9eb9943f82
This adds a variant of refpolicy that builds the modular form of the policy. While this requires more memory on the target device, along with some tricks to deal with OpenWrt's volatile /var directory, it is useful for experiementing with SELinux policy. Signed-off-by: W. Michael Petullo <mike@flyn.org>
380 lines
11 KiB
Plaintext
380 lines
11 KiB
Plaintext
# Copyright (C) 2006-2013 OpenWrt.org
|
|
# Copyright (C) 2016 LEDE Project
|
|
#
|
|
# This is free software, licensed under the GNU General Public License v2.
|
|
# See /LICENSE for more information.
|
|
#
|
|
|
|
menu "Global build settings"
|
|
|
|
config JSON_OVERVIEW_IMAGE_INFO
|
|
bool "Create JSON info file overview per target"
|
|
default BUILDBOT
|
|
help
|
|
Create a JSON info file called profiles.json in the target
|
|
directory containing machine readable list of built profiles
|
|
and resulting images.
|
|
|
|
config ALL_NONSHARED
|
|
bool "Select all target specific packages by default"
|
|
select ALL_KMODS
|
|
default BUILDBOT
|
|
|
|
config ALL_KMODS
|
|
bool "Select all kernel module packages by default"
|
|
|
|
config ALL
|
|
bool "Select all userspace packages by default"
|
|
select ALL_KMODS
|
|
select ALL_NONSHARED
|
|
|
|
config BUILDBOT
|
|
bool "Set build defaults for automatic builds (e.g. via buildbot)"
|
|
default n
|
|
help
|
|
This option changes several defaults to be more suitable for
|
|
automatic builds. This includes the following changes:
|
|
- Deleting build directories after compiling (to save space)
|
|
- Enabling per-device rootfs support
|
|
...
|
|
|
|
config SIGNED_PACKAGES
|
|
bool "Cryptographically signed package lists"
|
|
default y
|
|
|
|
config SIGNATURE_CHECK
|
|
bool "Enable signature checking in opkg"
|
|
default SIGNED_PACKAGES
|
|
|
|
comment "General build options"
|
|
|
|
config TESTING_KERNEL
|
|
bool "Use the testing kernel version"
|
|
depends on HAS_TESTING_KERNEL
|
|
default n
|
|
help
|
|
If the target supports a newer kernel version than the default,
|
|
you can use this config option to enable it
|
|
|
|
|
|
config DISPLAY_SUPPORT
|
|
bool "Show packages that require graphics support (local or remote)"
|
|
default n
|
|
|
|
config BUILD_PATENTED
|
|
default n
|
|
bool "Compile with support for patented functionality"
|
|
help
|
|
When this option is disabled, software which provides patented functionality
|
|
will not be built. In case software provides optional support for patented
|
|
functionality, this optional support will get disabled for this package.
|
|
|
|
config BUILD_NLS
|
|
default n
|
|
bool "Compile with full language support"
|
|
help
|
|
When this option is enabled, packages are built with the full versions of
|
|
iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
|
|
used, it is also built with locale support.
|
|
|
|
config SHADOW_PASSWORDS
|
|
bool
|
|
default y
|
|
|
|
config CLEAN_IPKG
|
|
bool
|
|
prompt "Remove ipkg/opkg status data files in final images"
|
|
default n
|
|
help
|
|
This removes all ipkg/opkg status data files from the target directory
|
|
before building the root filesystem.
|
|
|
|
config IPK_FILES_CHECKSUMS
|
|
bool
|
|
prompt "Record files checksums in package metadata"
|
|
default n
|
|
help
|
|
This makes file checksums part of package metadata. It increases size
|
|
but provides you with pkg_check command to check for flash coruptions.
|
|
|
|
config INCLUDE_CONFIG
|
|
bool "Include build configuration in firmware" if DEVEL
|
|
default n
|
|
help
|
|
If enabled, buildinfo files will be stored in /etc/build.* of firmware.
|
|
|
|
config REPRODUCIBLE_DEBUG_INFO
|
|
bool "Make debug information reproducible"
|
|
default BUILDBOT
|
|
help
|
|
This strips the local build path out of debug information. This has the
|
|
advantage of making it reproducible, but the disadvantage of making local
|
|
debugging using ./scripts/remote-gdb harder, since the debug data will
|
|
no longer point to the full path on the build host.
|
|
|
|
config COLLECT_KERNEL_DEBUG
|
|
bool
|
|
prompt "Collect kernel debug information"
|
|
select KERNEL_DEBUG_INFO
|
|
default BUILDBOT
|
|
help
|
|
This collects debugging symbols from the kernel and all compiled modules.
|
|
Useful for release builds, so that kernel issues can be debugged offline
|
|
later.
