Firejail Security Sandbox
https://firejail.wordpress.com/
Lightweight application sandboxing system using seccomp and kernel
namespaces.
Signed-off-by: Chris Frederick <cdf123@cdf123.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
toolchain-wrapper was not reinstalled. So rules toolchain-external-reinstall,
gcc-initial-reinstall, gcc-final-reinstall didn't work as expected.
In addition, normalize variable name: s/TOOLCHAIN_BUILD_WRAPPER/TOOLCHAIN_WRAPPER_BUILD/
Signed-off-by: Jérôme Pouiller <jezz@sysmic.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
When adding a boolean option to legacy, it should select BR2_LEGACY, to
trigger the legacy warning.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
LIBDIR was used in cpp/examples/MinOZW/Makefile to add dynamic
libraries. However, as it was unset by default, the cross-compilation
could fail if the host had a library such as libnss3.so in /.
To fix this issue, this patch sets LIBDIR to top_buildir if it is unset
Fixes:
http://autobuild.buildroot.net/results/68719fdf1320a69310bada6d3c47654dacdb5898
Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Just needed to add --with-ldap to POSTGRESQL_CONF_OPTS and add openldap
to POSTGRESQL_DEPENDENCIES when BR2_PACKAGE_OPENLDAP is on
Signed-off-by: Chris Frederick <cdf123@cdf123.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Following suggestion of Yann Morin, rework selection of php
interfaces: use booleans instead of choice to be able to select
multiple interfaces as they are not exclusive. We make sure at least
one of the options is selected.
It should be noted that previously CGI and FPM could not be selected
at the same time. This is now possible. Bug that prevented compilation
of CGI and FPM binaries at the same time has been fixed since PHP 5.4
(https://github.com/php-build/php-build/issues/101).
Legacy handling is added for the two options that are removed, and the
appropriate new options are selected.
Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Some packages download files (especially patches) with a ? in the
URL. The ? marks the query part of the URL. However, the downloaded
file still contains the ? but from then on it doesn't designate a
query part anymore. Therefore, when fetching from PRIMARY or
BACKUP site over http, the server will report a 404 Not Found.
To fix, we need to replace the ? with %3F. Obviously, this should
be done only when fetching from PRIMARY or BACKUP. For fetching
from the real upstream, the ? really does designate the query part.
Fixes #9371.
Reported-by: Johan Derycke <johanderycke@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas: replace 'SECONDARY' by 'BACKUP'.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Building this minimal defconfig
BR2_TOOLCHAIN_BUILDROOT_MUSL=y
BR2_GCC_VERSION_6_X=y
fails:
In file included from ../../../../libmpx/mpxrt/mpxrt.c:54:0:
../../../../libmpx/mpxrt/mpxrt.c: In function 'read_mpx_status_sig':
../../../../libmpx/mpxrt/mpxrt.h:52:42: error: invalid application of
'sizeof' to incomplete type 'struct _libc_fpstate'
#define XSAVE_OFFSET_IN_FPMEM sizeof (struct _libc_fpstate)
To fix disable libmpx for musl builds, other projects did the same:
3ec2211548
http://git.alpinelinux.org/cgit/aports/commit/main/gcc/APKBUILD?id=1830e485126ea9a95d763317fb0c508c1ff297d2
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit bumps cryptopp from 5.6.3 to 5.6.5 in order to fix bug
The commit f707b9ef1688d4429ca6239cf2dc236440974681, which Buildroot
was downloading as a patch to fix build with older gcc versions, has
been merged upstream as of 5.6.4, is therefore no longer necessary,
and dropped in this commit.
In addition, Andrey Volkov in the bug report #9321, proposed to add a
number of patches to cryptopp to solve issues when using
tegrarcm. Those patches are the following ones:
- patch 0: moving to autotools as the build system. This is not
strictly a bug fix, and is not necessary.
- patch 1: merged upstream in
"3941be18891a6a87626b7c70f715ca91c61c08c3 Fixed hang on ARM
platforms in Integer::DivideThreeWordsByTwo", which is part of
5.6.5.
- patch 2: merged upstream in
"9fca0c28023a177106cf58a3de6da610f185a6e4 Work around issue on
ARMEL in MultiplyTop and GCC. ARMHF is OK", which is part of 5.6.5.
- patch 3: merged upstream in
"dce2317195a7d9aa77b159fd1beddaf8358f6243 Increase range for GCC
workaround on ARMEL. After speaking with AP from GCC, he states
some issues are still likely present in Master, which is GCC 6.0",
which is part of 5.6.5
- patch 4: merged upstream in
"605744d8260c6ada033805c13ae0b2646acf18d6 Fixed SecBlock append
when "this == t", fixed assert, added validation test (Issue 92)",
which is part of 5.6.5
- patch 5: merged upstream in
"9f335d719ebc27f58251559240de0077ec42c583 Fix the Rijndael timing
attack counter measure", which is part of 5.6.5
- patch 6: merged upstream in
"d8b02cfaafd7350ed0f876cd5da405cff330d537 Fixed m68k detection
(Issue 153)", which is part of 5.6.5
- patch 7: merged upstream in
"c82fd655ed7465db8d21a0e0559c304a7a86d298 Cleared assert in debug
builds (Issue 138)", which is part of 5.6.5
Bottom line: none of the patches proposed by Andrey Volkov are
necessary if we bump to 5.6.5.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The library is LGPLv2.1+, the tests and tools are GPLv3+ so clarify to
avoid confusion.
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Reviewed-by: Rahul Bedarkar <rahul.bedarkar@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
From the build configuration, Buildroot defines and sets some compiler
and linker flags that should be passed to any package's build-system.
For packages using the cmake-package infrastructure, this is achieved
via the toolchainfile.cmake.
This change simplifies the way the toolchainfile.cmake file handles
these flags: it now just sets them, without any attempt to extend them
with those Buildroot defined.
This change still allows overriding these flags from the configure
command line.
So, now, when a CMake-based package needs to extend them, they should
be fully set from the package *.mk file. This behavior is consistent
with what is done for other package infrastructures.
This change should not pull any regression WRT the bug #7280 [1].
However, now, when someone uses the toolchainfile.cmake file outside of
Buildroot, he/she must overload all compiler/linker flags (including the
ones Buildroot sets since they no longer get automatically added).
[1] https://bugs.busybox.net/show_bug.cgi?id=7280
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Max Filippov <jcmvbkbc@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
When a build type is set, CMake does append some flags that can override
those set by Buildroot due to the gcc option parser (in which the last
argument controlling an option wins).
Hereafter is a summary of the optimization and debug flags set by
Buildroot and appended by CMake.
* Flags set by Buildroot depending on the configuration:
BR2_ENABLE_DEBUG | Optim. level        | Buildroot {C,CXX}FLAGS
=================+=====================+=======================
        y        | BR2_OPTIMIZE_S      | -Os -gx
        y        | BR2_OPTIMIZE_G      | -Og -gx
        y        | BR2_OPTIMIZE_{0..3} | -On -gx
        n        | BR2_OPTIMIZE_S      | -Os
        n        | BR2_OPTIMIZE_G      | -Og
        n        | BR2_OPTIMIZE_{0..3} | -On
* Default flags appended by CMake depending on the build type:
Build type     | Flags           | Effects on {C,CXX}FLAGS
===============+=================+===========================================
Debug          | -g              | Force -g, compatible with BR2_ENABLE_DEBUG
MinSizeRel     | -Os -DNDEBUG    | Set -Os, compatible with BR2_OPTIMIZE_S
Release        | -O3 -DNDEBUG    | Set -O3, closest to the other cases,
               |                 | though the optimization level is forced.
RelWithDebInfo | -O2 -g -DNDEBUG | Force -g and set -O2, not friendly with BR
To avoid the CMake flags taking precedence over the Buildroot ones, this
change sets in toolchainfile.cmake the per-config compiler flags CMake
can append depending on the build type Buildroot defined.
So, CMake does not mess up with the compilation flags Buildroot sets.
It is still possible to override these per-config flags on the cmake
command line.
Note:
If a CMake-based project forces the compiler and/or linker flag
definitions (the default ones or the per-config ones - e.g.
CMAKE_C_FLAGS/CMAKE_C_FLAGS_{DEBUG,RELEASE}), there is not much
Buildroot can do about it.
So, the flags will be overwritten anyway in these cases.
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas:
- adjust comment in toolchainfile.cmake.in, as suggested by Arnout.
- also handle CMAKE_Fortran_FLAGS_*, as suggested by Arnout.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
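The override described in the commit message above can be checked mechanically. The following is an added example, not code from Buildroot or from the commit: it models gcc's "last -O wins" rule over the two tables above and reports when the flags CMake appends change the optimization level Buildroot asked for or disable asserts. The function names and the `per_config_override` parameter are hypothetical, and the override value used to model a toolchain file is an assumption.

```python
import re

# Per-build-type flags CMake appends by default (taken from the table above).
CMAKE_APPENDED = {
    "Debug": "-g",
    "MinSizeRel": "-Os -DNDEBUG",
    "Release": "-O3 -DNDEBUG",
    "RelWithDebInfo": "-O2 -g -DNDEBUG",
}

OPT_RE = re.compile(r"^-O(.*)$")


def effective(flags):
    """Summarise a gcc flag string: the last -O option wins;
    -g* and -DNDEBUG count if they appear anywhere."""
    opt, debug, ndebug = None, False, False
    for tok in flags.split():
        m = OPT_RE.match(tok)
        if m:
            opt = "-O" + (m.group(1) or "1")  # bare -O is -O1
        elif tok.startswith("-g"):
            debug = True
        elif tok == "-DNDEBUG":
            ndebug = True
    return {"opt": opt, "debug": debug, "ndebug": ndebug}


def audit(buildroot_flags, build_type, per_config_override=None):
    """Compare what Buildroot requested with what the compiler finally sees.

    per_config_override (hypothetical) models a toolchain file that replaces
    CMake's default per-config flags with its own string.
    """
    appended = (CMAKE_APPENDED[build_type]
                if per_config_override is None else per_config_override)
    wanted = effective(buildroot_flags)
    got = effective(f"{buildroot_flags} {appended}")
    return {
        "effective_opt": got["opt"],
        "opt_overridden": wanted["opt"] is not None and got["opt"] != wanted["opt"],
        "debug_forced": got["debug"] and not wanted["debug"],
        "asserts_disabled": got["ndebug"],
    }


if __name__ == "__main__":
    # Constructed sample inputs: a size-optimized build with and without debug.
    for br_flags in ("-Os -g2", "-Os"):
        for build_type in CMAKE_APPENDED:
            print(br_flags, build_type, audit(br_flags, build_type))
```
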
The chosen CMAKE_BUILD_TYPE encodes an option of the Buildroot
configuration, so it makes more sense to save it in the
toolchainfile.cmake than to pass it during configure.
It is still possible to override the build type on the cmake
command line.
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas: reword description in the CHANGES file.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This reverts commit 4b01201834.
Before reverting this patch, CMake packages are built with the following
options:
* if BR2_ENABLE_DEBUG is set:
The CMake build type is set to RelWithDebInfo, which means:
- Optimization level is forced to: -O2;
- no log nor assert due to -DNDEBUG;
- BR2_DEBUG_{1..3} effect is unchanged;
* otherwise:
The CMake build type is set to Release, which means:
- Optimization level is forced to: -O3;
- no log nor assert due to -DNDEBUG (as expected).
In any case, the optimization WRT the binary size is always ignored
and forced.
Reverting to the previous situation, so Buildroot now chooses between
the 'Debug' and 'Release' config types, which are semantically closer
to what Buildroot does everywhere else:
* if BR2_ENABLE_DEBUG is set:
The CMake build type is set to Debug, which means:
- only -g option is passed by CMake;
- optimization is not forced, nor debug level, so they are kept
as-is;
* otherwise:
The CMake build type is set to Release, so no change in this case:
- Optimization level is forced to: -O3;
- no log nor assert due to -DNDEBUG (as expected);
- size optimization is ignored.
Follow-up patches will fix the CMake flag variables that are appended by
CMake.
Cc: Charles Hardin <ckhardin@exablox.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In order to avoid duplicating architecture dependencies in the trinity
Config.in file, this commit introduces a
BR2_PACKAGE_TRINITY_ARCH_SUPPORTS Config.in variable.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
It also changes the python-protobuf.hash file to be a symbolic link to
../protobuf/protobuf.hash so that both hash files don't have to be
updated when protobuf is bumped.
In addition, the 0001-disable-unneeded-build-dependencies.patch patch
from package/python-protobuf/ is removed because it has been merged
upstream.
Signed-off-by: Jan Heylen <heyleke@gmail.com>
[Thomas: fix the build of python-protobuf.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- change back to original download site
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In this case in particular a host tool is built inside the target build
step.
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>