[PATCH v2 1/2] Revert "iputils: Fix build determinism"

[PATCH v2 1/2] Revert "iputils: Fix build determinism"

[Jate Sujjavanich]

This reverts commit d10da5f6e6d6d3600645dbe43ed412ff23b55095.
---
 meta/recipes-extended/iputils/iputils_s20200821.bb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta/recipes-extended/iputils/iputils_s20200821.bb b/meta/recipes-extended/iputils/iputils_s20200821.bb
index 28dd194a12..8b63a23c61 100644
--- a/meta/recipes-extended/iputils/iputils_s20200821.bb
+++ b/meta/recipes-extended/iputils/iputils_s20200821.bb
@@ -38,8 +38,7 @@ PACKAGECONFIG[docs] = "-DBUILD_HTML_MANS=true -DBUILD_MANS=true,-DBUILD_HTML_MAN
 
 inherit meson systemd update-alternatives
 
-# Have to disable setcap/suid as its not deterministic
-EXTRA_OEMESON += "--prefix=${root_prefix}/ -DNO_SETCAP_OR_SUID=true"
+EXTRA_OEMESON += "--prefix=${root_prefix}/"
 
 ALTERNATIVE_PRIORITY = "100"
 
-- 
2.25.1

[PATCH v2 2/2] iputils: Use STAGING_DIR_NATIVE for setcap detection

[Jate Sujjavanich]

Search for setcap in STAGING_DIR_NATIVE to avoid host contamination. Add
DEPENDS for libcap-native to supply this if we select libcap for
PACKAGECONFIG.

The previous setting of NO_SETCAP_OR_SUID broke setuid or setcap of
/bin/ping and other executables.

Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
---
 ...ort-for-setcap-in-STAGING_DIR_NATIVE.patch | 39 +++++++++++++++++++
 .../iputils/iputils_s20200821.bb              |  5 ++-
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-extended/iputils/iputils/0001-Add-support-for-setcap-in-STAGING_DIR_NATIVE.patch

diff --git a/meta/recipes-extended/iputils/iputils/0001-Add-support-for-setcap-in-STAGING_DIR_NATIVE.patch b/meta/recipes-extended/iputils/iputils/0001-Add-support-for-setcap-in-STAGING_DIR_NATIVE.patch
new file mode 100644
index 0000000000..fcd60fa673
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-Add-support-for-setcap-in-STAGING_DIR_NATIVE.patch
@@ -0,0 +1,39 @@
+From 701d390a6cdd9f1ff201b315400d4a32e990a2c8 Mon Sep 17 00:00:00 2001
+From: Jate Sujjavanich <jatedev@gmail.com>
+Date: Wed, 17 Feb 2021 02:13:34 +0000
+Subject: [PATCH] Add support for setcap in STAGING_DIR_NATIVE
+
+Upstream-Status: Pending
+---
+ meson.build       | 3 ++-
+ meson_options.txt | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index aff75a2..f2babbc 100644
+--- a/meson.build
++++ b/meson.build
+@@ -215,7 +215,8 @@ config_h = configure_file(
+ 	output : 'config.h',
+ 	configuration : conf)
+ 
+-setcap = find_program('setcap', '/usr/sbin/setcap', '/sbin/setcap', required : false)
++stagingdirnative = get_option('stagingdirnative')
++setcap = find_program(stagingdirnative + '/usr/sbin/setcap', stagingdirnative + '/sbin/setcap', required : false)
+ if cap_dep.found() and setcap.found()
+ 	perm_type = 'caps'
+ 	setcap_path = setcap.path()
+diff --git a/meson_options.txt b/meson_options.txt
+index aade675..418e004 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -66,3 +66,6 @@ option('systemdunitdir', type: 'string', value: '',
+ 
+ option('USE_GETTEXT', type: 'boolean', value: true,
+ 	description: 'Enable I18N')
++
++option('stagingdirnative', type: 'string', value: '',
++	description: 'Directory for native binaries')
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/iputils/iputils_s20200821.bb b/meta/recipes-extended/iputils/iputils_s20200821.bb
index 8b63a23c61..feb97d5086 100644
--- a/meta/recipes-extended/iputils/iputils_s20200821.bb
+++ b/meta/recipes-extended/iputils/iputils_s20200821.bb
@@ -12,6 +12,7 @@ DEPENDS = "gnutls"
 
