summaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-security
diff options
context:
space:
mode:
authorScott Murray <scott.murray@konsulko.com>2019-02-08 10:53:08 -0500
committerStephane Desneux <stephane.desneux@iot.bzh>2019-04-04 18:02:11 +0200
commit7faccb97d69c7581e338f88ce3a2153cdd69fd16 (patch)
tree57dd664e04593af6eed43cb6ecffab438d93d860 /meta-security/recipes-security
parente978a20f40916eac57a5e1af8f65b6ed9f719e50 (diff)
Upgrade to thud
Changes include: - Add LAYERSERIES_COMPAT definitions to layer.conf files - Remove now unnecessary SECURITY_*FLAGS over-rides from distro configuration - Set intel-corei7-64 preferred kernel version to 4.19 to match latest linux-intel kernel available in meta-intel - Update qemuarm preferred kernel version to 4.18 to match latest linux-yocto - Update firmware package and devicetree file names for raspberrypi3 - Remove linux-firmware bbappend specific to raspberrypi, it seems no longer required and breaks the cross SDK build - Update linux-intel bbappend to 4.19, remove now unnecessary patch - Remove now unnecessary lttng-modules backport - Update linux-raspberrypi bbappend to 4.14 kernel - Added kernel configuration fragment for raspberrypi to disable Kprobes. This is required until linux-raspberrypi is updated to greater than 4.14.104 to avoid a build failure in lttng-modules related to a check for known breakage in the kernel CONFIG_OPTPROBES code. - Replace obsolete base_conditional usage with oe.utils.conditional - Add gstreamer1.0-plugins-bad bbappend for raspberrypi3 to disable faad PACKAGECONFIG to avoid commercial license issues - Remove unused and unbuildable Vayu gstreamer recipes - Update linux-ti-staging bbappend for new BSP kernel - Regen dcan2_pinmux_enable.patch for linux-ti-staging to remove fuzz warning, and remove upstreamed fix_dcan_addresses.patch - Remove ipumm-fw from meta-agl-bsp/meta-ti, as newer version is available in the upstream BSP - Update meta-agl-bsp/meta-ti weston patch to apply against 5.0.0 - Update meta-agl-bsp/meta-ti wayland-ivi-extension patch to apply against 2.2.0 - Add ti-sgx-ddk-km patch to add AGL toolchain configuration file - Remove now unnecessary fdtoverlay recipe - Update core.cfg and ivishell.cfg in weston-ini-conf recipe to handle move of ivi-controller.so configuration in Weston 5.0.0 - Update connman-ncurses patch to remove fuzz warning - Add installation of systemd over-ride file for run-postinsts.service in run-postinsts bbappend to workaround race condition between ldconfig.service and the /sbin/ldconfig invocations in the post-install scripts run by run-postinsts.service. The observed failure was cynara's post-install script failing and its database not being created. - Remove now unnecessary valgrind backport - Add patches to fix most driver compilation against newer kernels - Update libmicrohttpd bbappend - Remove libssp-dev from agl-image-graphical-qt5-crosssdk and agl-demo-platform-html5-crosssdk, upstream have removed it from non-mingw32 platform SDKs - Update wayland-ivi-extension recipe to build 2.2.0, and update local patches - Update weston patches for 5.0.0. Patches: 0016-ivi-shell_add_screen_remove_layer_api.patch 0017-ivi-shell-register-ivi_layout_interface.patch have been removed as they have been applied upstream and are no longer necessary. Patches: 0018-compositor-add-output-type-to-weston_output.patch 0019-compositor-drm-introduce-drm_get_dmafd_from_view.patch (both related to Waltham) have been disabled for now as they need significant rework. - Remove weston-conf RRECOMMENDS in weston bbappend to avoid conflict with weston-ini-conf - Add OECMAKE_GENERATOR = "Unix Makefiles" to aglwgt.bbclass to work around CMake+ninja issue in cmake-apps-module - Update dbus cynara patches for 1.12.10 - Add do_install_append in cynara recipe to remove /var/cynara from cynara package so the directory creation and labelling in the post-install scriptlet will function as intended - Remove now unnecessary e2fsprogs backport - Remove now unnecessary libcap-ng backport - Update pulseaudio patches to remove fuzz warnings - Update neardal patch to remove fuzz warning - Update freetype patch to remove fuzz warning - Rename opencv bbappend to 3.