On 4/21/20 11:50 AM, Cguerin@... wrote:

I am with The Middleby Corporation.  We manufacture a wide variety of
commercial ovens, ice machines, coffee brewers, microwaves, soft-serve
machines and virtually anything you’d find in a commercial restaurant
kitchen.  Much of our equipment has a touch-screen display on it – often
4.3” to 10.1” in size.  This is part of an embedded control system that
includes a separate I/O board to talk to motors, heating elements, etc. 
The touch-screen control are most often running Yocto Linux with a QT or
similar application running on top of Linux.  Recently, we have been
asked to explore enabling SELinux security provisions in our
applications.  In speaking with several of our vendors, they all
indicated they don’t generally need to enable SELinux and have never
done so in the past.  

I now know what SELinux is, but I can’t get a good answer if it even is
needed to be enabled on a touch-screen application on equipment that a
16 year old kid generally operates.  We often do have USB ports on our
equipment for software updates and some is connected to the internet as
well, but I still don’t see how the security access provisions in
SELinux are needed for our application. 

Generally devices having ports, or being connected to Internet can
become a door to your network and cause some serious damage, so you
sould assess the security needs for your devices, I would think. As far
as technologies needed to achieve security needs SELinux is one of many
options, you have apparmor, tomoyo, and other MAC technologies, and I
would think you should do some experiments to see which of these will
fit your needs to manage MAC. Then there are other methods to address
security concerns.

Lastly, I'm not a programmer. I manage the business end of all of
Middleby's electronic controls, so the aim of this message is to ask for
general guidance regarding the need for SELinux or not.

I would think you need security, SELinux is one cog in the wheel and
there are other options, I would think doing some proof of concept
within your setups after you have done some security analysis, would be
the steps to take.

On 4/23/20 5:14 AM, Robert P. J. Day wrote:

On Thu, 23 Apr 2020, Nicolas Dechesne wrote:

On Thu, Apr 23, 2020 at 1:18 PM Robert P. J. Day <rpjday@...> wrote:

  just noticed that, given that since YP 3.0 one could select systemd
as the init manager via the single variable INIT_MANAGER, which pulled
in init-manager-systemd.inc:

# Use systemd for system initialization
DISTRO_FEATURES_append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED_append = " sysvinit"
VIRTUAL-RUNTIME_init_manager ??= "systemd"
VIRTUAL-RUNTIME_initscripts ??= "systemd-compat-units"
VIRTUAL-RUNTIME_login_manager ??= "shadow-base"


INIT_MANAGER was added in 3.0, see:
https://git.openembedded.org/openembedded-core/commit/?id=8d0b4704a526a48cd5e67df6
1b613424bbbdccde

i know, that's what i mentioned above.

  this doesn't quite seem to match this snippet from
meta/lib/oeqa/selftest/cases/imagefeatures.py:

# Switch to systemd
DISTRO_FEATURES += "systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = ""
VIRTUAL-RUNTIME_syslog = ""
VIRTUAL-RUNTIME_login_manager = "shadow-base"
DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"


this is the 'old' (pre 3.0) method, and it can (and should) be
replaced with INIT_MANAGER, i believe.

i suspected as much, i just wanted to point out that those two
snippets are not *exactly* equivalent so someone should make sure that
INIT_MANAGER usage is precisely defined.

perhaps imagefeatures.py should be updated to sync with INIT_MANAGER
settings.

rday

On 4/23/20 2:26 AM, sateesh m wrote:

Hi Guys,

             I want to test Distro testing in my yocto build image. for
that I need setup configurations and how can i check results and where i
can get results. can anybody knows please suggest me .

you can check ptest images perhaps see [1]


[1] https://wiki.yoctoproject.org/wiki/Image_tests

On 4/23/20 12:01 AM, Per Hallsmark wrote:

Hi Nicholas,

Thanks, I was thinking as providing it to Yocto but not maintaining it
myself. Too much other stuff going on
so it would be a slowly updated layer then.

Give it some time and see if someone steps up to maintain it, if not you
can also put these recipes in other layers

BR,
Per

On Thu, 23 Apr 2020 at 07:59, Nicholas Krause <xerofoify@...
<mailto:xerofoify@...>> wrote:



On 4/23/20 1:28 AM, per@... <mailto:per@...> wrote:

Hello fellow Yocto developers,

To be able todo efficient HTML5 programming we of course needs
some javascript libraries.
I've not seen Yocto have them packaged so I made up this idea of
putting them into their own /usr/lib/js path
with a subdir for each javascript library. It is published here :

https://gitlab.com/saxofon/meta-javascripts

With an example usage here :

https://github.com/Wind-River/device-remote-gui

Would this be something yoctoproject is interested of perhaps?

