Merge Mainline

config/Config-build.in

@@ -317,4 +317,14 @@ menu "Global build settings"
 			bool "Full"
 	endchoice
 
+	config TARGET_ROOTFS_SECURITY_LABELS
+		bool "Enable rootfs security labels"
+		select KERNEL_SQUASHFS_XATTR
+		select KERNEL_EXT4_FS_SECURITY
+		select KERNEL_F2FS_FS_SECURITY
+		select KERNEL_UBIFS_FS_SECURITY
+		select KERNEL_JFFS2_FS_SECURITY
+		select PACKAGE_refpolicy
+		help
+		  This option enables the usage of SELinux labels
 endmenu

config/Config-kernel.in

@@ -894,6 +894,9 @@ config KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE
 	default 2 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
 	default 3
 
+config KERNEL_SQUASHFS_XATTR
+	bool "Squashfs XATTR support"
+
 #
 # compile optimiziation setting
 #
@@ -915,3 +918,55 @@ config KERNEL_CC_OPTIMIZE_FOR_SIZE
 	  your compiler resulting in a smaller kernel.
 
 endchoice
+
+config KERNEL_AUDIT
+	bool "Auditing support"
+
+config KERNEL_SECURITY
+	bool "Enable different security models"
+
+config KERNEL_SECURITY_NETWORK
+	bool "Socket and Networking Security Hooks"
+	select KERNEL_SECURITY
+
+config KERNEL_SECURITY_SELINUX
+	bool "NSA SELinux Support"
+	select KERNEL_SECURITY_NETWORK
+	select KERNEL_AUDIT
+
+config KERNEL_SECURITY_SELINUX_BOOTPARAM
+	bool "NSA SELinux boot parameter"
+	depends on KERNEL_SECURITY_SELINUX
+
+config KERNEL_SECURITY_SELINUX_DISABLE
+	bool "NSA SELinux runtime disable"
+	depends on KERNEL_SECURITY_SELINUX
+
+config KERNEL_SECURITY_SELINUX_DEVELOP
+	bool "NSA SELinux Development Support"
+	depends on KERNEL_SECURITY_SELINUX
+
+choice
+	prompt "First legacy 'major LSM' to be initialized"
+	depends on KERNEL_SECURITY_SELINUX
+	default KERNEL_DEFAULT_SECURITY_SELINUX
+
+	config KERNEL_DEFAULT_SECURITY_SELINUX
+		bool "SELinux"
+
+	config KERNEL_DEFAULT_SECURITY_DAC
+		bool "Unix Discretionary Access Controls"
+
+endchoice
+
+config KERNEL_EXT4_FS_SECURITY
+	bool "Ext4 Security Labels"
+
+config KERNEL_F2FS_FS_SECURITY
+	bool "F2FS Security Labels"
+
+config KERNEL_UBIFS_FS_SECURITY
+	bool "UBIFS Security Labels"
+
+config KERNEL_JFFS2_FS_SECURITY
+	bool "JFFS2 Security Labels"

include/image.mk

@@ -234,13 +234,30 @@ endef
 $(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S))))
 $(eval $(foreach S,$(NAND_BLOCKSIZE),$(call Image/mkfs/jffs2-nand/template,$(S))))
 
-define Image/mkfs/squashfs
+define Image/mkfs/squashfs-common
 	$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
 		-nopad -noappend -root-owned \
 		-comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
 		-processors $(shell nproc)
 endef
 
+ifeq ($(CONFIG_TARGET_ROOTFS_SECURITY_LABELS),y)
+define Image/mkfs/squashfs
+	echo "LD_LIBRARY_PATH=\$$LD_LIBRARY_PATH:$(STAGING_DIR_HOSTPKG)/lib" \
+	     "$(STAGING_DIR_HOSTPKG)/sbin/setfiles -r" \
+	     "$(call mkfs_target_dir,$(1))" \
+	     "$(call mkfs_target_dir,$(1))/etc/selinux/targeted/contexts/files/file_contexts " \
+	     "$(call mkfs_target_dir,$(1))" > $@.fakeroot-script
+	echo "$(Image/mkfs/squashfs-common)" >> $@.fakeroot-script
+	chmod +x $@.fakeroot-script
+	$(STAGING_DIR_HOST)/bin/fakeroot $@.fakeroot-script
+endef
+else
+define Image/mkfs/squashfs
+	$(call Image/mkfs/squashfs-common,$(1))
+endef
+endif
+
 # $(1): board name
 # $(2): rootfs type
 # $(3): kernel image

package/ctcgfw/openwrt-v2ray-plugin/Makefile

@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=v2ray-plugin
-PKG_VERSION:=1.3.5
+PKG_VERSION:=1.4.1
 PKG_RELEASE:=1
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/teddysun/v2ray-plugin/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=46b3b9aec066df710f7ff27518c73c94ed63bbcdd6827e759da8627bf300a8d9
+PKG_HASH:=ecd53ea59dea178f75b47f399a48ce0e0d09ec9e9d866c5becf82d1ed35a7634
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE

package/kernel/linux/modules/leds.mk

@@ -24,6 +24,20 @@ $(eval $(call KernelPackage,leds-gpio))
 
