[meta-security][PATCH 1/3] oeqa/clamav drop deprecated --list-mirror test
Fix download test
Signed-off-by: Armin Kuster <akuster808@...> --- lib/oeqa/runtime/cases/clamav.py | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/lib/oeqa/runtime/cases/clamav.py b/lib/oeqa/runtime/cases/clamav.py index cf83937..e0cad8f 100644 --- a/lib/oeqa/runtime/cases/clamav.py +++ b/lib/oeqa/runtime/cases/clamav.py @@ -1,4 +1,4 @@ -# Copyright (C) 2019 Armin Kuster <akuster808@...> +# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@...> # import re from tempfile import mkstemp @@ -48,21 +48,8 @@ class ClamavTest(OERuntimeTestCase): self.assertEqual(status, 0, msg = msg) @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net']) - def test_freshclam_check_mirrors(self): - status, output = self.target.run('freshclam --list-mirrors') - match = re.search('Failures: 0', output) - if not match: - msg = ('freshclam --list-mirrors: failed. ' - 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 1, msg = msg) - - @OETestDepends(['clamav.ClamavTest.test_freshclam_check_mirrors']) def test_freshclam_download(self): status, output = self.target.run('freshclam --show-progress') - match = re.search('Database updated', output) - #match = re.search('main.cvd is up to date', output) - if not match: - msg = ('freshclam : DB dowbload failed. ' - 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 1, msg = msg) - + msg = ('freshclam : DB dowbload failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) -- 2.25.1 |
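Review bot: the rewritten test_freshclam_download no longer looks at freshclam's output at all; the 'Database updated' check is gone and the test only asserts a zero exit status. That is acceptable if the goal is just "the download path works", but an exit status of 0 does not by itself show that a fresh database was fetched (freshclam also exits 0 when every database is already current, which the commented-out 'main.cvd is up to date' line hints at), so consider asserting on one of those two strings in addition to the status. Two nits in the same hunk: the new message text keeps the typo 'DB dowbload failed' (should be 'download'), and 'msg = msg' should be 'msg=msg' per PEP 8 keyword-argument style. Also check whether 'import re' at the top of the file is still used now that test_freshclam_check_mirrors is gone.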
|
Regression in rust-cross-canadian-aarch64
Peter Bergin
Hi,
I experience a build failure in the compilation step of the recipe rust-cross-canadian-aarch64. I've used latest master from poky and just changed the MACHINE to qemuarm64. When I execute 'bitbake rust-cross-canadian-aarch64' it ends up in an error with object files in the wrong format. I have been trying to bisect this issue but cannot get a reproducible result. The first thing I would like to get help with is to hear if someone else also experiences this issue?

Here is a summary of what I see in log.do_compile:

<snip>
release/deps/std-b23e9faab40803e6.std.1f52b5e3-cgu.0.rcgu.o: Relocations in generic ELF (EM: 62)
/work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../libexec/aarch64-poky-linux/gcc/aarch64-poky-linux/12.1.0/ld: /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/rustc-1.60.0-src/build/x86_64-unknown-linux-gnu/stage2-std/aarch64-poky-linux/release/deps/std-b23e9faab40803e6.std.1f52b5e3-cgu.0.rcgu.o: error adding symbols: file in wrong format
collect2: error: ld returned 1 exit status
<snip>
RuntimeError: failed to run: /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/rustc-1.60.0-src/build/bootstrap/debug/bootstrap -j 8 build --stage 2 --verbose
WARNING: /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/temp/run.do_compile.1244376:177 exit 1 from 'python3 src/bootstrap/bootstrap.py -j 8 "$@" --verbose'
WARNING: Backtrace (BB generated script):
        #1: rust_runx, /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/temp/run.do_compile.1244376, line 177
        #2: do_compile, /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/temp/run.do_compile.1244376, line 160
        #3: main, /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/temp/run.do_compile.1244376, line 200

Here is my build info:

Build Configuration:
BB_VERSION           = "2.0.1"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "universal"
TARGET_SYS           = "aarch64-poky-linux"
MACHINE              = "qemuarm64"
DISTRO               = "poky"
DISTRO_VERSION       = "4.1+snapshot-cf7d8894545b83f55420fa33f7848e1bfc6754ff"
TUNE_FEATURES        = "aarch64 armv8a crc cortexa57"
TARGET_FPU           = ""
meta
meta-poky
meta-yocto-bsp       = "master:cf7d8894545b83f55420fa33f7848e1bfc6754ff"

/Peter
|
[meta-security][PATCH] security-test-image: add firejail and aide test suites
Signed-off-by: Armin Kuster <akuster808@...>
--- recipes-core/images/security-test-image.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-core/images/security-test-image.bb b/recipes-core/images/security-test-image.bb index 133a7a1..81f69dd 100644 --- a/recipes-core/images/security-test-image.bb +++ b/recipes-core/images/security-test-image.bb @@ -12,7 +12,7 @@ IMAGE_INSTALL:append = "\ ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \ " -TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata" +TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata aide firejail" TEST_SUITES:append = " parsec tpm2 swtpm ima" INSTALL_CLAMAV_CVD = "1" -- 2.25.1 |
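Review bot: adding 'aide' and 'firejail' to TEST_SUITES is only half of the wiring; nothing in this hunk adds the aide or firejail packages to IMAGE_INSTALL, and both new test cases are gated with @OEHasPackage, so if the packages are not pulled in by security-build-image.bb (which this image requires) the suites will be silently skipped rather than fail. Please confirm the packages actually land in the image, or add them to the IMAGE_INSTALL:append block directly above this line so a missing package shows up as a build error instead of a skipped test.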
|
[meta-security][PATCH 2/2] oeqa: Add a very basic firejail test
Currently checks if --help works.
RESULTS: RESULTS - ping.PingTest.test_ping: PASSED (0.07s) RESULTS - ssh.SSHTest.test_ssh: PASSED (2.41s) RESULTS - firejail.FirejailTest.test_firejail_basic: PASSED (1.30s) Signed-off-by: Armin Kuster <akuster808@...> --- lib/oeqa/runtime/cases/firejail.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 lib/oeqa/runtime/cases/firejail.py diff --git a/lib/oeqa/runtime/cases/firejail.py b/lib/oeqa/runtime/cases/firejail.py new file mode 100644 index 0000000..88a8dda --- /dev/null +++ b/lib/oeqa/runtime/cases/firejail.py @@ -0,0 +1,18 @@ +# Copyright (C) 2022 Armin Kuster <akuster808@...> +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + +class FirejailTest(OERuntimeTestCase): + + @OEHasPackage(['firejail']) + @OEHasPackage(['libseccomp']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_firejail_basic(self): + status, output = self.target.run('firejail --help') + msg = ('Firejail --help command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) -- 2.25.1 |
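Review bot: 'import re' in the new firejail.py is unused (the test only checks the exit status of 'firejail --help'), so drop it. A --help invocation never touches the sandbox itself, and since the recipe in 1/2 generates the seccomp filter files in pkg_postinst_ontarget, the thing most worth smoke-testing is that a sandboxed command actually starts and that the generated filter files exist under ${libdir}/firejail; a follow-up test that runs a trivial command under firejail and asserts on its exit status would catch a broken first-boot filter generation that --help cannot. Minor: 'msg = msg' should be 'msg=msg' as in the rest of the oeqa cases.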
|
[meta-security][PATCH 1/2] firejail: Add new package
Signed-off-by: Armin Kuster <akuster808@...>
--- .../exclude_seccomp_util_compiles.patch | 45 ++++++++++++++ recipes-security/Firejail/firejail_0.9.70.bb | 61 +++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch create mode 100644 recipes-security/Firejail/firejail_0.9.70.bb diff --git a/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch b/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch new file mode 100644 index 0000000..a32720a --- /dev/null +++ b/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch 
@@ -0,0 +1,45 @@ +Exclude all the seccomp files to run during build. + +Upstream-Status: Inappropriate [embedded specific] +There are some files that need to run to generate the appropriate files +we are currently doing this on the target. +Signed-off-by: Armin Kuster <akuster808@...> + +Index: git/Makefile.in +=================================================================== +--- git.orig/Makefile.in ++++ git/Makefile.in +@@ -34,7 +34,6 @@ MYDIRS = src/lib $(MAN_SRC) $(COMPLETION + MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so + COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion + MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 +-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 + ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) + + .PHONY: all_items $(ALL_ITEMS) +@@ -52,7 +51,7 @@ $(MANPAGES): src/man + + man: $(MANPAGES) + +-filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) ++filters: $(SBOX_APPS_NON_DUMPABLE) + seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize + src/fseccomp/fseccomp default seccomp + src/fsec-optimize/fsec-optimize seccomp +@@ -81,7 +80,6 @@ clean: + done + $(MAKE) -C test clean + rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm +- rm -f $(SECCOMP_FILTERS) + rm -f test/utils/index.html* + rm -f test/utils/wget-log + rm -f test/utils/firejail-test-file* +@@ -119,7 +117,7 @@ endif + # libraries and plugins + install -m 0755 -d $(DESTDIR)$(libdir)/firejail + install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh +- install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) ++ install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) + install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) + install -m 0755 -t $(DESTDIR)$(libdir)/firejail 
src/profstats/profstats + # plugins w/o read permission (non-dumpable) diff --git a/recipes-security/Firejail/firejail_0.9.70.bb b/recipes-security/Firejail/firejail_0.9.70.bb new file mode 100644 index 0000000..fc9066b --- /dev/null +++ b/recipes-security/Firejail/firejail_0.9.70.bb 
@@ -0,0 +1,61 @@ +# +# Copyright 2022 Armin Kuster <akuster808@...> +# +SUMMARY = "Linux namespaces and seccomp-bpf sandbox" +DESCRIPTION = "Firejail is a SUID sandbox program that reduces the risk of security breaches \ +by restricting the running environment of untrusted applications using Linux namespaces, \ +seccomp-bpf and Linux capabilities." + +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" +LICENSE = "GPL-2.0-only" + +SRCREV = "b4b08d21cd95725c9d55dfdb6987fcc6d7893247" +SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master \ + file://exclude_seccomp_util_compiles.patch \ + " + +DEPENDS = "libseccomp" + +S = "${WORKDIR}/git" + +inherit autotools-brokensep pkgconfig bash-completion features_check + +REQUIRED_DISTRO_FEATURES = "seccomp" + +PACKAGECONFIG ?= "" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" + +PACKAGECONFIG[apparmor] = "--enable-apparmor, --disable-apparmor, apparmor, apparmor" +PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux" +PACKAGECONFIG[x11] = " --enable-x11, --disable-x11, " +PACKAGECONFIG[dbusproxy] = ", --disable-dbusproxy, " +PACKAGECONFIG[notmpfs] = ", --disable-usertmpfs ," +PACKAGECONFIG[nofiretunnel] = ", --disable-firetunnel , " +PACKAGECONFIG[noprivatehome] = ", --disable-private-home, " +PACKAGECONFIG[nochroot] = ", --disable-chroot, " +PACKAGECONFIG[nonetwork] = ", --disable-network, " +PACKAGECONFIG[nouserns] = ", --disable-userns, " +PACKAGECONFIG[nofiletransfer] = ", --disable-file-transfer, " +PACKAGECONFIG[nosuid] = ", --disable-suid, " + +EXTRA_OECONF = "--disable-man --enable-busybox-workaround" + +PACKAGES:append = " ${PN}-vim ${PN}-zsh" + +FILES:${PN}-vim = "${datadir}/vim/" +FILES:${PN}-zsh = "${datadir}/zsh/" + 
+pkg_postinst_ontarget:${PN} () { + ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp + ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp + ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp.debug allow-debuggers + ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.debug + ${libdir}/${BPN}/fseccomp secondary 32 ${libdir}/${BPN}/seccomp.32 + ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.32 + ${libdir}/${BPN}/fseccomp secondary block ${libdir}/${BPN}/seccomp.block_secondary + ${libdir}/${BPN}/fseccomp memory-deny-write-execute ${libdir}/${BPN}/seccomp.mdwx +} + +RDEPENDS:${PN} = "bash" -- 2.25.1 |
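Review bot: the Makefile.in patch removes SECCOMP_FILTERS (seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32) from the build, the clean rule and the install rule, but the pkg_postinst_ontarget in the recipe only regenerates five of those six files: seccomp.mdwx.32 is never created on the target, and fsec-optimize is not run on seccomp.block_secondary or seccomp.mdwx. Only the first three lines of the upstream 'seccomp:' rule are visible as context here, so please cross-check the full rule and make the on-target generation produce the same set of filter files, otherwise any profile that refers to the missing filter will not behave as upstream intends. The now-unreachable 'seccomp:' rule is harmless but deserves a sentence in the patch header, which currently reads as if all seccomp files were excluded.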
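Review bot: generating the seccomp filters in pkg_postinst_ontarget means they are created at first boot rather than at build time, so they are not in the package's file manifest, are not covered by any build-time integrity database (the aide series on this list builds its db from the rootfs, so these files will show up as unexpected on the first check), and if fseccomp or fsec-optimize fails the package is left installed with missing filters and no error handling reports it. Add 'set -e' at the top of the function and document the first-boot side effect in the recipe. Smaller points: 'RDEPENDS:${PN} = "bash"' is conventionally '+=' in this layer; the recipe directory 'recipes-security/Firejail' is capitalised unlike the rest of the layer (recipes-security/libmhash, recipes-ids/aide); and with SRC_URI on branch=master plus a pinned SRCREV, please confirm the SRCREV corresponds to the 0.9.70 tag the PV claims.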
|
[meta-security][PATCH 9/9] aide.conf: adjust to allow for build time db creation
Signed-off-by: Armin Kuster <akuster808@...>
--- recipes-ids/aide/aide/aide.conf | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/recipes-ids/aide/aide/aide.conf b/recipes-ids/aide/aide/aide.conf index 2c99e07..c4b917e 100644 --- a/recipes-ids/aide/aide/aide.conf +++ b/recipes-ids/aide/aide/aide.conf @@ -51,7 +51,7 @@ report_url=stdout #crc32: crc32 checksum (MHASH only) #whirlpool: whirlpool checksum (MHASH only) -FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 +FIPSR = p+u+g+s+acl+xattrs+sha256 #R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 #L: p+i+n+u+g+acl+selinux+xattrs @@ -70,10 +70,10 @@ EVERYTHING = R+ALLXTRAHASHES NORMAL = FIPSR+sha512 # For directories, don't bother doing hashes -DIR = p+i+n+u+g+acl+selinux+xattrs +DIR = p+u+g+acl+xattrs # Access control only -PERMS = p+i+u+g+acl+selinux +PERMS = p+u+g+acl # Logfile are special, in that they often change LOG = > @@ -83,12 +83,9 @@ LSPP = FIPSR+sha512 # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes -DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 +DATAONLY = p+u+g+s+acl+xattrs+sha256 # Next decide what directories/files you want in the database. # Check only permissions, inode, user and group for /etc, but # cover some important files closely. -/bin NORMAL -/sbin NORMAL -/lib NORMAL -- 2.25.1 |
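Review bot: the rule-set changes go further than a build-time database needs and the commit message does not say so. Dropping i (inode), c (ctime) and m (mtime) is understandable because those differ between the build rootfs and the flashed target, but n (link count) and selinux are also removed from FIPSR, DIR, PERMS and DATAONLY, so a hard link added to a monitored file or a changed SELinux label is no longer reported, even on images with selinux in DISTRO_FEATURES. Please state the rationale for each dropped attribute, and keep selinux in the rules if the labels are applied at build time and therefore stable. Also, removing the '/bin /sbin /lib NORMAL' entries leaves the 'Next decide what directories/files you want in the database' comment with nothing under it; since 8/9 now appends the entries from AIDE_INCLUDE_DIRS in do_install, a one-line comment saying so would save the next reader a search.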
|
[meta-security][PATCH 8/9] aide: add native support for build time db creation
This will help create an aide db during build that is
then installed on the rootfs for verification at boot time. This work was inspired by: Marco Cavallini Yocto Project Ambassador Signed-off-by: Armin Kuster <akuster808@...> --- recipes-ids/aide/aide_0.17.4.bb | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/recipes-ids/aide/aide_0.17.4.bb b/recipes-ids/aide/aide_0.17.4.bb index 87b690d..7ce0729 100644 --- a/recipes-ids/aide/aide_0.17.4.bb +++ b/recipes-ids/aide/aide_0.17.4.bb @@ -10,7 +10,7 @@ SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.ta SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846" -inherit autotools pkgconfig +inherit autotools pkgconfig aide-base PACKAGECONFIG ??=" mhash zlib e2fsattrs posix capabilities curl \ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \ @@ -27,10 +27,31 @@ PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2 PACKAGECONFIG[capabilities] = "--with-capabilities, --without-capabilities, libcap, libcap" PACKAGECONFIG[posix] = "--with-posix-acl, --without-posix-acl, acl, acl" + +do_install[nostamp] = "1" + do_install:append () { install -d ${D}${libdir}/${PN}/logs install -d ${D}${sysconfdir} install ${WORKDIR}/aide.conf ${D}${sysconfdir}/ + + for dir in ${AIDE_INCLUDE_DIRS}; do + echo "${dir} NORMAL" >> ${D}${sysconfdir}/aide.conf + done + for dir in ${AIDE_SKIP_DIRS}; do + echo "!${dir}" >> ${D}${sysconfdir}/aide.conf + done +} + +do_install:class-native () { + install -d ${STAGING_AIDE_DIR}/bin + install -d ${STAGING_AIDE_DIR}/lib/logs + + install ${B}/aide ${STAGING_AIDE_DIR}/bin + install ${WORKDIR}/aide.conf ${STAGING_AIDE_DIR}/ + + sed -i -s "s:\@\@define DBDIR.*:\@\@define DBDIR ${STAGING_AIDE_DIR}/lib:" ${STAGING_AIDE_DIR}/aide.conf + sed -i -e "s:\@\@define LOGDIR.*:\@\@define LOGDIR ${STAGING_AIDE_DIR}/lib/logs:" ${STAGING_AIDE_DIR}/aide.conf } CONF_FILE = "${sysconfdir}/aide.conf" 
@@ -38,7 +59,14 @@ CONF_FILE = "${sysconfdir}/aide.conf" FILES:${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf" pkg_postinst_ontarget:${PN} () { - /usr/bin/aide -i + if [ ${AIDE_SCAN_POSTINIT} ]; then + ${bindir}/aide -i + fi + if [ ${AIDE_RESCAN_POSTINIT} && -e ${libdir}/aide/aide.db.gz ]; then + ${bindir}/aide -C + fi } RDEPENDS:${PN} = "bison libpcre" + +BBCLASSEXTEND = "native" -- 2.25.1 |
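Review bot: 'sed -i -s "s:\@\@define DBDIR...' in do_install:class-native uses -s (GNU sed --separate) where -e was intended; it happens to work because the expression is still taken as the script, but make it -e like the LOGDIR line right below it. 'do_install[nostamp] = "1"' forces a reinstall on every build just to pick up AIDE_INCLUDE_DIRS/AIDE_SKIP_DIRS changes; 'do_install[vardeps] += "AIDE_INCLUDE_DIRS AIDE_SKIP_DIRS"' achieves that with normal stamps. More importantly, do_install:class-native writes into ${STAGING_AIDE_DIR} under work-shared rather than into ${D}, so the binary and config live outside sstate: a build that restores aide-native's do_populate_sysroot from cache will not recreate them, and cleaning aide-native will not remove them. Installing into ${D} and letting the native sysroot carry them would avoid both problems; if work-shared is kept, the limitation should be stated in the class header.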
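Review bot: the shell tests in pkg_postinst_ontarget do not implement the defaults that aide-base.bbclass sets. '[ ${AIDE_SCAN_POSTINIT} ]' is a non-empty-string test, so with the default "0" it is true and 'aide -i' still runs on every first boot; and '[ ${AIDE_RESCAN_POSTINIT} && -e ${libdir}/aide/aide.db.gz ]' is a syntax error inside single brackets because && is not a test operator. Use 'if [ "${AIDE_SCAN_POSTINIT}" = "1" ]; then' and 'if [ "${AIDE_RESCAN_POSTINIT}" = "1" ] && [ -e ${libdir}/aide/aide.db.gz ]; then'. Note also that 'aide -C' at first boot compares the rootfs against the build-time database, but its report goes to report_url (stdout in this layer's aide.conf), which nobody reads during postinst; directing that first report into the logs directory created in do_install would make the first-boot check actually useful.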
|
[meta-security][PATCH 7/9] classes: add aide routines
Signed-off-by: Armin Kuster <akuster808@...>
--- classes/aide-base.bbclass | 11 ++++++++ classes/aide-db-init.bbclass | 52 ++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 classes/aide-base.bbclass create mode 100644 classes/aide-db-init.bbclass diff --git a/classes/aide-base.bbclass b/classes/aide-base.bbclass new file mode 100644 index 0000000..36cc454 --- /dev/null +++ b/classes/aide-base.bbclass @@ -0,0 +1,11 @@ +# +# Copyright 2022 Armin Kuster <akuster808@...> +# + +STAGING_AIDE_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/aida" +AIDE_INCLUDE_DIRS ?= "/lib" +AIDE_SKIP_DIRS ?= "/lib/modules/.\*" + +AIDE_SCAN_POSTINIT ?= "0" +AIDE_RESCAN_POSTINIT ?= "0" + diff --git a/classes/aide-db-init.bbclass b/classes/aide-db-init.bbclass new file mode 100644 index 0000000..800006f --- /dev/null +++ b/classes/aide-db-init.bbclass 
@@ -0,0 +1,52 @@ +# +# Copyright 2022 Armin Kuster <akuster808@...> +# +# This class creates the initial aide database durning +# the build cycle allowing for that set being skipped during boot +# It has an additional benefit of having not being tamper with +# after build. +# +# To have the aide db created during build +# 1. Extend local.conf: +# INHERIT += "adie-init-db" +# +# These are the defaults as defined in aide-base.bbclass +# They can be overriden in your local.conf or other distro include +# +# To define where the share directory should be. +# STAGING_AIDE_DIR = "${TMPDIR}/work-shared/${MACHINE}/aida" +# +# To define which directories should be inclued in a scan +# AIDE_INCLUDE_DIRS ?= "/lib" +# +# To exclude directories and files from being scanned +# AIDE_SKIP_DIRS ?= "/lib/modules/.\*" +# +# To controll if a db init should happen at postint +# AIDE_SCAN_POSTINIT ?= "0" +# +# To cotroll if a db recan should be run at postinit +# AIDE_RESCAN_POSTINIT ?= "0" + +inherit aide-base + +aide_init_db() { + for dir in ${AIDE_INCLUDE_DIRS}; do + echo "${IMAGE_ROOTFS}${dir} NORMAL" >> ${STAGING_AIDE_DIR}/aide.conf + done + for dir in ${AIDE_SKIP_DIRS}; do + echo "!${IMAGE_ROOTFS}${dir}" >> ${STAGING_AIDE_DIR}/aide.conf + done + + + ${STAGING_AIDE_DIR}/bin/aide -c ${STAGING_AIDE_DIR}/aide.conf --init + gunzip ${STAGING_AIDE_DIR}/lib/aide.db.gz + # strip out native path + sed -i -e 's:${IMAGE_ROOTFS}::' ${STAGING_AIDE_DIR}/lib/aide.db + gzip -9 ${STAGING_AIDE_DIR}/lib/aide.db + cp -f ${STAGING_AIDE_DIR}/lib/aide.db.gz ${IMAGE_ROOTFS}${libdir}/aide +} + +EXTRA_IMAGEDEPENDS:append = " aide-native" + +ROOTFS_POSTPROCESS_COMMAND:append = " aide_init_db;" -- 2.25.1 |
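Review bot: two points on aide-base.bbclass. 'STAGING_AIDE_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/aida"' says "aida" where "aide" is presumably meant (the same spelling is repeated in the aide-db-init header), and 'AIDE_SKIP_DIRS ?= "/lib/modules/.\*"' is written into aide.conf by echo, most likely with the backslash intact; AIDE treats selection lines as regular expressions, so '\*' is a literal asterisk and the rule would only exclude a path of the form /lib/modules/<one character>* rather than the whole tree. Please check the generated aide.conf and the resulting database for /lib/modules entries; the intended value is most likely '/lib/modules/.*'.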
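Review bot: the header of aide-db-init.bbclass tells users to 'INHERIT += "adie-init-db"', but the class file is named aide-db-init, so following the instructions fails at parse time; fix the name (and the typos durning, overriden, inclued, controll, cotroll, recan while there). In aide_init_db, the '>>' appends to ${STAGING_AIDE_DIR}/aide.conf accumulate across image builds, so the second build of any image duplicates every include/exclude line and a changed AIDE_INCLUDE_DIRS never removes the old entries; copy the pristine config from the native install into a per-image temporary file and append to that instead. 'cp -f ... ${IMAGE_ROOTFS}${libdir}/aide' assumes the target aide package is in the image (its do_install:append creates that directory); without a guard a rootfs that lacks aide fails the postprocess with an opaque cp error. Finally, the header claims the database cannot be tampered with after build: once aide.db.gz is copied into the rootfs it is as writable as any other file there, so that holds only if the rootfs is read-only or otherwise integrity-protected (dm-verity, IMA), and the comment should say so rather than imply the build step alone provides it.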
|
[meta-security][PATCH 6/9] libmhash: add native pkg support
Signed-off-by: Armin Kuster <akuster808@...>
--- recipes-security/libmhash/libmhash_0.9.9.9.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-security/libmhash/libmhash_0.9.9.9.bb b/recipes-security/libmhash/libmhash_0.9.9.9.bb index 35c5ff8..4d1f584 100644 --- a/recipes-security/libmhash/libmhash_0.9.9.9.bb +++ b/recipes-security/libmhash/libmhash_0.9.9.9.bb @@ -35,3 +35,5 @@ do_compile_ptest() { do_install_ptest() { install -m 0755 ${S}/demo/mhash ${D}${PTEST_PATH} } + +BBCLASSEXTEND = "native" -- 2.25.1 |
|
[meta-security][PATCH 5/9] oeqa: add aide test
Signed-off-by: Armin Kuster <akuster808@...>
--- lib/oeqa/runtime/cases/aide.py | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 lib/oeqa/runtime/cases/aide.py diff --git a/lib/oeqa/runtime/cases/aide.py b/lib/oeqa/runtime/cases/aide.py new file mode 100644 index 0000000..4c7633c --- /dev/null +++ b/lib/oeqa/runtime/cases/aide.py @@ -0,0 +1,26 @@ +# Copyright (C) 2022 Armin Kuster <akuster808@...> +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class AideTest(OERuntimeTestCase): + + @OEHasPackage(['aide']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_aide_help(self): + status, output = self.target.run('aide --help') + msg = ('Aide help command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['aide.AideTest.test_aide_help']) + def test_aide_dbinit(self): + status, output = self.target.run('aide --init') + match = re.search('Number of entries:', output) + if not match: + msg = ('Aide db init failed: output is:\n%s' % output) + self.assertEqual(status, 0, msg = msg) -- 2.25.1 |
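Review bot: test_aide_dbinit can never fail when 'aide --init' exits 0. The assertEqual(status, 0, ...) is only reached when 'Number of entries:' is missing from the output, and it then passes for status 0; when the string is present nothing is asserted at all. Assert both conditions unconditionally: 'self.assertEqual(status, 0, msg=...)' followed by 'self.assertIsNotNone(re.search("Number of entries:", output), msg=...)'. Two more things: 'aide --init' on the target scans every path in aide.conf, which after 8/9 is whatever AIDE_INCLUDE_DIRS expands to, so the test's run time scales with that list; and it writes a fresh database on the device under test, which then no longer matches the build-time database the rest of this series installs, so order it after any 'aide -C' style checks or clean up afterwards. Also 'msg = msg' should be 'msg=msg' as in the other new cases.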
|
[meta-security][PATCH 4/9] aide: add a few more config options
Signed-off-by: Armin Kuster <akuster808@...>
--- recipes-ids/aide/aide_0.17.4.bb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/recipes-ids/aide/aide_0.17.4.bb b/recipes-ids/aide/aide_0.17.4.bb index ebd6ac3..87b690d 100644 --- a/recipes-ids/aide/aide_0.17.4.bb +++ b/recipes-ids/aide/aide_0.17.4.bb @@ -12,7 +12,7 @@ SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9 inherit autotools pkgconfig -PACKAGECONFIG ??=" mhash zlib e2fsattrs \ +PACKAGECONFIG ??=" mhash zlib e2fsattrs posix capabilities curl \ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \ " @@ -24,6 +24,8 @@ PACKAGECONFIG[audit] = "--with-audit, --without-audit,audit" PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt" PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash" PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs" +PACKAGECONFIG[capabilities] = "--with-capabilities, --without-capabilities, libcap, libcap" +PACKAGECONFIG[posix] = "--with-posix-acl, --without-posix-acl, acl, acl" do_install:append () { install -d ${D}${libdir}/${PN}/logs -- 2.25.1 |
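Review bot: the new default PACKAGECONFIG adds 'curl', but this hunk defines only the capabilities and posix entries, and the context shows audit, gcrypt, mhash and e2fsattrs only; please confirm a PACKAGECONFIG[curl] line already exists in the recipe, otherwise the option is silently ignored. Enabling capabilities and POSIX ACL support by default is the right call for an integrity checker, since file capabilities and ACLs can be altered without changing file content and would otherwise be invisible to the scan; the selinux and xattr conditionals already cover the remaining attribute families.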
|
[meta-security][PATCH 3/9] oeqa: update smack runtime test
drop test_smack_mmap_enforced as it was skipped due to possible licensing issues
Signed-off-by: Armin Kuster <akuster808@...> --- lib/oeqa/runtime/cases/smack.py | 103 +++++--------------------------- 1 file changed, 15 insertions(+), 88 deletions(-) diff --git a/lib/oeqa/runtime/cases/smack.py b/lib/oeqa/runtime/cases/smack.py index b8255c7..6b87574 100644 --- a/lib/oeqa/runtime/cases/smack.py +++ b/lib/oeqa/runtime/cases/smack.py @@ -15,17 +15,16 @@ class SmackBasicTest(OERuntimeTestCase): @classmethod def setUpClass(cls): - cls.smack_path = "" cls.current_label = "" cls.uid = 1000 + status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'") + cls.smack_path = output @skipIfNotFeature('smack', 'Test requires smack to be in DISTRO_FEATURES') @OEHasPackage(['smack-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_smack_basic(self): - status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'") - self.smack_path = output status,output = self.target.run("cat /proc/self/attr/current") self.current_label = output.strip() @@ -41,11 +40,11 @@ class SmackBasicTest(OERuntimeTestCase): "Status and output: %d %s" %(status, output)) status, output = self.target.run("chsmack %s" %filename) self.target.run("rm %s" %filename) - m = re.search('(?<=access=")\S+(?=")', output) + m = re.search('(access=")\S+(?=")', output) if m is None: self.fail("Did not find access attribute") else: - label_retrieved = m .group(0) + label_retrieved = re.split("access=\"", output)[1][:-1] self.assertEqual( LABEL, label_retrieved, "label not set correctly. expected and gotten: " 
@@ -64,11 +63,11 @@ class SmackBasicTest(OERuntimeTestCase): "Status and output: %d %s" %(status, output)) status, output = self.target.run("chsmack %s" %filename) self.target.run("rm %s" %filename) - m= re.search('(?<=execute=")\S+(?=")', output) + m= re.search('(execute=")\S+(?=")', output) if m is None: self.fail("Did not find execute attribute") else: - label_retrieved = m.group(0) + label_retrieved = re.split("execute=\"", output)[1][:-1] self.assertEqual( LABEL, label_retrieved, "label not set correctly. expected and gotten: " + @@ -87,11 +86,11 @@ class SmackBasicTest(OERuntimeTestCase): "Status and output: %d %s" %(status, output)) status, output = self.target.run("chsmack %s" %filename) self.target.run("rm %s" %filename) - m = re.search('(?<=mmap=")\S+(?=")', output) + m = re.search('(mmap=")\S+(?=")', output) if m is None: self.fail("Did not find mmap attribute") else: - label_retrieved = m.group(0) + label_retrieved = re.split("mmap=\"", output)[1][:-1] self.assertEqual( LABEL, label_retrieved, "label not set correctly. expected and gotten: " + @@ -109,11 +108,11 @@ class SmackBasicTest(OERuntimeTestCase): "Status and output: %d %s" %(status, output)) status, output = self.target.run("chsmack %s" %directory) self.target.run("rmdir %s" %directory) - m = re.search('(?<=transmute=")\S+(?=")', output) + m = re.search('(transmute=")\S+(?=")', output) if m is None: self.fail("Did not find transmute attribute") else: - label_retrieved = m.group(0) + label_retrieved = re.split("transmute=\"", output)[1][:-1] self.assertEqual( "TRUE", label_retrieved, "label not set correctly. expected and gotten: " + 
@@ -127,10 +126,10 @@ class SmackBasicTest(OERuntimeTestCase): ''' labelf = "/proc/self/attr/current" - command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf) + command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf) status, output = self.target.run( - "notroot.py 0 %s %s" %(self.current_label, command)) + "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command)) self.assertIn("PRIVILEGED", output, "Privilege process did not change label.Output: %s" %output) @@ -142,7 +141,7 @@ class SmackBasicTest(OERuntimeTestCase): command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL status, output = self.target.run( - "notroot.py %d %s %s" + "/usr/sbin/notroot.py %d %s %s" %(self.uid, self.current_label, command) + " 2>&1 | grep 'Operation not permitted'" ) @@ -160,9 +159,9 @@ class SmackBasicTest(OERuntimeTestCase): filename = "/tmp/test_unprivileged_change_file_label" self.target.run("touch %s" % filename) - self.target.run("notroot.py %d %s" %(self.uid, self.current_label)) + self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label)) status, output = self.target.run( - "notroot.py " + + "/usr/sbin/notroot.py " + "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + "| grep 'Operation not permitted'" ) 
@@ -346,78 +345,6 @@ class SmackBasicTest(OERuntimeTestCase): self.assertEqual(status, 0, output) - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) - def test_smack_mmap_enforced(self): - '''Test if smack mmap access is enforced''' - raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.") - - # 12345678901234567890123456789012345678901234567890123456 - delr1="mmap_label mmap_test_label1 -----" - delr2="mmap_label mmap_test_label2 -----" - delr3="mmap_file_label mmap_test_label1 -----" - delr4="mmap_file_label mmap_test_label2 -----" - - RuleA="mmap_label mmap_test_label1 rw---" - RuleB="mmap_label mmap_test_label2 r--at" - RuleC="mmap_file_label mmap_test_label1 rw---" - RuleD="mmap_file_label mmap_test_label2 rwxat" - - mmap_label="mmap_label" - file_label="mmap_file_label" - test_file = "/usr/sbin/smack_test_mmap" - mmap_exe = "/tmp/mmap_test" - status, echo = self.target.run("which echo") - status, output = self.target.run( - "notroot.py %d %s %s 'test' > %s" \ - %(self.uid, self.current_label, echo, test_file)) - status, output = self.target.run("ls %s" %test_file) - self.assertEqual(status, 0, "Could not create mmap test file") - self.target.run("chsmack -m %s %s" %(file_label, test_file)) - self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe)) - - # test with no rules with mmap label or exec label as subject - # access should be granted - self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path)) - status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) - self.assertEqual( - status, 0, - "Should have mmap access without rules. 
Output: %s" %output) - - # add rules that do not match access required - self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path)) - status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) - self.assertNotEqual( - status, 0, - "Should not have mmap access with unmatching rules. " + - "Output: %s" %output) - self.assertIn( - "Permission denied", output, - "Mmap access should be denied with unmatching rules") - - # add rule to match only partially (one way) - self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path)) - status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) - self.assertNotEqual( - status, 0, - "Should not have mmap access with partial matching rules. " + - "Output: %s" %output) - self.assertIn( - "Permission denied", output, - "Mmap access should be denied with partial matching rules") - - # add rule to match fully - self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path)) - status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) - self.assertEqual( - status, 0, - "Should have mmap access with full matching rules." + - "Output: %s" %output) - - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_transmute_dir(self): '''Test if smack transmute attribute works -- 2.25.1 |
|
[meta-security][PATCH 2/9] smack-test: more py3 conversion
Signed-off-by: Armin Kuster <akuster808@...>
--- recipes-mac/smack/smack-test/notroot.py | 12 ++++++------ .../smack/smack-test/smack_test_file_access.sh | 10 +++++----- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/recipes-mac/smack/smack-test/notroot.py b/recipes-mac/smack/smack-test/notroot.py index f0eb0b5..89f83f4 100644 --- a/recipes-mac/smack/smack-test/notroot.py +++ b/recipes-mac/smack/smack-test/notroot.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # # Script used for running executables with custom labels, as well as custom uid/gid # Process label is changed by writing to /proc/self/attr/curent @@ -9,8 +9,8 @@ # """By default, each user in Debian GNU/Linux is given a corresponding group # with the same name. """ # -# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] -# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 +# Usage: root@desk:~# python3 notroot.py <uid> <label> <full_path_to_executable> [arguments ..] +# eg: python3 notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 # # Author: Alexandru Cornea <alexandru.cornea@...> import os @@ -28,6 +28,6 @@ try: os.setuid(uid) os.execv(path,sys.argv) -except Exception,e: - print e.message - sys.exit(1) +except Exception as e: + print(e.strerror) + sys.exit(-1) diff --git a/recipes-mac/smack/smack-test/smack_test_file_access.sh b/recipes-mac/smack/smack-test/smack_test_file_access.sh index 5a0ce84..598f1df 100644 --- a/recipes-mac/smack/smack-test/smack_test_file_access.sh +++ b/recipes-mac/smack/smack-test/smack_test_file_access.sh @@ -8,7 +8,7 @@ CAT=`which cat` ECHO=`which echo` uid=1000 initial_label=`cat /proc/self/attr/current` -python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file +python3 $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file chsmack -a "TheOther" $test_file # 12345678901234567890123456789012345678901234567890123456 
@@ -17,7 +17,7 @@ rule_ro="TheOne TheOther r----" # Remove pre-existent rules for "TheOne TheOther <access>" echo -n "$delrule" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? +python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? if [ $RC -ne 0 ]; then echo "Process with different label than the test file and no read access on it can read it" exit $RC @@ -25,7 +25,7 @@ fi # adding read access echo -n "$rule_ro" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? if [ $RC -ne 0 ]; then echo "Process with different label than the test file but with read access on it cannot read it" exit $RC @@ -36,7 +36,7 @@ echo -n "$delrule" > $SMACK_PATH/load # changing label of test file to * # according to SMACK documentation, read access on a * object is always permitted chsmack -a '*' $test_file -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? if [ $RC -ne 0 ]; then echo "Process cannot read file with * label" exit $RC @@ -45,7 +45,7 @@ fi # changing subject label to * # according to SMACK documentation, every access requested by a star labeled subject is rejected TOUCH=`which touch` -python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 +python3 $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$? if [ $RC -ne 0 ];then echo "Process with label '*' should not have any access" -- 2.25.1 |
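Review bot: in notroot.py, 'print(e.strerror)' only works for OSError and its subclasses; any other exception caught by the bare 'except Exception' (a ValueError from a malformed uid argument, for instance) has no strerror attribute, so the handler itself dies with an AttributeError and the intended message is never printed. Use 'print(e)' (or str(e)), and prefer 'sys.exit(1)' over -1, which the kernel turns into exit status 255. The python3 substitutions in smack_test_file_access.sh look complete; the pre-existing 'RC=$?' after a pipeline still records grep's status rather than notroot.py's, which is fine for what the script checks but worth knowing when reading the failure messages.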
|
[meta-security][PATCH 1/9] security-test-image: auto include layers if present.
This is to simplify testing to build one image and include pkgs depending on the
layers included in the BBLAYERS. Signed-off-by: Armin Kuster <akuster808@...> --- recipes-core/images/security-test-image.bb | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/recipes-core/images/security-test-image.bb b/recipes-core/images/security-test-image.bb index 54d8978..133a7a1 100644 --- a/recipes-core/images/security-test-image.bb +++ b/recipes-core/images/security-test-image.bb @@ -4,7 +4,16 @@ require security-build-image.bb IMAGE_FEATURES += "ssh-server-openssh" -TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" +IMAGE_INSTALL:append = "\ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm","", d)} \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm2","", d)} \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "parsec-layer", "packagegroup-security-parsec","", d)} \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \ +" + +TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata" +TEST_SUITES:append = " parsec tpm2 swtpm ima" INSTALL_CLAMAV_CVD = "1" -- 2.25.1 |
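Review bot: the TEST_SUITES hunk silently drops `ptest` and `tripwire` from the suite list, which the commit message (auto-including layers) does not mention; if the removal is intended it should be stated, otherwise those two names should stay. In the same hunk, `TEST_SUITES:append = " parsec tpm2 swtpm ima"` adds the layer-specific suites unconditionally, while the IMAGE_INSTALL additions just above are guarded with `bb.utils.contains("BBFILE_COLLECTIONS", ...)`; guarding the suite names the same way, for example `${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", " tpm2 swtpm", "", d)}`, keeps the tests that run matched to what is actually installed. The two `packagegroup-security-tpm` / `packagegroup-security-tpm2` lines test the same collection and could be one contains() call returning both package names.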
|
[poky][PATCH] signing-keys: add RDEPENDS to signing-keys from specific provider
Federico Pellegrin
Specific provider (ie. RPM or IPK) does "provide" just itself as a
package to the system. This will cause the "-dev" package, which refers to the generic signing-keys and not the provider specific, to miss the dependency. Error case (RPM) when populating sdk: Error: Problem: conflicting requests - nothing provides signing-keys = 1.0-r0 needed by signing-keys-dev-1.0-r0.noarch (try to add '--skip-broken' to skip uninstallable packages) Examining signing-keys-rpm packages in PROVIDES we have indeed: signing-keys-rpm = 1.0-r0 But in signing-keys-dev: in REQUIRES: signing-keys-1.0-r0 This MR will fix the situation bringing the specific provider PROVIDES to include also the generic package (RPM example): signing-keys signing-keys-rpm = 1.0-r0 Likely another way could be also to change the requirement for dev or just allow empty packages as well. Signed-off-by: Federico Pellegrin <fede@...> --- meta/recipes-core/meta/signing-keys.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb index 03463f95f56..d0602cf82af 100644 --- a/meta/recipes-core/meta/signing-keys.bb +++ b/meta/recipes-core/meta/signing-keys.bb @@ -18,6 +18,10 @@ FILES:${PN}-rpm = "${sysconfdir}/pki/rpm-gpg" FILES:${PN}-ipk = "${sysconfdir}/pki/ipk-gpg" FILES:${PN}-packagefeed = "${sysconfdir}/pki/packagefeed-gpg" +RPROVIDES:${PN}-rpm += "${PN}" +RPROVIDES:${PN}-ipk += "${PN}" +RPROVIDES:${PN}-packagefeed += "${PN}" + python do_get_public_keys () { from oe.gpg_sign import get_signer -- 2.35.3 |
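Review bot: with all three variant packages now RPROVIDE-ing the generic `${PN}`, the `${PN}-dev` dependency on `signing-keys` can be satisfied by whichever provider the package manager chooses when more than one is in the feed; if that is acceptable it deserves a short comment next to the three RPROVIDES lines, since the FILES assignments above give no hint that the main package is empty and why the -dev package ends up depending on it. The alternative named in the commit message, letting the main package exist as an empty package (ALLOW_EMPTY on `${PN}`), would avoid the ambiguity; it is worth saying in the commit message why the RPROVIDES route was preferred.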
|
Minutes: Yocto Project Weekly Triage Meeting 6/16/2022
sakib.sajal@...
Wiki: https://wiki.yoctoproject.org/wiki/Bug_Triage

Attendees: Stephen Jolley, Saul Wold, Mico Marguet, Steve Sakoman, Pavel Zhukov, Michael Opdenacker, Richard Purdie, Aryaman Gupta, Randy Macleod, Alexandre Belloni, Ross Burton, Joshua Watt, Tim Orling

ARs:
Notes: N/A

Medium+ 4.1 Unassigned Enhancements/Bugs: 75 (Last week 73)
AB Bugs: 49 (Last week 47)
|
|
[ANNOUNCEMENT] Yocto Project 3.1.17 (dunfell-23.0.17) is Released
Lee Chee Yang
Hello

We are pleased to announce the Yocto Project 3.1.17 (dunfell-23.0.17) Release is now available for download.

http://downloads.yoctoproject.org/releases/yocto/yocto-3.1.17/poky-dunfell-23.0.17.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.1.17/poky-dunfell-23.0.17.tar.bz2
A gpg signed version of these release notes is available at:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.1.17/RELEASENOTES
Full Test Report:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.1.17/testreport.txt
Thank you for everyone's contributions to this release.
Chee Yang Lee <chee.yang.lee@...>
Yocto Project Build and Release

--------------------------
yocto-3.1.17 Release Notes
--------------------------

--------------------------
Repositories/Downloads
--------------------------

Repository Name: poky
Repository Location: https://git.yoctoproject.org/git/poky
Branch: dunfell
Tag: yocto-3.1.17
Git Revision: 1e298a42223dd2628288b372caf66c52506a8081
Release Artefact: poky-dunfell-23.0.17
sha: deef3a590ed7e36b362ba4f35fe59dd6386360756cf4635e7d1adef350053f27
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.1.17/poky-dunfell-23.0.17.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.1.17/poky-dunfell-23.0.17.tar.bz2

Repository Name: openembedded-core
Repository Location: https://git.openembedded.org/openembedded-core
Branch: dunfell
Tag: yocto-3.1.17
Git Revision: 4051d1a3aa5f70da96c381f9dea5f52cd9306939
Release Artefact: oecore-dunfell-23.0.17
sha: 71c768008842298d94c6769b105ed14033721286b20a0744f70c819242542dd5
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.1.17/oecore-dunfell-23.0.17.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.1.17/oecore-dunfell-23.0.17.tar.bz2

Repository Name: meta-mingw
Repository Location: https://git.yoctoproject.org/git/meta-mingw
Branch: dunfell
Tag: yocto-3.1.17
Git Revision: 524de686205b5d6736661d4532f5f98fee8589b7
Release Artefact: meta-mingw-dunfell-23.0.17
sha: a2ffb2bf5505707eb77a60e21bcf14b3182bb192e102a61f991a98ca20d9289f
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.1.17/meta-mingw-dunfell-23.0.17.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.1.17/meta-mingw-dunfell-23.0.17.tar.bz2

Repository Name: meta-gplv2
Repository Location: https://git.yoctoproject.org/git/meta-gplv2
Branch: dunfell
Tag: yocto-3.1.17
Git Revision: 60b251c25ba87e946a0ca4cdc8d17b1cb09292ac
Release Artefact: meta-gplv2-dunfell-23.0.17
sha: e3c0ceb64ae564f3dac6334e8d741bce62888c6c414701166cec0c0c30d805a6
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.1.17/meta-gplv2-dunfell-23.0.17.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.1.17/meta-gplv2-dunfell-23.0.17.tar.bz2

Repository Name: bitbake
Repository Location: https://git.openembedded.org/bitbake
Branch: dunfell
Tag: yocto-3.1.17
Git Revision: 0784db7dd0fef6f0621ad8d74372f44e87fef950
Release Artefact: bitbake-dunfell-23.0.17
sha: 0b70a8d48a9b7a71a9ed19f60f6250e3beff3b910b1a066515dc2356a8a99cfe
Download Locations:
http://downloads.yoctoproject.org/releases/yocto/yocto-3.1.17/bitbake-dunfell-23.0.17.tar.bz2
http://mirrors.kernel.org/yocto/yocto/yocto-3.1.17/bitbake-dunfell-23.0.17.tar.bz2

Repository Name: yocto-docs
Repository Location: https://git.yoctoproject.org/git/yocto-docs
Branch: dunfell
Tag: yocto-3.1.17
Git Revision: 8dd19c901813263554ac2bc6bda2cf9a1c3c1e58

---------------
Known Issues
---------------

Openssl did have some ptest failures due to expired certificates in the tests themselves; this will be fixed in the next point release. openssl itself doesn't have any known issues.

---------------
Security Fixes
---------------

libxml2: Fix CVE-2022-29824 for libxml2
ncurses: Fix CVE-2022-29458
ffmpeg: Fix for CVE-2022-1475
libsdl2: Add fix for CVE-2021-33657
ruby: Whitelist CVE-2021-28966 as this affects Windows OS only
pcre2: CVE-2022-1586 Out-of-bounds read
freetype: Fix CVE-2022-27404 CVE-2022-27405 CVE-2022-27406
tiff: fix CVE-2022-0865 CVE-2022-0907 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924
curl: Fix CVE-2022-22576 CVE-2022-27775 CVE-2022-27776
busybox: fix CVE-2022-28391
libinput: Add fix for CVE-2022-1215
fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
python3: ignore CVE-2015-20107
tiff: Fix CVE-2022-0891

---------------
Fixes
---------------

openssl: Backport fix for ptest cert expiry
poky.conf: bump version for 3.1.17 release
documentation: update for 3.1.17 release
cve-check: Allow warnings to be disabled
cve-check: Only include installed packages for rootfs manifest
cve-check: Add helper for symlink handling
cve-check.bbclass: Added do_populate_sdk[recrdeptask].
ruby: Upgrade ruby to 2.7.6 for security fix
oeqa/selftest/cve_check: add tests for recipe and image reports
mobile-broadband-provider-info: upgrade 20220315 -> 20220511
cve-check: Fix report generation
manuals: add missing space in appends
selftest: skip virgl test on alma 8.6
linux-firmware: upgrade 20220411 -> 20220509
linux-firmware: replace mkdir by install
openssl: Minor security upgrade 1.1.1n to 1.1.1o
vim: Upgrade to 8.2.5034
scripts/git: Ensure we don't have circular references
scripts: Make git intercept global
base: Avoid circular references to our own scripts
rootfs-postcommands: fix symlinks where link and output path are equal
volatile-binds: Change DefaultDependencies from false to no
cve-check: fix symlinks where link and output path are equal
cve-check: add JSON format to summary output
cve-update-db-native: let the user to drive the update interval
cve-check: no need to depend on the fetch task
linux-yocto/5.4: update to v5.4.192
uninative: Upgrade to 3.6 with gcc 12 support
neard: Switch SRC_URI to git repo
base: Drop git intercept
install/devshell: Introduce git intercept script due to fakeroot issues
cases/buildepoxy.py: fix typo
busybox: Use base_bindir instead of hardcoding /bin path
scripts/contrib/oe-build-perf-report-email.py: remove obsolete check for phantomjs and optipng
perf-build-test/report: Drop phantomjs and html email reports support
cve-check: add json format
cve-update-db-native: update the CVE database once a day only
linux-firmware: correct license for ar3k firmware
boost: don't specify gcc version
git: Use CVE_CHECK_WHITELIST instead of CVE_CHECK_IGNORE
|
|
[meta-zephyr][kirkstone][PATCH 1/2] zephyr-kernel/2.7: update to release tag Zephyr v2.7.2
Naveen Saini
6dd320f791 release: update v2.7.2 release notes
ecac165d36 logging: shell: fix shell stats null pointer dereference
132d90d1bc tests/bluetooth/tester: Refactor Read UUID callback
58356313ac coredump: adjust mem_region find in gdbstub
99cfd3e4d7 Bluetooth: Controller: Fix per adv scheduling issue
780588bd33 edac: ibecc: Add support for EHL SKU13, SKU14, SKU15
38de9b0156 release: Zephyr 2.7.2
3a21dff459 doc: release: Update release notes with CVE
b98ec9e0db x86: Initialise FPU regs during thread creation for eager FPU sharing
8f2d164674 release: Bump release to 2.7.2-rc1
6b61b219ea doc: Add link to J-Link virtual MSD disable for SMP
8822f85ef9 board: arm64: fvp_baser_aemv8r_smp: Increase CONFIG_MAX_THREAD_BYTES
0bc81c82ab board: arm64: fvp_baser_aemv8r: Update the version requirement
32c49d04b0 cmake: armfvp: Add FVP min version check
02c32316fc arm64: Fix booting issue with FVP V8R >= 11.16.16
9bf571808d net/tcp: Use highest priority for TCP internal work queue
4eec9d95ef test/net: Make sure the tls server socket is accepting before connect
32a593396d tests/net: Put the context down and not only the tcp part in tcp2 test
066dcd6119 tests/net: Switch k_msleep to k_yield for tcp packet scheduling
ffcc1d3c92 tests/net: TLS test requires more RX PKT and buffers
2d49a4c8b9 net/context: Close TCP connection properly
9d229e0bb5 net/tcp: Stop TCP state machine breaking when sending locally
74c00d0b4e boards: bl654_usb: Fix non-mcuboot builds not limiting size
2a09d5e53f drivers: virt_ivshmem: Allow multiple instances of ivShMem devices.
ad4e9934de samples: subsys: mgmt: smp_svr: Fix dupicate fs mgmt registration
f133449cf5 boards: arm: stm32l562e_dk and nucleo_l552ze_q add openocd support
33318bfb45 doc: css: update code documentation directives style
3497031e3e doc: update requirements
57a1be33ff boards: nucleo_wb55rg: Add stm32cubeprogrammer runner
652eb37b4d scripts/pylib/twister: Add sn option to stm32cubeprogrgammer runner
9e4edaec21 tests/bluetooth/tester: Add support for auto connection establishment
9b18f4a730 net: gptp: Fix type mismatch calculation error in gptp_mi
3f958347c2 test: pm: device: Fix build options
041653662b pm: Remove unused fields in pm_device
6da71d7c2f ARC: nSIM: fix missing core numbers for mdb-hw runner args
52a68bec73 net: tcp: Verify accept callback before use
6324e997e1 net: sockets: Fix userspace accept() verification
e9eed0015f subsys/mgmt/hawkbit: update http response handling
a3e7047ad5 wifi: esp_at: claim net_context in rx
50a24d6782 net: sockets: Retry net_context_sendmsg if EAGAIN is reported
9c3be1212f tests/bluetooth/tester: Enable security validation for GATT subsciption
e2c96814ce Bluetooth: Host: Validate security on GATT subscription
3c64ed4e77 drivers: spi_nrfx_spi: Fix compilation error
e78a6ab2cd spi: nrfx_spi*: only run uninit if configured
6bbf1e7e7a Bluetooth: controller: Add missing NULL assign to df_cfg in ll_adv_set
063dbecb23 arch/x86: Fix MSI MAP destination
a807fff085 arch/x86: Add a CPUID function to get initial APIC ID
b4b474cb4b arch/x86: Have a dedicated place for CPUID related functions
175ae83c78 tests/bluetooth/tester: Allocate L2CAP channel only when needed
22ab715ad8 test/bluetooth/tester: Don't clear auth requirements on L2CAP server
.....

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
 ...ephyr-kernel-src-2.7.1.inc => zephyr-kernel-src-2.7.2.inc} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-zephyr-core/recipes-kernel/zephyr-kernel/{zephyr-kernel-src-2.7.1.inc => zephyr-kernel-src-2.7.2.inc} (97%)
diff --git a/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.1.inc b/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.2.inc similarity index 97% rename from meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.1.inc rename to meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.2.inc index a2c100c..7a4da21 100644 --- a/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.1.inc +++ b/meta-zephyr-core/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.7.2.inc @@ -14,7 +14,7 @@ SRC_URI += " \ # echo SRCREV_$x = \"$rev\"' # -SRCREV_default = "e4da3e528088a34a9989f5a50e7ed3149d57de92" +SRCREV_default = "6dd320f791c4da49190b30f9134f776d85bc5836" SRCREV_canopennode = "f167efe85c8c7de886f1bc47f9173cfb8a346bb5" SRCREV_civetweb = "094aeb41bb93e9199d24d665ee43e9e05d6d7b1c" SRCREV_cmsis = "b0612c97c1401feeb4160add6462c3627fe90fc7" @@ -60,6 +60,6 @@ SRCREV_TraceRecorder = "36c577727642457b0db7274298a4b96558374832" SRCREV_tfm = "c74be3890c9d975976fde1b1a3b2f5742bec34c0" ZEPHYR_BRANCH = "v2.7-branch" -PV = "2.7.1+git${SRCPV}" +PV = "2.7.2+git${SRCPV}" SRC_URI:append = " file://dtc.patch" -- 2.25.1 |
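Review bot: the renamed .inc is the only file in this patch, so any recipe that does `require zephyr-kernel-src-2.7.1.inc` by its literal name stops parsing after this commit; unless the requiring recipe derives the name from a variable, the matching recipe change belongs in the same commit to keep the tree bisectable. The `SRCREV_default` bump to 6dd320f791c4da49190b30f9134f776d85bc5836 agrees with the first commit in the shortlog above (`6dd320f791 release: update v2.7.2 release notes`); the other `SRCREV_*` module revisions in this file are untouched, so it is worth confirming they still match the module revisions pinned by the v2.7.2 tag.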
|
[meta-zephyr][kirkstone][PATCH 2/2] README.txt: update for kirkstone release
Naveen Saini
Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
--- README.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.txt b/README.txt index ec860fd..5e0c4b6 100644 --- a/README.txt +++ b/README.txt @@ -9,9 +9,9 @@ Prerequisites: ============== This layer depends on: - Yocto distro (master) + Yocto distro (kirkstone) git://git.yoctoproject.org/poky - Python layer (meta-openembedded/meta-python) + Python layer (meta-openembedded/meta-python) (kirkstone) git://git.openembedded.org/meta-openembedded Modify local conf by adding: -- 2.25.1 |
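Review bot: the two changed lines place the branch annotation differently, `Yocto distro (kirkstone)` on the name line versus `Python layer (meta-openembedded/meta-python) (kirkstone)` after the layer path; putting the branch in the same position for both dependencies (for example on the git URL line of each) reads more consistently and makes it easier to update on the next release.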
|
Building out-of-tree kernel module with yocto SDK
Fanzhe Lyu
Hi,
What is the best way to cross-compile an out-of-tree kernel module with a Yocto SDK?
The kernel headers get included in the SDK after the following line is included in the image definition: `TOOLCHAIN_TARGET_TASK:append = " kernel-devsrc"`, but I don't see how scripts such as fixdep or modpost (which should be built for the host arch) get included in the SDK.
Is rebuilding fixdep and modpost on the host machine after installing the Yocto SDK, and then building the out-of-tree kernel module, a correct approach?
Thanks, Fanzhe |
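The workflow the question describes (rebuild the host-side helpers, then build the module against the SDK's kernel-devsrc tree), written up as an added shell script; it is not from the post or from the Yocto Project and nobody on the thread has confirmed it. It assumes the SDK's environment-setup script has been sourced (so ARCH, CROSS_COMPILE and SDKTARGETSYSROOT are set), that kernel-devsrc landed at `$SDKTARGETSYSROOT/usr/src/kernel`, and that `make scripts prepare` in that tree is what rebuilds `scripts/basic/fixdep` and `scripts/mod/modpost` for the SDK host; the check for those two binaries is what decides whether that step has to run again.

```shell
#!/bin/sh
# Added example, not from the original post: build an out-of-tree kernel
# module against the kernel-devsrc tree that a Yocto SDK installs.
#
# Assumptions (not confirmed by the post):
#  - the SDK's environment-setup-* script has been sourced, so ARCH,
#    CROSS_COMPILE and SDKTARGETSYSROOT are set for the target;
#  - kernel-devsrc was pulled in with
#    TOOLCHAIN_TARGET_TASK:append = " kernel-devsrc"
#    and lives at $SDKTARGETSYSROOT/usr/src/kernel;
#  - the host-side helpers (scripts/basic/fixdep, scripts/mod/modpost) are
#    rebuilt for the SDK host with "make scripts prepare" before the first
#    module build; kernel-devsrc ships the sources for them, not binaries
#    usable on the SDK host.

# Returns 0 when the host-side kernel build helpers already exist in $1.
host_scripts_ready() {
    [ -x "$1/scripts/basic/fixdep" ] && [ -x "$1/scripts/mod/modpost" ]
}

# Returns 0 when $1 looks like a kernel source tree we can build against.
kernel_tree_ok() {
    [ -f "$1/Makefile" ] && [ -d "$1/scripts" ]
}

# Prepare the kernel tree in $1 once (only when the helpers are missing),
# then build the module sources in $2 against it with the cross toolchain
# taken from the environment (ARCH / CROSS_COMPILE from the SDK setup).
build_module() {
    ksrc="$1"; moddir="$2"
    kernel_tree_ok "$ksrc" || { echo "no kernel tree at $ksrc" >&2; return 1; }
    if ! host_scripts_ready "$ksrc"; then
        echo "rebuilding host-side kernel scripts in $ksrc" >&2
        make -C "$ksrc" scripts prepare || return 1
    fi
    make -C "$ksrc" M="$moddir" modules
}

# $1: module directory (default: current dir)
# $2: kernel tree (default: kernel-devsrc location inside the SDK sysroot)
main() {
    if [ -z "$SDKTARGETSYSROOT" ]; then
        echo "source the SDK environment-setup script first" >&2
        return 1
    fi
    moddir="${1:-$PWD}"
    ksrc="${2:-$SDKTARGETSYSROOT/usr/src/kernel}"
    build_module "$ksrc" "$moddir"
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Typical use after `source /opt/poky/*/environment-setup-*` is `sh build-module.sh /path/to/module`; the prepare step is skipped on every run after the first because fixdep and modpost are then present in the tree.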
|