meta-openembedded: subtree update:4fe1065655..2449e5f07a
Alexander Kanavin (1):
remmina: make avahi support optional and off by default
Alexander Vickberg (1):
hostapd: fix building with CONFIG_TLS=internal
Andreas Müller (63):
mariadb: Fix configure
evolution-data-server: Backport upstream patch to fix configure on latest CMake
libgtop: tidy up recipe
xfce4-systemload-plugin: upgrade 1.3.0 -> 1.3.1 / introduce PACKAGECONFIGs
xfce4-clipman-plugin: upgrade 1.6.1 -> 1.6.2
xfce4-panel: upgrade 4.16.2 -> 4.16.3
fluidsynth: upgrade 2.2.0 -> 2.2.1
gparted: upgrade 1.2.0 -> 1.3.0
poppler: upgrade 21.04.0 -> 21.05.0
tracker: upgrade 2.3.6 -> 3.0.4
tracker-miners: upgrade 2.3.5 -> 3.0.5
nautilus: upgrade 3.36.3 -> 40.1
gnome-photos: upgrade 3.34.2 -> 40.0
file-roller: upgrade 3.36.3 -> 3.38.1
tepl: upgrade 4.4.0 -> 6.00.0
gedit: upgrade 3.36.2 -> 40.1
evince: upgrade 3.38.0 -> 40.1
gnome-calculator: upgrade 3.36.0 -> 40.1
gnome-system-monitor: upgrade 3.36.1 -> 40.1
dconf-editor: upgrade 3.38.2 -> 3.38.3
libwnck3: upgrade 3.36.0 -> 40.0
babl: upgrade 0.1.84 -> 0.1.86
gimp: upgrade 2.10.22 -> 2.10.24
gegl: add PACKAGECONFIG libraw and enable it by default
gegl: add poppler PCAKAGECONFIG and enable it by default
Revert "gimp: Disable svg icons on arm"
grilo-plugins: initial add 0.3.13
gnome-photos: rrecommend grilo-plugins
gnome-photos: Let all desktops add gnome-photos to their start menu
meta-gnome: remove upstream-version-is-even from inherit on 40.x version recipes
portaudio-v19: upgrade 19.6.0 -> 19.7.0
mousepad: upgrade 0.5.4 -> 0.5.5
network-manager-applet: upgrade 1.18.0 -> 1.22.0
nano: upgrade 5.6 -> 5.7
gnuplot: upgrade 5.2.8 -> 5.4.1
zsh: upgrade 5.4.2 -> 5.8
ttf-lohit: upgrade 2 -> 2.92.1
xrdp: upgrade 0.9.15 -> 0.9.16
snappy: upgrade 1.1.8 -> 1.1.9
redis: upgrade 6.2.2 -> 6.2.3
remmina: upgrade 1.4.11 -> 1.4.17
libpeas: upgrade 1.26.0 -> 1.30.0
modemmanager: upgrade 1.16.2 -> 1.16.4
mm-common: upgrade 1.0.2 -> 1.0.3
protobuf: upgrade 3.15.2 -> 3.17.0
qpdf: upgrade 10.2.0 -> 10.3.2
libmxml: upgrade 3.1 -> 3.2
libgusb: upgrade 0.3.5 -> 0.3.6
libeigen: upgrade 3.3.7 -> 3.3.9
giflib: upgrade 5.1.4 -> 5.2.1
fltk: upgrade 1.3.5 -> 1.3.6
botan: upgrade 2.14.0 -> 2.18.1
dialog: upgrade 1.3-20210319 -> 1.3-20210509
colord: upgrade 1.4.4 -> 1.4.5
flatbuffers: upgrade 1.12.0 -> 2.0.0
gtkwave: upgrade 3.3.108 -> 3.3.109 / move to gtk3 / tidy up recipe
hwdata: upgrade 0.346 -> 0.347
mime-support: upgrade 3.48 -> 3.62
mpv: upgrade 0.32.0 -> 0.33.1
renderdoc: upgrade 1.7 -> 1.13
xfce4-screenshooter: upgrade 1.9.8 -> 1.9.9
hunspell-dictionaries: use better names for dictionary files
gupnp: upgrade 1.2.4 -> 1.2.6
Andrej Kozemcak (1):
squid: upgrade 4.14 -> 4.15
Armin Kuster (6):
audit: migrate from meta-selinux
packagegroup-meta-oe: add audit to pkg grp
python3-scapy: move from meta-security
python3-scapy: add pkg to pkg grp
python3-scapy: drop from pkg grp
python3-scapy: drop this recipe
Ayoub Zaki (1):
evemu-tools: Add initial recipe
Bartosz Golaszewski (3):
python3-pycocotools: new package
python3-pydbus-manager: add runtime dependencies
python3-asyncio-glib: new package
Bruce Mitchell (1):
makedumpfile: Bump srcrev
Changqing Li (3):
