From: Richard Purdie <richard.purdie@...>

This should avoid issues with the hashequiv code attempting to contact
an non-existent server in the eSDKs built by the project.

[YOCTO #14471]

Signed-off-by: Richard Purdie <richard.purdie@...>
(cherry picked from commit 4db17f4c9da4efb48d428256efb696d86935a3ea)
Signed-off-by: Steve Sakoman <steve@...>
---
config.json | 1 +
1 file changed, 1 insertion(+)

diff --git a/config.json b/config.json
index d871349..571ddae 100644
--- a/config.json
+++ b/config.json
@@ -55,6 +55,7 @@
"SANITY_TESTED_DISTROS = ''",
"SDK_EXT_TYPE = 'minimal'",
"SDK_INCLUDE_TOOLCHAIN = '1'",
+ "SDK_LOCAL_CONF_BLACKLIST:append = 'BB_HASHSERVE'",
"BB_DISKMON_DIRS = 'STOPTASKS,${TMPDIR},1G,100K STOPTASKS,${DL_DIR},1G STOPTASKS,${SSTATE_DIR},1G STOPTASKS,/tmp,100M,100K ABORT,${TMPDIR},100M,1K ABORT,${DL_DIR},100M ABORT,${SSTATE_DIR},100M ABORT,/tmp,10M,1K'",
"BB_HASHSERVE = 'typhoon.yocto.io:8686'"
]
--
2.25.1

From: Bruce Ashfield <bruce.ashfield@...>

Updating the reference platforms to match the latest 5.10 -stable in
oe-core.

Signed-off-by: Bruce Ashfield <bruce.ashfield@...>
Signed-off-by: Richard Purdie <richard.purdie@...>
(cherry picked from commit 77b8e31f706cb29d1efb19305470d9b525fc5a67)
Signed-off-by: Anuj Mittal <anuj.mittal@...>
---
.../linux/linux-yocto_5.10.bbappend | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
index 0e5e3b1..347a411 100644
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
@@ -7,17 +7,17 @@ KMACHINE_genericx86 ?= "common-pc"
KMACHINE_genericx86-64 ?= "common-pc-64"
KMACHINE_beaglebone-yocto ?= "beaglebone"

-SRCREV_machine_genericx86 ?= "c274623910704eefcc98380a17649889ac7e9408"
-SRCREV_machine_genericx86-64 ?= "c274623910704eefcc98380a17649889ac7e9408"
-SRCREV_machine_edgerouter ?= "ac089d661362ba857e235c5630242039b150ae26"
-SRCREV_machine_beaglebone-yocto ?= "a6df693a45f5787d4254e0998f52b4465b2a5efe"
+SRCREV_machine_genericx86 ?= "164ed895bc1e94722e80fe6496b176f6bb815cd4"
+SRCREV_machine_genericx86-64 ?= "164ed895bc1e94722e80fe6496b176f6bb815cd4"
+SRCREV_machine_edgerouter ?= "4ab94e777d8b41ee1ee4c279259e9733bc8049b1"
+SRCREV_machine_beaglebone-yocto ?= "941cc9c3849f96f7eaf109b1e35e05ba366aca56"

COMPATIBLE_MACHINE_genericx86 = "genericx86"
COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
COMPATIBLE_MACHINE_edgerouter = "edgerouter"
COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"

-LINUX_VERSION_genericx86 = "5.10.55"
-LINUX_VERSION_genericx86-64 = "5.10.55"
-LINUX_VERSION_edgerouter = "5.10.55"
-LINUX_VERSION_beaglebone-yocto = "5.10.55"
+LINUX_VERSION_genericx86 = "5.10.63"
+LINUX_VERSION_genericx86-64 = "5.10.63"
+LINUX_VERSION_edgerouter = "5.10.63"
+LINUX_VERSION_beaglebone-yocto = "5.10.63"
--
2.31.1

From: Kevin Hao <kexin.hao@...>

Build and boot test for all the boards.

Signed-off-by: Kevin Hao <kexin.hao@...>
Signed-off-by: Richard Purdie <richard.purdie@...>
(cherry picked from commit 8b5c126510dbf265dc494ff7c8decbae63f5b597)
Signed-off-by: Anuj Mittal <anuj.mittal@...>
---
.../linux/linux-yocto_5.10.bbappend | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
index f8362b6..0e5e3b1 100644
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
@@ -7,17 +7,17 @@ KMACHINE_genericx86 ?= "common-pc"
KMACHINE_genericx86-64 ?= "common-pc-64"
KMACHINE_beaglebone-yocto ?= "beaglebone"

-SRCREV_machine_genericx86 ?= "ab49d2db98bdee2c8c6e17fb59ded9e5292b0f41"
-SRCREV_machine_genericx86-64 ?= "ab49d2db98bdee2c8c6e17fb59ded9e5292b0f41"
-SRCREV_machine_edgerouter ?= "274d63799465eebfd201b3e8251f16d29e93a978"
-SRCREV_machine_beaglebone-yocto ?= "ab49d2db98bdee2c8c6e17fb59ded9e5292b0f41"
+SRCREV_machine_genericx86 ?= "c274623910704eefcc98380a17649889ac7e9408"
+SRCREV_machine_genericx86-64 ?= "c274623910704eefcc98380a17649889ac7e9408"
+SRCREV_machine_edgerouter ?= "ac089d661362ba857e235c5630242039b150ae26"
+SRCREV_machine_beaglebone-yocto ?= "a6df693a45f5787d4254e0998f52b4465b2a5efe"

COMPATIBLE_MACHINE_genericx86 = "genericx86"
COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
COMPATIBLE_MACHINE_edgerouter = "edgerouter"
COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"

-LINUX_VERSION_genericx86 = "5.10.43"
-LINUX_VERSION_genericx86-64 = "5.10.43"
-LINUX_VERSION_edgerouter = "5.10.43"
-LINUX_VERSION_beaglebone-yocto = "5.10.43"
+LINUX_VERSION_genericx86 = "5.10.55"
+LINUX_VERSION_genericx86-64 = "5.10.55"
+LINUX_VERSION_edgerouter = "5.10.55"
+LINUX_VERSION_beaglebone-yocto = "5.10.55"
--
2.31.1

From: Richard Purdie <richard.purdie@...>

Signed-off-by: Richard Purdie <richard.purdie@...>
(cherry picked from commit 1d98182eb9fa059444c935967d1dc075535289db)
Signed-off-by: Anuj Mittal <anuj.mittal@...>
---
meta-poky/conf/local.conf.sample | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta-poky/conf/local.conf.sample b/meta-poky/conf/local.conf.sample
index a94b613..67124d4 100644
--- a/meta-poky/conf/local.conf.sample
+++ b/meta-poky/conf/local.conf.sample
@@ -225,13 +225,15 @@ BB_DISKMON_DIRS ??= "\
# Yocto Project SState Mirror
#
# The Yocto Project has prebuilt artefacts available for its releases, you can enable
-# use of these by uncommenting the following line. This will mean the build uses
+# use of these by uncommenting the following lines. This will mean the build uses
# the network to check for artefacts at the start of builds, which does slow it down
# equally, it will also speed up the builds by not having to build things if they are
# present in the cache. It assumes you can download something faster than you can build it
# which will depend on your network.
+# Note: For this to work you also need hash-equivalence passthrough to the matching server
#
-#SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/2.5/PATH;downloadfilename=PATH"
+#BB_HASHSERVE_UPSTREAM = "typhoon.yocto.io:8687"
+#SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/3.4/PATH;downloadfilename=PATH"

#
# Qemu configuration
--
2.31.1

From: Richard Purdie <richard.purdie@...>

SDKPATHINSTALL is the default installation path used for the SDK but is not
the path encoded into every SDK binary as the default path. This change
allows it to contain things like dates without requiring every nativesdk
recipe to rebuild.

Partially fixes [YOCTO #14100]

Signed-off-by: Richard Purdie <richard.purdie@...>
(cherry picked from commit a62175ee581bd05661717f0fb89dad2a297b4034)
Signed-off-by: Anuj Mittal <anuj.mittal@...>
---
meta-poky/conf/distro/poky.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf
index 1dfce76..d368561 100644
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -23,7 +23,7 @@ PREFERRED_VERSION_linux-yocto ?= "5.10%"
PREFERRED_VERSION_linux-yocto-rt ?= "5.10%"

SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
-SDKPATH = "/opt/${DISTRO}/${SDK_VERSION}"
+SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"

DISTRO_EXTRA_RDEPENDS += "${POKY_DEFAULT_EXTRA_RDEPENDS}"
DISTRO_EXTRA_RRECOMMENDS += "${POKY_DEFAULT_EXTRA_RRECOMMENDS}"
--
2.31.1

From: Richard Purdie <richard.purdie@...>

Signed-off-by: Richard Purdie <richard.purdie@...>
(cherry picked from commit 4689763b513521fc70cca576b88035de240a3ba6)
Signed-off-by: Anuj Mittal <anuj.mittal@...>
---
config.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config.json b/config.json
index 622908b..33d36ad 100644
--- a/config.json
+++ b/config.json
@@ -31,7 +31,7 @@
"DLDIR" : "DL_DIR = '${BASE_SHAREDDIR}/current_sources'",
"SSTATEDIR" : ["SSTATE_DIR ?= '${BASE_SHAREDDIR}/pub/sstate'"],
"SSTATEDIR_RELEASE" : ["SSTATE_MIRRORS += 'file://.* file://${BASE_SHAREDDIR}/pub/sstate/PATH'", "SSTATE_DIR ?= '${BASE_PUBLISHDIR}/sstate/@RELEASENUM@'"],
- "SDKEXTRAS" : ["SSTATE_MIRRORS += '\\", "file://.* http://sstate.yoctoproject.org/dev/@RELEASENUM@PATH;downloadfilename=PATH'"],
+ "SDKEXTRAS" : ["SSTATE_MIRRORS += '\\", "file://.* http://sstate.yoctoproject.org/dev/@RELEASENUM@PATH;downloadfilename=PATH'", "BB_HASHSERVE = 'auto'"],
"BUILDINFO" : false,
"BUILDHISTORY" : false,
"BUILDINFOVARS" : ["INHERIT += 'image-buildinfo'", "IMAGE_BUILDINFO_VARS_append = ' IMAGE_BASENAME IMAGE_NAME'"],
--
2.31.1

From: Richard Purdie <richard.purdie@...>

This should avoid issues with the hashequiv code attempting to contact
an non-existent server in the eSDKs built by the project.

[YOCTO #14471]

Signed-off-by: Richard Purdie <richard.purdie@...>
(cherry picked from commit 4db17f4c9da4efb48d428256efb696d86935a3ea)
Signed-off-by: Anuj Mittal <anuj.mittal@...>
---
config.json | 1 +
1 file changed, 1 insertion(+)

diff --git a/config.json b/config.json
index 0ee7572..622908b 100644
--- a/config.json
+++ b/config.json
@@ -55,6 +55,7 @@
"SANITY_TESTED_DISTROS = ''",
"SDK_EXT_TYPE = 'minimal'",
"SDK_INCLUDE_TOOLCHAIN = '1'",
+ "SDK_LOCAL_CONF_BLACKLIST:append = 'BB_HASHSERVE'",
"BB_DISKMON_DIRS = 'STOPTASKS,${TMPDIR},1G,100K STOPTASKS,${DL_DIR},1G STOPTASKS,${SSTATE_DIR},1G STOPTASKS,/tmp,100M,100K ABORT,${TMPDIR},100M,1K ABORT,${DL_DIR},100M ABORT,${SSTATE_DIR},100M ABORT,/tmp,10M,1K'",
"BB_HASHSERVE = 'typhoon.yocto.io:8686'",
"RUNQEMU_TMPFS_DIR = '/home/pokybuild/tmp'"
--
2.31.1

On Fri 2021-09-17 @ 06:01:21 PM, Trevor Woerner via lists.yoctoproject.org wrote:

Recent upstream kernel changes have made the mmc probing order unpredictable.
Therefore, boards with both an emmc and sdmmc interface aren't guaranteed to
boot with a hard-coded root device selected.

For example, on the rock64, with linux-yocto 5.10.y, using the uSD card (i.e.
the sdmmc interface) about 50% of the time the boot would succeed, and roughly
50% of the time it wouldn't:

...
[ 0.612233] Waiting for root device /dev/mmcblk1p7...
[ 0.634551] mmc_host mmc1: Bus speed (slot 0) = 300000Hz (slot req 300000Hz, actual 300000HZ div = 0)
[ 0.639064] mmc_host mmc0: Bus speed (slot 0) = 50000000Hz (slot req 50000000Hz, actual 50000000HZ di)
[ 0.640007] mmc0: new high speed SDXC card at address 5048
[ 0.641176] mmcblk0: mmc0:5048 SD64G 58.0 GiB
[ 0.647610] random: fast init done
[ 0.648279] GPT:Primary header thinks Alt. header is not at the end of the disk.
[ 0.648941] GPT:376479 != 121634815
[ 0.649252] GPT:Alternate GPT header not at the end of the disk.
[ 0.649796] GPT:376479 != 121634815
[ 0.650106] GPT: Use GNU Parted to correct GPT errors.
[ 0.650598] mmcblk0: p1 p2 p3 p4 p5 p6 p7

NOTE the discrepancy between the kernel waiting for device /dev/mmcblk1p7,
which comes from the hard-coded kernel cmdline, and the kernel probing putting
the sdmmc on mmcblk0.

With linux-yocto 5.13.y on the rock64 using the uSD card the board would never
boot, the sdmmc always appears on mmcblk0.

Instead of simply changing the hard-coded root device (i.e. from mmcblk0 to
mmcblk1) switch to using partition UUIDs instead. Hard-coding the boot device
would work with 5.13.y but would fail 50% of the time with 5.10.y; who knows
what other kernels will do?

In any case, switching to UUIDs works regardless of board, kernel, or
available mmc interfaces.

Boot tested on:
- rock64
- nanopi-m4-2gb
- tinker-board
- rock-pi-e
- rock-pi-4b

Signed-off-by: Trevor Woerner <twoerner@...>
---
conf/machine/include/nanopi-m4.inc | 2 --
conf/machine/include/rock-pi-4.inc | 2 --
conf/machine/include/rockchip-wic.inc | 4 ----
conf/machine/rock64.conf | 3 ---
conf/machine/tinker-board-s.conf | 2 --
conf/machine/vyasa-rk3288.conf | 2 --
wic/rockchip.wks | 16 ++++++++--------
7 files changed, 8 insertions(+), 23 deletions(-)

Applied to meta-rockchip master.

On Thu, 16 Sept 2021 at 05:34, Rusty Howell <rustyhowell@...> wrote:

Can SSTATE_DIR be shared across build hosts with different OS's (Ubuntu 18.04, ubuntu 20.04, etc, RHEL)?

If you don't use uninative, then the sstate can be in a single
directory but artifacts won't be shared. If you use uninative then the
native will be shared between the build hosts.

Basically, there's no situation where you can't use a single sstate directory.

Ross

Hi Anibal,

Hi Anibal,

Up till now ptest-runner2 returns number of failed tests with its
exit status code. Such use case is not recommended [1] and may cause
issues when there are more than 256 tests to be executed.

To alleviate this issue the number of total tests with number of
failed ones is printed before exit. To be more specific - failure of
tests (one or more) causes ptest-runner to provide exit code of 1.

One can test this change with executing:
./ptest-runner -d tests/data fail

Gentle ping on this patch.

Gentle ping on this patch.

