busybox: alternatives link to sh wrappers for commands

While directly using busybox[.[no]suid] as the alternatives' targets, commands could not get correct security labels. ~# ls -l /sbin/getty ..... /sbin/getty -> /bin/busybox.nosuid ~# ls -Z /bin/busybox.nosuid system_u:object_r:bin_t:s0 /bin/busybox.nosuid Add sh wrappers for commands so selinux could work fine. ~# ls -l /sbin/getty ..... /sbin/getty -> /usr/lib/busybox/sbin/getty ~# ls -Z /usr/lib/busybox/sbin/getty system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty ~# cat /usr/lib/busybox/sbin/getty #!/bin/busybox.nosuid Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2013-09-23 21:18:05 +0800
committer: Joe MacDonald <joe@deserted.net> 2013-10-02 13:24:45 -0400
commit: 521ca9c9cf370840e9f8c808a7955aa5da7c356e (patch)
tree: d8883798d9ef8e7a0b86ac1958e322053e8f6574 /recipes-core
parent: 20153c8810cecc31873fbe14bb1695a85b77cef4 (diff)
download: meta-selinux-521ca9c9cf370840e9f8c808a7955aa5da7c356e.tar.gz
1 files changed, 87 insertions, 0 deletions
diff --git a/recipes-core/busybox/busybox_1.21.1.bbappend b/recipes-core/busybox/busybox_1.21.1.bbappend
new file mode 100644
index 0000000..b4935b2
--- /dev/null
+++ b/recipes-core/busybox/busybox_1.21.1.bbappend
@@ -0,0 +1,87 @@
+PR .= ".1"
+FILES_${PN} += "${libdir}/${PN}"
+# We should use sh wrappers instead of links so the commands could get correct
+# security labels
+python create_sh_wrapper_reset_alternative_vars () {
+    # We need to load the full set of busybox provides from the /etc/busybox.links
+    # Use this to see the update-alternatives with the right information
+    dvar = d.getVar('D', True)
+    pn = d.getVar('PN', True)
+    def create_sh_alternative_vars(links, target, mode):
+        import shutil
+        # Create sh wrapper template
+        fwp = open("busybox_wrapper", 'w')
+        fwp.write("#!%s" % (target))
+        os.fchmod(fwp.fileno(), mode)
+        fwp.close()
+        # Install the sh wrappers and alternatives reset to link to them
+        wpdir = os.path.join(d.getVar('libdir', True), pn)
+        wpdir_dest = '%s%s' % (dvar, wpdir)
+        if not os.path.exists(wpdir_dest):
+            os.makedirs(wpdir_dest)
+        f = open('%s%s' % (dvar, links), 'r')
+        for alt_link_name in f:
+            alt_link_name = alt_link_name.strip()
+            alt_name = os.path.basename(alt_link_name)
+            # Copy script wrapper to wp_path
+            alt_wppath = '%s%s' % (wpdir, alt_link_name)
+            alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name) 
+            alt_wpdir_dest = os.path.dirname(alt_wppath_dest)
+            if not os.path.exists(alt_wpdir_dest):
+                os.makedirs(alt_wpdir_dest)
+            shutil.copy2("busybox_wrapper", alt_wppath_dest)
+            # Re-set alternatives
+            # Match coreutils
+            if alt_name == '[':
+                alt_name = 'lbracket'
+            d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
+            d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
+            if os.path.exists(alt_wppath_dest):
+                d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
+        f.close()
+        os.remove("busybox_wrapper")
+        return
+    if os.path.exists('%s/etc/busybox.links' % (dvar)):
+        create_sh_alternative_vars("/etc/busybox.links", "/bin/busybox", 0o0755)
+    else:
+        create_sh_alternative_vars("/etc/busybox.links.nosuid", "/bin/busybox.nosuid", 0o0755)
+        create_sh_alternative_vars("/etc/busybox.links.suid", "/bin/busybox.suid", 0o4755)
+}
+# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in
+# do_package_prepend() section of busybox_*.bb.
+PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars "
+# Use sh wrappers instead of links
+pkg_postinst_${PN} () {
+        # This part of code is dedicated to the on target upgrade problem.
+        # It's known that if we don't make appropriate symlinks before update-alternatives calls,
+        # there will be errors indicating missing commands such as 'sed'.
+        # These symlinks will later be updated by update-alternatives calls.
+        test -n 2 > /dev/null || alias test='busybox test'
+        if test "x$D" = "x"; then
+                # Remove busybox.nosuid if it's a symlink, because this situation indicates
+                # that we're installing or upgrading to a one-binary busybox.
+                if test -h /bin/busybox.nosuid; then
+                        rm -f /bin/busybox.nosuid
+                fi
+                for suffix in "" ".nosuid" ".suid"; do
+                        if test -e /etc/busybox.links$suffix; then
+                                while read link; do
+                                        if test ! -e "$link"; then
+                                                # we can use busybox here because even if we are using splitted busybox
+                                                # we've made a symlink from /bin/busybox to /bin/busybox.nosuid.
