Diffstat (limited to 'meta/classes')
-rw-r--r-- | meta/classes/cve-check.bbclass | 31 | ||||
-rw-r--r-- | meta/classes/kernel-fitimage.bbclass | 6 | ||||
-rw-r--r-- | meta/classes/kernel-yocto.bbclass | 3 | ||||
-rw-r--r-- | meta/classes/kernel.bbclass | 2 | ||||
-rw-r--r-- | meta/classes/kernelsrc.bbclass | 2 | ||||
-rw-r--r-- | meta/classes/pypi.bbclass | 4 | ||||
-rw-r--r-- | meta/classes/relocatable.bbclass | 20 | ||||
-rw-r--r-- | meta/classes/sanity.bbclass | 12 |
8 files changed, 49 insertions, 31 deletions
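--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -52,17 +52,20 @@ python do_cve_check () {
 """
 
 if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
-patched_cves = get_patches_cves(d)
-patched, unpatched = check_cves(d, patched_cves)
+try:
+patched_cves = get_patches_cves(d)
+except FileNotFoundError:
+bb.fatal("Failure in searching patches")
+whitelisted, patched, unpatched = check_cves(d, patched_cves)
 if patched or unpatched:
 cve_data = get_cve_info(d, patched + unpatched)
-cve_write_data(d, patched, unpatched, cve_data)
+cve_write_data(d, patched, unpatched, whitelisted, cve_data)
 else:
 bb.note("No CVE database found, skipping CVE check")
 
 }
 
-addtask cve_check before do_build
+addtask cve_check before do_build after do_fetch
 do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
 do_cve_check[nostamp] = "1"
 
@@ -129,6 +132,10 @@ def get_patches_cves(d):
 for url in src_patches(d):
 patch_file = bb.fetch.decodeurl(url)[2]
 
+if not os.path.isfile(patch_file):
+bb.error("File Not found: %s" % patch_file)
+raise FileNotFoundError
+
 # Check patch file name for CVE ID
 fname_match = cve_file_name_match.search(patch_file)
 if fname_match:
@@ -172,13 +179,13 @@ def check_cves(d, patched_cves):
 products = d.getVar("CVE_PRODUCT").split()
 # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
 if not products:
-return ([], [])
+return ([], [], [])
 pv = d.getVar("CVE_VERSION").split("+git")[0]
 
 # If the recipe has been whitlisted we return empty lists
 if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
 bb.note("Recipe has been whitelisted, skipping check")
-return ([], [])
+return ([], [], [])
 
 old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
 if old_cve_whitelist:
@@ -214,7 +221,7 @@ def check_cves(d, patched_cves):
 (_, _, _, version_start, operator_start, version_end, operator_end) = row
 #bb.debug(2, "Evaluating row " + str(row))
 
-if (operator_start == '=' and pv == version_start):
+if (operator_start == '=' and pv == version_start) or version_start == '-':
 vulnerable = True
 else:
 if operator_start:
@@ -256,7 +263,7 @@ def check_cves(d, patched_cves):
 
 conn.close()
 
-return (list(patched_cves), cves_unpatched)
+return (list(cve_whitelist), list(patched_cves), cves_unpatched)
 
 def get_cve_info(d, cves):
 """
@@ -280,7 +287,7 @@ def get_cve_info(d, cves):
 conn.close()
 return cve_data
 
-def cve_write_data(d, patched, unpatched, cve_data):
+def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
 """
 Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
 CVE manifest if enabled.
@@ -294,9 +301,11 @@ def cve_write_data(d, patched, unpatched, cve_data):
 
 for cve in sorted(cve_data):
 write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
-write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV")
+write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
 write_string += "CVE: %s\n" % cve
-if cve in patched:
+if cve in whitelisted:
+write_string += "CVE STATUS: Whitelisted\n"
+elif cve in patched:
 write_string += "CVE STATUS: Patched\n"
 else:
 unpatched_cves.append(cve)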
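Review bot: `CVE STATUS: Whitelisted` can only be written for IDs that `check_cves` also returned in `patched` or `unpatched`, because `do_cve_check` still builds `cve_data` from `patched + unpatched` and `cve_write_data` iterates only `cve_data`. Whether `check_cves` folds whitelisted IDs into `patched_cves` is outside the visible hunks, and its new first return value is the whole configured list (`list(cve_whitelist)`), not the IDs that matched this product. Since `if cve in whitelisted:` is tested first, a whitelisted ID that would otherwise fall into the `else:` branch is not appended to `unpatched_cves`. I would state that contract in the `cve_write_data` docstring, for example `whitelisted: all IDs from the configured whitelist; only those also present in cve_data are reported, and they are never counted as unpatched`.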
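--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -53,6 +53,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= ""
 # fitImage Hash Algo
 FIT_HASH_ALG ?= "sha256"
 
+# fitImage Signature Algo
+FIT_SIGN_ALG ?= "rsa2048"
+
 #
 # Emit the fitImage ITS header
 #
@@ -246,6 +249,7 @@ EOF
 fitimage_emit_section_config() {
 
 conf_csum="${FIT_HASH_ALG}"
+conf_sign_algo="${FIT_SIGN_ALG}"
 if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then
 conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
 fi
@@ -327,7 +331,7 @@ EOF
 
 cat << EOF >> ${1}
 signature@1 {
-algo = "${conf_csum},rsa2048";
+algo = "${conf_csum},${conf_sign_algo}";
 key-name-hint = "${conf_sign_keyname}";
 ${sign_line}
 };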
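Review bot: `FIT_SIGN_ALG` is copied into the `algo` property of `signature@1` without any check, so an empty or misspelled value yields an ITS such as `algo = "sha256,";` and the mistake presumably surfaces only when the image is signed or verified. The one-line comment `# fitImage Signature Algo` should say what the value has to agree with, for example `# fitImage signature algorithm; must match the type and size of the key named by UBOOT_SIGN_KEYNAME and be supported by the U-Boot that verifies the image`. `conf_sign_algo` is also assigned outside the `UBOOT_SIGN_ENABLE` test, unlike `conf_sign_keyname`; the rest of `fitimage_emit_section_config` is outside the hunks, so I cannot tell whether that matters.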
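--- a/meta/classes/kernel-yocto.bbclass
+++ b/meta/classes/kernel-yocto.bbclass
@@ -1,5 +1,5 @@
 # remove tasks that modify the source tree in case externalsrc is inherited
-SRCTREECOVEREDTASKS += "do_kernel_configme do_validate_branches do_kernel_configcheck do_kernel_checkout do_fetch do_unpack do_patch"
+SRCTREECOVEREDTASKS += "do_validate_branches do_kernel_configcheck do_kernel_checkout do_fetch do_unpack do_patch"
 PATCH_GIT_USER_EMAIL ?= "kernel-yocto@oe"
 PATCH_GIT_USER_NAME ?= "OpenEmbedded"
 
@@ -301,6 +301,7 @@ do_validate_branches[depends] = "kern-tools-native:do_populate_sysroot"
 do_kernel_configme[depends] += "virtual/${TARGET_PREFIX}binutils:do_populate_sysroot"
 do_kernel_configme[depends] += "virtual/${TARGET_PREFIX}gcc:do_populate_sysroot"
 do_kernel_configme[depends] += "bc-native:do_populate_sysroot bison-native:do_populate_sysroot"
+do_kernel_configme[depends] += "kern-tools-native:do_populate_sysroot"
 do_kernel_configme[dirs] += "${S} ${B}"
 do_kernel_configme() {
 set +e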
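--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -452,7 +452,7 @@ do_shared_workdir () {
 
 # Copy files required for module builds
 cp System.map $kerneldir/System.map-${KERNEL_VERSION}
-cp Module.symvers $kerneldir/
+[ -e Module.symvers ] && cp Module.symvers $kerneldir/
 cp .config $kerneldir/
 mkdir -p $kerneldir/include/config
 cp include/config/kernel.release $kerneldir/include/config/kernel.release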
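Review bot: When `Module.symvers` is absent, the new line 455 skips the copy silently, so a `Module.symvers` left in `$kerneldir` by an earlier build would stay there and no longer describe the kernel just built; whether `$kerneldir` is emptied earlier in `do_shared_workdir` is outside the hunk. An explicit form covers both cases: `if [ -e Module.symvers ]; then cp Module.symvers $kerneldir/; else rm -f $kerneldir/Module.symvers; fi`. It also reads more plainly than a `[ ... ] &&` list whose non-zero status is deliberately ignored.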
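--- a/meta/classes/kernelsrc.bbclass
+++ b/meta/classes/kernelsrc.bbclass
@@ -1,7 +1,7 @@
 S = "${STAGING_KERNEL_DIR}"
 deltask do_fetch
 deltask do_unpack
-do_patch[depends] += "virtual/kernel:do_patch"
+do_patch[depends] += "virtual/kernel:do_shared_workdir"
 do_patch[noexec] = "1"
 do_package[depends] += "virtual/kernel:do_populate_sysroot"
 KERNEL_VERSION = "${@get_kernelversion_file("${STAGING_KERNEL_BUILDDIR}")}"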
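--- a/meta/classes/pypi.bbclass
+++ b/meta/classes/pypi.bbclass
@@ -22,5 +22,5 @@ SECTION = "devel/python"
 SRC_URI += "${PYPI_SRC_URI}"
 S = "${WORKDIR}/${PYPI_PACKAGE}-${PV}"
 
-UPSTREAM_CHECK_URI ?= "https://pypi.python.org/pypi/${PYPI_PACKAGE}/"
-UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)"
+UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${PYPI_PACKAGE}/"
+UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/"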
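Review bot: With the closing `/` now required after the version group, `(\d+[\.\-_]*)+` in `UPSTREAM_CHECK_REGEX` can backtrack exponentially, because a run of digits can be divided between the inner `\d+` and the outer `+` in many ways and every division is retried when the `/` is missing. The pattern is presumably applied to the page fetched from `UPSTREAM_CHECK_URI`, so the input is remote content and a long digit run there could stall the upstream version check. A form that accepts the same strings without the nested quantifier is `(?P<pver>\d+([\.\-_]+\d+)*[\.\-_]*)`. `${PYPI_PACKAGE}` is also placed in the regex unescaped, so a `.` in a package name matches any character.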
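--- a/meta/classes/relocatable.bbclass
+++ b/meta/classes/relocatable.bbclass
@@ -6,13 +6,15 @@ python relocatable_binaries_preprocess() {
 rpath_replace(d.expand('${SYSROOT_DESTDIR}'), d)
 }
 
-relocatable_native_pcfiles () {
-if [ -d ${SYSROOT_DESTDIR}${libdir}/pkgconfig ]; then
-rel=${@os.path.relpath(d.getVar('base_prefix'), d.getVar('libdir') + "/pkgconfig")}
-sed -i -e "s:${base_prefix}:\${pcfiledir}/$rel:g" ${SYSROOT_DESTDIR}${libdir}/pkgconfig/*.pc
-fi
-if [ -d ${SYSROOT_DESTDIR}${datadir}/pkgconfig ]; then
-rel=${@os.path.relpath(d.getVar('base_prefix'), d.getVar('datadir') + "/pkgconfig")}
-sed -i -e "s:${base_prefix}:\${pcfiledir}/$rel:g" ${SYSROOT_DESTDIR}${datadir}/pkgconfig/*.pc
-fi
+relocatable_native_pcfiles() {
+for dir in ${libdir}/pkgconfig ${datadir}/pkgconfig; do
+files_template=${SYSROOT_DESTDIR}$dir/*.pc
+# Expand to any files matching $files_template
+files=$(echo $files_template)
+# $files_template and $files will differ if any files were found
+if [ "$files_template" != "$files" ]; then
+rel=$(realpath -m --relative-to=$dir ${base_prefix})
+sed -i -e "s:${base_prefix}:\${pcfiledir}/$rel:g" $files
+fi
+done
 }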
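--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -625,13 +625,14 @@ def check_sanity_version_change(status, d):
 # In other words, these tests run once in a given build directory and then
 # never again until the sanity version or host distrubution id/version changes.
 
-# Check the python install is complete. glib-2.0-natives requries
-# xml.parsers.expat
+# Check the python install is complete. Examples that are often removed in
+# minimal installations: glib-2.0-natives requries # xml.parsers.expat and icu
+# requires distutils.sysconfig.
 try:
 import xml.parsers.expat
-except ImportError:
-status.addresult('Your python is not a full install. Please install the module xml.parsers.expat (python-xml on openSUSE and SUSE Linux).\n')
-import stat
+import distutils.sysconfig
+except ImportError as e:
+status.addresult('Your Python 3 is not a full install. Please install the module %s (see the Getting Started guide for further information).\n' % e.name)
 
 status.addresult(check_make_version(d))
 status.addresult(check_patch_version(d))
@@ -667,6 +668,7 @@ def check_sanity_version_change(status, d):
 status.addresult('Please use ASSUME_PROVIDED +=, not ASSUME_PROVIDED = in your local.conf\n')
 
 # Check that TMPDIR isn't on a filesystem with limited filename length (eg. eCryptFS)
+import stat
 tmpdir = d.getVar('TMPDIR')
 status.addresult(check_create_long_filename(tmpdir, "TMPDIR"))
 tmpdirmode = os.stat(tmpdir).st_mode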
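Review bot: The rewritten comment above the `try:` has a stray `#` in the middle of its second line and keeps the `requries` typo; that line should read `# minimal installations: glib-2.0-natives requires xml.parsers.expat and icu`. Both imports now share one `try`, so a host missing both modules is told about the first only. `e.name` is whichever module the interpreter failed on, which may be an inner dependency rather than one of the two names in the comment, and it is `None` when the exception was raised without a name. Falling back to the checked module name in the message would keep the hint usable in those cases.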