python3-paho-mqtt: add package python3-paho-mqtt-examples
nmap: change shebang to python3
libgtop: fix do_compile error
Chen Qi (1):
mutter: add polkit to REQUIRED_DISTRO_FEATRUES
Daniel Ammann (1):
nyancat: add new package
Gianfranco (1):
vboxguestdrivers: upgrade 6.1.20 -> 6.1.22
Guy Morand (1):
qperf: add qperf recipe
Hongxu Jia (1):
cdrkit: add nativesdk support
Kai Kang (1):
thunar: 4.16.6 -> 4.16.8
Khem Raj (47):
liburing: Upgrade to 2.0
catch2: Upgrade to 2.13.6
mongodb: Update to 4.4.6-rc0
icewm: Upgrade to 2.3.3
python3-m2crypto: Pass correct ABI defines to swig
python3-lazy-object-proxy: Add missing dep on pip
python3-markdown: Remove
sdbus-c++-libsystemd: Avoid hard dependency on rsync
libmusicbrainz: Rework native and target pieces
abseil-cpp: Upgrade to lts_2021_03_24
grpc: Upgrade to 1.37.1
minicoredumper: Replace pthread_mutexattr_setrobust_np with pthread_mutexattr_setrobust
libupnp: Do not use _np versions of mutex APIs
mariadb: Upgrade to 10.5.10
apitrace: Upgrade to 0.10
evolution-data-server: Update to 3.40.1
mongodb: Do not use MINSIGSTKSZ
tbb: Fix build with GCC 11
breakpad: Fix type mismatch for SIGSTKSZ
packagegroup-meta-networking.bb: Add http-parser to packagegroup-meta-networking-support
nautilus: Exclude from builds
python3-m2crypto: Fix build on riscv and mips
googletest: Update to tip of trunk
libraw: Move from meta-qt5-extra to meta-oe
Revert "nautilus: Exclude from builds"
libcamera: Update to latest master tip
python3-haversine: Fix build with latest python/setuptools
opencv: Disable tbb on riscv/musl
rdma-core: Upgrade to 35.0
wireshark: Add zstd via packageconfig
dhcp-relay: Use recent config.guess and config.sub for bind
projucer: Update to latest master tip
opencv: Do not lock to gcc only compiler
minifi-cpp: Fix build with llvm C++ runtime
sdbus-cpp: Do not fetch googletest on the fly
python3-grpcio: Update to 1.38.0
heaptrack: Fix build with clang and llvm libunwind
grpc: Upgrade to 1.38.0
packagegroup-meta-oe: Add qperf package
dovecot: Fix build with llvm libunwind
mpich: Upgrade to 3.4.2
packagegroup-meta-oe: Add evemu-tools
vk-gl-cts: Fix O_TRUNC conflict with fcntl.h
dhcp-relay: Fix libtool files for internal bind build
mongodb: Change PV to 4.4.6
mongodb: Fix -Wc++11-narrowing warning on 32bit
mariadb: Include missing sys/type.h for ssize_t
Leon Anavi (81):
python3-pywbemtools: Upgrade 0.8.1 -> 0.9.0
python3-humanize: Upgrade 3.4.1 -> 3.5.0
python3-elementpath: Upgrade 2.2.1 -> 2.2.2
python3-typing-extensions: Upgrade 3.7.4.3 -> 3.10.0.0
python3-watchdog: Upgrade 2.0.3 -> 2.1.0
python3-greenlet: Upgrade 1.0.0 -> 1.1.0
python3-bitarray: Upgrade 2.0.1 -> 2.1.0
python3-websockets: Upgrade 8.1 -> 9.0.1
python3-babel: Upgrade 2.9.0 -> 2.9.1
python3-croniter: Upgrade 1.0.12 -> 1.0.13
python3-serpent: Upgrade 1.30.2 -> 1.40
python3-cerberus: Upgrade 1.3.3 -> 1.3.4
python3-aiohue: Upgrade 2.2.0 -> 2.3.0
python3-robotframework: Upgrade 4.0.1 -> 4.0.2
python3-sentry-sdk: Upgrade 1.0.0 -> 1.1.0
python3-aiohue: Upgrade 2.3.0 -> 2.3.1
python3-watchdog: Upgrade 2.1.0 -> 2.1.1
python3-itsdangerous: Upgrade 1.1.0 -> 2.0.0
python3-websocket-client: Upgrade 0.58.0 -> 0.59.0
