CVE-2021-43816: "Unprivileged pod using `hostPath` can side-step active LSM when
it is SELinux"
Containers launched through containerd’s CRI implementation on Linux systems
which use the SELinux security module and containerd versions since v1.5.0 can
cause arbitrary files and directories on the host to be relabeled to match the
container process label through the use of specially-configured bind mounts in a
hostPath volume. This relabeling elevates permissions for the container,
granting full read/write access over the affected files and directories.
Kubernetes and crictl can both be configured to use containerd’s CRI
implementation.
https://github.com/advisories/GHSA-mvff-h3cj-wj9chttps://github.com/containerd/containerd/releases/tag/v1.5.9
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix the following build failure raised since bump of meson to version
0.61.0 in commit a8dc871139:
../output-1/build/gvfs-1.48.1/daemon/meson.build:368:7: ERROR: Function does not take positional arguments.
Fixes:
- http://autobuild.buildroot.org/results/6231649fac82a70b215186c3396b879a28a96f60
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
ZynAddSubFX is a fully featured open source software synthesizer
capable of making a countless number of instruments, from some
common heard from expensive hardware to interesting sounds that
you'll boost to an amazing universe of sounds.
https://zynaddsubfx.sourceforge.io/
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
pjsip:pjsip has been deprecated by teluu:pjsip since September 2021:
<cpe-23:cpe23-item name="cpe:2.3🅰️pjsip:pjsip:2.7.1:*:*:*:*:*:*:*">
<cpe-23:deprecated-by name="cpe:2.3🅰️teluu:pjsip:2.7.1:*:*:*:*:*:*:*" type="NAME_CORRECTION"/>
<cpe-item name="cpe:/a:pjsip:pjsip:2.7.2" deprecated="true" deprecation_date="2021-09-02T14:49:19.527Z">
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
RK3399_ROCKPRO64 has been picked from pine64/rockpro64 but here we deal
with orangepi-rk3399, so let's change the label to RK3399_ORANGEPI.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit add a simple test doing symmetric encryption/decryption
to check this python interface with the gpg binary is working fine.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This will use gcc-ar, gcc-nm and gcc-ranlib instead of the
normal binutils tools. The difference is that with the
wrappers, gcc plugins will be automatically picked up,
which is necessary to build with LTO.
With this enabled, it is possible to build everything (including libgcc
and libstdc++) with LTO by setting BR2_TARGET_OPTIMIZATION="-flto".
Note that you'd expect that the GCC build system would automatically do
this when --enable-lto is set, but this is not the case. There are some
open bugs [1][2] to allow building libgcc and libstdc++ with LTO support
but it's apparently not done yet.
Note that there are also reports of problems building libstdc++ with LTO
[3], but it seems that's no longer a problem (and the bug didn't get
updated).
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59893
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77278
[3] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60160
Monitoring the target/ and host/ directories and so on, will serve to
generate lists of files installed by the packages. Those lists are then
used to generate graphs of the size those package take on the target
for example.
With PPD, we will also want to use those lists to only copy those files
actually installed by each dependencies of a package, recursively.
Currently, those lists are not entirely reliable, as the starting points
are established before we apply PPD fixup hooks. As such, at the end of
a package installation, fixed up files will be found to belong to the
current package, while they were in fact provided by one of its
dependency.
While this does no big harm, if at all, for the size graphs, it will
trigger overwrite detection when we eventually gather packages together
to aggregate a PPD or te final host and target. So, we better have the
lists of files be reliable.
So, we only start monitoring the directories after we apply the PPD
fixups (or seen the other way around for a smaller diff: we apply the
PPD fixups before we start monitoring the directories).
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Herve Codina <herve.codina@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Some files contain hard-coded absolute paths that point to the host
and/or staging directories.
With per-package directories (aka. PPD), these paths point to the PPD
of the package that created the files, when we want them to point to the
PPD of the package that uses them.
Up until now, we had two hooks that attempted to fix those files:
- a libtool-specific hook that searches for all .la files and seds
them with the proper PPD,
- a python-specific hook that tweaks just the sysconfigdata and
removes the byte-compiled version of the sysconfigdata.
But now, we also have a few other kinds of files for which we need to
fix the PPD: .cmake, .pc, or .pri files, and probably a bunch of others
as well.
We solve this issue by just replacing any PPD in text files, with the
current package's PPD.
This is very similar to, and inspired from what is done when relocating
the SDK. However, we can't use the existing relocate-sdk script, because
that needs to know the original location, which we do not have when we
aggregate the PPD (we could store it, but we can easily do without it).
