diff --git a/config/Config-build.in b/config/Config-build.in index 4cd86d8e07..00244fdf56 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -317,4 +317,14 @@ menu "Global build settings" bool "Full" endchoice + config TARGET_ROOTFS_SECURITY_LABELS + bool "Enable rootfs security labels" + select KERNEL_SQUASHFS_XATTR + select KERNEL_EXT4_FS_SECURITY + select KERNEL_F2FS_FS_SECURITY + select KERNEL_UBIFS_FS_SECURITY + select KERNEL_JFFS2_FS_SECURITY + select PACKAGE_refpolicy + help + This option enables the usage of SELinux labels endmenu diff --git a/config/Config-kernel.in b/config/Config-kernel.in index 213000fe54..c3dd8767ba 100644 --- a/config/Config-kernel.in +++ b/config/Config-kernel.in @@ -894,6 +894,9 @@ config KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE default 2 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT) default 3 +config KERNEL_SQUASHFS_XATTR + bool "Squashfs XATTR support" + # # compile optimiziation setting # 
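Review bot: `TARGET_ROOTFS_SECURITY_LABELS` selects the filesystem label options and `PACKAGE_refpolicy`, but nothing in this hunk selects or depends on `KERNEL_SECURITY_SELINUX`. As written, an image can apparently be labelled and ship a policy while the kernel has no SELinux support, which looks like protection but enforces nothing. Either add `select KERNEL_SECURITY_SELINUX` or state the requirement in the help text, which is currently one line. A help text along the lines of `Label the root filesystem with SELinux contexts at image build time. The labels are only enforced when the kernel is built with SELinux support and a policy is loaded.` would tell the user what the option does and does not do.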
@@ -915,3 +918,55 @@ config KERNEL_CC_OPTIMIZE_FOR_SIZE your compiler resulting in a smaller kernel. endchoice + +config KERNEL_AUDIT + bool "Auditing support" + +config KERNEL_SECURITY + bool "Enable different security models" + +config KERNEL_SECURITY_NETWORK + bool "Socket and Networking Security Hooks" + select KERNEL_SECURITY + +config KERNEL_SECURITY_SELINUX + bool "NSA SELinux Support" + select KERNEL_SECURITY_NETWORK + select KERNEL_AUDIT + +config KERNEL_SECURITY_SELINUX_BOOTPARAM + bool "NSA SELinux boot parameter" + depends on KERNEL_SECURITY_SELINUX + +config KERNEL_SECURITY_SELINUX_DISABLE + bool "NSA SELinux runtime disable" + depends on KERNEL_SECURITY_SELINUX + +config KERNEL_SECURITY_SELINUX_DEVELOP + bool "NSA SELinux Development Support" + depends on KERNEL_SECURITY_SELINUX + +choice + prompt "First legacy 'major LSM' to be initialized" + depends on KERNEL_SECURITY_SELINUX + default KERNEL_DEFAULT_SECURITY_SELINUX + + config KERNEL_DEFAULT_SECURITY_SELINUX + bool "SELinux" + + config KERNEL_DEFAULT_SECURITY_DAC + bool "Unix Discretionary Access Controls" + +endchoice + +config KERNEL_EXT4_FS_SECURITY + bool "Ext4 Security Labels" + +config KERNEL_F2FS_FS_SECURITY + bool "F2FS Security Labels" + +config KERNEL_UBIFS_FS_SECURITY + bool "UBIFS Security Labels" + +config KERNEL_JFFS2_FS_SECURITY + bool "JFFS2 Security Labels" diff --git a/include/image.mk b/include/image.mk index c0d0b61479..d529f537c5 100644 --- a/include/image.mk +++ b/include/image.mk 
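Review bot: `KERNEL_SECURITY_SELINUX_BOOTPARAM`, `KERNEL_SECURITY_SELINUX_DISABLE` and `KERNEL_SECURITY_SELINUX_DEVELOP` are added with no `help` text, although each one controls a way of turning enforcement off. The ways are the kernel command line, a runtime disable before policy load, and permissive mode. Someone hardening an image needs that stated next to the switch; for example `help` / `Allows SELinux to be disabled at runtime before the policy is loaded. Leave off for production images.` under `KERNEL_SECURITY_SELINUX_DISABLE`, with matching short texts for the other two. The same applies to `KERNEL_AUDIT` and the four `*_FS_SECURITY` options, which only carry a prompt.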
@@ -234,13 +234,30 @@ endef $(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S)))) $(eval $(foreach S,$(NAND_BLOCKSIZE),$(call Image/mkfs/jffs2-nand/template,$(S)))) -define Image/mkfs/squashfs +define Image/mkfs/squashfs-common $(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \ -nopad -noappend -root-owned \ -comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \ -processors $(shell nproc) endef +ifeq ($(CONFIG_TARGET_ROOTFS_SECURITY_LABELS),y) +define Image/mkfs/squashfs + echo "LD_LIBRARY_PATH=\$$LD_LIBRARY_PATH:$(STAGING_DIR_HOSTPKG)/lib" \ + "$(STAGING_DIR_HOSTPKG)/sbin/setfiles -r" \ + "$(call mkfs_target_dir,$(1))" \ + "$(call mkfs_target_dir,$(1))/etc/selinux/targeted/contexts/files/file_contexts " \ + "$(call mkfs_target_dir,$(1))" > $@.fakeroot-script + echo "$(Image/mkfs/squashfs-common)" >> $@.fakeroot-script + chmod +x $@.fakeroot-script + $(STAGING_DIR_HOST)/bin/fakeroot $@.fakeroot-script +endef +else +define Image/mkfs/squashfs + $(call Image/mkfs/squashfs-common,$(1)) +endef +endif + # $(1): board name # $(2): rootfs type # $(3): kernel image diff --git a/package/ctcgfw/openwrt-v2ray-plugin/Makefile b/package/ctcgfw/openwrt-v2ray-plugin/Makefile index 201c5c943b..875269ada1 100644 --- a/package/ctcgfw/openwrt-v2ray-plugin/Makefile +++ b/package/ctcgfw/openwrt-v2ray-plugin/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=v2ray-plugin -PKG_VERSION:=1.3.5 +PKG_VERSION:=1.4.1 PKG_RELEASE:=1 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/teddysun/v2ray-plugin/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=46b3b9aec066df710f7ff27518c73c94ed63bbcdd6827e759da8627bf300a8d9 +PKG_HASH:=ecd53ea59dea178f75b47f399a48ce0e0d09ec9e9d866c5becf82d1ed35a7634 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE diff --git a/package/kernel/linux/modules/leds.mk b/package/kernel/linux/modules/leds.mk index 59ea6edbcd..c030b54b39 100644 
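Review bot: In the labelled variant of `Image/mkfs/squashfs`, the generated `$@.fakeroot-script` runs `setfiles` and then `mksquashfs4` as two independent lines with no `set -e`. A failing `setfiles` (missing `file_contexts`, host tool not built) is therefore ignored, and the build still produces an image that is simply unlabelled. Start the script with `echo "set -e" > $@.fakeroot-script` and change the `setfiles` line to append with `>> $@.fakeroot-script`, so the recipe fails when labelling fails. The paths are also written into the script unquoted, and `etc/selinux/targeted/...` is hard-coded; a comment such as `# policy name must match NAME in package/system/refpolicy` would record that coupling.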
--- a/package/kernel/linux/modules/leds.mk +++ b/package/kernel/linux/modules/leds.mk @@ -24,6 +24,20 @@ $(eval $(call KernelPackage,leds-gpio)) LED_TRIGGER_DIR=$(LINUX_DIR)/drivers/leds/trigger +define KernelPackage/ledtrig-activity + SUBMENU:=$(LEDS_MENU) + TITLE:=LED Activity Trigger + KCONFIG:=CONFIG_LEDS_TRIGGER_ACTIVITY + FILES:=$(LED_TRIGGER_DIR)/ledtrig-activity.ko + AUTOLOAD:=$(call AutoLoad,50,ledtrig-activity) +endef + +define KernelPackage/ledtrig-activity/description + Kernel module that allows LEDs to blink based on system load +endef + +$(eval $(call KernelPackage,ledtrig-activity)) + define KernelPackage/ledtrig-heartbeat SUBMENU:=$(LEDS_MENU) TITLE:=LED Heartbeat Trigger diff --git a/package/lean/dns2socks/Makefile b/package/lean/dns2socks/Makefile index a6d5a49f70..20f3908b08 100755 --- a/package/lean/dns2socks/Makefile +++ b/package/lean/dns2socks/Makefile 
@@ -2,63 +2,47 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dns2socks PKG_VERSION:=2.1 -PKG_RELEASE:=20200218 +PKG_RELEASE:=1 -PKG_SOURCE:=SourceCode.zip -PKG_SOURCE_SUBDIR:=DNS2SOCKS -PKG_SOURCE_URL:=@SF/dns2socks -PKG_MD5SUM:=ec82de936ad004cc940502cd2a1bff5b +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/kongfl888/dns2socks.git +PKG_SOURCE_VERSION:=HEAD +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_LICENSE:=GPL-3.0 +PKG_MAINTAINER:=kongfl888 +PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) -PKG_MAINTAINER:=ghostmaker -PKG_LICENSE:=BSD-3-Clause - -PKG_BUILD_DIR:=$(BUILD_DIR)/$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) - -PKG_INSTALL:=1 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 include $(INCLUDE_DIR)/package.mk -define Package/dns2socks/Default +define Package/dns2socks SECTION:=net CATEGORY:=Network SUBMENU:=IP Addresses and Names TITLE:=The utility to resolve DNS requests via a SOCKS5 tunnel. - URL:=http://dns2socks.sourceforge.net/ - MAINTAINER:=ghostmaker + URL:=https://sourceforge.net/projects/dns2socks/ DEPENDS:=+libpthread endef -define Package/dns2socks - $(call Package/dns2socks/Default) -endef - define Package/dns2socks/description This is a utility to resolve DNS requests via a SOCKS5 tunnel and caches the answers. 
endef -define Build/Prepare - mkdir -p $(PKG_BUILD_DIR) - unzip $(DL_DIR)/$(PKG_SOURCE) -d $(PKG_BUILD_DIR) -endef - define Build/Compile $(TARGET_CC) \ $(TARGET_CFLAGS) \ $(TARGET_CPPFLAGS) \ $(FPIC) \ - -o $(PKG_BUILD_DIR)/$(PKG_SOURCE_SUBDIR)/$(PKG_NAME) \ - $(PKG_BUILD_DIR)/$(PKG_SOURCE_SUBDIR)/DNS2SOCKS.c \ + -o $(PKG_BUILD_DIR)/DNS2SOCKS/$(PKG_NAME) \ + $(PKG_BUILD_DIR)/DNS2SOCKS/DNS2SOCKS.c \ $(TARGET_LDFLAGS) -pthread endef -define Build/Install -endef - define Package/dns2socks/install $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/$(PKG_SOURCE_SUBDIR)/$(PKG_NAME) $(1)/usr/bin/dns2socks + $(INSTALL_BIN) $(PKG_BUILD_DIR)/DNS2SOCKS/$(PKG_NAME) $(1)/usr/bin/dns2socks endef $(eval $(call BuildPackage,dns2socks)) diff --git a/package/network/utils/ethtool/Makefile b/package/network/utils/ethtool/Makefile index c2f92a4ed9..6547eee9a5 100644 --- a/package/network/utils/ethtool/Makefile +++ b/package/network/utils/ethtool/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ethtool -PKG_VERSION:=5.4 +PKG_VERSION:=5.8 PKG_RELEASE:=1 PKG_MAINTAINER:=Felix Fietkau PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@KERNEL/software/network/ethtool -PKG_HASH:=22f81e4927d6eb6a13a259d705248a96005fce2005e15257f639f5a1c8c52b6b +PKG_HASH:=2f3b54d08d048f5977b80cb6cb4744994370def7553ee634d39dbbb6ccf87546 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING @@ -45,6 +45,8 @@ define Package/ethtool/config bool "Enable pretty printing" endef +CONFIGURE_ARGS += --disable-netlink + ifeq ($(CONFIG_ETHTOOL_PRETTY_DUMP),y) CONFIGURE_ARGS += --enable-pretty-dump else diff --git a/package/network/utils/iproute2/Makefile b/package/network/utils/iproute2/Makefile index 89bbeb5608..9533487057 100644 --- a/package/network/utils/iproute2/Makefile +++ b/package/network/utils/iproute2/Makefile 
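Review bot: `PKG_SOURCE_VERSION:=HEAD` together with `PKG_SOURCE_PROTO:=git` and no `PKG_MIRROR_HASH` means the package builds whatever the repository's default branch points to at download time. The checksummed tarball it replaces (`PKG_MD5SUM`) is dropped with no integrity check in its place. Because `PKG_SOURCE` is a fixed name, a cached tarball in the download directory will also hide later upstream changes, so two builds of "2.1" can contain different code. Pin the source with `PKG_SOURCE_VERSION:=<full commit id>` and add `PKG_MIRROR_HASH:=<sha256 of the packed tarball>`. The licence also changes from `BSD-3-Clause` to `GPL-3.0` in this hunk, which should be checked against the new repository's LICENSE file.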
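Review bot: `CONFIGURE_ARGS += --disable-netlink` is added without a comment and applies unconditionally, so every build of the new version drops ethtool's netlink interface. If the reason is to avoid pulling in an extra library (an assumption; the hunk does not say), a one-line comment above it would record that, for example `# netlink interface needs libmnl; keep ethtool ioctl-only for now`.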
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=iproute2 -PKG_VERSION:=5.7.0 -PKG_RELEASE:=2 +PKG_VERSION:=5.8.0 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@KERNEL/linux/utils/net/iproute2 -PKG_HASH:=725dc7ba94aae54c6f8d4223ca055d9fb4fe89d6994b1c03bfb4411c4dd10f21 +PKG_HASH:=cfcd1f890290f8c8afcc91d9444ad929b9252c16f9ab3f286c50dd3c59dc646e PKG_BUILD_PARALLEL:=1 PKG_BUILD_DEPENDS:=iptables PKG_LICENSE:=GPL-2.0 diff --git a/package/network/utils/iproute2/patches/001-devlink-update-include-files.patch b/package/network/utils/iproute2/patches/001-devlink-update-include-files.patch deleted file mode 100644 index ab43fb7700..0000000000 --- a/package/network/utils/iproute2/patches/001-devlink-update-include-files.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 12fafa27c7b306e6c397e858f4d5a8159500f659 Mon Sep 17 00:00:00 2001 -From: Stephen Hemminger -Date: Thu, 11 Jun 2020 09:46:46 -0700 -Subject: [PATCH] devlink: update include files - -Use the tool iwyu to get more complete list of includes for -all the bits used by devlink. - -This should also fix build with musl libc. - -Fixes: c4dfddccef4e ("fix JSON output of mon command") -Reported-off-by: Dan Robertson -Signed-off-by: Stephen Hemminger ---- - devlink/devlink.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - ---- a/devlink/devlink.c -+++ b/devlink/devlink.c -@@ -19,18 +19,25 @@ - #include - #include - #include -+#include -+#include -+#include -+#include - #include - #define _LINUX_SYSINFO_H /* avoid collision with musl header */ - #include - #include -+#include - #include - #include -+#include -+#include - #include - - #include "SNAPSHOT.h" - #include "list.h" - #include "mnlg.h" --#include "json_writer.h" -+#include "json_print.h" - #include "utils.h" - #include "namespace.h" - 
diff --git a/package/network/utils/iproute2/patches/002-configure-support-ipset-v7.patch b/package/network/utils/iproute2/patches/002-configure-support-ipset-v7.patch deleted file mode 100644 index cd0c529544..0000000000 --- a/package/network/utils/iproute2/patches/002-configure-support-ipset-v7.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 650591a7a70cd79d826fcdc579a20c168c987cf2 Mon Sep 17 00:00:00 2001 -From: Tony Ambardar -Date: Tue, 7 Jul 2020 00:58:33 -0700 -Subject: [PATCH] configure: support ipset version 7 with kernel version 5 - -The configure script checks for ipset v6 availability but doesn't test -for v7, which is backward compatible and used on kernel v5.x systems. -Update the script to test for both ipset versions. Without this change, -the tc ematch function em_ipset will be disabled. - -Signed-off-by: Tony Ambardar -Signed-off-by: Stephen Hemminger ---- - configure | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure b/configure -index f415bf49..307912aa 100755 ---- a/configure -+++ b/configure -@@ -208,7 +208,7 @@ typedef unsigned short ip_set_id_t; - #include - - struct xt_set_info info; --#if IPSET_PROTOCOL == 6 -+#if IPSET_PROTOCOL == 6 || IPSET_PROTOCOL == 7 - int main(void) - { - return IPSET_MAXNAMELEN; --- -2.17.1 - diff --git a/package/network/utils/iproute2/patches/115-add-config-xtlibdir.patch b/package/network/utils/iproute2/patches/115-add-config-xtlibdir.patch index 1b6e7441c8..03df7809f7 100644 --- a/package/network/utils/iproute2/patches/115-add-config-xtlibdir.patch +++ b/package/network/utils/iproute2/patches/115-add-config-xtlibdir.patch @@ -1,6 +1,6 @@ --- a/tc/Makefile +++ b/tc/Makefile -@@ -126,6 +126,9 @@ CFLAGS += -DCONFIG_GACT -DCONFIG_GACT_PR +@@ -127,6 +127,9 @@ CFLAGS += -DCONFIG_GACT -DCONFIG_GACT_PR ifneq ($(IPT_LIB_DIR),) CFLAGS += -DIPT_LIB_DIR=\"$(IPT_LIB_DIR)\" endif 
diff --git a/package/network/utils/iproute2/patches/170-ip_tiny.patch b/package/network/utils/iproute2/patches/170-ip_tiny.patch index 7129d4f19e..c9b28dfe77 100644 --- a/package/network/utils/iproute2/patches/170-ip_tiny.patch +++ b/package/network/utils/iproute2/patches/170-ip_tiny.patch @@ -33,7 +33,7 @@ "where OBJECT := { link | address | addrlabel | route | rule | neigh | ntable |\n" " tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |\n" " netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila |\n" - " vrf | sr | nexthop }\n" + " vrf | sr | nexthop | mptcp }\n" +#else + "where OBJECT := { link | address | route | rule | neigh | tunnel | maddress |\n" + " mroute | mrule | monitor | netns | macsec | token | ila |\n" @@ -42,7 +42,7 @@ " OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |\n" " -h[uman-readable] | -iec | -j[son] | -p[retty] |\n" " -f[amily] { inet | inet6 | mpls | bridge | link } |\n" -@@ -74,35 +80,49 @@ static const struct cmd { +@@ -74,36 +80,50 @@ static const struct cmd { int (*func)(int argc, char **argv); } cmds[] = { { "address", do_ipaddr }, @@ -88,6 +88,7 @@ { "sr", do_seg6 }, +#ifndef IPROUTE2_TINY { "nexthop", do_ipnh }, + { "mptcp", do_mptcp }, +#endif { "help", do_help }, { 0 } @@ -104,4 +105,4 @@ + UTILOBJ = utils.o rt_names.o ll_map.o ll_types.o ll_proto.o ll_addr.o \ inet_proto.o namespace.o json_writer.o json_print.o \ - names.o color.o bpf.o exec.o fs.o + names.o color.o bpf.o exec.o fs.o cg_map.o diff --git a/package/network/utils/iproute2/patches/175-reduce-dynamic-syms.patch b/package/network/utils/iproute2/patches/175-reduce-dynamic-syms.patch index dbb516f02e..e5d5492a35 100644 --- a/package/network/utils/iproute2/patches/175-reduce-dynamic-syms.patch +++ b/package/network/utils/iproute2/patches/175-reduce-dynamic-syms.patch @@ -1,6 +1,6 @@ --- a/tc/Makefile 
+++ b/tc/Makefile -@@ -113,7 +113,7 @@ LDLIBS += -L. -lm +@@ -114,7 +114,7 @@ LDLIBS += -L. -lm ifeq ($(SHARED_LIBS),y) LDLIBS += -ldl @@ -9,7 +9,7 @@ endif TCLIB := tc_core.o -@@ -142,7 +142,7 @@ MODDESTDIR := $(DESTDIR)$(LIBDIR)/tc +@@ -143,7 +143,7 @@ MODDESTDIR := $(DESTDIR)$(LIBDIR)/tc all: tc $(TCSO) tc: $(TCOBJ) $(LIBNETLINK) libtc.a @@ -18,7 +18,7 @@ libtc.a: $(TCLIB) $(QUIET_AR)$(AR) rcs $@ $^ -@@ -164,6 +164,7 @@ install: all +@@ -165,6 +165,7 @@ install: all clean: rm -f $(TCOBJ) $(TCLIB) libtc.a tc *.so emp_ematch.tab.h; \ rm -f emp_ematch.tab.* @@ -26,7 +26,7 @@ q_atm.so: q_atm.c $(QUIET_CC)$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -shared -fpic -o q_atm.so q_atm.c -latm -@@ -203,4 +204,15 @@ static-syms.h: $(wildcard *.c) +@@ -204,4 +205,15 @@ static-syms.h: $(wildcard *.c) sed -n '/'$$s'[^ ]* =/{s:.* \([^ ]*'$$s'[^ ]*\) .*:extern char \1[] __attribute__((weak)); if (!strcmp(sym, "\1")) return \1;:;p}' $$files ; \ done > $@ diff --git a/package/network/utils/wireguard-tools/Makefile b/package/network/utils/wireguard-tools/Makefile index 8cb1e46587..844d8893c2 100644 --- a/package/network/utils/wireguard-tools/Makefile +++ b/package/network/utils/wireguard-tools/Makefile @@ -12,7 +12,7 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard-tools PKG_VERSION:=1.0.20200820 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/ diff --git a/package/network/utils/wireguard-tools/files/wireguard.sh b/package/network/utils/wireguard-tools/files/wireguard.sh index ccac34e45f..63261aea71 100644 --- a/package/network/utils/wireguard-tools/files/wireguard.sh +++ b/package/network/utils/wireguard-tools/files/wireguard.sh 
@@ -112,6 +112,7 @@ proto_wireguard_setup() { config_get fwmark "${config}" "fwmark" config_get ip6prefix "${config}" "ip6prefix" config_get nohostroute "${config}" "nohostroute" + config_get tunlink "${config}" "tunlink" ip link del dev "${config}" 2>/dev/null ip link add dev "${config}" type wireguard @@ -173,7 +174,7 @@ proto_wireguard_setup() { sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \ while IFS=$'\t ' read -r key address port; do [ -n "${port}" ] || continue - proto_add_host_dependency "${config}" "${address}" + proto_add_host_dependency "${config}" "${address}" "${tunlink}" done fi diff --git a/package/system/refpolicy/Makefile b/package/system/refpolicy/Makefile new file mode 100644 index 0000000000..f1a33c8e79 --- /dev/null +++ b/package/system/refpolicy/Makefile 
@@ -0,0 +1,80 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=refpolicy +PKG_VERSION:=2.20200229 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 +PKG_SOURCE_URL:=https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20200229 +PKG_HASH:=dec854512ed00cd057408f330c2cea4de7a4405f7a147458f59c994bf578e4b0 +PKG_INSTALL:=1 +PKG_BUILD_DEPENDS:=checkpolicy/host policycoreutils/host + +PKG_MAINTAINER:=Thomas Petazzoni +PKG_CPE_ID:=cpe:/a:tresys:refpolicy +PKG_LICENSE:=GPL-2.0-or-later +PKG_LICENSE_FILES:=COPYING + +TAR_OPTIONS:=--transform='s%^refpolicy%$(PKG_NAME)-$(PKG_VERSION)%' -xf - + +include $(INCLUDE_DIR)/package.mk + +define Package/refpolicy + SECTION:=system + CATEGORY:=Base system + TITLE:=SELinux reference policy + URL:=http://selinuxproject.org/page/Main_Page +endef + +define Package/refpolicy/description + The SELinux Reference Policy project (refpolicy) is a + complete SELinux policy that can be used as the system + policy for a variety of systems and used as the basis for + creating other policies. Reference Policy was originally + based on the NSA example policy, but aims to accomplish many + additional goals. + + The current refpolicy does not fully support OpenWRT and + needs modifications to work with the default system file + layout. These changes should be added as patches to the + refpolicy that modify a single SELinux policy. + + The refpolicy works for the most part in permissive + mode. Only the basic set of utilities are enabled in the + example policy config and some of the pathing in the + policies is not correct. Individual policies would need to + be tweaked to get everything functioning properly. +endef + +# Yes, we want CC=$(HOSTCC) because the only code that checkpolicy +# builds is a small host tool that gets run as part of the build +# process. 
+MAKE_FLAGS += \ + TEST_TOOLCHAIN="$(STAGING_DIR_HOSTPKG)" \ + BINDIR=/bin \ + SBINDIR=/sbin \ + CC="$(HOSTCC)" \ + CFLAGS="$(HOST_CFLAGS)" + +define Build/Configure + $(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf + $(SED) "/NAME/c\NAME = targeted" $(PKG_BUILD_DIR)/build.conf + $(call Build/Compile/Default,conf) +endef + +define Package/refpolicy/conffiles +/etc/selinux/config +endef + +define Package/refpolicy/install + $(INSTALL_DIR) $(1)/etc/selinux + $(CP) $(PKG_INSTALL_DIR)/etc/selinux/* $(1)/etc/selinux/ + $(CP) ./files/selinux-config $(1)/etc/selinux/config +endef + +$(eval $(call BuildPackage,refpolicy)) diff --git a/package/system/refpolicy/files/selinux-config b/package/system/refpolicy/files/selinux-config new file mode 100644 index 0000000000..2ae174d297 --- /dev/null +++ b/package/system/refpolicy/files/selinux-config @@ -0,0 +1,7 @@ +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=permissive +SELINUXTYPE=targeted diff --git a/package/utils/checkpolicy/Makefile b/package/utils/checkpolicy/Makefile new file mode 100644 index 0000000000..5e32bc5871 --- /dev/null +++ b/package/utils/checkpolicy/Makefile 
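Review bot: The two `$(SED)` calls in `Build/Configure` use the unanchored patterns `/MONOLITHIC/` and `/NAME/`, which replace every line of `build.conf` that merely contains those strings, comments and other variable names included. Anchoring them keeps the edit to the intended assignments: `$(SED) "/^MONOLITHIC[[:space:]]*=/c\MONOLITHIC = y"` and `$(SED) "/^NAME[[:space:]]*=/c\NAME = targeted"`. The comment above `MAKE_FLAGS` talks about "the only code that checkpolicy builds", but this is the refpolicy Makefile, so the comment should name the right package. `NAME = targeted` is also what the hard-coded `etc/selinux/targeted/` path in `include/image.mk` relies on, and a comment here should say so.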
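Review bot: `SELINUX=permissive` in the shipped `selinux-config` only takes effect on a kernel built with `CONFIG_SECURITY_SELINUX_DEVELOP`. This commit adds `KERNEL_SECURITY_SELINUX_DEVELOP` as an optional bool that nothing selects, and the generic kernel configs leave the symbol unset. As far as I can tell, a SELinux kernel built from these defaults would stay enforcing once a policy is loaded, regardless of this file. The refpolicy description in the same commit says the policy only mostly works in permissive mode. Either have the SELinux option select `KERNEL_SECURITY_SELINUX_DEVELOP` while the policy is unfinished, or add a comment line to this file such as `# permissive requires a kernel built with CONFIG_SECURITY_SELINUX_DEVELOP`.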
@@ -0,0 +1,51 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=checkpolicy +PKG_VERSION:=3.1 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20200710 +PKG_HASH:=dfc7707070520c93b14fbbdfdbe081364d806bf28e3e79e10318c2594c77bbb2 +PKG_INSTALL:=1 +HOST_BUILD_DEPENDS:=libselinux/host + +PKG_MAINTAINER:=Thomas Petazzoni +PKG_CPE_ID:=cpe:/a:selinuxproject:checkpolicy +PKG_LICENSE:=GPL-2.0-or-later +PKG_LICENSE_FILES:=COPYING + +include $(INCLUDE_DIR)/package.mk + +define Package/checkpolicy + SECTION:=utils + CATEGORY:=Utilities + TITLE:=SELinux policy compiler + URL:=http://selinuxproject.org/page/Main_Page +endef + +define Package/checkpolicy/description + checkpolicy is the SELinux policy compiler. It uses libsepol + to generate the binary policy. checkpolicy uses the static + libsepol since it deals with low level details of the policy + that have not been encapsulated/abstracted by a proper + shared library interface. +endef + +include $(INCLUDE_DIR)/host-build.mk + +HOST_MAKE_FLAGS += \ + PREFIX=$(STAGING_DIR_HOSTPKG) + +define Package/checkpolicy/install + $(INSTALL_DIR) $(1)/usr/bin + $(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/ +endef + +$(eval $(call HostBuild)) +$(eval $(call BuildPackage,checkpolicy)) diff --git a/package/utils/policycoreutils/Makefile b/package/utils/policycoreutils/Makefile new file mode 100644 index 0000000000..c82731b740 --- /dev/null +++ b/package/utils/policycoreutils/Makefile 
@@ -0,0 +1,83 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=policycoreutils +PKG_VERSION:=3.1 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20200710 +PKG_HASH:=c889f62ee80f8b6a369469a9b8af51f5b797975aeaa291f5c5960cc12eed1934 +PKG_INSTALL:=1 +HOST_BUILD_DEPENDS:=libsemanage/host +PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam + +PKG_MAINTAINER:=Thomas Petazzoni +PKG_CPE_ID:=cpe:/a:selinuxproject:policycoreutils +PKG_LICENSE:=GPL-2.0-or-later +PKG_LICENSE_FILES:=COPYING + +include $(INCLUDE_DIR)/package.mk + +define Package/policycoreutils + SECTION:=utils + CATEGORY:=Utilities + DEPENDS:= +libsemanage +libcap-ng +BUSYBOX_CONFIG_PAM:libpam + TITLE:=SELinux policy utilities + URL:=http://selinuxproject.org/page/Main_Page + ALTERNATIVES:=\ + 300:/sbin/restorecon:policycoreutils-restorecon \ + 300:/sbin/setfiles:policycoreutils-setfiles \ + 300:/usr/sbin/load_policy:policycoreutils-load_policy \ + 300:/usr/sbin/sestatus:policycoreutils-sestatus \ + 300:/usr/sbin/setsebool:policycoreutils-setsebool +endef + +define Package/policycoreutils/description + Policycoreutils is a collection of policy utilities + (originally the "core" set of utilities needed to use + SELinux, although it has grown a bit over time), which have + different dependencies. sestatus, secon, run_init, and + newrole only use libselinux. load_policy and setfiles only + use libselinux and libsepol. semodule and semanage use + libsemanage (and thus bring in dependencies on libsepol and + libselinux as well). setsebool uses libselinux to make + non-persistent boolean changes (via the kernel interface) + and uses libsemanage to make persistent boolean changes. 
+endef + +include $(INCLUDE_DIR)/host-build.mk + +HOST_MAKE_FLAGS += \ + PAMH=$(CONFIG_BUSYBOX_CONFIG_PAM) \ + PREFIX=$(STAGING_DIR_HOSTPKG) \ + SBINDIR=$(STAGING_DIR_HOSTPKG)/sbin \ + ETCDIR=$(STAGING_DIR_HOSTPKG)/etc + +MAKE_FLAGS += \ + PAMH=$(CONFIG_BUSYBOX_CONFIG_PAM) + +define Package/policycoreutils/install + $(INSTALL_DIR) $(1)/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/sbin/restorecon_xattr $(1)/sbin/restorecon_xattr + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/sbin/restorecon $(1)/sbin/policycoreutils-restorecon + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/sbin/setfiles $(1)/sbin/policycoreutils-setfiles + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/fixfiles $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/genhomedircon $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/open_init_pty $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/run_init $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/semodule $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/load_policy $(1)/usr/sbin/policycoreutils-load_policy + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/sestatus $(1)/usr/sbin/policycoreutils-sestatus + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setsebool $(1)/usr/sbin/policycoreutils-setsebool + $(INSTALL_DIR) $(1)/usr/bin + $(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/ +endef + +$(eval $(call HostBuild)) +$(eval $(call BuildPackage,policycoreutils)) diff --git a/target/linux/generic/config-4.14 b/target/linux/generic/config-4.14 index aed0cb5058..49aba2a93f 100644 --- a/target/linux/generic/config-4.14 +++ b/target/linux/generic/config-4.14 @@ -1118,6 +1118,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 # CONFIG_DEFAULT_RENO is not set CONFIG_DEFAULT_SECURITY="" CONFIG_DEFAULT_SECURITY_DAC=y +# CONFIG_DEFAULT_SECURITY_SELINUX is not set CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" # CONFIG_DELL_LAPTOP is not set 
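Review bot: `HOST_MAKE_FLAGS` passes `PAMH=$(CONFIG_BUSYBOX_CONFIG_PAM)`, which ties the host build of policycoreutils to a target option. With PAM enabled for the target, the host tools would presumably be built against PAM too and need PAM headers on the build machine, although only `setfiles` is used from the host side. Since `PKG_BUILD_DEPENDS` and `DEPENDS` already handle the target case, the host line could be `PAMH=` (empty), leaving `MAKE_FLAGS += PAMH=$(CONFIG_BUSYBOX_CONFIG_PAM)` for the target build. A short comment on the `ALTERNATIVES` block explaining that these five tools are renamed to avoid clashing with applets provided elsewhere would also help.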
@@ -1363,6 +1364,7 @@ CONFIG_EXTRA_TARGETS="" # CONFIG_F2FS_IO_TRACE is not set # CONFIG_FAIR_GROUP_SCHED is not set # CONFIG_FANOTIFY is not set +# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set CONFIG_FAT_DEFAULT_CODEPAGE=437 CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" # CONFIG_FAT_DEFAULT_UTF8 is not set @@ -1504,6 +1506,24 @@ CONFIG_FLAT_NODE_MEM_MAP=y # CONFIG_FORCEDETH is not set CONFIG_FORCE_MAX_ZONEORDER=11 CONFIG_FORTIFY_SOURCE=y +# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set +# CONFIG_SECURITY_SELINUX_DISABLE is not set +# CONFIG_SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_SELINUX_AVC_STATS is not set +CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 +# CONFIG_SECURITY_SMACK is not set +# CONFIG_SECURITY_TOMOYO is not set +# CONFIG_SECURITY_APPARMOR is not set +# CONFIG_SECURITY_LOADPIN is not set +# CONFIG_SECURITY_YAMA is not set +# CONFIG_SECURITY_SAFESETID is not set +# CONFIG_SECURITY_LOCKDOWN_LSM is not set +# CONFIG_INTEGRITY is not set +# CONFIG_INTEGRITY_SIGNATURE is not set +# CONFIG_INTEGRITY_AUDIT is not set +# CONFIG_IMA is not set +# CONFIG_EVM is not set +# CONFIG_LSM is not set # CONFIG_FPGA is not set # CONFIG_FRAMEBUFFER_CONSOLE is not set # CONFIG_FRAME_POINTER is not set @@ -3054,6 +3074,7 @@ CONFIG_NETDEVICES=y # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set # CONFIG_NETFILTER_XT_TARGET_RATEEST is not set # CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set +# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set # CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set # CONFIG_NETFILTER_XT_TARGET_TEE is not set @@ -3065,6 +3086,7 @@ CONFIG_NETDEVICES=y # CONFIG_NETROM is not set CONFIG_NETWORK_FILESYSTEMS=y # CONFIG_NETWORK_PHY_TIMESTAMPING is not set +# CONFIG_NETLABEL is not set # CONFIG_NETWORK_SECMARK is not set # CONFIG_NETXEN_NIC is not set # CONFIG_NET_9P is not set 
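Review bot: The block starting with `# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set` is inserted between `CONFIG_FORTIFY_SOURCE=y` and `# CONFIG_FPGA is not set`, while the surrounding file is kept in alphabetical order. `CONFIG_LSM_MMAP_MIN_ADDR=65536` is likewise placed among the `CONFIG_SECURITY*` entries in the later hunk. The same placement is repeated in the `config-4.19` and `config-5.4` hunks. Moving the entries to their sorted positions (`CONFIG_SECURITY_*` next to `# CONFIG_SECURITY is not set`, `CONFIG_INTEGRITY*`, `CONFIG_IMA`, `CONFIG_EVM`, `CONFIG_LSM*` in their own slots) keeps a later config refresh from producing an unrelated reorder diff. `# CONFIG_LSM is not set` also deserves a second look, since on kernels where `CONFIG_LSM` is a string symbol the "is not set" form may have no effect.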
@@ -3291,6 +3313,7 @@ CONFIG_NFS_V3=y CONFIG_NF_CONNTRACK_PROCFS=y # CONFIG_NF_CONNTRACK_PROC_COMPAT is not set # CONFIG_NF_CONNTRACK_SANE is not set +# CONFIG_NF_CONNTRACK_SECMARK is not set # CONFIG_NF_CONNTRACK_SIP is not set # CONFIG_NF_CONNTRACK_SNMP is not set # CONFIG_NF_CONNTRACK_TFTP is not set @@ -4125,6 +4148,8 @@ CONFIG_SCSI_PROC_FS=y CONFIG_SECTION_MISMATCH_WARN_ONLY=y # CONFIG_SECURITY is not set # CONFIG_SECURITYFS is not set +# CONFIG_SECURITY_PATH is not set +CONFIG_LSM_MMAP_MIN_ADDR=65536 CONFIG_SECURITY_DMESG_RESTRICT=y CONFIG_SELECT_MEMORY_MODEL=y # CONFIG_SENSORS_ABITUGURU is not set diff --git a/target/linux/generic/config-4.19 b/target/linux/generic/config-4.19 index d2fda9fae6..d00dabdb13 100644 --- a/target/linux/generic/config-4.19 +++ b/target/linux/generic/config-4.19 @@ -1158,6 +1158,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 # CONFIG_DEFAULT_RENO is not set CONFIG_DEFAULT_SECURITY="" CONFIG_DEFAULT_SECURITY_DAC=y +# CONFIG_DEFAULT_SECURITY_SELINUX is not set CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set @@ -1431,6 +1432,7 @@ CONFIG_EXTRA_TARGETS="" # CONFIG_FAILOVER is not set # CONFIG_FAIR_GROUP_SCHED is not set # CONFIG_FANOTIFY is not set +# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set CONFIG_FAT_DEFAULT_CODEPAGE=437 CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" # CONFIG_FAT_DEFAULT_UTF8 is not set 
@@ -1572,6 +1574,24 @@ CONFIG_FLAT_NODE_MEM_MAP=y # CONFIG_FORCEDETH is not set CONFIG_FORCE_MAX_ZONEORDER=11 CONFIG_FORTIFY_SOURCE=y +# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set +# CONFIG_SECURITY_SELINUX_DISABLE is not set +# CONFIG_SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_SELINUX_AVC_STATS is not set +CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 +# CONFIG_SECURITY_SMACK is not set +# CONFIG_SECURITY_TOMOYO is not set +# CONFIG_SECURITY_APPARMOR is not set +# CONFIG_SECURITY_LOADPIN is not set +# CONFIG_SECURITY_YAMA is not set +# CONFIG_SECURITY_SAFESETID is not set +# CONFIG_SECURITY_LOCKDOWN_LSM is not set +# CONFIG_INTEGRITY is not set +# CONFIG_INTEGRITY_SIGNATURE is not set +# CONFIG_INTEGRITY_AUDIT is not set +# CONFIG_IMA is not set +# CONFIG_EVM is not set +# CONFIG_LSM is not set # CONFIG_FPGA is not set # CONFIG_FRAMEBUFFER_CONSOLE is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -3186,6 +3206,7 @@ CONFIG_NETDEVICES=y # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set # CONFIG_NETFILTER_XT_TARGET_RATEEST is not set # CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set +# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set # CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set # CONFIG_NETFILTER_XT_TARGET_TEE is not set @@ -3197,6 +3218,7 @@ CONFIG_NETDEVICES=y # CONFIG_NETROM is not set CONFIG_NETWORK_FILESYSTEMS=y # CONFIG_NETWORK_PHY_TIMESTAMPING is not set +# CONFIG_NETLABEL is not set # CONFIG_NETWORK_SECMARK is not set # CONFIG_NETXEN_NIC is not set # CONFIG_NET_9P is not set @@ -3446,6 +3468,7 @@ CONFIG_NFS_V3=y CONFIG_NF_CONNTRACK_PROCFS=y # CONFIG_NF_CONNTRACK_PROC_COMPAT is not set # CONFIG_NF_CONNTRACK_SANE is not set +# CONFIG_NF_CONNTRACK_SECMARK is not set # CONFIG_NF_CONNTRACK_SIP is not set # CONFIG_NF_CONNTRACK_SNMP is not set # CONFIG_NF_CONNTRACK_TFTP is not set 
@@ -4320,6 +4343,8 @@ CONFIG_SCSI_PROC_FS=y CONFIG_SECTION_MISMATCH_WARN_ONLY=y # CONFIG_SECURITY is not set # CONFIG_SECURITYFS is not set +# CONFIG_SECURITY_PATH is not set +CONFIG_LSM_MMAP_MIN_ADDR=65536 CONFIG_SECURITY_DMESG_RESTRICT=y CONFIG_SELECT_MEMORY_MODEL=y # CONFIG_SENSORS_ABITUGURU is not set diff --git a/target/linux/generic/config-5.4 b/target/linux/generic/config-5.4 index 6f9afffaff..a31ff11e15 100644 --- a/target/linux/generic/config-5.4 +++ b/target/linux/generic/config-5.4 @@ -399,6 +399,7 @@ CONFIG_ATAGS_PROC=y # CONFIG_ATA_ACPI is not set CONFIG_ATA_BMDMA=y # CONFIG_ATA_GENERIC is not set +# CONFIG_ATA_LEDS is not set # CONFIG_ATA_NONSTANDARD is not set # CONFIG_ATA_OVER_ETH is not set # CONFIG_ATA_PIIX is not set @@ -1209,6 +1210,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 # CONFIG_DEFAULT_RENO is not set CONFIG_DEFAULT_SECURITY="" CONFIG_DEFAULT_SECURITY_DAC=y +# CONFIG_DEFAULT_SECURITY_SELINUX is not set CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set @@ -1525,6 +1527,7 @@ CONFIG_EXTRA_TARGETS="" # CONFIG_FAILOVER is not set # CONFIG_FAIR_GROUP_SCHED is not set # CONFIG_FANOTIFY is not set +# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set CONFIG_FAT_DEFAULT_CODEPAGE=437 CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" # CONFIG_FAT_DEFAULT_UTF8 is not set 
@@ -1670,6 +1673,24 @@ CONFIG_FLAT_NODE_MEM_MAP=y # CONFIG_FORCEDETH is not set CONFIG_FORCE_MAX_ZONEORDER=11 CONFIG_FORTIFY_SOURCE=y +# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set +# CONFIG_SECURITY_SELINUX_DISABLE is not set +# CONFIG_SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_SELINUX_AVC_STATS is not set +CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 +# CONFIG_SECURITY_SMACK is not set +# CONFIG_SECURITY_TOMOYO is not set +# CONFIG_SECURITY_APPARMOR is not set +# CONFIG_SECURITY_LOADPIN is not set +# CONFIG_SECURITY_YAMA is not set +# CONFIG_SECURITY_SAFESETID is not set +# CONFIG_SECURITY_LOCKDOWN_LSM is not set +# CONFIG_INTEGRITY is not set +# CONFIG_INTEGRITY_SIGNATURE is not set +# CONFIG_INTEGRITY_AUDIT is not set +# CONFIG_IMA is not set +# CONFIG_EVM is not set +# CONFIG_LSM is not set # CONFIG_FPGA is not set # CONFIG_FRAMEBUFFER_CONSOLE is not set # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set @@ -1999,6 +2020,8 @@ CONFIG_HPET_MMAP_DEFAULT=y # CONFIG_HTC_PASIC3 is not set # CONFIG_HTS221 is not set # CONFIG_HTU21 is not set +# CONFIG_HUGETLB_PAGE is not set +# CONFIG_HUGETLBFS is not set # CONFIG_HVC_DCC is not set # CONFIG_HVC_UDBG is not set # CONFIG_HWLAT_TRACER is not set @@ -3365,6 +3388,7 @@ CONFIG_NETDEVICES=y # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set # CONFIG_NETFILTER_XT_TARGET_RATEEST is not set # CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set +# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set # CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set # CONFIG_NETFILTER_XT_TARGET_TEE is not set @@ -3376,6 +3400,7 @@ CONFIG_NETDEVICES=y # CONFIG_NETROM is not set CONFIG_NETWORK_FILESYSTEMS=y # CONFIG_NETWORK_PHY_TIMESTAMPING is not set +# CONFIG_NETLABEL is not set # CONFIG_NETWORK_SECMARK is not set # CONFIG_NETXEN_NIC is not set # CONFIG_NET_9P is not set 
@@ -3650,6 +3675,7 @@ CONFIG_NFS_V3=y
 CONFIG_NF_CONNTRACK_PROCFS=y
 # CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
 # CONFIG_NF_CONNTRACK_SANE is not set
+# CONFIG_NF_CONNTRACK_SECMARK is not set
 # CONFIG_NF_CONNTRACK_SIP is not set
 # CONFIG_NF_CONNTRACK_SNMP is not set
 # CONFIG_NF_CONNTRACK_TFTP is not set
@@ -4572,6 +4598,8 @@ CONFIG_SCSI_PROC_FS=y
 CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 # CONFIG_SECURITY is not set
 # CONFIG_SECURITYFS is not set
+# CONFIG_SECURITY_PATH is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SELECT_MEMORY_MODEL=y
 # CONFIG_SENSIRION_SGP30 is not set
@@ -5769,6 +5797,7 @@ CONFIG_TRACE_IRQFLAGS_SUPPORT=y
 # CONFIG_TRACING_EVENTS_GPIO is not set
 CONFIG_TRACING_SUPPORT=y
 CONFIG_TRAD_SIGNALS=y
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
 # CONFIG_TREE_RCU is not set
 # CONFIG_TREE_RCU_TRACE is not set
 # CONFIG_TRIM_UNUSED_KSYMS is not set
@@ -5877,6 +5906,7 @@ CONFIG_USB_DEFAULT_PERSIST=y
 # CONFIG_USB_EG20T is not set
 # CONFIG_USB_EHCI_ATH79 is not set
 # CONFIG_USB_EHCI_FSL is not set
+# CONFIG_USB_EHCI_HCD is not set
 # CONFIG_USB_EHCI_HCD_AT91 is not set
 # CONFIG_USB_EHCI_HCD_OMAP is not set
 # CONFIG_USB_EHCI_HCD_PPC_OF is not set
diff --git a/tools/coreutils/Makefile b/tools/coreutils/Makefile
index 05c8040fa5..537ece57cc 100644
--- a/tools/coreutils/Makefile
+++ b/tools/coreutils/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=coreutils
 PKG_CPE_ID:=cpe:/a:gnu:coreutils
-PKG_VERSION:=8.27
+PKG_VERSION:=8.32
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/coreutils
-PKG_HASH:=8891d349ee87b9ff7870f52b6d9312a9db672d2439d289bc57084771ca21656b
+PKG_HASH:=4458d8de7849df44ccab15e16b1548b285224dbba5f08fac070c1c0e0bcc4cfa
 HOST_BUILD_PARALLEL := 1
diff --git a/tools/coreutils/patches/001-fix-macos-vasnprintf.patch b/tools/coreutils/patches/001-fix-macos-vasnprintf.patch
deleted file mode 100644
index e41315d34e..0000000000
--- a/tools/coreutils/patches/001-fix-macos-vasnprintf.patch +++ /dev/null @@ -1,25 +0,0 @@ ---- a/lib/vasnprintf.c -+++ b/lib/vasnprintf.c -@@ -4858,7 +4858,11 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t * - #endif - *fbp = dp->conversion; - #if USE_SNPRINTF --# if !(((__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) && !defined __UCLIBC__) || ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__)) -+# if ! (((__GLIBC__ > 2 \ -+ || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) \ -+ && !defined __UCLIBC__) \ -+ || (defined __APPLE__ && defined __MACH__) \ -+ || ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__)) - fbp[1] = '%'; - fbp[2] = 'n'; - fbp[3] = '\0'; -@@ -4872,6 +4876,9 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t * - in format strings in writable memory may crash the program - (if compiled with _FORTIFY_SOURCE=2), so we should avoid it - in this situation. */ -+ /* macOS 10.13 High Sierra behaves like glibc with -+ _FORTIFY_SOURCE=2, and older macOS releases -+ presumably do not need %n. */ - /* On native Windows systems (such as mingw), we can avoid using - %n because: - - Although the gl_SNPRINTF_TRUNCATION_C99 test fails, diff --git a/tools/squashfskit4/Makefile b/tools/squashfskit4/Makefile index 396a7c0edc..9ed10ecef9 100644 --- a/tools/squashfskit4/Makefile +++ b/tools/squashfskit4/Makefile @@ -22,7 +22,7 @@ define Host/Compile $(MAKE) -C $(HOST_BUILD_DIR)/squashfs-tools \ XZ_SUPPORT=1 \ LZMA_XZ_SUPPORT=1 \ - XATTR_SUPPORT= \ + XATTR_SUPPORT=1 \ LZMA_LIB="$(STAGING_DIR_HOST)/lib/liblzma.a" \ EXTRA_CFLAGS="-I$(STAGING_DIR_HOST)/include" \ mksquashfs unsquashfs
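Review bot: `XATTR_SUPPORT=1` in `Host/Compile` is unconditional, so the host mksquashfs gains xattr handling for every build, not only those that select TARGET_ROOTFS_SECURITY_LABELS. Neither the squashfs-tools default for storing xattrs nor the mksquashfs invocation is visible here. If xattrs are stored by default, images built without labels could start carrying whatever extended attributes the build host attached to the staged rootfs, for example host SELinux labels or file capabilities. I would pass `-no-xattrs` in the image recipe whenever labels are disabled, or add a comment above this line such as `# xattr code is compiled in; image rules must opt in explicitly`. The rest of the `Host/Compile` definition lies outside the hunk.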