% to handle 3.x backports in upstream - Updated qtwayland patch to remove fuzz warning Changes from Stephane Desneux <stephane.desneux@iot.bzh>: - Remove wayland-ivi-extension PREFERRED_VERSION - Remove now unnecessary nativesdk-cmake patch - Remove now unnecessary ptest-runner patches - Remove now unnecessary harfbuzz patches - Disable waltham-transmitter as it does not build against weston 5.0.0 - Update af-main, cynara, and security-manager to use pkg_postinst_ontarget - Bump connman-ncurses revision to avoid deprecated ncurses functions - Update libva package usage with new intel-vaapi-driver name - Add patches to security-manager to fix compilation with gcc8 - Updated systemd bbappend Changes from Jan-Simon Möller <jsmoeller@linuxfoundation.org>: - Remove meta-agl-bsp/ROCKO.FIXMEs - Remove linux-yocto_4.12.bbappend and now unnecessary associated patch - Remove now unneeded kern-tools-native patch - Bump gstreamer PREFERRED_VERSIONs to 1.14.x - Remove latencytop from packagegroup-agl-core-devel, it has been dropped by upstream - Remove now unnecessary rpm patches - Update pulseaudio bbappend to 12.2 - Update opencv bbappend to 3.4 - Update freetype bbappend to 2.9.1 - Update dbus bbappend to 1.12.10 - Update weston bbappend to 5.0.0 - Update cynara patches to remove fuzz warnings - Add patch to cynara to fix compilation with gcc8 - Add xmlsec1 bbappend to clear EXTRA_OECONF to fix compilation on sumo or newer Changes from Ronan Le Martet <ronan.lemartet@iot.bzh>: - Update meta-rcar-gen3-adas layer gstreamer1.0-plugin-vspfilter bbappend to version 1.0.1 Known issues (marked with FIXME): - CMake+ninja issue in cmake-apps-module has been worked around with OECMAKE_GENERATOR - waltham-transmitter and the patches to weston related to it have been disabled - Currently unclear if patch to libcap-native is actually required or not Bug-AGL: SPEC-1837 Change-Id: I7b8b9ef667aec2d229952eace6663dfc761654d0 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'meta-security/recipes-security')
-rw-r--r--meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch35
-rw-r--r--meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch228
-rw-r--r--meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch14
-rw-r--r--meta-security/recipes-security/cynara/cynara_0.14.10.bb20
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch79
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/python.patch39
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb39
-rw-r--r--meta-security/recipes-security/security-manager/security-manager.inc8
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch127
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch32
-rw-r--r--meta-security/recipes-security/security-manager/security-manager_git.bb4
-rw-r--r--meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend3
17 files changed, 401 insertions, 267 deletions
diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
index 11387b98b..e1d0cfac9 100644
--- a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
+++ b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
@@ -1,7 +1,7 @@
-From 3d387993b5a4283e8aebd8e777b2ccd45d233959 Mon Sep 17 00:00:00 2001
+From 8bf90bf3e7a821dbd3b7029d87aa592eec6f1754 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 12:00:18 +0100
-Subject: [PATCH 1/6] Add fallthrough tags
+Subject: [PATCH] Add fallthrough tags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -12,6 +12,7 @@ to the next after some processing.
Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
src/admin/api/admin-api.cpp | 1 +
src/client-async/logic/Logic.cpp | 1 +
@@ -54,6 +55,3 @@ index b1ca4f7..f4394e5 100644
default:
return true;
}
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch
new file mode 100644
index 000000000..40e11ce5d
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch
@@ -0,0 +1,35 @@
+From ca28ec4a0781a1ab9ec5f015387436beb51adfc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= <jsmoeller@linuxfoundation.org>
+Date: Fri, 19 Oct 2018 08:09:28 +0000
+Subject: [PATCH] fix fallthrough in cmdlineparser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
+
+---
+ src/service/main/CmdlineParser.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/service/main/CmdlineParser.cpp b/src/service/main/CmdlineParser.cpp
+index ca56e39..e07ea52 100644
+--- a/src/service/main/CmdlineParser.cpp
++++ b/src/service/main/CmdlineParser.cpp
