Currently, we handle three kinds of tests: basic, defconfig, and
runtime, and we treat them totally independently ones from the others.
Except for the basic tests that are ignored when defconfig or runtime
tests are explicitly requested.
The basic tests are also run systematically on all our reference
branches: master, next (when it exists), and the maintenance branches:
YYYY.MM.x.
Furthermore, we can see that the conditions to run each set of tests
are very similar, with only the explicit queries differing by name.
Rework the script so that the conditions are expressed only once, and
each set of tests is decided for each condition. This makes it easier
to decide what tests should run under what conditions.
Using GitLab-CI's schedules, with a variable expressing the actual test
to run, would seem the obvious choice to trigger the pipelines. However,
a schedule is configured for a specific branch, which means we would
need one schedule per branch we want to build per test cases we want to
run, *and* that we update those schedules when we add/remove branches
(e.g. when we open/close 'next', or a maintenance branch). This is not
very nice, as it requires some manual tweaking and twiddling on the web
UI.
Instead, we resort to using triggers, that will be triggered from a
cronjob on some server. Using a cronjiob allows us to more easily manage
the branches we want to test and test cases we want to run, to more
easily spread the load over the week, etc...
Note: triggering a pipeline can be done with a simple curl invocation:
$ curl -X POST \
-F "token=${YOUR_TOKEN}" \
-F "ref=${BRANCH_TO_TEST}" \
-F "variables[BR_SCHEDULE_JOBS]=${TEST_TO_RUN}" \
"https://gitlab.com/api/v4/projects/${YOUR_PROJECT_ID}/trigger/pipeline"
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add tests to ensure the packages SELinux functionalities (being able to
select an extra SELinux module in the refpolicy, and being able to
provide a custom SELinux module) are working as expected.
We use a BR2_EXTERNAL folder, provided in the tests, to use a custom
SELinux enabled package.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a test for BR2_PACKAGE_REFPOLICY_CUSTOM_GIT (which allows to select
a custom location for the SELinux refpolicy). The test uses the official
refpolicy as a test (we only want to test the functionality is working,
not that another refpolicy is correctly building; that is an user
problematic).
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a test for the BR2_REFPOLICY_EXTRA_MODULES_DIRS functionality (which
allows to provide custom SELinux modules).
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds a test for the BR2_REFPOLICY_EXTRA_MODULES
functionality (which allows to select extra modules within the SELinux
refpolicy using Kconfig).
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a test called 'SELinuxSystemdSquashfs' which will perform the same
tests as the Ext4 version, but using a Squashfs filesystem. Thanks to
this, we'll have a test on a real only filesystem.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This adds a test called 'SELinuxSystemdExt4'. This test will build an
SELinux enabled image with systemd, boot it, and perform a few runtime
tests to check SELinux related capabilities.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
REFPOLICY_EXTRA_MODULES_DIRS contains
$(PACKAGES_SELINUX_EXTRA_MODULES_DIRS) which is filled in by
package/pkg-generic.mk with the list of packages that have a selinux/
sub-directory. Due to how variable expansion works, if there is an
ifeq/ifneq test of REFPOLICY_EXTRA_MODULES_DIRS, it will only see the
value of REFPOLICY_EXTRA_MODULES_DIRS with the list of packages
*before* refpolicy in alphabetic ordering. This means that packages
after refpolicy in alphabetic ordering would not be taken into
account.
To fix this, we switch to an $(if ...) test, which allows the variable
to really be evaluated during the refpolicy build. This makes sures
the expansion is correct.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Pass HOST_LDFLAGS to avoid the following build failure due to missing
RPATH:
*** ERROR: package host-sentry-cli installs executables without proper RPATH:
*** /srv/storage/autobuild/run/instance-3/output-1/host/bin/sentry-cli
Fixes:
- http://autobuild.buildroot.org/results/d52638baefec961ff693aecf833af7adfc482fe4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit fd5376a39d wrongly named the patch
as 0002-x.patch instead of 0001-x.patch
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The buildroot custom bareboxenv compile command misses the additional
include path 'scripts/include' to gain access to the local copy of the
kernel header files (which leads to compile error when using an older
toolchain).
This could be fixed by enhancing the custom bareboxenv compile command
(see [1]) or by using the barebox build system by simply enabling the
CONFIG_BAREBOXENV_TARGET option (available since April 2012, see [2])
instead (as suggested by Yann E. MORIN).