python3-google-api-python-client: Upgrade 2.2.0 -> 2.4.0
python3-configargparse: Upgrade 1.4 -> 1.4.1
python3-click: Upgrade 7.1.2 -> 8.0.0
python3-pysonos: Upgrade 0.0.43 -> 0.0.46
python3-rfc3339-validator: Upgrade 0.1.3 -> 0.1.4
python3-pymongo: Upgrade 3.11.3 -> 3.11.4
python3-alembic: Upgrade 1.5.8 -> 1.6.2
python3-deprecated: Add recipe
python3-pymisp: Upgrade 2.4.142 -> 2.4.143
python3-aiohue: Upgrade 2.3.1 -> 2.4.0
python3-pyroute2: Upgrade 0.5.18 -> 0.5.19
python3-matplotlib-inline: Add recipe
python3-ipython: Upgrade 7.22.0 -> 7.23.1
python3-sh: Upgrade 1.14.1 -> 1.14.2
python3-javaobj-py3: Upgrade 0.4.2 -> 0.4.3
python3-pyjwt: Upgrade 2.0.1 -> 2.1.0
python3-aiofiles: Upgrade 0.6.0 -> 0.7.0
python3-aiohue: Upgrade 2.4.0 -> 2.5.0
python3-cbor2: Upgrade 5.2.0 -> 5.3.0
python3-websockets: Upgrade 9.0.1 -> 9.0.2
python3-decorator: Upgrade 5.0.7 -> 5.0.9
python3-websocket-client: Upgrade 0.59.0 -> 1.0.0
python3-pysonos: Upgrade 0.0.46 -> 0.0.48
surf: Upgrade 2.0 -> 2.1
python3-pywbem: Upgrade 1.1.3 -> 1.2.0
python3-watchdog: Upgrade 2.1.1 -> 2.1.2
python3-click: Upgrade 8.0.0 -> 8.0.1
python3-pysonos: Upgrade 0.0.48 -> 0.0.49
python3-pytest-runner: Upgrade 5.3.0 -> 5.3.1
python3-xmlschema: Upgrade 1.6.1 -> 1.6.2
python3-websocket-client: Upgrade 1.0.0 -> 1.0.1
python3-alembic: Upgrade 1.6.2 -> 1.6.4
python3-sqlalchemy: Upgrade 1.4.11 -> 1.4.15
python3-flask-migrate: Upgrade 2.7.0 -> 3.0.0
python3-flask: Upgrade 1.1.2 -> 2.0.1
python3-flask-wtf: Upgrade 0.14.3 -> 0.15.1
python3-flask-socketio: Upgrade 5.0.1 -> 5.0.3
python3-werkzeug: Upgrade 1.0.1 -> 2.0.1
python3-bidict: Add recipe
python3-socketio: Upgrade 5.1.0 -> 5.3.0
python3-robotframework: Upgrade 4.0.2 -> 4.0.3
python3-flask-restful: Upgrade 0.3.8 -> 0.3.9
python3-pysonos: Upgrade 0.0.49 -> 0.0.50
python3-aenum: Upgrade 3.0.0 -> 3.1.0
python3-pyscaffold: Upgrade 4.0.1 -> 4.0.2
python3-urllib3: Upgrade 1.26.4 -> 1.26.5
python3-tqdm: Upgrade 4.60.0 -> 4.61.0
python3-flask: Extend RDEPENDS
python3-ecdsa: Upgrade 0.16.1 -> 0.17.0
python3-alembic: Upgrade 1.6.4 -> 1.6.5
python3-websockets: Upgrade 9.0.2 -> 9.1
python3-pyzmq: Upgrade 22.0.3 -> 22.1.0
python3-ntplib: Upgrade 0.3.4 -> 0.4.0
python3-humanize: Upgrade 3.5.0 -> 3.6.0
python3-astroid: Upgrade 2.5.6 -> 2.5.7
python3-netifaces: Upgrade 0.10.9 -> 0.11.0
python3-certifi: Upgrade 2020.12.5 -> 2021.5.30
python3-click-repl: Upgrade 0.1.6 -> 0.2.0
python3-google-api-python-client: Upgrade 2.4.0 -> 2.6.0
python3-pytest-helpers-namespace: Upgrade 2021.3.24 -> 2021.4.29
python3-ipython: Upgrade 7.23.1 -> 7.24.0
python3-ruamel-yaml: Upgrade 0.17.4 -> 0.17.7
LiweiSong (1):
pm-graph: parse separated cpu exec line
Martin Jansa (7):
ostree: switch from default master branch to main to fix do_fetch failure
snappy: explicity disable building tests and benchmark
libtinyxml2: restore building shared library
zsh: work around file-rdeps QA issues with usrmerge in DISTRO_FEATURES
snappy: fix native build with older gcc on host
p7zip: refresh patches with devtool to apply cleanly
gtkwave: set REQUIRED_DISTRO_FEATURES only to wayland
Nisha Parrakat (1):
p7zip: build and package lib7z.so needed for fastboot
Nuno Sá (2):
libiio: add serial backend support
