build: add support for SELinux to include/image.mk

This allows the build process to prepare a squashfs filesystem for use
with SELinux.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
This commit is contained in:
Thomas Petazzoni 2020-07-18 08:01:54 -05:00 committed by Daniel Golle
parent 1aa71833fe
commit aee58d52ce
2 changed files with 28 additions and 1 deletions

View File

@ -328,4 +328,14 @@ menu "Global build settings"
bool "Full" bool "Full"
endchoice endchoice
config TARGET_ROOTFS_SECURITY_LABELS
bool "Enable rootfs security labels"
select KERNEL_SQUASHFS_XATTR
select KERNEL_EXT4_FS_SECURITY
select KERNEL_F2FS_FS_SECURITY
select KERNEL_UBIFS_FS_SECURITY
select KERNEL_JFFS2_FS_SECURITY
select PACKAGE_refpolicy
help
This option enables the usage of SELinux labels
endmenu endmenu

View File

@ -234,13 +234,30 @@ endef
$(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S)))) $(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S))))
$(eval $(foreach S,$(NAND_BLOCKSIZE),$(call Image/mkfs/jffs2-nand/template,$(S)))) $(eval $(foreach S,$(NAND_BLOCKSIZE),$(call Image/mkfs/jffs2-nand/template,$(S))))
define Image/mkfs/squashfs define Image/mkfs/squashfs-common
$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \ $(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
-nopad -noappend -root-owned \ -nopad -noappend -root-owned \
-comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \ -comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
-processors 1 -processors 1
endef endef
ifeq ($(CONFIG_TARGET_ROOTFS_SECURITY_LABELS),y)
define Image/mkfs/squashfs
echo "LD_LIBRARY_PATH=\$$LD_LIBRARY_PATH:$(STAGING_DIR_HOSTPKG)/lib" \
"$(STAGING_DIR_HOSTPKG)/sbin/setfiles -r" \
"$(call mkfs_target_dir,$(1))" \
"$(call mkfs_target_dir,$(1))/etc/selinux/targeted/contexts/files/file_contexts " \
"$(call mkfs_target_dir,$(1))" > $@.fakeroot-script
echo "$(Image/mkfs/squashfs-common)" >> $@.fakeroot-script
chmod +x $@.fakeroot-script
$(STAGING_DIR_HOST)/bin/fakeroot $@.fakeroot-script
endef
else
define Image/mkfs/squashfs
$(call Image/mkfs/squashfs-common,$(1))
endef
endif
# $(1): board name # $(1): board name
# $(2): rootfs type # $(2): rootfs type
# $(3): kernel image # $(3): kernel image