 LED_TRIGGER_DIR=$(LINUX_DIR)/drivers/leds/trigger
 
+define KernelPackage/ledtrig-activity
+  SUBMENU:=$(LEDS_MENU)
+  TITLE:=LED Activity Trigger
+  KCONFIG:=CONFIG_LEDS_TRIGGER_ACTIVITY
+  FILES:=$(LED_TRIGGER_DIR)/ledtrig-activity.ko
+  AUTOLOAD:=$(call AutoLoad,50,ledtrig-activity)
+endef
+
+define KernelPackage/ledtrig-activity/description
+ Kernel module that allows LEDs to blink based on system load
+endef
+
+$(eval $(call KernelPackage,ledtrig-activity))
+
 define KernelPackage/ledtrig-heartbeat
   SUBMENU:=$(LEDS_MENU)
   TITLE:=LED Heartbeat Trigger

package/lean/dns2socks/Makefile

@@ -2,63 +2,47 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dns2socks
 PKG_VERSION:=2.1
-PKG_RELEASE:=20200218
+PKG_RELEASE:=1
 
-PKG_SOURCE:=SourceCode.zip
-PKG_SOURCE_SUBDIR:=DNS2SOCKS
-PKG_SOURCE_URL:=@SF/dns2socks
-PKG_MD5SUM:=ec82de936ad004cc940502cd2a1bff5b
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/kongfl888/dns2socks.git
+PKG_SOURCE_VERSION:=HEAD
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_LICENSE:=GPL-3.0
+PKG_MAINTAINER:=kongfl888 <kongfl888@outlook.com>
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 
-PKG_MAINTAINER:=ghostmaker
-PKG_LICENSE:=BSD-3-Clause
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
-
-PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
 
 include $(INCLUDE_DIR)/package.mk
 
-define Package/dns2socks/Default
+define Package/dns2socks
   SECTION:=net
   CATEGORY:=Network
   SUBMENU:=IP Addresses and Names
   TITLE:=The utility to resolve DNS requests via a SOCKS5 tunnel.
-  URL:=http://dns2socks.sourceforge.net/
-  MAINTAINER:=ghostmaker
+  URL:=https://sourceforge.net/projects/dns2socks/
   DEPENDS:=+libpthread
 endef
 
-define Package/dns2socks
-	$(call Package/dns2socks/Default)
-endef
-
 define Package/dns2socks/description
   This is a utility to resolve DNS requests via a SOCKS5 tunnel and caches the answers.
 endef
 
-define Build/Prepare
-	mkdir -p $(PKG_BUILD_DIR)
-	unzip $(DL_DIR)/$(PKG_SOURCE) -d $(PKG_BUILD_DIR)
-endef
-
 define Build/Compile
 	$(TARGET_CC) \
 	$(TARGET_CFLAGS) \
 	$(TARGET_CPPFLAGS) \
 	$(FPIC) \
-	-o $(PKG_BUILD_DIR)/$(PKG_SOURCE_SUBDIR)/$(PKG_NAME) \
-	$(PKG_BUILD_DIR)/$(PKG_SOURCE_SUBDIR)/DNS2SOCKS.c \
+	-o $(PKG_BUILD_DIR)/DNS2SOCKS/$(PKG_NAME) \
+	$(PKG_BUILD_DIR)/DNS2SOCKS/DNS2SOCKS.c \
 	$(TARGET_LDFLAGS) -pthread
 endef
 
-define Build/Install
-endef
-
 define Package/dns2socks/install
 	$(INSTALL_DIR) $(1)/usr/bin
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/$(PKG_SOURCE_SUBDIR)/$(PKG_NAME) $(1)/usr/bin/dns2socks
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/DNS2SOCKS/$(PKG_NAME) $(1)/usr/bin/dns2socks
 endef
 
 $(eval $(call BuildPackage,dns2socks))

package/network/utils/ethtool/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ethtool
-PKG_VERSION:=5.4
+PKG_VERSION:=5.8
 PKG_RELEASE:=1
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/software/network/ethtool
-PKG_HASH:=22f81e4927d6eb6a13a259d705248a96005fce2005e15257f639f5a1c8c52b6b
+PKG_HASH:=2f3b54d08d048f5977b80cb6cb4744994370def7553ee634d39dbbb6ccf87546
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
@@ -45,6 +45,8 @@ define Package/ethtool/config
 		bool "Enable pretty printing"
 endef
 
