The license folder is a core part of OpenWrt and all GPL-2.0 licensed.
Use SPDX license tags to allow machines to check licenses.
Signed-off-by: Paul Spooren <mail@aparcar.org>
[rebase, keep some Copyright lines, sharpen commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The config setting was renamed to CONFIG_KPROBE_EVENTS.
Fixes: 97d3f800a8 ("config: kernel: Add KPROBE_EVENTS config option)
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Set CCACHE_DIR to $(TOPDIR)/.ccache and CCACHE_BASEDIR to $(TOPDIR).
This allows to do clean and dirclean. Cache hit rate for test build
after dirclean is ~65%.
If CCACHE is enabled stats are printed out at the end of building process.
CCACHE_DIR config variable allows to override default, which could be useful
when sharing cache with many builds.
cacheclean make target allows to clean the cache.
Changes from v1:
- remove ccache directory using CCACHE_DIR variable
- remove ccache leftovers from sdk and toolchain make files
- introduce CONFIG_CCACHE_DIR variable
- introduce cacheclean make target
Signed-off-by: Roman Yeryomin <roman@advem.lv>
Enable CONFIG_KEYS by default on systems which are not marked as
flash-space constraint by the 'small_flash' feature.
CONFIG_KEYS is required by Docker, enabling it in our kernel allows
users to run Docker on stock OpenWrt.
It is also used of by some network file systems (such as NFSv4) to
store credentials as well as UID/GID mappings.
Adds about 50kB to vmlinux on ath79/generic (~18kB compressed)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add KERNEL_KEYS_REQUEST_CACHE option.
'tristate' (ie. module builds) are not valid in Config-kernel.in, hence
remove tristate KERNEL_ENCRYPTED_KEYS. It will be readded as a kernel
module in a follow-up commit.
Fixes: 39d817cf38 ("Add config symbols for kernel keyring support")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This is a neat project, but offers no benefit to OpenWrt. The initial
reason for it was to be a replacement for libstdcpp as it is smaller
and lacks compatibility for C++98. Unfortunately, compiling several
packages with it results in larger ipk sizes.
While not a member of the packages feed, this will be moved to
packages-abandoned to keep it somewhere.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Drop our local sstrip copy and use the current ELFKickers upstream
version.
Patch the original makefile in order to avoid building elftoc, since it
fails with musl's elf.h. This is fine, since we only need sstrip anyway.
Finally, add the possibility to pass additional arguments to sstrip and
pass -z (remove trailing zeros) by default, which matches the behaviour
of the previous version.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[shorten long commit msg lines]
Signed-off-by: Paul Spooren <mail@aparcar.org>
Trivial cosmetic cleanup. This also helps for script that parse for
options in Config files.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Reviewed-by: Petr Štetiar <ynezz@true.cz>
This reverts commit 9eb9943f82.
Building the 'modular' variant requires 'semodule_package' from
'selinux-python' to be installed on the buildhost.
Apart from that, this change also broke the monolithic refpolicy
'targeted' build.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
JSON info files contain machine readable information of built profiles
and resulting images. These files were added in commit 881ed09ee6
("build: create JSON files containing image info").
They are useful for firmware wizards and script checking for
reproducibility.
Currently all JSON files are stored next to the built images, resulting
in up to 168 individual files for the ath79/generic target.
This patch refactors the JSON creation to store individual per image
(not per profile) files in $(BUILD_DIR)/json_info_files and create an
single overview file called `profiles.json` in the target directory.
Storing per image files and not per profile solves the problem of
parallel file writes. If a profiles sysupgrade and factory image are
finished at the same time both processes would write to the same JSON
file, resulting in randomly broken outputs.
Some target like x86/64 do not use the image code yet, resulting in
missing JSON files. If no JSON info files were created, no
`profiles.json` files is created as it would be empty anyway.
As before, this creation is enabled by default only if `BUILDBOT` is set.
Tested via buildroot & ImageBuilder on ath79/generic, imx6 and x86/64.