 SRC_URI = "git://github.com/iputils/iputils \
            file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \
+           file://0001-Add-support-for-setcap-in-STAGING_DIR_NATIVE.patch \
            "
 SRCREV = "23c3782ae0c7f9c6ae59dbed8ad9204f8758542b"
 
@@ -26,7 +27,7 @@ CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214"
 PACKAGECONFIG ??= "libcap rarpd \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ninfod traceroute6', '', d)} \
                    ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
-PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap"
+PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap libcap-native"
 PACKAGECONFIG[libidn] = "-DUSE_IDN=true, -DUSE_IDN=false, libidn2"
 PACKAGECONFIG[gettext] = "-DUSE_GETTEXT=true, -DUSE_GETTEXT=false, gettext"
 PACKAGECONFIG[ninfod] = "-DBUILD_NINFOD=true,-DBUILD_NINFOD=false,"
@@ -38,7 +39,7 @@ PACKAGECONFIG[docs] = "-DBUILD_HTML_MANS=true -DBUILD_MANS=true,-DBUILD_HTML_MAN
 
 inherit meson systemd update-alternatives
 
-EXTRA_OEMESON += "--prefix=${root_prefix}/"
+EXTRA_OEMESON += "--prefix=${root_prefix}/ -Dstagingdirnative=${STAGING_DIR_NATIVE}"
 
 ALTERNATIVE_PRIORITY = "100"
 
-- 
2.25.1

Re: [PATCH v2 2/2] iputils: Use STAGING_DIR_NATIVE for setcap detection

[Alexander Kanavin]

[-- Attachment #1: Type: text/plain, Size: 551 bytes --]

On Thu, 18 Feb 2021 at 20:22, Jate Sujjavanich <jatedev@gmail.com> wrote:

> +-setcap = find_program('setcap', '/usr/sbin/setcap', '/sbin/setcap',
> required : false)
> ++stagingdirnative = get_option('stagingdirnative')
> ++setcap = find_program(stagingdirnative + '/usr/sbin/setcap',
> stagingdirnative + '/sbin/setcap', required : false)
>

Just remove the hardcoded paths from find_program altogether (see meson
manual), and it will take the binary from PATH env var, which is exactly
how native sysroots are supposed to work.

Alex

[-- Attachment #2: Type: text/html, Size: 913 bytes --]

Re: [PATCH v2 2/2] iputils: Use STAGING_DIR_NATIVE for setcap detection

[Richard Purdie]

On Thu, 2021-02-18 at 20:58 +0100, Alexander Kanavin wrote:
> On Thu, 18 Feb 2021 at 20:22, Jate Sujjavanich <jatedev@gmail.com> wrote:
> > +-setcap = find_program('setcap', '/usr/sbin/setcap', '/sbin/setcap', required : false)
> > ++stagingdirnative = get_option('stagingdirnative')
> > ++setcap = find_program(stagingdirnative + '/usr/sbin/setcap', stagingdirnative + '/sbin/setcap', required
> > : false)
> > 
> 
> Just remove the hardcoded paths from find_program altogether (see meson manual), and it will take the binary
> from PATH env var, which is exactly how native sysroots are supposed to work.

I'm guessing upstream does this so you can build as a normal user who
doesn't have sbin in PATH and still use setcap during "make install".

We need something upstream might accept. I suspect what we need here 
is a way to specify a specific path to the util and then fall back on 
the current approach if the feature is enabled but no path provided. 
Please do ensure that it won't look in the host's directories unless 
its enabled though.

Cheers,

Richard

Re: [OE-core] [PATCH v2 2/2] iputils: Use STAGING_DIR_NATIVE for setcap detection

[Jose Quaresma]

[-- Attachment #1: Type: text/plain, Size: 1731 bytes --]

Hi,

The only change needed on the recipe are:

-PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap"
+PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap
libcap-native"

The patch 0001-Add-support-for-setcap-in-STAGING_DIR_NATIVE.patch is not
need because
with the addition of the libcap-native the meson find_program will find
the setcap binary on the native sysroot
and will use it.