+CONFIGURE_ARGS += --disable-netlink
+
 ifeq ($(CONFIG_ETHTOOL_PRETTY_DUMP),y)
 CONFIGURE_ARGS += --enable-pretty-dump
 else

package/network/utils/iproute2/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=iproute2
-PKG_VERSION:=5.7.0
-PKG_RELEASE:=2
+PKG_VERSION:=5.8.0
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/linux/utils/net/iproute2
-PKG_HASH:=725dc7ba94aae54c6f8d4223ca055d9fb4fe89d6994b1c03bfb4411c4dd10f21
+PKG_HASH:=cfcd1f890290f8c8afcc91d9444ad929b9252c16f9ab3f286c50dd3c59dc646e
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_DEPENDS:=iptables
 PKG_LICENSE:=GPL-2.0

package/network/utils/iproute2/patches/001-devlink-update-include-files.patch

@@ -1,46 +0,0 @@
-From 12fafa27c7b306e6c397e858f4d5a8159500f659 Mon Sep 17 00:00:00 2001
-From: Stephen Hemminger <stephen@networkplumber.org>
-Date: Thu, 11 Jun 2020 09:46:46 -0700
-Subject: [PATCH] devlink: update include files
-
-Use the tool iwyu to get more complete list of includes for
-all the bits used by devlink.
-
-This should also fix build with musl libc.
-
-Fixes: c4dfddccef4e ("fix JSON output of mon command")
-Reported-off-by: Dan Robertson <dan@dlrobertson.com>
-Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
----
- devlink/devlink.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
---- a/devlink/devlink.c
-+++ b/devlink/devlink.c
-@@ -19,18 +19,25 @@
- #include <limits.h>
- #include <errno.h>
- #include <inttypes.h>
-+#include <signal.h>
-+#include <time.h>
-+#include <netinet/in.h>
-+#include <arpa/inet.h>
- #include <sys/sysinfo.h>
- #define _LINUX_SYSINFO_H /* avoid collision with musl header */
- #include <linux/genetlink.h>
- #include <linux/devlink.h>
-+#include <linux/netlink.h>
- #include <libmnl/libmnl.h>
- #include <netinet/ether.h>
-+#include <sys/select.h>
-+#include <sys/socket.h>
- #include <sys/types.h>
- 
- #include "SNAPSHOT.h"
- #include "list.h"
- #include "mnlg.h"
--#include "json_writer.h"
-+#include "json_print.h"
- #include "utils.h"
- #include "namespace.h"
- 

package/network/utils/iproute2/patches/002-configure-support-ipset-v7.patch

@@ -1,32 +0,0 @@
-From 650591a7a70cd79d826fcdc579a20c168c987cf2 Mon Sep 17 00:00:00 2001
-From: Tony Ambardar <tony.ambardar@gmail.com>
-Date: Tue, 7 Jul 2020 00:58:33 -0700
-Subject: [PATCH] configure: support ipset version 7 with kernel version 5
-
-The configure script checks for ipset v6 availability but doesn't test
-for v7, which is backward compatible and used on kernel v5.x systems.
-Update the script to test for both ipset versions. Without this change,
-the tc ematch function em_ipset will be disabled.
-
-Signed-off-by: Tony Ambardar <Tony.Ambardar@gmail.com>
-Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
----
- configure | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure b/configure
-index f415bf49..307912aa 100755
---- a/configure
-+++ b/configure
-@@ -208,7 +208,7 @@ typedef unsigned short ip_set_id_t;
- #include <linux/netfilter/xt_set.h>
- 
- struct xt_set_info info;
--#if IPSET_PROTOCOL == 6
-+#if IPSET_PROTOCOL == 6 || IPSET_PROTOCOL == 7
- int main(void)
- {
- 	return IPSET_MAXNAMELEN;
--- 
-2.17.1
-

package/network/utils/iproute2/patches/115-add-config-xtlibdir.patch

@@ -1,6 +1,6 @@
 --- a/tc/Makefile
 +++ b/tc/Makefile
-@@ -126,6 +126,9 @@ CFLAGS += -DCONFIG_GACT -DCONFIG_GACT_PR
+@@ -127,6 +127,9 @@ CFLAGS += -DCONFIG_GACT -DCONFIG_GACT_PR
  ifneq ($(IPT_LIB_DIR),)
  	CFLAGS += -DIPT_LIB_DIR=\"$(IPT_LIB_DIR)\"
  endif

