summaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-security/libcap-ng
diff options
context:
space:
mode:
authorScott Murray <scott.murray@konsulko.com>2019-02-08 10:53:08 -0500
committerStephane Desneux <stephane.desneux@iot.bzh>2019-04-04 18:02:11 +0200
commit7faccb97d69c7581e338f88ce3a2153cdd69fd16 (patch)
tree57dd664e04593af6eed43cb6ecffab438d93d860 /meta-security/recipes-security/libcap-ng
parente978a20f40916eac57a5e1af8f65b6ed9f719e50 (diff)
Upgrade to thud
Changes include: - Add LAYERSERIES_COMPAT definitions to layer.conf files - Remove now unnecessary SECURITY_*FLAGS over-rides from distro configuration - Set intel-corei7-64 preferred kernel version to 4.19 to match latest linux-intel kernel available in meta-intel - Update qemuarm preferred kernel version to 4.18 to match latest linux-yocto - Update firmware package and devicetree file names for raspberrypi3 - Remove linux-firmware bbappend specific to raspberrypi, it seems no longer required and breaks the cross SDK build - Update linux-intel bbappend to 4.19, remove now unnecessary patch - Remove now unnecessary lttng-modules backport - Update linux-raspberrypi bbappend to 4.14 kernel - Added kernel configuration fragment for raspberrypi to disable Kprobes. This is required until linux-raspberrypi is updated to greater than 4.14.104 to avoid a build failure in lttng-modules related to a check for known breakage in the kernel CONFIG_OPTPROBES code. - Replace obsolete base_conditional usage with oe.utils.conditional - Add gstreamer1.0-plugins-bad bbappend for raspberrypi3 to disable faad PACKAGECONFIG to avoid commercial license issues - Remove unused and unbuildable Vayu gstreamer recipes - Update linux-ti-staging bbappend for new BSP kernel - Regen dcan2_pinmux_enable.patch for linux-ti-staging to remove fuzz warning, and remove upstreamed fix_dcan_addresses.patch - Remove ipumm-fw from meta-agl-bsp/meta-ti, as newer version is available in the upstream BSP - Update meta-agl-bsp/meta-ti weston patch to apply against 5.0.0 - Update meta-agl-bsp/meta-ti wayland-ivi-extension patch to apply against 2.2.0 - Add ti-sgx-ddk-km patch to add AGL toolchain configuration file - Remove now unnecessary fdtoverlay recipe - Update core.cfg and ivishell.cfg in weston-ini-conf recipe to handle move of ivi-controller.so configuration in Weston 5.0.0 - Update connman-ncurses patch to remove fuzz warning - Add installation of systemd over-ride file for run-postinsts.service in run-postinsts bbappend to workaround race condition between ldconfig.service and the /sbin/ldconfig invocations in the post-install scripts run by run-postinsts.service. The observed failure was cynara's post-install script failing and its database not being created. - Remove now unnecessary valgrind backport - Add patches to fix most driver compilation against newer kernels - Update libmicrohttpd bbappend - Remove libssp-dev from agl-image-graphical-qt5-crosssdk and agl-demo-platform-html5-crosssdk, upstream have removed it from non-mingw32 platform SDKs - Update wayland-ivi-extension recipe to build 2.2.0, and update local patches - Update weston patches for 5.0.0. Patches: 0016-ivi-shell_add_screen_remove_layer_api.patch 0017-ivi-shell-register-ivi_layout_interface.patch have been removed as they have been applied upstream and are no longer necessary. Patches: 0018-compositor-add-output-type-to-weston_output.patch 0019-compositor-drm-introduce-drm_get_dmafd_from_view.patch (both related to Waltham) have been disabled for now as they need significant rework. - Remove weston-conf RRECOMMENDS in weston bbappend to avoid conflict with weston-ini-conf - Add OECMAKE_GENERATOR = "Unix Makefiles" to aglwgt.bbclass to work around CMake+ninja issue in cmake-apps-module - Update dbus cynara patches for 1.12.10 - Add do_install_append in cynara recipe to remove /var/cynara from cynara package so the directory creation and labelling in the post-install scriptlet will function as intended - Remove now unnecessary e2fsprogs backport - Remove now unnecessary libcap-ng backport - Update pulseaudio patches to remove fuzz warnings - Update neardal patch to remove fuzz warning - Update freetype patch to remove fuzz warning - Rename opencv bbappend to 3.