+@@ -112,13 +112,16 @@ struct CmdLineOptions handleCmdlineOptions(int argc, char * const *argv) {
+ case ':': // Missing argument
+ ret.m_error = true;
+ ret.m_exit = true;
++ /*@fallthrough@*/
+ switch (optopt) {
+ case CmdlineOpt::Mask:
+ case CmdlineOpt::User:
+ case CmdlineOpt::Group:
+ printMissingArgument(execName, argv[optind - 1]);
+ return ret;
++ /*@fallthrough@*/
+ }
++ /*@fallthrough@*/
+ //intentional fall to Unknown option
+ case '?': // Unknown option
+ default:
diff --git a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
index 760a1c5b2..b8dbfac4d 100644
--- a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
+++ b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
@@ -1,9 +1,10 @@
-From b18e66ce7f81c56e3a97ed075cb60d5a43b2e57c Mon Sep 17 00:00:00 2001
+From e2d8414b0d1c6c59baf1bb73e856e93aaabaf955 Mon Sep 17 00:00:00 2001
From: Changhyeok Bae <changhyeok.bae@gmail.com>
Date: Sun, 17 Dec 2017 15:28:28 +0000
-Subject: [PATCH 2/6] gcc-7 requires include <functional> for std::function
+Subject: [PATCH] gcc-7 requires include <functional> for std::function
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
+
---
src/common/types/PolicyBucket.h | 1 +
src/cyad/AdminPolicyParser.h | 1 +
@@ -33,6 +34,3 @@ index 53dde23..f38c194 100644
#include <cyad/CynaraAdminPolicies.h>
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
index 8c47c3b26..1b105a00c 100644
--- a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
+++ b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
@@ -1,7 +1,7 @@
-From 6ad54c5e732e7cf0a29f29f48fa757e3e56d6860 Mon Sep 17 00:00:00 2001
+From fdcf2a68a4bfec588b1c6c969caa0be20961b807 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 11:38:16 +0100
-Subject: [PATCH 3/6] Avoid warning when compiling without smack
+Subject: [PATCH] Avoid warning when compiling without smack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -14,6 +14,7 @@ with the following message:
Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
src/admin/CMakeLists.txt | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
@@ -40,6 +41,3 @@ index e4f354a..38b8669 100644
SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin)
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
index 164542899..f19cdfb50 100644
--- a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
+++ b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
@@ -1,7 +1,7 @@
-From 2bd62bca98a8a8cf194fb2b68aed68d982f58520 Mon Sep 17 00:00:00 2001
+From 233fb8a93343c3c9c04914e1148ef5ab87a808a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 12:52:39 +0100
-Subject: [PATCH 4/6] Fix mode of sockets
+Subject: [PATCH] Fix mode of sockets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -10,6 +10,7 @@ Setting execution bit on the socket serves nothing.
Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
systemd/cynara-admin.socket | 2 +-
systemd/cynara.socket | 2 +-
@@ -39,6 +40,3 @@ index 9f2a870..fad2745 100644
SmackLabelIPIn=*
SmackLabelIPOut=@
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
index b4a2d74e8..e954c7f21 100644
--- a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
+++ b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
@@ -1,7 +1,7 @@
-From d919b110a2fbccdce084c651f4d7d7de66f2f869 Mon Sep 17 00:00:00 2001
+From ebde8e9fdba7bc1c8152f7e45c551030a36ece82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 13:47:37 +0100
-Subject: [PATCH 5/6] Allow to tune sockets
+Subject: [PATCH] Allow to tune sockets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -17,17 +17,26 @@ through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP
Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
- systemd/CMakeLists.txt | 19 +++++++++++++++----
- .../{cynara-admin.socket => cynara-admin.socket.in} | 2 +-
- .../{cynara-agent.socket => cynara-agent.socket.in} | 4 ++--
- ...onitor-get.socket => cynara-monitor-get.socket.in} | 4 ++--
- systemd/{cynara.socket => cynara.socket.in} | 2 +-
- 5 files changed, 21 insertions(+), 10 deletions(-)
- rename systemd/{cynara-admin.socket => cynara-admin.socket.in} (78%)
- rename systemd/{cynara-agent.socket => cynara-agent.socket.in} (66%)
- rename systemd/{cynara-monitor-get.socket => cynara-monitor-get.socket.in} (64%)
- rename systemd/{cynara.socket => cynara.socket.in} (80%)
+ systemd/CMakeLists.txt | 19 +++++++++++++++----