libiio: mark libxml2 as depends for usb_backend
Robert Joslyn (1):
ctags: Use PACKAGECONFIG for build options
Romain Naour (4):
poke: add recipe for version 1.2
poke: add optional json-c dependency
packagegroup-meta-oe: Add poke to packagegroup-meta-oe-devtools
libiec61850: Upgrade to 1.5.0
Ross Burton (3):
nss: disable -Werror
nss: remove -march vs -mcpu workaround
meta-gnome: add Cogl/Clutter from oe-core
Saul Wold (2):
opencv: remove tbb packageconfig for powerpc
sysdig: disable building for ppc
Stefan Ghinea (1):
thunar: fix CVE-2021-32563
Stefan Wiehler (3):
http-parser: add recipe
restinio: add recipe
restinio: fix license
Trevor Gamblin (6):
python3-django: upgrade 2.2.20 -> 2.2.22
python3-django: upgrade 3.2 -> 3.2.2
python3-django: upgrade 2.2.22 -> 2.2.23
python3-django: upgrade 3.2.2 -> 3.2.3
python3-ujson: fix ptests
python3-prettytable: add python3-sqlite3 for ptest
William A. Kennington III (1):
span-lite: upgrade 0.8.1 -> 0.9.2
Yi Zhao (1):
dhcp-relay: add recipe
wangmy (11):
uftrace: Fix a plthook crash on aarch64 with binutils2.35.1 and later versions on aarch64
exiv2: Fix CVE-2021-29457
exiv2: Fix CVE-2021-29458
exiv2: Fix CVE-2021-29463
exiv2: Fix CVE-2021-3482
exiv2: Fix CVE-2021-29464
exiv2: Fix CVE-2021-29470
exiv2: Fix CVE-2021-29473
libsdl: Fix CVE-2019-13616
trace-cmd: Conflict resolution
uftrace: upgrade 0.9.4 -> 0.10
zangrc (21):
ifenslave: upgrade 2.11 -> 2.12
lksctp-tools: upgrade 1.0.18 -> 1.0.19
nbdkit: upgrade 1.25.6 -> 1.25.7
tcpreplay: upgrade 4.3.3 -> 4.3.4
cloc: upgrade 1.88 -> 1.90
gensio: upgrade 2.2.4 -> 2.2.5
iwd: upgrade 1.13 -> 1.14
makedumpfile: upgrade 1.6.8 -> 1.6.9
postgresql: upgrade 13.2 -> 13.3
libencode-perl: upgrade 3.08 -> 3.10
python3-xlsxwriter: upgrade 1.4.0 -> 1.4.3
python3-itsdangerous: upgrade 2.0.0 -> 2.0.1
python3-protobuf: upgrade 3.14.0 -> 3.17.0
python3-pulsectl: upgrade 21.3.4 -> 21.5.17
python3-engineio: upgrade 3.13.0 -> 4.2.0
python3-can: upgrade 3.3.3 -> 3.3.4
gexiv2: upgrade 0.12.1 -> 0.12.2
gnome-autoar: upgrade 0.3.1 -> 0.3.2
gnome-bluetooth: upgrade 3.34.1 -> 3.34.5
libgweather: upgrade 3.36.1 -> 3.36.2
libstemmer: upgrade 2.0.0 -> 2.1.0
zhengruoqin (8):
libdivecomputer: upgrade 0.6.0 -> 0.7.0
libjcat: upgrade 0.1.6 -> 0.1.7
libxmlb: upgrade 0.3.0 -> 0.3.1
chrony: upgrade 4.0 -> 4.1
libqmi: upgrade 1.28.2 -> 1.28.4
libtinyxml2: upgrade 8.0.0 -> 8.1.0
libndp: upgrade 1.7 -> 1.8
valijson: upgrade 0.3 -> 0.4
Change-Id: I8a1f42af3063886d88a7c0c5c79a45dde55c34da
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/meta-openembedded/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
new file mode 100644
index 0000000..bb6c61e8
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
@@ -0,0 +1,133 @@
+From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 26 Feb 2019 18:33:33 -0500
+Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
+
+Upstream-Status: Backport
+[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e]
+---
+ auparse/auparse.c | 12 +++++++++++-
+ auparse/interpret.c | 9 ++++++++-
+ configure.ac | 14 +++++++++++++-
+ src/ausearch-lol.c | 12 +++++++++++-
+ 4 files changed, 43 insertions(+), 4 deletions(-)
