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts > @@ -58,7 +58,7 @@ > /* default for ar934x, except for 1000M and 10M */ > pll-data = <0x0600 0x0101 0x1313>; > > - mtd-mac-address = < 0x0>; > + mtd-mac-address = < 0x0>; > > phy-mode = "rgmii"; > phy-handle = <>; > @@ -73,5 +73,5 @@ > { > status = "okay"; > > - mtd-cal-data = < 0x1000>; > + mtd-cal-data = < 0x1000>; > }; > diff --git a/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi > b/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi > index 30fa299638..2847d4098c 100644 > --- a/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi > +++ b/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi > @@ -75,8 +75,8 @@ > read-only; > }; > > - eeprom: partition@ff { > - label = "EEPROM"; > + art: partition@ff { > + label = "art"; > reg = <0xff 0x01>; > read-only; > }; > @@ -88,5 +88,5 @@ > status = "okay"; > > qca,disable-5ghz; > - mtd-cal-data = < 0x1000>; > + mtd-cal-data = < 0x1000>; > }; 
> diff --git a/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi > b/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi > index ee42498af1..cf24aba5aa 100644 > --- a/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi > +++ b/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi > @@ -103,8 +103,8 @@ > read-only; > }; > > - eeprom: partition@7f { > - label = "EEPROM"; > + art: partition@7f { > + label = "art"; > reg = <0x7f 0x01>; > read-only; > }; > @@ -115,9
Re: [OpenWrt-Devel] [PATCH] mac80211: switch to upstream owl-loader driver
On Monday, 18 November 2019 00:34:01 CET Hauke Mehrtens wrote: > > +--- a/drivers/net/wireless/ath/ath9k/ath9k_pci_owl_loader.c > > b/drivers/net/wireless/ath/ath9k/ath9k_pci_owl_loader.c > > +@@ -84,6 +84,10 @@ > > + val = swahb32(val); > > + } > > + > > ++#ifdef CONFIG_LANTIQ > > ++ val = swab32(val); > > ++#endif > > Lantiq is big endian, are there other big endian system which do not > need this byte swap? >From what I vaguely remember (I know that Mathias explained it to me once.), that special hack was necessary due to Lantiq's pci(e?)-host silicon doing byteswaps just for 32-bit writes. The only other system that uses the owl-loader is ath79/ar71xx. This is a big-endian MIPS as well that didn't need the swap. (That said, I don't remember what was the reason for going with __raw_writel rather than "iowrite32" though. At least ath9k is using it for the pci access just fine everywhere.) Anyone fancy checking out lantiq and ath79 devices with a AR92XX without the swap above and the __raw_writel replaced by iowrite32? > > ++ > > + __raw_writel(val, mem + reg); > > + usleep_range(100, 120); > > + } Regards, Christian ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] 19.07: ath79: remove ath10k drivers from Archer C7 v1 profile
Ath10k packages were removed from ar71xx in master in commit 34113999ef430ce74a627ab6e6a5370aa41c9d20, fixing FS#1743; but ath79 in master and the 19.07 branch still suffer from the issue. Signed-off-by: Stijn Segers --- target/linux/ath79/image/generic-tp-link.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/linux/ath79/image/generic-tp-link.mk b/target/linux/ath79/image/generic-tp-link.mk index ece7284710..b57fc0a57f 100644 --- a/target/linux/ath79/image/generic-tp-link.mk +++ b/target/linux/ath79/image/generic-tp-link.mk @@ -79,7 +79,7 @@ define Device/tplink_archer-c7-v1 $(Device/tplink-8mlzma) ATH_SOC := qca9558 DEVICE_TITLE := TP-Link Archer C7 v1 - DEVICE_PACKAGES := kmod-usb-core kmod-usb2 kmod-usb-ledtrig-usbport kmod-ath10k-ct ath10k-firmware-qca988x-ct + DEVICE_PACKAGES := kmod-usb-core kmod-usb2 kmod-usb-ledtrig-usbport TPLINK_HWID := 0x7501 SUPPORTED_DEVICES += archer-c7 endef -- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] ath79: remove ath10k drivers from Archer C7 v1 profile
Ath10k packages were removed from ar71xx in master in commit 34113999ef430ce74a627ab6e6a5370aa41c9d20, fixing FS#1743; but ath79 in master and the 19.07 branch still suffer from the issue. Signed-off-by: Stijn Segers --- target/linux/ath79/image/generic-tp-link.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/linux/ath79/image/generic-tp-link.mk b/target/linux/ath79/image/generic-tp-link.mk index eeaeaf53f4..ae956eb98e 100644 --- a/target/linux/ath79/image/generic-tp-link.mk +++ b/target/linux/ath79/image/generic-tp-link.mk @@ -123,7 +123,7 @@ define Device/tplink_archer-c7-v1 ATH_SOC := qca9558 DEVICE_MODEL := Archer C7 DEVICE_VARIANT := v1 - DEVICE_PACKAGES := kmod-usb2 kmod-usb-ledtrig-usbport kmod-ath10k-ct ath10k-firmware-qca988x-ct + DEVICE_PACKAGES := kmod-usb2 kmod-usb-ledtrig-usbport TPLINK_HWID := 0x7501 SUPPORTED_DEVICES += archer-c7 endef -- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] dnsmasq: correct sense & usage of dnsseccheckunsigned
dnsmasq v2.80 made 'dnssec-check-unsigned' the default, thus the uci option was rendered ineffectual: we checked unsigned zones no matter the setting. Disabling the checking of unsigned zones is now achieve with the "--dnssec-check-unsigned=no" dnsmasq option. Update init script to pass required option in the disabled case. Signed-off-by: Kevin Darbyshire-Bryant --- package/network/services/dnsmasq/Makefile | 2 +- package/network/services/dnsmasq/files/dnsmasq.init | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index a1b51896a9..c57a837e9e 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_UPSTREAM_VERSION:=2.80 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) -PKG_RELEASE:=14 +PKG_RELEASE:=15 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 1054f7a12a..94a069f1ac 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -966,7 +966,8 @@ dnsmasq_start() [ -f "$TIMEVALIDFILE" ] || xappend "--dnssec-no-timecheck" } } - append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned" + config_get_bool dnsseccheckunsigned "$cfg" dnsseccheckunsigned 1 + [ "$dnsseccheckunsigned" -eq 0 ] && xappend "--dnssec-check-unsigned=no" } config_get addmac "$cfg" addmac 0 -- 2.21.0 (Apple Git-122.2) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
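Review bot: With the new `config_get_bool ... 1` / `xappend "--dnssec-check-unsigned=no"` pair, an existing `option dnsseccheckunsigned '0'` starts to take effect. On upgrade such installs stop verifying that unsigned answers really come from unsigned zones, although per the commit message they were being checked until now; that is worth stating in a comment next to the new lines or in the release notes. A comment such as `# dnsmasq >= 2.80 checks unsigned zones by default; only the explicit opt-out needs an option` would also explain why nothing is appended in the enabled case. The body of dnsmasq_start begins and ends outside the hunk.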
Re: [OpenWrt-Devel] [PATCH 19.07] mac80211: update to version 4.19.85
Tested on ~10 devices. IBSS and AP/STA Tested-by: Koen Vandeputte ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] ath79: rename EEPROM to art
This renames all remaining occurrences of "EEPROM" to "art" to further harmonize the partition labelling in ath79. Signed-off-by: Adrian Schmutzler --- .../linux/ath79/dts/ar9342_ubnt_lap-120.dts | 2 +- .../ath79/dts/ar9342_ubnt_nanobeam-ac.dts | 2 +- .../dts/ar9342_ubnt_nanostation-ac-loco.dts | 2 +- .../ath79/dts/ar9342_ubnt_nanostation-ac.dts | 4 ++-- target/linux/ath79/dts/ar9342_ubnt_wa.dtsi| 6 +++--- target/linux/ath79/dts/ar9342_ubnt_xw.dtsi| 8 .../linux/ath79/dts/qca9533_ubnt_acb-isp.dts | 10 +- .../ath79/dts/qca9563_ubnt_unifiac-lite.dtsi | 2 +- .../ath79/dts/qca9563_ubnt_unifiac-pro.dtsi | 2 +- .../linux/ath79/dts/qca9563_ubnt_unifiac.dtsi | 6 +++--- .../etc/hotplug.d/firmware/11-ath10k-caldata | 20 +-- 11 files changed, 31 insertions(+), 33 deletions(-) diff --git a/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts b/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts index 82f864b8e3..757654eaee 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts +++ b/target/linux/ath79/dts/ar9342_ubnt_lap-120.dts @@ -26,7 +26,7 @@ /* default for ar934x, except for 1000M and 10M */ pll-data = <0x0600 0x0101 0x1313>; - mtd-mac-address = < 0x0>; + mtd-mac-address = < 0x0>; phy-mode = "rgmii"; phy-handle = <>; diff --git a/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts b/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts index 6e64c7faad..30d054dfed 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts +++ b/target/linux/ath79/dts/ar9342_ubnt_nanobeam-ac.dts @@ -51,7 +51,7 @@ /* default for ar934x, except for 1000M and 10M */ pll-data = <0x0600 0x0101 0x1313>; - mtd-mac-address = < 0x0>; + mtd-mac-address = < 0x0>; phy-mode = "rgmii"; phy-handle = <>; diff --git a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts index 9b26d1a628..89904721c0 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts +++ b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac-loco.dts 
@@ -27,7 +27,7 @@ /* default for ar934x, except for 1000M and 10M */ pll-data = <0x0600 0x0101 0x1313>; - mtd-mac-address = < 0x0>; + mtd-mac-address = < 0x0>; phy-mode = "rgmii"; phy-handle = <>; diff --git a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts index b591925154..97597e5f15 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts +++ b/target/linux/ath79/dts/ar9342_ubnt_nanostation-ac.dts @@ -58,7 +58,7 @@ /* default for ar934x, except for 1000M and 10M */ pll-data = <0x0600 0x0101 0x1313>; - mtd-mac-address = < 0x0>; + mtd-mac-address = < 0x0>; phy-mode = "rgmii"; phy-handle = <>; @@ -73,5 +73,5 @@ { status = "okay"; - mtd-cal-data = < 0x1000>; + mtd-cal-data = < 0x1000>; }; diff --git a/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi b/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi index 30fa299638..2847d4098c 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi +++ b/target/linux/ath79/dts/ar9342_ubnt_wa.dtsi @@ -75,8 +75,8 @@ read-only; }; - eeprom: partition@ff { - label = "EEPROM"; + art: partition@ff { + label = "art"; reg = <0xff 0x01>; read-only; }; @@ -88,5 +88,5 @@ status = "okay"; qca,disable-5ghz; - mtd-cal-data = < 0x1000>; + mtd-cal-data = < 0x1000>; }; diff --git a/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi b/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi index ee42498af1..cf24aba5aa 100644 --- a/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi +++ b/target/linux/ath79/dts/ar9342_ubnt_xw.dtsi @@ -103,8 +103,8 @@ read-only; }; - eeprom: partition@7f { - label = "EEPROM"; + art: partition@7f { + label = "art"; reg = <0x7f 0x01>; read-only; }; @@ -115,9 +115,9 @@ { status = "okay"; - mtd-cal-data = < 0x1000>; + mtd-cal-data = < 0x1000>; }; { - mtd-mac-address = < 0x0>; + mtd-mac-address = < 0x0>; }; diff --git a/target/linux/ath79/dts/qca9533_ubnt_acb-isp.dts b/target/linux/ath79/dts/qca9533_ubnt_acb-isp.dts index 629899e1a2..ded95f3a18 100644 
--- a/target/linux/ath79/dts/qca9533_ubnt_acb-isp.dts +++
[OpenWrt-Devel] [PATCH] ath79: fix source of label MAC address for Ubiquiti XM devices
In d421a8b94489 ("ath79: read label MAC address from flash instead of using phy0/phy1") the source of the label MAC address was changed for devices just reading it from phy0. To get rid of the dependency from phy startup, addresses were read directly from the flash locations that are used to initialize the phy MAC addresses. Unfortunately, it turned out that Ubiquiti XM devices seem to have different flash locations than expected, and also seem to have specific locations for different devices (all in art/EEPROM): 0xe012 AR9280 Nanostation M2 - 0x120c 0xe035 AR9280 Nanostation M3 - 0x120c 0xe1b2 AR9280 Rocket M2 - 0x120c 0xe1c3 AR9280 Rocket M3 - 0x120c 0xe1b5 AR9280 Rocket M5 - 0x120c 0xe2d5 AR9280 Bullet M2 Titanium - 0x120c 0xe2b5 AR9280 Nanobridge M5 - 0x120c 0xe202 AR9280 Bullet M2 - 0x120c 0xe232 AR9287 Nanobridge M2 - 0x110c 0xe4a2 AR9285 AirRouter - 0xa0bf Picostation M2 - 0x120c and 0xa0bf Nanostation Loco M2 - not in 0x120c, other locations not checked An additional problem of the Ubiquiti device support in OpenWrt is that we provide images that match several subvariants of the devices, which might have different MAC address locations. Given that reading the address from phy0 in 02_network _is_ working for the ath79 target in general, it does not seem reasonable to rebuild a complex MAC address retrieval mechanism which is already present in the ath9k driver. So, this patch reverts the label MAC address source for Ubiquiti XM devices (and the Unifi AP) to /sys/class/ieee80211/phy0/macaddress. This doesn't affect XW and Unifi AC devices, where the label MAC address source is defined via device tree. For alfa-network,ap121f the location 0x1002 is kept, as this has been verified during device support preparation in PR #2199. Fixes: d421a8b94489 ("ath79: read label MAC address from flash instead of using phy0/phy1") Signed-off-by: Adrian Schmutzler --- .../generic/base-files/etc/board.d/02_network | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) 
diff --git a/target/linux/ath79/generic/base-files/etc/board.d/02_network b/target/linux/ath79/generic/base-files/etc/board.d/02_network index 07f3c4e83c..be6df558a6 100755 --- a/target/linux/ath79/generic/base-files/etc/board.d/02_network +++ b/target/linux/ath79/generic/base-files/etc/board.d/02_network @@ -282,12 +282,7 @@ ath79_setup_macs() lan_mac=$(mtd_get_mac_binary "Board data" 2) label_mac=$lan_mac ;; - alfa-network,ap121f|\ - ubnt,airrouter|\ - ubnt,bullet-m|\ - ubnt,nanostation-m|\ - ubnt,rocket-m|\ - ubnt,unifi) + alfa-network,ap121f) label_mac=$(mtd_get_mac_binary art 0x1002) ;; avm,fritz300e) @@ -392,6 +387,13 @@ ath79_setup_macs() wan_mac=$(mtd_get_mac_text mac 0x18) label_mac=$wan_mac ;; + ubnt,airrouter|\ + ubnt,bullet-m|\ + ubnt,nanostation-m|\ + ubnt,rocket-m|\ + ubnt,unifi) + label_mac=$(cat /sys/class/ieee80211/phy0/macaddress) + ;; ubnt,routerstation|\ ubnt,routerstation-pro) wan_mac=$(fconfig -s -r -d $(find_mtd_part "RedBoot config") -n ar7100_esa) -- 2.20.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
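Review bot: The new `label_mac=$(cat /sys/class/ieee80211/phy0/macaddress)` branch has no guard for the case where phy0 is not registered when 02_network runs; `cat` then prints an error and label_mac is left empty. `label_mac=$(cat /sys/class/ieee80211/phy0/macaddress 2>/dev/null)` keeps that failure quiet, and a one-line comment noting that these boards depend on the wireless driver having created phy0 would record the assumption the commit message spells out. How an empty label_mac is handled is not visible, because ath79_setup_macs continues outside the hunk.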
[OpenWrt-Devel] [PATCH RESEND packages 1/2] openssh: add openwrt failsafe support
The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software.--- Begin Message --- Adds failsafe support to the openssh package. Roughly based on an earlier patch. Ref: https://github.com/openwrt/openwrt/pull/865 Signed-off-by: Jeff Kletsky Signed-off-by: Kyle Copperfield --- net/openssh/Makefile| 1 + net/openssh/files/sshd.failsafe | 31 +++ 2 files changed, 32 insertions(+) create mode 100755 net/openssh/files/sshd.failsafe diff --git a/net/openssh/Makefile b/net/openssh/Makefile index 97b7fc304..3273180af 100644 --- a/net/openssh/Makefile +++ b/net/openssh/Makefile @@ -231,6 +231,7 @@ define Package/openssh-server/install sed -r -i 's,^#(HostKey /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key),\1,' $(1)/etc/ssh/sshd_config $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd + $(INSTALL_BIN) ./files/sshd.failsafe $(1)/lib/preinit/99_10_failsafe_sshd $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/sshd $(1)/usr/sbin/ endef diff --git a/net/openssh/files/sshd.failsafe b/net/openssh/files/sshd.failsafe new file mode 100755 index 0..aee7e7743 --- /dev/null +++ b/net/openssh/files/sshd.failsafe @@ -0,0 +1,31 @@ +#!/bin/sh + +failsafe_sshd () { + + sshd_tmpdir=/tmp/sshd + mkdir ${sshd_tmpdir} + + sed -i 's/^root.*/root::0:17000:/g' /etc/shadow + + for type in ecdsa ed25519; do + key=${sshd_tmpdir}/ssh_host_${type}_key + ssh-keygen -N '' -t ${type} -f ${key} + done + + mkdir -m 0700 -p /var/empty + + cat > ${sshd_tmpdir}/sshd_config <--- End Message --- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
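Review bot: The added `$(INSTALL_BIN) ./files/sshd.failsafe $(1)/lib/preinit/99_10_failsafe_sshd` has no matching `$(INSTALL_DIR) $(1)/lib/preinit` in the visible part of Package/openssh-server/install, so the copy presumably fails unless that directory is created earlier in the define, which starts outside the hunk. Putting `$(INSTALL_DIR) $(1)/lib/preinit` on the line before it would make the step self-contained. The script being installed, as far as it is visible on this page, replaces root's entry in /etc/shadow with an empty password, so a short comment here saying it is meant to run only from failsafe preinit would help anyone auditing the package contents.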
[OpenWrt-Devel] [PATCH RESEND packages 2/2] openssh: update to 8.1p1
The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software.--- Begin Message --- Signed-off-by: Kyle Copperfield --- net/openssh/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/openssh/Makefile b/net/openssh/Makefile index 3273180af..dda3a0398 100644 --- a/net/openssh/Makefile +++ b/net/openssh/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssh -PKG_VERSION:=8.0p1 -PKG_RELEASE:=2 +PKG_VERSION:=8.1p1 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ https://ftp.spline.de/pub/OpenBSD/OpenSSH/portable/ \ https://anorien.csc.warwick.ac.uk/pub/OpenBSD/OpenSSH/portable/ -PKG_HASH:=bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68 +PKG_HASH:=02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff PKG_LICENSE:=BSD ISC PKG_LICENSE_FILES:=LICENCE -- 2.24.0 --- End Message --- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH packages 08/11] utils/checkpolicy: new package
Signed-off-by: Thomas Petazzoni
---
utils/checkpolicy/Makefile | 42 ++
1 file changed, 42 insertions(+)
create mode 100644 utils/checkpolicy/Makefile
diff --git a/utils/checkpolicy/Makefile b/utils/checkpolicy/Makefile
new file mode 100644
index 0..305e3b507
--- /dev/null
+++ b/utils/checkpolicy/Makefile
@@ -0,0 +1,42 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=checkpolicy
+PKG_VERSION:=2.9
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315
+PKG_HASH:=a946c32b284532447857e4c48830f8816867c61220c8c08bdd32e6f691335f8e
+HOST_BUILD_DEPENDS:=libselinux/host
+
+PKG_MAINTAINER:=Thomas Petazzoni
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/checkpolicy
+ SECTION:=utils
+ CATEGORY:=Utilities
+ TITLE:=SELinux policy compiler
+ URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/checkpolicy/description
+ checkpolicy is the SELinux policy compiler. It uses libsepol
+ to generate the binary policy. checkpolicy uses the static
+ libsepol since it deals with low level details of the policy
+ that have not been encapsulated/abstracted by a proper
+ shared library interface.
+endef
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_MAKE_FLAGS += \
+ PREFIX=$(STAGING_DIR_HOSTPKG)
+
+$(eval $(call HostBuild))
+$(eval $(call BuildPackage,checkpolicy))
--
2.23.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
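Review bot: None of the 42 added lines defines `Package/checkpolicy/install`, so the target package registered by `$(eval $(call BuildPackage,checkpolicy))` has no files to ship and is presumably skipped or empty. If only the host tool is wanted, a comment saying so above the two `$(eval ...)` lines would make that intent explicit. The description says the tool links the static libsepol, yet `HOST_BUILD_DEPENDS:=libselinux/host` does not name libsepol; if it is only pulled in transitively, `HOST_BUILD_DEPENDS:=libsepol/host libselinux/host` states the real dependency. The file also carries no `PKG_LICENSE:=` / `PKG_LICENSE_FILES:=` lines for the upstream source.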
[OpenWrt-Devel] [PATCH packages 09/11] admin/refpolicy: new package
Signed-off-by: Thomas Petazzoni
---
admin/refpolicy/Makefile | 78
admin/refpolicy/files/selinux-config | 7 +++
2 files changed, 85 insertions(+)
create mode 100644 admin/refpolicy/Makefile
create mode 100644 admin/refpolicy/files/selinux-config
diff --git a/admin/refpolicy/Makefile b/admin/refpolicy/Makefile
new file mode 100644
index 0..fcf13cedf
--- /dev/null
+++ b/admin/refpolicy/Makefile
@@ -0,0 +1,78 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=refpolicy
+PKG_VERSION:=2.20190201
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201
+PKG_HASH:=ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843
+PKG_INSTALL:=1
+PKG_BUILD_DEPENDS:=checkpolicy/host policycoreutils/host
+
+PKG_MAINTAINER:=Thomas Petazzoni
+
+TAR_OPTIONS:=--transform='s%^refpolicy%$(PKG_NAME)-$(PKG_VERSION)%' -xf -
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/refpolicy
+ SECTION:=admin
+ CATEGORY:=Administration
+ TITLE:=SELinux reference policy
+ URL:=http://selinuxproject.org/page/Main_Page
+ DEPENDS:=+@TARGET_ROOTFS_NEEDS_XATTR
+endef
+
+define Package/refpolicy/description
+ The SELinux Reference Policy project (refpolicy) is a
+ complete SELinux policy that can be used as the system
+ policy for a variety of systems and used as the basis for
+ creating other policies. Reference Policy was originally
+ based on the NSA example policy, but aims to accomplish many
+ additional goals.
+
+ The current refpolicy does not fully support OpenWRT and
+ needs modifications to work with the default system file
+ layout. These changes should be added as patches to the
+ refpolicy that modify a single SELinux policy.
+
+ The refpolicy works for the most part in permissive
+ mode. Only the basic set of utilities are enabled in the
+ example policy config and some of the pathing in the
+ policies is not correct. Individual policies would need to
+ be tweaked to get everything functioning properly.
+endef
+
+# Yes, we want CC=$(HOSTCC) because the only code that checkpolicy
+# builds is a small host tool that gets run as part of the build
+# process.
+MAKE_FLAGS += \
+ TEST_TOOLCHAIN=$(STAGING_DIR_HOSTPKG) \
+ BINDIR=/bin \
+ SBINDIR=/sbin \
+ CC=$(HOSTCC) \
+ CFLAGS=$(HOST_CFLAGS)
+
+define Build/Configure
+ $(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf
+ $(SED) "/NAME/c\NAME = targeted" $(PKG_BUILD_DIR)/build.conf
+ $(call Build/Compile/Default,conf)
+endef
+
+define Package/refpolicy/conffiles
+/etc/selinux/config
+endef
+
+define Package/refpolicy/install
+ $(INSTALL_DIR) $(1)/etc/selinux
+ $(CP) $(PKG_INSTALL_DIR)/etc/selinux/* $(1)/etc/selinux/
+ $(CP) ./files/selinux-config $(1)/etc/selinux/config
+endef
+
+$(eval $(call BuildPackage,refpolicy))
diff --git a/admin/refpolicy/files/selinux-config b/admin/refpolicy/files/selinux-config
new file mode 100644
index 0..2ae174d29
--- /dev/null
+++ b/admin/refpolicy/files/selinux-config
@@ -0,0 +1,7 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive
+SELINUXTYPE=targeted
--
2.23.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
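Review bot: `CFLAGS=$(HOST_CFLAGS)` in the added MAKE_FLAGS is unquoted, so if HOST_CFLAGS holds more than one word and MAKE_FLAGS is expanded on the make command line (as it presumably is), only the first word is assigned and the remaining flags reach make as separate arguments. `CFLAGS="$(HOST_CFLAGS)"` keeps the value together. The comment above the assignment says the host tool is built by checkpolicy, which looks like a leftover in a refpolicy Makefile; `# ... because the only code that refpolicy builds is a small host tool ...` would match the package.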
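Review bot: The shipped default is `SELINUX=permissive`, and nothing in the file tells an administrator that this was chosen because the policy is not yet adapted to the target, so violations are only logged and the package gives no confinement as installed. The reason is given only in the package description in the Makefile. A header comment such as `# Shipped permissive because the reference policy is not yet adapted to the OpenWrt file layout; switch to enforcing only after the policy has been tested on the target.` would put it where the setting is edited.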
[OpenWrt-Devel] [PATCH packages 10/11] libs/libselinux: add support for building the Python bindings
Signed-off-by: Thomas Petazzoni --- libs/libselinux/Makefile | 28 +++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/libs/libselinux/Makefile b/libs/libselinux/Makefile index 30e50a9ba..08b43f0f7 100644 --- a/libs/libselinux/Makefile +++ b/libs/libselinux/Makefile @@ -12,11 +12,13 @@ PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315 PKG_HASH:=1bccc8873e449587d9a2b2cf253de9b89a8291b9fbc7c59393ca9e5f5f4d2693 +PKG_BUILD_DEPENDS:=PACKAGE_python-libselinux:python PACKAGE_python-libselinux:swig/host HOST_BUILD_DEPENDS:=libsepol/host pcre/host PKG_MAINTAINER:=Thomas Petazzoni include $(INCLUDE_DIR)/package.mk +include ../../lang/python/python-package.mk define Package/libselinux SECTION:=libs @@ -26,6 +28,14 @@ define Package/libselinux URL:=http://selinuxproject.org/page/Main_Page endef +define Package/python-libselinux + TITLE:=Python bindings sur the runtime SELinux library + SUBMENU:=Python + SECTION:=lang + CATEGORY:=Languages + DEPENDS:=+python +libselinux +endef + define Package/libselinux/description libselinux is the runtime SELinux library that provides interfaces (e.g. library functions for the SELinux kernel @@ -51,14 +61,28 @@ $(eval $(call HostBuild)) MAKE_FLAGS += \ FTS_LDLIBS=-lfts \ - SHLIBDIR=/usr/lib + SHLIBDIR=/usr/lib \ + PYTHON=$(PYTHON) \ + PYINC="-I $(PYTHON_INC_DIR)" + +ifdef CONFIG_PACKAGE_python-libselinux + define Build/Compile/python-libselinux + $(call Build/Compile/Default,swigify pywrap) + endef + + define Build/Install/python-libselinux + $(call Build/Install/Default,install-pywrap) + endef +endif define Build/Compile $(call Build/Compile/Default,all) + $(Build/Compile/python-libselinux) endef define Build/Install $(call Build/Install/Default,install) + $(Build/Install/python-libselinux) endef define Build/InstallDev 
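Review bot: The TITLE of the new Package/python-libselinux reads `Python bindings sur the runtime SELinux library`; `sur` looks like a slip for `for`, i.e. `TITLE:=Python bindings for the runtime SELinux library`. The visible hunks also add no `Package/python-libselinux/description`, so the package is documented by its title alone; a short description define next to the existing libselinux one would cover that.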
@@ -76,3 +100,5 @@ define Package/libselinux/install endef $(eval $(call BuildPackage,libselinux)) +$(eval $(call PyPackage,python-libselinux)) +$(eval $(call BuildPackage,python-libselinux)) -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH packages 11/11] utils/selinux-python: new package
Signed-off-by: Thomas Petazzoni --- utils/selinux-python/Makefile | 155 ++ .../0001-sepolgen-adjust-data_dir.patch | 26 +++ ...hardcode-search-for-ausearch-in-sbin.patch | 38 + .../0003-Don-t-force-using-python3.patch | 67 4 files changed, 286 insertions(+) create mode 100644 utils/selinux-python/Makefile create mode 100644 utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch create mode 100644 utils/selinux-python/patches/0002-sepolgen-don-t-hardcode-search-for-ausearch-in-sbin.patch create mode 100644 utils/selinux-python/patches/0003-Don-t-force-using-python3.patch diff --git a/utils/selinux-python/Makefile b/utils/selinux-python/Makefile new file mode 100644 index 0..4fd0376b6 --- /dev/null +++ b/utils/selinux-python/Makefile 
@@ -0,0 +1,155 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=selinux-python +PKG_VERSION:=2.9 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315 +PKG_HASH:=3650b5393b0d1790cac66db00e34f059aa91c23cfe3c2559676594e295d75fde +PKG_BUILD_DEPENDS:=PACKAGE_selinux-audit2allow:libsepol + +PKG_MAINTAINER:=Thomas Petazzoni + +include $(INCLUDE_DIR)/package.mk +include ../../lang/python/python-package.mk + +# +# common definitions +# + +define Package/selinux-python/Default + SECTION:=utils + DEPENDS:=+python +python-libselinux + CATEGORY:=Utilities + URL:=http://selinuxproject.org/page/Main_Page +endef + +define Package/selinux-python/Default/description + A set of SELinux tools written in python that help with + managing a system with SELinux enabled. +endef + +MAKE_VARS = \ + PYTHON=$(HOST_PYTHON_BIN) \ + PYTHONLIBDIR=$(PYTHON_PKG_DIR) + +define Build/Compile + $(call Build/Compile/Default,all) +endef + +# +# selinux-audit2allow +# + +define Package/selinux-audit2allow +$(call Package/selinux-python/Default) + TITLE:=selinux-audit2allow + DEPENDS:=+python-sepolgen +libsepol +endef + +define Package/selinux-audit2allow/description +$(call Package/selinux-python/Default/description) + This package contains the audit2allow and audit2why tools. +endef + +define Package/selinux-audit2allow/install + $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/audit2allow DESTDIR=$(1) install + rm -rf $(1)/usr/share/man +endef + +# +# selinux-chchat +# + +define Package/selinux-chcat +$(call Package/selinux-python/Default) + TITLE:=selinux-chcat +endef + +define Package/selinux-chcat/description +$(call Package/selinux-python/Default/description) + This package contains the chcat tool. 
+endef + +define Package/selinux-chcat/install + $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/chcat DESTDIR=$(1) install + rm -rf $(1)/usr/share +endef + +# +# selinux-semanage +# + +define Package/selinux-semanage +$(call Package/selinux-python/Default) + TITLE:=selinux-semanage + DEPENDS:=+python-sepolicy +endef + +define Package/selinux-semanage/description +$(call Package/selinux-python/Default/description) + This package contains the semanage tool. +endef + +define Package/selinux-semanage/install + $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/semanage DESTDIR=$(1) install + rm -rf $(1)/usr/share +endef + +# +# python-sepolgen +# + +define Package/python-sepolgen +$(call Package/selinux-python/Default) + SUBMENU:=Python + SECTION:=lang + CATEGORY:=Languages + TITLE:=python-sepolgen +endef + +define Package/python-sepolgen/description +$(call Package/selinux-python/Default/description) + This package contains the sepolgen Python library. +endef + +define Package/python-sepolgen/install + $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/sepolgen DESTDIR=$(1) install + $(INSTALL_DIR) $(1)/usr/share/sepolgen/ + $(INSTALL_DATA) $(1)/var/lib/sepolgen/perm_map $(1)/usr/share/sepolgen/perm_map + $(RM) -rf $(1)/var +endef + +# +# python-sepolicy +# + +define Package/python-sepolicy +$(call Package/selinux-python/Default) + SUBMENU:=Python + SECTION:=lang + CATEGORY:=Languages + TITLE:=python-sepolicy +endef + +define Package/python-sepolicy/description +$(call Package/selinux-python/Default/description) + This package contains the sepolicy Python library. +endef + +define Package/python-sepolicy/install + $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/sepolicy DESTDIR=$(1) install + rm -rf $(1)/usr/share +endef + +$(eval $(call BuildPackage,selinux-audit2allow)) +$(eval $(call BuildPackage,selinux-chcat)) +$(eval $(call BuildPackage,selinux-semanage)) +$(eval $(call BuildPackage,python-sepolgen)) +$(eval $(call BuildPackage,python-sepolicy)) 
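Review bot: `DEPENDS:=+python-sepolgen +libsepol` in `Package/selinux-audit2allow`, and likewise `DEPENDS:=+python-sepolicy` in `Package/selinux-semanage`, is assigned with `:=` after `$(call Package/selinux-python/Default)`, so it replaces the `+python +python-libselinux` set there instead of extending it. Both tools still receive those packages through python-sepolgen and python-sepolicy, which keep the default, but only indirectly. Writing `DEPENDS+=+python-sepolgen +libsepol` and `DEPENDS+=+python-sepolicy` states the full runtime requirement in each package. The section comment `# selinux-chchat` should also read `# selinux-chcat`.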
diff --git a/utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch b/utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch new file mode 100644 index
[OpenWrt-Devel] [PATCH packages 05/11] libs/libcap-ng: new package
Signed-off-by: Thomas Petazzoni --- libs/libcap-ng/Makefile | 53 + 1 file changed, 53 insertions(+) create mode 100644 libs/libcap-ng/Makefile diff --git a/libs/libcap-ng/Makefile b/libs/libcap-ng/Makefile new file mode 100644 index 0..5cf1f2499 --- /dev/null +++ b/libs/libcap-ng/Makefile 
@@ -0,0 +1,53 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=libcap-ng +PKG_VERSION:=0.7.9 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=http://people.redhat.com/sgrubb/libcap-ng +PKG_HASH:=4a1532bcf3731aade40936f6d6a586ed5a66ca4c7455e1338d1f6c3e09221328 +PKG_INSTALL:=1 + +PKG_MAINTAINER:=Thomas Petazzoni + +include $(INCLUDE_DIR)/package.mk + +define Package/libcap-ng + SECTION:=libs + CATEGORY:=Libraries + TITLE:=POSIX capabilities programming library + URL:=http://people.redhat.com/sgrubb/libcap-ng/ +endef + +define Package/libcap-ng/description + The libcap-ng library is intended to make programming with + posix capabilities much easier than the traditional libcap + library. It includes utilities that can analyse all currently + running applications and print out any capabilities and + whether or not it has an open ended bounding set. +endef #' + +CONFIGURE_ARGS += --without-python +CONFIGURE_VARS += ac_cv_prog_swig_found=no + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libcap-ng.pc $(1)/usr/lib/pkgconfig/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/ +endef + +define Package/libcap-ng/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libcap-ng.so.* $(1)/usr/lib/ +endef + +$(eval $(call BuildPackage,libcap-ng)) -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
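Review bot: `PKG_SOURCE_URL` fetches the tarball over plain `http://`, so the transfer itself is unauthenticated and `PKG_HASH` is the only thing tying the build to the intended source. If the host serves the same path over TLS, `PKG_SOURCE_URL:=https://people.redhat.com/sgrubb/libcap-ng` is the better default, and the `URL:=` field can follow. The same applies to `PKG_SOURCE_URL` in utils/audit/Makefile (people.redhat.com) and in tools/fakeroot/Makefile (snapshot.debian.org) elsewhere in this series.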
[OpenWrt-Devel] [PATCH packages 07/11] utils/policycoreutils: new package
Signed-off-by: Thomas Petazzoni --- utils/policycoreutils/Makefile | 60 ++ 1 file changed, 60 insertions(+) create mode 100644 utils/policycoreutils/Makefile diff --git a/utils/policycoreutils/Makefile b/utils/policycoreutils/Makefile new file mode 100644 index 0..ce3f68692 --- /dev/null +++ b/utils/policycoreutils/Makefile 
@@ -0,0 +1,60 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=policycoreutils +PKG_VERSION:=2.9 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315 +PKG_HASH:=c53c344f28007b3c0742bd958751e9b5d2385898adeb8aec6281ae57342f0f7b +PKG_INSTALL:=1 +HOST_BUILD_DEPENDS:=libsemanage/host + +PKG_MAINTAINER:=Thomas Petazzoni + +include $(INCLUDE_DIR)/package.mk + +define Package/policycoreutils + SECTION:=utils + CATEGORY:=Utilities + DEPENDS:= +libsemanage +libcap-ng + TITLE:=SELinux policy utilities + URL:=http://selinuxproject.org/page/Main_Page +endef + +define Package/policycoreutils/description + Policycoreutils is a collection of policy utilities + (originally the "core" set of utilities needed to use + SELinux, although it has grown a bit over time), which have + different dependencies. sestatus, secon, run_init, and + newrole only use libselinux. load_policy and setfiles only + use libselinux and libsepol. semodule and semanage use + libsemanage (and thus bring in dependencies on libsepol and + libselinux as well). setsebool uses libselinux to make + non-persistent boolean changes (via the kernel interface) + and uses libsemanage to make persistent boolean changes. 
+endef + +include $(INCLUDE_DIR)/host-build.mk + +HOST_MAKE_FLAGS += \ + PREFIX=$(STAGING_DIR_HOSTPKG) \ + SBINDIR=$(STAGING_DIR_HOSTPKG)/sbin \ + ETCDIR=$(STAGING_DIR_HOSTPKG)/etc + +define Package/policycoreutils/install + $(INSTALL_DIR) $(1)/usr/bin + $(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/* $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/sbin + $(CP) $(PKG_INSTALL_DIR)/sbin/* $(1)/sbin/ +endef + +$(eval $(call HostBuild)) +$(eval $(call BuildPackage,policycoreutils)) -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH packages 06/11] libs/libsemanage: new package
Signed-off-by: Thomas Petazzoni --- libs/libsemanage/Makefile | 70 +++ 1 file changed, 70 insertions(+) create mode 100644 libs/libsemanage/Makefile diff --git a/libs/libsemanage/Makefile b/libs/libsemanage/Makefile new file mode 100644 index 0..75aea0305 --- /dev/null +++ b/libs/libsemanage/Makefile 
@@ -0,0 +1,70 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=libsemanage +PKG_VERSION:=2.9 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315 +PKG_HASH:=2576349d344492e73b468059767268dec1dabd8c35f3c7222c3ec2448737bc1c +HOST_BUILD_DEPENDS:=audit/host libselinux/host bzip2/host + +PKG_MAINTAINER:=Thomas Petazzoni + +include $(INCLUDE_DIR)/package.mk + +define Package/libsemanage + SECTION:=libs + DEPENDS:=+libaudit +libselinux +libbz2 + CATEGORY:=Libraries + TITLE:=SELinux policy management library + URL:=http://selinuxproject.org/page/Main_Page +endef + +define Package/libsemanage/description + libsemanage is the policy management library. It uses + libsepol for binary policy manipulation and libselinux for + interacting with the SELinux system. It also exec's helper + programs for loading policy and for checking whether the + file_contexts configuration is valid (load_policy and + setfiles from policycoreutils) presently, although this may + change at least for the bootstrapping case (for rpm). 
+endef #' + +include $(INCLUDE_DIR)/host-build.mk + +HOST_MAKE_FLAGS += \ + PREFIX=$(STAGING_DIR_HOSTPKG) + +define Build/Configure +endef + +define Build/Compile + $(call Build/Compile/Default,all) +endef + +define Build/Install + $(call Build/Install/Default,install) +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libsemanage.pc $(1)/usr/lib/pkgconfig/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/ +endef + +define Package/libsemanage/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libsemanage.so.* $(1)/usr/lib/ +endef + +$(eval $(call HostBuild)) +$(eval $(call BuildPackage,libsemanage)) -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH packages 01/11] libs/pcre: add host variant of libpcre
This is needed to build the host variant of libselinux. Signed-off-by: Thomas Petazzoni --- libs/pcre/Makefile | 11 +++ 1 file changed, 11 insertions(+) diff --git a/libs/pcre/Makefile b/libs/pcre/Makefile index 720142332..29fda6749 100644 --- a/libs/pcre/Makefile +++ b/libs/pcre/Makefile @@ -51,6 +51,17 @@ define Package/libpcrecpp DEPENDS:=+libpcre $(CXX_DEPENDS) endef +include $(INCLUDE_DIR)/host-build.mk + +HOST_CONFIGURE_ARGS += \ + --enable-utf8 \ + --enable-unicode-properties \ + --enable-pcre16 \ + --with-match-limit-recursion=16000 \ + --enable-cpp + +$(eval $(call HostBuild)) + TARGET_CFLAGS += $(FPIC) CONFIGURE_ARGS += \ -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH packages 03/11] libs/libselinux: new package
Signed-off-by: Thomas Petazzoni --- libs/libselinux/Makefile | 78 1 file changed, 78 insertions(+) create mode 100644 libs/libselinux/Makefile diff --git a/libs/libselinux/Makefile b/libs/libselinux/Makefile new file mode 100644 index 0..30e50a9ba --- /dev/null +++ b/libs/libselinux/Makefile 
@@ -0,0 +1,78 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=libselinux +PKG_VERSION:=2.9 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315 +PKG_HASH:=1bccc8873e449587d9a2b2cf253de9b89a8291b9fbc7c59393ca9e5f5f4d2693 +HOST_BUILD_DEPENDS:=libsepol/host pcre/host + +PKG_MAINTAINER:=Thomas Petazzoni + +include $(INCLUDE_DIR)/package.mk + +define Package/libselinux + SECTION:=libs + DEPENDS:=+libsepol +libpcre +musl-fts +@KERNEL_SECURITY +@KERNEL_SECURITY_NETWORK +@KERNEL_SECURITY_SELINUX + CATEGORY:=Libraries + TITLE:=Runtime SELinux library + URL:=http://selinuxproject.org/page/Main_Page +endef + +define Package/libselinux/description + libselinux is the runtime SELinux library that provides + interfaces (e.g. library functions for the SELinux kernel + APIs like getcon(), other support functions like + getseuserbyname()) to SELinux-aware applications. libselinux + may use the shared libsepol to manipulate the binary policy + if necessary (e.g. to downgrade the policy format to an + older version supported by the kernel) when loading policy. +endef + +include $(INCLUDE_DIR)/host-build.mk + +# Needed to link libselinux utilities, which link against +# libselinux.so, which indirectly depends on libpcre.so, installed in +# $(STAGING_DIR_HOSTPKG). 
+HOST_LDFLAGS += -Wl,-rpath="$(STAGING_DIR_HOSTPKG)/lib" + +HOST_MAKE_FLAGS += \ + PREFIX=$(STAGING_DIR_HOSTPKG) \ + SHLIBDIR=$(STAGING_DIR_HOSTPKG)/lib + +$(eval $(call HostBuild)) + +MAKE_FLAGS += \ + FTS_LDLIBS=-lfts \ + SHLIBDIR=/usr/lib + +define Build/Compile + $(call Build/Compile/Default,all) +endef + +define Build/Install + $(call Build/Install/Default,install) +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libselinux.pc $(1)/usr/lib/pkgconfig/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/ +endef + +define Package/libselinux/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libselinux.so.* $(1)/usr/lib/ +endef + +$(eval $(call BuildPackage,libselinux)) -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH packages 02/11] libs/libsepol: new package
Signed-off-by: Thomas Petazzoni --- libs/libsepol/Makefile | 65 ++ 1 file changed, 65 insertions(+) create mode 100644 libs/libsepol/Makefile diff --git a/libs/libsepol/Makefile b/libs/libsepol/Makefile new file mode 100644 index 0..225f74996 --- /dev/null +++ b/libs/libsepol/Makefile 
@@ -0,0 +1,65 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=libsepol +PKG_VERSION:=2.9 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315 +PKG_HASH:=a34b12b038d121e3e459b1cbaca3c9202e983137819c16baf63658390e3f1d5d + +PKG_MAINTAINER:=Thomas Petazzoni + +include $(INCLUDE_DIR)/package.mk + +define Package/libsepol + SECTION:=libs + CATEGORY:=Libraries + TITLE:=SELinux binary policy manipulation library + URL:=http://selinuxproject.org/page/Main_Page +endef + +define Package/libsepol/description + Libsepol is the binary policy manipulation library. It doesn't + depend upon or use any of the other SELinux components. +endef #' + +include $(INCLUDE_DIR)/host-build.mk + +HOST_MAKE_FLAGS += \ + PREFIX=$(STAGING_DIR_HOSTPKG) \ + SHLIBDIR=$(STAGING_DIR_HOSTPKG)/lib + +$(eval $(call HostBuild)) + +MAKE_FLAGS += \ + SHLIBDIR=/usr/lib + +define Build/Compile + $(call Build/Compile/Default,all) +endef + +define Build/Install + $(call Build/Install/Default,install) +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libsepol.pc $(1)/usr/lib/pkgconfig/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/ +endef + +define Package/libsepol/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libsepol.so.* $(1)/usr/lib/ +endef + +$(eval $(call BuildPackage,libsepol)) -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 1/7] package/utils/busybox: add optional selinux support
Signed-off-by: Thomas Petazzoni --- package/utils/busybox/Makefile | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile index c0f3007e5d..bad4598525 100644 --- a/package/utils/busybox/Makefile +++ b/package/utils/busybox/Makefile @@ -17,7 +17,7 @@ PKG_SOURCE_URL:=https://www.busybox.net/downloads \ http://sources.buildroot.net PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998 -PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam +PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam BUSYBOX_CONFIG_SELINUX:libselinux PKG_BUILD_PARALLEL:=1 PKG_CHECK_FORMAT_SECURITY:=0 @@ -45,7 +45,7 @@ define Package/busybox MAINTAINER:=Felix Fietkau TITLE:=Core utilities for embedded Linux URL:=http://busybox.net/ - DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter + DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter +BUSYBOX_CONFIG_SELINUX:libselinux MENU:=1 endef @@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread) ifeq ($(CONFIG_USE_GLIBC),y) LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv) endif +ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y) + LDLIBS += selinux sepol +endif TARGET_CFLAGS += -flto TARGET_LDFLAGS += -flto=jobserver -fuse-linker-plugin -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
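Review bot: The new `ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y)` block in the third hunk adds the libraries by hand, while the `LDLIBS` lines visible in the hunk header and context use the `BUSYBOX_IF_ENABLED` helper. Assuming the helper keys on the option name as it does for PAM, `LDLIBS += $(call BUSYBOX_IF_ENABLED,SELINUX,selinux sepol)` would replace the three added lines and keep the file consistent. Note also that `sepol` is linked directly while `DEPENDS` and `PKG_BUILD_DEPENDS` name only libselinux; that holds only as long as libselinux keeps pulling in libsepol, which deserves a short comment.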
[OpenWrt-Devel] [PATCH packages 04/11] utils/audit: new package
Signed-off-by: Thomas Petazzoni --- utils/audit/Makefile | 125 utils/audit/files/audit.init | 16 +++ ...tue-functions-for-strndupa-rawmemchr.patch | 133 ++ 3 files changed, 274 insertions(+) create mode 100644 utils/audit/Makefile create mode 100644 utils/audit/files/audit.init create mode 100644 utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch diff --git a/utils/audit/Makefile b/utils/audit/Makefile new file mode 100644 index 0..16ee560a1 --- /dev/null +++ b/utils/audit/Makefile 
@@ -0,0 +1,125 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=audit +PKG_VERSION:=2.8.5 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=http://people.redhat.com/sgrubb/audit +PKG_HASH:=0e5d4103646e00f8d1981e1cd2faea7a2ae28e854c31a803e907a383c5e2ecb7 + +PKG_MAINTAINER:=Thomas Petazzoni +PKG_FIXUP:=autoreconf + +include $(INCLUDE_DIR)/package.mk + +define Package/audit/Default + SECTION:=utils + TITLE:=Audit Daemon + URL:=http://people.redhat.com/sgrubb/audit/ +endef + +define Package/audit/Default/description + The audit package contains the user space utilities for + storing and searching the audit records generated by + the audit subsystem in the Linux 2.6 kernel +endef + +define Package/libaudit +$(call Package/audit/Default) + CATEGORY:=Libraries + TITLE+= (library) + DEPENDS:=+@KERNEL_AUDIT +endef + +define Package/libaudit/description +$(call Package/audit/Default/description) + This package contains the audit shared library. +endef + +define Package/audit +$(call Package/audit/Default) + CATEGORY:=Utilities + TITLE+= (daemon) + DEPENDS:= +libaudit +endef + +define Package/audit/description +$(call Package/audit/Default/description) + This package contains the audit daemon. +endef + +CONFIGURE_VARS += \ + LDFLAGS_FOR_BUILD="$(HOST_LDFLAGS)" \ + CPPFLAGS_FOR_BUILD="$(HOST_CPPFLAGS)" \ + CFLAGS_FOR_BUILD="$(HOST_CFLAGS)" \ + CC_FOR_BUILD="$(HOSTCC)" + +CONFIGURE_ARGS += \ + --without-libcap-ng \ + --disable-systemd \ + --without-python \ + --without-python3 \ + --disable-zos-remote + +ifeq ($(ARCH),aarch64) +CONFIGURE_ARGS += --with-aarch64 +else ifeq ($(ARCH),arm) +CONFIGURE_ARGS += --with-arm +endif + +# We can't use the default, as the default passes $(MAKE_ARGS), which +# overrides CC, CFLAGS, etc. 
and defeats the *_FOR_BUILD definitions +# passed in CONFIGURE_VARS +define Build/Compile + $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(MAKE_PATH) +endef + +define Build/Install + $(call Build/Install/Default,install) + $(SED) 's%^dispatcher *=.*%dispatcher = /usr/sbin/audispd%' $(PKG_INSTALL_DIR)/etc/audit/auditd.conf +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc $(1)/usr/lib/pkgconfig/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/ +endef + +define Package/libaudit/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so.* $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/etc + $(CP) $(PKG_INSTALL_DIR)/etc/libaudit.conf $(1)/etc/ +endef + +define Package/audit/install + $(INSTALL_DIR) $(1)/usr/bin + $(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/* $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/etc/audit + $(CP) $(PKG_INSTALL_DIR)/etc/audit/* $(1)/etc/audit/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/audit.init $(1)/etc/init.d/audit +endef + +include $(INCLUDE_DIR)/host-build.mk + +HOST_CONFIGURE_ARGS += \ +--without-python \ +--without-python3 \ +--disable-zos-remote \ +--without-libcap-ng + +$(eval $(call HostBuild)) +$(eval $(call BuildPackage,libaudit)) +$(eval $(call BuildPackage,audit)) diff --git a/utils/audit/files/audit.init b/utils/audit/files/audit.init new file mode 100644 index 0..4a9f53884 --- /dev/null +++ b/utils/audit/files/audit.init 
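Review bot: `Package/audit/install` and `Package/libaudit/install` ship `/etc/audit/*` and `/etc/libaudit.conf`, but neither package declares `conffiles`, so local edits to the audit configuration are not marked for preservation. The refpolicy Makefile in this series does declare `/etc/selinux/config` that way. I would add a `Package/audit/conffiles` block listing at least `/etc/audit/auditd.conf` and `/etc/audit/rules.d/audit.rules`, the two paths this patch itself refers to, and a `Package/libaudit/conffiles` block for `/etc/libaudit.conf`. Audit rules are security configuration that an administrator is expected to tune, so they should survive an upgrade.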
@@ -0,0 +1,16 @@ +#!/bin/sh /etc/rc.common +# Copyright (c) 2014 OpenWrt.org + +START=11 + +USE_PROCD=1 +PROG=/usr/sbin/auditd + +start_service() { + mkdir -p /var/log/audit + procd_open_instance + procd_set_param command "$PROG" -n + procd_set_param respawn + procd_close_instance + test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules +} diff --git a/utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch
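Review bot: `mkdir -p /var/log/audit` in `start_service` creates the log directory with whatever mode the current umask gives, and audit records are sensitive enough that the directory should be restricted explicitly. I would write `mkdir -m 0700 -p /var/log/audit`. Separately, the closing `test -f ... && /usr/sbin/auditctl -R ...` line makes `start_service` return non-zero whenever the rules file is absent, and a failed rule load is not reported anywhere. An `if` block around the `auditctl` call that logs a failure would make both cases explicit.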
[OpenWrt-Devel] [PATCH 6/7] config/Config-kernel.in: add various options needed for SELinux
This commit adds a small number of options to config/Config-kernel.in so that packages related to SELinux support can enable the appropriate Linux kernel support. Signed-off-by: Thomas Petazzoni --- config/Config-kernel.in | 12 1 file changed, 12 insertions(+) diff --git a/config/Config-kernel.in b/config/Config-kernel.in index 7f8c63f25d..2aa059e56b 100644 --- a/config/Config-kernel.in +++ b/config/Config-kernel.in @@ -863,3 +863,15 @@ config KERNEL_CC_OPTIMIZE_FOR_SIZE your compiler resulting in a smaller kernel. endchoice + +config KERNEL_AUDIT + bool "Auditing support" + +config KERNEL_SECURITY + bool "Enable different security models" + +config KERNEL_SECURITY_NETWORK + bool "Socket and Networking Security Hooks" + +config KERNEL_SECURITY_SELINUX + bool "NSA SELinux Support" -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
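Review bot: The four new symbols are independent bools, so `KERNEL_SECURITY_SELINUX` can be enabled without `KERNEL_SECURITY`, `KERNEL_SECURITY_NETWORK` or `KERNEL_AUDIT`. The kernel's own SELinux option depends on the corresponding kernel symbols, so, if these map one-to-one as the names suggest, such a selection would produce a kernel that quietly drops SELinux while the image still carries the userspace. Under `config KERNEL_SECURITY_SELINUX` I would add `select KERNEL_SECURITY`, `select KERNEL_SECURITY_NETWORK` and `select KERNEL_AUDIT`. A short `help` text on each entry, as the option above the hunk has, would also tell users what they are turning on.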
[OpenWrt-Devel] [PATCH 3/7] tools/fakeroot: new tool
SELinux support requires setting the appropriate SELinux security context to files and directories, which needs to happen at build time in order to support read-only root filesystem scenarios. In order to create these security contexts, we will have to run some SELinux-specific tool on the host machine, but that requires root access. So this tool adds support for fakeroot, which will be used to run the SELinux security context creation and the image creation. Signed-off-by: Thomas Petazzoni --- tools/Makefile | 2 +- tools/fakeroot/Makefile | 20 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 tools/fakeroot/Makefile diff --git a/tools/Makefile b/tools/Makefile index 2f57d25525..fd67a880de 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -26,7 +26,7 @@ tools-y += m4 libtool autoconf automake flex bison pkg-config mklibs zlib tools-y += sstrip make-ext4fs e2fsprogs mtd-utils mkimage tools-y += firmware-utils patch-image quilt padjffs2 tools-y += mm-macros missing-macros cmake bc findutils gengetopt patchelf -tools-y += mtools dosfstools libressl +tools-y += mtools dosfstools libressl fakeroot tools-$(CONFIG_TARGET_orion_generic) += wrt350nv2-builder upslug2 tools-$(CONFIG_TARGET_x86) += qemu tools-$(CONFIG_TARGET_mxs) += elftosb sdimage diff --git a/tools/fakeroot/Makefile b/tools/fakeroot/Makefile new file mode 100644 index 00..04d9a0dd60 --- /dev/null +++ b/tools/fakeroot/Makefile 
@@ -0,0 +1,20 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# +include $(TOPDIR)/rules.mk + +PKG_NAME:=fakeroot +PKG_VERSION:=1.20.2 + +PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).orig.tar.bz2 +PKG_SOURCE_URL:=http://snapshot.debian.org/archive/debian/20141005T221953Z/pool/main/f/fakeroot +PKG_HASH:=7c0a164d19db3efa9e802e0fc7cdfeff70ec6d26cdbdc4338c9c2823c5ea230c + +include $(INCLUDE_DIR)/host-build.mk + +HOST_CONFIGURE_VARS += \ + ac_cv_header_sys_capability_h=no \ + ac_cv_func_capset=no + +$(eval $(call HostBuild)) -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
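Review bot: `HOST_CONFIGURE_VARS` forces `ac_cv_header_sys_capability_h=no` and `ac_cv_func_capset=no` with no comment saying why capability support is switched off. Presumably this keeps the host tool from depending on libcap headers found on the build machine. A one-line comment above the assignment stating the actual reason, e.g. `# Do not pick up libcap from the build host`, would spare the next maintainer from guessing.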
[OpenWrt-Devel] [PATCH 5/7] config/Config-kernel.in: add option to enable squashfs xattr support
Extended attribute support is needed to run a SELinux-enabled system, as SELinux security contexts are stored as extended attributes. Signed-off-by: Thomas Petazzoni --- config/Config-kernel.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/Config-kernel.in b/config/Config-kernel.in index bdb6b91cbb..7f8c63f25d 100644 --- a/config/Config-kernel.in +++ b/config/Config-kernel.in @@ -839,6 +839,9 @@ config KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE default 2 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT) default 3 +config KERNEL_SQUASHFS_XATTR + bool "Squashfs XATTR support" + # # compile optimiziation setting # -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes
Hello, This patch series is one part of the changes needed to bring minimal SELinux support to OpenWrt. SELinux is a mandatory access control Linux security module, which I assume most if not all OpenWrt users are already familiar with. The work presented in these patch series presents a minimal integration, in the sense that it allows to: (1) Build all the important SELinux components, both on the build system (for example to compile a SELinux policy) and on the target system (libselinux, policy management tools, etc.) (2) Set the SELinux security contexts on the files in the filesystem image generated by OpenWrt. (3) Compile the SELinux policy on the build machine, and integrate the compiled SELinux policy in the target filesystem. (4) Load at boot time the SELinux policy and enable it. The provided SELinux policy is the default SELinux policy from the upstream project: it has not been tuned specifically for OpenWrt. There are two patch series for this work: - One for OpenWrt itself - One for the OpenWrt packages feed (this patch series) OpenWrt changes === This patch series brings the following changes: - Allow to build Busybox with SELinux support, mainly to get -Z option support in several commands. This requires linking against libselinux, which is provided in the packages feeds as part of the second patch series. - Addition of minimal SELinux support in procd, to load the SELinux policy at boot time. The patch has been submitted separately to procd, and is being discussed. - Addition of the fakeroot tool, which we need when generating the filesystem image to run the SELinux command "setfiles" that sets the appropriate security context for the files in the filesystem. It obviously requires root access, which is why it is executed under fakeroot. - Addition of support for generating a SquashFS image with the SELinux security contexts defined. It could be extended to other filesystem formats of course. 
- Add some logic to be able to enable SquashFS extended attribute support in the kernel configuration, as well as SELinux support. - Enable extended attribute support in mksquashfs. OpenWrt packages feed changes = This patch series brings new packages for the different user-space components of SELinux and their dependencies: - libsepol - libselinux, including its Python bindings - audit - libcap-ng - libsemanage - policycoreutils - checkpolicy - refpolicy - selinux-python These are pretty regular packages. I'm looking forward to the feedback of the OpenWrt community on this proposal. Best regards, Thomas Petazzoni Thomas Petazzoni (11): libs/pcre: add host variant of libpcre libs/libsepol: new package libs/libselinux: new package utils/audit: new package libs/libcap-ng: new package libs/libsemanage: new package utils/policycoreutils: new package utils/checkpolicy: new package admin/refpolicy: new package libs/libselinux: add support for building the Python bindings utils/selinux-python: new package admin/refpolicy/Makefile | 78 + admin/refpolicy/files/selinux-config | 7 + libs/libcap-ng/Makefile | 53 ++ libs/libselinux/Makefile | 104 libs/libsemanage/Makefile | 70 libs/libsepol/Makefile| 65 libs/pcre/Makefile| 11 ++ utils/audit/Makefile | 125 ++ utils/audit/files/audit.init | 16 ++ ...tue-functions-for-strndupa-rawmemchr.patch | 133 +++ utils/checkpolicy/Makefile| 42 + utils/policycoreutils/Makefile| 60 +++ utils/selinux-python/Makefile | 155 ++ .../0001-sepolgen-adjust-data_dir.patch | 26 +++ ...hardcode-search-for-ausearch-in-sbin.patch | 38 + .../0003-Don-t-force-using-python3.patch | 67 16 files changed, 1050 insertions(+) create mode 100644 admin/refpolicy/Makefile create mode 100644 admin/refpolicy/files/selinux-config create mode 100644 libs/libcap-ng/Makefile create mode 100644 libs/libselinux/Makefile create mode 100644 libs/libsemanage/Makefile create mode 100644 libs/libsepol/Makefile create mode 100644 utils/audit/Makefile create mode 100644 
utils/audit/files/audit.init create mode 100644 utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch create mode 100644 utils/checkpolicy/Makefile create mode 100644 utils/policycoreutils/Makefile create mode 100644 utils/selinux-python/Makefile create mode 100644 utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch create mode 100644 utils/selinux-python/patches/0002-sepolgen-don-t-hardcode-search-for-ausearch-in-sbin.patch create mode 100644
[OpenWrt-Devel] [PATCH 2/7] package/system/procd: add SELinux support
This commit adds a patch to procd to support loading the SELinux policy early at boot time, and adjusts the procd package to use this SELinux support when libselinux is enabled. The procd patch has been submitted separately [1]: obviously the intent is to have it merged in the procd Git repository rather than have it in OpenWrt itself. [1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/020070.html Signed-off-by: Thomas Petazzoni --- package/system/procd/Makefile | 5 +- ...inimal-SELinux-policy-loading-suppor.patch | 110 ++ 2 files changed, 113 insertions(+), 2 deletions(-) create mode 100644 package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile index c4b86ba746..53d9e1120f 100644 --- a/package/system/procd/Makefile +++ b/package/system/procd/Makefile @@ -43,7 +43,7 @@ TARGET_LDFLAGS += -flto define Package/procd SECTION:=base CATEGORY:=Base system - DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox +libubus +libblobmsg-json +libjson-c + DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox +libubus +libblobmsg-json +libjson-c +PACKAGE_libselinux:libselinux TITLE:=OpenWrt system process manager USERID:=:dialout=20 :audio=29 endef @@ -92,7 +92,8 @@ ifdef CONFIG_PACKAGE_procd-ujail endif SECCOMP=$(if $(CONFIG_PACKAGE_procd-seccomp),1,0) -CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP) +SELINUX=$(if $(CONFIG_PACKAGE_libselinux),1,0) +CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP) -DSELINUX=$(SELINUX) define Package/procd/install $(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions diff --git a/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch b/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch new file mode 100644 index 00..cfab059b40 --- /dev/null 
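Review bot: `SELINUX=$(if $(CONFIG_PACKAGE_libselinux),1,0)` turns on policy loading in init as a side effect of the library package being selected, and the `$(if ...)` is true for `m` as well as `y`. This changes what PID 1 does at boot, since the added procd patch loads the policy and re-executes init, so an explicit switch is easier to audit than an implicit one. A dedicated config symbol for procd's SELinux support, used both in `DEPENDS` and for `-DSELINUX=`, would make the choice visible in the build configuration. If the implicit coupling is kept, a comment above the `SELINUX=` line should say that selecting libselinux changes init.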
+++ b/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch 
@@ -0,0 +1,110 @@ +From fe74ad8b11977d0ced5c44f5e389c50ee70bc008 Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Thu, 23 May 2019 13:57:30 +0200 +Subject: [PATCH] initd/init: add minimal SELinux policy loading support + +In order to support SELinux in OpenWRT, this commit introduces minimal +support for loading the SELinux policy in the init code. The logic is +very much inspired from what Busybox is doing: call +selinux_init_load_policy() from libselinux, and then re-execute init +so that it runs with the SELinux policy in place and enforced. + +Signed-off-by: Thomas Petazzoni +--- + CMakeLists.txt | 9 - + initd/init.c | 38 ++ + 2 files changed, 46 insertions(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 4b3eebd..865e43c 100644 +--- a/CMakeLists.txt b/CMakeLists.txt +@@ -40,6 +40,12 @@ IF(ZRAM_TMPFS) + SET(SOURCES_ZRAM initd/zram.c) + ENDIF() + ++IF(SELINUX) ++ include(FindPkgConfig) ++ pkg_search_module(SELINUX REQUIRED libselinux) ++ add_compile_definitions(WITH_SELINUX) ++ENDIF() ++ + add_subdirectory(upgraded) + + ADD_EXECUTABLE(procd ${SOURCES}) +@@ -56,7 +62,8 @@ ADD_DEFINITIONS(-DDISABLE_INIT) + ELSE() + ADD_EXECUTABLE(init initd/init.c initd/early.c initd/preinit.c initd/mkdev.c sysupgrade.c watchdog.c + utils/utils.c ${SOURCES_ZRAM}) +-TARGET_LINK_LIBRARIES(init ${LIBS}) ++TARGET_INCLUDE_DIRECTORIES(init PUBLIC ${SELINUX_INCLUDE_DIRS}) ++TARGET_LINK_LIBRARIES(init ${LIBS} ${SELINUX_LIBRARIES}) + INSTALL(TARGETS init + RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR} + ) +diff --git a/initd/init.c b/initd/init.c +index 29eee50..561970c 100644 +--- a/initd/init.c b/initd/init.c +@@ -29,6 +29,10 @@ + #include + #include + ++#if defined(WITH_SELINUX) ++#include ++#endif ++ + #include "../utils/utils.h" + #include "init.h" + #include "../watchdog.h" +@@ -67,6 +71,38 @@ cmdline(void) + } + } + ++#if defined(WITH_SELINUX) ++static int ++selinux(char **argv) ++{ ++ int enforce = 0; ++ int ret; ++ ++ /* SELinux already initialized */ 
++ if (getenv("SELINUX_INIT")) ++ return 0; ++ ++ putenv("SELINUX_INIT=1"); ++ ++ ret = selinux_init_load_policy(); ++ if (ret == 0) ++ execv(argv[0], argv); ++ ++ if (enforce > 0) { ++ fprintf(stderr, "Cannot load SELinux policy, but system in enforcing mode. Halting.\n"); ++ return 1; ++ } ++ ++ return 0; ++} ++#else ++static int ++selinux(char **argv) ++{ ++ return 0; ++} ++#endif ++ + int + main(int argc, char **argv) + { +@@ -79,6 +115,8 @@ main(int argc, char **argv) + sigaction(SIGUSR2, _shutdown, NULL); + sigaction(SIGPWR, _shutdown, NULL); + ++ if (selinux(argv)) ++ exit(-1); +
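Review bot: In the added `selinux()` helper the return of `execv(argv[0], argv)` is not handled, so if the re-exec fails after a successful policy load, control falls through and, unless `enforce` is positive, init carries on as the original process with nothing logged. Report it explicitly, e.g. `if (ret == 0) { execv(argv[0], argv); perror("execv"); }`, and print a warning when the policy fails to load in non-enforcing mode instead of returning 0 silently. The re-exec guard is the `SELINUX_INIT` environment variable, which stays set for whatever init starts later; because the kernel hands unrecognised `name=value` boot parameters to init as environment, a preset value would also skip policy loading, so a comment stating that trust assumption would help. As rendered here `selinux_init_load_policy()` takes no argument and `enforce` is never written, which may be an artefact of the page dropping `&`-prefixed tokens. The `main()` hunk is cut off on this page after `exit(-1);`, so the rest of that function is not visible.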
[OpenWrt-Devel] [PATCH 7/7] tools/squashfs4: enable xattr support
xattr support in mksquashfs is needed to be able to store SELinux security contexts. Signed-off-by: Thomas Petazzoni --- tools/squashfskit4/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/squashfskit4/Makefile b/tools/squashfskit4/Makefile index 4808c5607f..a54d86be4d 100644 --- a/tools/squashfskit4/Makefile +++ b/tools/squashfskit4/Makefile @@ -22,7 +22,7 @@ define Host/Compile $(MAKE) -C $(HOST_BUILD_DIR)/squashfs-tools \ XZ_SUPPORT=1 \ LZMA_XZ_SUPPORT=1 \ - XATTR_SUPPORT= \ + XATTR_SUPPORT=1 \ LZMA_LIB="$(STAGING_DIR_HOST)/lib/liblzma.a" \ EXTRA_CFLAGS="-I$(STAGING_DIR_HOST)/include" \ mksquashfs unsquashfs -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
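Review bot: With `XATTR_SUPPORT=1` the host `mksquashfs4` can store extended attributes for every image, not only SELinux-enabled ones, and the non-SELinux `Image/mkfs/squashfs` path shown in the include/image.mk patch of this series does not opt out. Assuming the squashfs-tools default of storing xattrs when support is compiled in, images built without refpolicy could pick up whatever attributes exist on the staged root, for example `security.selinux` labels inherited from a labelled build machine. Passing `-no-xattrs` to `mksquashfs4` in the path that does not run `setfiles` would keep those images unchanged and reproducible.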
[OpenWrt-Devel] [PATCH 4/7] include/image.mk: implement SELinux squashfs image generation
Signed-off-by: Thomas Petazzoni --- include/image.mk | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/include/image.mk b/include/image.mk index 8592c19b99..86b3edeb87 100644 --- a/include/image.mk +++ b/include/image.mk @@ -239,13 +239,26 @@ endef $(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S $(eval $(foreach S,$(NAND_BLOCKSIZE),$(call Image/mkfs/jffs2-nand/template,$(S -define Image/mkfs/squashfs +define Image/mkfs/squashfs-common $(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \ -nopad -noappend -root-owned \ -comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \ -processors 1 endef +ifeq ($(CONFIG_PACKAGE_refpolicy),y) +define Image/mkfs/squashfs + echo "LD_LIBRARY_PATH=\$$LD_LIBRARY_PATH:$(STAGING_DIR_HOSTPKG)/lib $(STAGING_DIR_HOSTPKG)/sbin/setfiles -r $(call mkfs_target_dir,$(1)) $(call mkfs_target_dir,$(1))/etc/selinux/targeted/contexts/files/file_contexts $(call mkfs_target_dir,$(1))" > $@.fakeroot-script + echo "$(Image/mkfs/squashfs-common)" >> $@.fakeroot-script + chmod +x $@.fakeroot-script + $(STAGING_DIR_HOST)/bin/fakeroot $@.fakeroot-script +endef +else +define Image/mkfs/squashfs + $(call Image/mkfs/squashfs-common,$(1)) +endef +endif + # $(1): board name # $(2): rootfs type # $(3): kernel image -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
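Review bot: The generated `$@.fakeroot-script` runs `setfiles` and then `mksquashfs4` as two independent lines with no `set -e`, so if labelling fails (for instance on a missing `file_contexts`) the image is presumably still built and the build succeeds with unlabelled files. Start the script with `echo "set -e" > $@.fakeroot-script` and switch the `setfiles` line to `>>`, or join the two commands with `&&`. Both commands are written into the script through a double-quoted `echo`, so a path or `$(SQUASHFSOPT)` value containing quotes, `$` or spaces is re-interpreted by the shell. `\$$LD_LIBRARY_PATH:…` also leaves an empty leading entry, which the dynamic loader treats as the current directory, when the variable is unset or empty. The commit message has no body; a sentence explaining why the labelling has to run under fakeroot would help reviewers.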
[OpenWrt-Devel] [PATCH 0/7] SELinux support: core OpenWrt changes
Hello, This patch series is one part of the changes needed to bring minimal SELinux support to OpenWrt. SELinux is a mandatory access control Linux security module, which I assume most if not all OpenWrt users are already familiar with. The work presented in these patch series presents a minimal integration, in the sense that it allows to: (1) Build all the important SELinux components, both on the build system (for example to compile a SELinux policy) and on the target system (libselinux, policy management tools, etc.) (2) Set the SELinux security contexts on the files in the filesystem image generated by OpenWrt. (3) Compile the SELinux policy on the build machine, and integrate the compiled SELinux policy in the target filesystem. (4) Load at boot time the SELinux policy and enable it. The provided SELinux policy is the default SELinux policy from the upstream project: it has not been tuned specifically for OpenWrt. There are two patch series for this work: - One for OpenWrt itself (this patch series) - One for the OpenWrt packages feed OpenWrt changes === This patch series brings the following changes: - Allow to build Busybox with SELinux support, mainly to get -Z option support in several commands. This requires linking against libselinux, which is provided in the packages feeds as part of the second patch series. - Addition of minimal SELinux support in procd, to load the SELinux policy at boot time. The patch has been submitted separately to procd, and is being discussed. - Addition of the fakeroot tool, which we need when generating the filesystem image to run the SELinux command "setfiles" that sets the appropriate security context for the files in the filesystem. It obviously requires root access, which is why it is executed under fakeroot. - Addition of support for generating a SquashFS image with the SELinux security contexts defined. It could be extended to other filesystem formats of course. 
- Add some logic to be able to enable SquashFS extended attribute support in the kernel configuration, as well as SELinux support. - Enable extended attribute support in mksquashfs. OpenWrt packages feed changes = This patch series brings new packages for the different user-space components of SELinux and their dependencies: - libsepol - libselinux, including its Python bindings - audit - libcap-ng - libsemanage - policycoreutils - checkpolicy - refpolicy - selinux-python These are pretty regular packages. I'm looking forward to the feedback of the OpenWrt community on this proposal. Best regards, Thomas Petazzoni Thomas Petazzoni (7): package/utils/busybox: add optional selinux support package/system/procd: add SELinux support tools/fakeroot: new tool include/image.mk: implement SELinux squashfs image generation config/Config-kernel.in: add option to enable squashfs xattr support config/Config-kernel.in: add various options needed for SELinux tools/squashfs4: enable xattr support config/Config-kernel.in | 15 +++ include/image.mk | 15 ++- package/system/procd/Makefile | 5 +- ...inimal-SELinux-policy-loading-suppor.patch | 110 ++ package/utils/busybox/Makefile| 7 +- tools/Makefile| 2 +- tools/fakeroot/Makefile | 20 tools/squashfskit4/Makefile | 2 +- 8 files changed, 169 insertions(+), 7 deletions(-) create mode 100644 package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch create mode 100644 tools/fakeroot/Makefile -- 2.23.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel