After upgrading from Dunfell (YP 3.1) to Hardknott (YP 3.3), our
firmware was unable to boot.  Our target hardware is x86-64 booting in
legacy BIOS mode using grub on a variety of motherboards and CPUs.  The
grub menu would never show up; instead it would reboot immediately,
leading to an endless reboot loop.

I have two different workarounds.  Create a bbappend file for grub, and
do one of the following two things:

1) Add the following line:

CFLAGS_remove = "-O2"

2) Or make a patch to revert the following commit, and add it to SRC_URI:

https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4ea7bae51f97e49c84dc67ea30b466ca8633b9f6


NOTE: this commit fixes a CVE, so do not revert it without due
consideration.


Here is my upstream bug report:

https://savannah.gnu.org/bugs/index.php?60458


Is anyone else experiencing this problem?  I am wondering how it got
past Yocto QA.

Tony Battersby
Cybernetics

On 4/18/21 11:41 PM, liu.ming50@gmail.com wrote:

From: Ming Liu <ming.liu@toradex.com>

I have not forgotten about these. My build system is backlogged.

I hope to process these by this weekend.

-armin

Ming Liu (3):
ima-evm-keys: add file-checksums to IMA_EVM_X509
meta: drop IMA_POLICY from policy recipes
initramfs-framework-ima: introduce IMA_FORCE

.../initrdscripts/initramfs-framework-ima.bb | 5 +++++
.../initrdscripts/initramfs-framework-ima/ima | 9 +++++++--
.../recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | 1 +
.../ima-policy-appraise-all_1.0.bb | 9 ++-------
.../ima_policy_hashed/ima-policy-hashed_1.0.bb | 9 ++-------
.../ima_policy_simple/ima-policy-simple_1.0.bb | 9 ++-------
6 files changed, 19 insertions(+), 23 deletions(-)

I wonder what are all possible criteria for Bitbake to decide to skip recipe (please compare to reports delivered by bitbake-layers). Recipe overlay, recipe version, others? Which knowledge source to find more details in?

From: Yann Dirson <yann@blade-group.com>

This patch provides "standard" and "tiny" BSP.

There is still much work to be done in dispatching feature to individual
scc files - the more boards we can support the better it will get.
Not all SoC/board features are covered yet either (esp. Wifi/Bluetooth an=
d
audio jack), and properly-woking HDMI still needs patches.

Tiny is not fully testable by itself, it can be minimally booted with
serial console (though still missing CONFIG_MULTIUSER for serial getty,
and CONFIG_INOTIFY_USER for proper udev operation) using:

PREFERRED_PROVIDER_virtual/kernel =3D "linux-yocto-tiny"
KERNEL_FEATURES_append =3D "\
ktypes/base/base.scc \
features/debug/printk.scc \
cfg/fs/ext4.scc \
cfg/8250.scc \
"

Such a tiny build is still using mainline defconfig with lots of hardware
features, and the kernel can be slimmed down even more by using:

KBUILD_DEFCONFIG =3D ""

Kernel weight using default configurations:
- standard 11MB
- tiny 5MB
- tiny with no defconfig 2.5MB

Signed-off-by: Yann Dirson <yann@blade-group.com>
---
.../files/bsp/rockchip/nanopi-m4-standard.scc | 7 ++
.../files/bsp/rockchip/nanopi-m4-tiny.scc | 7 ++
.../linux/files/bsp/rockchip/nanopi-m4.cfg | 15 ++++
.../linux/files/bsp/rockchip/nanopi-m4.scc | 5 ++
.../linux/files/bsp/rockchip/rk3399.cfg | 71 +++++++++++++++++++
.../linux/files/bsp/rockchip/rk3399.scc | 5 ++
.../linux/files/bsp/rockchip/rockchip.cfg | 50 +++++++++++++
.../linux/files/bsp/rockchip/rockchip.scc | 6 ++
recipes-kernel/linux/linux-yocto%.bbappend | 6 ++
9 files changed, 172 insertions(+)
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-sta=
ndard.scc
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-tin=
y.scc
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/nanopi-m4.cfg
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/nanopi-m4.scc
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/rk3399.cfg
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/rk3399.scc
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/rockchip.cfg
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/rockchip.scc

diff --git a/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-standard.s=
cc b/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-standard.scc
new file mode 100644
index 0000000..5c74d6b
--- /dev/null
+++ b/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-standard.scc
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: MIT
+define KMACHINE nanopi-m4
+define KTYPE standard
+define KARCH arm
+
+include ktypes/standard/standard.scc
+include nanopi-m4.scc
diff --git a/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-tiny.scc b=
/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-tiny.scc
new file mode 100644
index 0000000..6e94d6a
--- /dev/null
+++ b/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-tiny.scc
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: MIT
+define KMACHINE nanopi-m4
+define KTYPE tiny
+define KARCH arm
+
+include ktypes/tiny/tiny.scc
+include nanopi-m4.scc
diff --git a/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4.cfg b/reci=
pes-kernel/linux/files/bsp/rockchip/nanopi-m4.cfg
new file mode 100644
index 0000000..7802ab3
--- /dev/null
+++ b/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4.cfg
@@ -0,0 +1,15 @@
+CONFIG_MFD_RK808=3Dy
+CONFIG_COMMON_CLK_RK808=3Dy
+
+CONFIG_REGULATOR_RK808=3Dy
+CONFIG_REGULATOR_FAN53555=3Dy
+
+CONFIG_MMC_BLOCK=3Dy
+CONFIG_PWRSEQ_SIMPLE=3Dy
+
+# RTL8211E
+CONFIG_REALTEK_PHY=3Dm
+
+# AP6356S
+CONFIG_BT_BCM=3Dm
+CONFIG_BT_HCIUART_BCM=3Dy
diff --git a/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4.scc b/reci=
pes-kernel/linux/files/bsp/rockchip/nanopi-m4.scc
new file mode 100644
index 0000000..f4267aa
--- /dev/null
+++ b/recipes-kernel/linux/files/bsp/rockchip/nanopi-m4.scc
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: MIT
+
+kconf hardware nanopi-m4.cfg
+
+include rk3399.scc
diff --git a/recipes-kernel/linux/files/bsp/rockchip/rk3399.cfg b/recipes=
-kernel/linux/files/bsp/rockchip/rk3399.cfg
new file mode 100644
index 0000000..f5f2909
--- /dev/null
+++ b/recipes-kernel/linux/files/bsp/rockchip/rk3399.cfg
@@ -0,0 +1,71 @@
+# A72 errata, all past revisions
+CONFIG_ARM64_ERRATUM_1319367=3Dy
+# A53 errata, all patched on boot when needed
+CONFIG_ARM64_ERRATUM_826319=3Dy
+CONFIG_ARM64_ERRATUM_827319=3Dy
+CONFIG_ARM64_ERRATUM_824069=3Dy
+CONFIG_ARM64_ERRATUM_819472=3Dy
+
+# cru
+CONFIG_CLK_RK3399=3Dy
+
+CONFIG_PL330_DMA=3Dy
+CONFIG_I2C_RK3X=3Dy
+CONFIG_SERIAL_8250_DW=3Dy
+
+# usb
+CONFIG_PHY_ROCKCHIP_INNO_USB2=3Dy
+CONFIG_PHY_ROCKCHIP_TYPEC=3Dy
+
+# ethernet
+CONFIG_NET_VENDOR_STMICRO=3Dy
+CONFIG_STMMAC_ETH=3Dm
+CONFIG_STMMAC_PLATFORM=3Dm
+CONFIG_DWMAC_ROCKCHIP=3Dm
+CONFIG_PHYLIB=3Dm
+
+# display
+CONFIG_ROCKCHIP_DW_HDMI=3Dy
+CONFIG_ROCKCHIP_DW_MIPI_DSI=3Dy
+CONFIG_ROCKCHIP_ANALOGIX_DP=3Dy
+CONFIG_ROCKCHIP_CDN_DP=3Dy
+CONFIG_PHY_ROCKCHIP_DP=3Dy
+CONFIG_DRM_DW_HDMI=3Dm
+CONFIG_DRM_DW_HDMI_I2S_AUDIO=3Dm
+CONFIG_DRM_DW_HDMI_CEC=3Dm
+CONFIG_DRM_DW_MIPI_DSI=3Dm
+CONFIG_DRM_PANFROST=3Dm
+
+# HDMI audio
+CONFIG_DRM_DW_HDMI_AHB_AUDIO=3Dm
+CONFIG_SND_SOC_RK3288_HDMI_ANALOG=3Dm
+
+CONFIG_VIDEO_DEV=3Dm
+CONFIG_V4L_MEM2MEM_DRIVERS=3Dy
+CONFIG_VIDEO_ROCKCHIP_RGA=3Dm
+
+CONFIG_V4L2_H264=3Dm
+CONFIG_MEDIA_CONTROLLER_REQUEST_API=3Dy
+CONFIG_VIDEO_HANTRO=3Dm
+CONFIG_VIDEO_HANTRO_ROCKCHIP=3Dy
+CONFIG_VIDEO_ROCKCHIP_VDEC=3Dm
+
+# usb
+CONFIG_USB_DWC2=3Dy
+CONFIG_USB_DWC3=3Dy
+CONFIG_USB_DWC3_DUAL_ROLE=3Dy
+
+# sd/mmc
+CONFIG_MMC=3Dy
+CONFIG_MMC_SDHCI=3Dy
+CONFIG_MMC_SDHCI_PLTFM=3Dy
+CONFIG_MMC_DW=3Dy
+CONFIG_MMC_DW_ROCKCHIP=3Dy
+CONFIG_MMC_SDHCI_OF_ARASAN=3Dy
+
+# temperature sensors
+CONFIG_THERMAL=3Dy
+CONFIG_THERMAL_OF=3Dy
+CONFIG_ROCKCHIP_THERMAL=3Dm
+CONFIG_IIO=3Dy
+CONFIG_ROCKCHIP_SARADC=3Dm
diff --git a/recipes-kernel/linux/files/bsp/rockchip/rk3399.scc b/recipes=
-kernel/linux/files/bsp/rockchip/rk3399.scc
new file mode 100644
index 0000000..9b1a88e
--- /dev/null
+++ b/recipes-kernel/linux/files/bsp/rockchip/rk3399.scc
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: MIT
+
+kconf hardware rk3399.cfg
+
+include rockchip.scc
diff --git a/recipes-kernel/linux/files/bsp/rockchip/rockchip.cfg b/recip=
es-kernel/linux/files/bsp/rockchip/rockchip.cfg
new file mode 100644
index 0000000..05a397d
--- /dev/null
+++ b/recipes-kernel/linux/files/bsp/rockchip/rockchip.cfg
@@ -0,0 +1,50 @@
+CONFIG_CPU_ISOLATION=3Dy
+CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=3Dy
+CONFIG_HZ_250=3Dy
+CONFIG_CPU_IDLE=3Dy
+CONFIG_ARM_CPUIDLE=3Dy
+
+CONFIG_ARCH_ROCKCHIP=3Dy
+CONFIG_COMMON_CLK_ROCKCHIP=3Dy
+CONFIG_REGULATOR=3Dy
+CONFIG_REGULATOR_FIXED_VOLTAGE=3Dy
+CONFIG_REGULATOR_PWM=3Dy
+CONFIG_I2C=3Dy
+CONFIG_FW_LOADER=3Dy
+CONFIG_PHY_ROCKCHIP_EMMC=3Dy
+CONFIG_PINCTRL=3Dy
+CONFIG_PINCTRL_ROCKCHIP=3Dy
+CONFIG_ROCKCHIP_IODOMAIN=3Dy
+CONFIG_ROCKCHIP_PM_DOMAINS=3Dy
+
+CONFIG_SPI=3Dy
+CONFIG_SPI_ROCKCHIP=3Dm
+
+CONFIG_PWM=3Dy
+CONFIG_PWM_ROCKCHIP=3Dy
+
+CONFIG_DRM_KMS_HELPER=3Dm
+CONFIG_DRM_FBDEV_EMULATION=3Dy
+CONFIG_ROCKCHIP_IOMMU=3Dy
+CONFIG_DRM_ROCKCHIP=3Dm
+CONFIG_DRM_BRIDGE=3Dy
+
+CONFIG_SND=3Dy
+CONFIG_SND_SOC=3Dy
+CONFIG_SND_HDA_CODEC_HDMI=3Dm
+CONFIG_SND_SOC_ROCKCHIP=3Dm
+CONFIG_SND_SOC_ROCKCHIP_I2S=3Dm
+CONFIG_SND_SOC_ROCKCHIP_SPDIF=3Dm
+
+CONFIG_NVMEM=3Dy
+CONFIG_ROCKCHIP_EFUSE=3Dm
+
+CONFIG_CPU_FREQ=3Dy
+CONFIG_CPU_FREQ_THERMAL=3Dy
+CONFIG_HWMON=3Dy
+CONFIG_THERMAL_HWMON=3Dy
+
+CONFIG_CRYPTO_HW=3Dy
+CONFIG_CRYPTO_DEV_ROCKCHIP=3Dm
+
+CONFIG_MMC_BLOCK_MINORS=3D32
diff --git a/recipes-kernel/linux/files/bsp/rockchip/rockchip.scc b/recip=
es-kernel/linux/files/bsp/rockchip/rockchip.scc
new file mode 100644
index 0000000..800f105
--- /dev/null
+++ b/recipes-kernel/linux/files/bsp/rockchip/rockchip.scc
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: MIT
+
+kconf hardware rockchip.cfg
+
+include cfg/dmaengine.scc
+include features/mmc/mmc-block.cfg
diff --git a/recipes-kernel/linux/linux-yocto%.bbappend b/recipes-kernel/=
linux/linux-yocto%.bbappend
index 7702e3f..9658681 100644
--- a/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/recipes-kernel/linux/linux-yocto%.bbappend
@@ -1,3 +1,9 @@
+FILESEXTRAPATHS_prepend :=3D "${THISDIR}/files:"
+
+SRC_URI_append =3D "\
+ file://bsp;type=3Dkmeta;subdir=3Dkernel-meta \
+"
+
COMPATIBLE_MACHINE_marsboard-rk3066 =3D "marsboard-rk3066"
COMPATIBLE_MACHINE_rock2-square =3D "rock2-square"
COMPATIBLE_MACHINE_radxarock =3D "radxarock"
--=20
2.30.2

From: Yann Dirson <yann@blade-group.com>

Signed-off-by: Yann Dirson <yann@blade-group.com>
---
conf/machine/include/nanopi-m4.inc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/conf/machine/include/nanopi-m4.inc b/conf/machine/include/na=
nopi-m4.inc
index 603160f..a14b705 100644
--- a/conf/machine/include/nanopi-m4.inc
+++ b/conf/machine/include/nanopi-m4.inc
@@ -3,6 +3,8 @@
=20
require rk3399.inc
=20
+MACHINE_FEATURES +=3D "usbhost serial"
+
KMACHINE =3D "nanopi-m4"
KERNEL_DEVICETREE =3D "rockchip/rk3399-nanopi-m4.dtb"
=20
--=20
2.30.2

From: Yann Dirson <yann@blade-group.com>

This will allow us to define a single set of kernel BSP for all
variants of the board (which only need to differ in u-boot dts).

Signed-off-by: Yann Dirson <yann@blade-group.com>
---
conf/machine/include/nanopi-m4.inc | 1 +
1 file changed, 1 insertion(+)

diff --git a/conf/machine/include/nanopi-m4.inc b/conf/machine/include/na=
nopi-m4.inc
index 74cdae8..603160f 100644
--- a/conf/machine/include/nanopi-m4.inc
+++ b/conf/machine/include/nanopi-m4.inc
@@ -3,6 +3,7 @@
=20
require rk3399.inc
=20
+KMACHINE =3D "nanopi-m4"
KERNEL_DEVICETREE =3D "rockchip/rk3399-nanopi-m4.dtb"
=20
RK_BOOT_DEVICE =3D "mmcblk1"
--=20
2.30.2

From: Yann Dirson <yann@blade-group.com>

Changes in v4:
- install our bsp files in bsp/rockchip/ rather than directly in bsp/
- also add "serial" to MACHINE_FEATURES

Changes in v3:
- relocate the bsp files into files/ so we don't have to add linux-yocto/
to FILESEXTRAPATHS for all other kernels
- removed the "don't force KCONFIG_MODE to alldefconfig" (not needed fina=
lly,
and causing interferences in default setup)
- add "usbhost" to MACHINE_FEATURES to enable lsusb and friends
- better hardware coverage (though still no wifi/bt/audio, and buggy hdmi=
)

The Wifi/BT support requires firmware, to be properly packaged; BT
support itself is still buggy in mainline; audio jack requires a
couple of patches; HDMI requires at the very least a DTS patch, and
LibreELEC maintains a "latest and greatest" DRM patchset, but it can
conflicts with some patches in default kmeta.

Yann Dirson (3):
NanoPi-M4: let all variants use the same KMACHINE type
NanoPi-M4: declare "usbhost" and "serial" in MACHINE_FEATURES
linux-yocto: add an initial NanoPi-M4 BSP

conf/machine/include/nanopi-m4.inc | 3 +
.../files/bsp/rockchip/nanopi-m4-standard.scc | 7 ++
.../files/bsp/rockchip/nanopi-m4-tiny.scc | 7 ++
.../linux/files/bsp/rockchip/nanopi-m4.cfg | 15 ++++
.../linux/files/bsp/rockchip/nanopi-m4.scc | 5 ++
.../linux/files/bsp/rockchip/rk3399.cfg | 71 +++++++++++++++++++
.../linux/files/bsp/rockchip/rk3399.scc | 5 ++
.../linux/files/bsp/rockchip/rockchip.cfg | 50 +++++++++++++
.../linux/files/bsp/rockchip/rockchip.scc | 6 ++
recipes-kernel/linux/linux-yocto%.bbappend | 6 ++
10 files changed, 175 insertions(+)
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-sta=
ndard.scc
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/nanopi-m4-tin=
y.scc
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/nanopi-m4.cfg
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/nanopi-m4.scc
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/rk3399.cfg
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/rk3399.scc
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/rockchip.cfg
create mode 100644 recipes-kernel/linux/files/bsp/rockchip/rockchip.scc

--=20
2.30.2

Hi Martin,

On Mon, Apr 26, 2021 at 12:41:18PM +0000, Martin Hollingsworth wrote:

Hello community,

I am looking for a best practice / a simple solution for switching the SRCREV in a bitbake recipe between git master HEAD (default, used in nightly builds) and a tagged release version (needed for a reproducible release config).

Look how swupdate recipes are done in meta-swupdate:
https://github.com/sbabic/meta-swupdate/tree/master/recipes-support/swupdate

Basically all variants include the .inc file where everything in common is
specified.

Then the git recipe would point to your git master HEAD (I guess you\re
using AUTOREV mechanism?) and the point releases are e.g. foo_1.5.0.bb
where you put a given SRCREV only (or even a tarball if you want).

In the git recipe, add:

DEFAULT_PREFERENCE = "-1"

This means it'll never be preferred to other recipes (if there are
others).

For your nightly builds, you put PREFERRED_VERSION_foo = "git" in
local.conf and you should be good to go (don't add it for release builds
obviously :) ).

Hope that helps,
Cheers,
Quentin

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
recipes-security/libseccomp/files/run-ptest | 4 --
.../libseccomp/libseccomp_2.5.1.bb | 47 -------------------
2 files changed, 51 deletions(-)
delete mode 100644 recipes-security/libseccomp/files/run-ptest
delete mode 100644 recipes-security/libseccomp/libseccomp_2.5.1.bb

diff --git a/recipes-security/libseccomp/files/run-ptest b/recipes-security/libseccomp/files/run-ptest
deleted file mode 100644
index 54b4a63..0000000
--- a/recipes-security/libseccomp/files/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-cd tests
-./regression -a
diff --git a/recipes-security/libseccomp/libseccomp_2.5.1.bb b/recipes-security/libseccomp/libseccomp_2.5.1.bb
deleted file mode 100644
index 40ac1a8..0000000
--- a/recipes-security/libseccomp/libseccomp_2.5.1.bb
+++ /dev/null
@@ -1,47 +0,0 @@
-SUMMARY = "interface to seccomp filtering mechanism"
-DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp."
-SECTION = "security"
-LICENSE = "LGPL-2.1"
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-
-DEPENDS += "gperf-native"
-
-SRCREV = "4bf70431a339a2886ab8c82e9a45378f30c6e6c7"
-
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \
- file://run-ptest \
- "
-
-COMPATIBLE_HOST_riscv32 = "null"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep pkgconfig ptest
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python3"
-
-DISABLE_STATIC = ""
-
-do_compile_ptest() {
- oe_runmake -C tests check-build
-}
-
-do_install_ptest() {
- install -d ${D}${PTEST_PATH}/tests
- install -d ${D}${PTEST_PATH}/tools
- for file in $(find tests/* -executable -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
- done
- for file in $(find tests/*.tests -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
- done
- for file in $(find tools/* -executable -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools
- done
-}
-
-FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
-FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
-
-RDEPENDS_${PN}-ptest = "coreutils bash"
--
2.25.1

Hi Konstantin,

On Mon, Apr 26, 2021 at 01:45:30PM +0300, Konstantin Aladyshev wrote:

I'm using the OpenBMC system (https://github.com/openbmc/openbmc) and
I've tried to enable AppArmor functionality from the 'meta-security'
layer.

To achieve this I've added these strings to my local.conf file:
DISTRO_FEATURES_append = " apparmor"
IMAGE_INSTALL += "apparmor"

The AppArmor functionality was installed to my image, but
unfortunately I've come to this issue:

kernel: AppArmor: AppArmor initialized
kernel: AppArmor: AppArmor Filesystem Enabled
kernel: AppArmor: AppArmor sha1 policy hashing enabled
systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
-SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT
-GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN
-PCRE2 default-hierarchy=hybrid)
systemd[1]: Starting AppArmor initialization...
apparmor[113]: Starting AppArmor profiles
apparmor[128]: xargs: invalid option -- 'd'

Busybox implementation of xargs does not support specifying a delimiter.

I suggest you to install the full-featured xargs which is provided by
the findutils recipe.

You probably need to disable xargs Busybox implementation otherwise
there'll be a conflict (you'll know, Yocto won't create the image).

Cheers,
Quentin

I'm using the OpenBMC system (https://github.com/openbmc/openbmc) and
I've tried to enable AppArmor functionality from the 'meta-security'
layer.

To achieve this I've added these strings to my local.conf file:
DISTRO_FEATURES_append = " apparmor"
IMAGE_INSTALL += "apparmor"

The AppArmor functionality was installed to my image, but
unfortunately I've come to this issue:

kernel: AppArmor: AppArmor initialized
kernel: AppArmor: AppArmor Filesystem Enabled
kernel: AppArmor: AppArmor sha1 policy hashing enabled
systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
-SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT
-GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN
-PCRE2 default-hierarchy=hybrid)
systemd[1]: Starting AppArmor initialization...
apparmor[113]: Starting AppArmor profiles
apparmor[128]: xargs: invalid option -- 'd'
apparmor[128]: BusyBox v1.33.0 (2021-04-01 10:05:19 UTC) multi-call binary.
apparmor[128]: Usage: xargs [OPTIONS] [PROG ARGS]
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
...
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
apparmor[138]: xargs: invalid option -- 'd'
apparmor[138]: BusyBox v1.33.0 (2021-04-01 10:05:19 UTC) multi-call binary.
apparmor[138]: Usage: xargs [OPTIONS] [PROG ARGS]
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
...
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
apparmor[113]: failed!
systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: apparmor.service: Failed with result 'exit-code'.
systemd[1]: Failed to start AppArmor initialization.
dbus-broker-launch[152]: AppArmor enabled, but not supported. Ignoring.


From the way I see it the problems start from this output:
xargs: invalid option -- 'd'

This error comes from a fact that `xargs` from the `busybox` doesn't
have the `-d` option
(https://git.busybox.net/busybox/tree/findutils/xargs.c)
but this functionality is used in the file:
https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/recipes-mac/AppArmor/files/functions

Once I've discovered it, I started to wonder if I'm doing everything correctly.
Is my issue a simple bug, or AppArmor is not supposed to be run in an
environment like mine?

Best regards,
Konstantin Aladyshev

I'm using the OpenBMC system (https://github.com/openbmc/openbmc) and
I've tried to enable AppArmor functionality from the 'meta-security'
layer.

To achieve this I've added these strings to my local.conf file:
DISTRO_FEATURES_append = " apparmor"
IMAGE_INSTALL += "apparmor"

The AppArmor functionality was installed to my image, but
unfortunately I've come to this issue:

kernel: AppArmor: AppArmor initialized
kernel: AppArmor: AppArmor Filesystem Enabled
kernel: AppArmor: AppArmor sha1 policy hashing enabled
systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
-SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT
-GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN
-PCRE2 default-hierarchy=hybrid)
systemd[1]: Starting AppArmor initialization...
apparmor[113]: Starting AppArmor profiles
apparmor[128]: xargs: invalid option -- 'd'
apparmor[128]: BusyBox v1.33.0 (2021-04-01 10:05:19 UTC) multi-call binary.
apparmor[128]: Usage: xargs [OPTIONS] [PROG ARGS]
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
...
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
apparmor[138]: xargs: invalid option -- 'd'
apparmor[138]: BusyBox v1.33.0 (2021-04-01 10:05:19 UTC) multi-call binary.
apparmor[138]: Usage: xargs [OPTIONS] [PROG ARGS]
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
...
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
apparmor[113]: failed!
systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: apparmor.service: Failed with result 'exit-code'.
systemd[1]: Failed to start AppArmor initialization.
dbus-broker-launch[152]: AppArmor enabled, but not supported. Ignoring.


From the way I see it the problems start from this output:
xargs: invalid option -- 'd'

This error comes from a fact that `xargs` from the `busybox` doesn't
have the `-d` option
(https://git.busybox.net/busybox/tree/findutils/xargs.c)
but this functionality is used in the file:
https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/recipes-mac/AppArmor/files/functions

Once I've discovered it, I started to wonder if I'm doing everything correctly.
Is my issue a simple bug, or AppArmor is not supposed to be run in an
environment like mine?

Best regards,
Konstantin Aladyshev

On 2021-04-15 9:52 a.m., Richard Purdie wrote:

[Please note: This e-mail is from an EXTERNAL e-mail address]

On Tue, 2021-04-13 at 13:02 -0400, sakib.sajal@windriver.com wrote:

collect-data template can run arbitrary commands/scripts
on a regular basis and logs the output in a file.

