From 15ae2509e522678e761046cdb8693291c09cf78c Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Tue, 18 Jun 2019 21:44:24 -0400 Subject: subtree updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit meta-openembedded: f3018013ff..3b245e4fe8: Adrian Bunk (8): Remove start-stop-daemon dvb-apps: Remove workaround patch for ancient target compilers Remove ipsec-tools and umip gpsd: Switch PACKAGECONFIG[qt] from Qt4 to Qt5 samba: Upgrade 4.8.11 -> 4.8.12 recipes-devtools: Move back from meta-networking to meta-perl wireless-regdb: Upgrade 2019.03.01 -> 2019.06.03 mcelog: Remove manual RDEPENDS from PN-ptest to PN package Alejandro del Castillo (1): apache2: add all extra/*.conf to conffiles Alistair Francis (1): python-obd: Uprade from 0.7.0 to 0.7.1 Andreas Müller (1): python-six: put python2/3 variant together Andrei Gherzan (2): modemmanager: Update to 1.10.0 networkmanager: Update to 1.18.0 Ankit Navik (1): safec: Initial recipe for safe C library Carlos Rafael Giani (1): openh264: Fix armv7ve build Changqing Li (11): syslog-ng: add rconflict for package syslog-ng-libs netkit-telnet: add rconflicts samba/libldb: add rconflicts php-fpm-apache: fix module path phoronix-test-suite: upgrade from 8.6.0 -> 8.8.1 python-pygobject: upgrade 3.28.3 -> 3.32.1 rrdtool: upgrade 1.7.1 -> 1.7.2 php: upgrade 7.3.4 -> 7.3.6 xf86-video-ati: upgrade 18.0.1 -> 19.0.1 pavucontrol: upgrade 3.0 -> 4.0 multipath-tools: upgrade 0.8.0 -> 0.8.1 Herman van Hazendonk (1): Geoclue: Update to 2.5.3 Hongxu Jia (4): rrdtool: improve reproducibility crash: do not use unstable github archive tarballs postgresql: improve reproducibility net-snmp: split net-snmp-config to package net-snmp-dev Hongzhi.Song (1): spice: fix compile errors on 32bit system Horvath, Chris (1): lcov: Upgrade 1.11 -> 1.14 James Feist (1): libgpiod: Enable cxx bindings by default Kai Kang (16): xfce4-session: 4.13.1 -> 4.13.2 xfce4-screensaver: add recipe packagegroup-xfce-extended: add xfce4-screensaver lxdm: provides fake gdmflexiserver for xfce desktop environment thunar: 1.8.4 -> 1.8.6 xfdesktop: 4.13.3 -> 4.13.4 xfce4-panel: 4.13.4 -> 4.13.5 thunar-volman: 0.9.1 -> 0.9.2 xfce4-appfinder: 4.13.2 -> 4.13.3 libxfce4util: 4.13.2 -> 4.13.3 xfwm4: 4.13.1 -> 4.13.2 xfconf: 4.13.6 -> 4.13.7 libxfce4ui: 4.13.4 -> 4.13.5 xfce4-power-manager: 1.6.1 -> 1.6.2 xfce4-settings: set default theme Adwaita lxdm: provides fake gdmflexiserver for xfce desktop environment Khem Raj (8): libnfc: Fix build with musl openocd: Fix build on x86_64 spice,spice-protocol: Uprev to 0.14.0 udisks: Install bash_completion script in OE familiar dir udisks: Remove bash dependency python-jsmin,python-pytoml,python-which: Add recipes mozjs: Upgrade to version 60.x polkit: Upgrade to 0.116 Liwei Song (1): turbostat: copy bits.h from kernel to turbostat Marek Belisko (1): libsrtp: Fix compilation and add pkgconfig Martin Jansa (17): igmpproxy: remove 0001-src-igmpproxy.h-Include-sys-types.h-for-u_short-u_in.patch and _GNU_SOURCE ne10, libopus: add armv7ve override as well pidgin: upgrade to 2.13.0 funyahoo-plusplus, icyque, pidgin-sipe, purple-skypeweb: add couple plugins for pidgin hunspell: use git fetcher instead of github archive hunspell-dictionaries: import from meta-luneos to make hunspell in meta-oe a bit more useful ttf-mplus, ttf-vlgothic: add ttf-mplus license android-tools-conf: import one more improvement for android-gadget-setup from meta-luneos uriparser: upgrade to 0.9.3 libmikmod: fix SRC_URI leptonica: fix SRC_URI libmikmod: upgrade to 3.3.11.1 open-vm-tools: refresh the patches so that they can be easily applied with devtool or git am open-vm-tools: import gcc9 fixes from fedora spice: append to CFLAGS instead of += cpprest: temporary ignore deprecated-copy and redundant-move errors detected by gcc9 oprofile: drop virtual/kernel dependency and switch back to TUNE_PKGARCH Mingli Yu (4): mariadb: Upgrade to 10.3.15 kea: Upgrade to 1.5.0 hwloc: Upgrade to 1.11.12 kea: replace -Og with -O Naveen Saini (1): pm-graph: add recipe Oleksandr Kravchuk (12): opensaf: update to 5.19.03 python-ldap: update to 3.2.0 rp-pppoe: update to 3.13 atftp: update to 0.7.2 ipcalc: update to 2.2.3 mtr: update to 0.92 nbd: update to 3.19 mdns: update to 878.200.35 lldpd: update to 1.0.3 libp11: update to 0.4.10 nano: update to 4.2 libspatialite: update to 4.3.0a Ovidiu Panait (1): xfsprogs: Fix host contamination Paolo