Mirroring meta-kernel on git.yoctoproject.org

 

Hey folks,

I'd like to get the meta-kernel layer mirrored on git.yoctoproject.org
so that we've got a backup available in case of any issues with
GitLab. This has been requested by one of our users
(https://gitlab.com/openembedded/community/meta-kernel/-/issues/11). I
also think it's important now that meta-arm-bsp and a few other layers
depend on meta-kernel.

I can enable an automatic push from GitLab whenever the repository is
updated so all we would need on git.yoctoproject.org is a meta-kernel
repository and push access from the relevant SSH keys.

Thanks,

--
Paul Barker
Konsulko Group


[meta-security][PATCH] libseccomp: fix cross compile error for mips

kai
 

From: Kai Kang <kai.kang@windriver.com>

Backport patch to fix cross compile error for mips:

| syscalls.h:44:6: error: expected identifier or '(' before numeric constant
| 44 | int mips;
| | ^~~~

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../files/fix-mips-build-failure.patch | 49 +++++++++++++++++++
.../libseccomp/libseccomp_2.5.0.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 recipes-security/libseccomp/files/fix-mips-build-failure.patch

diff --git a/recipes-security/libseccomp/files/fix-mips-build-failure.patch b/recipes-security/libseccomp/files/fix-mips-build-failure.patch
new file mode 100644
index 0000000..7d17a03
--- /dev/null
+++ b/recipes-security/libseccomp/files/fix-mips-build-failure.patch
@@ -0,0 +1,49 @@
+Backport patch to fix cross compile error for mips:
+
+| syscalls.h:44:6: error: expected identifier or '(' before numeric constant
+| 44 | int mips;
+| | ^~~~
+
+Upstream-Status: Submitted [https://github.com/seccomp/libseccomp/pull/279/commits/04c519e5]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 04c519e5b1de53592e98307813e5c6db7418f91b Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Sun, 2 Aug 2020 09:57:39 -0400
+Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS
+ targets
+
+It turns out that the MIPS GCC compiler defines a "mips" cpp macro
+which was resulting in build failures on MIPS so we need to
+undefine the "mips" macro during build. As this should be safe
+to do in all architectures, just add it to the compiler flags by
+default.
+
+This was reported in the following GH issue:
+* https://github.com/seccomp/libseccomp/issues/274
+
+Reported-by: Rongwei Zhang <pudh4418@gmail.com>
+Suggested-by: Rongwei Zhang <pudh4418@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ configure.ac | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 40d9dcbb..3e877348 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+
+ dnl ####
+ dnl build flags
++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it
++dnl for us which wreaks havoc on the build
+ dnl ####
+ AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include"
+-AM_CFLAGS="-Wall"
++AM_CFLAGS="-Wall -Umips"
+ AM_LDFLAGS="-Wl,-z -Wl,relro"
+ AC_SUBST([AM_CPPFLAGS])
+ AC_SUBST([AM_CFLAGS])
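Review bot: The `+Upstream-Status: Submitted [...]` line points at a commit inside an open pull request; once that PR is merged this should be changed to `Upstream-Status: Backport [<upstream commit url>]` using the hash already present on the `+From 04c519e5b1de53592e98307813e5c6db7418f91b` line, so the patch can be dropped cleanly at the next libseccomp upgrade. The body is a verbatim copy of the upstream change (`-Umips` added to AM_CFLAGS for every architecture, as the upstream message explains), so nothing else needs adjusting here.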
diff --git a/recipes-security/libseccomp/libseccomp_2.5.0.bb b/recipes-security/libseccomp/libseccomp_2.5.0.bb
index 7a6b483..35365d5 100644
--- a/recipes-security/libseccomp/libseccomp_2.5.0.bb
+++ b/recipes-security/libseccomp/libseccomp_2.5.0.bb
@@ -10,6 +10,7 @@ SRCREV = "f13f58efc690493fe7aa69f54cb52a118f3769c1"

SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \
file://run-ptest \
+ file://fix-mips-build-failure.patch \
"

COMPATIBLE_HOST_riscv32 = "null"
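Review bot: The `+ file://fix-mips-build-failure.patch \` line applies the patch for every target rather than only MIPS; that matches the upstream change (the flag is added unconditionally there), so no `_mips` override is needed. A one-line comment above it saying the patch can be removed once SRCREV moves past the upstream commit would help, since the `branch=release-2.5` SRC_URI in the context pins the recipe to a branch that may pick the fix up on its own.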
--
2.17.1


libtool: library search path "/usr/lib" is unsafe for cross-compilation

yoc
 

Hi,

I am coming across the following issue when cross compiling: the install log indicates that host include and/or library paths were used.

A closer look at the log shows the following:

Making install in libfreshclam
make[1]: Entering directory '/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/build/libfreshclam'
make[2]: Entering directory '/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/build/libfreshclam'
 /workdir/build/tmp/hosttools/mkdir -p '/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image/usr/lib'
 /workdir/build/tmp/hosttools/mkdir -p '/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image/usr/include'
 /bin/bash ../libtool --tag CXX  --mode=install /workdir/build/tmp/hosttools/install -c   libfreshclam.la '/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image/usr/lib'
 /workdir/build/tmp/hosttools/install -c -m 644 /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/git/libfreshclam/libfreshclam.h '/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image/usr/include'
libtool: warning: relinking 'libfreshclam.la'
libtool: install: (cd /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/build/libfreshclam; /bin/bash "/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/build/libtool" --tag CXX --mode=relink aarch64-poky-linux-gcc -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib -thread-safe -version-info 2:0:0 -no-undefined -Wl,--version-script,/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/git/libfreshclam/libfreshclam.map -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -fstack-protector-strong -Wl,-z,relro,-z,now -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib -o libfreshclam.la -rpath /usr/lib output.lo optparser.lo getopt.lo misc.lo cdiff.lo tar.lo cert_util.lo libfreshclam.lo libfreshclam_internal.lo dns.lo cert_util_linux.lo ../libclamav/libclamav.la -lresolv -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib -lcurl -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib -lz -lcurl -lssl -lcrypto -lz -lltdl -lpthread -lm -inst-prefix-dir /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image)
libtool: relink: aarch64-poky-linux-g++  -march=armv8-a+crc -fstack-protector-strong  -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot -fPIC -DPIC -shared -nostdlib /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib/crti.o /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib/aarch64-poky-linux/9.3.0/crtbeginS.o .libs/output.o .libs/optparser.o .libs/getopt.o .libs/misc.o .libs/cdiff.o .libs/tar.o .libs/cert_util.o .libs/libfreshclam.o .libs/libfreshclam_internal.o .libs/dns.o .libs/cert_util_linux.o -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image/usr/lib -L/usr/lib -lclamav -lresolv -lcurl -lssl -lcrypto -lz -lltdl -lpthread -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../lib/aarch64-poky-linux/gcc/aarch64-poky-linux/9.3.0 -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../lib/aarch64-poky-linux/gcc -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/lib -L/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib/aarch64-poky-linux/9.3.0 -lstdc++ -lm -lc -lgcc_s /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib/aarch64-poky-linux/9.3.0/crtendS.o /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot/usr/lib/crtn.o -Wl,--version-script -Wl,/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/git/libfreshclam/libfreshclam.map -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -fstack-protector-strong -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,-soname -Wl,libfreshclam.so.2 -o .libs/libfreshclam.so.2.0.0
/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../libexec/aarch64-poky-linux/gcc/aarch64-poky-linux/9.3.0/ld: warning: library search path "/usr/lib" is unsafe for cross-compilation
libtool: install: /workdir/build/tmp/hosttools/install -c .libs/libfreshclam.so.2.0.0T /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image/usr/lib/libfreshclam.so.2.0.0
libtool: install: (cd /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image/usr/lib && { ln -s -f libfreshclam.so.2.0.0 libfreshclam.so.2 || { rm -f libfreshclam.so.2 && ln -s libfreshclam.so.2.0.0 libfreshclam.so.2; }; })
libtool: install: (cd /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image/usr/lib && { ln -s -f libfreshclam.so.2.0.0 libfreshclam.so || { rm -f libfreshclam.so && ln -s libfreshclam.so.2.0.0 libfreshclam.so; }; })
libtool: install: /workdir/build/tmp/hosttools/install -c .libs/libfreshclam.lai /workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/image/usr/lib/libfreshclam.la
libtool: warning: remember to run 'libtool --finish /usr/lib'
make[2]: Leaving directory '/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/build/libfreshclam'
make[1]: Leaving directory '/workdir/build/tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/build/libfreshclam'

For some reason "/usr/lib" is being injected into the libtool install and I can't find out why this is happening.

For reference I am cross compiling https://github.com/Cisco-Talos/clamav-devel on the rel/0.102 branch.

I found reference to the following: https://lists.gnu.org/archive/html/libtool/2010-02/msg00001.html, however I was wondering whether this is an appropriate solution or whether there is a better way to solve this issue?

Many Thanks,

Charlie
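A small check for the symptom in this log, added here as an example (it is not from Charlie's build, ClamAV or any OE class): it scans an install log for relink lines that carry a bare host search path such as -L/usr/lib, reports which library was being relinked, and counts the linker warnings; the log lines it runs on are constructed and shortened from the output above.

```shell
#!/bin/sh
# Added example, not part of the original thread: detect host library or
# include search paths (-L/usr/lib, -I/usr/include, -L/lib64, ...) that leaked
# into a cross-compile link, the cause of the "is unsafe for cross-compilation"
# warning. Sysroot paths such as -L/work/recipe-sysroot/usr/lib are
# deliberately not reported: only paths rooted directly at the host /usr or /lib.

# Print every bare host search-path flag found in one command line, one per
# line and deduplicated. Prints nothing when the line is clean.
host_path_flags() {
    printf '%s\n' "$1" | tr -s ' ' '\n' |
        grep -xE -- '-[LI]/(usr/(local/)?)?(lib|include)(64)?(/.*)?' | sort -u
}

# Walk a log file and print "<output file> <flag>" for every link/relink line
# that carries a host search path. The output file is the argument after "-o"
# on that line ("?" when the line has none).
host_paths_in_log() {
    while IFS= read -r line; do
        flags=$(host_path_flags "$line")
        [ -n "$flags" ] || continue
        out=$(printf '%s\n' "$line" | tr -s ' ' '\n' | grep -A1 -x -e '-o' | tail -n1)
        [ "$out" != "-o" ] || out=""
        for f in $flags; do
            printf '%s %s\n' "${out:-?}" "$f"
        done
    done < "$1"
}

# Count the linker warnings themselves (the string the QA message above is about).
unsafe_warning_count() {
    grep -c 'is unsafe for cross-compilation' "$1" || true
}

# Constructed sample log, shortened from the real relink line in the thread.
write_sample_log() {
    cat > "$1" <<'EOF'
libtool: warning: relinking 'libfreshclam.la'
libtool: relink: aarch64-poky-linux-g++ -shared .libs/output.o -L/work/recipe-sysroot/usr/lib -L/work/image/usr/lib -L/usr/lib -lclamav -lcurl -o .libs/libfreshclam.so.2.0.0
/work/recipe-sysroot-native/usr/bin/aarch64-poky-linux/ld: warning: library search path "/usr/lib" is unsafe for cross-compilation
libtool: install: /work/hosttools/install -c .libs/libfreshclam.so.2.0.0T /work/image/usr/lib/libfreshclam.so.2.0.0
EOF
}

# Stand-alone use: "sh check.sh path/to/log.do_install"; with no argument the
# constructed sample is written to a temp file and scanned instead.
if [ $# -gt 0 ]; then
    log=$1
else
    log=$(mktemp) && write_sample_log "$log"
fi
host_paths_in_log "$log"
echo "unsafe warnings: $(unsafe_warning_count "$log")"
```

On the sample it reports `.libs/libfreshclam.so.2.0.0 -L/usr/lib`, i.e. the host flag sits next to the `-L.../image/usr/lib` that libtool adds when relinking against `libclamav.la`.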


Re: [meta-security][meta-hardening][PATCH] meta-harden: Add a layer to demo harding OE/YP

Konrad Weihmann
 

Hi Armin,

that sounds good. Please keep me in the loop.
BTW did you/the project create any kind of roadmap, just out of interest?

BR
Konrad

On 02.08.20 17:24, akuster808 wrote:
On 8/2/20 2:47 AM, Konrad Weihmann wrote:
Hi,

is this just a demo, or are there plans to broaden the scope of this layer?
There are plans to broaden it. Some of this came from another layer I have, where it did not belong.

To me it would make perfect sense to have more of these features (besides sudo, openssh and root-pwd) and I'm willing to contribute, if this is something that will be actively pursued by the project.
That would be awesome and welcome.

IMHO this should become a core feature (DISTRO_FEATURE for example) rather than having it separately
I need a DISTRO_FEATURE to have this work with the layer this work came from. I have DISTRO_FEATURE support almost working.


Regards
Konrad

On 26.07.20 22:10, akuster wrote:
diff --git a/meta-hardening/README b/meta-hardening/README
new file mode 100644
index 0000000..37a0b7e
--- /dev/null
+++ b/meta-hardening/README
@@ -0,0 +1,86 @@
+# This is an example for Security hardening an OE or Poky image
+
+
+Meta-hardening
+=============
+
+This layer provides examples for hardening OE/Yocto images.
+This layer does not provide 100% security protection.  This is only
+a framework from which a user can build from and can possible contribute to.
+The goal here is to capture use cases and examples the community decided shares for
+everyones benefit.
+
+Building the meta-hardening layer
+-------------------------------
+In order to add hardening support to the poky/OE build this layer should be added
+to your projects bblayers.conf file.
+
+By default the hardening components are disabled.  This conforms to the
+Yocto Project compatible guideline that indicate that simply including a
+layer should not change the system behavior.
+
+In order to use the components in this layer to take affect the
'harden' keyword must
+set the DISTRO as in "DISTRO = harden".   This enables the "NO ROOT access" idea or framework.
+
+If one wants the a more complete example of a hardened image, one must also build the image:
+harden-image-minimal
+
+There are default example userid and passwards:
+These can be over written in your local.conf via:
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+
+example:
+local.conf
+DISTRO = "harden"
+
+The default user and password are:
+User: "myadmin"
+Password: "1SimplePw!"
+
+bitbake {qemu machine} harden-image-minimal
+
+Dependencies
+============
+
+Branch: master
+
+This layer depends on:
+
+URI: git://git.yoctoproject.org/poky
+
+or this normal combo:
+
+URI: git://git.openembedded.org/meta-openembedded/meta-oe
+
+URI: git://git.openembedded.org/bitbake
+
+plus:
+
+URI: git://git.openembedded.org/meta-openembedded
+layers: meta-oe
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-hardening][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers:  Armin Kuster <akuster808@gmail.com>
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
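Review bot: The README needs a proofreading pass before merge: `+a framework from which a user can build from and can possible contribute to.`, `+everyones benefit.`, `+In order to use the components in this layer to take affect` and the "passwards" / "please using" lines all carry typos or grammar slips, and the `DISTRO = harden` example should be quoted as `DISTRO = "harden"` like the local.conf example further down. More important for a hardening layer, the `myadmin` / `1SimplePw!` defaults are presented as examples but nothing says they must be replaced; add a sentence that any image built for real use must set ROOT_DEFAULT_PASSWORD, DEFAULT_ADMIN_ACCOUNT and DEFAULT_ADMIN_ACCOUNT_PASSWORD in local.conf, since a published default password is equivalent to no password.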
diff --git a/meta-hardening/conf/distro/harden.conf b/meta-hardening/conf/distro/harden.conf
new file mode 100644
index 0000000..66db9b7
--- /dev/null
+++ b/meta-hardening/conf/distro/harden.conf
@@ -0,0 +1,11 @@
+DISTRO = "harden"
+DISTRO_NAME = "Simple Security hardening example"
+DISTRO_VERSION = "1.0"
+
+DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
+
+VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
+IMAGE_ROOTFS_EXTRA_SPACE = "524288"
+EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
+
+DISABLE_ROOT ?= "True"
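Review bot: `+DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"` is a hard assignment (with a stray leading space), so it silently discards whatever the core layer would otherwise put into DISTRO_FEATURES; if that is intended for the demo distro, say so in a comment, otherwise build on the default with `+=`. `+EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"` is the right call (debug-tweaks is what grants the empty root password and root login), but `_remove` is final and cannot be undone from local.conf, which deserves a comment. `+DISABLE_ROOT ?= "True"` introduces a layer-specific variable consumed by the openssh, sudo and image recipes below; it is not mentioned in the README and should be.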
diff --git a/meta-hardening/conf/layer.conf b/meta-hardening/conf/layer.conf
new file mode 100644
index 0000000..5896214
--- /dev/null
+++ b/meta-hardening/conf/layer.conf
@@ -0,0 +1,13 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "harden-layer"
+BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_harden-layer = "10"
+
+LAYERSERIES_COMPAT_harden-layer = "dunfell"
+
+LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..67be3f3
--- /dev/null
+++ b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,13 @@
+do_install_append_harden () {
+    # to hardend
+    sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+
+    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+        sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
+    fi
+}
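Review bot: Every `sed` here only matches the commented-out default form, e.g. `s:#AllowTcpForwarding yes:AllowTcpForwarding no:`, so if the shipped sshd_config ever carries the directive uncommented or with a different value the edit is a silent no-op and the image ships unhardened; match both forms (`s:^#\?AllowTcpForwarding.*:AllowTcpForwarding no:`) and fail the task when a `grep -q '^AllowTcpForwarding no'` afterwards does not find the setting. Also, `PermitRootLogin prohibit-password` still allows root to log in with a key; since `DISABLE_ROOT` is described as a "NO ROOT access" switch, `PermitRootLogin no` matches that intent. Minor: `# to hardend` is a typo.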
diff --git a/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..3956304
--- /dev/null
+++ b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
+
+do_install_append_harden () {
+    sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
+}
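Review bot: `s/umask.*/umask 027/g` is unanchored, so it also rewrites any comment line in /etc/profile that mentions umask; use `s/^umask.*/umask 027/`. The path `${D}/${sysconfdir}/profile` has a doubled slash (sysconfdir already starts with `/`); the other bbappends in this series write `${D}${sysconfdir}`, so keep it consistent.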
diff --git a/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-hardening/recipes-core/images/harden-image-minimal.bb
new file mode 100644
index 0000000..daed3fb
--- /dev/null
+++ b/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -0,0 +1,25 @@
+SUMMARY = "A small image for an example hardening OE."
+
+IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
+IMAGE_INSTALL_append = " os-release"
+
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = " "
+
+LICENSE = "MIT"
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit core-image extrausers
+
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+DEFAULT_ADMIN_GROUP ?= "wheel"
+DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
+
+EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
+
+EXTRA_USERS_PARAMS += "useradd  ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "groupadd  ${DEFAULT_ADMIN_GROUP};"
+EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
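Review bot: `+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"` and `+DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"` bake a cleartext default password into a public recipe; that is acceptable for a demo only if the README makes overriding them mandatory, and a `bb.warn()` from an anonymous python function when either value is still the default would be a cheap guard. `usermod -L root` only locks the password and does not stop key-based SSH logins, so it should be paired with `PermitRootLogin no` in the openssh append rather than `prohibit-password`. Ordering nit: `useradd ${DEFAULT_ADMIN_ACCOUNT};` runs before `groupadd ${DEFAULT_ADMIN_GROUP};`, which works only because the group is attached later with `usermod -aG`; creating the group first reads more naturally.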
diff --git a/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-hardening/recipes-core/initscripts/files/mountall.sh
new file mode 100755
index 0000000..e093f96
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/files/mountall.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          mountall
+# Required-Start:    mountvirtfs
+# Required-Stop:
+# Default-Start:     S
+# Default-Stop:
+# Short-Description: Mount all filesystems.
+# Description:
+### END INIT INFO
+
+. /etc/default/rcS
+
+#
+# Mount local filesystems in /etc/fstab. For some reason, people
+# might want to mount "proc" several times, and mount -v complains
+# about this. So we mount "proc" filesystems without -v.
+#
+test "$VERBOSE" != no && echo "Mounting local filesystems..."
+mkdir -p /home
+mkdir -p /var
+mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
+
+#
+# We might have mounted something over /dev, see if /dev/initctl is there.
+#
+if test ! -p /dev/initctl
+then
+    rm -f /dev/initctl
+    mknod -m 600 /dev/initctl p
+fi
+kill -USR1 1
+
+#
+# Execute swapon command again, in case we want to swap to
+# a file on a now mounted filesystem.
+#
+[ -x /sbin/swapon ] && swapon -a
+
+: exit 0
+
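Review bot: Neither the commit message nor the README says why the layer ships its own mountall.sh; the `+mkdir -p /home` and `+mkdir -p /var` lines appear to be the local change, so state the hardening purpose (presumably separate /home and /var mounts from fstab) in the `# Description:` header line, which is currently empty. The script is sysvinit-specific (`/dev/initctl`, `kill -USR1 1`) while harden.conf does not pin an init manager, so either restrict the append to sysvinit builds or document the assumption. `: exit 0` is a no-op; use `exit 0` or drop the line.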
diff --git a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
new file mode 100644
index 0000000..896b039
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_harden = " file://mountall.sh"
+
+do_install_append_harden() {
+    install -d ${D}${sysconfdir}/init.d
+    install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
+}
diff --git a/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
new file mode 100644
index 0000000..1dcd5fc
--- /dev/null
+++ b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
@@ -0,0 +1,19 @@
+#
+#
+#
+
+SUMMARY = "Hardening example group"
+
+inherit packagegroup
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = "${PN}  \
+    packagegroup-${PN} \
+"
+
+RDEPENDS_${PN} = "\
+    init-ifupdown \
+    ${VIRTUAL-RUNTIME_base-utils-syslog} \
+    sudo \
+    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \
+"
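Review bot: The three empty `+#` lines at the top look like an unfilled header placeholder; add a description/license comment or drop them. `+PACKAGES = "${PN}  \` followed by `packagegroup-${PN}` creates an extra `packagegroup-packagegroup-hardening` package with no RDEPENDS of its own, which looks unintended; the packagegroup class already sets PACKAGES, so defining only `RDEPENDS_${PN}` is enough. The `pam-plugin-wheel` entry depends on `pam` being in DISTRO_FEATURES, which harden.conf sets, but on another distro the wheel plugin silently disappears; worth a comment.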
diff --git a/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000..3f363f0
--- /dev/null
+++ b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,10 @@
+do_install_append_harden () {
+    # to hardend
+    sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
+}
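Review bot: Patterns such as `s:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:` are unanchored, and login.defs contains comment lines that mention the same keywords, so those comments get rewritten too; anchor them with `^` (`s:^PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:`, `s:^#\?PASS_MIN_LEN.*:PASS_MIN_LEN 11:`). Also, with `pam` in DISTRO_FEATURES (as harden.conf sets) passwd does not enforce PASS_MIN_LEN, so the minimum length has to come from a PAM module such as pam_pwquality; either add that or drop the line so the config does not suggest an enforcement that is not there. `# to hardend` is a typo.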
diff --git a/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..a31c081
--- /dev/null
+++ b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,7 @@
+
+PACKAGECONFIG_append_harden = " pam-wheel"
+do_install_append_harden () {
+    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+        sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers
+    fi
+}
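Review bot: `s:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:` depends on the exact spacing in the shipped sudoers; if that line uses tabs the sed is a silent no-op, so anchor and verify it (`s:^root[[:space:]]*ALL=(ALL) ALL:#&:` followed by a `grep -q` check). With root's rule commented out, nothing in this series enables a `%wheel` rule, so the `wheel` admin user created in harden-image-minimal may be left with no privilege-escalation path at all; either enable the wheel rule here or explain in the README how administration is expected to work. `PACKAGECONFIG_append_harden = " pam-wheel"` likewise only makes sense with `pam` in DISTRO_FEATURES; fine for the harden distro, worth a comment for anyone reusing the append.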




Re: [meta-security] Clamav libclammspack.so missing from image

yoc
 

After a closer look I realised that there isn't a difference between the stock libmspack and the internal clamav libmspack, so 1 can be ignored.

I have submitted a patch for 3.

I have also tested updating the recipe to rel/0.102 the latest release.

There were a couple of problems during configure with curl.

1) The configure script looks for curl-config under /usr/bin but the location under the sysroot is /usr/bin/crossscripts/curl-config. I patched the configure script to change the path it looks for and this worked, but I do not know if this is the best solution?
2) The configure script checks the version of curl due to this feature: https://www.clamav.net/documents/on-access-scanning#on-access-scanning. Currently on the dunfell branch this check fails due to the curl recipe version not being >= 7.45.
     I used the suggested workaround of adding --disable-clamonacc to EXTRA_OECONF_CLAMAV for now.

Once these two issues were sorted everything built and ran as expected.

What are your thoughts on the way forward with the two curl issues?

Kind Regards,

Charlie


[meta-security][PATCH] clamav: add INSTALL_CLAMAV_CVD flag to do_install

Charlie Davies
 

Recipe provides INSTALL_CLAMAV_CVD flag to bypass clamav
cvd db creation. During do_install this flag should be
used to conditionally skip install of cvd db if needed.

Signed-off-by: Charlie Davies <charles.davies@whitetree.xyz>
---
recipes-scanners/clamav/clamav_0.101.5.bb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/recipes-scanners/clamav/clamav_0.101.5.bb b/recipes-scanners=
/clamav/clamav_0.101.5.bb
index 2ea2c9b..770186a 100644
--- a/recipes-scanners/clamav/clamav_0.101.5.bb
+++ b/recipes-scanners/clamav/clamav_0.101.5.bb
@@ -89,7 +89,9 @@ do_install_append_class-target () {
install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/de=
fault/volatiles/volatiles.03_clamav
sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclam=
av.pc
rm ${D}/${libdir}/libclamav.so
- install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
+ if [ "${INSTALL_CLAMAV_CVD}" =3D "1" ]; then
+ install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav=
/.
+ fi
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d=
)};then
install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitd=
ir}/system/clamav.service
install -d ${D}${sysconfdir}/tmpfiles.d
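Review bot: The commit message says the flag bypasses cvd database creation, but the hunk only skips installing the files from `${S}/clamav_db/`; reword it. `INSTALL_CLAMAV_CVD` gets no default in this hunk, and an unset variable compares as `"" = "1"`, so the databases are now skipped unless every user explicitly sets the flag; add `INSTALL_CLAMAV_CVD ?= "1"` to the recipe to keep the previous behaviour, or say in the message that the default changes. Separately, the `install -m 666 ${S}/clamav_db/*` kept inside the new `if` makes the signature databases world-writable on the target, which lets any local user alter what the scanner trusts; `0644` owned by the clamav user is the usual choice and belongs in the same area.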
--
2.27.0


Re: [meta-security][meta-hardening][PATCH] meta-harden: Add a layer to demo harding OE/YP

Armin Kuster
 



On 8/2/20 2:47 AM, Konrad Weihmann wrote:
Hi,

is this just a demo, or are there plans to broaden the scope of this layer?

There are plans to broaden it. Some of this came from another layer I have, where it did not belong.

To me it would make perfect sense to have more of these features (besides sudo, openssh and root-pwd) and I'm willing to contribute, if this is something that will be actively pursued by the project.
That would be awesome and welcome.

IMHO this should become a core feature (DISTRO_FEATURE for example) rather than having it separately

I need a DISTRO_FEATURE to have this work with the layer this work came from. I have DISTRO_FEATURE support almost working.


Regards
Konrad

On 26.07.20 22:10, akuster wrote:
diff --git a/meta-hardening/README b/meta-hardening/README
new file mode 100644
index 0000000..37a0b7e
--- /dev/null
+++ b/meta-hardening/README
@@ -0,0 +1,86 @@
+# This is an example for Security hardening an OE or Poky image
+
+
+Meta-hardening
+=============
+
+This layer provides examples for hardening OE/Yocto images.
+This layer does not provide 100% security protection.  This is only
+a framework from which a user can build from and can possible contribute to.
+The goal here is to capture use cases and examples the community decided shares for
+everyones benefit.
+
+Building the meta-hardening layer
+-------------------------------
+In order to add hardening support to the poky/OE build this layer should be added
+to your projects bblayers.conf file.
+
+By default the hardening components are disabled.  This conforms to the
+Yocto Project compatible guideline that indicate that simply including a
+layer should not change the system behavior.
+
+In order to use the components in this layer to take affect the  'harden' keyword must
+set the DISTRO as in "DISTRO = harden".   This enables the "NO ROOT access" idea or framework.
+
+If one wants the a more complete example of a hardened image, one must also build the image:
+harden-image-minimal
+
+There are default example userid and passwards:
+These can be over written in your local.conf via:
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+
+example:
+local.conf
+DISTRO = "harden"
+
+The default user and password are:
+User: "myadmin"
+Password: "1SimplePw!"
+
+bitbake {qemu machine} harden-image-minimal
+
+Dependencies
+============
+
+Branch: master
+
+This layer depends on:
+
+URI: git://git.yoctoproject.org/poky
+
+or this normal combo:
+
+URI: git://git.openembedded.org/meta-openembedded/meta-oe
+
+URI: git://git.openembedded.org/bitbake
+
+plus:
+
+URI: git://git.openembedded.org/meta-openembedded
+layers: meta-oe
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@...
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@... --subject-prefix=meta-hardening][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@...
+$ git config format.subjectPrefix meta-hardening][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers:  Armin Kuster <akuster808@...>
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/meta-hardening/conf/distro/harden.conf b/meta-hardening/conf/distro/harden.conf
new file mode 100644
index 0000000..66db9b7
--- /dev/null
+++ b/meta-hardening/conf/distro/harden.conf
@@ -0,0 +1,11 @@
+DISTRO = "harden"
+DISTRO_NAME = "Simple Security hardening example"
+DISTRO_VERSION = "1.0"
+
+DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
+
+VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
+IMAGE_ROOTFS_EXTRA_SPACE = "524288"
+EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
+
+DISABLE_ROOT ?= "True"
diff --git a/meta-hardening/conf/layer.conf b/meta-hardening/conf/layer.conf
new file mode 100644
index 0000000..5896214
--- /dev/null
+++ b/meta-hardening/conf/layer.conf
@@ -0,0 +1,13 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "harden-layer"
+BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_harden-layer = "10"
+
+LAYERSERIES_COMPAT_harden-layer = "dunfell"
+
+LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..67be3f3
--- /dev/null
+++ b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,13 @@
+do_install_append_harden () {
+    # to hardend
+    sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config
+    sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+
+    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+        sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
+    fi
+}
diff --git a/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..3956304
--- /dev/null
+++ b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
+
+do_install_append_harden () {
+    sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
+}
diff --git a/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-hardening/recipes-core/images/harden-image-minimal.bb
new file mode 100644
index 0000000..daed3fb
--- /dev/null
+++ b/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -0,0 +1,25 @@
+SUMMARY = "A small image for an example hardening OE."
+
+IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
+IMAGE_INSTALL_append = " os-release"
+
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = " "
+
+LICENSE = "MIT"
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit core-image extrausers
+
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+DEFAULT_ADMIN_GROUP ?= "wheel"
+DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
+
+EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
+
+EXTRA_USERS_PARAMS += "useradd  ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "groupadd  ${DEFAULT_ADMIN_GROUP};"
+EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP}  ${DEFAULT_ADMIN_ACCOUNT};"
diff --git a/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-hardening/recipes-core/initscripts/files/mountall.sh
new file mode 100755
index 0000000..e093f96
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/files/mountall.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          mountall
+# Required-Start:    mountvirtfs
+# Required-Stop:
+# Default-Start:     S
+# Default-Stop:
+# Short-Description: Mount all filesystems.
+# Description:
+### END INIT INFO
+
+. /etc/default/rcS
+
+#
+# Mount local filesystems in /etc/fstab. For some reason, people
+# might want to mount "proc" several times, and mount -v complains
+# about this. So we mount "proc" filesystems without -v.
+#
+test "$VERBOSE" != no && echo "Mounting local filesystems..."
+mkdir -p /home
+mkdir -p /var
+mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
+
+#
+# We might have mounted something over /dev, see if /dev/initctl is there.
+#
+if test ! -p /dev/initctl
+then
+    rm -f /dev/initctl
+    mknod -m 600 /dev/initctl p
+fi
+kill -USR1 1
+
+#
+# Execute swapon command again, in case we want to swap to
+# a file on a now mounted filesystem.
+#
+[ -x /sbin/swapon ] && swapon -a
+
+: exit 0
+
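Review bot: the LSB `Description:` header is empty and nothing explains why the layer carries its own copy of mountall.sh; apart from the `mkdir -p /home` and `mkdir -p /var` lines inserted before `mount -at nonfs,nosmbfs,noncpfs`, the script reads like the stock initscripts version, and no fstab entry in this series mounts /home or /var, so the reader cannot tell what the copy is for. If the goal is separate /home and /var mounts with restrictive options (nosuid, nodev), say so in a comment above the mkdir lines and include the matching fstab change. Minor: `: exit 0` at the end is a no-op (the `:` builtin ignores its arguments), which is fine but easily mistaken for an exit.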
diff --git a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
new file mode 100644
index 0000000..896b039
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_harden = " file://mountall.sh"
+
+do_install_append_harden() {
+    install -d ${D}${sysconfdir}/init.d
+    install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
+}
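Review bot: `do_install_append_harden` overwrites the mountall.sh that the initscripts recipe has already installed into ${sysconfdir}/init.d, so upstream changes to that script are silently lost under DISTRO=harden. Carrying the two mkdir lines as a small patch against the upstream file (added via `SRC_URI_append_harden`) would keep the difference reviewable; if the full copy stays, a comment saying which initscripts version it tracks would help whoever rebases it next. Style nit: `do_install_append_harden()` lacks the space before `()` that the other appends in the series use.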
diff --git a/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
new file mode 100644
index 0000000..1dcd5fc
--- /dev/null
+++ b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
@@ -0,0 +1,19 @@
+#
+#
+#
+
+SUMMARY = "Hardening example group"
+
+inherit packagegroup
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = "${PN}  \
+    packagegroup-${PN} \
+"
+
+RDEPENDS_${PN} = "\
+    init-ifupdown \
+    ${VIRTUAL-RUNTIME_base-utils-syslog} \
+    sudo \
+    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \
+"
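Review bot: `PACKAGES = "${PN} packagegroup-${PN}"` produces a second, empty package named packagegroup-packagegroup-hardening (PN is already packagegroup-hardening, and packagegroup.bbclass marks every listed package ALLOW_EMPTY), and `PROVIDES = "${PACKAGES}"` adds nothing once PACKAGES is just ${PN}; both look like template leftovers and can go, together with the three empty `#` lines at the top (a LICENSE line would be more useful there, even though packagegroup.bbclass defaults it to MIT). Also, `pam-plugin-wheel` is only pulled in when pam is in DISTRO_FEATURES, while the sudo append enables the pam-wheel PACKAGECONFIG unconditionally under the harden override; guarding both the same way keeps the admin account's sudo access from depending on an untested combination.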
diff --git a/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000..3f363f0
--- /dev/null
+++ b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,10 @@
+do_install_append_harden () {
+    # to hardend
+    sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
+    sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
+}
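Review bot: the sed patterns are unanchored, so `s:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:` also rewrites the comment lines in login.defs that describe PASS_MAX_DAYS, and `s:UMASK.*:UMASK 027:` likewise; anchoring with `^` (and `^#\?` where the stock file has the key commented, as with PASS_MIN_LEN) limits each edit to the setting itself. More important, sed is silent on a non-match, so a change in the shipped login.defs would leave the weaker value in place with no build error; a check after each edit, e.g. `grep -q '^PASS_MIN_LEN 11' ${D}${sysconfdir}/login.defs || bbfatal "PASS_MIN_LEN not set"`, turns the hardening into something the build verifies. Finally, with pam in DISTRO_FEATURES (harden.conf enables it) PASS_MIN_LEN in login.defs is not consulted by the PAM-enabled passwd; a minimum length needs a password-quality module (pam_cracklib or pam_pwquality) in the password stack, which this series does not add.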
diff --git a/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..a31c081
--- /dev/null
+++ b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,7 @@
+
+PACKAGECONFIG_append_harden = " pam-wheel"
+do_install_append_harden () {
+    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+        sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers
+    fi
+}
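Review bot: the DISABLE_ROOT branch depends on an exact match of `root ALL=(ALL) ALL`, and because this is a `sudo_%.bbappend` it follows sudo upgrades; later sudo releases ship that rule as `root ALL=(ALL:ALL) ALL`, at which point the sed matches nothing and root keeps its sudoers entry with no error. Anchor and tolerate whitespace (`'s:^root[[:space:]]\+ALL=:#&:'`) and verify afterwards with `grep -q '^root' ${D}${sysconfdir}/sudoers && bbfatal "root still enabled in sudoers"`. A comment that the `pam-wheel` PACKAGECONFIG is what (in OE-core's sudo recipe) uncomments the `%wheel` rule and adds pam_wheel.so would also make clear that the admin account's sudo access hinges on that one line. Nit: drop the leading blank line.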


Re: [meta-security][meta-hardening][PATCH] meta-harden: Add a layer to demo harding OE/YP

Konrad Weihmann
 

Hi,

Is this just a demo, or are there plans to broaden the scope of this layer?
To me it would make perfect sense to have more of these features (besides sudo, openssh and root-pwd), and I'm willing to contribute if this is something that will be actively pursued by the project.
IMHO this should become a core feature (a DISTRO_FEATURE, for example) rather than having it separately.

Regards
Konrad

On 26.07.20 22:10, akuster wrote:
diff --git a/meta-hardening/README b/meta-hardening/README
new file mode 100644
index 0000000..37a0b7e
--- /dev/null
+++ b/meta-hardening/README
@@ -0,0 +1,86 @@
+# This is an example for Security hardening an OE or Poky image
+
+
+Meta-hardening
+=============
+
+This layer provides examples for hardening OE/Yocto images.
+This layer does not provide 100% security protection. This is only
+a framework from which a user can build from and can possible contribute to.
+The goal here is to capture use cases and examples the community decided shares for
+everyones benefit.
+
+Building the meta-hardening layer
+-------------------------------
+In order to add hardening support to the poky/OE build this layer should be added
+to your projects bblayers.conf file.
+
+By default the hardening components are disabled. This conforms to the
+Yocto Project compatible guideline that indicate that simply including a
+layer should not change the system behavior.
+
+In order to use the components in this layer to take affect the 'harden' keyword must
+set the DISTRO as in "DISTRO = harden". This enables the "NO ROOT access" idea or framework.
+
+If one wants the a more complete example of a hardened image, one must also build the image:
+harden-image-minimal
+
+There are default example userid and passwards:
+These can be over written in your local.conf via:
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+
+example:
+local.conf
+DISTRO = "harden"
+
+The default user and password are:
+User: "myadmin"
+Password: "1SimplePw!"
+
+bitbake {qemu machine} harden-image-minimal
+
+Dependencies
+============
+
+Branch: master
+
+This layer depends on:
+
+URI: git://git.yoctoproject.org/poky
+
+or this normal combo:
+
+URI: git://git.openembedded.org/meta-openembedded/meta-oe
+
+URI: git://git.openembedded.org/bitbake
+
+plus:
+
+URI: git://git.openembedded.org/meta-openembedded
+layers: meta-oe
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-hardening][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers: Armin Kuster <akuster808@gmail.com>
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
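Review bot: the README documents only ROOT_DEFAULT_PASSWORD and DEFAULT_ADMIN_ACCOUNT as overridable, but the image recipe also reads DEFAULT_ADMIN_ACCOUNT_PASSWORD and DEFAULT_ADMIN_GROUP, and the admin password is the one that most needs changing since its default is printed a few lines further down; list all four and state that the defaults exist for the demo only. `DISTRO = harden` (unquoted) in the paragraph on the harden keyword is not valid bitbake syntax, unlike the `DISTRO = "harden"` in the example below it, and the Dependencies section lists meta-oe twice. Typos for a respin: "everyones", "passwards", "take affect", "can possible contribute", "community decided shares", "the a more complete", "please using".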
diff --git a/meta-hardening/conf/distro/harden.conf b/meta-hardening/conf/distro/harden.conf
new file mode 100644
index 0000000..66db9b7
--- /dev/null
+++ b/meta-hardening/conf/distro/harden.conf
@@ -0,0 +1,11 @@
+DISTRO = "harden"
+DISTRO_NAME = "Simple Security hardening example"
+DISTRO_VERSION = "1.0"
+
+DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
+
+VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
+IMAGE_ROOTFS_EXTRA_SPACE = "524288"
+EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
+
+DISABLE_ROOT ?= "True"
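Review bot: `EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"` strips the meta-feature but not its components, so a local.conf that lists `allow-root-login`, `empty-root-password` or `allow-empty-password` directly still gets them in a DISTRO=harden build; removing those (and `post-install-logging`, which debug-tweaks also implies) closes that gap. The full assignment `DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"` discards the poky defaults (x11, wifi, bluetooth, nfs, vfat and friends), which is a reasonable attack-surface reduction for a hardening distro but deserves a comment saying it is deliberate; `ipsec`, on the other hand, is an addition whose purpose is not explained. Nit: the leading space in the value.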
diff --git a/meta-hardening/conf/layer.conf b/meta-hardening/conf/layer.conf
new file mode 100644
index 0000000..5896214
--- /dev/null
+++ b/meta-hardening/conf/layer.conf
@@ -0,0 +1,13 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "harden-layer"
+BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_harden-layer = "10"
+
+LAYERSERIES_COMPAT_harden-layer = "dunfell"
+
+LAYERDEPENDS_harden-layer = "core openembedded-layer"
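Review bot: `LAYERSERIES_COMPAT_harden-layer = "dunfell"` pins the layer to dunfell while the README says "Branch: master"; bitbake on master will reject the layer on the compat check, so either add the tested series here or correct the README. The BBPATH comment mentions a classes directory the layer does not contain. BBFILE_PRIORITY 10 is above both core and meta-oe, which is harmless for a layer of bbappends and its own recipes, but a one-line comment on why it was chosen would save a question later.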
diff --git a/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..67be3f3
--- /dev/null
+++ b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,13 @@
+do_install_append_harden () {
+ # to hardend
+ sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+ sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
+ fi
+}
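Review bot: `PermitRootLogin prohibit-password` still admits root with a key, which falls short of the "NO ROOT access" intent the README states; since the image also locks root's password, `PermitRootLogin no` is the consistent setting. The same fragility as in the shadow append applies: every sed here is an exact, unanchored match against the shipped sshd_config (`ClientAliveCountMax 4`, `#MaxSessions.*`, ...), and a non-match leaves the default in place with no error, so either check each directive's value after editing or, with OpenSSH 8.2 and later, install a separate hardening fragment through `Include` instead of editing the stock file. Worth noting as well that PasswordAuthentication is left enabled, so an image built with the default admin password in place is reachable over SSH with a credential printed in the README.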
diff --git a/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..3956304
--- /dev/null
+++ b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
+
+do_install_append_harden () {
+ sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
+}
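Review bot: `${D}/${sysconfdir}` yields a doubled slash (sysconfdir is already absolute) and is the only place in the series spelled that way; use `${D}${sysconfdir}` as the other appends do. `s/umask.*/umask 027/g` is again unanchored and would also rewrite a comment that mentions umask; `s/^umask .*/umask 027/` is precise. Also, /etc/profile only governs login shells, so non-login shells and daemons started from init keep their own umask; this complements the login.defs UMASK change in the shadow append rather than replacing it, which a comment could say.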
diff --git a/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-hardening/recipes-core/images/harden-image-minimal.bb
new file mode 100644
index 0000000..daed3fb
--- /dev/null
+++ b/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -0,0 +1,25 @@
+SUMMARY = "A small image for an example hardening OE."
+
+IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
+IMAGE_INSTALL_append = " os-release"
+
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = " "
+
+LICENSE = "MIT"
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit core-image extrausers
+
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+DEFAULT_ADMIN_GROUP ?= "wheel"
+DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
+
+EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
+
+EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};"
+EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
diff --git a/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-hardening/recipes-core/initscripts/files/mountall.sh
new file mode 100755
index 0000000..e093f96
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/files/mountall.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: mountall
+# Required-Start: mountvirtfs
+# Required-Stop:
+# Default-Start: S
+# Default-Stop:
+# Short-Description: Mount all filesystems.
+# Description:
+### END INIT INFO
+
+. /etc/default/rcS
+
+#
+# Mount local filesystems in /etc/fstab. For some reason, people
+# might want to mount "proc" several times, and mount -v complains
+# about this. So we mount "proc" filesystems without -v.
+#
+test "$VERBOSE" != no && echo "Mounting local filesystems..."
+mkdir -p /home
+mkdir -p /var
+mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
+
+#
+# We might have mounted something over /dev, see if /dev/initctl is there.
+#
+if test ! -p /dev/initctl
+then
+ rm -f /dev/initctl
+ mknod -m 600 /dev/initctl p
+fi
+kill -USR1 1
+
+#
+# Execute swapon command again, in case we want to swap to
+# a file on a now mounted filesystem.
+#
+[ -x /sbin/swapon ] && swapon -a
+
+: exit 0
+
diff --git a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
new file mode 100644
index 0000000..896b039
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_harden = " file://mountall.sh"
+
+do_install_append_harden() {
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
+}
diff --git a/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
new file mode 100644
index 0000000..1dcd5fc
--- /dev/null
+++ b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
@@ -0,0 +1,19 @@
+#
+#
+#
+
+SUMMARY = "Hardening example group"
+
+inherit packagegroup
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = "${PN} \
+ packagegroup-${PN} \
+"
+
+RDEPENDS_${PN} = "\
+ init-ifupdown \
+ ${VIRTUAL-RUNTIME_base-utils-syslog} \
+ sudo \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \
+"
diff --git a/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000..3f363f0
--- /dev/null
+++ b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,10 @@
+do_install_append_harden () {
+ # to hardend
+ sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
+}
diff --git a/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..a31c081
--- /dev/null
+++ b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,7 @@
+
+PACKAGECONFIG_append_harden = " pam-wheel"
+do_install_append_harden () {
+ if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+ sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers
+ fi
+}


Re: dunfell gcc-sanitizers-arm-8.3 fails to build

Ryan Harkin <ryan.harkin@...>
 



On Sat, 1 Aug 2020, 15:19 Sumit Garg, <sumit.garg@...> wrote:
On Sat, 1 Aug 2020 at 19:40, Sumit Garg via lists.yoctoproject.org
<sumit.garg=linaro.org@...> wrote:
>
> On Sat, 1 Aug 2020 at 14:57, Ryan Harkin <ryan.harkin@...> wrote:
> >
> >
> >
> > On Sat, 1 Aug 2020 at 10:09, Ryan Harkin <ryan.harkin@...> wrote:
> >>
> >> Hi Khem,
> >>
> >> On Fri, 31 Jul 2020, 21:58 Khem Raj, <raj.khem@...> wrote:
> >>>
> >>> On Fri, Jul 31, 2020 at 8:35 AM Ryan Harkin <ryan.harkin@...> wrote:
> >>> >
> >>> > Hello,
> >>> >
> >>> > I'm migrating from Warrior to Dunfell and I'm getting a curious build failure in gcc-sanitizers.
> >>> >
> >>> > Here's the full gory detail:
> >>> >     https://pastebin.ubuntu.com/p/nh4cDKMvgS/
> >>> >
> >>> > However, the main error is this:
> >>> >
> >>> > | In file included from ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:193:
> >>> > | ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_internal_defs.h:317:72: error: size of array 'assertion_failed__1152' is negative
> >>> > |      typedef char IMPL_PASTE(assertion_failed_##_, line)[2*(int)(pred)-1]
> >>> >
> >>> > I have no idea where to begin with this. I don't even know why gcc-sanitizers is included in the build, what it does, or why I need it. I'm building an image with dev packages and gcc, so I guess that's why.
> >>> >
> >>> > I've hacked meta-arm to patch sanitizer_platform_limits_posix.cc to null out the macros and that builds fine. I'm sure it won't work, should someone want to use it, mind you.
> >>> >
> >>> > Is there something obvious that I should be doing as part of a Warrior -> Dunfell migration to get this to work?
> >>> >
> >>> > note: Warrior used meta-linaro-toolchain and for Dunfell, it's moved to meta-arm-toolchain.
> >>> >
> >>>
> >>> is gcc 8.3 the latest for linaro
> >>
> >>
> >> I assume so. I haven't attempted to change the default.
> >
> >
> > I'm sorry, that's incorrect: local.conf has an over-ride to specify 8.3.
> > I've just removed it and now it's using 9.3. And it's building fine.
> >

It's using GCC 9.3 from OE core. If you wish to use Arm toolchain then
you need to override the default OE core GCC version with Arm
toolchain GCC version:

GCCVERSION = "arm-9.2"

Ah, right, I see! Yes, I think I'll stick with that suggestion.

Thanks for the explanation.



-Sumit

> > Sumit, do you know if there's a reason for using 9.2 in RPB instead of 9.3?
> >
>
> Arm GCC 9.3 toolchain isn't released yet (see here [1]).
>
> [1] https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-a/downloads
>
> -Sumit
>
> >>
> >>>
> >>> > Regards,
> >>> > Ryan.
> >>> >
>


ERROR : Building SDK for RPI

Bobby
 

image.png

I am trying to build the SDK for Raspberry Pi.
While I am trying to build the SDK
I got these errors,
and now I am trying to solve this error.
Can you please help me?

~bobby
Thank you so much


Re: dunfell gcc-sanitizers-arm-8.3 fails to build

Sumit Garg
 

On Sat, 1 Aug 2020 at 19:40, Sumit Garg via lists.yoctoproject.org
<sumit.garg=linaro.org@lists.yoctoproject.org> wrote:

On Sat, 1 Aug 2020 at 14:57, Ryan Harkin <ryan.harkin@linaro.org> wrote:



On Sat, 1 Aug 2020 at 10:09, Ryan Harkin <ryan.harkin@linaro.org> wrote:

Hi Khem,

On Fri, 31 Jul 2020, 21:58 Khem Raj, <raj.khem@gmail.com> wrote:

On Fri, Jul 31, 2020 at 8:35 AM Ryan Harkin <ryan.harkin@linaro.org> wrote:

Hello,

I'm migrating from Warrior to Dunfell and I'm getting a curious build failure in gcc-sanitizers.

Here's the full gory detail:
https://pastebin.ubuntu.com/p/nh4cDKMvgS/

However, the main error is this:

| In file included from ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:193:
| ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_internal_defs.h:317:72: error: size of array 'assertion_failed__1152' is negative
| typedef char IMPL_PASTE(assertion_failed_##_, line)[2*(int)(pred)-1]

I have no idea where to begin with this. I don't even know why gcc-sanitizers is included in the build, what it does, or why I need it. I'm building an image with dev packages and gcc, so I guess that's why.

I've hacked meta-arm to patch sanitizer_platform_limits_posix.cc to null out the macros and that builds fine. I'm sure it won't work, should someone want to use it, mind you.

Is there something obvious that I should be doing as part of a Warrior -> Dunfell migration to get this to work?

note: Warrior used meta-linaro-toolchain and for Dunfell, it's moved to meta-arm-toolchain.
is gcc 8.3 the latest for linaro

I assume so. I haven't attempted to change the default.

I'm sorry, that's incorrect: local.conf has an over-ride to specify 8.3.
I've just removed it and now it's using 9.3. And it's building fine.
It's using GCC 9.3 from OE core. If you wish to use Arm toolchain then
you need to override the default OE core GCC version with Arm
toolchain GCC version:

GCCVERSION = "arm-9.2"

-Sumit

Sumit, do you know if there's a reason for using 9.2 in RPB instead of 9.3?
Arm GCC 9.3 toolchain isn't released yet (see here [1]).

[1] https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-a/downloads

-Sumit



Regards,
Ryan.


Re: dunfell gcc-sanitizers-arm-8.3 fails to build

Sumit Garg
 

On Sat, 1 Aug 2020 at 14:57, Ryan Harkin <ryan.harkin@linaro.org> wrote:



On Sat, 1 Aug 2020 at 10:09, Ryan Harkin <ryan.harkin@linaro.org> wrote:

Hi Khem,

On Fri, 31 Jul 2020, 21:58 Khem Raj, <raj.khem@gmail.com> wrote:

On Fri, Jul 31, 2020 at 8:35 AM Ryan Harkin <ryan.harkin@linaro.org> wrote:

Hello,

I'm migrating from Warrior to Dunfell and I'm getting a curious build failure in gcc-sanitizers.

Here's the full gory detail:
https://pastebin.ubuntu.com/p/nh4cDKMvgS/

However, the main error is this:

| In file included from ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:193:
| ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_internal_defs.h:317:72: error: size of array 'assertion_failed__1152' is negative
| typedef char IMPL_PASTE(assertion_failed_##_, line)[2*(int)(pred)-1]

I have no idea where to begin with this. I don't even know why gcc-sanitizers is included in the build, what it does, or why I need it. I'm building an image with dev packages and gcc, so I guess that's why.

I've hacked meta-arm to patch sanitizer_platform_limits_posix.cc to null out the macros and that builds fine. I'm sure it won't work, should someone want to use it, mind you.

Is there something obvious that I should be doing as part of a Warrior -> Dunfell migration to get this to work?

note: Warrior used meta-linaro-toolchain and for Dunfell, it's moved to meta-arm-toolchain.
is gcc 8.3 the latest for linaro

I assume so. I haven't attempted to change the default.

I'm sorry, that's incorrect: local.conf has an over-ride to specify 8.3.
I've just removed it and now it's using 9.3. And it's building fine.

Sumit, do you know if there's a reason for using 9.2 in RPB instead of 9.3?
Arm GCC 9.3 toolchain isn't released yet (see here [1]).

[1] https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-a/downloads

-Sumit



Regards,
Ryan.


Re: dunfell gcc-sanitizers-arm-8.3 fails to build

Sumit Garg
 

On Sat, 1 Aug 2020 at 14:42, Ryan Harkin <ryan.harkin@linaro.org> wrote:

Hi Sumit,

On Sat, 1 Aug 2020, 07:51 Sumit Garg, <sumit.garg@linaro.org> wrote:

Hi Ryan,

On Fri, 31 Jul 2020 at 21:05, Ryan Harkin <ryan.harkin@linaro.org> wrote:

Hello,

I'm migrating from Warrior to Dunfell and I'm getting a curious build failure in gcc-sanitizers.

Here's the full gory detail:
https://pastebin.ubuntu.com/p/nh4cDKMvgS/

However, the main error is this:

| In file included from ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:193:
| ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_internal_defs.h:317:72: error: size of array 'assertion_failed__1152' is negative
| typedef char IMPL_PASTE(assertion_failed_##_, line)[2*(int)(pred)-1]

I have no idea where to begin with this. I don't even know why gcc-sanitizers is included in the build, what it does, or why I need it. I'm building an image with dev packages and gcc, so I guess that's why.

I've hacked meta-arm to patch sanitizer_platform_limits_posix.cc to null out the macros and that builds fine. I'm sure it won't work, should someone want to use it, mind you.

Is there something obvious that I should be doing as part of a Warrior -> Dunfell migration to get this to work?
I would suggest you switch to the GCC 9.2 Arm toolchain for Dunfell.
RPB does the same [1].

I can do that, I have no reason to use 8.3 other than it's the default. Is my problem a known issue with 8.3, or is moving to 9.2 a general suggestion?
AFAIK, as upstream OE switches to a newer GCC version, it stops
supporting older GCC versions. And since we are building the Arm
toolchain here from source and rely on OE core recipes, it is possible
that the build could fail while trying to build an old toolchain version
using the latest OE core recipes.

So the general recommendation is to keep the Arm toolchain version as
close to the OE core one as possible to avoid any possible build failures.

-Sumit


GCCVERSION = "arm-9.2"

[1] https://github.com/96boards/meta-rpb/blob/dunfell/conf/distro/include/rpb.inc#L31

Thanks for the pointer.



-Sumit


note: Warrior used meta-linaro-toolchain and for Dunfell, it's moved to meta-arm-toolchain.

Regards,
Ryan.


Re: dunfell gcc-sanitizers-arm-8.3 fails to build

Ryan Harkin <ryan.harkin@...>
 



On Sat, 1 Aug 2020 at 10:09, Ryan Harkin <ryan.harkin@...> wrote:
Hi Khem,

On Fri, 31 Jul 2020, 21:58 Khem Raj, <raj.khem@...> wrote:
On Fri, Jul 31, 2020 at 8:35 AM Ryan Harkin <ryan.harkin@...> wrote:
>
> Hello,
>
> I'm migrating from Warrior to Dunfell and I'm getting a curious build failure in gcc-sanitizers.
>
> Here's the full gory detail:
>     https://pastebin.ubuntu.com/p/nh4cDKMvgS/
>
> However, the main error is this:
>
> | In file included from ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:193:
> | ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_internal_defs.h:317:72: error: size of array 'assertion_failed__1152' is negative
> |      typedef char IMPL_PASTE(assertion_failed_##_, line)[2*(int)(pred)-1]
>
> I have no idea where to begin with this. I don't even know why gcc-sanitizers is included in the build, what it does, or why I need it. I'm building an image with dev packages and gcc, so I guess that's why.
>
> I've hacked meta-arm to patch sanitizer_platform_limits_posix.cc to null out the macros and that builds fine. I'm sure it won't work, should someone want to use it, mind you.
>
> Is there something obvious that I should be doing as part of a Warrior -> Dunfell migration to get this to work?
>
> note: Warrior used meta-linaro-toolchain and for Dunfell, it's moved to meta-arm-toolchain.
>

is gcc 8.3 the latest for linaro

I assume so. I haven't attempted to change the default.

I'm sorry, that's incorrect: local.conf has an over-ride to specify 8.3.
I've just removed it and now it's using 9.3. And it's building fine.

Sumit, do you know if there's a reason for using 9.2 in RPB instead of 9.3?



> Regards,
> Ryan.
>


Re: dunfell gcc-sanitizers-arm-8.3 fails to build

Ryan Harkin <ryan.harkin@...>
 

Hi Sumit,

On Sat, 1 Aug 2020, 07:51 Sumit Garg, <sumit.garg@...> wrote:
Hi Ryan,

On Fri, 31 Jul 2020 at 21:05, Ryan Harkin <ryan.harkin@...> wrote:
>
> Hello,
>
> I'm migrating from Warrior to Dunfell and I'm getting a curious build failure in gcc-sanitizers.
>
> Here's the full gory detail:
>     https://pastebin.ubuntu.com/p/nh4cDKMvgS/
>
> However, the main error is this:
>
> | In file included from ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:193:
> | ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_internal_defs.h:317:72: error: size of array 'assertion_failed__1152' is negative
> |      typedef char IMPL_PASTE(assertion_failed_##_, line)[2*(int)(pred)-1]
>
> I have no idea where to begin with this. I don't even know why gcc-sanitizers is included in the build, what it does, or why I need it. I'm building an image with dev packages and gcc, so I guess that's why.
>
> I've hacked meta-arm to patch sanitizer_platform_limits_posix.cc to null out the macros and that builds fine. I'm sure it won't work, should someone want to use it, mind you.
>
> Is there something obvious that I should be doing as part of a Warrior -> Dunfell migration to get this to work?

I would suggest you switch to the GCC 9.2 Arm toolchain for Dunfell.
RPB does the same [1].

I can do that, I have no reason to use 8.3 other than it's the default. Is my problem a known issue with 8.3, or is moving to 9.2 a general suggestion?


Thanks for the pointer.



-Sumit

>
> note: Warrior used meta-linaro-toolchain and for Dunfell, it's moved to meta-arm-toolchain.
>
> Regards,
> Ryan.


Re: dunfell gcc-sanitizers-arm-8.3 fails to build

Ryan Harkin <ryan.harkin@...>
 

Hi Khem,

On Fri, 31 Jul 2020, 21:58 Khem Raj, <raj.khem@...> wrote:
On Fri, Jul 31, 2020 at 8:35 AM Ryan Harkin <ryan.harkin@...> wrote:
>
> Hello,
>
> I'm migrating from Warrior to Dunfell and I'm getting a curious build failure in gcc-sanitizers.
>
> Here's the full gory detail:
>     https://pastebin.ubuntu.com/p/nh4cDKMvgS/
>
> However, the main error is this:
>
> | In file included from ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:193:
> | ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_internal_defs.h:317:72: error: size of array 'assertion_failed__1152' is negative
> |      typedef char IMPL_PASTE(assertion_failed_##_, line)[2*(int)(pred)-1]
>
> I have no idea where to begin with this. I don't even know why gcc-sanitizers is included in the build, what it does, or why I need it. I'm building an image with dev packages and gcc, so I guess that's why.
>
> I've hacked meta-arm to patch sanitizer_platform_limits_posix.cc to null out the macros and that builds fine. I'm sure it won't work, should someone want to use it, mind you.
>
> Is there something obvious that I should be doing as part of a Warrior -> Dunfell migration to get this to work?
>
> note: Warrior used meta-linaro-toolchain and for Dunfell, it's moved to meta-arm-toolchain.
>

is gcc 8.3 the latest for linaro

I assume so. I haven't attempted to change the default.


> Regards,
> Ryan.
>


Re: dunfell gcc-sanitizers-arm-8.3 fails to build

Sumit Garg
 

Hi Ryan,

On Fri, 31 Jul 2020 at 21:05, Ryan Harkin <ryan.harkin@linaro.org> wrote:

Hello,

I'm migrating from Warrior to Dunfell and I'm getting a curious build failure in gcc-sanitizers.

Here's the full gory detail:
https://pastebin.ubuntu.com/p/nh4cDKMvgS/

However, the main error is this:

| In file included from ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:193:
| ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_internal_defs.h:317:72: error: size of array 'assertion_failed__1152' is negative
| typedef char IMPL_PASTE(assertion_failed_##_, line)[2*(int)(pred)-1]

I have no idea where to begin with this. I don't even know why gcc-sanitizers is included in the build, what it does, or why I need it. I'm building an image with dev packages and gcc, so I guess that's why.

I've hacked meta-arm to patch sanitizer_platform_limits_posix.cc to null out the macros and that builds fine. I'm sure it won't work, should someone want to use it, mind you.

Is there something obvious that I should be doing as part of a Warrior -> Dunfell migration to get this to work?
I would suggest you switch to the GCC 9.2 Arm toolchain for Dunfell.
RPB does the same [1].

GCCVERSION = "arm-9.2"

[1] https://github.com/96boards/meta-rpb/blob/dunfell/conf/distro/include/rpb.inc#L31

-Sumit


note: Warrior used meta-linaro-toolchain and for Dunfell, it's moved to meta-arm-toolchain.

Regards,
Ryan.


Extracting files and creating directory tar.gz's from yocto created root filesystem #yocto

forstevers
 

I am successfully creating a root file-system for my project (rocko version). I am interested in performing modifications to the root file-system after it has been constructed with a recipe.

I currently use a 
  ROOTFS_POSTUNINSTALL_COMMAND += "my_command "
in one of my recipes to perform some of my modifications.

I would like to tar.gz a sub-directory of the root file-system and save it to my build machine.

Any suggestions on how that could be performed?

Thanks


Re: dunfell gcc-sanitizers-arm-8.3 fails to build

Khem Raj
 

On Fri, Jul 31, 2020 at 8:35 AM Ryan Harkin <ryan.harkin@linaro.org> wrote:

Hello,

I'm migrating from Warrior to Dunfell and I'm getting a curious build failure in gcc-sanitizers.

Here's the full gory detail:
https://pastebin.ubuntu.com/p/nh4cDKMvgS/

However, the main error is this:

| In file included from ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:193:
| ../../../../../../../../../work-shared/gcc-arm-8.3-r2019.03/git/libsanitizer/sanitizer_common/sanitizer_internal_defs.h:317:72: error: size of array 'assertion_failed__1152' is negative
| typedef char IMPL_PASTE(assertion_failed_##_, line)[2*(int)(pred)-1]

I have no idea where to begin with this. I don't even know why gcc-sanitizers is included in the build, what it does, or why I need it. I'm building an image with dev packages and gcc, so I guess that's why.

I've hacked meta-arm to patch sanitizer_platform_limits_posix.cc to null out the macros and that builds fine. I'm sure it won't work, should someone want to use it, mind you.

Is there something obvious that I should be doing as part of a Warrior -> Dunfell migration to get this to work?

note: Warrior used meta-linaro-toolchain and for Dunfell, it's moved to meta-arm-toolchain.
Is gcc 8.3 the latest for Linaro?

Regards,
Ryan.


Re: cannot build PDF docs

Armin Kuster
 

Rob,


On 7/31/20 8:19 AM, Rob Prowel wrote:
Is there some magic to building the PDF versions of the yocto docs? I've tried on multiple machines running Debian and differing versions of Ubuntu and consistently the PDF docs fail to build.

Font substitution errors are trivial, but not being able to locate the images that get inserted is a pretty serious build bug.

What's the secret to building PDF docs, or where are they online? And no, I'm not interested in referring to cloud-based HTML docs. I want offline PDF documentation.


I believe you are hitting a known bug:  https://bugzilla.yoctoproject.org/show_bug.cgi?id=13767

regards,
Armin

Thanks!

$ make DOC=adt-manual pdf
cd adt-manual; ../tools/poky-docbook-to-pdf adt-manual.xml ../template; cd ..
Note: namesp. cut : stripped namespace before processing
            Yocto Project Application Developer's Guide

Making portrait pages on A4 paper (210mmx297mm)
Attributed 561 IDs for element, cleaned up 0
[warning] /usr/bin/fop: JVM flavor 'sun' not understood
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[INFO] FopConfParser - Default page-height set to: 11in
[INFO] FopConfParser - Default page-width set to: 8.26in
[ERROR] FOUserAgent - Image not found. URI: figures/adt-title.png. (See position 2:38206)
[WARN] FOUserAgent - Font "Symbol,normal,700" not found. Substituting with "Symbol,normal,400".
[WARN] FOUserAgent - Font "ZapfDingbats,normal,700" not found. Substituting with "ZapfDingbats,normal,400".
[ERROR] FOUserAgent - Image not found. URI: figures/adt-title.png. (No context info available)
[INFO] FOUserAgent - Rendered page #1.
[INFO] FOUserAgent - Rendered page #2.
[INFO] FOUserAgent - Rendered page #3.
[INFO] FOUserAgent - Rendered page #4.
[INFO] FOUserAgent - Rendered page #5.
[ERROR] FOUserAgent - Image not found. URI: figures/using-a-pre-built-image.png. (See position 736:275)
[WARN] FOUserAgent - Font "veramono,italic,400" not found. Substituting with "veramono,normal,400".
[WARN] FOUserAgent - The contents of fo:block line 1 exceed the available area in the inline-progression direction by more than 50 points. (See position 496:372)
[WARN] FOUserAgent - The contents of fo:block line 1 exceed the available area in the inline-progression direction by more than 50 points. (See position 496:372)
[WARN] FOUserAgent - The contents of fo:block line 1 exceed the available area in the inline-progression direction by more than 50 points. (See position 496:372)
[WARN] FOUserAgent - The contents of fo:block line 1 exceed