package/network/utils/iproute2/patches/170-ip_tiny.patch

@@ -33,7 +33,7 @@
  		"where  OBJECT := { link | address | addrlabel | route | rule | neigh | ntable |\n"
  		"                   tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |\n"
  		"                   netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila |\n"
- 		"                   vrf | sr | nexthop }\n"
+ 		"                   vrf | sr | nexthop | mptcp }\n"
 +#else
 +		"where  OBJECT := { link | address | route | rule | neigh | tunnel | maddress |\n"
 +		"                   mroute | mrule | monitor | netns | macsec | token | ila |\n"
@@ -42,7 +42,7 @@
  		"       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |\n"
  		"                    -h[uman-readable] | -iec | -j[son] | -p[retty] |\n"
  		"                    -f[amily] { inet | inet6 | mpls | bridge | link } |\n"
-@@ -74,35 +80,49 @@ static const struct cmd {
+@@ -74,36 +80,50 @@ static const struct cmd {
  	int (*func)(int argc, char **argv);
  } cmds[] = {
  	{ "address",	do_ipaddr },
@@ -88,6 +88,7 @@
  	{ "sr",		do_seg6 },
 +#ifndef IPROUTE2_TINY
  	{ "nexthop",	do_ipnh },
+ 	{ "mptcp",	do_mptcp },
 +#endif
  	{ "help",	do_help },
  	{ 0 }
@@ -104,4 +105,4 @@
 +
  UTILOBJ = utils.o rt_names.o ll_map.o ll_types.o ll_proto.o ll_addr.o \
  	inet_proto.o namespace.o json_writer.o json_print.o \
- 	names.o color.o bpf.o exec.o fs.o
+ 	names.o color.o bpf.o exec.o fs.o cg_map.o

package/network/utils/iproute2/patches/175-reduce-dynamic-syms.patch

@@ -1,6 +1,6 @@
 --- a/tc/Makefile
 +++ b/tc/Makefile
-@@ -113,7 +113,7 @@ LDLIBS += -L. -lm
+@@ -114,7 +114,7 @@ LDLIBS += -L. -lm
  
  ifeq ($(SHARED_LIBS),y)
  LDLIBS += -ldl
@@ -9,7 +9,7 @@
  endif
  
  TCLIB := tc_core.o
-@@ -142,7 +142,7 @@ MODDESTDIR := $(DESTDIR)$(LIBDIR)/tc
+@@ -143,7 +143,7 @@ MODDESTDIR := $(DESTDIR)$(LIBDIR)/tc
  all: tc $(TCSO)
  
  tc: $(TCOBJ) $(LIBNETLINK) libtc.a
@@ -18,7 +18,7 @@
  
  libtc.a: $(TCLIB)
  	$(QUIET_AR)$(AR) rcs $@ $^
-@@ -164,6 +164,7 @@ install: all
+@@ -165,6 +165,7 @@ install: all
  clean:
  	rm -f $(TCOBJ) $(TCLIB) libtc.a tc *.so emp_ematch.tab.h; \
  	rm -f emp_ematch.tab.*
@@ -26,7 +26,7 @@
  
  q_atm.so: q_atm.c
  	$(QUIET_CC)$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -shared -fpic -o q_atm.so q_atm.c -latm
-@@ -203,4 +204,15 @@ static-syms.h: $(wildcard *.c)
+@@ -204,4 +205,15 @@ static-syms.h: $(wildcard *.c)
  		sed -n '/'$$s'[^ ]* =/{s:.* \([^ ]*'$$s'[^ ]*\) .*:extern char \1[] __attribute__((weak)); if (!strcmp(sym, "\1")) return \1;:;p}' $$files ; \
  	done > $@
  

package/network/utils/wireguard-tools/Makefile

@@ -12,7 +12,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard-tools
 
 PKG_VERSION:=1.0.20200820
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/

package/network/utils/wireguard-tools/files/wireguard.sh

@@ -112,6 +112,7 @@ proto_wireguard_setup() {
 	config_get fwmark "${config}" "fwmark"
 	config_get ip6prefix "${config}" "ip6prefix"
 	config_get nohostroute "${config}" "nohostroute"
+	config_get tunlink "${config}" "tunlink"
 
 	ip link del dev "${config}" 2>/dev/null
 	ip link add dev "${config}" type wireguard
@@ -173,7 +174,7 @@ proto_wireguard_setup() {
 		sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \
 		while IFS=$'\t ' read -r key address port; do
 			[ -n "${port}" ] || continue
-			proto_add_host_dependency "${config}" "${address}"
+			proto_add_host_dependency "${config}" "${address}" "${tunlink}"
 		done
 	fi
 

