build: add support for SELinux to include/image.mk

This allows the build process to prepare a squashfs filesystem for use
with SELinux.

Signed-off-by: Thomas Petazzoni <[email protected]>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <[email protected]>

config/Config-build.in

@@ -328,4 +328,14 @@ menu "Global build settings"
 			bool "Full"
 	endchoice
 
+	config TARGET_ROOTFS_SECURITY_LABELS
+		bool "Enable rootfs security labels"
+		select KERNEL_SQUASHFS_XATTR
+		select KERNEL_EXT4_FS_SECURITY
+		select KERNEL_F2FS_FS_SECURITY
+		select KERNEL_UBIFS_FS_SECURITY
+		select KERNEL_JFFS2_FS_SECURITY
+		select PACKAGE_refpolicy
+		help
+		  This option enables the usage of SELinux labels
 endmenu

include/image.mk

@@ -234,13 +234,30 @@ endef
 $(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S))))
 $(eval $(foreach S,$(NAND_BLOCKSIZE),$(call Image/mkfs/jffs2-nand/template,$(S))))
 
-define Image/mkfs/squashfs
+define Image/mkfs/squashfs-common
 	$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
 		-nopad -noappend -root-owned \
 		-comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
 		-processors 1
 endef
 
+ifeq ($(CONFIG_TARGET_ROOTFS_SECURITY_LABELS),y)
+define Image/mkfs/squashfs
+	echo "LD_LIBRARY_PATH=\$$LD_LIBRARY_PATH:$(STAGING_DIR_HOSTPKG)/lib" \
+	     "$(STAGING_DIR_HOSTPKG)/sbin/setfiles -r" \
+	     "$(call mkfs_target_dir,$(1))" \
+	     "$(call mkfs_target_dir,$(1))/etc/selinux/targeted/contexts/files/file_contexts " \
+	     "$(call mkfs_target_dir,$(1))" > [email protected]
+	echo "$(Image/mkfs/squashfs-common)" >> [email protected]
+	chmod +x [email protected]
+	$(STAGING_DIR_HOST)/bin/fakeroot [email protected]
+endef
+else
+define Image/mkfs/squashfs
+	$(call Image/mkfs/squashfs-common,$(1))
+endef
+endif
+
 # $(1): board name
 # $(2): rootfs type
 # $(3): kernel image