Signed-off-by: Paul Spooren <mail@aparcar.org>
[json_info_files dir handling in Make, if case refactoring]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This adds a variant of refpolicy that builds the modular form of the
policy. While this requires more memory on the target device, along with
some tricks to deal with OpenWrt's volatile /var directory, it is useful
for experiementing with SELinux policy.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
In order to make it easier for users to build with SELinux, have a
single option in 'Global build settings' to enable all necessary
kernel features, userland packages and build-system hooks.
Also add better descriptions and help messages while at it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The LSM (Linux security mechanism) list is the successor of the now
legacy *major LSM*. Instead of defining a single security mechanism the
LSM symbol is a comma separated list of mechanisms to load.
Until recently OpenWrt would only support DAC (Unix discretionary access
controls) which don't require an additional entry in the LSM list. With
the newly introduced SELinux support the LSM needs to be extended else
only a manual modified Kernel cmdline (`security=selinux`) would
activate SELinux.
As the default OpenWrt Kernel config sets DAC as default security
mechanism, SELinux is stripped from the LSM list, even if
`KERNEL_DEFAULT_SECURITY_SELINUX` is activated. To allow SELinux without
a modified cmdline this commit sets a specific LSM list if
`KERNEL_SECURITY_SELINUX` is enabled.
The upstream Kconfig adds even more mechanisms
(smack,selinux,tomoyo,apparmor), but until they're ported to OpenWrt,
these can be ignored.
To compile SELinux Kernel support but disable it from loading, the
already present options `KERNEL_SECURITY_SELINUX_DISABLE` or
`KERNEL_SECURITY_SELINUX_BOOTPARAM` (with custom cmdline `selinux=0`)
can be used. Further it's possible to edit `/etc/selinux/config`.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This adds a number of options to config/Config-kernel.in so that
packages related to SELinux support can enable the appropriate Linux
kernel support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase; add ext4, F2FS, UBIFS, and JFFS2 support; add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
This allows the build process to prepare a squashfs filesystem for use
with SELinux.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
The symbol KERNEL_CGROUP_HUGETLB is always used whenever KERNEL_CGROUPS is enabled.
The absence of this notation will cause the user to be asked to enter this parameter the first time it is compiled.
Signed-off-by: Yuan Tao <ty@wevs.org>
Remapping the local build path in debug information makes debugging
using ./scripts/remote-gdb harder, because files no longer refer to the full
path on the build host.
For local builds, debug information does not need to be reproducible,
since it will be stripped out of packages anyway.
For buildbot builds, it makes sense to keep debug information reproducible,
since the full path is not needed (nor desired) anywhere.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Enabling KERNEL_TRANSPARENT_HUGEPAGE exposes 2 missing symbols:
* CONFIG_READ_ONLY_THP_FOR_FS
* TRANSPARENT_HUGEPAGE_ALWAYS
* TRANSPARENT_HUGEPAGE_MADVISE
The first one was added in 5.4, and is marked experimental there so just
disable it in the generic config.
For the latter two, we should not force the user to use either of them,
so add them as build-configurable kernel options.
Fixes: d1a8217d87 ("kernel: clean-up build-configurable kernel config symbols")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
It was removed from target defaults though it didn't exist in the
build-systems kernel configuration options. Add it there.
Fixes: d1a8217d87 ("kernel: clean-up build-configurable kernel config symbols")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Don't explicitely disable options in target/linux/generic/config-* if
they are already controlled in config/Config-kernel.in.
Add a bunch of new symbols and prepare defaults for using only unified
hierarchy (ie. cgroup2). Update symbol dependencies while at it
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Currently the user space stack cookies work well also when the kernel
stack cookies are not activated. This is handled completely in user
space and does not need kernel support.
This dependency was probably needed some years ago when the libc did not
support stack cookies.
Reviewed-by: Ian Cooper <iancooper@hotmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Removes the standalone implementation of stack smashing protection
in gcc's libssp in favour of the native implementation available
in glibc and uclibc. Musl libc already uses its native ssp, so this
patch does not affect musl-based toolchains.
Stack smashing protection configuration options are now uniform
across all supported libc variants.
This also makes kernel-level stack smashing protection available
for x86_64 and i386 builds using non-musl libc.
Signed-off-by: Ian Cooper <iancooper@hotmail.com>
