From 5ee41311c723fce700d3253598576b3e6ef87202 Mon Sep 17 00:00:00 2001
From: Chris Rogers
Date: Mon, 22 Jul 2019 13:02:29 -0400
Subject: [PATCH] [sqlite3] Upgrade sqlite3 and pseudo

The pseudo upgrade is required because 1.8.2 can't build against sqlite3 3.29.0. 3.29.0 gets us the latest CVEs.

OXT-1629

Signed-off-by: Chris Rogers
(cherry picked from commit 9424cc868d24edac25c0bea15531856594ed66d4)
---
 .../0001-configure-Prune-PIE-flags.patch | 44 +++++
 recipes-devtools/pseudo/files/fallback-group | 3 +
 recipes-devtools/pseudo/files/fallback-passwd | 3 +
 .../pseudo/files/moreretries.patch | 19 +++
 .../pseudo/files/toomanyfiles.patch | 71 ++++++++
 recipes-devtools/pseudo/pseudo.inc | 155 ++++++++++++++++++
 recipes-devtools/pseudo/pseudo_git.bb | 14 ++
 recipes-support/sqlite/sqlite3_3.20.0.bb | 11 --
 recipes-support/sqlite/sqlite3_3.29.0.bb | 8 +
 9 files changed, 317 insertions(+), 11 deletions(-)
 create mode 100644 recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch
 create mode 100644 recipes-devtools/pseudo/files/fallback-group
 create mode 100644 recipes-devtools/pseudo/files/fallback-passwd
 create mode 100644 recipes-devtools/pseudo/files/moreretries.patch
 create mode 100644 recipes-devtools/pseudo/files/toomanyfiles.patch
 create mode 100644 recipes-devtools/pseudo/pseudo.inc
 create mode 100644 recipes-devtools/pseudo/pseudo_git.bb
 delete mode 100644 recipes-support/sqlite/sqlite3_3.20.0.bb
 create mode 100644 recipes-support/sqlite/sqlite3_3.29.0.bb

diff --git a/recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch b/recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch
new file mode 100644
index 0000000000..43504eaab9
--- /dev/null
+++ b/recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch
@@ -0,0 +1,44 @@
+From b5545c08e6c674c49aef14b47a56a3e92df4d2a7 Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Wed, 17 Feb 2016 07:36:34 +0000
+Subject: [pseudo][PATCH] configure: Prune PIE flags
+
+LDFLAGS are not taken from environment and CFLAGS is used for LDFLAGS
+however when using security options -fpie and -pie options are coming
+as part of ARCH_FLAGS and they get into LDFLAGS of shared objects as
+well so we end up with conflicting options -shared -pie, which gold
+rejects outright and bfd linker lets the one appearning last in cmdline
+take effect. This create quite a unpleasant situation in OE when
+security flags are enabled and gold or not-gold options are used
+it errors out but errors are not same.
+
+Anyway, with this patch we filter pie options from ARCH_FLAGS
+ouright and take control of generating PIC objects
+
+Helps with errors like
+
+| /mnt/oe/build/tmp-glibc/sysroots/x86_64-linux/usr/libexec/x86_64-oe-linux/gcc/x86_64-oe-linux/5.3.0/ld: pseudo_client.o: relocation R_X86_64_PC32 against symbol `pseudo_util_debug_flags' can not be used when making a shared object; recompile with -fPIC
+| /mnt/oe/build/tmp-glibc/sysroots/x86_64-linux/usr/libexec/x86_64-oe-linux/gcc/x86_64-oe-linux/5.3.0/ld: final link failed: Bad value
+| collect2: error: ld returned 1 exit status
+| make: *** [lib/pseudo/lib64/libpseudo.so] Error 1
+
+Signed-off-by: Khem Raj
+---
+Upstream-Status: Submitted
+
+ configure | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/configure b/configure
+index e5ef9ce..83b0890 100755
+--- a/configure
++++ b/configure
+@@ -339,3 +339,5 @@ sed -e '
+ s,@ARCH@,'"$opt_arch"',g
+ s,@BITS@,'"$opt_bits"',g
+ ' < Makefile.in > Makefile
++
++sed -i -e 's/\-[f]*pie//g' Makefile
+--
+1.8.3.1
+
diff --git a/recipes-devtools/pseudo/files/fallback-group b/recipes-devtools/pseudo/files/fallback-group
new file mode 100644
index 0000000000..bb3dbca606
--- /dev/null
+++ b/recipes-devtools/pseudo/files/fallback-group
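Review bot: The pattern in the added `sed -i -e 's/\-[f]*pie//g' Makefile` is unanchored, so it rewrites the inside of other tokens as well: `-fno-pie` would become `-fno`, while the equally PIE-related `-fPIE` is left untouched, so the pruning is uneven rather than a clean removal. A boundary-anchored form such as `sed -i -e 's/\(^\|[[:space:]]\)-f\{0,1\}pie\b//g' Makefile` removes only whole `-pie`/`-fpie` words (GNU sed is already assumed by `-i`). The effect of the patch is also worth recording in its header: pseudo's executables end up linked without PIE, so the build host's address-space randomisation does not apply to them, which is an accepted trade-off for a native build tool but one a later reviewer should not have to rediscover from the regex.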
@@ -0,0 +1,3 @@
+root:*:0:
+mail:*:8:
+nobody:*:99:
diff --git a/recipes-devtools/pseudo/files/fallback-passwd b/recipes-devtools/pseudo/files/fallback-passwd
new file mode 100644
index 0000000000..08611baaf4
--- /dev/null
+++ b/recipes-devtools/pseudo/files/fallback-passwd
@@ -0,0 +1,3 @@
+root::0:0:root:/home/root:/bin/sh
+pseudopasswd:*:1:1:this-is-the-pseudo-passwd:/nonexistent:/bin/sh
+nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
diff --git a/recipes-devtools/pseudo/files/moreretries.patch b/recipes-devtools/pseudo/files/moreretries.patch
new file mode 100644
index 0000000000..adea2665b0
--- /dev/null
+++ b/recipes-devtools/pseudo/files/moreretries.patch
@@ -0,0 +1,19 @@
+Increase the number of retries in pseudo due to occasional slow
+server shutdowns.
+
+Upstream-Status: Pending
+RP 2016/2/28
+
+Index: git/pseudo_client.c
+===================================================================
+--- git.orig/pseudo_client.c
++++ git/pseudo_client.c
+@@ -1282,7 +1282,7 @@ pseudo_client_setup(void) {
+ }
+ }
+ 
+-#define PSEUDO_RETRIES 20
++#define PSEUDO_RETRIES 250
+ static pseudo_msg_t *
+ pseudo_client_request(pseudo_msg_t *msg, size_t len, const char *path) {
+ pseudo_msg_t *response = 0;
diff --git a/recipes-devtools/pseudo/files/toomanyfiles.patch b/recipes-devtools/pseudo/files/toomanyfiles.patch
new file mode 100644
index 0000000000..bda7e4b202
--- /dev/null
+++ b/recipes-devtools/pseudo/files/toomanyfiles.patch
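Review bot: `root::0:0:root:/home/root:/bin/sh` in fallback-passwd leaves the password field empty while the other two entries use `*`; in passwd(5) terms an empty field is "no password required" whereas `*` is "no valid password". pseudo.inc installs these files as `${sysconfdir}/passwd` and `${sysconfdir}/group` in the native sysroot, so anything else that reads that sysroot's passwd database would see a passwordless root. Unless pseudo depends on the empty field (I cannot tell from this commit), `root:*:0:0:root:/home/root:/bin/sh` would be the consistent entry; if it does depend on it, a one-line comment next to the install lines in pseudo.inc saying so would stop someone "fixing" it later.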
@@ -0,0 +1,71 @@
+From b0b25fbc041a148d1de09f5a6503cd95973ec77c Mon Sep 17 00:00:00 2001
+From: Richard Purdie
+Date: Tue, 25 Apr 2017 15:25:54 +0100
+Subject: [PATCH 3/3] pseudo: Handle too many files deadlock
+
+Currently if we max out the maximum number of files, pseudo can deadlock, unable to
+accept new connections yet unable to move forward and unblock the other processes
+waiting either.
+
+Rather than hang, when this happens, close out inactive connections, allowing us
+to accept the new ones. The disconnected clients will simply reconnect. There is
+a small risk of data loss here sadly but its better than hanging.
+
+RP
+2017/4/25
+
+Upstream-Status: Submitted [Peter is aware of the issue]
+
+---
+ pseudo_server.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/pseudo_server.c b/pseudo_server.c
+index dac3258..15a3e8f 100644
+--- a/pseudo_server.c
++++ b/pseudo_server.c
+@@ -802,6 +802,7 @@ pseudo_server_loop(void) {
+ struct sigaction eat_usr2 = {
+ .sa_handler = set_do_list_clients
+ };
++ int hitmaxfiles;
+ 
+ clients = malloc(16 * sizeof(*clients));
+ 
+@@ -820,6 +821,7 @@ pseudo_server_loop(void) {
+ active_clients = 1;
+ max_clients = 16;
+ highest_client = 0;
++ hitmaxfiles = 0;
+ 
+ pseudo_debug(PDBGF_SERVER, "server loop started.\n");
+ if (listen_fd < 0) {
+@@ -878,10 +880,15 @@ pseudo_server_loop(void) {
+ } else {
+ serve_client(i);
+ }
++ } else if (hitmaxfiles) {
++ /* Only close one per loop iteration in the interests of caution */
++ close_client(i);
++ hitmaxfiles = 0;
+ }
+ if (die_forcefully)
+ break;
+ }
++ hitmaxfiles = 0;
+ if (!die_forcefully &&
+ (FD_ISSET(clients[0].fd, &events) ||
+ FD_ISSET(clients[0].fd, &reads))) {
+@@ -903,6 +910,9 @@ pseudo_server_loop(void) {
+ */
+ pseudo_server_timeout = DEFAULT_PSEUDO_SERVER_TIMEOUT;
+ die_peacefully = 0;
++ } else if (errno == EMFILE) {
++ hitmaxfiles = 1;
++ pseudo_debug(PDBGF_SERVER, "Hit max open files, dropping a client.\n");
+ }
+ }
+ pseudo_debug(PDBGF_SERVER, "server loop complete [%d clients left]\n", active_clients);
+--
+2.15.1
+
diff --git a/recipes-devtools/pseudo/pseudo.inc b/recipes-devtools/pseudo/pseudo.inc
new file mode 100644
index 0000000000..8b05735bb1
--- /dev/null
+++ b/recipes-devtools/pseudo/pseudo.inc
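Review bot: The new `} else if (errno == EMFILE) {` branch in the last nested hunk only recognises the per-process descriptor limit; the failing call it follows (presumably the accept on `clients[0].fd`, which is outside the hunk) reports the system-wide limit as ENFILE, and the deadlock this patch describes is the same in that case, so the test should be `} else if (errno == EMFILE || errno == ENFILE) {`. The client dropped by the `else if (hitmaxfiles)` branch is simply the first client reached in index order that had no pending event, not the one idle longest, so the "small risk of data loss" the header admits falls on an arbitrary client; if that is acceptable, the comment should say so rather than only "in the interests of caution". The "Hit max open files, dropping a client." message is emitted at PDBGF_SERVER debug level, which a later build-failure investigation is unlikely to have enabled even though a connection was deliberately severed. pseudo_server_loop begins and ends outside this hunk.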
@@ -0,0 +1,155 @@
+# Note: Due to the bitbake wrapper script, making changes to pseudo can be
+# difficult. To work around the current version of the wrapper use:
+# BBFETCH2=True PSEUDO_BUILD=1 ../bitbake/bin/bitbake pseudo-native [-c CMD]
+
+SUMMARY = "Pseudo gives fake root capabilities to a normal user"
+HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/pseudo"
+LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
+SECTION = "base"
+LICENSE = "LGPL2.1"
+DEPENDS = "sqlite3 attr"
+
+FILES_${PN} = "${prefix}/lib/pseudo/lib*/libpseudo.so ${bindir}/* ${localstatedir}/pseudo ${prefix}/var/pseudo"
+INSANE_SKIP_${PN} += "libdir"
+INSANE_SKIP_${PN}-dbg += "libdir"
+
+PROVIDES += "virtual/fakeroot"
+
+MAKEOPTS = ""
+
+inherit siteinfo pkgconfig
+
+do_configure () {
+ :
+}
+
+NO32LIBS ??= "1"
+NO32LIBS_class-nativesdk = "1"
+
+PSEUDO_EXTRA_OPTS ?= "--enable-force-async --without-passwd-fallback --enable-epoll --enable-xattr"
+
+# Compile for the local machine arch...
+do_compile () {
+ SQLITE_LDADD='$(SQLITE)/$(SQLITE_LIB)/libsqlite3.a'
+ for sqlite_link_opt in $(pkg-config sqlite3 --libs --static)
+ do
+ case "$sqlite_link_opt" in
+ -lsqlite3)
+ ;;
+ -l*)
+ SQLITE_LDADD="${SQLITE_LDADD} ${sqlite_link_opt}"
+ ;;
+ *)
+ ;;
+ esac
+ done
+ if [ "${SITEINFO_BITS}" = "64" ]; then
+ ${S}/configure ${PSEUDO_EXTRA_OPTS} --prefix=${prefix} --libdir=${prefix}/lib/pseudo/lib${SITEINFO_BITS} --with-sqlite-lib=${baselib} --with-sqlite=${STAGING_DIR_TARGET}${exec_prefix} --cflags="${CFLAGS}" --bits=${SITEINFO_BITS} --with-static-sqlite="$SQLITE_LDADD" --without-rpath
+ else
+ ${S}/configure ${PSEUDO_EXTRA_OPTS} --prefix=${prefix} --libdir=${prefix}/lib/pseudo/lib --with-sqlite-lib=${baselib} --with-sqlite=${STAGING_DIR_TARGET}${exec_prefix} --cflags="${CFLAGS}" --bits=${SITEINFO_BITS} --with-static-sqlite="$SQLITE_LDADD" --without-rpath
+ fi
+ oe_runmake ${MAKEOPTS}
+}
+do_compile[vardepsexclude] = "SITEINFO_BITS"
+
+maybe_make32() {
+ # We probably don't need to build 32-bit binaries.
+ make32=false
+ if [ "${SITEINFO_BITS}" = "64" ]; then
+ case "${NO32LIBS}" in
+ 0) make32=true
+ ;;
+ 1) make32=false
+ ;;
+ *) # If unset, build 32-bit if we think we can.
+ if [ -e "/usr/include/gnu/stubs-32.h" ]; then
+ make32=true
+ fi
+ ;;
+ esac
+ fi
+ if $make32; then
+ if ! [ -e "/usr/include/gnu/stubs-32.h" ]; then
+ warn_32bit_missing
+ else
+ bbnote "Attempting to build 32-bit libpseudo.so for ${PN}."
+ fi
+ else
+ bbnote "Building/installing only 64-bit libpseudo.so for ${PN}."
+ bbnote "If you need to run 32-bit executables, ensure that NO32LIBS is set to 0."
+ fi
+}
+maybe_make32[vardepsexclude] = "SITEINFO_BITS"
+
+warn_32bit_missing() {
+ bbwarn "Can't find stubs-32.h, but usually need it to build 32-bit libpseudo."
+ bbwarn "If the build fails, install 32-bit developer packages."
+ bbwarn "If you are using 32-bit binaries, the 32-bit libpseudo is NOT optional."
+}
+
+# Two below are the same
+# If necessary compile for the alternative machine arch. This is only
+# necessary in a native build.
+do_compile_prepend_class-native () {
+ maybe_make32
+ if $make32; then
+ # We need the 32-bit libpseudo on a 64-bit machine...
+ # Note that this is not well-tested outside of x86/x86_64.
+
+ # if we're being rebuilt due to a dependency change, we need to make sure
+ # everything is clean before we configure and build -- if we haven't previously
+ # built this will fail and be ignored.
+ make ${MAKEOPTS} distclean || :
+
+ ./configure ${PSEUDO_EXTRA_OPTS} --prefix=${prefix} --libdir=${prefix}/lib/pseudo/lib --with-sqlite-lib=${baselib} --with-sqlite=${STAGING_DIR_TARGET}${exec_prefix} --bits=32 --without-rpath
+ save_traps=$(trap)
+ trap 'warn_32bit_missing' 0
+ oe_runmake ${MAKEOPTS} libpseudo
+ eval "$save_traps"
+ # prevent it from removing the lib, but remove everything else
+ make 'LIB=foo' ${MAKEOPTS} distclean
+ fi
+}
+
+do_compile_prepend_class-nativesdk () {
+ maybe_make32
+ if $make32; then
+ # We need the 32-bit libpseudo on a 64-bit machine.
+ # Note that this is not well-tested outside of x86/x86_64.
+ ./configure ${PSEUDO_EXTRA_OPTS} --prefix=${prefix} --libdir=${prefix}/lib/pseudo/lib --with-sqlite-lib=${baselib} --with-sqlite=${STAGING_DIR_TARGET}${exec_prefix} --bits=32 --without-rpath
+ oe_runmake ${MAKEOPTS} libpseudo
+ # prevent it from removing the lib, but remove everything else
+ make 'LIB=foo' ${MAKEOPTS} distclean
+ fi
+}
+
+do_install () {
+ oe_runmake 'DESTDIR=${D}' ${MAKEOPTS} 'LIB=lib/pseudo/lib$(MARK64)' install
+}
+
+do_install_append_class-native () {
+ install -d ${D}${sysconfdir}
+ # The fallback files should never be modified
+ install -m 444 ${WORKDIR}/fallback-passwd ${D}${sysconfdir}/passwd
+ install -m 444 ${WORKDIR}/fallback-group ${D}${sysconfdir}/group
+
+ # Two native/nativesdk entries below are the same
+ # If necessary install for the alternative machine arch. This is only
+ # necessary in a native build.
+ maybe_make32
+ if $make32; then
+ mkdir -p ${D}${prefix}/lib/pseudo/lib
+ cp lib/pseudo/lib/libpseudo.so ${D}${prefix}/lib/pseudo/lib/.
+ fi
+}
+
+do_install_append_class-nativesdk () {
+ maybe_make32
+ if $make32; then
+ mkdir -p ${D}${prefix}/lib/pseudo/lib
+ cp lib/pseudo/lib/libpseudo.so ${D}${prefix}/lib/pseudo/lib/.
+ fi
+ chrpath -d ${D}${prefix}/lib/pseudo/lib*/libpseudo.so
+}
+
+BBCLASSEXTEND = "native nativesdk"
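Review bot: `PSEUDO_EXTRA_OPTS` builds pseudo with `--without-passwd-fallback`, yet `do_install_append_class-native` installs fallback-passwd and fallback-group as `${sysconfdir}/passwd` and `${sysconfdir}/group` under the comment "The fallback files should never be modified", and nothing in the recipe says how the two relate. A reader cannot tell whether these files are what pseudo consults when a sysroot has no passwd database of its own (which I believe is the intent, but cannot confirm from the recipe) or leftovers that the configure switch has made inert, and the nativesdk install does not ship them at all, which deepens the ambiguity. A comment above the install lines such as `# pseudo is configured --without-passwd-fallback (no compiled-in users); these read-only files are the passwd/group database it reads from the native sysroot instead` would settle it, adjusted to whatever the actual behaviour is. The 32-bit probe on `/usr/include/gnu/stubs-32.h` reads the build host rather than the sysroot, which is inherited from upstream and worth a note only because `maybe_make32[vardepsexclude]` hides that host dependence from the task hash.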
diff --git a/recipes-devtools/pseudo/pseudo_git.bb b/recipes-devtools/pseudo/pseudo_git.bb
new file mode 100644
index 0000000000..51db84c4d4
--- /dev/null
+++ b/recipes-devtools/pseudo/pseudo_git.bb
@@ -0,0 +1,14 @@
+require pseudo.inc
+
+SRC_URI = "git://git.yoctoproject.org/pseudo \
+ file://0001-configure-Prune-PIE-flags.patch \
+ file://fallback-passwd \
+ file://fallback-group \
+ file://moreretries.patch \
+ file://toomanyfiles.patch \
+ "
+
+SRCREV = "3fa7c853e0bcd6fe23f7524c2a3c9e3af90901c3"
+S = "${WORKDIR}/git"
+PV = "1.9.0+git${SRCPV}"
+
diff --git a/recipes-support/sqlite/sqlite3_3.20.0.bb b/recipes-support/sqlite/sqlite3_3.20.0.bb
deleted file mode 100644
index fc75c2abc3..0000000000
--- a/recipes-support/sqlite/sqlite3_3.20.0.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-require recipes-support/sqlite/sqlite3.inc
-
-LICENSE = "PD"
-LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
-
-SRC_URI = "\
- http://www.sqlite.org/2017/sqlite-autoconf-${SQLITE_PV}.tar.gz \
- "
-SRC_URI[md5sum] = "e262a28b73cc330e7e83520c8ce14e4d"
-SRC_URI[sha256sum] = "3814c6f629ff93968b2b37a70497cfe98b366bf587a2261a56a5f750af6ae6a0"
-
diff --git a/recipes-support/sqlite/sqlite3_3.29.0.bb b/recipes-support/sqlite/sqlite3_3.29.0.bb
new file mode 100644
index 0000000000..6ddb5ae39d
--- /dev/null
+++ b/recipes-support/sqlite/sqlite3_3.29.0.bb
@@ -0,0 +1,8 @@
+require recipes-support/sqlite/sqlite3.inc
+
+LICENSE = "PD"
+LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
+
+SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz"
+SRC_URI[md5sum] = "8f3dfe83387e62ecb91c7c5c09c688dc"
+SRC_URI[sha256sum] = "8e7c1e2950b5b04c5944a981cb31fffbf9d2ddda939d536838ebc854481afd5b"
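Review bot: `SRC_URI` in pseudo_git.bb fetches over the unauthenticated `git://` transport; the full-hash `SRCREV` means a substituted tree would be rejected, but the fetch itself is plaintext and integrity rests on SHA-1 alone, so `SRC_URI = "git://git.yoctoproject.org/pseudo;protocol=https \` is the cheaper default. The same applies to the plaintext `http://www.sqlite.org/2019/...` URL in sqlite3_3.29.0.bb, where the `SRC_URI[sha256sum]` line is what actually protects the download. The commit message justifies the sqlite bump with "gets us the latest CVEs" but names none; recording the CVE identifiers being closed, in the message or as a comment in the recipe, would let the next person verify the claim instead of re-deriving it from release notes.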