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index 650db02..2e1c737 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -1,5 +1,5 @@
+ /* auparse.c --
+- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
++ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e)
+ return 0;
+ }
+
++#ifndef HAVE_STRNDUPA
++static inline char *strndupa(const char *old, size_t n)
++{
++ size_t len = strnlen(old, n);
++ char *tmp = alloca(len + 1);
++ tmp[len] = 0;
++ return memcpy(tmp, old, len);
++}
++#endif
++
+ /* Returns 0 on success and 1 on error */
+ static int extract_timestamp(const char *b, au_event_t *e)
+ {
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 51c4a5e..67b7b77 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -853,6 +853,13 @@ err_out:
+ return print_escaped(id->val);
+ }
+
++// rawmemchr is faster. Let's use it if we have it.
++#ifdef HAVE_RAWMEMCHR
++#define STRCHR rawmemchr
++#else
++#define STRCHR strchr
++#endif
++
+ static const char *print_proctitle(const char *val)
+ {
+ char *out = (char *)print_escaped(val);
+@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val)
+ // Proctitle has arguments separated by NUL bytes
+ // We need to write over the NUL bytes with a space
+ // so that we can see the arguments
+- while ((ptr = rawmemchr(ptr, '\0'))) {
++ while ((ptr = STRCHR(ptr, '\0'))) {
+ if (ptr >= end)
+ break;
+ *ptr = ' ';
+diff --git a/configure.ac b/configure.ac
+index 54bdbf1..aef07fb 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,7 +1,7 @@
+ dnl
+ define([AC_INIT_NOTICE],
+ [### Generated automatically using autoconf version] AC_ACVERSION [
+-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
++### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
+ ###
+ ### Permission is hereby granted, free of charge, to any person obtaining a
+ ### copy of this software and associated documentation files (the "Software"),
+@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote
+ AC_CHECK_FUNCS([posix_fallocate])
+ dnl; signalfd is needed for libev
+ AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
++dnl; check if rawmemchr is available
++AC_CHECK_FUNCS([rawmemchr])
++dnl; check if strndupa is available
++AC_LINK_IFELSE(
++ [AC_LANG_SOURCE(
++ [[
++ #define _GNU_SOURCE
++ #include <string.h>
++ int main() { (void) strndupa("test", 10); return 0; }]])],
++ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
++ []
++)
+
+ ALLWARNS=""
+ ALLDEBUG="-g"
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 5d17a72..758c33e 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -1,6 +1,6 @@
+ /*
+ * ausearch-lol.c - linked list of linked lists library
+-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
++* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This software may be freely redistributed and/or modified under the
+@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2)
+ return 0;
+ }
+
++#ifndef HAVE_STRNDUPA
++static inline char *strndupa(const char *old, size_t n)
++{
++ size_t len = strnlen(old, n);
++ char *tmp = alloca(len + 1);
++ tmp[len] = 0;
++ return memcpy(tmp, old, len);
++}
++#endif
++
+ /*
+ * This function will look at the line and pick out pieces of it.
