Buildroot 2018-11 (#258)

* Update to buildroot 2018.11 * containerd update * runc update * runc docker engine * runc docker proxy * update rpi firmware * update network manager * update dhcpd * update wait on network * update rpi wifi * revert glibc
2018-11-26 11:04:01 +01:00
parent a9bbc7babe
commit 4411307353
3154 changed files with 41316 additions and 24203 deletions
--- a/buildroot/support/testing/tests/core/device_table2.txt
+++ b/buildroot/support/testing/tests/core/device_table2.txt
@@ -0,0 +1,7 @@
+# <name>				<type>	<mode>	<uid>	<gid>	<major>	<minor>	<start>	<inc>	<count>
+/usr/sbin/getcap                        f       755     0       0	-	-	-	-	-
+|xattr cap_sys_nice+eip
+# leading spaces are ignored for xattr
+  |xattr cap_kill+eip
+# leading tabs are ignored for xattr
+	|xattr cap_sys_time+eip
--- a/buildroot/support/testing/tests/core/squashfs-xattr-kernel.config
+++ b/buildroot/support/testing/tests/core/squashfs-xattr-kernel.config
@@ -0,0 +1 @@
+CONFIG_SQUASHFS_XATTR=y
--- a/buildroot/support/testing/tests/core/test_file_capabilities.py
+++ b/buildroot/support/testing/tests/core/test_file_capabilities.py
@@ -0,0 +1,47 @@
+import os
+import subprocess
+
+import infra.basetest
+
+
+class TestFileCapabilities(infra.basetest.BRTest):
+    config = \
+        """
+        BR2_arm=y
+        BR2_TOOLCHAIN_EXTERNAL=y
+        BR2_ROOTFS_DEVICE_TABLE="system/device_table.txt {}"
+        BR2_ROOTFS_DEVICE_TABLE_SUPPORTS_EXTENDED_ATTRIBUTES=y
+        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+        BR2_LINUX_KERNEL=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.11.3"
+        BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
+        BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="{}"
+        BR2_LINUX_KERNEL_DTS_SUPPORT=y
+        BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca9"
+        BR2_PACKAGE_LIBCAP=y
+        BR2_PACKAGE_LIBCAP_TOOLS=y
+        BR2_TARGET_ROOTFS_SQUASHFS=y
+        # BR2_TARGET_ROOTFS_TAR is not set
+        """.format(infra.filepath("tests/core/device_table2.txt"),
+                   infra.filepath("tests/core/squashfs-xattr-kernel.config"))
+
+    def test_run(self):
+        img = os.path.join(self.builddir, "images", "rootfs.squashfs")
+        subprocess.call(["truncate", "-s", "%1M", img])
+
+        self.emulator.boot(arch="armv7",
+                           kernel=os.path.join(self.builddir, "images", "zImage"),
+                           kernel_cmdline=["root=/dev/mmcblk0",
+                                           "rootfstype=squashfs"],
+                           options=["-drive", "file={},if=sd,format=raw".format(img),
+                                    "-M", "vexpress-a9",
+                                    "-dtb", os.path.join(self.builddir, "images", "vexpress-v2p-ca9.dtb")])
+        self.emulator.login()
+
+        cmd = "getcap -v /usr/sbin/getcap"
+        output, _ = self.emulator.run(cmd)
+        self.assertIn("cap_kill", output[0])
+        self.assertIn("cap_sys_nice", output[0])
+        self.assertIn("cap_sys_time", output[0])
+        self.assertIn("+eip", output[0])
--- a/buildroot/support/testing/tests/core/test_hardening.py
+++ b/buildroot/support/testing/tests/core/test_hardening.py
@@ -0,0 +1,110 @@
+import os
+import subprocess
+import json
+
+import infra.basetest
+
+
+class TestHardeningBase(infra.basetest.BRTest):
+    config = \
+        """
+        BR2_powerpc64=y
+        BR2_powerpc_e5500=y
+        BR2_TOOLCHAIN_EXTERNAL=y
+        BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
+        BR2_TOOLCHAIN_EXTERNAL_URL="https://toolchains.bootlin.com/downloads/releases/toolchains/powerpc64-e5500/tarballs/powerpc64-e5500--glibc--stable-2018.02-2.tar.bz2"
+        BR2_TOOLCHAIN_EXTERNAL_GCC_6=y
+        BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_1=y
+        BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC=y
+        BR2_TOOLCHAIN_EXTERNAL_CXX=y
+        BR2_PACKAGE_LIGHTTPD=y
+        BR2_PACKAGE_HOST_CHECKSEC=y
+        # BR2_TARGET_ROOTFS_TAR is not set
+        """
+
+    checksec_files = ["usr/sbin/lighttpd", "bin/busybox"]
+
+    def checksec_run(self, target_file):
+        filepath = os.path.join(self.builddir, "target", target_file)
+        cmd = ["host/bin/checksec", "--output", "json", "--file", filepath]
+        # Checksec is being used for elf file analysis only.  There are no
+        # assumptions of target/run-time checks as part of this testing.
