
add support for permission fixups when using genimage

Add the suid bit to Xorg as an example. Create
simple *.perm files with relative paths to
the files. You can use any command available on
the host (e.g. chmod/chown).
Waldemar Brodkorb vor 7 Jahren
Commit
cc2f3ef0e4

+ 16 - 1
mk/image.mk

@@ -1,6 +1,12 @@
 # This file is part of the OpenADK project. OpenADK is copyrighted
 # material, please see the LICENCE file in the top-level directory.
 
+ifeq ($(ADK_RUNTIME_FIX_PERMISSION),y)
+FAKEROOT:=$(STAGING_HOST_DIR)/usr/bin/fakeroot --
+else
+FAKEROOT:=
+endif
+
 ifeq ($(ADK_TARGET_OS_LINUX),y)
 # relative paths, like 'mksh' or '../usr/bin/foosh'
 ifeq (${ADK_BINSH_ASH},y)
@@ -276,7 +282,16 @@ ${FW_DIR}/${GENIMAGE}: ${TARGET_DIR} kernel-package
 	@mkdir -p ${FW_DIR}/temp
 	@$(CP) $(KERNEL) $(FW_DIR)/kernel
 	@dd if=/dev/zero of=${FW_DIR}/cfgfs.img bs=16384 count=1 $(MAKE_TRACE)
-	PATH='${HOST_PATH}' mke2img \
+ifeq ($(ADK_RUNTIME_FIX_PERMISSION),y)
+	echo '#!/bin/sh' > $(ADK_TOPDIR)/scripts/fakeroot.sh
+	echo "chown -R 0:0 $(TARGET_DIR)" >> $(ADK_TOPDIR)/scripts/fakeroot.sh
+	echo 'cd $(TARGET_DIR)' >> $(ADK_TOPDIR)/scripts/fakeroot.sh
+	-@cat $(STAGING_TARGET_DIR)/scripts/permissions.sh >> $(ADK_TOPDIR)/scripts/fakeroot.sh 2>/dev/null
+	chmod 755 $(ADK_TOPDIR)/scripts/fakeroot.sh
+	PATH='$(HOST_PATH)' $(FAKEROOT) $(ADK_TOPDIR)/scripts/fakeroot.sh
+	rm $(ADK_TOPDIR)/scripts/fakeroot.sh $(STAGING_TARGET_DIR)/scripts/permissions.sh
+endif
+	PATH='${HOST_PATH}' $(FAKEROOT) mke2img \
 		-G 4 \
 		-d "$(TARGET_DIR)" \
 		-o $(FW_DIR)/rootfs.ext $(MAKE_TRACE)
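Review bot: The ownership fix-ups run in one fakeroot session (the `$(FAKEROOT) $(ADK_TOPDIR)/scripts/fakeroot.sh` line) while the image is built in a second one (`$(FAKEROOT) mke2img`), and fakeroot only keeps faked ownership for the lifetime of a session unless its state is saved with `-s` and reloaded with `-i`. As far as the hunk shows, `chmod` mode bits should survive because they land on the real files, but a `chown` to a non-root owner from a *.perm file would be lost before mke2img reads the tree; run both steps in one session or pass a shared state file. The generated script also has no error handling, so if `cd $(TARGET_DIR)` fails, the relative-path commands from permissions.sh run in whatever directory the recipe started in; emitting `echo 'cd "$(TARGET_DIR)" || exit 1' >> $(ADK_TOPDIR)/scripts/fakeroot.sh` instead would stop that. The `rm` on the last added recipe line has no `-f`, so the recipe fails when no package shipped a *.perm file and permissions.sh was never created. The recipe continues past the end of the hunk.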

+ 3 - 0
mk/package.mk

@@ -230,6 +230,9 @@ endif
 endif
 	@mkdir -p $${PACKAGE_DIR} '$${STAGING_PKG_DIR}/stamps' \
 	    '$${STAGING_TARGET_DIR}/scripts'
+	@for file in $$$$(ls ./files/*.perm 2>/dev/null); do \
+		cat $$$$file >> $${STAGING_TARGET_DIR}/scripts/permissions.sh; \
+	done
 ifeq (,$(filter noremove,$(7)))
 	@if test -s '$${STAGING_PKG_DIR}/$(1)'; then \
 		cd '$${STAGING_TARGET_DIR}'; \
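Review bot: The added loop only ever appends to `$${STAGING_TARGET_DIR}/scripts/permissions.sh`, and the only place on this page that removes the file is the genimage recipe in mk/image.mk when ADK_RUNTIME_FIX_PERMISSION is set. With the option off, or presumably with another image type, the file keeps growing across rebuilds and keeps fragments from packages that were later deselected, so a stale `chmod u+s` line could be replayed into a later image. Consider writing one fragment per package (keyed the same way as the `$${STAGING_PKG_DIR}/$(1)` file used just below) and concatenating them at image time, or skipping the loop when the option is disabled. Iterating over the glob directly, `for file in ./files/*.perm; do if [ -f "$$$$file" ]; then cat "$$$$file" >> ...; fi; done`, would also avoid parsing `ls` output. The enclosing template starts and ends outside the hunk.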

+ 1 - 0
package/fakeroot/Makefile

@@ -10,6 +10,7 @@ PKG_HASH:=		7c0a164d19db3efa9e802e0fc7cdfeff70ec6d26cdbdc4338c9c2823c5ea230c
 PKG_DESCR:=		fake root permissions
 PKG_SECTION:=		sys/utils
 PKG_SITES:=		http://http.debian.net/debian/pool/main/f/fakeroot/
+HOST_BUILDDEP:=		libcap-host
 
 PKG_CFLINE_FAKEROOT:=	depends on ADK_HOST_ONLY
 

+ 17 - 4
package/libcap/Makefile

@@ -4,18 +4,22 @@
 include $(ADK_TOPDIR)/rules.mk
 
 PKG_NAME:=		libcap
-PKG_VERSION:=		2.24
+PKG_VERSION:=		2.25
 PKG_RELEASE:=		1
-PKG_HASH:=		cee4568f78dc851d726fc93f25f4ed91cc223b1fe8259daa4a77158d174e6c65
+PKG_HASH:=		693c8ac51e983ee678205571ef272439d83afe62dd8e424ea14ad9790bc35162
 PKG_DESCR:=		capabilities library
 PKG_SECTION:=		libs/misc
 PKG_URL:=		http://www.friedhoff.org/posixfilecaps.html
 PKG_SITES:=		https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/
 PKG_OPTS:=		dev
 
+include $(ADK_TOPDIR)/mk/host.mk
 include $(ADK_TOPDIR)/mk/package.mk
 
-$(eval $(call PKG_template,LIBCAP,libcap,$(PKG_VERSION)-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION},${PKG_OPTS}))
+$(eval $(call HOST_template,LIBCAP,libcap,$(PKG_VERSION)-$(PKG_RELEASE)))
+$(eval $(call PKG_template,LIBCAP,libcap,$(PKG_VERSION)-$(PKG_RELEASE),$(PKG_DEPENDS),$(PKG_DESCR),$(PKG_SECTION),$(PKG_OPTS)))
+
+HOST_STYLE:=		manual
 
 # for Darwin hosts
 CPPFLAGS_FOR_BUILD+=	-I$(STAGING_TARGET_DIR)/usr/include
@@ -29,9 +33,18 @@ ALL_TARGET:=		shared progs
 INSTALL_TARGET:=	install-shared
 endif
 
+host-build:
+	(cd ${WRKBUILD} && env ${HOST_MAKE_ENV} ${MAKE} -f ${MAKE_FILE} \
+		${HOST_MAKE_FLAGS} ${HOST_ALL_TARGET}) $(MAKE_TRACE)
+
+libcap-hostinstall:
+	cd ${WRKBUILD} && env ${HOST_MAKE_ENV} ${MAKE} -f ${MAKE_FILE} \
+		${HOST_FAKE_FLAGS} DESTDIR='${STAGING_HOST_DIR}' ${HOST_INSTALL_TARGET} $(MAKE_TRACE)
+
 libcap-install:
 	$(INSTALL_DIR) $(IDIR_LIBCAP)/usr/lib
 	$(CP) $(WRKINST)/usr/lib/libcap*.so* \
 		$(IDIR_LIBCAP)/usr/lib
 
-include ${ADK_TOPDIR}/mk/pkg-bottom.mk
+include $(ADK_TOPDIR)/mk/host-bottom.mk
+include $(ADK_TOPDIR)/mk/pkg-bottom.mk

+ 7 - 46
package/libcap/patches/patch-Make_Rules

@@ -1,20 +1,19 @@
---- libcap-2.24.orig/Make.Rules	2014-01-06 02:16:21.000000000 +0100
-+++ libcap-2.24/Make.Rules	2015-02-26 14:01:28.000000000 +0100
-@@ -12,22 +12,12 @@ FAKEROOT=$(DESTDIR)
- # These choices are motivated by the fact that getcap and setcap are
+--- libcap-2.25.orig/Make.Rules	2016-01-31 02:14:53.000000000 +0100
++++ libcap-2.25/Make.Rules	2016-09-23 10:37:16.179167139 +0200
+@@ -13,21 +13,14 @@ FAKEROOT=$(DESTDIR)
  # administrative operations that could be needed to recover a system.
  
--ifndef lib
+ ifndef lib
 -lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
--endif
--
++lib=lib
+ endif
+ 
 -ifdef prefix
 -exec_prefix=$(prefix)
 -lib_prefix=$(exec_prefix)
 -inc_prefix=$(lib_prefix)
 -man_prefix=$(prefix)/share
 -else
-+lib=lib
  prefix=/usr
 -exec_prefix=
 +exec_prefix=$(prefix)
@@ -25,41 +24,3 @@
  
  # Target directories
  
-@@ -48,28 +38,28 @@ MINOR=24
- KERNEL_HEADERS := $(topdir)/libcap/include/uapi
- IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
- 
--CC := gcc
--CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
-+CC ?= gcc
-+CFLAGS ?= -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
- BUILD_CC := $(CC)
- BUILD_CFLAGS := $(CFLAGS) $(IPATH)
--AR := ar
--RANLIB := ranlib
--DEBUG = -g #-DDEBUG
-+AR ?= ar
-+RANLIB ?= ranlib
-+DEBUG = 
- WARNINGS=-Wall -Wwrite-strings \
-         -Wpointer-arith -Wcast-qual -Wcast-align \
-         -Wstrict-prototypes -Wmissing-prototypes \
-         -Wnested-externs -Winline -Wshadow
--LD=$(CC) -Wl,-x -shared
--LDFLAGS := #-g
-+LD=$(CC) -shared
-+LDFLAGS ?= #-g
- 
- SYSTEM_HEADERS = /usr/include
- INCS=$(topdir)/libcap/include/sys/capability.h
- LDFLAGS += -L$(topdir)/libcap
- CFLAGS += -Dlinux $(WARNINGS) $(DEBUG)
--PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi)
-+PAM_CAP := no
- INDENT := $(shell if [ -n "$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi)
- DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi)
--LIBATTR := yes
-+LIBATTR := no
- 
- # When installing setcap, set its inheritable bit to be able to place
- # capabilities on files. It can be used in conjunction with pam_cap

+ 10 - 21
package/libcap/patches/patch-Makefile

@@ -1,25 +1,14 @@
---- libcap-2.24.orig/Makefile	2013-12-27 19:17:17.000000000 +0100
-+++ libcap-2.24/Makefile	2015-02-26 20:36:58.000000000 +0100
-@@ -16,6 +16,22 @@ endif
+--- libcap-2.25.orig/Makefile	2014-05-31 22:11:05.000000000 +0200
++++ libcap-2.25/Makefile	2016-09-23 10:32:34.156211429 +0200
+@@ -10,11 +10,7 @@ include Make.Rules
+ 
+ all install clean: %: %-here
+ 	$(MAKE) -C libcap $@
+-ifneq ($(PAM_CAP),no)
+-	$(MAKE) -C pam_cap $@
+-endif
  	$(MAKE) -C progs $@
- 	$(MAKE) -C doc $@
+-	$(MAKE) -C doc $@
  
-+progs:
-+	$(MAKE) -C progs all
-+
-+shared:
-+	$(MAKE) -C libcap shared
-+
-+static:
-+	$(MAKE) -C libcap static
-+
-+install-shared:
-+	$(MAKE) -C libcap install-shared
-+
-+install-static:
-+	$(MAKE) -C libcap install-static
-+
-+
  all-here:
  
- install-here:

+ 9 - 41
package/libcap/patches/patch-libcap_Makefile

@@ -1,42 +1,10 @@
---- libcap-2.24.orig/libcap/Makefile	2014-01-06 01:55:03.000000000 +0100
-+++ libcap-2.24/libcap/Makefile	2015-02-26 20:34:47.000000000 +0100
-@@ -28,6 +28,9 @@ GPERF_OUTPUT = _caps_output.gperf
- 
- all: $(MINLIBNAME) $(STALIBNAME) libcap.pc
- 
-+static: $(STALIBNAME)
-+shared: $(MINLIBNAME)
-+
- ifeq ($(shell gperf --version > /dev/null 2>&1 && echo yes),yes)
- USE_GPERF_OUTPUT = $(GPERF_OUTPUT)
- INCLUDE_GPERF_OUTPUT = -include $(GPERF_OUTPUT)
-@@ -43,7 +46,7 @@ libcap.pc: libcap.pc.in
- 		$< >$@
- 
- _makenames: _makenames.c cap_names.list.h
--	$(BUILD_CC) $(BUILD_CFLAGS) $< -o $@
-+	$(CC_FOR_BUILD) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) $< -o $@
- 
- cap_names.h: _makenames
- 	./_makenames > cap_names.h
-@@ -70,6 +73,20 @@ $(MINLIBNAME): $(OBJS)
- cap_text.o: cap_text.c $(USE_GPERF_OUTPUT) $(INCLS)
- 	$(CC) $(CFLAGS) $(IPATH) $(INCLUDE_GPERF_OUTPUT) -c $< -o $@
- 
-+install-shared: install-headers
-+	mkdir -p -m 0755 $(LIBDIR)
-+	install -m 0644 $(MINLIBNAME) $(LIBDIR)/$(MINLIBNAME)
-+	ln -sf $(MINLIBNAME) $(LIBDIR)/$(MAJLIBNAME)
-+	ln -sf $(MAJLIBNAME) $(LIBDIR)/$(LIBNAME)
-+
-+install-static: install-headers
-+	mkdir -p -m 0755 $(LIBDIR)
-+	install -m 0644 $(STALIBNAME) $(LIBDIR)/$(STALIBNAME)
-+
-+install-headers:
-+	mkdir -p -m 0755 $(INCDIR)/sys
-+	install -m 0644 include/sys/capability.h $(INCDIR)/sys
-+
+--- libcap-2.25.orig/libcap/Makefile	2016-01-31 01:01:41.000000000 +0100
++++ libcap-2.25/libcap/Makefile	2016-09-23 10:34:12.564023450 +0200
+@@ -65,7 +65,6 @@ cap_text.o: cap_text.c $(USE_GPERF_OUTPU
  install: all
- 	mkdir -p -m 0755 $(INCDIR)/sys
- 	install -m 0644 include/sys/capability.h $(INCDIR)/sys
+ 	mkdir -p -m 0755 $(FAKEROOT)$(INCDIR)/sys
+ 	install -m 0644 include/sys/capability.h $(FAKEROOT)$(INCDIR)/sys
+-	mkdir -p -m 0755 $(FAKEROOT)$(LIBDIR)
+ 	install -m 0644 $(STALIBNAME) $(FAKEROOT)$(LIBDIR)/$(STALIBNAME)
+ 	install -m 0644 $(MINLIBNAME) $(FAKEROOT)$(LIBDIR)/$(MINLIBNAME)
+ 	ln -sf $(MINLIBNAME) $(FAKEROOT)$(LIBDIR)/$(MAJLIBNAME)

+ 12 - 0
package/libcap/patches/patch-progs_Makefile

@@ -0,0 +1,12 @@
+--- libcap-2.25.orig/progs/Makefile	2016-01-31 01:01:41.000000000 +0100
++++ libcap-2.25/progs/Makefile	2016-09-23 10:37:55.480689559 +0200
+@@ -26,9 +26,6 @@ install: all
+ 	for p in $(PROGS) ; do \
+ 		install -m 0755 $$p $(FAKEROOT)$(SBINDIR) ; \
+ 	done
+-ifeq ($(RAISE_SETFCAP),yes)
+-	$(FAKEROOT)$(SBINDIR)/setcap cap_setfcap=i $(FAKEROOT)$(SBINDIR)/setcap
+-endif
+ 
+ clean:
+ 	$(LOCALCLEAN)

+ 1 - 0
package/xorg-server/files/xorg-server.perm

@@ -0,0 +1 @@
+chmod u+s usr/bin/Xorg
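Review bot: This fragment makes Xorg setuid in every image that contains xorg-server once ADK_RUNTIME_FIX_PERMISSION is enabled, and nothing in the file says why. A setuid X server is a large program that runs with its owner's privileges (root in the image) for every user allowed to execute it, so the fragment deserves a leading comment such as `# Xorg is started by unprivileged users and needs root for device/VT access; remove if the target runs X rootless` (wording to be confirmed by the maintainer). Because the fragment is concatenated into a `#!/bin/sh` script by mk/image.mk, a `#` comment line is harmless there. The path is relative and only resolves correctly after the `cd $(TARGET_DIR)` emitted by that recipe.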

+ 7 - 0
target/config/Config.in.runtime

@@ -51,6 +51,13 @@ config ADK_RUNTIME_DEV_STATIC
 
 endchoice
 
+config ADK_RUNTIME_FIX_PERMISSION
+	bool "Fix permissions for target files (suid bit, ..)"
+	select ADK_HOST_BUILD_FAKEROOT
+	help
+	  Use fakeroot to fix permissions for target dir before image
+	  creation.
+
 config ADK_RUNTIME_SSH_PUBKEY
 	string "SSH public key (root user only)"
 	depends on ADK_PACKAGE_OPENSSH_SERVER || ADK_PACKAGE_DROPBEAR
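Review bot: The help text for ADK_RUNTIME_FIX_PERMISSION does not say what the option actually executes: package-supplied *.perm fragments are concatenated and run as a shell script on the build host (under fakeroot) with the target directory as working directory. Spelling that out, e.g. `Runs the *.perm fragments shipped in package files/ directories as host shell commands under fakeroot before image creation.`, tells users that enabling it extends trust to every package's fragment. From the hunks on this page the fix-up script is only generated in the genimage recipe, so the option appears to have no such effect for other image types; a `depends on` for the genimage target or a sentence in the help would avoid a silent no-op.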

+ 4 - 0
target/config/Config.in.tools

@@ -23,6 +23,10 @@ config ADK_HOST_BUILD_BISON
 	bool
 	default y
 
+config ADK_HOST_BUILD_FAKEROOT
+	bool
+	default n
+
 config ADK_HOST_BUILD_FLEX
 	bool
 	default y