Is it OK to be applied?

Links:
[1] -
https://www.gnu.org/software/libc/manual/html_node/Exit-Status.html

Signed-off-by: Lukasz Majewski <lukma@...>
---
Changes for v2:
- When number of failed tests is N, the ptest-runner returns value
of 1 to indicate error in the execution
---
main.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/main.c b/main.c
index 890bc6a..bcec844 100644
--- a/main.c
+++ b/main.c
@@ -220,6 +220,9 @@ main(int argc, char *argv[])
ptest_list_remove(run, opts.exclude[i], 1);

rc = run_ptests(run, opts, argv[0], stdout, stderr);
+ fprintf(stdout, "TOTAL: %d FAIL: %d\n",
ptest_list_length(run), rc);
+ if (rc > 0)
+ rc = 1;

ptest_list_free_all(&run);

Best regards,

Lukasz Majewski

--

DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email:
lukma@...

Best regards,

Lukasz Majewski

--

DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma@...

fscrypt is a high-level tool for the management of Linux
filesystem encryption. fscrypt manages metadata, key generation,
key wrapping, PAM integration, and provides a uniform interface
for creating and modifying encrypted directories.

Add recipe for the same in 'recipes-security'.

Signed-off-by: Bhupesh Sharma <bhupesh.sharma@...>
---
recipes-security/fscrypt/fscrypt_1.0.0.bb | 49 +++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 recipes-security/fscrypt/fscrypt_1.0.0.bb

diff --git a/recipes-security/fscrypt/fscrypt_1.0.0.bb b/recipes-security/fscrypt/fscrypt_1.0.0.bb
new file mode 100644
index 0000000..a70d310
--- /dev/null
+++ b/recipes-security/fscrypt/fscrypt_1.0.0.bb
@@ -0,0 +1,49 @@
+SUMMARY = "fscrypt is a high-level tool for the management of Linux filesystem encryption"
+DESCIPTION = "fscrypt manages metadata, key generation, key wrapping, PAM integration, \
+and provides a uniform interface for creating and modifying encrypted directories. For \
+a small, low-level tool that directly sets policies, see fscryptctl \
+(https://github.com/google/fscryptcl)."
+HOMEPAGE = "https://github.com/google/fscrypt"
+SECTION = "base"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+BBCLASSEXTEND = "native nativesdk"
+
+# fscrypt depends on go and libpam
+DEPENDS += "go-dep-native libpam"
+
+SRCREV = "92b1e9a8670ccd3916a7d24a06cab1e4c9815bc4"
+SRC_URI = "git://github.com/google/fscrypt.git"
+GO_IMPORT = "import"
+
+S = "${WORKDIR}/git"
+
+inherit go
+inherit goarch
+
+do_compile() {
+ export GOARCH=${TARGET_GOARCH}
+ export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
+ export GOPATH="${WORKDIR}/git"
+
+ # Pass the needed cflags/ldflags so that cgo
+ # can find the needed headers files and libraries
+ export CGO_ENABLED="1"
+ export CGO_CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+ export CGO_LDFLAGS="${LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+
+ cd ${S}/src/${GO_IMPORT}
+ oe_runmake
+
+ # Golang forces permissions to 0500 on directories and 0400 on files in
+ # the module cache which prevents us from easily cleaning up the build
+ # directory. Let's just fix the permissions here so we don't have to
+ # hack the clean tasks.
+ chmod -R u+w ${S}/pkg/mod
+}
+
+do_install() {
+ install -d ${D}/${bindir}
+ install ${S}/src/${GO_IMPORT}/bin/fscrypt ${D}/${bindir}/fscrypt
+}
--
2.31.1

On 9/10/21 1:36 AM, kai wrote:

From: Kai Kang <kai.kang@...>

Backport patch to fix CVE-2021-3621.

