from:"Victor Kamensky via Openembedded\-core"

[OE-core] [PATCH] make: disable use of posix_spawn on mips

2020-02-29 Thread Victor Kamensky via Openembedded-core

After make-4.3 migration child_execute_job function started
using posix_spawn function, which happens to be broken on mips.

It manifests itself as when make executed by root, it switches
real user id to wrong value because of some issues with direct
setresuid system call done in glibc __spawni_child function
through inline assemble and/or gcc compiling it produces wrong
code. I.e instead of passing -1 posix_spawn function incorrectly
passes 127 as ruid. Subsequently job started by make can fail
with permission issue because they run under wrong user.

For now workaround is used by explicitly disabling posix_spawn
call use by make on mips through configure variable.

Signed-off-by: Victor Kamensky 
---
 meta/recipes-devtools/make/make_4.3.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/make/make_4.3.bb 
b/meta/recipes-devtools/make/make_4.3.bb
index 70caf0ae16..5fa7059169 100644
--- a/meta/recipes-devtools/make/make_4.3.bb
+++ b/meta/recipes-devtools/make/make_4.3.bb
@@ -12,6 +12,9 @@ SRC_URI += "\
 
 EXTRA_OECONF += "--without-guile"
 
+EXTRA_OECONF_append_mips=" ac_cv_func_posix_spawn=no"
+EXTRA_OECONF_append_mips64=" ac_cv_func_posix_spawn=no"
+
 SRC_URI[md5sum] = "d5c40e7bd1e97a7404f5d3be982f479a"
 SRC_URI[sha256sum] = 
"de1a441c4edf952521db30bfca80baae86a0ff1acd0a00402999344f04c45e82"
 
-- 
2.21.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [PATCH 4/5] linux-yocto: Fix systemtap issue on armv7

2019-03-10 Thread Victor Kamensky via Openembedded-core





On Sun, 10 Mar 2019, Bruce Ashfield wrote:


On Sun, Mar 10, 2019 at 11:12 PM Richard Purdie
 wrote:


Testing stap on armv7 machines was failing due to intermixing of thumb/arm
instructions. Patch the kernel to always use the v7 march options since
we know our gcc versions support it to avoid the failure and allow
systemtap to work.


I'd rather just merge this into the kernel directly. I can do a quick
merge and bump
of the SRCREV. If you send the patch against linux-yocto, that makes it easier
for me to grab and integrate it, versus having to dig it out of here
(since my access
is pretty limited at the moment).


BTW please note I posted on ARM linux kernel mailing list
IMO more appropriate and possibly upstreamable fix for the same issue

http://lists.infradead.org/pipermail/linux-arm-kernel/2019-March/637809.html

It seems quite urgent so Richard's fix might work as well as short term.

More inline.


Bruce



[YOCTO #13153]

Signed-off-by: Richard Purdie 
---
 ...0001-arm-Makefile-Fix-systemtap-4.19.patch | 60 +++
 .../0001-arm-Makefile-Fix-systemtap.patch | 60 +++
 meta/recipes-kernel/linux/linux-yocto_4.19.bb |  3 +-
 meta/recipes-kernel/linux/linux-yocto_5.0.bb  |  3 +-
 4 files changed, 124 insertions(+), 2 deletions(-)
 create mode 100644 
meta/recipes-kernel/linux/linux-yocto/0001-arm-Makefile-Fix-systemtap-4.19.patch
 create mode 100644 
meta/recipes-kernel/linux/linux-yocto/0001-arm-Makefile-Fix-systemtap.patch

diff --git 
a/meta/recipes-kernel/linux/linux-yocto/0001-arm-Makefile-Fix-systemtap-4.19.patch
 
b/meta/recipes-kernel/linux/linux-yocto/0001-arm-Makefile-Fix-systemtap-4.19.patch
new file mode 100644
index 000..53bd53b276c
--- /dev/null
+++ 
b/meta/recipes-kernel/linux/linux-yocto/0001-arm-Makefile-Fix-systemtap-4.19.patch
@@ -0,0 +1,60 @@
+From c2995494e311c113177db50ff140cebd94fd4011 Mon Sep 17 00:00:00 2001
+From: Richard Purdie 
+Date: Sun, 10 Mar 2019 06:43:15 +
+Subject: [PATCH] arm/Makefile: Fix systemtap
+
+Currently systemtap fails to operate correctly on armv7 systems such as 
beaglebone and
+soon, qemuarm.
+
+
+root@qemuarm:/usr/src/kernel# env -uARCH -uKBUILD_EXTMOD -uCROSS_COMPILE 
-uKBUILD_IMAGE -uKCONFIG_CONFIG -uINSTALL_PATH -uLD_LIBRARY_PATH 
PATH=/usr/bin:/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin 
make -C /lib/modules/4.19.19-yocto-standard/build M=/tmp/staptcNU6M modules 
CONFIG_DEBUG_INFO= CONFIG_STACK_VALIDATION= ARCH=arm stap_4321_src.i 
--no-print-directory -j2 V=1
+test -e include/generated/autoconf.h -a -e include/config/auto.conf || (   
\
+echo >&2;  \
+echo >&2 "  ERROR: Kernel configuration is invalid.";  \
+echo >&2 " include/generated/autoconf.h or include/config/auto.conf are 
missing.";\
+echo >&2 " Run 'make oldconfig && make prepare' on kernel src to fix 
it."; \
+echo >&2 ; \
+/bin/false)
+mkdir -p /tmp/staptcNU6M/.tmp_versions ; rm -f /tmp/staptcNU6M/.tmp_versions/*
+make -f ./scripts/Makefile.build obj=/tmp/staptcNU6M
+(cat /dev/null;   echo kernel//tmp/staptcNU6M/stap_4321.ko;) > 
/tmp/staptcNU6M/modules.order
+  gcc -Wp,-MD,/tmp/staptcNU6M/.stap_4321_src.o.d  -nostdinc -isystem 
/usr/lib/gcc/arm-poky-linux-gnueabi/8.3.0/include -I./arch/arm/include 
-I./arch/arm/include/generated  -I./include -I./arch/arm/include/uapi 
-I./arch/arm/include/generated/uapi -I./include/uapi -I./include/generated/uapi 
-include ./include/linux/kconfig.h -include ./include/linux/compiler_types.h 
-D__KERNEL__ -mlittle-endian -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs 
-fno-strict-aliasing -fno-common -fshort-wchar 
-Werror-implicit-function-declaration -Wno-format-security -std=gnu89 -fno-PIE 
-DCC_HAVE_ASM_GOTO -fno-dwarf2-cfi-asm -fno-omit-frame-pointer -mapcs 
-mno-sched-prolog -fno-ipa-sra -mabi=aapcs-linux -mfpu=vfp -funwind-tables 
-marm -Wa,-mno-warn-deprecated -D__LINUX_ARM_ARCH__=7 -march=armv5t 
-Wa,-march=armv7-a -msoft-float -Uarm -fno-delete-null-pointer-checks 
-Wno-frame-address -Wno-format-truncation -Wno-format-overflow 
-Wno-int-in-bool-context -Os -Wno-maybe-uninitialized --param=allow-s

t

ore-data-races=0 -Wframe-larger-than=1024 -fstack-protector-strong -Wno-unused-but-set-variable 
-Wno-unused-const-variable -fno-omit-frame-pointer -fno-optimize-sibling-calls -fno-var-tracking-assignments 
-pg -Wdeclaration-after-statement -Wno-pointer-sign -Wno-stringop-truncation -fno-strict-overflow 
-fno-merge-all-constants -fmerge-constants -fno-stack-check -fconserve-stack -Werror=implicit-int 
-Werror=strict-prototypes -Werror=date-time -Werror=incompatible-pointer-types -Werror=designated-init 
-fmacro-prefix-map=./= -Wno-packed-not-aligned -Iinclude2/asm/mach-default 
-I/lib/modules/4.19.19-yocto-standard/build -include /tmp/staptcNU6M/stapconf_4321.h -D 
"STP_NO_VELREL_CHECK" -freorder-blocks -fasynchronous-unwind-tables

Re: [OE-core] [PATCH] sysklogd: add alternatives for klogd and syslogd

2018-10-29 Thread Victor Kamensky via Openembedded-core

Hi Mark,

On Mon, 29 Oct 2018, Mark Hatle wrote:

On 10/26/18 2:55 AM, Victor Kamensky wrote:

On Fri, 26 Oct 2018, Markus Lehtonen wrote:

'why would you want to have multiple, alternative
syslog daemons on the system? Wouldn't a better
fix be to move the syslogd and klogd symlinks to the
busybox-syslog package? It doesn't seem to make much
sense to have a syslogd binary on the system without
an init script(?)