Valente (1): s-suite: push SRCREV to version 3.4 Pascal Bach (1): rocksdb: 5.18.3 -> 6.0.2 Qi.Chen@windriver.com (2): polkit: fix CVE-2019-6133 .gitignore: add *.pyc and *.pyo Randy MacLeod (1): imagemagick: update from 7.0.8-43 to 7.0.8-47 Robert Joslyn (4): cryptsetup: Add PACKAGECONFIG options lmsensors: Update to 3.5.0 xfce4-session: Add xrdb RDEPENDS xfce4-session: Reformat DEPENDS and RDEPENDS Slater, Joseph (1): php-7: mark two tests as expected to fail Stefan Agner (1): haveged: fix CPU cache size detection Tim Orling (13): libterm-readkey-perl: upgrade 2.37 -> 2.38; fix upstream check; enable ptest libtest-deep-perl: add recipe for v1.128 libcgi-perl: upgrade 4.38 -> 4.43; enable ptest libcrypt-openssl-guess-perl: rename from libcrypt-openssl-guess; enable ptest libcrypt-openssl-rsa-perl: upgrade 0.30 -> 0.31; enable ptest libcrypt-openssl-random-perl: upgrade 0.11 -> 0.15; enable ptest libextutils-installpaths-perl: upgrade 0.011 -> 0.012; enable ptest libexutils-config-perl: enable ptest libhtml-tagset-perl: add recipe for v3.20 libhtml-parser-perl: enable ptest libstrictures-perl: upgrade 2.000003 -> 2.000006; enable ptest libxml-libxml-perl: enable ptest libcapture-tiny-perl: upgrade 0.46 -> 0.48; enable ptest William A. Kennington III via Openembedded-devel (1): cli11: 1.6.2 -> 1.7.1 Yi Zhao (8): python-ldap: add python-pyasn1 and python-pyasn1-modules as runtime dependencies fuse: upgrade 2.9.8 -> 2.9.9 yaffs2-utils: update to latest master xfsprogs: upgrade 4.18.0 -> 5.0.0 fcgi: upgrade 2.4.1+git -> 2.4.2 xdebug: upgrade 2.7.0RC2 -> 2.7.2 phpmyadmin: upgrade 4.8.5 -> 4.9.0.1 openipmi: upgrade 2.0.25 -> 2.0.27 Zang Ruochen (13): python-pywbem: solved the conflict with python3-pywbem python3-pywbem:solved the conflict with python-pywbem python-pbr: upgrade 5.2.0 -> 5.2.1 python-mako: upgrade 1.0.10 -> 1.0.12 python-babel: upgrade 2.6.0 -> 2.7.0 python-cachetools: upgrade 3.1.0 -> 3.1.1 python-cryptography: upgrade 2.6.1 -> 2.7 python-cryptography-vectors: upgrade 2.6.1 -> 2.7 python-cython: upgrade 0.29.7 -> 0.29.10 python-lxml: upgrade 4.3.3 -> 4.3.4 python-psutil: upgrade 5.6.2 -> 5.6.3 python-requests: upgrade 2.21.0 -> 2.22.0 python-urllib3: upgrade 1.25.2 -> 1.25.3 nick83ola (5): nginx: update to version 1.17.0 nginx: update stable version to 1.16.0 nginx: add PACKAGECONFIG[http-auth-request] nginx: fix kill path in nginx systemd unit file uthash: do not use unstable github archive tarballs thstead (1): Upgraded python-pysnmp from version 4.3.5. to 4.4.9. Łukasz Łaguna (1): gsl: update to version 2.5 meta-security: 9f5cc2a7eb..c28b72e91d: Armin Kuster (17): checksec: update to 1.11.1 keyutils: fix library install path checksec: add runtime test meta-integrity: port over from meta-intel-iot-security layer.conf: add LAYERSERIES_COMPAT README: update ima-evm-utils: cleanup and update to tip ima.cfg: update to 5.0 kernel linux: update bbappend base-files: add appending to automount securityfs ima-policy-hashed: add new recipe ima_policy_simple: add another sample policy policy: add ima appraise all policy data: remove policies initramfs: clean up to pull in packages. runtime qa: moderize ima test image: add image for testing Changqing Li (1): samhain: add rconflict for client and server mode Zang Ruochen (4): bastille: solved the conflict with perl-module-text-wrap and base-files python-scapy: Remove redundant sed operations python-scapy: solved the conflict with python3-scapy python3-scapy: solved the conflict with python-scapy leimaohui (1): python3-fail2ban: Fix build error of xrange. poky: 797916f93a..111b7173fe: Adrian Bunk (25): nss-myhostname: Stop trying to build for musl systemd: Some upstreamable musl patches have been upstreamed libnss-mdns: Stop trying to build for musl icu: Remove workaround for musl issue fixed upstream 2 years ago socat: Remove workaround for musl issue now fixed upstream ofono: Use external ell instead of an internal copy ofono: Fix another race condition during the build squashfs-tools: Mark as incompatible with musl apt: Remove workaround patches for no longer supported host distributions m4/tar: Remove remove-gets.patch pinentry: Switch pinentry-qt from Qt4 to Qt5 librsvg: Replace workaround for old host systems with upstream fix vim: Move PACKAGECONFIG[gtkgui] from GTK 2 to GTK 3 Remove Go 1.11 go: Remove INSANE_SKIP_* textrel that are now handled in go.bbclass dpkg: Remove