package/system/refpolicy/Makefile

@@ -0,0 +1,80 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=refpolicy
+PKG_VERSION:=2.20200229
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20200229
+PKG_HASH:=dec854512ed00cd057408f330c2cea4de7a4405f7a147458f59c994bf578e4b0
+PKG_INSTALL:=1
+PKG_BUILD_DEPENDS:=checkpolicy/host policycoreutils/host
+
+PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+PKG_CPE_ID:=cpe:/a:tresys:refpolicy
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=COPYING
+
+TAR_OPTIONS:=--transform='s%^refpolicy%$(PKG_NAME)-$(PKG_VERSION)%' -xf -
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/refpolicy
+  SECTION:=system
+  CATEGORY:=Base system
+  TITLE:=SELinux reference policy
+  URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/refpolicy/description
+	The SELinux Reference Policy project (refpolicy) is a
+	complete SELinux policy that can be used as the system
+	policy for a variety of systems and used as the basis for
+	creating other policies. Reference Policy was originally
+	based on the NSA example policy, but aims to accomplish many
+	additional goals.
+
+	The current refpolicy does not fully support OpenWRT and
+	needs modifications to work with the default system file
+	layout. These changes should be added as patches to the
+	refpolicy that modify a single SELinux policy.
+
+	The refpolicy works for the most part in permissive
+	mode. Only the basic set of utilities are enabled in the
+	example policy config and some of the pathing in the
+	policies is not correct.  Individual policies would need to
+	be tweaked to get everything functioning properly.
+endef
+
+# Yes, we want CC=$(HOSTCC) because the only code that checkpolicy
+# builds is a small host tool that gets run as part of the build
+# process.
+MAKE_FLAGS += \
+	TEST_TOOLCHAIN="$(STAGING_DIR_HOSTPKG)" \
+	BINDIR=/bin \
+	SBINDIR=/sbin \
+	CC="$(HOSTCC)" \
+	CFLAGS="$(HOST_CFLAGS)"
+
+define Build/Configure
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf
+	$(SED) "/NAME/c\NAME = targeted" $(PKG_BUILD_DIR)/build.conf
+	$(call Build/Compile/Default,conf)
+endef
+
+define Package/refpolicy/conffiles
+/etc/selinux/config
+endef
+
+define Package/refpolicy/install
+	$(INSTALL_DIR) $(1)/etc/selinux
+	$(CP) $(PKG_INSTALL_DIR)/etc/selinux/* $(1)/etc/selinux/
+	$(CP) ./files/selinux-config $(1)/etc/selinux/config
+endef
+
+$(eval $(call BuildPackage,refpolicy))

package/system/refpolicy/files/selinux-config

@@ -0,0 +1,7 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=permissive
+SELINUXTYPE=targeted

package/utils/checkpolicy/Makefile

@@ -0,0 +1,51 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=checkpolicy
+PKG_VERSION:=3.1
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20200710
+PKG_HASH:=dfc7707070520c93b14fbbdfdbe081364d806bf28e3e79e10318c2594c77bbb2
+PKG_INSTALL:=1
+HOST_BUILD_DEPENDS:=libselinux/host
+
+PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+PKG_CPE_ID:=cpe:/a:selinuxproject:checkpolicy
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=COPYING
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/checkpolicy
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=SELinux policy compiler
+  URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/checkpolicy/description
+	checkpolicy is the SELinux policy compiler. It uses libsepol
+	to generate the binary policy. checkpolicy uses the static
+	libsepol since it deals with low level details of the policy
+	that have not been encapsulated/abstracted by a proper
+	shared library interface.
+endef
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_MAKE_FLAGS += \
+	PREFIX=$(STAGING_DIR_HOSTPKG)
+
+define Package/checkpolicy/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
+endef
+
+$(eval $(call HostBuild))
+$(eval $(call BuildPackage,checkpolicy))