Furthermore, we use a construct that is way more efficient than
relocate-sdk. First, we skip binary files with grep, which means we have
way less files to check with 'file' [0]. Second, we use xargs to sed
multiple files at once: printf is a shell built-in, so it's fast, and so
we do not have to spawn a sed for each file to fixup.
[0] We still keep using 'file' as a safety net, to avoid mangling a
binary file that grep would have missed.
Finally, the existing python-specific macro is simplified to just remove
the pre-compiled sysconfigdata files. And we rename it accordingly.
And as for some timings, to see the impact, with the defconfig below,
and with the downloads already local, and with a PC mostly idle (mail
and IRC activity only):
Before Now Delta
- without PPD : 7min 27s 7min 23s -0.9%
- with PPD : 7min 51s 7min 59s +1.7%
- with PPD -j8: 5min 51s 5min 56s +1.4%
So we can see a slight increase in time, but it is mostly in the noise
(some builds without this change did exceed some builds with this
change, due to background noise). Also, depending on scheduling, there
can be less parallelism; for example, python3 does not build in
parallel, and with this special defconfig, python is on the critical
path of a lot of packages that are python modules, which can negatively
impact a parallel build too. A more realistic, bigger defconfig would
probably be more parallel... YMMV...
Delta without PPD is also due to background noise, as those hooks are
not used when PPD is not enabled.
Defconfig used:
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_PYTHON_AIOBLESCAN=y
BR2_PACKAGE_PYTHON_AIOCOAP=y
BR2_PACKAGE_PYTHON_AIOFILES=y
BR2_PACKAGE_PYTHON_AIOHTTP_CORS=y
BR2_PACKAGE_PYTHON_AIOHTTP_DEBUGTOOLBAR=y
BR2_PACKAGE_PYTHON_AIOHTTP_MAKO=y
BR2_PACKAGE_PYTHON_AIOHTTP_REMOTES=y
BR2_PACKAGE_PYTHON_AIOHTTP_SECURITY=y
BR2_PACKAGE_PYTHON_AIOHTTP_SESSION=y
BR2_PACKAGE_PYTHON_AIOHTTP_SSE=y
BR2_PACKAGE_PYTHON_AIOJOBS=y
BR2_PACKAGE_PYTHON_AIOLOGSTASH=y
BR2_PACKAGE_PYTHON_AIOMONITOR=y
BR2_PACKAGE_PYTHON_AIOPROCESSING=y
BR2_PACKAGE_PYTHON_AIOREDIS=y
BR2_PACKAGE_PYTHON_AIORWLOCK=y
BR2_PACKAGE_PYTHON_AIOZIPKIN=y
BR2_PACKAGE_LIGHTTPD=y
BR2_PACKAGE_LIGHTTPD_OPENSSL=y
BR2_PACKAGE_LIGHTTPD_ZLIB=y
BR2_PACKAGE_LIGHTTPD_BZIP2=y
BR2_PACKAGE_LIGHTTPD_PCRE=y
BR2_PACKAGE_LIGHTTPD_WEBDAV=y
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Adam Duskett <aduskett@gmail.com>
Cc: Louis-Paul CORDIER <lpdev@cordier.org>
Cc: Andreas Naumann <anaumann@ultratronik.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
License hash changed due to OCB patents expiry:
5d78d02220
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop patch that is now upstream.
Drop python2 support.
Drop python-six dependency which is no longer needed.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[yann.morin.1998@free.fr: update paramiko python3 dependency comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
License hash changed due to year update:
78beeb7d6f
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
License hash change due to copyright year update:
0bb3f87dcc
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop patches that are now upstream.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[yann.morin.1998@free.fr: don't duplicate _SETUP_TYPE]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- python 2 support has been dropped since version 2.0.0 and
e085f3eedf
- Update hash of license file (license standardized:
c880f85ccd)
- Update indentation in hash file (two spaces)
https://itsdangerous.palletsprojects.com/en/2.0.x/changes/#version-2-0-1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Update hash of LICENSE file (license updated to make it recognizable
by github:
a3016e7d69)
- Update indentation in hash file (two spaces)
https://github.com/giampaolo/pyftpdlib/blob/release-1.5.6/HISTORY.rst
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
They are loosely ordered according to the ordering of the gcc
documentation. It is not entirely correct as the generic x86-64,
x86-64-v2, x86-64-v3 and x86-64-v4 are listed before i386 in the gcc
documentation, but this nevertheless gives a good explanation for the
overall ordering of the list.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
These were added in gcc 9.x. The goldmont, goldmont-plus and tremont
are for the low-power CPUs. While cascadelake and tigerlake are for
the high-end ones.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The x86-64-v4 toolchain assumes availability of AVX512, as per the
definition of the x86-64-v4 "standard".
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>