sysctl: make it NOEXEC

[oweals/busybox.git] / Config.in

#
# For a description of the syntax of this configuration file,
# see scripts/kbuild/config-language.txt.
#

mainmenu "Configuration"

config HAVE_DOT_CONFIG
        bool
        default y

menu "Settings"

config DESKTOP
        bool "Enable compatibility for full-blown desktop systems"
        default y
        help
        Enable applet options and features which are not essential.
        Many applet options have dedicated config options to (de)select them
        under that applet; this options enables those options which have no
        individual config item for them.

        Select this if you plan to use busybox on full-blown desktop machine
        with common Linux distro, which needs higher level of command-line
        compatibility.

        If you are preparing your build to be used on an embedded box
        where you have tighter control over the entire set of userspace
        tools, you can unselect this option for smaller code size.

config EXTRA_COMPAT
        bool "Provide compatible behavior for rare corner cases (bigger code)"
        default n
        help
        This option makes grep, sed etc handle rare corner cases
        (embedded NUL bytes and such). This makes code bigger and uses
        some GNU extensions in libc. You probably only need this option
        if you plan to run busybox on desktop.

config FEDORA_COMPAT
        bool "Building for Fedora distribution"
        default n
        help
        This option makes some tools behave like they do on Fedora.

        At the time of this writing (2017-08) this only affects uname:
        normally, uname -p (processor) and uname -i (platform)
        are shown as "unknown", but with this option uname -p
        shows the same string as uname -m (machine type),
        and so does uname -i unless machine type is i486/i586/i686 -
        then uname -i shows "i386".

config INCLUDE_SUSv2
        bool "Enable obsolete features removed before SUSv3"
        default y
        help
        This option will enable backwards compatibility with SuSv2,
        specifically, old-style numeric options ('command -1 <file>')
        will be supported in head, tail, and fold. (Note: should
        affect renice too.)

config LONG_OPTS
        bool "Support --long-options"
        default y
        help
        Enable this if you want busybox applets to use the gnu --long-option
        style, in addition to single character -a -b -c style options.

config SHOW_USAGE
        bool "Show applet usage messages"
        default y
        help
        Enabling this option, applets will show terse help messages
        when invoked with wrong arguments.
        If you do not want to show any (helpful) usage message when
        issuing wrong command syntax, you can say 'N' here,
        saving approximately 7k.

config FEATURE_VERBOSE_USAGE
        bool "Show verbose applet usage messages"
        default y
        depends on SHOW_USAGE
        help
        All applets will show verbose help messages when invoked with --help.
        This will add a lot of text to the binary.

config FEATURE_COMPRESS_USAGE
        bool "Store applet usage messages in compressed form"
        default y
        depends on SHOW_USAGE
        help
        Store usage messages in .bz2 compressed form, uncompress them
        on-the-fly when "APPLET --help" is run.

        If you have a really tiny busybox with few applets enabled (and
        bunzip2 isn't one of them), the overhead of the decompressor might
        be noticeable. Also, if you run executables directly from ROM
        and have very little memory, this might not be a win. Otherwise,
        you probably want this.

config LFS
        bool "Support files > 2 GB"
        default y
        help
        If you need to work with large files, enable this option.
        This will have no effect if your kernel or your C
        library lacks large file support for large files. Some of the
        programs that can benefit from large file support include dd, gzip,
        cp, mount, tar.

config PAM
        bool "Support PAM (Pluggable Authentication Modules)"
        default n
        help
        Use PAM in some applets (currently login and httpd) instead
        of direct access to password database.

config FEATURE_DEVPTS
        bool "Use the devpts filesystem for Unix98 PTYs"
        default y
        help
        Enable if you want to use Unix98 PTY support. If enabled,
        busybox will use /dev/ptmx for the master side of the pseudoterminal
        and /dev/pts/<number> for the slave side. Otherwise, BSD style
        /dev/ttyp<number> will be used. To use this option, you should have
        devpts mounted.

config FEATURE_UTMP
        bool "Support utmp file"
        default y
        help
        The file /var/run/utmp is used to track who is currently logged in.
        With this option on, certain applets (getty, login, telnetd etc)
        will create and delete entries there.
        "who" applet requires this option.

config FEATURE_WTMP
        bool "Support wtmp file"
        default y
        depends on FEATURE_UTMP
        help
        The file /var/run/wtmp is used to track when users have logged into
        and logged out of the system.
        With this option on, certain applets (getty, login, telnetd etc)
        will append new entries there.
        "last" applet requires this option.

config FEATURE_PIDFILE
        bool "Support writing pidfiles"
        default y
        help
        This option makes some applets (e.g. crond, syslogd, inetd) write
        a pidfile at the configured PID_FILE_PATH.  It has no effect
        on applets which require pidfiles to run.

config PID_FILE_PATH
        string "Directory for pidfiles"
        default "/var/run"
        depends on FEATURE_PIDFILE
        help
        This is the default path where pidfiles are created.  Applets which
        allow you to set the pidfile path on the command line will override
        this value.  The option has no effect on applets that require you to
        specify a pidfile path.

config BUSYBOX
        bool "Include busybox applet"
        default y
        help
        The busybox applet provides general help message and allows
        the included applets to be listed.  It also provides
        optional --install command to create applet links. If you unselect
        this option, running busybox without any arguments will give
        just a cryptic error message:

        $ busybox
        busybox: applet not found

        Running "busybox APPLET [ARGS...]" will still work, of course.

config FEATURE_INSTALLER
        bool "Support --install [-s] to install applet links at runtime"
        default y
        depends on BUSYBOX
        help
        Enable 'busybox --install [-s]' support. This will allow you to use
        busybox at runtime to create hard links or symlinks for all the
        applets that are compiled into busybox.

config INSTALL_NO_USR
        bool "Don't use /usr"
        default n
        help
        Disable use of /usr. "busybox --install" and "make install"
        will install applets only to /bin and /sbin,
        never to /usr/bin or /usr/sbin.

config FEATURE_SUID
        bool "Drop SUID state for most applets"
        default y
        help
        With this option you can install the busybox binary belonging
        to root with the suid bit set, enabling some applets to perform
        root-level operations even when run by ordinary users
        (for example, mounting of user mounts in fstab needs this).

        With this option enabled, busybox drops privileges for applets
        that don't need root access, before entering their main() function.

        If you are really paranoid and don't want even initial busybox code
        to run under root for every applet, build two busybox binaries with
        different applets in them (and the appropriate symlinks pointing
        to each binary), and only set the suid bit on the one that needs it.

        Some applets which require root rights (need suid bit on the binary
        or to be run by root) and will refuse to execute otherwise:
        crontab, login, passwd, su, vlock, wall.

        The applets which will use root rights if they have them
        (via suid bit, or because run by root), but would try to work
        without root right nevertheless:
        findfs, ping[6], traceroute[6], mount.

        Note that if you DO NOT select this option, but DO make busybox
        suid root, ALL applets will run under root, which is a huge
        security hole (think "cp /some/file /etc/passwd").

config FEATURE_SUID_CONFIG
        bool "Enable SUID configuration via /etc/busybox.conf"
        default y
        depends on FEATURE_SUID
        help
        Allow the SUID/SGID state of an applet to be determined at runtime
        by checking /etc/busybox.conf. (This is sort of a poor man's sudo.)
        The format of this file is as follows:

        APPLET = [Ssx-][Ssx-][x-] [USER.GROUP]

        s: USER or GROUP is allowed to execute APPLET.
           APPLET will run under USER or GROUP
           (regardless of who's running it).
        S: USER or GROUP is NOT allowed to execute APPLET.
           APPLET will run under USER or GROUP.
           This option is not very sensical.
        x: USER/GROUP/others are allowed to execute APPLET.
           No UID/GID change will be done when it is run.
        -: USER/GROUP/others are not allowed to execute APPLET.

        An example might help:

        |[SUID]
        |su = ssx root.0 # applet su can be run by anyone and runs with
        |                # euid=0,egid=0
        |su = ssx        # exactly the same
        |
        |mount = sx- root.disk # applet mount can be run by root and members
        |                      # of group disk (but not anyone else)
        |                      # and runs with euid=0 (egid is not changed)
        |
        |cp = --- # disable applet cp for everyone

        The file has to be owned by user root, group root and has to be
        writeable only by root:
                (chown 0.0 /etc/busybox.conf; chmod 600 /etc/busybox.conf)
        The busybox executable has to be owned by user root, group
        root and has to be setuid root for this to work:
                (chown 0.0 /bin/busybox; chmod 4755 /bin/busybox)

        Robert 'sandman' Griebl has more information here:
        <url: http://www.softforge.de/bb/suid.html >.

config FEATURE_SUID_CONFIG_QUIET
        bool "Suppress warning message if /etc/busybox.conf is not readable"
        default y
        depends on FEATURE_SUID_CONFIG
        help
        /etc/busybox.conf should be readable by the user needing the SUID,
        check this option to avoid users to be notified about missing
        permissions.

config FEATURE_PREFER_APPLETS
        bool "exec prefers applets"
        default n
        help
        This is an experimental option which directs applets about to
        call 'exec' to try and find an applicable busybox applet before
        searching the PATH. This is typically done by exec'ing
        /proc/self/exe.