CVE: CVE-2021-3621

Merged.  thanks,
Armin

Signed-off-by: Kai Kang <kai.kang@...>
---
.../sssd/files/CVE-2021-3621.patch | 291 ++++++++++++++++++
recipes-security/sssd/sssd_1.16.5.bb | 1 +
2 files changed, 292 insertions(+)
create mode 100644 recipes-security/sssd/files/CVE-2021-3621.patch

diff --git a/recipes-security/sssd/files/CVE-2021-3621.patch b/recipes-security/sssd/files/CVE-2021-3621.patch
new file mode 100644
index 0000000..3d2c707
--- /dev/null
+++ b/recipes-security/sssd/files/CVE-2021-3621.patch
@@ -0,0 +1,291 @@
+Backport patch to fix CVE-2021-3621.
+
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/b4b3267]
+CVE: CVE-2021-3621
+
+Signed-off-by: Kai Kang <kai.kang@...>
+
+From b4b32677a886bc26d60ce0171505aa3ab0c82c8a Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@...>
+Date: Fri, 30 Jul 2021 19:05:31 +0200
+Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
+ user supplied command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+:relnote: A flaw was found in SSSD, where the sssctl command was
+vulnerable to shell command injection via the logs-fetch and
+cache-expire subcommands. This flaw allows an attacker to trick
+the root user into running a specially crafted sssctl command,
+such as via sudo, to gain root access. The highest threat from this
+vulnerability is to confidentiality, integrity, as well as system
+availability.
+This patch fixes a flaw by replacing system() with execvp().
+
+:fixes: CVE-2021-3621
+
+Reviewed-by: Pavel Březina <pbrezina@...>
+---
+ src/tools/sssctl/sssctl.c | 40 +++++++++++++++++-------
+ src/tools/sssctl/sssctl.h | 2 +-
+ src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
+ src/tools/sssctl/sssctl_logs.c | 31 ++++++++++++++----
+ 4 files changed, 73 insertions(+), 57 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index afaa84bc0..403c89c35 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -97,22 +97,37 @@ sssctl_prompt(const char *message,
+ return SSSCTL_PROMPT_ERROR;
+ }
+
+-errno_t sssctl_run_command(const char *command)
++errno_t sssctl_run_command(const char *const argv[])
+ {
+ int ret;
++ int wstatus;
+
+- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
++ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
+
+- ret = system(command);
++ ret = fork();
+ if (ret == -1) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
+ fprintf(stderr, _("Error while executing external command\n"));
+ return EFAULT;
+- } else if (WEXITSTATUS(ret) != 0) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
+- command, WEXITSTATUS(ret));
++ }
++
++ if (ret == 0) {
++ /* cast is safe - see
++ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
++ "The statement about argv[] and envp[] being constants ... "
++ */
++ execvp(argv[0], discard_const_p(char * const, argv));
+ fprintf(stderr, _("Error while executing external command\n"));
+- return EIO;
++ _exit(1);
++ } else {
++ if (waitpid(ret, &wstatus, 0) == -1) {
++ fprintf(stderr,
++ _("Error while executing external command '%s'\n"), argv[0]);
++ return EFAULT;
++ } else if (WEXITSTATUS(wstatus) != 0) {
++ fprintf(stderr,
++ _("Command '%s' failed with [%d]\n"), argv[0], WEXITSTATUS(wstatus));
++ return EIO;
++ }
+ }
+
+ return EOK;
+@@ -132,11 +147,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
+ #elif defined(HAVE_SERVICE)
+ switch (action) {
+ case SSSCTL_SVC_START:
+- return sssctl_run_command(SERVICE_PATH" sssd start");
++ return sssctl_run_command(
++ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
+ case SSSCTL_SVC_STOP:
+- return sssctl_run_command(SERVICE_PATH" sssd stop");
++ return sssctl_run_command(
++ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
+ case SSSCTL_SVC_RESTART:
+- return sssctl_run_command(SERVICE_PATH" sssd restart");
++ return sssctl_run_command(
++ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
+ }
+ #endif
+
+diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
+index 70fc19eff..71f798b2a 100644
+--- a/src/tools/sssctl/sssctl.h
++++ b/src/tools/sssctl/sssctl.h
+@@ -42,7 +42,7 @@ enum sssctl_prompt_result
+ sssctl_prompt(const char *message,
+ enum sssctl_prompt_result defval);
+
+-errno_t sssctl_run_command(const char *command);
++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
+ bool sssctl_start_sssd(bool force);
+ bool sssctl_stop_sssd(bool force);
+ bool sssctl_restart_sssd(bool force);
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index cc46cafbf..8a042664c 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
+ }
+ }
+
+- ret = sssctl_run_command("sss_override user-export "
+- SSS_BACKUP_USER_OVERRIDES);
++ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
++ SSS_BACKUP_USER_OVERRIDES, NULL});
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to export user overrides\n"));
+ return ret;
+ }
+
+- ret = sssctl_run_command("sss_override group-export "
