diff options
author | Waldemar Brodkorb <wbx@uclibc-ng.org> | 2016-09-23 14:43:56 +0200 |
---|---|---|
committer | Waldemar Brodkorb <wbx@uclibc-ng.org> | 2016-09-23 14:46:14 +0200 |
commit | cc2f3ef0e48483f8909f6f29f58bcb984ea27682 (patch) | |
tree | 38fee6682a9745cbbae0ae913bd9676028778aa0 | |
parent | 58eeb548906799709ffe076a90923a62efbcd83d (diff) |
add support for permission fixups when using genimage
Add suid-bit to Xorg as an example. Create
simple *.perm files with relative path to
the files. You can use any command available on
the host. (f.e. chmod/chown)
-rw-r--r-- | mk/image.mk | 17 | ||||
-rw-r--r-- | mk/package.mk | 3 | ||||
-rw-r--r-- | package/fakeroot/Makefile | 1 | ||||
-rw-r--r-- | package/libcap/Makefile | 21 | ||||
-rw-r--r-- | package/libcap/patches/patch-Make_Rules | 53 | ||||
-rw-r--r-- | package/libcap/patches/patch-Makefile | 31 | ||||
-rw-r--r-- | package/libcap/patches/patch-libcap_Makefile | 50 | ||||
-rw-r--r-- | package/libcap/patches/patch-progs_Makefile | 12 | ||||
-rw-r--r-- | package/xorg-server/files/xorg-server.perm | 1 | ||||
-rw-r--r-- | target/config/Config.in.runtime | 7 | ||||
-rw-r--r-- | target/config/Config.in.tools | 4 |
11 files changed, 87 insertions, 113 deletions
diff --git a/mk/image.mk b/mk/image.mk index dfd32f3f3..a3e044fde 100644 --- a/mk/image.mk +++ b/mk/image.mk @@ -1,6 +1,12 @@ # This file is part of the OpenADK project. OpenADK is copyrighted # material, please see the LICENCE file in the top-level directory. +ifeq ($(ADK_RUNTIME_FIX_PERMISSION),y) +FAKEROOT:=$(STAGING_HOST_DIR)/usr/bin/fakeroot -- +else +FAKEROOT:= +endif + ifeq ($(ADK_TARGET_OS_LINUX),y) # relative paths, like 'mksh' or '../usr/bin/foosh' ifeq (${ADK_BINSH_ASH},y) @@ -276,7 +282,16 @@ ${FW_DIR}/${GENIMAGE}: ${TARGET_DIR} kernel-package @mkdir -p ${FW_DIR}/temp @$(CP) $(KERNEL) $(FW_DIR)/kernel @dd if=/dev/zero of=${FW_DIR}/cfgfs.img bs=16384 count=1 $(MAKE_TRACE) - PATH='${HOST_PATH}' mke2img \ +ifeq ($(ADK_RUNTIME_FIX_PERMISSION),y) + echo '#!/bin/sh' > $(ADK_TOPDIR)/scripts/fakeroot.sh + echo "chown -R 0:0 $(TARGET_DIR)" >> $(ADK_TOPDIR)/scripts/fakeroot.sh + echo 'cd $(TARGET_DIR)' >> $(ADK_TOPDIR)/scripts/fakeroot.sh + -@cat $(STAGING_TARGET_DIR)/scripts/permissions.sh >> $(ADK_TOPDIR)/scripts/fakeroot.sh 2>/dev/null + chmod 755 $(ADK_TOPDIR)/scripts/fakeroot.sh + PATH='$(HOST_PATH)' $(FAKEROOT) $(ADK_TOPDIR)/scripts/fakeroot.sh + rm $(ADK_TOPDIR)/scripts/fakeroot.sh $(STAGING_TARGET_DIR)/scripts/permissions.sh +endif + PATH='${HOST_PATH}' $(FAKEROOT) mke2img \ -G 4 \ -d "$(TARGET_DIR)" \ -o $(FW_DIR)/rootfs.ext $(MAKE_TRACE) diff --git a/mk/package.mk b/mk/package.mk index 768b845ed..88c08cba9 100644 --- a/mk/package.mk +++ b/mk/package.mk @@ -230,6 +230,9 @@ endif endif @mkdir -p $${PACKAGE_DIR} '$${STAGING_PKG_DIR}/stamps' \ '$${STAGING_TARGET_DIR}/scripts' + @for file in $$$$(ls ./files/*.perm 2>/dev/null); do \ + cat $$$$file >> $${STAGING_TARGET_DIR}/scripts/permissions.sh; \ + done ifeq (,$(filter noremove,$(7))) @if test -s '$${STAGING_PKG_DIR}/$(1)'; then \ cd '$${STAGING_TARGET_DIR}'; \ diff --git a/package/fakeroot/Makefile b/package/fakeroot/Makefile index