[yocto] [PATCH meta-selinux] selinux: add nativesdk support for libselinux, libsepol and setfiles
luca.boccassi at gmail.com
luca.boccassi at gmail.com
Mon Jul 8 08:42:12 PDT 2019
From: Luca Boccassi <luca.boccassi at microsoft.com>
It is useful to be able to set labels at build time, via the SDK.
Add support for building a nativesdk package for
policycoreutils-setfiles and its dependencies, libselinux and libsepol.
---
recipes-security/selinux/libselinux.inc | 37 +++++++++++++++-----
recipes-security/selinux/libsepol.inc | 2 +-
recipes-security/selinux/policycoreutils.inc | 31 ++++++++++++++--
3 files changed, 57 insertions(+), 13 deletions(-)
diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc
index 6e115e3..c7da6f4 100644
--- a/recipes-security/selinux/libselinux.inc
+++ b/recipes-security/selinux/libselinux.inc
@@ -7,11 +7,12 @@ LICENSE = "PD"
inherit lib_package pythonnative
-DEPENDS += "libsepol python libpcre swig-native"
+DEPENDS += "libsepol libpcre"
+DEPENDS += "${@['', ' python swig-native']['${PN}' != 'nativesdk-${BPN}']}"
DEPENDS_append_libc-musl = " fts"
RDEPENDS_${PN}-python += "python-core python-shell"
-PACKAGES += "${PN}-python"
+PACKAGES += "${@['', '${PN}-python']['${PN}' != 'nativesdk-${BPN}']}"
FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*"
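Review bot: The nativesdk variant is detected in the new `DEPENDS` and `PACKAGES` lines by indexing a two-element list with `'${PN}' != 'nativesdk-${BPN}'`, which is hard to read and relies on the recipe name rather than the class actually in effect. A clearer form would be `DEPENDS += "${@'' if bb.data.inherits_class('nativesdk', d) else 'python swig-native'}"`, with the same test for `PACKAGES`. The same name-comparison idiom recurs in the policycoreutils.inc `DEPENDS` hunk and in the `FILES_${PN}-setfiles` hunk. A short comment above these lines saying that the Python bindings are deliberately not built for the SDK would also help the next maintainer.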
@@ -27,18 +28,36 @@ EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsep
EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
do_compile_append() {
- oe_runmake pywrap -j1 \
- INCLUDEDIR='${STAGING_INCDIR}' \
- LIBDIR='${STAGING_LIBDIR}' \
- PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}'
+ if '${PN}' != 'nativesdk-${BPN}'; then
+ oe_runmake pywrap -j1 \
+ INCLUDEDIR='${STAGING_INCDIR}' \
+ LIBDIR='${STAGING_LIBDIR}' \
+ PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}'
+ fi
}
do_install_append() {
- oe_runmake install-pywrap swigify \
- PYTHONLIBDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
+ if '${PN}' != 'nativesdk-${BPN}'; then
+ oe_runmake install-pywrap swigify \
+ PYTHONLIBDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
+ fi
if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then
rm -rf ${D}${base_sbindir}
fi
}
-BBCLASSEXTEND = "native"
+do_compile_class-nativesdk() {
+ oe_runmake INCLUDEDIR='${STAGING_INCDIR}' LIBDIR='${STAGING_LIBDIR}'
+}
+
+do_install_class-nativesdk() {
+ oe_runmake install \
+ DESTDIR="${D}" \
+ PREFIX="${prefix}" \
+ INCLUDEDIR="${includedir}" \
+ LIBDIR="${libdir}" \
+ SHLIBDIR="${base_libdir}" \
+ SBINDIR="${base_sbindir}"
+}
+
+BBCLASSEXTEND = "native nativesdk"
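Review bot: The new guards in `do_compile_append` and `do_install_append` are not shell tests: `if '${PN}' != 'nativesdk-${BPN}'; then` asks the shell to run a command named after the recipe with `!=` as an argument. That command does not exist, so the condition is false for every variant and, because a failing `if` condition does not abort the task, the `pywrap` and `install-pywrap swigify` steps would be skipped silently for target and native builds too. Both guards should read `if [ "${PN}" != "nativesdk-${BPN}" ]; then`. It is worth confirming after the fix that the target build still produces a non-empty `${PN}-python` package.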
diff --git a/recipes-security/selinux/libsepol.inc b/recipes-security/selinux/libsepol.inc
index a8ee749..041dadd 100644
--- a/recipes-security/selinux/libsepol.inc
+++ b/recipes-security/selinux/libsepol.inc
@@ -14,4 +14,4 @@ EXTRA_OEMAKE += "RANLIB='$(AR) s'"
DEPENDS += "flex-native"
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index 85ff164..1310804 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -15,9 +15,11 @@ PAM_SRC_URI = "file://pam.d/newrole \
file://pam.d/run_init \
"
-DEPENDS += "libsepol libselinux libsemanage libcap gettext-native"
+DEPENDS += "libsepol libselinux libcap"
EXTRA_DEPENDS = "libcap-ng libcgroup"
-DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
+DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native' and '${PN}' != 'nativesdk-${BPN}']}"
+TARGET_DEPENDS = " libsemanage gettext-native"
+DEPENDS += "${@['', '${TARGET_DEPENDS}']['${PN}' != 'nativesdk-${BPN}']}"
inherit selinux pythonnative
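Review bot: `TARGET_DEPENDS` is misnamed for what the condition does: `'${PN}' != 'nativesdk-${BPN}'` is also true for the `-native` variant, so `libsemanage gettext-native` is still added to native builds and not only to the target. Either rename it (for example `NON_SDK_DEPENDS`) or add a comment such as `# needed by every variant except nativesdk, which only builds setfiles`. The leading space inside the value is also unnecessary with `+=`.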
@@ -78,6 +80,13 @@ PACKAGES =+ "\
${PN}-setfiles \
${PN}-setsebool \
"
+
+# only policycoreutils-setfiles is supported for the native SDK target
+python () {
+ if d.getVar("PN").startswith("nativesdk-"):
+ d.setVar("PACKAGES", d.getVar("PN") + "-setfiles")
+}
+
FILES_${PN}-fixfiles += "${base_sbindir}/fixfiles"
FILES_${PN}-genhomedircon += "${base_sbindir}/genhomedircon"
FILES_${PN}-loadpolicy += "\
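Review bot: The anonymous Python function detects the SDK variant with `d.getVar("PN").startswith("nativesdk-")`, while every other test in this patch compares `${PN}` with `nativesdk-${BPN}`; one check should be used throughout, and `bb.data.inherits_class('nativesdk', d)` states the intent directly. The function also replaces `PACKAGES` outright, so the `-dbg`, `-doc` and `-dev` packages disappear for this variant. The comment above it should say so, for example `# nativesdk ships a single package; -dbg/-doc are dropped and their files are listed under ${PN}-setfiles`.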
@@ -100,9 +109,17 @@ FILES_${PN}-sestatus += "\
${base_sbindir}/sestatus \
${sysconfdir}/sestatus.conf \
"
+# Install the debug files and manpages in the SDK, so that they can be used
+# by developers
FILES_${PN}-setfiles += "\
${base_sbindir}/restorecon \
${base_sbindir}/setfiles \
+ ${@['', '${base_sbindir}/restorecon_xattr']['${PN}' == 'nativesdk-${BPN}']} \
+ ${@['', '${datadir}/man/man8/restorecon.8']['${PN}' == 'nativesdk-${BPN}']} \
+ ${@['', '${datadir}/man/man8/restorecon_xattr.8']['${PN}' == 'nativesdk-${BPN}']} \
+ ${@['', '${datadir}/man/man8/setfiles.8']['${PN}' == 'nativesdk-${BPN}']} \
+ ${@['', '${base_sbindir}/.debug/restorecon_xattr']['${PN}' == 'nativesdk-${BPN}']} \
+ ${@['', '${base_sbindir}/.debug/setfiles']['${PN}' == 'nativesdk-${BPN}']} \
"
FILES_${PN}-setsebool += "\
${base_sbindir}/setsebool \
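Review bot: Listing `${base_sbindir}/.debug/*` files under `FILES_${PN}-setfiles` puts debug symbols in a non-dbg package, which I would expect the `debug-files` QA check to flag unless it is skipped for this package. The man pages are also spelled `${datadir}/man/man8/...` where the standard `${mandir}/man8/...` would follow any distro override of the manual directory. If keeping `${PN}-dbg` and `${PN}-doc` in `PACKAGES` for the nativesdk variant is acceptable, the default `FILES` patterns would likely pick these up and the six conditional entries could be dropped.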
@@ -130,7 +147,7 @@ EXTRA_OEMAKE += "\
SBINDIR=${base_sbindir} \
"
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
PCU_NATIVE_CMDS = "setfiles semodule hll"
@@ -142,6 +159,10 @@ do_compile_class-native() {
done
}
+do_compile_class-nativesdk() {
+ oe_runmake -C setfiles INCLUDEDIR='${STAGING_INCDIR}' LIBDIR='${STAGING_LIBDIR}'
+}
+
sysroot_stage_dirs_append_class-native() {
cp -R $from/${prefix}/libexec $to/${prefix}/libexec
}
@@ -168,6 +189,10 @@ do_install_class-native() {
done
}
+do_install_class-nativesdk() {
+ oe_runmake -C setfiles install DESTDIR="${D}" PREFIX="${prefix}" SBINDIR="${base_sbindir}"
+}
+
do_install_append_class-target() {
if [ -e ${WORKDIR}/pam.d ]; then
install -d ${D}${sysconfdir}/pam.d/
--
2.20.1