
[meta-security][PATCH] security-test-image: auto include layers if present.

Armin Kuster
 

This is to simplify testing to build one image and include pkgs depending on the
layers included in the BBLAYERS.

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-core/images/security-test-image.bb | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/recipes-core/images/security-test-image.bb b/recipes-core/images/security-test-image.bb
index 54d8978..133a7a1 100644
--- a/recipes-core/images/security-test-image.bb
+++ b/recipes-core/images/security-test-image.bb
@@ -4,7 +4,16 @@ require security-build-image.bb

IMAGE_FEATURES += "ssh-server-openssh"

-TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
+IMAGE_INSTALL:append = "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm2","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "parsec-layer", "packagegroup-security-parsec","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \
+"
+
+TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata"
+TEST_SUITES:append = " parsec tpm2 swtpm ima"

INSTALL_CLAMAV_CVD = "1"

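Review bot: `TEST_SUITES:append = " parsec tpm2 swtpm ima"` is unconditional, while the packages those suites need are installed only when `tpm-layer`, `parsec-layer` or `integrity` appear in BBFILE_COLLECTIONS, so an image built without those layers still schedules the tests. Gate the appended suites with the same `bb.utils.contains` checks used in IMAGE_INSTALL:append. The new TEST_SUITES line also drops `ptest` and `tripwire`, which the commit message does not mention.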
--
2.25.1


[meta-security][PATCH] sssd: update to 2.7.1

Armin Kuster
 

drop CVE-2021-3621.patch
refresh a few patches

fixup configure-unsafe globally via sed in build.m4

=== test
RESULTS - sssd.SSSDTest.test_sssd_help: PASSED (1.70s)
RESULTS - sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk: PASSED (2.71s)
RESULTS - sssd.SSSDTest.test_sssd_sssctl_deamon: PASSED (2.07s)

Signed-off-by: Armin Kuster <akuster808@...>
---
.../sssd/files/CVE-2021-3621.patch | 288 ------------------
.../recipes-security/sssd/files/fix_gid.patch | 8 +-
.../recipes-security/sssd/files/no_gen.patch | 8 +-
.../sssd/{sssd_2.5.2.bb => sssd_2.7.1.bb} | 27 +-
4 files changed, 24 insertions(+), 307 deletions(-)
delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.5.2.bb => sssd_2.7.1.bb} (86%)

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
deleted file mode 100644
index 7a59df9..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
+++ /dev/null
@@ -1,288 +0,0 @@
-Backport patch to fix CVE-2021-3621.
-
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9]
-CVE: CVE-2021-3621
-
-Signed-off-by: Kai Kang <kai.kang@...>
-
-From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@...>
-Date: Fri, 18 Jun 2021 13:17:19 +0200
-Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
- user supplied command
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-:relnote: A flaw was found in SSSD, where the sssctl command was
-vulnerable to shell command injection via the logs-fetch and
-cache-expire subcommands. This flaw allows an attacker to trick
-the root user into running a specially crafted sssctl command,
-such as via sudo, to gain root access. The highest threat from this
-vulnerability is to confidentiality, integrity, as well as system
-availability.
-This patch fixes a flaw by replacing system() with execvp().
-
-:fixes: CVE-2021-3621
-
-Reviewed-by: Pavel Březina <pbrezina@...>
----
- src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
- src/tools/sssctl/sssctl.h | 2 +-
- src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
- src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
- 4 files changed, 73 insertions(+), 57 deletions(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 2997dbf968..8adaf30910 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
- return SSSCTL_PROMPT_ERROR;
- }
-
--errno_t sssctl_run_command(const char *command)
-+errno_t sssctl_run_command(const char *const argv[])
- {
- int ret;
-+ int wstatus;
-
-- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
-+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
-
-- ret = system(command);
-+ ret = fork();
- if (ret == -1) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
- ERROR("Error while executing external command\n");
- return EFAULT;
-- } else if (WEXITSTATUS(ret) != 0) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
-- command, WEXITSTATUS(ret));
-+ }
-+
-+ if (ret == 0) {
-+ /* cast is safe - see
-+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
-+ "The statement about argv[] and envp[] being constants ... "
-+ */
-+ execvp(argv[0], discard_const_p(char * const, argv));
- ERROR("Error while executing external command\n");
-- return EIO;
-+ _exit(1);
-+ } else {
-+ if (waitpid(ret, &wstatus, 0) == -1) {
-+ ERROR("Error while executing external command '%s'\n", argv[0]);
-+ return EFAULT;
-+ } else if (WEXITSTATUS(wstatus) != 0) {
-+ ERROR("Command '%s' failed with [%d]\n",
-+ argv[0], WEXITSTATUS(wstatus));
-+ return EIO;
-+ }
- }
-
- return EOK;
-@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
- #elif defined(HAVE_SERVICE)
- switch (action) {
- case SSSCTL_SVC_START:
-- return sssctl_run_command(SERVICE_PATH" sssd start");
-+ return sssctl_run_command(
-+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
- case SSSCTL_SVC_STOP:
-- return sssctl_run_command(SERVICE_PATH" sssd stop");
-+ return sssctl_run_command(
-+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
- case SSSCTL_SVC_RESTART:
-- return sssctl_run_command(SERVICE_PATH" sssd restart");
-+ return sssctl_run_command(
-+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
- }
- #endif
-
-diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
-index 0115b2457c..599ef65196 100644
---- a/src/tools/sssctl/sssctl.h
-+++ b/src/tools/sssctl/sssctl.h
-@@ -47,7 +47,7 @@ enum sssctl_prompt_result
- sssctl_prompt(const char *message,
- enum sssctl_prompt_result defval);
-
--errno_t sssctl_run_command(const char *command);
-+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
- bool sssctl_start_sssd(bool force);
- bool sssctl_stop_sssd(bool force);
- bool sssctl_restart_sssd(bool force);
-diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
-index 8d79b977fd..bf22913416 100644
---- a/src/tools/sssctl/sssctl_data.c
-+++ b/src/tools/sssctl/sssctl_data.c
-@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
- }
- }
-
-- ret = sssctl_run_command("sss_override user-export "
-- SSS_BACKUP_USER_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
-+ SSS_BACKUP_USER_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to export user overrides\n");
- return ret;
- }
-
-- ret = sssctl_run_command("sss_override group-export "
-- SSS_BACKUP_GROUP_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
-+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to export group overrides\n");
- return ret;
-@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
- }
-
- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
-- ret = sssctl_run_command("sss_override user-import "
-- SSS_BACKUP_USER_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
-+ SSS_BACKUP_USER_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to import user overrides\n");
- return ret;
-@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
- }
-
- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
-- ret = sssctl_run_command("sss_override group-import "
-- SSS_BACKUP_GROUP_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
-+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to import group overrides\n");
- return ret;
-@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
- void *pvt)
- {
- errno_t ret;
-- char *cmd_args = NULL;
-- const char *cachecmd = SSS_CACHE;
-- char *cmd = NULL;
-- int i;
--
-- if (cmdline->argc == 0) {
-- ret = sssctl_run_command(cachecmd);
-- goto done;
-- }
-
-- cmd_args = talloc_strdup(tool_ctx, "");
-- if (cmd_args == NULL) {
-- ret = ENOMEM;
-- goto done;
-+ const char **args = talloc_array_size(tool_ctx,
-+ sizeof(char *),
-+ cmdline->argc + 2);
-+ if (!args) {
-+ return ENOMEM;
- }
-+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
-+ args[0] = SSS_CACHE;
-+ args[cmdline->argc + 1] = NULL;
-
-- for (i = 0; i < cmdline->argc; i++) {
-- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
-- if (i != cmdline->argc - 1) {
-- cmd_args = talloc_strdup_append(cmd_args, " ");
-- }
-- }
--
-- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
-- if (cmd == NULL) {
-- ret = ENOMEM;
-- goto done;
-- }
--
-- ret = sssctl_run_command(cmd);
--
--done:
-- talloc_free(cmd_args);
-- talloc_free(cmd);
-+ ret = sssctl_run_command(args);
-
-+ talloc_free(args);
- return ret;
- }
-diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
-index 9ff2be05b6..ebb2c4571c 100644
---- a/src/tools/sssctl/sssctl_logs.c
-+++ b/src/tools/sssctl/sssctl_logs.c
-@@ -31,6 +31,7 @@
- #include <ldb.h>
- #include <popt.h>
- #include <stdio.h>
-+#include <glob.h>
-
- #include "util/util.h"
- #include "tools/common/sss_process.h"
-@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- {
- struct sssctl_logs_opts opts = {0};
- errno_t ret;
-+ glob_t globbuf;
-
- /* Parse command line. */
- struct poptOption options[] = {
-@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
-
- sss_signal(SIGHUP);
- } else {
-+ globbuf.gl_offs = 4;
-+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+ if (ret != 0) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+ return ret;
-+ }
-+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
-+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
-+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
-+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
-+
- PRINT("Truncating log files...\n");
-- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
-+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+ globfree(&globbuf);
- if (ret != EOK) {
- ERROR("Unable to truncate log files\n");
- return ret;
-@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
- void *pvt)
- {
- const char *file;
-- const char *cmd;
- errno_t ret;
-+ glob_t globbuf;
-
- /* Parse command line. */
- ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
-@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
- return ret;
- }
-
-- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
-- if (cmd == NULL) {
-- ERROR("Out of memory!");
-+ globbuf.gl_offs = 3;
-+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+ if (ret != 0) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+ return ret;
- }
-+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
-+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
-+ globbuf.gl_pathv[2] = discard_const_p(char, file);
-
- PRINT("Archiving log files into %s...\n", file);
-- ret = sssctl_run_command(cmd);
-+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+ globfree(&globbuf);
- if (ret != EOK) {
- ERROR("Unable to archive log files\n");
- return ret;
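Review bot: The commit message says only "drop CVE-2021-3621.patch"; because the removed file is a backport of upstream commit 7ab83f9 (system() replaced with execvp() in sssctl), the message should state explicitly that 2.7.1 already contains that commit, so CVE tracking keeps a record of why the patch went away. A single line such as "CVE-2021-3621.patch: included in 2.7.1" is enough.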
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
index 9b481cc..419b83f 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
@@ -12,10 +12,10 @@ from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@...>

-Index: sssd-2.5.0/src/util/debug.h
+Index: sssd-2.7.1/src/util/debug.h
===================================================================
---- sssd-2.5.0.orig/src/util/debug.h
-+++ sssd-2.5.0/src/util/debug.h
+--- sssd-2.7.1.orig/src/util/debug.h
++++ sssd-2.7.1/src/util/debug.h
@@ -24,6 +24,8 @@
#include "config.h"

@@ -23,5 +23,5 @@ Index: sssd-2.5.0/src/util/debug.h
+#include <unistd.h>
+#include <sys/types.h>
#include <stdbool.h>
+ #include <sys/types.h>

- #include "util/util_errors.h"
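Review bot: In the refreshed fix_gid.patch the context now shows ` #include <sys/types.h>` directly after `<stdbool.h>`, yet the patch still carries its own `+#include <sys/types.h>`, so debug.h ends up with that include twice. Trim the patch to the `<unistd.h>` line only. The patch header still quotes a `../sssd-2.5.0/` path and the status remains Pending, so the description wants a refresh as well.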
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
index 5c83777..7d8e80b 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
@@ -4,11 +4,11 @@ Upstream-Status: Inappropriate [OE Specific]

Signed-off-by: Armin Kuster <akuster808@...>

-Index: sssd-2.5.0/Makefile.am
+Index: sssd-2.7.1/Makefile.am
===================================================================
---- sssd-2.5.0.orig/Makefile.am
-+++ sssd-2.5.0/Makefile.am
-@@ -1033,8 +1033,6 @@ generate-sbus-code:
+--- sssd-2.7.1.orig/Makefile.am
++++ sssd-2.7.1/Makefile.am
+@@ -1023,8 +1023,6 @@ generate-sbus-code:

.PHONY: generate-sbus-code

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
similarity index 86%
rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb
rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
index 9f1d627..71f14a0 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
@@ -5,8 +5,9 @@ SECTION = "base"
LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"

-DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"
+DEPENDS = "acl attr cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS:append = " libldb dbus libtalloc libpcre2 glib-2.0 popt e2fsprogs libtevent"
+DEPENDS:append = " openldap bind p11-kit jansson softhsm openssl libunistring"

DEPENDS:append:libc-musl = " musl-nscd"

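Review bot: The third DEPENDS:append line makes `jansson softhsm openssl libunistring` unconditional build dependencies without saying which configure checks in 2.7.1 need them. `jansson` is already a dependency of PACKAGECONFIG[curl] in this recipe, and the PACKAGECONFIG[oidc_child] entry added further down has an empty dependency field; put feature-specific libraries in the matching PACKAGECONFIG entry, and mention the libpcre to libpcre2 switch in the commit message.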
@@ -23,10 +24,9 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
file://drop_ntpdate_chk.patch \
file://fix-ldblibdir.patch \
file://musl_fixup.patch \
- file://CVE-2021-3621.patch \
"

-SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
+SRC_URI[sha256sum] = "8eebd541a640aec95ed4b2da89713f0cbe8e4edf96895fbb972c0b9d570635c3"

inherit autotools pkgconfig gettext python3-dir features_check systemd

@@ -39,7 +39,7 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
"

-PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG ?="nss autofs sudo infopipe"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"

@@ -49,8 +49,8 @@ PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
PACKAGECONFIG[nss] = ", ,nss,"
+PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
@@ -65,7 +65,6 @@ EXTRA_OECONF += " \
--without-python2-bindings \
--enable-pammoddir=${base_libdir}/security \
--without-python2-bindings \
- --without-secrets \
--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
--with-pid-path=/run \
"
@@ -74,8 +73,8 @@ do_configure:prepend() {
mkdir -p ${AUTOTOOLS_AUXDIR}/build
cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/

- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+ # additional_libdir defaults to /usr/lib so replace with staging_libdir globally
+ sed -i -e "s#\$additional_libdir#\${STAGING_LIBDIR}#" ${S}/src/build_macros.m4
}

do_compile:prepend () {
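Review bot: The new sed expression `s#\$additional_libdir#\${STAGING_LIBDIR}#` has no `g` flag, so only the first occurrence on each line of build_macros.m4 is rewritten even though the comment says "globally". Add `g` if every use has to be replaced. The commit message names the file as build.m4 while this hunk edits src/build_macros.m4, and it should also say why the libresolv.m4 substitution is no longer needed.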
@@ -84,7 +83,11 @@ do_compile:prepend () {
do_install () {
oe_runmake install DESTDIR="${D}"
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+
install -d ${D}/${sysconfdir}/${BPN}
+ install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
+ mv ${D}/${BPN} ${D}/${PYTHON_SITEPACKAGES_DIR}
+
install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}

# /var/log/sssd needs to be created in runtime. Use rmdir to catch if
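Review bot: `mv ${D}/${BPN} ${D}/${PYTHON_SITEPACKAGES_DIR}` runs unconditionally, so do_install fails in any configuration where `make install` does not create ${D}/sssd; check a build with the python3 bindings disabled. Guard the move with a directory test, or better, fix the install location at configure time so the files never land in ${D}/sssd, and add a comment explaining why the move exists.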
@@ -106,6 +109,7 @@ do_install () {
# Remove /run as it is created on startup
rm -rf ${D}/run

+# rm -fr ${D}/sssd
rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
}

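Review bot: `# rm -fr ${D}/sssd` is a commented-out leftover and should be dropped before merging. In the same function `rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*` is kept although this patch removes `--without-secrets` from EXTRA_OECONF; say whether that cleanup is still needed with 2.7.1 or remove it too.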
@@ -116,8 +120,6 @@ fi
chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}

-FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
-
CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"

INITSCRIPT_NAME = "sssd"
@@ -141,10 +143,13 @@ PACKAGES =+ "libsss-sudo"
ALLOW_EMPTY:libsss-sudo = "1"

FILES:${PN} += "${base_libdir}/security/pam_sss*.so \
+ ${nonarch_libdir}/tmpfiles.d \
${datadir}/dbus-1/system-services/*.service \
${libdir}/krb5/* \
${libdir}/ldb/* \
+ ${PYTHON_SITEPACKAGES_DIR}/sssd \
"
+
FILES:libsss-sudo = "${libdir}/libsss_sudo.so"

RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"
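Review bot: `${PYTHON_SITEPACKAGES_DIR}/sssd` is added to FILES:${PN}, but RDEPENDS:${PN} on the last context line lists no python3 runtime. Either add the python3 runtime dependency or split the modules into their own package so the base sssd package does not ship files it cannot run.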
--
2.25.1


[meta-security][PATCH 2/2] oeqa: sssd.py fix tests

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
lib/oeqa/runtime/cases/sssd.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/oeqa/runtime/cases/sssd.py b/lib/oeqa/runtime/cases/sssd.py
index 4644836..1dfdb94 100644
--- a/lib/oeqa/runtime/cases/sssd.py
+++ b/lib/oeqa/runtime/cases/sssd.py
@@ -28,10 +28,10 @@ class SSSDTest(OERuntimeTestCase):

@OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk'])
def test_sssd_sssctl_deamon(self):
- status, output = self.target.run('sssctl domain-status')
+ status, output = self.target.run('sssctl domain-list')
match = re.search('No domains configured, fatal error!', output)
if match:
- msg = ('sssctl domain-status failed, sssd.conf not setup correctly. '
+ msg = ('sssctl domain-list failed, sssd.conf not setup correctly. '
'Status and output:%s and %s' % (status, output))
self.assertEqual(status, 0, msg = msg)

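Review bot: `msg` is assigned only under `if match:`, so the `assertEqual(status, 0, msg = msg)` line either sits inside that branch, in which case a non-zero exit from `sssctl domain-list` without the "No domains configured" string passes unnoticed, or sits outside it and references an unset name. Build the message unconditionally and assert on `status` for every run. The commit message is empty and should say why `domain-status` was replaced.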
--
2.25.1


[meta-security][PATCH 1/2] sssd: use example conf file

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
.../recipes-security/sssd/files/sssd.conf | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
index 1709a7a..1e8b537 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
@@ -1,8 +1,15 @@
[sssd]
services = nss, pam
-config_file_version = 2
+domains = shadowutils

[nss]

[pam]

+[domain/shadowutils]
+id_provider = files
+
+auth_provider = proxy
+proxy_pam_target = sssd-shadowutils
+
+proxy_fast_alias = True
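Review bot: The new `[domain/shadowutils]` section sets `proxy_pam_target = sssd-shadowutils`, but the diffstat shows only sssd.conf changing, so nothing in this patch provides a PAM service file of that name on the target. Confirm the recipe installs one, otherwise authentication through this domain has no PAM stack to proxy to. The removal of `config_file_version = 2` also deserves a line in the commit message, which is currently empty.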
--
2.25.1


[ANNOUNCEMENT] Milestone 1 for Yocto Project 4.1 (yocto-4.1_M1) Now Available

Lee Chee Yang
 

Hi

We are pleased to announce the first milestone release for Yocto Project 4.1 (yocto-4.1_M1) is now available for download.

Download:

http://downloads.yoctoproject.org/releases/yocto/milestones/yocto-4.1_M1

bitbake: 6a346df51b96a6c0e1ee516df36eb0b6c292b063

meta-agl: 3a0b7a965ba370ca1fbe2ca0e2ac3babace5204d

meta-arm: 0c4c33de09aa921cafcea2ad4b7bc0e19f844213

meta-aws: b2f5ef7e724d3a2271ef99d748734578cf8fcb1a

meta-gplv2: d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a

meta-intel: ebb8c1c26e57e78563760431a57b6da388b82be2

meta-mingw: a90614a6498c3345704e9611f2842eb933dc51c1

meta-openembedded: 90ff53b8df1e3259cbc201c658a4f3f4dddf3aa8

meta-virtualization: 8e8f59d007ca8d60ec77565663cf6285b8acbbd4

oecore: 18a0c31b3386aa5a04eb8ee8e804c2415a61eaaf

poky: 95066dde6861ee08fdb505ab3e0422156cc24fae

 

Full Test Report:

http://downloads.yoctoproject.org/releases/yocto/milestones/yocto-4.1_M1/testreport.txt

Known Issue:

There was an issue identified in testing with the 5.15 kernel point release included in M1 with an oops from the framebuffer code. This is confirmed to be fixed in newer 5.15 point releases and those are included on master and will be in M2.

Thank you.

Chee Yang

chee.yang.lee@...

Yocto Project Build and Release


Re: Question about pseudo abort errors

Richard Purdie
 

On Fri, 2022-06-10 at 10:05 -0700, Rusty Howell wrote:
> Thanks for the response, Richard. Is the pseudo database located
> inside TMPDIR? I have deleted the TMPDIR at times to try to get my
> build back to a working state. If the pseudo db is outside TMPDIR,
> then that would be the most likely cause of this error. But I would
> think that other OSS recipes would generate this same error after I
> delete TMPDIR, not just my company ones.

The pseudo database is per workdir (i.e. per recipe) in WORKDIR/pseudo.

Cheers,

Richard


Re: Question about pseudo abort errors

Rusty Howell
 

Thanks for the response, Richard.   Is the pseudo database located inside TMPDIR?   I have deleted the TMPDIR at times to try to get my build back to a working state. If the pseudo db is outside TMPDIR, then that would be the most likely cause of this error. But I would think that other OSS recipes would generate this same error after I delete TMPDIR, not just my company ones.


[meta-security][PATCH] oeqa: fix checksec runtime test

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
lib/oeqa/runtime/cases/checksec.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/oeqa/runtime/cases/checksec.py b/lib/oeqa/runtime/cases/checksec.py
index e46744c..53e6c1d 100644
--- a/lib/oeqa/runtime/cases/checksec.py
+++ b/lib/oeqa/runtime/cases/checksec.py
@@ -19,7 +19,7 @@ class CheckSecTest(OERuntimeTestCase):

@OETestDepends(['checksec.CheckSecTest.test_checksec_help'])
def test_checksec_xml(self):
- status, output = self.target.run('checksec --format xml --proc-all')
+ status, output = self.target.run('checksec --format=xml --proc=1')
msg = ('checksec xml failed. Output: %s' % output)
self.assertEqual(status, 0, msg = msg)

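Review bot: Replacing `--proc-all` with `--proc=1` narrows the test from all running processes to a single `--proc=1` selection, and the empty commit message gives no reason for it. If the change is only needed to match the `--format=xml` style of option syntax, say so, and consider keeping an all-process check so that hardening regressions in other processes are still exercised.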
--
2.25.1


[meta-security][PATCH 4/4] packagegroup-core-security.bbappend: add sssd

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
.../packagegroup/packagegroup-core-security.bbappend | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend

diff --git a/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend b/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend
new file mode 100644
index 0000000..6bafd9f
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend
@@ -0,0 +1,4 @@
+
+RDEPENDS:packagegroup-security-utils += "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+"
--
2.25.1


[meta-security][PATCH 3/4] packagegroup-core-security: drop sssd

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-core/packagegroup/packagegroup-core-security.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb
index f381d91..636563f 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -36,7 +36,7 @@ RDEPENDS:packagegroup-security-utils = "\
softhsm \
sshguard \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
"

--
2.25.1


[meta-security][PATCH 2/4] layer.conf:add meta-networking to BBFILES_DYNAMIC

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
conf/layer.conf | 2 ++
1 file changed, 2 insertions(+)

diff --git a/conf/layer.conf b/conf/layer.conf
index fa7d79e..470c7f6 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,6 +18,8 @@ BBFILES_DYNAMIC += " \
perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bbappend \
meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bb \
meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bbappend \
+ networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/recipes-*/*/*.bb \
+ networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/recipes-*/*/*.bbappend \
"

# Sanity check for meta-security layer.
--
2.25.1


[meta-security][PATCH 1/4] sssd:move to dynamic networking-layer

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
.../recipes-security}/sssd/files/CVE-2021-3621.patch | 0
.../recipes-security}/sssd/files/drop_ntpdate_chk.patch | 0
.../recipes-security}/sssd/files/fix-ldblibdir.patch | 0
.../networking-layer/recipes-security}/sssd/files/fix_gid.patch | 0
.../recipes-security}/sssd/files/musl_fixup.patch | 0
.../networking-layer/recipes-security}/sssd/files/no_gen.patch | 0
.../networking-layer/recipes-security}/sssd/files/sssd.conf | 0
.../recipes-security}/sssd/files/volatiles.99_sssd | 0
.../networking-layer/recipes-security}/sssd/sssd_2.5.2.bb | 0
9 files changed, 0 insertions(+), 0 deletions(-)
rename {recipes-security => dynamic-layers/networking-layer/recipes-security}/sssd/files/CVE-2021-3621.patch (100%)
rename {recipes-security => dynamic-layers/networking-layer/recipes-security}/sssd/files/drop_ntpdate_chk.patch (100%)
rename {recipes-security => dynamic-layers/networking-layer/recipes-security}/sssd/files/fix-ldblibdir.patch (100%)
rename {recipes-security => dynamic-layers/networking-layer/recipes-security}/sssd/files/fix_gid.patch (100%)
rename {recipes-security => dynamic-layers/networking-layer/recipes-security}/sssd/files/musl_fixup.patch (100%)
rename {recipes-security => dynamic-layers/networking-layer/recipes-security}/sssd/files/no_gen.patch (100%)
rename {recipes-security => dynamic-layers/networking-layer/recipes-security}/sssd/files/sssd.conf (100%)
rename {recipes-security => dynamic-layers/networking-layer/recipes-security}/sssd/files/volatiles.99_sssd (100%)
rename {recipes-security => dynamic-layers/networking-layer/recipes-security}/sssd/sssd_2.5.2.bb (100%)

diff --git a/recipes-security/sssd/files/CVE-2021-3621.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
similarity index 100%
rename from recipes-security/sssd/files/CVE-2021-3621.patch
rename to dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
diff --git a/recipes-security/sssd/files/drop_ntpdate_chk.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
similarity index 100%
rename from recipes-security/sssd/files/drop_ntpdate_chk.patch
rename to dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
diff --git a/recipes-security/sssd/files/fix-ldblibdir.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
similarity index 100%
rename from recipes-security/sssd/files/fix-ldblibdir.patch
rename to dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
diff --git a/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
similarity index 100%
rename from recipes-security/sssd/files/fix_gid.patch
rename to dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
diff --git a/recipes-security/sssd/files/musl_fixup.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
similarity index 100%
rename from recipes-security/sssd/files/musl_fixup.patch
rename to dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
diff --git a/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
similarity index 100%
rename from recipes-security/sssd/files/no_gen.patch
rename to dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
diff --git a/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
similarity index 100%
rename from recipes-security/sssd/files/sssd.conf
rename to dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
diff --git a/recipes-security/sssd/files/volatiles.99_sssd b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
similarity index 100%
rename from recipes-security/sssd/files/volatiles.99_sssd
rename to dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb
similarity index 100%
rename from recipes-security/sssd/sssd_2.5.2.bb
rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb
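Review bot: Applied on its own, this rename leaves the tree unbuildable for anyone bisecting: the sssd recipe now lives under dynamic-layers/networking-layer, but conf/layer.conf only gains the `networking-layer` BBFILES_DYNAMIC entries in 2/4 and packagegroup-core-security.bb still lists `sssd` in RDEPENDS until 3/4. Reorder the series so the layer.conf change comes first, or squash 1/4 to 4/4 into one commit. The commit message should also say why sssd needs the networking layer.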
--
2.25.1


Re: Question about pseudo abort errors

Richard Purdie
 

On Thu, 2022-06-09 at 10:38 -0600, Rusty Howell wrote:
> My company is using yocto. When building our own recipes, I get
> pseudo abort errors rather often. I've read the wiki page about
> them, but I'm not sure exactly what we are doing wrong that is making
> this happen. We have many recipes for various libraries and
> applications. The files listed in the abort error log are usually
> C++ header files.
>
> A coworker has told me that setting PACKAGE_DEBUG_SPLIT_STYLE =
> "debug-without-src" in the local.conf will allow bitbake to ignore
> this error. But in the end, I would like to understand what exactly
> is the root cause, so that I can adjust our recipes to fix this.
>
> Here is the pseudo.log from the most recent failure. I know a lot of
> proprietary context is missing for anyone in the OSS community to
> give super confident answers, but I appreciate any suggestions.
>
> Some context here:
> * We have a legacy git repo that contains the source for several
> different libraries.
> * We use CMake recursively to build all the libs from the top level.
> * Some libs depend on other libs in the repo.
> * I am trying to build the recipe "libc4statsclient", which is just
> one of the libs in the repo.
> * The header file shown in the error is part of another library and
> recipe.
>
>
> ERROR: Task (/home/rhowell/corex-develop/yocto/sources/c4-distro/meta-c4/recipes-c4/libc4statsdclient/libc4statsdclient_git.bb:do_install) failed with exit code '1'
> Pseudo log:
> Setup complete, sending SIGUSR1 to pid 3063620.
> path mismatch [3 links]: ino 3804719 db '/home/rhowell/corex-develop/yocto/build.imx8mq-core/tmp/work/imx8mq_core-control4-linux/libc4statsdclient/local+AUTOINC+e18ad903a2-r3/package/usr/src/debug/libc4statsdclient/local+AUTOINC+e18ad903a2-r3/git/control4/c4shared/logger/logger.hpp' req '/home/rhowell/corex-develop/yocto/build.imx8mq-core/tmp/work/imx8mq_core-control4-linux/libc4statsdclient/local+AUTOINC+e18ad903a2-r3/git/control4/c4shared/logger/logger.hpp'.
>
> Thanks for your time and any suggestions.

Starting with the error message, it says that a path of:

WORKDIR/git/control4/c4shared/logger/logger.hpp

was accessed and it was found in the pseudo database as:

WORKDIR/package/usr/src/debug/libc4statsdclient/local+AUTOINC+e18ad903a2-r3/git/control4/c4shared/logger/logger.hpp

This doesn't seem so unusual to me since recipe source files would
often be hardlinked into package/usr/src/debug as part of the build,
however the ordering is backwards, the git/ should be created first,
then the WORKDIR/package one.

I was thinking this was really odd, then I realised you say this
aborted in do_install. WORKDIR/package is created by do_package, *not*
do_install which runs before do_package. This probably starts to hint
at what is going on.

Is this a directory where a previous build has run? If so, what changed
between the build runs?

My suspicion is that WORKDIR/package is being deleted outside of pseudo
and that is confusing things. The question is what/where it is being
deleted. Are you using rm_work?

The WORKDIR/temp/log.task_order file can be interesting to see which
tasks reran and in which order.

I appreciate this isn't an answer but it might give you an idea where
to look...

Cheers,

Richard
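The reading of the "path mismatch" line given in the reply above can be scripted. This is an added example, not part of the original thread or of pseudo itself: it parses such lines, reduces both paths to WORKDIR-relative form, and flags the case where the recorded path sits in a directory that a task after the failing one creates. The function names, the shortened sample path and the directory-to-task table (usual OE-core layout) are assumptions.

```python
import os
import re

# Constructed sample: the pseudo log from the thread with the long WORKDIR
# prefix shortened to /build/work/r3.
SAMPLE_LOG = (
    "Setup complete, sending SIGUSR1 to pid 3063620.\n"
    "path mismatch [3 links]: ino 3804719 "
    "db '/build/work/r3/package/usr/src/debug/libc4statsdclient/"
    "local+AUTOINC+e18ad903a2-r3/git/control4/c4shared/logger/logger.hpp' "
    "req '/build/work/r3/git/control4/c4shared/logger/logger.hpp'.\n"
)
MISMATCH_RE = re.compile(
    r"path mismatch \[(?P<links>\d+) links?\]: ino (?P<ino>\d+) "
    r"db '(?P<db>[^']+)' req '(?P<req>[^']+)'"
)
# Top-level WORKDIR directories and the task that normally creates them
# (usual OE-core layout; an assumption for recipes that override D or PKGD).
AREA_TASK = {"image": "do_install", "package": "do_package",
             "packages-split": "do_package"}
TASK_ORDER = ["do_unpack", "do_install", "do_package"]


def parse_mismatches(log_text):
    """Return one dict per 'path mismatch' line, with WORKDIR-relative paths."""
    entries = []
    for m in MISMATCH_RE.finditer(log_text):
        workdir = os.path.commonpath([m["db"], m["req"]])
        entries.append({
            "ino": int(m["ino"]),
            "links": int(m["links"]),
            "workdir": workdir,
            "db": os.path.relpath(m["db"], workdir),
            "req": os.path.relpath(m["req"], workdir),
        })
    return entries


def creating_task(rel_path):
    """Task that usually creates a WORKDIR-relative path (source tree otherwise)."""
    return AREA_TASK.get(rel_path.split(os.sep, 1)[0], "do_unpack")


def recorded_by_later_task(entry, failing_task):
    """True when pseudo's recorded path lives in a directory that a task after
    the failing one creates, which points at state left by an earlier run."""
    recorded = creating_task(entry["db"])
    return TASK_ORDER.index(recorded) > TASK_ORDER.index(failing_task)
```

For the sample, `recorded_by_later_task(entry, "do_install")` is true: the database path is under package/, which do_package creates, while the failing task is do_install.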


Question about pseudo abort errors

Rusty Howell
 

Hello,

My company is using yocto.  When building our own recipes, I get pseudo abort errors rather often.  I've read the wiki page about them, but I'm not sure exactly what we are doing wrong that is making this happen.  We have many recipes for various libraries and applications.  The files listed in the abort error log are usually C++ header files.

A coworker has told me that setting PACKAGE_DEBUG_SPLIT_STYLE = "debug-without-src" in the local.conf will allow bitbake to ignore this error. But in the end, I would like to understand what exactly is the root cause, so that I can adjust our recipes to fix this.

Here is the pseudo.log from the most recent failure. I know a lot of proprietary context is missing for anyone in the OSS community to give super confident answers, but I appreciate any suggestions.

Some context here: 
* We have a legacy git repo that contains the source for several different libraries. 
* We use CMake recursively to build all the libs from the top level.
* Some libs depend on other libs in the repo.
* I am trying to build the recipe "libc4statsclient", which is just one of the libs in the repo.
* The header file shown in the error is part of another library and recipe.


ERROR: Task (/home/rhowell/corex-develop/yocto/sources/c4-distro/meta-c4/recipes-c4/libc4statsdclient/libc4statsdclient_git.bb:do_install) failed with exit code '1'
Pseudo log:
Setup complete, sending SIGUSR1 to pid 3063620.
path mismatch [3 links]: ino 3804719 db '/home/rhowell/corex-develop/yocto/build.imx8mq-core/tmp/work/imx8mq_core-control4-linux/libc4statsdclient/local+AUTOINC+e18ad903a2-r3/package/usr/src/debug/libc4statsdclient/local+AUTOINC+e18ad903a2-r3/git/control4/c4shared/logger/logger.hpp' req '/home/rhowell/corex-develop/yocto/build.imx8mq-core/tmp/work/imx8mq_core-control4-linux/libc4statsdclient/local+AUTOINC+e18ad903a2-r3/git/control4/c4shared/logger/logger.hpp'.

Thanks for your time and any suggestions.
Rusty Howell


Re: Minutes: Yocto Project Weekly Triage Meeting 6/9/2022

Richard Purdie
 

On Thu, 2022-06-09 at 12:10 -0400, Sakib Sajal wrote:
Wiki: https://wiki.yoctoproject.org/wiki/Bug_Triage
Attendees: Richard, Steve Sakoman, Tim Orling, Pavel, Aryaman Gupta,
Stephen Jolley, Randy, Luca Ceresoli, Michael Opdenacker
ARs:
Richard:
    - Bug 9762: close with a sensible log message
Done.

Cheers,

Richard


Minutes: Yocto Project Weekly Triage Meeting 6/9/2022

sakib.sajal@...
 

Wiki: https://wiki.yoctoproject.org/wiki/Bug_Triage

Attendees: Richard, Steve Sakoman, Tim Orling, Pavel, Aryaman Gupta, Stephen Jolley, Randy, Luca Ceresoli, Michael Opdenacker

ARs:

Richard:

    - Bug 9762: close with a sensible log message

Notes:
N/A

Medium+ 4.1 Unassigned Enhancements/Bugs: 73 (Last week 74)

Medium+ 4.99 Unassigned Enhancements/Bugs: 45 (Last week 47)

AB Bugs: 47 (Last week 47)


Re: How to remove the python3 from Yocto SDK

Ross Burton
 

It would be fairly simple to make a ‘dummy’ python3 recipe, like there already is for perl, which you can explicitly add to the SDK to use the host python. This would break anything inside the SDK which is a Python module with a C extension, as those need to be built against the right python.

Ross

From: yocto@... <yocto@...> on behalf of Alexander Kanavin via lists.yoctoproject.org <alex.kanavin=gmail.com@...>
Date: Tuesday, 7 June 2022 at 14:56
To: Vinothkumar Eswaran <evinoth1206@...>
Cc: Yocto-mailing-list <yocto@...>
Subject: Re: [yocto] How to remove the python3 from Yocto SDK

Python3 isn't directly pulled into the SDK, but is a runtime
dependency of other items, such as meson. You can check that by

$ bitbake core-image-minimal -g -c populate_sdk

and reading/grepping the .dot file for nativesdk-python3.

Meson in turn is pulled in by the sdk packagegroup:

$ grep nativesdk-meson task-depends.dot |grep packagegroup
"nativesdk-packagegroup-sdk-host.do_package_write_rpm" ->
"nativesdk-meson.do_packagedata"

I guess if you drop all python consumers from packagegroups, then
python won't get pulled in either, but that is swimming in uncharted
waters, and you'll need to ensure replacements from the host are
available.

Alex

On Tue, 7 Jun 2022 at 14:21, Vinothkumar Eswaran <evinoth1206@...> wrote:
>
> Hi Alex,
>
> yes the absolute path works. May I ask why python3 is part of the SDK and is it possible to remove it from the SDK ?
>
> regards,
>
> Vinothkumar


[meta-security][PATCH] apparmor: fix ownership issues

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-mac/AppArmor/apparmor_3.0.4.bb | 2 ++
1 file changed, 2 insertions(+)

diff --git a/recipes-mac/AppArmor/apparmor_3.0.4.bb b/recipes-mac/AppArmor/apparmor_3.0.4.bb
index 046a3a0..896abfe 100644
--- a/recipes-mac/AppArmor/apparmor_3.0.4.bb
+++ b/recipes-mac/AppArmor/apparmor_3.0.4.bb
@@ -101,6 +101,8 @@ do_install () {
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
fi
+ chown root:root -R ${D}/${sysconfdir}/apparmor.d
+ chown root:root -R ${D}/${datadir}/apparmor
}

#Building ptest on arm fails.
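Review bot: the two added chown lines at the end of do_install write the paths as ${D}/${sysconfdir} and ${D}/${datadir}; both variables are already absolute, so the usual form is ${D}${sysconfdir}/apparmor.d and ${D}${datadir}/apparmor, and putting -R before root:root keeps the options ahead of the operands. The commit message carries only a sign-off, so it would also help to say which installed files ended up with the wrong owner and what reported it.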
--
2.25.1


Re: Force binary package install

Richard Purdie
 

On Tue, 2022-06-07 at 18:17 -0700, Rudolf J Streif wrote:
> On 6/7/22 4:36 PM, Chuck Wolber wrote:
> > >> Is there an elegant way around it?
> > >>
> > >>
> > >> Error:
> > >>    Problem: conflicting requests
> > >>     - nothing provides libdl.so.2 needed by
> > >> xxx-single-group-0.1-r0.cortexa53_crypto
> > >>     - nothing provides libdl.so.2(GLIBC_2.0) needed by
> >
> > Could this be considered a bug in the package_rpm.bbclass? It seems
> > to me that if you skip files-rdeps,
> > we might not want to be adding anything into splitpreinst.
> > Otherwise it seems silly to tell insane.bbclass
> > to skip something that RPM is going to ding you on later anyway. Or
> > maybe I am confused...
> >
> > In any case, I believe what you may be seeing can be viewed as an
> > RPM-ism, and not necessarily a
> > yocto-ism per se. So you might consider trying one of the following
> > to work around the problem:
>
> It's Yocto that creates the spec file for rpm. Apparently, besides
> relying on what is declared in RDEPENDS, it
> actually iterates over the files and appends the dependencies (and
> their versions). It results in this:
>
> Requires: libc.so.6
> Requires: libc.so.6()(64bit)
> Requires: libc.so.6(GLIBC_2.0)
> Requires: libc.so.6(GLIBC_2.1)
> Requires: libc.so.6(GLIBC_2.1.3)
> Requires: libc.so.6(GLIBC_2.17)(64bit)
> Requires: libc.so.6(GLIBC_2.2)
> Requires: libc.so.6(GLIBC_2.28)(64bit)
> Requires: libc.so.6(GLIBC_2.3)
> Requires: libc.so.6(GLIBC_2.3.4)
> Requires: libc.so.6(GLIBC_2.4)
> Requires: libc.so.6(GLIBC_2.7)
>
> Removing anything but the first two lines would probably do the
> trick. So if file-rdeps is declared in INSANE_SKIP
> it should simply only use the declared RDEPENDS and not analyze the
> files.

If that works at runtime it makes me wonder if our glibc shouldn't be
providing some of those things? What does our glibc package say it is
providing? How does that compare to what objdump says?

Cheers,

Richard


Re: Force binary package install

Alexander Kanavin
 

I think what should help you is
EXCLUDE_FROM_SHLIBS = "1"
which disables poking into libraries to auto-generate those
dependencies that otherwise cause both qa and dnf errors.

Alex

On Wed, 8 Jun 2022 at 00:48, Rudolf J Streif <rudolf.streif@...> wrote:


On 6/7/22 3:12 PM, Alexander Kanavin wrote:

Can you drop insane_skip for a moment and show what errors then happen?


Yes, thank you.

ERROR: xxx-single-group-0.1-r0 do_package_qa: QA Issue: /opt/binstuf/linux-allwinneryocto-armle-opengles_2.0-obj/lib/libfbxsdk.so contained in package xxx-single-group requires libpthread.so.0(GLIBC_2.2), but no providers found in RDEPENDS:xxx-single-group? [file-rdeps]

There are many more of these errors.


Objdump on libfbxsdk.so:

Version References:
required from libgcc_s.so.1:
0x0b792650 0x00 12 GCC_3.0
required from libpthread.so.0:
0x0d696912 0x00 10 GLIBC_2.2
0x09691972 0x00 07 GLIBC_2.3.2
0x0d696911 0x00 05 GLIBC_2.1
0x0d696910 0x00 03 GLIBC_2.0
required from libc.so.6:
0x0d696912 0x00 11 GLIBC_2.2
0x0d696917 0x00 09 GLIBC_2.7
0x0d696911 0x00 08 GLIBC_2.1
0x0d696913 0x00 06 GLIBC_2.3
0x09691f73 0x00 04 GLIBC_2.1.3
0x0d696910 0x00 02 GLIBC_2.0

Objdump on libpthread.so.0:

Version definitions:
1 0x01 0x0e2f2c50 libpthread.so.0
2 0x00 0x06969197 GLIBC_2.17
3 0x00 0x06969198 GLIBC_2.18
GLIBC_2.17
4 0x00 0x06969188 GLIBC_2.28
GLIBC_2.18
5 0x00 0x069691b0 GLIBC_2.30
GLIBC_2.28
6 0x00 0x069691b1 GLIBC_2.31
GLIBC_2.30


The versions don't match hence dnf throws an error. I guess I can defer the error with INSANE_SKIP += "file-rdeps" but then it comes up again when installing.



Alex

On Tue 7. Jun 2022 at 22.57, Rudolf J Streif <rudolf.streif@...> wrote:


On 6/7/22 12:44 PM, Alexander Kanavin wrote:
Can you show the recipe that you wrote for the blob?
Not exactly as is because of customer names, but below is a sanitized
version:


SUMMARY = "Binary Stuff"

LICENSE = "CLOSED"

SRC_URI = "file://binary_installer.tgz \
"

do_install() {
    install -d -m 0755 ${D}/opt/binstuff
    # Copy the unpacked tree into the directory created above
    tar cf - -C ${WORKDIR}/opt/binstuff . | tar xf - -C ${D}/opt/binstuff
}

FILES:${PN} = "/opt/binstuff"


RDEPENDS:${PN} += "libsystemd libudev libgpiod wayland"
INSANE_SKIP:${PN} += "ldflags file-rdeps arch staticdev"

The recipe itself builds just fine and creates the RPM package. However,
some of the binaries inside the package have been built against
shared libs of older versions. The libs are there of course but with the
wrong version. Adding file-rdeps to INSANE_SKIP addresses this at build
time. But when installing the package in the rootfs dnf does a
dependency check which then fails.

I don't know if there is an elegant way of overriding dnf to force
installation of the package.



Alex

On Tue, 7 Jun 2022 at 20:59, Rudolf J Streif <rudolf.streif@...> wrote:
I have been handed a binary package that I am integrating into a Yocto
build.

When dnf runs it complains about missing dependencies. These are
standard libraries of course but the culprit is the incompatible
version. The software runs fine when I install it on the target using
the script/tar installation it comes with. Needless to say that YP
packaging QA complains about this already when assembling the package.
However, there I can silence the complaints with INSANE_SKIP.

Unfortunately I have not found a method doing the same when the package
is installed by the image class.

Is there an elegant way around it?


Error:
Problem: conflicting requests
- nothing provides libdl.so.2 needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libdl.so.2(GLIBC_2.0) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libdl.so.2(GLIBC_2.1) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libgcc_s.so.1 needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libgcc_s.so.1(GCC_3.0) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libm.so.6 needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libm.so.6(GLIBC_2.0) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libm.so.6(GLIBC_2.1) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libpthread.so.0 needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libpthread.so.0(GLIBC_2.0) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libpthread.so.0(GLIBC_2.1) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libpthread.so.0(GLIBC_2.2) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides libpthread.so.0(GLIBC_2.3.2) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides librt.so.1 needed by
xxx-single-group-0.1-r0.cortexa53_crypto
- nothing provides librt.so.1(GLIBC_2.2) needed by
xxx-single-group-0.1-r0.cortexa53_crypto
(try to add '--skip-broken' to skip uninstallable packages)


--
Rudolf J Streif
CEO/CTO ibeeto
+1.855.442.3386 x700
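The comparison made by hand in the thread above (versions referenced by libfbxsdk.so against versions defined by libpthread.so.0) can be automated. This is an added example, not code from the thread or from OpenEmbedded: it parses the two `objdump -p` sections and lists the references with no matching definition, written in the `soname(VERSION)` form that appears in the file-rdeps and dnf messages. The function names and the trimmed sample text are assumptions.

```python
import re

# Constructed sample: objdump -p excerpts as quoted in the thread, trimmed.
REFS = """\
Version References:
  required from libgcc_s.so.1:
    0x0b792650 0x00 12 GCC_3.0
  required from libpthread.so.0:
    0x0d696912 0x00 10 GLIBC_2.2
    0x09691972 0x00 07 GLIBC_2.3.2
    0x0d696911 0x00 05 GLIBC_2.1
    0x0d696910 0x00 03 GLIBC_2.0
"""
DEFS = """\
Version definitions:
1 0x01 0x0e2f2c50 libpthread.so.0
2 0x00 0x06969197 GLIBC_2.17
3 0x00 0x06969198 GLIBC_2.18
    GLIBC_2.17
"""
REF_LINE = re.compile(r"^\s*0x[0-9a-f]+\s+0x[0-9a-f]+\s+\d+\s+(\S+)\s*$")
DEF_LINE = re.compile(r"^\s*\d+\s+(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+(\S+)\s*$")


def required_versions(objdump_text):
    """Map each needed soname to the symbol versions the binary references."""
    refs, lib = {}, None
    for line in objdump_text.splitlines():
        head = re.match(r"\s*required from (\S+):", line)
        if head:
            lib = head.group(1)
            refs[lib] = set()
        elif lib and (m := REF_LINE.match(line)):
            refs[lib].add(m.group(1))
    return refs


def defined_versions(objdump_text):
    """Versions a library defines, skipping the base entry (flag bit 0x01)."""
    found = set()
    for line in objdump_text.splitlines():
        m = DEF_LINE.match(line)
        if m and not int(m.group(1), 16) & 0x01:
            found.add(m.group(2))
    return found


def unprovided(refs, soname, defs):
    """Unmet references in the 'soname(VERSION)' form the QA and dnf errors use."""
    return sorted(f"{soname}({v})" for v in refs.get(soname, set()) - defs)
```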