BR,
Per

Hi,

I'm not a maintainer but you may want to see if you or other  people
are able to maintain
then as a open embedded layer as part of the index. Not sure if
someone else can
chip in if this is a useful recipe set to add to the open embedded
index.

That would ideally be where you would want this to go if this is
useful and maintained,

Nick

Hi,

There is no simply answer to your question. Most generally speaking any type of security, not just for computers and embedded systems, is a tradeoff between risk and cost.

The fact that your appliances have USB ports and are potentially connected to the Internet makes them vulnerable for attacks. They can potentially be used to gain access to your appliances, put malicious software on them, potentially damage them. be used as bots for cyber attacks, etc. An expert and embedded security can assess the risk by examining your appliances, software etc. You only can assess the risk for your business and the business of your customers. What will it mean for a customer and your business if multiple appliances are hacked and not functioning anymore and the customer cannot deliver their product and services possibly for days until you are able to reinstall the software? What does that mean for your business if that happens at many of your customers' locations at the same time?

It does not need to be professional hackers that are out for financial gain doing that. Your proverbial 16 year old kid operating the equipment could be an aspiring embedded systems engineer who is curious about what's behind the scenes of the appliances.

It's never a bad idea to think about security for your embedded systems. Having done a whole lot deal of embedded systems in automotive and explicitly for securing content and devices for digital television I can only advise you to take it seriously. It's better to be proactive then reactive. Bad embedded systems security practices are all around. Just because your vendors have not done it does not really mean anything.

SELinux is only one consideration. There are other things that go into hardening an embedded system.

Best regards,
Rudi

I am with The Middleby Corporation.  We manufacture a wide variety of commercial ovens, ice machines, coffee brewers, microwaves, soft-serve machines and virtually anything you’d find in a commercial restaurant kitchen.  Much of our equipment has a touch-screen display on it – often 4.3” to 10.1” in size.  This is part of an embedded control system that includes a separate I/O board to talk to motors, heating elements, etc.  The touch-screen control are most often running Yocto Linux with a QT or similar application running on top of Linux.  Recently, we have been asked to explore enabling SELinux security provisions in our applications.  In speaking with several of our vendors, they all indicated they don’t generally need to enable SELinux and have never done so in the past.  

I now know what SELinux is, but I can’t get a good answer if it even is needed to be enabled on a touch-screen application on equipment that a 16 year old kid generally operates.  We often do have USB ports on our equipment for software updates and some is connected to the internet as well, but I still don’t see how the security access provisions in SELinux are needed for our application. 

Lastly, I'm not a programmer. I manage the business end of all of Middleby's electronic controls, so the aim of this message is to ask for general guidance regarding the need for SELinux or not.  

-- 
-----
Rudolf J Streif
CEO/CTO ibeeto
+1.855.442.3386 x700

On Wed, 2020-04-22 at 14:43 -1000, Steve Sakoman wrote:

We were mistakenly doing a force push if the branch was in either
BUILD_HISTORY_FORKPUSH or BUILD_HISTORY_DIRECTPUSH.

Now we force push for branches in BUILD_HISTORY_FORKPUSH, regular push
for branches in BUILD_HISTORY_DIRECTPUSH, and no push if the branch is
in neither list.

Signed-off-by: Steve Sakoman <steve@...>
---
scripts/send-qa-email | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/send-qa-email b/scripts/send-qa-email
index 205f6d1..b4d4cec 100755
--- a/scripts/send-qa-email
+++ b/scripts/send-qa-email
@@ -80,10 +80,10 @@ if 'poky' in repos and os.path.exists(resulttool) and args.results_dir:
extraopts = None

subprocess.check_call([resulttool, "store", args.results_dir, tempdir])
- if basebranch:
+ if comparebranch:
subprocess.check_call(["git", "push", "--all", "--force"], cwd=tempdir)
subprocess.check_call(["git", "push", "--tags", "--force"], cwd=tempdir)
- else:
+ elif basebranch:
subprocess.check_call(["git", "push", "--all"], cwd=tempdir)
subprocess.check_call(["git", "push", "--tags"], cwd=tempdir)

Thanks, well found!

I tweaked the first patch to use comparerepo instead of baserepo. The
confusion came from cut and paste from the buildhistory code.

