Commit Graph

53329 Commits

Author SHA1 Message Date
Peter Korsgaard
666503c7de docs/website: update for 2020.02.6
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 21:35:11 +02:00
Peter Korsgaard
721fdb0239 Update for 2020.02.6
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b120226e0e)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 21:35:11 +02:00
Fabrice Fontaine
8414e31138 package/matchbox: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/3f552248869d9842b3db8b71c1ca0b030b1a64ba

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-05 21:20:03 +02:00
Peter Korsgaard
918a9fb455 package/gnupg2: security bump to version 2.2.23
Fixes the following security issues:

CVE-2020-25125: Importing an OpenPGP key having a preference list for AEAD
algorithms will lead to an array overflow and thus often to a crash or other
undefined behaviour (affected: 2.2.21 / 2.2.22)

For more details, see the announcement:
https://lists.gnupg.org/pipermail/gnupg-announce/2020q3/000448.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 09:35:50 +02:00
Julien Floret
d27b5c7b72 package/libnss: install certutil tool on target
certutil is a command-line utility for managing keys and certificates in
both NSS databases and other NSS tokens.

Signed-off-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-05 09:35:28 +02:00
Paul Cercueil
0e3febb75f package/libzip: add patch from upstream to fix build
Cherry-pick a patch from upstream project that fixes the build when used
with a uClibc based toolchain.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-05 09:16:50 +02:00
James Hilliard
5c1a6b48ac package/weston: bump to version 9.0.0
Drop patches that are now upstream.

Pipewire now requires renderer-gl, only enable pipewire when
renderer-gl is also enabled.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-04 23:57:51 +02:00
Kieran Bingham
a275fc05c6 package/libcamera: bump version to e59713c6
The libcamera project has moved to C++17, therefore also update the
toolchain requirements accordingly.

Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
[yann.morin.1998@free.fr: s/\t/  / in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-04 22:41:17 +02:00
Kieran Bingham
66526e3518 package/libcamera: Prevent builds on m68k
The ControlValue structure is currently defined with a 16-bit hole
(causing unaligned access to the numElements_ field, though that's a
separate topic).

This structure has a static assertion to ensure that its size does not
change without due care, as it forms part of our ABI and is used in
Serialisation between the pipeline handlers and IPA components.

The m68k architecture is the only target which fails this assertion,
which is likely because it can pack the structure more efficiently,
producing a different binary size.

This is likely an area we will tackle before stabilising our ABI, but
until then, disable m68k builds as libcamera is not expected to be
supported on this target.

Fixes:
  - http://autobuild.buildroot.net/results/9dce26e94299a2c61bba60cbc7803926e2f85e29/

Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
[yann.morin.1998@free.fr, suggestions from Thomas:
  - introduce BR2_PACKAGE_LIBCAMERA_ARCH_SUPPORTS
  - propagate that to the comment
  - add autobuilder reference
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-04 22:30:28 +02:00
Titouan Christophe
f5b89563d7 package/systemd: disable zstd for host-systemd
systemd 246 added support for zstd compression of large fields in
journal files [1]. Since zstd is only used at runtime, we don't
need to enable its support in host-systemd.

[1] https://github.com/systemd/systemd/blob/v246/NEWS#L323-L331

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-04 22:13:31 +02:00
Thomas Petazzoni
a326b6ecb0 package/refpolicy: ensure REFPOLICY_EXTRA_MODULES_DIRS is empty when it should be
When both BR2_REFPOLICY_EXTRA_MODULES_DIRS and
PACKAGES_SELINUX_EXTRA_MODULES_DIRS are empty, we expect
REFPOLICY_EXTRA_MODULES_DIRS to also be empty. However, due to spaces,
this is not the case. This commit adds a $(strip ...) call to ensure
it is the case.

Thanks to this, the check on whether REFPOLICY_EXTRA_MODULES_DIRS is
empty later on will really work as it should.