package/utils/policycoreutils/Makefile

@@ -0,0 +1,83 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=policycoreutils
+PKG_VERSION:=3.1
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20200710
+PKG_HASH:=c889f62ee80f8b6a369469a9b8af51f5b797975aeaa291f5c5960cc12eed1934
+PKG_INSTALL:=1
+HOST_BUILD_DEPENDS:=libsemanage/host
+PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam
+
+PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+PKG_CPE_ID:=cpe:/a:selinuxproject:policycoreutils
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=COPYING
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/policycoreutils
+  SECTION:=utils
+  CATEGORY:=Utilities
+  DEPENDS:= +libsemanage +libcap-ng +BUSYBOX_CONFIG_PAM:libpam
+  TITLE:=SELinux policy utilities
+  URL:=http://selinuxproject.org/page/Main_Page
+  ALTERNATIVES:=\
+    300:/sbin/restorecon:policycoreutils-restorecon \
+    300:/sbin/setfiles:policycoreutils-setfiles \
+    300:/usr/sbin/load_policy:policycoreutils-load_policy \
+    300:/usr/sbin/sestatus:policycoreutils-sestatus \
+    300:/usr/sbin/setsebool:policycoreutils-setsebool
+endef
+
+define Package/policycoreutils/description
+	Policycoreutils is a collection of policy utilities
+	(originally the "core" set of utilities needed to use
+	SELinux, although it has grown a bit over time), which have
+	different dependencies.  sestatus, secon, run_init, and
+	newrole only use libselinux. load_policy and setfiles only
+	use libselinux and libsepol. semodule and semanage use
+	libsemanage (and thus bring in dependencies on libsepol and
+	libselinux as well). setsebool uses libselinux to make
+	non-persistent boolean changes (via the kernel interface)
+	and uses libsemanage to make persistent boolean changes.
+endef
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_MAKE_FLAGS += \
+	PAMH=$(CONFIG_BUSYBOX_CONFIG_PAM) \
+	PREFIX=$(STAGING_DIR_HOSTPKG) \
+	SBINDIR=$(STAGING_DIR_HOSTPKG)/sbin \
+	ETCDIR=$(STAGING_DIR_HOSTPKG)/etc
+
+MAKE_FLAGS += \
+	PAMH=$(CONFIG_BUSYBOX_CONFIG_PAM)
+
+define Package/policycoreutils/install
+	$(INSTALL_DIR) $(1)/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/sbin/restorecon_xattr $(1)/sbin/restorecon_xattr
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/sbin/restorecon $(1)/sbin/policycoreutils-restorecon
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/sbin/setfiles $(1)/sbin/policycoreutils-setfiles
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/fixfiles $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/genhomedircon $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/open_init_pty $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/run_init $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/semodule $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/load_policy $(1)/usr/sbin/policycoreutils-load_policy
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/sestatus $(1)/usr/sbin/policycoreutils-sestatus
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setsebool $(1)/usr/sbin/policycoreutils-setsebool
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
+endef
+
+$(eval $(call HostBuild))
+$(eval $(call BuildPackage,policycoreutils))

target/linux/generic/config-4.14

@@ -1118,6 +1118,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
 # CONFIG_DEFAULT_RENO is not set
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_DEFAULT_SECURITY_DAC=y
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set
 CONFIG_DEFAULT_TCP_CONG="cubic"
 CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
 # CONFIG_DELL_LAPTOP is not set
@@ -1363,6 +1364,7 @@ CONFIG_EXTRA_TARGETS=""
 # CONFIG_F2FS_IO_TRACE is not set
 # CONFIG_FAIR_GROUP_SCHED is not set
 # CONFIG_FANOTIFY is not set
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
 CONFIG_FAT_DEFAULT_CODEPAGE=437
 CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
 # CONFIG_FAT_DEFAULT_UTF8 is not set
@@ -1504,6 +1506,24 @@ CONFIG_FLAT_NODE_MEM_MAP=y
 # CONFIG_FORCEDETH is not set
 CONFIG_FORCE_MAX_ZONEORDER=11
 CONFIG_FORTIFY_SOURCE=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_YAMA is not set
+# CONFIG_SECURITY_SAFESETID is not set
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+# CONFIG_INTEGRITY is not set
+# CONFIG_INTEGRITY_SIGNATURE is not set
+# CONFIG_INTEGRITY_AUDIT is not set
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+# CONFIG_LSM is not set
 # CONFIG_FPGA is not set
 # CONFIG_FRAMEBUFFER_CONSOLE is not set
 # CONFIG_FRAME_POINTER is not set
@@ -3054,6 +3074,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
 # CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
 # CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
+# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
 # CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
 # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
 # CONFIG_NETFILTER_XT_TARGET_TEE is not set
@@ -3065,6 +3086,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETROM is not set
 CONFIG_NETWORK_FILESYSTEMS=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+# CONFIG_NETLABEL is not set
 # CONFIG_NETWORK_SECMARK is not set
 # CONFIG_NETXEN_NIC is not set
 # CONFIG_NET_9P is not set
@@ -3291,6 +3313,7 @@ CONFIG_NFS_V3=y
 CONFIG_NF_CONNTRACK_PROCFS=y
 # CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
 # CONFIG_NF_CONNTRACK_SANE is not set
+# CONFIG_NF_CONNTRACK_SECMARK is not set
 # CONFIG_NF_CONNTRACK_SIP is not set
 # CONFIG_NF_CONNTRACK_SNMP is not set
 # CONFIG_NF_CONNTRACK_TFTP is not set
@@ -4125,6 +4148,8 @@ CONFIG_SCSI_PROC_FS=y
 CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 # CONFIG_SECURITY is not set
 # CONFIG_SECURITYFS is not set
+# CONFIG_SECURITY_PATH is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SELECT_MEMORY_MODEL=y
 # CONFIG_SENSORS_ABITUGURU is not set