See oe-core for more details:
edb7098e9e buildstats.bbclass: add functionality to collect build system stats

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
---
config.json | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/config.json b/config.json
index 5bfa240..c43d231 100644
--- a/config.json
+++ b/config.json
@@ -87,6 +87,13 @@
"SANITYTARGETS" : "core-image-full-cmdline:do_testimage core-image-sato:do_testimage core-image-sato-sdk:do_testimage"
}
},
+ "collect-data" : {
+ "extravars" : [
+ "BB_HEARTBEAT_EVENT = '10'",
+ "BB_LOG_HOST_STAT_ON_INTERVAL = '1'",
+ "BB_LOG_HOST_STAT_CMDS = 'oe-time-dd-test.sh 100'"
+ ]
+ },

Is the template used anywhere? I can't remember if we support nesting templates in which
case this is useful, or not?

Cheers,

Richard

The template is not used anywhere, yet, the initial patchset enables the data collection by default.

I have left the template in case the data collection is removed from defaults and need to be used on a case by case basis.

I am not entirely sure if nesting templates work. I have not seen any examples of it, neither did i try it myself. If nesting does work, the template should be useful.

Sakib

I added a custom layer and under recipes-kernel I try to apply kernel config fragments:

└[~]> cat poky/meta-insidem2m/recipes-kernel/linux/linux-yocto_5.10.bbappend 

FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

SRC_URI += "\

    file://wext.cfg \

file://at24.cfg \

file://leds.cfg \

    file://usb.cfg \ 

    file://keyspan.cfg \ 

    file://00-leds.patch \

"

Works fine. So far.
Today i added wext.cfg and the file itself is found among the other in 

poky/build/tmp/work/beaglebone_yocto-poky-linux-gnueabi/linux-yocto/5.10.12+gitAUTOINC+67e74d52f2_cdca787784-r0
but its content is not applied to the .config.


wext.cfg has this content:

└[~]> cat poky/meta-insidem2m/recipes-kernel/linux/linux-yocto/wext.cfg                                                 

CONFIG_WIRELESS_EXT=y

CONFIG_WEXT_CORE=y

CONFIG_WEXT_PROC=y

I don't see a dependency missing, 
if I test the so far .config in two fresh linux trees, do make menuconfig in both and do this again in one tree and add then CONFIG_WIRELESS_EXT in one tree with make menucinfug I get the following diff:

└[~]> diff -Nur a/.config b/.config

--- a/.config 2021-04-26 15:16:24.425877434 +0200

+++ b/.config 2021-04-26 15:15:42.797926593 +0200

@@ -1222,7 +1222,9 @@

 # CONFIG_AF_KCM is not set

 CONFIG_FIB_RULES=y

 CONFIG_WIRELESS=y

-# CONFIG_WIRELESS_EXT is not set

+CONFIG_WIRELESS_EXT=y

+CONFIG_WEXT_CORE=y

+CONFIG_WEXT_PROC=y

 # CONFIG_WEXT_SPY is not set

 # CONFIG_WEXT_PRIV is not set

 

 CONFIG_CFG80211=y

Does somebody have a hint what's going on here? As said the other fragments are properly applied...

 

create mode 100644 recipes-kernel/linux/files/bsp/nanopi-m4-standard.scc
create mode 100644 recipes-kernel/linux/files/bsp/nanopi-m4-tiny.scc
create mode 100644 recipes-kernel/linux/files/bsp/nanopi-m4.cfg
create mode 100644 recipes-kernel/linux/files/bsp/nanopi-m4.scc
create mode 100644 recipes-kernel/linux/files/bsp/rk3399.cfg
create mode 100644 recipes-kernel/linux/files/bsp/rk3399.scc
create mode 100644 recipes-kernel/linux/files/bsp/rockchip.cfg
create mode 100644 recipes-kernel/linux/files/bsp/rockchip.scc

Ah, I forgot to put all of this in a bsp/rockchip/ dir, will reroll.

Le ven. 23 avr. 2021 à 19:19, Joshua Watt <jpewhacker@gmail.com> a écrit :

On 4/23/21 11:58 AM, Yann Dirson wrote:

From: Yann Dirson <yann@blade-group.com>

Changes from v2:
- turn the DISTRO_FEATURE idea into separate RFC patches so as to allow
merging of basic support
- remove optee-os patch that proved unnecessary

Changes from v1:
- fix last-minute typo in TFA_SPD setting, which led to optee not being started
- use PACKAGECONFIG[optee] to simplify recipes as suggested on meta-arm ml

Yann Dirson (7):
trusted-firmware-a: include optee support when requested by
DISTRO_FEATURE
u-boot: include optee-os as BL32 when requested by DISTRO_FEATURE
optee-os: enable rk3399 support, including serial console support
RFC optee: new "optee" DISTRO_FEATURE to enable optee-os integration
RFC: optee: only enable the recipes when "optee" is included in
DISTRO_FEATURES
WIP nanopi-m4: declare OP-TEE presence in devicetree
WIP kernel config feature for OP-TEE activation

In general, it seems like a lot of these changes should be in the upstream recipes, not the meta-rockchip bbappends.

Generally speaking, I'd say yes, and it would be great if we are able
to do that. But from what I've seen of op-tee integration,
it looks like vendor platforms usually have different ways of integrating it.

Eg. for tf-a, meta-ti does something completely custom, see
https://git.yoctoproject.org/cgit/cgit.cgi/meta-ti/tree/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%25.bbappend

I'd think it would make sense to integrate something in meta-arm, if
more than one platform uses it,
or possibly if this is the "right way do do things that everyone
should use going forward".

Also, the things that do belong in this layer need proper variable overrides to keep the layer (mostly) Yocto project compliant.

After a quick review I can only see the optee patch in 3/7, do I miss
anything else ?
For this particular case, it did not seem crucial to restrict it,
especially as the patch has been applied upstream. But
sure it wouldn't hurt to make it rk3399-conditional.

conf/machine/include/rk3399.inc | 2 +
.../trusted-firmware-a_%.bbappend | 14 +++++
recipes-bsp/u-boot/u-boot%.bbappend | 9 ++++
.../0001-nanopi-declare-optee-presence.patch | 30 +++++++++++
recipes-kernel/linux/files/bsp/tee.cfg | 2 +
recipes-kernel/linux/linux-yocto%.bbappend | 1 +
...399-enable-serial-console-by-default.patch | 52 +++++++++++++++++++
recipes-security/optee/optee%.bbappend | 4 ++
recipes-security/optee/optee-os_%.bbappend | 8 +++
9 files changed, 122 insertions(+)
create mode 100644 recipes-kernel/linux/files/0001-nanopi-declare-optee-presence.patch
create mode 100644 recipes-kernel/linux/files/bsp/tee.cfg
create mode 100644 recipes-security/optee/files/0001-rk3399-enable-serial-console-by-default.patch
create mode 100644 recipes-security/optee/optee%.bbappend
create mode 100644 recipes-security/optee/optee-os_%.bbappend

--
Yann Dirson <yann@blade-group.com>
Blade / Shadow -- http://shadow.tech

OE-Core rev: fd1c26ab426c3699ffd8082b83d65a84c8eb8bff added an
additional parameter, tmpfsdir, to the API. This caused testimage to no
longer work in meta-zephyr. Add that parameter and everything is happy
now.