The original problem really was related to managing
init scripts with alternatives (and I think that
problem still persists, and, it shouldn't be done).
So, using alternatives for the binaries wouldn't
cause any problems. The question is just why to
do this, instead of "fixing" the (binary) package
content so that existing rconflicts would handle it.

Thank you, Markus. Please see ChenQi reply on the
thread. I has already been fixed by Richard in the
way you suggested.

My problem was because similar fix was not present
in meta-selinux busybox.bbappend ... meta-selinux practically
has a copy of alternative handling for busybox
because of SELinux labeling requirements and it was
negating Richard's change.

As a maintainer for meta-selinux, if meta-selinux is broken.. it's
meta-selinux's fault.. NOT oe-core.
oe-core must work for itself first.

Fix OE-core properly and the other layers will follow.

Please see

http://lists.openembedded.org/pipermail/openembedded-core/2018-October/157078.html

oe-core is fine: ef11c54ba9. In order to follow
meta-selinux needs something like this to avoid
'update-alternatives: Error:' mentioned on the thead:

From dd75b2ca77b3bfcb14030c353e6b2bfc7df8dfec Mon Sep 17 00:00:00 2001

From: Victor Kamensky 
Date: Mon, 29 Oct 2018 11:16:09 -0700
Subject: [PATCH] busybox: Put klogd/syslogd alternative links in syslog
 package

Port "ef11c54ba9 busybox: Put klogd/syslogd alternative links in
syslog package" from oe-core to meta-selinux copy of
update-alternative handling in busybox.bbappend

Signed-off-by: Victor Kamensky 
---
 recipes-core/busybox/busybox_selinux.inc | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/recipes-core/busybox/busybox_selinux.inc 
b/recipes-core/busybox/busybox_selinux.inc
index df7c117..b8cfcd7 100644
--- a/recipes-core/busybox/busybox_selinux.inc
+++ b/recipes-core/busybox/busybox_selinux.inc
@@ -37,7 +37,11 @@ python create_sh_wrapper_reset_alternative_vars () {
 # Match coreutils
 if alt_name == '[':
 alt_name = 'lbracket'
-d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
+if alt_name == 'klogd' or alt_name == 'syslogd':
+d.appendVar('ALTERNATIVE_%s-syslog' % (pn), ' ' + alt_name)
+else:
+d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
+
 d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
 if os.path.exists(alt_wppath_dest):
 d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
--
2.14.4

I don't know yet what mailing list I should use for meta-selinux. As
time permits I'll try to figure out and post above patch there, if
it is still needed.

Thanks,
Victor

--Mark

So it is sorted out now.

Thanks,
Victor

Cheers,
 Markus

On 26/10/2018, 7.55, "Victor Kamensky"  wrote:

   Otherwise when used in presense of busybox that provides
   its own version of klogd and syslogd, image packaging
   complains that klogd exists and it is not syymbolic link.
   Failure happens only if image packaging script install
   sysklogd package first followed by installtion of busybox
   package. If during packaging reverse installtion order
   happens, busybox first followed by sysklogd, packaging
   succeed.

   Note this fix along with recently committed
   55ba9dc1f8 sysklogd: Re-enable alternatives for syslogd.8 man page
   effectively reverts this commit
   988aad01b2 sysklogd: don't use update-alternatives

   Signed-off-by: Victor Kamensky 
   ---
   Hi Guys,

   Here is more details. Example of failure that I observe:

   update-alternatives: Error: not linking 
/home/wd8/oe/20181021/build/tmp-glibc/work/intel_corei7_64-oe-linux/kdevel-console-devel-image/1.0-r0/rootfs/sbin/klogd
 to /usr/lib/busybox/sbin/klogd since 
/home/wd8/oe/20181021/build/tmp-glibc/work/intel_corei7_64-oe-linux/kdevel-console-devel-image/1.0-r0/rootfs/sbin/klogd
 exists and is not a link

   Also 988aad01b2 says:

  > Using update-alternatives for managing init scripts has proved to be
  > problematic. And, sysklogd rconflicts with other syslog daemons so there
  > is no point in using update-alternatives from this perspective, either.

   I am not sure why "managing init scripts has proved to be problematic" and
   syslogd and klogd are not really init script per se, aren't they? Also
   klogd and syslogd actually come from busybox, not busybox-syslog as listed
   in sysklogd RCONFLICTS. Maybe it what has changed since 988aad01b2.
   busybox-syslog now contains only init script

[OE-core] [PATCH] meson: map powerpc64 TARGET_ARCH to ppc64 for the cross file

2018-10-29 Thread Victor Kamensky via Openembedded-core

Meson uses 'ppc64' for 64 bit powerpc. Issue came up while
building systemd for MACHINE that uses ppc64e5500 tune.

Signed-off-by: Victor Kamensky 
---
BTW very nice diagnostic message through
https://wiki.yoctoproject.org/wiki/Meson/UnknownCPU, that led directly 
to the fix

 meta/classes/meson.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/classes/meson.bbclass b/meta/classes/meson.bbclass
index 7e63e12588..3cbdcf18c2 100644
--- a/meta/classes/meson.bbclass
+++ b/meta/classes/meson.bbclass
@@ -52,6 +52,8 @@ def meson_cpu_family(var, d):
 arch = d.getVar(var)
 if arch == 'powerpc':
 return 'ppc'
+elif arch == 'powerpc64':
+return 'ppc64'
 elif arch == 'mipsel':
 return 'mips'
 elif re.match(r"i[3-6]86", arch):
-- 
2.14.4

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [PATCH] sysklogd: add alternatives for klogd and syslogd

2018-10-26 Thread Victor Kamensky via Openembedded-core

On Fri, 26 Oct 2018, Markus Lehtonen wrote:

'why would you want to have multiple, alternative
syslog daemons on the system? Wouldn't a better
fix be to move the syslogd and klogd symlinks to the
busybox-syslog package? It doesn't seem to make much
sense to have a syslogd binary on the system without
an init script(?)

The original problem really was related to managing
init scripts with alternatives (and I think that
problem still persists, and, it shouldn't be done).
So, using alternatives for the binaries wouldn't
cause any problems. The question is just why to
do this, instead of "fixing" the (binary) package
content so that existing rconflicts would handle it.

Thank you, Markus. Please see ChenQi reply on the
thread. I has already been fixed by Richard in the
way you suggested.

My problem was because similar fix was not present
in meta-selinux busybox.bbappend ... meta-selinux practically
has a copy of alternative handling for busybox
because of SELinux labeling requirements and it was
negating Richard's change.

So it is sorted out now.

Thanks,
Victor

Cheers,
Markus

On 26/10/2018, 7.55, "Victor Kamensky" wrote:

Otherwise when used in presense of busybox that provides
its own version of klogd and syslogd, image packaging
complains that klogd exists and it is not syymbolic link.
Failure happens only if image packaging script install
sysklogd package first followed by installtion of busybox
package. If during packaging reverse installtion order
happens, busybox first followed by sysklogd, packaging
succeed.

Note this fix along with recently committed
55ba9dc1f8 sysklogd: Re-enable alternatives for syslogd.8 man page
effectively reverts this commit
988aad01b2 sysklogd: don't use update-alternatives

Signed-off-by: Victor Kamensky
---
Hi Guys,

Here is more details. Example of failure that I observe:

update-alternatives: Error: not linking
/home/wd8/oe/20181021/build/tmp-glibc/work/intel_corei7_64-oe-linux/kdevel-console-devel-image/1.0-r0/rootfs/sbin/klogd
to /usr/lib/busybox/sbin/klogd since
/home/wd8/oe/20181021/build/tmp-glibc/work/intel_corei7_64-oe-linux/kdevel-console-devel-image/1.0-r0/rootfs/sbin/klogd
exists and is not a link

Also 988aad01b2 says:

> Using update-alternatives for managing init scripts has proved to be
> problematic. And, sysklogd rconflicts with other syslog daemons so there
> is no point in using update-alternatives from this perspective, either.