+ */
+--
+2.7.4
+
diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/meta-openembedded/meta-oe/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
new file mode 100644
index 0000000..740bcb5
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
@@ -0,0 +1,57 @@
+From 3d13f92c1bb293523670ba01aea7e655b00a6709 Mon Sep 17 00:00:00 2001
+From: Li xin <lixin.fnst@cn.fujitsu.com>
+Date: Sun, 19 Jul 2015 02:42:58 +0900
+Subject: [PATCH] audit: Fixed swig host contamination issue
+
+The audit build uses swig to generate a python wrapper.
+Unfortunately, the swig info file references host include
+directories. Some of these were previously noticed and
+eliminated, but the one fixed here was not.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com>
+Signed-off-by: Joe Slater <jslater@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ bindings/swig/python3/Makefile.am | 3 ++-
+ bindings/swig/src/auditswig.i | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am
+index dd9d934..61b486d 100644
+--- a/bindings/swig/python3/Makefile.am
++++ b/bindings/swig/python3/Makefile.am
+@@ -22,6 +22,7 @@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS)
+ AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
++STDINC ?= /usr/include
+ LIBS = $(top_builddir)/lib/libaudit.la
+ SWIG_FLAGS = -python -py3 -modern
+ SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
+@@ -36,7 +37,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi
+ _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la
+ nodist__audit_la_SOURCES = audit_wrap.c
+ audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i
+- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i
++ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i
+
+ CLEANFILES = audit.py* audit_wrap.c *~
+
+diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
+index 21aafca..dd0f62c 100644
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,7 +39,7 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
+-%include "/usr/include/linux/audit.h"
++%include "linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include <stdint.i>
+ %include "../lib/libaudit.h"
+--
+2.17.1
+
diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/audit-volatile.conf b/meta-openembedded/meta-oe/recipes-security/audit/audit/audit-volatile.conf
new file mode 100644
index 0000000..9cbe154
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/audit-volatile.conf
@@ -0,0 +1 @@
+d /var/log/audit 0750 root root -
diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd b/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd
new file mode 100644
index 0000000..6aa7f94
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd
@@ -0,0 +1,153 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: auditd
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Audit Daemon
+# Description: Collects audit information from Linux 2.6 Kernels.
+### END INIT INFO
+
+# Author: Philipp Matthias Hahn <pmhahn@debian.org>
+# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init
+
+# June, 2012: Adopted for yocto <amy.fong@windriver.com>
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="audit daemon"
+NAME=auditd
+DAEMON=/sbin/auditd
+PIDFILE=/var/run/"$NAME".pid
+SCRIPTNAME=/etc/init.d/"$NAME"
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"
+
+. /etc/default/rcS
+
+. /etc/init.d/functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
+ || return 1
+ start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
+ $EXTRAOPTIONS \
+ || return 2
+ if [ -f /etc/audit/audit.rules ]
+ then
+ /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+ fi
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME"
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f "$PIDFILE"
+ rm -f /var/run/audit_events
+ # Remove watches so shutdown works cleanly
+ case "$AUDITD_CLEAN_STOP" in
+ no|NO) ;;
+ *) /sbin/auditctl -D >/dev/null ;;
+ esac
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+if [ ! -e /var/log/audit ]; then
+ mkdir -p /var/log/audit
+ [ -x /sbin/restorecon ] && /sbin/restorecon -F $(readlink -f /var/log/audit)
+fi
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && echo 0 ;;
+ 2) [ "$VERBOSE" != no ] && echo 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && echo 0 ;;
+ 2) [ "$VERBOSE" != no ] && echo 1 ;;
+ esac
+ ;;
+ reload|force-reload)
+ echo "Reloading $DESC" "$NAME"
+ do_reload
+ echo $?