+ systemd/cynara-admin.socket | 14 --------------
+ systemd/cynara-admin.socket.in | 14 ++++++++++++++
+ systemd/cynara-agent.socket | 15 ---------------
+ systemd/cynara-agent.socket.in | 15 +++++++++++++++
+ systemd/cynara-monitor-get.socket | 15 ---------------
+ systemd/cynara-monitor-get.socket.in | 15 +++++++++++++++
+ systemd/cynara.socket | 14 --------------
+ systemd/cynara.socket.in | 14 ++++++++++++++
+ 9 files changed, 73 insertions(+), 62 deletions(-)
+ delete mode 100644 systemd/cynara-admin.socket
+ create mode 100644 systemd/cynara-admin.socket.in
+ delete mode 100644 systemd/cynara-agent.socket
+ create mode 100644 systemd/cynara-agent.socket.in
+ delete mode 100644 systemd/cynara-monitor-get.socket
+ create mode 100644 systemd/cynara-monitor-get.socket.in
+ delete mode 100644 systemd/cynara.socket
+ create mode 100644 systemd/cynara.socket.in
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index 20accf0..1b75c12 100644
@@ -62,66 +71,167 @@ index 20accf0..1b75c12 100644
DESTINATION
${SYSTEMD_UNIT_DIR}
)
-diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket.in
-similarity index 78%
-rename from systemd/cynara-admin.socket
-rename to systemd/cynara-admin.socket.in
-index ed38386..2364c3e 100644
+diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket
+deleted file mode 100644
+index ed38386..0000000
--- a/systemd/cynara-admin.socket
-+++ b/systemd/cynara-admin.socket.in
-@@ -1,5 +1,5 @@
- [Socket]
++++ /dev/null
+@@ -1,14 +0,0 @@
+-[Socket]
-ListenStream=/run/cynara/cynara-admin.socket
+-SocketMode=0600
+-SmackLabelIPIn=@
+-SmackLabelIPOut=@
+-
+-Service=cynara.service
+-
+-[Unit]
+-Wants=cynara.target
+-Before=cynara.target
+-
+-[Install]
+-WantedBy=sockets.target
+diff --git a/systemd/cynara-admin.socket.in b/systemd/cynara-admin.socket.in
+new file mode 100644
+index 0000000..2364c3e
+--- /dev/null
++++ b/systemd/cynara-admin.socket.in
+@@ -0,0 +1,14 @@
++[Socket]
+ListenStream=@SOCKET_DIR@/cynara-admin.socket
- SocketMode=0600
- SmackLabelIPIn=@
- SmackLabelIPOut=@
-diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket.in
-similarity index 66%
-rename from systemd/cynara-agent.socket
-rename to systemd/cynara-agent.socket.in
-index 5a677e0..4f86c9d 100644
++SocketMode=0600
++SmackLabelIPIn=@
++SmackLabelIPOut=@
++
++Service=cynara.service
++
++[Unit]
++Wants=cynara.target
++Before=cynara.target
++
++[Install]
++WantedBy=sockets.target
+diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket
+deleted file mode 100644
+index 5a677e0..0000000
--- a/systemd/cynara-agent.socket
-+++ b/systemd/cynara-agent.socket.in
-@@ -1,6 +1,6 @@
- [Socket]
++++ /dev/null
+@@ -1,15 +0,0 @@
+-[Socket]
-ListenStream=/run/cynara/cynara-agent.socket
-SocketGroup=security_fw
+-SocketMode=0060
+-SmackLabelIPIn=*
+-SmackLabelIPOut=@
+-
+-Service=cynara.service
+-
+-[Unit]
+-Wants=cynara.target
+-Before=cynara.target
+-
+-[Install]
+-WantedBy=sockets.target
+diff --git a/systemd/cynara-agent.socket.in b/systemd/cynara-agent.socket.in
+new file mode 100644
+index 0000000..4f86c9d
+--- /dev/null
++++ b/systemd/cynara-agent.socket.in
+@@ -0,0 +1,15 @@
++[Socket]
+ListenStream=@SOCKET_DIR@/cynara-agent.socket
+SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
- SocketMode=0060
- SmackLabelIPIn=*
- SmackLabelIPOut=@
-diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket.in
-similarity index 64%
-rename from systemd/cynara-monitor-get.socket
-rename to systemd/cynara-monitor-get.socket.in
-index a50feeb..b88dbf7 100644
++SocketMode=0060
++SmackLabelIPIn=*
++SmackLabelIPOut=@
++
++Service=cynara.service
++
++[Unit]
++Wants=cynara.target
++Before=cynara.target
++
++[Install]
++WantedBy=sockets.target
+diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket
+deleted file mode 100644
+index a50feeb..0000000
--- a/systemd/cynara-monitor-get.socket
-+++ b/systemd/cynara-monitor-get.socket.in
-@@ -1,6 +1,6 @@
- [Socket]
++++ /dev/null
+@@ -1,15 +0,0 @@
+-[Socket]
-ListenStream=/run/cynara/cynara-monitor-get.socket
-SocketGroup=security_fw
+-SocketMode=0060
+-SmackLabelIPIn=@
+-SmackLabelIPOut=@
+-
+-Service=cynara.service
+-
+-[Unit]
+-Wants=cynara.target
+-Before=cynara.target
+-
+-[Install]
+-WantedBy=sockets.target
+diff --git a/systemd/cynara-monitor-get.socket.in b/systemd/cynara-monitor-get.socket.in
+new file mode 100644