% to handle 3.x backports in upstream - Updated qtwayland patch to remove fuzz warning Changes from Stephane Desneux <stephane.desneux@iot.bzh>: - Remove wayland-ivi-extension PREFERRED_VERSION - Remove now unnecessary nativesdk-cmake patch - Remove now unnecessary ptest-runner patches - Remove now unnecessary harfbuzz patches - Disable waltham-transmitter as it does not build against weston 5.0.0 - Update af-main, cynara, and security-manager to use pkg_postinst_ontarget - Bump connman-ncurses revision to avoid deprecated ncurses functions - Update libva package usage with new intel-vaapi-driver name - Add patches to security-manager to fix compilation with gcc8 - Updated systemd bbappend Changes from Jan-Simon Möller <jsmoeller@linuxfoundation.org>: - Remove meta-agl-bsp/ROCKO.FIXMEs - Remove linux-yocto_4.12.bbappend and now unnecessary associated patch - Remove now unneeded kern-tools-native patch - Bump gstreamer PREFERRED_VERSIONs to 1.14.x - Remove latencytop from packagegroup-agl-core-devel, it has been dropped by upstream - Remove now unnecessary rpm patches - Update pulseaudio bbappend to 12.2 - Update opencv bbappend to 3.4 - Update freetype bbappend to 2.9.1 - Update dbus bbappend to 1.12.10 - Update weston bbappend to 5.0.0 - Update cynara patches to remove fuzz warnings - Add patch to cynara to fix compilation with gcc8 - Add xmlsec1 bbappend to clear EXTRA_OECONF to fix compilation on sumo or newer Changes from Ronan Le Martet <ronan.lemartet@iot.bzh>: - Update meta-rcar-gen3-adas layer gstreamer1.0-plugin-vspfilter bbappend to version 1.0.1 Known issues (marked with FIXME): - CMake+ninja issue in cmake-apps-module has been worked around with OECMAKE_GENERATOR - waltham-transmitter and the patches to weston related to it have been disabled - Currently unclear if patch to libcap-native is actually required or not Bug-AGL: SPEC-1837 Change-Id: I7b8b9ef667aec2d229952eace6663dfc761654d0 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'meta-security/recipes-security/libcap-ng')
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch79
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/python.patch39
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb39
3 files changed, 0 insertions, 157 deletions
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
deleted file mode 100644
index d7a868d2c..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-Upstream-Status: Pending
-
-diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
-index 7683119..a070c1e 100644
---- a/docs/capng_lock.3
-+++ b/docs/capng_lock.3
-@@ -8,12 +8,13 @@ int capng_lock(void);
-
- .SH "DESCRIPTION"
-
--capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
-+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel.
-
-+This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error.
-
- .SH "RETURN VALUE"
-
--This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
-+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
-
- .SH "SEE ALSO"
-
-diff --git a/src/cap-ng.c b/src/cap-ng.c
-index bd105ba..422f2bc 100644
---- a/src/cap-ng.c
-+++ b/src/cap-ng.c
-@@ -45,6 +45,7 @@
- * 2.6.24 kernel XATTR_NAME_CAPS
- * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2
- * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
-+ * 3.5 kernel PR_SET_NO_NEW_PRIVS
- */
-
- /* External syscall prototypes */
-@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
- #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
- #endif
-
-+/* prctl values that we use */
-+#ifndef PR_SET_SECUREBITS
-+#define PR_SET_SECUREBITS 28
-+#endif
-+#ifndef PR_SET_NO_NEW_PRIVS
-+#define PR_SET_NO_NEW_PRIVS 38
-+#endif
-+
- // States: new, allocated, initted, updated, applied
- typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
- CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
-@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
-
- int capng_lock(void)
- {
--#ifdef PR_SET_SECUREBITS
-- int rc = prctl(PR_SET_SECUREBITS,
-- 1 << SECURE_NOROOT |
-- 1 << SECURE_NOROOT_LOCKED |
-- 1 << SECURE_NO_SETUID_FIXUP |
-- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
-+ int rc;
-+
-+ // On Linux 3.5 and up, we can directly prevent ourselves and
-+ // our descendents from gaining privileges.
