Upgrade to thud

Changes include:
- Add LAYERSERIES_COMPAT definitions to layer.conf files
- Remove now unnecessary SECURITY_*FLAGS over-rides from distro
  configuration
- Set intel-corei7-64 preferred kernel version to 4.19 to match
  latest linux-intel kernel available in meta-intel
- Update qemuarm preferred kernel version to 4.18 to match latest
  linux-yocto
- Update firmware package and devicetree file names for raspberrypi3
- Remove linux-firmware bbappend specific to raspberrypi, it seems no
  longer required and breaks the cross SDK build
- Update linux-intel bbappend to 4.19, remove now unnecessary patch
- Remove now unnecessary lttng-modules backport
- Update linux-raspberrypi bbappend to 4.14 kernel
- Added kernel configuration fragment for raspberrypi to disable
  Kprobes. This is required until linux-raspberrypi is updated to
  greater than 4.14.104 to avoid a build failure in lttng-modules
  related to a check for known breakage in the kernel CONFIG_OPTPROBES
  code.
- Replace obsolete base_conditional usage with oe.utils.conditional
- Add gstreamer1.0-plugins-bad bbappend for raspberrypi3 to disable
  faad PACKAGECONFIG to avoid commercial license issues
- Remove unused and unbuildable Vayu gstreamer recipes
- Update linux-ti-staging bbappend for new BSP kernel
- Regen dcan2_pinmux_enable.patch for linux-ti-staging to remove fuzz
  warning, and remove upstreamed fix_dcan_addresses.patch
- Remove ipumm-fw from meta-agl-bsp/meta-ti, as newer version is
  available in the upstream BSP
- Update meta-agl-bsp/meta-ti weston patch to apply against 5.0.0
- Update meta-agl-bsp/meta-ti wayland-ivi-extension patch to apply
  against 2.2.0
- Add ti-sgx-ddk-km patch to add AGL toolchain configuration file
- Remove now unnecessary fdtoverlay recipe
- Update core.cfg and ivishell.cfg in weston-ini-conf recipe to handle
  move of ivi-controller.so configuration in Weston 5.0.0
- Update connman-ncurses patch to remove fuzz warning
- Add installation of systemd over-ride file for run-postinsts.service
  in run-postinsts bbappend to workaround race condition between
  ldconfig.service and the /sbin/ldconfig invocations in the
  post-install scripts run by run-postinsts.service.  The observed
  failure was cynara's post-install script failing and its database
  not being created.
- Remove now unnecessary valgrind backport
- Add patches to fix most driver compilation against newer kernels
- Update libmicrohttpd bbappend
- Remove libssp-dev from agl-image-graphical-qt5-crosssdk and
  agl-demo-platform-html5-crosssdk, upstream have removed it from
  non-mingw32 platform SDKs
- Update wayland-ivi-extension recipe to build 2.2.0, and update
  local patches
- Update weston patches for 5.0.0. Patches:

  0016-ivi-shell_add_screen_remove_layer_api.patch
  0017-ivi-shell-register-ivi_layout_interface.patch

  have been removed as they have been applied upstream and are no longer
  necessary. Patches:

  0018-compositor-add-output-type-to-weston_output.patch
  0019-compositor-drm-introduce-drm_get_dmafd_from_view.patch

  (both related to Waltham) have been disabled for now as they need
  significant rework.
- Remove weston-conf RRECOMMENDS in weston bbappend to avoid conflict
  with weston-ini-conf
- Add OECMAKE_GENERATOR = "Unix Makefiles" to aglwgt.bbclass to work
  around CMake+ninja issue in cmake-apps-module
- Update dbus cynara patches for 1.12.10
- Add do_install_append in cynara recipe to remove /var/cynara from
  cynara package so the directory creation and labelling in the
  post-install scriptlet will function as intended
- Remove now unnecessary e2fsprogs backport
- Remove now unnecessary libcap-ng backport
- Update pulseaudio patches to remove fuzz warnings
- Update neardal patch to remove fuzz warning
- Update freetype patch to remove fuzz warning
- Rename opencv bbappend to 3.% to handle 3.x backports in upstream
- Updated qtwayland patch to remove fuzz warning

Changes from Stephane Desneux <stephane.desneux@iot.bzh>:
- Remove wayland-ivi-extension PREFERRED_VERSION
- Remove now unnecessary nativesdk-cmake patch
- Remove now unnecessary ptest-runner patches
- Remove now unnecessary harfbuzz patches
- Disable waltham-transmitter as it does not build against weston 5.0.0
- Update af-main, cynara, and security-manager to use pkg_postinst_ontarget
- Bump connman-ncurses revision to avoid deprecated ncurses functions
- Update libva package usage with new intel-vaapi-driver name
- Add patches to security-manager to fix compilation with gcc8
- Updated systemd bbappend

