ecryptfs-utils: add new recipe

eCryptfs is a stacked cryptographic filesystem that ships in Linux kernel versions 2.6.19 and above. This package provides the mount helper and supporting libraries to perform key management and mount functions. Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Jackie Huang <jackie.huang@windriver.com> 2017-05-24 10:22:37 +0800
committer: Armin Kuster <akuster808@gmail.com> 2017-06-01 08:01:34 -0700
commit: 4f2a08e3faf46c3179e334af5882045fd9cb5162 (patch)
tree: c87b43f898aa494f5fe8e531fc7343b058dbcc6a /recipes-security
parent: 37c47c164e4d02e6e9b1c106a73695e8a0094c30 (diff)
download: meta-security-4f2a08e3faf46c3179e334af5882045fd9cb5162.tar.gz
3 files changed, 137 insertions, 0 deletions
diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
new file mode 100644
index 0000000..f55b0c3
--- /dev/null
+++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -0,0 +1,63 @@
+SUMMARY = "The eCryptfs mount helper and support libraries"
+DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \
+    that ships in Linux kernel versions 2.6.19 and above. This \
+    package provides the mount helper and supporting libraries \
+    to perform key management and mount functions."
+HOMEPAGE = "https://launchpad.net/ecryptfs"
+SECTION = "base"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
+DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native"
+SRC_URI = "\
+    https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \
+    file://ecryptfs-utils-CVE-2016-6224.patch \
+    file://ecryptfs.service \
+    "
+SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
+SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f"
+inherit autotools pkgconfig systemd
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "ecryptfs.service"
+EXTRA_OECONF = "\
+    --libdir=${base_libdir} \
+    --disable-pywrap \
+    --disable-nls \
+    "
+PACKAGECONFIG ??= "nss \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
+    "
+PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss,"
+PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,"
+PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
+do_configure_prepend() {
+    export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
+    export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
+    export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
+    export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
+}
+do_install_append() {
+    chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private
+    mkdir -p ${D}/${libdir}
+    mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir}
+    sed -i -e 's:-I${STAGING_INCDIR}::' \
+           -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc
+    sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" ${D}${bindir}/ecryptfs-setup-swap
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -D -m 0644 ${WORKDIR}/ecryptfs.service ${D}${systemd_system_unitdir}/ecryptfs.service
+    fi
+}
+FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
+RDEPENDS_${PN} += "cryptsetup"
+RRECOMMENDS_${PN} = "gettext-runtime"
diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
new file mode 100644
index 0000000..4252f97
--- /dev/null
+++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
@@ -0,0 +1,65 @@
+From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Mon, 5 Sep 2016 10:28:08 +0800
+Subject: [PATCH] ecryptfs-utils: CVE-2016-6224
+src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+being automatically enabled by systemd. This bug affected GPT partitioned
+NVMe/MMC drives and resulted in the swap partition being used without
+encryption. It also resulted in a usability issue in that users were
+erroneously prompted to enter a pass-phrase to unlock their swap partition
+at boot. (LP: #1597154)
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
+https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
+Upstream-Status: backport
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ ChangeLog                     |  9 +++++++++
+ src/utils/ecryptfs-setup-swap | 10 ++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index d255a94..2c9c73e 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,12 @@
+ecryptfs-utils-112
+  [ Jason Gerard DeRose ]
+  * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
+    being automatically enabled by systemd. This bug affected GPT partitioned
+    NVMe/MMC drives and resulted in the swap partition being used without
+    encryption. It also resulted in a usability issue in that users were
+    erroneously prompted to enter a pass-phrase to unlock their swap partition
+    at boot. (LP: #1597154)
+
+ ecryptfs-utils-74
+   [ Michal Hlavinka ]
+   * Changes for RH/Fedora release
+diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
+index 41cf18a..e4785d7 100755
+--- a/src/utils/ecryptfs-setup-swap
+++ b/src/utils/ecryptfs-setup-swap
+@@ -166,8 +166,14 @@ for swap in $swaps; do
+        # If this is a GPT partition, mark it as no-auto mounting, to avoid
+        # auto-activating it on boot
+        if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
+-               drive="${swap%[0-9]*}"
+-               partno="${swap#$drive}"
+               # Correctly handle NVMe/MMC drives, as well as any similar physical
+               # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
+               if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
+                       drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
+               else
+                       drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
+               fi
+               partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
+                if [ -b "$drive" ]; then
+                        if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
+                                echo "$swap is already marked as no-auto"
+-- 
+1.9.1
diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs.service b/recipes-security/ecryptfs-utils/files/ecryptfs.service
new file mode 100644
index 0000000..c23a03a
--- /dev/null
+++ b/recipes-security/ecryptfs-utils/files/ecryptfs.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=A userspace daemon that runs as the user perform file operations under the eCryptfs mount point
+After=udev.service
+[Service]
+ExecStart=/usr/bin/ecryptfsd -f
+[Install]
+WantedBy=multi-user.target
author	Jackie Huang <jackie.huang@windriver.com>	2017-05-24 10:22:37 +0800
committer	Armin Kuster <akuster808@gmail.com>	2017-06-01 08:01:34 -0700
commit	4f2a08e3faf46c3179e334af5882045fd9cb5162 (patch)
tree	c87b43f898aa494f5fe8e531fc7343b058dbcc6a /recipes-security
parent	37c47c164e4d02e6e9b1c106a73695e8a0094c30 (diff)
download	meta-security-4f2a08e3faf46c3179e334af5882045fd9cb5162.tar.gz

diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb new file mode 100644 index 0000000..f55b0c3 --- /dev/null +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -0,0 +1,63 @@
	1	SUMMARY = "The eCryptfs mount helper and support libraries"
	2	DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \
	3	that ships in Linux kernel versions 2.6.19 and above. This \
	4	package provides the mount helper and supporting libraries \
	5	to perform key management and mount functions."
	6	HOMEPAGE = "https://launchpad.net/ecryptfs"
	7	SECTION = "base"
	8
	9	LICENSE = "GPL-2.0"
	10	LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
	11
	12	DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native"
	13
	14	SRC_URI = "\
	15	https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \
	16	file://ecryptfs-utils-CVE-2016-6224.patch \
	17	file://ecryptfs.service \
	18	"
	19
	20	SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
	21	SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f"
	22
	23	inherit autotools pkgconfig systemd
	24
	25	SYSTEMD_PACKAGES = "${PN}"
	26	SYSTEMD_SERVICE_${PN} = "ecryptfs.service"
	27
	28	EXTRA_OECONF = "\
	29	--libdir=${base_libdir} \
	30	--disable-pywrap \
	31	--disable-nls \
	32	"
	33
	34	PACKAGECONFIG ??= "nss \
	35	${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
	36	"
	37	PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss,"
	38	PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,"
	39	PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
	40
	41	do_configure_prepend() {
	42	export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
	43	export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
	44	export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
	45	export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
	46	}
	47
	48	do_install_append() {
	49	chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private
	50	mkdir -p ${D}/${libdir}
	51	mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir}
	52	sed -i -e 's:-I${STAGING_INCDIR}::' \
	53	-e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc
	54	sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" ${D}${bindir}/ecryptfs-setup-swap
	55	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
	56	install -D -m 0644 ${WORKDIR}/ecryptfs.service ${D}${systemd_system_unitdir}/ecryptfs.service
	57	fi
	58	}
	59
	60	FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
	61
	62	RDEPENDS_${PN} += "cryptsetup"
	63	RRECOMMENDS_${PN} = "gettext-runtime"


diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch new file mode 100644 index 0000000..4252f97 --- /dev/null +++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
@@ -0,0 +1,65 @@
	1	From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001
	2	From: Li Zhou <li.zhou@windriver.com>
	3	Date: Mon, 5 Sep 2016 10:28:08 +0800
	4	Subject: [PATCH] ecryptfs-utils: CVE-2016-6224
	5
	6	src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
	7	being automatically enabled by systemd. This bug affected GPT partitioned
	8	NVMe/MMC drives and resulted in the swap partition being used without
	9	encryption. It also resulted in a usability issue in that users were
	10	erroneously prompted to enter a pass-phrase to unlock their swap partition
	11	at boot. (LP: #1597154)
	12
	13	the patch comes from:
	14	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
	15	https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
	16
	17	Upstream-Status: backport
	18
	19	Signed-off-by: Li Zhou <li.zhou@windriver.com>
	20	---
	21	ChangeLog \| 9 +++++++++
	22	src/utils/ecryptfs-setup-swap \| 10 ++++++++--
	23	2 files changed, 17 insertions(+), 2 deletions(-)
	24
	25	diff --git a/ChangeLog b/ChangeLog
	26	index d255a94..2c9c73e 100644
	27	--- a/ChangeLog
	28	+++ b/ChangeLog
	29	@@ -1,3 +1,12 @@
	30	+ecryptfs-utils-112
	31	+ [ Jason Gerard DeRose ]
	32	+ * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
	33	+ being automatically enabled by systemd. This bug affected GPT partitioned
	34	+ NVMe/MMC drives and resulted in the swap partition being used without
	35	+ encryption. It also resulted in a usability issue in that users were
	36	+ erroneously prompted to enter a pass-phrase to unlock their swap partition
	37	+ at boot. (LP: #1597154)
	38	+
	39	ecryptfs-utils-74
	40	[ Michal Hlavinka ]
	41	* Changes for RH/Fedora release
	42	diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
	43	index 41cf18a..e4785d7 100755
	44	--- a/src/utils/ecryptfs-setup-swap
	45	+++ b/src/utils/ecryptfs-setup-swap
	46	@@ -166,8 +166,14 @@ for swap in $swaps; do
	47	# If this is a GPT partition, mark it as no-auto mounting, to avoid
	48	# auto-activating it on boot
	49	if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
	50	- drive="${swap%[0-9]*}"
	51	- partno="${swap#$drive}"
	52	+ # Correctly handle NVMe/MMC drives, as well as any similar physical
	53	+ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
	54	+ if echo "$swap" \| grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
	55	+ drive=$(echo "$swap" \| sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
	56	+ else
	57	+ drive=$(echo "$swap" \| sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
	58	+ fi
	59	+ partno=$(echo "$swap" \| sed "s:.\+[^0-9]\([0-9]\+\):\1:")
	60	if [ -b "$drive" ]; then
	61	if printf "x\np\n" \| fdisk "$drive" \| grep -q "^$swap .* GUID:.*\b63\b"; then
	62	echo "$swap is already marked as no-auto"
	63	--
	64	1.9.1
	65


diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs.service b/recipes-security/ecryptfs-utils/files/ecryptfs.service new file mode 100644 index 0000000..c23a03a --- /dev/null +++ b/recipes-security/ecryptfs-utils/files/ecryptfs.service
@@ -0,0 +1,9 @@
	1	[Unit]
	2	Description=A userspace daemon that runs as the user perform file operations under the eCryptfs mount point
	3	After=udev.service
	4
	5	[Service]
	6	ExecStart=/usr/bin/ecryptfsd -f
	7
	8	[Install]
	9	WantedBy=multi-user.target