I am not sure why "managing init scripts has proved to be problematic" and
syslogd and klogd are not really init script per se, aren't they? Also
klogd and syslogd actually come from busybox, not busybox-syslog as listed
in sysklogd RCONFLICTS. Maybe it what has changed since 988aad01b2.
busybox-syslog now contains only init script for syslog and its
configuration.

Adding Markus for further comments.

meta/recipes-extended/sysklogd/sysklogd.inc | 5 +
1 file changed, 5 insertions(+)

diff --git a/meta/recipes-extended/sysklogd/sysklogd.inc
b/meta/recipes-extended/sysklogd/sysklogd.inc
index f151dd87f7..4393a39180 100644
--- a/meta/recipes-extended/sysklogd/sysklogd.inc
+++ b/meta/recipes-extended/sysklogd/sysklogd.inc
@@ -60,9 +60,14 @@ FILES_${PN} +=
"${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}

ALTERNATIVE_PRIORITY = "100"

+ALTERNATIVE_${PN} = "syslogd klogd"
+
ALTERNATIVE_${PN}-doc = "syslogd.8"
ALTERNATIVE_LINK_NAME[syslogd.8] = "${mandir}/man8/syslogd.8"

+ALTERNATIVE_LINK_NAME[syslogd] = "${base_sbindir}/syslogd"
+ALTERNATIVE_LINK_NAME[klogd] = "${base_sbindir}/klogd"
+
pkg_prerm_${PN} () {
if test "x$D" = "x"; then
if test "$1" = "upgrade" -o "$1" = "remove"; then
--
2.17.2

--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [PATCH] sysklogd: add alternatives for klogd and syslogd

2018-10-26 Thread Victor Kamensky via Openembedded-core


Hi Chen,

On Fri, 26 Oct 2018, ChenQi wrote:


On 10/26/2018 12:53 PM, Victor Kamensky via Openembedded-core wrote:

Otherwise when used in presense of busybox that provides
its own version of klogd and syslogd, image packaging
complains that klogd exists and it is not syymbolic link.
Failure happens only if image packaging script install
sysklogd package first followed by installtion of busybox
package.


Hi Victor,

I think this problem has been fixed by the following commit.

"""
commit ef11c54ba99af261a70ec31091216cdd1556da24
Author: Richard Purdie 
Date:   Wed Sep 5 17:39:31 2018 +0100

   busybox: Put klogd/syslogd alternative links in syslog package

   Currently these are in ${PN} and ${PN}-syslog may get replaced by
   other packages but update-alternatives would error in the postinst
   if other files were installed first. Avoid the problems by putting
   the links in the correct package.

   Signed-off-by: Richard Purdie 
"""

For the current status, the update-alternatives operations for syslogd and 
klogd should be in the busybox-syslog package, which conflicts with sysklogd 
package.


Could you please help check this?


Thank you! That helps. I see it now. Apprently busybox.bbappend
from meta-selinux layer:

http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-core/busybox/busybox_selinux.inc

is effectively undoing effect of above commit in my workspace.

meta-selinux is doing it because of

http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?id=521ca9c9cf370840e9f8c808a7955aa5da7c356e

It seems changes similar to above Richard's commit needed to
be applied there as well. After applying that to busybox_selinux.inc
in meta-selinux my problem goes away.

No need for proposed below patch.

Thanks,
Victor


Best Regards,
Chen Qi


  If during packaging reverse installtion order
happens, busybox first followed by sysklogd, packaging
succeed.

Note this fix along with recently committed
55ba9dc1f8 sysklogd: Re-enable alternatives for syslogd.8 man page
effectively reverts this commit
988aad01b2 sysklogd: don't use update-alternatives

Signed-off-by: Victor Kamensky 
---
Hi Guys,

Here is more details. Example of failure that I observe:

update-alternatives: Error: not linking 
/home/wd8/oe/20181021/build/tmp-glibc/work/intel_corei7_64-oe-linux/kdevel-console-devel-image/1.0-r0/rootfs/sbin/klogd 
to /usr/lib/busybox/sbin/klogd since 
/home/wd8/oe/20181021/build/tmp-glibc/work/intel_corei7_64-oe-linux/kdevel-console-devel-image/1.0-r0/rootfs/sbin/klogd 
exists and is not a link


Also 988aad01b2 says:


Using update-alternatives for managing init scripts has proved to be
problematic. And, sysklogd rconflicts with other syslog daemons so there
is no point in using update-alternatives from this perspective, either.

I am not sure why "managing init scripts has proved to be problematic" and
syslogd and klogd are not really init script per se, aren't they? Also
klogd and syslogd actually come from busybox, not busybox-syslog as listed
in sysklogd RCONFLICTS. Maybe it what has changed since 988aad01b2.
busybox-syslog now contains only init script for syslog and its
configuration.

Adding Markus for further comments.

  meta/recipes-extended/sysklogd/sysklogd.inc | 5 +
  1 file changed, 5 insertions(+)

diff --git a/meta/recipes-extended/sysklogd/sysklogd.inc 
b/meta/recipes-extended/sysklogd/sysklogd.inc

index f151dd87f7..4393a39180 100644
--- a/meta/recipes-extended/sysklogd/sysklogd.inc
+++ b/meta/recipes-extended/sysklogd/sysklogd.inc
@@ -60,9 +60,14 @@ FILES_${PN} += 
"${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}

ALTERNATIVE_PRIORITY = "100"
  +ALTERNATIVE_${PN} = "syslogd klogd"
+
  ALTERNATIVE_${PN}-doc = "syslogd.8"
  ALTERNATIVE_LINK_NAME[syslogd.8] = "${mandir}/man8/syslogd.8"
  +ALTERNATIVE_LINK_NAME[syslogd] = "${base_sbindir}/syslogd"
+ALTERNATIVE_LINK_NAME[klogd] = "${base_sbindir}/klogd"
+
  pkg_prerm_${PN} () {
if test "x$D" = "x"; then
if test "$1" = "upgrade" -o "$1" = "remove"; then





--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] [PATCH] sysklogd: add alternatives for klogd and syslogd

2018-10-25 Thread Victor Kamensky via Openembedded-core

Otherwise when used in presense of busybox that provides
its own version of klogd and syslogd, image packaging
complains that klogd exists and it is not syymbolic link.
Failure happens only if image packaging script install
sysklogd package first followed by installtion of busybox
package. If during packaging reverse installtion order
happens, busybox first followed by sysklogd, packaging
succeed.

Note this fix along with recently committed
55ba9dc1f8 sysklogd: Re-enable alternatives for syslogd.8 man page
effectively reverts this commit
988aad01b2 sysklogd: don't use update-alternatives

Signed-off-by: Victor Kamensky 
---
Hi Guys,

Here is more details. Example of failure that I observe:

update-alternatives: Error: not linking 
/home/wd8/oe/20181021/build/tmp-glibc/work/intel_corei7_64-oe-linux/kdevel-console-devel-image/1.0-r0/rootfs/sbin/klogd
 to /usr/lib/busybox/sbin/klogd since 
/home/wd8/oe/20181021/build/tmp-glibc/work/intel_corei7_64-oe-linux/kdevel-console-devel-image/1.0-r0/rootfs/sbin/klogd
 exists and is not a link

Also 988aad01b2 says:

> Using update-alternatives for managing init scripts has proved to be
> problematic. And, sysklogd rconflicts with other syslog daemons so there
> is no point in using update-alternatives from this perspective, either.

I am not sure why "managing init scripts has proved to be problematic" and
syslogd and klogd are not really init script per se, aren't they? Also
klogd and syslogd actually come from busybox, not busybox-syslog as listed
in sysklogd RCONFLICTS. Maybe it what has changed since 988aad01b2.
busybox-syslog now contains only init script for syslog and its
configuration.