target/linux/generic/config-4.19

@@ -1158,6 +1158,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
 # CONFIG_DEFAULT_RENO is not set
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_DEFAULT_SECURITY_DAC=y
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set
 CONFIG_DEFAULT_TCP_CONG="cubic"
 CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
 # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
@@ -1431,6 +1432,7 @@ CONFIG_EXTRA_TARGETS=""
 # CONFIG_FAILOVER is not set
 # CONFIG_FAIR_GROUP_SCHED is not set
 # CONFIG_FANOTIFY is not set
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
 CONFIG_FAT_DEFAULT_CODEPAGE=437
 CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
 # CONFIG_FAT_DEFAULT_UTF8 is not set
@@ -1572,6 +1574,24 @@ CONFIG_FLAT_NODE_MEM_MAP=y
 # CONFIG_FORCEDETH is not set
 CONFIG_FORCE_MAX_ZONEORDER=11
 CONFIG_FORTIFY_SOURCE=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_YAMA is not set
+# CONFIG_SECURITY_SAFESETID is not set
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+# CONFIG_INTEGRITY is not set
+# CONFIG_INTEGRITY_SIGNATURE is not set
+# CONFIG_INTEGRITY_AUDIT is not set
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+# CONFIG_LSM is not set
 # CONFIG_FPGA is not set
 # CONFIG_FRAMEBUFFER_CONSOLE is not set
 # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set
@@ -3186,6 +3206,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
 # CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
 # CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
+# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
 # CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
 # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
 # CONFIG_NETFILTER_XT_TARGET_TEE is not set
@@ -3197,6 +3218,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETROM is not set
 CONFIG_NETWORK_FILESYSTEMS=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+# CONFIG_NETLABEL is not set
 # CONFIG_NETWORK_SECMARK is not set
 # CONFIG_NETXEN_NIC is not set
 # CONFIG_NET_9P is not set
@@ -3446,6 +3468,7 @@ CONFIG_NFS_V3=y
 CONFIG_NF_CONNTRACK_PROCFS=y
 # CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
 # CONFIG_NF_CONNTRACK_SANE is not set
+# CONFIG_NF_CONNTRACK_SECMARK is not set
 # CONFIG_NF_CONNTRACK_SIP is not set
 # CONFIG_NF_CONNTRACK_SNMP is not set
 # CONFIG_NF_CONNTRACK_TFTP is not set
@@ -4320,6 +4343,8 @@ CONFIG_SCSI_PROC_FS=y
 CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 # CONFIG_SECURITY is not set
 # CONFIG_SECURITYFS is not set
+# CONFIG_SECURITY_PATH is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SELECT_MEMORY_MODEL=y
 # CONFIG_SENSORS_ABITUGURU is not set

