busybox: alternatives link to sh wrappers for commands

While directly using busybox[.[no]suid] as the alternatives'
targets, commands could not get correct security labels.

 ~# ls -l /sbin/getty
 ..... /sbin/getty -> /bin/busybox.nosuid
 ~# ls -Z /bin/busybox.nosuid
 system_u:object_r:bin_t:s0 /bin/busybox.nosuid

Add sh wrappers for commands so selinux could work fine.

 ~# ls -l /sbin/getty
 ..... /sbin/getty -> /usr/lib/busybox/sbin/getty
 ~# ls -Z /usr/lib/busybox/sbin/getty
 system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty
 ~# cat /usr/lib/busybox/sbin/getty
 #!/bin/busybox.nosuid

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>

recipes-core/busybox/busybox_1.21.1.bbappend

@@ -0,0 +1,87 @@
+PR .= ".1"
+
+FILES_${PN} += "${libdir}/${PN}"
+
+# We should use sh wrappers instead of links so the commands could get correct
+# security labels
+python create_sh_wrapper_reset_alternative_vars () {
+    # We need to load the full set of busybox provides from the /etc/busybox.links
+    # Use this to see the update-alternatives with the right information
+
+    dvar = d.getVar('D', True)
+    pn = d.getVar('PN', True)
+
+    def create_sh_alternative_vars(links, target, mode):
+        import shutil
+        # Create sh wrapper template
+        fwp = open("busybox_wrapper", 'w')
+        fwp.write("#!%s" % (target))
+        os.fchmod(fwp.fileno(), mode)
+        fwp.close()
+        # Install the sh wrappers and alternatives reset to link to them
+        wpdir = os.path.join(d.getVar('libdir', True), pn)
+        wpdir_dest = '%s%s' % (dvar, wpdir)
+        if not os.path.exists(wpdir_dest):
+            os.makedirs(wpdir_dest)
+        f = open('%s%s' % (dvar, links), 'r')
+        for alt_link_name in f:
+            alt_link_name = alt_link_name.strip()
+            alt_name = os.path.basename(alt_link_name)
+            # Copy script wrapper to wp_path
+            alt_wppath = '%s%s' % (wpdir, alt_link_name)
+            alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name) 
+            alt_wpdir_dest = os.path.dirname(alt_wppath_dest)
+            if not os.path.exists(alt_wpdir_dest):
+                os.makedirs(alt_wpdir_dest)
+            shutil.copy2("busybox_wrapper", alt_wppath_dest)
+            # Re-set alternatives
+            # Match coreutils
+            if alt_name == '[':
+                alt_name = 'lbracket'
+            d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
+            d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
+            if os.path.exists(alt_wppath_dest):
+                d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
+        f.close()
+
+        os.remove("busybox_wrapper")
+        return
+
+    if os.path.exists('%s/etc/busybox.links' % (dvar)):
+        create_sh_alternative_vars("/etc/busybox.links", "/bin/busybox", 0o0755)
+    else:
+        create_sh_alternative_vars("/etc/busybox.links.nosuid", "/bin/busybox.nosuid", 0o0755)
+        create_sh_alternative_vars("/etc/busybox.links.suid", "/bin/busybox.suid", 0o4755)
+}
+
+# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in
+# do_package_prepend() section of busybox_*.bb.
+PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars "
+
+# Use sh wrappers instead of links
+pkg_postinst_${PN} () {
+	# This part of code is dedicated to the on target upgrade problem.
+	# It's known that if we don't make appropriate symlinks before update-alternatives calls,
+	# there will be errors indicating missing commands such as 'sed'.
+	# These symlinks will later be updated by update-alternatives calls.
+	test -n 2 > /dev/null || alias test='busybox test'
+	if test "x$D" = "x"; then
+		# Remove busybox.nosuid if it's a symlink, because this situation indicates
+		# that we're installing or upgrading to a one-binary busybox.
+		if test -h /bin/busybox.nosuid; then
+			rm -f /bin/busybox.nosuid
+		fi
+		for suffix in "" ".nosuid" ".suid"; do
+			if test -e /etc/busybox.links$suffix; then
+				while read link; do
+					if test ! -e "$link"; then
+						# we can use busybox here because even if we are using splitted busybox
+						# we've made a symlink from /bin/busybox to /bin/busybox.nosuid.
+						busybox echo "#!/bin/busybox$suffix" > $link
+					fi
+				done < /etc/busybox.links$suffix
+			fi
+		done
+	fi
+}
+

recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch

@@ -8,13 +8,13 @@ Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ---
  config/file_contexts.subs_dist |    8 ++++++++
- 1 files changed, 8 insertions(+), 0 deletions(-)
+ 1 files changed, 11 insertions(+), 0 deletions(-)
 
 diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
 index 32b87a4..ebba73d 100644
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -5,3 +5,11 @@
+@@ -5,3 +5,14 @@
  /usr/lib32 /usr/lib
  /usr/lib64 /usr/lib
  /var/run/lock /var/lock
@@ -26,6 +26,9 @@ index 32b87a4..ebba73d 100644
 +/var/volatile/lock /var/lock
 +/var/volatile/run/lock /var/lock
 +/www /var/www
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
 -- 
 1.7.5.4
 

recipes-security/refpolicy/refpolicy_2.20130424.inc

@@ -1,3 +1,5 @@
+PRINC = "1"
+
 SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
 SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
 SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"