Initial commit

meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch

@@ -0,0 +1,32 @@
+From ab671b02e3aaf65dd1fd279789ea933b8140fe52 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Tue, 27 Aug 2019 16:08:00 +0800
+Subject: [PATCH] avoid race condition
+
+The rootsbin directory is self defined. The install-rootsbinPROGRAMS
+is actually treated as part of install-data.
+
+This would avoid race condition which causes install failure.
+
+Upstream-Status: Pending
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/utils/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/utils/Makefile.am b/src/utils/Makefile.am
+index 83cf851..344883a 100644
+--- a/src/utils/Makefile.am
++++ b/src/utils/Makefile.am
+@@ -67,6 +67,6 @@ ecryptfs_stat_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
+ test_SOURCES = test.c io.c
+ test_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
+ 
+-install-exec-hook:	install-rootsbinPROGRAMS
++install-data-hook:	install-rootsbinPROGRAMS
+ 	-rm -f "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private"
+ 	$(LN_S) "mount.ecryptfs_private" "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private"
+-- 
+2.17.1
+

meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch

@@ -0,0 +1,17 @@
+Upstream-Status: Pending
+
+Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+===================================================================
+--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
++++ ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+@@ -45,6 +45,10 @@
+ #include <values.h>
+ #include "../include/ecryptfs.h"
+ 
++#ifndef __SWORD_TYPE
++typedef __typeof__( ((struct statfs *)0)->f_type )	__SWORD_TYPE;
++#endif
++
+ /* Perhaps a future version of this program will allow these to be configurable
+  * by the system administrator (or user?) at run time.  For now, these are set
+  * to reasonable values to reduce the burden of input validation.

meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch

@@ -0,0 +1,65 @@
+From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 5 Sep 2016 10:28:08 +0800
+Subject: [PATCH] ecryptfs-utils: CVE-2016-6224
+
+src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+being automatically enabled by systemd. This bug affected GPT partitioned
+NVMe/MMC drives and resulted in the swap partition being used without
+encryption. It also resulted in a usability issue in that users were
+erroneously prompted to enter a pass-phrase to unlock their swap partition
+at boot. (LP: #1597154)
+
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
+https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
+
+Upstream-Status: Backport
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ ChangeLog                     |  9 +++++++++
+ src/utils/ecryptfs-setup-swap | 10 ++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index d255a94..2c9c73e 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++ecryptfs-utils-112
++  [ Jason Gerard DeRose ]
++  * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
++    being automatically enabled by systemd. This bug affected GPT partitioned
++    NVMe/MMC drives and resulted in the swap partition being used without
++    encryption. It also resulted in a usability issue in that users were
++    erroneously prompted to enter a pass-phrase to unlock their swap partition
++    at boot. (LP: #1597154)
++
+ ecryptfs-utils-74
+   [ Michal Hlavinka ]
+   * Changes for RH/Fedora release
+diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
+index 41cf18a..e4785d7 100755
+--- a/src/utils/ecryptfs-setup-swap
++++ b/src/utils/ecryptfs-setup-swap
+@@ -166,8 +166,14 @@ for swap in $swaps; do
+ 	# If this is a GPT partition, mark it as no-auto mounting, to avoid
+ 	# auto-activating it on boot
+ 	if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
+-		drive="${swap%[0-9]*}"
+-		partno="${swap#$drive}"
++		# Correctly handle NVMe/MMC drives, as well as any similar physical
++		# block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
++		if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
++			drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
++		else
++			drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
++		fi
++		partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
+ 		if [ -b "$drive" ]; then
+ 			if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
+ 				echo "$swap is already marked as no-auto"
+-- 
+1.9.1
+

meta-security/recipes-security/ecryptfs-utils/files/ecryptfs.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=A userspace daemon that runs as the user perform file operations under the eCryptfs mount point
+After=udev.service
+
+[Service]
+ExecStart=/usr/bin/ecryptfsd -f
+
+[Install]
+WantedBy=multi-user.target