+index 0000000..b88dbf7
+--- /dev/null
++++ b/systemd/cynara-monitor-get.socket.in
+@@ -0,0 +1,15 @@
++[Socket]
+ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket
+SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
- SocketMode=0060
- SmackLabelIPIn=@
- SmackLabelIPOut=@
-diff --git a/systemd/cynara.socket b/systemd/cynara.socket.in
-similarity index 80%
-rename from systemd/cynara.socket
-rename to systemd/cynara.socket.in
-index fad2745..ba76549 100644
++SocketMode=0060
++SmackLabelIPIn=@
++SmackLabelIPOut=@
++
++Service=cynara.service
++
++[Unit]
++Wants=cynara.target
++Before=cynara.target
++
++[Install]
++WantedBy=sockets.target
+diff --git a/systemd/cynara.socket b/systemd/cynara.socket
+deleted file mode 100644
+index fad2745..0000000
--- a/systemd/cynara.socket
-+++ b/systemd/cynara.socket.in
-@@ -1,5 +1,5 @@
- [Socket]
++++ /dev/null
+@@ -1,14 +0,0 @@
+-[Socket]
-ListenStream=/run/cynara/cynara.socket
+-SocketMode=0666
+-SmackLabelIPIn=*
+-SmackLabelIPOut=@
+-
+-Service=cynara.service
+-
+-[Unit]
+-Wants=cynara.target
+-Before=cynara.target
+-
+-[Install]
+-WantedBy=sockets.target
+diff --git a/systemd/cynara.socket.in b/systemd/cynara.socket.in
+new file mode 100644
+index 0000000..ba76549
+--- /dev/null
++++ b/systemd/cynara.socket.in
+@@ -0,0 +1,14 @@
++[Socket]
+ListenStream=@SOCKET_DIR@/cynara.socket
- SocketMode=0666
- SmackLabelIPIn=*
- SmackLabelIPOut=@
---
-2.14.3
-
++SocketMode=0666
++SmackLabelIPIn=*
++SmackLabelIPOut=@
++
++Service=cynara.service
++
++[Unit]
++Wants=cynara.target
++Before=cynara.target
++
++[Install]
++WantedBy=sockets.target
diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
index 0cfc785c1..68864f1ed 100644
--- a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
+++ b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
@@ -1,13 +1,14 @@
-From d54e425b0685c9e3e06f5b4efcbd206950d14f3c Mon Sep 17 00:00:00 2001
+From 23f1a7cb34dd4ef88bac5a43057feaf7f50559aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 14:09:23 +0100
-Subject: [PATCH 6/6] Install socket activation by default
+Subject: [PATCH] Install socket activation by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
packaging/cynara.spec | 5 -----
systemd/CMakeLists.txt | 7 +++++++
@@ -75,6 +76,3 @@ index 0000000..c0e5a5b
@@ -0,0 +1 @@
+../cynara.socket
\ No newline at end of file
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
index cbf372ad9..c14418923 100644
--- a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
+++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
@@ -1,7 +1,7 @@
-From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001
+From 3605e9f8a3ea1252d1cf221398431e0d7a3ea34d Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Mon, 23 Mar 2015 15:01:39 -0700
-Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors
+Subject: [PATCH] cynara-db-migration.in: abort on errors
"set -e" enables error checking for all commands invoked by the script.
Previously, errors were silently ignored.
@@ -9,12 +9,13 @@ Previously, errors were silently ignored.
Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8]
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
---
- migration/cynara-db-migration | 2 ++
+ migration/cynara-db-migration.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in
-index ff9bd61..f6e7f94 100644
+index 7b666d4..0682df6 100644
--- a/migration/cynara-db-migration.in
+++ b/migration/cynara-db-migration.in
@@ -19,6 +19,8 @@
@@ -25,7 +26,4 @@ index ff9bd61..f6e7f94 100644
+
##### Constants (these must not be modified by shell)
- STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@'
---
-1.8.4.5
-
+ PATH=/bin:/usr/bin:/sbin:/usr/sbin
diff --git a/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
index 6c187fced..d2a09c693 100644
--- a/meta-security/recipes-security/cynara/cynara_0.14.10.bb
+++ b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
@@ -15,6 +15,7 @@ SRC_URI += " \
file://0004-Fix-mode-of-sockets.patch \
file://0005-Allow-to-tune-sockets.patch \
file://0006-Install-socket-activation-by-default.patch \
+ file://0001-fix-fallthrough-in-cmdlineparser.patch \
"
DEPENDS = " \
@@ -84,6 +85,12 @@ USERADD_PARAM_${PN} = "\
# ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket
#}
+# We want the post-install logic to create and label /var/cynara, so
+# it should not be in the package.