-+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
-+ return 0;
-+
-+ // This kernel is too old or otherwise doesn't support
-+ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits.
-+ rc = prctl(PR_SET_SECUREBITS,
-+ 1 << SECURE_NOROOT |
-+ 1 << SECURE_NOROOT_LOCKED |
-+ 1 << SECURE_NO_SETUID_FIXUP |
-+ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
- if (rc)
- return -1;
--#endif
-
- return 0;
- }
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
deleted file mode 100644
index d82ceb454..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-configure.ac - Avoid an incorrect check for python.
-Makefile.am - avoid hard coded host include paths.
-
-Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
-
---- libcap-ng-0.6.5/configure.ac.orig 2012-01-17 13:59:03.645898989 -0600
-+++ libcap-ng-0.6.5/configure.ac 2012-01-17 13:59:46.353959252 -0600
-@@ -120,17 +120,8 @@
- else
- AC_MSG_RESULT(testing)
- AM_PATH_PYTHON
--if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
-- python_found="yes"
-- AC_MSG_NOTICE(Python bindings will be built)
--else
-- python_found="no"
-- if test x$use_python = xyes ; then
-- AC_MSG_ERROR([Python explicitly required and python headers found])
-- else
-- AC_MSG_WARN("Python headers not found - python bindings will not be made")
-- fi
--fi
-+python_found="yes"
-+AC_MSG_NOTICE(Python bindings will be built)
- fi
- AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
-
---- libcap-ng-0.6.5/bindings/python/Makefile.am.orig 2010-11-03 12:31:59.000000000 -0500
-+++ libcap-ng-0.6.5/bindings/python/Makefile.am 2012-01-17 14:05:50.199834467 -0600
-@@ -24,7 +24,8 @@
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC
- PYLIBVER ?= python$(PYTHON_VERSION)
--INCLUDES = -I. -I$(top_builddir) -I/usr/include/$(PYLIBVER)
-+PYINC ?= /usr/include/$(PYLIBVER)
-+INCLUDES = -I. -I$(top_builddir) -I$(PYINC)
- LIBS = $(top_builddir)/src/libcap-ng.la
- pyexec_PYTHON = capng.py
- pyexec_LTLIBRARIES = _capng.la
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
deleted file mode 100644
index e729518e9..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
+++ /dev/null
@@ -1,39 +0,0 @@
-SUMMARY = "An alternate posix capabilities library"
-DESCRIPTION = "The libcap-ng library is intended to make programming \
-with POSIX capabilities much easier than the traditional libcap library."
-HOMEPAGE = "http://freecode.com/projects/libcap-ng"
-SECTION = "base"
-LICENSE = "GPLv2+ & LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
- file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"
-
-SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \
- file://python.patch \
- file://CVE-2014-3215.patch \
- "
-
-inherit lib_package autotools pythonnative
-
-SRC_URI[md5sum] = "610afb774f80a8032b711281df126283"
-SRC_URI[sha256sum] = "5ca441c8d3a1e4cfe8a8151907977662679457311ccaa7eaac91447c33a35bb1"
-
-DEPENDS += "swig-native python"
-
-EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' PYINC='${STAGING_INCDIR}/${PYLIBVER}'"
-
-PACKAGES += "${PN}-python"
-
-FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
-
-BBCLASSEXTEND = "native"
-
-do_install_append() {
- # Moving libcap-ng to base_libdir
- if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
- mkdir -p ${D}/${base_libdir}/
- mv -f ${D}${libdir}/libcap-ng.so.* ${D}${base_libdir}/
- relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
- ln -sf ${relpath}/libcap-ng.so.0.0.0 ${D}${libdir}/libcap-ng.so
- fi
-}