|
|
|
|
menu "Kernel build options"
|
|
|
|
source "config/Config-kernel.in"
|
|
|
|
endmenu
|
|
|
|
comment "Package build options"
|
|
|
|
config DEBUG
|
|
bool
|
|
prompt "Compile packages with debugging info"
|
|
default n
|
|
help
|
|
Adds -g3 to the CFLAGS.
|
|
|
|
config IPV6
|
|
bool
|
|
prompt "Enable IPv6 support in packages"
|
|
default y
|
|
help
|
|
Enables IPv6 support in kernel (builtin) and packages.
|
|
|
|
comment "Stripping options"
|
|
|
|
choice
|
|
prompt "Binary stripping method"
|
|
default USE_STRIP if EXTERNAL_TOOLCHAIN
|
|
default USE_STRIP if USE_GLIBC
|
|
default USE_SSTRIP
|
|
help
|
|
Select the binary stripping method you wish to use.
|
|
|
|
config NO_STRIP
|
|
bool "none"
|
|
help
|
|
This will install unstripped binaries (useful for native
|
|
compiling/debugging).
|
|
|
|
config USE_STRIP
|
|
bool "strip"
|
|
help
|
|
This will install binaries stripped using strip from binutils.
|
|
|
|
|
|
config USE_SSTRIP
|
|
bool "sstrip"
|
|
depends on !USE_GLIBC
|
|
help
|
|
This will install binaries stripped using sstrip.
|
|
endchoice
|
|
|
|
config STRIP_ARGS
|
|
string
|
|
prompt "Strip arguments"
|
|
depends on USE_STRIP
|
|
default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
|
|
default "--strip-all"
|
|
help
|
|
Specifies arguments passed to the strip command when stripping binaries.
|
|
|
|
config STRIP_KERNEL_EXPORTS
|
|
bool "Strip unnecessary exports from the kernel image"
|
|
help
|
|
Reduces kernel size by stripping unused kernel exports from the kernel
|
|
image. Note that this might make the kernel incompatible with any kernel
|
|
modules that were not selected at the time the kernel image was created.
|
|
|
|
config USE_MKLIBS
|
|
bool "Strip unnecessary functions from libraries"
|
|
help
|
|
Reduces libraries to only those functions that are necessary for using all
|
|
selected packages (including those selected as <M>). Note that this will
|
|
make the system libraries incompatible with most of the packages that are
|
|
not selected during the build process.
|
|
|
|
choice
|
|
prompt "Preferred standard C++ library"
|
|
default USE_LIBSTDCXX if USE_GLIBC
|
|
default USE_UCLIBCXX
|
|
help
|
|
Select the preferred standard C++ library for all packages that support this.
|
|
|
|
config USE_UCLIBCXX
|
|
bool "uClibc++"
|
|
|
|
config USE_LIBCXX
|
|
bool "libc++"
|
|
depends on !USE_UCLIBC
|
|
|
|
config USE_LIBSTDCXX
|
|
bool "libstdc++"
|
|
endchoice
|
|
|
|
comment "Hardening build options"
|
|
|
|
config PKG_CHECK_FORMAT_SECURITY
|
|
bool
|
|
prompt "Enable gcc format-security"
|
|
default y
|
|
help
|
|
Add -Wformat -Werror=format-security to the CFLAGS. You can disable
|
|
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
|
|
Makefile.
|
|
|
|
choice
|
|
prompt "User space ASLR PIE compilation"
|
|
default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
|
|
default PKG_ASLR_PIE_REGULAR
|
|
help
|
|
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
|
|
This enables package build as Position Independent Executables (PIE)
|
|
to protect against "return-to-text" attacks. This belongs to the
|
|
feature of Address Space Layout Randomisation (ASLR), which is
|
|
implemented by the kernel and the ELF loader by randomising the
|
|
location of memory allocations. This makes memory addresses harder
|
|
to predict when an attacker is attempting a memory-corruption exploit.
|
|
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
|
|
Makefile.
|
|
Be ware that ASLR increases the binary size.