workaround patches for no longer supported host distributions lrzsz: Add implicit declaration fixes from Debian tcp-wrappers: Add compile warning fixes from Debian libpam: Upgrade 1.3.0 -> 1.3.1 vte: Fix the license information gcc: Remove 0006-gcc-disable-MASK_RELAX_PIC_CALLS-bit.patch openssl: Upgrade 1.1.1b -> 1.1.1c Remove manual RDEPENDS from PN-ptest to PN package ref-manual: Remove irda feature lttng-modules: Upgrade 2.10.9 -> 2.10.10 Adrian Freihofer (3): qemurunner: fix undefined variable testimage: consider QB_DEFAULT_FSTYPE runqemu: QB_FSINFO to support fstype wic images Alejandro Enedino Hernandez Samaniego (1): python-numpy: Avoid installing copy of f2py script Alejandro Hernandez Samaniego (2): newlib: Upgrade to 3.1.0 newlib: export CC_FOR_TARGET as CC Alejandro del Castillo (1): opkg-utils: upgrade to version 0.4.1 Alex Kiernan (2): kernel-fitimage: uboot-sign: Check UBOOT_DTB_BINARY before adding deps systemd: Backport OpenSSL BUF_MEM fix Alexander Kanavin (53): vim: split the common part into vim.inc libpcre2: upgrade 10.32 -> 10.33 librepo: upgrade 1.9.6 -> 1.10.2 libmodulemd: upgrade 2.2.3 -> 2.4.0 libmodulemd: fix erroneous linking against v2 library when v1 was requested createrepo-c: upgrade 0.12.2 -> 0.14.0 libdazzle: upgrade 3.32.1 -> 3.32.2 adwaita-icon-theme: upgrade 3.30.1 -> 3.32.0 bison: upgrade 3.1 -> 3.3.2 atk: upgrade 2.30.0 -> 2.32.0 python3-mako: upgrade 1.0.9 -> 1.0.10 nss: upgrade 3.43 -> 3.44 go: update 1.12.1->1.12.5 systemtap: upgrade 4.0 -> 4.1 gawk: upgrade 4.2.1 -> 5.0.0 alsa-plugins: upgrade 1.1.8 -> 1.1.9 alsa-utils: upgrade 1.1.8 -> 1.1.9 alsa-lib: upgrade 1.1.8 -> 1.1.9 lz4: upgrade 1.9.0 -> 1.9.1 libxcrypt: upgrade 4.4.4 -> 4.4.6 python3-pip: upgrade 19.0.3 -> 19.1.1 pkgconf: upgrade 1.6.0 -> 1.6.1 at-spi2-core: upgrade 2.30.0 -> 2.32.1 at-spi2-atk: upgrade 2.30.0 -> 2.32.0 glib-networking: upgrade 2.60.1 -> 2.60.2 libsoup-2.4: upgrade 2.66.1 -> 2.66.2 x264: upgrade to latest revision linux-firmware: upgrade to latest revision python3-pbr: upgrade 5.1.3 -> 5.2.0 bash-completion: upgrade 2.8 -> 2.9 gst-examples: upgrade to 1.16.0 acpica: upgrade 20190405 -> 20190509 freetype: upgrade 2.9.1 -> 2.10.0 usbutils: upgrade 010->012 webkitgtk: update to 2.24.2 epiphany: update to 3.32.2 btrfs-tools: update to 5.1 iproute2: upgrade 5.0.0 -> 5.1.0 chkconfig: do not use unstable github archive tarballs chkconfig: fix upstream version check perl: update to 5.30.0 piglit: upgrade to latest revision ccache: fix upstream version check Revert "ncurses: fix incorrect UPSTREAM_CHECK_GITTAGREGEX" sysstat: add UPSTREAM_VERSION_UNKNOWN python3-pygments: add a recipe gtk-doc: upgrade 1.29 -> 1.30 libpsl: fix the gtk-doc 1.30 build source-highlight: remove the recipe mesa-demos: update to 8.4.0 glib-2.0: udpate 2.58.3 -> 2.60.3 gdk-pixbuf: update 2.38.0 -> 2.38.1 gtk+3: update 3.24.5 -> 3.24.8 Alistair Francis (3): gdb: Upgrade from 8.2.1 to 8.3 gnu-config: Update to latest SHA qemu: Backport the arm segfault fix Andreas Müller (1): gsettings-desktop-schemas: upgrade 3.28.1 -> 3.32.0 Andrei Gherzan (1): ca-certificates: Fix openssl runtime dependencies Anuj Mittal (8): Revert "image_types: use pigz to create .gz files" Revert "pigz: pigz is not gzip" libva: upgrade 2.4.0 -> 2.4.1 ffmpeg: add PACKAGECONFIG for mfx libpam: fix upstream version check serf: cleanup recipe scons: inherit python3native python3-scons: fix regex replacing python by python3 Bonnans, Laurent (1): kernel-uboot: compress arm64 kernels Bruce Ashfield (11): linux-yocto/5.0: update to v5.0.13 linux-yocto/4.19: update to v4.19.40 linux-yocto/4.19: update to v4.19.44 kernel: package modules.builtin.modinfo linux-yocto-dev: bump to v5.2-rc linux-yocto/5.0: update to v5.0.17 linux-yocto-rt/5.0: update to -rt9 linux-yocto/5.0: update to v5.0.19 linux-yocto-rt/5.0: update to -rt11 linux-yocto/5.0: fix systemtap on arm linux-yocto: ptest: Add SCSI debug configuration for util-linux Carlos Rafael Giani (6): gstreamer1.0-plugins-base: upgrade to version 1.16.0 gstreamer1.0-plugins-good: upgrade to version 1.16.0 gstreamer1.0-plugins-bad: upgrade to version 1.16.0 gstreamer1.0-plugins-ugly: upgrade to version 1.16.0 gstreamer1.0-libav: upgrade to version 1.16.0 gstreamer1.0-vaapi: upgrade to version 1.16.0 Changqing Li (8): connman: add networkmanager as rconflict dropbear: add openssh/openssh-sshd as rconflict busybox-inittab/sysvinit-inittab: add rconflicts inetutils: fix wrong package name systemd: add rconflicts tiny-init: add rconflicts multilib: add override for image recipe qemu: fix qemu ptest cannot work Chee Yang Lee (3): wic: bootimg-efi: add label source parameter wic/engine: include .wks.in in wic search and list wic/plugins: kernel image refer to KERNEL_IMAGETYPE Chen Qi (5): libxfont2: set CVE_PRODUCT systemd: avoid musl specific patches affect glibc systems util-linux: upgrade to 2.33.2 oescripts.py: avoid error when cairo module is not available context.py: fix skipping function Chris Laplante (5): base.bbclass: Add OE_EXTRA_IMPORTS bitbake: knotty: allow progress rate for indeterminate bars bitbake: build: extract progress handler creation logic into its own method bitbake: build/progress: use context managers for progress handlers bitbake: build: implement custom progress handlers injected via OE_EXTRA_IMPORTS David Frey (1): bluez5: manage udev dependency with PACKAGECONFIG David Reyna (1): bitbake: toaster: Fix Thud Bitbake release metadata Diego Rondini (1): bluez5: fix obex packaging Douglas Royds via Openembedded-core (1): json-c: Backport --disable-werror patch to allow compilation under icecc Fabio Berton (3): mesa: Update 19.0.3 -> 19.0.5 mesa: Update 19.0.5 -> 19.0.6 mesa: Update 19.0.6 -> 19.1.0 Filip Jareš (1): recipes: Fix license "names"/versions. Haiqing Bai (1): kernel.bbclass: Make task clean depend on cleaning of make-mod-scripts He Zhe (1): lttng-modules: Add git based recipe Hongxu Jia (5): grub/grub-efi: fix unrecognized command line option '-pipe-Wno-error' in CFLAGS lib/oe/reciputils.py: support character `+' in git pv groff: improve reproducibility diffutils/run-ptest: support to run at arbitrary path openssh: fix potential signed overflow in pointer arithmatic Jaewon Lee (2): gstreamer1.0-python_1.16.0.bb: Override libpython dir devicetree.bbclass: Combine stderr into stdout to see actual dtc error Jean-Marie LEMETAYER (4): npm: get npm package name from npm pack npm: fix node and npm default directory conflict npm: remove some temporary build files bitbake: bitbake: fetch2/npm: fix npw view parsing Jiping Ma (1): dhcp:"dhclient -x eth0" action is not correct. Joe Slater (1): slang: modify an array test Jon Mason (2): resulttool: modify to be multi-machine resulttool: Remove prints if no tests occur Jonathan Rajotte (4): lttng-tools: prevent test timeout when lttng-modules is not present lttng-tools: add lttng-modules to ptest dependencies liburcu: update to 0.11.0 liburcu: update to 0.11.1 Joshua Watt (11): avahi: Add PACKAGECONFIG for libdns_sd perl: Preserve attributes when applying cross files btrfs-tools: Pass DEBUG_MAP_PREFIX flags to Python bitbake: bitbake: cooker: Rename __depends in all multiconfigs bitbake: bitbake: Show base multiconfig environment perl: Set build date to SOURCE_DATE_EPOCH glibc-locale: DEPEND on virtual/libc zip: Remove build date to improve reproducibility classes/package: Sort ELF file list bash: Replace uninative loader path in ptest oeqa: Add reproducible build selftest Kai Kang (3): systemd-conf: configure wired network with dhcp qemu/qemu-system-native: depend bison-native openssl: fix failure of ptest test_shlibload Kevin Hao (3): runqemu: Add the support to pass multi ports to tcpserial parameter oeqa/utils/qemurunner: Set both the threadport&serverport with tcpserial parameter tune-thunderx: Set the correct PACKAGE_EXTRA_ARCHS_tune-thunderx Khem Raj (6): mesa: Fix a case when gbm is enabled but DRIDRIVERS is not defined ofono: Add TEMP_FAILURE_RETRY optional definition Revert "musl: Add TEMP_FAILURE_RETRY from glibc" binutils: Workaround mips assembler crash on target musl: Upgrade to master tip gdb: Let gdbserver be empty for riscv64 Lei Maohui (1): meson.bbclass: Make meson support aarch64_be. Luca Boccassi (2): python*-setuptools: add separate packages for pkg_resources module mdadm: use ${systemd_unitdir} rather than /lib/systemd Maciej Pijanowski (1): recipetool: add python3 support Mariano López (3): util-linux: Add missing ptest dependencies util-linux: Stop udevd to run ptests linux-yocto: Add scsi_debug module when ptest is in DISTRO_FEATURES Mark Hatle (1): bitbake: svn.py: Stop SVN from directly pulling from an external layer w/o fetcher Martin Jansa (5): python: add a fix for CVE-2019-9948 and CVE-2019-9636 glib-networking: add PACKAGECONFIG for openssl bc: use