[Buildroot] [PATCH 2/7] package/minijail: new package

Giulio Benetti giulio.benetti at benettiengineering.com
Fri Dec 10 14:48:19 UTC 2021


Hi José,

On 10/12/21 15:12, José Pekkarinen wrote:
> This patch adds a new package for minijail.

Reword "This patch add package minijail"

> Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
> ---
>   DEVELOPERS                                    |  1 +
>   package/Config.in                             |  1 +
>   package/minijail/0001-Fix-prlimit-call.patch  | 29 ++++++++++++++++++
>   package/minijail/0002-Fix-static-assert.patch | 30 +++++++++++++++++++
>   package/minijail/Config.in                    | 12 ++++++++
>   package/minijail/minijail.hash                |  5 ++++
>   package/minijail/minijail.mk                  | 28 +++++++++++++++++
>   7 files changed, 106 insertions(+)
>   create mode 100644 package/minijail/0001-Fix-prlimit-call.patch
>   create mode 100644 package/minijail/0002-Fix-static-assert.patch
>   create mode 100644 package/minijail/Config.in
>   create mode 100644 package/minijail/minijail.hash
>   create mode 100644 package/minijail/minijail.mk
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 854f6f2084..65448a74c8 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -1464,6 +1464,7 @@ F:	package/zfs/
>   F:	support/testing/tests/package/test_zfs.py
>   
>   N:	José Pekkarinen <jose.pekkarinen at unikie.com>
> +F:	package/minijail/
>   F:	package/opensc/
>   F:	package/softhsm2/
>   
> diff --git a/package/Config.in b/package/Config.in
> index b5907d7fa3..aac8172fc4 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2516,6 +2516,7 @@ menu "System tools"
>   	source "package/mender/Config.in"
>   	source "package/mender-grubenv/Config.in"
>   	source "package/mfoc/Config.in"
> +	source "package/minijail/Config.in"
>   	source "package/monit/Config.in"
>   	source "package/multipath-tools/Config.in"
>   	source "package/ncdu/Config.in"
> diff --git a/package/minijail/0001-Fix-prlimit-call.patch b/package/minijail/0001-Fix-prlimit-call.patch
> new file mode 100644
> index 0000000000..9f6902ed43
> --- /dev/null
> +++ b/package/minijail/0001-Fix-prlimit-call.patch
> @@ -0,0 +1,29 @@
> +From 09348f06104bf8101a24a0bce235a75a214e1380 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Jos=C3=A9=20Pekkarinen?= <jose.pekkarinen at unikie.com>
> +Date: Fri, 10 Dec 2021 14:20:30 +0200
> +Subject: [PATCH] Fix prlimit call
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +

Add a commit log

> +Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
> +---
> + libminijail.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/libminijail.c b/libminijail.c
> +index b935dfd..45f133e 100644
> +--- a/libminijail.c
> ++++ b/libminijail.c
> +@@ -1908,7 +1908,7 @@ static void set_rlimits_or_die(const struct minijail *j)
> + 		struct rlimit limit;
> + 		limit.rlim_cur = j->rlimits[i].cur;
> + 		limit.rlim_max = j->rlimits[i].max;
> +-		if (prlimit(j->initpid, j->rlimits[i].type, &limit, NULL))
> ++		if (setrlimit(j->rlimits[i].type, &limit))
> + 			kill_child_and_die(j, "failed to set rlimit");
> + 	}
> + }
> +--
> +2.30.2
> +
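Review bot: Replacing `prlimit(j->initpid, ...)` with `setrlimit(j->rlimits[i].type, &limit)` on the changed line changes which process receives the limit: setrlimit() acts on the calling process, whereas the original call targets the child at `j->initpid` from a function that still calls kill_child_and_die on failure, so the sandboxed process would run without its configured rlimits and the jailer itself would get them instead. If the motivation is a C library that lacks a prlimit() wrapper, a Linux fallback such as `syscall(SYS_prlimit64, j->initpid, j->rlimits[i].type, &limit, NULL)` under a feature check keeps the original semantics. The patch description should state that motivation so the semantic difference is not lost on the next reader. set_rlimits_or_die's body starts before the hunk.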
> diff --git a/package/minijail/0002-Fix-static-assert.patch b/package/minijail/0002-Fix-static-assert.patch
> new file mode 100644
> index 0000000000..48139e8baa
> --- /dev/null
> +++ b/package/minijail/0002-Fix-static-assert.patch
> @@ -0,0 +1,30 @@
> +From b5d91b793942747e5126e75abca2eebad60ab478 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Jos=C3=A9=20Pekkarinen?= <jose.pekkarinen at unikie.com>
> +Date: Fri, 10 Dec 2021 14:21:38 +0200
> +Subject: [PATCH] Fix static assert
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +

Ditto

> +Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
> +---
> + libminijail.c | 3 ---
> + 1 file changed, 3 deletions(-)
> +
> +diff --git a/libminijail.c b/libminijail.c
> +index 45f133e..8323742 100644
> +--- a/libminijail.c
> ++++ b/libminijail.c
> +@@ -2620,9 +2620,6 @@ static int fd_is_open(int fd)
> + 	return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
> + }
> +
> +-static_assert(FD_SETSIZE >= MAX_PRESERVED_FDS * 2 - 1,
> +-	      "If true, ensure_no_fd_conflict will always find an unused fd.");
> +-
> + /* If parent_fd will be used by a child fd, move it to an unused fd. */
> + static int ensure_no_fd_conflict(const fd_set *child_fds,
> + 				 int child_fd, int *parent_fd)
> +--
> +2.30.2
> +
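Review bot: Deleting the static_assert at the two removed lines silences a compile error but discards the invariant it documents, namely that FD_SETSIZE is large enough for ensure_no_fd_conflict (declared just below) to always find a free descriptor; if the target libc really has a smaller FD_SETSIZE, that guarantee is now silently broken at runtime instead of being diagnosed at build time. If the failure is only that the `static_assert` macro is not provided by the toolchain's <assert.h>, the C11 keyword form `_Static_assert(FD_SETSIZE >= MAX_PRESERVED_FDS * 2 - 1, "If true, ensure_no_fd_conflict will always find an unused fd.");` keeps the check; if the condition genuinely fails on the target, lowering MAX_PRESERVED_FDS or adding a runtime check in ensure_no_fd_conflict is the fix. The patch description should say which case applies. The functions around the removed lines start and end outside the hunk.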
> diff --git a/package/minijail/Config.in b/package/minijail/Config.in
> new file mode 100644
> index 0000000000..02868ef09c
> --- /dev/null
> +++ b/package/minijail/Config.in
> @@ -0,0 +1,12 @@
> +config BR2_PACKAGE_MINIJAIL
> +	bool "minijail"
> +	depends on !BR2_STATIC_LIBS # dlopen()
> +	select BR2_PACKAGE_HOST_LIBCAP
> +	select BR2_PACKAGE_LIBCAP
> +	help
> +	  Minijail is a sandboxing tool maintained by google.
> +
> +	  https://google.github.io/minijail/
> +
> +comment "minijail needs a toolchain with dynamic library support"
> +	depends on BR2_STATIC_LIBS
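Review bot: `select BR2_PACKAGE_HOST_LIBCAP` on the third line of the file looks like a no-op unless that symbol is actually defined in Buildroot's Kconfig; host-side build dependencies are normally expressed only through `_DEPENDENCIES` in the .mk, which already lists host-libcap, so the select can probably be dropped. In the help text "google" should be capitalised as "Google", and one sentence on what the tool does (e.g. `Minijail is a sandboxing and containment tool used in ChromeOS and Android.`) would help users deciding whether to enable it.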
> diff --git a/package/minijail/minijail.hash b/package/minijail/minijail.hash
> new file mode 100644
> index 0000000000..227a77fcf5
> --- /dev/null
> +++ b/package/minijail/minijail.hash
> @@ -0,0 +1,5 @@
> +# From https://github.com/google/minijail/releases/

Point to the sha256 file

> +sha256  1ee5a5916491a32c121c7422b4d8c16481c0396a3acab34bf1c44589dcf810ae  linux-v17.tar.gz
> +
> +# Locally computed
> +sha256  c6f439c5cf07263f71f01d29b79c79172ee529088e51ab434b22baad0988fe57  LICENSE
> diff --git a/package/minijail/minijail.mk b/package/minijail/minijail.mk
> new file mode 100644
> index 0000000000..bc72421b0c
> --- /dev/null
> +++ b/package/minijail/minijail.mk
> @@ -0,0 +1,28 @@
> +################################################################################
> +#
> +# minijail
> +#
> +################################################################################
> +
> +MINIJAIL_VERSION = linux-v17
> +MINIJAIL_SOURCE = $(MINIJAIL_VERSION).tar.gz
> +MINIJAIL_SITE = "https://github.com/google/minijail/archive/refs/tags"

Please use github wrapper ^^^

> +MINIJAIL_LICENSE = BSD-Style
> +MINIJAIL_LICENSE_FILES = LICENSE
> +MINIJAIL_DEPENDENCIES=libcap host-libcap
> +
> +define MINIJAIL_BUILD_CMDS
> +	(cd $(@D); \
> +	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)/$(d) CC="$(TARGET_CC)")
> +endef
> +
> +define MINIJAIL_INSTALL_TARGET_CMDS
> +	$(INSTALL) -m 0755 -D $(@D)/minijail0 \
> +		$(TARGET_DIR)/usr/bin/minijail0
> +	$(INSTALL) -m 0755 -D $(@D)/libminijailpreload.so \
> +		$(TARGET_DIR)/lib/libminijailpreload.so
> +	$(INSTALL) -m 0755 -D $(@D)/libminijail.so \
> +		$(TARGET_DIR)/lib/libminijail.so
> +endef
> +
> +$(eval $(generic-package))
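Review bot: The `MINIJAIL_BUILD_CMDS` recipe references `$(d)`, which is not defined anywhere in this file and so expands to nothing, and the leading `cd $(@D)` is redundant with `-C`; `$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(TARGET_CONFIGURE_OPTS)` builds the same tree while also passing the cross AR/LD/CFLAGS instead of only CC. `MINIJAIL_LICENSE = BSD-Style` should be the SPDX identifier matching the LICENSE file (BSD-3-Clause, if it is the usual Chromium one), and `MINIJAIL_DEPENDENCIES=libcap host-libcap` is missing the spaces around `=` used on the other assignments. Since libminijail.so is a shared library other packages may link against, consider `MINIJAIL_INSTALL_STAGING = YES` with an `_INSTALL_STAGING_CMDS` that also installs the libminijail.h header, so consumers can build against it.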
> 

Best regards
-- 
Giulio Benetti
Benetti Engineering sas