Adding Markus for further comments.

 meta/recipes-extended/sysklogd/sysklogd.inc | 5 +
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-extended/sysklogd/sysklogd.inc 
b/meta/recipes-extended/sysklogd/sysklogd.inc
index f151dd87f7..4393a39180 100644
--- a/meta/recipes-extended/sysklogd/sysklogd.inc
+++ b/meta/recipes-extended/sysklogd/sysklogd.inc
@@ -60,9 +60,14 @@ FILES_${PN} += 
"${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}
 
 ALTERNATIVE_PRIORITY = "100"
 
+ALTERNATIVE_${PN} = "syslogd klogd"
+
 ALTERNATIVE_${PN}-doc = "syslogd.8"
 ALTERNATIVE_LINK_NAME[syslogd.8] = "${mandir}/man8/syslogd.8"
 
+ALTERNATIVE_LINK_NAME[syslogd] = "${base_sbindir}/syslogd"
+ALTERNATIVE_LINK_NAME[klogd] = "${base_sbindir}/klogd"
+
 pkg_prerm_${PN} () {
if test "x$D" = "x"; then
if test "$1" = "upgrade" -o "$1" = "remove"; then
-- 
2.17.2

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [PATCH] systemtap: 3.3 -> 4.0

2018-10-25 Thread Victor Kamensky via Openembedded-core


Hi Guys,

On Wed, 17 Oct 2018, Victor Kamensky wrote:


stap-exporter service is a new feature in SystemTap 4.0, I've never used
it before. I'll dig in and will try to make sure that it is functional
in resulting OE image.


I've had a chance to look at stap-exporter and its service more closely.

It looks like it is simple HTTP server that allows to run stap scripts
on target and relay its information to Prometheus monitoring system.
Please check.

https://www.mankier.com/8/stap-exporter

https://prometheus.io

Since it is HTTP server, and its man page says that it is not supposed
to run in untrusted environment I am quite hesitant to have it enabled
by default. Moreover, it comes with some default example scripts that
actually fail to compile in OE core-image-lsb-sdk because it does not
include kernel-vmlinux package by default. stap-exporter is not
prepared to handle script compilation failure and tries to compile it
in the loop, so in core-image-lsb-sdk systemd image where 
stap-exporter.service would be enabled by default it would trash the

system.

Considering all that I suggest stap-exporter to be moved in separate
systemtap-exporter package, so it can be installed explcitely. I
posted patch for it at

http://lists.openembedded.org/pipermail/openembedded-core/2018-October/157073.html

BTW in FC it is separate systemtap-exporter package.

I've tested systemtap-exporter and stap-exporter, if installed
along with proper prerequisites (kernel-vmlinux) is functioning
OK with given default example as far as my manual http testing
with curl shows. I did not test it with prometheus.

Thanks,
Victor
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] [PATCH] systemtap: move systemtap-exporter into separate package

2018-10-25 Thread Victor Kamensky via Openembedded-core

stap-exporter runs a set of systemtap scripts and relays
their procfs outputs to remote HTTP clients on demand.

systemtap-exporter is not supposed to run in untrusted
environment. It starts HTTP server on some port. It does
not look safe enough to be included by default along with
the rest of systemtap.

Move systemtap-exporter, its systemd unit, configuration
files and examples scripts into separate package. So if one
needs it and understand its implication, he/she can include
it explicitely.

Signed-off-by: Victor Kamensky 
---
 meta/recipes-kernel/systemtap/systemtap_git.bb | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb 
b/meta/recipes-kernel/systemtap/systemtap_git.bb
index 904ecdd106..6ee3e1c0f7 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.bb
+++ b/meta/recipes-kernel/systemtap/systemtap_git.bb
@@ -27,7 +27,16 @@ PACKAGECONFIG[python3-probes] = 
"--with-python3-probes,--without-python3-probes,
 
 inherit autotools gettext pkgconfig distutils3-base systemd
 
-SYSTEMD_SERVICE_${PN} = "stap-exporter.service"
+PACKAGES =+ "${PN}-exporter"
+
+FILES_${PN}-exporter = "${sysconfdir}/stap-exporter/* \
+${sysconfdir}/sysconfig/stap-exporter \
+${systemd_unitdir}/system/stap-exporter.service \
+${sbindir}/stap-exporter"
+
+RDEPENDS_${PN}-exporter = "${PN} python3-core python3-netclient"
+
+SYSTEMD_SERVICE_${PN}-exporter = "stap-exporter.service"
 
 do_configure_prepend () {
 # Improve reproducibility for c++ object files
-- 
2.17.2

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] [PATCH] kernel-devsrc: add selinux include files needed by scripts/selinux build

2018-10-23 Thread Victor Kamensky via Openembedded-core

If CONFIG_SECURITY_SELINUX=y is enabled in kernel configuration, then
'make scripts' command in /usr/src/kernel fails to build
utilities under scripts/selinux that would be pulled in by this config:

  HOSTCC  scripts/selinux/genheaders/genheaders
scripts/selinux/genheaders/genheaders.c:19:10: fatal error: classmap.h: No such 
file or directory
 #include "classmap.h"

To address this issue add security/selinux/include files into
kernel-devsrc.

Signed-off-by: Victor Kamensky 
---
To reproduce this issue add to conf/local.conf selinux fragment:
KERNEL_EXTRA_FEATURES_append = " cgl/features/selinux/selinux.scc"
build core-image-lsb-sdk and run 'cd /usr/src/kernel; make scripts'

 meta/recipes-kernel/linux/kernel-devsrc.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/kernel-devsrc.bb 
b/meta/recipes-kernel/linux/kernel-devsrc.bb
index 5758572221..361ad21e1f 100644
--- a/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -210,6 +210,9 @@ do_install() {
cp -a --parents kernel/bounds.c $kerneldir/build
cp -a --parents Kbuild $kerneldir/build
fi
+
+# required to build scripts/selinux/genheaders/genheaders
+cp -a --parents security/selinux/include/* $kerneldir/build/
 )
 
 # Make sure the Makefile and version.h have a matching timestamp so that
-- 
2.17.2

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [PATCH] systemtap: 3.3 -> 4.0

2018-10-17 Thread Victor Kamensky via Openembedded-core

On Wed, 17 Oct 2018, Martin Jansa wrote:

systemd.bbclass won't include that .service file in FILES_ without setting 
SYSTEMD_SERVICE_.
I'll send fix for that in few minutes.

Martin, Richard, thank you for the help. I've reproduced
the issue reported by Martin in systemd enabled image, and
verified that his fix solves the issue.

The lesson I learnt:

o Look for WARNINGs

o Test systemd enabled image, along with default sysvinit

stap-exporter service is a new feature in SystemTap 4.0, I've never used
it before. I'll dig in and will try to make sure that it is functional
in resulting OE image.

Thanks,
Victor

On Wed, Oct 17, 2018 at 5:07 PM  wrote:
  On Wed, 2018-10-17 at 16:50 +0200, Martin Jansa wrote:
  > There seems to be one more issue in current master (for which I
  > haven't seen a fix in master-next or ML):
  >
  > ERROR: systemtap-4.0-r0 do_package: QA Issue: systemtap:
  > Files/directories were installed but not shipped in any package:
  >   /lib
  >   /lib/systemd
  >   /lib/systemd/system
  >   /lib/systemd/system/stap-exporter.service
  > Please set FILES such that these items are packaged. Alternatively if
  > they are unneeded, avoid installing them or delete them within
  > do_install.
  > systemtap: 4 installed and not shipped files. [installed-vs-shipped]

http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=3b77e7b7852549dcfbc426d4ce258e6e857c0acd
  was supposed to fix that :(

  Cheers,

  Richard

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [PATCH] systemtap: 3.3 -> 4.0

2018-10-16 Thread Victor Kamensky via Openembedded-core





On Tue, 16 Oct 2018, Richard Purdie wrote:


On Tue, 2018-10-16 at 10:27 +0100, Burton, Ross wrote:

On Mon, 15 Oct 2018 at 19:22, Victor Kamensky 
wrote:

Upgrade systemtap from 3.3 to 4.0: Removed backported patch.


