diff options
author | Dave Cobbley <david.j.cobbley@linux.intel.com> | 2018-08-14 20:05:37 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-08-23 04:26:31 +0300 |
commit | eb8dc40360f0cfef56fb6947cc817a547d6d9bc6 (patch) | |
tree | de291a73dc37168da6370e2cf16c347d1eba9df8 /meta-security/recipes-security/ecryptfs-utils | |
parent | 9c3cf826d853102535ead04cebc2d6023eff3032 (diff) | |
download | openbmc-eb8dc40360f0cfef56fb6947cc817a547d6d9bc6.tar.xz |
[Subtree] Removing import-layers directory
As part of the move to subtrees, need to bring all the import layers
content to the top level.
Change-Id: I4a163d10898cbc6e11c27f776f60e1a470049d8f
Signed-off-by: Dave Cobbley <david.j.cobbley@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-security/recipes-security/ecryptfs-utils')
3 files changed, 137 insertions, 0 deletions
diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb new file mode 100644 index 000000000..f55b0c390 --- /dev/null +++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb @@ -0,0 +1,63 @@ +SUMMARY = "The eCryptfs mount helper and support libraries" +DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \ + that ships in Linux kernel versions 2.6.19 and above. This \ + package provides the mount helper and supporting libraries \ + to perform key management and mount functions." +HOMEPAGE = "https://launchpad.net/ecryptfs" +SECTION = "base" + +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" + +DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native" + +SRC_URI = "\ + https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \ + file://ecryptfs-utils-CVE-2016-6224.patch \ + file://ecryptfs.service \ + " + +SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd" +SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f" + +inherit autotools pkgconfig systemd + +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE_${PN} = "ecryptfs.service" + +EXTRA_OECONF = "\ + --libdir=${base_libdir} \ + --disable-pywrap \ + --disable-nls \ + " + +PACKAGECONFIG ??= "nss \ + ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ + " +PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss," +PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl," +PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam," + +do_configure_prepend() { + export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3" + export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3" + export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" + export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils" +} + +do_install_append() { + chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private + mkdir -p ${D}/${libdir} + mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} + sed -i -e 's:-I${STAGING_INCDIR}::' \ + -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc + sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" ${D}${bindir}/ecryptfs-setup-swap + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -D -m 0644 ${WORKDIR}/ecryptfs.service ${D}${systemd_system_unitdir}/ecryptfs.service + fi +} + +FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*" + +RDEPENDS_${PN} += "cryptsetup" +RRECOMMENDS_${PN} = "gettext-runtime" diff --git a/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch new file mode 100644 index 000000000..4252f97c3 --- /dev/null +++ b/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch @@ -0,0 +1,65 @@ +From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001 +From: Li Zhou <li.zhou@windriver.com> +Date: Mon, 5 Sep 2016 10:28:08 +0800 +Subject: [PATCH] ecryptfs-utils: CVE-2016-6224 + +src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from +being automatically enabled by systemd. This bug affected GPT partitioned +NVMe/MMC drives and resulted in the swap partition being used without +encryption. It also resulted in a usability issue in that users were +erroneously prompted to enter a pass-phrase to unlock their swap partition +at boot. (LP: #1597154) + +the patch comes from: +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224 +https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882 + +Upstream-Status: backport + +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + ChangeLog | 9 +++++++++ + src/utils/ecryptfs-setup-swap | 10 ++++++++-- + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index d255a94..2c9c73e 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,12 @@ ++ecryptfs-utils-112 ++ [ Jason Gerard DeRose ] ++ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from ++ being automatically enabled by systemd. This bug affected GPT partitioned ++ NVMe/MMC drives and resulted in the swap partition being used without ++ encryption. It also resulted in a usability issue in that users were ++ erroneously prompted to enter a pass-phrase to unlock their swap partition ++ at boot. (LP: #1597154) ++ + ecryptfs-utils-74 + [ Michal Hlavinka ] + * Changes for RH/Fedora release +diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap +index 41cf18a..e4785d7 100755 +--- a/src/utils/ecryptfs-setup-swap ++++ b/src/utils/ecryptfs-setup-swap +@@ -166,8 +166,14 @@ for swap in $swaps; do + # If this is a GPT partition, mark it as no-auto mounting, to avoid + # auto-activating it on boot + if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then +- drive="${swap%[0-9]*}" +- partno="${swap#$drive}" ++ # Correctly handle NVMe/MMC drives, as well as any similar physical ++ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154) ++ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then ++ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:") ++ else ++ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:") ++ fi ++ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:") + if [ -b "$drive" ]; then + if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then + echo "$swap is already marked as no-auto" +-- +1.9.1 + diff --git a/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs.service b/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs.service new file mode 100644 index 000000000..c23a03aa4 --- /dev/null +++ b/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs.service @@ -0,0 +1,9 @@ +[Unit] +Description=A userspace daemon that runs as the user perform file operations under the eCryptfs mount point +After=udev.service + +[Service] +ExecStart=/usr/bin/ecryptfsd -f + +[Install] +WantedBy=multi-user.target |