Changes from Jan-Simon Möller <jsmoeller@linuxfoundation.org>:
- Remove meta-agl-bsp/ROCKO.FIXMEs
- Remove linux-yocto_4.12.bbappend and now unnecessary associated
  patch
- Remove now unneeded kern-tools-native patch
- Bump gstreamer PREFERRED_VERSIONs to 1.14.x
- Remove latencytop from packagegroup-agl-core-devel, it has been
  dropped by upstream
- Remove now unnecessary rpm patches
- Update pulseaudio bbappend to 12.2
- Update opencv bbappend to 3.4
- Update freetype bbappend to 2.9.1
- Update dbus bbappend to 1.12.10
- Update weston bbappend to 5.0.0
- Update cynara patches to remove fuzz warnings
- Add patch to cynara to fix compilation with gcc8
- Add xmlsec1 bbappend to clear EXTRA_OECONF to fix compilation on
  sumo or newer

Changes from Ronan Le Martet <ronan.lemartet@iot.bzh>:
- Update meta-rcar-gen3-adas layer gstreamer1.0-plugin-vspfilter
  bbappend to version 1.0.1

Known issues (marked with FIXME):
- CMake+ninja issue in cmake-apps-module has been worked around with
  OECMAKE_GENERATOR
- waltham-transmitter and the patches to weston related to it have been
  disabled
- Currently unclear if patch to libcap-native is actually required or
  not

Bug-AGL: SPEC-1837

Change-Id: I7b8b9ef667aec2d229952eace6663dfc761654d0
Signed-off-by: Scott Murray <scott.murray@konsulko.com>

1 files changed, 0 insertions, 79 deletions

diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
deleted file mode 100644
index d7a868d2c..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-Upstream-Status: Pending
-
-diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
-index 7683119..a070c1e 100644
---- a/docs/capng_lock.3
-+++ b/docs/capng_lock.3
-@@ -8,12 +8,13 @@ int capng_lock(void);
- 
- .SH "DESCRIPTION"
- 
--capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
-+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs.  This should be called while possessing the CAP_SETPCAP capability in the kernel.
- 
-+This function will do the following if permitted by the kernel:  If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it.  Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.  If both fail, it will return an error.
- 
- .SH "RETURN VALUE"
- 
--This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
-+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
- 
- .SH "SEE ALSO"
- 
-diff --git a/src/cap-ng.c b/src/cap-ng.c
-index bd105ba..422f2bc 100644
---- a/src/cap-ng.c
-+++ b/src/cap-ng.c
-@@ -45,6 +45,7 @@
-  * 2.6.24 kernel	XATTR_NAME_CAPS
-  * 2.6.25 kernel	PR_CAPBSET_DROP, CAPABILITY_VERSION_2
-  * 2.6.26 kernel	PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
-+ * 3.5    kernel	PR_SET_NO_NEW_PRIVS
-  */
- 
- /* External syscall prototypes */
-@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
- #define SECURE_NO_SETUID_FIXUP_LOCKED   3  /* make bit-2 immutable */
- #endif
- 
-+/* prctl values that we use */
-+#ifndef PR_SET_SECUREBITS
-+#define PR_SET_SECUREBITS		28
-+#endif
-+#ifndef PR_SET_NO_NEW_PRIVS
-+#define PR_SET_NO_NEW_PRIVS		38
-+#endif
-+
- // States: new, allocated, initted, updated, applied
- typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
- 	CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
-@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
- 
- int capng_lock(void)
- {
--#ifdef PR_SET_SECUREBITS
--	int rc = prctl(PR_SET_SECUREBITS,
--			1 << SECURE_NOROOT |
--			1 << SECURE_NOROOT_LOCKED |
--			1 << SECURE_NO_SETUID_FIXUP |
--			1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
-+	int rc;
-+
-+	// On Linux 3.5 and up, we can directly prevent ourselves and
-+	// our descendents from gaining privileges.
-+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
-+		return 0;
-+
-+	// This kernel is too old or otherwise doesn't support
-+	// PR_SET_NO_NEW_PRIVS.  Fall back to using securebits.
-+	rc = prctl(PR_SET_SECUREBITS,
-+		   1 << SECURE_NOROOT |
-+		   1 << SECURE_NOROOT_LOCKED |
-+		   1 << SECURE_NO_SETUID_FIXUP |
-+		   1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
- 	if (rc)
- 		return -1;
--#endif
- 
- 	return 0;
- }