+ ;;
+ restart)
+ echo "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) echo 0 ;;
+ 1) echo 1 ;; # Old process is still running
+ *) echo 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ echo 1
+ ;;
+ esac
+ ;;
+ rotate)
+ echo "Rotating $DESC logs" "$NAME"
+ start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME"
+ echo $?
+ ;;
+ status)
+ pidofproc "$DAEMON" >/dev/null
+ status=$?
+ if [ $status -eq 0 ]; then
+ echo "$NAME is running."
+ else
+ echo "$NAME is not running."
+ fi
+ exit $status
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd.service b/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd.service
new file mode 100644
index 0000000..06c63f0
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Security Auditing Service
+DefaultDependencies=no
+After=local-fs.target systemd-tmpfiles-setup.service
+Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
+ConditionKernelCommandLine=!audit=0
+
+[Service]
+Type=forking
+PIDFile=/run/auditd.pid
+ExecStart=/sbin/auditd
+## To use augenrules, uncomment the next line and comment/delete the auditctl line.
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+#ExecStartPost=-/sbin/augenrules --load
+ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+# By default we don't clear the rules on exit.
+# To enable this, uncomment the next line.
+#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+
+### Security Settings ###
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit_2.8.5.bb b/meta-openembedded/meta-oe/recipes-security/audit/audit_2.8.5.bb
new file mode 100644
index 0000000..ee3b3b5
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-security/audit/audit_2.8.5.bb
@@ -0,0 +1,105 @@
+SUMMARY = "User space tools for kernel auditing"
+DESCRIPTION = "The audit package contains the user space utilities for \
+storing and searching the audit records generated by the audit subsystem \
+in the Linux kernel."
+HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
+SECTION = "base"
+LICENSE = "GPLv2+ & LGPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \
+ file://Add-substitue-functions-for-strndupa-rawmemchr.patch \
+ file://Fixed-swig-host-contamination-issue.patch \
+ file://auditd \
+ file://auditd.service \
+ file://audit-volatile.conf \
+"
+
+S = "${WORKDIR}/git"
+SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c"
+
+inherit autotools python3native update-rc.d systemd
+
+UPDATERCPN = "auditd"
+INITSCRIPT_NAME = "auditd"
+INITSCRIPT_PARAMS = "defaults"
+
+SYSTEMD_PACKAGES = "auditd"
+SYSTEMD_SERVICE_auditd = "auditd.service"
+
+DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"
+
+EXTRA_OECONF += "--without-prelude \
+ --with-libwrap \
+ --enable-gssapi-krb5=no \
+ --with-libcap-ng=yes \
+ --with-python3=yes \
+ --libdir=${base_libdir} \
+ --sbindir=${base_sbindir} \
+ --without-python \
+ --without-golang \
+ --disable-zos-remote \
+ "
+EXTRA_OECONF_append_arm = " --with-arm=yes"
+EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes"
+
+EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
+ pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
+ STDINC='${STAGING_INCDIR}' \
+ pkgconfigdir=${libdir}/pkgconfig \
+ "
+
+SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher"
+DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
+interface to the audit system, audispd. These plugins can do things \
+like relay events to remote machines or analyze events for suspicious \
+behavior."