        This may affect shell, find -exec, xargs and similar applets.
        They will use applets even if /bin/APPLET -> busybox link
        is missing (or is not a link to busybox). However, this causes
        problems in chroot jails without mounted /proc and with ps/top
        (command name can be shown as 'exe' for applets started this way).

config BUSYBOX_EXEC_PATH
        string "Path to busybox executable"
        default "/proc/self/exe"
        help
        When applets need to run other applets, busybox
        sometimes needs to exec() itself. When the /proc filesystem is
        mounted, /proc/self/exe always points to the currently running
        executable. If you haven't got /proc, set this to wherever you
        want to run busybox from.

config SELINUX
        bool "Support NSA Security Enhanced Linux"
        default n
        select PLATFORM_LINUX
        help
        Enable support for SELinux in applets ls, ps, and id. Also provide
        the option of compiling in SELinux applets.

        If you do not have a complete SELinux userland installed, this stuff
        will not compile.  Specifially, libselinux 1.28 or better is
        directly required by busybox. If the installation is located in a
        non-standard directory, provide it by invoking make as follows:

                CFLAGS=-I<libselinux-include-path> \
                LDFLAGS=-L<libselinux-lib-path> \
                make

        Most people will leave this set to 'N'.

config FEATURE_CLEAN_UP
        bool "Clean up all memory before exiting (usually not needed)"
        default n
        help
        As a size optimization, busybox normally exits without explicitly
        freeing dynamically allocated memory or closing files. This saves
        space since the OS will clean up for us, but it can confuse debuggers
        like valgrind, which report tons of memory and resource leaks.

        Don't enable this unless you have a really good reason to clean
        things up manually.

# These are auto-selected by other options

config FEATURE_SYSLOG
        bool #No description makes it a hidden option
        default n
        #help
        #This option is auto-selected when you select any applet which may
        #send its output to syslog. You do not need to select it manually.

config FEATURE_HAVE_RPC
        bool #No description makes it a hidden option
        default n
        #help
        #This is automatically selected if any of enabled applets need it.
        #You do not need to select it manually.

config PLATFORM_LINUX
        bool #No description makes it a hidden option
        default n
        #help
        #For the most part, busybox requires only POSIX compatibility
        #from the target system, but some applets and features use
        #Linux-specific interfaces.
        #
        #This is automatically selected if any applet or feature requires
        #Linux-specific interfaces. You do not need to select it manually.

comment 'Build Options'

config STATIC
        bool "Build static binary (no shared libs)"
        default n
        help
        If you want to build a static binary, which does not use
        or require any shared libraries, enable this option.
        Static binaries are larger, but do not require functioning
        dynamic libraries to be present, which is important if used
        as a system rescue tool.

config PIE
        bool "Build position independent executable"
        default n
        depends on !STATIC
        help
        Hardened code option. PIE binaries are loaded at a different
        address at each invocation. This has some overhead,
        particularly on x86-32 which is short on registers.

        Most people will leave this set to 'N'.

config NOMMU
        bool "Force NOMMU build"
        default n
        help
        Busybox tries to detect whether architecture it is being
        built against supports MMU or not. If this detection fails,
        or if you want to build NOMMU version of busybox for testing,
        you may force NOMMU build here.

        Most people will leave this set to 'N'.

# PIE can be made to work with BUILD_LIBBUSYBOX, but currently
# build system does not support that
config BUILD_LIBBUSYBOX
        bool "Build shared libbusybox"
        default n
        depends on !FEATURE_PREFER_APPLETS && !PIE && !STATIC
        help
        Build a shared library libbusybox.so.N.N.N which contains all
        busybox code.