Cheers,

Richard

On Thu, 23 Apr 2020, Nicolas Dechesne wrote:

On Thu, Apr 23, 2020 at 1:18 PM Robert P. J. Day <rpjday@...> wrote:

  just noticed that, given that since YP 3.0 one could select systemd
as the init manager via the single variable INIT_MANAGER, which pulled
in init-manager-systemd.inc:

# Use systemd for system initialization
DISTRO_FEATURES_append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED_append = " sysvinit"
VIRTUAL-RUNTIME_init_manager ??= "systemd"
VIRTUAL-RUNTIME_initscripts ??= "systemd-compat-units"
VIRTUAL-RUNTIME_login_manager ??= "shadow-base"


INIT_MANAGER was added in 3.0, see:
https://git.openembedded.org/openembedded-core/commit/?id=8d0b4704a526a48cd5e67df6
1b613424bbbdccde

i know, that's what i mentioned above.

  this doesn't quite seem to match this snippet from
meta/lib/oeqa/selftest/cases/imagefeatures.py:

# Switch to systemd
DISTRO_FEATURES += "systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = ""
VIRTUAL-RUNTIME_syslog = ""
VIRTUAL-RUNTIME_login_manager = "shadow-base"
DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"


this is the 'old' (pre 3.0) method, and it can (and should) be
replaced with INIT_MANAGER, i believe.

i suspected as much, i just wanted to point out that those two
snippets are not *exactly* equivalent so someone should make sure that
INIT_MANAGER usage is precisely defined.

rday

just noticed that, given that since YP 3.0 one could select systemd
as the init manager via the single variable INIT_MANAGER, which pulled
in init-manager-systemd.inc:

# Use systemd for system initialization
DISTRO_FEATURES_append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED_append = " sysvinit"
VIRTUAL-RUNTIME_init_manager ??= "systemd"
VIRTUAL-RUNTIME_initscripts ??= "systemd-compat-units"
VIRTUAL-RUNTIME_login_manager ??= "shadow-base"

this doesn't quite seem to match this snippet from
meta/lib/oeqa/selftest/cases/imagefeatures.py:

# Switch to systemd
DISTRO_FEATURES += "systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = ""
VIRTUAL-RUNTIME_syslog = ""
VIRTUAL-RUNTIME_login_manager = "shadow-base"
DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"

not sure if that second snippet could be replaced with a simple
assignment to INIT_MANAGER or whether those two snippets are
effectively equivalent ... i'll let someone else make that call.

rday

--

========================================================================
Robert P. J. Day Ottawa, Ontario, CANADA
http://crashcourse.ca

Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
========================================================================

Hi Guys,

             I want to test Distro testing in my yocto build image. for that I need setup configurations and how can i check results and where i can get results. can anybody knows please suggest me .

From: Changqing Li <changqing.li@...>

when host arch and target arch are different, the extension
suffix of host is different with target one, so there will
be a invalid link. Fix by update the way to create the link.

Signed-off-by: Changqing Li <changqing.li@...>
---
recipes-security/selinux/libselinux-python_3.0.bb | 1 +
...PYCEXT-and-rely-on-the-installed-file-nam.patch | 52 ++++++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 recipes-security/selinux/libselinux/0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch

diff --git a/recipes-security/selinux/libselinux-python_3.0.bb b/recipes-security/selinux/libselinux-python_3.0.bb
index e024a22..2b5438d 100644
--- a/recipes-security/selinux/libselinux-python_3.0.bb
+++ b/recipes-security/selinux/libselinux-python_3.0.bb
@@ -16,5 +16,6 @@ SRC_URI += "\
file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
file://0001-Fix-building-against-musl-and-uClibc-libc-libraries.patch \
file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \
+ file://0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \
"
S = "${WORKDIR}/libselinux-${PV}"
diff --git a/recipes-security/selinux/libselinux/0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch b/recipes-security/selinux/libselinux/0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
new file mode 100644
index 0000000..b7cd59d
--- /dev/null
+++ b/recipes-security/selinux/libselinux/0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
@@ -0,0 +1,52 @@
+From 0d4da8093bc2ef92b7c6f7fd1f4804f6ebc6cb56 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@...>
+Date: Fri, 25 Oct 2019 13:37:14 +0200
+Subject: [PATCH] Do not use PYCEXT, and rely on the installed file name
+
+PYCEXT is computed by asking the Python intrepreter what is the
+file extension used for native Python modules.
+
+Unfortunately, when cross-compiling, the host Python doesn't give the
+proper result: it gives the result matching the build machine, and not
+the target machine. Due to this, the symlink has an incorrect name,
+and doesn't point to the .so file that was actually built/installed.
+
+To address this and keep things simple, this patch just changes the ln
+invocation to rely on the name of the _selinux*.so Python module that
+was installed.
+
+[Upstream: https://github.com/SELinuxProject/selinux/pull/184]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@...>
+
+Upstream-Status: Denied [https://patchwork.kernel.org/patch/11212405/]
+
+[Refreshed for 3.0]
+Signed-off-by: Changqing Li <changqing.li@...>
+---
+ src/Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index a384a10..82adf82 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -15,7 +15,6 @@ INCLUDEDIR ?= $(PREFIX)/include
+ PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
+ PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
+ PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))")
+-PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])')
+ RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
+ RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
+ RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
+@@ -175,7 +174,7 @@ install: all
+ install-pywrap: pywrap
+ $(PYTHON) setup.py install --prefix=$(PREFIX) --root=$(DESTDIR) --install-lib=$(PYTHONLIBDIR)
+ install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+- ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
++ ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux*.so $(DESTDIR)$(PYTHONLIBDIR)/
+
+ install-rubywrap: rubywrap
+ test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
+--
+2.24.1
+
--
2.7.4

