jim.lai/OpenBMC
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+72
View File
@@ -0,0 +1,72 @@
SUMMARY = "The eCryptfs mount helper and support libraries"
DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \
that ships in Linux kernel versions 2.6.19 and above. This \
package provides the mount helper and supporting libraries \
to perform key management and mount functions."
HOMEPAGE = "https://launchpad.net/ecryptfs"
SECTION = "base"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native"
SRC_URI = "\
https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \
file://ecryptfs-utils-CVE-2016-6224.patch \
file://0001-avoid-race-condition.patch \
file://ecryptfs.service \
file://define_musl_sword_type.patch \
"
SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f"
UPSTREAM_CHECK_URI = "https://launchpad.net/ecryptfs/+download"
inherit autotools pkgconfig systemd
SYSTEMD_PACKAGES = "${PN}"
SYSTEMD_SERVICE:${PN} = "ecryptfs.service"
EXTRA_OECONF = "\
--libdir=${base_libdir} \
--disable-pywrap \
--disable-nls \
--with-pamdir=${base_libdir}/security \
--disable-openssl \
"
PACKAGECONFIG ??= "nss \
${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
"
PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss,"
PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
do_configure:prepend() {
export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3"
export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
sed -i -e "s;rootsbindir=\"/sbin\";rootsbindir=\"\${base_sbindir}\";g" ${S}/configure.ac
}
do_install:append() {
chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private
# ${base_libdir} is identical to ${libdir} when usrmerge enabled
if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then
mkdir -p ${D}/${libdir}
mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir}
fi
sed -i -e 's:-I${STAGING_INCDIR}::' \
-e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc
sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" ${D}${bindir}/ecryptfs-setup-swap
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
install -D -m 0644 ${WORKDIR}/ecryptfs.service ${D}${systemd_system_unitdir}/ecryptfs.service
fi
}
FILES:${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
RDEPENDS:${PN} += "cryptsetup"
RRECOMMENDS:${PN} = "gettext-runtime"
meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch
+32
View File
@@ -0,0 +1,32 @@
From ab671b02e3aaf65dd1fd279789ea933b8140fe52 Mon Sep 17 00:00:00 2001
From: Chen Qi <Qi.Chen@windriver.com>
Date: Tue, 27 Aug 2019 16:08:00 +0800
Subject: [PATCH] avoid race condition
The rootsbin directory is self defined. The install-rootsbinPROGRAMS
is actually treated as part of install-data.
This would avoid race condition which causes install failure.
Upstream-Status: Pending
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
src/utils/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/utils/Makefile.am b/src/utils/Makefile.am
index 83cf851..344883a 100644
--- a/src/utils/Makefile.am
+++ b/src/utils/Makefile.am
@@ -67,6 +67,6 @@ ecryptfs_stat_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
test_SOURCES = test.c io.c
test_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
-install-exec-hook: install-rootsbinPROGRAMS
+install-data-hook: install-rootsbinPROGRAMS
-rm -f "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private"
$(LN_S) "mount.ecryptfs_private" "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private"
--
2.17.1
meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
+17
View File
@@ -0,0 +1,17 @@
Upstream-Status: Pending
Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
===================================================================
--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
+++ ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
@@ -45,6 +45,10 @@
#include <values.h>
#include "../include/ecryptfs.h"
+#ifndef __SWORD_TYPE
+typedef __typeof__( ((struct statfs *)0)->f_type ) __SWORD_TYPE;
+#endif
+
/* Perhaps a future version of this program will allow these to be configurable
* by the system administrator (or user?) at run time. For now, these are set
* to reasonable values to reduce the burden of input validation.
meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
+65
View File
@@ -0,0 +1,65 @@
From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Mon, 5 Sep 2016 10:28:08 +0800
Subject: [PATCH] ecryptfs-utils: CVE-2016-6224
src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
being automatically enabled by systemd. This bug affected GPT partitioned
NVMe/MMC drives and resulted in the swap partition being used without
encryption. It also resulted in a usability issue in that users were
erroneously prompted to enter a pass-phrase to unlock their swap partition
at boot. (LP: #1597154)
the patch comes from:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
Upstream-Status: Backport
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
ChangeLog | 9 +++++++++
src/utils/ecryptfs-setup-swap | 10 ++++++++--
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d255a94..2c9c73e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+ecryptfs-utils-112
+ [ Jason Gerard DeRose ]
+ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+ being automatically enabled by systemd. This bug affected GPT partitioned
+ NVMe/MMC drives and resulted in the swap partition being used without
+ encryption. It also resulted in a usability issue in that users were
+ erroneously prompted to enter a pass-phrase to unlock their swap partition
+ at boot. (LP: #1597154)
+
ecryptfs-utils-74
[ Michal Hlavinka ]
* Changes for RH/Fedora release
diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
index 41cf18a..e4785d7 100755
--- a/src/utils/ecryptfs-setup-swap
+++ b/src/utils/ecryptfs-setup-swap
@@ -166,8 +166,14 @@ for swap in $swaps; do
# If this is a GPT partition, mark it as no-auto mounting, to avoid
# auto-activating it on boot
if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
- drive="${swap%[0-9]*}"
- partno="${swap#$drive}"
+ # Correctly handle NVMe/MMC drives, as well as any similar physical
+ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
+ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
+ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
+ else
+ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
+ fi
+ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
if [ -b "$drive" ]; then
if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
echo "$swap is already marked as no-auto"
--
1.9.1
meta-security/recipes-security/ecryptfs-utils/files/ecryptfs.service
+9
View File
@@ -0,0 +1,9 @@
[Unit]
Description=A userspace daemon that runs as the user perform file operations under the eCryptfs mount point
After=udev.service
[Service]
ExecStart=/usr/bin/ecryptfsd -f
[Install]
WantedBy=multi-user.target