+- SSS_BACKUP_GROUP_OVERRIDES);
++ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
++ SSS_BACKUP_GROUP_OVERRIDES, NULL});
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to export group overrides\n"));
+ return ret;
+@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+ }
+
+ if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+- ret = sssctl_run_command("sss_override user-import "
+- SSS_BACKUP_USER_OVERRIDES);
++ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
++ SSS_BACKUP_USER_OVERRIDES, NULL});
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to import user overrides\n"));
+ return ret;
+@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+ }
+
+ if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+- ret = sssctl_run_command("sss_override group-import "
+- SSS_BACKUP_GROUP_OVERRIDES);
++ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
++ SSS_BACKUP_GROUP_OVERRIDES, NULL});
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to import group overrides\n"));
+ return ret;
+@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
+ void *pvt)
+ {
+ errno_t ret;
+- char *cmd_args = NULL;
+- const char *cachecmd = SSS_CACHE;
+- char *cmd = NULL;
+- int i;
+-
+- if (cmdline->argc == 0) {
+- ret = sssctl_run_command(cachecmd);
+- goto done;
+- }
+
+- cmd_args = talloc_strdup(tool_ctx, "");
+- if (cmd_args == NULL) {
+- ret = ENOMEM;
+- goto done;
++ const char **args = talloc_array_size(tool_ctx,
++ sizeof(char *),
++ cmdline->argc + 2);
++ if (!args) {
++ return ENOMEM;
+ }
++ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
++ args[0] = SSS_CACHE;
++ args[cmdline->argc + 1] = NULL;
+
+- for (i = 0; i < cmdline->argc; i++) {
+- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
+- if (i != cmdline->argc - 1) {
+- cmd_args = talloc_strdup_append(cmd_args, " ");
+- }
+- }
+-
+- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
+- if (cmd == NULL) {
+- ret = ENOMEM;
+- goto done;
+- }
+-
+- ret = sssctl_run_command(cmd);
+-
+-done:
+- talloc_free(cmd_args);
+- talloc_free(cmd);
++ ret = sssctl_run_command(args);
+
++ talloc_free(args);
+ return ret;
+ }
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index aca988c05..c85cc7a4b 100644
+--- a/src/tools/sssctl/sssctl_logs.c
++++ b/src/tools/sssctl/sssctl_logs.c
+@@ -32,6 +32,7 @@
+ #include <popt.h>
+ #include <stdio.h>
+ #include <signal.h>
++#include <glob.h>
+
+ #include "util/util.h"
+ #include "tools/common/sss_process.h"
+@@ -231,6 +232,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ {
+ struct sssctl_logs_opts opts = {0};
+ errno_t ret;
++ glob_t globbuf;
+
+ /* Parse command line. */
+ struct poptOption options[] = {
+@@ -254,8 +256,19 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+
+ sss_signal(SIGHUP);
+ } else {
++ globbuf.gl_offs = 4;
++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++ if (ret != 0) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++ return ret;
++ }
++ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
++ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
++ globbuf.gl_pathv[3] = discard_const_p(char, "0");
++
+ printf(_("Truncating log files...\n"));
+- ret = sssctl_run_command("truncate --size 0 " LOG_FILES);
++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++ globfree(&globbuf);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to truncate log files\n"));
+ return ret;
+@@ -270,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+ void *pvt)
+ {
+ const char *file;
+- const char *cmd;
+ errno_t ret;
++ glob_t globbuf;
+
+ /* Parse command line. */
+ ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
+@@ -281,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+ return ret;
+ }
+
+- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
+- if (cmd == NULL) {
+- fprintf(stderr, _("Out of memory!"));
++ globbuf.gl_offs = 3;
++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++ if (ret != 0) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++ return ret;
+ }
++ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
++ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
++ globbuf.gl_pathv[2] = discard_const_p(char, file);
+
+ printf(_("Archiving log files into %s...\n"), file);
+- ret = sssctl_run_command(cmd);
++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++ globfree(&globbuf);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to archive log files\n"));
+ return ret;
+--
+2.33.0
+
diff --git a/recipes-security/sssd/sssd_1.16.5.bb b/recipes-security/sssd/sssd_1.16.5.bb
index 9784ec7..02d0837 100644
--- a/recipes-security/sssd/sssd_1.16.5.bb
+++ b/recipes-security/sssd/sssd_1.16.5.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
file://0001-nss-Collision-with-external-nss-symbol.patch \
file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \
+ file://CVE-2021-3621.patch \
"

SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0"

On Fri, 2021-09-17 at 15:38 +0200, Alexander Kanavin wrote:

There are additional logs there (such as task log or qemu
console output), which can be useful for debugging test failures.

[YOCTO #14518]

Signed-off-by: Alexander Kanavin <alex@...>
---
scripts/collect-results | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/scripts/collect-results b/scripts/collect-results
index 93834d6..3663330 100755
--- a/scripts/collect-results
+++ b/scripts/collect-results
@@ -3,11 +3,9 @@ WORKDIR=$1
DEST=$2
target=$3

-RESFILE=$WORKDIR/tmp/log/oeqa/testresults.json
-
-if [ -e $RESFILE ]; then
- mkdir -p $DEST/$target
- cp $WORKDIR/tmp/log/oeqa/testresults.json $DEST/$target/
+mkdir -p $DEST
+if [ -e $WORKDIR/tmp/log/oeqa/ ]; then
+ cp -rf $WORKDIR/tmp/log/oeqa/ $DEST/$target
fi

if [ -e $WORKDIR/buildhistory ]; then

I'm not sure about this since it has the potential to add a lot of files to the
release directories and I suspect that will confuse the releases and people
looking at them. At the very least we need to think about layout here...

When I proposed we improve the logging on the autobuilder, I was thinking more
about printing the logfiles on the console in the failure case. That way the
logs are immediately visible on the autobuilder log output people are looking at
and you don't have to go digging for the files. I can see pros/cons to both
approaches though.

Cheers,

Richard

Hi, Richard

Layer Index "https://layers.openembedded.org/" not works since below update failure.  I don't know who is the maintainer,

Could you help to handle this to proper person? Thanks.

Besides, I am trying to add a funtion that when there are errors, send a mail to maintainer, so we can know this failure sooner.

ERROR: Traceback (most recent call last):
  File "update_layer.py", line 380, in main
    (tinfoil, tempdir) = recipeparse.init_parser(settings, branch, bitbakepath, nocheckout=options.nocheckout, logger=logger)
  File "/opt/layerindex/layerindex/recipeparse.py", line 83, in init_parser
    tinfoil = utils.setup_tinfoil(bitbakepath, enable_tracking, loglevel=logger.getEffectiveLevel())
  File "/opt/layerindex/layerindex/utils.py", line 193, in setup_tinfoil
    import bb.tinfoil
  File "/opt/workdir/git___git_openembedded_org_bitbake/lib/bb/__init__.py", line 16, in <module>
    raise RuntimeError("Sorry, python 3.6.0 or later is required for this version of bitbake")
RuntimeError: Sorry, python 3.6.0 or later is required for this version of bitbake


//Changqing