u-a for bc as well opkg-utils: fix opkg-list-fields script pigz: install pigz, unpigz, pigzcat in native and nativesdk builds again Matthias Schiffer (1): bitbake: fetch2: runfetchcmd(): unset _PYTHON_SYSCONFIGDATA_NAME Matthias Schoepfer via Openembedded-core (1): python3: fix build on softfloat mips Michael Ho (1): base.bbclass: add named SRCREVs to the sstate hash Mike Crowe (1): cmake: Avoid passing empty prefix to os.path.relpath Mingli Yu (3): elfutils: fix ptest failures dbus: Upgrade to 1.12.16 dbus-test: Upgrade 1.12.16 Nicola Lunghi (3): connman: fix segfault with musl >v1.1.21 rng-tools: recipe cleanup rng-tools: harmonise systemd and sysvinit Oleksandr Kravchuk (6): ethtool: update to 5.1 file: update to 5.37 p11-kit: update to 0.23.16.1 popt: fix SRC_URI selftest/devtool: fix URI to MarkupSafe package bitbake: cooker: list all nonexistent bblayer directories Oliver Stäbler (1): packagegroup-core-full-cmdline: Make nfs-utils/rpcbind optional Peter Kjellerstedt (3): texinfo-dummy-native: A little clean up of template.py texinfo-dummy-native: Rewrite template.py to use argparse package.bbclass: Clean up writing of runtime pkgdata files Philippe Normand (9): gstreamer1.0: upgrade to version 1.16.0 gstreamer1.0-omx: upgrade to version 1.16.0 gstreamer1.0-rtsp-server: upgrade to version 1.16.0 gstreamer1.0-python: upgrade to version 1.16.0 gst-validate: upgrade to version 1.16.0 cmake: Use compiler launcher variable when ccache is enabled at-spi2: Make X11 support truly optional gnutls: Use ca-certificates as default trust store file gnutls: Use the sysconfdir variable for the ca-certificates path Quentin Schulz (2): meta: license: fix non-SPDX license being removed from INCOMPATIBLE_LICENSE selftests: add tests for INCOMPATIBLE_LICENSE Randy MacLeod (6): valgrind: Make ptest timestamps copasetic valgrind: add 'file' to ptest depends util-linux: add setpriv utility libcap-ng: split into libcap-ng/libcap-ng-python ptest-runner: enable child procs as session leader bash: use setpriv, sed.sed to run ptests Richard Purdie (46): perl-rdepends: Add missing module dependencies bash: Fix bash-ptest dependencies openssh: Add sudo dependency for ptest libpcre: Add make dependency for ptest m4: Add coreutils and diffutils dependency for ptest perl/modules: Add various missing ptest perl module dependencies layer.conf: Whitelist lttng-tools->lttng-modules dependency tcmode-default: Make gcc9 the default lttng-tools: Fix patch Upstream-Status mesa: Fix patch Upstream-Status uninative-tarball: Fix file generation after class changes populate_sdk_base: Use highest compression level for xz uninative-tarball: Use xz compression and SDK_ARCHIVE_CMD strace: Tweak ptest disk space management ptest-packagelists: Add mdadm util-linux: Fix ptest dependencies mdadm: Add missing ptest dependency yocto-uninative: Update to 2.5 release uninative: Switch from bz2 to xz bitbake: main: Fix error message typo qemuarm64: Add QB_CPU_KVM to allow kvm acceleration runqemu: Add support for kvm on aarch64 useradd: Fix build architecture corruption of sstate artefacts useradd: Ensure do_populate_sysroot has dependency on useradd variables beaglebone-yocto: Add missing wic image u-boot deploy dependency quilt: Add patch depends for quilt-ptest libtest-needs-perl: Fix ptest dependencies libtimedate-perl: Fix ptest dependencies perl: Add missing perl module dependency liburi-perl: Fix module ptest dependencies libconvert-aan1-perl: Fix module and ptest dependencies libxml-sax-perl: Fix module ptest dependencies libxml-perl: Fix module and ptest dependencies e2fsprogs: Fix missing ptest dependencies glib-2.0: ptest fixes openssh: Add missing ptest dependency on coreutils gpg_sign/selftest: Fix secmem parameter handling gawk: ptest fixes openssh: Document skipped test dependency multiconfig: Adapt to bitbake switch 'multiconfig' -> 'mc' bitbake: multiconfig: Switch from 'multiconfig' -> 'mc' bitbake: cooker: Add compability handling for multiconfig: prefix migration build-appliance-image: Update to master head revision bitbake: cooker: Ensure mcdeps are processed even if only one multiconfig perl: Fix setgroup call regression from 5.30 perl: Move perl-sanity -> perl Ross Burton (13): insane: add sanity checks to SRC_URI libidn2: upgrade to 2.2.0 local.conf.sample: change default MACHINE to qemux86-64 libical: tidy up Perl finding wic/filemap: handle FIGETBSZ failing libxslt: add comment saying when a workaround can be removed parted: swap patches for the commits that landed upstream parted: drop patch for linux <2.6.20 support python-nose: python3-nose should be default bluez: fix test case failures with GCC 9 efivar: add efibootmgr: add gstreamer1.0-libav: disable API documentation Sakib Sajal (4): bash: add iso8859-1 gconv RDEPENDS needed by bash-ptest. bash: add big5hkscs gconv RDEPENDS needed by bash-ptest. bash: run bash ptest as non-root user ptest-runner: update SRCREV to latest HEAD on ptest-runner2 repo Scott Rifenbark (17): sdk-manual: Added link to BB manual fetcher section. ref-manual: Updated "do_fetch" to have a link to "Fetchers" dev-manual, ref-manual: removed "distrodata" class ref-manual: Removed bugzilla.bbclass ref-manual: Removed "distutils-tools" class. ref-manual: Udated devtool help output examples. ref-manual: New section "Checking Upgrade Status of a Recipe" dev-manual: Added check-upgrade-status blurb to upgrading recipes ref-manual: do_checkpkg - added link to checking upgrade status ref-manual: Updates to check-recipe-upgrade devtool command ref-manual: Grammar correction dev-manual: Added new section for creating NPM packages Makefile: Updated to support new NPM package creation section dev-manual: Updated the "Working with Packages" list ref-manual: Updated "npm.bbclass" section. overview-manual: Updated SCM section dev-manual: Fixed grammar issue. Tim Orling (8): libxml-parser-perl: fix ptest dependencies perl-rdepends.txt: improve dependencies for perl module ptests perl: install Config_git.pl perl-rdepends.txt: fix perl-module-data-dumper dependencies python3-scons-{native}: add recipe for v3.0.5 scons.bbclass: use python3-scons serf: switch to python3-scons-native oeqa/runtime: add simple test for scons Tom Rini (2): vim: Rework things so vim adds features not vim-tiny removes vim: Update to 8.1.1518 to fix CVE-2019-12735 Yeoh Ee Peng (3): resulttool/resultutils: Enable add extra configurations to results resulttool/store: Enable add EXECUTED_BY config to results resulttool/merge: Enable control TESTSERIES and extra configurations Zang Ruochen (3): openssh: Upgrade 7.9p1 -> 8.0p1 dbus: Upgrade 1.12.12 -> 1.12.14 dbus-test: Upgrade 1.12.12 -> 1.12.14 Zhixiong Chi (2): gcc: reduce the variables in symtab gcc: CVE-2018-12886 sangeeta jain (1): resulttool/manualexecution: Enable creation of test case configuration meta-raspberrypi: 7059c37451..40283f583b: Andrei Gherzan (1): gstreamer1.0-omx: Forward port bbappend and patches to v1.16.x Khem Raj (4): linux-raspberrypi_4.19.bb: Update to 4.19.44 rpi-default-versions: Switch defaults to 4.19 userland: Update to 20190501 firmware: Update 20190220 -> 20190517 malus-brandywine (1): sdcard_image-rpi : minor bug in use of FATPAYLOAD Change-Id: Idab4e8c2666bc776d0b47988a32dcb9f04885aff Signed-off-by: Brad Bishop --- .../recipes-kernel/linux/linux-%.bbappend | 3 + .../0001-ima-fix-ima_inode_post_setattr.patch | 51 ++++++++ ...port-for-creating-files-using-the-mknodat.patch | 138 +++++++++++++++++++++ ...limit-file-hash-setting-by-user-to-fix-an.patch | 60 +++++++++ .../recipes-kernel/linux/linux/ima.cfg | 18 +++ .../recipes-kernel/linux/linux/ima_evm_root_ca.cfg | 3 + 6 files changed, 273 insertions(+) create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg (limited to 'meta-security/meta-integrity/recipes-kernel') diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend new file mode 100644 index 000000000..931854ef8 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" + +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}" diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch new file mode 100644 index 000000000..64016dd3e --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch @@ -0,0 +1,51 @@ +From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Tue, 8 Mar 2016 16:43:55 -0500 +Subject: [PATCH] ima: fix ima_inode_post_setattr + +Changing file metadata (eg. uid, guid) could result in having to +re-appraise a file's integrity, but does not change the "new file" +status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and +IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch +only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. + +With this patch, changing the file timestamp will not remove the +file signature on new files. + +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b] + +Reported-by: Dmitry Rozhkov +Signed-off-by: Mimi Zohar +--- + security/integrity/ima/ima_appraise.c | 2 +- + security/integrity/integrity.