[Buildroot] [PATCH 2/3] package/minijail: new package

José Pekkarinen jose.pekkarinen at unikie.com
Fri Dec 3 08:37:06 UTC 2021 

This patch adds a new package for minijail.

Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
---
 DEVELOPERS                                    |  1 +
 package/Config.in                             |  1 +
 package/minijail/0001-fix-prlimit-call.patch  | 17 +++++++++++
 .../minijail/0002-fix-static-asserts.patch    | 18 ++++++++++++
 package/minijail/Config.in                    | 12 ++++++++
 package/minijail/minijail.hash                |  5 ++++
 package/minijail/minijail.mk                  | 28 +++++++++++++++++++
 7 files changed, 82 insertions(+)
 create mode 100644 package/minijail/0001-fix-prlimit-call.patch
 create mode 100644 package/minijail/0002-fix-static-asserts.patch
 create mode 100644 package/minijail/Config.in
 create mode 100644 package/minijail/minijail.hash
 create mode 100644 package/minijail/minijail.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index d92c38f07d..fbe316e52a 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1456,6 +1456,7 @@ F:	support/testing/tests/package/test_zfs.py
 N:	José Pekkarinen <jose.pekkarinen at unikie.com>
 F:	package/softhsm2/
 F:	package/opensc/
+F:	package/minijail/
 
 N:	Joseph Kogut <joseph.kogut at gmail.com>
 F:	package/at-spi2-atk/
diff --git a/package/Config.in b/package/Config.in
index 3cfcf372f3..7dd4c17d7d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2558,6 +2558,7 @@ menu "System tools"
 	source "package/xdg-dbus-proxy/Config.in"
 	source "package/xen/Config.in"
 	source "package/xvisor/Config.in"
+	source "package/minijail/Config.in"
 endmenu
 
 menu "Text editors and viewers"
diff --git a/package/minijail/0001-fix-prlimit-call.patch b/package/minijail/0001-fix-prlimit-call.patch
new file mode 100644
index 0000000000..d7d779b7ce
--- /dev/null
+++ b/package/minijail/0001-fix-prlimit-call.patch
@@ -0,0 +1,17 @@
+
+Substitute prlimit calls with setrlimit
+
+Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
+Index: minijail-linux-v17/libminijail.c
+===================================================================
+--- minijail-linux-v17.orig/libminijail.c
++++ minijail-linux-v17/libminijail.c
+@@ -1908,7 +1908,7 @@ static void set_rlimits_or_die(const str
+ 		struct rlimit limit;
+ 		limit.rlim_cur = j->rlimits[i].cur;
+ 		limit.rlim_max = j->rlimits[i].max;
+-		if (prlimit(j->initpid, j->rlimits[i].type, &limit, NULL))
++		if (setrlimit(j->rlimits[i].type, &limit))
+ 			kill_child_and_die(j, "failed to set rlimit");
+ 	}
+ }
diff --git a/package/minijail/0002-fix-static-asserts.patch b/package/minijail/0002-fix-static-asserts.patch
new file mode 100644
index 0000000000..22e0bbe5fe
--- /dev/null
+++ b/package/minijail/0002-fix-static-asserts.patch
@@ -0,0 +1,18 @@
+
+Remove redundant static assert
+
+Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
+Index: minijail-linux-v17/libminijail.c
+===================================================================
+--- minijail-linux-v17.orig/libminijail.c
++++ minijail-linux-v17/libminijail.c
+@@ -2620,9 +2620,6 @@ static int fd_is_open(int fd)
+ 	return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
+ }
+ 
+-static_assert(FD_SETSIZE >= MAX_PRESERVED_FDS * 2 - 1,
+-	      "If true, ensure_no_fd_conflict will always find an unused fd.");
+-
+ /* If parent_fd will be used by a child fd, move it to an unused fd. */
+ static int ensure_no_fd_conflict(const fd_set *child_fds,
+ 				 int child_fd, int *parent_fd)
diff --git a/package/minijail/Config.in b/package/minijail/Config.in
new file mode 100644
index 0000000000..02868ef09c
--- /dev/null
+++ b/package/minijail/Config.in
@@ -0,0 +1,12 @@
+config BR2_PACKAGE_MINIJAIL
+	bool "minijail"
+	depends on !BR2_STATIC_LIBS # dlopen()
+	select BR2_PACKAGE_HOST_LIBCAP
+	select BR2_PACKAGE_LIBCAP
+	help
+	  Minijail is a sandboxing tool maintained by google.
+
+	  https://google.github.io/minijail/
+
+comment "minijail needs a toolchain with dynamic library support"
+	depends on BR2_STATIC_LIBS
diff --git a/package/minijail/minijail.hash b/package/minijail/minijail.hash
new file mode 100644
index 0000000000..227a77fcf5
--- /dev/null
+++ b/package/minijail/minijail.hash
@@ -0,0 +1,5 @@
+# From https://github.com/google/minijail/releases/
+sha256  1ee5a5916491a32c121c7422b4d8c16481c0396a3acab34bf1c44589dcf810ae  linux-v17.tar.gz
+
+# Locally computed
+sha256  c6f439c5cf07263f71f01d29b79c79172ee529088e51ab434b22baad0988fe57  LICENSE
diff --git a/package/minijail/minijail.mk b/package/minijail/minijail.mk
new file mode 100644
index 0000000000..bc72421b0c
--- /dev/null
+++ b/package/minijail/minijail.mk
@@ -0,0 +1,28 @@
+################################################################################
+#
+# minijail
+#
+################################################################################
+
+MINIJAIL_VERSION = linux-v17
+MINIJAIL_SOURCE = $(MINIJAIL_VERSION).tar.gz
+MINIJAIL_SITE = "https://github.com/google/minijail/archive/refs/tags"
+MINIJAIL_LICENSE = BSD-Style
+MINIJAIL_LICENSE_FILES = LICENSE
+MINIJAIL_DEPENDENCIES=libcap host-libcap
+
+define MINIJAIL_BUILD_CMDS
+	(cd $(@D); \
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)/$(d) CC="$(TARGET_CC)")
+endef
+
+define MINIJAIL_INSTALL_TARGET_CMDS
+	$(INSTALL) -m 0755 -D $(@D)/minijail0 \
+		$(TARGET_DIR)/usr/bin/minijail0
+	$(INSTALL) -m 0755 -D $(@D)/libminijailpreload.so \
+		$(TARGET_DIR)/lib/libminijailpreload.so
+	$(INSTALL) -m 0755 -D $(@D)/libminijail.so \
+		$(TARGET_DIR)/lib/libminijail.so
+endef
+
+$(eval $(generic-package))
-- 
2.30.2

More information about the buildroot mailing list