Signed-off-by: Jon Mason <jon.mason@arm.com>
---
lib/oeqa/controllers/zephyrtargetcontrol.py | 6 +++---
lib/oeqa/utils/qemuzephyrrunner.py | 8 ++++++--
2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/lib/oeqa/controllers/zephyrtargetcontrol.py b/lib/oeqa/controllers/zephyrtargetcontrol.py
index 8e94cb53673d..1dd7fd22543f 100644
--- a/lib/oeqa/controllers/zephyrtargetcontrol.py
+++ b/lib/oeqa/controllers/zephyrtargetcontrol.py
@@ -14,8 +14,8 @@ class QemuTargetZephyr(OETarget):
def __init__(self, logger, ip, server_ip,
machine='', rootfs='', tmpdir ='',dir_image ='',display=None,
kernel='',boottime=60,bootlog='',kvm=False,slirp=False,
- dump_dir='',serial_ports=0,ovmf=None,target_modules_path='',powercontrol_cmd='',powercontrol_extra_args='',
- serialcontrol_cmd=None,serialcontrol_extra_args='',testimage_dump_target='' ):
+ dump_dir='',serial_ports=0,ovmf=None,tmpfsdir='' ,target_modules_path='',powercontrol_cmd='',powercontrol_extra_args='',
+ serialcontrol_cmd=None,serialcontrol_extra_args='',testimage_dump_target=''):

timeout = 300
user = 'root'
@@ -48,7 +48,7 @@ class QemuTargetZephyr(OETarget):
logfile=self.qemulog, boottime=boottime,
use_kvm=kvm, dump_dir=dump_dir,
dump_host_cmds=dump_host_cmds,
- logger = logger)
+ logger = logger, tmpfsdir=tmpfsdir)


def start(self, params=None, runqemuparams=None, extra_bootparams=None):
diff --git a/lib/oeqa/utils/qemuzephyrrunner.py b/lib/oeqa/utils/qemuzephyrrunner.py
index 0308f1e50e29..e8a1bd4544cf 100644
--- a/lib/oeqa/utils/qemuzephyrrunner.py
+++ b/lib/oeqa/utils/qemuzephyrrunner.py
@@ -18,11 +18,12 @@ from oeqa.utils.qemurunner import QemuRunner

class QemuZephyrRunner(QemuRunner):

- def __init__(self, machine, rootfs, display, tmpdir, deploy_dir_image, logfile, boottime, dump_dir, dump_host_cmds, use_kvm, logger):
+ def __init__(self, machine, rootfs, display, tmpdir, deploy_dir_image, logfile, boottime, dump_dir, dump_host_cmds, use_kvm, logger, tmpfsdir):
+

QemuRunner.__init__(self, machine, rootfs, display, tmpdir,
deploy_dir_image, logfile, boottime, None,
- None, use_kvm, logger)
+ None, use_kvm, logger, tmpfsdir)

# Popen object for runqemu
self.socketfile = tempfile.NamedTemporaryFile()
@@ -32,6 +33,7 @@ class QemuZephyrRunner(QemuRunner):

self.kernel = rootfs
self.deploy_dir_image = deploy_dir_image
+ self.tmpfsdir = tmpfsdir
self.logfile = logfile
self.use_kvm = use_kvm

@@ -73,6 +75,8 @@ class QemuZephyrRunner(QemuRunner):
return False
else:
os.environ["DEPLOY_DIR_IMAGE"] = self.deploy_dir_image
+ if self.tmpfsdir:
+ env["RUNQEMU_TMPFS_DIR"] = self.tmpfsdir

if not os.path.exists(self.kernel):
bb.error("Invalid kernel path: %s" % self.kernel)
--
2.20.1

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...Makefile-drop-running-scrips-install.patch | 37 +++
.../0002-Makefile-don-t-set-uid-gid.patch | 251 ++++++++++++++++++
recipes-ids/ossec/ossec-hids_3.6.0.bb | 161 +++++++++++
3 files changed, 449 insertions(+)
create mode 100644 recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch
create mode 100644 recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch
create mode 100644 recipes-ids/ossec/ossec-hids_3.6.0.bb