        This feature allows every applet to be built as a really tiny
        separate executable linked against the library:
        |$ size 0_lib/l*
        |    text  data   bss     dec    hex filename
        |     939   212    28    1179    49b 0_lib/last
        |     939   212    28    1179    49b 0_lib/less
        |  919138  8328  1556  929022  e2cfe 0_lib/libbusybox.so.1.N.M

        This is useful on NOMMU systems which are not capable
        of sharing executables, but are capable of sharing code
        in dynamic libraries.

config FEATURE_LIBBUSYBOX_STATIC
        bool "Pull in all external references into libbusybox"
        default n
        depends on BUILD_LIBBUSYBOX
        help
        Make libbusybox library independent, not using or requiring
        any other shared libraries.

config FEATURE_INDIVIDUAL
        bool "Produce a binary for each applet, linked against libbusybox"
        default y
        depends on BUILD_LIBBUSYBOX
        help
        If your CPU architecture doesn't allow for sharing text/rodata
        sections of running binaries, but allows for runtime dynamic
        libraries, this option will allow you to reduce memory footprint
        when you have many different applets running at once.

        If your CPU architecture allows for sharing text/rodata,
        having single binary is more optimal.

        Each applet will be a tiny program, dynamically linked
        against libbusybox.so.N.N.N.

        You need to have a working dynamic linker.

config FEATURE_SHARED_BUSYBOX
        bool "Produce additional busybox binary linked against libbusybox"
        default y
        depends on BUILD_LIBBUSYBOX
        help
        Build busybox, dynamically linked against libbusybox.so.N.N.N.

        You need to have a working dynamic linker.

### config BUILD_AT_ONCE
###     bool "Compile all sources at once"
###     default n
###     help
###     Normally each source-file is compiled with one invocation of
###     the compiler.
###     If you set this option, all sources are compiled at once.
###     This gives the compiler more opportunities to optimize which can
###     result in smaller and/or faster binaries.
###
###     Setting this option will consume alot of memory, e.g. if you
###     enable all applets with all features, gcc uses more than 300MB
###     RAM during compilation of busybox.
###
###     This option is most likely only beneficial for newer compilers
###     such as gcc-4.1 and above.
###
###     Say 'N' unless you know what you are doing.

config CROSS_COMPILER_PREFIX
        string "Cross compiler prefix"
        default ""
        help
        If you want to build busybox with a cross compiler, then you
        will need to set this to the cross-compiler prefix, for example,
        "i386-uclibc-".

        Note that CROSS_COMPILE environment variable or
        "make CROSS_COMPILE=xxx ..." will override this selection.

        Native builds leave this empty.

config SYSROOT
        string "Path to sysroot"
        default ""
        help
        If you want to build busybox with a cross compiler, then you
        might also need to specify where /usr/include and /usr/lib
        will be found.

        For example, busybox can be built against an installed
        Android NDK, platform version 9, for ARM ABI with

        CONFIG_SYSROOT=/opt/android-ndk/platforms/android-9/arch-arm

        Native builds leave this empty.

config EXTRA_CFLAGS
        string "Additional CFLAGS"
        default ""
        help
        Additional CFLAGS to pass to the compiler verbatim.

config EXTRA_LDFLAGS
        string "Additional LDFLAGS"
        default ""
        help
        Additional LDFLAGS to pass to the linker verbatim.

config EXTRA_LDLIBS
        string "Additional LDLIBS"
        default ""
        help
        Additional LDLIBS to pass to the linker with -l.

config USE_PORTABLE_CODE
        bool "Avoid using GCC-specific code constructs"
        default n
        help
        Use this option if you are trying to compile busybox with
        compiler other than gcc.
        If you do use gcc, this option may needlessly increase code size.

comment 'Installation Options ("make install" behavior)'

choice
        prompt "What kind of applet links to install"
        default INSTALL_APPLET_SYMLINKS
        help
        Choose what kind of links to applets are created by "make install".

config INSTALL_APPLET_SYMLINKS
        bool "as soft-links"
        help
        Install applets as soft-links to the busybox binary. This needs some
        free inodes on the filesystem, but might help with filesystem
        generators that can't cope with hard-links.

config INSTALL_APPLET_HARDLINKS
        bool "as hard-links"
        help
        Install applets as hard-links to the busybox binary. This might
        count on a filesystem with few inodes.

config INSTALL_APPLET_SCRIPT_WRAPPERS
        bool "as script wrappers"
        help
        Install applets as script wrappers that call the busybox binary.