f0654d696..3900198b3 100644 --- a/package/fakeroot/Makefile +++ b/package/fakeroot/Makefile @@ -10,6 +10,7 @@ PKG_HASH:= 7c0a164d19db3efa9e802e0fc7cdfeff70ec6d26cdbdc4338c9c2823c5ea230c PKG_DESCR:= fake root permissions PKG_SECTION:= sys/utils PKG_SITES:= http://http.debian.net/debian/pool/main/f/fakeroot/ +HOST_BUILDDEP:= libcap-host PKG_CFLINE_FAKEROOT:= depends on ADK_HOST_ONLY diff --git a/package/libcap/Makefile b/package/libcap/Makefile index 59ce0e965..99f23695c 100644 --- a/package/libcap/Makefile +++ b/package/libcap/Makefile @@ -4,18 +4,22 @@ include $(ADK_TOPDIR)/rules.mk PKG_NAME:= libcap -PKG_VERSION:= 2.24 +PKG_VERSION:= 2.25 PKG_RELEASE:= 1 -PKG_HASH:= cee4568f78dc851d726fc93f25f4ed91cc223b1fe8259daa4a77158d174e6c65 +PKG_HASH:= 693c8ac51e983ee678205571ef272439d83afe62dd8e424ea14ad9790bc35162 PKG_DESCR:= capabilities library PKG_SECTION:= libs/misc PKG_URL:= http://www.friedhoff.org/posixfilecaps.html PKG_SITES:= https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/ PKG_OPTS:= dev +include $(ADK_TOPDIR)/mk/host.mk include $(ADK_TOPDIR)/mk/package.mk -$(eval $(call PKG_template,LIBCAP,libcap,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION},${PKG_OPTS})) +$(eval $(call HOST_template,LIBCAP,libcap,$(PKG_VERSION)-$(PKG_RELEASE))) +$(eval $(call PKG_template,LIBCAP,libcap,$(PKG_VERSION)-$(PKG_RELEASE),$(PKG_DEPENDS),$(PKG_DESCR),$(PKG_SECTION),$(PKG_OPTS))) + +HOST_STYLE:= manual # for Darwin hosts CPPFLAGS_FOR_BUILD+= -I$(STAGING_TARGET_DIR)/usr/include @@ -29,9 +33,18 @@ ALL_TARGET:= shared progs INSTALL_TARGET:= install-shared endif +host-build: + (cd ${WRKBUILD} && env ${HOST_MAKE_ENV} ${MAKE} -f ${MAKE_FILE} \ + ${HOST_MAKE_FLAGS} ${HOST_ALL_TARGET}) $(MAKE_TRACE) + +libcap-hostinstall: + cd ${WRKBUILD} && env ${HOST_MAKE_ENV} ${MAKE} -f ${MAKE_FILE} \ + ${HOST_FAKE_FLAGS} DESTDIR='${STAGING_HOST_DIR}' ${HOST_INSTALL_TARGET} $(MAKE_TRACE) + libcap-install: $(INSTALL_DIR) $(IDIR_LIBCAP)/usr/lib $(CP) $(WRKINST)/usr/lib/libcap*.so* \ $(IDIR_LIBCAP)/usr/lib -include ${ADK_TOPDIR}/mk/pkg-bottom.mk +include $(ADK_TOPDIR)/mk/host-bottom.mk +include $(ADK_TOPDIR)/mk/pkg-bottom.mk diff --git a/package/libcap/patches/patch-Make_Rules b/package/libcap/patches/patch-Make_Rules index a6a637d3b..57b0e9425 100644 --- a/package/libcap/patches/patch-Make_Rules +++ b/package/libcap/patches/patch-Make_Rules @@ -1,20 +1,19 @@ ---- libcap-2.24.orig/Make.Rules 2014-01-06 02:16:21.000000000 +0100 -+++ libcap-2.24/Make.Rules 2015-02-26 14:01:28.000000000 +0100 -@@ -12,22 +12,12 @@ FAKEROOT=$(DESTDIR) - # These choices are motivated by the fact that getcap and setcap are +--- libcap-2.25.orig/Make.Rules 2016-01-31 02:14:53.000000000 +0100 ++++ libcap-2.25/Make.Rules 2016-09-23 10:37:16.179167139 +0200 +@@ -13,21 +13,14 @@ FAKEROOT=$(DESTDIR) # administrative operations that could be needed to recover a system. --ifndef lib + ifndef lib -lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2) --endif -- ++lib=lib + endif + -ifdef prefix -exec_prefix=$(prefix) -lib_prefix=$(exec_prefix) -inc_prefix=$(lib_prefix) -man_prefix=$(prefix)/share -else -+lib=lib prefix=/usr -exec_prefix= +exec_prefix=$(prefix) @@ -25,41 +24,3 @@ # Target directories -@@ -48,28 +38,28 @@ MINOR=24 - KERNEL_HEADERS := $(topdir)/libcap/include/uapi - IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include - --CC := gcc --CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -+CC ?