+do_install_append () {
+ rmdir ${D}${localstatedir}/cynara
+}
+
FILES_${PN} += "${systemd_system_unitdir}"
# Cynara itself has no dependency on Smack. Only its installation
@@ -101,18 +108,7 @@ DEPENDS_append_with-lsm-smack = " smack smack-native"
EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System"
CHSMACK_with-lsm-smack = "chsmack"
CHSMACK = "true"
-pkg_postinst_${PN} () {
- # Fail on error.
- set -e
-
- # It would be nice to run the code below while building an image,
- # but currently the calls to cynara-db-chsgen (a binary) in
- # cynara-db-migration (a script) prevent that. Rely instead
- # on OE's support for running failed postinst scripts at first boot.
- if [ x"$D" != "x" ]; then
- exit 1
- fi
-
+pkg_postinst_ontarget_${PN} () {
mkdir -p $D${sysconfdir}/cynara
${CHSMACK} -a System $D${sysconfdir}/cynara
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
deleted file mode 100644
index d7a868d2c..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-Upstream-Status: Pending
-
-diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
-index 7683119..a070c1e 100644
---- a/docs/capng_lock.3
-+++ b/docs/capng_lock.3
-@@ -8,12 +8,13 @@ int capng_lock(void);
-
- .SH "DESCRIPTION"
-
--capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
-+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel.
-
-+This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error.
-
- .SH "RETURN VALUE"
-
--This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
-+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
-
- .SH "SEE ALSO"
-
-diff --git a/src/cap-ng.c b/src/cap-ng.c
-index bd105ba..422f2bc 100644
---- a/src/cap-ng.c
-+++ b/src/cap-ng.c
-@@ -45,6 +45,7 @@
- * 2.6.24 kernel XATTR_NAME_CAPS
- * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2
- * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
-+ * 3.5 kernel PR_SET_NO_NEW_PRIVS
- */
-
- /* External syscall prototypes */
-@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
- #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
- #endif
-
-+/* prctl values that we use */
-+#ifndef PR_SET_SECUREBITS
-+#define PR_SET_SECUREBITS 28
-+#endif
-+#ifndef PR_SET_NO_NEW_PRIVS
-+#define PR_SET_NO_NEW_PRIVS 38
-+#endif
-+
- // States: new, allocated, initted, updated, applied
- typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
- CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
-@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
-
- int capng_lock(void)
- {
--#ifdef PR_SET_SECUREBITS
-- int rc = prctl(PR_SET_SECUREBITS,
-- 1 << SECURE_NOROOT |
-- 1 << SECURE_NOROOT_LOCKED |
-- 1 << SECURE_NO_SETUID_FIXUP |
-- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
-+ int rc;
-+
-+ // On Linux 3.5 and up, we can directly prevent ourselves and
-+ // our descendents from gaining privileges.
-+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
-+ return 0;
-+
-+ // This kernel is too old or otherwise doesn't support
-+ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits.
-+ rc = prctl(PR_SET_SECUREBITS,
-+ 1 << SECURE_NOROOT |
-+ 1 << SECURE_NOROOT_LOCKED |
-+ 1 << SECURE_NO_SETUID_FIXUP |
-+ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
- if (rc)
- return -1;
--#endif
-
- return 0;
- }
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
deleted file mode 100644
index d82ceb454..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-configure.ac - Avoid an incorrect check for python.
-Makefile.am - avoid hard coded host include paths.
-
-Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
-
---- libcap-ng-0.6.5/configure.ac.orig 2012-01-17 13:59:03.645898989 -0600
-+++ libcap-ng-0.6.5/configure.ac 2012-01-17 13:59:46.353959252 -0600
-@@ -120,17 +120,8 @@
- else
- AC_MSG_RESULT(testing)
- AM_PATH_PYTHON
--if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
-- python_found="yes"
-- AC_MSG_NOTICE(Python bindings will be built)
--else
-- python_found="no"
-- if test x$use_python = xyes ; then
-- AC_MSG_ERROR([Python explicitly required and python headers found])
-- else
-- AC_MSG_WARN("Python headers not found - python bindings will not be made")
-- fi
--fi
-+python_found="yes"
-+AC_MSG_NOTICE(Python bindings will be built)
- fi
- AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
-
---- libcap-ng-0.6.5/bindings/python/Makefile.am.orig 2010-11-03 12:31:59.000000000 -0500
-+++ libcap-ng-0.6.5/bindings/python/Makefile.am 2012-01-17 14:05:50.199834467 -0600
-@@ -24,7 +24,8 @@
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC
- PYLIBVER ?= python$(PYTHON_VERSION)
--INCLUDES = -I. -I$(top_builddir) -I/usr/include/$(PYLIBVER)
-+PYINC ?= /usr/include/$(PYLIBVER)
-+INCLUDES = -I. -I$(top_builddir) -I$(PYINC)
- LIBS = $(top_builddir)/src/libcap-ng.la
- pyexec_PYTHON = capng.py
- pyexec_LTLIBRARIES = _capng.la
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
deleted file mode 100644
index e729518e9..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
+++ /dev/null
@@ -1,39 +0,0 @@
-SUMMARY = "An alternate posix capabilities library"
-DESCRIPTION = "The libcap-ng library is intended to make programming \
-with POSIX capabilities much easier than the traditional libcap library."
