diff options
3 files changed, 137 insertions, 0 deletions
diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb new file mode 100644 index 0000000..f55b0c3 --- /dev/null +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb | |||
@@ -0,0 +1,63 @@ | |||
1 | SUMMARY = "The eCryptfs mount helper and support libraries" | ||
2 | DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \ | ||
3 | that ships in Linux kernel versions 2.6.19 and above. This \ | ||
4 | package provides the mount helper and supporting libraries \ | ||
5 | to perform key management and mount functions." | ||
6 | HOMEPAGE = "https://launchpad.net/ecryptfs" | ||
7 | SECTION = "base" | ||
8 | |||
9 | LICENSE = "GPL-2.0" | ||
10 | LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" | ||
11 | |||
12 | DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native" | ||
13 | |||
14 | SRC_URI = "\ | ||
15 | https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \ | ||
16 | file://ecryptfs-utils-CVE-2016-6224.patch \ | ||
17 | file://ecryptfs.service \ | ||
18 | " | ||
19 | |||
20 | SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd" | ||
21 | SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f" | ||
22 | |||
23 | inherit autotools pkgconfig systemd | ||
24 | |||
25 | SYSTEMD_PACKAGES = "${PN}" | ||
26 | SYSTEMD_SERVICE_${PN} = "ecryptfs.service" | ||
27 | |||
28 | EXTRA_OECONF = "\ | ||
29 | --libdir=${base_libdir} \ | ||
30 | --disable-pywrap \ | ||
31 | --disable-nls \ | ||
32 | " | ||
33 | |||
34 | PACKAGECONFIG ??= "nss \ | ||
35 | ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ | ||
36 | " | ||
37 | PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss," | ||
38 | PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl," | ||
39 | PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam," | ||
40 | |||
41 | do_configure_prepend() { | ||
42 | export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3" | ||
43 | export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3" | ||
44 | export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" | ||
45 | export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils" | ||
46 | } | ||
47 | |||
48 | do_install_append() { | ||
49 | chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private | ||
50 | mkdir -p ${D}/${libdir} | ||
51 | mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} | ||
52 | sed -i -e 's:-I${STAGING_INCDIR}::' \ | ||
53 | -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc | ||
54 | sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" ${D}${bindir}/ecryptfs-setup-swap | ||
55 | if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then | ||
56 | install -D -m 0644 ${WORKDIR}/ecryptfs.service ${D}${systemd_system_unitdir}/ecryptfs.service | ||
57 | fi | ||
58 | } | ||
59 | |||
60 | FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*" | ||
61 | |||
62 | RDEPENDS_${PN} += "cryptsetup" | ||
63 | RRECOMMENDS_${PN} = "gettext-runtime" | ||
diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch new file mode 100644 index 0000000..4252f97 --- /dev/null +++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00 2001 | ||
2 | From: Li Zhou <li.zhou@windriver.com> | ||
3 | Date: Mon, 5 Sep 2016 10:28:08 +0800 | ||
4 | Subject: [PATCH] ecryptfs-utils: CVE-2016-6224 | ||
5 | |||
6 | src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from | ||
7 | being automatically enabled by systemd. This bug affected GPT partitioned | ||
8 | NVMe/MMC drives and resulted in the swap partition being used without | ||
9 | encryption. It also resulted in a usability issue in that users were | ||
10 | erroneously prompted to enter a pass-phrase to unlock their swap partition | ||
11 | at boot. (LP: #1597154) | ||
12 | |||
13 | the patch comes from: | ||
14 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224 | ||
15 | https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882 | ||
16 | |||
17 | Upstream-Status: backport | ||
18 | |||
19 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
20 | --- | ||
21 | ChangeLog | 9 +++++++++ | ||
22 | src/utils/ecryptfs-setup-swap | 10 ++++++++-- | ||
23 | 2 files changed, 17 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/ChangeLog b/ChangeLog | ||
26 | index d255a94..2c9c73e 100644 | ||
27 | --- a/ChangeLog | ||
28 | +++ b/ChangeLog | ||
29 | @@ -1,3 +1,12 @@ | ||
30 | +ecryptfs-utils-112 | ||
31 | + [ Jason Gerard DeRose ] | ||
32 | + * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from | ||
33 | + being automatically enabled by systemd. This bug affected GPT partitioned | ||
34 | + NVMe/MMC drives and resulted in the swap partition being used without | ||
35 | + encryption. It also resulted in a usability issue in that users were | ||
36 | + erroneously prompted to enter a pass-phrase to unlock their swap partition | ||
37 | + at boot. (LP: #1597154) | ||
38 | + | ||
39 | ecryptfs-utils-74 | ||
40 | [ Michal Hlavinka ] | ||
41 | * Changes for RH/Fedora release | ||
42 | diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap | ||
43 | index 41cf18a..e4785d7 100755 | ||
44 | --- a/src/utils/ecryptfs-setup-swap | ||
45 | +++ b/src/utils/ecryptfs-setup-swap | ||
46 | @@ -166,8 +166,14 @@ for swap in $swaps; do | ||
47 | # If this is a GPT partition, mark it as no-auto mounting, to avoid | ||
48 | # auto-activating it on boot | ||
49 | if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then | ||
50 | - drive="${swap%[0-9]*}" | ||
51 | - partno="${swap#$drive}" | ||
52 | + # Correctly handle NVMe/MMC drives, as well as any similar physical | ||
53 | + # block device that follow the "/dev/foo0p1" pattern (LP: #1597154) | ||
54 | + if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then | ||
55 | + drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:") | ||
56 | + else | ||
57 | + drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:") | ||
58 | + fi | ||
59 | + partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:") | ||
60 | if [ -b "$drive" ]; then | ||
61 | if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then | ||
62 | echo "$swap is already marked as no-auto" | ||
63 | -- | ||
64 | 1.9.1 | ||
65 | |||
diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs.service b/recipes-security/ecryptfs-utils/files/ecryptfs.service new file mode 100644 index 0000000..c23a03a --- /dev/null +++ b/recipes-security/ecryptfs-utils/files/ecryptfs.service | |||
@@ -0,0 +1,9 @@ | |||
1 | [Unit] | ||
2 | Description=A userspace daemon that runs as the user perform file operations under the eCryptfs mount point | ||
3 | After=udev.service | ||
4 | |||
5 | [Service] | ||
6 | ExecStart=/usr/bin/ecryptfsd -f | ||
7 | |||
8 | [Install] | ||
9 | WantedBy=multi-user.target | ||