+                                                busybox echo "#!/bin/busybox$suffix" > $link
+                                        fi
+                                done < /etc/busybox.links$suffix
+                        fi
+                done
+        fi
+}
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2013-09-23 21:18:05 +0800
committer	Joe MacDonald <joe@deserted.net>	2013-10-02 13:24:45 -0400
commit	521ca9c9cf370840e9f8c808a7955aa5da7c356e (patch)
tree	d8883798d9ef8e7a0b86ac1958e322053e8f6574 /recipes-core
parent	20153c8810cecc31873fbe14bb1695a85b77cef4 (diff)
download	meta-selinux-521ca9c9cf370840e9f8c808a7955aa5da7c356e.tar.gz

diff --git a/recipes-core/busybox/busybox_1.21.1.bbappend b/recipes-core/busybox/busybox_1.21.1.bbappend new file mode 100644 index 0000000..b4935b2 --- /dev/null +++ b/recipes-core/busybox/busybox_1.21.1.bbappend
@@ -0,0 +1,87 @@
	1	PR .= ".1"
	2
	3	FILES_${PN} += "${libdir}/${PN}"
	4
	5	# We should use sh wrappers instead of links so the commands could get correct
	6	# security labels
	7	python create_sh_wrapper_reset_alternative_vars () {
	8	# We need to load the full set of busybox provides from the /etc/busybox.links
	9	# Use this to see the update-alternatives with the right information
	10
	11	dvar = d.getVar('D', True)
	12	pn = d.getVar('PN', True)
	13
	14	def create_sh_alternative_vars(links, target, mode):
	15	import shutil
	16	# Create sh wrapper template
	17	fwp = open("busybox_wrapper", 'w')
	18	fwp.write("#!%s" % (target))
	19	os.fchmod(fwp.fileno(), mode)
	20	fwp.close()
	21	# Install the sh wrappers and alternatives reset to link to them
	22	wpdir = os.path.join(d.getVar('libdir', True), pn)
	23	wpdir_dest = '%s%s' % (dvar, wpdir)
	24	if not os.path.exists(wpdir_dest):
	25	os.makedirs(wpdir_dest)
	26	f = open('%s%s' % (dvar, links), 'r')
	27	for alt_link_name in f:
	28	alt_link_name = alt_link_name.strip()
	29	alt_name = os.path.basename(alt_link_name)
	30	# Copy script wrapper to wp_path
	31	alt_wppath = '%s%s' % (wpdir, alt_link_name)
	32	alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name)
	33	alt_wpdir_dest = os.path.dirname(alt_wppath_dest)
	34	if not os.path.exists(alt_wpdir_dest):
	35	os.makedirs(alt_wpdir_dest)
	36	shutil.copy2("busybox_wrapper", alt_wppath_dest)
	37	# Re-set alternatives
	38	# Match coreutils
	39	if alt_name == '[':
	40	alt_name = 'lbracket'
	41	d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
	42	d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
	43	if os.path.exists(alt_wppath_dest):
	44	d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
	45	f.close()
	46
	47	os.remove("busybox_wrapper")
	48	return
	49
	50	if os.path.exists('%s/etc/busybox.links' % (dvar)):
	51	create_sh_alternative_vars("/etc/busybox.links", "/bin/busybox", 0o0755)
	52	else:
	53	create_sh_alternative_vars("/etc/busybox.links.nosuid", "/bin/busybox.nosuid", 0o0755)
	54	create_sh_alternative_vars("/etc/busybox.links.suid", "/bin/busybox.suid", 0o4755)
	55	}
	56
	57	# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in
	58	# do_package_prepend() section of busybox_*.bb.
	59	PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars "
	60
	61	# Use sh wrappers instead of links
	62	pkg_postinst_${PN} () {
	63	# This part of code is dedicated to the on target upgrade problem.
	64	# It's known that if we don't make appropriate symlinks before update-alternatives calls,
	65	# there will be errors indicating missing commands such as 'sed'.
	66	# These symlinks will later be updated by update-alternatives calls.
	67	test -n 2 > /dev/null \|\| alias test='busybox test'
	68	if test "x$D" = "x"; then
	69	# Remove busybox.nosuid if it's a symlink, because this situation indicates
	70	# that we're installing or upgrading to a one-binary busybox.
	71	if test -h /bin/busybox.nosuid; then
	72	rm -f /bin/busybox.nosuid
	73	fi
	74	for suffix in "" ".nosuid" ".suid"; do
	75	if test -e /etc/busybox.links$suffix; then
	76	while read link; do
	77	if test ! -e "$link"; then
	78	# we can use busybox here because even if we are using splitted busybox
	79	# we've made a symlink from /bin/busybox to /bin/busybox.nosuid.
	80	busybox echo "#!/bin/busybox$suffix" > $link
	81	fi
	82	done < /etc/busybox.links$suffix
	83	fi
	84	done
	85	fi
	86	}
	87