Richard Purdie <richard.purdie@linuxfoundation.org> escreveu no dia quinta,
18/02/2021 à(s) 21:44:

> On Thu, 2021-02-18 at 20:58 +0100, Alexander Kanavin wrote:
> > On Thu, 18 Feb 2021 at 20:22, Jate Sujjavanich <jatedev@gmail.com>
> wrote:
> > > +-setcap = find_program('setcap', '/usr/sbin/setcap', '/sbin/setcap',
> required : false)
> > > ++stagingdirnative = get_option('stagingdirnative')
> > > ++setcap = find_program(stagingdirnative + '/usr/sbin/setcap',
> stagingdirnative + '/sbin/setcap', required
> > > : false)
> > >
> >
> > Just remove the hardcoded paths from find_program altogether (see meson
> manual), and it will take the binary
> > from PATH env var, which is exactly how native sysroots are supposed to
> work.
>
> I'm guessing upstream does this so you can build as a normal user who
> doesn't have sbin in PATH and still use setcap during "make install".
>
> We need something upstream might accept. I suspect what we need here
> is a way to specify a specific path to the util and then fall back on
> the current approach if the feature is enabled but no path provided.
> Please do ensure that it won't look in the host's directories unless
> its enabled though.
>
> Cheers,
>
> Richard
>
>
> 
>
>

-- 
Best regards,

José Quaresma

[-- Attachment #2: Type: text/html, Size: 2849 bytes --]

Re: [OE-core] [PATCH v2 2/2] iputils: Use STAGING_DIR_NATIVE for setcap detection

[Richard Purdie]

On Fri, 2021-02-19 at 11:26 +0000, Jose Quaresma wrote:
> The only change needed on the recipe are:
> 
> -PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap"
> +PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap libcap-native"
> 
> The patch 0001-Add-support-for-setcap-in-STAGING_DIR_NATIVE.patch is not need because
> with the addition of the libcap-native the meson find_program will find the setcap binary on the native
> sysroot and will use it.

Ok, we can take that change.

I'm assuming you still want/need the revert (patch 1/2) as well 
though?

That does give us a problem since on systems where libcap
isn't in PACKAGECONFIG, the binaries will be non-deterministic 
again.

Cheers,

Richard

Re: [OE-core] [PATCH v2 2/2] iputils: Use STAGING_DIR_NATIVE for setcap detection

[Jate Sujjavanich]

[-- Attachment #1: Type: text/plain, Size: 1440 bytes --]

I think we need the revert patch, the libcap-native DEPENDS, and then some
logic to exclude the hard-coded paths to setcap if we are cross-compiling.
This seems more mesonic and may be submittable upstream. Your hypothesis
that they hard code the setcap paths for non-root users makes sense,
Richard.

Per Alex, oe-core does exclude the build machine from PATH in the cross
environment. I was going by the PATH in the target devshell which adds the
build machine's paths.

Version 3 of the patchset is forthcoming.

- Jate

On Fri, Feb 19, 2021 at 6:34 AM Richard Purdie <
richard.purdie@linuxfoundation.org> wrote:

> On Fri, 2021-02-19 at 11:26 +0000, Jose Quaresma wrote:
> > The only change needed on the recipe are:
> >
> > -PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap"
> > +PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap
> libcap-native"
> >
> > The patch 0001-Add-support-for-setcap-in-STAGING_DIR_NATIVE.patch is not
> need because
> > with the addition of the libcap-native the meson find_program will find
> the setcap binary on the native
> > sysroot and will use it.
>
> Ok, we can take that change.
>
> I'm assuming you still want/need the revert (patch 1/2) as well
> though?
>
> That does give us a problem since on systems where libcap
> isn't in PACKAGECONFIG, the binaries will be non-deterministic
> again.
>
> Cheers,
>
> Richard
>
>
>

[-- Attachment #2: Type: text/html, Size: 1917 bytes --]