|
|
config PKG_ASLR_PIE_NONE
|
|
bool "None"
|
|
help
|
|
PIE is deactivated for all applications
|
|
config PKG_ASLR_PIE_REGULAR
|
|
bool "Regular"
|
|
help
|
|
PIE is activated for some binaries, mostly network exposed applications
|
|
config PKG_ASLR_PIE_ALL
|
|
bool "All"
|
|
select BUSYBOX_DEFAULT_PIE
|
|
help
|
|
PIE is activated for all applications
|
|
endchoice
|
|
|
|
choice
|
|
prompt "User space Stack-Smashing Protection"
|
|
default PKG_CC_STACKPROTECTOR_REGULAR
|
|
help
|
|
Enable GCC Stack Smashing Protection (SSP) for userspace applications
|
|
config PKG_CC_STACKPROTECTOR_NONE
|
|
bool "None"
|
|
config PKG_CC_STACKPROTECTOR_REGULAR
|
|
bool "Regular"
|
|
config PKG_CC_STACKPROTECTOR_STRONG
|
|
bool "Strong"
|
|
endchoice
|
|
|
|
choice
|
|
prompt "Kernel space Stack-Smashing Protection"
|
|
default KERNEL_CC_STACKPROTECTOR_REGULAR
|
|
help
|
|
Enable GCC Stack-Smashing Protection (SSP) for the kernel
|
|
config KERNEL_CC_STACKPROTECTOR_NONE
|
|
bool "None"
|
|
config KERNEL_CC_STACKPROTECTOR_REGULAR
|
|
bool "Regular"
|
|
config KERNEL_CC_STACKPROTECTOR_STRONG
|
|
bool "Strong"
|
|
endchoice
|
|
|
|
config KERNEL_STACKPROTECTOR
|
|
bool
|
|
default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
|
|
|
|
config KERNEL_STACKPROTECTOR_STRONG
|
|
bool
|
|
default KERNEL_CC_STACKPROTECTOR_STRONG
|
|
|
|
choice
|
|
prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
|
|
default PKG_FORTIFY_SOURCE_1
|
|
help
|
|
Enable the _FORTIFY_SOURCE macro which introduces additional
|
|
checks to detect buffer-overflows in the following standard library
|
|
functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
|
|
strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
|
|
gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
|
|
checks that shouldn't change the behavior of conforming programs,
|
|
while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
|
|
added, but some conforming programs might fail.
|
|
config PKG_FORTIFY_SOURCE_NONE
|
|
bool "None"
|
|
config PKG_FORTIFY_SOURCE_1
|
|
bool "Conservative"
|
|
config PKG_FORTIFY_SOURCE_2
|
|
bool "Aggressive"
|
|
endchoice
|
|
|
|
choice
|
|
prompt "Enable RELRO protection"
|
|
default PKG_RELRO_FULL
|
|
help
|
|
Enable a link-time protection known as RELRO (Relocation Read Only)
|
|
which helps to protect from certain type of exploitation techniques
|
|
altering the content of some ELF sections. "Partial" RELRO makes the
|
|
.dynamic section not writeable after initialization, introducing
|
|
almost no performance penalty, while "full" RELRO also marks the GOT
|
|
as read-only at the cost of initializing all of it at startup.
|
|
config PKG_RELRO_NONE
|
|
bool "None"
|
|
config PKG_RELRO_PARTIAL
|
|
bool "Partial"
|
|
config PKG_RELRO_FULL
|
|
bool "Full"
|
|
endchoice
|
|
|
|
config TARGET_ROOTFS_SECURITY_LABELS
|
|
bool
|
|
select KERNEL_SQUASHFS_XATTR
|
|
select KERNEL_EXT4_FS_SECURITY
|
|
select KERNEL_F2FS_FS_SECURITY
|
|
select KERNEL_UBIFS_FS_SECURITY
|
|
select KERNEL_JFFS2_FS_SECURITY
|
|
|
|
config SELINUX
|
|
bool "Enable SELinux"
|
|
select KERNEL_SECURITY_SELINUX
|
|
select TARGET_ROOTFS_SECURITY_LABELS
|
|
select PACKAGE_procd-selinux
|
|
select PACKAGE_busybox-selinux
|
|
help
|
|
This option enables SELinux kernel features, applies security labels
|
|
in squashfs rootfs and selects the selinux-variants of busybox and procd.
|
|
|
|
Selecting this option results in about 0.5MiB of additional flash space
|
|
usage accounting for increased kernel and rootfs size.
|
|
|
|
choice
|
|
prompt "default SELinux type"
|
|
depends on TARGET_ROOTFS_SECURITY_LABELS
|
|
default SELINUXTYPE_dssp
|
|
help
|
|
Select SELinux policy to be installed and used for applying rootfs labels.
|
|
|
|
config SELINUXTYPE_targeted
|
|
bool "targeted"
|
|
select PACKAGE_refpolicy
|
|
help
|
|
SELinux Reference Policy (refpolicy)
|
|
|
|
config SELINUXTYPE_targeted-modular
|
|
bool "targeted-modular"
|
|
select PACKAGE_refpolicy-modular
|
|
help
|
|
Modular SELinux Reference Policy (refpolicy-modular)
|
|
|
|
config SELINUXTYPE_dssp
|
|
bool "dssp"
|
|
select PACKAGE_selinux-policy
|
|
help
|
|
Defensec SELinux Security Policy -- OpenWrt edition
|
|
|
|
endchoice
|
|
|
|
endmenu
|