Fixes (with BR2_TARGET_BAREBOX_BAREBOXENV enabled):
build/barebox-2019.12.0/scripts/bareboxenv.c💯10: fatal error: linux/list.h: No such file or directory
[1] http://lists.busybox.net/pipermail/buildroot/2020-January/270942.html
[2] https://git.pengutronix.de/cgit/barebox/commit/?id=afb03d7a554a2911a3742e316f011319fcb416f1
Note: a user who would previously provide a barebox config file which
had CONFIG_BAREBOXENV_TARGET=y, but a Buildroot config file which did
not have BR2_TARGET_BAREBOX_BAREBOXENV=y, would have bareboxenv-target
built, but it would not be installed in the target. Now, and unset
BR2_TARGET_BAREBOX_BAREBOXENV will not even build it, but his is not a
regression: it was anyway previously not installed.
Reported-by: Frederick Gotham <cauldwell.thomas@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
- also explicitly disable it when not selected
- rewrap commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Default value of MinTLSversion set to 1.2.
- mbed TLS updated to 2.23.0.
- Small bugfixes.
- Update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 80be040817 because
libsquirrel.so.0 and libsqstdlib.so.0 are missing in TARGET_DIR.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop patches (already in version) and so autoreconf
- Update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gcc 10.2 is around, gcc 9.3 is the default version, so drop
7.5 in order to reduce the gcc choice.
See:
https://gcc.gnu.org/legacy-ml/gcc/2019-11/msg00099.html
The last defconfig using gcc 7 (roseapplepi_defconfig) has been
updated by 9cd0654380.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
[Peter: add Config.in.legacy entry]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
IV is actually used. This can lead to both decreased security and
incorrect encryption data.
- Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
cookie values, the cookie names are url-decoded. This may lead to
cookies with prefixes like __Host confused with cookies that decode to
such prefix, thus leading to an attacker being able to forge cookie
which is supposed to be secure. See also CVE-2020-8184 for more
information.
https://www.php.net/ChangeLog-7.php#7.4.11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
All the python packages are inside a
if BR2_PACKAGE_PYTHON || BR2_PACKAGE_PYTHON3
conditional, so no need to repeat it in the Config.in.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 9e4ffdc8cf modified the output of
'setlocalversion' so that the Buildroot version tag is included in the
output, the version part was added in Makefile.
Due to differences in behavior of the used git and Mercurial commands, this
caused different output for the Mercurial case, in BR2_VERSION_FULL and thus
/etc/os-release and 'make print-version'. Assuming the official Buildroot
releases are tagged and no project-specific tags are present, the output
after commit 9e4ffdc8cf is:
-hg<commit>
whereas it is expected to be something like:
2020.02.6-hg<commit>
Change the Mercurial case in setlocalversion to behave similar to git,
looking up the latest tag if the current revision is not itself tagged.
The number of commits after the latest tag is not added, unlike in git, as
this value is not commonly present in Mercurial output, and its added value
can be disputed in this context. Even one commit could bring a huge change
to the sources, so in order to interpret the number one has to look at the
repository anyhow, in which case the commit ID can just be used.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The content of the license file (doc/readme.html) differs between lua 5.3
and 5.4, so we cannot use a shared .hash file for all versions.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since 52f188140c (qemu version bump to 5.1),
the image generated by qemu_riscv64_virt_defconfig doesn't boot anyore with
the following error:
rom: requested regions overlap (rom phdr #0: [...]/images//fw_jump.elf. free=0x000000008000e240, addr=0x0000000080000000)
qemu-system-riscv64: rom check and register reset failed
Update the qemu command line as described in the Qemu wiki for riscv64 [1]
Fixes:
https://gitlab.com/jugurthaB/buildroot/-/jobs/686104707
[1] https://wiki.qemu.org/Documentation/Platforms/RISCV#Booting_64-bit_OpenEmbedded_Images
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
Cc: Alistair Francis <alistair.francis@wdc.com>
Cc: Mark Corbin <mark@dibsco.co.uk>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since Qemu 5.1, this defconfig doesn't boot due to the to small SD card image size (60MB).
qemu-system-arm: sd_init failed: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it currently is).
qemu-system-arm: sd_init failed
From [1]:
"While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end."
Fixes:
https://gitlab.com/kubu93/buildroot/-/jobs/766482935
[1] https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
