[PATCH] buildsystem: add CONFIG_SECCOMP
Daniel Golle
daniel at makrotopia.org
Wed Oct 13 08:06:05 PDT 2021
On Wed, Oct 13, 2021 at 05:02:22PM +0200, Florian Eckert wrote:
> Until now, this feature was switched on via the kernel configuration
> option KERNEL_SECCOMP.
>
> The following change a7f794cd2aa104fdbd4c6e38f9b76373bf9b96e1 now requires that
> the package procd-seccomp must also be enabled for the build.
>
> However, this is not the case; we have no dependency to enable this
> package.
> Also the imagebuilder cannot build the image, because of the implicit
> package selection.
>
> This change adds a new configuration option CONFIG_SECCOMP like the
> CONFIG_SELINUX option.
>
> If the CONFIG_SECCOMP is selected then the package procd-seccomp and
> KERNEL_SECCOMP are enabled for this build.
>
> Signed-off-by: Florian Eckert <fe at dev.tdt.de>
> ---
> config/Config-build.in | 11 +++++++++++
> include/target.mk | 2 +-
> package/system/procd/Makefile | 3 +--
> 3 files changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/config/Config-build.in b/config/Config-build.in
> index f0e1aaa695..5887d1a9c4 100644
> --- a/config/Config-build.in
> +++ b/config/Config-build.in
> @@ -386,4 +386,15 @@ menu "Global build settings"
>
> endchoice
>
> + config SECCOMP
> + bool "Enable SECCOMP"
> + select KERNEL_SECCOMP
> + select PACKAGE_procd-seccomp
> + depends on (aarch64 || arm || armeb || mips || mipsel || i386 || powerpc || x86_64)
> + depends on !TARGET_uml
I guess 'default y' is needed to also make sure the symbol is selected
by default if possible.
> + help
> + This option enables seccomp kernel features to safely
> + execute untrusted bytecode and selects the seccomp-variants
> + of procd
> +
> endmenu
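Review bot: the two `select` lines in the new `config SECCOMP` entry force KERNEL_SECCOMP and PACKAGE_procd-seccomp on without evaluating those symbols' own dependencies, so the two `depends on` lines here become the only guard. Please confirm they cover everything KERNEL_SECCOMP itself requires (its definition is not part of this patch). The help text could also name the package directly ("procd-seccomp") instead of "the seccomp-variants of procd".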
> diff --git a/include/target.mk b/include/target.mk
> index 03192d3ebe..60760bf602 100644
> --- a/include/target.mk
> +++ b/include/target.mk
> @@ -39,7 +39,7 @@ DEFAULT_PACKAGES+=procd-ujail
> endif
>
> # include seccomp ld-preload hooks if kernel supports it
> -ifneq ($(CONFIG_KERNEL_SECCOMP),)
> +ifneq ($(CONFIG_SECCOMP),)
> DEFAULT_PACKAGES+=procd-seccomp
> endif
>
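Review bot: the comment above the changed `ifneq` still says "if kernel supports it", but the condition now tests CONFIG_SECCOMP instead of CONFIG_KERNEL_SECCOMP, so the comment should be updated to match. A configuration that sets only KERNEL_SECCOMP no longer gets procd-seccomp added to DEFAULT_PACKAGES, so whether existing builds keep the seccomp hooks depends on how SECCOMP ends up being set by default.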
> diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
> index 6f506423f8..4c76045062 100644
> --- a/package/system/procd/Makefile
> +++ b/package/system/procd/Makefile
> @@ -82,8 +82,7 @@ endef
> define Package/procd-seccomp
> SECTION:=base
> CATEGORY:=Base system
> - DEPENDS:=@(aarch64||arm||armeb||mips||mipsel||i386||powerpc||x86_64) @!TARGET_uml \
> - @KERNEL_SECCOMP +libubox +libblobmsg-json
> + DEPENDS:=@SECCOMP +libubox +libblobmsg-json
> TITLE:=OpenWrt process seccomp helper + utrace
> endef
>
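Review bot: with `@KERNEL_SECCOMP` dropped from DEPENDS, kernel support for this package is guaranteed only by the `select KERNEL_SECCOMP` in config/Config-build.in, and since SECCOMP also does `select PACKAGE_procd-seccomp`, the package is now both selected by and dependent on the same symbol. Consider keeping only one of the two relations, or explain in the commit message why both are needed.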
> --
> 2.20.1
>