[Buildroot] [PATCH 2/3] package/minijail: new package
José Pekkarinen
jose.pekkarinen at unikie.com
Fri Dec 3 08:37:06 UTC 2021
This patch adds a new package for minijail.
Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
---
DEVELOPERS | 1 +
package/Config.in | 1 +
package/minijail/0001-fix-prlimit-call.patch | 17 +++++++++++
.../minijail/0002-fix-static-asserts.patch | 18 ++++++++++++
package/minijail/Config.in | 12 ++++++++
package/minijail/minijail.hash | 5 ++++
package/minijail/minijail.mk | 28 +++++++++++++++++++
7 files changed, 82 insertions(+)
create mode 100644 package/minijail/0001-fix-prlimit-call.patch
create mode 100644 package/minijail/0002-fix-static-asserts.patch
create mode 100644 package/minijail/Config.in
create mode 100644 package/minijail/minijail.hash
create mode 100644 package/minijail/minijail.mk
diff --git a/DEVELOPERS b/DEVELOPERS
index d92c38f07d..fbe316e52a 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1456,6 +1456,7 @@ F: support/testing/tests/package/test_zfs.py
N: José Pekkarinen <jose.pekkarinen at unikie.com>
F: package/softhsm2/
F: package/opensc/
+F: package/minijail/
N: Joseph Kogut <joseph.kogut at gmail.com>
F: package/at-spi2-atk/
diff --git a/package/Config.in b/package/Config.in
index 3cfcf372f3..7dd4c17d7d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2558,6 +2558,7 @@ menu "System tools"
source "package/xdg-dbus-proxy/Config.in"
source "package/xen/Config.in"
source "package/xvisor/Config.in"
+ source "package/minijail/Config.in"
endmenu
menu "Text editors and viewers"
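Review bot: The new `source "package/minijail/Config.in"` line is appended after xvisor at the end of the "System tools" menu, while the neighbouring entries visible here (xdg-dbus-proxy, xen, xvisor) are in alphabetical order. It should be moved to its alphabetical position earlier in the menu, which is outside this hunk.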
diff --git a/package/minijail/0001-fix-prlimit-call.patch b/package/minijail/0001-fix-prlimit-call.patch
new file mode 100644
index 0000000000..d7d779b7ce
--- /dev/null
+++ b/package/minijail/0001-fix-prlimit-call.patch
@@ -0,0 +1,17 @@
+
+Substitute prlimit calls with setrlimit
+
+Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
+Index: minijail-linux-v17/libminijail.c
+===================================================================
+--- minijail-linux-v17.orig/libminijail.c
++++ minijail-linux-v17/libminijail.c
+@@ -1908,7 +1908,7 @@ static void set_rlimits_or_die(const str
+ struct rlimit limit;
+ limit.rlim_cur = j->rlimits[i].cur;
+ limit.rlim_max = j->rlimits[i].max;
+- if (prlimit(j->initpid, j->rlimits[i].type, &limit, NULL))
++ if (setrlimit(j->rlimits[i].type, &limit))
+ kill_child_and_die(j, "failed to set rlimit");
+ }
+ }
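Review bot: Replacing `prlimit(j->initpid, ...)` with `setrlimit(...)` changes which process is limited: prlimit acts on the pid it is given (`j->initpid`), while setrlimit always acts on the caller. The failure path calls `kill_child_and_die`, which suggests this loop runs in the parent once the child exists; if so, the configured rlimits would land on the launcher and never reach the jailed process, silently weakening the sandbox. I would keep `if (prlimit(j->initpid, j->rlimits[i].type, &limit, NULL))` and restrict the package to toolchains that provide prlimit, or at least state in the patch header which toolchain fails and why the substitution is equivalent. set_rlimits_or_die starts outside the hunk, so the call site should be confirmed against the full source.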
diff --git a/package/minijail/0002-fix-static-asserts.patch b/package/minijail/0002-fix-static-asserts.patch
new file mode 100644
index 0000000000..22e0bbe5fe
--- /dev/null
+++ b/package/minijail/0002-fix-static-asserts.patch
@@ -0,0 +1,18 @@
+
+Remove redundant static assert
+
+Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
+Index: minijail-linux-v17/libminijail.c
+===================================================================
+--- minijail-linux-v17.orig/libminijail.c
++++ minijail-linux-v17/libminijail.c
+@@ -2620,9 +2620,6 @@ static int fd_is_open(int fd)
+ return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
+ }
+
+-static_assert(FD_SETSIZE >= MAX_PRESERVED_FDS * 2 - 1,
+- "If true, ensure_no_fd_conflict will always find an unused fd.");
+-
+ /* If parent_fd will be used by a child fd, move it to an unused fd. */
+ static int ensure_no_fd_conflict(const fd_set *child_fds,
+ int child_fd, int *parent_fd)
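Review bot: The removed `static_assert` is described as redundant, but its own message says it is what guarantees ensure_no_fd_conflict always finds an unused fd, and nothing visible here replaces that guarantee. If the motive is a toolchain where `static_assert` is unavailable (the patch header does not say), spelling it `_Static_assert(FD_SETSIZE >= MAX_PRESERVED_FDS * 2 - 1, "...")` or including `<assert.h>` keeps the compile-time check instead of dropping it. The patch description should record the actual build error so the patch can later be upstreamed or dropped. The body of ensure_no_fd_conflict lies outside the hunk.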
diff --git a/package/minijail/Config.in b/package/minijail/Config.in
new file mode 100644
index 0000000000..02868ef09c
--- /dev/null
+++ b/package/minijail/Config.in
@@ -0,0 +1,12 @@
+config BR2_PACKAGE_MINIJAIL
+ bool "minijail"
+ depends on !BR2_STATIC_LIBS # dlopen()
+ select BR2_PACKAGE_HOST_LIBCAP
+ select BR2_PACKAGE_LIBCAP
+ help
+ Minijail is a sandboxing tool maintained by google.
+
+ https://google.github.io/minijail/
+
+comment "minijail needs a toolchain with dynamic library support"
+ depends on BR2_STATIC_LIBS
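Review bot: `select BR2_PACKAGE_HOST_LIBCAP` refers to a symbol whose definition is not visible on this page; if no such Kconfig symbol exists the select is a silent no-op, and the host build dependency is already expressed by `host-libcap` in MINIJAIL_DEPENDENCIES. I would drop that line and keep only `select BR2_PACKAGE_LIBCAP`. Because select does not pull in the dependencies of the selected symbol, any `depends on` lines that libcap itself carries should be repeated here and in the comment block.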
diff --git a/package/minijail/minijail.hash b/package/minijail/minijail.hash
new file mode 100644
index 0000000000..227a77fcf5
--- /dev/null
+++ b/package/minijail/minijail.hash
@@ -0,0 +1,5 @@
+# From https://github.com/google/minijail/releases/
+sha256 1ee5a5916491a32c121c7422b4d8c16481c0396a3acab34bf1c44589dcf810ae linux-v17.tar.gz
+
+# Locally computed
+sha256 c6f439c5cf07263f71f01d29b79c79172ee529088e51ab434b22baad0988fe57 LICENSE
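Review bot: The comment `# From https://github.com/google/minijail/releases/` implies the tarball checksum was published upstream, while the archive itself is fetched from the `archive/refs/tags` URL in minijail.mk. If the sha256 was computed on the downloaded file rather than copied from an upstream-published checksum, mark it `# Locally computed` like the LICENSE entry, so a reader does not assume upstream attests to this value.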
diff --git a/package/minijail/minijail.mk b/package/minijail/minijail.mk
new file mode 100644
index 0000000000..bc72421b0c
--- /dev/null
+++ b/package/minijail/minijail.mk
@@ -0,0 +1,28 @@
+################################################################################
+#
+# minijail
+#
+################################################################################
+
+MINIJAIL_VERSION = linux-v17
+MINIJAIL_SOURCE = $(MINIJAIL_VERSION).tar.gz
+MINIJAIL_SITE = "https://github.com/google/minijail/archive/refs/tags"
+MINIJAIL_LICENSE = BSD-Style
+MINIJAIL_LICENSE_FILES = LICENSE
+MINIJAIL_DEPENDENCIES=libcap host-libcap
+
+define MINIJAIL_BUILD_CMDS
+ (cd $(@D); \
+ $(TARGET_MAKE_ENV) $(MAKE) -C $(@D)/$(d) CC="$(TARGET_CC)")
+endef
+
+define MINIJAIL_INSTALL_TARGET_CMDS
+ $(INSTALL) -m 0755 -D $(@D)/minijail0 \
+ $(TARGET_DIR)/usr/bin/minijail0
+ $(INSTALL) -m 0755 -D $(@D)/libminijailpreload.so \
+ $(TARGET_DIR)/lib/libminijailpreload.so
+ $(INSTALL) -m 0755 -D $(@D)/libminijail.so \
+ $(TARGET_DIR)/lib/libminijail.so
+endef
+
+$(eval $(generic-package))
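Review bot: In MINIJAIL_BUILD_CMDS, `$(d)` is not defined anywhere in this file, so `-C $(@D)/$(d)` presumably expands to `-C $(@D)/`, and the surrounding `cd $(@D)` subshell is then redundant. Only `CC` is passed to the upstream Makefile, so the remaining cross-toolchain settings (AR, LD, CFLAGS, LDFLAGS) may fall back to upstream or host defaults; the usual form is `$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D)`. Separately, `MINIJAIL_LICENSE = BSD-Style` would be better as the SPDX identifier that matches the LICENSE file, and MINIJAIL_SITE does not need quotes.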
--
2.30.2