target/linux/generic/config-5.4

@@ -399,6 +399,7 @@ CONFIG_ATAGS_PROC=y
 # CONFIG_ATA_ACPI is not set
 CONFIG_ATA_BMDMA=y
 # CONFIG_ATA_GENERIC is not set
+# CONFIG_ATA_LEDS is not set
 # CONFIG_ATA_NONSTANDARD is not set
 # CONFIG_ATA_OVER_ETH is not set
 # CONFIG_ATA_PIIX is not set
@@ -1209,6 +1210,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
 # CONFIG_DEFAULT_RENO is not set
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_DEFAULT_SECURITY_DAC=y
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set
 CONFIG_DEFAULT_TCP_CONG="cubic"
 CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
 # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
@@ -1525,6 +1527,7 @@ CONFIG_EXTRA_TARGETS=""
 # CONFIG_FAILOVER is not set
 # CONFIG_FAIR_GROUP_SCHED is not set
 # CONFIG_FANOTIFY is not set
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
 CONFIG_FAT_DEFAULT_CODEPAGE=437
 CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
 # CONFIG_FAT_DEFAULT_UTF8 is not set
@@ -1670,6 +1673,24 @@ CONFIG_FLAT_NODE_MEM_MAP=y
 # CONFIG_FORCEDETH is not set
 CONFIG_FORCE_MAX_ZONEORDER=11
 CONFIG_FORTIFY_SOURCE=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_YAMA is not set
+# CONFIG_SECURITY_SAFESETID is not set
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+# CONFIG_INTEGRITY is not set
+# CONFIG_INTEGRITY_SIGNATURE is not set
+# CONFIG_INTEGRITY_AUDIT is not set
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+# CONFIG_LSM is not set
 # CONFIG_FPGA is not set
 # CONFIG_FRAMEBUFFER_CONSOLE is not set
 # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set
@@ -1999,6 +2020,8 @@ CONFIG_HPET_MMAP_DEFAULT=y
 # CONFIG_HTC_PASIC3 is not set
 # CONFIG_HTS221 is not set
 # CONFIG_HTU21 is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_HUGETLBFS is not set
 # CONFIG_HVC_DCC is not set
 # CONFIG_HVC_UDBG is not set
 # CONFIG_HWLAT_TRACER is not set
@@ -3365,6 +3388,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
 # CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
 # CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
+# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
 # CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
 # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
 # CONFIG_NETFILTER_XT_TARGET_TEE is not set
@@ -3376,6 +3400,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETROM is not set
 CONFIG_NETWORK_FILESYSTEMS=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+# CONFIG_NETLABEL is not set
 # CONFIG_NETWORK_SECMARK is not set
 # CONFIG_NETXEN_NIC is not set
 # CONFIG_NET_9P is not set
@@ -3650,6 +3675,7 @@ CONFIG_NFS_V3=y
 CONFIG_NF_CONNTRACK_PROCFS=y
 # CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
 # CONFIG_NF_CONNTRACK_SANE is not set
+# CONFIG_NF_CONNTRACK_SECMARK is not set
 # CONFIG_NF_CONNTRACK_SIP is not set
 # CONFIG_NF_CONNTRACK_SNMP is not set
 # CONFIG_NF_CONNTRACK_TFTP is not set
@@ -4572,6 +4598,8 @@ CONFIG_SCSI_PROC_FS=y
 CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 # CONFIG_SECURITY is not set
 # CONFIG_SECURITYFS is not set
+# CONFIG_SECURITY_PATH is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SELECT_MEMORY_MODEL=y
 # CONFIG_SENSIRION_SGP30 is not set
@@ -5769,6 +5797,7 @@ CONFIG_TRACE_IRQFLAGS_SUPPORT=y
 # CONFIG_TRACING_EVENTS_GPIO is not set
 CONFIG_TRACING_SUPPORT=y
 CONFIG_TRAD_SIGNALS=y
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
 # CONFIG_TREE_RCU is not set
 # CONFIG_TREE_RCU_TRACE is not set
 # CONFIG_TRIM_UNUSED_KSYMS is not set
@@ -5877,6 +5906,7 @@ CONFIG_USB_DEFAULT_PERSIST=y
 # CONFIG_USB_EG20T is not set
 # CONFIG_USB_EHCI_ATH79 is not set
 # CONFIG_USB_EHCI_FSL is not set
+# CONFIG_USB_EHCI_HCD is not set
 # CONFIG_USB_EHCI_HCD_AT91 is not set
 # CONFIG_USB_EHCI_HCD_OMAP is not set
 # CONFIG_USB_EHCI_HCD_PPC_OF is not set

tools/coreutils/Makefile

@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=coreutils
 PKG_CPE_ID:=cpe:/a:gnu:coreutils
-PKG_VERSION:=8.27
+PKG_VERSION:=8.32
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/coreutils
-PKG_HASH:=8891d349ee87b9ff7870f52b6d9312a9db672d2439d289bc57084771ca21656b
+PKG_HASH:=4458d8de7849df44ccab15e16b1548b285224dbba5f08fac070c1c0e0bcc4cfa
 
 HOST_BUILD_PARALLEL := 1
 

tools/coreutils/patches/001-fix-macos-vasnprintf.patch

@@ -1,25 +0,0 @@
---- a/lib/vasnprintf.c
-+++ b/lib/vasnprintf.c
-@@ -4858,7 +4858,11 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *
- #endif
-                   *fbp = dp->conversion;
- #if USE_SNPRINTF
--# if !(((__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) && !defined __UCLIBC__) || ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__))
-+# if ! (((__GLIBC__ > 2                                                 \
-+          || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3))                  \
-+         && !defined __UCLIBC__)                                        \
-+        || (defined __APPLE__ && defined __MACH__)                      \
-+        || ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__))
-                 fbp[1] = '%';
-                 fbp[2] = 'n';
-                 fbp[3] = '\0';
-@@ -4872,6 +4876,9 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *
-                    in format strings in writable memory may crash the program
-                    (if compiled with _FORTIFY_SOURCE=2), so we should avoid it
-                    in this situation.  */
-+                /* macOS 10.13 High Sierra behaves like glibc with
-+                   _FORTIFY_SOURCE=2, and older macOS releases
-+                   presumably do not need %n.  */
-                 /* On native Windows systems (such as mingw), we can avoid using
-                    %n because:
-                      - Although the gl_SNPRINTF_TRUNCATION_C99 test fails,

tools/squashfskit4/Makefile

@@ -22,7 +22,7 @@ define Host/Compile
 	$(MAKE) -C $(HOST_BUILD_DIR)/squashfs-tools \
 		XZ_SUPPORT=1 \
 		LZMA_XZ_SUPPORT=1 \
-		XATTR_SUPPORT= \
+		XATTR_SUPPORT=1 \
 		LZMA_LIB="$(STAGING_DIR_HOST)/lib/liblzma.a" \
 		EXTRA_CFLAGS="-I$(STAGING_DIR_HOST)/include" \
 		mksquashfs unsquashfs