WARNING: systemtap-4.0-r0 do_package_qa: QA Issue: systemtap:
/systemtap/etc/stap-exporter/EXAMPLE is owned by uid 1000, which is
the same as the user running bitbake. This may be due to host
contamination
systemtap: /systemtap/etc/stap-exporter/EXAMPLE_NOERROR is owned by
uid 1000, which is the same as the user running bitbake. This may be
due to host contamination
systemtap: /systemtap/etc/stap-exporter/errno.stp is owned by uid
1000, which is the same as the user running bitbake. This may be due
to host contamination
systemtap: /systemtap/etc/stap-exporter/syscalllatency.stp is owned
by
uid 1000, which is the same as the user running bitbake. This may be
due to host contamination
systemtap: /systemtap/etc/stap-exporter/timeout.stp is owned by uid
1000, which is the same as the user running bitbake. This may be due
to host contamination
systemtap: /systemtap/etc/stap-exporter/topsys.stp is owned by uid
1000, which is the same as the user running bitbake. This may be due
to host contamination [host-user-contaminated]


There are also other issues from the addition of systemd unit files in
4.0. I've a patch in -next which tweaks both issues which I'll put in
for testing.


Richard, thank you very prompt help.

In the long term it would be beneficial that those issues be
fixed in SystemTap itself, correct? If so, I can look at creating
proper patches and pushing them into SystemTap.

Also on my todo list is to attempt to push few existing
OE systemtap patches into SystemTap upstream source. I believe
they look like quite legit issues and I hope they could be
upstreamed.

Thanks,
Victor


Cheers,

Richard



--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [PATCH] systemtap: 3.3 -> 4.0

2018-10-15 Thread Victor Kamensky via Openembedded-core


Hi Randy,

On Mon, 15 Oct 2018, Randy MacLeod wrote:


On 10/15/2018 02:21 PM, Victor Kamensky wrote:

Upgrade systemtap from 3.3 to 4.0: Removed backported patch.

Very short summary of major changes from SystemTap 4.0
announcement by Frank Ch. Eigler :


prometheus exporter network service; ebpf support extensions including
strings and implementation of traditional log(), sprintf() functions;
rebuilt rich tapset coverage for 4.17+ syscalls and for
tracepoint-based syscalls; script language tweaks for supporting
machine-generated scripts


Fixes [YOCTO #12950]

Signed-off-by: Victor Kamensky 
---
Hi Guys,

I'll let you to decide whether you want to accept
it for 2.6 at this point or push it for the next release.
On one hand after move to 4.18 kernel SystemTap 3.3
fails to trace any system call on x86_64 - it is major
functionality breakage. Look at:

https://bugzilla.redhat.com/show_bug.cgi?id=1596456


Ouch!



On other hand it is quite late to do major version
updates.


It is but nothing depends on systemtap so I think we
don't have much choice and we should do it unless there
are autobuilder tests that regress.


Personally, I agree. I had similar thoughts, since it
is leaf project risk is quite contained.



A quick read through the YP mega-manual suggests that
we don't have to change any of the text.
Victor,
Could you take a look and confirm that please?

I noticed that the link in section:
  20.3.3. Documentation
for:
  http://sourceware.org/systemtap/langref/
is dead. There is a pdf:
  http://sourceware.org/systemtap/langref.pdf
Perhaps this is temporary due to the recent release.


Yes, I agree. It is better to change link to langref.pdf
as you suggested. But I don't know how to do that. Is there
somewhere git that holds YP mega-manual sources?



I did go through limited set of tests on all
supported QEMU targets. As far as these tests
concerned proposed 4.0 matches 3.3 results.

Thanks,
Victor


Thanks Victor.

Talk about hot off the presses, 4.0 was released at:
  13-Oct-2018 18:54


Yes :), I was looking how to fix [YOCTO #12950] and was
about to write email to SystemTap guys asking when the
next release is planned and got email from Frank on
SystemTap mailing list announcing 4.0 release. It was
very good timing.

My understanding is that FC28 and FC27 will get SystemTap
4.0 very soon since they moved to 4.18 kernel too.

Thanks,
Victor


$ git log --oneline release-3.3..release-4.0 | wc -l
252

$ git diff release-3.3..release-4.0 | diffstat | tail -1
1574 files changed, 50756 insertions(+), 23604 deletions(-)

Lots of changes to docs, testsuite but also quite a bit to core code
and tapsets:

$ git diff release-3.3..release-4.0 | diffstat  | cut -d"/" -f-2 | uniq -c 
|grep -v "   [1-5] "

   770  b/doc
16  b/httpd
 8  b/man
 9  b/po
18  b/runtime
15  b/stap-exporter
 6  b/staprun
   440  b/tapset
   223  b/testsuite


../Randy



  ...entrypc-avoid-usage-of-uninitialized.patch | 46 ---
  .../systemtap/systemtap_git.inc   |  5 +-
  2 files changed, 2 insertions(+), 49 deletions(-)
  delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch


diff --git 
a/meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch 
b/meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch

deleted file mode 100644
index d0082a1094..00
--- 
a/meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch

+++ /dev/null
@@ -1,46 +0,0 @@
-From 8466fca2a074323a235ef38d425f994a2ff7e64f Mon Sep 17 00:00:00 2001
-From: Victor Kamensky 
-Date: Mon, 9 Jul 2018 09:31:19 -0700
-Subject: [PATCH] dwflpp::function_entrypc avoid usage of uninitialized 
memory

-
-Failure on 3.3 release was observed. Failure was elusive and
-disappeared after seemingly random configure option change, or when
-code was compiled with -O1 or -O0 (vs default -O2). Running failing
-test case under valgrind memcheck pointed to couple places where
-'Conditional jump or move depends on uninitialised value(s)' occured.
-
-After addressing these in two places in dwflpp::function_entrypc,
-valgrind memcheck run is clean and original issue got fixed.
-
-Upstream-Status: Backport
-Signed-off-by: Victor Kamensky 

- dwflpp.cxx | 6 +-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/dwflpp.cxx b/dwflpp.cxx
-index bfbb6b096..2172e705a 100644
 a/dwflpp.cxx
-+++ b/dwflpp.cxx
-@@ -2465,13 +2465,17 @@ bool
- dwflpp::function_entrypc (Dwarf_Addr * addr)
- {
-   assert (function);
-+
-+  // assign default value
-+  *addr = 0;
-+
-   // PR10574: reject 0, which tends to be eliminated COMDAT
-   if (dwarf_entrypc (function, addr) == 0 && *addr != 0)
- return true;
-
-   /* Assume the entry pc is the base address, or (if zero)
-  the first address of the ranges covering this

[OE-core] [PATCH] systemtap: 3.3 -> 4.0

2018-10-15 Thread Victor Kamensky via Openembedded-core

Upgrade systemtap from 3.3 to 4.0: Removed backported patch.

Very short summary of major changes from SystemTap 4.0
announcement by Frank Ch. Eigler :

> prometheus exporter network service; ebpf support extensions including
> strings and implementation of traditional log(), sprintf() functions;
> rebuilt rich tapset coverage for 4.17+ syscalls and for
> tracepoint-based syscalls; script language tweaks for supporting
> machine-generated scripts

Fixes [YOCTO #12950]

Signed-off-by: Victor Kamensky 
---
Hi Guys,

I'll let you to decide whether you want to accept
it for 2.6 at this point or push it for the next release.
On one hand after move to 4.18 kernel SystemTap 3.3
fails to trace any system call on x86_64 - it is major
functionality breakage. Look at:

https://bugzilla.redhat.com/show_bug.cgi?id=1596456

On other hand it is quite late to do major version
updates.

I did go through limitted set of tests on all
supported QEMU targets. As far as these tests
concerned proposed 4.0 matches 3.3 results.

