
[meta-selinux][PATCH 0/7] selinux: upgrade refpolicy

Yi Zhao
 

Upgrade refpolicy from 20200229+git to 20210203+git

Yi Zhao (7):
selinux-python: depend on libselinux
parted: remove bbappend
audit: move audisp-* to audispd-plugins package
audit: upgrade 3.0 -> 3.0.1
packagegroup-core-selinux: add auditd
initscripts: restore security contexts after running
populate-volatile.sh
refpolicy: upgrade 20200229+git -> 20210203+git

.../initscripts/initscripts-1.0_selinux.inc | 2 +-
recipes-extended/parted/parted_%.bbappend | 1 -
...arm_table.h-update-arm-syscall-table.patch | 49 -----
.../audit/{audit_3.0.bb => audit_3.0.1.bb} | 17 +-
.../packagegroup-core-selinux.bb | 1 +
.../refpolicy/refpolicy-minimum_git.bb | 1 +
.../refpolicy/refpolicy-targeted_git.bb | 2 -
...tile-alias-common-var-volatile-paths.patch | 6 +-
...inimum-make-sysadmin-module-optional.patch | 10 +-
...ed-make-unconfined_u-the-default-sel.patch | 20 +-
...box-set-aliases-for-bin-sbin-and-usr.patch | 6 +-
...efpolicy-minimum-enable-nscd_use_shm.patch | 35 ++++
...y-policy-to-common-yocto-hostname-al.patch | 2 +-
...sr-bin-bash-context-to-bin-bash.bash.patch | 4 +-
...abel-resolv.conf-in-var-run-properly.patch | 6 +-
...-apply-login-context-to-login.shadow.patch | 2 +-
.../0007-fc-bind-fix-real-path-for-bind.patch | 4 +-
...-fc-hwclock-add-hwclock-alternatives.patch | 2 +-
...g-apply-policy-to-dmesg-alternatives.patch | 2 +-
...ssh-apply-policy-to-ssh-alternatives.patch | 2 +-
...work-apply-policy-to-ip-alternatives.patch | 6 +-
...v-apply-policy-to-udevadm-in-libexec.patch | 6 +-
...ply-rpm_exec-policy-to-cpio-binaries.patch | 4 +-
...c-su-apply-policy-to-su-alternatives.patch | 2 +-
...fc-fstools-fix-real-path-for-fstools.patch | 2 +-
...fix-update-alternatives-for-sysvinit.patch | 6 +-
...l-apply-policy-to-brctl-alternatives.patch | 2 +-
...apply-policy-to-nologin-alternatives.patch | 6 +-
...apply-policy-to-sulogin-alternatives.patch | 2 +-
...tp-apply-policy-to-ntpd-alternatives.patch | 2 +-
...pply-policy-to-kerberos-alternatives.patch | 2 +-
...ap-apply-policy-to-ldap-alternatives.patch | 2 +-
...ply-policy-to-postgresql-alternative.patch | 2 +-
...-apply-policy-to-screen-alternatives.patch | 6 +-
...ply-policy-to-usermanage-alternative.patch | 2 +-
...etty-add-file-context-to-start_getty.patch | 2 +-
...file-context-to-etc-network-if-files.patch | 6 +-
...k-apply-policy-to-vlock-alternatives.patch | 2 +-
...ron-apply-policy-to-etc-init.d-crond.patch | 2 +-
...rk-update-file-context-for-ifconfig.patch} | 6 +-
...s_dist-set-aliase-for-root-director.patch} | 6 +-
...stem-logging-add-rules-for-the-syml.patch} | 43 +---
...ystem-logging-add-domain-rules-for-t.patch | 37 ----
...stem-logging-add-rules-for-syslogd-.patch} | 6 +-
...ernel-files-add-rules-for-the-symlin.patch | 24 +--
...ernel-terminal-add-rules-for-bsdpty_.patch | 124 ------------
...ystem-logging-fix-auditd-startup-fai.patch | 64 ++++++
...ernel-terminal-don-t-audit-tty_devic.patch | 4 +-
...ystem-modutils-allow-mod_t-to-access.patch | 67 +++++++
...rvices-avahi-allow-avahi_t-to-watch.patch} | 8 +-
...ystem-getty-allow-getty_t-watch-gett.patch | 42 ----
...ervices-bluetooth-allow-bluetooth_t-.patch | 65 ------
...ystem-getty-allow-getty_t-to-search-.patch | 32 +++
...ervices-bluetooth-fix-bluetoothd-sta.patch | 88 ++++++++
...les-sysadm-allow-sysadm-to-run-rpci.patch} | 6 +-
...rvices-rpc-add-capability-dac_read_.patch} | 6 +-
...rvices-rpcbind-allow-rpcbind_t-to-c.patch} | 24 ++-
...rvices-rngd-fix-security-context-fo.patch} | 29 +--
...ystem-authlogin-allow-chkpwd_t-to-ma.patch | 34 ----
...ervices-ssh-allow-ssh_keygen_t-to-re.patch | 34 ++++
...ystem-udev-allow-udevadm_t-to-search.patch | 34 ----
...rvices-ssh-make-respective-init-scr.patch} | 4 +-
...dev-do-not-audit-udevadm_t-to-read-w.patch | 37 ----
...rnel-terminal-allow-loging-to-reset.patch} | 4 +-
...ervices-rdisc-allow-rdisc_t-to-searc.patch | 34 ----
...ystem-logging-fix-auditd-startup-fai.patch | 52 -----
...stem-selinuxutil-allow-semanage_t-t.patch} | 6 +-
...stem-systemd-enable-support-for-sys.patch} | 10 +-
...ystem-systemd-fix-systemd-resolved-s.patch | 69 +++++++
...ystem-init-add-capability2-bpf-and-p.patch | 37 ++++
...ystem-sysnetwork-allow-ifconfig_t-to.patch | 35 ----
...ystem-systemd-allow-systemd_logind_t.patch | 37 ++++
...ervices-ntp-allow-ntpd_t-to-watch-sy.patch | 55 -----
...ystem-logging-set-label-devlog_t-to-.patch | 86 ++++++++
...-system-systemd-support-systemd-user.patch | 189 ++++++++++++++++++
...ystem-logging-fix-systemd-journald-s.patch | 74 -------
...ystem-systemd-allow-systemd-generato.patch | 69 +++++++
...ystem-systemd-allow-systemd_backligh.patch | 35 ++++
...ystem-logging-fix-systemd-journald-s.patch | 47 +++++
...ystem-systemd-add-capability-mknod-f.patch | 35 ----
...ervices-cron-allow-crond_t-to-search.patch | 34 ++++
...ystem-systemd-systemd-gpt-auto-gener.patch | 35 ----
...ervices-crontab-allow-sysadm_r-to-ru.patch | 46 +++++
...ystem-sysnetwork-support-priviledge-.patch | 120 +++++++++++
...ervices-acpi-allow-acpid-to-watch-th.patch | 35 ++++
...stem-setrans-allow-setrans-to-acces.patch} | 19 +-
...ystem-modutils-allow-kmod_t-to-write.patch | 35 ++++
...les-sysadm-allow-sysadm_t-to-watch-.patch} | 17 +-
...ystem-selinux-allow-setfiles_t-to-re.patch | 44 ++++
...stem-mount-make-mount_t-domain-MLS-.patch} | 6 +-
...les-sysadm-MLS-sysadm-rw-to-clearan.patch} | 4 +-
...rvices-rpc-make-nfsd_t-domain-MLS-t.patch} | 31 +--
...min-dmesg-make-dmesg_t-MLS-trusted-.patch} | 4 +-
...rnel-kernel-make-kernel_t-MLS-trust.patch} | 4 +-
...stem-init-make-init_t-MLS-trusted-f.patch} | 6 +-
...stem-systemd-make-systemd-tmpfiles_.patch} | 6 +-
...stem-logging-add-the-syslogd_t-to-t.patch} | 8 +-
...stem-init-make-init_t-MLS-trusted-f.patch} | 6 +-
...stem-init-all-init_t-to-read-any-le.patch} | 6 +-
...ystem-systemd-systemd-networkd-make-.patch | 36 ----
...stem-logging-allow-auditd_t-to-writ.patch} | 6 +-
...ystem-systemd-systemd-resolved-make-.patch | 40 ----
...rnel-kernel-make-kernel_t-MLS-trust.patch} | 4 +-
...ystem-systemd-make-systemd-modules_t.patch | 36 ----
...stem-systemd-make-systemd-logind-do.patch} | 6 +-
...ystem-systemd-systemd-gpt-auto-gener.patch | 70 -------
...stem-systemd-systemd-user-sessions-.patch} | 6 +-
...ystem-systemd-systemd-make-systemd_-.patch | 162 +++++++++++++++
...rvices-ntp-make-nptd_t-MLS-trusted-.patch} | 6 +-
...ystem-setrans-allow-setrans_t-use-fd.patch | 30 +++
...ervices-acpi-make-acpid_t-domain-MLS.patch | 35 ++++
...rvices-avahi-make-avahi_t-MLS-trust.patch} | 4 +-
...ervices-bluetooth-make-bluetooth_t-d.patch | 36 ++++
...ystem-sysnetwork-make-dhcpc_t-domain.patch | 38 ++++
...ervices-inetd-make-inetd_t-domain-ML.patch | 36 ++++
...ervices-bind-make-named_t-domain-MLS.patch | 38 ++++
...rvices-rpc-make-rpcd_t-MLS-trusted-.patch} | 6 +-
...ystem-systemd-make-_systemd_t-MLS-tr.patch | 42 ++++
.../refpolicy/refpolicy_common.inc | 113 ++++++-----
recipes-security/refpolicy/refpolicy_git.inc | 4 +-
recipes-security/selinux/selinux-python.inc | 2 +-
121 files changed, 1918 insertions(+), 1240 deletions(-)
delete mode 100644 recipes-extended/parted/parted_%.bbappend
delete mode 100644 recipes-security/audit/audit/0001-lib-arm_table.h-update-arm-syscall-table.patch
rename recipes-security/audit/{audit_3.0.bb => audit_3.0.1.bb} (87%)
create mode 100644 recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch
rename recipes-security/refpolicy/refpolicy/{0081-fc-sysnetwork-update-file-context-for-ifconfig.patch => 0030-fc-sysnetwork-update-file-context-for-ifconfig.patch} (89%)
rename recipes-security/refpolicy/refpolicy/{0030-file_contexts.subs_dist-set-aliase-for-root-director.patch => 0031-file_contexts.subs_dist-set-aliase-for-root-director.patch} (87%)
rename recipes-security/refpolicy/refpolicy/{0031-policy-modules-system-logging-add-rules-for-the-syml.patch => 0032-policy-modules-system-logging-add-rules-for-the-syml.patch} (60%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch
rename recipes-security/refpolicy/refpolicy/{0032-policy-modules-system-logging-add-rules-for-syslogd-.patch => 0033-policy-modules-system-logging-add-rules-for-syslogd-.patch} (87%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-kernel-terminal-add-rules-for-bsdpty_.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-fix-auditd-startup-fai.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0037-policy-modules-system-modutils-allow-mod_t-to-access.patch
rename recipes-security/refpolicy/refpolicy/{0037-policy-modules-services-avahi-allow-avahi_t-to-watch.patch => 0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch} (87%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0038-policy-modules-system-getty-allow-getty_t-watch-gett.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch
rename recipes-security/refpolicy/refpolicy/{0040-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch => 0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch} (87%)
rename recipes-security/refpolicy/refpolicy/{0041-policy-modules-services-rpc-add-capability-dac_read_.patch => 0042-policy-modules-services-rpc-add-capability-dac_read_.patch} (88%)
rename recipes-security/refpolicy/refpolicy/{0042-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch => 0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch} (61%)
rename recipes-security/refpolicy/refpolicy/{0043-policy-modules-services-rngd-fix-security-context-fo.patch => 0044-policy-modules-services-rngd-fix-security-context-fo.patch} (66%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0044-policy-modules-system-authlogin-allow-chkpwd_t-to-ma.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0045-policy-modules-system-udev-allow-udevadm_t-to-search.patch
rename recipes-security/refpolicy/refpolicy/{0049-policy-modules-services-ssh-make-respective-init-scr.patch => 0046-policy-modules-services-ssh-make-respective-init-scr.patch} (89%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0046-policy-modules-udev-do-not-audit-udevadm_t-to-read-w.patch
rename recipes-security/refpolicy/refpolicy/{0050-policy-modules-kernel-terminal-allow-loging-to-reset.patch => 0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch} (90%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0047-policy-modules-services-rdisc-allow-rdisc_t-to-searc.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0048-policy-modules-system-logging-fix-auditd-startup-fai.patch
rename recipes-security/refpolicy/refpolicy/{0051-policy-modules-system-selinuxutil-allow-semanage_t-t.patch => 0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch} (84%)
rename recipes-security/refpolicy/refpolicy/{0054-policy-modules-system-systemd-enable-support-for-sys.patch => 0049-policy-modules-system-systemd-enable-support-for-sys.patch} (89%)
create mode 100644 recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0052-policy-modules-system-sysnetwork-allow-ifconfig_t-to.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0053-policy-modules-services-ntp-allow-ntpd_t-to-watch-sy.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0057-policy-modules-system-systemd-add-capability-mknod-f.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0058-policy-modules-system-systemd-systemd-gpt-auto-gener.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch
rename recipes-security/refpolicy/refpolicy/{0063-policy-modules-system-setrans-allow-setrans-to-acces.patch => 0062-policy-modules-system-setrans-allow-setrans-to-acces.patch} (71%)
create mode 100644 recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch
rename recipes-security/refpolicy/refpolicy/{0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch => 0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch} (60%)
create mode 100644 recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch
rename recipes-security/refpolicy/refpolicy/{0062-policy-modules-system-mount-make-mount_t-domain-MLS-.patch => 0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch} (85%)
rename recipes-security/refpolicy/refpolicy/{0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch => 0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch} (92%)
rename recipes-security/refpolicy/refpolicy/{0059-policy-modules-services-rpc-fix-policy-for-nfsserver.patch => 0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch} (61%)
rename recipes-security/refpolicy/refpolicy/{0064-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch => 0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch} (91%)
rename recipes-security/refpolicy/refpolicy/{0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (96%)
rename recipes-security/refpolicy/refpolicy/{0066-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (90%)
rename recipes-security/refpolicy/refpolicy/{0067-policy-modules-system-systemd-make-systemd-tmpfiles_.patch => 0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch} (92%)
rename recipes-security/refpolicy/refpolicy/{0068-policy-modules-system-logging-add-the-syslogd_t-to-t.patch => 0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch} (86%)
rename recipes-security/refpolicy/refpolicy/{0069-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (86%)
rename recipes-security/refpolicy/refpolicy/{0070-policy-modules-system-init-all-init_t-to-read-any-le.patch => 0075-policy-modules-system-init-all-init_t-to-read-any-le.patch} (88%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0075-policy-modules-system-systemd-systemd-networkd-make-.patch
rename recipes-security/refpolicy/refpolicy/{0071-policy-modules-system-logging-allow-auditd_t-to-writ.patch => 0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch} (88%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0076-policy-modules-system-systemd-systemd-resolved-make-.patch
rename recipes-security/refpolicy/refpolicy/{0072-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (90%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0077-policy-modules-system-systemd-make-systemd-modules_t.patch
rename recipes-security/refpolicy/refpolicy/{0073-policy-modules-system-systemd-make-systemd-logind-do.patch => 0078-policy-modules-system-systemd-make-systemd-logind-do.patch} (90%)
delete mode 100644 recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch
rename recipes-security/refpolicy/refpolicy/{0074-policy-modules-system-systemd-systemd-user-sessions-.patch => 0079-policy-modules-system-systemd-systemd-user-sessions-.patch} (88%)
create mode 100644 recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
rename recipes-security/refpolicy/refpolicy/{0079-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch => 0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch} (89%)
create mode 100644 recipes-security/refpolicy/refpolicy/0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch
rename recipes-security/refpolicy/refpolicy/{0080-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch => 0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch} (89%)
create mode 100644 recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch
rename recipes-security/refpolicy/refpolicy/{0060-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch => 0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch} (85%)
create mode 100644 recipes-security/refpolicy/refpolicy/0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch

--
2.25.1


VS: [meta-raspberrypi] Support for Raspberry pi CM4 (USB host support not working)

Jonas Vennevold
 

Hello,

 

I was wondering if the meta-raspberrypi layer has official support for the cm4 module?

I see a commit adding the .dtb files for the cm4 and 400 in the master branch.

http://git.yoctoproject.org/cgit/cgit.cgi/meta-raspberrypi/commit/conf/machine/raspberrypi4-64.conf?id=0c85f0150629e1f5eaf86289f2542744e38b5413&context=3&ignorews=0&dt=0

In the documentation, it is also mentioned that USB host support has to be enabled for CM4 IO board.

https://meta-raspberrypi.readthedocs.io/en/latest/extra-build-config.html#enable-usb-host-support

 

Since it is not listed under supported machines I assume that it is not supported.
If that is true, how long before it is going to be supported?

 

I haven’t been able to get the USB host support to work.

I have been building from the master branch and set 'ENABLE_DWC2_HOST = "1"' in my local.conf.

I have also confirmed that 'dtoverlay=dwc2,dr_mode=host' has been added to the config.txt, but so far I have had no luck getting it to work.

Any tips on how to get it to work?

 

I tried writing an image onto the CM4 with the RPI Imager and had success with enabling the USB host support that way.

 

--

Jonas Vennevold
 

 


yocto meta intel dual boot with windows 8.1

Sachin Dagur
 

Hi

I am new to the Yocto Project and have a system with Intel architecture and an embedded OS based on Windows 8.1 installed. But now I want to make a dual boot system with Yocto. I have around 100 GB free space when checked in disk management.

So here's what I did: I downloaded the poky repo and the meta-intel sub repo, and appended the following at the end of my local.conf file:

MACHINE = "intel-corei7-64"
MACHINE_ESSENTIAL_EXTRA_RDEPENDS = "grub"
PREFERRED_VERSION_grub ?= "2.0"
WKS_FILE = "image-installer.wks.in"
IMAGE_FSTYPES_append = " ext4"
IMAGE_TYPEDEP_wic = "ext4"
INITRD_IMAGE_LIVE="core-image-minimal-initramfs"
do_image_wic[depends] += "${INITRD_IMAGE_LIVE}:do_image_complete"
do_rootfs[depends] += "virtual/kernel:do_deploy"
IMAGE_BOOT_FILES_append = "\
      ${KERNEL_IMAGETYPE} \
  microcode.cpio \
  ${IMGDEPLOYDIR}/${IMAGE_BASENAME}-${MACHINE}.ext4;rootfs.img \
  ${@bb.utils.contains('EFI_PROVIDER', 'grub-efi', 'grub-efi-bootx64.efi;EFI/BOOT/bootx64.efi', '', d)} \
  ${@bb.utils.contains('EFI_PROVIDER', 'grub-efi', '${IMAGE_ROOTFS}/boot/EFI/BOOT/grub.cfg;EFI/BOOT/grub.cfg', '', d)} \
  ${@bb.utils.contains('EFI_PROVIDER', 'systemd-boot', 'systemd-bootx64.efi;EFI/BOOT/bootx64.efi', '', d)} \
  ${@bb.utils.contains('EFI_PROVIDER', 'systemd-boot', '${IMAGE_ROOTFS}/boot/loader/loader.conf;loader/loader.conf ', '', d)} \
  ${@bb.utils.contains('EFI_PROVIDER', 'systemd-boot', '${IMAGE_ROOTFS}/boot/loader/entries/boot.conf;loader/entries/boot.conf', '', d)} "

So with the above config I built a sato image using the bitbake command and got a .wic image file. But when I try to install the image on my system I could see 2 options:

install
reboot to firmware settings

When I selected the first option to install, it only asks to install on sda, which means it will erase my entire disk and install only Yocto.

So how can I achieve something like we do in a standard Linux distribution, where we are able to install it on a specific partition/free space available? Is there any configuration I need to change/add?

Thanks


Reminder: Yocto Project Technical Team Meeting @ Monthly from 8am on the first Tuesday (PDT)

Stephen Jolley
 

All,

 

Just a reminder we will hold the monthly Yocto Project Technical Meeting at 8am PST tomorrow. (3/2) 

 

Yocto Project Technical Team Meeting: We encourage people attending the meeting to log on and announce themselves on the Yocto Project IRC channel during the meeting (optional):

Yocto IRC: http://webchat.freenode.net/?channels=#yocto

 

Wiki: https://www.yoctoproject.org/public-virtual-meetings/

 

When            Monthly from 8am to 9am on the first Tuesday Pacific Time

Where           Zoom Meeting: https://zoom.us/j/990892712?pwd=cHU1MjhoM2x6ck81bkcrYjRrcmJsUT09

 

We are tracking the minutes at: https://docs.google.com/document/d/1ly8nyhO14kDNnFcW2QskANXW3ZT7QwKC5wWVDg9dDH4/edit?pli=1 Please request access if you want to assist in editing them.  The world should have view access.

 

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

Cell: (208) 244-4460

Email: sjolley.yp.pm@...

 


Enhancements/Bugs closed WW09!

Stephen Jolley
 

All,

The below were the owners of enhancements or bugs closed during the last week!

Who                      Count
randy.macleod@...        4
richard.purdie@...       4
alexandre.belloni@...    3
steve@...                1
thomasnam@...            1
denis@...                1
alejandro@...            1
Grand Total              15

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

Cell: (208) 244-4460

Email: sjolley.yp.pm@...

 


Current high bug count owners for Yocto Project 3.3

Stephen Jolley
 

All,

Below is the list of the top 50 bug owners, as of the end of WW09, who have open medium or higher bugs and enhancements against YP 3.3. There are 43 possible work days left until the final release candidates for YP 3.3 need to be released.

Who                        Count
richard.purdie@...         30
ross@...                   25
david.reyna@...            20
bluelightning@...          15
bruce.ashfield@...         12
JPEWhacker@...             10
trevor.gamblin@...         9
kai.kang@...               8
yifan.yu@...               8
akuster808@...             7
mark.morton@...            7
raj.khem@...               6
chee.yang.lee@...          6
Qi.Chen@...                5
sakib.sajal@...            5
yi.zhao@...                4
idadelm@...                4
saul.wold@...              3
hongxu.jia@...             3
randy.macleod@...          3
timothy.t.orling@...       3
stacygaikovaia@...         3
mingli.yu@...              3
mostthingsweb@...          3
matthewzmd@...             2
alejandro@...              2
jon.mason@...              2
pokylinux@...              2
liezhi.yang@...            2
sangeeta.jain@...          2
nicolas.dechesne@...       2
ydirson@...                2
limon.anibal@...           2
jaewon@...                 2
jeanmarie.lemetayer@...    2
twoerner@...               1
mhalstead@...              1
john.kaldas.enpj@...       1
Martin.Jansa@...           1
dl9pf@...                  1
mshah@...                  1
charles.davies@...         1
steve@...                  1
dorindabassey@...          1
kergoth@...                1
shachar@...                1
matt.ranostay@...          1
mister_rs@...              1
aehs29@...                 1
yoctoproject@...           1
mark.hatle@...             1

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

Cell: (208) 244-4460

Email: sjolley.yp.pm@...

 


Yocto Project Newcomer & Unassigned Bugs - Help Needed

Stephen Jolley
 

All,

 

The triage team is starting to try and collect up and classify bugs which a newcomer to the project would be able to work on in a way which means people can find them. They're being listed on the triage page under the appropriate heading:

https://wiki.yoctoproject.org/wiki/Bug_Triage#Newcomer_Bugs  Also please review: https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded and how to create a bugzilla account at: https://bugzilla.yoctoproject.org/createaccount.cgi

The idea is these bugs should be straightforward for a person to help work on who doesn't have deep experience with the project.  If anyone can help, please take ownership of the bug and send patches!  If anyone needs help/advice there are people on IRC who can likely do so, or some of the more experienced contributors will likely be happy to help too.

 

Also, the triage team meets weekly and does its best to handle the bugs reported into the Bugzilla. The number of people attending that meeting has fallen, as have the number of people available to help fix bugs. One of the things we hear users report is they don't know how to help. We (the triage team) are therefore going to start reporting out the currently 364 unassigned or newcomer bugs.

 

We're hoping people may be able to spare some time now and again to help out with these.  Bugs are split into two types, "true bugs" where things don't work as they should and "enhancements" which are features we'd want to add to the system.  There are also roughly four different "priority" classes right now, "3.2", "3.3", "3.99" and "Future", the more pressing/urgent issues being in "3.2" and then "3.3".

 

Please review this link and if a bug is something you would be able to help with either take ownership of the bug, or send me (sjolley.yp.pm@...) an e-mail with the bug number you would like and I will assign it to you (please make sure you have a Bugzilla account).  The list is at: https://wiki.yoctoproject.org/wiki/Bug_Triage_Archive#Unassigned_or_Newcomer_Bugs

 

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

Cell: (208) 244-4460

Email: sjolley.yp.pm@...

 


Re: Kernel panic - not syncing: VFS: Unable to mount root fs ...

Rudolf J Streif
 

Hi,

On 3/1/21 1:16 PM, jchludzinski via lists.yoctoproject.org wrote:
> I rebuilt socfpga_arria10_socdk_sdmmc.dtb in ./sd_card/sdfs/ using modified files:
>
>    arch/arm/boot/dts/socfpga_arria10_socdk_sdmmc.dts
>    arch/arm/boot/dts/socfpga_arria10_socdk.dtsi
>
> When I try booting I now get:

Are you saying it worked before and now it does not anymore? Did you make changes to the device tree?

> Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(179,2)
>
> What is this telling me?

Pretty much exactly what the message is saying: the kernel cannot find the root file system to mount.

> I searched online and read something about the boot command in extlinux/extlinux.conf: 'root=/dev/mmcblk0p2'?
> The '2' is the problem somehow?

You found the correct item: the kernel command line parameter passed by the boot loader (presumably u-boot in your case) for the root file system partition. The partition number could be the problem if the root file system is not on partition 2. It could also be that the device is incorrect (that would be the number 0). It could also be that it is the correct device and partition but no root file system has been copied to it.

You would need to use the u-boot monitor commands to track it down.

Please bear with me here. I don't have that particular board and you only provided very little information.

:rjs




-- 
Rudolf J Streif
CEO/CTO ibeeto
+1.855.442.3386 x700


Kernel panic - not syncing: VFS: Unable to mount root fs ...

jchludzinski
 

I rebuilt socfpga_arria10_socdk_sdmmc.dtb in ./sd_card/sdfs/ using modified files:

   arch/arm/boot/dts/socfpga_arria10_socdk_sdmmc.dts
   arch/arm/boot/dts/socfpga_arria10_socdk.dtsi

When I try booting I now get:

Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(179,2)

What is this telling me?
 
I searched online and read something about the boot command in extlinux/extlinux.conf: 'root=/dev/mmcblk0p2'?
The '2' is the problem somehow?


Re: [opkg-devel] [opkg-utils PATCH] CONTRIBUTING: fix yocto ML link

Alex Stewart
 

Merged 1 commit to opkg-utils:master.

18f7bfca3ac6f5c4502ce05de6e5e4fa5360e759

Thanks,

--
Alex Stewart
Software Engineer - NI Real-Time OS
NI (National Instruments)

alex.stewart@ni.com


Re: [opkg-devel] [opkg-utils PATCH] opkg-build: make sure destination dir exists

Alex Stewart
 

Merged 1 commit to opkg-utils:master.

53ab66853e073f54ef43d3045b38ed0303da72a4

Thanks,

--
Alex Stewart
Software Engineer - NI Real-Time OS
NI (National Instruments)

alex.stewart@ni.com


Re: npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json from remote location

TRO
 

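I did this:
addtask getsw after do_fetch before do_compile

python do_getsw() {
    import os
    # bb.debug() takes the debug level as its first argument.
    bb.debug(1, "downloading shrinkwrap file")
    # Pull only the shrinkwrap file out of the remote repository.
    ret = os.system("git archive --remote=ssh://git@... HEAD frontend/npm-shrinkwrap.json | tar -xO > /tmp/npm-shrinkwrap.json_dwnl")
    if ret != 0:
        # Stop here rather than parse a stale or empty file left in /tmp.
        bb.fatal("failed to download npm-shrinkwrap.json")
    # Fetch() expects a list of URLs.
    src_uri_sw = ['npmsw:///tmp/npm-shrinkwrap.json_dwnl;dev=True']

    try:
        fetcher = bb.fetch2.Fetch(src_uri_sw, d)
        fetcher.download()
    except bb.fetch2.BBFetchException as e:
        bb.fatal(str(e))

    try:
        fetcher.unpack(d.getVar('WORKDIR'))
    except bb.fetch2.BBFetchException as e:
        bb.fatal(str(e))

    bb.debug(1, "src_uri: " + str(src_uri_sw))
}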


Re: [PATCH] dev-manual/common-task.rst: Added documentation for debuginfod support

Armin Kuster
 

Dorinda,

Thanks for the patch. Documentation has its own mailing list.
docs@lists.yoctoproject.org

Please resend to that list.

-armin

On 3/1/21 6:45 AM, Dorinda wrote:
Added documentation on running debuginfod server and using it on the target.

Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
---
documentation/dev-manual/common-tasks.rst | 46 ++++++++++++++++++++++-
1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst
index 65db4aed33..d4a2b2f28d 100644
--- a/documentation/dev-manual/common-tasks.rst
+++ b/documentation/dev-manual/common-tasks.rst
@@ -10023,7 +10023,51 @@ before starting the debugging process. These extra computations place
more load on the target system and can alter the characteristics of the
program being debugged.

-To help get past the previously mentioned constraints, you can use
+To help get past the previously mentioned constraints, they're two
+methods you can use: running a debuginfod server and using gdbserver.
+
+Using the debuginfod server Method
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+debuginfod from elfutils is a way to distribute debuginfo files.
+running a debuginfod server makes debug symbols readily available,
+which means you don't need to download debugging information
+and the binaries of the process being debugged. you can just fetch
+debug symbols from the server.
+
+1. To run a debuginfod server, you need to do the following:
+
+- Ensure that this variable is set in your ``local.conf`` file:
+ ::
+
+ PACKAGECONFIG_pn-elfutils-native = "debuginfod libdebuginfod"
+
+ This PACKAGECONFIG option enables debuginfod and libdebuginfod for
+ elfutils-native.
+
+- Run the following commands to set up the debuginfod server:
+ ::
+
+ $ oe-debuginfod
+2. To use debuginfod on the target, you need the following:
+
+- Ensure that these variable is set in your ``local.conf`` file:
+ ::
+
+ DEBUGINFOD_URLS = "http://localhost:port"
+
+ This option does the client configuration by setting DEBUGINFOD_URLS
+ to point at the server running debuginfod. Such that for every lookup,
+ the debuginfod client will query the server and return the requested information.
+ ::
+
+ PACKAGECONFIG_pn-gdb = "debuginfod"
+
+ This PACKAGECONFIG option enables debuginfod for gdb.
+
+Using the gdbserver Method
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
gdbserver, which runs on the remote target and does not load any
debugging information from the debugged process. Instead, a GDB instance
processes the debugging information that is run on a remote computer -
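
Review bot: the new "Using the gdbserver Method" section opens with a sentence fragment. The removed line "To help get past the previously mentioned constraints, you can use" was the start of the sentence that continues in the unchanged context line "gdbserver, which runs on the remote target and ...", so after this change the section body starts mid-sentence. Rewording that first line as a full sentence (for example "gdbserver runs on the remote target and does not load ...") would fix it. In the added text, "they're two methods" should read "there are two methods", "these variable is set" should be "this variable is set", and the sentences beginning "running a debuginfod server" and "you can just fetch" need capitals.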



[PATCH] dev-manual/common-task.rst: Added documentation for debuginfod support

Dorinda
 

Added documentation on running debuginfod server and using it on the target.

Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
---
documentation/dev-manual/common-tasks.rst | 46 ++++++++++++++++++++++-
1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst
index 65db4aed33..d4a2b2f28d 100644
--- a/documentation/dev-manual/common-tasks.rst
+++ b/documentation/dev-manual/common-tasks.rst
@@ -10023,7 +10023,51 @@ before starting the debugging process. These extra computations place
more load on the target system and can alter the characteristics of the
program being debugged.

-To help get past the previously mentioned constraints, you can use
+To help get past the previously mentioned constraints, they're two
+methods you can use: running a debuginfod server and using gdbserver.
+
+Using the debuginfod server Method
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+debuginfod from elfutils is a way to distribute debuginfo files.
+running a debuginfod server makes debug symbols readily available,
+which means you don't need to download debugging information
+and the binaries of the process being debugged. you can just fetch
+debug symbols from the server.
+
+1. To run a debuginfod server, you need to do the following:
+
+- Ensure that this variable is set in your ``local.conf`` file:
+ ::
+
+ PACKAGECONFIG_pn-elfutils-native = "debuginfod libdebuginfod"
+
+ This PACKAGECONFIG option enables debuginfod and libdebuginfod for
+ elfutils-native.
+
+- Run the following commands to set up the debuginfod server:
+ ::
+
+ $ oe-debuginfod
+2. To use debuginfod on the target, you need the following:
+
+- Ensure that these variable is set in your ``local.conf`` file:
+ ::
+
+ DEBUGINFOD_URLS = "http://localhost:port"
+
+ This option does the client configuration by setting DEBUGINFOD_URLS
+ to point at the server running debuginfod. Such that for every lookup,
+ the debuginfod client will query the server and return the requested information.
+ ::
+
+ PACKAGECONFIG_pn-gdb = "debuginfod"
+
+ This PACKAGECONFIG option enables debuginfod for gdb.
+
+Using the gdbserver Method
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
gdbserver, which runs on the remote target and does not load any
debugging information from the debugged process. Instead, a GDB instance
processes the debugging information that is run on a remote computer -
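
Review bot: the client setting DEBUGINFOD_URLS = "http://localhost:port" under step 2 cannot be followed as written. The step is headed "To use debuginfod on the target", but on the target "localhost" is the target itself, not the host where step 1 starts oe-debuginfod, and "port" is a placeholder that the text never ties to the port the server listens on. Suggest showing the address of the machine running oe-debuginfod and the server's actual port, and noting that the URL is plain http, so the client should only be pointed at a server on a network you trust. Separately, the "$ oe-debuginfod" literal block is followed directly by "2. To use debuginfod ..." with no blank line between them, which reStructuredText needs to end the block cleanly.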
--
2.17.1


Re: Poky Dunfell 3.1.6 broken due to pseudo changes

Steve Sakoman
 

On Mon, Mar 1, 2021 at 1:46 AM Peter Kjellerstedt
<peter.kjellerstedt@axis.com> wrote:

If you upgrade an existing build tree to use the Poky Dunfell 3.1.6 release,
you are likely to see a lot of pseudo aborts. This is because commit e3cab68b
in poky (commit 8c1084f3 in meta-yocto) was not backported to meta-poky. Due
to this, OELAYOUT_ABI remains at 12, and thus the sanity test in sanity.bbclass
that should prevent an existing tmp directory from being used does not trigger.

Can you backport this change to get poky back to a working state?

Yes! Sorry I missed this :-(

Steve


Including Python3 modules in generated SDK do not work (pandas, dunfell)

Daniel Adolfsson
 

Hello,

I have been using Yocto for several years now and I really appreciate all the hard work you all are putting into this project!

I have up until now been able to find documentation or answers to questions that cover my issues. But this time I have not been able to find my way, maybe I am using the wrong search terms.


Some background,
Running on a custom embedded device, powered by an AM3552 SoC, currently running Dunfell.

I have a recipe that compiles a software using CMake. CMake in turn uses a Python3 script in the build step to generate some source files based on a CSV file. That script uses the python3-pandas library.

In my recipe I include python3-pandas as a DEPENDS

# For some reason python3-pandas-native does not pull in its dependencies, pytz and dateutil.
# The same is true for dateutil which depend on six
DEPENDS += "python3-pandas-native python3-pytz-native python3-dateutil-native python3-six-native"


This works great for building the firmware image file.

But in the generated SDK or Extensible SDK the modules are not available.

$ which python3
/home/daad/cem-fw-dev_sdk_chc/sysroots/x86_64-pokysdk-linux/usr/bin/python3

$ python3
Python 3.8.2 (default, Feb 25 2020, 10:39:28)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pandas
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'pandas'
>>>


I have also tried using the extensible SDK, but I get another error when trying devtool

devtool modify recipe fails with python error: Exception: ModuleNotFoundError: No module named '_sysconfigdata'


I am unsure how to continue, where should I look for the issue? I am assuming that "depending" on a native python package would cause it to be included in the SDK..? Even though it is a python dependency?
This has worked for other recipes' (non-python) dependencies.
It "feels" like somehow the python3 "install" in the sdk is not identical to the one that is used when building the images.

Best Regards

--
Daniel Adolfsson


[meta-security][PATCH] ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@gmail.com>

This fixes the following systemd boot issues:
[ 7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
[ 7.457677] systemd[1]: Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object.
[ 7.459270] systemd[1]: Freezing execution.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
.../recipes-security/ima_policy_hashed/files/ima_policy_hashed | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_=
policy_hashed b/meta-integrity/recipes-security/ima_policy_hashed/files/i=
ma_policy_hashed
index 7f89c8d..4d9e4ca 100644
--- a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_=
hashed
+++ b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_=
hashed
@@ -53,6 +53,9 @@ dont_measure fsmagic=3D0x43415d53
# CGROUP_SUPER_MAGIC
dont_appraise fsmagic=3D0x27e0eb
dont_measure fsmagic=3D0x27e0eb
+# CGROUP2_SUPER_MAGIC
+dont_appraise fsmagic=3D0x63677270
+dont_measure fsmagic=3D0x63677270
# EFIVARFS_MAGIC
dont_appraise fsmagic=3D0xde5e81e4
dont_measure fsmagic=3D0xde5e81e4
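
Review bot: the commit message gives the symptom (systemd's "Failed to create /init.scope control group: Permission denied") but not the cause, and since the three lines added under "# CGROUP2_SUPER_MAGIC" take a filesystem out of both measurement and appraisal, the reason belongs in the log. Suggest stating that the failure comes from IMA rules being applied to the cgroup2 mount, that fsmagic 0x63677270 is a kernel pseudo-filesystem handled the same way as the CGROUP_SUPER_MAGIC (0x27e0eb) entry directly above it, and whether any other policy file in the layer that already excludes CGROUP_SUPER_MAGIC needs the same pair of rules.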
--=20
2.29.0


Poky Dunfell 3.1.6 broken due to pseudo changes

Peter Kjellerstedt
 

If you upgrade an existing build tree to use the Poky Dunfell 3.1.6 release,
you are likely to see a lot of pseudo aborts. This is because commit e3cab68b
in poky (commit 8c1084f3 in meta-yocto) was not backported to meta-poky. Due
to this, OELAYOUT_ABI remains at 12, and thus the sanity test in sanity.bbclass
that should prevent an existing tmp directory from being used does not trigger.

Can you backport this change to get poky back to a working state?

//Peter


Re: Dunfell, nodejs and typescript - short experience report

TRO
 

Hi Simon,
thank you - in my current solution I don't use npm bbclass at all.
I basically use npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json;dev=True
this will download all npm stuff including angular because of dev=True to $S/node_modules

do_compile () {
#    build frontend
     chmod -R a+w ${S}/node_modules/@angular
     chmod 755 ${S}/node_modules/@angular/cli/bin/ng
     cd ${S}/ && ./node_modules/@angular/cli/bin/ng build --prod
}

I'm dealing with that problem:
https://lists.yoctoproject.org/g/yocto/message/52515


npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json from remote location

TRO
 

Hi,
bitbake fetcher for npmsw - npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json
wondering if it is possible to download npm-shrinkwrap.json from remote before evaluating its dependencies.
For instance - https, git.
Any ideas how to deal with that problem?
cheers Thomas
