
[meta-selinux][PATCH 11/16] selinux-python: update to 3.2

Yi Zhao
 

Merge inc file into bb file.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
.../selinux/selinux-python_3.1.bb | 7 -------
...linux-python.inc => selinux-python_3.2.bb} | 20 +++++++++++--------
2 files changed, 12 insertions(+), 15 deletions(-)
delete mode 100644 recipes-security/selinux/selinux-python_3.1.bb
rename recipes-security/selinux/{selinux-python.inc => selinux-python_3.2.bb} (89%)

diff --git a/recipes-security/selinux/selinux-python_3.1.bb b/recipes-security/selinux/selinux-python_3.1.bb
deleted file mode 100644
index a0555d2..0000000
--- a/recipes-security/selinux/selinux-python_3.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "ec75687b680e0dd63e3ded05bd41cb5a"
-SRC_URI[sha256sum] = "f4d0a1a030bc291a6af498b26e0676b745075dd289a8ba16cdec86c3ea8f2f02"
diff --git a/recipes-security/selinux/selinux-python.inc b/recipes-security/selinux/selinux-python_3.2.bb
similarity index 89%
rename from recipes-security/selinux/selinux-python.inc
rename to recipes-security/selinux/selinux-python_3.2.bb
index 827fa8b..a827a90 100644
--- a/recipes-security/selinux/selinux-python.inc
+++ b/recipes-security/selinux/selinux-python_3.2.bb
@@ -2,14 +2,20 @@ SUMMARY = "Python modules and various SELinux utilities."
DESCRIPTION = "\
This package contains Python modules sepolgen, sepolicy; And the \
SELinux utilities audit2allow, chcat, semanage ..."
-
SECTION = "base"
LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"

-SRC_URI += "file://fix-sepolicy-install-path.patch"
+require selinux_common.inc

inherit python3native

+SRC_URI += "file://fix-sepolicy-install-path.patch"
+
+S = "${WORKDIR}/git/python"
+
+EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+
DEPENDS += "python3 libsepol libselinux"
RDEPENDS_${BPN}-audit2allow += "\
python3-core \
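Review bot: the pinned source is no longer visible in this recipe. The md5sum/sha256sum lines go away with selinux-python_3.1.bb and the source now comes from `require selinux_common.inc`, which is not part of this patch; please confirm the common include pins an exact SRCREV (a commit hash, not a branch or tag name) so the fetch stays integrity-checked and reproducible, and say so in the commit message. Moving `SRC_URI += "file://fix-sepolicy-install-path.patch"` below the require is only necessary if the include assigns SRC_URI with `=`; that reason belongs in the commit message as well, otherwise the reorder looks like churn.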
@@ -97,11 +103,9 @@ FILES_${PN} += "\
${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/* \
"

-EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
-
do_install() {
- oe_runmake DESTDIR="${D}" \
- PYLIBVER='python${PYTHON_BASEVERSION}' \
- PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
- install
+ oe_runmake DESTDIR="${D}" \
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
+ install
}
--
2.25.1


[meta-selinux][PATCH 10/16] restorecond: update to 3.2

Yi Zhao
 

* Merge inc file into bb file.
* Drop obsolete patches:
policycoreutils-make-O_CLOEXEC-optional.patch

Signed-off-by: Yi Zhao <yi.zhao@...>
---
...icycoreutils-make-O_CLOEXEC-optional.patch | 48 -------------------
recipes-security/selinux/restorecond_3.1.bb | 7 ---
.../{restorecond.inc => restorecond_3.2.bb} | 7 +--
3 files changed, 4 insertions(+), 58 deletions(-)
delete mode 100644 recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
delete mode 100644 recipes-security/selinux/restorecond_3.1.bb
rename recipes-security/selinux/{restorecond.inc => restorecond_3.2.bb} (88%)

diff --git a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
deleted file mode 100644
index 83250eb..0000000
--- a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 4adc1c02e4da42f64249c05534875e732f043693 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@...>
-Date: Wed, 6 Nov 2019 23:17:50 +0800
-Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
-
-Various commits in the selinux tree in the current release added
-O_CLOEXEC to open() calls in an attempt to address file descriptor leaks
-as described:
-
- http://danwalsh.livejournal.com/53603.html
-
-However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available.
-The actual impact of leaking these file descriptors is minimal, though
-it does produce curious AVC Denied messages.
-
-Upstream-Status: Inappropriate
-[O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
-
-Signed-off-by: Joe MacDonald <joe.macdonald@...>
-Signed-off-by: Wenzong Fan <wenzong.fan@...>
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- user.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/user.c b/user.c
-index 714aae7..bbf018e 100644
---- a/user.c
-+++ b/user.c
-@@ -202,7 +202,13 @@ static int local_server(void) {
- perror("asprintf");
- return -1;
- }
-- local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
-+ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
-+ #ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+ #else
-+ #warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+ #endif
-+ , S_IRUSR | S_IWUSR);
- if (debug_mode)
- g_warning ("Lock file: %s", ptr);
-
---
-2.7.4
-
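Review bot: dropping this patch is the right call, and not only because it is obsolete. Its own Upstream-Status note concedes that O_CLOEXEC has been in Linux since 2007 and POSIX since 2008, and the `#else` branch it added to local_server() would have let the lock file descriptor leak across exec on any build where the flag happened to be undefined, which is exactly the fd-leak class the upstream O_CLOEXEC commits were closing. Making a close-on-exec flag compile-time optional trades a loud build failure on a hypothetical old libc for a silent weakening on a real one.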
diff --git a/recipes-security/selinux/restorecond_3.1.bb b/recipes-security/selinux/restorecond_3.1.bb
deleted file mode 100644
index d4e0d06..0000000
--- a/recipes-security/selinux/restorecond_3.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "8daf761739a150a7a29bb491726a6cd9"
-SRC_URI[sha256sum] = "82ca45099685a45d718f11f8859963c1ba83d98e510312cbf0b7dc5664c60ad0"
diff --git a/recipes-security/selinux/restorecond.inc b/recipes-security/selinux/restorecond_3.2.bb
similarity index 88%
rename from recipes-security/selinux/restorecond.inc
rename to recipes-security/selinux/restorecond_3.2.bb
index a5b1635..d9def9a 100644
--- a/recipes-security/selinux/restorecond.inc
+++ b/recipes-security/selinux/restorecond_3.2.bb
@@ -4,12 +4,11 @@ The restorecond daemon uses inotify to watch files listed in the \
/etc/selinux/restorecond.conf, when they are created, this daemon \
will make sure they have the correct file context associated with \
the policy."
-
SECTION = "base"
LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"

-SRC_URI += "file://policycoreutils-make-O_CLOEXEC-optional.patch \
-"
+require selinux_common.inc

inherit systemd update-rc.d

@@ -19,6 +18,8 @@ EXTRA_OEMAKE += "SYSTEMDSYSTEMUNITDIR=${systemd_system_unitdir} \
SYSTEMDUSERUNITDIR=${systemd_user_unitdir} \
"

+S = "${WORKDIR}/git/restorecond"
+
FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
${systemd_user_unitdir}/* \
"
--
2.25.1


[meta-selinux][PATCH 09/16] mcstrans: update to 3.2

Yi Zhao
 

Merge inc file into bb file.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/selinux/mcstrans_3.1.bb | 7 -------
.../selinux/{mcstrans.inc => mcstrans_3.2.bb} | 13 +++++++++----
2 files changed, 9 insertions(+), 11 deletions(-)
delete mode 100644 recipes-security/selinux/mcstrans_3.1.bb
rename recipes-security/selinux/{mcstrans.inc => mcstrans_3.2.bb} (92%)

diff --git a/recipes-security/selinux/mcstrans_3.1.bb b/recipes-security/selinux/mcstrans_3.1.bb
deleted file mode 100644
index 26bb299..0000000
--- a/recipes-security/selinux/mcstrans_3.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-
-SRC_URI[md5sum] = "18b7bf8193dd2360bc60f0e2639009ab"
-SRC_URI[sha256sum] = "cc918576c17340fc944849d785e2a7400b269ef079a36b871c140504164d6a45"
diff --git a/recipes-security/selinux/mcstrans.inc b/recipes-security/selinux/mcstrans_3.2.bb
similarity index 92%
rename from recipes-security/selinux/mcstrans.inc
rename to recipes-security/selinux/mcstrans_3.2.bb
index 52b95c6..0cece17 100644
--- a/recipes-security/selinux/mcstrans.inc
+++ b/recipes-security/selinux/mcstrans_3.2.bb
@@ -1,17 +1,20 @@
+
SUMMARY = "Daemon to translate SELinux MCS/MLS sensitivity labels"
DESCRIPTION = "\
mcstrans provides an translation daemon to translate SELinux categories \
from internal representations to user defined representation."
-
SECTION = "base"
LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"

-SRC_URI += "file://mcstrans-de-bashify.patch \
- file://mcstrans-fix-the-init-script.patch \
-"
+require selinux_common.inc

inherit systemd update-rc.d

+SRC_URI += "file://mcstrans-de-bashify.patch \
+ file://mcstrans-fix-the-init-script.patch \
+ "
+
DEPENDS += "libsepol libselinux libcap"

EXTRA_OEMAKE += "SBINDIR=${base_sbindir} \
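Review bot: the lone `+` at the top of the hunk adds an empty first line to mcstrans_3.2.bb; drop it so the file starts with `SUMMARY` like the other recipes in this series. Moving the two `file://` patches below `require selinux_common.inc` is fine, but as with the other recipes the reason (the include assigning SRC_URI with `=`, presumably) should be stated once in a commit message rather than left for the reader to infer.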
@@ -19,6 +22,8 @@ EXTRA_OEMAKE += "SBINDIR=${base_sbindir} \
SYSTEMDDIR=${systemd_unitdir} \
"

+S = "${WORKDIR}/git/mcstrans"
+
do_install_append() {
install -d ${D}${sbindir}
install -m 755 utils/untranscon ${D}${sbindir}/
--
2.25.1


[meta-selinux][PATCH 08/16] policycoreutils: update to 3.2

Yi Zhao
 

Merge inc file into bb file.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
.../selinux/policycoreutils_3.1.bb | 7 -
...cycoreutils.inc => policycoreutils_3.2.bb} | 145 +++++++++---------
2 files changed, 75 insertions(+), 77 deletions(-)
delete mode 100644 recipes-security/selinux/policycoreutils_3.1.bb
rename recipes-security/selinux/{policycoreutils.inc => policycoreutils_3.2.bb} (52%)

diff --git a/recipes-security/selinux/policycoreutils_3.1.bb b/recipes-security/selinux/policycoreutils_3.1.bb
deleted file mode 100644
index f56d1c3..0000000
--- a/recipes-security/selinux/policycoreutils_3.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "3097ac2c83e47af130452f10399282cb"
-SRC_URI[sha256sum] = "c889f62ee80f8b6a369469a9b8af51f5b797975aeaa291f5c5960cc12eed1934"
diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils_3.2.bb
similarity index 52%
rename from recipes-security/selinux/policycoreutils.inc
rename to recipes-security/selinux/policycoreutils_3.2.bb
index 43a641d..9fc1691 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils_3.2.bb
@@ -6,6 +6,9 @@ to switch roles, and run_init to run /etc/init.d scripts in the proper \
context."
SECTION = "base"
LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc

SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://policycoreutils-fixfiles-de-bashify.patch \
@@ -13,92 +16,94 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '',

PAM_SRC_URI = "file://pam.d/newrole \
file://pam.d/run_init \
-"
+ "

DEPENDS += "libsepol libselinux libsemanage libcap gettext-native"
EXTRA_DEPENDS = "libcap-ng libcgroup"
DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"

+S = "${WORKDIR}/git/policycoreutils"
+
inherit selinux python3native

RDEPENDS_${BPN}-fixfiles += "\
- ${BPN}-setfiles \
- grep \
- findutils \
+ ${BPN}-setfiles \
+ grep \
+ findutils \
"
RDEPENDS_${BPN}-genhomedircon += "\
- ${BPN}-semodule \
+ ${BPN}-semodule \
"
RDEPENDS_${BPN}-loadpolicy += "\
- libselinux \
- libsepol \
+ libselinux \
+ libsepol \
"
RDEPENDS_${BPN}-newrole += "\
- libcap-ng \
- libselinux \
+ libcap-ng \
+ libselinux \
"
RDEPENDS_${BPN}-runinit += "libselinux"
RDEPENDS_${BPN}-secon += "libselinux"
RDEPENDS_${BPN}-semodule += "\
- libsepol \
- libselinux \
- libsemanage \
+ libsepol \
+ libselinux \
+ libsemanage \
"
RDEPENDS_${BPN}-sestatus += "libselinux"
RDEPENDS_${BPN}-setfiles += "\
- libselinux \
- libsepol \
+ libselinux \
+ libsepol \
"
RDEPENDS_${BPN}-setsebool += "\
- libsepol \
- libselinux \
- libsemanage \
+ libsepol \
+ libselinux \
+ libsemanage \
"
RDEPENDS_${BPN} += "selinux-python"

PACKAGES =+ "\
- ${PN}-fixfiles \
- ${PN}-genhomedircon \
- ${PN}-hll \
- ${PN}-loadpolicy \
- ${PN}-newrole \
- ${PN}-runinit \
- ${PN}-secon \
- ${PN}-semodule \
- ${PN}-sestatus \
- ${PN}-setfiles \
- ${PN}-setsebool \
+ ${PN}-fixfiles \
+ ${PN}-genhomedircon \
+ ${PN}-hll \
+ ${PN}-loadpolicy \
+ ${PN}-newrole \
+ ${PN}-runinit \
+ ${PN}-secon \
+ ${PN}-semodule \
+ ${PN}-sestatus \
+ ${PN}-setfiles \
+ ${PN}-setsebool \
"
FILES_${PN}-fixfiles += "${base_sbindir}/fixfiles"
FILES_${PN}-genhomedircon += "${base_sbindir}/genhomedircon"
FILES_${PN}-loadpolicy += "\
- ${base_sbindir}/load_policy \
+ ${base_sbindir}/load_policy \
"
FILES_${PN}-newrole += "\
- ${bindir}/newrole \
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \
+ ${bindir}/newrole \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \
"
FILES_${PN}-runinit += "\
- ${base_sbindir}/run_init \
- ${base_sbindir}/open_init_pty \
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
+ ${base_sbindir}/run_init \
+ ${base_sbindir}/open_init_pty \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
"
FILES_${PN}-dbg += "${prefix}/libexec/selinux/hll/.debug"
FILES_${PN}-secon += "${bindir}/secon"
FILES_${PN}-semodule += "${base_sbindir}/semodule"
FILES_${PN}-hll += "${prefix}/libexec/selinux/hll/*"
FILES_${PN}-sestatus += "\
- ${base_sbindir}/sestatus \
- ${sysconfdir}/sestatus.conf \
+ ${base_sbindir}/sestatus \
+ ${sysconfdir}/sestatus.conf \
"
FILES_${PN}-setfiles += "\
- ${base_sbindir}/restorecon \
- ${base_sbindir}/restorecon_xattr \
- ${base_sbindir}/setfiles \
+ ${base_sbindir}/restorecon \
+ ${base_sbindir}/restorecon_xattr \
+ ${base_sbindir}/setfiles \
"
FILES_${PN}-setsebool += "\
- ${base_sbindir}/setsebool \
- ${datadir}/bash-completion/completions/setsebool \
+ ${base_sbindir}/setsebool \
+ ${datadir}/bash-completion/completions/setsebool \
"

export STAGING_INCDIR
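Review bot: the 52% similarity index and 145-line diffstat are almost entirely indentation: in this hunk every RDEPENDS, PACKAGES and FILES block is rewritten with different leading whitespace while the content is unchanged, and the only substantive additions are the LIC_FILES_CHKSUM, `require selinux_common.inc` and `S = "${WORKDIR}/git/policycoreutils"` lines. Please split the re-indentation into its own commit (or at least note it in the message and confirm that `git diff -w` shows only the three real changes), so that anyone auditing what the 3.2 bump did to the policy tooling does not have to read through a whitespace rewrite of the packaging.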
@@ -127,48 +132,48 @@ BBCLASSEXTEND = "native"
PCU_NATIVE_CMDS = "setfiles semodule hll"

do_compile_class-native() {
- for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
- oe_runmake -C $PCU_CMD \
- INCLUDEDIR='${STAGING_INCDIR}' \
- LIBDIR='${STAGING_LIBDIR}'
- done
+ for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
+ oe_runmake -C $PCU_CMD \
+ INCLUDEDIR='${STAGING_INCDIR}' \
+ LIBDIR='${STAGING_LIBDIR}'
+ done
}

sysroot_stage_dirs_append_class-native() {
- cp -R $from/${prefix}/libexec $to/${prefix}/libexec
+ cp -R $from/${prefix}/libexec $to/${prefix}/libexec
}

do_compile_prepend() {
- export PYTHON=python3
- export PYLIBVER='python${PYTHON_BASEVERSION}'
- export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}"
- export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so"
- export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"
+ export PYTHON=python3
+ export PYLIBVER='python${PYTHON_BASEVERSION}'
+ export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}"
+ export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so"
+ export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"
}

do_install_prepend() {
- export PYTHON=python3
- export SBINDIR="${D}/${base_sbindir}"
+ export PYTHON=python3
+ export SBINDIR="${D}/${base_sbindir}"
}

do_install_class-native() {
- for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
- oe_runmake -C $PCU_CMD install \
- DESTDIR="${D}" \
- PREFIX="${prefix}" \
- SBINDIR="${base_sbindir}"
- done
+ for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
+ oe_runmake -C $PCU_CMD install \
+ DESTDIR="${D}" \
+ PREFIX="${prefix}" \
+ SBINDIR="${base_sbindir}"
+ done
}

do_install_append_class-target() {
- if [ -e ${WORKDIR}/pam.d ]; then
- install -d ${D}${sysconfdir}/pam.d/
- install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
- fi
-
- # /var/lib/selinux is involved by seobject.py:
- # + dirname = "/var/lib/selinux"
- # and it's required for running command:
- # $ semanage permissive [OPTS]
- install -d ${D}${localstatedir}/lib/selinux
+ if [ -e ${WORKDIR}/pam.d ]; then
+ install -d ${D}${sysconfdir}/pam.d/
+ install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+ fi
+
+ # /var/lib/selinux is involved by seobject.py:
+ # + dirname = "/var/lib/selinux"
+ # and it's required for running command:
+ # $ semanage permissive [OPTS]
+ install -d ${D}${localstatedir}/lib/selinux
}
--
2.25.1


[meta-selinux][PATCH 07/16] secilc: update to 3.2

Yi Zhao
 

Merge inc file into bb file.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/selinux/secilc_3.1.bb | 7 -------
recipes-security/selinux/{secilc.inc => secilc_3.2.bb} | 6 +++++-
2 files changed, 5 insertions(+), 8 deletions(-)
delete mode 100644 recipes-security/selinux/secilc_3.1.bb
rename recipes-security/selinux/{secilc.inc => secilc_3.2.bb} (66%)

diff --git a/recipes-security/selinux/secilc_3.1.bb b/recipes-security/selinux/secilc_3.1.bb
deleted file mode 100644
index c1fb36b..0000000
--- a/recipes-security/selinux/secilc_3.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=c7e802b9a3b0c2c852669864c08b9138"
-
-SRC_URI[md5sum] = "f9743e405a8de331c249b723c09c6c3f"
-SRC_URI[sha256sum] = "86117246fec3017af710a9ff7c1dae3ed1cd571e232a86cff3e2a3de2d6aa65c"
diff --git a/recipes-security/selinux/secilc.inc b/recipes-security/selinux/secilc_3.2.bb
similarity index 66%
rename from recipes-security/selinux/secilc.inc
rename to recipes-security/selinux/secilc_3.2.bb
index e263f11..60ab2fe 100644
--- a/recipes-security/selinux/secilc.inc
+++ b/recipes-security/selinux/secilc_3.2.bb
@@ -2,10 +2,14 @@ SUMMARY = "SELinux Common Intermediate Language (CIL) compiler"
DESCRIPTION = "\
This package contains secilc, the SELinux Common Intermediate \
Language (CIL) compiler."
-
SECTION = "base"
LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c7e802b9a3b0c2c852669864c08b9138"
+
+require selinux_common.inc

DEPENDS += "libsepol xmlto-native"

+S = "${WORKDIR}/git/secilc"
+
BBCLASSEXTEND = "native"
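Review bot: `LICENSE = "BSD"` is carried over unchanged, but a bare "BSD" does not say which BSD variant COPYING actually contains, and downstream license manifests want a specific identifier. Since the recipe is being rewritten anyway, this is a good moment to replace it with the precise variant matching the COPYING file the checksum covers (for example BSD-2-Clause, if that is what the file says).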
--
2.25.1


[meta-selinux][PATCH 06/16] checkpolicy: update to 3.2

Yi Zhao
 

Merge inc file into bb file.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/selinux/checkpolicy_3.1.bb | 7 -------
.../selinux/{checkpolicy.inc => checkpolicy_3.2.bb} | 10 +++++++---
2 files changed, 7 insertions(+), 10 deletions(-)
delete mode 100644 recipes-security/selinux/checkpolicy_3.1.bb
rename recipes-security/selinux/{checkpolicy.inc => checkpolicy_3.2.bb} (71%)

diff --git a/recipes-security/selinux/checkpolicy_3.1.bb b/recipes-security/selinux/checkpolicy_3.1.bb
deleted file mode 100644
index 71045b8..0000000
--- a/recipes-security/selinux/checkpolicy_3.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "1302676cd8853f740a963fd6d5bb4172"
-SRC_URI[sha256sum] = "dfc7707070520c93b14fbbdfdbe081364d806bf28e3e79e10318c2594c77bbb2"
diff --git a/recipes-security/selinux/checkpolicy.inc b/recipes-security/selinux/checkpolicy_3.2.bb
similarity index 71%
rename from recipes-security/selinux/checkpolicy.inc
rename to recipes-security/selinux/checkpolicy_3.2.bb
index 1d84ebb..552dc26 100644
--- a/recipes-security/selinux/checkpolicy.inc
+++ b/recipes-security/selinux/checkpolicy_3.2.bb
@@ -5,18 +5,22 @@ required for building policies. It uses libsepol to generate the \
binary policy. checkpolicy uses the static libsepol since it deals \
with low level details of the policy that have not been \
encapsulated/abstracted by a proper shared library interface."
-
SECTION = "base"
LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc

DEPENDS += "libsepol bison-native flex-native"

EXTRA_OEMAKE += "LEX='flex'"
EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"

+S = "${WORKDIR}/git/checkpolicy"
+
do_install_append() {
- install test/dismod ${D}/${bindir}/sedismod
- install test/dispol ${D}/${bindir}/sedispol
+ install test/dismod ${D}/${bindir}/sedismod
+ install test/dispol ${D}/${bindir}/sedispol
}

BBCLASSEXTEND = "native"
--
2.25.1


[meta-selinux][PATCH 05/16] libsemanage: update to 3.2

Yi Zhao
 

* Merge inc file into bb file.
* Drop obsolete patches:
libsemanage-define-FD_CLOEXEC-as-necessary.patch

Signed-off-by: Yi Zhao <yi.zhao@...>
---
...anage-define-FD_CLOEXEC-as-necessary.patch | 35 -------------------
recipes-security/selinux/libsemanage_3.1.bb | 14 --------
.../{libsemanage.inc => libsemanage_3.2.bb} | 27 +++++++++-----
3 files changed, 18 insertions(+), 58 deletions(-)
delete mode 100644 recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
delete mode 100644 recipes-security/selinux/libsemanage_3.1.bb
rename recipes-security/selinux/{libsemanage.inc => libsemanage_3.2.bb} (59%)

diff --git a/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
deleted file mode 100644
index 45bcbe6..0000000
--- a/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 81f2e8b62ad2298a197c4b16e7182a133c1e116f Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe.macdonald@...>
-Date: Tue, 15 Oct 2013 10:17:38 -0400
-Subject: [PATCH] libsemanage: define FD_CLOEXEC as necessary
-
-In truly old systems, even FD_CLOEXEC may not be defined. Produce a
-warning and duplicate the #define for FD_CLOEXEC found in
-asm-generic/fcntl.h on more modern platforms.
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Joe MacDonald <joe.macdonald@...>
----
- src/semanage_store.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/semanage_store.c b/src/semanage_store.c
-index 1a94545..b586a8f 100644
---- a/src/semanage_store.c
-+++ b/src/semanage_store.c
-@@ -66,6 +66,11 @@ typedef struct dbase_policydb dbase_t;
-
- #define TRUE 1
-
-+#ifndef FD_CLOEXEC
-+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
-+#define FD_CLOEXEC 1
-+#endif
-+
- enum semanage_file_defs {
- SEMANAGE_ROOT,
- SEMANAGE_TRANS_LOCK,
---
-2.7.4
-
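Review bot: removing this patch is correct; the same reasoning applies to the identical libselinux copy dropped in 03/16. FD_CLOEXEC is required by POSIX <fcntl.h>, and the fallback the patch added (`#define FD_CLOEXEC 1`, copied from asm-generic/fcntl.h) hard-coded a platform value behind a compiler warning, so on any toolchain that actually lacked the macro the lock-file descriptors in semanage_store.c would have been handled with a guessed flag rather than failing the build.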
diff --git a/recipes-security/selinux/libsemanage_3.1.bb b/recipes-security/selinux/libsemanage_3.1.bb
deleted file mode 100644
index 8e6781f..0000000
--- a/recipes-security/selinux/libsemanage_3.1.bb
+++ /dev/null
@@ -1,14 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "d16eee8c1dc8cf43f59957d575d6bd29"
-SRC_URI[sha256sum] = "22d6c75526e40d1781c30bcf29abf97171bdfe6780923f11c8e1c76a75a21ff8"
-
-SRC_URI += "\
- file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
- file://libsemanage-define-FD_CLOEXEC-as-necessary.patch \
- file://libsemanage-allow-to-disable-audit-support.patch \
- file://libsemanage-disable-expand-check-on-policy-load.patch \
- "
diff --git a/recipes-security/selinux/libsemanage.inc b/recipes-security/selinux/libsemanage_3.2.bb
similarity index 59%
rename from recipes-security/selinux/libsemanage.inc
rename to recipes-security/selinux/libsemanage_3.2.bb
index 0139511..58b6da4 100644
--- a/recipes-security/selinux/libsemanage.inc
+++ b/recipes-security/selinux/libsemanage_3.2.bb
@@ -5,12 +5,22 @@ as by programs like load_policy that need to perform specific transformations \
on binary policies such as customizing policy boolean settings."
SECTION = "base"
LICENSE = "LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+require selinux_common.inc

inherit lib_package python3native

+SRC_URI += "file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
+ file://libsemanage-allow-to-disable-audit-support.patch \
+ file://libsemanage-disable-expand-check-on-policy-load.patch \
+ "
+
DEPENDS += "libsepol libselinux bzip2 python3 bison-native flex-native swig-native"
DEPENDS_append_class-target = " audit"

+S = "${WORKDIR}/git/libsemanage"
+
PACKAGES =+ "${PN}-python"

# For /usr/libexec/selinux/semanage_migrate_store
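Review bot: libsemanage-disable-expand-check-on-policy-load.patch is carried forward into the 3.2 recipe without any explanation. Judging by its name it turns off the expand-check step, which is where libsemanage verifies neverallow assertions when a policy is built and loaded, so it weakens a security check on every target that ships this recipe. That deserves a one-line justification next to the SRC_URI entry (build time on small targets, or whatever the actual reason is) and an Upstream-Status in the patch header, so a future bump can decide whether it is still needed.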
@@ -19,27 +29,26 @@ RDEPENDS_${PN}-python += "python3-core"
FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
${libexecdir}/selinux/semanage_migrate_store"
FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/*"
-
FILES_${PN} += "${libexecdir}"

EXTRA_OEMAKE_class-native += "DISABLE_AUDIT=y"

do_compile_append() {
oe_runmake pywrap \
- PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
- PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
- PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+ PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+ PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+ PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
}

do_install_append() {
oe_runmake install-pywrap \
- PYCEXT='.so' \
- PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
- PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
+ PYCEXT='.so' \
+ PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+ PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'

# Update "policy-version" for semanage.conf
- sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 31/' \
- ${D}/etc/selinux/semanage.conf
+ sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 33/' \
+ ${D}/etc/selinux/semanage.conf
}

BBCLASSEXTEND = "native"
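Review bot: two concerns with the `sed` that rewrites policy-version to 33. First, it pins the binary policy format the target will build: a kernel that does not support policy version 33 will refuse the resulting policy, so the recipe should either document the minimum kernel it now requires or derive the version from the target instead of hard-coding it. Second, the pattern `^#\s*\(policy-version\s*=\).*$` only matches a commented-out line; if upstream ever ships `policy-version` uncommented, the sed silently does nothing and the build proceeds with upstream's value. A `grep -q '^policy-version = 33'` after the sed would make that failure visible. Minor: `${D}/etc/selinux/semanage.conf` should be `${D}${sysconfdir}/selinux/semanage.conf`.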
--
2.25.1


[meta-selinux][PATCH 04/16] libselinux-python: update to 3.2

Yi Zhao
 

Merge inc file into bb file.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
.../selinux/libselinux-python_3.1.bb | 26 -------------------
...ux-python.inc => libselinux-python_3.2.bb} | 25 ++++++++++++------
2 files changed, 17 insertions(+), 34 deletions(-)
delete mode 100644 recipes-security/selinux/libselinux-python_3.1.bb
rename recipes-security/selinux/{libselinux-python.inc => libselinux-python_3.2.bb} (61%)

diff --git a/recipes-security/selinux/libselinux-python_3.1.bb b/recipes-security/selinux/libselinux-python_3.1.bb
deleted file mode 100644
index 854eca9..0000000
--- a/recipes-security/selinux/libselinux-python_3.1.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-SELINUX_RELEASE = "20200710"
-
-SRC_URI = "https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/libselinux-${PV}.tar.gz"
-
-require ${BPN}.inc
-
-inherit python3targetconfig
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
-
-SRC_URI[md5sum] = "693680c021feb69a4b258b0370021461"
-SRC_URI[sha256sum] = "ea5dcbb4d859e3f999c26a13c630da2f16dff9462e3cc8cb7b458ac157d112e7"
-
-SRC_URI += "\
- file://libselinux-make-O_CLOEXEC-optional.patch \
- file://libselinux-make-SOCK_CLOEXEC-optional.patch \
- file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
- file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \
- file://0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \
- "
-
-SRC_URI_append_libc-musl = " \
- file://0001-libselinux-do-not-define-gettid-for-musl.patch \
- "
-
-S = "${WORKDIR}/libselinux-${PV}"
diff --git a/recipes-security/selinux/libselinux-python.inc b/recipes-security/selinux/libselinux-python_3.2.bb
similarity index 61%
rename from recipes-security/selinux/libselinux-python.inc
rename to recipes-security/selinux/libselinux-python_3.2.bb
index 7149d94..b741449 100644
--- a/recipes-security/selinux/libselinux-python.inc
+++ b/recipes-security/selinux/libselinux-python_3.2.bb
@@ -4,11 +4,20 @@ process and file security contexts and to obtain security policy \
decisions. Required for any applications that use the SELinux API."
SECTION = "base"
LICENSE = "PD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"

-FILESEXTRAPATHS_prepend := "${THISDIR}/libselinux:"
+require selinux_common.inc

inherit python3native python3targetconfig

+FILESEXTRAPATHS_prepend := "${THISDIR}/libselinux:"
+SRC_URI += "\
+ file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \
+ file://0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \
+ "
+
+S = "${WORKDIR}/git/libselinux"
+
DEPENDS += "python3 swig-native libpcre libsepol"
RDEPENDS_${PN} += "libselinux python3-core python3-shell"

@@ -18,8 +27,8 @@ def get_policyconfigarch(d):
p = re.compile('i.86')
target = p.sub('i386',target)
return "ARCH=%s" % (target)
-EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"

+EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"

@@ -28,14 +37,14 @@ INSANE_SKIP_${PN} = "dev-so"

do_compile() {
oe_runmake pywrap -j1 \
- PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
- PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
- PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+ PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+ PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+ PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
}

do_install() {
oe_runmake install-pywrap \
- DESTDIR=${D} \
- PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
- PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages'
+ DESTDIR=${D} \
+ PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+ PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages'
}
--
2.25.1


[meta-selinux][PATCH 03/16] libselinux: update to 3.2

Yi Zhao
 

* Merge inc file into bb file.
* Drop obsolete patches:
0001-libselinux-do-not-define-gettid-for-musl.patch
libselinux-define-FD_CLOEXEC-as-necessary.patch
libselinux-make-O_CLOEXEC-optional.patch
libselinux-make-SOCK_CLOEXEC-optional.patch

Signed-off-by: Yi Zhao <yi.zhao@...>
---
...elinux-do-not-define-gettid-for-musl.patch | 47 ---------
...linux-define-FD_CLOEXEC-as-necessary.patch | 33 -------
.../libselinux-make-O_CLOEXEC-optional.patch | 99 -------------------
...ibselinux-make-SOCK_CLOEXEC-optional.patch | 38 -------
recipes-security/selinux/libselinux_3.1.bb | 17 ----
.../{libselinux.inc => libselinux_3.2.bb} | 7 +-
6 files changed, 6 insertions(+), 235 deletions(-)
delete mode 100644 recipes-security/selinux/libselinux/0001-libselinux-do-not-define-gettid-for-musl.patch
delete mode 100644 recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
delete mode 100644 recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
delete mode 100644 recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
delete mode 100644 recipes-security/selinux/libselinux_3.1.bb
rename recipes-security/selinux/{libselinux.inc => libselinux_3.2.bb} (84%)

diff --git a/recipes-security/selinux/libselinux/0001-libselinux-do-not-define-gettid-for-musl.patch b/recipes-security/selinux/libselinux/0001-libselinux-do-not-define-gettid-for-musl.patch
deleted file mode 100644
index 5d6e409..0000000
--- a/recipes-security/selinux/libselinux/0001-libselinux-do-not-define-gettid-for-musl.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 5f6f4a095bc82b29c3871d4d8a15d9c16cef39ef Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@...>
-Date: Wed, 6 Jan 2021 10:42:11 +0800
-Subject: [PATCH] libselinux: do not define gettid() for musl
-
-The musl has implemented gettid() function:
-http://git.musl-libc.org/cgit/musl/commit/?id=d49cf07541bb54a5ac7aec1feec8514db33db8ea
-
-Fixes:
-procattr.c:38:14: error: static declaration of 'gettid' follows non-static declaration
- 38 | static pid_t gettid(void)
- | ^~~~~~
-In file included from procattr.c:2:
-/build/tmp/work/core2-32-poky-linux-musl/libselinux/3.1-r0/recipe-sysroot/usr/include/unistd.h:194:7:
-note: previous declaration of 'gettid' was here
- 194 | pid_t gettid(void);
- | ^~~~~~
-
-Upstream-Status: Pending
-
-Signed-off-by: Yi Zhao <yi.zhao@...>
----
- src/procattr.c | 8 +-------
- 1 file changed, 1 insertion(+), 7 deletions(-)
-
-diff --git a/src/procattr.c b/src/procattr.c
-index 926ee54..519e515 100644
---- a/src/procattr.c
-+++ b/src/procattr.c
-@@ -24,13 +24,7 @@ static __thread char destructor_initialized;
-
- /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and
- * has a definition for it */
--#ifdef __BIONIC__
-- #define OVERRIDE_GETTID 0
--#elif !defined(__GLIBC_PREREQ)
-- #define OVERRIDE_GETTID 1
--#elif !__GLIBC_PREREQ(2,30)
-- #define OVERRIDE_GETTID 1
--#else
-+#if !defined(__GLIBC_)
- #define OVERRIDE_GETTID 0
- #endif
-
---
-2.17.1
-
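Review bot: unlike the three CLOEXEC patches removed below, this one's own header says Upstream-Status: Pending, so it is being dropped because of the version bump rather than because it was obsolete, and the libselinux_3.2.bb hunk later in this patch adds no replacement to SRC_URI_append_libc-musl. The commit message should state that upstream 3.2 no longer redefines gettid() for musl; otherwise the procattr.c "static declaration of 'gettid' follows non-static declaration" error quoted in the removed header comes back on libc-musl builds. Worth noting in passing: the removed hunk tested `!defined(__GLIBC_)` (one trailing underscore, so never defined), meaning it unconditionally forced OVERRIDE_GETTID to 0 rather than detecting glibc, which is one more reason not to miss it if 3.2 handles musl itself.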
diff --git a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
deleted file mode 100644
index 25d4b24..0000000
--- a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d0aaf391ab30b253aa22ef6547a039bcac840fc6 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe.macdonald@...>
-Date: Tue, 15 Oct 2013 10:14:41 -0400
-Subject: [PATCH] libselinux: define FD_CLOEXEC as necessary
-
-In truly old systems, even FD_CLOEXEC may not be defined. Produce a
-warning and duplicate the #define for FD_CLOEXEC found in
-asm-generic/fcntl.h on more modern platforms.
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Joe MacDonald <joe.macdonald@...>
-
----
- src/setrans_client.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/setrans_client.c b/src/setrans_client.c
-index fa188a8..a94f02c 100644
---- a/src/setrans_client.c
-+++ b/src/setrans_client.c
-@@ -39,6 +39,11 @@ static pthread_key_t destructor_key;
- static int destructor_key_initialized = 0;
- static __thread char destructor_initialized;
-
-+#ifndef FD_CLOEXEC
-+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
-+#define FD_CLOEXEC 1
-+#endif
-+
- /*
- * setransd_open
- *
diff --git a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
deleted file mode 100644
index 1d6f3a7..0000000
--- a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 802d224953294463fa9bc793e46f664ecfea057a Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe.macdonald@...>
-Date: Fri, 11 Oct 2013 09:56:25 -0400
-Subject: [PATCH] libselinux: make O_CLOEXEC optional
-
-Various commits in the selinux tree in the current release added O_CLOEXEC
-to open() calls in an attempt to address file descriptor leaks as
-described:
-
- http://danwalsh.livejournal.com/53603.html
-
-However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available. The
-actual impact of leaking these file descriptors is minimal, though it does
-produce curious AVC Denied messages.
-
-Upstream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
-
-Signed-off-by: Joe MacDonald <joe.macdonald@...>
-Signed-off-by: Wenzong Fan <wenzong.fan@...>
-
----
- src/procattr.c | 16 ++++++++++++++--
- src/sestatus.c | 8 +++++++-
- src/stringrep.c | 8 +++++++-
- 3 files changed, 28 insertions(+), 4 deletions(-)
-
-diff --git a/src/procattr.c b/src/procattr.c
-index 48dd8af..8bf8432 100644
---- a/src/procattr.c
-+++ b/src/procattr.c
-@@ -79,7 +79,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
- rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
- if (rc < 0)
- return -1;
-- fd = open(path, flags | O_CLOEXEC);
-+ fd = open(path, flags
-+#ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ );
- if (fd >= 0 || errno != ENOENT)
- goto out;
- free(path);
-@@ -92,7 +98,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
- if (rc < 0)
- return -1;
-
-- fd = open(path, flags | O_CLOEXEC);
-+ fd = open(path, flags
-+#ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ );
- out:
- free(path);
- return fd;
-diff --git a/src/sestatus.c b/src/sestatus.c
-index ed29dc5..0cb15b6 100644
---- a/src/sestatus.c
-+++ b/src/sestatus.c
-@@ -268,7 +268,13 @@ int selinux_status_open(int fallback)
- return -1;
-
- snprintf(path, sizeof(path), "%s/status", selinux_mnt);
-- fd = open(path, O_RDONLY | O_CLOEXEC);
-+ fd = open(path, O_RDONLY
-+#ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ );
- if (fd < 0)
- goto error;
-
-diff --git a/src/stringrep.c b/src/stringrep.c
-index 2d83f96..17e9232 100644
---- a/src/stringrep.c
-+++ b/src/stringrep.c
-@@ -105,7 +105,13 @@ static struct discover_class_node * discover_class(const char *s)
- struct stat m;
-
- snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
-- fd = open(path, O_RDONLY | O_CLOEXEC);
-+ fd = open(path, O_RDONLY
-+#ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ );
- if (fd < 0)
- goto err4;
-
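Review bot: dropping this patch is an improvement, not a regression: its own Upstream-Status line records that O_CLOEXEC has been in Linux since 2007 and POSIX since 2008, and with the #ifdef fallback gone the open() calls in procattr.c, sestatus.c and stringrep.c pass O_CLOEXEC unconditionally, so the /proc/*/attr and selinuxfs descriptors can no longer be inherited by exec'd children (the #warning branch quietly built a leaking binary on the platforms it was meant to help). The same reasoning covers the FD_CLOEXEC and SOCK_CLOEXEC patch removals around it.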
diff --git a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
deleted file mode 100644
index 77a9136..0000000
--- a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e630805d15a3b8d09330353f87a7e4a9fcc9998a Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe.macdonald@...>
-Date: Tue, 15 Oct 2013 10:07:43 -0400
-Subject: [PATCH] libselinux: make SOCK_CLOEXEC optional
-
-libselinux/src/setrans_client.c checks for the existence of SOCK_CLOEXEC
-before using it, however libselinux/src/avc_internal.c does not. Since
-SOCK_CLOEXEC suffers the same problem as O_CLOEXEC on some older
-platforms, we need to ensure we protect the references it it in the same
-way.
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Joe MacDonald <joe.macdonald@...>
-
----
- src/avc_internal.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/avc_internal.c b/src/avc_internal.c
-index 49cecc9..148cc83 100644
---- a/src/avc_internal.c
-+++ b/src/avc_internal.c
-@@ -60,7 +60,13 @@ int avc_netlink_open(int blocking)
- int len, rc = 0;
- struct sockaddr_nl addr;
-
-- fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX);
-+ fd = socket(PF_NETLINK, SOCK_RAW
-+#ifdef SOCK_CLOEXEC
-+ | SOCK_CLOEXEC
-+#else
-+#warning SOCK_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ , NETLINK_SELINUX);
- if (fd < 0) {
- rc = fd;
- goto out;
diff --git a/recipes-security/selinux/libselinux_3.1.bb b/recipes-security/selinux/libselinux_3.1.bb
deleted file mode 100644
index 9d1cda5..0000000
--- a/recipes-security/selinux/libselinux_3.1.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
-
-SRC_URI[md5sum] = "693680c021feb69a4b258b0370021461"
-SRC_URI[sha256sum] = "ea5dcbb4d859e3f999c26a13c630da2f16dff9462e3cc8cb7b458ac157d112e7"
-
-SRC_URI += "\
- file://libselinux-make-O_CLOEXEC-optional.patch \
- file://libselinux-make-SOCK_CLOEXEC-optional.patch \
- file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
- "
-
-SRC_URI_append_libc-musl = " \
- file://0001-libselinux-do-not-define-gettid-for-musl.patch \
- "
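Review bot: the deleted recipe pinned the 3.1 tarball by md5sum/sha256sum and carried the four patches via SRC_URI and SRC_URI_append_libc-musl; the libselinux_3.2.bb hunk below lists none of them and relies on the SRCREV in selinux_common.inc (patch 01/16 on this page) for source pinning. That is consistent with the deletions above, but one line per dropped patch in the commit message saying why it is no longer needed would make the bump auditable later without re-reading four patch headers.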
diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux_3.2.bb
similarity index 84%
rename from recipes-security/selinux/libselinux.inc
rename to recipes-security/selinux/libselinux_3.2.bb
index fe8c087..5acd576 100644
--- a/recipes-security/selinux/libselinux.inc
+++ b/recipes-security/selinux/libselinux_3.2.bb
@@ -4,20 +4,25 @@ process and file security contexts and to obtain security policy \
decisions. Required for any applications that use the SELinux API."
SECTION = "base"
LICENSE = "PD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+require selinux_common.inc

inherit lib_package python3native

DEPENDS += "libsepol libpcre"
DEPENDS_append_libc-musl = " fts"

+S = "${WORKDIR}/git/libselinux"
+
def get_policyconfigarch(d):
import re
target = d.getVar('TARGET_ARCH')
p = re.compile('i.86')
target = p.sub('i386',target)
return "ARCH=%s" % (target)
-EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"

+EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"

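Review bot: LIC_FILES_CHKSUM carries the same md5 (84b4d2c6ef954a2d4081e775a270d0d0) as the deleted 3.1 recipe, so the LICENSE text is unchanged across the bump, which is the check that matters here. Referencing it as file://${S}/LICENSE is fine even though S = "${WORKDIR}/git/libselinux" is assigned a few lines later, because BitBake expands ${S} where the variable is used, not where it is assigned. Moving `EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"` below the blank line is whitespace-only.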
--
2.25.1


[meta-selinux][PATCH 02/16] libsepol: update to 3.2

Yi Zhao
 

Merge inc file into bb file.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/selinux/libsepol_3.1.bb | 8 --------
.../selinux/{libsepol.inc => libsepol_3.2.bb} | 5 +++++
2 files changed, 5 insertions(+), 8 deletions(-)
delete mode 100644 recipes-security/selinux/libsepol_3.1.bb
rename recipes-security/selinux/{libsepol.inc => libsepol_3.2.bb} (81%)

diff --git a/recipes-security/selinux/libsepol_3.1.bb b/recipes-security/selinux/libsepol_3.1.bb
deleted file mode 100644
index 1568025..0000000
--- a/recipes-security/selinux/libsepol_3.1.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "b56dc01b76b97dcb730ab4e2fd1c9dea"
-SRC_URI[sha256sum] = "ae6778d01443fdd38cd30eeee846494e19f4d407b09872580372f4aa4bf8a3cc"
-
diff --git a/recipes-security/selinux/libsepol.inc b/recipes-security/selinux/libsepol_3.2.bb
similarity index 81%
rename from recipes-security/selinux/libsepol.inc
rename to recipes-security/selinux/libsepol_3.2.bb
index a8ee749..48d5f49 100644
--- a/recipes-security/selinux/libsepol.inc
+++ b/recipes-security/selinux/libsepol_3.2.bb
@@ -5,9 +5,14 @@ as by programs like load_policy that need to perform specific transformations \
on binary policies such as customizing policy boolean settings."
SECTION = "base"
LICENSE = "LGPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+require selinux_common.inc

inherit lib_package

+S = "${WORKDIR}/git/libsepol"
+
# Change RANLIB for cross compiling, use host-tools $(AR) rather than
# local ranlib.
EXTRA_OEMAKE += "RANLIB='$(AR) s'"
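Review bot: same pattern as libselinux: the LIC_FILES_CHKSUM md5 (a6f89e2100d9b6cdffcea4f398e37343) matches the deleted libsepol_3.1.bb, so COPYING is unchanged, and S = "${WORKDIR}/git/libsepol" selects this library's subdirectory of the unified checkout. No SRC_URI[md5sum]/[sha256sum] replacement is needed: the SRCREV in selinux_common.inc is a full 40-hex commit id, and git's content addressing pins the fetched tree as strongly as a tarball hash did.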
--
2.25.1


[meta-selinux][PATCH 01/16] selinux: update inc file to 3.2

Yi Zhao
 

* Drop selinux_DATE.inc since upstream now uses X.Y version instead of
date for release tag[1]. Move its content to selinux_common.inc.
* Switch to git repo in SRC_URI, then all selinux recipes can use
unified source.

[1] https://github.com/SELinuxProject/selinux/commit/f63ac245f7addf832e8cde3cc4f26607b738994d

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/selinux/selinux_20200710.inc | 8 --------
recipes-security/selinux/selinux_common.inc | 15 ++++++++++-----
2 files changed, 10 insertions(+), 13 deletions(-)
delete mode 100644 recipes-security/selinux/selinux_20200710.inc

diff --git a/recipes-security/selinux/selinux_20200710.inc b/recipes-security/selinux/selinux_20200710.inc
deleted file mode 100644
index a8a76e9..0000000
--- a/recipes-security/selinux/selinux_20200710.inc
+++ /dev/null
@@ -1,8 +0,0 @@
-SELINUX_RELEASE = "20200710"
-
-SRC_URI = "https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz"
-
-UPSTREAM_CHECK_URI = "https://github.com/SELinuxProject/selinux/releases"
-UPSTREAM_CHECK_REGEX = "libselinux-(?P<pver>.+)\.tar\.gz"
-
-require selinux_common.inc
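Review bot: the removed UPSTREAM_CHECK_REGEX hard-coded the `libselinux-` prefix even though this .inc was required by every SELinux recipe, so upstream version checks for libsepol, libsemanage and the rest were matching the wrong tarball name. Replacing it with the tag-based UPSTREAM_CHECK_GITTAGREGEX in selinux_common.inc fixes that for all of them, and the commit message could say so rather than presenting the move as purely mechanical.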
diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc
index 09c0acc..f2e180f 100644
--- a/recipes-security/selinux/selinux_common.inc
+++ b/recipes-security/selinux/selinux_common.inc
@@ -1,14 +1,19 @@
HOMEPAGE = "https://github.com/SELinuxProject"

+SRC_URI = "git://github.com/SELinuxProject/selinux.git"
+SRCREV = "cf853c1a0c2328ad6c62fb2b2cc55d4926301d6b"
+
+UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
+
do_compile() {
oe_runmake all
}

do_install() {
oe_runmake install \
- DESTDIR="${D}" \
- PREFIX="${prefix}" \
- INCLUDEDIR="${includedir}" \
- LIBDIR="${libdir}" \
- SHLIBDIR="${base_libdir}"
+ DESTDIR="${D}" \
+ PREFIX="${prefix}" \
+ INCLUDEDIR="${includedir}" \
+ LIBDIR="${libdir}" \
+ SHLIBDIR="${base_libdir}"
}
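Review bot: `SRC_URI = "git://github.com/SELinuxProject/selinux.git"` gives the fetcher no `protocol=` parameter, so it uses the bare git:// transport, which is unauthenticated and unencrypted. The full 40-hex SRCREV still guarantees the checked-out tree is the one reviewed (a mismatch fails the fetch), so this is an availability and hygiene point rather than an integrity hole, but `git://github.com/SELinuxProject/selinux.git;protocol=https;branch=master` avoids depending on the bare git protocol being served and on the default-branch assumption. The do_install re-indentation is whitespace-only and doubles the hunk for no functional change; fine to keep, but worth a word in the commit message.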
--
2.25.1


[meta-selinux][PATCH 00/16] selinux: update 3.1 -> 3.2

Yi Zhao
 

Yi Zhao (16):
selinux: update inc file to 3.2
libsepol: update to 3.2
libselinux: update to 3.2
libselinux-python: update to 3.2
libsemanage: update to 3.2
checkpolicy: update to 3.2
secilc: update to 3.2
policycoreutils: update to 3.2
mcstrans: update to 3.2
restorecond: update to 3.2
selinux-python: update to 3.2
selinux-dbus: update to 3.2
selinux-gui: update to 3.2
selinux-sandbox: update to 3.2
semodule-utils: update to 3.2
setools: upgrade 4.3.0 -> 4.4.0

recipes-security/selinux/checkpolicy_3.1.bb | 7 -
.../{checkpolicy.inc => checkpolicy_3.2.bb} | 10 +-
.../selinux/libselinux-python_3.1.bb | 26 ----
...ux-python.inc => libselinux-python_3.2.bb} | 25 ++-
...elinux-do-not-define-gettid-for-musl.patch | 47 ------
...linux-define-FD_CLOEXEC-as-necessary.patch | 33 ----
.../libselinux-make-O_CLOEXEC-optional.patch | 99 ------------
...ibselinux-make-SOCK_CLOEXEC-optional.patch | 38 -----
recipes-security/selinux/libselinux_3.1.bb | 17 --
.../{libselinux.inc => libselinux_3.2.bb} | 7 +-
...anage-define-FD_CLOEXEC-as-necessary.patch | 35 -----
recipes-security/selinux/libsemanage_3.1.bb | 14 --
.../{libsemanage.inc => libsemanage_3.2.bb} | 27 ++--
recipes-security/selinux/libsepol_3.1.bb | 8 -
.../selinux/{libsepol.inc => libsepol_3.2.bb} | 5 +
recipes-security/selinux/mcstrans_3.1.bb | 7 -
.../selinux/{mcstrans.inc => mcstrans_3.2.bb} | 13 +-
.../selinux/policycoreutils_3.1.bb | 7 -
...cycoreutils.inc => policycoreutils_3.2.bb} | 145 +++++++++---------
...icycoreutils-make-O_CLOEXEC-optional.patch | 48 ------
recipes-security/selinux/restorecond_3.1.bb | 7 -
.../{restorecond.inc => restorecond_3.2.bb} | 7 +-
recipes-security/selinux/secilc_3.1.bb | 7 -
.../selinux/{secilc.inc => secilc_3.2.bb} | 6 +-
recipes-security/selinux/selinux-dbus_3.1.bb | 7 -
.../{selinux-dbus.inc => selinux-dbus_3.2.bb} | 6 +-
recipes-security/selinux/selinux-gui_3.1.bb | 7 -
.../{selinux-gui.inc => selinux-gui_3.2.bb} | 6 +-
.../selinux/selinux-python_3.1.bb | 7 -
...linux-python.inc => selinux-python_3.2.bb} | 20 ++-
.../selinux/selinux-sandbox_3.1.bb | 7 -
...nux-sandbox.inc => selinux-sandbox_3.2.bb} | 9 +-
recipes-security/selinux/selinux_20200710.inc | 8 -
recipes-security/selinux/selinux_common.inc | 15 +-
.../selinux/semodule-utils_3.1.bb | 7 -
...module-utils.inc => semodule-utils_3.2.bb} | 7 +-
.../{setools_4.3.0.bb => setools_4.4.0.bb} | 6 +-
37 files changed, 192 insertions(+), 565 deletions(-)
delete mode 100644 recipes-security/selinux/checkpolicy_3.1.bb
rename recipes-security/selinux/{checkpolicy.inc => checkpolicy_3.2.bb} (71%)
delete mode 100644 recipes-security/selinux/libselinux-python_3.1.bb
rename recipes-security/selinux/{libselinux-python.inc => libselinux-python_3.2.bb} (61%)
delete mode 100644 recipes-security/selinux/libselinux/0001-libselinux-do-not-define-gettid-for-musl.patch
delete mode 100644 recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
delete mode 100644 recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
delete mode 100644 recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
delete mode 100644 recipes-security/selinux/libselinux_3.1.bb
rename recipes-security/selinux/{libselinux.inc => libselinux_3.2.bb} (84%)
delete mode 100644 recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
delete mode 100644 recipes-security/selinux/libsemanage_3.1.bb
rename recipes-security/selinux/{libsemanage.inc => libsemanage_3.2.bb} (59%)
delete mode 100644 recipes-security/selinux/libsepol_3.1.bb
rename recipes-security/selinux/{libsepol.inc => libsepol_3.2.bb} (81%)
delete mode 100644 recipes-security/selinux/mcstrans_3.1.bb
rename recipes-security/selinux/{mcstrans.inc => mcstrans_3.2.bb} (92%)
delete mode 100644 recipes-security/selinux/policycoreutils_3.1.bb
rename recipes-security/selinux/{policycoreutils.inc => policycoreutils_3.2.bb} (52%)
delete mode 100644 recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
delete mode 100644 recipes-security/selinux/restorecond_3.1.bb
rename recipes-security/selinux/{restorecond.inc => restorecond_3.2.bb} (88%)
delete mode 100644 recipes-security/selinux/secilc_3.1.bb
rename recipes-security/selinux/{secilc.inc => secilc_3.2.bb} (66%)
delete mode 100644 recipes-security/selinux/selinux-dbus_3.1.bb
rename recipes-security/selinux/{selinux-dbus.inc => selinux-dbus_3.2.bb} (75%)
delete mode 100644 recipes-security/selinux/selinux-gui_3.1.bb
rename recipes-security/selinux/{selinux-gui.inc => selinux-gui_3.2.bb} (75%)
delete mode 100644 recipes-security/selinux/selinux-python_3.1.bb
rename recipes-security/selinux/{selinux-python.inc => selinux-python_3.2.bb} (89%)
delete mode 100644 recipes-security/selinux/selinux-sandbox_3.1.bb
rename recipes-security/selinux/{selinux-sandbox.inc => selinux-sandbox_3.2.bb} (77%)
delete mode 100644 recipes-security/selinux/selinux_20200710.inc
delete mode 100644 recipes-security/selinux/semodule-utils_3.1.bb
rename recipes-security/selinux/{semodule-utils.inc => semodule-utils_3.2.bb} (83%)
rename recipes-security/setools/{setools_4.3.0.bb => setools_4.4.0.bb} (89%)

--
2.25.1


Re: Failing to patch u-boot .dts

Jonas Vautherin
 

I finally understood how to do it properly, and hence I am explaining it here for the record.

In my machine configuration, I have this line (that I overlooked):

```
IMAGE_BOOT_FILES ?= "u-boot.${UBOOT_SUFFIX} MLO zImage am335x-pocketbeagle.dtb"
```

This says that it should use the `am335x-pocketbeagle` device tree. I assume that it infers that it should compile `am335x-pocketbeagle.dts` into `am335x-pocketbeagle.dtb`. Because `am335x-evm` is listed as the default in the defconfig, I thought it was the one being used. But I was wrong.

I patched `am335x-pocketbeagle.dts` this time and it just worked.

On Thu, Mar 11, 2021 at 11:28 AM Jonas Vautherin <jonas.vautherin@...> wrote:
Hello!

I am using u-boot on a pocketbeagle which, according to "Default Device Tree for DT control" in `bitbake -c menuconfig u-boot`, uses am335x-evm, which I understand is the file in ./build/tmp/work/pocketbeagle-poky-linux-gnueabi/u-boot/1_2020.07-r0/git/arch/arm/dts/am335x-evm.dts. 

My issue is that this file ends up setting usb1 as `dr_mode = "host"` and usb0 as `dr_mode = "otg"`. I would like to use fastboot on my pocketbeagle, and therefore set them to `dr_mode = "peripheral"`.

In order to do that, I wrote a .bbappend that does the following:

```
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"

SRC_URI += "file://am335x-evm.dts.patch"
SRC_URI += "file://logging.cfg"
```

The patch sets both usb0 and usb1 to `dr_mode = "peripheral"`, while the cfg enables logging in u-boot. Because logging is effectively enabled, I get that my .bbappend is used. And I can confirm that ./build/tmp/work/pocketbeagle-poky-linux-gnueabi/u-boot/1_2020.07-r0/git/arch/arm/dts/am335x-evm.dts is patched indeed.

However, whatever I do, I can't seem to get that modification in my u-boot device tree at runtime, as usb0 always ends up as "otg" and usb1 as "host". I have even tried a full clean build where I removed build/tmp and cache_sstate.

I cannot really tell if my patched file is actually used or not. For instance, if I `bitbake -c cleansstate u-boot`, then `bitbake -c do_patch u-boot`, then `rm -rf ./build/tmp/work/pocketbeagle-poky-linux-gnueabi/u-boot/1_2020.07-r0/git/arch/arm/dts` and finally `bitbake u-boot`, it does not complain at all about a missing dts file.

What am I missing, and how could I make sure that my patched am335x-evm.dts is the device tree being used by my u-boot install?

Best Regards,
Jonas


Re: How can I create a truly minimal distribution that runs entirely from RAM?

p32@...
 

Thank you very much for your help on the second issue! I was unaware of the fact that another mkimage call is necessary. After taking a look at the references you provided, I was able to boot the system from an initramfs.

However, my current approach requires two manual steps after running Yocto: I need to call mkimage on the cpio.xz file and to extend/configure the U-Boot environment in the running system. Is there a way to automate this?

More specifically, is it possible to...
  1. have Yocto generate an initramfs.cpio.xz.uboot file instead of just an initramfs.cpio.xz file and to
  2. modify the default environment that Yocto will compile into the U-Boot binary?


Re: debug symbols and INHIBIT_PACKAGE_STRIP = "1"

Khem Raj
 

Check the build logs for the binary and see if there is some sort of symbol stripping happening. Perhaps it's using install -s?

On 3/12/21 3:17 AM, AFraser wrote:
Hi,
I'm using bitbake to build an application and I'd like to troubleshoot some segfaults that are taking place. I've set up gdbserver on a virtual machine running the application and can connect. My problem is that I cannot seem to get the image to build my binaries without stripping the symbol table.
Whenever I run:
`objdump -t _binary_`
it shows 'no symbols' under 'SYMBOL TABLE'.
So far I've added the following to build/conf/local.conf:
`EXTRA_IMAGE_FEATURES = "debug-tweaks dbg-pkgs tools-sdk tools-debug "`
`INHIBIT_PACKAGE_STRIP = "1"`
`INHIBIT_PACKAGE_DEBUG_SPLIT = "1"`
I also tried adding the following to bitbake.conf:
`export CFLAGS = "${TARGET_CFLAGS} -g"`
`export LDFLAGS = "${TARGET_LDFLAGS} -g"`
Strangely, the size of the binary I'm looking at has increased since making these changes, and the new build took much longer to run.
Running `bitbake -e _recipe_` shows the environment of my recipe and reflects the changes made in local.conf.
Is there a way I can look at the exact gcc command that is being run to make sure it's not still being stripped somewhere? I can't seem to see it in the logs.
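As an added example (not code from the thread), a POSIX shell scan of a task log such as ${WORKDIR}/temp/log.do_install for the commands the reply above suggests looking for: INHIBIT_PACKAGE_STRIP only stops the packaging-stage strip, so an `install -s`, an explicit strip, or a `-s` link flag in the recipe's own build still removes the symbol table. The log content is constructed here and the paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: find the commands in a BitBake task log
# that strip symbols. Reading the log by hand is what the reply above suggests;
# this automates the grep. All log content below is constructed.

# Write a constructed log.do_install into the file named by $1.
write_sample_log() {
  cat > "$1" <<'EOF'
NOTE: make -j 8 DESTDIR=/build/tmp/work/qemux86-64-poky-linux/myapp/1.0-r0/image install
/usr/bin/install -c -m 755 myapp /build/tmp/work/qemux86-64-poky-linux/myapp/1.0-r0/image/usr/bin/myapp
/usr/bin/install -c -s -m 755 helper /build/tmp/work/qemux86-64-poky-linux/myapp/1.0-r0/image/usr/bin/helper
x86_64-poky-linux-strip --strip-unneeded /build/tmp/work/qemux86-64-poky-linux/myapp/1.0-r0/image/usr/lib/libfoo.so.1
x86_64-poky-linux-gcc -O2 -g -s -o tool tool.c
x86_64-poky-linux-gcc -O2 -g -o plain plain.c
EOF
}

# Print every line of the log ($1) that strips symbols:
#   1. install(1) called with -s, alone or combined with other short flags (-cs)
#   2. an explicit strip binary, native or cross-prefixed (x86_64-poky-linux-strip)
#   3. a compiler or linker line carrying the bare -s (strip at link time) flag
# None of these is affected by INHIBIT_PACKAGE_STRIP, which only covers the
# strip that package.bbclass would run later.
find_strip_commands() {
  grep -E \
    -e '(^|[[:space:]/])install[[:space:]].*[[:space:]]-[a-zA-Z]*s([[:space:]]|$)' \
    -e '(^|[[:space:]/])([A-Za-z0-9_.-]+-)?strip([[:space:]]|$)' \
    -e '(^|[[:space:]/])([A-Za-z0-9_.-]+-)?(gcc|g\+\+|cc|ld)[[:space:]].*[[:space:]]-s([[:space:]]|$)' \
    "$1"
}

# Number of stripping commands in the log ($1); 0 means the symbols survived
# do_install and any stripping happened later, in packaging.
count_strip_commands() {
  find_strip_commands "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed log.
sample_log=$(mktemp)
write_sample_log "$sample_log"
echo "stripping commands found: $(count_strip_commands "$sample_log")"
find_strip_commands "$sample_log"
rm -f "$sample_log"
```

Point it at a real log with `find_strip_commands "${WORKDIR}/temp/log.do_install"` (or log.do_compile for link-time `-s`); every line it prints is a place where symbols are lost before packaging ever runs.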


Re: [meta-selinux][PATCH] openssh: don't overwrite sshd_config unconditionally

Joe MacDonald
 

Hi Purushottam,

[Re: [yocto] [meta-selinux][PATCH] openssh: don't overwrite sshd_config unconditionally] On 21.03.12 (Fri 12:05) Purushottam choudhary wrote:

Hi,

Please let me know if there any update on this change
& the tentative week when this change is going to merge in the code.
Sorry about that, I haven't merged it for a couple of reasons, but I
should have followed up before now on it. It doesn't appear to be against
the current head of tree, so I'd suggest a quick rebase on your part and
resend if you think it is still relevant.

At a more basic level, though, I don't know who or how many projects are
intending to use meta-selinux without PAM. The layer documentation does
make it clear we expect PAM to always be present:

45 1.2 - How does this layer do to enable SELinux features?
46
47 To enable SELinux features, this layers has done these works:
48
49 * new DISTRO_FEATURES "selinux" defined
50 * new DISTRO "poky-selinux" defined, with DISTRO_FEATURES += "pam selinux"
51 * config file for Linux kernel to enable SELinux
52 * recipes for SELinux userland libraries and tools
53 * package group (packagegroup-core-selinux) for SELinux userland packages
54 * bbappends for SELinux related recipes to build with SELinux enabled
55 * recipes for SELinux policy modified from refpolicy

The documentation is certainly in need of some updating, but I think the
majority of our users (if not all) are including PAM in their projects. I
would be interested to hear about your PAM-less meta-selinux project if
you can share some details.

It is certainly arguable whether the config file should be dumped in place
as it is being today, but I do think it's functioning as intended right
now. Shifting the PAM sshd configuration to a different directory is fine
with me, I don't have any particular love of everything in one files/
directory, but I also don't have any strong aversion to it until it
becomes an obvious problem (eg. two separate files that should have the
same name and different purposes, such as something to be installed in
/etc/defaults/ and /etc/X11/, maybe).

I hope that clears things up a bit. Thanks.

-Joe.


Thanks & Regards,
Purushottam

From: Purushottam Choudhary <purushottam.choudhary@...>
Sent: Friday, February 26, 2021 2:29 PM
To: yocto@... <yocto@...>
Cc: Nisha Parrakat <Nisha.Parrakat@...>
Subject: [meta-selinux][PATCH] openssh: don't overwrite sshd_config
unconditionally

The current implementation was overwriting the sshd_config and sshd
assuming PAM is needed by default.

openssh should use the default sshd_config packaged with the component
if no distro specific needs are present and not overwrite the full
sshd_config file.

1. If PAM is enabled as a distro then enable the UsePAM option in sshd_config.
2. Moved the file sshd to pam directory so that when pam is enabled,
then replace the default from poky by installing the same.

Signed-off-by: Purushottam Choudhary <purushottam.choudhary@...>
---
recipes-connectivity/openssh/files/{ => pam}/sshd | 0
recipes-connectivity/openssh/files/sshd_config | 118 ----------------------
recipes-connectivity/openssh/openssh_%.bbappend | 14 +++
3 files changed, 14 insertions(+), 118 deletions(-)
rename recipes-connectivity/openssh/files/{ => pam}/sshd (100%)
delete mode 100644 recipes-connectivity/openssh/files/sshd_config

diff --git a/recipes-connectivity/openssh/files/sshd b/recipes-connectivity/
openssh/files/pam/sshd
similarity index 100%
rename from recipes-connectivity/openssh/files/sshd
rename to recipes-connectivity/openssh/files/pam/sshd
diff --git a/recipes-connectivity/openssh/files/sshd_config b/
recipes-connectivity/openssh/files/sshd_config
deleted file mode 100644
index 1c33ad0..0000000
--- a/recipes-connectivity/openssh/files/sshd_config
+++ /dev/null
@@ -1,118 +0,0 @@
-# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-#AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#PermitUserEnvironment no
-Compression no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
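Review bot: deleting this file drops more than the PAM default. It also carried `ChallengeResponseAuthentication no`, `Compression no`, `ClientAliveInterval 15` / `ClientAliveCountMax 4` and `Subsystem sftp /usr/libexec/sftp-server`, and the bbappend hunk below only re-adds `UsePAM yes`. Images that relied on the layer for those settings silently fall back to whatever sshd_config the base openssh recipe ships, so the commit message should state that this is intentional, and distros that want the keepalive or challenge-response settings now have to carry them themselves.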
diff --git a/recipes-connectivity/openssh/openssh_%.bbappend b/
recipes-connectivity/openssh/openssh_%.bbappend
index 7719d3b..b541c3e 100644
--- a/recipes-connectivity/openssh/openssh_%.bbappend
+++ b/recipes-connectivity/openssh/openssh_%.bbappend
@@ -1 +1,15 @@
require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}
_selinux.inc', '', d)}
+
+# if pam feature is enabled in the distro then take sshd from the pam
directory.
+FILESEXTRAPATHS_prepend := "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '$
{THISDIR}/files/pam:', ' ', d)}"
+
+do_install_append(){
+
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
+ # Make sure UsePAM entry is in the sshd_config file.
+ # If entry not present then append it.
+ grep -q 'UsePAM' "${D}/etc/ssh/sshd_config" && \
+ sed -i 's/.*UsePAM.*/UsePAM yes/' "${D}/etc/ssh/sshd_config" || \
+ echo 'UsePAM yes' >> "${D}/etc/ssh/sshd_config"
+ fi
+}
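Review bot: the `grep -q 'UsePAM' ... && sed ... || echo` chain has two weak spots. `s/.*UsePAM.*/UsePAM yes/` rewrites every line that merely contains the string, including the comment block in the stock file that explains the option, so several comment lines turn into `UsePAM yes`; anchoring both commands to the directive, `grep -q '^#*UsePAM'` and `sed -i 's/^#*UsePAM.*/UsePAM yes/'`, limits the edit to the real setting (the stock file ships it as `#UsePAM no`). And because the `||` applies to the whole `grep && sed` list, a sed failure also runs the echo, so one error can leave a half-edited line plus an appended duplicate; an explicit `if grep -q ...; then sed ...; else echo ...; fi` states the intent. Separately, the false branch of the FILESEXTRAPATHS_prepend expression is `' '` rather than `''`, which prepends a lone space entry to the colon-separated search path whenever pam is off.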
--
2.7.4




--
-Joe MacDonald.
:wq


Re: [meta-selinux][PATCH] openssh: don't overwrite sshd_config unconditionally

Purushottam choudhary
 

Hi,

Please let me know if there any update on this change
& the tentative week when this change is going to merge in the code.

Thanks & Regards,
Purushottam


From: Purushottam Choudhary <purushottam.choudhary@...>
Sent: Friday, February 26, 2021 2:29 PM
To: yocto@... <yocto@...>
Cc: Nisha Parrakat <Nisha.Parrakat@...>
Subject: [meta-selinux][PATCH] openssh: don't overwrite sshd_config unconditionally
 
The current implementation was overwriting the sshd_config and sshd
assuming PAM is needed by default.

openssh should use the default sshd_config packaged with the component
if no distro specific needs are present and not overwrite the full
sshd_config file.

1. If PAM is enabled as a distro then enable the UsePAM option in sshd_config.
2. Moved the file sshd to pam directory so that when pam is enabled,
   then replace the default from poky by installing the same.

Signed-off-by: Purushottam Choudhary <purushottam.choudhary@...>
---
 recipes-connectivity/openssh/files/{ => pam}/sshd |   0
 recipes-connectivity/openssh/files/sshd_config    | 118 ----------------------
 recipes-connectivity/openssh/openssh_%.bbappend   |  14 +++
 3 files changed, 14 insertions(+), 118 deletions(-)
 rename recipes-connectivity/openssh/files/{ => pam}/sshd (100%)
 delete mode 100644 recipes-connectivity/openssh/files/sshd_config

diff --git a/recipes-connectivity/openssh/files/sshd b/recipes-connectivity/openssh/files/pam/sshd
similarity index 100%
rename from recipes-connectivity/openssh/files/sshd
rename to recipes-connectivity/openssh/files/pam/sshd
diff --git a/recipes-connectivity/openssh/files/sshd_config b/recipes-connectivity/openssh/files/sshd_config
deleted file mode 100644
index 1c33ad0..0000000
--- a/recipes-connectivity/openssh/files/sshd_config
+++ /dev/null
@@ -1,118 +0,0 @@
-#      $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-#AuthorizedKeysFile    .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#PermitUserEnvironment no
-Compression no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem      sftp    /usr/libexec/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#      X11Forwarding no
-#      AllowTcpForwarding no
-#      PermitTTY no
-#      ForceCommand cvs server
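Review bot: deleting this file drops more than the UsePAM line. The removed config also pinned ChallengeResponseAuthentication no, Compression no, ClientAliveInterval 15 and ClientAliveCountMax 4, and the new bbappend re-applies none of them, so images that relied on this layer's sshd_config silently revert to poky's defaults for those options. Either state in the commit message that these settings are intentionally dropped, or have the bbappend carry them the same way it carries UsePAM.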
diff --git a/recipes-connectivity/openssh/openssh_%.bbappend b/recipes-connectivity/openssh/openssh_%.bbappend
index 7719d3b..b541c3e 100644
--- a/recipes-connectivity/openssh/openssh_%.bbappend
+++ b/recipes-connectivity/openssh/openssh_%.bbappend
@@ -1 +1,15 @@
 require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
+
+# if pam feature is enabled in the distro then take sshd from the pam directory.
+FILESEXTRAPATHS_prepend := "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${THISDIR}/files/pam:', ' ', d)}"
+
+do_install_append(){
+
+    if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
+        # Make sure UsePAM entry is in the sshd_config file.
+        # If entry not present then append it.
+        grep -q 'UsePAM' "${D}/etc/ssh/sshd_config" && \
+        sed -i 's/.*UsePAM.*/UsePAM yes/' "${D}/etc/ssh/sshd_config" || \
+        echo 'UsePAM yes' >> "${D}/etc/ssh/sshd_config"
+    fi
+}
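Review bot: the `grep && sed || echo` chain in do_install_append is not a real if/else: when grep matches but sed fails, the echo still runs and a second UsePAM line is appended, and `grep -q 'UsePAM'` also matches a comment that merely mentions UsePAM, which `s/.*UsePAM.*/UsePAM yes/` then rewrites into a directive. Anchor both on an actual (possibly commented) directive, e.g. `grep -qE '^[[:space:]]*#?[[:space:]]*UsePAM'`, and spell the branches out with `if ... then ... else ... fi`. Also, the FILESEXTRAPATHS_prepend fallback is `' '` rather than `''`, which prepends a stray space to FILESEXTRAPATHS whenever pam is not in DISTRO_FEATURES.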
--
2.7.4



debug symbols and INHIBIT_PACKAGE_STRIP = "1"

AFraser <afraser@...>
 

Hi,

I'm using bitbake to build an application and I'd like to troubleshoot some segfaults that are taking place. I've set up gdbserver on a virtual machine running the application and can connect. My problem is that I cannot seem to get the image to build my binaries without stripping the symbol table.

Whenever I run:

objdump -t _binary_

it shows 'no symbols' under 'SYMBOL TABLE'.

So far I've added the following to build/conf/local.conf

EXTRA_IMAGE_FEATURES = "debug-tweaks dbg-pkgs tools-sdk tools-debug "

INHIBIT_PACKAGE_STRIP = "1"

INHIBIT_PACKAGE_DEBUG_SPLIT= "1"

I also tried adding the following to bitbake.conf:

export CFLAGS = "${TARGET_CFLAGS} -g"

export LDFLAGS = "${TARGET_LDFLAGS} -g"

Strangely, the size of the binary I'm looking at has increased since making these changes, and the new build took much longer to run.

Running bitbake -e _recipe_ shows the environment of my recipe and reflects the changes made in local.conf.

Is there a way I can look at the exact gcc command that is being run to make sure it's not still being stripped somewhere? I can't seem to see it in the logs.


avahi_0.8 issue with latest version

sateesh m
 

Hi Guys,

I have installed the avahi_0.8 version using the gatesgarth version. It compiled successfully, but I am facing an issue where the pid is removed automatically when I restart my service.

avahi configuration: hostname, domain name, allow ipv4, allow eth0, reflector=yes; I did all this in avahi-daemon.conf.
dependencies: gtk+3, gtk, dbus, avahi-daemon, avahi-utils, libnss-mdns.
Am I missing any configuration or any patch work for these packages? Please update me and I will modify it.

( avahi-daemon[625]: Process 592 died: No such process; trying to remove PID file. (/run/avahi-daemon//pid))
               

* avahi-daemon.service - Avahi mDNS/DNS-SD Stack
     Loaded: loaded (/lib/systemd/system/avahi-daemon.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-03-05 13:12:17 UTC; 7min ago
TriggeredBy: * avahi-daemon.socket
   Main PID: 625 (avahi-daemon)
     Status: "avahi-daemon 0.8 starting up."
      Tasks: 2 (limit: 9561)
     Memory: 620.0K
     CGroup: /system.slice/avahi-daemon.service
             |-625 avahi-daemon: running [foo.local]
             `-626 avahi-daemon: chroot helper
 
Mar 05 13:12:17 mysystem systemd[1]: Starting Avahi mDNS/DNS-SD Stack...
Mar 05 13:12:17 mysystem avahi-daemon[625]: Process 592 died: No such process; trying to remove PID file. (/run/avahi-daemon//pid)
Mar 05 13:12:17 my system systemd[1]: Started Avahi mDNS/DNS-SD Stack.



root@mysystem:~# pgrep -f -l avahi
192 systemctl
200 systemctl
210 systemctl
216 journalctl
503 systemctl
539 systemctl
547 systemctl
559 systemctl
575 systemctl
582 systemctl
594 systemctl
625 avahi-daemon: running [foo.local]
626 avahi-daemon: chroot helper


Thanks & Regards,
Sateesh


[meta-security][PATCH] ima-evm-keys: add file-checksums to IMA_EVM_X509

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@...>

This ensures that when an end user changes the IMA_EVM_X509 key file,
the ima-evm-keys recipe will be rebuilt.

Signed-off-by: Ming Liu <liu.ming50@...>
---
meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | 1 +
1 file changed, 1 insertion(+)

diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.=
0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
index 62685bb..7708aef 100644
--- a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
+++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
@@ -14,3 +14,4 @@ do_install () {
lnr ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x=
509_ima.der
fi
}
+do_install[file-checksums] +=3D "${@'${IMA_EVM_X509}:%s' % os.path.exist=
s('${IMA_EVM_X509}')}"
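Review bot: when IMA_EVM_X509 is unset or empty this expression expands to `:False`, leaving do_install with a meaningless checksum entry; emitting the entry only when the variable is set would be cleaner. Separately, the mail body arrived quoted-printable encoded (`+=3D`, lines wrapped with a trailing `=`), so the patch will not apply with `git am` as posted; please resend with `git send-email` or as a plain-text attachment.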
--
2.29.0
