* [ptxdist] [PATCH 1/2] libseccomp: new package
@ 2016-02-09 16:31 Clemens Gruber
From: Clemens Gruber @ 2016-02-09 16:31 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
rules/libseccomp.in | 13 ++++++++++++
rules/libseccomp.make | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+)
create mode 100644 rules/libseccomp.in
create mode 100644 rules/libseccomp.make
diff --git a/rules/libseccomp.in b/rules/libseccomp.in
new file mode 100644
index 0000000..ece48a2
--- /dev/null
+++ b/rules/libseccomp.in
@@ -0,0 +1,13 @@
+## SECTION=system_libraries
+
+config LIBSECCOMP
+ bool
+ prompt "libseccomp"
+ help
+ An Enhanced Seccomp (mode 2) Helper Library
+
+ The libseccomp library provides an easy to use, platform independent, interface
+ to the Linux Kernel's syscall filtering mechanism. The libseccomp API is
+ designed to abstract away the underlying BPF based syscall filter language and
+ present a more conventional function-call based filtering interface that should
+ be familiar to, and easily adopted by, application developers.
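Review bot: In the help text, the commas in "an easy to use, platform independent, interface" split the noun phrase; "an easy-to-use, platform-independent interface" reads cleanly. Also worth a second look: the entry carries no `depends on`, so the package is offered for every target architecture ptxdist knows; if libseccomp's own configure rejects some of them, gate the option on the architectures it actually builds for.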
diff --git a/rules/libseccomp.make b/rules/libseccomp.make
new file mode 100644
index 0000000..3ae5823
--- /dev/null
+++ b/rules/libseccomp.make
@@ -0,0 +1,56 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2016 by Clemens Gruber <clemens.gruber@pqgruber.com>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBSECCOMP) += libseccomp
+
+#
+# Paths and names
+#
+LIBSECCOMP_VERSION := 2.2.3
+LIBSECCOMP_MD5 := 7db418d35d7a6168400bf6b05502f8bf
+LIBSECCOMP := libseccomp-$(LIBSECCOMP_VERSION)
+LIBSECCOMP_SUFFIX := tar.gz
+LIBSECCOMP_URL := https://github.com/downloads/seccomp/libseccomp/$(LIBSECCOMP).$(LIBSECCOMP_SUFFIX)
+LIBSECCOMP_SOURCE := $(SRCDIR)/$(LIBSECCOMP).$(LIBSECCOMP_SUFFIX)
+LIBSECCOMP_DIR := $(BUILDDIR)/$(LIBSECCOMP)
+LIBSECCOMP_LICENSE := LGPL-2.1
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# autoconf
+#
+LIBSECCOMP_CONF_TOOL := autoconf
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libseccomp.targetinstall:
+ @$(call targetinfo)
+
+ @$(call install_init, libseccomp)
+ @$(call install_fixup, libseccomp, PRIORITY, optional)
+ @$(call install_fixup, libseccomp, SECTION, base)
+ @$(call install_fixup, libseccomp, AUTHOR, "Clemens Gruber <clemens.gruber@pqgruber.com>")
+ @$(call install_fixup, libseccomp, DESCRIPTION, missing)
+
+ @$(call install_lib, libseccomp, 0, 0, 0644, libseccomp)
+
+ @$(call install_finish, libseccomp)
+
+ @$(call touch)
+
+# vim: syntax=make
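Review bot: `LIBSECCOMP_URL` points at the `github.com/downloads/...` path, which is exactly the URL the maintainer reports as broken in his reply; the release tarball should be fetched from the project's GitHub releases download location instead (that path is not on this page, so check it against the upstream release page before applying). Two smaller points: `LIBSECCOMP_MD5` is a download-integrity check, not an authenticity check, so the hash should be taken from a tarball obtained over HTTPS from the upstream release rather than from whatever the first (broken) download returned; and `install_fixup ... DESCRIPTION, missing` could carry the one-line summary already given in `rules/libseccomp.in`.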
--
2.7.1
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
* [ptxdist] [PATCH 2/2] systemd: add option for seccomp support
@ 2016-02-09 16:31 ` Clemens Gruber
From: Clemens Gruber @ 2016-02-09 16:31 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
With seccomp support enabled, service files can limit the syscalls a
process is allowed to use through the SystemCallFilter option.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
rules/systemd.in | 8 ++++++++
rules/systemd.make | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/rules/systemd.in b/rules/systemd.in
index 979e32c..c58e424 100644
--- a/rules/systemd.in
+++ b/rules/systemd.in
@@ -17,6 +17,7 @@ menuconfig SYSTEMD
select MACHINE_ID if RUNTIME
select XZ if SYSTEMD_XZ
select LZ4 if SYSTEMD_LZ4
+ select LIBSECCOMP if SYSTEMD_SECCOMP
select LIBSELINUX if GLOBAL_SELINUX
# for udev:
select ROOTFS_DEV
@@ -94,5 +95,12 @@ config SYSTEMD_COREDUMP
help
Enable this only if you need to debug a crashing systemd service
+config SYSTEMD_SECCOMP
+ bool
+ prompt "enable seccomp filtering support"
+ help
+ Enable this if you want to use SystemCallFilter in service files
+
+
endif
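Review bot: Two blank `+` lines are inserted before `endif` where the neighbouring entries (see `SYSTEMD_COREDUMP` above) use one; drop one of them. The help text could also spell out the consequence implied by the commit message: with this option off, `SystemCallFilter=` lines in unit files are not enforced, so an image that relies on them for sandboxing needs this option on and a kernel built with seccomp filter support (`CONFIG_SECCOMP_FILTER`).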
diff --git a/rules/systemd.make b/rules/systemd.make
index b2edb3d..5c87023 100644
--- a/rules/systemd.make
+++ b/rules/systemd.make
@@ -73,7 +73,7 @@ SYSTEMD_CONF_OPT := \
--enable-kmod \
--disable-xkbcommon \
--enable-blkid \
- --disable-seccomp \
+ --$(call ptx/endis,PTXCONF_SYSTEMD_SECCOMP)-seccomp \
--disable-ima \
$(GLOBAL_SELINUX_OPTION) \
--disable-apparmor \
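Review bot: `--$(call ptx/endis,PTXCONF_SYSTEMD_SECCOMP)-seccomp` follows the existing ptxdist idiom for switchable configure flags and yields the previous `--disable-seccomp` whenever the new option is off, so existing configurations are unaffected; no change needed.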
--
2.7.1
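An added example, not part of Clemens' patches or of ptxdist itself: a small POSIX shell helper for a target built with `SYSTEMD_SECCOMP` on. It prints a drop-in that applies `SystemCallFilter` to a unit, and it reads the `Seccomp:` field of a `/proc/PID/status` file to confirm that the filter actually took effect (a process under a BPF filter reports mode 2, the "mode 2" the libseccomp help text refers to). The unit name `myd.service`, the syscall list and the temporary status file are constructed for the demonstration; `service_seccomp_mode` is only useful on a host running systemd.

```shell
#!/bin/sh
# Added example: helpers for checking that SystemCallFilter is enforced on a
# systemd target built with seccomp support. Not ptxdist or systemd code.

# seccomp_dropin UNIT SYSCALL...
# Print a drop-in for UNIT that allows only the listed syscalls. systemd kills
# the service with SIGSYS on any other syscall (SystemCallErrorNumber unset),
# so the list must contain everything the program really uses; systemd's own
# documentation names a few calls (execve, exit_group, rt_sigreturn, ...) that
# are always permitted. A leading "~" turns the list into a deny-list instead.
seccomp_dropin() {
    unit=$1
    shift
    printf '# /etc/systemd/system/%s.d/10-seccomp.conf\n' "$unit"
    printf '[Service]\n'
    printf 'SystemCallFilter=%s\n' "$*"
}

# seccomp_mode_from_status FILE
# Extract the "Seccomp:" field from a /proc/PID/status file:
#   0 = no filter, 1 = strict mode, 2 = BPF filter (what SystemCallFilter installs).
# Prints "absent" when the kernel does not expose the field (no CONFIG_SECCOMP).
seccomp_mode_from_status() {
    awk 'BEGIN { m = "absent" } /^Seccomp:/ { m = $2 } END { print m }' "$1"
}

# service_seccomp_mode UNIT
# Resolve the unit's main PID with systemctl and report its seccomp mode.
# Returns 1 when the unit has no main process.
service_seccomp_mode() {
    pid=$(systemctl show -p MainPID "$1" | cut -d= -f2)
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "no main PID for $1" >&2
        return 1
    fi
    seccomp_mode_from_status "/proc/$pid/status"
}

# Offline demonstration with a constructed status file (no systemd needed).
demo() {
    tmp=$(mktemp)
    printf 'Name:\tmyd\nPid:\t4242\nSeccomp:\t2\n' > "$tmp"
    seccomp_dropin myd.service read write close exit_group
    printf 'seccomp mode of constructed process: %s\n' "$(seccomp_mode_from_status "$tmp")"
    rm -f "$tmp"
}

demo
```

On a target, run `service_seccomp_mode myd.service` after `systemctl daemon-reload` and a restart of the unit: mode 2 confirms the filter is installed, while 0 on a unit that carries `SystemCallFilter=` means systemd was built without seccomp support or the kernel lacks filter support.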
* Re: [ptxdist] [PATCH 1/2] libseccomp: new package
@ 2016-02-11 11:32 ` Michael Olbrich
From: Michael Olbrich @ 2016-02-11 11:32 UTC (permalink / raw)
To: ptxdist
On Tue, Feb 09, 2016 at 05:31:13PM +0100, Clemens Gruber wrote:
> Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Thanks, applied.
Note: The URL was broken for me so I had to change it. Please check if it
still works for you.
Michael
> ---
> rules/libseccomp.in | 13 ++++++++++++
> rules/libseccomp.make | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 69 insertions(+)
> create mode 100644 rules/libseccomp.in
> create mode 100644 rules/libseccomp.make
>
> diff --git a/rules/libseccomp.in b/rules/libseccomp.in
> new file mode 100644
> index 0000000..ece48a2
> --- /dev/null
> +++ b/rules/libseccomp.in
> @@ -0,0 +1,13 @@
> +## SECTION=system_libraries
> +
> +config LIBSECCOMP
> + bool
> + prompt "libseccomp"
> + help
> + An Enhanced Seccomp (mode 2) Helper Library
> +
> + The libseccomp library provides an easy to use, platform independent, interface
> + to the Linux Kernel's syscall filtering mechanism. The libseccomp API is
> + designed to abstract away the underlying BPF based syscall filter language and
> + present a more conventional function-call based filtering interface that should
> + be familiar to, and easily adopted by, application developers.
> diff --git a/rules/libseccomp.make b/rules/libseccomp.make
> new file mode 100644
> index 0000000..3ae5823
> --- /dev/null
> +++ b/rules/libseccomp.make
> @@ -0,0 +1,56 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2016 by Clemens Gruber <clemens.gruber@pqgruber.com>
> +#
> +# See CREDITS for details about who has contributed to this project.
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBSECCOMP) += libseccomp
> +
> +#
> +# Paths and names
> +#
> +LIBSECCOMP_VERSION := 2.2.3
> +LIBSECCOMP_MD5 := 7db418d35d7a6168400bf6b05502f8bf
> +LIBSECCOMP := libseccomp-$(LIBSECCOMP_VERSION)
> +LIBSECCOMP_SUFFIX := tar.gz
> +LIBSECCOMP_URL := https://github.com/downloads/seccomp/libseccomp/$(LIBSECCOMP).$(LIBSECCOMP_SUFFIX)
> +LIBSECCOMP_SOURCE := $(SRCDIR)/$(LIBSECCOMP).$(LIBSECCOMP_SUFFIX)
> +LIBSECCOMP_DIR := $(BUILDDIR)/$(LIBSECCOMP)
> +LIBSECCOMP_LICENSE := LGPL-2.1
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# autoconf
> +#
> +LIBSECCOMP_CONF_TOOL := autoconf
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libseccomp.targetinstall:
> + @$(call targetinfo)
> +
> + @$(call install_init, libseccomp)
> + @$(call install_fixup, libseccomp, PRIORITY, optional)
> + @$(call install_fixup, libseccomp, SECTION, base)
> + @$(call install_fixup, libseccomp, AUTHOR, "Clemens Gruber <clemens.gruber@pqgruber.com>")
> + @$(call install_fixup, libseccomp, DESCRIPTION, missing)
> +
> + @$(call install_lib, libseccomp, 0, 0, 0644, libseccomp)
> +
> + @$(call install_finish, libseccomp)
> +
> + @$(call touch)
> +
> +# vim: syntax=make
> --
> 2.7.1
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
--
Pengutronix e.K.
Industrial Linux Solutions | http://www.pengutronix.de/
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555
* Re: [ptxdist] [PATCH 2/2] systemd: add option for seccomp support
@ 2016-02-11 11:33 ` Michael Olbrich
From: Michael Olbrich @ 2016-02-11 11:33 UTC (permalink / raw)
To: ptxdist
On Tue, Feb 09, 2016 at 05:31:14PM +0100, Clemens Gruber wrote:
> With seccomp support enabled, service files can limit the syscalls a
> process is allowed to use through the SystemCallFilter option.
>
> Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Thanks, applied.
Michael
> ---
> rules/systemd.in | 8 ++++++++
> rules/systemd.make | 2 +-
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/rules/systemd.in b/rules/systemd.in
> index 979e32c..c58e424 100644
> --- a/rules/systemd.in
> +++ b/rules/systemd.in
> @@ -17,6 +17,7 @@ menuconfig SYSTEMD
> select MACHINE_ID if RUNTIME
> select XZ if SYSTEMD_XZ
> select LZ4 if SYSTEMD_LZ4
> + select LIBSECCOMP if SYSTEMD_SECCOMP
> select LIBSELINUX if GLOBAL_SELINUX
> # for udev:
> select ROOTFS_DEV
> @@ -94,5 +95,12 @@ config SYSTEMD_COREDUMP
> help
> Enable this only if you need to debug a crashing systemd service
>
> +config SYSTEMD_SECCOMP
> + bool
> + prompt "enable seccomp filtering support"
> + help
> + Enable this if you want to use SystemCallFilter in service files
> +
> +
> endif
>
> diff --git a/rules/systemd.make b/rules/systemd.make
> index b2edb3d..5c87023 100644
> --- a/rules/systemd.make
> +++ b/rules/systemd.make
> @@ -73,7 +73,7 @@ SYSTEMD_CONF_OPT := \
> --enable-kmod \
> --disable-xkbcommon \
> --enable-blkid \
> - --disable-seccomp \
> + --$(call ptx/endis,PTXCONF_SYSTEMD_SECCOMP)-seccomp \
> --disable-ima \
> $(GLOBAL_SELINUX_OPTION) \
> --disable-apparmor \
> --
> 2.7.1
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
* Re: [ptxdist] [PATCH 1/2] libseccomp: new package
@ 2016-02-11 11:45 ` Clemens Gruber
From: Clemens Gruber @ 2016-02-11 11:45 UTC (permalink / raw)
To: ptxdist
Hi Michael,
On Thu, Feb 11, 2016 at 12:32:56PM +0100, Michael Olbrich wrote:
> On Tue, Feb 09, 2016 at 05:31:13PM +0100, Clemens Gruber wrote:
> > Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
>
> Thanks, applied.
>
> Note: The URL was broken for me so I had to change it. Please check if it
> still works for you.
Yes, it does also work for me with the new URL.
I'll double-check for patches in the future.
Clemens