[Re: [meta-selinux][PATCH] audit: fix host contamination for swig] On 19.12.31 (Tue 14:20) Yi Zhao wrote:
>
> On 12/31/19 12:24 PM, Joe MacDonald wrote:
> > Hi Yi,
> >
> > So, just to confirm, this is needed in your experience (I don't have any
> > builders that are that old, so I haven't verified). I just ask because
> > we only just dropped this patch to begin with:
> >
> >     commit 6edbe15c3dba7da0cffc1c11099867553e9d5570
> >     Author: Yi Zhao <[email protected]>
> >     Date:   Thu Nov 14 09:49:01 2019 +0800
> >
> >         audit: switch to python3
> >         * Switch to python3
> >         * Drop patches:
> >             audit-python-configure.patch
> >             audit-python.patch
> >             fix-swig-host-contamination.patch
> >         Signed-off-by: Yi Zhao <[email protected]>
> >         Signed-off-by: Joe MacDonald <[email protected]>
> >
> > If we need to bring it back, though, obviously no concerns about it since
> > the last time I did an update I carried it along. :-)
>
> When I dropped it in my previous patch I just tested it on some modern Linux
> distributions (e.g. Ubuntu 16.04/18.04 Fedora 31). There is no such error
> because the audit.h on the host is matched to our audit recipe. Then we
> found the build failure on some old distros (e.g. CentOS 7) because of the
> old version audit.h on host. The CentOS7 is still on Yocto support distros
> list. See: meta-poky/conf/distro/poky.conf. I'm afraid we should bring it
> back.

Heh, telling that 16.04 is a modern Ubuntu in this context. :-)

Anyway, yeah, I don't even have a 16.xx builder anymore, so I'm not
surprised this only shows up on really old systems. I'd be inclined to
just drop it entirely since on the CentOS download page now the main
(only?) way to get to any CentOS 7.x release is with the link here:

    Legacy versions of CentOS are no longer supported. For historical
    purposes, CentOS keeps an archive of older versions. If you’re
    absolutely sure you need an older version then click here »

But Yocto still supports 7 as a build distro and CentOS did do a 7.x
update in September past, so I guess we'll carry it for one more
release.

Thanks for the follow-up.

-J.

>
> Thanks,
> Yi
>
> >
> > -J.
> >
> > [[meta-selinux][PATCH] audit: fix host contamination for swig] On 19.12.27
> > (Fri 10:43) Yi Zhao wrote:
> >
> > > The audit build uses swig to generate a python wrapper. But there is a
> > > hardcoded include directory in auditswig.i, which causes header files on
> > > the host to be used when building. This will cause build error on some
> > > old systems. e.g.
on CentOS7 with buildtools: > > > audit_wrap.c: In function '_wrap_audit_rule_flags_set': > > > audit_wrap.c:5018:19: error: dereferencing pointer to incomplete type > > > 'struct audit_rule' > > > 5018 if (arg1) (arg1)->flags = arg2; > > > ^~ > > > > > > Signed-off-by: Yi Zhao <[email protected]> > > > --- > > > .../Fixed-swig-host-contamination-issue.patch | 57 +++++++++++++++++++ > > > recipes-security/audit/audit_2.8.5.bb | 1 + > > > 2 files changed, 58 insertions(+) > > > create mode 100644 > > > recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch > > > > > > diff --git > > > a/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch > > > b/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch > > > new file mode 100644 > > > index 0000000..7c26995 > > > --- /dev/null > > > +++ > > > b/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch 
> > > @@ -0,0 +1,57 @@ > > > +From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001 > > > +From: Li xin <[email protected]> > > > +Date: Sun, 19 Jul 2015 02:42:58 +0900 > > > +Subject: [PATCH] audit: Fixed swig host contamination issue > > > + > > > +The audit build uses swig to generate a python wrapper. > > > +Unfortunately, the swig info file references host include > > > +directories. Some of these were previously noticed and > > > +eliminated, but the one fixed here was not. > > > + > > > +Upstream-Status: Inappropriate [embedded specific] > > > + > > > +Signed-off-by: Anders Hedlund <[email protected]> > > > +Signed-off-by: Joe Slater <[email protected]> > > > +Signed-off-by: Yi Zhao <[email protected]> > > > +--- > > > + bindings/swig/python3/Makefile.am | 3 ++- > > > + bindings/swig/src/auditswig.i | 2 +- > > > + 2 files changed, 3 insertions(+), 2 deletions(-) > > > + > > > +diff --git a/bindings/swig/python3/Makefile.am > > > b/bindings/swig/python3/Makefile.am > > > +index 9938418..fa46aac 100644 > > > +--- a/bindings/swig/python3/Makefile.am > > > ++++ b/bindings/swig/python3/Makefile.am > > > +@@ -22,6 +22,7 @@ > > > + CONFIG_CLEAN_FILES = *.loT *.rej *.orig > > > + AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS) > > > + AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib > > > $(PYTHON3_INCLUDES) > > > ++STDINC ?= /usr/include > > > + LIBS = $(top_builddir)/lib/libaudit.la > > > + SWIG_FLAGS = -python -py3 -modern > > > + SWIG_INCLUDES = -I. 
-I$(top_builddir) -I${top_srcdir}/lib > > > $(PYTHON3_INCLUDES) > > > +@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h > > > ${top_builddir}/lib/libaudi > > > + _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la > > > + nodist__audit_la_SOURCES = audit_wrap.c > > > + audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i > > > +- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} > > > ${srcdir}/../src/auditswig.i > > > ++ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) > > > ${srcdir}/../src/auditswig.i > > > + > > > + CLEANFILES = audit.py* audit_wrap.c *~ > > > + > > > +diff --git a/bindings/swig/src/auditswig.i > > > b/bindings/swig/src/auditswig.i > > > +index 7ebb373..424fb68 100644 > > > +--- a/bindings/swig/src/auditswig.i > > > ++++ b/bindings/swig/src/auditswig.i > > > +@@ -39,7 +39,7 @@ signed > > > + #define __attribute(X) /*nothing*/ > > > + typedef unsigned __u32; > > > + typedef unsigned uid_t; > > > +-%include "/usr/include/linux/audit.h" > > > ++%include "linux/audit.h" > > > + #define __extension__ /*nothing*/ > > > + #include <stdint.h> > > > + %include "../lib/libaudit.h" > > > +-- > > > +2.7.4 > > > + > > > diff --git a/recipes-security/audit/audit_2.8.5.bb > > > b/recipes-security/audit/audit_2.8.5.bb > > > index 1e76d5f..ee3b3b5 100644 > > > --- a/recipes-security/audit/audit_2.8.5.bb > > > +++ b/recipes-security/audit/audit_2.8.5.bb > > > @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = > > > "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" > > > SRC_URI = > > > "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance > > > \ > > > file://Add-substitue-functions-for-strndupa-rawmemchr.patch \ > > > + file://Fixed-swig-host-contamination-issue.patch \ > > > file://auditd \ > > > file://auditd.service \ > > > file://audit-volatile.conf \ > > > -- > > > 2.17.1 > > > -- -Joe MacDonald. :wq
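
Review bot: In the bindings/swig/python3/Makefile.am hunk, the new default `STDINC ?= /usr/include` still points at the host header directory, so with the swig rule's added `-I$(STDINC)` the now-relative `%include "linux/audit.h"` resolves to the host's audit.h again unless the build overrides STDINC. Nothing in the visible recipe hunk sets it; please confirm that audit_2.8.5.bb already passes STDINC pointing at the sysroot include directory (for example through EXTRA_OEMAKE with ${STAGING_INCDIR}), or add that here, and say so in the commit message so the dependency between the patch and the recipe is documented.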
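
Review bot: In the bindings/swig/src/auditswig.i hunk, `%include "linux/audit.h"` now depends entirely on the swig search path, but the diffstat shows only bindings/swig/python3/Makefile.am gaining `-I$(STDINC)`. auditswig.i lives in the shared src directory, so if any other binding Makefile under bindings/swig runs swig on this file, it needs the same `-I$(STDINC)` addition or that binding will fail to find linux/audit.h. Please check that python3 is the only consumer enabled by the recipe, or extend the patch to the others.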
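
Review bot: In the audit_2.8.5.bb SRC_URI hunk and the commit message, the patch comes back as Fixed-swig-host-contamination-issue.patch, while the file dropped in 6edbe15c3dba ("audit: switch to python3") was fix-swig-host-contamination.patch, and the message does not say this is a restoration. Please note in the commit message that it re-adds the previously dropped patch, rebased onto bindings/swig/python3/Makefile.am, and that the failure depends on the host's audit.h version. Also, the embedded patch header carries `From: Li xin` without a matching Signed-off-by line; worth checking that the authorship and sign-off chain are as intended.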