Thanks,
Victor

 ...entrypc-avoid-usage-of-uninitialized.patch | 46 ---
 .../systemtap/systemtap_git.inc   |  5 +-
 2 files changed, 2 insertions(+), 49 deletions(-)
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch

diff --git 
a/meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch
 
b/meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch
deleted file mode 100644
index d0082a1094..00
--- 
a/meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 8466fca2a074323a235ef38d425f994a2ff7e64f Mon Sep 17 00:00:00 2001
-From: Victor Kamensky 
-Date: Mon, 9 Jul 2018 09:31:19 -0700
-Subject: [PATCH] dwflpp::function_entrypc avoid usage of uninitialized memory
-
-Failure on 3.3 release was observed. Failure was elusive and
-disappeared after seemingly random configure option change, or when
-code was compiled with -O1 or -O0 (vs default -O2). Running failing
-test case under valgrind memcheck pointed to couple places where
-'Conditional jump or move depends on uninitialised value(s)' occured.
-
-After addressing these in two places in dwflpp::function_entrypc,
-valgrind memcheck run is clean and original issue got fixed.
-
-Upstream-Status: Backport
-Signed-off-by: Victor Kamensky 

- dwflpp.cxx | 6 +-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/dwflpp.cxx b/dwflpp.cxx
-index bfbb6b096..2172e705a 100644
 a/dwflpp.cxx
-+++ b/dwflpp.cxx
-@@ -2465,13 +2465,17 @@ bool
- dwflpp::function_entrypc (Dwarf_Addr * addr)
- {
-   assert (function);
-+
-+  // assign default value
-+  *addr = 0;
-+
-   // PR10574: reject 0, which tends to be eliminated COMDAT
-   if (dwarf_entrypc (function, addr) == 0 && *addr != 0)
- return true;
- 
-   /* Assume the entry pc is the base address, or (if zero)
-  the first address of the ranges covering this DIE.  */
--  Dwarf_Addr start, end;
-+  Dwarf_Addr start = 0, end;
-   if (dwarf_ranges (function, 0, addr, , ) >= 0)
- {
-   if (*addr == 0)
--- 
-2.17.1
-
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.inc 
b/meta/recipes-kernel/systemtap/systemtap_git.inc
index 06924fc240..274fcde5c1 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.inc
+++ b/meta/recipes-kernel/systemtap/systemtap_git.inc
@@ -1,7 +1,7 @@
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRCREV = "48867d1cface9445d58e3c6e14497770b7eb77e1"
-PV = "3.3"
+SRCREV = "428f84e9e656bce71018e8902e4edb8aacafcc0e"
+PV = "4.0"
 
 SRC_URI = "git://sourceware.org/git/systemtap.git \
file://configure-allow-to-disable-libvirt.patch \
@@ -11,7 +11,6 @@ SRC_URI = "git://sourceware.org/git/systemtap.git \

file://0001-Do-not-let-configure-write-a-python-location-into-th.patch \
file://0001-Install-python-modules-to-correct-library-dir.patch \

file://0001-staprun-stapbpf-don-t-support-installing-a-non-root.patch \
-   
file://0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch \
"
 
 COMPATIBLE_HOST = '(x86_64|i.86|powerpc|arm|aarch64|microblazeel|mips).*-linux'
-- 
2.17.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

2018-08-04 Thread Victor Kamensky via Openembedded-core





On Sat, 4 Aug 2018, Alexander Kanavin wrote:


How reliable is NVD database for such automated scans? Previously, we
have repeatedly concluded that it should not be trusted, and proper
patching of vulnerabilities must involve humans looking at
vulnerability reports and making appropriate decisions - same as
Debian is doing for example.


I don't think scanning NVD database and generating proper
reports and having people looking at vulnerability reports are
mutually exclusive. I think rather both should be done.

The patches and tools we are proposing do scanning and
reporting, while looking at versions, pattches applied, for
a given image. Correctly analazying CVEs and applying right
patches is a separate thing.

Just an example please find below reports generated for sumo
that I pulled today, core-image-lsb image qemux86-64 MACHINE.

As one may see in below report it is not perfect. There are
clearly false positives, misplaced entries based on, as you
mentioned on not fully reliable NVD data. I.e CVE-2013-4598
reported against gcc the one I could spot - it is wrong. But it
does not negate value of cases where it is reported correctly.
So it boils down to a question whether value of useful signal
against cost of filtering some noise. From our experience using
this tool for a while internally to fix outstanding CVEs for
krogoth branch, the right signal definitely has very good value.

Grygorii, btw I had trouble pulling your patches from email,
it seems that there were posted as Text/HTML (at least it is what
my mailer tells me). Could you please repost them as Text/PLAIN,
i.e using git send-mail

report-foss.txt:

  patched |  5.5 | CVE-2017-15873 | busybox | 1.27.2
  patched |  8.8 | CVE-2017-16544 | busybox | 1.27.2
  patched |  6.5 | CVE-2016-3189  | bzip2 | 1.0.6
  patched |  7.5 | CVE-2017-9814  | cairo | 1.14.12
  patched |  9.8 | CVE-2016-6354  | flex | 2.6.0
  patched |  7.3 | CVE-2015-8560  | foomatic-filters | 4.0.17
  patched |  7.5 | CVE-2015-8327  | foomatic-filters | 4.0.17
  patched |  7.8 | CVE-2017-11714 | ghostscript | 9.21
  patched |  7.8 | CVE-2017-9835  | ghostscript | 9.21
  patched |  8.1 | CVE-2018-11236 | glibc | 2.27
  patched |  6.5 | CVE-2017-14166 | libarchive | 3.3.2
  patched |  7.5 | CVE-2017-14502 | libarchive | 3.3.2
  patched |  5.5 | CVE-2017-8361  | libsndfile | 1.0.28
  patched |  5.5 | CVE-2017-8362  | libsndfile | 1.0.28
  patched |  5.5 | CVE-2017-8363  | libsndfile | 1.0.28
  patched |  5.5 | CVE-2017-8365  | libsndfile | 1.0.28
  patched |  8.8 | CVE-2017-6892  | libsndfile | 1.0.28
  patched |  6.5 | CVE-2017-18013 | libtiff | 4.0.9
  patched |  6.5 | CVE-2018-10963 | libtiff | 4.0.9
  patched |  6.5 | CVE-2018-5784  | libtiff | 4.0.9
  patched |  6.5 | CVE-2018-7456  | libtiff | 4.0.9
  patched |  8.8 | CVE-2018-8905  | libtiff | 4.0.9
  patched |  6.5 | CVE-2017-14633 | libvorbis | 1.3.5
  patched |  9.8 | CVE-2017-14632 | libvorbis | 1.3.5
  patched |  7.5 | CVE-2018-6951  | patch | 2.7.6
  patched |  7.8 | CVE-2018-1000156   | patch | 2.7.6
  patched |  7.5 | CVE-2017-12837 | perl | 5.24.1
  patched |  9.1 | CVE-2017-12883 | perl | 5.24.1
  patched |  7.5 | CVE-2017-8779  | rpcbind | 0.2.4
  patched |  4.0 | CVE-2014-9913  | unzip | 6.0
  patched |  4.0 | CVE-2016-9844  | unzip | 6.0
  patched |  4.3 | CVE-2015-7697  | unzip | 6.0
  patched |  5.0 | CVE-2014-9636  | unzip | 6.0
  patched |  6.8 | CVE-2015-7696  | unzip | 6.0
  patched |  5.3 | CVE-2017-13078 | wpa_supplicant | 2.6
  patched |  5.3 | CVE-2017-13079 | wpa_supplicant | 2.6
  patched |  5.3 | CVE-2017-13080 | wpa_supplicant | 2.6
  patched |  5.3 | CVE-2017-13081 | wpa_supplicant | 2.6
  patched |  5.3 | CVE-2017-13087 | wpa_supplicant | 2.6
  patched |  5.3 | CVE-2017-13088 | wpa_supplicant | 2.6
  patched |  6.8 | CVE-2017-13077 | wpa_supplicant | 2.6
  patched |  6.8 | CVE-2017-13086 | wpa_supplicant | 2.6
  patched |  8.1 | CVE-2017-13082 | wpa_supplicant | 2.6
unpatched |  5.5 | CVE-2018-10372 | binutils | 2.30
unpatched |  5.5 | CVE-2018-10534 | binutils | 2.30
unpatched |  5.5 | CVE-2018-10535 | binutils | 2.30
unpatched |  5.5 | CVE-2018-6759  | binutils | 2.30
unpatched |  5.5 | CVE-2018-6872  | binutils | 2.30
unpatched |  5.5 | CVE-2018-7568  | binutils | 2.30
unpatched |  5.5 | CVE-2018-7569  | binutils | 2.30
unpatched |  5.5 | CVE-2018-7570  | binutils | 2.30
unpatched |  5.5 | CVE-2018-7642  | binutils | 2.30
unpatched |  5.5 | CVE-2018-8945  | binutils | 2.30
unpatched |  5.5 | CVE-2018-9138  | binutils | 2.30
unpatched |  5.5 | CVE-2018-9996  | binutils | 2.30
unpatched |  6.5 | CVE-2018-10373 | binutils | 2.30
unpatched |  7.8 | CVE-2018-6543  | binutils | 2.30
unpatched |  7.8 | CVE-2018-7208  | binutils | 2.30
unpatched |  7.8 | CVE-2018-7643

Re: [OE-core] [PATCH] package: skip strip on signed kernel modules

2018-08-03 Thread Victor Kamensky via Openembedded-core





On Fri, 3 Aug 2018, Ocampo Coronado, Omar wrote:


Yes, we would like to keep the symbols on a signed kernel module.