-HOMEPAGE = "http://freecode.com/projects/libcap-ng"
-SECTION = "base"
-LICENSE = "GPLv2+ & LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
- file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"
-
-SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \
- file://python.patch \
- file://CVE-2014-3215.patch \
- "
-
-inherit lib_package autotools pythonnative
-
-SRC_URI[md5sum] = "610afb774f80a8032b711281df126283"
-SRC_URI[sha256sum] = "5ca441c8d3a1e4cfe8a8151907977662679457311ccaa7eaac91447c33a35bb1"
-
-DEPENDS += "swig-native python"
-
-EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' PYINC='${STAGING_INCDIR}/${PYLIBVER}'"
-
-PACKAGES += "${PN}-python"
-
-FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
-
-BBCLASSEXTEND = "native"
-
-do_install_append() {
- # Moving libcap-ng to base_libdir
- if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
- mkdir -p ${D}/${base_libdir}/
- mv -f ${D}${libdir}/libcap-ng.so.* ${D}${base_libdir}/
- relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
- ln -sf ${relpath}/libcap-ng.so.0.0.0 ${D}${libdir}/libcap-ng.so
- fi
-}
diff --git a/meta-security/recipes-security/security-manager/security-manager.inc b/meta-security/recipes-security/security-manager/security-manager.inc
index 810106d75..ddd87a930 100644
--- a/meta-security/recipes-security/security-manager/security-manager.inc
+++ b/meta-security/recipes-security/security-manager/security-manager.inc
@@ -89,10 +89,6 @@ FILES_${PN}-policy = " \
${bindir}/security-manager-policy-reload \
"
RDEPENDS_${PN}-policy += "sqlite3 cynara"
-pkg_postinst_${PN}-policy () {
- if [ x"$D" = "x" ] && ${bindir}/security-manager-policy-reload; then
- exit 0
- else
- exit 1
- fi
+pkg_postinst_ontarget_${PN}-policy () {
+ ${bindir}/security-manager-policy-reload
}
diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch
new file mode 100644
index 000000000..f598fdc82
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch
@@ -0,0 +1,127 @@
+From 14c8842ed8a37fecbc70d46e27b49ae929b0c85f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 1 Feb 2019 15:37:44 +0100
+Subject: [PATCH] Avoid casting from "const T&" to "void*"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Latest version of g++ refuse the cast
+
+ reinterpret_cast<void (Service::*)(void*)>(serviceFunction)
+
+I made no investigation to know if the problem
+is coming from the const or not.