= gcc -+CFLAGS ?= -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 - BUILD_CC := $(CC) - BUILD_CFLAGS := $(CFLAGS) $(IPATH) --AR := ar --RANLIB := ranlib --DEBUG = -g #-DDEBUG -+AR ?= ar -+RANLIB ?= ranlib -+DEBUG = - WARNINGS=-Wall -Wwrite-strings \ - -Wpointer-arith -Wcast-qual -Wcast-align \ - -Wstrict-prototypes -Wmissing-prototypes \ - -Wnested-externs -Winline -Wshadow --LD=$(CC) -Wl,-x -shared --LDFLAGS := #-g -+LD=$(CC) -shared -+LDFLAGS ?= #-g - - SYSTEM_HEADERS = /usr/include - INCS=$(topdir)/libcap/include/sys/capability.h - LDFLAGS += -L$(topdir)/libcap - CFLAGS += -Dlinux $(WARNINGS) $(DEBUG) --PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi) -+PAM_CAP := no - INDENT := $(shell if [ -n "$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi) - DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi) --LIBATTR := yes -+LIBATTR := no - - # When installing setcap, set its inheritable bit to be able to place - # capabilities on files. It can be used in conjunction with pam_cap diff --git a/package/libcap/patches/patch-Makefile b/package/libcap/patches/patch-Makefile index 8e2f8415b..51603e650 100644 --- a/package/libcap/patches/patch-Makefile +++ b/package/libcap/patches/patch-Makefile @@ -1,25 +1,14 @@ ---- libcap-2.24.orig/Makefile 2013-12-27 19:17:17.000000000 +0100 -+++ libcap-2.24/Makefile 2015-02-26 20:36:58.000000000 +0100 -@@ -16,6 +16,22 @@ endif +--- libcap-2.25.orig/Makefile 2014-05-31 22:11:05.000000000 +0200 ++++ libcap-2.25/Makefile 2016-09-23 10:32:34.156211429 +0200 +@@ -10,11 +10,7 @@ include Make.Rules + + all install clean: %: %-here + $(MAKE) -C libcap $@ +-ifneq ($(PAM_CAP),no) +- $(MAKE) -C pam_cap $@ +-endif $(MAKE) -C progs $@ - $(MAKE) -C doc $@ +- $(MAKE) -C doc $@ -+progs: -+ $(MAKE) -C progs all -+ -+shared: -+ $(MAKE) -C libcap shared -+ -+static: -+ $(MAKE) -C libcap static -+ -+install-shared: -+ $(MAKE) -C libcap install-shared -+ -+install-static: -+ $(MAKE) -C libcap install-static -+ -+ all-here: - install-here: diff --git a/package/libcap/patches/patch-libcap_Makefile b/package/libcap/patches/patch-libcap_Makefile index cf7703a43..5b1823e64 100644 --- a/package/libcap/patches/patch-libcap_Makefile +++ b/package/libcap/patches/patch-libcap_Makefile @@ -1,42 +1,10 @@ ---- libcap-2.24.orig/libcap/Makefile 2014-01-06 01:55:03.000000000 +0100 -+++ libcap-2.24/libcap/Makefile 2015-02-26 20:34:47.000000000 +0100 -@@ -28,6 +28,9 @@ GPERF_OUTPUT = _caps_output.gperf - - all: $(MINLIBNAME) $(STALIBNAME) libcap.pc - -+static: $(STALIBNAME) -+shared: $(MINLIBNAME) -+ - ifeq ($(shell gperf --version > /dev/null 2>&1 && echo yes),yes) - USE_GPERF_OUTPUT = $(GPERF_OUTPUT) - INCLUDE_GPERF_OUTPUT = -include $(GPERF_OUTPUT) -@@ -43,7 +46,7 @@ libcap.pc: libcap.pc.in - $< >$@ - - _makenames: _makenames.c cap_names.list.h -- $(BUILD_CC) $(BUILD_CFLAGS) $< -o $@ -+ $(CC_FOR_BUILD) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) $< -o $@ - - cap_names.h: _makenames - ./_makenames > cap_names.h -@@ -70,6 +73,20 @@ $(MINLIBNAME): $(OBJS) - cap_text.o: cap_text.c $(USE_GPERF_OUTPUT) $(INCLS) - $(CC) $(CFLAGS) $(IPATH) $(INCLUDE_GPERF_OUTPUT) -c $< -o $@ - -+install-shared: install-headers -+ mkdir -p -m 0755 $(LIBDIR) -+ install -m 0644 $(MINLIBNAME) $(LIBDIR)/$(MINLIBNAME) -+ ln -sf $(MINLIBNAME) $(LIBDIR)/$(MAJLIBNAME) -+ ln -sf $(MAJLIBNAME) $(LIBDIR)/$(LIBNAME) -+ -+install-static: install-headers -+ mkdir -p -m 0755 $(LIBDIR) -+ install -m 0644 $(STALIBNAME) $(LIBDIR)/$(STALIBNAME) -+ -+install-headers: -+ mkdir -p -m 0755 $(INCDIR)/sys -+ install -m 0644 include/sys/capability.h $(INCDIR)/sys -+ +--- libcap-2.25.orig/libcap/Makefile 2016-01-31 01:01:41.000000000 +0100 ++++ libcap-2.25/libcap/Makefile 2016-09-23 10:34:12.564023450 +0200 +@@ -65,7 +65,6 @@ cap_text.o: cap_text.c $(USE_GPERF_OUTPU install: all - mkdir -p -m 0755 $(INCDIR)/sys - install -m 0644 include/sys/capability.h $(INCDIR)/sys + mkdir -p -m 0755 $(FAKEROOT)$(INCDIR)/sys + install -m 0644 include/sys/capability.h $(FAKEROOT)$(INCDIR)/sys +- mkdir -p -m 0755 $(FAKEROOT)$(LIBDIR) + install -m 0644 $(STALIBNAME) $(FAKEROOT)$(LIBDIR)/$(STALIBNAME) + install -m 0644 $(MINLIBNAME) $(FAKEROOT)$(LIBDIR)/$(MINLIBNAME) + ln -sf $(MINLIBNAME) $(FAKEROOT)$(LIBDIR)/$(MAJLIBNAME) diff --git a/package/libcap/patches/patch-progs_Makefile b/package/libcap/patches/patch-progs_Makefile new file mode 100644 index 000000000..c13d1ddd8 --- /dev/null +++ b/package/libcap/patches/patch-progs_Makefile @@ -0,0 +1,12 @@ +--- libcap-2.25.orig/progs/Makefile 2016-01-31 01:01:41.000000000 +0100 ++++ libcap-2.25/progs/Makefile 2016-09-23 10:37:55.480689559 +0200 +@@ -26,9 +26,6 @@ install: all + for p in $(PROGS) ; do \ + install -m 0755 $$p $(FAKEROOT)$(SBINDIR) ; \ + done +-ifeq ($(RAISE_SETFCAP),yes) +- $(FAKEROOT)$(SBINDIR)/setcap cap_setfcap=i $(FAKEROOT)$(SBINDIR)/setcap +-endif + + clean: + $(LOCALCLEAN) diff --git a/package/xorg-server/files/xorg-server.perm b/package/xorg-server/files/xorg-server.perm new file mode 100644 index 000000000..8a12248a9 --- /dev/null +++ b/package/xorg-server/files/xorg-server.perm @@ -0,0 +1 @@ +chmod u+s usr/bin/Xorg diff --git a/target/config/Config.in.runtime b/target/config/Config.in.runtime index c9b488360..901718de7 100644 --- a/target/config/Config.in.runtime +++ b/target/config/Config.in.runtime @@ -51,6 +51,13 @@ config ADK_RUNTIME_DEV_STATIC endchoice +config ADK_RUNTIME_FIX_PERMISSION + bool "Fix permissions for target files (suid bit, ..)" + select ADK_HOST_BUILD_FAKEROOT + help + Use fakeroot to fix permissions for target dir before image + creation. + config ADK_RUNTIME_SSH_PUBKEY string "SSH public key (root user only)" depends on ADK_PACKAGE_OPENSSH_SERVER || ADK_PACKAGE_DROPBEAR diff --git a/target/config/Config.in.tools b/target/config/Config.in.tools index 81913f0f1..b01becf42 100644 --- a/target/config/Config.in.tools +++ b/target/config/Config.in.tools @@ -23,6 +23,10 @@ config ADK_HOST_BUILD_BISON bool default y +config ADK_HOST_BUILD_FAKEROOT + bool + default n + config ADK_HOST_BUILD_FLEX bool default y |