Andre shared this link:  
https://www.kernel.org/doc/html/v4.17/admin-guide/module-signing.html#signed-modules-and-stripping
 , from conversation topic: Re: [OE-core] Strip kernel modules and signatures


Thank you for the pointer. I did not expect that KLM signing
will be outside of ELF. Too bad that it is so brittle.

Ideally, it would be nice if one could disable KLM signing in
kernel makefile machinery and have mechanism to sign KLMs in OE
itself, just before packaging but after they got stripped.
IMO it would be more practical. I could not imagine if one
would want to ship KLMs with debug symbols inside. But even
if that is implemented, your code would still should stand ok -
if module signed already, it cannot be touched.


-28 are the last 28 bytes of the file. The same amount of bytes are being read 
by dracut to check if a module is signed.
And you are correct Victor, I'm unsure if this would work outside x86 arch.


I've checked that by building mips64 kernel with KLM signing
enabled and I looked at scripts/sign-file.c source, you are
fine: magic_number = "~Module signature appended~\n" will be
always at the end after KLM signing regardless of architecture.

Thanks,
Victor


Two pending fixes:
   1) This patch also needs to fix the mode of the file as the original may not 
be preserved.
   2)  Seems like 'return' is not accepted by oe.utils.multiprocess, still 
getting familiar with OE

-Original Message-
From: Victor Kamensky [mailto:kamen...@cisco.com]
Sent: Friday, August 3, 2018 3:28 PM
To: Ocampo Coronado, Omar 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] package: skip strip on signed kernel modules



On Fri, 3 Aug 2018, omar.ocampo.coron...@intel.com wrote:


From: foocampo 

Executing strip action on kernel modules removes the signature.
Is not possible to strip and keep the signature, therefore avoid strip
signed kernel modules.

Signed-off-by: foocampo 
---
meta/lib/oe/package.py | 10 ++
1 file changed, 10 insertions(+)

diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py index
fa3428ad61..f7d2d3b7c4 100644
--- a/meta/lib/oe/package.py
+++ b/meta/lib/oe/package.py
@@ -24,6 +24,9 @@ def runstrip(arg):

# kernel module
if elftype & 16:
+if is_kernel_module_signed(file):
+bb.debug(1, "Skip strip on signed module %s" % file)
+return


It does not look right to me. Above means that signed KLM will go into image 
with symbols. Or I don't read code correctly?

Where is signature stored? Is it some kind of an ELF NOTE? In this case you would just 
need to drop only "--remove-section=.note"
from strip command. Wondering why .notes were stripped in the first place.


stripcmd.extend(["--strip-debug", "--remove-section=.comment",
"--remove-section=.note", "--preserve-dates"])


I suggest split above into two invocations and do second
stripcmd.extend(["--remove-section=.note"]) only for non signed modules.
Assuming that signature is in the .note section. If it is not .comment, do that with 
"--remove-section=.comment" instead.


# .so and shared library
@@ -46,6 +49,13 @@ def is_kernel_module(path):
with open(path) as f:
return mmap.mmap(f.fileno(), 0,
prot=mmap.PROT_READ).find(b"vermagic=") >= 0

+# Detect if .ko module is signed
+def is_kernel_module_signed(path):
+with open(path, "rb") as f:
+f.seek(-28, 2)


Where magic -28 comes from? Is it true for all cases, all CPU arches?
I think it could be done more cleanly here.

Thanks,
Victor


+module_tail = f.read()
+return "Module signature appended" in "".join(chr(c) for c in
+ bytearray(module_tail))
+
# Return type (bits):
# 0 - not elf
# 1 - ELF
--
2.18.0

--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core




--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [PATCH] package: skip strip on signed kernel modules

2018-08-03 Thread Victor Kamensky via Openembedded-core





On Fri, 3 Aug 2018, omar.ocampo.coron...@intel.com wrote:


From: foocampo 

Executing strip action on kernel modules removes the signature.
Is not possible to strip and keep the signature, therefore avoid
strip signed kernel modules.

Signed-off-by: foocampo 
---
meta/lib/oe/package.py | 10 ++
1 file changed, 10 insertions(+)

diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
index fa3428ad61..f7d2d3b7c4 100644
--- a/meta/lib/oe/package.py
+++ b/meta/lib/oe/package.py
@@ -24,6 +24,9 @@ def runstrip(arg):

# kernel module
if elftype & 16:
+if is_kernel_module_signed(file):
+bb.debug(1, "Skip strip on signed module %s" % file)
+return


It does not look right to me. Above means that signed
KLM will go into image with symbols. Or I don't read
code correctly?

Where is signature stored? Is it some kind of an ELF NOTE? In
this case you would just need to drop only "--remove-section=.note"
from strip command. Wondering why .notes were stripped in the
first place.


stripcmd.extend(["--strip-debug", "--remove-section=.comment",
"--remove-section=.note", "--preserve-dates"])


I suggest split above into two invocations and do second
stripcmd.extend(["--remove-section=.note"]) only for non signed modules.
Assuming that signature is in the .note section. If it is not .comment,
do that with "--remove-section=.comment" instead.


# .so and shared library
@@ -46,6 +49,13 @@ def is_kernel_module(path):
with open(path) as f:
return mmap.mmap(f.fileno(), 0, prot=mmap.PROT_READ).find(b"vermagic=") 
>= 0

+# Detect if .ko module is signed
+def is_kernel_module_signed(path):
+with open(path, "rb") as f:
+f.seek(-28, 2)


Where magic -28 comes from? Is it true for all cases, all CPU arches?
I think it could be done more cleanly here.

Thanks,
Victor


+module_tail = f.read()
+return "Module signature appended" in "".join(chr(c) for c in 
bytearray(module_tail))
+
# Return type (bits):
# 0 - not elf
# 1 - ELF
--
2.18.0

--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] [PATCH 2/2] systemtap: fix unintialized memory accesses in dwflpp::function_entrypc

2018-07-20 Thread Victor Kamensky via Openembedded-core

Observed failure in SystemTap v3.3 unit testing, It was tracked down
to unintialized memory access in dwflpp::function_entrypc method.

Upstream-Status: Backport
Signed-off-by: Victor Kamensky 
---
 ...entrypc-avoid-usage-of-uninitialized.patch | 46 +++
 .../systemtap/systemtap_git.inc   |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch

diff --git 
a/meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch
 
b/meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch
new file mode 100644
index 00..d0082a1094
--- /dev/null
+++ 
b/meta/recipes-kernel/systemtap/systemtap/0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch
@@ -0,0 +1,46 @@
+From 8466fca2a074323a235ef38d425f994a2ff7e64f Mon Sep 17 00:00:00 2001
+From: Victor Kamensky 
+Date: Mon, 9 Jul 2018 09:31:19 -0700
+Subject: [PATCH] dwflpp::function_entrypc avoid usage of uninitialized memory
+
+Failure on 3.3 release was observed. Failure was elusive and
+disappeared after seemingly random configure option change, or when
+code was compiled with -O1 or -O0 (vs default -O2). Running failing
+test case under valgrind memcheck pointed to couple places where
+'Conditional jump or move depends on uninitialised value(s)' occured.
+
+After addressing these in two places in dwflpp::function_entrypc,
+valgrind memcheck run is clean and original issue got fixed.
+
+Upstream-Status: Backport
+Signed-off-by: Victor Kamensky 
+---
+ dwflpp.cxx | 6 +-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/dwflpp.cxx b/dwflpp.cxx
+index bfbb6b096..2172e705a 100644
+--- a/dwflpp.cxx
 b/dwflpp.cxx
+@@ -2465,13 +2465,17 @@ bool
+ dwflpp::function_entrypc (Dwarf_Addr * addr)
+ {
+   assert (function);
++
++  // assign default value
++  *addr = 0;
++
+   // PR10574: reject 0, which tends to be eliminated COMDAT
+   if (dwarf_entrypc (function, addr) == 0 && *addr != 0)
+ return true;
+ 
+   /* Assume the entry pc is the base address, or (if zero)
+  the first address of the ranges covering this DIE.  */
+-  Dwarf_Addr start, end;
++  Dwarf_Addr start = 0, end;
+   if (dwarf_ranges (function, 0, addr, , ) >= 0)
+ {
+   if (*addr == 0)
+-- 
+2.17.1
+
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.inc 
b/meta/recipes-kernel/systemtap/systemtap_git.inc
index a1e05579e6..06924fc240 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.inc
+++ b/meta/recipes-kernel/systemtap/systemtap_git.inc
@@ -11,6 +11,7 @@ SRC_URI = "git://sourceware.org/git/systemtap.git \