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/server/main/include/service-thread.h | 43 ++++++++++--------------
+ 1 file changed, 18 insertions(+), 25 deletions(-)
+
+diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h
+index 964d168..92b0ec8 100644
+--- a/src/server/main/include/service-thread.h
++++ b/src/server/main/include/service-thread.h
+@@ -9,78 +94,72 @@ public:
+ Join();
+ while (!m_eventQueue.empty()){
+ auto front = m_eventQueue.front();
+- delete front.eventPtr;
++ delete front;
+ m_eventQueue.pop();
+ }
+ }
+
+ template <class T>
+ void Event(const T &event,
+ Service *servicePtr,
+ void (Service::*serviceFunction)(const T &))
+ {
+- EventDescription description;
+- description.serviceFunctionPtr =
+- reinterpret_cast<void (Service::*)(void*)>(serviceFunction);
+- description.servicePtr = servicePtr;
+- description.eventFunctionPtr = &ServiceThread::EventCall<T>;
+- description.eventPtr = new T(event);
++ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction);
+ {
+ std::lock_guard<std::mutex> lock(m_eventQueueMutex);
+- m_eventQueue.push(description);
++ m_eventQueue.push(ec);
+ }
+ m_waitCondition.notify_one();
+ }
+
+ protected:
+
+- struct EventDescription {
+- void (Service::*serviceFunctionPtr)(void *);
+- Service *servicePtr;
+- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event);
+- GenericEvent* eventPtr;
+- };
+-
+- template <class T>
+- void EventCall(const EventDescription &desc) {
+- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr);
+- const T& eventLocale = *(static_cast<T*>(desc.eventPtr));
+- (desc.servicePtr->*fun)(eventLocale);
+- }
++ struct EventCallerBase {
++ virtual void fire() = 0;
++ virtual ~EventCallerBase() {}
++ };
+
++ template <class T>
++ struct EventCaller : public EventCallerBase {
++ T *event; Service *target; void (Service::*function)(const T&);
++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {}
++ ~EventCaller() { delete event; }
++ void fire() { (target->*function)(*event); }
++ };
++
+ static void ThreadLoopStatic(ServiceThread *ptr) {
+ ptr->ThreadLoop();
+ }
+
+ void ThreadLoop(){
+ for (;;) {
+- EventDescription description = {NULL, NULL, NULL, NULL};
++ EventCallerBase *ec = NULL;
+ {
+ std::unique_lock<std::mutex> ulock(m_eventQueueMutex);
+ if (m_quit)
+ return;
+ if (!m_eventQueue.empty()) {
+- description = m_eventQueue.front();
++ ec = m_eventQueue.front();
+ m_eventQueue.pop();
+ } else {
+ m_waitCondition.wait(ulock);
+ }
+ }
+
+- if (description.eventPtr != NULL) {
++ if (ec != NULL) {
+ UNHANDLED_EXCEPTION_HANDLER_BEGIN
+ {
+- (this->*description.eventFunctionPtr)(description);
+- delete description.eventPtr;
++ ec->fire();
+ }
+ UNHANDLED_EXCEPTION_HANDLER_END
++ delete ec;
+ }
+ }
+ }
+
+ std::thread m_thread;
+ std::mutex m_eventQueueMutex;
+- std::queue<EventDescription> m_eventQueue;
++ std::queue<EventCallerBase*> m_eventQueue;
+ std::condition_variable m_waitCondition;
+
+ State m_state;
+--
+2.17.2
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch
new file mode 100644
index 000000000..5a55a3128
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch
@@ -0,0 +1,32 @@
+From 37c63c280eaec8cae3a321d45404d6c03a68c9d9 Mon Sep 17 00:00:00 2001
+From: Stephane Desneux <stephane.desneux@iot.bzh>
+Date: Fri, 1 Feb 2019 12:26:17 +0000
+Subject: [PATCH] Fix gcc8 warning/error [-Werror=catch-value=]
+
+Fixes the following warning/error during compile:
+
+src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=]
+| } catch (Exception) {
+| ^~~~~~~~~
+
+Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
+---
+ src/dpl/core/src/assert.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp
+index 63538a2..fc60ce9 100644
+--- a/src/dpl/core/src/assert.cpp
++++ b/src/dpl/core/src/assert.cpp
+@@ -58,7 +58,7 @@ void AssertProc(const char *condition,
+ INTERNAL_LOG("### Function: " << function);
+ INTERNAL_LOG(
+ "################################################################################");
+- } catch (Exception) {
++ } catch (Exception const&) {
+ // Just ignore possible double errors
+ }
+
+--
+2.11.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb
index 65134d31a..3cbc3aea8 100644
--- a/meta-security/recipes-security/security-manager/security-manager_git.bb
+++ b/meta-security/recipes-security/security-manager/security-manager_git.bb
@@ -14,6 +14,8 @@ file://c-11-replace-depracated-auto_ptr.patch \
file://socket-manager-removes-tizen-specific-call.patch \
file://Removing-tizen-platform-config.patch \
file://removes-dependency-to-libslp-db-utils.patch \
+file://0001-Fix-gcc8-warning-error-Werror-catch-value.patch \
+file://0001-Avoid-casting-from-const-T-to-void.patch \
"
##########################################
@@ -32,3 +34,5 @@ SRC_URI += "\
file://include-linux-xattr.patch;apply=${APPLY} \
"
+# Use make with cmake and not ninja
+OECMAKE_GENERATOR = "Unix Makefiles"
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend b/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend
new file mode 100644
index 000000000..9c6080fcf
--- /dev/null
+++ b/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend
@@ -0,0 +1,3 @@
+# remove the EXTRA_OECONF from the recipe to
+# avoid an build error in >= YP SUMO
+EXTRA_OECONF = ""