X-Git-Url: http://git.openwrt.org/?a=blobdiff_plain;f=config%2FConfig-build.in;h=c2303637cb1eb5f6227880599cc9629592748b50;hb=9403810c020cca136149973a3929bf77a1f501aa;hp=fc94f4d45e0c4cd309555a8231cf93ec9277f2e2;hpb=aee58d52ce616fc1d74c15fec01e751e9c2c1dd5;p=openwrt%2Fstaging%2Fjow.git
diff --git a/config/Config-build.in b/config/Config-build.in
index fc94f4d45e..c2303637cb 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -1,15 +1,27 @@ +# SPDX-License-Identifier: GPL-2.0-only +# # Copyright (C) 2006-2013 OpenWrt.org # Copyright (C) 2016 LEDE Project -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# + +config EXPERIMENTAL + bool "Enable experimental features by default" + default n + help + Set this option to build with latest bleeding edge features + which may or may not work as expected. + If you would like to help the development of OpenWrt, you are + encouraged to set this option and provide feedback (both + positive and negative). But do so only if you know how to + recover your device in case of flashing potentially non-working + firmware. + + If you plan to use this build in production, say NO! menu "Global build settings" config JSON_OVERVIEW_IMAGE_INFO bool "Create JSON info file overview per target" - default BUILDBOT + default y help Create a JSON info file called profiles.json in the target directory containing machine readable list of built profiles
@@ -46,12 +58,16 @@ menu "Global build settings" bool "Enable signature checking in opkg" default SIGNED_PACKAGES + config DOWNLOAD_CHECK_CERTIFICATE + bool "Enable TLS certificate verification during package download" + default y + comment "General build options" config TESTING_KERNEL bool "Use the testing kernel version" depends on HAS_TESTING_KERNEL - default n + default EXPERIMENTAL help If the target supports a newer kernel version than the default, you can use this config option to enable it
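Review bot: In the `@@ -46,12 +58,16 @@` hunk, `config DOWNLOAD_CHECK_CERTIFICATE` is added without a `help` block, so nothing tells the user which downloads it covers or what protection is lost when it is switched off. Because it sits directly after the opkg signature option, "package download" can be read as on-device opkg fetches, while the option presumably governs source downloads on the build host; its consumer is not visible in this diff. I would add a help text such as `Verify the server's TLS certificate when fetching package sources during the build. If disabled, a download is protected only by whatever hash check the package defines.`, with the second sentence adjusted to what the download script actually does. Keeping `default y` is the right choice, and the help text should say that disabling it is meant for build hosts behind a TLS-intercepting proxy or with a broken CA store, if that is the motivation.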
@@ -95,7 +111,7 @@ menu "Global build settings" default n help This makes file checksums part of package metadata. It increases size - but provides you with pkg_check command to check for flash coruptions. + but provides you with pkg_check command to check for flash corruptions. config INCLUDE_CONFIG bool "Include build configuration in firmware" if DEVEL
@@ -138,17 +154,12 @@ menu "Global build settings" Adds -g3 to the CFLAGS. config IPV6 - bool - prompt "Enable IPv6 support in packages" - default y - help - Enables IPv6 support in kernel (builtin) and packages. + def_bool y comment "Stripping options" choice prompt "Binary stripping method" - default USE_STRIP if EXTERNAL_TOOLCHAIN default USE_STRIP if USE_GLIBC default USE_SSTRIP help
@@ -182,6 +193,14 @@ menu "Global build settings" help Specifies arguments passed to the strip command when stripping binaries. + config SSTRIP_ARGS + string + prompt "Sstrip arguments" + depends on USE_SSTRIP + default "-z" + help + Specifies arguments passed to the sstrip command when stripping binaries. + config STRIP_KERNEL_EXPORTS bool "Strip unnecessary exports from the kernel image" help
@@ -197,24 +216,6 @@ menu "Global build settings" make the system libraries incompatible with most of the packages that are not selected during the build process. - choice - prompt "Preferred standard C++ library" - default USE_LIBSTDCXX if USE_GLIBC - default USE_UCLIBCXX - help - Select the preferred standard C++ library for all packages that support this. - - config USE_UCLIBCXX - bool "uClibc++" - - config USE_LIBCXX - bool "libc++" - depends on !USE_UCLIBC - - config USE_LIBSTDCXX - bool "libstdc++" - endchoice - comment "Hardening build options" config PKG_CHECK_FORMAT_SECURITY
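Review bot: In the `@@ -138,17 +154,12 @@` hunk, `config IPV6` becomes a promptless `def_bool y`, so an existing .config carrying `# CONFIG_IPV6 is not set` is switched to y on the next config refresh without any message. Builds that used the old prompt to keep IPv6 out of the kernel and packages will now ship with it enabled, so their firewall rules and exposed services should be checked for IPv6 coverage. A comment above the symbol would make the intent explicit, for example `# IPv6 support is always enabled; symbol kept for packages that still test CONFIG_IPV6`. The reason for keeping the symbol is my inference and should be confirmed against the commit message.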
@@ -282,11 +283,11 @@ menu "Global build settings" bool "Strong" endchoice - config KERNEL_STACKPROTECTOR + config KERNEL_STACKPROTECTOR bool default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG - config KERNEL_STACKPROTECTOR_STRONG + config KERNEL_STACKPROTECTOR_STRONG bool default KERNEL_CC_STACKPROTECTOR_STRONG 
@@ -329,13 +330,57 @@ menu "Global build settings" endchoice config TARGET_ROOTFS_SECURITY_LABELS - bool "Enable rootfs security labels" + bool select KERNEL_SQUASHFS_XATTR select KERNEL_EXT4_FS_SECURITY select KERNEL_F2FS_FS_SECURITY select KERNEL_UBIFS_FS_SECURITY select KERNEL_JFFS2_FS_SECURITY - select PACKAGE_refpolicy + + config SELINUX + bool "Enable SELinux" + select KERNEL_SECURITY_SELINUX + select TARGET_ROOTFS_SECURITY_LABELS + select PACKAGE_procd-selinux + select PACKAGE_busybox-selinux help - This option enables the usage of SELinux labels + This option enables SELinux kernel features, applies security labels + in squashfs rootfs and selects the selinux-variants of busybox and procd. + + Selecting this option results in about 0.5MiB of additional flash space + usage accounting for increased kernel and rootfs size. + + choice + prompt "default SELinux type" + depends on TARGET_ROOTFS_SECURITY_LABELS + default SELINUXTYPE_dssp + help + Select SELinux policy to be installed and used for applying rootfs labels. + + config SELINUXTYPE_targeted + bool "targeted" + select PACKAGE_refpolicy + help + SELinux Reference Policy (refpolicy) + + config SELINUXTYPE_dssp + bool "dssp" + select PACKAGE_selinux-policy + help + Defensec SELinux Security Policy -- OpenWrt edition + + endchoice + + config SECCOMP + bool "Enable SECCOMP" + select KERNEL_SECCOMP + select PACKAGE_procd-seccomp + depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64) + depends on !TARGET_uml + default y + help + This option enables seccomp kernel features to safely + execute untrusted bytecode and selects the seccomp-variants + of procd + endmenu
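Review bot: The help text of `config SECCOMP` says the option serves "to safely execute untrusted bytecode", which overstates what the symbol does: it selects `KERNEL_SECCOMP` and `PACKAGE_procd-seccomp`, and syscall filtering presumably only constrains services for which a filter is actually defined. I would reword it to `This option enables seccomp syscall filtering in the kernel and selects the seccomp variant of procd, which can restrict the system calls available to services.` In the same hunk the "default SELinux type" choice depends on `TARGET_ROOTFS_SECURITY_LABELS`, which no longer has a prompt, so `depends on SELINUX` would state the relation directly. The SELINUX help mentions labels only for squashfs although the selected kernel symbols also cover ext4, f2fs, ubifs and jffs2. It also does not say whether the resulting image runs the policy in enforcing or permissive mode, which is not visible here and is the first thing a user enabling the option will want to know.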