From 125d14805f769104f93c510bedaa685a52ec025d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ciro=20Santilli=20=E5=85=AD=E5=9B=9B=E4=BA=8B=E4=BB=B6=20?= =?UTF-8?q?=E6=B3=95=E8=BD=AE=E5=8A=9F?=
Date: Fri, 1 Feb 2019 00:00:01 +0000
Subject: [PATCH] buildroot: move to glibc selinux: continue attempt now that we have glibc, but still failing
---
 README.adoc | 94 +++++++++++++++++++++++++++++++++++-----
 buildroot_config/default | 2 +
 common.py | 6 +--
 3 files changed, 88 insertions(+), 14 deletions(-)

diff --git a/README.adoc b/README.adoc
index 5d72387..78eca71 100644
--- a/README.adoc
+++ b/README.adoc
@@ -7027,22 +7027,68 @@ https://en.wikipedia.org/wiki/Linux_Security_Modules
 ===== SELinux
-TODO get hello world working.
+TODO get a hello world permission control working:
 ....
 ./build-linux \
 --config-fragment linux_config/selinux \
 --linux-build-id selinux \
 ;
+./build-buildroot --config 'BR2_PACKAGE_REFPOLICY=y'
+./run --enable-kvm --linux-build-id selinux
 ....
-But then this fails currently:
+Source: link:linux_config/selinux[]
+
+This builds:
+
+* `BR2_PACKAGE_REFPOLICY`, which includes a reference `/etc/selinux/config` policy: https://github.com/SELinuxProject/refpolicy
++
+refpolicy in turn depends on:
+* `BR2_PACKAGE_SETOOLS`, which contains tools such as `getenforced`: https://github.com/SELinuxProject/setools
++
+setools depends on:
+* `BR2_PACKAGE_LIBSELINUX`, which is the backing userland library
+
+After boot finishes, we see:
 ....
-./build-buildroot --config 'BR2_PACKAGE_SETOOLS=y'
+Starting auditd: mkdir: invalid option -- 'Z'
 ....
-because we use ucLibc which is incompatible with SELinux, with a trivial unmerged fix at: http://lists.busybox.net/pipermail/buildroot/2017-July/197793.html
+which comes from `/etc/init.d/S01auditd`, because BusyBox' `mkdir` does not have the crazy `-Z` option like Ubuntu. That's amazing!
+
+The kernel logs contain:
+
+....
+SELinux: Initializing.
+....
+
+Inside the guest we now have:
+
+....
+getenforce
+....
+
+which initially says:
+
+....
+Disabled
+....
+
+TODO: if we try to enforce:
+
+....
+setenforce 1
+....
+
+it does not work and outputs:
+
+....
+setenforce: SELinux is disabled
+....
+
+SELinux requires glibc: <>.
 === User mode Linux
@@ -7056,7 +7102,7 @@ Maybe some brave soul will send a pull request one day.
 UIO is a kernel subsystem that allows to do certain types of driver operations from userland.
-This would be awesome to improve debugability and safety of kernel modules.
+This would be awesome to improve debuggability and safety of kernel modules.
 VFIO looks like a newer and better UIO replacement, but there do not exist any examples of how to use it: https://stackoverflow.com/questions/49309162/interfacing-with-qemu-edu-device-via-userspace-i-o-uio-linux-driver
@@ -7221,7 +7267,7 @@ When you hit `Ctrl-Alt-Del` in the guest, our tiny init handles a `SIGINT` sent
 cad
 ....
-To map between `man 2 reboot` and the uclibc `RB_*` magic constants see:
+To map between `man 2 reboot` and the uClibc `RB_*` magic constants see:
 ....
 less "$(./getvar buildroot_build_build_dir)"/uclibc-*/include/sys/reboot.h"
@@ -7693,17 +7739,19 @@ TODO a large chunk of tests, the Open POSIX test suite, is disabled with a comme
 POSIX userland stress. Two versions:
 ....
-./build-buildroot --config 'BR2_PACKAGE_STRESS=y'
-./build-buildroot --config 'BR2_PACKAGE_STRESS_NG=y'
+./build-buildroot \
+ --config 'BR2_PACKAGE_STRESS=y' \
+ --config 'BR2_PACKAGE_STRESS_NG=y' \
+;
 ....
+`STRESS_NG` is likely the best, but it requires glibc: <>.
+
 Websites:
 * https://people.seas.harvard.edu/~apw/stress/
 * https://github.com/ColinIanKing/stress-ng
-Likely the NG one is best, but it requires `BR2_TOOLCHAIN_USES_GLIBC=y` which we don't have currently because we use uclibc... arghhhh.
-
 `stress` usage:
 ....
@@ -10312,7 +10360,7 @@ link:https://en.wikipedia.org/wiki/Buildroot[Buildroot] is a set of Make scripts
 * GCC
 * Linux kernel
-* C standard library: Buildroot supports several implementations, we use link:https://en.wikipedia.org/wiki/GNU_C_Library[glibc] by default
+* C standard library: Buildroot supports several implementations, see: <>
 * link:https://en.wikipedia.org/wiki/BusyBox[BusyBox]: provides the shell and basic command line utilities
 It therefore produces a pristine, blob-less, debuggable setup, where all moving parts are configured to work perfectly together.
@@ -10623,6 +10671,30 @@ For Buildroot problems, you should wither provide the config you have:
 or try to reproduce with a minimal config, see: https://github.com/cirosantilli/buildroot/tree/in-tree-package-master
+== libc choice
+
+Buildroot supports several libc implementations, including:
+
+* link:https://en.wikipedia.org/wiki/GNU_C_Library[glibc]
+* link:https://en.wikipedia.org/wiki/UClibc[uClibc]
+
+We currently use glibc, which is selected by:
+
+....
+BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
+....
+
+Ideally we would like to use uClibc, as it is more minimal and easier to understand, but unfortunately there are some very few packages that use some weird glibc extension that uClibc hasn't implemented yet, e.g.:
+
+* <>. Trivial unmerged fix at: http://lists.busybox.net/pipermail/buildroot/2017-July/197793.html just missing the uClibc option to expose `fts.h`...
+* <>
+
+The full list of unsupported packages can be found by grepping the Buildroot source:
+
+....
+git -C "$(./getvar buildroot_source_dir)" grep 'depends on BR2_TOOLCHAIN_USES_GLIBC'
+....
+
 == Baremetal
 Getting started at: <>
diff --git a/buildroot_config/default b/buildroot_config/default
index e5b5b4c..4403a30 100644
--- a/buildroot_config/default
+++ b/buildroot_config/default
@@ -11,6 +11,8 @@ BR2_OPTIMIZE_0=y
 BR2_PTHREAD_DEBUG=y
 BR2_TOOLCHAIN_BUILDROOT_CXX=y
 BR2_TOOLCHAIN_BUILDROOT_FORTRAN=y
+# http://github.com/cirosantilli/linux-kernel-module-cheat#libc-choice
+BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
 BR2_TOOLCHAIN_BUILDROOT_WCHAR=y
 # Rootfs
diff --git a/common.py b/common.py
index 6571e44..d2f77c4 100644
--- a/common.py
+++ b/common.py
@@ -453,21 +453,21 @@ Valid emulators: {}
 if env['arch'] == 'arm':
 env['armv'] = 7
 env['mcpu'] = 'cortex-a15'
- env['buildroot_toolchain_prefix'] = 'arm-buildroot-linux-uclibcgnueabihf'
+ env['buildroot_toolchain_prefix'] = 'arm-buildroot-linux-gnueabihf'
 env['crosstool_ng_toolchain_prefix'] = 'arm-unknown-eabi'
 env['ubuntu_toolchain_prefix'] = 'arm-linux-gnueabihf'
 env['is_arm'] = True
 elif env['arch'] == 'aarch64':
 env['armv'] = 8
 env['mcpu'] = 'cortex-a57'
- env['buildroot_toolchain_prefix'] = 'aarch64-buildroot-linux-uclibc'
+ env['buildroot_toolchain_prefix'] = 'aarch64-buildroot-linux-gnu'
 env['crosstool_ng_toolchain_prefix'] = 'aarch64-unknown-elf'
 env['ubuntu_toolchain_prefix'] = 'aarch64-linux-gnu'
 env['is_arm'] = True
 elif env['arch'] == 'x86_64':
 env['crosstool_ng_toolchain_prefix'] = 'x86_64-unknown-elf'
 env['gem5_arch'] = 'X86'
- env['buildroot_toolchain_prefix'] = 'x86_64-buildroot-linux-uclibc'
+ env['buildroot_toolchain_prefix'] = 'x86_64-buildroot-linux-gnu'
 env['ubuntu_toolchain_prefix'] = 'x86_64-linux-gnu'
 if env['emulator'] == 'gem5':
 if not env['_args_given']['machine']:
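Review bot: The libc selection added here, `BR2_TOOLCHAIN_BUILDROOT_GLIBC=y`, is silently coupled to the three `buildroot_toolchain_prefix` strings in the common.py hunk of this commit, which hard-code the glibc tuple suffix (`-gnueabihf`, `-gnu`) in each arch branch, and neither file mentions the other; since the README in this commit still calls uClibc the preferred option, a later switch back in this config would presumably leave those prefixes pointing at a toolchain directory that no longer exists. Record the coupling at both sites, e.g. here `# Changing the libc also changes buildroot_toolchain_prefix in common.py ('*-buildroot-linux-gnu*' for glibc)` and on the first assignment in common.py `# tuple suffix follows the libc selected in buildroot_config/default (BR2_TOOLCHAIN_BUILDROOT_GLIBC=y)`, or derive the suffix once from the libc choice instead of repeating it per arch. The function containing the common.py hunk starts before it and continues after it.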