diff --git a/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch b/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch
new file mode 100644
index 0000000..08e018f
--- /dev/null
+++ b/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch
@@ -0,0 +1,37 @@
+From b948d36a8ca8e04794381f0f6eba29daf7e3fd01 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 21 Apr 2021 00:56:53 +0000
+Subject: [PATCH 1/2] Makefile: drop running scrips @ install
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ src/Makefile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index 06a7094c..dfb8cb58 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -409,7 +409,6 @@ install-hybrid: install-server-generic
+ install-server: install-server-generic
+
+ install-common: build
+- ./init/adduser.sh ${OSSEC_USER} ${OSSEC_USER_MAIL} ${OSSEC_USER_REM} ${OSSEC_GROUP} ${PREFIX}
+ $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/
+ $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs
+ $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/ossec.log
+@@ -485,9 +484,6 @@ endif
+ $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/var
+ $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/var/run
+
+- ./init/fw-check.sh execute
+-
+-
+
+ install-server-generic: install-common
+ $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/active-responses.log
+--
+2.25.1
+
diff --git a/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch b/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch
new file mode 100644
index 0000000..d5e3403
--- /dev/null
+++ b/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch
@@ -0,0 +1,251 @@
+From d9ec907881b72d42b4918f7cfb46516ce8e77772 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Sat, 24 Apr 2021 23:07:29 +0000
+Subject: [PATCH 2/2] Makefile: don't set uid/gid
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ src/Makefile | 166 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 83 insertions(+), 83 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index dfb8cb58..a4d69ef6 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -21,7 +21,7 @@ OSSEC_USER?=ossec
+ OSSEC_USER_MAIL?=ossecm
+ OSSEC_USER_REM?=ossecr
+
+-INSTALL_CMD?=install -m $(1) -o $(2) -g $(3)
++INSTALL_CMD?=install -m $(1)
+ INSTALL_LOCALTIME?=yes
+ INSTALL_RESOLVCONF?=yes
+
+@@ -397,10 +397,10 @@ endif
+ install: install-${TARGET}
+
+ install-agent: install-common
+- $(call INSTALL_CMD,0550,root,0) ossec-agentd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) agent-auth ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-agentd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) agent-auth ${PREFIX}/bin
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rids
+
+ install-local: install-server-generic
+
+@@ -409,129 +409,129 @@ install-hybrid: install-server-generic
+ install-server: install-server-generic
+
+ install-common: build
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs
+- $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/ossec.log
+-
+- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-logcollector ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-syscheckd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-execd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) manage_agents ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ../contrib/util.sh ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs
++ $(call INSTALL_CMD,0660) /dev/null ${PREFIX}/logs/ossec.log
++
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-logcollector ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-syscheckd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-execd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) manage_agents ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ../contrib/util.sh ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control
+
+ ifeq (${LUA_ENABLE},yes)
+- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua
+- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/native
+- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/compiled
+- $(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/lua
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/lua/native
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/lua/compiled
++ $(call INSTALL_CMD,0550) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/
+ endif
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/queue
+- $(call INSTALL_CMD,0770,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/alerts
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/ossec
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/syscheck
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/diff
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/queue
++ $(call INSTALL_CMD,0770) -d ${PREFIX}/queue/alerts
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/ossec
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/syscheck
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/diff
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/etc
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/etc
+ ifeq (${INSTALL_LOCALTIME},yes)
+- $(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/localtime ${PREFIX}/etc
++ $(call INSTALL_CMD,0440) /etc/localtime ${PREFIX}/etc
+ endif
+ ifeq (${INSTALL_RESOLVCONF},yes)
+- $(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/resolv.conf ${PREFIX}/etc
++ $(call INSTALL_CMD,0440) /etc/resolv.conf ${PREFIX}/etc
+ endif
+
+- $(call INSTALL_CMD,1550,root,${OSSEC_GROUP}) -d ${PREFIX}/tmp
++ $(call INSTALL_CMD,1550) -d ${PREFIX}/tmp
+
+ ifneq (,$(wildcard /etc/TIMEZONE))
+- $(call INSTALL_CMD,440,root,${OSSEC_GROUP}) /etc/TIMEZONE ${PREFIX}/etc/
++ $(call INSTALL_CMD,440) /etc/TIMEZONE ${PREFIX}/etc/
+ endif
+ # Solaris Needs some extra files
+ ifeq (${uname_S},SunOS)
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/usr/share/lib/zoneinfo/
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/usr/share/lib/zoneinfo/
+ cp -r /usr/share/lib/zoneinfo/* ${PREFIX}/usr/share/lib/zoneinfo/
+ endif
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/internal_options.conf ${PREFIX}/etc/
++ $(call INSTALL_CMD,0640) -b ../etc/internal_options.conf ${PREFIX}/etc/
+ ifeq (,$(wildcard ${PREFIX}/etc/local_internal_options.conf))
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
++ $(call INSTALL_CMD,0640) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
+ endif
+ ifeq (,$(wildcard ${PREFIX}/etc/client.keys))
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) /dev/null ${PREFIX}/etc/client.keys
++ $(call INSTALL_CMD,0640) /dev/null ${PREFIX}/etc/client.keys
+ endif
+ ifeq (,$(wildcard ${PREFIX}/etc/ossec.conf))
+ ifneq (,$(wildcard ../etc/ossec.mc))
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
++ $(call INSTALL_CMD,0640) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
+ else
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
++ $(call INSTALL_CMD,0640) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
+ endif
+ endif
+
+- $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/etc/shared
+- $(call INSTALL_CMD,0640,${OSSEC_USER},${OSSEC_GROUP}) rootcheck/db/*.txt ${PREFIX}/etc/shared/
++ $(call INSTALL_CMD,0770) -d ${PREFIX}/etc/shared
++ $(call INSTALL_CMD,0640) rootcheck/db/*.txt ${PREFIX}/etc/shared/
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response/bin
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/agentless
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) agentlessd/scripts/* ${PREFIX}/agentless/
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/active-response
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/active-response/bin
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/agentless
++ $(call INSTALL_CMD,0550) agentlessd/scripts/* ${PREFIX}/agentless/
+
+- $(call INSTALL_CMD,0700,root,${OSSEC_GROUP}) -d ${PREFIX}/.ssh
++ $(call INSTALL_CMD,0700) -d ${PREFIX}/.ssh
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/*.sh ${PREFIX}/active-response/bin/
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/
++ $(call INSTALL_CMD,0550) ../active-response/*.sh ${PREFIX}/active-response/bin/
++ $(call INSTALL_CMD,0550) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/var
+- $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/var/run
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/var
++ $(call INSTALL_CMD,0770) -d ${PREFIX}/var/run
+
+
+ install-server-generic: install-common
+- $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/active-responses.log
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/archives
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/alerts
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/firewall
+-