Reported-by: Antoine Ténart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 17:19:16 +02:00
Thomas Petazzoni
0ade35976d DEVELOPERS: fix path to board/hardkernel/odroidc2/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 17:18:43 +02:00
Fabrice Fontaine
345c68f04f package/usb_modeswitch: fix parallel install
Extract from bug report:

"In usb_modeswitch Makefile dispatcher-script, dispatcher-dynlink and
dispatcher-statlink are .PHONY targets. The result is that sources are
compiled also when install targets are called.
USB_MODESWITCH_INSTALL_TARGET_CMDS calls $(MAKE) which is a call to
parallel make eg. make -j9. So the install phase can install empty
usb_modeswitch binary (happened once) if the compiler has just cleared
the binary and install command installs it before compiler writes the
binary. USB_MODESWITCH_INSTALL_TARGET_CMDS should call $(MAKE1)."

Instead of disabling parallel install, use install-common target instead
of install-{dyn,stat}link targets. Indeed, the dynamic or static
usb_modeswitch_dispatcher binary will be built by
all-with-{dyn,stat}link-dispatcher targets, there is no need to rebuild
it during the install step.

Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=12911

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:57:24 +02:00
Heiko Thiery
f6d1efdad2 package/acsccid: bump to version 1.1.8
- update indentation of hash file (two spaces)

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:48:56 +02:00
Fabrice Fontaine
fa25e78307 package/tinyhttpd: remove package
tinyhttpd is affected by CVE-2002-1819 and is not maintained anymore
(no release since 2001) so remove it

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:48:15 +02:00
Adam Duskett
3ab421080c package/libselinux: enable kernel selinux support for ubifs images
If BR2_TARGET_ROOTFS_UBIFS is selected, enable the following kernel options:
  - CONFIG_UBIFS_FS_XATTR
  - CONFIG_UBIFS_FS_SECURITY

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:43:54 +02:00
Adam Duskett
c962a341df package/libselinux: enable kernel selinux support for squashfs images
If BR2_TARGET_ROOTFS_SQUASHFS is selected, enable the following kernel options:
  - CONFIG_SQUASHFS_XATTR

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:43:51 +02:00
Adam Duskett
7720ca37b7 package/libselinux: enable kernel selinux support for jffs2 images
If BR2_TARGET_ROOTFS_JFFS2 is selected, enable the following kernel options:
  - CONFIG_JFS_SECURITY

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:43:49 +02:00
Adam Duskett
664c370d0b package/libselinux: enable kernel selinux support for f2fs images
If BR2_TARGET_ROOTFS_F2FS is selected, enable the following kernel options:
  - CONFIG_F2FS_FS_XATTR
  - CONFIG_F2FS_FS_SECURITY

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:43:47 +02:00
Adam Duskett
aae170c468 package/libselinux: enable kernel selinux support for ext4 images
If BR2_TARGET_ROOTFS_EXT2_4 is selected, enable the following kernel options:
  - CONFIG_EXT4_FS_SECURITY

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:43:44 +02:00
Adam Duskett
2ccabaa405 package/libselinux: enable kernel selinux support for ext3 images
If BR2_TARGET_ROOTFS_EXT2_3 is selected, enable the following kernel options:
  - CONFIG_EXT3_FS_SECURITY

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:43:41 +02:00
Adam Duskett
856b997b18 package/libselinux: enable kernel selinux support for ext2 images
If BR2_TARGET_ROOTFS_EXT2 is selected, enable the following kernel options:
  - CONFIG_EXT2_FS_XATTR
  - CONFIG_EXT2_FS_SECURITY

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:43:38 +02:00
Adam Duskett
2be469e3b9 package/libselinux: enable kernel selinux support for erofs images
If BR2_TARGET_ROOTFS_EROFS is selected, enable the following kernel options:
  - CONFIG_EROFS_FS_XATTR
  - CONFIG_EROFS_FS_SECURITY

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:43:35 +02:00
Adam Duskett
b5bb766ff2 package/libselinux: set the config_lsm kernel config option to selinux
Currently, the libselinux package sets the CONFIG_DEFAULT_SECURITY_SELINUX
kernel option. However, as of kernels >= 5.1, this option is superseded in
favor of the CONFIG_LSM option, a comma-separated list of LSMs the kernel
should initialize in order.

