* [meta-security][PATCH 1/7] apparmor: fix build for on musl
@ 2020-10-09 14:08 akuster
  2020-10-09 14:08 ` [meta-security][PATCH 2/7] gitlab-ci: add qemux86 and qemuarm64 musl builds akuster
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: akuster @ 2020-10-09 14:08 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-mac/AppArmor/apparmor_3.0.bb          | 11 +++++-
 ...-aa_status-Fix-build-issue-with-musl.patch | 31 ++++++++++++++++
 ...or-add-missing-include-for-socklen_t.patch | 36 ++++++++++++++++++
 ...dont-force-host-cpp-to-detect-reallo.patch | 37 +++++++++++++++++++
 ...aa_features_new_from_file-to-public-.patch | 37 +++++++++++++++++++
 ...-add-_aa_asprintf-to-private-symbols.patch | 34 +++++++++++++++++
 6 files changed, 185 insertions(+), 1 deletion(-)
 create mode 100644 recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
 create mode 100644 recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
 create mode 100644 recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
 create mode 100644 recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
 create mode 100644 recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch

diff --git a/recipes-mac/AppArmor/apparmor_3.0.bb b/recipes-mac/AppArmor/apparmor_3.0.bb
index 9c98199..35e95a0 100644
--- a/recipes-mac/AppArmor/apparmor_3.0.bb
+++ b/recipes-mac/AppArmor/apparmor_3.0.bb
@@ -25,6 +25,11 @@ SRC_URI = " \
     file://run-ptest \
     file://0001-apparmor-fix-manpage-order.patch \
     file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
+    file://0001-libapparmor-add-missing-include-for-socklen_t.patch \
+    file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \
+    file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \
+    file://0001-aa_status-Fix-build-issue-with-musl.patch \
+    file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \
     "
 
 SRCREV = "5d51483bfecf556183558644dc8958135397a7e2"
@@ -175,8 +180,12 @@ PACKAGES += "mod-${PN}"
 FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
 FILES_mod-${PN} = "${libdir}/apache2/modules/*"
 
+DEPENDS_append_libc-musl = " fts "
+RDEPENDS_${PN}_libc-musl +=  "musl-utils"
+RDEPENDS_${PN}_libc-glibc +=  "glibc-utils"
+
 # Add coreutils and findutils only if sysvinit scripts are in use
-RDEPENDS_${PN} +=  "glibc-utils ${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
+RDEPENDS_${PN} +=  "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
 RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
 RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
 
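Review bot: The added `RDEPENDS_${PN}_libc-musl +=` and `RDEPENDS_${PN}_libc-glibc +=` lines use `+=` on an override-suffixed variable, which appends to the override variable itself; once the `libc-musl` or `libc-glibc` override is applied, that value replaces `RDEPENDS_${PN}` instead of extending it, so the coreutils/findutils and python3 entries set in the line below would be lost. Use the append form so the libc-specific package is added to the existing list: `RDEPENDS_${PN}_append_libc-musl = " musl-utils"` and `RDEPENDS_${PN}_append_libc-glibc = " glibc-utils"`. The trailing space in `" fts "` is harmless but unnecessary.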
diff --git a/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
new file mode 100644
index 0000000..239562a
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
@@ -0,0 +1,31 @@
+From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 7 Oct 2020 08:27:11 -0700
+Subject: [PATCH] aa_status: Fix build issue with musl
+
+add limits.h
+
+aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
+|   269 |    real_exe = calloc(PATH_MAX + 1, sizeof(char));
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ binutils/aa_status.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b03409..41f1954e 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -10,6 +10,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
+-- 
+2.17.1
+
diff --git a/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
new file mode 100644
index 0000000..2a56d8b
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
@@ -0,0 +1,36 @@
+From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Sat, 3 Oct 2020 20:37:55 +0200
+Subject: [PATCH] libapparmor: add missing include for `socklen_t`
+
+While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
+include the `<sys/socket.h>` header to make its declaration available.
+While this works on systems using glibc via transitive includes, it
+breaks compilation on musl libc.
+
+Fix the issue by including the header.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ libraries/libapparmor/include/sys/apparmor.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d06..d70eff94 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -21,6 +21,7 @@
+ #include <stdbool.h>
+ #include <stdint.h>
+ #include <unistd.h>
++#include <sys/socket.h>
+ #include <sys/types.h>
+ 
+ #ifdef __cplusplus
+-- 
+2.17.1
+
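Review bot: `Upstream-Status: Backport` in the patch header carries no reference to the upstream commit or merge request the change was taken from. Add it in brackets after the tag so the patch can be dropped with confidence on the next AppArmor upgrade. The same applies to the 0002 and 0003 libapparmor backports in this series.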
diff --git a/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
new file mode 100644
index 0000000..9f7ad3c
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
@@ -0,0 +1,37 @@
+From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Wed, 7 Oct 2020 20:50:38 -0700
+Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray
+
+In cross build environments, using the hosts cpp gives incorrect
+detection of reallocarray. Change cpp to a variable.
+
+fixes:
+parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
+| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
+|   297 |   tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Pending
+
+---
+ parser/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser/Makefile b/parser/Makefile
+index acef3d77..8250ac45 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -54,7 +54,7 @@ endif
+ CPPFLAGS += -D_GNU_SOURCE
+ 
+ STDLIB_INCLUDE:="\#include <stdlib.h>"
+-HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
++HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
+ 
+ WARNINGS = -Wall
+ CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
+-- 
+2.17.1
+
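Review bot: On the changed `HAVE_REALLOCARRAY` line, the include is still piped in on stdin, but a `${CPP}` that expands to a compiler driver such as `$(CC) -E` (GNU make's built-in default) does not read stdin unless it is given `-` as the input file. In that case the command fails for lack of input, `grep -q` never matches, and `HAVE_REALLOCARRAY` comes out empty on every libc, which hides the build error instead of detecting the function. Pass the input explicitly, for example `${CPP} ${CPPFLAGS} -`, and confirm the result on both a glibc and a musl build.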
diff --git a/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
new file mode 100644
index 0000000..333f40f
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
@@ -0,0 +1,37 @@
+From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Sat, 3 Oct 2020 20:58:45 +0200
+Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public
+ symbols
+
+With AppArmor release 3.0, a new function `aa_features_new_from_file`
+was added, but not added to the list of public symbols. As a result,
+it's not possible to make use of this function when linking against
+libapparmor.so.
+
+Fix the issue by adding it to the symbol map.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ libraries/libapparmor/src/libapparmor.map | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
+index bbff51f5..1579509a 100644
+--- a/libraries/libapparmor/src/libapparmor.map
++++ b/libraries/libapparmor/src/libapparmor.map
+@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
+ 
+ APPARMOR_3.0 {
+   global:
++	aa_features_new_from_file;
+ 	aa_features_write_to_fd;
+ 	aa_features_value;
+   local:
+-- 
+2.17.1
+
diff --git a/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
new file mode 100644
index 0000000..543c7a1
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
@@ -0,0 +1,34 @@
+From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Sat, 3 Oct 2020 21:04:57 +0200
+Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols
+
+While `_aa_asprintf` is supposed to be of private visibility, it's used
+by apparmor_parser and thus required to be visible when linking. This
+commit thus adds it to the list of private symbols to make it available
+for linking in apparmor_parser.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ libraries/libapparmor/src/libapparmor.map | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
+index 1579509a..41e541ac 100644
+--- a/libraries/libapparmor/src/libapparmor.map
++++ b/libraries/libapparmor/src/libapparmor.map
+@@ -127,6 +127,7 @@ APPARMOR_3.0 {
+ PRIVATE {
+ 	global:
+ 		_aa_is_blacklisted;
++		_aa_asprintf;
+ 		_aa_autofree;
+ 		_aa_autoclose;
+ 		_aa_autofclose;
+-- 
+2.17.1
+
-- 
2.17.1



* [meta-security][PATCH 2/7] gitlab-ci: add qemux86 and qemuarm64 musl builds
  2020-10-09 14:08 [meta-security][PATCH 1/7] apparmor: fix build for on musl akuster
@ 2020-10-09 14:08 ` akuster
  2020-10-09 14:08 ` [meta-security][PATCH 3/7] ecryptfs-utils: fix musl build akuster
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: akuster @ 2020-10-09 14:08 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .gitlab-ci.yml         |  9 +++++++++
 kas/qemuarm64-musl.yml | 10 ++++++++++
 kas/qemux86-musl.yml   | 10 ++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 kas/qemuarm64-musl.yml
 create mode 100644 kas/qemux86-musl.yml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0be5741..50bfe4f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -126,6 +126,15 @@ qemux86-64-multi:
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
 
+qemux86-musl:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemuarm64-musl:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
 
 qemux86-test:
   extends: .build
diff --git a/kas/qemuarm64-musl.yml b/kas/qemuarm64-musl.yml
new file mode 100644
index 0000000..b353eb4
--- /dev/null
+++ b/kas/qemuarm64-musl.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+    musl: |
+        TCLIBC = "musl"
+
+machine: qemuarm64
diff --git a/kas/qemux86-musl.yml b/kas/qemux86-musl.yml
new file mode 100644
index 0000000..61d9572
--- /dev/null
+++ b/kas/qemux86-musl.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+    musl: |
+        TCLIBC = "musl"
+
+machine: qemux86
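Review bot: kas/qemux86-musl.yml repeats kas/qemuarm64-musl.yml line for line apart from `machine:`. Moving the `local_conf_header` block that sets `TCLIBC = "musl"` into one shared kas include, listed under `includes:` next to kas-security-base.yml, would keep the musl setting in a single place as more machines are added.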
-- 
2.17.1



* [meta-security][PATCH 3/7] ecryptfs-utils: fix musl build
  2020-10-09 14:08 [meta-security][PATCH 1/7] apparmor: fix build for on musl akuster
  2020-10-09 14:08 ` [meta-security][PATCH 2/7] gitlab-ci: add qemux86 and qemuarm64 musl builds akuster
@ 2020-10-09 14:08 ` akuster
  2020-10-09 14:08 ` [meta-security][PATCH 4/7] libest: " akuster
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: akuster @ 2020-10-09 14:08 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../ecryptfs-utils/ecryptfs-utils_111.bb          |  1 +
 .../files/define_musl_sword_type.patch            | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch

diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index d8cd06f..4a99b5a 100644
--- a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -16,6 +16,7 @@ SRC_URI = "\
     file://ecryptfs-utils-CVE-2016-6224.patch \
     file://0001-avoid-race-condition.patch \
     file://ecryptfs.service \
+    file://define_musl_sword_type.patch \
     "
 
 SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
diff --git a/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
new file mode 100644
index 0000000..3b29be0
--- /dev/null
+++ b/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
@@ -0,0 +1,15 @@
+Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+===================================================================
+--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
++++ ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+@@ -45,6 +45,10 @@
+ #include <values.h>
+ #include "../include/ecryptfs.h"
+ 
++#ifndef __SWORD_TYPE
++typedef __typeof__( ((struct statfs *)0)->f_type )	__SWORD_TYPE;
++#endif
++
+ /* Perhaps a future version of this program will allow these to be configurable
+  * by the system administrator (or user?) at run time.  For now, these are set
+  * to reasonable values to reduce the burden of input validation.
-- 
2.17.1



* [meta-security][PATCH 4/7] libest: fix musl build.
  2020-10-09 14:08 [meta-security][PATCH 1/7] apparmor: fix build for on musl akuster
  2020-10-09 14:08 ` [meta-security][PATCH 2/7] gitlab-ci: add qemux86 and qemuarm64 musl builds akuster
  2020-10-09 14:08 ` [meta-security][PATCH 3/7] ecryptfs-utils: fix musl build akuster
@ 2020-10-09 14:08 ` akuster
  2020-10-09 14:08 ` [meta-security][PATCH 5/7] sssd: update to latest ltm 1.16.5 akuster
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: akuster @ 2020-10-09 14:08 UTC (permalink / raw)
  To: yocto

fixes
 est.c:38:10: fatal error: execinfo.h: No such file or directory
|    38 | #include <execinfo.h>
|       |          ^~~~~~~~~~~~

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-security/libest/libest_3.2.0.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/recipes-security/libest/libest_3.2.0.bb b/recipes-security/libest/libest_3.2.0.bb
index 36ff5ca..f993bd6 100644
--- a/recipes-security/libest/libest_3.2.0.bb
+++ b/recipes-security/libest/libest_3.2.0.bb
@@ -10,11 +10,15 @@ SRC_URI = "git://github.com/cisco/libest"
 
 DEPENDS = "openssl"
 
+#fatal error: execinfo.h: No such file or directory
+DEPENDS_append_libc-musl = " libexecinfo"
+
 inherit autotools-brokensep
 
 EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
 
 CFLAGS += "-fcommon"
+LDFLAGS_append_libc-musl = " -lexecinfo"
 
 S = "${WORKDIR}/git"
 
-- 
2.17.1



* [meta-security][PATCH 5/7] sssd: update to latest ltm 1.16.5
  2020-10-09 14:08 [meta-security][PATCH 1/7] apparmor: fix build for on musl akuster
                   ` (2 preceding siblings ...)
  2020-10-09 14:08 ` [meta-security][PATCH 4/7] libest: " akuster
@ 2020-10-09 14:08 ` akuster
  2020-10-09 14:08 ` [meta-security][PATCH 6/7] packagegroup-core-security: remove clamav from musl image akuster
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: akuster @ 2020-10-09 14:08 UTC (permalink / raw)
  To: yocto

fix musl support

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...defines-which-otherwise-are-availabl.patch | 32 +++++++++++++++++++
 .../sssd/{sssd_1.16.4.bb => sssd_1.16.5.bb}   |  8 +++--
 2 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
 rename recipes-security/sssd/{sssd_1.16.4.bb => sssd_1.16.5.bb} (94%)

diff --git a/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch b/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
new file mode 100644
index 0000000..1a22332
--- /dev/null
+++ b/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
@@ -0,0 +1,32 @@
+From 37a0999e5a9f54e1c61a02a7fbab6fcd04738b3c Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Thu, 8 Oct 2020 05:54:13 -0700
+Subject: [PATCH] Provide missing defines which otherwise are available on
+ glibc system headers
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upsteam-Status: Pending
+
+---
+ src/util/util.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/util.h b/src/util/util.h
+index 8a754dbfd..6e55b4bdc 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -76,6 +76,10 @@
+ #define MAX(a, b)  (((a) > (b)) ? (a) : (b))
+ #endif
+ 
++#ifndef ALLPERMS
++# define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)/* 07777 */
++#endif
++
+ #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS
+ 
+ #define SSSD_SERVER_OPTS(uid, gid) \
+-- 
+2.17.1
+
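Review bot: The tag in the patch header is misspelled as `Upsteam-Status: Pending`; it needs to read `Upstream-Status: Pending` for patch-status checks to recognise it. In the `util.h` hunk, the `ALLPERMS` fallback relies on the `S_I*` macros from `<sys/stat.h>`, so confirm that header is included before the define is used; a space before the trailing `/* 07777 */` comment would also help readability.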
diff --git a/recipes-security/sssd/sssd_1.16.4.bb b/recipes-security/sssd/sssd_1.16.5.bb
similarity index 94%
rename from recipes-security/sssd/sssd_1.16.4.bb
rename to recipes-security/sssd/sssd_1.16.5.bb
index e54fa98..9784ec7 100644
--- a/recipes-security/sssd/sssd_1.16.4.bb
+++ b/recipes-security/sssd/sssd_1.16.5.bb
@@ -6,7 +6,9 @@ LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
+DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
+
+DEPENDS_append_libc-musl = " musl-nscd"
 
 # If no crypto has been selected, default to DEPEND on nss, since that's what
 # sssd will pick if no active choice is made during configure
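Review bot: `DEPENDS_append_libc-musl = " musl-nscd"` introduces a dependency on a recipe that this series does not add, so a musl build of sssd fails unless the layer that provides `musl-nscd` is present; name that layer requirement in the commit message or the layer's README. The rewrite of `DEPENDS +=` to `DEPENDS_append` in the same hunk is unrelated to musl and is not explained; either drop it or say why it is needed.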
@@ -19,10 +21,10 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
            file://fix-ldblibdir.patch \
            file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
            file://0001-nss-Collision-with-external-nss-symbol.patch \
+           file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \
            "
 
-SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
-SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
+SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0"
 
 inherit autotools pkgconfig gettext python3-dir features_check systemd
 
-- 
2.17.1



* [meta-security][PATCH 6/7] packagegroup-core-security: remove clamav from musl image
  2020-10-09 14:08 [meta-security][PATCH 1/7] apparmor: fix build for on musl akuster
                   ` (3 preceding siblings ...)
  2020-10-09 14:08 ` [meta-security][PATCH 5/7] sssd: update to latest ltm 1.16.5 akuster
@ 2020-10-09 14:08 ` akuster
  2020-10-09 14:08 ` [meta-security][PATCH 7/7] suricata: update to 4.1.9 akuster
       [not found] ` <163C5828A1566392.8231@lists.yoctoproject.org>
  6 siblings, 0 replies; 8+ messages in thread
From: akuster @ 2020-10-09 14:08 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb
index 1a55c1b..0a4452e 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -53,6 +53,7 @@ RDEPENDS_packagegroup-security-scanners = "\
     checksecurity \
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
     "
+RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd"
 
 SUMMARY_packagegroup-security-audit = "Security Audit tools "
 RDEPENDS_packagegroup-security-audit = " \
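Review bot: The added `RDEPENDS_packagegroup-security-scanners_remove_libc-musl` line gives no reason for dropping clamav on musl, and the commit has no body either; add a comment above it stating the build failure or limitation. Since `_remove` cannot be undone by another layer or a bbappend, consider expressing the exclusion the way the riscv case directly above does, inside the inline Python condition, so a downstream layer can still re-add clamav once it builds on musl.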
-- 
2.17.1



* [meta-security][PATCH 7/7] suricata: update to 4.1.9
  2020-10-09 14:08 [meta-security][PATCH 1/7] apparmor: fix build for on musl akuster
                   ` (4 preceding siblings ...)
  2020-10-09 14:08 ` [meta-security][PATCH 6/7] packagegroup-core-security: remove clamav from musl image akuster
@ 2020-10-09 14:08 ` akuster
       [not found] ` <163C5828A1566392.8231@lists.yoctoproject.org>
  6 siblings, 0 replies; 8+ messages in thread
From: akuster @ 2020-10-09 14:08 UTC (permalink / raw)
  To: yocto

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-ids/suricata/{libhtp_0.5.33.bb => libhtp_0.5.35.bb}   | 0
 recipes-ids/suricata/suricata.inc                             | 4 ++--
 recipes-ids/suricata/{suricata_4.1.8.bb => suricata_4.1.9.bb} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename recipes-ids/suricata/{libhtp_0.5.33.bb => libhtp_0.5.35.bb} (100%)
 rename recipes-ids/suricata/{suricata_4.1.8.bb => suricata_4.1.9.bb} (100%)

diff --git a/recipes-ids/suricata/libhtp_0.5.33.bb b/recipes-ids/suricata/libhtp_0.5.35.bb
similarity index 100%
rename from recipes-ids/suricata/libhtp_0.5.33.bb
rename to recipes-ids/suricata/libhtp_0.5.35.bb
diff --git a/recipes-ids/suricata/suricata.inc b/recipes-ids/suricata/suricata.inc
index c9dd9aa..b94285f 100644
--- a/recipes-ids/suricata/suricata.inc
+++ b/recipes-ids/suricata/suricata.inc
@@ -2,7 +2,7 @@ HOMEPAGE = "http://suricata-ids.org/"
 SECTION = "security Monitor/Admin"
 LICENSE = "GPLv2"
 
-VER = "4.1.8"
+VER = "4.1.9"
 SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
 
-SRC_URI[sha256sum] = "c8a83a05f57cedc0ef81d833ddcfdbbfdcdb6f459a91b1b15dc2d5671f1aecbb"
+SRC_URI[sha256sum] = "3440cd1065b1b3999dc101a37c49321fab2791b38f16e2f7fe27369dd007eea7"
diff --git a/recipes-ids/suricata/suricata_4.1.8.bb b/recipes-ids/suricata/suricata_4.1.9.bb
similarity index 100%
rename from recipes-ids/suricata/suricata_4.1.8.bb
rename to recipes-ids/suricata/suricata_4.1.9.bb
-- 
2.17.1



* Re: [yocto] [meta-security][PATCH 5/7] sssd: update to latest ltm 1.16.5
       [not found] ` <163C5828A1566392.8231@lists.yoctoproject.org>
@ 2020-10-09 14:27   ` akuster
  0 siblings, 0 replies; 8+ messages in thread
From: akuster @ 2020-10-09 14:27 UTC (permalink / raw)
  To: yocto


this needs "musl-nscd" which was submitted to meta-oe if you plan on
building for musl

 

On 10/9/20 7:08 AM, akuster via lists.yoctoproject.org wrote:
> fix musl support
>
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  ...defines-which-otherwise-are-availabl.patch | 32 +++++++++++++++++++
>  .../sssd/{sssd_1.16.4.bb => sssd_1.16.5.bb}   |  8 +++--
>  2 files changed, 37 insertions(+), 3 deletions(-)
>  create mode 100644 recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
>  rename recipes-security/sssd/{sssd_1.16.4.bb => sssd_1.16.5.bb} (94%)
>
> diff --git a/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch b/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
> new file mode 100644
> index 0000000..1a22332
> --- /dev/null
> +++ b/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
> @@ -0,0 +1,32 @@
> +From 37a0999e5a9f54e1c61a02a7fbab6fcd04738b3c Mon Sep 17 00:00:00 2001
> +From: Armin Kuster <akuster808@gmail.com>
> +Date: Thu, 8 Oct 2020 05:54:13 -0700
> +Subject: [PATCH] Provide missing defines which otherwise are available on
> + glibc system headers
> +
> +Signed-off-by: Armin Kuster <akuster808@gmail.com>
> +
> +Upsteam-Status: Pending
> +
> +---
> + src/util/util.h | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/src/util/util.h b/src/util/util.h
> +index 8a754dbfd..6e55b4bdc 100644
> +--- a/src/util/util.h
> ++++ b/src/util/util.h
> +@@ -76,6 +76,10 @@
> + #define MAX(a, b)  (((a) > (b)) ? (a) : (b))
> + #endif
> + 
> ++#ifndef ALLPERMS
> ++# define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)/* 07777 */
> ++#endif
> ++
> + #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS
> + 
> + #define SSSD_SERVER_OPTS(uid, gid) \
> +-- 
> +2.17.1
> +
> diff --git a/recipes-security/sssd/sssd_1.16.4.bb b/recipes-security/sssd/sssd_1.16.5.bb
> similarity index 94%
> rename from recipes-security/sssd/sssd_1.16.4.bb
> rename to recipes-security/sssd/sssd_1.16.5.bb
> index e54fa98..9784ec7 100644
> --- a/recipes-security/sssd/sssd_1.16.4.bb
> +++ b/recipes-security/sssd/sssd_1.16.5.bb
> @@ -6,7 +6,9 @@ LICENSE = "GPLv3+"
>  LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
>  
>  DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
> -DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
> +DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
> +
> +DEPENDS_append_libc-musl = " musl-nscd"
>  
>  # If no crypto has been selected, default to DEPEND on nss, since that's what
>  # sssd will pick if no active choice is made during configure
> @@ -19,10 +21,10 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
>             file://fix-ldblibdir.patch \
>             file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
>             file://0001-nss-Collision-with-external-nss-symbol.patch \
> +           file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \
>             "
>  
> -SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
> -SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
> +SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0"
>  
>  inherit autotools pkgconfig gettext python3-dir features_check systemd
>  
>
> 
>