+- $(call INSTALL_CMD,0550,root,0) ossec-agentlessd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-analysisd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-monitord ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-reportd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-maild ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-remoted ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-logtest ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-csyslogd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-authd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-dbd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-makelists ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) verify-agent-conf ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) clear_stats ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) list_agents ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) ossec-regex ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) syscheck_update ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) agent_control ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) syscheck_control ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) rootcheck_control ${PREFIX}/bin/
+-
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/stats
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/rules
++ $(call INSTALL_CMD,0660) /dev/null ${PREFIX}/logs/active-responses.log
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs/archives
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs/alerts
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs/firewall
++
++ $(call INSTALL_CMD,0550) ossec-agentlessd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-analysisd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-monitord ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-reportd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-maild ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-remoted ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-logtest ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-csyslogd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-authd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-dbd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-makelists ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) verify-agent-conf ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) clear_stats ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) list_agents ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) ossec-regex ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) syscheck_update ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) agent_control ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) syscheck_control ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) rootcheck_control ${PREFIX}/bin/
++
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/stats
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/rules
+ ifneq (,$(wildcard ${PREFIX}/rules/local_rules.xml))
+ cp ${PREFIX}/rules/local_rules.xml ${PREFIX}/rules/local_rules.xml.installbackup
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
++ $(call INSTALL_CMD,0640) -b ../etc/rules/*.xml ${PREFIX}/rules
++ $(call INSTALL_CMD,0640) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
+ rm ${PREFIX}/rules/local_rules.xml.installbackup
+ else
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules
++ $(call INSTALL_CMD,0640) -b ../etc/rules/*.xml ${PREFIX}/rules
+ endif
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/fts
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/fts
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rootcheck
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rootcheck
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/agent-info
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/agentless
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/agent-info
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/agentless
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rids
+
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/decoder.xml ${PREFIX}/etc/
++ $(call INSTALL_CMD,0640) ../etc/decoder.xml ${PREFIX}/etc/
+
+ rm -f ${PREFIX}/etc/shared/merged.mg
+
+--
+2.25.1
+
diff --git a/recipes-ids/ossec/ossec-hids_3.6.0.bb b/recipes-ids/ossec/ossec-hids_3.6.0.bb
new file mode 100644
index 0000000..10354a7
--- /dev/null
+++ b/recipes-ids/ossec/ossec-hids_3.6.0.bb
@@ -0,0 +1,161 @@
+SUMMARY = "A full platform to monitor and control your systems"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d625d1520b5e38faefb81cf9772badc9"
+
+
+DEPENDS = "openssl libpcre2 zlib libevent"
+SRC_URI = "git://github.com/ossec/ossec-hids;branch=master \
+ file://0001-Makefile-drop-running-scrips-install.patch \
+ file://0002-Makefile-don-t-set-uid-gid.patch \
+ "
+
+SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2"
+
+inherit autotools-brokensep useradd
+
+S = "${WORKDIR}/git"
+
+OSSEC_UID ?= "ossec"
+OSSEC_RUID ?= "ossecr"
+OSSEC_GID ?= "ossec"
+OSSEC_EMAIL ?= "ossecm"
+
+do_configure[noexec] = "1"
+
+do_compile() {
+ cd ${S}/src
+ make PREFIX=${prefix} TARGET=local USE_SYSTEMD=No build
+}
+
+do_install(){
+ install -d ${D}${sysconfdir}
+ install -d ${D}/var/ossec/${sysconfdir}
+
+ cd ${S}/src
+ make TARGET=local PREFIX=${D}/var/ossec install
+
+ echo "DIRECTORY=\"/var/ossec\"" > ${D}/${sysconfdir}/ossec-init.conf
+ echo "VERSION=\"${PV}\"" >> ${D}/${sysconfdir}/ossec-init.conf
+ echo "DATE=\"`date`\"" >> ${D}/${sysconfdir}/ossec-init.conf
+ echo "TYPE=\"local\"" >> ${D}/${sysconfdir}/ossec-init.conf
+ chmod 600 ${D}/${sysconfdir}/ossec-init.conf
+ install -m 640 ${D}/${sysconfdir}/ossec-init.conf ${D}/var/ossec/${sysconfdir}/ossec-init.conf
+}
+
+pkg_postinst_ontarget_${PN} () {
+ DIR="/var/ossec"
+
+ usermod -g ossec -G ossec -a root
+
+ # Default for all directories
+ chmod -R 550 ${DIR}
+ chown -R root:${OSSEC_GID} ${DIR}
+
+ # To the ossec queue (default for agentd to read)
+ chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/ossec
+ chmod -R 770 ${DIR}/queue/ossec
+
+ # For the logging user
+ chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs
+ chmod -R 750 ${DIR}/logs
+ chmod -R 775 ${DIR}/queue/rids
+ touch ${DIR}/logs/ossec.log
+ chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs/ossec.log
+ chmod 664 ${DIR}/logs/ossec.log
+
+ chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/diff
+ chmod -R 750 ${DIR}/queue/diff
+ chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1 || true
+
+ # For the etc dir
+ chmod 550 ${DIR}/etc
+ chown -R root:${OSSEC_GID} ${DIR}/etc
+ if [ -f /etc/localtime ]; then
+ cp -pL /etc/localtime ${DIR}/etc/;
+ chmod 555 ${DIR}/etc/localtime
+ chown root:${OSSEC_GID} ${DIR}/etc/localtime
+ fi
+
+ if [ -f /etc/TIMEZONE ]; then
+ cp -p /etc/TIMEZONE ${DIR}/etc/;
+ chmod 555 ${DIR}/etc/TIMEZONE
+ fi
+
+ # More files
+ chown root:${OSSEC_GID} ${DIR}/etc/internal_options.conf
+ chown root:${OSSEC_GID} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
+ chown root:${OSSEC_GID} ${DIR}/etc/client.keys >/dev/null 2>&1 || true
+ chown root:${OSSEC_GID} ${DIR}/agentless/*
+ chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/.ssh
+ chown root:${OSSEC_GID} ${DIR}/etc/shared/*
+
+ chmod 550 ${DIR}/etc
+ chmod 440 ${DIR}/etc/internal_options.conf
+ chmod 660 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
+ chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1 || true
+ chmod 550 ${DIR}/agentless/*
+ chmod 700 ${DIR}/.ssh
+ chmod 770 ${DIR}/etc/shared
+ chmod 660 ${DIR}/etc/shared/*
+
+ # For the /var/run
+ chmod 770 ${DIR}/var/run
+ chown root:${OSSEC_GID} ${DIR}/var/run
+
+ # For util.sh
+ chown root:${OSSEC_GID} ${DIR}/bin/util.sh
+ chmod +x ${DIR}/bin/util.sh
+
+ # For binaries and active response
+ chmod 755 ${DIR}/active-response/bin/*
+ chown root:${OSSEC_GID} ${DIR}/active-response/bin/*
+ chown root:${OSSEC_GID} ${DIR}/bin/*
+ chmod 550 ${DIR}/bin/*
+
+ # For ossec.conf
+ chown root:${OSSEC_GID} ${DIR}/etc/ossec.conf
+ chmod 660 ${DIR}/etc/ossec.conf
+
+ # Debconf
+ . /usr/share/debconf/confmodule
+ db_input high ossec-hids-agent/server-ip || true
+ db_go
+
+ db_get ossec-hids-agent/server-ip
+ SERVER_IP=$RET
+
+ sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${DIR}/etc/ossec.conf
+ db_stop
+
+ # ossec-init.conf
+ if [ -e ${DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then
+ if [ -e /etc/ossec-init.conf ]; then
+ rm -f /etc/ossec-init.conf
+ fi
+ ln -s ${DIR}/etc/ossec-init.conf /etc/ossec-init.conf
+ fi
+
+ # init.d/ossec file
+ if [ -x ${DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then
+ if [ -e /etc/init.d/ossec ]; then
+ rm -f /etc/init.d/ossec
+ fi
+ ln -s ${DIR}/etc/init.d/ossec /etc/init.d/ossec
+ fi
+
+ # Service
+ if [ -x /etc/init.d/ossec ]; then
+ update-rc.d -f ossec defaults
+ fi
+
+ # Delete tmp directory
+ if [ -d ${OSSEC_HIDS_TMP_DIR} ]; then
+ rm -r ${OSSEC_HIDS_TMP_DIR}
+ fi
+}
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "--system --home-dir /var/ossec -g ossec --shell /bin/false ossec"
+GROUPADD_PARAM_${PN} = "--system ossec"
+
+RDEPENDS_${PN} = "openssl bash"
--
2.25.1

--
Regards,
Sateesh