* [PATCH 1/3] openssl: disable execstack flag to prevent problems with SELinux
2010-11-22 10:53 [PATCH 0/3] Patches for successful Fedora 14 build Paul Eggleton
@ 2010-11-17 11:37 ` Paul Eggleton
2010-11-22 19:22 ` Richard Purdie
2010-11-18 11:34 ` [PATCH 2/3] sanity.bbclass: add wget to required utilities Paul Eggleton
2010-11-19 12:37 ` [PATCH 3/3] qemu: fix failure to find zlib header files during configure Paul Eggleton
2 siblings, 1 reply; 11+ messages in thread
From: Paul Eggleton @ 2010-11-17 11:37 UTC (permalink / raw)
To: poky
The execstack flag gets set on libcrypto.so by default which causes SELinux
to prevent it from being loaded on systems using SELinux, which includes
Fedora. This patch disables the execstack flag. (Note: Red Hat do this in
their openssl packaging.)
Signed-off-by: Paul Eggleton <paul.eggleton@intel.com>
---
meta/recipes-connectivity/openssl/openssl.inc | 2 +-
.../recipes-connectivity/openssl/openssl_0.9.8p.bb | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index da90456..15144b1 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -15,7 +15,7 @@ S = "${WORKDIR}/openssl-${PV}"
AR_append = " r"
CFLAG = "${@base_conditional('SITEINFO_ENDIANESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \
- -DTERMIO ${FULL_OPTIMIZATION} -Wall"
+ -DTERMIO ${FULL_OPTIMIZATION} -Wall -Wa,--noexecstack"
# -02 does not work on mipsel: ssh hangs when it tries to read /dev/urandom
CFLAG_mtx-1 := "${@'${CFLAG}'.replace('-O2', '')}"
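Review bot: the new `-Wa,--noexecstack` on the CFLAG continuation line carries no comment saying why it is there, and because it sits in openssl.inc it applies to every build that uses this file, native and target alike. Add a one-line comment above CFLAG explaining that it stops libcrypto.so being marked as needing an executable stack (which SELinux refuses to load), and say in the commit message whether changing the target build is intended.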
diff --git a/meta/recipes-connectivity/openssl/openssl_0.9.8p.bb b/meta/recipes-connectivity/openssl/openssl_0.9.8p.bb
index 3949540..fe02272 100644
--- a/meta/recipes-connectivity/openssl/openssl_0.9.8p.bb
+++ b/meta/recipes-connectivity/openssl/openssl_0.9.8p.bb
@@ -1,6 +1,6 @@
require openssl.inc
-PR = "r0"
+PR = "r1"
SRC_URI += "file://debian/ca.patch \
file://debian/config-hurd.patch;apply=no \
file://debian/debian-targets.patch \
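Review bot: the PR bump to r1 covers only this recipe, while the functional change lives in openssl.inc, which is pulled in here through `require openssl.inc`. Any other recipe that requires the same include file picks up the new CFLAG as well and needs its own PR bump for the rebuild to trigger.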
--
1.7.1
---------------------------------------------------------------------
Intel Corporation (UK) Limited
Registered No. 1134945 (England)
Registered Office: Pipers Way, Swindon SN3 1RJ
VAT No: 860 2173 47
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
* [PATCH 2/3] sanity.bbclass: add wget to required utilities
2010-11-22 10:53 [PATCH 0/3] Patches for successful Fedora 14 build Paul Eggleton
2010-11-17 11:37 ` [PATCH 1/3] openssl: disable execstack flag to prevent problems with SELinux Paul Eggleton
@ 2010-11-18 11:34 ` Paul Eggleton
2010-11-19 12:37 ` [PATCH 3/3] qemu: fix failure to find zlib header files during configure Paul Eggleton
2 siblings, 0 replies; 11+ messages in thread
From: Paul Eggleton @ 2010-11-18 11:34 UTC (permalink / raw)
To: poky
Signed-off-by: Paul Eggleton <paul.eggleton@intel.com>
---
meta/classes/sanity.bbclass | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 7f1f800..06aeddc 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -106,7 +106,7 @@ def check_sanity(e):
if not check_app_exists('${BUILD_PREFIX}g++', e.data):
missing = missing + "C++ Compiler (%sg++)," % data.getVar("BUILD_PREFIX", e.data, True)
- required_utilities = "patch help2man diffstat texi2html makeinfo cvs svn bzip2 tar gzip gawk hg chrpath"
+ required_utilities = "patch help2man diffstat texi2html makeinfo cvs svn bzip2 tar gzip gawk hg chrpath wget"
# qemu-native needs gcc 3.x
if "qemu-native" not in assume_provided and "gcc3-native" in assume_provided:
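Review bot: nothing records why wget joins required_utilities, since the commit message for this change is a sign-off with no body. State which step fails on a host without wget, so the entry can be revisited if that step ever stops depending on it.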
--
1.7.1
* [PATCH 3/3] qemu: fix failure to find zlib header files during configure
2010-11-22 10:53 [PATCH 0/3] Patches for successful Fedora 14 build Paul Eggleton
2010-11-17 11:37 ` [PATCH 1/3] openssl: disable execstack flag to prevent problems with SELinux Paul Eggleton
2010-11-18 11:34 ` [PATCH 2/3] sanity.bbclass: add wget to required utilities Paul Eggleton
@ 2010-11-19 12:37 ` Paul Eggleton
2010-11-22 17:05 ` Richard Purdie
2 siblings, 1 reply; 11+ messages in thread
From: Paul Eggleton @ 2010-11-19 12:37 UTC (permalink / raw)
To: poky
Corrects problems during configure of qemu-native due to the BUILD_CFLAGS
not being included when attempting to compile the test program for zlib
within the configure script.
Signed-off-by: Paul Eggleton <paul.eggleton@intel.com>
---
.../qemu/qemu-0.12.4/fix-configure-checks.patch | 16 ++++++++++++++++
meta/recipes-devtools/qemu/qemu_0.12.4.bb | 3 ++-
2 files changed, 18 insertions(+), 1 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu-0.12.4/fix-configure-checks.patch
diff --git a/meta/recipes-devtools/qemu/qemu-0.12.4/fix-configure-checks.patch b/meta/recipes-devtools/qemu/qemu-0.12.4/fix-configure-checks.patch
new file mode 100644
index 0000000..e397848
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu-0.12.4/fix-configure-checks.patch
@@ -0,0 +1,16 @@
+Adds BUILD_CFLAGS to QEMU_CFLAGS so that zlib configure check succeeds.
+Without this, zlib configure check was failing without zlib headers installed
+on the host system.
+
+Author: Paul Eggleton <paul.eggleton@intel.com>
+
+--- qemu-0.12.4.orig/configure
++++ qemu-0.12.4/configure
+@@ -99,6 +99,7 @@ QEMU_CFLAGS="-Wstrict-prototypes -Wredun
+ QEMU_CFLAGS="-D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE $QEMU_CFLAGS"
+ QEMU_CFLAGS="-U_FORTIFY_SOURCE $QEMU_CFLAGS"
+ QEMU_CFLAGS="-I. -I\$(SRC_PATH) $QEMU_CFLAGS"
++QEMU_CFLAGS="$QEMU_CFLAGS $BUILD_CFLAGS"
+ LDFLAGS="-g $LDFLAGS"
+
+ gcc_flags="-Wold-style-declaration -Wold-style-definition"
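Review bot: `QEMU_CFLAGS="$QEMU_CFLAGS $BUILD_CFLAGS"` pulls build-host flags into configure, but fix-configure-checks.patch is added to the SRC_URI of qemu_0.12.4.bb rather than to a native-only recipe, so a target build of qemu would also compile with host flags. Use `$CFLAGS` here, or restrict the patch to the native build, and note in the patch header which of the two builds was tested.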
diff --git a/meta/recipes-devtools/qemu/qemu_0.12.4.bb b/meta/recipes-devtools/qemu/qemu_0.12.4.bb
index 6e7d86f..ec0d9d2 100644
--- a/meta/recipes-devtools/qemu/qemu_0.12.4.bb
+++ b/meta/recipes-devtools/qemu/qemu_0.12.4.bb
@@ -1,6 +1,6 @@
require qemu.inc
-PR = "r22"
+PR = "r23"
FILESPATH = "${FILE_DIRNAME}/qemu-${PV}"
FILESDIR = "${WORKDIR}"
@@ -21,6 +21,7 @@ SRC_URI = "\
file://arm-cp15-fix.patch \
file://cursor-shadow-fix.patch \
file://vmware-vga-fifo-rewind.patch \
+ file://fix-configure-checks.patch \
file://powerpc_rom.bin"
do_install_append () {
--
1.7.1
* [PATCH 0/3] Patches for successful Fedora 14 build
@ 2010-11-22 10:53 Paul Eggleton
2010-11-17 11:37 ` [PATCH 1/3] openssl: disable execstack flag to prevent problems with SELinux Paul Eggleton
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: Paul Eggleton @ 2010-11-22 10:53 UTC (permalink / raw)
To: poky
These patches were required to get a successful Poky build on Fedora 14. (Note
that these patches were posted to the list last week and are unchanged aside from
some additional comments.)
Pull URL: git://git.pokylinux.org/poky-contrib.git
Branch: paule/fixes
Browse: http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=paule/fixes
Thanks,
Paul Eggleton <paul.eggleton@intel.com>
---
Paul Eggleton (3):
openssl: disable execstack flag to prevent problems with SELinux
sanity.bbclass: add wget to required utilities
qemu: fix failure to find zlib header files during configure
meta/classes/sanity.bbclass | 2 +-
meta/recipes-connectivity/openssl/openssl.inc | 2 +-
.../recipes-connectivity/openssl/openssl_0.9.8p.bb | 2 +-
.../qemu/qemu-0.12.4/fix-configure-checks.patch | 16 ++++++++++++++++
meta/recipes-devtools/qemu/qemu_0.12.4.bb | 3 ++-
5 files changed, 21 insertions(+), 4 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu-0.12.4/fix-configure-checks.patch
* Re: [PATCH 3/3] qemu: fix failure to find zlib header files during configure
2010-11-19 12:37 ` [PATCH 3/3] qemu: fix failure to find zlib header files during configure Paul Eggleton
@ 2010-11-22 17:05 ` Richard Purdie
2010-11-22 17:18 ` Paul Eggleton
0 siblings, 1 reply; 11+ messages in thread
From: Richard Purdie @ 2010-11-22 17:05 UTC (permalink / raw)
To: Paul Eggleton; +Cc: poky
Hi Paul,
On Fri, 2010-11-19 at 12:37 +0000, Paul Eggleton wrote:
> Corrects problems during configure of qemu-native due to the BUILD_CFLAGS
> not being included when attempting to compile the test program for zlib
> within the configure script.
>
> Signed-off-by: Paul Eggleton <paul.eggleton@intel.com>
> ---
> .../qemu/qemu-0.12.4/fix-configure-checks.patch | 16 ++++++++++++++++
> meta/recipes-devtools/qemu/qemu_0.12.4.bb | 3 ++-
> 2 files changed, 18 insertions(+), 1 deletions(-)
> create mode 100644 meta/recipes-devtools/qemu/qemu-0.12.4/fix-configure-checks.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu-0.12.4/fix-configure-checks.patch b/meta/recipes-devtools/qemu/qemu-0.12.4/fix-configure-checks.patch
> new file mode 100644
> index 0000000..e397848
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu-0.12.4/fix-configure-checks.patch
> @@ -0,0 +1,16 @@
> +Adds BUILD_CFLAGS to QEMU_CFLAGS so that zlib configure check succeeds.
> +Without this, zlib configure check was failing without zlib headers installed
> +on the host system.
> +
> +Author: Paul Eggleton <paul.eggleton@intel.com>
> +
> +--- qemu-0.12.4.orig/configure
> ++++ qemu-0.12.4/configure
> +@@ -99,6 +99,7 @@ QEMU_CFLAGS="-Wstrict-prototypes -Wredun
> + QEMU_CFLAGS="-D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE $QEMU_CFLAGS"
> + QEMU_CFLAGS="-U_FORTIFY_SOURCE $QEMU_CFLAGS"
> + QEMU_CFLAGS="-I. -I\$(SRC_PATH) $QEMU_CFLAGS"
> ++QEMU_CFLAGS="$QEMU_CFLAGS $BUILD_CFLAGS"
> + LDFLAGS="-g $LDFLAGS"
> +
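Review bot: flag order matters on the added line, because it appends `$BUILD_CFLAGS` after the `-U_FORTIFY_SOURCE` that the context lines prepend. A `-D_FORTIFY_SOURCE=...` arriving through the appended variable would come later on the compiler command line and override that undefine. Confirm the appended flags never define it, or repeat `-U_FORTIFY_SOURCE` after the variable.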
Should this be $CFLAGS? I just wonder what the effect of injecting
BUILD_CFLAGS would be in the target case (qemu vs. qemu-native)?
In the native case CFLAGS == BUILD_CFLAGS.
Cheers,
Richard
* Re: [PATCH 3/3] qemu: fix failure to find zlib header files during configure
2010-11-22 17:05 ` Richard Purdie
@ 2010-11-22 17:18 ` Paul Eggleton
2010-11-28 14:41 ` Richard Purdie
0 siblings, 1 reply; 11+ messages in thread
From: Paul Eggleton @ 2010-11-22 17:18 UTC (permalink / raw)
To: Richard Purdie; +Cc: poky@pokylinux.org
On Monday 22 November 2010 17:05:11 Richard Purdie wrote:
> Should this be $CFLAGS? I just wonder what the effect of injecting
> BUILD_CFLAGS would be in the target case (qemu vs. qemu-native)?
>
> In the native case CFLAGS == BUILD_CFLAGS.
Yes, actually the initial version of my patch used CFLAGS which works just fine (for qemu-native, I have to admit to not testing qemu), so I'm happy for that to be changed.
Cheers,
Paul
* Re: [PATCH 1/3] openssl: disable execstack flag to prevent problems with SELinux
2010-11-17 11:37 ` [PATCH 1/3] openssl: disable execstack flag to prevent problems with SELinux Paul Eggleton
@ 2010-11-22 19:22 ` Richard Purdie
2010-11-23 11:00 ` Paul Eggleton
0 siblings, 1 reply; 11+ messages in thread
From: Richard Purdie @ 2010-11-22 19:22 UTC (permalink / raw)
To: Paul Eggleton; +Cc: poky
Hi Paul,
On Wed, 2010-11-17 at 11:37 +0000, Paul Eggleton wrote:
> The execstack flag gets set on libcrypto.so by default which causes SELinux
> to prevent it from being loaded on systems using SELinux, which includes
> Fedora. This patch disables the execstack flag. (Note: Red Hat do this in
> their openssl packaging.)
>
> Signed-off-by: Paul Eggleton <paul.eggleton@intel.com>
> ---
> meta/recipes-connectivity/openssl/openssl.inc | 2 +-
> .../recipes-connectivity/openssl/openssl_0.9.8p.bb | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index da90456..15144b1 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -15,7 +15,7 @@ S = "${WORKDIR}/openssl-${PV}"
>
> AR_append = " r"
> CFLAG = "${@base_conditional('SITEINFO_ENDIANESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \
> - -DTERMIO ${FULL_OPTIMIZATION} -Wall"
> + -DTERMIO ${FULL_OPTIMIZATION} -Wall -Wa,--noexecstack"
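Review bot: `-Wa,--noexecstack` only reaches objects that are assembled through this CFLAG, so the marking on the final libcrypto.so still depends on every object in the link going that route. Record in the commit message how the result was checked, for example that `readelf -lW libcrypto.so` shows GNU_STACK as RW and not RWE.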
Should this flag be used for both the -native and target versions or
just the native one?
If it's just native specific, you should be able to do something like:
CFLAG_append_virtclass-native = " -Wa,--noexecstack"
Cheers,
Richard
* Re: [PATCH 1/3] openssl: disable execstack flag to prevent problems with SELinux
2010-11-22 19:22 ` Richard Purdie
@ 2010-11-23 11:00 ` Paul Eggleton
0 siblings, 0 replies; 11+ messages in thread
From: Paul Eggleton @ 2010-11-23 11:00 UTC (permalink / raw)
To: Richard Purdie; +Cc: poky@pokylinux.org
On Monday 22 November 2010 19:22:55 Richard Purdie wrote:
> > CFLAG = "${@base_conditional('SITEINFO_ENDIANESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \
> > - -DTERMIO ${FULL_OPTIMIZATION} -Wall"
> > + -DTERMIO ${FULL_OPTIMIZATION} -Wall -Wa,--noexecstack"
>
> Should this flag be used for both the -native and target versions or
> just the native one?
Well, we're trying to solve a native-only issue at this point, but it's conceivable that someone could want to use SELinux on the target, in which case assuming the same SELinux policies they would also need this fix. In any case leaving the execstack flag on doesn't really serve any purpose, since AFAICT the openssl libs don't actually need to execute the stack, the assembler just assumes they do since it hasn't been told otherwise and thus marks the binary as such.
If you'd prefer to apply it only to the native version however I wouldn't object.
Cheers,
Paul
* Re: [PATCH 3/3] qemu: fix failure to find zlib header files during configure
2010-11-22 17:18 ` Paul Eggleton
@ 2010-11-28 14:41 ` Richard Purdie
2010-11-29 10:28 ` Paul Eggleton
0 siblings, 1 reply; 11+ messages in thread
From: Richard Purdie @ 2010-11-28 14:41 UTC (permalink / raw)
To: Paul Eggleton; +Cc: poky@pokylinux.org
On Mon, 2010-11-22 at 17:18 +0000, Paul Eggleton wrote:
> On Monday 22 November 2010 17:05:11 Richard Purdie wrote:
> > Should this be $CFLAGS? I just wonder what the effect of injecting
> > BUILD_CFLAGS would be in the target case (qemu vs. qemu-native)?
> >
> > In the native case CFLAGS == BUILD_CFLAGS.
>
> Yes, actually the initial version of my patch used CFLAGS which works
> just fine (for qemu-native, I have to admit to not testing qemu), so
> I'm happy for that to be changed.
Ok, I think it was me who suggested BUILD_CFLAGS to Joshua as I thought
this was a native only patch. Using CFLAGS in this context is fine.
I've updated the patch and also added a header to the patch indicating
what problem it solves and why it's there. Please try and ensure you add
that next time as it really helps when you look at the patch again 12
months later and wonder what it does!
Cheers,
Richard
* Re: [PATCH 3/3] qemu: fix failure to find zlib header files during configure
2010-11-28 14:41 ` Richard Purdie
@ 2010-11-29 10:28 ` Paul Eggleton
2010-11-29 11:48 ` Richard Purdie
0 siblings, 1 reply; 11+ messages in thread
From: Paul Eggleton @ 2010-11-29 10:28 UTC (permalink / raw)
To: Richard Purdie; +Cc: poky@pokylinux.org
On Sunday 28 November 2010 14:41:40 Richard Purdie wrote:
> I've updated the patch and also added a header to the patch indicating
> what problem it solves and why it's there. Please try and ensure you add
> that next time as it really helps when you look at the patch again 12
> months later and wonder what it does!
That's a good point, but actually Joshua already mentioned this and that's why in the (revised) posted patch you're replying to you'll see there is a note at the top of the source patch explaining what it does. ;)
Of course I will endeavour to include this on all future source patches (and mark revised patches more clearly when posting to the list).
Cheers,
Paul
* Re: [PATCH 3/3] qemu: fix failure to find zlib header files during configure
2010-11-29 10:28 ` Paul Eggleton
@ 2010-11-29 11:48 ` Richard Purdie
0 siblings, 0 replies; 11+ messages in thread
From: Richard Purdie @ 2010-11-29 11:48 UTC (permalink / raw)
To: Paul Eggleton; +Cc: poky@pokylinux.org
On Mon, 2010-11-29 at 10:28 +0000, Paul Eggleton wrote:
> On Sunday 28 November 2010 14:41:40 Richard Purdie wrote:
> > I've updated the patch and also added a header to the patch indicating
> > what problem it solves and why it's there. Please try and ensure you add
> > that next time as it really helps when you look at the patch again 12
> > months later and wonder what it does!
>
> That's a good point, but actually Joshua already mentioned this and
> that's why in the (revised) posted patch you're replying to you'll see
> there is a note at the top of the source patch explaining what it
> does. ;)
>
> Of course I will endeavour to include this on all future source
> patches (and mark revised patches more clearly when posting to the
> list).
Sorry, I see it now. I must have got the two different versions confused
as the version I applied to my checkout didn't seem to have it :/
Cheers,
Richard