config INSTALL_APPLET_DONT
        bool "not installed"
        help
        Do not install applet links. Useful when you plan to use
        busybox --install for installing links, or plan to use
        a standalone shell and thus don't need applet links.

endchoice

choice
        prompt "/bin/sh applet link"
        default INSTALL_SH_APPLET_SYMLINK
        depends on INSTALL_APPLET_SCRIPT_WRAPPERS
        help
        Choose how you install /bin/sh applet link.

config INSTALL_SH_APPLET_SYMLINK
        bool "as soft-link"
        help
        Install /bin/sh applet as soft-link to the busybox binary.

config INSTALL_SH_APPLET_HARDLINK
        bool "as hard-link"
        help
        Install /bin/sh applet as hard-link to the busybox binary.

config INSTALL_SH_APPLET_SCRIPT_WRAPPER
        bool "as script wrapper"
        help
        Install /bin/sh applet as script wrapper that calls
        the busybox binary.

endchoice

config PREFIX
        string "Destination path for 'make install'"
        default "./_install"
        help
        Where "make install" should install busybox binary and links.

comment 'Debugging Options'

config DEBUG
        bool "Build with debug information"
        default n
        help
        Say Y here to compile with debug information.
        This increases the size of the binary considerably, and
        should only be used when doing development.

        This adds -g option to gcc command line.

        Most people should answer N.

config DEBUG_PESSIMIZE
        bool "Disable compiler optimizations"
        default n
        depends on DEBUG
        help
        The compiler's optimization of source code can eliminate and reorder
        code, resulting in an executable that's hard to understand when
        stepping through it with a debugger. This switches it off, resulting
        in a much bigger executable that more closely matches the source
        code.

        This replaces -Os/-O2 with -O0 in gcc command line.

config DEBUG_SANITIZE
        bool "Enable runtime sanitizers (ASAN/LSAN/USAN/etc...)"
        default n
        help
        Say Y here if you want to enable runtime sanitizers. These help
        catch bad memory accesses (e.g. buffer overflows), but will make
        the executable larger and slow down runtime a bit.

        This adds -fsanitize=foo options to gcc command line.

        If you aren't developing/testing busybox, say N here.

config UNIT_TEST
        bool "Build unit tests"
        default n
        help
        Say Y here if you want to build unit tests (both the framework and
        test cases) as an applet. This results in bigger code, so you
        probably don't want this option in production builds.

config WERROR
        bool "Abort compilation on any warning"
        default n
        help
        This adds -Werror to gcc command line.

        Most people should answer N.

choice
        prompt "Additional debugging library"
        default NO_DEBUG_LIB
        help
        Using an additional debugging library will make busybox become
        considerably larger and will cause it to run more slowly. You
        should always leave this option disabled for production use.

        dmalloc support:
        ----------------
        This enables compiling with dmalloc ( http://dmalloc.com/ )
        which is an excellent public domain mem leak and malloc problem
        detector. To enable dmalloc, before running busybox you will
        want to properly set your environment, for example:
                export DMALLOC_OPTIONS=debug=0x34f47d83,inter=100,log=logfile
        The 'debug=' value is generated using the following command
        dmalloc -p log-stats -p log-non-free -p log-bad-space \
                -p log-elapsed-time -p check-fence -p check-heap \
                -p check-lists -p check-blank -p check-funcs -p realloc-copy \
                -p allow-free-null

        Electric-fence support:
        -----------------------
        This enables compiling with Electric-fence support. Electric
        fence is another very useful malloc debugging library which uses
        your computer's virtual memory hardware to detect illegal memory
        accesses. This support will make busybox be considerably larger
        and run slower, so you should leave this option disabled unless
        you are hunting a hard to find memory problem.


config NO_DEBUG_LIB
        bool "None"

config DMALLOC
        bool "Dmalloc"

config EFENCE
        bool "Electric-fence"

endchoice

source libbb/Config.in

endmenu

comment "Applets"

source archival/Config.in
source coreutils/Config.in
source console-tools/Config.in
source debianutils/Config.in
source editors/Config.in
source findutils/Config.in
source init/Config.in
source loginutils/Config.in
source e2fsprogs/Config.in
source modutils/Config.in
source util-linux/Config.in
source miscutils/Config.in
source networking/Config.in
source printutils/Config.in
source mailutils/Config.in
source procps/Config.in
source runit/Config.in
source selinux/Config.in
source shell/Config.in
source sysklogd/Config.in