+        ret = subprocess.check_output(cmd,
+                                      stderr=open(os.devnull, "w"),
+                                      cwd=self.builddir,
+                                      env={"LANG": "C"})
+        return json.loads(ret)
+
+
+class TestRelro(TestHardeningBase):
+    config = TestHardeningBase.config + \
+        """
+        BR2_RELRO_FULL=y
+        """
+
+    def test_run(self):
+        for f in self.checksec_files:
+            out = self.checksec_run(f)
+            self.assertEqual(out["file"]["relro"], "full")
+            self.assertEqual(out["file"]["pie"], "yes")
+
+
+class TestRelroPartial(TestHardeningBase):
+    config = TestHardeningBase.config + \
+        """
+        BR2_RELRO_PARTIAL=y
+        """
+
+    def test_run(self):
+        for f in self.checksec_files:
+            out = self.checksec_run(f)
+            self.assertEqual(out["file"]["relro"], "partial")
+            self.assertEqual(out["file"]["pie"], "no")
+
+
+class TestSspNone(TestHardeningBase):
+    config = TestHardeningBase.config + \
+        """
+        BR2_SSP_NONE=y
+        """
+
+    def test_run(self):
+        for f in self.checksec_files:
+            out = self.checksec_run(f)
+            self.assertEqual(out["file"]["canary"], "no")
+
+
+class TestSspStrong(TestHardeningBase):
+    config = TestHardeningBase.config + \
+        """
+        BR2_SSP_STRONG=y
+        """
+
+    def test_run(self):
+        for f in self.checksec_files:
+            out = self.checksec_run(f)
+            self.assertEqual(out["file"]["canary"], "yes")
+
+
+class TestFortifyNone(TestHardeningBase):
+    config = TestHardeningBase.config + \
+        """
+        BR2_FORTIFY_SOURCE_NONE=y
+        """
+
+    def test_run(self):
+        for f in self.checksec_files:
+            out = self.checksec_run(f)
+            self.assertEqual(out["file"]["fortified"], "0")
+
+
+class TestFortifyConserv(TestHardeningBase):
+    config = TestHardeningBase.config + \
+        """
+        BR2_FORTIFY_SOURCE_1=y
+        """
+
+    def test_run(self):
+        for f in self.checksec_files:
+            out = self.checksec_run(f)
+            self.assertNotEqual(out["file"]["fortified"], "0")
--- a/buildroot/support/testing/tests/core/test_post_scripts.py
+++ b/buildroot/support/testing/tests/core/test_post_scripts.py
@@ -41,8 +41,8 @@ class TestPostScripts(infra.basetest.BRTest):
                                 os.path.join(self.builddir, "target"),
                                 os.path.join(self.builddir, "target"))
        self.check_post_log_file("post-fakeroot.log",
-                                 os.path.join(self.builddir, "build/buildroot-fs/target"),
-                                 os.path.join(self.builddir, "build/buildroot-fs/target"))
+                                 os.path.join(self.builddir, "build/buildroot-fs/tar/target"),
+                                 os.path.join(self.builddir, "build/buildroot-fs/tar/target"))
        self.check_post_log_file("post-image.log",
                                 os.path.join(self.builddir, "images"),
                                 os.path.join(self.builddir, "target"))