Hello fellow Yocto developers,

To be able todo efficient HTML5 programming we of course needs some javascript libraries.
I've not seen Yocto have them packaged so I made up this idea of putting them into their own /usr/lib/js path
with a subdir for each javascript library. It is published here :

https://gitlab.com/saxofon/meta-javascripts

With an example usage here :

https://github.com/Wind-River/device-remote-gui

Would this be something yoctoproject is interested of perhaps?

BR,
Per

Hi,

I'm not a maintainer but you may want to see if you or other  people are able to maintain
then as a open embedded layer as part of the index. Not sure if someone else can
chip in if this is a useful recipe set to add to the open embedded index.

That would ideally be where you would want this to go if this is useful and maintained,

Nick

Hello fellow Yocto developers,

To be able todo efficient HTML5 programming we of course needs some javascript libraries.
I've not seen Yocto have them packaged so I made up this idea of putting them into their own /usr/lib/js path
with a subdir for each javascript library. It is published here :

https://gitlab.com/saxofon/meta-javascripts

With an example usage here :

https://github.com/Wind-River/device-remote-gui

Would this be something yoctoproject is interested of perhaps?

BR,
Per

We were mistakenly doing a force push if the branch was in either
BUILD_HISTORY_FORKPUSH or BUILD_HISTORY_DIRECTPUSH.

Now we force push for branches in BUILD_HISTORY_FORKPUSH, regular push
for branches in BUILD_HISTORY_DIRECTPUSH, and no push if the branch is
in neither list.

Signed-off-by: Steve Sakoman <steve@...>
---
scripts/send-qa-email | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/send-qa-email b/scripts/send-qa-email
index 205f6d1..b4d4cec 100755
--- a/scripts/send-qa-email
+++ b/scripts/send-qa-email
@@ -80,10 +80,10 @@ if 'poky' in repos and os.path.exists(resulttool) and args.results_dir:
extraopts = None

subprocess.check_call([resulttool, "store", args.results_dir, tempdir])
- if basebranch:
+ if comparebranch:
subprocess.check_call(["git", "push", "--all", "--force"], cwd=tempdir)
subprocess.check_call(["git", "push", "--tags", "--force"], cwd=tempdir)
- else:
+ elif basebranch:
subprocess.check_call(["git", "push", "--all"], cwd=tempdir)
subprocess.check_call(["git", "push", "--tags"], cwd=tempdir)

--
2.17.1

Signed-off-by: Steve Sakoman <steve@...>
---
scripts/utils.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/utils.py b/scripts/utils.py
index 68652d9..25eba31 100644
--- a/scripts/utils.py
+++ b/scripts/utils.py
@@ -358,9 +358,9 @@ def getcomparisonbranch(ourconfig, reponame, branchname):
if (reponame + ":" + branchname) in getconfig("BUILD_HISTORY_FORKPUSH", ourconfig):
base = getconfig("BUILD_HISTORY_FORKPUSH", ourconfig)[reponame + ":" + branchname]
if base:
- baserepo, basebranch = base.split(":")
- print("Comparing to %s\n" % (basebranch))
- return branchname, basebranch
+ baserepo, comparebranch = base.split(":")
+ print("Comparing to %s\n" % (comparebranch))
+ return branchname, comparebranch
if (reponame + ":" + branchname) in getconfig("BUILD_HISTORY_DIRECTPUSH", ourconfig):
return branchname, None
return None, None
--
2.17.1

On Wed, 22 Apr 2020 at 16:58, Dan O'Donovan <dan.odonovan@...> wrote:

This meta-printing layer has worked well for me in the past:
https://github.com/rossburton/meta-printing.git

Those recipes exist in other layers, meta-printing is dead so please
don't use it.

Ross