As the previous behavior of this package sets the kernel's default and only
LSM to initialize to SELinux, it is safe to set this string to just selinux.
If the user wants additional LSMs, they may do so with a custom kernel config.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 15:43:21 +02:00
Antoine Tenart
c38c1cde0d docs/manual: add a section about SELinux
Add documentation about how to use SELinux in Buildroot, and what are
the available mechanisms to extend and customize the SELinux policy.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
[Thomas: misc improvements.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 14:47:29 +02:00
Antoine Tenart
fb2968707b package/refpolicy: fix the configure, build and install steps
The refpolicy configure and build step were not correctly defined. The
configuration was split between the configure and build step, while
both the compilation and the installation were done in the install
step. Fix this by moving all the configuration within the
configuration step and by adding a call to make in the build step to
compile the policy.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 11:55:02 +02:00
Antoine Tenart
07e5d4dec1 package/refpolicy: allow packages to provide their own SELinux modules
Allow packages to have an 'selinux' subfolder containing SELinux modules
(sources) to be synced and compiled within the refpolicy, if the package
is selected.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 11:52:01 +02:00
Antoine Tenart
8619307c96 package/refpolicy: allow to provide a custom refpolicy
Add support for the user to provide a fully custom refpolicy. When
this is used, modules aren't disabled anymore and packages do not
select refpolicy available modules either. The custom refpolicy must
define the full policy explicitly, and must be a fork of the original
refpolicy, to have the same build system.

This is added to allow users to fully control an SELinux policy, by
providing a complete custom policy.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 11:49:32 +02:00
Antoine Tenart
7f3b075609 package/refpolicy: allow selecting additional modules
Allow users to select additional modules available in the refpolicy, to
be built in the binary policy. This will allow non-base modules to be
selected based on the user use-case and to select extra module
dependencies when providing out-of-tree modules.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 11:34:20 +02:00
Antoine Tenart
1e2e3cc951 package/refpolicy: allow providing user defined modules
Allow users to provide custom SELinux modules to be part of the final
policy. A new configuration variable is added, pointing to a list of
directories containing the custom modules.

SELinux modules do require a metadata.xml file to be well integrated
in the refpolicy build. If this file isn't provided, it will be
automatically created.

For now, this option requires the extra modules to be directly into
the BR2_REFPOLICY_EXTRA_MODULES directory, and subfolders aren't
supported.  They may never be, as having subfolders could introduce
issues when two different modules have the same name (which isn't
supported by the refpolicy).

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 11:16:05 +02:00
Antoine Tenart
9c0edf765e package/e2fsprogs: select SELinux module
Select the fstools SELinux module when e2fsprogs binaries are compiled
and installed in the target filesystem, so that they'll be supported by
the SELinux policy.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 11:07:50 +02:00
Antoine Tenart
8408634b9f package/util-linux: select SELinux module
Select the fstools SELinux module to be compiled in the policy for the
relevant binaries of util-linux.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 11:07:42 +02:00
Antoine Tenart
cea777f86a package/dbus: select SELinux module
Select the dbus SELinux module so that it will be compiled in the
refpolicy. This way, if an SELinux policy is generated, dbus will be
supported.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 10:52:49 +02:00
Antoine Tenart
b5704f2ec8 package/systemd: select SELinux modules
Select the systemd and udev SELinux modules so that they will be
compiled in the refpolicy. This way, if an SELinux policy is generated,
Systemd will be supported.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 10:52:39 +02:00
Antoine Tenart
0228f521d6 package/refpolicy: allow packages to select SELinux modules
Add support for packages to enable SELinux modules already supported by
the refpolicy, but not selected by default in its policy.

With this commit, packages will be able to do something like:

SYSTEMD_SELINUX_MODULES = systemd udev

to enable additional SELinux modules.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 10:52:20 +02:00
Antoine Tenart
11a7a0af2a package/refpolicy: smaller monolithic policy
The refpolicy is configured to use a monolithic build, compiling all the
available modules (whether they're 'base' or 'modules' ones) in the
binary policy. The result is a quite big SELinux policy, with a lot more
rules than what would be needed in a Buildroot image.

