feat: add libselinux, libsepol, pcre2 and libcap

They are used for SELinux support and systemd-udevd

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>

.github/renovate.json

@@ -59,7 +59,10 @@
                 "git://git.savannah.gnu.org/grub.git",
                 "https://pagure.io/libaio.git",
                 "rpm-software-management/popt",
-                "git://git.liburcu.org/userspace-rcu.git"
+                "PCRE2Project/pcre2",
+                "SELinuxProject/selinux",
+                "git://git.liburcu.org/userspace-rcu.git",
+                "git://git.kernel.org/pub/scm/libs/libcap/libcap.git"
             ],
             "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.?(?<patch>\\d+)?$"
         },

.kres.yaml

@@ -19,16 +19,20 @@ spec:
     - ipxe
     - kmod
     - libaio
+    - libcap
     - libinih
     - libjson-c
     - liblzma
     - libpopt
     - libseccomp
+    - libselinux
+    - libsepol
     - liburcu
     - linux-firmware
     - lvm2
     - musl
     - openssl
+    - pcre2
     - runc
     - sd-boot
     - socat

Makefile

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-08-07T16:43:47Z by kres dbf015a.
+# Generated on 2024-09-29T13:39:30Z by kres 8be5fa7.
 
 # common variables
 
@@ -61,16 +61,20 @@ TARGETS += ipxe
 TARGETS += kmod
 TARGETS += libaio
 TARGETS += libattr
+TARGETS += libcap
 TARGETS += libinih
 TARGETS += libjson-c
 TARGETS += liblzma
 TARGETS += libpopt
 TARGETS += libseccomp
+TARGETS += libselinux
+TARGETS += libsepol
 TARGETS += liburcu
 TARGETS += linux-firmware
 TARGETS += lvm2
 TARGETS += musl
 TARGETS += openssl
+TARGETS += pcre2
 TARGETS += runc
 TARGETS += sd-boot
 TARGETS += socat

Pkgfile

@@ -113,6 +113,18 @@ vars:
   libseccomp_sha256: 248a2c8a4d9b9858aa6baf52712c34afefcf9c9e94b76dce02c1c9aa25fb3375
   libseccomp_sha512: f630e7a7e53a21b7ccb4d3e7b37616b89aeceba916677c8e3032830411d77a14c2d74dcf594cd193b1acc11f52595072e28316dc44300e54083d5d7b314a38da
 
+  # renovate: datasource=github-tags depName=SELinuxProject/selinux
+  selinux_version: 3.7
+  libselinux_sha256: ea03f42d13a4f95757997dba8cf0b26321fac5d2f164418b4cc856a92d2b17bd
+  libselinux_sha512: e949c20b606c50ad521b9592ce55ad6658e8c4b24d9838028f5aba0a4fc762b6d0d0d0d207f5bef7a2e41485e12d91382fa6090df27152dbb40071b273419352
+  libsepol_sha256: cd741e25244e7ef6cd934d633614131a266c3eaeab33d8bfa45e8a93b45cc901
+  libsepol_sha512: 85d12d0ba5a7a3225f08d041a18fd59641608db5e0a78a1e9649754e45be54a807cd422d4889b88da6e806b4af546336c7a0913448f08ac33dc6ffb983890ef8
+
+  # renovate: datasource=git-tags extractVersion=^libcap-(?<version>.*)$ depName=git://git.kernel.org/pub/scm/libs/libcap/libcap.git
+  libcap_version: 2.70
+  libcap_sha256: 23a6ef8aadaf1e3e875f633bb2d116cfef8952dba7bc7c569b13458e1952b30f
+  libcap_sha512: 4e0bf0efeccb654c409afe9727b2b53c1d4da8190d7a0a9848fc52550ff3e13502add3eacde04a68a5b7bec09e91df487f64c5746ba987f873236a9e53b3d4e8
+
   # renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=git://git.liburcu.org/userspace-rcu.git
   liburcu_version: 0.14.1
   liburcu_sha256: 231acb13dc6ec023e836a0f0666f6aab47dc621ecb1d2cd9d9c22f922678abc0
@@ -150,6 +162,11 @@ vars:
   openssl_sha256: 2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281
   openssl_sha512: 5ae47bf1aed2740a33ba5df7dc7345a6738aa6bfa3c9c4de5e51742485e24b25192988d7a2c1b8201ef70056ad8abd0ca78b3d55abe24c0b0373d83b47ed9b74
 
+  # renovate: datasource=github-releases extractVersion=^pcre2-(?<version>.*)$ depName=PCRE2Project/pcre2
+  pcre2_version: 10.44
+  pcre2_sha256: d34f02e113cf7193a1ebf2770d3ac527088d485d4e047ed10e5d217c6ef5de96
+  pcre2_sha512: ee91cc10a2962bc7818b03d368df3dd31f42ea9a7260ae51483ea8cd331b7431e36e63256b0adc213cc6d6741e7c90414fd420622308c0ae3fcb5dd878591be2
+
   # renovate: datasource=github-tags depName=opencontainers/runc
   runc_version: v1.2.0-rc.3
   runc_ref: 45471bc945571d57acef05e0795008d7f1d9baf5