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..a384ba1 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry) + if (iint) { + iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | + IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | +- IMA_ACTION_FLAGS); ++ IMA_ACTION_RULE_FLAGS); + if (must_appraise) + iint->flags |= IMA_APPRAISE; + } +diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h +index 0fc9519..f9decae 100644 +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -28,6 +28,7 @@ + + /* iint cache flags */ + #define IMA_ACTION_FLAGS 0xff000000 ++#define IMA_ACTION_RULE_FLAGS 0x06000000 + #define IMA_DIGSIG 0x01000000 + #define IMA_DIGSIG_REQUIRED 0x02000000 + #define IMA_PERMIT_DIRECTIO 0x04000000 +-- +2.5.0 + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch new file mode 100644 index 000000000..6ab7ce277 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch @@ -0,0 +1,138 @@ +From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Thu, 10 Mar 2016 18:19:20 +0200 +Subject: [PATCH] ima: add support for creating files using the mknodat + syscall + +Commit 3034a14 "ima: pass 'opened' flag to identify newly created files" +stopped identifying empty files as new files. However new empty files +can be created using the mknodat syscall. On systems with IMA-appraisal +enabled, these empty files are not labeled with security.ima extended +attributes properly, preventing them from subsequently being opened in +order to write the file data contents. This patch marks these empty +files, created using mknodat, as new in order to allow the file data +contents to be written. + +Files with security.ima xattrs containing a file signature are considered +"immutable" and can not be modified. The file contents need to be +written, before signing the file. This patch relaxes this requirement +for new files, allowing the file signature to be written before the file +contents. + +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356] + +Signed-off-by: Mimi Zohar +--- + fs/namei.c | 2 ++ + include/linux/ima.h | 7 ++++++- + security/integrity/ima/ima_appraise.c | 3 +++ + security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++- + 4 files changed, 42 insertions(+), 2 deletions(-) + +diff --git a/fs/namei.c b/fs/namei.c +index ccd7f98..19502da 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3526,6 +3526,8 @@ retry: + switch (mode & S_IFMT) { + case 0: case S_IFREG: + error = vfs_create(path.dentry->d_inode,dentry,mode,true); ++ if (!error) ++ ima_post_path_mknod(dentry); + break; + case S_IFCHR: case S_IFBLK: + error = vfs_mknod(path.dentry->d_inode,dentry,mode, +diff --git a/include/linux/ima.h b/include/linux/ima.h +index 120ccc5..7f51971 100644 +--- a/include/linux/ima.h ++++ b/include/linux/ima.h +@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file); + extern int ima_file_mmap(struct file *file, unsigned long prot); + extern int ima_module_check(struct file *file); + extern int ima_fw_from_file(struct file *file, char *buf, size_t size); +- ++extern void ima_post_path_mknod(struct dentry *dentry); + #else + static inline int ima_bprm_check(struct linux_binprm *bprm) + { +@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size) + return 0; + } + ++static inline void ima_post_path_mknod(struct dentry *dentry) ++{ ++ return; ++} ++ + #endif /* CONFIG_IMA */ + + #ifdef CONFIG_IMA_APPRAISE +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..20806ea 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -274,6 +274,11 @@ out: + xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { + if (!ima_fix_xattr(dentry, iint)) + status = INTEGRITY_PASS; ++ } else if ((inode->i_size == 0) && ++ (iint->flags & IMA_NEW_FILE) && ++ (xattr_value && ++ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { ++ status = INTEGRITY_PASS; + } + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, + op, cause, rc, 0); +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index eeee00dc..705bf78 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function, + ima_audit_measurement(iint, pathname); + + out_digsig: +- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) ++ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && ++ !