+
+PACKAGES =+ "audispd-plugins"
+PACKAGES += "auditd ${PN}-python"
+
+FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
+FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*"
+FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
+ ${sysconfdir}/audisp/plugins.d/au-remote.conf \
+ ${sbindir}/audisp-remote ${localstatedir}/spool/audit \
+ "
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
+
+CONFFILES_auditd += "${sysconfdir}/audit/audit.rules"
+RDEPENDS_auditd += "bash"
+
+do_install_append() {
+ rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
+ rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la
+
+ # reuse auditd config
+ [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default
+ mv ${D}/etc/sysconfig/auditd ${D}/etc/default
+ rmdir ${D}/etc/sysconfig/
+
+ # replace init.d
+ install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
+ rm -rf ${D}/etc/rc.d
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d/
+ install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
+ fi
+
+ # install systemd unit files
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
+
+ # audit-2.5 doesn't install any rules by default, so we do that here
+ mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
+ cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
+
+ chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
+ chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
+
+ # Based on the audit.spec "Copy default rules into place on new installation"
+ cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
+}
diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.1.bb b/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.1.bb
new file mode 100644
index 0000000..ba24d36
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.1.bb
@@ -0,0 +1,109 @@
+SUMMARY = "User space tools for kernel auditing"
+DESCRIPTION = "The audit package contains the user space utilities for \
+storing and searching the audit records generated by the audit subsystem \
+in the Linux kernel."
+HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
+SECTION = "base"
+LICENSE = "GPLv2+ & LGPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \
+ file://Fixed-swig-host-contamination-issue.patch \
+ file://auditd \
+ file://auditd.service \
+ file://audit-volatile.conf \
+"
+
+S = "${WORKDIR}/git"
+SRCREV = "46cb7d92443c9ec7b3af15fb0baa65f65f6415d3"
+
+inherit autotools python3native update-rc.d systemd
+
+UPDATERCPN = "auditd"
+INITSCRIPT_NAME = "auditd"
+INITSCRIPT_PARAMS = "defaults"
+
+SYSTEMD_PACKAGES = "auditd"
+SYSTEMD_SERVICE_auditd = "auditd.service"
+
+DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"
+
+EXTRA_OECONF = " --with-libwrap \
+ --enable-gssapi-krb5=no \
+ --with-libcap-ng=yes \
+ --with-python3=yes \
+ --libdir=${base_libdir} \
+ --sbindir=${base_sbindir} \
+ --without-python \
+ --without-golang \
+ --disable-zos-remote \
+ --with-arm=yes \
+ --with-aarch64=yes \
+ "
+
+EXTRA_OEMAKE = "PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
+ pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
+ STDINC='${STAGING_INCDIR}' \
+ pkgconfigdir=${libdir}/pkgconfig \
+ "
+
+SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher"
+DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
+interface to the audit system, audispd. These plugins can do things \
+like relay events to remote machines or analyze events for suspicious \
+behavior."
+
+PACKAGES =+ "audispd-plugins"
+PACKAGES += "auditd ${PN}-python"
+
+FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
+FILES_auditd = "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit/*"
+FILES_audispd-plugins = "${sysconfdir}/audit/audisp-remote.conf \
+ ${sysconfdir}/audit/plugins.d/au-remote.conf \
+ ${sysconfdir}/audit/plugins.d/syslog.conf \
+ ${base_sbindir}/audisp-remote \
+ ${base_sbindir}/audisp-syslog \
+ ${localstatedir}/spool/audit \
+ "
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
+
+CONFFILES_auditd = "${sysconfdir}/audit/audit.rules"
+RDEPENDS_auditd = "bash"
+
+do_install_append() {
+ rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
+ rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la
+
+ # reuse auditd config
+ [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default
+ mv ${D}/etc/sysconfig/auditd ${D}/etc/default
+ rmdir ${D}/etc/sysconfig/
+
+ # replace init.d
+ install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
+ rm -rf ${D}/etc/rc.d
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ # install systemd unit files
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
+
+ install -d ${D}${sysconfdir}/tmpfiles.d/
+ install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
+ fi
+
+ # audit-2.5 doesn't install any rules by default, so we do that here
+ mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
+ cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
+
+ chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
+ chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
+
+ # Based on the audit.spec "Copy default rules into place on new installation"
+ cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
+
+ # Create /var/spool/audit directory for audisp-remote
+ install -m 0700 -d ${D}${localstatedir}/spool/audit
+}