From c342db356d4f451821781eb24eb9f3d39d6c0c5e Mon Sep 17 00:00:00 2001 
From: Brad Bishop
Date: Wed, 15 May 2019 21:57:59 -0400
Subject: subtree updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

poky: 4e511f0abc..a015ed7704: Adrian Bunk (22): gnutls: upgrade 3.6.5 -> 3.6.7 dhcp: Replace OE specific patch for compatibility with latest bind with upstream patch Set XZ_COMPRESSION_LEVEL to -9 gcc: Remove Java support variables Use the best xz compression for the SDK gnome-doc-utils: Remove stale patch libxcrypt: Stop adding -std=gnu99 to CPPFLAGS file: Stop adding -std=c99 to CFLAGS gnu-efi: Remove support patch for gcc < 4.7 grub: Use -Wno-error instead of doing this on a per-warning basis socat: upgrade 1.7.3.2 -> 1.7.3.3 bison: upgrade 3.0.4 -> 3.1 mmc-utils: update to the latest upstream code cogl: upgrade 1.22.2 -> 1.22.4 cogl: remove -Werror=maybe-uninitialized workaround libxcb: remove workaround patch for a bug that was fixed in gcc 5 in 2015 sysstat: inherit upstream-version-is-even ccache: upgrade 3.6 -> 3.7.1 lttng-modules: upgrade 2.10.8 -> 2.10.9 iproute2: Remove bogus workaround patch for musl openssl: Remove openssl10 Remove irda-utils and the irda feature Alejandro Enedino Hernandez Samaniego (1): run-postinsts: Fix full execution of scripts at first boot Alejandro del Castillo (1): opkg: add ptest Alex Kiernan (12): systemd-conf: simplify creation of machine-specific configuration systemctl-native: Rewrite in Python supporting preset-all and mask image: call systemctl preset-all for images uboot-sign: Fix build when UBOOT_DTB_BINARY is empty patchelf: Upgrade 0.9 -> 0.10 python3: Add ntpath.py to python core go: Exclude vcs files when installing deps recipetool: fix unbound variable when fixed SRCREV can't be found systemd: Default to non-stateless images systemd-systemctl: Restore support for enable command systemd: Restore mask and preset targets, fix instance creation shadow: Backport last change reproducibility Alexander Kanavin (38): python3: add a tr-tr locale for
test_locale ptest gobject-introspection: update to 1.60.1 dtc: upgrade 1.4.7 -> 1.5.0 webkitgtk: update to 2.24.0 libdazzle: update to 3.32.1 vala: update to 0.44.3 libdnf: update to 0.28.1 libcomps: upgrade 0.1.10 -> 0.1.11 dnf: upgrade 4.1.0 -> 4.2.2 btrfs-tools: upgrade 4.20.1 -> 4.20.2 meson: update to 0.50.0 libmodulemd: update to 2.2.3 at-spi2-core: fix meson 0.50 build ffmpeg: update to 4.1.3 python: update to 2.7.16 python: update to 3.7.3 python-numpy: update to 1.16.2 icu: update to 64.1 epiphany: update to 3.32.1.2 python3: add another multilib fix meson: do not try to substitute the prefix in python supplied paths python3-pygobject: update to 3.32.0 meson: add missing Upstream-Status and SOB to a patch acpica: update to 20190405 msmtp: fix upstream version check python-scons: update to 3.0.5 python-setuptools: update to 41.0.1 python3-mako: update to 1.0.9 python3-pbr: update to 5.1.3 python3-pip: update to 19.0.3 buildhistory: call a dependency parser only on actual dependency lists gtk-doc.bbclass: unify option setting for meson-based recipes python3-pycairo: update to 1.18.1 maintainers.inc: take over as perl maintainer xorg-lib: drop native overrides for REQUIRED_DISTRO_FEATURES meson: update to 0.50.1 perl: update to 5.28.2 packagegroup-self-hosted: drop epiphany Alistair Francis (5): u-boot: Upgrade from 2019.01 to 2019.04 beaglebone-yocto: Update u-boot config to match u-boot 19.04 u-boot: Fix missing Python.h build failure libsoup: Upgrade from 2.64.2 to 2.66.1 qemu: Upgrade from 3.1.0 to 4.0.0 Andre Rosa (1): bitbake: utils: Let mkdirhier fail if existing path is not a folder Andreas Müller (17): gobject-introspection: auto-enable/-disable gobject-introspection for meson libmodulemd: use gobject-introspection.bbclass on/off mechanism gdk-pixbuf: use gobject-introspection.bbclass on/off mechanism json-glib: use gobject-introspection.bbclass on/off mechanism libdazzle: use gobject-introspection.bbclass on/off mechanism clutter-gtk-1.0: use 
gobject-introspection.bbclass on/off mechanism pango: use gobject-introspection.bbclass on/off mechanism at-spi2-core: use gobject-introspection.bbclass on/off mechanism atk: use gobject-introspection.bbclass on/off mechanism libsoup-2.4: use gobject-introspection.bbclass on/off mechanism glib-networking: upgrade 2.58.0 -> 2.60.1 gst-plugins: move 'inherit gobject-introspection' to recipes supporting GI gstreamer1.0-python: rework gobject-introspection handling insane.bbclass: Trigger unrecognzed configure option for meson vte: upgrade 0.52.2 -> 0.56.1 vte: move shell auto scripts into seperate package qemu: split out vte into seperate PACKAGECONFIG Andreas Obergschwandtner (1): uboot-sign: add support for different u-boot configurations Andrej Valek (2): dropbear: update to 2019.78 systemd: upgrade to 242 Angus Lees (1): Revert "wic: Set a miniumum FAT16 volume size." Anuj Mittal (4): gcc: fix CVE-2018-18484 gdb: fix CVE-2017-9778 binutils: fix CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077 openssh: fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6111 Armin Kuster (8): resulttool: add ltp test support logparser: Add decoding ltp logs ltp: add runtime test resulttool: add LTP compliance section logparser: Add LTP compliance section ltp_compliance: add new runtime manual compliance: remove bits done at runtime nss: cleanup recipe to match OE style Beniamin Sandu (1): kernel-devsrc: check for localversion files in the kernel source tree Breno Leitao (3): weston-init: Fix tab indentation weston-init: Add support for non-root start weston-init: Fix WESTON_USER typo Bruce Ashfield (8): linux-yocto/5.0: update to v5.0.5 linux-yocto-rt: update to 5.0.5-rt3 linux-yocto/5.0: update to v5.0.7 linux-yocto/4.19: update to v4.19.34 linux-yocto-rt/4.19: fix merge conflict in lru_drain linux-yocto/5.0: port RAID configuration tweaks from master linux-yocto/5.0: integrate TCP timeout / hang fix linux-yocto/5.0: update TCP patch to mainline version Changhyeok Bae (2): iw: 
upgrade 4.14 -> 5.0.1 iptables: upgrade 1.6.2 -> 1.8.2 Changqing Li (11): ruby: make ext module fiddle can compile success ruby: add ptest cogl: fix compile error caused by -Werror=maybe-uninitialized systemd: change default locale from C.UTF-8 to C m4: add ptest support gettext: add ptest support waffle: supprt build waffle without x11 piglit: support build piglit without x11 dbus: fix ptest failure populate_sdk_base: provide options to set sdk type python3: fix do_install fail for parallel buiild Chee Yang Lee (1): wic/bootimg-efi: replace hardcoded volume name with label Chen Qi (9): runqemu: do not check return code of tput busybox: fix ptest failure about 'dc' base-files: move hostname operations out of issue file settings webkitgtk: set CVE_PRODUCT dropbear: set CVE_PRODUCT libsdl: set CVE_PRODUCT ghostscript: set CVE_PRODUCT flac: also add flac to CVE_PRODUCT squashfs-tools: set CVE_PRODUCT David Reyna (1): bitbake: toaster: update to Warrior Dengke Du (2): perf: workaround the error cased by maybe-uninitialized warning linux-yocto_5.0: set devicetree for armv5 Denys Dmytriyenko (1): weston: upgrade 5.0.0 -> 6.0.0 Douglas Royds (2): distutils: Run python from the PATH in the -native case as well distutils: Tidy and simplify for readability Fabio Berton (1): mesa: Update 19.0.1 -> 19.0.3 He Zhe (2): ltp: Fix setrlimit03 call succeeded unexpectedly systemd: Bump up SRCREV to systemd-stable top to include the fix for shutdown now hang Hongxu Jia (15): image_types.bbclass: fix a race between the ubi and ubifs FSTYPES cpio/tar/native.bbclass: move rmt to sbindir and add a prefix to avoid native clashing acpica: use update-alternatives for acpidump apr: upgrade 1.6.5 -> 1.7.0 man-pages: upgrade 4.16 -> 5.01 man-db: upgrade 2.8.4 -> 2.8.5 bash: upgrade 4.4.18 -> 5.0 ncurses: fix incorrect UPSTREAM_CHECK_GITTAGREGEX gpgme: upgrade 1.12.0 -> 1.13.0 subversion: upgrade 1.11.1 -> 1.12.0 groff: upgrade 1.22.3 -> 1.22.4 libxml2: upgrade 2.9.8 -> 2.9.9 ghostscript: 9.26 
-> 9.27 groff: imporve musl support oeqa/targetcontrol.py: fix qemuparams not work in runqemu with launch_cmd Jacob Kroon (3): grub-efi-native: Install grub-editenv bitbake: knotty: Pretty print task elapsed time base-passwd: Add kvm group Jaewon Lee (1): Adding back wrapper and using OEPYTHON3HOME variable for python3 Jens Rehsack (1): kernel-module-split.bbclass: support CONFIG_MODULE_COMPRESS=y Jonas Bonn (3): systemd: don't build firstboot by default systemd: do not create machine-id systemd: create preset files instead of installing in image Joshua Watt (6): classes/waf: Set WAFLOCK resulttool: Load results from URL resulttool: Add log subcommand qemux86: Allow higher tunes bitbake.conf: Account for older versions of bitbake resulttool: Add option to dump all ptest logs Kai Kang (5): msmtp: 1.6.6 -> 1.8.3 cryptodev: fix module loading error target-sdk-provides-dummy: resolve sstate conflict bitbake.conf: set NO_RECOMMENDATIONS with weak assignment webkitgtk: fix compile error for arm64 Kevin Hao (1): meta-yocto-bsp: Bump to the latest stable kernel for all the BSP Khem Raj (9): gcc-cross-canadian: Make baremetal specific code generic musl: Upgrade to master past 1.1.22 webkitgtk: Fix build with clang mdadm: Disable Werror gcc-target: Do not set --with-sysroot and gxx-include-dir paths systemd: Add -Wno-error=format-overflow to fix build with gcc9 systemd: Backport patch to fix build with gcc9 libgfortan: Package target gcc include directory to fix gcc-9: Add recipes for gcc 9.1 release Lei Maohui (2): dnf: Enable nativesdk icu: Added armeb support. 
Lei Yang (1): recipetool: add missed module Luca Boccassi (1): systemd: add cgroupv2 PACKAGECONFIG Mardegan, Alberto (1): oeqa/core/runner: dump stdout and stderr of each test case Mariano Lopez (5): update-alternatives.bbclass: Add function to get metadata ptest.bbclass: Add feature to populate a binary directory util-linux: Use PTEST binary directory busybox: Use PTEST binary directory ptest.bbclass: Use d.getVar instead of os.environ Martin Jansa (6): connman: add PACKAGECONFIG for nfc, fix MACHINE_ARCH signature when l2tp is enabled icecc.bbclass: stop causing everything to be effectivelly MACHINE_ARCH glibc: always use bfd linker opkg: fix ptest packaging when OPKGLIBDIR == libdir kexec-tools: refresh patches with devtool perf: make sure that the tools/include/uapi/asm-generic directory exists Matthias Schiffer (1): systemd: move "machines" symlinks to systemd-container Max Kellermann (2): useradd-staticids: print exception after parse_args() error initrdscripts: merge multiple "mkdir" calls Michael Scott (2): kernel-fitimage: support RISC-V procps: update legacy sysctl.conf to fix rp_filter sysctl issue Mikko Rapeli (3): elfutils: remove Elfutils-Exception and include GPLv2 for shared libraries oeqa/sdk: use bash to execute SDK test commands openssh: recommend rng-tools with sshd Mingli Yu (6): nettle: fix ptest failure elfutils: add ptest support elfutils: fix build failure with musl gcc-sanitizers: fix -Werror=maybe-uninitialized issue nettle: fix the Segmentation fault nettle: fix ptest failure Nathan Rossi (1): ccmake.bbclass: Fix up un-escaped quotes in output formatting Naveen Saini (5): core-image-rt: make sure that we append to DEPENDS core-image-rt-sdk: make sure that we append to DEPENDS bitbake.conf: add git-lfs to HOSTTOOLS_NONFATAL bitbake: bitbake: fetch2/git: git-lfs check linux-yocto: update genericx86* SRCREV for 4.19 Oleksandr Kravchuk (52): iproute2: update to 5.0.0 curl: update to 7.64.1 libxext: update to 1.3.4 x11perf: update to 1.6.1 
libxdmcp: update to 1.1.3 libxkbfile: update 1.1.0 libxvmc: update to 1.0.11 libxrandr: update to 1.5.2 connman: update to 1.37 ethtool: update to 5.0 tar: update to 1.32 ffmpeg: update to 4.1.2 librepo: update to 1.9.6 libxmu: update to 1.1.3 libxcrypt: update to 4.4.4 wget: update to 1.20.2 libsecret: 0.18.8 createrepo-c: update to 0.12.2 libinput: update to 1.13.0 cronie: update to 1.5.4 libyaml: update to 0.2.2 fontconfig: update to 2.13.1 makedepend: update to 1.0.6 libdrm: update to 2.4.98 libinput: update to 1.13.1 libnotify: update to 0.7.8 libpng: update to 1.6.37 libcroco: update to 0.6.13 libpsl: update to 0.21.0 git: update to 2.21.0 quota: update to 4.05 gnupg: update to 2.2.15 lz4: update to 1.9.0 orc: update to 0.4.29 help2man-native: update to 1.47.10 cups: update to 2.2.11 pixman: update to 0.38.4 libcap: update to 2.27 ninja: add Upstream-Status and SOB for musl patch python-numpy: update to 1.16.3 python3-pygobject: update to 3.32.1 wget: update to 1.20.3 libsolv: update to 0.7.4 ell: add recipe sqlite3: update to 3.28.0 kmscube: update to latest revision coreutils: update to 8.31 mtools: update to 4.0.23 msmtp: update to 1.8.4 wpa-supplicant: update to 2.8 bitbake.conf: use https instead of http ell: update to 0.20 Paul Barker (3): oe.path: Add copyhardlink() helper function license_image: Use new oe.path.copyhardlink() helper gdb: Fix aarch64 build with musl Peter Kjellerstedt (1): systemd: Use PACKAGECONFIG definition to depend on libnss-myhostname Randy MacLeod (5): valgrind: update from 3.14.0 to 3.15.0 valgrind: fix vg_regtest return code valgrind: update the ptest subdirs list valgrind: adjust test filters and expected output valgrind: fix call/cachegrind ptests Richard Purdie (52): pseudo: Update to gain key bugfixes python3: Avoid hanging tests python3: Fix ptest output parsing go.bbclass: Remove unused override goarch.bbclass: Simplify logic e2fsprogs: Skip slow ptest tests bitbake: bitbake: Update version to 1.42.0 poky.conf: Bump 
version for 2.7 warrior release build-appliance-image: Update to warrior head revision bitbake: bitbake: Post release version bumnp to 1.43 poky.conf: Post release version bump build-appliance-image: Update to master head revision Revert "nettle: fix ptest failure" core-image-sato-sdk-ptest: Try and keep image below 4GB limit core-image-sato-ptest-fast: Add 'fast' ptest execution image core-image-sato-sdk-ptest: Include more ptests in ptest image core-image-sato-sdk-ptest: Add temporary PROVIDES core-image-sato-ptest resultool/resultutils: Fix module import error lttng-tools: Add missing patch Upstream-Status utils/multiprocess_launch: Improve failing subprocess output python3: Drop ptest hack ptest-packagelists: Add m4 and gettext as 'fast' ptests bitbake: knotty: Implement console 'keepalive' output bitbake: build: Ensure warning for invalid task dependencies is useful bitbake: build: Disable warning about dependent tasks for now oeqa/ssh: Avoid unicode decode exceptions elfutils: ptest fixes elfutils: Fix ptest compile failures on musl bitbake: bitbake: Add initial pass of SPDX license headers to source code bitbake: bitbake: Drop duplicate license boilerplace text bitbake: bitbake: Strip old editor directives from file headers bitbake: HEADER: Drop it openssh/systemd/python/qemu: Fix patch Upstream-Status scripts/pybootchart: Fix mixed indentation scripts/pybootchart: Port to python3 scripts/pybootchart/draw: Clarify some variable names scripts/pybootchart/draw: Fix some bounding problems coreutils: Fix patch upstream status field oeqa: Drop OETestID meta/lib+scripts: Convert to SPDX license headers oeqa/core/runner: Handle unexpectedSucesses oeqa/systemd_boot: Drop OETestID oeqa/runner: Fix subunit setupClass/setupModule failure handling oeqa/concurrenttest: Patch subunit module to handle classSetup failures tcmode-default: Add PREFERRED_VERSION for libgfortran oeqa/selftest: Automate manual pybootchart tests openssh: Avoid PROVIDES warning from rng-tools 
dependency oeqa/target/ssh: Replace suggogatepass with ignoring errors core-image-sato-sdk-ptest: Tweak size to stay within 4GB limit valgrind: Include debugging symbols in ptests dbus-test: Improve ptest dependencies dependencies ptest: Add RDEPENDS frpm PN-ptest to PN package Robert Joslyn (1): qemu: Add PACKAGECONFIG for snappy Robert Yang (6): bitbake: bitbake-diffsigs: Use 4 spaces as indent for recursecb bitbake: bb: siggen: Make dump_sigfile and compare_sigfiles print uuid4 bitbake: bb: siggen: Print more info when basehash are mis-matched bitbake: BBHandler: Fix addtask and deltask bitbake: build.py: check dependendent task for addtask bitbake: tests/parse.py: Add testcase for addtask and deltask Ross Burton (14): lttng-tools: fix Upstream-Status acpica: upgrade to 20190215 staging: add ${datadir}/gtk-doc/html to the sysroot blacklist mpg123: port to use libsdl2 meta-poky: remove obsolete DISTRO_FEATURES_LIBC m4: update patch status packagegroup-core-full-cmdline: remove zlib wic: change expand behaviour to match docs wic: add global debug option gtk-icon-cache: clean up DEPENDS patch: add minver and maxver parameters glib-2.0: fix locale handling glib-2.0: add missing locales for the tests glib-2.0: fix last failing ptest Scott Rifenbark (34): bitbake: poky.ent: Removed "ECLIPSE" entity variables. bitbake: bitbake-user-manual: Added section on modifying variables Makefile: Removed Eclipse support Documentation: Removed customization.xsl files for Eclipse mega-manual: Removed two Eclipse figures from tarball list mega-manual, overview-manual: Added updated index releases figure poky.ent: Removed Eclipse related variables. mega-manual: Removed the Eclipse chapters dev-manual: Removed all references to Eclipse. 
overview-manual: Removed all references to Eclipse profile-manual: Removed all references to Eclipse ref-manual: Removed all references to Eclipse sdk-manual: Removed all references to Eclipse sdk-manual: Removed all references to Eclipse dev-manual; brief-yoctoprojectqs: Updated checkout branch example dev-manual: Added reasoning blurb to "Viewing Variables" section. ref-manual: Inserted Migration 2.7 section. ref-manual: Added Eclipse removal for migration section. ref-manual: Added "License Value Corrections to migration. ref-manual: Added Fedora 29 to the supported distros list. poky.ent: changed 2.7 release variable date to "May 2019" ref-manual: Review comments applied to 2.7 migration section. documentation: Prepared for 2.8 release bsp-guide: Removed inaccurate "container layer" references. ref-manual: Updated the "Container Layer" term. bsp-guide: Updated the "beaglebone-yocto.conf" example. documentation: Cleaned up "plug-in"/"plugin" terminology. bsp-guide: Updated the BSP kernel recipe example. ref-manual: Updated PREFERRED_VERSION variable to use 5.0 bsp-guide: More corrections to the BSP Kernel Recipe example dev-manual: Added cross-link to "Fetchers" section in BB manual. bitbake: bitbake-user-manual: Added npm to other fetcher list. overview-manual: Updated SMC section to link to fetchers ref-manual: Added "npm" information to the SRC_URI variable. 
Stefan Kral (1): bitbake: build: Add verbnote to shell log commands Stefan Müller-Klieser (1): cml1.bbclass: fix undefined behavior Steven Hung (洪于玉) (1): kernel.bbclass: convert base_do_unpack_append() to a task Tom Rini (2): vim: Rework to not rely on relative directories vim: Update to 8.1.1240 Wenlin Kang (1): systemd: install libnss-myhostname.so when myhostname be enabled Yeoh Ee Peng (1): resulttool/manualexecution: Refactor and remove duplicate code Yi Zhao (2): harfbuzz: update source checksums after upstream replaced the tarball libyaml: update SRC_URI[md5sum] and SRC_URI[sha256sum] Ying-Chun Liu (PaulLiu) (1): uboot-sign: Fix u-boot-nodtb symlinks Zang Ruochen (10): libatomic-ops:upgrade 7.6.8 -> 7.6.10 libgpg-error:upgrade 1.35 -> 1.36 libxft:upgrade 2.3.2 -> 2.3.3 libxxf86dga:upgrade 1.1.4 -> 1.1.5 nss:upgrade 3.42.1 -> 3.43 sysprof:upgrade 3.30.2 -> 3.32.0 libtirpc:upgrade 1.0.3 -> 1.1.4 xtrans:upgrade 1.3.5 -> 1.4.0 harfbuzz:upgrade 2.3.1 -> 2.4.0 icu: Upgrade 64.1 -> 64.2 Zheng Ruoqin (1): sanity: check_perl_modules bug fix sangeeta jain (1): resulttool/manualexecution: Enable test case configuration option

meta-openembedded: 4a9deabbc8..1ecd8b4364: Adrian Bunk (34): linux-atm: Remove DEPENDS on virtual/kernel and PACKAGE_ARCH linux-atm: Replace bogus on_exit removal with musl-specific hack ledmon: Mark as incompatible on musl instead of adding bogus patch efivars: Drop workaround patch for host gcc < 4.7 sshfs-fuse: upgrade 2.8 -> 2.10 wv: upgrade 1.2.4 -> 1.2.9 caps: Upgrade 0.9.24 -> 0.9.26 dvb-apps: Remove dvb-fe-xc5000c-4.1.30.7.fw schroedinger: Remove the obsolete DEPENDS on liboil vlc: Remove workaround and patches for problems fixed upstream Remove liboil dnrd: Remove stale files of recipe removed 2 years ago postfix: Upgrade 3.4.1 -> 3.4.5 pptp-linux: Upgrade 1.9.0 -> 1.10.0 dovecot: Upgrade 2.2.36 -> 2.2.36.3 postgresql: Upgrade 11.2 -> 11.3 rocksdb: Upgrade 5.18.2 -> 5.18.3 cloud9: Remove stale files of recipe removed 2 years ago
fluentbit: Upgrade 0.12.1 -> 0.12.19 libcec: Upgrade 4.0.2 -> 4.0.4 libqb: Upgrade 1.0.3 -> 1.0.5 openwsman: Upgrade 2.6.8 -> 2.6.9 glm: Upgrade 0.9.9.3 -> 0.9.9.5 fvwm: Upgrade 2.6.7 -> 2.6.8 augeas: Upgrade 1.11.0 -> 1.12.0 ccid: Upgrade 1.4.24 -> 1.4.30 daemonize: Upgrade 1.7.7 -> 1.7.8 inotify-tools: Upgrade 3.14 -> 3.20.1 liboop: Upgrade 1.0 -> 1.0.1 ode: Remove stale file of recipe removed 2 years ago openwbem: Remove stale files of recipe removed 2 years ago catch2: Upgrade 2.6.1 -> 2.7.2 geos: Upgrade 3.4.2 -> 3.4.3 rdfind: Upgrade 1.3.4 -> 1.4.1 Akshay Bhat (3): python-urllib3: Set CVE_PRODUCT python3-pillow: Set CVE_PRODUCT python-requests: Set CVE_PRODUCT Alistair Francis (3): mycroft: Update the systemd service to ensure we are ready to start mycroft: Bump from 19.2.2 to 19.2.3 python-obd: Add missing RDEPENDS Andreas Müller (33): gvfs: remove executable permission from systemd user services udisks2: upgrade 2.8.1 -> 2.8.2 parole: upgrade 1.0.1 -> 1.0.2 ristretto: upgrade 0.8.3 -> 0.8.4 networkmanager: rework musl build gvfs: remove systemd user unit executable permission adjustment fltk: upgrade 1.3.4-2 -> 1.3.5 samba: install bundled libs into seperate packages samba: rework localstatedir package split fluidsynth: upgrade 2.0.4 -> 2.0.5 xfce4-vala: auto-detect vala api version gnome-desktop3: set correct meson gtk doc option vlc: rework qt PACKAGECONFIG evince: add patch to fix build with recent gobject-introspection xfce4-cpufreq-plugin: Fix memory leak and reduce CPU load packagegroup-meta-networking: replace DISTRO_FEATURE by DISTRO_FEATURES meta-xfce: add meta-networking to layer depends gtksourceview4: initial add 4.2.0 gtksourceview-classic-light: extend to gtksourceview4 itstool: rework - it went out too early fontforge: upgrade 20170731 -> 20190413 exo: upgrade 0.12.4 -> 0.12.5 xfce4-places-plugin: upgrade 1.7.0 -> 1.8.0 xfce4-datetime-plugin: upgrade 0.7.0 -> 0.7.1 xfce4-notifyd: upgrade 0.4.3 -> 0.4.4 desktop-file-utils: remove - a more 
recent version is in oe-core libwnck3: upgrade 3.30.0 and move to meson build xfce4-terminal: add vte-prompt to RRECOMMENDS xfce4-session: get rid of machine-host xfce4-session: remove strange entry in FILES_${PN} libxfce4ui: Add PACKAGECONFIG 'gladeui2' for glade (gtk3) support glade3: move to to meta-xfce Remove me as maintainer Andrej Valek (2): squid: upgrade squid 3.5.28 -> 4.6 ntp: upgrade 4.2.8p12 -> 4.2.8p13 Ankit Navik (1): libnfc: Initial recipe for Near Field Communication library. Armin Kuster (1): meta-filesystems: drop bitbake from README Changqing Li (5): gd: fix compile error caused by -Werror=maybe-uninitialized apache2: add back patch for set perlbin php: upgrade 7.3.2 -> 7.3.4 postgresql: fix compile error php: correct httpd path Chris Garren (1): python-cryptography: Move linker flag to .inc Denys Dmytriyenko (1): v4l-utils: upgrade 1.16.0 -> 1.16.5 Gianfranco Costamagna (1): cpprest: update to 2.10.13, drop 32bit build fix upstream Hains van den Bosch (1): libcdio: update to version 2.1.0 Hongxu Jia (1): pmtools: use update-alternatives for acpidump Hongzhi.Song (1): lua: upgrade from v5.3.4 to v5.3.5 Ivan Maidanski (1): bdwgc: upgrade 7.6.12 -> 8.0.4 Johannes Pointner (1): samba: update to 4.8.11 Kai Kang (3): gvfs: fix typo libexec drbd: fix compile errors drbd-utils: fix file conflict with base-files Khem Raj (3): redis: Upgrade to 4.0.14 squid: Link with libatomic on mips/ppc cpupower: Inherit bash completion class Leon Anavi (1): openbox: Add python-shell as a runtime dependency Liwei Song (1): ledmon: control hard disk led for RAID arrays Mark Asselstine (1): xfconf: fix 'Failed to get connection to xfconfd' during do_rootfs Martin Jansa (13): ftgl: add x11 to required DISTRO_FEATURES like freeglut libforms: add x11 to required DISTRO_FEATURES because of libx11 Revert "ell: remove recipe" ne10: set NE10_TARGET_ARCH with an override instead of anonymous python libopus: use armv7a, aarch64 overrides when adding ne10 dependency esound: fix 
SRC_URI for multilib opusfile: fix SRC_URI for multilib miniupnpd: fix SRC_URI for multilib zbar: fix SRC_URI for multilib libvncserver: set PV in the recipe efivar: prevent native efivar depending on target kernel libdbi-perl: prevent native libdbi-perl depending on target perl aufs-util: prevent native aufs-util depending on target kernel Ming Liu (1): libmodbus: add documentation PACKAGECONFIG Mingli Yu (6): indent: Upgrade to 2.2.12 hostapd: Upgrade to 2.8 hwdata: Upgrade to 0.322 rrdtool: Upgrade to 1.7.1 libdev-checklib-perl: add new recipe libdbd-mysql-perl: Upgrade to 4.050 Nathan Rossi (1): fatresize_1.0.2.bb: Add recipe for fatresize command line tool Nicolas Dechesne (3): cpupower: remove LIC_FILES_CHKSUM bpftool: remove LIC_FILES_CHKSUM cannelloni: move from meta-oe to meta-networking Oleksandr Kravchuk (38): smcroute: update to 2.4.4 phytool: update to v2 fwknop: update to 2.6.10 cifs-utils: update to 6.9 keepalived: update to 2.0.15 usbredir: update to 0.8.0 open-isns: update to 0.99 nanomsg: update to 1.1.5 stunnel: update to 5.51 babeld: update to 1.8.4 drbd-utils: update to 9.8.0 drbd: update to 9.0.17-1 macchanger: update to 1.7.0 wolfssl: update to 4.0.0 ell: remove recipe analyze-suspend: update to 5.3 chrony: update to 3.4 nghttp2: update to 1.38 nano: update to 4.1 networkmanager-openvpn: update to 1.8.10 wpan-tools: update to 0.9 uftp: update to 4.9.9 vblade: add UPSTREAM_CHECK_URI traceroute: add UPSTREAM_CHECK_URI nuttcp: update to 8.2.2 nfacct: add UPSTREAM_CHECK_URI nftables: add UPSTREAM_CHECK_URI libnetfilter-queue: update to 1.0.3 arno-iptables-firewall: update to 2.0.3 ypbind-mt: update to 2.6 ebtables: add UPSTREAM_CHECK_URI doxygen: replace ninja 1.9.0 fix with official one libnetfilter-queue: fix update to 1.0.3 networkd-dispatcher: update to 2.0.1 opensaf: update to 5.19.01 libnetfilter-conntrack: update to 1.0.7 conntrack-tools: update to 1.4.5 openvpn: update to 2.4.7 Paolo Valente (1): s-suite: push SRCREV to version 3.2 
Parthiban Nallathambi (6): python3-aiohttp: add version 3.5.4 python3-supervisor: add version 4.0.2 python3-websocket-client: add version 0.56.0 python3-tinyrecord: add version 0.1.5 python3-sentry-sdk: add version 0.7.14 python3-raven: add version 6.10.0 Pascal Bach (2): paho-mqtt-c: 1.2.1 -> 1.3.0 thrift: update to 0.12.0 Pavel Modilaynen (1): jsoncpp: add native BBCLASSEXTEND Peter Kjellerstedt (2): apache2: Correct appending to SYSROOT_PREPROCESS_FUNCS apache2: Correct packaging of build and doc related files Philip Balister (1): sip: Update to 4.19.16. Qi.Chen@windriver.com (4): multipath-tools: fix up patch to avoid segfault netkit-rsh: add tag to CVE patch ipsec-tools: fix CVE tag in patch gd: set CVE_PRODUCT Randy MacLeod (1): imagemagick: update from 7.0.8-35 to 7.0.8-43 Robert Joslyn (5): gpm: Fix gpm path in unit file gpm: Add PID file to systemd unit file gpm: Generate documentation gpm: Remove duplicate definition of _GNU_SOURCE gpm: Recipe cleanup Sean Nyekjaer (2): cannelloni: new package, CAN to ethernet proxy ser2net: upgrade to version 3.5.1 Vincent Prince (1): mongodb: Fix build with gcc Wenlin Kang (1): samba: add PACKAGECONFIG for libunwind Yi Zhao (7): python-flask-socketio: move to meta-python directory apache2: upgrade 2.4.34 -> 2.4.39 apache-websocket: upgrade to latest git rev netkit-rsh: security fixes openhpi: fix failure of ptest case ohpi_035 openhpi: update openhpi-fix-testfail-errors.patch phpmyadmin: upgrade 4.8.3 -> 4.8.5 Zang Ruochen (43): xlsatoms: upgrade 1.1.2 -> 1.1.3 xrdb: upgrade 1.1.1 -> 1.2.0 xrefresh: upgrade 1.0.5 -> 1.0.6 xsetroot: upgrade 1.1.1 -> 1.1.2 xstdcmap: upgrade 1.0.3 -> 1.0.4 xbitmaps: upgrade 1.1.1 -> 1.1.2 wireshark: upgrade 3.0.0 -> 3.0.1 python-cffi: upgrade 1.11.5 -> 1.12.2 python-attrs: upgrade 18.1.0 -> 19.1.0 python-certifi: upgrade 2018.8.13 -> 2019.3.9 python-beabutifulsoup4: upgrade 4.6.0 -> 4.7.1 python-dateutil: upgrade 2.7.3 -> 2.8.0 python-mako: upgrade 1.0.7 -> 1.0.9 python-msgpack: upgrade 
0.6.0 -> 0.6.1 python-paste: upgrade 3.0.6 -> 3.0.8 python-psutil: upgrade 5.4.6 -> 5.6.1 python-py: upgrade 1.6.0 -> 1.8.0 python-pymongo: upgrade 3.7.1 -> 3.7.2 python-pyopenssl: upgrade 18.0.0 -> 19.0.0 python-pytz: upgrade 2018.5 -> 2019.1 python-stevedore: upgrade 1.29.0 -> 1.30.1 python-pbr: upgrade 4.2.0 -> 5.1.3 python-cython: upgrade 0.28.5 -> 0.29.6 python-editor: upgrade 1.0.3 -> 1.0.4 python-jinja2: upgrade 2.10 -> 2.10.1 python-lxml: upgrade 4.3.1 -> 4.3.3 python-alembic: upgrade 1.0.0 -> 1.0.9 python-cffi: upgrade 1.12.2 -> 1.12.3 python-hyperlink: upgrade 18.0.0 -> 19.0.0 python-twisted: upgrade 18.4.0 -> 19.2.0 python-zopeinterface: upgrade 4.5.0 -> 4.6.0 python-decorator: upgrade 4.3.0 -> 4.4.0 python-pip: upgrade 18.0 -> 19.1 python-pyasn1: upgrade 0.4.4 -> 0.4.5 libnet-dns-perl: upgrade 1.19 -> 1.20 python-alembic: upgrade 1.0.9 -> 1.0.10 python-cython: upgrade 0.29.6 -> 0.29.7 python-mock: upgrade 2.0.0 -> 3.0.5 python-pbr: upgrade 5.1.3 -> 5.2.0 python-psutil: upgrade 5.6.1 -> 5.6.2 python-pymongo: upgrade 3.7.2 -> 3.8.0 python-pyperclip: upgrade 1.6.2 -> 1.7.0 python-rfc3987: upgrade 1.3.7 -> 1.3.8 leimaohui (3): To fix confilict error with python3-pbr. python-pycodestyle: Fix conflict error with python3-pycodestyle during do_rootfs mozjs: Make mozjs support arm32BE. 

meta-raspberrypi: 9ceb84ee9e..7059c37451: Francesco Giancane (1): qtbase_%.bbappend: update PACKAGECONFIG name for xkbcommon Gianluigi Tiesi (1): psplash: Raise alternatives priority to 200 Martin Jansa (3): linux_raspberrypi_4.19: Update to 4.19.34 bluez5: apply the same patches and pi-bluetooth dependency for all rpi MACHINEs userland: use default PACKAGE_ARCH Paul Barker (3): linux-raspberrypi: Update 4.14.y kernel linux-raspberrypi: Switch default back to 4.14.y linux-raspberrypi 4.9: Drop old version

meta-security: 8a1f54a246..9f5cc2a7eb: Alexander Kanavin (1): apparmor: fetch from git Armin Kuster (15): clamav runtime: add resolve.conf support clamav: fix llvm reference version libldb: add waf-cross-answeres clamav: runtime fix local routing clamav: add clamav-cvd package for cvd db clamav-native: fix new build issue apparmor: fix fragment for 5.0 kernel apparmor: add a few more runtime smack: move patch to smack dir smack-test: add smack tests from meta-intel-iot-security samhain: add more tests and fix ret checks libldb: add earlier version libseccomp: update to 2.4.1 oe-selftest: add running cve checker smack: kernel fragment update Yi Zhao (2): meta-tpm/conf/layer.conf: update layer dependencies meta-tpm/README: update

Change-Id: I9e02cb75a779f25fca84395144025410bb609dfa
Signed-off-by: Brad Bishop --- meta-security/files/waf-cross-answers/README | 3 + .../waf-cross-answers/cross-answers-aarch64.txt | 39 ++ .../waf-cross-answers/cross-answers-aarch64_be.txt | 39 ++ .../files/waf-cross-answers/cross-answers-arm.txt | 40 ++ .../waf-cross-answers/cross-answers-armeb.txt | 40 ++ .../files/waf-cross-answers/cross-answers-i586.txt | 40 ++ .../files/waf-cross-answers/cross-answers-i686.txt | 40 ++ .../files/waf-cross-answers/cross-answers-mips.txt | 40 ++ .../waf-cross-answers/cross-answers-mips64.txt | 39 ++ .../waf-cross-answers/cross-answers-mips64el.txt | 39 ++ .../waf-cross-answers/cross-answers-mipsel.txt | 40 ++ .../waf-cross-answers/cross-answers-powerpc.txt | 40 ++ .../waf-cross-answers/cross-answers-powerpc64.txt | 40 ++ .../waf-cross-answers/cross-answers-riscv64.txt | 39 ++ .../waf-cross-answers/cross-answers-x86_64.txt | 39 ++ meta-security/lib/oeqa/runtime/cases/apparmor.py | 19 + meta-security/lib/oeqa/runtime/cases/clamav.py | 30 ++ meta-security/lib/oeqa/runtime/cases/samhain.py | 31 +- meta-security/lib/oeqa/runtime/cases/smack.py | 529 +++++++++++++++++++++ .../lib/oeqa/selftest/cases/cvechecker.py | 27 ++ meta-security/meta-tpm/README | 57 +++ meta-security/meta-tpm/conf/layer.conf | 1 + .../linux/linux-yocto-5.0/apparmor.cfg | 6 - .../recipes-kernel/linux/linux-yocto-5.0/smack.cfg | 11 +- .../recipes-mac/AppArmor/apparmor_2.13.2.bb | 6 +- meta-security/recipes-mac/smack/files/run-ptest | 3 - .../smack/files/smack_generator_make_fixup.patch | 18 - .../recipes-mac/smack/mmap-smack-test/mmap.c | 7 + .../recipes-mac/smack/mmap-smack-test_1.0.bb | 16 + .../recipes-mac/smack/smack-test/notroot.py | 33 ++ .../smack/smack-test/smack_test_file_access.sh | 54 +++ .../test_privileged_change_self_label.sh | 18 + .../smack/smack-test/test_smack_onlycap.sh | 27 ++ meta-security/recipes-mac/smack/smack-test_1.0.bb | 21 + meta-security/recipes-mac/smack/smack/run-ptest | 3 + .../smack/smack/smack_generator_make_fixup.patch | 18 + 
.../recipes-mac/smack/tcp-smack-test/tcp_client.c | 111 +++++ .../recipes-mac/smack/tcp-smack-test/tcp_server.c | 118 +++++ .../smack/tcp-smack-test/test_smack_tcp_sockets.sh | 108 +++++ .../recipes-mac/smack/tcp-smack-test_1.0.bb | 24 + .../smack/udp-smack-test/test_smack_udp_sockets.sh | 107 +++++ .../recipes-mac/smack/udp-smack-test/udp_client.c | 75 +++ .../recipes-mac/smack/udp-smack-test/udp_server.c | 93 ++++ .../recipes-mac/smack/udp-smack-test_1.0.bb | 23 + .../recipes-security/clamav/clamav_0.99.4.bb | 64 ++- .../clamav/files/freshclam-native.conf | 224 +++++++++ .../libseccomp/libseccomp_2.4.0.bb | 41 -- .../libseccomp/libseccomp_2.4.1.bb | 41 ++ .../libldb/avoid-openldap-unless-wanted.patch | 13 + ...-import-target-module-while-cross-compile.patch | 58 +++ .../libldb/libldb/options-1.3.1.patch | 193 ++++++++ .../recipes-support/libldb/libldb_1.3.1.bb | 64 +++ 52 files changed, 2749 insertions(+), 100 deletions(-) create mode 100644 meta-security/files/waf-cross-answers/README create mode 100644 meta-security/files/waf-cross-answers/cross-answers-aarch64.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-arm.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-armeb.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-i586.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-i686.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-mips.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-mips64.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-mips64el.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-mipsel.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-powerpc.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt create mode 
100644 meta-security/files/waf-cross-answers/cross-answers-riscv64.txt create mode 100644 meta-security/files/waf-cross-answers/cross-answers-x86_64.txt create mode 100644 meta-security/lib/oeqa/runtime/cases/smack.py create mode 100644 meta-security/lib/oeqa/selftest/cases/cvechecker.py delete mode 100644 meta-security/recipes-mac/smack/files/run-ptest delete mode 100644 meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch create mode 100644 meta-security/recipes-mac/smack/mmap-smack-test/mmap.c create mode 100644 meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb create mode 100644 meta-security/recipes-mac/smack/smack-test/notroot.py create mode 100644 meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh create mode 100644 meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh create mode 100644 meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh create mode 100644 meta-security/recipes-mac/smack/smack-test_1.0.bb create mode 100644 meta-security/recipes-mac/smack/smack/run-ptest create mode 100644 meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch create mode 100644 meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c create mode 100644 meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c create mode 100644 meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh create mode 100644 meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb create mode 100644 meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh create mode 100644 meta-security/recipes-mac/smack/udp-smack-test/udp_client.c create mode 100644 meta-security/recipes-mac/smack/udp-smack-test/udp_server.c create mode 100644 meta-security/recipes-mac/smack/udp-smack-test_1.0.bb create mode 100644 meta-security/recipes-security/clamav/files/freshclam-native.conf delete mode 100644 meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb create mode 100644 
meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb create mode 100644 meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch create mode 100755 meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch create mode 100644 meta-security/recipes-support/libldb/libldb/options-1.3.1.patch create mode 100644 meta-security/recipes-support/libldb/libldb_1.3.1.bb (limited to 'meta-security') diff --git a/meta-security/files/waf-cross-answers/README b/meta-security/files/waf-cross-answers/README new file mode 100644 index 000000000..dda45c508 --- /dev/null +++ b/meta-security/files/waf-cross-answers/README @@ -0,0 +1,3 @@ +The files in this directory are cross answers files +used by waf-samba.bbclass, please see waf-samba.bbclass +for details about how they are used. diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt new file mode 100644 index 000000000..1023f6aff --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt 
@@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt new file mode 100644 index 000000000..1023f6aff --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt 
@@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-arm.txt b/meta-security/files/waf-cross-answers/cross-answers-arm.txt new file mode 100644 index 000000000..a5cd9981a --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-arm.txt 
@@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt new file mode 100644 index 000000000..a5cd9981a --- /dev/null 
+++ b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK 
diff --git a/meta-security/files/waf-cross-answers/cross-answers-i586.txt b/meta-security/files/waf-cross-answers/cross-answers-i586.txt new file mode 100644 index 000000000..a5cd9981a --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-i586.txt 
@@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-i686.txt b/meta-security/files/waf-cross-answers/cross-answers-i686.txt new file mode 100644 index 000000000..a5cd9981a --- /dev/null 
+++ b/meta-security/files/waf-cross-answers/cross-answers-i686.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK 
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips.txt b/meta-security/files/waf-cross-answers/cross-answers-mips.txt new file mode 100644 index 000000000..3e239e727 --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-mips.txt 
@@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "128" +Checking value of _NSIG: "128" +Checking value of SIGRTMAX: "127" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt new file mode 100644 index 000000000..82e694fda --- /dev/null 
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: OK +Checking value of NSIG: "128" +Checking value of _NSIG: "128" +Checking value of SIGRTMAX: "127" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt new file mode 100644 index 000000000..82e694fda --- /dev/null 
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: OK +Checking value of NSIG: "128" +Checking value of _NSIG: "128" +Checking value of SIGRTMAX: "127" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt new file mode 100644 index 000000000..3e239e727 --- /dev/null 
+++ b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "128" +Checking value of _NSIG: "128" +Checking value of SIGRTMAX: "127" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK 
diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt new file mode 100644 index 000000000..27b9378a4 --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt 
@@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt new file mode 100644 index 000000000..7fd3092cb --- /dev/null 
+++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: (255, "") +Checking if can we convert from IBM850 to UCS-2LE: (255, "") +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK 
diff --git a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt new file mode 100644 index 000000000..1023f6aff --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK 
diff --git a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt new file mode 100644 index 000000000..1023f6aff --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK 
diff --git a/meta-security/lib/oeqa/runtime/cases/apparmor.py b/meta-security/lib/oeqa/runtime/cases/apparmor.py index e2cb316d1..b6a9537e3 100644 --- a/meta-security/lib/oeqa/runtime/cases/apparmor.py +++ b/meta-security/lib/oeqa/runtime/cases/apparmor.py @@ -25,3 +25,22 @@ class ApparmorTest(OERuntimeTestCase): msg = ('aa-status failed. ' 'Status and output:%s and %s' % (status, output)) self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_status']) + def test_apparmor_aa_complain(self): + status, output = self.target.run('aa-complain /etc/apparmor.d/*') + match = re.search('apparmor module is loaded.', output) + if not match: + msg = ('aa-complain failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_complain']) + def test_apparmor_aa_enforce(self): + status, output = self.target.run('aa-enforce /etc/apparmor.d/*') + match = re.search('apparmor module is loaded.', output) + if not match: + msg = ('aa-enforce failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py index fc77330dd..d0bc645ae 100644 --- a/meta-security/lib/oeqa/runtime/cases/clamav.py +++ b/meta-security/lib/oeqa/runtime/cases/clamav.py @@ -1,6 +1,7 @@ # Copyright (C) 2019 Armin Kuster # import re +from tempfile import mkstemp from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends 
@@ -9,6 +10,22 @@ from oeqa.runtime.decorator.package import OEHasPackage class ClamavTest(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.tmp_fd, cls.tmp_path = mkstemp() + with os.fdopen(cls.tmp_fd, 'w') as f: + # use gooled public dns + f.write("nameserver 8.8.8.8") + f.write(os.linesep) + f.write("nameserver 8.8.4.4") + f.write(os.linesep) + f.write("nameserver 127.0.0.1") + f.write(os.linesep) + + @classmethod + def tearDownClass(cls): + os.remove(cls.tmp_path) + @OEHasPackage(['clamav']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_freshclam_help(self): @@ -18,6 +35,19 @@ class ClamavTest(OERuntimeTestCase): self.assertEqual(status, 0, msg = msg) @OETestDepends(['clamav.ClamavTest.test_freshclam_help']) + @OEHasPackage(['openssh-scp', 'dropbear']) + def test_ping_clamav_net(self): + dst = '/etc/resolv.conf' + self.tc.target.run('rm -f %s' % dst) + (status, output) = self.tc.target.copyTo(self.tmp_path, dst) + msg = 'File could not be copied. Output: %s' % output + self.assertEqual(status, 0, msg=msg) + + status, output = self.target.run('ping -c 1 database.clamav.net') + msg = ('ping database.clamav.net failed: output is:\n%s' % output) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net']) def test_freshclam_download(self): status, output = self.target.run('freshclam --show-progress') match = re.search('Database updated', output) diff --git a/meta-security/lib/oeqa/runtime/cases/samhain.py b/meta-security/lib/oeqa/runtime/cases/samhain.py index e4bae7bda..5043a38cc 100644 --- a/meta-security/lib/oeqa/runtime/cases/samhain.py +++ b/meta-security/lib/oeqa/runtime/cases/samhain.py @@ -1,6 +1,7 @@ # Copyright (C) 2019 Armin Kuster # import re +import os from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends 
@@ -11,10 +12,32 @@ class SamhainTest(OERuntimeTestCase): @OEHasPackage(['samhain-standalone']) @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_samhain_standalone_help(self): + def test_samhain_help(self): + machine = self.td.get('MACHINE', '') + status, output = self.target.run('echo "127.0.0.1 %s.localdomain %s" >> /etc/hosts' % (machine, machine)) + msg = ("samhain can't append hosts. " + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + status, output = self.target.run('samhain --help') - match = re.search('Please report bugs to support@la-samhna.de.', output) + msg = ('samhain command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['samhain.SamhainTest.test_samhain_help']) + def test_samhain_init_db(self): + status, output = self.target.run('samhain -t init') + match = re.search('FAILED: 0 ', output) + if not match: + msg = ('samhain database init had an unexpected failure. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['samhain.SamhainTest.test_samhain_init_db']) + def test_samhain_db_check(self): + status, output = self.target.run('samhain -t check') + match = re.search('FAILED: 0 ', output) if not match: - msg = ('samhain-standalone command does not work as expected. ' + msg = ('samhain errors found in db. ' 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 1, msg = msg) + self.assertEqual(status, 0, msg = msg) diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py new file mode 100644 index 000000000..35e87ef32 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/cases/smack.py 
@@ -0,0 +1,529 @@ +import unittest +import re +import os +import string +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature + +MAX_LABEL_LEN = 255 +LABEL = "a" * MAX_LABEL_LEN + +class SmackBasicTest(OERuntimeTestCase): + ''' base smack test ''' + + @classmethod + def setUpClass(cls): + cls.smack_path = "" + cls.current_label = "" + cls.uid = 1000 + + @skipIfNotFeature('smack', + 'Test requires smack to be in DISTRO_FEATURES') + @OEHasPackage(['smack-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_smack_basic(self): + status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'") + self.smack_path = output + status,output = self.target.run("cat /proc/self/attr/current") + self.current_label = output.strip() + +class SmackAccessLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_access_label(self): + ''' Test if chsmack can correctly set a SMACK label ''' + filename = "/tmp/test_access_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack access label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=access=")\S+(?=")', output) + if m is None: + self.fail("Did not find access attribute") + else: + label_retrieved = m .group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. 
expected and gotten: " + "%s %s" %(LABEL,label_retrieved)) + + +class SmackExecLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_exec_label(self): + '''Test if chsmack can correctly set a SMACK Exec label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack exec label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m= re.search('(?<=execute=")\S+(?=")', output) + if m is None: + self.fail("Did not find execute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackMmapLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_mmap_label(self): + '''Test if chsmack can correctly set a SMACK mmap label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack mmap label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=mmap=")\S+(?=")', output) + if m is None: + self.fail("Did not find mmap attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. 
expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackTransmutable(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_transmutable(self): + '''Test if chsmack can correctly set a SMACK transmutable mode''' + + directory = "~/test_transmutable" + self.target.run("mkdir -p %s" %directory) + status, output = self.target.run("chsmack -t %s" %directory) + self.assertEqual(status, 0, "Cannot set smack transmutable. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %directory) + self.target.run("rmdir %s" %directory) + m = re.search('(?<=transmute=")\S+(?=")', output) + if m is None: + self.fail("Did not find transmute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + "TRUE", label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackChangeSelfLabelPrivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_privileged_change_self_label(self): + '''Test if privileged process (with CAP_MAC_ADMIN privilege) + can change its label. 
+ ''' + + labelf = "/proc/self/attr/current" + command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf) + + status, output = self.target.run( + "notroot.py 0 %s %s" %(self.current_label, command)) + + self.assertIn("PRIVILEGED", output, + "Privilege process did not change label.Output: %s" %output) + +class SmackChangeSelfLabelUnprivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_unprivileged_change_self_label(self): + '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) + cannot change its label''' + + command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL + status, output = self.target.run( + "notroot.py %d %s %s" + %(self.uid, self.current_label, command) + + " 2>&1 | grep 'Operation not permitted'" ) + + self.assertEqual( + status, 0, + "Unprivileged process should not be able to change its label") + + +class SmackChangeFileLabelPrivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_unprivileged_change_file_label(self): + '''Test if unprivileged process cannot change file labels''' + + status, chsmack = self.target.run("which chsmack") + status, touch = self.target.run("which touch") + filename = "/tmp/test_unprivileged_change_file_label" + + self.target.run("touch %s" % filename) + self.target.run("notroot.py %d %s" %(self.uid, self.current_label)) + status, output = self.target.run( + "notroot.py " + + "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + + "| grep 'Operation not permitted'" ) + + self.target.run("rm %s" % filename) + self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename) + +class SmackLoadRule(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_load_smack_rule(self): + '''Test if new smack access rules can be loaded''' + + # old 23 character format requires special spaces formatting + # 
12345678901234567890123456789012345678901234567890123 + ruleA="TheOne TheOther rwxat" + ruleB="TheOne TheOther r----" + clean="TheOne TheOther -----" + modeA = "rwxat" + modeB = "r" + + status, output = self.target.run('echo -n "%s" > %s/load' %(ruleA, self.smack_path)) + status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + self.assertEqual(status, 0, "Rule A was not added") + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( mode, modeA, "Mode A was not set correctly; mode: %s" %mode) + + status, output = self.target.run( 'echo -n "%s" > %s/load' %(ruleB, self.smack_path)) + status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( mode, modeB, "Mode B was not set correctly; mode: %s" %mode) + + self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) + + +class SmackOnlycap(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_onlycap(self): + '''Test if smack onlycap label can be set + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh") + self.assertEqual(status, 0, output) + +class SmackNetlabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_netlabel(self): + + test_label="191.191.191.191 TheOne" + expected_label="191.191.191.191/32 TheOne" + + status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( status, 0, "Netlabel /32 could not be set. 
Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( expected_label, output, "Did not find expected label in output: %s" %output) + + test_label="253.253.253.0/24 TheOther" + status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( status, 0, "Netlabel /24 could not be set. Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( + test_label, output, + "Did not find expected label in output: %s" %output) + +class SmackCipso(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_cipso(self): + '''Test if smack cipso rules can be set''' + # 12345678901234567890123456789012345678901234567890123456 + ruleA="TheOneA 2 0 " + ruleB="TheOneB 3 1 55 " + ruleC="TheOneC 4 2 17 33 " + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label A. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneA'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule A was not set") + self.assertIn(" 2", output, "Rule A was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label B. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneB'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule B was not set") + self.assertIn("/55", output, "Rule B was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path)) + self.assertEqual( + status, 0, + "Could not set cipso label C. 
Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneC'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule C was not set") + self.assertIn("/17,33", output, "Rule C was not set correctly") + +class SmackDirect(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_direct(self): + status, initial_direct = self.target.run( + "cat %s/direct" %self.smack_path) + + test_direct="17" + status, output = self.target.run( + "echo '%s' > %s/direct" %(test_direct, self.smack_path)) + self.assertEqual(status, 0 , + "Could not set smack direct. Output: %s" %output) + status, new_direct = self.target.run("cat %s/direct" %self.smack_path) + # initial label before checking + status, output = self.target.run( + "echo '%s' > %s/direct" %(initial_direct, self.smack_path)) + self.assertEqual( + test_direct, new_direct.strip(), + "Smack direct label does not match.") + + +class SmackAmbient(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_ambient(self): + test_ambient = "test_ambient" + status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(test_ambient, self.smack_path)) + self.assertEqual(status, 0, + "Could not set smack ambient. 
Output: %s" %output) + + status, output = self.target.run("cat %s/ambient" %self.smack_path) + # Filter '\x00', which is sometimes added to the ambient label + new_ambient = ''.join(filter(lambda x: x in string.printable, output)) + initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient)) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path)) + self.assertEqual( + test_ambient, new_ambient.strip(), + "Ambient label does not match") + + +class SmackloadBinary(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smackload(self): + '''Test if smackload command works''' + rule="testobject testsubject rwx" + + status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule) + status, output = self.target.run("smackload /tmp/rules") + self.assertEqual( status, 0, "Smackload failed to load rule. Output: %s" %output) + + status, output = self.target.run( "cat %s/load | grep '%s'" %(self.smack_path, rule)) + self.assertEqual(status, 0, "Smackload rule was loaded correctly") + + +class SmackcipsoBinary(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smackcipso(self): + '''Test if smackcipso command works''' + # 12345678901234567890123456789012345678901234567890123456 + rule="cipsolabel 2 2 " + + status, output = self.target.run("echo '%s' | smackcipso" %rule) + self.assertEqual( status, 0, "Smackcipso failed to load rule. Output: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep 'cipsolabel'" %self.smack_path) + self.assertEqual(status, 0, "smackcipso rule was loaded correctly") + self.assertIn( "2/2", output, "Rule was not set correctly. 
Got: %s" %output) + + +class SmackEnforceFileAccess(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_enforce_file_access(self): + '''Test if smack file access is enforced (rwx) + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("sh /usr/sbin/smack_test_file_access.sh") + self.assertEqual(status, 0, output) + + +class SmackEnforceMmap(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_mmap_enforced(self): + '''Test if smack mmap access is enforced''' + raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.") + + # 12345678901234567890123456789012345678901234567890123456 + delr1="mmap_label mmap_test_label1 -----" + delr2="mmap_label mmap_test_label2 -----" + delr3="mmap_file_label mmap_test_label1 -----" + delr4="mmap_file_label mmap_test_label2 -----" + + RuleA="mmap_label mmap_test_label1 rw---" + RuleB="mmap_label mmap_test_label2 r--at" + RuleC="mmap_file_label mmap_test_label1 rw---" + RuleD="mmap_file_label mmap_test_label2 rwxat" + + mmap_label="mmap_label" + file_label="mmap_file_label" + test_file = "/usr/sbin/smack_test_mmap" + mmap_exe = "/tmp/mmap_test" + status, echo = self.target.run("which echo") + status, output = self.target.run( + "notroot.py %d %s %s 'test' > %s" \ + %(self.uid, self.current_label, echo, test_file)) + status, output = self.target.run("ls %s" %test_file) + self.assertEqual(status, 0, "Could not create mmap test file") + self.target.run("chsmack -m %s %s" %(file_label, test_file)) + self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe)) + + # test with no rules with mmap label or exec label as subject + # access should be granted + self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path)) + 
self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access without rules. Output: %s" %output) + + # add rules that do not match access required + self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with unmatching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with unmatching rules") + + # add rule to match only partially (one way) + self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with partial matching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with partial matching rules") + + # add rule to match fully + self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access with full matching rules." 
+ + "Output: %s" %output) + + +class SmackEnforceTransmutable(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_transmute_dir(self): + '''Test if smack transmute attribute works + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + test_dir = "/tmp/smack_transmute_dir" + label="transmute_label" + status, initial_label = self.target.run("cat /proc/self/attr/current") + + self.target.run("mkdir -p %s" % test_dir) + self.target.run("chsmack -a %s %s" % (label, test_dir)) + self.target.run("chsmack -t %s" % test_dir) + self.target.run("echo -n '%s %s rwxat' | smackload" %(initial_label, label) ) + + self.target.run("touch %s/test" % test_dir) + status, output = self.target.run("chsmack %s/test" % test_dir) + self.assertIn( 'access="%s"' %label, output, + "Did not get expected label. Output: %s" % output) + + +class SmackTcpSockets(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_tcp_sockets(self): + '''Test if smack is enforced on tcp sockets + + whole test takes places on image, depends on tcp_server/tcp_client''' + + status, output = self.target.run("sh /usr/sbin/test_smack_tcp_sockets.sh") + self.assertEqual(status, 0, output) + + +class SmackUdpSockets(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_udp_sockets(self): + '''Test if smack is enforced on udp sockets + + whole test takes places on image, depends on udp_server/udp_client''' + + status, output = self.target.run("sh /usr/sbin/test_smack_udp_sockets.sh") + self.assertEqual(status, 0, output) + + +class SmackFileLabels(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_labels(self): + '''Check for correct Smack labels.''' + expected = ''' +/tmp/ access="*" +/etc/ access="System::Shared" transmute="TRUE" +/etc/passwd access="System::Shared" +/etc/terminfo 
access="System::Shared" transmute="TRUE" +/etc/skel/ access="System::Shared" transmute="TRUE" +/etc/skel/.profile access="System::Shared" +/var/log/ access="System::Log" transmute="TRUE" +/var/tmp/ access="*" +''' + files = ' '.join([x.split()[0] for x in expected.split('\n') if x]) + files_wildcard = ' '.join([x + '/*' for x in files.split()]) + # Auxiliary information. + status, output = self.target.run( + 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % ( + ' '.join([x.rstrip('/') for x in files.split()]), files, files + ) + ) + msg = "File status:\n" + output + status, output = self.target.run('chsmack %s' % files) + self.assertEqual( + status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg)) + self.longMessage = True + self.maxDiff = None + self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg) diff --git a/meta-security/lib/oeqa/selftest/cases/cvechecker.py b/meta-security/lib/oeqa/selftest/cases/cvechecker.py new file mode 100644 index 000000000..23ca7d222 --- /dev/null +++ b/meta-security/lib/oeqa/selftest/cases/cvechecker.py 
@@ -0,0 +1,27 @@ +import os +import re + +from oeqa.selftest.case import OESelftestTestCase +from oeqa.utils.commands import bitbake, get_bb_var + +class CveCheckerTests(OESelftestTestCase): + def test_cve_checker(self): + image = "core-image-sato" + + deploy_dir = get_bb_var("DEPLOY_DIR_IMAGE") + image_link_name = get_bb_var('IMAGE_LINK_NAME', image) + + manifest_link = os.path.join(deploy_dir, "%s.cve" % image_link_name) + + self.logger.info('CVE_CHECK_MANIFEST = "%s"' % manifest_link) + if (not 'cve-check' in get_bb_var('INHERIT')): + add_cve_check_config = 'INHERIT += "cve-check"' + self.append_config(add_cve_check_config) + self.append_config('CVE_CHECK_MANIFEST = "%s"' % manifest_link) + result = bitbake("-k -c cve_check %s" % image, ignore_status=True) + if (not 'cve-check' in get_bb_var('INHERIT')): + self.remove_config(add_cve_check_config) + + isfile = os.path.isfile(manifest_link) + self.assertEqual(True, isfile, 'Failed to create cve data file : %s' % manifest_link) + diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README index bbc70bbaa..dd662b3d4 100644 --- a/meta-security/meta-tpm/README +++ b/meta-security/meta-tpm/README 
@@ -2,3 +2,60 @@ meta-tpm layer ============== This layer contains base TPM recipes. + +Dependencies +============ + +This layer depends on: + + URI: git://git.openembedded.org/openembedded-core + branch: master + revision: HEAD + prio: default + + URI: git://git.openembedded.org/meta-openembedded/meta-oe + branch: master + revision: HEAD + prio: default + +Adding the meta-tpm layer to your build +======================================== + +In order to use this layer, you need to make the build system aware of +it. + +Assuming this layer exists at the top-level of your +yocto build tree, you can add it to the build system by adding the +location of the meta-tpm layer to bblayers.conf, along with any +other layers needed. e.g.: + + BBLAYERS ?= " \ + /path/to/oe-core/meta \ + /path/to/meta-openembedded/meta-oe \ + /path/to/layer/meta-tpm \ + + +Maintenance +----------- + +Send pull requests, patches, comments or questions to yocto@yoctoproject.org + +When sending single patches, please using something like: +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' + +These values can be set as defaults for this repository: + +$ git config sendemail.to yocto@yoctoproject.org +$ git config format.subjectPrefix meta-security][PATCH + +Now you can just do 'git send-email origin/master' to send all local patches. + +Maintainers: Armin Kuster + + +License +======= + +All metadata is MIT licensed unless otherwise stated. Source code included +in tree for individual recipes is under the LICENSE stated in each recipe +(.bb file) unless otherwise stated. diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 15a2befcf..bf9a76ea6 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -12,4 +12,5 @@ LAYERSERIES_COMPAT_tpm-layer = "thud warrior" LAYERDEPENDS_tpm-layer = " \ core \ + openembedded-layer \ " 
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg index b5f9bb2a6..ae6cdcdf0 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg +++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg @@ -1,15 +1,9 @@ CONFIG_AUDIT=y -# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set -CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_SECURITY_PATH=y -# CONFIG_SECURITY_SELINUX is not set CONFIG_SECURITY_APPARMOR=y CONFIG_SECURITY_APPARMOR_HASH=y CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -# CONFIG_SECURITY_APPARMOR_DEBUG is not set CONFIG_INTEGRITY_AUDIT=y CONFIG_DEFAULT_SECURITY_APPARMOR=y -# CONFIG_DEFAULT_SECURITY_DAC is not set CONFIG_DEFAULT_SECURITY="apparmor" CONFIG_AUDIT_GENERIC=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg index 62f465a45..0d5fc645c 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg +++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg @@ -1,8 +1,7 @@ -CONFIG_IP_NF_SECURITY=m -CONFIG_IP6_NF_SECURITY=m -CONFIG_EXT2_FS_SECURITY=y -CONFIG_EXT3_FS_SECURITY=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_SECURITY=y +CONFIG_NETLABEL=y +CONFIG_SECURITY_NETWORK=y +# CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_SECURITY_SMACK=y +CONFIG_SECURITY_SMACK_BRINGUP=y +CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y CONFIG_TMPFS_XATTR=y diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb index 62ed61148..4eaec001e 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb 
@@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" DEPENDS = "bison-native apr gettext-native coreutils-native" SRC_URI = " \ - http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \ file://disable_perl_h_check.patch \ file://crosscompile_perl_bindings.patch \ file://apparmor.rc \ @@ -24,8 +24,8 @@ SRC_URI = " \ file://run-ptest \ " -SRC_URI[md5sum] = "2439b35266b5a3a461b0a2dba6e863c3" -SRC_URI[sha256sum] = "844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30" +SRCREV = "af4808b5f6b58946f5c5a4de4b77df5e0eae6ca0" +S = "${WORKDIR}/git" PARALLEL_MAKE = "" diff --git a/meta-security/recipes-mac/smack/files/run-ptest b/meta-security/recipes-mac/smack/files/run-ptest deleted file mode 100644 index 049a9b47a..000000000 --- a/meta-security/recipes-mac/smack/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -./tests/make_policies.bash ./tests/generator -./tests/make_policies.bash ./tests/generator labels diff --git a/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch b/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch deleted file mode 100644 index 4d677e751..000000000 --- a/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch +++ /dev/null @@ -1,18 +0,0 @@ -Upstream-Status: Pending - -Signed-off-by: Armin Kuster - - -Index: git/tests/Makefile -=================================================================== ---- git.orig/tests/Makefile -+++ git/tests/Makefile -@@ -4,7 +4,7 @@ clean: - rm -rf ./out ./generator - - generator: generator.c -- gcc -Wall -O3 generator.c -o ./generator -+ ${CC} ${LDFLAGS} generator.c -o ./generator - - policies: ./generator ./make_policies.bash - ./make_policies.bash ./generator 
diff --git a/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c new file mode 100644 index 000000000..f358d27b5 --- /dev/null +++ b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c @@ -0,0 +1,7 @@ +#include + +int main(int argc, char **argv) +{ + printf("Original test program removed while investigating its license.\n"); + return 1; +} diff --git a/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb new file mode 100644 index 000000000..9d11509d0 --- /dev/null +++ b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb @@ -0,0 +1,16 @@ +SUMMARY = "Mmap binary used to test smack mmap attribute" +DESCRIPTION = "Mmap binary used to test smack mmap attribute" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://mmap.c" + +S = "${WORKDIR}" +do_compile() { + ${CC} mmap.c ${LDFLAGS} -o mmap_test +} + +do_install() { + install -d ${D}${bindir} + install -m 0755 mmap_test ${D}${bindir} +} diff --git a/meta-security/recipes-mac/smack/smack-test/notroot.py b/meta-security/recipes-mac/smack/smack-test/notroot.py new file mode 100644 index 000000000..f0eb0b5b9 --- /dev/null +++ b/meta-security/recipes-mac/smack/smack-test/notroot.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python +# +# Script used for running executables with custom labels, as well as custom uid/gid +# Process label is changed by writing to /proc/self/attr/curent +# +# Script expects user id and group id to exist, and be the same. +# +# From adduser manual: +# """By default, each user in Debian GNU/Linux is given a corresponding group +# with the same name. """ +# +# Usage: root@desk:~# python notroot.py
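Review bot: in meta-security/lib/oeqa/runtime/cases/apparmor.py, the new test_apparmor_aa_complain and test_apparmor_aa_enforce only reach `self.assertEqual(status, 0, msg = msg)` inside `if not match:`, so whenever the output contains 'apparmor module is loaded.' the exit status of aa-complain or aa-enforce is never checked. Assert on status unconditionally and, if the output text matters, assert on the match as a separate check. The trailing '.' in the pattern is also an unescaped regex wildcard; escape it or use assertIn on the plain string.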
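Review bot: in meta-security/lib/oeqa/runtime/cases/clamav.py, the new setUpClass and tearDownClass (hunk @@ -9,6 +10,22 @@) call os.fdopen, os.linesep and os.remove, but the import hunk only adds `from tempfile import mkstemp` and no `import os` appears in the visible import lines; unless os is imported outside the shown context, the class fails with a NameError before any test runs. Add `import os` next to `import re`. The comment "use gooled public dns" should read "use Google public DNS", and hard-coding 8.8.8.8 and 8.8.4.4 makes the test depend on outbound DNS from the test network, so consider taking the resolvers from test data instead.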
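Review bot: in clamav.py hunk @@ -18,6 +35,19 @@, test_ping_clamav_net removes the target's /etc/resolv.conf and copies a replacement over it, and nothing in the visible lines puts the original back; tearDownClass only deletes the temporary file on the host. Save the target file before overwriting it and restore it afterwards, so later tests on the same image do not silently run with a different resolver configuration. The ping also turns "ICMP to database.clamav.net is filtered" into a test failure that blocks test_freshclam_download through the dependency chain; a skip with a clear reason would describe that situation better than a failure.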
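Review bot: in meta-security/lib/oeqa/runtime/cases/samhain.py hunk @@ -11,10 +12,32 @@, test_samhain_init_db and test_samhain_db_check wrap the only assertion in `if not match:`, so the 'FAILED: 0 ' check cannot fail the test on its own: a run that reports failures but exits 0 passes, and a run that matches is never checked for its status. Assert status == 0 unconditionally and assert the match separately. In test_samhain_help the `echo ... >> /etc/hosts` appends a new line on every run; guard it with a grep for the entry first. The `import os` added in the first hunk is not used by any line shown in this patch and can be dropped.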
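Review bot: in the new meta-security/lib/oeqa/runtime/cases/smack.py, test_smack_basic stores its results with `self.smack_path = output` and `self.current_label = output.strip()`, which sets attributes on that one test instance only; unittest builds a fresh instance per test method, so every subclass test that formats `%s/load`, `%s/netlabel`, `%s/cipso` and so on sees the class default `cls.smack_path = ""` from setUpClass and writes to paths such as /load. Resolve the mount point and current label in setUpClass (or setUp) and store them on the class, and strip the mount path as is already done for the label. Smaller points in the same hunk: SmackMmapLabel reuses filename "/tmp/test_exec_label" from the exec test; the SmackTransmutable failure message formats LABEL although the expected value is "TRUE"; the messages "Smackload rule was loaded correctly" and "smackcipso rule was loaded correctly" are attached to the failing branch and read inverted; the lookbehind patterns containing `\S` should be raw strings; and in test_smack_mmap_enforced everything after the `raise unittest.SkipTest(...)` is unreachable, so a skip decorator with the body removed would be clearer.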
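Review bot: in the new meta-security/lib/oeqa/selftest/cases/cvechecker.py, the condition `if (not 'cve-check' in get_bb_var('INHERIT')):` is evaluated a second time after append_config has already added `INHERIT += "cve-check"`, so the second check no longer reflects the original state and the remove_config branch cannot be relied on to run; if it did run in a case where the first branch was skipped, add_cve_check_config would be undefined. Evaluate the condition once into a local variable and use it for both the append and the cleanup. The `result` of the bitbake call is never inspected even though ignore_status=True is passed, so a failed cve_check run is only reported indirectly as a missing manifest file; include result.output in the assertion message. `import re` is unused.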
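Review bot: in meta-security/meta-tpm/README, the BBLAYERS example added under "Adding the meta-tpm layer to your build" opens with `BBLAYERS ?= " \` and ends at `/path/to/layer/meta-tpm \` without a closing quote, so a reader who copies it into bblayers.conf gets an unterminated string. Close the example with a final `"` line. In the Maintenance section, "please using something like" should be "please use something like", and the subject prefix shown is meta-security although this README describes meta-tpm; say explicitly that patches for this layer use the meta-security prefix if that is intended.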
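Review bot: in meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg, the fragment drops `CONFIG_SECURITY=y` and the `CONFIG_EXT2_FS_SECURITY`, `CONFIG_EXT3_FS_SECURITY` and `CONFIG_EXT4_FS_SECURITY` lines while keeping `CONFIG_TMPFS_XATTR=y`. Smack stores file labels in security.* extended attributes, so an image on ext4 still needs the filesystem security-label option from somewhere; either keep `CONFIG_EXT4_FS_SECURITY=y` here or state in the commit message which other fragment or default provides it. The same hunk turns on `CONFIG_SECURITY_SMACK_BRINGUP=y`, which is a policy bring-up aid; a short comment in the fragment saying whether it is meant for production images would help users of the layer decide whether to override it.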