(iint->flags & IMA_NEW_FILE)) + rc = -EACCES; + kfree(xattr_value); + out_free: +@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened) + EXPORT_SYMBOL_GPL(ima_file_check); + + /** ++ * ima_post_path_mknod - mark as a new inode ++ * @dentry: newly created dentry ++ * ++ * Mark files created via the mknodat syscall as new, so that the ++ * file data can be written later. ++ */ ++void ima_post_path_mknod(struct dentry *dentry) ++{ ++ struct integrity_iint_cache *iint; ++ struct inode *inode; ++ int must_appraise; ++ ++ if (!dentry || !dentry->d_inode) ++ return; ++ ++ inode = dentry->d_inode; ++ if (inode->i_size != 0) ++ return; ++ ++ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); ++ if (!must_appraise) ++ return; ++ ++ iint = integrity_inode_get(inode); ++ if (iint) ++ iint->flags |= IMA_NEW_FILE; ++} ++ ++/** + * ima_module_check - based on policy, collect/store/appraise measurement. + * @file: pointer to the file to be measured/appraised + * +-- +2.5.0 + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch new file mode 100644 index 000000000..157c007ba --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch @@ -0,0 +1,60 @@ +From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001 +From: Patrick Ohly +Date: Tue, 15 Nov 2016 10:10:23 +0100 +Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log + modes" + +This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533. + +The original motivation was security hardening ("File hashes are +automatically set and updated and should not be manually set.") + +However, that hardening ignores and breaks some valid use cases: +- File hashes might not be set because the file is currently + outside of the policy and therefore have to be set by the + creator. Examples: + - Booting into an initramfs with an IMA-enabled kernel but + without setting an IMA policy, then installing + the OS onto the target partition by unpacking a rootfs archive + which has the file hashes pre-computed. + - Unpacking a file into a staging area with meta data (like owner) + that leaves the file outside of the current policy, then changing + the meta data such that it becomes part of the current policy. +- "should not be set manually" implies that the creator is aware + of IMA semantic, the current system's configuration, and then + skips setting file hashes in security.ima if (and only if) the + kernel would prevent it. That's not the case for standard, unmodified + tools. Example: unpacking an archive with security.ima xattrs with + bsdtar or GNU tar. + +Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/] + +Signed-off-by: Patrick Ohly +--- + security/integrity/ima/ima_appraise.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4b9b4a4..b8b2dd9 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, + result = ima_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); + if (result == 1) { +- bool digsig; +- + if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) + return -EINVAL; +- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); +- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) +- return -EPERM; +- ima_reset_appraise_flags(d_backing_inode(dentry), digsig); ++ ima_reset_appraise_flags(d_backing_inode(dentry), ++ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); + result = 0; + } + return result; +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg new file mode 100644 index 000000000..b3e47ba37 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg @@ -0,0 +1,18 @@ +CONFIG_IMA=y +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_NG_TEMPLATE=y +CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" +CONFIG_IMA_DEFAULT_HASH_SHA1=y +CONFIG_IMA_DEFAULT_HASH="sha1" +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_APPRAISE_BOOTPARAM=y +CONFIG_IMA_TRUSTED_KEYRING=y +CONFIG_SIGNATURE=y +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_READ_POLICY=y +CONFIG_IMA_LOAD_X509=y +CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" + +#CONFIG_INTEGRITY_SIGNATURE=y +#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +#CONFIG_INTEGRITY_TRUSTED_KEYRING=y diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg new file mode 100644 index 000000000..9a454257a --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg @@ -0,0 +1,3 @@ +# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set +CONFIG_EVM_LOAD_X509=y +CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" -- cgit v1.2.3