Refactor the refpolicy build configuration to enable less modules by
default. To achieve this, all the modules marked as being part of the
'base' policy are kept but all the modules marked as being only
'modules' are disabled. Then a static list of modules (in addition to
the already selected 'base' ones) are enabled. The result is a much
smaller refpolicy: tests showed a reduction of the binary policy from
2.4M to 249K (~90% smaller).

This minimal set of SELinux modules should allow to boot a system in
enforcing mode in the future. It currently does not work, not because
extra modules are needed, but because of required changes within the
selected modules.

This patch would break backward compatibility as the refpolicy will no
longer have all the modules provided by the project, but only those
selected. This should not be an issue as this configuration was not
suitable directly for a real system. Modifications had to be done. If we
still find out later that this is an issue for someone, we'll have the
ability to mimic what was done previously thanks to other mechanisms
(such as providing the upstream policy as a "custom" policy location).

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 10:51:38 +02:00
Antoine Tenart
b0f3d22976 fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency
This patch is cosmetic and moves down ROOTFS_REPRODUCIBLE for
consistency.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 10:50:14 +02:00
Antoine Tenart
b843d78173 fs/common.mk: set SELinux file security contexts
Set the SELinux file security contexts using setfiles when generating
root filesystem images.

Without such security contexts created at build time, they need to be
setup at first boot by running the restorecon utility on the target.
This has two drawbacks:

 - You have to special case the first boot, which cannot be done in
   enforcing mode, and will have to run restorecon, then reboot.

 - You cannot support read-only filesystems.

By setting up the security contexts at build time, we can have a
filesystem image that is immediately ready to boot an SELinux system
in enforcing mode, including if the root filesystem is read-only.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 10:49:30 +02:00
Antoine Tenart
fde2d3b524 package/e2fsprogs: set xattrs for the root dir as well
The mke2fs binary copies the xattrs of the source directory when
creating an image, but this logic did not include the root directory of
the resulting image. A patch was sent upstream to fix this. Include the
patch in Buildroot to allow creating SELinux ready images at build time.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 10:31:55 +02:00
Heiko Thiery
e990368b7d package/ethtool: bump version to 5.8
Release notes: https://lwn.net/Articles/828044/

- remove patch that is in new version

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 10:28:52 +02:00
Joachim Wiberg
43670e4fd6 package/mg: new package
Mg is a small Emacs-like editor with no external dependencies except a
standard C library.  It weighs in at 130 kiB and is one of a select few
completely free (public domain) text editors suitable for small and
embedded systems.

This version is based on the OpenBSD Mg, but with more features, one of
which being the no-ncurses/termcap support, which heavily reduces the
impact on a resource constrained system.

Upstream: https://github.com/troglobit/mg/

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 10:28:43 +02:00
Francois Perrad
d16d88b5ec package/perl-net-dns: bump to version 1.26
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-04 09:21:42 +02:00
Fabrice Fontaine
9e31511d64 package/minidlna: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/8754bb4f7d749f999d5f8ddfec587470ceec4476

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 09:18:20 +02:00
Asaf Kahlon
920e8dbab1 package/spdlog: bump to version 1.8.0
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 09:15:07 +02:00
Asaf Kahlon
841b453fcb package/python-scapy: bump to version 2.4.4
And use two spaces for hash file indentation.

Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 09:14:58 +02:00
Asaf Kahlon
f094b5e5a7 package/collectd: bump to version 5.12.0
And drop patch (already in version).

Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 09:14:53 +02:00
Bernd Kuhls
4a9333b7a1 package/{mesa3d, mesa3d-headers}: bump version to 20.1.7
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 09:14:48 +02:00
Francois Perrad
eef2f9af9f package/lua-utf8:bump to version 0.1.3
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 09:14:10 +02:00
Francois Perrad
a257cae6ab package/lua-testmore: bump to version 0.3.5
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 09:14:05 +02:00
Francois Perrad
0b1eda87b7 package/lua-std-normalize: bump to version 2.0.3
diff LICENSE.md:
- Copyright (C) 2002-2018 normalize authors
+ Copyright (C) 2002-2020 normalize authors

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-04 09:14:01 +02:00