file://0001-Do-not-let-configure-write-a-python-location-into-th.patch \
file://0001-Install-python-modules-to-correct-library-dir.patch \

file://0001-staprun-stapbpf-don-t-support-installing-a-non-root.patch \
+   
file://0001-dwflpp-function_entrypc-avoid-usage-of-uninitialized.patch \
"
 
 COMPATIBLE_HOST = '(x86_64|i.86|powerpc|arm|aarch64|microblazeel|mips).*-linux'
-- 
2.17.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] [PATCH 1/2] systemtap: 3.2 -> 3.3

2018-07-20 Thread Victor Kamensky via Openembedded-core

Upgrade systemtap from 3.2 to 3.3: Removed all backported patches.
Removed "remove quotes around -I include" pending patch since 3.3
got similar fix already. Resolved merge conflict in and
regenerated monitor-option.patch patch.

Signed-off-by: Victor Kamensky 
---
 ...dded-a-couple-of-small-sysroot-fixes.patch |  42 ---
 ...root-path-to-module-name-in-case-of-.patch |  61 
 ...pdating-the-use-of-timers-for-the-4..patch | 277 --
 .../systemtap/0001-Fixes-for-gcc-8.patch  | 215 --
 ...sysroot-paths-don-t-end-with-a-slash.patch | 128 
 ...when-looking-for-the-System.map-file.patch |  29 --
 ...ocate-needs-target-file-path-not-hos.patch |  39 ---
 ...-remove-quotes-around-I-include-line.patch |  38 ---
 ...-with-sysroot-case-do-not-remove-sys.patch |  42 ---
 ...t-release-r-option-handling-follow-u.patch |  40 ---
 ...-fix-short-release-r-option-handling.patch |  53 
 ...ymbolic-links-with-absolute-name-rel.patch | 117 
 .../systemtap/systemtap/monitor-option.patch  |  15 +-
 .../systemtap/systemtap_git.inc   |  16 +-
 14 files changed, 8 insertions(+), 1104 deletions(-)
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-Added-a-couple-of-small-sysroot-fixes.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-Delay-adding-sysroot-path-to-module-name-in-case-of-.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-Fix-PR22551-by-updating-the-use-of-timers-for-the-4..patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-Fixes-for-gcc-8.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-Make-sure-sysroot-paths-don-t-end-with-a-slash.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-Use-sysroot-when-looking-for-the-System.map-file.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-_stp_umodule_relocate-needs-target-file-path-not-hos.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-buildrun-remove-quotes-around-I-include-line.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-debuginfo-lookup-with-sysroot-case-do-not-remove-sys.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-sysroot-fix-short-release-r-option-handling-follow-u.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-sysroot-fix-short-release-r-option-handling.patch
 delete mode 100644 
meta/recipes-kernel/systemtap/systemtap/0001-sysroot-handle-symbolic-links-with-absolute-name-rel.patch

diff --git 
a/meta/recipes-kernel/systemtap/systemtap/0001-Added-a-couple-of-small-sysroot-fixes.patch
 
b/meta/recipes-kernel/systemtap/systemtap/0001-Added-a-couple-of-small-sysroot-fixes.patch
deleted file mode 100644
index c0ceb5a412..00
--- 
a/meta/recipes-kernel/systemtap/systemtap/0001-Added-a-couple-of-small-sysroot-fixes.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From a714658727206d2a98a7194b7e6d29dbd3e27b8d Mon Sep 17 00:00:00 2001
-From: David Smith 
-Date: Mon, 19 Mar 2018 16:50:05 -0500
-Subject: [PATCH] Added a couple of small sysroot fixes.
-
-* tapsets.cxx (dwarf_builder::build): Fix commit 4ffecddf5.
-  (path_remove_sysroot): Fix extra '/' present at start of paths.
-
-Upstream-Status: Backport
-Signed-off-by: Victor Kamensky 

- tapsets.cxx | 10 +++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-Index: git/tapsets.cxx
-===
 git.orig/tapsets.cxx
-+++ git/tapsets.cxx
-@@ -1395,7 +1395,8 @@ string path_remove_sysroot(const systemt
-   string retval = path;
-   if (!sess.sysroot.empty() &&
-   (pos = retval.find(sess.sysroot)) != string::npos)
--retval.replace(pos, sess.sysroot.length(), "/");
-+retval.replace(pos, sess.sysroot.length(),
-+ (sess.sysroot.back() == '/' ? "/": ""));
-   return retval;
- }
- 
-@@ -8412,8 +8413,11 @@ dwarf_builder::build(systemtap_session &
- 
-   // PR13338: unquote glob results
-   module_name = unescape_glob_chars (module_name);
--  user_path = find_executable (module_name, "", sess.sysenv); // 
canonicalize it
--  if (!is_fully_resolved(user_path, sess.sysroot, sess.sysenv))
-+  user_path = find_executable (module_name, sess.sysroot, sess.sysenv); 
// canonicalize it
-+  // Note we don't need to pass the sysroot to
-+  // is_fully_resolved(), since we just passed it to
-+  // find_executable().
-+  if (!is_fully_resolved(user_path, "", sess.sysenv))
- throw SEMANTIC_ERROR(_F("cannot find executable '%s'",
- user_path.to_string().c_str()));
- 
diff --git 
a/meta/recipes-kernel/systemtap/systemtap/0001-Delay-adding-sysroot-path-to-module-name-in-case-of-.patch
 
b/meta/recipes-kernel/systemtap/systemtap/0001-Delay-adding-sysroot-path-to-module-name-in-case-of-.patch
deleted file mode 100644
index 89951a2f19..00
---

[OE-core] [PATCH] make: disable use of posix_spawn on mips

Re: [OE-core] [PATCH 4/5] linux-yocto: Fix systemtap issue on armv7

Re: [OE-core] [PATCH] sysklogd: add alternatives for klogd and syslogd

[OE-core] [PATCH] meson: map powerpc64 TARGET_ARCH to ppc64 for the cross file

Re: [OE-core] [PATCH] sysklogd: add alternatives for klogd and syslogd

Re: [OE-core] [PATCH] sysklogd: add alternatives for klogd and syslogd

[OE-core] [PATCH] sysklogd: add alternatives for klogd and syslogd

Re: [OE-core] [PATCH] systemtap: 3.3 -> 4.0

[OE-core] [PATCH] systemtap: move systemtap-exporter into separate package

[OE-core] [PATCH] kernel-devsrc: add selinux include files needed by scripts/selinux build

Re: [OE-core] [PATCH] systemtap: 3.3 -> 4.0

Re: [OE-core] [PATCH] systemtap: 3.3 -> 4.0

Re: [OE-core] [PATCH] systemtap: 3.3 -> 4.0

[OE-core] [PATCH] systemtap: 3.3 -> 4.0

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

Re: [OE-core] [PATCH] package: skip strip on signed kernel modules

Re: [OE-core] [PATCH] package: skip strip on signed kernel modules

[OE-core] [PATCH 2/2] systemtap: fix unintialized memory accesses in dwflpp::function_entrypc

[OE-core] [PATCH 1/2] systemtap: 3.2 -> 3.3

19 matches

Site Navigation

Mail list logo

Footer information