
[meta-selinux][PATCH 2/2] net-tools: drop patch

Yi Zhao
 

The netstat-selinux-support.patch has been merged upstream. So drop it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
.../files/netstat-selinux-support.patch | 244 ------------------
.../net-tools/net-tools_selinux.inc | 4 -
2 files changed, 248 deletions(-)
delete mode 100644 recipes-extended/net-tools/files/netstat-selinux-support.patch

diff --git a/recipes-extended/net-tools/files/netstat-selinux-support.patch b/recipes-extended/net-tools/files/netstat-selinux-support.patch
deleted file mode 100644
index f089041..0000000
--- a/recipes-extended/net-tools/files/netstat-selinux-support.patch
+++ /dev/null
@@ -1,244 +0,0 @@
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Wed, 13 Jun 2012 13:32:01 +0800
-Subject: [PATCH] net-tools: netstat add SELinux support.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
----
- Makefile | 9 ++++++++-
- netstat.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
- 2 files changed, 74 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 8fcc55c..0b5c395 100644
---- a/Makefile
-+++ b/Makefile
-@@ -116,6 +116,13 @@ NET_LIB = $(NET_LIB_PATH)/lib$(NET_LIB_NAME).a
- CFLAGS = $(COPTS) -I. -idirafter ./include/ -I$(NET_LIB_PATH)
- LDFLAGS = $(LOPTS) -L$(NET_LIB_PATH)
-
-+ifeq ($(HAVE_SELINUX),1)
-+SELINUX_LDFLAGS = -lselinux
-+CFLAGS += -DHAVE_SELINUX
-+else
-+SELINUX_LDFLAGS =
-+endif
-+
- SUBDIRS = man/ $(NET_LIB_PATH)/
-
- ifeq ($(origin CC), undefined)
-@@ -209,7 +216,7 @@ plipconfig: $(NET_LIB) plipconfig.o
- $(CC) $(LDFLAGS) -o plipconfig plipconfig.o $(NLIB)
-
- netstat: $(NET_LIB) netstat.o statistics.o
-- $(CC) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB)
-+ $(CC) $(SELINUX_LDFLAGS) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB)
-
- iptunnel: $(NET_LIB) iptunnel.o
- $(CC) $(LDFLAGS) -o iptunnel iptunnel.o $(NLIB) $(RESLIB)
-diff --git a/netstat.c b/netstat.c
-index fc10414..a773e81 100644
---- a/netstat.c
-+++ b/netstat.c
-@@ -90,6 +90,12 @@
- #include <sys/types.h>
- #include <asm-generic/param.h>
-
-+#if HAVE_SELINUX
-+#include <selinux/selinux.h>
-+#else
-+#define security_context_t char*
-+#endif
-+
- #include "net-support.h"
- #include "pathnames.h"
- #include "version.h"
-@@ -101,6 +107,7 @@
- #include "proc.h"
-
- #define PROGNAME_WIDTH 20
-+#define SELINUX_WIDTH 50
-
- #if !defined(s6_addr32) && defined(in6a_words)
- #define s6_addr32 in6a_words /* libinet6 */
-@@ -180,6 +187,7 @@ int flag_wide= 0;
- int flag_prg = 0;
- int flag_arg = 0;
- int flag_ver = 0;
-+int flag_selinux = 0;
-
- FILE *procinfo;
-
-@@ -243,12 +251,17 @@ FILE *procinfo;
- #define PROGNAME_WIDTH1(s) PROGNAME_WIDTH2(s)
- #define PROGNAME_WIDTH2(s) #s
-
-+#define SELINUX_WIDTHs SELINUX_WIDTH1(SELINUX_WIDTH)
-+#define SELINUX_WIDTH1(s) SELINUX_WIDTH2(s)
-+#define SELINUX_WIDTH2(s) #s
-+
- #define PRG_HASH_SIZE 211
-
- static struct prg_node {
- struct prg_node *next;
- unsigned long inode;
- char name[PROGNAME_WIDTH];
-+ char scon[SELINUX_WIDTH];
- } *prg_hash[PRG_HASH_SIZE];
-
- static char prg_cache_loaded = 0;
-@@ -256,9 +269,12 @@ static char prg_cache_loaded = 0;
- #define PRG_HASHIT(x) ((x) % PRG_HASH_SIZE)
-
- #define PROGNAME_BANNER "PID/Program name"
-+#define SELINUX_BANNER "Security Context"
-
- #define print_progname_banner() do { if (flag_prg) printf("%-" PROGNAME_WIDTHs "s"," " PROGNAME_BANNER); } while (0)
-
-+#define print_selinux_banner() do { if (flag_selinux) printf("%-" SELINUX_WIDTHs "s"," " SELINUX_BANNER); } while (0)
-+
- #define PRG_LOCAL_ADDRESS "local_address"
- #define PRG_INODE "inode"
- #define PRG_SOCKET_PFX "socket:["
-@@ -280,7 +296,7 @@ static char prg_cache_loaded = 0;
- /* NOT working as of glibc-2.0.7: */
- #undef DIRENT_HAVE_D_TYPE_WORKS
-
--static void prg_cache_add(unsigned long inode, char *name)
-+static void prg_cache_add(unsigned long inode, char *name, char *scon)
- {
- unsigned hi = PRG_HASHIT(inode);
- struct prg_node **pnp,*pn;
-@@ -301,6 +317,14 @@ static void prg_cache_add(unsigned long inode, char *name)
- if (strlen(name)>sizeof(pn->name)-1)
- name[sizeof(pn->name)-1]='\0';
- strcpy(pn->name,name);
-+
-+ {
-+ int len=(strlen(scon)-sizeof(pn->scon))+1;
-+ if (len > 0)
-+ strcpy(pn->scon,&scon[len+1]);
-+ else
-+ strcpy(pn->scon,scon);
-+ }
- }
-
- static const char *prg_cache_get(unsigned long inode)
-@@ -313,6 +337,16 @@ static const char *prg_cache_get(unsigned long inode)
- return("-");
- }
-
-+static const char *prg_cache_get_con(unsigned long inode)
-+{
-+ unsigned hi=PRG_HASHIT(inode);
-+ struct prg_node *pn;
-+
-+ for (pn=prg_hash[hi];pn;pn=pn->next)
-+ if (pn->inode==inode) return(pn->scon);
-+ return("-");
-+}
-+
- static void prg_cache_clear(void)
- {
- struct prg_node **pnp,*pn;
-@@ -384,6 +418,7 @@ static void prg_cache_load(void)
- const char *cs,*cmdlp;
- DIR *dirproc=NULL,*dirfd=NULL;
- struct dirent *direproc,*direfd;
-+ security_context_t scon=NULL;
-
- if (prg_cache_loaded || !flag_prg) return;
- prg_cache_loaded=1;
-@@ -453,7 +488,15 @@ static void prg_cache_load(void)
- }
-
- snprintf(finbuf, sizeof(finbuf), "%s/%s", direproc->d_name, cmdlp);
-- prg_cache_add(inode, finbuf);
-+#if HAVE_SELINUX
-+ if (getpidcon(atoi(direproc->d_name), &scon) == -1) {
-+ scon=strdup("-");
-+ }
-+ prg_cache_add(inode, finbuf, scon);
-+ freecon(scon);
-+#else
-+ prg_cache_add(inode, finbuf, "-");
-+#endif
- }
- closedir(dirfd);
- dirfd = NULL;
-@@ -573,6 +616,8 @@ static void finish_this_one(int uid, unsigned long inode, const char *timers)
- }
- if (flag_prg)
- printf(" %-16s",prg_cache_get(inode));
-+ if (flag_selinux)
-+ printf("%-" SELINUX_WIDTHs "s",prg_cache_get_con(inode));
- if (flag_opt)
- printf(" %s", timers);
- putchar('\n');
-@@ -1566,6 +1611,8 @@ static void unix_do_one(int nr, const char *line)
- printf("- ");
- if (flag_prg)
- printf("%-" PROGNAME_WIDTHs "s",(has & HAS_INODE?prg_cache_get(inode):"-"));
-+ if (flag_selinux)
-+ printf("%-" SELINUX_WIDTHs "s",(has & HAS_INODE?prg_cache_get_con(inode):"-"));
- puts(path);
- }
-
-@@ -1584,6 +1631,7 @@ static int unix_info(void)
-
- printf(_("\nProto RefCnt Flags Type State I-Node "));
- print_progname_banner();
-+ print_selinux_banner();
- printf(_(" Path\n")); /* xxx */
-
- {
-@@ -1874,6 +1922,7 @@ static void usage(void)
- fprintf(stderr, _(" -o, --timers display timers\n"));
- fprintf(stderr, _(" -F, --fib display Forwarding Information Base (default)\n"));
- fprintf(stderr, _(" -C, --cache display routing cache instead of FIB\n\n"));
-+ fprintf(stderr, _(" -Z, --context display SELinux security context for sockets\n\n"));
-
- fprintf(stderr, _(" <Socket>={-t|--tcp} {-u|--udp} {-S|--sctp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom\n"));
- fprintf(stderr, _(" <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: %s\n"), DFLT_AF);
-@@ -1920,6 +1969,7 @@ int main
- {"cache", 0, 0, 'C'},
- {"fib", 0, 0, 'F'},
- {"groups", 0, 0, 'g'},
-+ {"context", 0, 0, 'Z'},
- {NULL, 0, 0, 0}
- };
-
-@@ -1931,7 +1981,7 @@ int main
- getroute_init(); /* Set up AF routing support */
-
- afname[0] = '\0';
-- while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxl64", longopts, &lop)) != EOF)
-+ while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxlZ64", longopts, &lop)) != EOF)
- switch (i) {
- case -1:
- break;
-@@ -2036,6 +2086,19 @@ int main
- if (aftrans_opt("unix"))
- exit(1);
- break;
-+ case 'Z':
-+#if HAVE_SELINUX
-+ if (is_selinux_enabled() <= 0) {
-+ fprintf(stderr, _("SELinux is not enabled on this machine.\n"));
-+ exit(1);
-+ }
-+ flag_prg++;
-+ flag_selinux++;
-+#else
-+ fprintf(stderr, _("SELinux is not enabled for this application.\n"));
-+ exit(1);
-+#endif
-+ break;
- case '?':
- case 'h':
- usage();
---
-1.9.1
-
diff --git a/recipes-extended/net-tools/net-tools_selinux.inc b/recipes-extended/net-tools/net-tools_selinux.inc
index cc3196f..1bcf7be 100644
--- a/recipes-extended/net-tools/net-tools_selinux.inc
+++ b/recipes-extended/net-tools/net-tools_selinux.inc
@@ -1,7 +1,3 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-SRC_URI += "file://netstat-selinux-support.patch"
-
inherit selinux

DEPENDS += "${LIBSELINUX}"
--
2.17.1


Re: Remove connman package from yocto sdk.

Quentin Schulz
 

Hi,

On Tue, Jul 28, 2020 at 09:02:45AM +0200, Josef Holzmayr-Khosh Amoz wrote:
Howdy!

Am Di., 28. Juli 2020 um 07:19 Uhr schrieb NIKHIL PATIL <nikhilvp29@gmail.com>:

hi,
We are still facing the same issue.
If anyone knows, please help.

On Fri, Jul 24, 2020 at 6:14 PM NIKHIL PATIL <nikhilvp29@gmail.com> wrote:

Hi team,
We want to use NetworkManager to access the internet using an LTE module, but connman and NetworkManager are both installed.

I struggled so much to remove connman, I tried as follows :-
1) Added IMAGE_INSTALL_remove = "connman" in local.conf
but it still come with sato image.

2) Added DISTRO_FEATURE_remove = "connman" in local.conf
but it still come with sato image.

By default connman is coming in image , how to remove connman ?
Do not remove connman. If you don't need it, then do not even build
and install it. find out what pulls it in, and change that.
Additionally, tinkering with that through local.conf is a bad
practise: create your own image recipe and start from there.
Don't know if it works, but I was always wondering if adding
PACKAGE_EXCLUDE = "connman" would be a way to find out for sure whether at
least one recipe is "adding" connman to the image. It also makes sure
connman does not make it into the final image, which incidentally fails
the build if connman **has** to be in the image (because of the RDEPENDS
of a recipe, or because it is added directly by the machine or distro conf
files or by the image recipe).

Just throwing this idea here, no idea if this works and I didn't have
the opportunity to test in our layers yet.

Quentin


Re: Remove connman package from yocto sdk.

Josef Holzmayr
 

Howdy!

Am Di., 28. Juli 2020 um 07:19 Uhr schrieb NIKHIL PATIL <nikhilvp29@gmail.com>:

hi,
We are still facing the same issue.
If anyone knows, please help.

On Fri, Jul 24, 2020 at 6:14 PM NIKHIL PATIL <nikhilvp29@gmail.com> wrote:

Hi team,
We want to use NetworkManager to access the internet using an LTE module, but connman and NetworkManager are both installed.

I struggled so much to remove connman, I tried as follows :-
1) Added IMAGE_INSTALL_remove = "connman" in local.conf
but it still come with sato image.

2) Added DISTRO_FEATURE_remove = "connman" in local.conf
but it still come with sato image.

By default connman is coming in image , how to remove connman ?
Do not remove connman. If you don't need it, then do not even build
and install it. find out what pulls it in, and change that.
Additionally, tinkering with that through local.conf is a bad
practise: create your own image recipe and start from there.

Greetz


Re: #toolchain #yocto #devtool #linux #devtool #linux #toolchain #yocto

Josef Holzmayr
 

Howdy!

Am Di., 28. Juli 2020 um 07:09 Uhr schrieb <andymishra97@gmail.com>:

Hi,
I am trying to build a Yocto demo-coreip-cli image for my custom RISC-V SoC, which only supports the imafd instructions. To compile the cross toolchain used by BitBake, I tried changing the cross-binutils.inc and cross-gcc.inc recipes in the openembedded-core layer by adding "--with-arch=rv64imafd" to the EXTRA_OECONF variable. Is there anything else I am missing or doing wrong? Thank you.
Patching the cross toolchain should be the last resort. First, you
should create a MACHINE definition that suits your needs and adjust
the tune flags there.

Greetz


Re: [meta-java] icedtea7-native fails to build with error: cc1plus: all warnings being treated as errors

Jeff Ithier
 

Hi Robert,

Thanks for the tip, it seems to have worked and I've gotten past the compilation step.

Unfortunately, now the build seems to be failing the do_package_rpm task with the following error:

Exception: bb.process.ExecutionError: Execution of '../build/tmp/work/aarch64-poky-linux/icedtea7-native/%-r0/temp/run.BUILDSPEC.153296' failed with exit code 127:
../build/tmp/work/aarch64-poky-linux/icedtea7-native/%-r0/temp/run.BUILDSPEC.153296: 106: rpmbuild: not found
WARNING: exit code 127 from a shell command.

Did you also encounter this ?

Cheers
Jeff

On 7/28/20 5:28 AM, Robert Joslyn wrote:
On Mon, 2020-07-27 at 06:16 -0700, ithijme@gmail.com wrote:
Hi,

I am trying to build openjdk-8-native, however its icedtea7 dependency
fails to build.
The error is a little hard to parse but it appears to be due to warnings
being treated as errors.
There are a lot of logs like the following:

| In function ‘int fprintf(FILE*, const char*, ...)’,
| inlined from ‘void ADLParser::frame_parse()’ at
.../build/tmp/work/x86_64-linux/icedtea7-native/2.1.3-r1.0/icedtea-
2.1.3/build/openjdk-boot/hotspot/src/share/vm/adlc/adlparse.cpp:1118:34:
| /usr/include/x86_64-linux-gnu/bits/stdio2.h:100:24: error: ‘%s’
directive argument is null [-Werror=format-overflow=]
| 100 | return __fprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1,
__fmt,
| |
~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 101 | __va_arg_pack ());
| | ~~~~~~~~~~~~~~~~~
| cc1plus: all warnings being treated as errors
| make[7]: *** [.../build/tmp/work/x86_64-linux/icedtea7-native/2.1.3-
r1.0/icedtea-2.1.3/build/openjdk-
boot/hotspot/make/linux/makefiles/adlc.make:207:
../generated/adfiles/adlparse.o] Error 1
| make[7]: *** Waiting for unfinished jobs....
| cc1plus: all warnings being treated as errors

I am using the following bblayers:
* poky/meta
* poky/meta-poky
* meta-openembedded/meta-oe
* meta-java

All layers are from the dunfell branch of their respective repositories
and are up to date.

Can anybody offer any advice on how to successfully build the openjdk-8-
native recipe ? Anybody have it working themselves ?

Cheers
Jeff
I had the same problem about a month ago. My quick fix was to create an
icedtea7-native_%.bbappend in my own layer to stop that warning from being
turned into an error (the warning is still printed, and the null '%s'
argument it reports is left as it is):

CFLAGS_append = " -Wno-error=format-overflow"

I assume it's due to the compiler on your build machine being newer (or at
least different) than what the recipe is expecting.

Robert


Re: Remove connman package from yocto sdk.

NIKHIL PATIL
 

hi,
 We are still facing the same issue.
  If anyone knows, please help.

On Fri, Jul 24, 2020 at 6:14 PM NIKHIL PATIL <nikhilvp29@...> wrote:
Hi team,
          We want to use NetworkManager to access the internet using an LTE module, but connman and NetworkManager are both installed.
               
          I struggled so much to remove connman,  I tried as follows :-
           1) Added IMAGE_INSTALL_remove = "connman"  in local.conf
                            but it still come with sato image.

            2) Added DISTRO_FEATURE_remove = "connman"  in local.conf
                            but it still come with sato image.
   
    By default connman is coming in image , how to remove connman ?
      


#toolchain #yocto #devtool #linux #devtool #linux #toolchain #yocto

andymishra97@...
 

Hi,
I am trying to build a Yocto demo-coreip-cli image for my custom RISC-V SoC, which only supports the imafd instructions. To compile the cross toolchain used by BitBake, I tried changing the cross-binutils.inc and cross-gcc.inc recipes in the openembedded-core layer by adding "--with-arch=rv64imafd" to the EXTRA_OECONF variable. Is there anything else I am missing or doing wrong? Thank you.


Re: [meta-java] icedtea7-native fails to build with error: cc1plus: all warnings being treated as errors

Robert Joslyn
 

On Mon, 2020-07-27 at 06:16 -0700, ithijme@gmail.com wrote:
Hi,

I am trying to build openjdk-8-native, however its icedtea7 dependency
fails to build.
The error is a little hard to parse but it appears to be due to warnings
being treated as errors.
There are a lot of logs like the following:

| In function ‘int fprintf(FILE*, const char*, ...)’,
| inlined from ‘void ADLParser::frame_parse()’ at
.../build/tmp/work/x86_64-linux/icedtea7-native/2.1.3-r1.0/icedtea-
2.1.3/build/openjdk-boot/hotspot/src/share/vm/adlc/adlparse.cpp:1118:34:
| /usr/include/x86_64-linux-gnu/bits/stdio2.h:100:24: error: ‘%s’
directive argument is null [-Werror=format-overflow=]
| 100 | return __fprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1,
__fmt,
| |
~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 101 | __va_arg_pack ());
| | ~~~~~~~~~~~~~~~~~
| cc1plus: all warnings being treated as errors
| make[7]: *** [.../build/tmp/work/x86_64-linux/icedtea7-native/2.1.3-
r1.0/icedtea-2.1.3/build/openjdk-
boot/hotspot/make/linux/makefiles/adlc.make:207:
../generated/adfiles/adlparse.o] Error 1
| make[7]: *** Waiting for unfinished jobs....
| cc1plus: all warnings being treated as errors

I am using the following bblayers:
* poky/meta
* poky/meta-poky
* meta-openembedded/meta-oe
* meta-java

All layers are from the dunfell branch of their respective repositories
and are up to date.

Can anybody offer any advice on how to successfully build the openjdk-8-
native recipe ? Anybody have it working themselves ?

Cheers
Jeff
I had the same problem about a month ago. My quick fix was to create an
icedtea7-native_%.bbappend in my own layer to stop that warning from being
turned into an error (the warning is still printed, and the null '%s'
argument it reports is left as it is):

CFLAGS_append = " -Wno-error=format-overflow"

I assume it's due to the compiler on your build machine being newer (or at
least different) than what the recipe is expecting.

Robert


Re: How to enable preempt-rt in Yocto Zeus or Warrior?

Bruce Ashfield
 



On Mon, Jul 27, 2020 at 3:51 PM Scott Whitney <sdw@...> wrote:

Hi Yocto group,

 

I’m working with a newly-released copy of Yocto Zeus from Variscite for the i.MX8MM Mini, although the same option seems to apply to the previous Yocto Warrior. 

 

I understand that a Linux real-time kernel can be enabled by setting LINUX_KERNEL_TYPE = “preempt-rt”.  Where does this option need to be set so that when I bitbake fsl-image-qt5, I get the Linux “preempt-rt” kernel instead of the “standard” kernel?

 

Is there a specific configuration file that needs to be modified, or a new recipe in a layer?  I am confused and hoping that you can help.


If you aren't using linux-yocto, you'll need to arrange for the preempt-rt patch(es) to be applied to whatever kernel you are using. Which means you are creating a new recipe, bbappending an existing one, or if you are lucky the kernel provider already has a -rt recipe available.

If you are using linux-yocto, it's as simple as setting the preferred provider of the kernel as linux-yocto-rt  and building.

Bruce

 

 

Best regards,

 

Scott D. Whitney

Principal Software Engineer


Intertech Engineering Associates, Inc.
100 Lowder Brook Drive, Suite 2500
Westwood, MA  02090
sdw@...    |     T: 781-801-1152    |     F: 781-801-1108    |     www.inea.com

 




--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


Enhancements/Bugs closed WW30!

Stephen Jolley
 

All,

The below were the owners of enhancements or bugs closed during the last week!

Who

Count

richard.purdie@...

5

steve@...

1

trevor.gamblin@...

1

kexin.hao@...

1

guillaume.bonnet@...

1

timothy.t.orling@...

1

Grand Total

10

 

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

(    Cell:                (208) 244-4460

* Email:              sjolley.yp.pm@...

 


Current high bug count owners for Yocto Project 3.2

Stephen Jolley
 

All,

Below is the list of the top 30 bug owners, as of the end of WW30, who have open medium or higher bugs and enhancements against YP 3.2.   There are 67 possible work days left until the final release candidates for YP 3.2 need to be released.

Who

Count

david.reyna@...

10

mark.morton@...

7

bluelightning@...

7

ross@...

7

richard.purdie@...

7

michael@...

5

Qi.Chen@...

5

raj.khem@...

3

randy.macleod@...

2

chee.yang.lee@...

2

kai.kang@...

2

kergoth@...

2

yi.zhao@...

2

sakib.sajal@...

2

trevor.gamblin@...

2

JPEWhacker@...

2

timothy.t.orling@...

2

rpjday@...

2

changqing.li@...

1

mark.hatle@...

1

jaewon@...

1

maxime.roussinbelanger@...

1

matthew.zeng@...

1

jpuhlman@...

1

bruce.ashfield@...

1

liu.ming50@...

1

kai.ruhnau@...

1

hongxu.jia@...

1

matt.ranostay@...

1

anuj.mittal@...

1

Grand Total

83

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

(    Cell:                (208) 244-4460

* Email:              sjolley.yp.pm@...

 


Yocto Project Newcomer & Unassigned Bugs - Help Needed

Stephen Jolley
 

All,

 

The triage team is starting to try and collect up and classify bugs which a newcomer to the project would be able to work on in a way which means people can find them. They're being listed on the triage page under the appropriate heading:

 

https://wiki.yoctoproject.org/wiki/Bug_Triage#Newcomer_Bugs

 

The idea is these bugs should be straight forward for a person to help work on who doesn't have deep experience with the project.  If anyone can help, please take ownership of the bug and send patches!  If anyone needs help/advice there are people on irc who can likely do so, or some of the more experienced contributors will likely be happy to help too.

 

Also, the triage team meets weekly and does its best to handle the bugs reported into the Bugzilla. The number of people attending that meeting has fallen, as have the number of people available to help fix bugs. One of the things we hear users report is they don't know how to help. We (the triage team) are therefore going to start reporting out the currently 336 unassigned or newcomer bugs.

 

We're hoping people may be able to spare some time now and again to help out with these.  Bugs are split into two types: "true bugs", where things don't work as they should, and "enhancements", which are features we'd want to add to the system.  There are also roughly four different "priority" classes right now, "3.1", "3.2", "3.99" and "Future", the more pressing/urgent issues being in "3.1" and then "3.2".

 

Please review this link and if a bug is something you would be able to help with either take ownership of the bug, or send me (sjolley.yp.pm@...) an e-mail with the bug number you would like and I will assign it to you (please make sure you have a Bugzilla account).  The list is at: https://wiki.yoctoproject.org/wiki/Bug_Triage_Archive#Unassigned_or_Newcomer_Bugs

 

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

(    Cell:                (208) 244-4460

* Email:              sjolley.yp.pm@...

 


How to enable preempt-rt in Yocto Zeus or Warrior?

Scott Whitney <sdw@...>
 

Hi Yocto group,

 

I’m working with a newly-released copy of Yocto Zeus from Variscite for the i.MX8MM Mini, although the same option seems to apply to the previous Yocto Warrior. 

 

I understand that a Linux real-time kernel can be enabled by setting LINUX_KERNEL_TYPE = “preempt-rt”.  Where does this option need to be set so that when I bitbake fsl-image-qt5, I get the Linux “preempt-rt” kernel instead of the “standard” kernel?

 

Is there a specific configuration file that needs to be modified, or a new recipe in a layer?  I am confused and hoping that you can help.

 

Best regards,

 

Scott D. Whitney

Principal Software Engineer


Intertech Engineering Associates, Inc.
100 Lowder Brook Drive, Suite 2500
Westwood, MA  02090
sdw@...    |     T: 781-801-1152    |     F: 781-801-1108    |     www.inea.com

 


Re: Offline Build #yocto

Fred Baksik
 


On Mon, Jul 27, 2020, at 12:38 AM, Amrun Nisha.R wrote:
Hi Fred,

Check whether the downloads folder has all the files. While checking the folders, I found that I could not find the branches and ref folders in the git2 folder (downloads/git2). Once I placed the empty folders branch and ref there, it worked fine for me, and I didn't update the config file.
-=-=-=-=-=-=-=-=-=-=-=-



The downloads folder that I used to setup the pre-mirror didn't even contain the git2 folder.  From the directions:
Optionally Remove Any Git or other SCM Subdirectories From the Downloads Directory: If you want, you can clean up your downloads directory by removing any Git or other Source Control Management (SCM) subdirectories such as ${DL_DIR}/git2/*. The tarballs already contain these subdirectories.

FYI, the documentation states for DL_DIR:
By default, DL_DIR gets files suitable for mirroring for everything except Git repositories. If you want tarballs of Git repositories, use the BB_GENERATE_MIRROR_TARBALLS variable.

All I can say is that following these directions for replicating the build offline worked.
When skipping any of the steps I saw similar errors like the one in the original post.


Re: [bitbake-devel] [yocto] Stable Warrior branch

Armin Kuster
 

Adrian,

On 7/21/20 1:53 AM, Richard Purdie wrote:
On Tue, 2020-07-14 at 16:56 +0300, Adrian Bunk wrote:
On Thu, Jun 04, 2020 at 09:28:00PM -0700, akuster wrote:
Hello,

The Warrior branch of Poky has had its last official dot release.
It
will be moving to Community support and EOL within 6 weeks if no
one
steps up.
If someone is interested in taking on the responsibilities of
maintaining the "Warrior" branch moving forward, please email this
list.
I have an interest in keeping warrior branch alive in poky and meta-
oe,
and I'll take this responsibility since noone else seems to be
interested.
Are you still interested?

-armin
Please look at the
https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS for what
will
be expected.
I have some ideas, but not yet a fixed plan how I will set this up.
Ok. FWIW we are struggling a little with keeping the older releases
building on the autobuilder as the workers change. We do have plans for
handling this with buildtools but its not rolled out on the older
autobuilder-helper branches.

I do have work in progress working with Jeremy for thud
(contrib/rpurdie/thud), much of which should apply to warrior too
(contrib/rpurdie/warrior is a guess). I just really want to highlight
that there may be some initial work to get these older branches to the
point where they continue to work on the infrastructure.

I think we may have to accept backporting a lot of patches in helper to
bring things more into sync with master/dunfell to make all this easier
to maintain/get working.

Cheers,

Richard


[meta-java] icedtea7-native fails to build with error: cc1plus: all warnings being treated as errors

Jeff Ithier
 

Hi,

I am trying to build openjdk-8-native, however its icedtea7 dependency fails to build.
The error is a little hard to parse but it appears to be due to warnings being treated as errors.
There are a lot of logs like the following:

| In function ‘int fprintf(FILE*, const char*, ...)’,
|     inlined from ‘void ADLParser::frame_parse()’ at .../build/tmp/work/x86_64-linux/icedtea7-native/2.1.3-r1.0/icedtea-2.1.3/build/openjdk-boot/hotspot/src/share/vm/adlc/adlparse.cpp:1118:34:
| /usr/include/x86_64-linux-gnu/bits/stdio2.h:100:24: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
|   100 |   return __fprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1, __fmt,
|       |          ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|   101 |    __va_arg_pack ());
|       |    ~~~~~~~~~~~~~~~~~
| cc1plus: all warnings being treated as errors
| make[7]: *** [.../build/tmp/work/x86_64-linux/icedtea7-native/2.1.3-r1.0/icedtea-2.1.3/build/openjdk-boot/hotspot/make/linux/makefiles/adlc.make:207: ../generated/adfiles/adlparse.o] Error 1
| make[7]: *** Waiting for unfinished jobs....
| cc1plus: all warnings being treated as errors

I am using the following bblayers:
* poky/meta
* poky/meta-poky
* meta-openembedded/meta-oe
* meta-java

All layers are from the dunfell branch of their respective repositories and are up to date.

Can anybody offer any advice on how to successfully build the openjdk-8-native recipe ? Anybody have it working themselves ?

Cheers
Jeff


Re: ERRORS while building customized yocto image for Raspberrypi #yocto

Quentin Schulz
 

Hi Bhavya,

On Fri, Jul 24, 2020 at 09:12:09PM -0700, paruchuribhavyasree@gmail.com wrote:
Hi Quentin

I tried changing it but facing same kind of error during Build.
Your S = "${WORKDIR}" is probably wrong then.

Is there only a directory "at the root" of the tarball? I mean if you
untar it, do you get one directory where all your source code is? In
that case, if the subdirectory is named "gsm-${PV}" (replace PV with the
correct and full number), you don't need to define S because the default
should be just enough IIRC.

Otherwise, S = "${WORKDIR}/<whatever_name_of_the_dir_in_gsm-${PV}.tar.gz_is>"

Finally, since your license is not in the tarball (but it should really
be actually), you need to prefix your LIC_FILES_CHKSUM with "../"
otherwise the license won't be found.

Moreover, you can't assign the same variable twice and expect the values to
be merged. That's what you did for SRC_URI, but I missed that you also
did it for LICENSE. If it's dual licensed, use LICENSE = "GNUC | GPLv3" or
LICENSE = "GNUC & GPLv3"; the meaning is obviously not the same, but only
you can know what to put there.

N.B.: You still need the SRC_URI as I gave you in an earlier mail.

Quentin


Re: ERRORS while building customized yocto image for Raspberrypi #yocto

paruchuribhavyasree@...
 

Hi,
 
I am trying to build a Yocto image for customized code, where the source code is in my local files. Here is my recipe:
 
----------------------------------------------------------------------------------------------------------------------------------
# Recipe that builds the GSM sources from a local tarball with autotools,
# with a build-time dependency on asterisk.
DESCRIPTION = "GSM-ASTERISK-SPI"
HOMEPAGE = ""
SECTION = "GSM build for Asterisk"
PR = "r1"
# NOTE(review): LICENSE is assigned twice with "="; the second assignment
# replaces the first, so only "GPLv3" is in effect. A dual-licensed recipe
# needs one expression joining the names with "|" or "&".
LICENSE = "GNUC"
LICENSE = "GPLv3"
# NOTE(review): d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes of
# input, so this checksum only matches an empty "license" file. Confirm the
# file really holds the license text before relying on this check.
LIC_FILES_CHKSUM = "file://license;md5=d41d8cd98f00b204e9800998ecf8427e"

# Adds <recipe dir>/${PN}-${PV}/ to the search path for file:// sources.
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-${PV}:"

DEPENDS = "asterisk"
# NOTE(review): SRCREV normally selects a revision for SCM fetchers; every
# source below is file://, so this is presumably unused - confirm.
SRCREV = "0.1"
# NOTE(review): same double assignment as LICENSE: the second "=" replaces
# the first, leaving only file://license in SRC_URI, so the tarball is no
# longer listed as a source.
SRC_URI = "file://gsm-${PV}.tar.gz"
SRC_URI = "file://license"

# Source directory is the work directory itself.
# NOTE(review): this only fits if the sources land directly in WORKDIR and
# not in a subdirectory created by unpacking the tarball - verify.
S = "${WORKDIR}"

inherit autotools

#PARALLEL_MAKE = ""
----------------------------------------------------------------------------------------------------------------------------------
 
Here I am facing few errors in do_compile as mentioned below.
 
 
-----------------------------------------------------------------------------------------------------------------------------------
WARNING: Layer example should set LAYERSERIES_COMPAT_example in its conf/layer.conf file to list the core layer names it is compatible with.
WARNING: Layer example should set LAYERSERIES_COMPAT_example in its conf/layer.conf file to list the core layer names it is compatible with.
Loading cache: 100% |###########################################################################################################| Time: 0:00:00
Loaded 2422 entries from dependency cache.
Parsing recipes: 100% |#########################################################################################################| Time: 0:00:00
Parsing of 1631 .bb files complete (1630 cached, 1 parsed). 2422 targets, 116 skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies

Build Configuration:
BB_VERSION           = "1.46.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "universal"
TARGET_SYS           = "arm-poky-linux-gnueabi"
MACHINE              = "raspberrypi3"
DISTRO               = "poky"
DISTRO_VERSION       = "3.1.1"
TUNE_FEATURES        = "arm vfp cortexa7 neon vfpv4 thumb callconvention-hard"
TARGET_FPU           = "hard"
meta                 
meta-poky            
meta-yocto-bsp       = "dunfell:febbe2944c0c4a04b85fa98fdc261186115954d8"
meta-rpi             = "master:39cf54c3cb429f2c6e0a000e79f6f06b39e2fa8b"
meta-oe              = "master:81ee0b68fa32bcd60e1226f612ec63b1e672f263"
meta-example         = "master:8148d045406cbb2b66a6848ea93371808d206323"
meta-telephony       = "master:9e50dbdd1ee672494758d29482444cf40a36d1ba"

Initialising tasks: 100% |######################################################################################################| Time: 0:00:00
Sstate summary: Wanted 33 Found 28 Missed 5 Current 634 (84% match, 99% complete)
NOTE: Executing Tasks
ERROR: gsm-1.0-r1 do_compile: oe_runmake failed
ERROR: gsm-1.0-r1 do_compile: Execution of '/home/bhavya/dialtronics/yocto/workspace/yocto_rpi/tmp/work/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/gsm/1.0-r1/temp/run.do_compile.9167' failed with exit code 1:
make: *** No targets specified and no makefile found.  Stop.
WARNING: exit code 1 from a shell command.

ERROR: Logfile of failure stored in: /home/bhavya/dialtronics/yocto/workspace/yocto_rpi/tmp/work/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/gsm/1.0-r1/temp/log.do_compile.9167
Log data follows:
| DEBUG: Executing python function autotools_aclocals
| DEBUG: SITE files ['endian-little', 'bit-32', 'arm-common', 'arm-32', 'common-linux', 'common-glibc', 'arm-linux', 'arm-linux-gnueabi', 'common']
| DEBUG: Python function autotools_aclocals finished
| DEBUG: Executing shell function do_compile
| NOTE: make -j 8
| make: *** No targets specified and no makefile found.  Stop.
| ERROR: oe_runmake failed
| WARNING: exit code 1 from a shell command.
| ERROR: Execution of '/home/bhavya/dialtronics/yocto/workspace/yocto_rpi/tmp/work/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/gsm/1.0-r1/temp/run.do_compile.9167' failed with exit code 1:
| make: *** No targets specified and no makefile found.  Stop.
| WARNING: exit code 1 from a shell command.
|
ERROR: Task (/home/bhavya/dialtronics/yocto/poky-dunfell/meta-telephony/recipes-gsm/gsm/gsm_1.0.bb:do_compile) failed with exit code '1'
NOTE: Tasks Summary: Attempted 2064 tasks of which 2063 didn't need to be rerun and 1 failed.

Summary: 1 task failed:
  /home/bhavya/dialtronics/yocto/poky-dunfell/meta-telephony/recipes-gsm/gsm/gsm_1.0.bb:do_compile
Summary: There were 2 WARNING messages shown.
Summary: There were 2 ERROR messages shown, returning a non-zero exit code.
-------------------------------------------------------------------------------------------------------------------------------
 
Do I need to add anything when the source code comes from a local file? I need help solving this error.
 
Thank you in Advance
bhavya


Re: Offline Build #yocto

Amrun Nisha.R
 

Hi Fred,

Check whether the downloads folder has all the files. While checking the folders, I found that I could not find the branches and ref folders in the git2 folder (downloads/git2). Once I placed the empty folders branch and ref, it worked fine for me. I also did not update the config file.


[meta-security][meta-hardening][PATCH] meta-harden: Add a layer to demo harding OE/YP

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-hardening/README | 86 +++++++++++++++++++
meta-hardening/conf/distro/harden.conf | 11 +++
meta-hardening/conf/layer.conf | 13 +++
.../openssh/openssh_%.bbappend | 13 +++
.../base-files/base-files_%.bbappend | 4 +
.../images/harden-image-minimal.bb | 25 ++++++
.../initscripts/files/mountall.sh | 41 +++++++++
.../initscripts/initscripts_1.0.bbappend | 8 ++
.../packagegroups/packagegroup-hardening.bb | 19 ++++
.../recipes-extended/shadow/shadow_%.bbappend | 10 +++
.../recipes-extended/sudo/sudo_%.bbappend | 7 ++
11 files changed, 237 insertions(+)
create mode 100644 meta-hardening/README
create mode 100644 meta-hardening/conf/distro/harden.conf
create mode 100644 meta-hardening/conf/layer.conf
create mode 100644 meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
create mode 100644 meta-hardening/recipes-core/base-files/base-files_%.bbappend
create mode 100644 meta-hardening/recipes-core/images/harden-image-minimal.bb
create mode 100755 meta-hardening/recipes-core/initscripts/files/mountall.sh
create mode 100644 meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
create mode 100644 meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
create mode 100644 meta-hardening/recipes-extended/shadow/shadow_%.bbappend
create mode 100644 meta-hardening/recipes-extended/sudo/sudo_%.bbappend

diff --git a/meta-hardening/README b/meta-hardening/README
new file mode 100644
index 0000000..37a0b7e
--- /dev/null
+++ b/meta-hardening/README
@@ -0,0 +1,86 @@
+# This is an example for Security hardening an OE or Poky image
+
+
+Meta-hardening
+=============
+
+This layer provides examples for hardening OE/Yocto images.
+This layer does not provide 100% security protection. This is only
+a framework from which a user can build from and can possible contribute to.
+The goal here is to capture use cases and examples the community decided shares for
+everyones benefit.
+
+Building the meta-hardening layer
+-------------------------------
+In order to add hardening support to the poky/OE build this layer should be added
+to your projects bblayers.conf file.
+
+By default the hardening components are disabled. This conforms to the
+Yocto Project compatible guideline that indicate that simply including a
+layer should not change the system behavior.
+
+In order to use the components in this layer to take affect the 'harden' keyword must
+set the DISTRO as in "DISTRO = harden". This enables the "NO ROOT access" idea or framework.
+
+If one wants the a more complete example of a hardened image, one must also build the image:
+harden-image-minimal
+
+There are default example userid and passwards:
+These can be over written in your local.conf via:
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+
+example:
+local.conf
+DISTRO = "harden"
+
+The default user and password are:
+User: "myadmin"
+Password: "1SimplePw!"
+
+bitbake {qemu machine} harden-image-minimal
+
+Dependencies
+============
+
+Branch: master
+
+This layer depends on:
+
+URI: git://git.yoctoproject.org/poky
+
+or this normal combo:
+
+URI: git://git.openembedded.org/meta-openembedded/meta-oe
+
+URI: git://git.openembedded.org/bitbake
+
+plus:
+
+URI: git://git.openembedded.org/meta-openembedded
+layers: meta-oe
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-hardening][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers: Armin Kuster <akuster808@gmail.com>
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/meta-hardening/conf/distro/harden.conf b/meta-hardening/conf/distro/harden.conf
new file mode 100644
index 0000000..66db9b7
--- /dev/null
+++ b/meta-hardening/conf/distro/harden.conf
@@ -0,0 +1,11 @@
+DISTRO = "harden"
+DISTRO_NAME = "Simple Security hardening example"
+DISTRO_VERSION = "1.0"
+
+DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
+
+VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
+IMAGE_ROOTFS_EXTRA_SPACE = "524288"
+EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
+
+DISABLE_ROOT ?= "True"
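Review bot: `DISABLE_ROOT ?= "True"` is a weak default, and every consumer in this patch (the openssh and sudo bbappends and harden-image-minimal.bb) tests it with `bb.utils.contains('DISABLE_ROOT', 'True', ...)`, which matches only the exact token `True`. A local.conf value such as `"true"` or `"1"` would therefore take the other branch, and in the image recipe that branch sets the root password to `ROOT_DEFAULT_PASSWORD`. I would add a comment above the assignment, `# Must be exactly "True" to lock root; any other value enables root with ROOT_DEFAULT_PASSWORD`, or normalise the value in one place before it is tested.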
diff --git a/meta-hardening/conf/layer.conf b/meta-hardening/conf/layer.conf
new file mode 100644
index 0000000..5896214
--- /dev/null
+++ b/meta-hardening/conf/layer.conf
@@ -0,0 +1,13 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "harden-layer"
+BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_harden-layer = "10"
+
+LAYERSERIES_COMPAT_harden-layer = "dunfell"
+
+LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..67be3f3
--- /dev/null
+++ b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,13 @@
+do_install_append_harden () {
+ # to hardend
+ sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+ sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
+ fi
+}
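Review bot: With `DISABLE_ROOT` set, the last sed writes `PermitRootLogin prohibit-password`, which still lets root log in with a public key; for a configuration meant to remove root access I would expect `PermitRootLogin no`, i.e. `sed -i -e 's:^#*PermitRootLogin.*:PermitRootLogin no:' ${D}${sysconfdir}/ssh/sshd_config`. Separately, every substitution here depends on the exact text of the shipped sshd_config, and `ClientAliveCountMax 4` is the only pattern without a leading `#`, so it probably matches nothing if the packaged file keeps that option commented out. sed exits successfully when nothing matches, so a `grep -q` on the resulting file for each expected setting would make a silent miss fail the build instead.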
diff --git a/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..3956304
--- /dev/null
+++ b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
+
+do_install_append_harden () {
+ sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
+}
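Review bot: The pattern `umask.*` is unanchored, so it rewrites the tail of any line in the profile file that contains the word, including a comment or a compound command, and it changes nothing (without error) if the file has no such line. Anchoring it, `sed -i 's/^[[:space:]]*umask[[:space:]].*/umask 027/' ${D}${sysconfdir}/profile`, limits the edit to an actual umask command. The path is also written `${D}/${sysconfdir}` here while the other bbappends in this patch use `${D}${sysconfdir}`.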
diff --git a/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-hardening/recipes-core/images/harden-image-minimal.bb
new file mode 100644
index 0000000..daed3fb
--- /dev/null
+++ b/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -0,0 +1,25 @@
+SUMMARY = "A small image for an example hardening OE."
+
+IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
+IMAGE_INSTALL_append = " os-release"
+
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = " "
+
+LICENSE = "MIT"
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit core-image extrausers
+
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+DEFAULT_ADMIN_GROUP ?= "wheel"
+DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
+
+EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
+
+EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};"
+EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
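Review bot: `DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"` and `ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"` give every image built from this recipe the same published credentials unless the builder overrides them, and `usermod -P` takes the value in clear text, so it also sits in the recipe metadata. For an image presented as a hardening example I would leave both variables without a default and stop the build when they are unset, or pass a pre-hashed value with `usermod -p '<hashed-password>'`. The README repeats the default account and password, so it would need the same change. At minimum a comment such as `# Example credentials only: override in local.conf before building a deployable image` belongs above these assignments.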
diff --git a/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-hardening/recipes-core/initscripts/files/mountall.sh
new file mode 100755
index 0000000..e093f96
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/files/mountall.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: mountall
+# Required-Start: mountvirtfs
+# Required-Stop:
+# Default-Start: S
+# Default-Stop:
+# Short-Description: Mount all filesystems.
+# Description:
+### END INIT INFO
+
+. /etc/default/rcS
+
+#
+# Mount local filesystems in /etc/fstab. For some reason, people
+# might want to mount "proc" several times, and mount -v complains
+# about this. So we mount "proc" filesystems without -v.
+#
+test "$VERBOSE" != no && echo "Mounting local filesystems..."
+mkdir -p /home
+mkdir -p /var
+mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
+
+#
+# We might have mounted something over /dev, see if /dev/initctl is there.
+#
+if test ! -p /dev/initctl
+then
+ rm -f /dev/initctl
+ mknod -m 600 /dev/initctl p
+fi
+kill -USR1 1
+
+#
+# Execute swapon command again, in case we want to swap to
+# a file on a now mounted filesystem.
+#
+[ -x /sbin/swapon ] && swapon -a
+
+: exit 0
+
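Review bot: `mount -at nonfs,nosmbfs,noncpfs 2>/dev/null` discards the error output and its exit status is never checked, so if a separate /home or /var listed in fstab fails to mount, boot continues with the directories that the two `mkdir -p` lines created on the root filesystem. The script carries no comment on why /home and /var are created here; if the intent is to provide mount points for dedicated partitions, a comment above the mkdir lines should say so. Reporting a failure, for example `mount -at nonfs,nosmbfs,noncpfs 2>/dev/null || echo "mountall: one or more filesystems failed to mount" >&2`, would keep a missing partition from going unnoticed.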
diff --git a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
new file mode 100644
index 0000000..896b039
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_harden = " file://mountall.sh"
+
+do_install_append_harden() {
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
+}
diff --git a/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
new file mode 100644
index 0000000..1dcd5fc
--- /dev/null
+++ b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
@@ -0,0 +1,19 @@
+#
+#
+#
+
+SUMMARY = "Hardening example group"
+
+inherit packagegroup
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = "${PN} \
+ packagegroup-${PN} \
+"
+
+RDEPENDS_${PN} = "\
+ init-ifupdown \
+ ${VIRTUAL-RUNTIME_base-utils-syslog} \
+ sudo \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \
+"
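Review bot: `PACKAGES` lists `packagegroup-${PN}`, and since the recipe file is packagegroup-hardening.bb that name presumably expands to `packagegroup-packagegroup-hardening`, a second package with no `RDEPENDS` of its own. If it is not needed, `PACKAGES = "${PN}"` (or dropping the assignment, if the packagegroup class default is enough) is clearer. The three empty `#` lines at the top could become a one-line description of what the group pulls in and why.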
diff --git a/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000..3f363f0
--- /dev/null
+++ b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,10 @@
+do_install_append_harden () {
+ # to hardend
+ sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
+}
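Review bot: Apart from `#PASS_MIN_LEN`, these patterns are unanchored, so `UMASK.*`, `PASS_MAX_DAYS.*` and the others also rewrite any comment line in login.defs that mentions the keyword, and a setting that is commented out in the shipped file gets a new value but stays commented out. Anchoring each one to an active setting, e.g. `sed -i -e 's:^PASS_MAX_DAYS[[:space:]].*:PASS_MAX_DAYS 365:'`, leaves the prose comments alone, and a `grep -q` for each expected line afterwards would catch a substitution that matched nothing. Since harden.conf enables `pam` in DISTRO_FEATURES, `PASS_MIN_LEN` is probably not consulted by a PAM-enabled shadow build; the minimum length would then have to be set in the PAM password stack, which this patch does not touch.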
diff --git a/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..a31c081
--- /dev/null
+++ b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,7 @@
+
+PACKAGECONFIG_append_harden = " pam-wheel"
+do_install_append_harden () {
+ if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+ sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers
+ fi
+}
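Review bot: When `DISABLE_ROOT` is set this comments out `root ALL=(ALL) ALL`, but nothing visible in the patch enables a sudoers rule for the `wheel` group that `DEFAULT_ADMIN_ACCOUNT` is placed in. The `pam-wheel` PACKAGECONFIG appears to add a PAM group-membership check rather than a sudoers rule, so it does not by itself grant sudo rights. Unless the packaged sudoers already has an active `%wheel` entry, the image ends up with root locked and no account able to use sudo. I would add a line that enables it, e.g. `sed -i -e 's:^# *%wheel ALL=(ALL) ALL:%wheel ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers`, with the pattern adjusted to the text of the shipped file.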
--
2.17.1