libcap2/pkg.yaml

@@ -0,0 +1,22 @@
+name: libcap
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-{{ .libcap_version }}.tar.xz
+        destination: libcap.tar.xz
+        sha256: "{{ .libcap_sha256 }}"
+        sha512: "{{ .libcap_sha512 }}"
+    prepare:
+      - |
+        tar -xf libcap.tar.xz --strip-components=1
+    build:
+      - |
+        make prefix=/ lib=lib -j $(nproc)
+    install:
+      - |
+        make DESTDIR=/rootfs prefix=/ lib=lib install
+        rm -rf /rootfs/share
+finalize:
+  - from: /rootfs
+    to: /

libselinux/patches/musl-lstat.patch

@@ -0,0 +1,24 @@
+Patch from https://bugs.gentoo.org/905711#c10 to build with musl
+
+diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
+index bc6ed935..3bc0d8dd 100644
+--- a/src/selinux_restorecon.c
++++ b/src/selinux_restorecon.c
+@@ -438,7 +438,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ 	file_spec_t *prevfl, *fl;
+ 	uint32_t h;
+ 	int ret;
+-	struct stat64 sb;
++	struct stat sb;
+
+ 	__pthread_mutex_lock(&fl_mutex);
+
+@@ -452,7 +452,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ 	for (prevfl = &fl_head[h], fl = fl_head[h].next; fl;
+ 	     prevfl = fl, fl = fl->next) {
+ 		if (ino == fl->ino) {
+-			ret = lstat64(fl->file, &sb);
++			ret = lstat(fl->file, &sb);
+ 			if (ret < 0 || sb.st_ino != ino) {
+ 				freecon(fl->con);
+ 				free(fl->file);

libselinux/patches/selabel-digest-uninit.patch

@@ -0,0 +1,13 @@
+diff --git a/utils/selabel_digest.c b/utils/selabel_digest.c
+index 47aad21f..c574d3fd 100644
+--- a/utils/selabel_digest.c
++++ b/utils/selabel_digest.c
+@@ -65,7 +65,7 @@ int main(int argc, char **argv)
+ 	size_t digest_len, i, num_specfiles;
+
+ 	char cmd_buf[4096];
+-	char *cmd_ptr;
++	char *cmd_ptr = NULL;
+ 	char *sha1_buf = NULL;
+
+ 	struct selabel_handle *hnd;

libselinux/pkg.yaml

@@ -0,0 +1,28 @@
+name: libselinux
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+  - stage: libsepol
+  - stage: pcre2
+steps:
+  - sources:
+      - url: https://github.com/SELinuxProject/selinux/releases/download/{{ .selinux_version }}/libselinux-{{ .selinux_version }}.tar.gz
+        destination: libselinux.tar.gz
+        sha256: "{{ .libselinux_sha256 }}"
+        sha512: "{{ .libselinux_sha512 }}"
+    prepare:
+      - |
+        tar -xzf libselinux.tar.gz --strip-components=1
+
+        patch -p1 < /pkg/patches/musl-lstat.patch
+        patch -p1 < /pkg/patches/selabel-digest-uninit.patch
+    build:
+      - |
+        make -j $(nproc) FTS_LDLIBS="-l:libfts.a -L/toolchain/lib"
+    install:
+      - |
+        make install DESTDIR=/rootfs
+finalize:
+  - from: /rootfs
+    to: /

libsepol/pkg.yaml

@@ -0,0 +1,23 @@
+name: libsepol
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/SELinuxProject/selinux/releases/download/{{ .selinux_version }}/libsepol-{{ .selinux_version }}.tar.gz
+        destination: libsepol.tar.gz
+        sha256: "{{ .libsepol_sha256 }}"
+        sha512: "{{ .libsepol_sha512 }}"
+    prepare:
+      - |
+        tar -xzf libsepol.tar.gz --strip-components=1
+    build:
+      - |
+        make -j $(nproc)
+    install:
+      - |
+        make install DESTDIR=/rootfs
+finalize:
+  - from: /rootfs
+    to: /

pcre2/pkg.yaml

@@ -0,0 +1,32 @@
+name: pcre2
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/PCRE2Project/pcre2/releases/download/pcre2-{{ .pcre2_version }}/pcre2-{{ .pcre2_version }}.tar.bz2
+        destination: pcre.tar.bz2
+        sha256: "{{ .pcre2_sha256 }}"
+        sha512: "{{ .pcre2_sha512 }}"
+    prepare:
+      - |
+        tar -xjf pcre.tar.bz2 --strip-components=1
+        mkdir build
+        cd build
+        ../configure \
+              --prefix="/usr" \
+              --enable-unicode-properties \
+              --enable-pcre216 \
+              --enable-pcre232 \
+              --disable-static
+    build:
+      - |
+        cd build
+        make -j $(nproc)
+    install:
+      - |
+        cd build
+        make DESTDIR=/rootfs install
+        rm -rf /rootfs/share
+finalize:
+  - from: /rootfs
+    to: /

reproducibility/pkg.yaml

@@ -19,17 +19,21 @@ dependencies:
   - stage: ipxe
   - stage: kmod
   - stage: libaio
+  - stage: libcap
   - stage: libinih
   - stage: libjson-c
   - stage: liblzma
   - stage: libpopt
   - stage: libseccomp
+  - stage: libselinux
+  - stage: libsepol
   - stage: liburcu
   # linux-firmware can be ignored from reproducibility test since it's a tarball downloaded and extracted (no build happens)
   # - stage: linux-firmware
   - stage: lvm2
   - stage: musl
   - stage: openssl
+  - stage: pcre2
   - stage: runc
   - stage: sd-boot
   - stage: socat