This series of patches introduces a layer that brings a few user space libraries to the Morello platform under Linux and provides a framework to aid adding more libraries in the future. The purecap libraries live in their own sysroot and exist in parallel with the non-purecap libraries.
Currently the layer consists of: - postgresql - zabbix - dependencies required to run the above
See README.md for more details.
Working implementation can be found here [1]
[1] https://github.com/The-Good-Penguin/meta-morello-distro
Pawel Zalewski (27): README: initial commit license: add MIT license kas: initial commit conf: inital commit classes: initial commit openssl-morello: initial commit zabbix-morello: initial commit nginx: appends for zabbix base-passwd-morello: initial commit ncurses-morello: initial commit readline-morello: initial commit util-linux-morello: initial commit zlib-morello: inital commit postgresql-morello: initial commit tcltk-morello: initial commit php: downgrade to 7.4.33 bzip2-morello: initial commit libidn2-morello: initial commit linux: initial commit curl-morello: initial commit libevent-morello: initial commit libpcre-morello: initial commit libunistring-morello: initial commit openldap-morello: initial commit snmp-morello: initial commit image: initial commit ci: initial commit
.github/workflows/workflow.yml | 88 + COPYING.MIT | 17 + README.md | 98 + classes/perl-hacks.bbclass | 53 + classes/purecap-sysroot.bbclass | 59 + classes/purecap-useradd.bbclass | 1 + conf/distro/morello.conf | 18 + conf/layer.conf | 23 + kas/base.yml | 38 + kas/debug-fvp.yml | 20 + kas/debug-soc.yml | 10 + kas/morello-linux-debug.yml | 24 + .../cheri-patches/0001-purecap-patches.patch | 183 ++ ...1-Configure-do-not-tweak-mips-cflags.patch | 36 + ...sysroot-and-debug-prefix-map-from-co.patch | 78 + .../openssl/files/afalg.patch | 31 + recipes-connectivity/openssl/files/run-ptest | 12 + .../openssl/openssl-morello_3.0.8.bb | 164 ++ .../0000-net-fix-provenance-error.patch | 35 + ...000-sysinfo-fix-build-with-musl-libc.patch | 32 + ...emalloc-align-and-work-with-16-not-8.patch | 168 ++ ...002-duktape-set-shift-to-5-for-CHERI.patch | 55 + .../0003-duktape-add-aling-to-16.patch | 121 + ...ed-use-padding-of-16-not-8-for-alloc.patch | 85 + .../0005-embed-fix-alignment-issues.patch | 93 + ...6-duk_config-use-debug-and-self-test.patch | 46 + .../0007-duktape-fix-stack-reallocation.patch | 64 + recipes-connectivity/zabbix/files/COPYING | 341 +++ .../files/zabbix-agentd-morello.service | 15 + .../zabbix/files/zabbix-agentd.conf | 536 +++++ .../zabbix/files/zabbix-proxy.conf | 1461 ++++++++++++ .../zabbix/files/zabbix-proxy.service | 15 + .../files/zabbix-server-morello.service | 20 + .../zabbix/files/zabbix-server.conf | 990 +++++++++ .../zabbix/files/zabbix.conf.php | 59 + .../zabbix/zabbix-agentd-morello_5.0.38.bb | 52 + .../zabbix/zabbix-frontend_5.0.38.bb | 24 + .../zabbix/zabbix-morello.inc | 103 + .../zabbix/zabbix-proxy-morello_5.0.38.bb | 65 + .../zabbix/zabbix-server-morello_5.0.38.bb | 71 + .../base-passwd/base-passwd-morello_3.5.29.bb | 128 ++ .../base-passwd/files/add_shutdown.patch | 19 + .../base-passwd/files/disable-docs.patch | 24 + .../base-passwd/files/disable-shell.patch | 57 + recipes-core/base-passwd/files/input.patch | 22 + 
recipes-core/base-passwd/files/kvm.patch | 23 + recipes-core/base-passwd/files/nobash.patch | 15 + recipes-core/base-passwd/files/noshadow.patch | 14 + recipes-core/images/morello-image.bb | 73 + ...st-ncurses-silence-capability-misuse.patch | 37 + recipes-core/ncurses/ncurses-morello.inc | 87 + recipes-core/ncurses/ncurses-morello_6.4.bb | 16 + recipes-core/ncurses/site_config/headers | 5 + recipes-core/readline/files/inputrc | 61 + recipes-core/readline/files/rl-native.map | 12 + recipes-core/readline/readline-morello.inc | 68 + .../readline/readline-morello_8.1.2.bb | 7 + .../readline/readline/configure-fix.patch | 35 + recipes-core/readline/readline/norpath.patch | 21 + .../util-linux/util-linux-morello_2.37.4.bb | 23 + recipes-core/zlib/files/run-ptest | 7 + recipes-core/zlib/zlib-morello_1.2.13.bb | 43 + ...gument-order-to-qsort_r-to-match-pos.patch | 45 + ...change-defines-from-freebsd-to-cheri.patch | 57 + ...n-bypass-autoconf-2.69-version-check.patch | 30 + recipes-dbs/postgresql/postgresql-morello.inc | 400 ++++ .../postgresql/postgresql-morello_9.6.bb | 155 ++ recipes-dbs/postgresql/postgresql/pg_config | 15 + .../postgresql/postgresql/postgres-bench | 16 + .../postgresql/postgresql/postgres-test | 49 + .../postgresql/postgresql/postgresql-init | 64 + .../postgresql/postgresql-init.service | 19 + .../postgresql/postgresql-morello.init | 193 ++ .../postgresql/postgresql-morello.service | 29 + .../postgresql/postgresql/postgresql-profile | 4 + .../postgresql/postgresql/postgresql-setup | 73 + .../postgresql/postgresql/postgresql.pam | 4 + .../postgresql/postgresql/test-schedule | 1 + recipes-dbs/postgresql/postgresql_%.bbappend | 7 + recipes-devtools/php/files/pg_config | 15 + recipes-devtools/php/files/php.ini | 1950 +++++++++++++++++ recipes-devtools/php/files/zabbix-fpm.conf | 24 + ...re.ac-don-t-include-build-libtool.m4.patch | 30 + ...001-opcache-config.m4-enable-opcache.patch | 237 ++ ...p-don-t-use-broken-wrapper-for-mkdir.patch | 29 + 
...1-php.m4-don-t-unset-cache-variables.patch | 39 + recipes-devtools/php/php/70_mod_php7.conf | 9 + .../php/php/CVE-2023-3247-1.patch | 87 + .../php/php/CVE-2023-3247-2.patch | 29 + recipes-devtools/php/php/CVE-2023-3824.patch | 91 + .../php/php/debian-php-fixheader.patch | 32 + recipes-devtools/php/php/iconv.patch | 41 + .../php/php/imap-fix-autofoo.patch | 41 + recipes-devtools/php/php/pear-makefile.patch | 22 + recipes-devtools/php/php/phar-makefile.patch | 46 + recipes-devtools/php/php/php-fpm-apache.conf | 6 + recipes-devtools/php/php/php-fpm.conf | 510 +++++ recipes-devtools/php/php/php-fpm.service | 10 + .../php/php/php_exec_native.patch | 26 + .../php/php/xfail_two_bug_tests.patch | 34 + recipes-devtools/php/php_%.bbappend | 74 + recipes-devtools/php/php_7.4.33.bb | 276 +++ ...0001-tclCompCmdsSZ-cast-to-uintptr_t.patch | 28 + recipes-devtools/tcltk/tcl-morello_8.6.11.bb | 104 + .../tcltk/tcl/alter-includedir.patch | 56 + .../tcl/fix_issue_with_old_distro_glibc.patch | 39 + .../tcl/fix_non_native_build_issue.patch | 64 + recipes-devtools/tcltk/tcl/interp.patch | 32 + recipes-devtools/tcltk/tcl/run-ptest | 17 + .../tcltk/tcl/tcl-add-soname.patch | 32 + .../tcl-remove-hardcoded-install-path.patch | 32 + recipes-extended/bzip2/bzip2-morello_1.0.8.bb | 72 + recipes-extended/bzip2/files/Makefile.am | 74 + recipes-extended/bzip2/files/configure.ac | 11 + recipes-extended/bzip2/files/run-ptest | 2 + .../libidn2/libidn2-morello_2.3.2.bb | 50 + recipes-httpd/nginx/files/fastcgi-php.conf | 13 + recipes-httpd/nginx/files/http_status.conf | 7 + recipes-httpd/nginx/files/zabbix-web.conf | 79 + recipes-httpd/nginx/nginx_%.bbappend | 29 + ...ow-for-storing-caps-in-shared-memory.patch | 30 + .../linux/files/0003-defconfig-modify.patch | 38 + recipes-kernel/linux/linux-morello_%.bbappend | 6 + .../0001-tools-fix-cheri-provenance.patch | 32 + ..._endpoint_linux-fix-cheri-provenance.patch | 28 + recipes-protocols/net-snmp/files/init | 67 + 
recipes-protocols/net-snmp/files/snmpd.conf | 422 ++++ .../net-snmp/files/snmptrapd.conf | 18 + ...ath.m4-keep-consistent-between-32bit.patch | 38 + .../0001-config_os_headers-Error-Fix.patch | 35 + ...1-get_pid_from_inode-Include-limit.h.patch | 27 + ....c-Don-t-check-for-return-from-EVP_M.patch | 34 + ...004-configure-fix-incorrect-variable.patch | 28 + .../CVE-2022-44792-CVE-2022-44793.patch | 116 + .../net-snmp-morello/fix-libtool-finish.patch | 34 + ....7.2-fix-engineBoots-value-on-SIGHUP.patch | 44 + ...add-knob-whether-nlist.h-are-checked.patch | 36 + .../net-snmp-fix-for-disable-des.patch | 30 + ...ting-add-the-output-format-for-ptest.patch | 35 + .../reproducibility-have-printcap.patch | 30 + .../net-snmp/net-snmp-morello/run-ptest | 5 + .../net-snmp/net-snmp-morello/snmpd.service | 14 + .../net-snmp-morello/snmptrapd.service | 14 + .../net-snmp/net-snmp-morello_5.9.3.bb | 322 +++ recipes-support/curl/curl-morello_7.82.0.bb | 116 + ...0001-openssl-fix-CN-check-error-code.patch | 38 + .../curl/files/CVE-2022-22576.patch | 145 ++ .../curl/files/CVE-2022-27774-1.patch | 45 + .../curl/files/CVE-2022-27774-2.patch | 80 + .../curl/files/CVE-2022-27774-3.patch | 83 + .../curl/files/CVE-2022-27774-4.patch | 35 + .../curl/files/CVE-2022-27775.patch | 37 + .../curl/files/CVE-2022-27776.patch | 115 + .../curl/files/CVE-2022-27779.patch | 42 + .../curl/files/CVE-2022-27780.patch | 33 + .../curl/files/CVE-2022-27781.patch | 43 + .../curl/files/CVE-2022-27782-1.patch | 458 ++++ .../curl/files/CVE-2022-27782-2.patch | 71 + .../curl/files/CVE-2022-30115.patch | 82 + .../curl/files/CVE-2022-32205.patch | 174 ++ .../curl/files/CVE-2022-32206.patch | 51 + .../curl/files/CVE-2022-32207.patch | 283 +++ .../curl/files/CVE-2022-32208.patch | 67 + .../curl/files/CVE-2022-32221.patch | 28 + .../curl/files/CVE-2022-35252.patch | 72 + .../curl/files/CVE-2022-42915.patch | 53 + .../curl/files/CVE-2022-42916.patch | 136 ++ .../curl/files/CVE-2022-43551.patch | 35 + 
.../curl/files/CVE-2022-43552.patch | 80 + .../curl/files/CVE-2023-23914_5-1.patch | 280 +++ .../curl/files/CVE-2023-23914_5-2.patch | 23 + .../curl/files/CVE-2023-23914_5-3.patch | 45 + .../curl/files/CVE-2023-23914_5-4.patch | 48 + .../curl/files/CVE-2023-23914_5-5.patch | 118 + ....c-patch-out-tests-that-require-a-wo.patch | 37 + ...ncrease-default-timeval-tolerance-50.patch | 33 + ...-monotonic_prc_fallback-as-retriable.patch | 28 + ...ts-are-marked-failed-only-when-all-a.patch | 81 + .../files/Makefile-missing-test-dir.patch | 27 + recipes-support/libevent/files/run-ptest | 29 + .../libevent/libevent-morello_2.1.12.bb | 64 + ...01-pcre_jit_compile-cheri-provenance.patch | 89 + ...2-sljitNativeARM_64-cheri-provenance.patch | 61 + .../0003-sljitUtils-cheri-provenance.patch | 39 + recipes-support/libpcre/files/Makefile | 183 ++ recipes-support/libpcre/files/run-ptest | 3 + .../libpcre/libpcre-morello_8.45.bb | 91 + .../libunistring/libunistring-morello_1.0.bb | 36 + .../0001-config-fix-provenance-errors.patch | 807 +++++++ .../0002-tpool-remove-errors.patch | 37 + .../0003-config-Remove-format-error.patch | 42 + .../0004-main-Remove-format-error.patch | 28 + ...0005-connection-fix-provenance-error.patch | 67 + .../0006-sets-fix-provenance-error.patch | 36 + ...07-slapd-search-fix-cheri-provenance.patch | 152 ++ .../0001-build-top.mk-unset-STRIP_OPTS.patch | 38 + ...if-filter-fix-parallel-build-failure.patch | 32 + ...-Makefile.in-ignore-the-mkdir-errors.patch | 33 + ...de-ldap_pvt_thread.h-before-redefini.patch | 54 + .../openldap/openldap-morello/initscript | 35 + .../remove-user-host-pwd-from-version.patch | 39 + .../openldap/openldap-morello/slapd.service | 10 + .../openldap-morello/use-urandom.patch | 35 + .../openldap/openldap-morello_2.5.12.bb | 255 +++ 204 files changed, 18661 insertions(+) create mode 100644 .github/workflows/workflow.yml create mode 100644 COPYING.MIT create mode 100644 README.md create mode 100644 classes/perl-hacks.bbclass create mode 
100644 classes/purecap-sysroot.bbclass create mode 100644 classes/purecap-useradd.bbclass create mode 100644 conf/distro/morello.conf create mode 100644 conf/layer.conf create mode 100644 kas/base.yml create mode 100644 kas/debug-fvp.yml create mode 100644 kas/debug-soc.yml create mode 100644 kas/morello-linux-debug.yml create mode 100644 recipes-connectivity/openssl/cheri-patches/0001-purecap-patches.patch create mode 100644 recipes-connectivity/openssl/files/0001-Configure-do-not-tweak-mips-cflags.patch create mode 100644 recipes-connectivity/openssl/files/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch create mode 100644 recipes-connectivity/openssl/files/afalg.patch create mode 100644 recipes-connectivity/openssl/files/run-ptest create mode 100644 recipes-connectivity/openssl/openssl-morello_3.0.8.bb create mode 100644 recipes-connectivity/zabbix/cheri-patches/0000-net-fix-provenance-error.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0000-sysinfo-fix-build-with-musl-libc.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0001-memalloc-align-and-work-with-16-not-8.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0002-duktape-set-shift-to-5-for-CHERI.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0003-duktape-add-aling-to-16.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0004-embed-use-padding-of-16-not-8-for-alloc.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0005-embed-fix-alignment-issues.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0006-duk_config-use-debug-and-self-test.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0007-duktape-fix-stack-reallocation.patch create mode 100644 recipes-connectivity/zabbix/files/COPYING create mode 100644 recipes-connectivity/zabbix/files/zabbix-agentd-morello.service create mode 100644 recipes-connectivity/zabbix/files/zabbix-agentd.conf create mode 
100644 recipes-connectivity/zabbix/files/zabbix-proxy.conf create mode 100644 recipes-connectivity/zabbix/files/zabbix-proxy.service create mode 100644 recipes-connectivity/zabbix/files/zabbix-server-morello.service create mode 100644 recipes-connectivity/zabbix/files/zabbix-server.conf create mode 100644 recipes-connectivity/zabbix/files/zabbix.conf.php create mode 100644 recipes-connectivity/zabbix/zabbix-agentd-morello_5.0.38.bb create mode 100644 recipes-connectivity/zabbix/zabbix-frontend_5.0.38.bb create mode 100644 recipes-connectivity/zabbix/zabbix-morello.inc create mode 100644 recipes-connectivity/zabbix/zabbix-proxy-morello_5.0.38.bb create mode 100644 recipes-connectivity/zabbix/zabbix-server-morello_5.0.38.bb create mode 100644 recipes-core/base-passwd/base-passwd-morello_3.5.29.bb create mode 100644 recipes-core/base-passwd/files/add_shutdown.patch create mode 100644 recipes-core/base-passwd/files/disable-docs.patch create mode 100644 recipes-core/base-passwd/files/disable-shell.patch create mode 100644 recipes-core/base-passwd/files/input.patch create mode 100644 recipes-core/base-passwd/files/kvm.patch create mode 100644 recipes-core/base-passwd/files/nobash.patch create mode 100644 recipes-core/base-passwd/files/noshadow.patch create mode 100644 recipes-core/images/morello-image.bb create mode 100644 recipes-core/ncurses/cheri-patches/0001-test-ncurses-silence-capability-misuse.patch create mode 100644 recipes-core/ncurses/ncurses-morello.inc create mode 100644 recipes-core/ncurses/ncurses-morello_6.4.bb create mode 100644 recipes-core/ncurses/site_config/headers create mode 100644 recipes-core/readline/files/inputrc create mode 100644 recipes-core/readline/files/rl-native.map create mode 100644 recipes-core/readline/readline-morello.inc create mode 100644 recipes-core/readline/readline-morello_8.1.2.bb create mode 100644 recipes-core/readline/readline/configure-fix.patch create mode 100644 recipes-core/readline/readline/norpath.patch create mode 
100644 recipes-core/util-linux/util-linux-morello_2.37.4.bb create mode 100644 recipes-core/zlib/files/run-ptest create mode 100644 recipes-core/zlib/zlib-morello_1.2.13.bb create mode 100644 recipes-dbs/postgresql/cheri-patches/0001-port.h-change-argument-order-to-qsort_r-to-match-pos.patch create mode 100644 recipes-dbs/postgresql/cheri-patches/0002-qsort-change-defines-from-freebsd-to-cheri.patch create mode 100644 recipes-dbs/postgresql/files/0003-configure.in-bypass-autoconf-2.69-version-check.patch create mode 100644 recipes-dbs/postgresql/postgresql-morello.inc create mode 100644 recipes-dbs/postgresql/postgresql-morello_9.6.bb create mode 100755 recipes-dbs/postgresql/postgresql/pg_config create mode 100644 recipes-dbs/postgresql/postgresql/postgres-bench create mode 100644 recipes-dbs/postgresql/postgresql/postgres-test create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-init create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-init.service create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-morello.init create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-morello.service create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-profile create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-setup create mode 100644 recipes-dbs/postgresql/postgresql/postgresql.pam create mode 100644 recipes-dbs/postgresql/postgresql/test-schedule create mode 100644 recipes-dbs/postgresql/postgresql_%.bbappend create mode 100755 recipes-devtools/php/files/pg_config create mode 100644 recipes-devtools/php/files/php.ini create mode 100644 recipes-devtools/php/files/zabbix-fpm.conf create mode 100644 recipes-devtools/php/php/0001-configure.ac-don-t-include-build-libtool.m4.patch create mode 100644 recipes-devtools/php/php/0001-opcache-config.m4-enable-opcache.patch create mode 100644 recipes-devtools/php/php/0001-php-don-t-use-broken-wrapper-for-mkdir.patch create mode 100644 
recipes-devtools/php/php/0001-php.m4-don-t-unset-cache-variables.patch create mode 100644 recipes-devtools/php/php/70_mod_php7.conf create mode 100644 recipes-devtools/php/php/CVE-2023-3247-1.patch create mode 100644 recipes-devtools/php/php/CVE-2023-3247-2.patch create mode 100644 recipes-devtools/php/php/CVE-2023-3824.patch create mode 100644 recipes-devtools/php/php/debian-php-fixheader.patch create mode 100644 recipes-devtools/php/php/iconv.patch create mode 100644 recipes-devtools/php/php/imap-fix-autofoo.patch create mode 100644 recipes-devtools/php/php/pear-makefile.patch create mode 100644 recipes-devtools/php/php/phar-makefile.patch create mode 100644 recipes-devtools/php/php/php-fpm-apache.conf create mode 100644 recipes-devtools/php/php/php-fpm.conf create mode 100644 recipes-devtools/php/php/php-fpm.service create mode 100644 recipes-devtools/php/php/php_exec_native.patch create mode 100644 recipes-devtools/php/php/xfail_two_bug_tests.patch create mode 100644 recipes-devtools/php/php_%.bbappend create mode 100644 recipes-devtools/php/php_7.4.33.bb create mode 100644 recipes-devtools/tcltk/cheri-patches/0001-tclCompCmdsSZ-cast-to-uintptr_t.patch create mode 100644 recipes-devtools/tcltk/tcl-morello_8.6.11.bb create mode 100644 recipes-devtools/tcltk/tcl/alter-includedir.patch create mode 100644 recipes-devtools/tcltk/tcl/fix_issue_with_old_distro_glibc.patch create mode 100644 recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch create mode 100644 recipes-devtools/tcltk/tcl/interp.patch create mode 100644 recipes-devtools/tcltk/tcl/run-ptest create mode 100644 recipes-devtools/tcltk/tcl/tcl-add-soname.patch create mode 100644 recipes-devtools/tcltk/tcl/tcl-remove-hardcoded-install-path.patch create mode 100644 recipes-extended/bzip2/bzip2-morello_1.0.8.bb create mode 100644 recipes-extended/bzip2/files/Makefile.am create mode 100644 recipes-extended/bzip2/files/configure.ac create mode 100644 recipes-extended/bzip2/files/run-ptest create mode 
100644 recipes-extended/libidn2/libidn2-morello_2.3.2.bb create mode 100644 recipes-httpd/nginx/files/fastcgi-php.conf create mode 100644 recipes-httpd/nginx/files/http_status.conf create mode 100644 recipes-httpd/nginx/files/zabbix-web.conf create mode 100644 recipes-httpd/nginx/nginx_%.bbappend create mode 100644 recipes-kernel/linux/cheri-patches/0001-mman-allow-for-storing-caps-in-shared-memory.patch create mode 100644 recipes-kernel/linux/files/0003-defconfig-modify.patch create mode 100644 recipes-kernel/linux/linux-morello_%.bbappend create mode 100644 recipes-protocols/net-snmp/cheri-patches/0001-tools-fix-cheri-provenance.patch create mode 100644 recipes-protocols/net-snmp/cheri-patches/0002-udp_endpoint_linux-fix-cheri-provenance.patch create mode 100755 recipes-protocols/net-snmp/files/init create mode 100644 recipes-protocols/net-snmp/files/snmpd.conf create mode 100644 recipes-protocols/net-snmp/files/snmptrapd.conf create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0001-config_os_headers-Error-Fix.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0001-get_pid_from_inode-Include-limit.h.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0001-snmplib-keytools.c-Don-t-check-for-return-from-EVP_M.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0004-configure-fix-incorrect-variable.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/CVE-2022-44792-CVE-2022-44793.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/fix-libtool-finish.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/net-snmp-add-knob-whether-nlist.h-are-checked.patch create mode 100644 
recipes-protocols/net-snmp/net-snmp-morello/net-snmp-fix-for-disable-des.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/net-snmp-testing-add-the-output-format-for-ptest.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/reproducibility-have-printcap.patch create mode 100755 recipes-protocols/net-snmp/net-snmp-morello/run-ptest create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/snmpd.service create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/snmptrapd.service create mode 100644 recipes-protocols/net-snmp/net-snmp-morello_5.9.3.bb create mode 100644 recipes-support/curl/curl-morello_7.82.0.bb create mode 100644 recipes-support/curl/files/0001-openssl-fix-CN-check-error-code.patch create mode 100644 recipes-support/curl/files/CVE-2022-22576.patch create mode 100644 recipes-support/curl/files/CVE-2022-27774-1.patch create mode 100644 recipes-support/curl/files/CVE-2022-27774-2.patch create mode 100644 recipes-support/curl/files/CVE-2022-27774-3.patch create mode 100644 recipes-support/curl/files/CVE-2022-27774-4.patch create mode 100644 recipes-support/curl/files/CVE-2022-27775.patch create mode 100644 recipes-support/curl/files/CVE-2022-27776.patch create mode 100644 recipes-support/curl/files/CVE-2022-27779.patch create mode 100644 recipes-support/curl/files/CVE-2022-27780.patch create mode 100644 recipes-support/curl/files/CVE-2022-27781.patch create mode 100644 recipes-support/curl/files/CVE-2022-27782-1.patch create mode 100644 recipes-support/curl/files/CVE-2022-27782-2.patch create mode 100644 recipes-support/curl/files/CVE-2022-30115.patch create mode 100644 recipes-support/curl/files/CVE-2022-32205.patch create mode 100644 recipes-support/curl/files/CVE-2022-32206.patch create mode 100644 recipes-support/curl/files/CVE-2022-32207.patch create mode 100644 recipes-support/curl/files/CVE-2022-32208.patch create mode 100644 recipes-support/curl/files/CVE-2022-32221.patch create mode 100644 
recipes-support/curl/files/CVE-2022-35252.patch create mode 100644 recipes-support/curl/files/CVE-2022-42915.patch create mode 100644 recipes-support/curl/files/CVE-2022-42916.patch create mode 100644 recipes-support/curl/files/CVE-2022-43551.patch create mode 100644 recipes-support/curl/files/CVE-2022-43552.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-1.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-2.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-3.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-4.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-5.patch create mode 100644 recipes-support/libevent/files/0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch create mode 100644 recipes-support/libevent/files/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch create mode 100644 recipes-support/libevent/files/0003-test-mark-util-monotonic_prc_fallback-as-retriable.patch create mode 100644 recipes-support/libevent/files/0004-test-retriable-tests-are-marked-failed-only-when-all-a.patch create mode 100644 recipes-support/libevent/files/Makefile-missing-test-dir.patch create mode 100644 recipes-support/libevent/files/run-ptest create mode 100644 recipes-support/libevent/libevent-morello_2.1.12.bb create mode 100644 recipes-support/libpcre/cheri-patches/0001-pcre_jit_compile-cheri-provenance.patch create mode 100644 recipes-support/libpcre/cheri-patches/0002-sljitNativeARM_64-cheri-provenance.patch create mode 100644 recipes-support/libpcre/cheri-patches/0003-sljitUtils-cheri-provenance.patch create mode 100644 recipes-support/libpcre/files/Makefile create mode 100644 recipes-support/libpcre/files/run-ptest create mode 100644 recipes-support/libpcre/libpcre-morello_8.45.bb create mode 100644 recipes-support/libunistring/libunistring-morello_1.0.bb create mode 100644 recipes-support/openldap/cheri-patches/0001-config-fix-provenance-errors.patch 
create mode 100644 recipes-support/openldap/cheri-patches/0002-tpool-remove-errors.patch create mode 100644 recipes-support/openldap/cheri-patches/0003-config-Remove-format-error.patch create mode 100644 recipes-support/openldap/cheri-patches/0004-main-Remove-format-error.patch create mode 100644 recipes-support/openldap/cheri-patches/0005-connection-fix-provenance-error.patch create mode 100644 recipes-support/openldap/cheri-patches/0006-sets-fix-provenance-error.patch create mode 100644 recipes-support/openldap/cheri-patches/0007-slapd-search-fix-cheri-provenance.patch create mode 100644 recipes-support/openldap/openldap-morello/0001-build-top.mk-unset-STRIP_OPTS.patch create mode 100644 recipes-support/openldap/openldap-morello/0001-ldif-filter-fix-parallel-build-failure.patch create mode 100644 recipes-support/openldap/openldap-morello/0001-libraries-Makefile.in-ignore-the-mkdir-errors.patch create mode 100644 recipes-support/openldap/openldap-morello/0001-librewrite-include-ldap_pvt_thread.h-before-redefini.patch create mode 100644 recipes-support/openldap/openldap-morello/initscript create mode 100644 recipes-support/openldap/openldap-morello/remove-user-host-pwd-from-version.patch create mode 100644 recipes-support/openldap/openldap-morello/slapd.service create mode 100644 recipes-support/openldap/openldap-morello/use-urandom.patch create mode 100644 recipes-support/openldap/openldap-morello_2.5.12.bb
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- README.md | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..65fdcb3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,98 @@
+meta-morello-distro
+===================
+
+This layer provides user space libraries machine translated to `Morello`
+and recompiled with `purecap` (c64) for the ARM Morello SDK.
+
+It allows to run purecap and non purecap versions of the libraries
+to be tested in parallel. Purecap libraries have a dedicated sysroot.
+
+# Building images
+
+```
+$ kas build ./meta-morello-distro/kas/debug-soc.yml
+```
+
+# Limitations
+The purecap libraries are tested to a limited degree.
+
+
+Yocto-wise:
+- package Q&A is disabled and runtime dependency checks
+- ptest is disabled/ignored
+- recipes and package config can be incomplete/broken
+
+# Structure
+Most of the recipes here are copies of existing recipes in other layers
+postfixed with `morello`, source of the original recipe is listed
+in the `MORELLO_SRC` variable, the original recipe path is preserved, ${PV}
+is not. The git hashes of layers that were used as base of these recipes are
+stored in `MORELLO_LAYER_SRC_REF` variable in the `layer.conf` file.
+
+The reason for this is that the c64 versions of the libraries live in
+parallel to the a64 on the system, which is a design choice, hence a
+simple `*.bbappend` would not cut it.
+
+The purecap libraries are placed in the purecap sysroot, as defined by
+`${PURECAP_SYSROOT_DIR}` in meta-morello [1], which is where the
+runtime linker shall look for all dependencies.
+
+Most of the `CHERI` patches are placed in the...`cheri-patches` folder at the
+root of the said recipe.
+
+Some sources are pulled from `CHERI-BSD` repo and then patched further to
+work on Linux. In some cases patches are taken from CHERI-BSD and rebased
+on top of different versions of the said libraries. There are cases where
+we were patching a library oblivious to the fact that a CHERI port already
+exists. Some contributions were not found elsewhere.
+
+If you see any errors or are the author of these patches/recipes and think
+we have missed something (patch authors etc.) please reach out to us and
+it shall be fixed !
+
+# The current userland libraries consist of:
+- postgresql 9.6
+- zabbix 5.0.38 server/agent/proxy (with embedded JS)
+- curl/openssl/zlib/ncurses/readline/ et al.
+
+# Adding new recipes:
+- in theory the dev process should be as simple as:
+ - find existing recipe for the library you want
+ - copy over its content into library-morello_X.Y.Z.bb
+ - add:
+
+ ```
+ inherit pure-cap-kheaders purecap-sysroot
+ ...
+ TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+ ```
+ - compile
+ - digest the logs
+ - create patches and put them in the cheri-patches folder
+ - repeat the last two steps until there are no errors
+ - add to the image
+ - watch it crash at runtime (FVP is reducing the length of the dev loop here)
+ - run through gdb
+ - create more cheri-patches
+
+- if the are no obvious runtime errors you are done
+
+We tend to stick inherit/requires at the top of the `*.bb` files for readability,
+do the same where possible.
+
+Contributing
+------------
+
+We accept patches through the mailing list only, the patch should be named [meta-morello-distro]
+https://op-lists.linaro.org/mailman3/lists/linux-morello-distros.op-lists.li...
+
+
+References
+----------
+[1] https://git.morello-project.org/morello/meta-morello
+
+maintainers
+-----------
+* Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+* Harrison Carter hcarter@thegoodpenguin.co.uk
+
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- COPYING.MIT | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 COPYING.MIT
diff --git a/COPYING.MIT b/COPYING.MIT
new file mode 100644
index 0000000..e14c371
--- /dev/null
+++ b/COPYING.MIT
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
\ No newline at end of file
Co-authored-by: Harrison Carter hcarter@thegoodpenguin.co.uk Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- kas/base.yml | 38 +++++++++++++++++++++++++++++++++++++ kas/debug-fvp.yml | 20 +++++++++++++++++++ kas/debug-soc.yml | 10 ++++++++++ kas/morello-linux-debug.yml | 24 +++++++++++++++++++++++ 4 files changed, 92 insertions(+) create mode 100644 kas/base.yml create mode 100644 kas/debug-fvp.yml create mode 100644 kas/debug-soc.yml create mode 100644 kas/morello-linux-debug.yml
diff --git a/kas/base.yml b/kas/base.yml
new file mode 100644
index 0000000..e796349
--- /dev/null
+++ b/kas/base.yml
@@ -0,0 +1,38 @@
+header:
+ version: 11
+ includes:
+ - repo: meta-morello
+ file: kas/base.yml
+
+defaults:
+ repos:
+ refspec: kirkstone
+
+repos:
+ meta-morello-distro:
+
+ meta-morello:
+ url: "https://git.morello-project.org/morello/meta-morello.git"
+ refspec: "431908fa33773d2df2b0fafb72491793f3f33d41"
+ layers:
+ meta-morello:
+ meta-morello-toolchain:
+
+ meta-openembedded:
+ url: "https://github.com/openembedded/meta-openembedded"
+ refspec: "278ec081a64e6a7679d6def550101158126cd935"
+ layers:
+ meta-oe:
+ meta-python:
+ meta-networking:
+ meta-filesystems:
+ meta-webserver:
+
+machine: unset
+
+target:
+ - morello-image
+
+local_conf_header:
+ base: |
+ DISTRO = "morello"
diff --git a/kas/debug-fvp.yml b/kas/debug-fvp.yml
new file mode 100644
index 0000000..a87f06b
--- /dev/null
+++ b/kas/debug-fvp.yml
@@ -0,0 +1,20 @@
+header:
+ version: 11
+ includes:
+ - base.yml
+ - morello-linux-debug.yml
+
+machine: morello-fvp
+
+local_conf_header:
+ fvp-config: |
+
+ LICENSE_FLAGS_ACCEPTED:append = " Arm-FVP-EULA"
+
+ INHERIT += "fvpboot"
+
+ CORE_IMAGE_EXTRA_INSTALL:append = " ssh-pregen-hostkeys"
+
+ FVP_CONSOLES[default] = "terminal_uart_ap"
+target:
+ - core-image-minimal
\ No newline at end of file
diff --git a/kas/debug-soc.yml b/kas/debug-soc.yml
new file mode 100644
index 0000000..d6b0638
--- /dev/null
+++ b/kas/debug-soc.yml
@@ -0,0 +1,10 @@
+header:
+ version: 11
+ includes:
+ - base.yml
+ - morello-linux-debug.yml
+
+machine: morello-soc
+
+target:
+ - morello-image
diff --git a/kas/morello-linux-debug.yml b/kas/morello-linux-debug.yml
new file mode 100644
index 0000000..bbb535e
--- /dev/null
+++ b/kas/morello-linux-debug.yml
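Review bot: The `target:` at the end of kas/debug-fvp.yml replaces the `morello-image` target inherited from kas/base.yml with `core-image-minimal`, so the FVP debug build does not build the image this layer defines, while kas/debug-soc.yml keeps `morello-image`; if the difference is deliberate, a one-line comment next to it saying why would save the next reader a search. The same file appends `ssh-pregen-hostkeys` to CORE_IMAGE_EXTRA_INSTALL, which puts the same pregenerated SSH host keys on every image built from this config, so the only thing marking the config as development-only is its file name; a comment such as `# debug/FVP only: host keys are pregenerated and shared by every image` would make that explicit. The file also lacks a trailing newline.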
@@ -0,0 +1,24 @@
+header:
+ version: 11
+ includes:
+ - base.yml
+
+local_conf_header:
+
+ setup: |
+ LOGIN_PASSWORD = "NOPASSWD:"
+
+ data_collectors: |
+ DB_USER ?= "admin"
+ DB_PASSWORD ?= "admin"
+
+ DB_ROOT_PASSWORD ?= "root"
+
+ DB_ZABBIX_USER_SERVER ?= "zabbix"
+ DB_ZABBIX_USER_AGENT ?= "zabbtx"
+ DB_ZABBIX_PASSWORD ?= "zabbix"
+ DB_ZABBIX_NAME ?= "zabbix"
+
+ image: |
+ EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
+ IMAGE_INSTALL:append = " nano"
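Review bot: `DB_ZABBIX_USER_AGENT ?= "zabbtx"` looks like a typo for `"zabbix"` given the SERVER, PASSWORD and NAME lines around it; if the agent is really meant to use a different account than the server, a comment saying so would stop the next reader "fixing" it. The same file sets `LOGIN_PASSWORD = "NOPASSWD:"`, admin/admin and root database credentials and `debug-tweaks`, and debug-soc.yml in the previous hunk includes it for the morello-soc hardware machine, not only for the FVP. The `?=` defaults are overridable, but the file has no statement of intent; a header comment such as `# Debug-only defaults: passwordless login, fixed weak DB credentials and debug-tweaks. Override every value here before building an image that is exposed on a network.` would make the risk explicit where it is configured.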
Co-authored-by: Harrison Carter hcarter@thegoodpenguin.co.uk Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- conf/distro/morello.conf | 18 ++++++++++++++++++ conf/layer.conf | 23 +++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 conf/distro/morello.conf create mode 100644 conf/layer.conf
diff --git a/conf/distro/morello.conf b/conf/distro/morello.conf
new file mode 100644
index 0000000..3846ca9
--- /dev/null
+++ b/conf/distro/morello.conf
@@ -0,0 +1,18 @@
+DISTRO = "morello"
+
+DISTRO_NAME = "Morello Dev Kit Distro"
+
+DISTRO_VERSION_BASE = "1.0"
+DISTRO_VERSION = "${DISTRO_VERSION_BASE}+snapshot-${DATE}"
+DISTRO_CODENAME = "kirkstone-${DISTRO}-r${DISTRO_VERSION_BASE}"
+
+MAINTAINER = "P Zalewski <pzalewski@thegoodpenguin.co.uk; H Carter hcarter@thegoodpenguin.co.uk"
+
+CONF_VERSION = "2"
+
+DISTRO = "morello"
+
+INIT_MANAGER = "systemd"
+
+PREFERRED_VERSION_postgresql-morello = "9.6"
+PREFERRED_VERSION_php = "7.4.33"
diff --git a/conf/layer.conf b/conf/layer.conf
new file mode 100644
index 0000000..1b1bf4d
--- /dev/null
+++ b/conf/layer.conf
@@ -0,0 +1,23 @@
+BBPATH := "${BBPATH}:${LAYERDIR}"
+
+BBFILES := "${BBFILES} \
+ ${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "meta-morello-distro"
+BBFILE_PATTERN_meta-morello-distro := "^${LAYERDIR}/"
+BBFILE_PRIORITY_meta-morello-distro = "5"
+
+LAYERDEPENDS_meta-morello-distro= " \
+ meta-morello \
+ openembedded-layer \
+ meta-python \
+ networking-layer \
+ webserver \
+ filesystems-layer \
+"
+LAYERSERIES_COMPAT_meta-morello-distro = "kirkstone"
+
+MORELLO_LAYER_SRC_REF[poky] = "407c3e0237d947ec003bdd1af89a226121c7939c"
+MORELLO_LAYER_SRC_REF[meta-openembedded] = "278ec081a64e6a7679d6def550101158126cd935"
+MORELLO_LAYER_SRC_REF[meta-cloud-services] = "65f6633fe3159fe1fe6cb3701249c76aeccd116a"
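Review bot: `PREFERRED_VERSION_postgresql-morello = "9.6"` and `PREFERRED_VERSION_php = "7.4.33"` pin releases whose upstream support has ended (PostgreSQL 9.6 in November 2021, PHP 7.4 in November 2022), so the distro will not receive security fixes for either; a comment recording why these versions are required and how CVEs against them are tracked belongs next to the pins, e.g. `# EOL upstream; kept for zabbix 5.0 compatibility, CVE exposure must be tracked manually`. `DISTRO = "morello"` is assigned twice in morello.conf; drop the second. The `MAINTAINER` string opens `<pzalewski@...` without a closing `>`, so the address is not parseable as a mailbox. In layer.conf, `LAYERDEPENDS_meta-morello-distro= " \` is missing the space before `=` that every other assignment in the file has.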
purecap-sysroot: override path variables for the purecap sysroot purecap-user-add: allow adding users to the purecap sysroot perl-hacks: account for the lack of perl in the purecap sysroot
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- classes/perl-hacks.bbclass | 53 +++++++++++++++++++++++++++++ classes/purecap-sysroot.bbclass | 59 +++++++++++++++++++++++++++++++++ classes/purecap-useradd.bbclass | 1 + 3 files changed, 113 insertions(+) create mode 100644 classes/perl-hacks.bbclass create mode 100644 classes/purecap-sysroot.bbclass create mode 100644 classes/purecap-useradd.bbclass
diff --git a/classes/perl-hacks.bbclass b/classes/perl-hacks.bbclass new file mode 100644 index 0000000..b105a3a --- /dev/null +++ b/classes/perl-hacks.bbclass @@ -0,0 +1,53 @@ +# Sourced from poky/meta/classes/perl-version.bbclass - MIT license + +# We do not have perl in the purecap sysroot, thus we use hacks. + +# Determine the staged version of perl from the perl configuration file +# Assign vardepvalue, because otherwise signature is changed before and after +# perl is built (from None to real version in config.sh). +get_perl_version[vardepvalue] = "${PERL_OWN_DIR}" +def get_perl_version(d): + import re + cfg = d.expand('${STAGING_DIR_HOST}/usr/lib${PERL_OWN_DIR}/perl5/config.sh') + try: + f = open(cfg, 'r') + except IOError: + return None + l = f.readlines(); + f.close(); + r = re.compile(r"^version='(\d*.\d*.\d*)'") + for s in l: + m = r.match(s) + if m: + return m.group(1) + return None + +PERLVERSION := "${@get_perl_version(d)}" +PERLVERSION[vardepvalue] = "" + + +# Determine the staged arch of perl from the perl configuration file +# Assign vardepvalue, because otherwise signature is changed before and after +# perl is built (from None to real version in config.sh). +def get_perl_arch(d): + import re + cfg = d.expand('${STAGING_DIR_HOST}/usr/lib${PERL_OWN_DIR}/perl5/config.sh') + try: + f = open(cfg, 'r') + except IOError: + return None + l = f.readlines(); + f.close(); + r = re.compile("^archname='([^']*)'") + for s in l: + m = r.match(s) + if m: + return m.group(1) + return None + +PERLARCH := "${@get_perl_arch(d)}" +PERLARCH[vardepvalue] = "" + + +STAGING_LIBDIR_HACK="${STAGING_DIR_HOST}/usr/lib" +STAGING_BASELIBDIR_HACK="${STAGING_DIR_HOST}/lib" \ No newline at end of file diff --git a/classes/purecap-sysroot.bbclass b/classes/purecap-sysroot.bbclass new file mode 100644 index 0000000..3295d40 --- /dev/null +++ b/classes/purecap-sysroot.bbclass 
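Review bot: In both get_perl_version and get_perl_arch the handle from `f = open(cfg, 'r')` is closed only when `f.readlines()` succeeds; `with open(cfg, 'r') as f: l = f.readlines()` inside the try closes it on every path and removes the stray `;` terminators. The header says this is copied from poky's perl-version.bbclass, so if byte parity with upstream is the goal a comment saying so is enough, but the version pattern `r"^version='(\d*.\d*.\d*)'"` uses unescaped dots that accept any separator and would be tighter as `\.`. The file also ends without a trailing newline, unlike purecap-sysroot.bbclass in the next hunk.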
@@ -0,0 +1,59 @@ +# Prefix all of the paths (root AND usr) with ${PURECAP_SYSROOT_DIR}, apart from the systemd. +# We allow non purecap systemd app to manage purecap packages for now (which with further hacks is achievable) + +# Path prefixes +export base_prefix = "${PURECAP_SYSROOT_DIR}" +export prefix = "${PURECAP_SYSROOT_DIR}/usr" +export exec_prefix = "${prefix}" + +root_prefix = "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '${exec_prefix}', '${base_prefix}', d)}" + +# Base paths +export base_bindir = "${root_prefix}/bin" +export base_sbindir = "${root_prefix}/sbin" +export base_libdir = "${root_prefix}/${baselib}" +export nonarch_base_libdir = "${root_prefix}/lib" + +# Architecture independent paths +export sysconfdir = "${base_prefix}/etc" +export servicedir = "${base_prefix}/srv" +export sharedstatedir = "${base_prefix}/com" +export localstatedir = "${base_prefix}/var" +export datadir = "${prefix}/share" +export infodir = "${datadir}/info" +export mandir = "${datadir}/man" +export docdir = "${datadir}/doc" + +export nonarch_libdir = "${exec_prefix}/lib" + +export systemd_user_unitdir = "/lib/systemd/user" +export systemd_unitdir = "/lib/systemd" +export systemd_system_unitdir = "/lib/systemd/system" + +# Architecture dependent paths +export bindir = "${exec_prefix}/bin" +export sbindir = "${exec_prefix}/sbin" +export libdir = "${exec_prefix}/${baselib}" +export libexecdir = "${exec_prefix}/libexec" +export includedir = "${exec_prefix}/include" +export oldincludedir = "${exec_prefix}/include" + +# Disable QA for now +INSANE_SKIP:${PN} += "file-rdeps" +EXCLUDE_FROM_SHLIBS = "1" +do_package_qa[noexec] = "1" + +# Stop debian class creating pkg duplicates +AUTO_LIBNAME_PKGS = "" + +# Debug purecap, worth double checking linkage etc. 
+PURECAP_DEBUGDIR = "/morello-debug" + +do_install:append:class-target() { + install -d ${D}${PURECAP_DEBUGDIR} +} + +FILES:${PN}-dbg += "${PURECAP_DEBUGDIR}" + +OBJDUMP_COMMAND = "${OBJDUMP} -D" +READELF_COMMAND = "${READELF} -a" diff --git a/classes/purecap-useradd.bbclass b/classes/purecap-useradd.bbclass new file mode 100644 index 0000000..2a0e0da --- /dev/null +++ b/classes/purecap-useradd.bbclass @@ -0,0 +1 @@ +DEPENDS += "base-passwd-morello" \ No newline at end of file
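Review bot: `do_package_qa[noexec] = "1"` switches off every package QA check for each recipe inheriting this class, far beyond the `file-rdeps` test that the `INSANE_SKIP:${PN}` line above already waives, so missing runtime dependencies, text relocations, unstripped binaries and misplaced files in the purecap sysroot are never reported. Prefer dropping the noexec and listing only the tests that actually fail, `INSANE_SKIP:${PN} += "file-rdeps <other-failing-test>"`, with a comment per entry explaining why the purecap layout trips it. `# Disable QA for now` should at least name what breaks so the waiver can be revisited rather than becoming permanent.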
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .../cheri-patches/0001-purecap-patches.patch | 183 ++++++++++++++++++ ...1-Configure-do-not-tweak-mips-cflags.patch | 36 ++++ ...sysroot-and-debug-prefix-map-from-co.patch | 78 ++++++++ .../openssl/files/afalg.patch | 31 +++ recipes-connectivity/openssl/files/run-ptest | 12 ++ .../openssl/openssl-morello_3.0.8.bb | 164 ++++++++++++++++ 6 files changed, 504 insertions(+) create mode 100644 recipes-connectivity/openssl/cheri-patches/0001-purecap-patches.patch create mode 100644 recipes-connectivity/openssl/files/0001-Configure-do-not-tweak-mips-cflags.patch create mode 100644 recipes-connectivity/openssl/files/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch create mode 100644 recipes-connectivity/openssl/files/afalg.patch create mode 100644 recipes-connectivity/openssl/files/run-ptest create mode 100644 recipes-connectivity/openssl/openssl-morello_3.0.8.bb
diff --git a/recipes-connectivity/openssl/cheri-patches/0001-purecap-patches.patch b/recipes-connectivity/openssl/cheri-patches/0001-purecap-patches.patch new file mode 100644 index 0000000..6102e6d --- /dev/null +++ b/recipes-connectivity/openssl/cheri-patches/0001-purecap-patches.patch 
@@ -0,0 +1,183 @@ +From c571aa7d659815902276a0c69eba170eb77074a1 Mon Sep 17 00:00:00 2001 +From: Brooks Davis brooks@one-eyed-alien.net +Date: Mon, 3 Apr 2023 11:23:57 +0100 +Subject: [PATCH] Purecap patches from CHERI BSD that are squashed and rebased. + +Re-add side channels [1] + +The branchless assignments use a pattern which results in the lost of tags +on function pointers and odd length corruption for data pointers. For the +current model of function pointers (single PCC) it might be possible to +fix the function pointer case, but this can't work for objects. + +Use more vaddr_t to fix -Wcheri-bitwise-operations [2] + +[1] https://github.com/CTSRD-CHERI/cheribsd/commit/a0eac17db0649fe134bed192bff30... +[2] https://github.com/CTSRD-CHERI/cheribsd/commit/a2a2a118f7944938e1fc5bb53875e... + +Co-authored-by: Brooks Davis brooks@one-eyed-alien.net +Co-authored-by: Alexander Richardson Alexander.Richardson@cl.cam.ac.uk + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + crypto/bn/bn_nist.c | 48 +++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 8 deletions(-) + +diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c +index da10c40..7f5c6bd 100644 +--- a/crypto/bn/bn_nist.c ++++ b/crypto/bn/bn_nist.c +@@ -338,7 +338,7 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + sizeof(unsigned int)]; + } buf; + BN_ULONG c_d[BN_NIST_192_TOP], *res; +- PTR_SIZE_INT mask; ++ ptraddr_t mask; + static const BIGNUM ossl_bignum_nist_p_192_sqr = { + (BN_ULONG *)_nist_p_192_sqr, + OSSL_NELEM(_nist_p_192_sqr), +@@ -442,10 +442,14 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + mask = + 0 - (PTR_SIZE_INT) bn_sub_words(c_d, r_d, _nist_p_192[0], + BN_NIST_192_TOP); +- mask &= 0 - (PTR_SIZE_INT) carry; ++ mask &= 0 - (ptraddr_t) carry; ++#ifndef __CHERI_PURE_CAPABILITY__ + res = c_d; + res = (BN_ULONG *) + (((PTR_SIZE_INT) res & ~mask) | ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? 
r_d : c_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_192_TOP); + r->top = BN_NIST_192_TOP; + bn_correct_top(r); +@@ -479,7 +483,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + sizeof(unsigned int)]; + } buf; + BN_ULONG c_d[BN_NIST_224_TOP], *res; +- PTR_SIZE_INT mask; ++ ptraddr_t mask; + union { + bn_addsub_f f; + PTR_SIZE_INT p; +@@ -616,19 +620,27 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + carry = + (int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1], + BN_NIST_224_TOP); ++#ifndef __CHERI_PURE_CAPABILITY__ + mask = 0 - (PTR_SIZE_INT) carry; + u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | + ((PTR_SIZE_INT) bn_add_words & ~mask); ++#else ++ u.f = carry ? bn_sub_words : bn_add_words; ++#endif + } else + carry = 1; + + /* otherwise it's effectively same as in BN_nist_mod_192... */ + mask = + 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP); +- mask &= 0 - (PTR_SIZE_INT) carry; ++ mask &= 0 - (ptraddr_t) carry; ++#ifndef __CHERI_PURE_CAPABILITY__ + res = c_d; + res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | + ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? r_d : c_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_224_TOP); + r->top = BN_NIST_224_TOP; + bn_correct_top(r); +@@ -660,7 +672,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + sizeof(unsigned int)]; + } buf; + BN_ULONG c_d[BN_NIST_256_TOP], *res; +- PTR_SIZE_INT mask; ++ ptraddr_t mask; + union { + bn_addsub_f f; + PTR_SIZE_INT p; +@@ -859,18 +871,26 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + carry = + (int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1], + BN_NIST_256_TOP); ++#ifndef __CHERI_PURE_CAPABILITY__ + mask = 0 - (PTR_SIZE_INT) carry; + u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | + ((PTR_SIZE_INT) bn_add_words & ~mask); ++#else ++ u.f = carry ? 
bn_sub_words : bn_add_words; ++#endif + } else + carry = 1; + + mask = + 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP); +- mask &= 0 - (PTR_SIZE_INT) carry; ++ mask &= 0 - (ptraddr_t) carry; ++#ifndef __CHERI_PURE_CAPABILITY__ + res = c_d; + res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | + ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? r_d : c_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_256_TOP); + r->top = BN_NIST_256_TOP; + bn_correct_top(r); +@@ -906,7 +926,7 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + sizeof(unsigned int)]; + } buf; + BN_ULONG c_d[BN_NIST_384_TOP], *res; +- PTR_SIZE_INT mask; ++ ptraddr_t mask; + union { + bn_addsub_f f; + PTR_SIZE_INT p; +@@ -1140,18 +1160,26 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + carry = + (int)bn_add_words(r_d, r_d, _nist_p_384[-carry - 1], + BN_NIST_384_TOP); ++#ifndef __CHERI_PURE_CAPABILITY__ + mask = 0 - (PTR_SIZE_INT) carry; + u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | + ((PTR_SIZE_INT) bn_add_words & ~mask); ++#else ++ u.f = carry ? bn_sub_words : bn_add_words; ++#endif + } else + carry = 1; + + mask = + 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP); +- mask &= 0 - (PTR_SIZE_INT) carry; ++ mask &= 0 - (ptraddr_t) carry; ++#ifndef __CHERI_PURE_CAPABILITY__ + res = c_d; + res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | + ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? r_d : c_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_384_TOP); + r->top = BN_NIST_384_TOP; + bn_correct_top(r); +@@ -1224,9 +1252,13 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, + mask = + 0 - (PTR_SIZE_INT) bn_sub_words(t_d, r_d, _nist_p_521, + BN_NIST_521_TOP); ++#ifndef __CHERI_PURE_CAPABILITY__ + res = t_d; + res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | + ((PTR_SIZE_INT) r_d & mask)); ++#else ++ res = mask ? 
r_d : t_d; ++#endif + nist_cp_bn(r_d, res, BN_NIST_521_TOP); + r->top = BN_NIST_521_TOP; + bn_correct_top(r); +-- +2.34.1 + diff --git a/recipes-connectivity/openssl/files/0001-Configure-do-not-tweak-mips-cflags.patch b/recipes-connectivity/openssl/files/0001-Configure-do-not-tweak-mips-cflags.patch new file mode 100644 index 0000000..0b7abc3 --- /dev/null +++ b/recipes-connectivity/openssl/files/0001-Configure-do-not-tweak-mips-cflags.patch @@ -0,0 +1,36 @@ +From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin alex@linutronix.de +Date: Tue, 14 Sep 2021 12:18:25 +0200 +Subject: [PATCH] Configure: do not tweak mips cflags + +This conflicts with mips machine definitons from yocto, +e.g. +| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2 + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin alex@linutronix.de +--- + Configure | 10 ---------- + 1 file changed, 10 deletions(-) + +Index: openssl-3.0.4/Configure +=================================================================== +--- openssl-3.0.4.orig/Configure ++++ openssl-3.0.4/Configure +@@ -1423,16 +1423,6 @@ if ($target =~ /^mingw/ && `$config{CC} + push @{$config{shared_ldflag}}, "-mno-cygwin"; + } + +-if ($target =~ /linux.*-mips/ && !$disabled{asm} +- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { +- # minimally required architecture flags for assembly modules +- my $value; +- $value = '-mips2' if ($target =~ /mips32/); +- $value = '-mips3' if ($target =~ /mips64/); +- unshift @{$config{cflags}}, $value; +- unshift @{$config{cxxflags}}, $value if $config{CXX}; +-} +- + # If threads aren't disabled, check how possible they are + unless ($disabled{threads}) { + if ($auto_threads) { 
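Review bot: Under `__CHERI_PURE_CAPABILITY__` the added `res = mask ? r_d : c_d;` and `u.f = carry ? bn_sub_words : bn_add_words;` branches replace the mask-based selects in every BN_nist_mod_* function, so the NIST field reductions are no longer written to be constant-time in the purecap build; the patch subject says "Re-add side channels", but nothing in the recipe in the following hunks tells a consumer of libcrypto-morello. Whether the toolchain lowers these ternaries to a branch or to a conditional select is a property of the compiler and should be checked on the produced object rather than assumed either way. A comment next to `file://0001-purecap-patches.patch` in the recipe, e.g. `# purecap build replaces the constant-time pointer selects in bn_nist.c with branches; see 0001-purecap-patches.patch`, would record the trade-off where it is consumed.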
diff --git a/recipes-connectivity/openssl/files/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/recipes-connectivity/openssl/files/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch new file mode 100644 index 0000000..bafdbaa --- /dev/null +++ b/recipes-connectivity/openssl/files/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch 
@@ -0,0 +1,78 @@ +From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= martin@geanix.com +Date: Tue, 6 Nov 2018 14:50:47 +0100 +Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler + info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The openssl build system generates buildinf.h containing the full +compiler command line used to compile objects. This breaks +reproducibility, as the compile command is baked into libcrypto, where +it is used when running `openssl version -f`. + +Add stripped build variables for the compiler and cflags lines, and use +those when generating buildinfo.h. + +This is based on a similar patch for older openssl versions: +https://patchwork.openembedded.org/patch/147229/ + +Upstream-Status: Inappropriate [OE specific] +Signed-off-by: Martin Hundebøll martin@geanix.com + +Update to fix buildpaths qa issue for '-fmacro-prefix-map'. + +Signed-off-by: Kai Kang kai.kang@windriver.com + +Update to fix buildpaths qa issue for '-ffile-prefix-map'. 
+ +Signed-off-by: Khem Raj raj.khem@gmail.com + +--- + Configurations/unix-Makefile.tmpl | 12 +++++++++++- + crypto/build.info | 2 +- + 2 files changed, 12 insertions(+), 2 deletions(-) + +Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.0.4/Configurations/unix-Makefile.tmpl +@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl + '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} + BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) + +-# CPPFLAGS_Q is used for one thing only: to build up buildinf.h ++# *_Q variables are used for one thing only: to build up buildinf.h + CPPFLAGS_Q={- $cppflags1 =~ s|([\"])|\$1|g; + $cppflags2 =~ s|([\"])|\$1|g; + $lib_cppflags =~ s|([\"])|\$1|g; + join(' ', $lib_cppflags || (), $cppflags2 || (), + $cppflags1 || ()) -} + ++CFLAGS_Q={- for (@{$config{CFLAGS}}) { ++ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; ++ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; ++ s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g; ++ } ++ join(' ', @{$config{CFLAGS}}) -} ++ ++CC_Q={- $config{CC} =~ s|--sysroot=[^ ]+|--sysroot=recipe-sysroot|g; ++ join(' ', $config{CC}) -} ++ + PERLASM_SCHEME= {- $target{perlasm_scheme} -} + + # For x86 assembler: Set PROCESSOR to 386 if you want to support +Index: openssl-3.0.4/crypto/build.info +=================================================================== +--- openssl-3.0.4.orig/crypto/build.info ++++ openssl-3.0.4/crypto/build.info +@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF + + DEPEND[info.o]=buildinf.h + DEPEND[cversion.o]=buildinf.h +-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" ++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)" + + GENERATE[uplink-x86.S]=../ms/uplink-x86.pl + GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl 
diff --git a/recipes-connectivity/openssl/files/afalg.patch b/recipes-connectivity/openssl/files/afalg.patch new file mode 100644 index 0000000..cf77e87 --- /dev/null +++ b/recipes-connectivity/openssl/files/afalg.patch @@ -0,0 +1,31 @@ +Don't refuse to build afalgeng if cross-compiling or the host kernel is too old. + +Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688] +Signed-off-by: Ross Burton ross.burton@intel.com + +Index: openssl-3.0.4/Configure +=================================================================== +--- openssl-3.0.4.orig/Configure ++++ openssl-3.0.4/Configure +@@ -1681,20 +1681,7 @@ $config{CFLAGS} = [ map { $_ eq '--ossl- + unless ($disabled{afalgeng}) { + $config{afalgeng}=""; + if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { +- my $minver = 4*10000 + 1*100 + 0; +- if ($config{CROSS_COMPILE} eq "") { +- my $verstr = `uname -r`; +- my ($ma, $mi1, $mi2) = split("\.", $verstr); +- ($mi2) = $mi2 =~ /(\d+)/; +- my $ver = $ma*10000 + $mi1*100 + $mi2; +- if ($ver < $minver) { +- disable('too-old-kernel', 'afalgeng'); +- } else { +- push @{$config{engdirs}}, "afalg"; +- } +- } else { +- disable('cross-compiling', 'afalgeng'); +- } ++ push @{$config{engdirs}}, "afalg"; + } else { + disable('not-linux', 'afalgeng'); + } diff --git a/recipes-connectivity/openssl/files/run-ptest b/recipes-connectivity/openssl/files/run-ptest new file mode 100644 index 0000000..8dff791 --- /dev/null +++ b/recipes-connectivity/openssl/files/run-ptest @@ -0,0 +1,12 @@ +#!/bin/sh + +set -e + +# Optional arguments are 'list' to lists all tests, or the test name (base name +# ie test_evp, not 03_test_evp.t). + +export TOP=. +# OPENSSL_ENGINES is relative from the test binaries +export OPENSSL_ENGINES=../engines + +perl ./test/run_tests.pl $* | sed -u -r -e '/(.*) .*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) .*.skipped: (.*)/ s/^/SKIP: /g' 
diff --git a/recipes-connectivity/openssl/openssl-morello_3.0.8.bb b/recipes-connectivity/openssl/openssl-morello_3.0.8.bb new file mode 100644 index 0000000..d296ae1 --- /dev/null +++ b/recipes-connectivity/openssl/openssl-morello_3.0.8.bb 
@@ -0,0 +1,164 @@ +inherit lib_package pkgconfig perlnative pure-cap-kheaders purecap-sysroot + +MORELLO_SRC = "poky/meta/recipes-connectivity/openssl/openssl_3.0.8.bb" + +SUMMARY = "Secure Socket Layer" +DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools, with rebased patches from CHERI BSD repo." +HOMEPAGE = "http://www.openssl.org/" +BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" +SECTION = "libs/network" + +TOOLCHAIN = "${MORELLO_TOOLCHAIN}" + +RPROVIDES:${PN} = "openssl-morello" + +FILESEXTRAPATHS:prepend := "${THISDIR}/cheri-patches:" + +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04" + +SRC_URI = "http://www.openssl.org/source/openssl-3.0.8.tar.gz \ + file://run-ptest \ + file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ + file://afalg.patch \ + file://0001-Configure-do-not-tweak-mips-cflags.patch \ + file://0001-purecap-patches.patch \ + " + +SRC_URI[sha256sum] = "6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e" + +PACKAGECONFIG ?= "" + +PACKAGECONFIG[no-tls1] = "no-tls1" +PACKAGECONFIG[no-tls1_1] = "no-tls1_1" + +S = "${WORKDIR}/openssl-3.0.8" +B = "${WORKDIR}/build" + +do_configure[cleandirs] = "${B}" + +# no-asm as otherwise crypto wont compile, no-async is needed for musl +EXTRA_OECONF:append = " no-async" +EXTRA_OECONF:append = " no-asm" +EXTRA_OECONF:append = " shared" + +EXTRA_OECONF:remove:toolchain-llvm-morello = "--disable-static" + +# This allows disabling deprecated or undesirable crypto algorithms. +# The default is to trust upstream choices. 
+DEPRECATED_CRYPTO_FLAGS ?= "" + +do_configure () { + HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + perl ${S}/Configure ${EXTRA_OECONF} --prefix=$prefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} linux-aarch64 + perl ${B}/configdata.pm --dump +} + +do_compile () { + oe_runmake +} + +do_install () { + + oe_runmake DESTDIR=${D} install + + libdirssl="${libdir}/ssl-3" + sysconfdirssl="${sysconfdir}/ssl" + + install -d ${D}${sysconfdirssl} + mv ${D}${libdirssl}/certs \ + ${D}${libdirssl}/private \ + ${D}${libdirssl}/openssl.cnf \ + ${D}${sysconfdirssl}/ + + # Although absolute symlinks would be OK for the target, they become + # invalid if native or nativesdk are relocated from sstate. + ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdirssl}/certs + ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdirssl}/private + ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdirssl}/openssl.cnf +} + +do_install:append() { + ${OBJDUMP_COMMAND} ${D}${libdir}/libssl.so > ${D}${PURECAP_DEBUGDIR}/libssl.dump + ${READELF_COMMAND} ${D}${libdir}/libssl.so > ${D}${PURECAP_DEBUGDIR}/libssl.readelf +} + +PTEST_BUILD_HOST_FILES += "configdata.pm" +PTEST_BUILD_HOST_PATTERN = "perl_version =" +do_install_ptest () { + + local ptest_path = "${D}${PURECAP_SYSROOT_DIR}${PTEST_PATH}" + install -d ${ptest_path} + install -d ${ptest_path}/test + install -m755 ${B}/test/p_test.so ${ptest_path}/test + install -m755 ${B}/test/provider_internal_test.cnf ${ptest_path}/test + + # Prune the build tree + rm -f ${B}/fuzz/*.* ${B}/test/*.* + cp ${S}/Configure ${B}/configdata.pm ${ptest_path} + sed 's|${S}|${ptest_path}|g' -i ${ptest_path}/configdata.pm + cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${ptest_path} + + # For test_shlibload + ln -s ${libdir}/libcrypto.so.1.1 ${ptest_path}/ + ln -s ${libdir}/libssl.so.1.1 
${ptest_path}/ + install -d ${ptest_path}/apps + ln -s ${bindir}/openssl ${ptest_path}/apps + install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${ptest_path}/apps + install -m755 ${B}/apps/CA.pl ${ptest_path}/apps + install -d ${ptest_path}/engines + install -m755 ${B}/engines/dasync.so ${ptest_path}/engines + install -m755 ${B}/engines/loader_attic.so ${ptest_path}/engines + install -m755 ${B}/engines/ossltest.so ${ptest_path}/engines + install -d ${ptest_path}/providers + install -m755 ${B}/providers/legacy.so ${ptest_path}/providers + install -d ${ptest_path}/Configurations + cp -rf ${S}/Configurations/* ${ptest_path}/Configurations/ + + # seems to be needed with perl 5.32.1 + install -d ${ptest_path}/util/perl/recipes + cp ${ptest_path}/test/recipes/tconversion.pl ${ptest_path}/util/perl/recipes/ + sed 's|${S}|${ptest_path}|g' -i ${ptest_path}/util/wrap.pl +} + +# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto +# package RRECOMMENDS on this package. This will enable the configuration +# file to be installed for both the openssl-bin package and the libcrypto +# package since the openssl-bin package depends on the libcrypto package. 
+ +PACKAGES =+ "libcrypto-morello libssl-morello openssl-morello-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy" + +FILES:${PN} += "${libdir}/ssl-3/* \ + ${libdir}/ossl-modules/ \ + ${sysconfdir}/ssl \ + " + +FILES:${PN}-bin = "${bindir}/openssl" + +FILES:libcrypto-morello = "${libdir}/libcrypto${SOLIBS}" +FILES:libssl-morello = "${libdir}/libssl${SOLIBS}" +FILES:openssl-morello-conf = "${sysconfdir}/ssl/openssl.cnf \ + ${libdir}/ssl-3/openssl.cnf* \ + " + +FILES:${PN}-engines = "${libdir}/engines-3" + +FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash" +FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so" + + +CONFFILES:openssl-morello-conf = "${sysconfdir}/ssl/openssl.cnf" + +RRECOMMENDS:libcrypto-mmorello += "openssl-morello-conf ${PN}-ossl-module-legacy" + +RDEPENDS:${PN}-misc = "perl" +RDEPENDS:${PN}-ptest += "openssl-morello-bin perl perl-modules bash sed" + +RDEPENDS:${PN}-bin += "openssl-morello-conf" + +CVE_PRODUCT = "openssl:openssl" +CVE_VERSION_SUFFIX = "alphabetical" + +# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 +# Apache in meta-webserver is already recent enough +CVE_CHECK_IGNORE += "CVE-2019-0190" \ No newline at end of file
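Review bot: `RRECOMMENDS:libcrypto-mmorello += "openssl-morello-conf ${PN}-ossl-module-legacy"` misspells the package name defined by `FILES:libcrypto-morello` above, so the recommendation is attached to a package that does not exist and has no effect; libcrypto is installed without its openssl.cnf. `DEPRECATED_CRYPTO_FLAGS ?= ""` is documented as the knob for disabling deprecated algorithms, but do_configure never passes it to `Configure`, so it is dead configuration. In do_install_ptest, `local ptest_path = "${D}${PURECAP_SYSROOT_DIR}${PTEST_PATH}"` has spaces around `=`, which sh parses as three separate names (`=` is not a valid one), so the function fails or leaves `ptest_path` empty; write `local ptest_path="${D}${PURECAP_SYSROOT_DIR}${PTEST_PATH}"`. The `ln -s ${libdir}/libcrypto.so.1.1` and `libssl.so.1.1` links look carried over from a 1.1 recipe; 3.0.8 installs `.so.3`, so they would dangle — verify against the built tree.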
Co-authored-by: Harrison Carter hcarter@thegoodpenguin.co.uk Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- recipes-httpd/nginx/files/fastcgi-php.conf | 13 ++++ recipes-httpd/nginx/files/http_status.conf | 7 ++ recipes-httpd/nginx/files/zabbix-web.conf | 79 ++++++++++++++++++++++ recipes-httpd/nginx/nginx_%.bbappend | 29 ++++++++ 4 files changed, 128 insertions(+) create mode 100644 recipes-httpd/nginx/files/fastcgi-php.conf create mode 100644 recipes-httpd/nginx/files/http_status.conf create mode 100644 recipes-httpd/nginx/files/zabbix-web.conf create mode 100644 recipes-httpd/nginx/nginx_%.bbappend
diff --git a/recipes-httpd/nginx/files/fastcgi-php.conf b/recipes-httpd/nginx/files/fastcgi-php.conf
new file mode 100644
index 0000000..467a9e7
--- /dev/null
+++ b/recipes-httpd/nginx/files/fastcgi-php.conf
@@ -0,0 +1,13 @@
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info ^(.+?.php)(/.*)$;
+
+# Check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_index index.php;
+include fastcgi.conf;
diff --git a/recipes-httpd/nginx/files/http_status.conf b/recipes-httpd/nginx/files/http_status.conf
new file mode 100644
index 0000000..c24d54b
--- /dev/null
+++ b/recipes-httpd/nginx/files/http_status.conf
@@ -0,0 +1,7 @@
+server {
+ location = /basic_status {
+ stub_status;
+ allow 127.0.0.1;
+ deny all;
+ }
+}
\ No newline at end of file
diff --git a/recipes-httpd/nginx/files/zabbix-web.conf b/recipes-httpd/nginx/files/zabbix-web.conf
new file mode 100644
index 0000000..5e2a639
--- /dev/null
+++ b/recipes-httpd/nginx/files/zabbix-web.conf
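Review bot: `fastcgi_split_path_info ^(.+?.php)(/.*)$;` has an unescaped `.` before `php` as rendered here, so it matches any character rather than a literal dot; the same appears in zabbix-web.conf in the next hunk (`location ~ [^/].php(/|$)`, `fastcgi_split_path_info ^(.+.php)(/.+)$`, `location ~ /.ht`). If the backslashes were lost in transit this is moot; otherwise each should read `\.php` and `/\.ht` so that only genuine PHP paths are routed to php-fpm and only real dotfiles are denied. The http_status.conf server block has no `listen` directive, so it binds nginx's default port rather than the 8080 used by zabbix-web.conf; a comment stating that this is intended would help.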
@@ -0,0 +1,79 @@
+server {
+ listen 8080;
+ server_name myzabbix.com;
+
+ root /usr/share/zabbix;
+
+ index index.php;
+
+ location = /favicon.ico {
+ log_not_found off;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location /assets {
+ access_log off;
+ expires 10d;
+ }
+
+ location ~ /.ht {
+ deny all;
+ }
+
+ location ~ /(api/|conf[^.]|include|locale) {
+ deny all;
+ return 404;
+ }
+
+ location /vendor {
+ deny all;
+ return 404;
+ }
+
+ location ~ [^/].php(/|$) {
+ fastcgi_pass unix:/var/run/php/zabbix.sock;
+ fastcgi_split_path_info ^(.+.php)(/.+)$;
+ fastcgi_index index.php;
+
+ fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
+ fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
+ fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
+
+ include fastcgi_params;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_intercept_errors on;
+ fastcgi_ignore_client_abort off;
+ fastcgi_connect_timeout 60;
+ fastcgi_send_timeout 180;
+ fastcgi_read_timeout 180;
+ fastcgi_buffer_size 128k;
+ fastcgi_buffers 4 256k;
+ fastcgi_busy_buffers_size 256k;
+ fastcgi_temp_file_write_size 256k;
+ }
+
+ # Enable php-fpm status page
+ location ~ ^/(status|ping)$ {
+ ## disable access logging for request if you prefer
+ access_log off;
+
+ ## Only allow trusted IPs for security, deny everyone else
+ # allow 127.0.0.1;
+ # allow 1.2.3.4; # your IP here
+ # deny all;
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ ## Now the port or socket of the php-fpm pool we want the status of
+ fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_pass unix:/run/php-fpm/your_socket.sock;
+ }
+}
diff --git a/recipes-httpd/nginx/nginx_%.bbappend b/recipes-httpd/nginx/nginx_%.bbappend
new file mode 100644
index 0000000..ee38f9d
--- /dev/null
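Review bot: The php-fpm status location `location ~ ^/(status|ping)$` ships with its `# allow 127.0.0.1;` and `# deny all;` lines commented out, so anyone who can reach port 8080 can read the pool's status and ping endpoints; since the sibling http_status.conf already restricts its stub_status location to 127.0.0.1, the same `allow 127.0.0.1; deny all;` should be active here before this file is installed as a default. That location also passes to `127.0.0.1:9000` while the application location uses `unix:/var/run/php/zabbix.sock`; if no pool listens on 9000 the endpoint answers 502, so the two should name the same pool. `server_name myzabbix.com;` is a placeholder that ends up in every image; either `server_name _;` or a comment that it is expected to be overridden would make that explicit.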
+++ b/recipes-httpd/nginx/nginx_%.bbappend
@@ -0,0 +1,29 @@
+
+FILESEXTRAPATHS:append := "${THISDIR}/files:"
+
+SRC_URI:append = " \
+ file://http_status.conf \
+ file://zabbix-web.conf \
+ file://fastcgi-php.conf \
+ "
+
+EXTRA_OECONF+= "\
+ --with-http_stub_status_module \
+ "
+
+do_install:append() {
+
+ install -d ${D}${sysconfdir}/nginx/conf.d/
+ cp ${WORKDIR}/zabbix-web.conf ${D}${sysconfdir}/nginx/conf.d/zabbix.conf
+
+ install -d ${D}${sysconfdir}/nginx/snippets/
+ install -m 0644 ${WORKDIR}/fastcgi-php.conf ${D}${sysconfdir}/nginx/snippets/
+
+ install -d ${D}${sysconfdir}/${BPN}/conf.d/
+ install -m 0644 ${WORKDIR}/http_status.conf ${D}${sysconfdir}/${BPN}/conf.d/
+
+ install -d ${D}${localstatedir}/lib/php/sessions
+ chown www-data:www-data -R ${D}${localstatedir}/lib/php/sessions
+}
+
+CONFFILES:${PN} = " http_status.conf "
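Review bot: `CONFFILES:${PN} = " http_status.conf "` replaces whatever CONFFILES the base nginx recipe declares with a bare filename that matches no installed path, so nginx's own configuration stops being treated as conffiles and the new file is not protected either; use `CONFFILES:${PN} += "${sysconfdir}/nginx/conf.d/http_status.conf ${sysconfdir}/nginx/conf.d/zabbix.conf"`. zabbix-web.conf is placed with `cp` while the other two files use `install -m 0644`, so its mode depends on the checkout; `install -m 0644 ${WORKDIR}/zabbix-web.conf ${D}${sysconfdir}/nginx/conf.d/zabbix.conf` keeps the three consistent. The same directory is created twice, once as `${sysconfdir}/nginx/conf.d/` and once as `${sysconfdir}/${BPN}/conf.d/`; pick one spelling. The recursive `chown www-data:www-data` at do_install time presumably relies on www-data being resolvable in the recipe sysroot's passwd under pseudo; a comment naming that dependency (or doing the chown in a postinst) would make the assumption visible.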
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .../base-passwd/base-passwd-morello_3.5.29.bb | 128 ++++++++++++++++++ .../base-passwd/files/add_shutdown.patch | 19 +++ .../base-passwd/files/disable-docs.patch | 24 ++++ .../base-passwd/files/disable-shell.patch | 57 ++++++++ recipes-core/base-passwd/files/input.patch | 22 +++ recipes-core/base-passwd/files/kvm.patch | 23 ++++ recipes-core/base-passwd/files/nobash.patch | 15 ++ recipes-core/base-passwd/files/noshadow.patch | 14 ++ 8 files changed, 302 insertions(+) create mode 100644 recipes-core/base-passwd/base-passwd-morello_3.5.29.bb create mode 100644 recipes-core/base-passwd/files/add_shutdown.patch create mode 100644 recipes-core/base-passwd/files/disable-docs.patch create mode 100644 recipes-core/base-passwd/files/disable-shell.patch create mode 100644 recipes-core/base-passwd/files/input.patch create mode 100644 recipes-core/base-passwd/files/kvm.patch create mode 100644 recipes-core/base-passwd/files/nobash.patch create mode 100644 recipes-core/base-passwd/files/noshadow.patch
diff --git a/recipes-core/base-passwd/base-passwd-morello_3.5.29.bb b/recipes-core/base-passwd/base-passwd-morello_3.5.29.bb new file mode 100644 index 0000000..a65cebe --- /dev/null +++ b/recipes-core/base-passwd/base-passwd-morello_3.5.29.bb 
@@ -0,0 +1,128 @@ +inherit autotools purecap-sysroot + +MORELLO_SRC = "poky/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb" + +SUMMARY = "Base system master password/group files" +DESCRIPTION = "The master copies of the user database files (/etc/passwd and /etc/group). The update-passwd tool is also provided to keep the system databases synchronized with these master files." +HOMEPAGE = "https://launchpad.net/base-passwd" +SECTION = "base" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a" + +TOOLCHAIN = "${MORELLO_TOOLCHAIN}" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" + +BPNPASSWD = "base-passwd" +PVPASSWD = "3.5.29" + +RECIPE_NO_UPDATE_REASON = "Version 3.5.38 requires cdebconf for update-passwd utility" + +SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/%24%7BBPNPASSWD%7D_%24%... \ + file://add_shutdown.patch \ + file://nobash.patch \ + file://noshadow.patch \ + file://input.patch \ + file://disable-docs.patch \ + file://kvm.patch \ + file://disable-shell.patch \ + " + +S="${WORKDIR}/${BPNPASSWD}-${PVPASSWD}" + +SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421" +SRC_URI[sha256sum] = "f0b66388b2c8e49c15692439d2bee63bcdd4bbbf7a782c7f64accc55986b6a36" + +# the package is taken from launchpad; that source is static and goes stale +# so we check the latest upstream from a directory that does get updated +UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/b/base-passwd/" + +do_install () { + install -d -m 755 ${D}${sbindir} + install -o root -g root -p -m 755 ${B}/update-passwd ${D}${sbindir}/ + install -d -m 755 ${D}${mandir}/man8 ${D}${mandir}/pl/man8 + install -p -m 644 ${S}/man/update-passwd.8 ${D}${mandir}/man8/ + install -p -m 644 ${S}/man/update-passwd.pl.8 \ + ${D}${mandir}/pl/man8/update-passwd.8 + gzip -9 ${D}${mandir}/man8/* ${D}${mandir}/pl/man8/* + install -d -m 755 ${D}${datadir}/base-passwd + install -o root -g root -p -m 644 ${S}/passwd.master ${D}${datadir}/base-passwd/ + sed -i 
's#:/root:#:${ROOT_HOME}:#' ${D}${datadir}/base-passwd/passwd.master + install -o root -g root -p -m 644 ${S}/group.master ${D}${datadir}/base-passwd/ + + install -d -m 755 ${D}${docdir}/${BPNPASSWD} + install -p -m 644 ${S}/debian/changelog ${D}${docdir}/${BPNPASSWD}/ + gzip -9 ${D}${docdir}/${BPNPASSWD}/* + install -p -m 644 ${S}/README ${D}${docdir}/${BPNPASSWD}/ + install -p -m 644 ${S}/debian/copyright ${D}${docdir}/${BPNPASSWD}/ +} + +basepasswd_sysroot_postinst() { +#!/bin/sh + +# Install passwd.master and group.master to sysconfdir +install -d -m 755 ${STAGING_DIR_TARGET}${sysconfdir} +for i in passwd group; do + install -p -m 644 ${STAGING_DIR_TARGET}${datadir}/base-passwd/$i.master \ + ${STAGING_DIR_TARGET}${sysconfdir}/$i +done + +# Run any useradd postinsts +for script in ${STAGING_DIR_TARGET}${bindir}/postinst-useradd-*; do + if [ -f $script ]; then + $script + fi +done +} + +SYSROOT_DIRS += "${sysconfdir}" +SYSROOT_PREPROCESS_FUNCS += "base_passwd_tweaksysroot" + +base_passwd_tweaksysroot () { + mkdir -p ${SYSROOT_DESTDIR}${bindir} + dest=${SYSROOT_DESTDIR}${bindir}/postinst-${PN} + echo "${basepasswd_sysroot_postinst}" > $dest + chmod 0755 $dest +} + +python populate_packages:prepend() { + # Add in the preinst function for ${PN} + # We have to do this here as prior to this, passwd/group.master + # would be unavailable. We need to create these files at preinst + # time before the files from the package may be available, hence + # storing the data from the files in the preinst directly. + + f = open(d.expand("${STAGING_DATADIR}/base-passwd/passwd.master"), 'r') + passwd = "".join(f.readlines()) + f.close() + f = open(d.expand("${STAGING_DATADIR}/base-passwd/group.master"), 'r') + group = "".join(f.readlines()) + f.close() + + preinst = """#!/bin/sh +mkdir -p $D${sysconfdir} +if [ ! -e $D${sysconfdir}/passwd ]; then +\tcat << 'EOF' > $D${sysconfdir}/passwd +""" + passwd + """EOF +fi +if [ ! 
-e $D${sysconfdir}/group ]; then +\tcat << 'EOF' > $D${sysconfdir}/group +""" + group + """EOF +fi +""" + d.setVar(d.expand('pkg_preinst:${PN}'), preinst) +} + +addtask do_package after do_populate_sysroot + +ALLOW_EMPTY:${PN} = "1" + +PACKAGES =+ "${PN}-update" +FILES:${PN}-update = "${sbindir}/* ${datadir}/${BPNPASSWD}" + +pkg_postinst:${PN}-update () { +#!/bin/sh +if [ -n "$D" ]; then + exit 0 +fi +${sbindir}/update-passwd +} diff --git a/recipes-core/base-passwd/files/add_shutdown.patch b/recipes-core/base-passwd/files/add_shutdown.patch new file mode 100644 index 0000000..5f357d8 --- /dev/null +++ b/recipes-core/base-passwd/files/add_shutdown.patch @@ -0,0 +1,19 @@ + +We need to have a shutdown group to allow the shutdown icon +to work correctly. Any users that want to use shutdown like +the xuser should be added to this group. + +Upstream-Status: Inappropriate [Embedded] + +Signed-off-by: Saul Wold sgw@linux.intel.com +Index: base-passwd-3.5.26/group.master +=================================================================== +--- base-passwd-3.5.26.orig/group.master ++++ base-passwd-3.5.26/group.master +@@ -36,5 +36,6 @@ sasl:*:45: + plugdev:*:46: + staff:*:50: + games:*:60: ++shutdown:*:70: + users:*:100: + nogroup:*:65534: diff --git a/recipes-core/base-passwd/files/disable-docs.patch b/recipes-core/base-passwd/files/disable-docs.patch new file mode 100644 index 0000000..14c08b7 --- /dev/null +++ b/recipes-core/base-passwd/files/disable-docs.patch 
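Review bot: `populate_packages:prepend` reads passwd.master and group.master with bare `open()`/`f.close()` and `"".join(f.readlines())`; the idiomatic form `with open(d.expand("${STAGING_DATADIR}/base-passwd/passwd.master")) as f: passwd = f.read()` also closes the file if expansion or reading fails. The SRC_URI line renders as `%24%7BBPNPASSWD%7D_%24%...`, i.e. `${BPNPASSWD}` percent-encoded and truncated; if that is the committed text rather than a mail-rendering artifact the fetch cannot resolve, so please confirm the line reads `${BPNPASSWD}_${PVPASSWD}.tar.gz` with the variables unencoded. `S="${WORKDIR}/${BPNPASSWD}-${PVPASSWD}"` lacks the spaces around `=` used everywhere else in the recipe. Because this is a copy of poky's base-passwd_3.5.29.bb carrying the noshadow patch, the passwd embedded in pkg_preinst keeps `root::0:0:...` with an empty password field; if the purecap sysroot's copy of passwd is not covered by the image's usual empty-root-password post-processing, it needs its own handling, and a comment stating which applies would help.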
@@ -0,0 +1,24 @@ +Disable documentation for now as it uses tools currently not supported +by OE-Core. It uses sgmltools and po4a. + +Upstream-Status: Inappropriate [OE-Core specific] +Signed-off-by: Saul Wold sgw@linux.intel.com + +Index: base-passwd-3.5.28/Makefile.in +=================================================================== +--- base-passwd-3.5.28.orig/Makefile.in ++++ base-passwd-3.5.28/Makefile.in +@@ -25,13 +25,10 @@ gen_configure = config.cache config.stat + confdefhs.h config.h Makefile + + all: update-passwd +- $(MAKE) -C doc all +- $(MAKE) -C man all + + install: all + mkdir -p $(DESTDIR)$(sbindir) + $(INSTALL) update-passwd $(DESTDIR)$(sbindir)/ +- $(MAKE) -C man install + + update-passwd.o: version.h + diff --git a/recipes-core/base-passwd/files/disable-shell.patch b/recipes-core/base-passwd/files/disable-shell.patch new file mode 100644 index 0000000..bfaa786 --- /dev/null +++ b/recipes-core/base-passwd/files/disable-shell.patch 
@@ -0,0 +1,57 @@ +From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001 +From: Jiaqing Zhao jiaqing.zhao@linux.intel.com +Date: Mon, 18 Apr 2022 11:22:43 +0800 +Subject: [PATCH] Disable shell for default users + +Change the shell of all global static users other than root (which +retains /bin/sh) and sync (as /bin/sync is rather harmless) to +/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30] +Signed-off-by: Jiaqing Zhao jiaqing.zhao@linux.intel.com +--- + passwd.master | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/passwd.master b/passwd.master +index e1c32ff..0cd5ffd 100644 +--- a/passwd.master ++++ b/passwd.master +@@ -1,18 +1,18 @@ + root::0:0:root:/root:/bin/sh +-daemon:*:1:1:daemon:/usr/sbin:/bin/sh +-bin:*:2:2:bin:/bin:/bin/sh +-sys:*:3:3:sys:/dev:/bin/sh ++daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin ++bin:*:2:2:bin:/bin:/sbin/nologin ++sys:*:3:3:sys:/dev:/sbin/nologin + sync:*:4:65534:sync:/bin:/bin/sync +-games:*:5:60:games:/usr/games:/bin/sh +-man:*:6:12:man:/var/cache/man:/bin/sh +-lp:*:7:7:lp:/var/spool/lpd:/bin/sh +-mail:*:8:8:mail:/var/mail:/bin/sh +-news:*:9:9:news:/var/spool/news:/bin/sh +-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh +-proxy:*:13:13:proxy:/bin:/bin/sh +-www-data:*:33:33:www-data:/var/www:/bin/sh +-backup:*:34:34:backup:/var/backups:/bin/sh +-list:*:38:38:Mailing List Manager:/var/list:/bin/sh +-irc:*:39:39:ircd:/var/run/ircd:/bin/sh +-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +-nobody:*:65534:65534:nobody:/nonexistent:/bin/sh ++games:*:5:60:games:/usr/games:/sbin/nologin ++man:*:6:12:man:/var/cache/man:/sbin/nologin ++lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin ++mail:*:8:8:mail:/var/mail:/sbin/nologin ++news:*:9:9:news:/var/spool/news:/sbin/nologin ++uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin 
++proxy:*:13:13:proxy:/bin:/sbin/nologin ++www-data:*:33:33:www-data:/var/www:/sbin/nologin ++backup:*:34:34:backup:/var/backups:/sbin/nologin ++list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin ++irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin ++gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/sbin/nologin ++nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin +-- +2.32.0 + diff --git a/recipes-core/base-passwd/files/input.patch b/recipes-core/base-passwd/files/input.patch new file mode 100644 index 0000000..3abbcad --- /dev/null +++ b/recipes-core/base-passwd/files/input.patch @@ -0,0 +1,22 @@ +Add an input group for the /dev/input/* devices. + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Darren Hart dvhart@linux.intel.com + +--- + group.master | 1 + + 1 file changed, 1 insertion(+) + +Index: base-passwd-3.5.26/group.master +=================================================================== +--- base-passwd-3.5.26.orig/group.master ++++ base-passwd-3.5.26/group.master +@@ -12,6 +12,7 @@ uucp:*:10: + man:*:12: + proxy:*:13: + kmem:*:15: ++input:*:19: + dialout:*:20: + fax:*:21: + voice:*:22: diff --git a/recipes-core/base-passwd/files/kvm.patch b/recipes-core/base-passwd/files/kvm.patch new file mode 100644 index 0000000..113d515 --- /dev/null +++ b/recipes-core/base-passwd/files/kvm.patch @@ -0,0 +1,23 @@ +From 6355278b9f744291864c373a32a8da8f84aaaf37 Mon Sep 17 00:00:00 2001 +From: Jacob Kroon jacob.kroon@gmail.com +Date: Wed, 30 Jan 2019 04:53:48 +0000 +Subject: [PATCH] Add kvm group + +Upstream-Status: Pending +Signed-off-by: Jacob Kroon jacob.kroon@gmail.com +--- + group.master | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/group.master b/group.master +index cea9d60..5b62284 100644 +--- a/group.master ++++ b/group.master +@@ -34,6 +34,7 @@ utmp:*:43: + video:*:44: + sasl:*:45: + plugdev:*:46: ++kvm:*:47: + staff:*:50: + games:*:60: + shutdown:*:70: 
diff --git a/recipes-core/base-passwd/files/nobash.patch b/recipes-core/base-passwd/files/nobash.patch new file mode 100644 index 0000000..b5a6922 --- /dev/null +++ b/recipes-core/base-passwd/files/nobash.patch @@ -0,0 +1,15 @@ +use /bin/sh instead of /bin/bash, since the latter may not be included in +some images such as minimal + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Scott Garman scott.a.garman@intel.com + +--- base-passwd/passwd.master~nobash ++++ base-passwd/passwd.master +@@ -1,4 +1,4 @@ +-root:*:0:0:root:/root:/bin/bash ++root:*:0:0:root:/root:/bin/sh + daemon:*:1:1:daemon:/usr/sbin:/bin/sh + bin:*:2:2:bin:/bin:/bin/sh + sys:*:3:3:sys:/dev:/bin/sh diff --git a/recipes-core/base-passwd/files/noshadow.patch b/recipes-core/base-passwd/files/noshadow.patch new file mode 100644 index 0000000..e27bf7d --- /dev/null +++ b/recipes-core/base-passwd/files/noshadow.patch @@ -0,0 +1,14 @@ +remove "*" for root since we don't have a /etc/shadow so far. + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Scott Garman scott.a.garman@intel.com + +--- base-passwd/passwd.master~nobash ++++ base-passwd/passwd.master +@@ -1,4 +1,4 @@ +-root:*:0:0:root:/root:/bin/sh ++root::0:0:root:/root:/bin/sh + daemon:*:1:1:daemon:/usr/sbin:/bin/sh + bin:*:2:2:bin:/bin:/bin/sh + sys:*:3:3:sys:/dev:/bin/sh
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- ...st-ncurses-silence-capability-misuse.patch | 37 ++++++++ recipes-core/ncurses/ncurses-morello.inc | 87 +++++++++++++++++++ recipes-core/ncurses/ncurses-morello_6.4.bb | 16 ++++ recipes-core/ncurses/site_config/headers | 5 ++ 4 files changed, 145 insertions(+) create mode 100644 recipes-core/ncurses/cheri-patches/0001-test-ncurses-silence-capability-misuse.patch create mode 100644 recipes-core/ncurses/ncurses-morello.inc create mode 100644 recipes-core/ncurses/ncurses-morello_6.4.bb create mode 100644 recipes-core/ncurses/site_config/headers
diff --git a/recipes-core/ncurses/cheri-patches/0001-test-ncurses-silence-capability-misuse.patch b/recipes-core/ncurses/cheri-patches/0001-test-ncurses-silence-capability-misuse.patch new file mode 100644 index 0000000..4b13aa6 --- /dev/null +++ b/recipes-core/ncurses/cheri-patches/0001-test-ncurses-silence-capability-misuse.patch @@ -0,0 +1,37 @@ +From 41fce85513400f5fc6324516d5ac23628fc38ae2 Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Tue, 11 Apr 2023 15:36:28 +0100 +Subject: [PATCH] test/ncurses: silence capability-misuse + +Cast the data to uintptr_t to silence the warning. + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + test/ncurses.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/ncurses.c b/test/ncurses.c +index afa631ad..65040902 100644 +--- a/test/ncurses.c ++++ b/test/ncurses.c +@@ -6392,7 +6392,7 @@ make_field(int frow, int fcol, int rows, int cols, bool secure) + + if (f) { + set_field_back(f, A_UNDERLINE); +- set_field_userptr(f, (void *) 0); ++ set_field_userptr(f, (void *)(uintptr_t)0); + } + return (f); + } +@@ -6487,7 +6487,7 @@ edit_secure(FIELD *me, int c) + break; + } + } +- set_field_userptr(me, (void *) len); ++ set_field_userptr(me, (void *)(uintptr_t)len); + free(temp); + } + } +-- +2.34.1 + diff --git a/recipes-core/ncurses/ncurses-morello.inc b/recipes-core/ncurses/ncurses-morello.inc new file mode 100644 index 0000000..b45aaf1 --- /dev/null +++ b/recipes-core/ncurses/ncurses-morello.inc 
@@ -0,0 +1,87 @@
+inherit autotools pkgconfig purecap-sysroot
+
+MORELLO_SRC = "poky/meta/recipes-core/ncurses/*"
+
+SUMMARY = "The New Curses library"
+DESCRIPTION = "SVr4 and XSI-Curses compatible curses library and terminfo tools including tic, infocmp, captoinfo. Supports color, multiple highlights, forms-drawing characters, and automatic recognition of keypad and function-key sequences. Extensions include resizable windows and mouse support on both xterm and Linux console using the gpm library."
+HOMEPAGE = "http://www.gnu.org/software/ncurses/ncurses.html"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=c5a4600fdef86384c41ca33ecc70a4b8;endline=27"
+SECTION = "libs"
+
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+DEPENDS += "ncurses-native"
+
+do_configure() {
+ oe_runconf \
+ --without-debug \
+ --without-ada \
+ --without-gpm \
+ --enable-termcap \
+ --enable-echo \
+ --enable-warnings \
+ --with-shared \
+ --disable-big-core \
+ --program-prefix= \
+ --with-manpage-format=normal \
+ --without-manpage-renames \
+ --disable-stripping \
+ --disable-rpath-hack \
+ --without-cxx-binding \
+ --without-cxx \
+ --enable-overwrite
+}
+
+do_compile() {
+ oe_runmake all
+}
+
+do_install:append() {
+ ${OBJDUMP_COMMAND} ${D}${libdir}/libcurses.so > ${D}${PURECAP_DEBUGDIR}/libcurses.dump
+ ${READELF_COMMAND} ${D}${libdir}/libcurses.so > ${D}${PURECAP_DEBUGDIR}/libcurses.readelf
+}
+
+PACKAGES += " \
+ ${PN}-tools \
+ ${PN}-terminfo-base \
+ ${PN}-terminfo \
+"
+
+FILES:${PN} += "\
+ ${bindir}/tput \
+ ${bindir}/tset \
+ ${bindir}/ncurses5-config \
+ ${bindir}/ncursesw5-config \
+ ${bindir}/ncurses6-config \
+ ${bindir}/ncursesw6-config \
+ ${datadir}/tabset \
+"
+
+# This keeps only tput/tset in ncurses
+# clear/reset are in already busybox
+FILES:${PN}-tools = "\
+ ${bindir}/tic \
+ ${bindir}/toe \
+ ${bindir}/infotocap \
+ ${bindir}/captoinfo \
+ ${bindir}/infocmp \
+ ${bindir}/tack \
+ ${bindir}/tabs \
+ ${bindir}/clear \
+ ${bindir}/reset \
+ "
+
+FILES:${PN}-terminfo = "\
+ ${datadir}/terminfo \
+ ${libdir}/terminfo \
+"
+
+FILES:${PN}-terminfo-base = "\
+ ${sysconfdir}/terminfo \
+"
+
+# Putting terminfo into the sysroot adds around 2800 files to
+# each recipe specific sysroot. We can live without this, particularly
+# as many recipes may have native and target copies.
+SYSROOT_DIRS:remove = "${datadir}"
\ No newline at end of file
diff --git a/recipes-core/ncurses/ncurses-morello_6.4.bb b/recipes-core/ncurses/ncurses-morello_6.4.bb
new file mode 100644
index 0000000..6ba7111
--- /dev/null
+++ b/recipes-core/ncurses/ncurses-morello_6.4.bb
@@ -0,0 +1,16 @@
+require ncurses-morello.inc
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/cheri-patches:"
+
+SRC_URI += "git://github.com/mirror/ncurses;protocol=https;branch=${SRCBRANCH} \
+ file://0001-test-ncurses-silence-capability-misuse.patch \
+ "
+
+SRCBRANCH = "master"
+SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f"
+
+S = "${WORKDIR}/git"
+
+RPROVIDES:${PN} = "ncurses-morello"
+
+RDEPENDS:${PN} += "bash"
diff --git a/recipes-core/ncurses/site_config/headers b/recipes-core/ncurses/site_config/headers
new file mode 100644
index 0000000..087b7bf
--- /dev/null
+++ b/recipes-core/ncurses/site_config/headers
@@ -0,0 +1,5 @@
+curses.h
+ncurses/curses.h
+ncurses.h
+ncurses/termcap.h
+
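Review bot: ncurses-morello_6.4.bb fetches from `github.com/mirror/ncurses`, a third-party mirror, rather than the upstream ncurses repository; the SRCREV pin makes the fetched tree reproducible, but a comment saying why the mirror is used and which upstream release `79b9071f…` corresponds to would make the provenance reviewable. In ncurses-morello.inc, `do_configure` passes no `--with-terminfo-dirs`/`--with-default-terminfo-dir`, yet `FILES:${PN}-terminfo-base` packages `${sysconfdir}/terminfo`; unless EXTRA_OECONF set elsewhere supplies those options, that package is likely empty and the split should either be documented or the options added. `RDEPENDS:${PN} += "bash"` pulls bash into the purecap sysroot for a library package; if it exists only for the ncurses*-config scripts, say so in a comment or attach it to the package that ships them. `RPROVIDES:${PN} = "ncurses-morello"` restates ${PN} and can go, and the comment `# clear/reset are in already busybox` should read `# clear/reset are already in busybox`.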
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- recipes-core/readline/files/inputrc | 61 +++++++++++++++++ recipes-core/readline/files/rl-native.map | 12 ++++ recipes-core/readline/readline-morello.inc | 68 +++++++++++++++++++ .../readline/readline-morello_8.1.2.bb | 7 ++ .../readline/readline/configure-fix.patch | 35 ++++++++++ recipes-core/readline/readline/norpath.patch | 21 ++++++ 6 files changed, 204 insertions(+) create mode 100644 recipes-core/readline/files/inputrc create mode 100644 recipes-core/readline/files/rl-native.map create mode 100644 recipes-core/readline/readline-morello.inc create mode 100644 recipes-core/readline/readline-morello_8.1.2.bb create mode 100644 recipes-core/readline/readline/configure-fix.patch create mode 100644 recipes-core/readline/readline/norpath.patch
diff --git a/recipes-core/readline/files/inputrc b/recipes-core/readline/files/inputrc new file mode 100644 index 0000000..b5c4c8a --- /dev/null +++ b/recipes-core/readline/files/inputrc @@ -0,0 +1,61 @@ +# /etc/inputrc - global inputrc for libreadline +# See readline(3readline) and `info rluserman' for more information. + +# Be 8 bit clean. +set input-meta on +set output-meta on + +# To allow the use of 8bit-characters like the german umlauts, comment out +# the line below. However this makes the meta key not work as a meta key, +# which is annoying to those which don't need to type in 8-bit characters. + +# set convert-meta off + +# try to enable the application keypad when it is called. Some systems +# need this to enable the arrow keys. +# set enable-keypad on + +# see /usr/share/doc/bash/inputrc.arrows for other codes of arrow keys + +# do not bell on tab-completion +# set bell-style none + +# some defaults / modifications for the emacs mode +$if mode=emacs + +# allow the use of the Home/End keys +# "\e[1~": beginning-of-line +# "\e[4~": end-of-line + +# allow the use of the Delete/Insert keys +# "\e[3~": delete-char +# "\e[2~": quoted-insert + +# mappings for "page up" and "page down" to step to the beginning/end +# of the history +# "\e[5~": beginning-of-history +# "\e[6~": end-of-history + +# alternate mappings for "page up" and "page down" to search the history +# "\e[5~": history-search-backward +# "\e[6~": history-search-forward + +# # mappings for Ctrl-left-arrow and Ctrl-right-arrow for word moving +# "\e[5C": forward-word +# "\e[5D": backward-word +# "\e\e[C": forward-word +# "\e\e[D": backward-word + +# $if term=rxvt +# "\e[8~": end-of-line +# $endif + +# for non RH/Debian xterm, can't hurt for RH/DEbian xterm +# "\eOH": beginning-of-line +# "\eOF": end-of-line + +# for freebsd console +# "\e[H": beginning-of-line +# "\e[F": end-of-line + +$endif 
diff --git a/recipes-core/readline/files/rl-native.map b/recipes-core/readline/files/rl-native.map
new file mode 100644
index 0000000..5e7d49c
--- /dev/null
+++ b/recipes-core/readline/files/rl-native.map
@@ -0,0 +1,12 @@
+READLINE_6.3 {
+ rl_change_environment;
+ rl_clear_history;
+ rl_executing_key;
+ rl_executing_keyseq;
+ rl_filename_stat_hook;
+ rl_history_substr_search_backward;
+ rl_history_substr_search_forward;
+ rl_input_available_hook;
+ rl_print_last_kbd_macro;
+ rl_signal_event_hook;
+};
diff --git a/recipes-core/readline/readline-morello.inc b/recipes-core/readline/readline-morello.inc
new file mode 100644
index 0000000..9c45b7d
--- /dev/null
+++ b/recipes-core/readline/readline-morello.inc
@@ -0,0 +1,68 @@ +inherit update-alternatives purecap-sysroot +inherit autotools texinfo + +MORELLO_SRC = "poky/meta/recipes-core/readline/readlinge_8.1.2.bb" + +SUMMARY = "Library for editing typed command lines" +DESCRIPTION = "The GNU Readline library provides a set of functions for use by applications that allow users to edit \ +command lines as they are typed in. Both Emacs and vi editing modes are available. The Readline library includes \ +additional functions to maintain a list of previously-entered command lines, to recall and perhaps reedit those \ +lines, and perform csh-like history expansion on previous commands." +SECTION = "libs" +HOMEPAGE = "https://tiswww.case.edu/php/chet/readline/rltop.html" + +# GPL-2.0-or-later (< 6.0), GPL-3.0-or-later (>= 6.0) +LICENSE = "GPL-3.0-or-later" +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" + +TOOLCHAIN = "${MORELLO_TOOLCHAIN}" + +DEPENDS += "ncurses-morello" + +FILESEXTRAPATHS:prepend := "${THISDIR}/files:${THISDIR}/readline:" + +SRC_URI = "${GNU_MIRROR}/readline/${BPN_READLINE}-${PV_READLINE}.tar.gz;name=archive" +SRC_URI += "file://inputrc" + +S = "${WORKDIR}/${BPN_READLINE}-${PV_READLINE}" +B = "${WORKDIR}/build" + +BPN_READLINE = "readline" +PV_READLINE = "8.1.2" + + +EXTRA_AUTORECONF += "--exclude=autoheader" +EXTRA_OECONF += "bash_cv_termcap_lib=ncurses" + +LEAD_SONAME = "libreadline.so" + +do_configure:prepend () { + if [ ! 
-e ${S}/acinclude.m4 ]; then + cat ${S}/aclocal.m4 > ${S}/acinclude.m4 + fi +} + +do_install:append() { + + # Make install doesn't properly install these + oe_libinstall -so -C shlib libhistory ${D}${libdir} + oe_libinstall -so -C shlib libreadline ${D}${libdir} + + rmdir ${D}${bindir} + rm -rf ${D}${datadir}/${BPN_READLINE}/*.c + rmdir ${D}${datadir}/${BPN_READLINE} || true + + install -m 0755 -d ${D}${sysconfdir} + install -m 0644 ${WORKDIR}/inputrc ${D}${sysconfdir}/inputrc +} + +CONFFILES:${PN} += "${sysconfdir}/inputrc" + +ALTERNATIVE_PRIORITY = "100" +ALTERNATIVE:${PN}-doc = "history.3" +ALTERNATIVE_LINK_NAME[history.3] = "${mandir}/man3/history.3" + +# OpenSuse injects versions into libreadline leading to conficits between our native one and theirs +# see their spec file for where this is injected. Extra versioning is harmless so we just do the same. +SRC_URI:append:class-native = " file://rl-native.map" +LDFLAGS:append:class-native = " -Wl,--version-script=${WORKDIR}/rl-native.map" diff --git a/recipes-core/readline/readline-morello_8.1.2.bb b/recipes-core/readline/readline-morello_8.1.2.bb new file mode 100644 index 0000000..99f25e8 --- /dev/null +++ b/recipes-core/readline/readline-morello_8.1.2.bb @@ -0,0 +1,7 @@ +require readline-morello.inc + +SRC_URI += "file://configure-fix.patch \ + file://norpath.patch \ + " + +SRC_URI[archive.sha256sum] = "7589a2381a8419e68654a47623ce7dfcb756815c8fee726b98f90bf668af7bc6" diff --git a/recipes-core/readline/readline/configure-fix.patch b/recipes-core/readline/readline/configure-fix.patch new file mode 100644 index 0000000..ef3104f --- /dev/null +++ b/recipes-core/readline/readline/configure-fix.patch 
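Review bot: `MORELLO_SRC = "poky/meta/recipes-core/readline/readlinge_8.1.2.bb"` misspells the recipe it claims to be derived from (`readline_8.1.2.bb`); since this variable exists to document provenance it should name a file that exists. The `SRC_URI:append:class-native` and `LDFLAGS:append:class-native` lines are carried over from poky's readline.inc, but this recipe declares no native variant, so they are dead unless BBCLASSEXTEND is set elsewhere — drop them or add a comment explaining why they stay. `do_configure:prepend`, which starts in this hunk but is split across the rendering, writes `${S}/acinclude.m4` into the source tree rather than ${B}; that mirrors poky, but a one-line comment (`# autoreconf needs acinclude.m4; readline only ships aclocal.m4`) would explain the copy. Pinning the tarball with `SRC_URI[archive.sha256sum]` in readline-morello_8.1.2.bb is the right control for a mirror-fetched archive.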
@@ -0,0 +1,35 @@ +Upstream-Status: Pending + +Without this it fails to link against libtermcap causing various missing +symbols issues. + +RP - 8/10/08 + +Support 6.3 which uses configure.ac rather than configure.in. +Signed-off-by: Hongxu Jia hongxu.jia@windriver.com +--- + configure.ac | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/configure.ac b/configure.ac +index cea8f91..9075b8f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -218,10 +218,10 @@ if test -f ${srcdir}/support/shobj-conf; then + AC_MSG_CHECKING(configuration for building shared libraries) + eval `TERMCAP_LIB=$TERMCAP_LIB ${CONFIG_SHELL-/bin/sh} ${srcdir}/support/shobj-conf -C "${CC}" -c ${host_cpu} -o ${host_os} -v ${host_vendor}` + +-# case "$SHLIB_LIBS" in +-# *curses*|*termcap*|*termlib*) ;; +-# *) SHLIB_LIBS="$SHLIB_LIBS $TERMCAP_LIB" ;; +-# esac ++ case "$SHLIB_LIBS" in ++ *curses*|*termcap*|*termlib*) ;; ++ *) SHLIB_LIBS="$SHLIB_LIBS $TERMCAP_LIB" ;; ++ esac + + AC_SUBST(SHOBJ_CC) + AC_SUBST(SHOBJ_CFLAGS) +-- +1.8.1.2 + diff --git a/recipes-core/readline/readline/norpath.patch b/recipes-core/readline/readline/norpath.patch new file mode 100644 index 0000000..5d71582 --- /dev/null +++ b/recipes-core/readline/readline/norpath.patch 
@@ -0,0 +1,21 @@ +This support script ends up hardcoding unnecessary rpaths into the libraries. We +will search $libdir automatically so this is just wastes space. There may be some +cases this is necessary but our use cases aren't one of them. + +Upstream-Status: Inappropriate + +RP 2012/2/23 + +Index: readline-6.2/support/shobj-conf +=================================================================== +--- readline-6.2.orig/support/shobj-conf 2012-02-23 11:06:37.193179379 +0000 ++++ readline-6.2/support/shobj-conf 2012-02-23 11:06:50.049178918 +0000 +@@ -114,7 +114,7 @@ + SHOBJ_LD='${CC}' + SHOBJ_LDFLAGS='-shared -Wl,-soname,$@' + +- SHLIB_XLDFLAGS='-Wl,-rpath,$(libdir) -Wl,-soname,`basename $@ $(SHLIB_MINOR)`' ++ SHLIB_XLDFLAGS='-Wl,-soname,`basename $@ $(SHLIB_MINOR)`' + SHLIB_LIBVERSION='$(SHLIB_LIBSUFF).$(SHLIB_MAJOR)$(SHLIB_MINOR)' + ;; +
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .../util-linux/util-linux-morello_2.37.4.bb | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 recipes-core/util-linux/util-linux-morello_2.37.4.bb
diff --git a/recipes-core/util-linux/util-linux-morello_2.37.4.bb b/recipes-core/util-linux/util-linux-morello_2.37.4.bb
new file mode 100644
index 0000000..98ad321
--- /dev/null
+++ b/recipes-core/util-linux/util-linux-morello_2.37.4.bb
@@ -0,0 +1,23 @@
+require recipes-core/util-linux/util-linux.inc
+
+inherit autotools gettext pkgconfig pure-cap-kheaders purecap-sysroot
+
+MORELLO_SRC = "poky/meta/recipes-core/util-linux/util-linux_2.37.4.bb"
+
+SUMMARY = "A suite of basic system administration utilities"
+
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+PV = "2.37.4"
+
+S = "${WORKDIR}/util-linux-${PV}"
+EXTRA_OECONF += "--disable-all-programs --enable-libuuid"
+LICENSE = "BSD-3-Clause"
+
+do_install() {
+ install_dir="${D}"
+ install -d ${install_dir}
+ oe_runmake DESTDIR=${install_dir} install
+ rm -rf ${install_dir}${datadir} ${install_dir}${bindir} ${install_dir}${base_bindir} \
+ ${install_dir}${sbindir} ${install_dir}${base_sbindir} ${install_dir}${exec_prefix}/sbin
+}
\ No newline at end of file
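Review bot: `LICENSE = "BSD-3-Clause"` silently narrows the compound license that `util-linux.inc` declares for the whole suite; that is defensible because only libuuid is built (`--disable-all-programs --enable-libuuid`), so state it: `# Only libuuid is built and shipped; it is BSD-3-Clause`. `PV = "2.37.4"` duplicates the version bitbake already takes from the recipe filename and can be dropped, which also keeps `S` in step with any future rename. `do_install` removes `${datadir}`, `${bindir}`, `${base_bindir}`, `${sbindir}`, `${base_sbindir}` and `${exec_prefix}/sbin` after the install; with all programs disabled those should already be empty, so a comment naming what is expected to remain (the uuid library, its headers and pkg-config file) would tell the next reader whether the `rm -rf` is a safety net or load-bearing.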
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- recipes-core/zlib/files/run-ptest | 7 ++++ recipes-core/zlib/zlib-morello_1.2.13.bb | 43 ++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 recipes-core/zlib/files/run-ptest create mode 100644 recipes-core/zlib/zlib-morello_1.2.13.bb
diff --git a/recipes-core/zlib/files/run-ptest b/recipes-core/zlib/files/run-ptest
new file mode 100644
index 0000000..065863e
--- /dev/null
+++ b/recipes-core/zlib/files/run-ptest
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if ./examplesh ; then
+ echo "PASS: zlib"
+else
+ echo "FAIL: zlib"
+fi
diff --git a/recipes-core/zlib/zlib-morello_1.2.13.bb b/recipes-core/zlib/zlib-morello_1.2.13.bb
new file mode 100644
index 0000000..adf961c
--- /dev/null
+++ b/recipes-core/zlib/zlib-morello_1.2.13.bb
@@ -0,0 +1,43 @@
+inherit ptest purecap-sysroot
+
+MORELLO_SRC = "poky/meta/recipes-core/zlib/zlib_1.2.11.bb"
+
+SUMMARY = "Zlib Compression Library"
+DESCRIPTION = "Zlib is a general-purpose, patent-free, lossless data compression \
+library which is used by many different programs."
+
+HOMEPAGE = "http://zlib.net/"
+SECTION = "libs"
+LICENSE = "Zlib"
+LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef63bc555f7aa6c0"
+
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+SRC_URI = "git://github.com/madler/zlib;protocol=https;branch=${SRCBRANCH} \
+ file://run-ptest \
+ "
+SRCREV = "04f42ceca40f73e2978b50e93806c2a18c1281fc"
+SRCBRANCH = "master"
+
+CFLAGS += "-D_REENTRANT"
+
+RDEPENDS:${PN}-ptest += "make"
+
+S = "${WORKDIR}/git"
+
+do_configure() {
+ LDCONFIG=true ./configure --prefix=${prefix} --libdir=${libdir} --uname=GNU
+}
+
+do_compile() {
+ oe_runmake shared
+}
+
+do_install() {
+ oe_runmake DESTDIR=${D} install
+}
+
+do_install_ptest() {
+ install -d ${D}${PURECAP_SYSROOT_DIR}${PTEST_PATH}
+ install ${B}/examplesh ${D}${PURECAP_SYSROOT_DIR}${PTEST_PATH}
+}
\ No newline at end of file
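Review bot: `do_install_ptest` places `examplesh` under `${D}${PURECAP_SYSROOT_DIR}${PTEST_PATH}` while the ptest class installs run-ptest under `${D}${PTEST_PATH}`, and run-ptest executes `./examplesh` relative to its own directory; unless purecap-sysroot relocates the run-ptest script into the same tree, the test cannot find the binary and reports FAIL, so the two paths should agree (or run-ptest should use the absolute path). `MORELLO_SRC` cites `zlib_1.2.11.bb` although the recipe is `zlib-morello_1.2.13.bb`, so the provenance pointer is stale. `SRCREV` pins a commit on `madler/zlib` master rather than naming a release; a comment stating which tag the commit corresponds to (`# SRCREV is upstream tag <TAG>`) would keep the version in the filename auditable against the fetched source. Grouping `S`, `SRCREV` and `SRCBRANCH` next to SRC_URI instead of after CFLAGS reads better, although bitbake's lazy expansion makes the current order work.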
Co-authored-by: Harrison Carter hcarter@thegoodpenguin.co.uk Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- ...gument-order-to-qsort_r-to-match-pos.patch | 45 ++ ...change-defines-from-freebsd-to-cheri.patch | 57 +++ ...n-bypass-autoconf-2.69-version-check.patch | 30 ++ recipes-dbs/postgresql/postgresql-morello.inc | 400 ++++++++++++++++++ .../postgresql/postgresql-morello_9.6.bb | 155 +++++++ recipes-dbs/postgresql/postgresql/pg_config | 15 + .../postgresql/postgresql/postgres-bench | 16 + .../postgresql/postgresql/postgres-test | 49 +++ .../postgresql/postgresql/postgresql-init | 64 +++ .../postgresql/postgresql-init.service | 19 + .../postgresql/postgresql-morello.init | 193 +++++++++ .../postgresql/postgresql-morello.service | 29 ++ .../postgresql/postgresql/postgresql-profile | 4 + .../postgresql/postgresql/postgresql-setup | 73 ++++ .../postgresql/postgresql/postgresql.pam | 4 + .../postgresql/postgresql/test-schedule | 1 + recipes-dbs/postgresql/postgresql_%.bbappend | 7 + 17 files changed, 1161 insertions(+) create mode 100644 recipes-dbs/postgresql/cheri-patches/0001-port.h-change-argument-order-to-qsort_r-to-match-pos.patch create mode 100644 recipes-dbs/postgresql/cheri-patches/0002-qsort-change-defines-from-freebsd-to-cheri.patch create mode 100644 recipes-dbs/postgresql/files/0003-configure.in-bypass-autoconf-2.69-version-check.patch create mode 100644 recipes-dbs/postgresql/postgresql-morello.inc create mode 100644 recipes-dbs/postgresql/postgresql-morello_9.6.bb create mode 100755 recipes-dbs/postgresql/postgresql/pg_config create mode 100644 recipes-dbs/postgresql/postgresql/postgres-bench create mode 100644 recipes-dbs/postgresql/postgresql/postgres-test create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-init create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-init.service create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-morello.init create mode 100644 
recipes-dbs/postgresql/postgresql/postgresql-morello.service create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-profile create mode 100644 recipes-dbs/postgresql/postgresql/postgresql-setup create mode 100644 recipes-dbs/postgresql/postgresql/postgresql.pam create mode 100644 recipes-dbs/postgresql/postgresql/test-schedule create mode 100644 recipes-dbs/postgresql/postgresql_%.bbappend
diff --git a/recipes-dbs/postgresql/cheri-patches/0001-port.h-change-argument-order-to-qsort_r-to-match-pos.patch b/recipes-dbs/postgresql/cheri-patches/0001-port.h-change-argument-order-to-qsort_r-to-match-pos.patch new file mode 100644 index 0000000..a88b780 --- /dev/null +++ b/recipes-dbs/postgresql/cheri-patches/0001-port.h-change-argument-order-to-qsort_r-to-match-pos.patch 
@@ -0,0 +1,45 @@ +From daa2184cb2d3df09e1911402e768685ff456cc1f Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Fri, 10 Nov 2023 14:12:37 +0000 +Subject: [PATCH] port.h: change argument order to qsort_r to match posix + +The original codebase is aimed at FreeBSD OS. + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk + +--- + src/include/port.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/include/port.h b/src/include/port.h +index 10c8ba1194..bddb510e8a 100644 +--- a/src/include/port.h ++++ b/src/include/port.h +@@ -440,7 +440,7 @@ extern void pg_qsort(void *base, size_t nel, size_t elsize, + /* Use ifdef FreeBSD and not __CHERI_PURE_CAPABILITY__ so that we use the same code path for MIPS and CHERI */ + #ifdef __FreeBSD__ + /* Postgres qsort_arg is broken for capabilities so we replace it with qsort_r but that uses a different parameter order for cmp */ +-typedef int (*qsort_arg_comparator) (void *arg, const void *a, const void *b); ++typedef int (*qsort_arg_comparator) (const void *a, const void *b, void *arg); + /* + * XXXAR: the postgres version of qsort_arg does not work with capabilities (swap + * is broken) so we have to make sure to use the libc function qsort_r instead +@@ -448,15 +448,15 @@ typedef int (*qsort_arg_comparator) (void *arg, const void *a, const void *b); + static inline void + qsort_arg(void *a, size_t n, size_t es, qsort_arg_comparator cmp, void *arg) + { +- qsort_r(a, n, es, arg, cmp); ++ qsort_r(a, n, es, cmp, arg); + } + // NOTE: FreeBSD and Linux qsort_r are completely incompatible due to different argument order + // Generating a non-obvious function name avoids stupid errors like in tsrank.c where the function is then called wrongly + + #define QSORT_ARG_COMPARATOR_FUNC(name, a, b) \ +- int _##name##_freebsd_cmp(void *arg, const void *a, const void *b) ++ int _##name##_freebsd_cmp(const void *a, const void *b, void *arg) + #define 
QSORT_ARG_COMPARATOR_PTR(name) &_##name##_freebsd_cmp +-#define CALL_QSORT_ARG_COMPARATOR(name, a, b, arg) _##name##_freebsd_cmp(arg, a, b) ++#define CALL_QSORT_ARG_COMPARATOR(name, a, b, arg) _##name##_freebsd_cmp(a, b, arg) + #else + /* #warning "Using postgres qsort" */ + #define qsort(a,b,c,d) pg_qsort(a,b,c,d) diff --git a/recipes-dbs/postgresql/cheri-patches/0002-qsort-change-defines-from-freebsd-to-cheri.patch b/recipes-dbs/postgresql/cheri-patches/0002-qsort-change-defines-from-freebsd-to-cheri.patch new file mode 100644 index 0000000..0267382 --- /dev/null +++ b/recipes-dbs/postgresql/cheri-patches/0002-qsort-change-defines-from-freebsd-to-cheri.patch 
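Review bot: Neither 0001-port.h-change-argument-order-to-qsort_r-to-match-pos.patch nor 0002-qsort-change-defines-from-freebsd-to-cheri.patch carries the `Upstream-Status:` line that the OpenEmbedded patch convention expects and that the neighbouring 0003 patch already has; add `Upstream-Status: Pending` (or `Inappropriate [reason]`) below the Subject line of each so a later layer maintainer knows whether the change should be pushed to the CTSRD-CHERI fork. The 0002 description "Lets fix it without due care" reads as a placeholder; one sentence explaining why `__CHERI_PURE_CAPABILITY__` rather than `__FreeBSD__` is the correct gate for Morello on Linux would replace it usefully.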
@@ -0,0 +1,57 @@ +From d7c33a58cd02ae15ebdcc6585f568f5f3d8914bd Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Thu, 11 May 2023 15:37:01 +0100 +Subject: [PATCH] qsort: change defines from freebsd to cheri + +This is not FreeBSD OS, so the pre-processor will not do what it should +and the postgres qsrot will be used. + +Lets fix it without due care. + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk + +--- + src/include/port.h | 2 +- + src/port/qsort.c | 2 +- + src/port/qsort_arg.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/include/port.h b/src/include/port.h +index bddb510e8a..27e7dad9c2 100644 +--- a/src/include/port.h ++++ b/src/include/port.h +@@ -438,7 +438,7 @@ extern void pg_qsort(void *base, size_t nel, size_t elsize, + int (*cmp) (const void *, const void *)); + + /* Use ifdef FreeBSD and not __CHERI_PURE_CAPABILITY__ so that we use the same code path for MIPS and CHERI */ +-#ifdef __FreeBSD__ ++#ifdef __CHERI_PURE_CAPABILITY__ + /* Postgres qsort_arg is broken for capabilities so we replace it with qsort_r but that uses a different parameter order for cmp */ + typedef int (*qsort_arg_comparator) (const void *a, const void *b, void *arg); + /* +diff --git a/src/port/qsort.c b/src/port/qsort.c +index 8a75ff492e..50af3ebb02 100644 +--- a/src/port/qsort.c ++++ b/src/port/qsort.c +@@ -46,7 +46,7 @@ + + #include "c.h" + +-#ifdef __FreeBSD__ ++#ifdef __CHERI_PURE_CAPABILITY__ + /* + * XXXAR: the postgres version of qsort does not work with capabilities (swap + * is broken) so we have to make sure to use the libc version +diff --git a/src/port/qsort_arg.c b/src/port/qsort_arg.c +index 90bbf16541..fb1d5fc6ff 100644 +--- a/src/port/qsort_arg.c ++++ b/src/port/qsort_arg.c +@@ -46,7 +46,7 @@ + + #include "c.h" + +-#ifndef __FreeBSD__ ++#ifndef __CHERI_PURE_CAPABILITY__ + #warning "using postgres custom qsort_arg function" + + static char *med3(char *a, char *b, char *c, 
diff --git a/recipes-dbs/postgresql/files/0003-configure.in-bypass-autoconf-2.69-version-check.patch b/recipes-dbs/postgresql/files/0003-configure.in-bypass-autoconf-2.69-version-check.patch new file mode 100644 index 0000000..d845b95 --- /dev/null +++ b/recipes-dbs/postgresql/files/0003-configure.in-bypass-autoconf-2.69-version-check.patch @@ -0,0 +1,30 @@ +From 632f02e741878b3e3d3b156cf33595c5f8329e27 Mon Sep 17 00:00:00 2001 +From: Yi Fan Yu yifan.yu@windriver.com +Date: Fri, 5 Feb 2021 17:15:42 -0500 +Subject: [PATCH] configure.ac: bypass autoconf 2.69 version check + +for upgrade to autoconf 2.71 + +Upstream-Status: Inappropriate [disable feature] + +Signed-off-by: Yi Fan Yu yifan.yu@windriver.com + +--- + configure.in | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/configure.in b/configure.in +index c669ff2a21..ff1b326eb7 100644 +--- a/configure.in ++++ b/configure.in +@@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros + + AC_INIT([PostgreSQL], [9.6.14], [pgsql-bugs@postgresql.org]) + +-m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. +-Untested combinations of 'autoconf' and PostgreSQL versions are not +-recommended. You can remove the check from 'configure.in' but it is then +-your responsibility whether the result works or not.])]) + AC_COPYRIGHT([Copyright (c) 1996-2016, PostgreSQL Global Development Group]) + AC_CONFIG_SRCDIR([src/backend/access/common/heaptuple.c]) + AC_CONFIG_AUX_DIR(config) diff --git a/recipes-dbs/postgresql/postgresql-morello.inc b/recipes-dbs/postgresql/postgresql-morello.inc new file mode 100644 index 0000000..e4bccbe --- /dev/null +++ b/recipes-dbs/postgresql/postgresql-morello.inc 
@@ -0,0 +1,400 @@ +inherit autotools pkgconfig perlnative python3native python3targetconfig +inherit useradd update-rc.d systemd gettext cpan-base pure-cap-kheaders purecap-sysroot purecap-useradd +inherit perl-hacks + +MORELLO_SRC = "meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_14.5" +MORELLO_SRC += "meta-cloud-services/meta-openstack/recipes-dbs/postgresql/*" + +SUMMARY = "PostgreSQL is a powerful, open source relational database system" +DESCRIPTION = "\ + PostgreSQL is an advanced Object-Relational database management system \ + (DBMS) that supports almost all SQL constructs (including \ + transactions, subselects and user-defined types and functions). The \ + postgresql package includes the client programs and libraries that \ + you'll need to access a PostgreSQL DBMS server. These PostgreSQL \ + client programs are programs that directly manipulate the internal \ + structure of PostgreSQL databases on a PostgreSQL server. These client \ + programs can be located on the same machine with the PostgreSQL \ + server, or may be on a remote machine which accesses a PostgreSQL \ + server over a network connection. This package contains the docs \ + in HTML for the whole package, as well as command-line utilities for \ + managing PostgreSQL databases on a PostgreSQL server. \ + \ + If you want to manipulate a PostgreSQL database on a local or remote \ + PostgreSQL server, you need this package. You also need to install \ + this package if you're installing the postgresql-server package. 
\ + \ +" +HOMEPAGE = "http://www.postgresql.com" +LICENSE = "0BSD" + +DEPENDS += "readline-morello zlib-morello openssl-morello util-linux-morello tcl-morello" +DEPENDS += "libnsl2 tzcode-native" + +TOOLCHAIN = "${MORELLO_TOOLCHAIN}" + +BPN_POSTGRESQL="postgresql" + +ARM_INSTRUCTION_SET = "arm" + +# used for hacking +MORELLO = "-morello" + +FILESEXTRAPATHS:prepend := "${THISDIR}/files:${THISDIR}/postgresql:" + +S = "${WORKDIR}/postgresql-${PV}" + +LEAD_SONAME = "libpq.so" + +# LDFLAGS for shared libraries +export LDFLAGS_SL = "${LDFLAGS}" + +CFLAGS += "-I${STAGING_DIR_HOST}/usr/include/${PYTHON_DIR} -I${STAGING_INCDIR}/tcl8.6 -Wno-unused-function -pipe -msoft-float -integrated-as -O0 -g" +CLAGS += "-Wno-deprecated-declarations -Wno-compound-token-split-by-macro" +LDFLAGS += "-pthread" + +SYSTEMD_SERVICE:${PN} = "postgresql.service" +SYSTEMD_AUTO_ENABLE:${PN} = "disable" + +pkg_postinst:${PN} () { + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd sysvinit', 'true', 'false', d)}; then + if [ -n "$D" ]; then + OPTS="--root=$D" + fi + systemctl $OPTS mask postgresql-server.service + fi +} + +PACKAGECONFIG ??= " \ + ${@bb.utils.filter('DISTRO_FEATURES', 'pam systemd', d)} \ + openssl uuid tcl perl zlib \ +" + +EXTRA_OECONF += "--enable-thread-safety \ + --datadir=${datadir}/${BPN_POSTGRESQL} \ + --sysconfdir=${sysconfdir}/${BPN_POSTGRESQL} \ + --enable-debug \ + --without-systemd \ +" + +CFLAGS += "-DUSE_ASSERT_CHECKING" + +PACKAGES_DYNAMIC += "^${PN}-plperl \ + ^${PN}-pltcl \ + ^${PN}-plpython \ +" + +python populate_packages:prepend() { + + def fill_more(name): + if name is None or name.strip() == "": + return + + fpack=d.getVar('PACKAGES', False) or "" + fpack="${PN}-" + name + " " + fpack + d.setVar('PACKAGES', fpack) + + conf=(d.getVar('PACKAGECONFIG') or "").split() + pack=d.getVar('PACKAGES', False) or "" + bb.debug(1, "PACKAGECONFIG=%s" % conf) + bb.debug(1, "PACKAGES1=%s" % pack ) + + if "perl" in conf : + fill_more("plperl") + + if "tcl" in conf: + 
fill_more("pltcl") + + if "python" in conf: + fill_more("plpython") + + pack=d.getVar('PACKAGES') or "" + bb.debug(1, "PACKAGES2=%s" % pack) + +} + +# This will make native perl use target settings (for include dirs etc.) +# there is no perl in purecap, so yet another hack: hardcode the version and target +export PERLCONFIGTARGET = "${@is_target(d)}" +export PERL_ARCHLIB = "${STAGING_LIBDIR_HACK}${PERL_OWN_DIR}/perl5/${@get_perl_version(d)}/${@get_perl_arch(d)}" + +do_configure() { + + # do_configure + autotools_do_configure + + # do_configure:append + # workaround perl package related bugs + sed -i -e "s:-L/usr/local/lib:-L=/usr/local/lib:g" \ + ${B}/src/Makefile.global + LIBPNA="${STAGING_LIBDIR_NATIVE}/perl-native" + LIBNA="${STAGING_LIBDIR_NATIVE}" + BLIBNA="${STAGING_BASE_LIBDIR_NATIVE}" + sed -i -e "/^perl_archlibexp/s:${LIBPNA}:${STAGING_LIBDIR_HACK}:g" \ + ${B}/src/Makefile.global + sed -i -e "/^perl_privlibexp/s:/usr/lib:${STAGING_LIBDIR_HACK}:g" \ + ${B}/src/Makefile.global + # remove the rpath, replace with correct lib path + sed -i \ + -e "/^perl_embed_ldflags/s:-Wl,-rpath,${LIBNA}::g" \ + -e "/^perl_embed_ldflags/s:-Wl,-rpath,${BLIBNA}::g" \ + -e "/^perl_embed_ldflags/s:-Wl,-rpath-link,${LIBNA}::g" \ + -e "/^perl_embed_ldflags/s:-Wl,-rpath-link,${BLIBNA}::g" \ + -e "/^perl_embed_ldflags/s:${LIBPNA}:${STAGING_LIBDIR_HACK}:g" \ + -e "/^perl_embed_ldflags/s:${LIBNA}:${STAGING_LIBDIR_HACK}:g" \ + -e "/^perl_embed_ldflags/s:${BLIBNA}:${STAGING_BASELIBDIR_HACK}:g" \ + -e "/^TCLSH/s:=.*:= /usr/bin/tclsh:g" \ + ${B}/src/Makefile.global + + if ${@bb.utils.contains('PACKAGECONFIG', 'perl', 'true', 'false', d)}; then + # workaround perl package's libperl.so problem + # we are using perlnative so this perl should have same version + perl_version=`perl -v 2>/dev/null | \ + sed -n 's/This is perl.*v[a-z ]*([0-9].[0-9][0-9.]*).*$/\1/p'` + if [ ! -h "${STAGING_LIBDIR_HACK}/perl/$perl_version/CORE/libperl.so" -a \ + ! 
-h "${STAGING_LIBDIR_HACK}/libperl.so" ]; then + ln -sf ../../../libperl.so.5 \ + ${STAGING_LIBDIR_HACK}/perl/$perl_version/CORE/libperl.so + fi + fi +} + +do_compile:append() { + oe_runmake -C contrib all +} + +# server needs to configure user and group +usernum = "28" +groupnum = "28" +USERADD_PACKAGES = "${PN}" +USERADD_PARAM:${PN} = "-M -g postgres -o -r -d ${localstatedir}/lib/${BPN_POSTGRESQL} \ + -s /bin/sh -c 'PostgreSQL Server' -u ${usernum} postgres" +GROUPADD_PARAM:${PN} = "-g ${groupnum} -o -r postgres" + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME = "${BPN}-server" +INITSCRIPT_PARAMS = "start 64 . stop 36 0 1 2 3 4 5 6 ." + +do_install() { + + install_dir="${D}" + + install -d ${install_dir} + oe_runmake DESTDIR=${install_dir} install + + # install contrib + oe_runmake DESTDIR=${install_dir} -C contrib install + # install tutorial + install -d -m 0755 ${install_dir}${libdir}/${BPN_POSTGRESQL}/tutorial + install ${B}/src/tutorial/* ${install_dir}${libdir}/${BPN_POSTGRESQL}/tutorial + + # install COPYRIGHT README HISTORY + install -d -m 0755 ${install_dir}${docdir}/${BPN_POSTGRESQL} + for i in ${B}/COPYRIGHT ${B}/README ${B}/HISTORY ${B}/doc/KNOWN_BUGS ${B}/doc/MISSING_FEATURES ${B}/doc/README* ${B}/doc/bug.template; do + [ -f $i ] && install $i ${install_dir}${docdir}/${BPN_POSTGRESQL} + done + + # install dirs and server init + install -d ${install_dir}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/postgresql-morello.init ${install_dir}${sysconfdir}/init.d/${BPN}-server + sed -i -e "s/^PGVERSION=.*$/PGVERSION=${PVBASE}/g" ${install_dir}${sysconfdir}/init.d/${BPN}-server + install -m 0755 ${WORKDIR}/postgresql-setup ${install_dir}${bindir}/${BPN}-setup + + install -d -m 700 ${install_dir}${localstatedir}/lib/${BPN_POSTGRESQL}/data + install -d -m 700 ${install_dir}${localstatedir}/lib/${BPN_POSTGRESQL}/backups + install -m 644 ${WORKDIR}/postgresql-profile ${install_dir}${localstatedir}/lib/${BPN_POSTGRESQL}/.profile + + chown -R 
postgres:postgres ${install_dir}${localstatedir}/lib/${BPN_POSTGRESQL} + + # multiple server config directory + install -d -m 700 ${install_dir}${sysconfdir}/default/${BPN_POSTGRESQL} + + if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then + install -d ${install_dir}${sysconfdir}/pam.d + install -m 644 ${WORKDIR}/postgresql.pam ${install_dir}${sysconfdir}/pam.d/postgresql + fi + + # Remove the build path + if [ -f ${install_dir}${libdir}/${BPN_POSTGRESQL}/pgxs/src/Makefile.global ]; then + sed -i -e 's#${RECIPE_SYSROOT}##g' \ + -e 's#${RECIPE_SYSROOT_NATIVE}##g' \ + -e 's#${WORKDIR}##g' \ + -e 's#${TMPDIR}##g' \ + ${install_dir}${libdir}/${BPN_POSTGRESQL}/pgxs/src/Makefile.global + fi + + install -d ${install_dir}${libdir}/${BPN_POSTGRESQL}/pgxs/src/test/regress + cp -rf ${S}/src/test/regress ${install_dir}${libdir}/${BPN_POSTGRESQL}/pgxs/src/test +} + +do_install:append() { + # we need a fake pg_config as some lib configs will try to run pg_config... + # probably could do with a native flavour + + install -d ${D}${bindir}/pgconfig + install -m 755 ${WORKDIR}/pg_config ${D}${bindir}/pgconfig/pg_config +} + +SSTATE_SCAN_FILES += "Makefile.global" +SSTATE_SCAN_FILES:remove = "*_config" + +PACKAGES =+ "${PN}-client ${PN}-server-dev ${PN}-timezone \ + libecpg${MORELLO}compat libecpg${MORELLO}-compat-dev \ + libecpg${MORELLO} libecpg${MORELLO}-dev libecpg${MORELLO}-staticdev libecpg${MORELLO}-doc \ + libpq${MORELLO} libpq${MORELLO}-dev libpq${MORELLO}-staticdev \ + libpgtypes${MORELLO} libpgtypes${MORELLO}-staticdev libpgtypes${MORELLO}-dev \ + ${PN}-contrib \ +" + +RPROVIDES:${PN}-dbg += "libecpg${MORELLO}-compat-dbg \ + libecpg${MORELLO}-dbg \ + libpq${MORELLO}-dbg \ + libpgtypes${MORELLO}-dbg \ + ${PN}-contrib-dbg \ + ${PN}-pltcl-dbg \ + ${PN}-plpython-dbg \ + ${PN}-plperl-dbg \ + " + +FILES:${PN} += "${sysconfdir}/${BPN_POSTGRESQL} ${libdir} ${bindir}/pg_config_fake \ + ${sysconfdir}/init.d/${BPN}-server \ + 
${localstatedir}/lib/${BPN_POSTGRESQL}/data ${localstatedir}/lib/${BPN_POSTGRESQL}/backups \ + ${localstatedir}/lib/${BPN_POSTGRESQL}/.profile ${sysconfdir}/default/${BPN_POSTGRESQL} \ + ${libdir}/${BPN_POSTGRESQL}/dict_snowball.so ${libdir}/${BPN_POSTGRESQL}/plpgsql.so \ + ${libdir}/${BPN_POSTGRESQL}/euc2004_sjis2004.so \ + ${libdir}/${BPN_POSTGRESQL}/libpqwalreceiver.so \ + ${libdir}/${BPN_POSTGRESQL}/*_and_*.so \ + ${@'${sysconfdir}/pam.d/postgresql-morello' \ + if 'pam' == d.getVar('enable_pam') \ + else ''} \ + ${datadir} \ +" + +FILES:${PN}-client = "${bindir}/clusterdb \ + ${bindir}/createdb \ + ${bindir}/createuser \ + ${bindir}/dropdb \ + ${bindir}/dropuser \ + ${bindir}/pg_dump \ + ${bindir}/pg_dumpall \ + ${bindir}/pg_restore \ + ${bindir}/psql \ + ${bindir}/reindexdb \ + ${bindir}/vacuumdb \ + ${bindir}/vacuumlo \ + ${datadir}/${BPN_POSTGRESQL}/psqlrc.sample \ +" +FILES:${PN}-client-doc = "${mandir}/man1/clusterdb.* \ + ${mandir}/man1/createdb.* ${mandir}/man1/createlang.* \ + ${mandir}/man1/createuser.* ${mandir}/man1/dropdb.* \ + ${mandir}/man1/droplang.* ${mandir}/man1/dropuser.* \ + ${mandir}/man1/pg_dump.* ${mandir}/man1/pg_dumpall.* \ + ${mandir}/man1/pg_restore.* ${mandir}/man1/psql.* \ + ${mandir}/man1/reindexdb.* ${mandir}/man1/vacuumdb.* \ + ${mandir}/man7/* \ +" +FILES:${PN}-doc += "${docdir}/${BPN_POSTGRESQL}/html ${libdir}/${BPN_POSTGRESQL}/tutorial/ \ + ${mandir}/man1/initdb.* ${mandir}/man1/pg_controldata.* \ + ${mandir}/man1/pg_ctl.* ${mandir}/man1/pg_resetxlog.* \ + ${mandir}/man1/postgres.* ${mandir}/man1/postmaster.* \ + ${mandir} ${docdir} \ +" +FILES:${PN}-timezone = "${datadir}/${BPN_POSTGRESQL}/timezone \ + ${datadir}/${BPN_POSTGRESQL}/timezonesets \ +" + +FILES:${PN}-server-dev = "${includedir}/${BPN_POSTGRESQL}/server \ + ${libdir}/${BPN_POSTGRESQL}/pgxs \ +" + +FILES:libecpg${MORELLO} = "${libdir}/libecpg*${SOLIBS}" +FILES:libecpg${MORELLO}-dev = "${libdir}/libecpg*${SOLIBSDEV} \ + ${libdir}/libpgtypes*${SOLIBSDEV} \ + 
${includedir}/ecpg*.h ${includedir}/${BPN_POSTGRESQL}/ecpg*.h \ + ${includedir}/pgtypes*.h ${includedir}/${BPN_POSTGRESQL}/informix \ + ${includedir}/sql3types.h ${includedir}/sqlca.h \ +" + +FILES:libecpg${MORELLO}-doc = "${mandir}/man1/ecpg.*" +FILES:libecpg${MORELLO}-staticdev = "${libdir}/libecpg*.a" +SECTION:libecpg${MORELLO}-staticdev = "devel" +RDEPENDS:libecpg${MORELLO}-staticdev = "libecpg${MORELLO}-dev (= ${EXTENDPKGV})" + +FILES:libpq${MORELLO} = "${libdir}/libpq*${SOLIBS}" +FILES:libpq${MORELLO}-dev = "${libdir}/libpq*${SOLIBSDEV} \ + ${includedir} \ +" +FILES:libpq${MORELLO}-staticdev = "${libdir}/libpq*.a ${libdir}/libpgport.a" +SECTION:libpq${MORELLO}-staticdev = "devel" +RDEPENDS:libpq${MORELLO}-staticdev = "libpq${MORELLO}-dev (= ${EXTENDPKGV})" + +FILES:libecpg${MORELLO}-compat = "${libdir}/libecpg_compat*${SOLIBS}" +FILES:libecpg${MORELLO}-compat-dev = "${libdir}/libecpg_compat*${SOLIBS}" +FILES:libpgtypes${MORELLO} = "${libdir}/libpgtypes*${SOLIBS}" +FILES:libpgtypes${MORELLO}-staticdev = "${libdir}/libpgtypes*.a" +FILES:libpgtypes${MORELLO}-dev = "${libdir}/libpgtypes*${SOLIBS} ${includedir}/pgtypes*.h" + +FILES:${PN}-contrib = " ${bindir}/oid2name ${bindir}/pg_standby \ + ${S}/contrib/spi/*.example \ + ${libdir}/${BPN_POSTGRESQL}/_int.so ${libdir}/${BPN_POSTGRESQL}/adminpack.so \ + ${libdir}/${BPN_POSTGRESQL}/autoinc.so ${libdir}/${BPN_POSTGRESQL}/auto_explain.so \ + ${libdir}/${BPN_POSTGRESQL}/auth_delay.so ${libdir}/${BPN_POSTGRESQL}/btree_gin.so \ + ${libdir}/${BPN_POSTGRESQL}/btree_gist.so ${libdir}/${BPN_POSTGRESQL}/.so \ + ${libdir}/${BPN_POSTGRESQL}/chkpass.so ${libdir}/${BPN_POSTGRESQL}/citext.so \ + ${libdir}/${BPN_POSTGRESQL}/cube.so ${libdir}/${BPN_POSTGRESQL}/dblink.so \ + ${libdir}/${BPN_POSTGRESQL}/dict_int.so ${libdir}/${BPN_POSTGRESQL}/dict_xsyn.so \ + ${libdir}/${BPN_POSTGRESQL}/dummy_seclabel.so ${libdir}/${BPN_POSTGRESQL}/earthdistance.so \ + ${libdir}/${BPN_POSTGRESQL}/file_fdw.so 
${libdir}/${BPN_POSTGRESQL}/fuzzystrmatch.so \ + ${libdir}/${BPN_POSTGRESQL}/hstore.so ${libdir}/${BPN_POSTGRESQL}/insert_username.so \ + ${libdir}/${BPN_POSTGRESQL}/isn.so ${libdir}/${BPN_POSTGRESQL}/lo.so \ + ${libdir}/${BPN_POSTGRESQL}/ltree.so ${libdir}/${BPN_POSTGRESQL}/moddatetime.so \ + ${libdir}/${BPN_POSTGRESQL}/pageinspect.so ${libdir}/${BPN_POSTGRESQL}/pg_buffercache.so \ + ${libdir}/${BPN_POSTGRESQL}/pg_freespacemap.so ${libdir}/${BPN_POSTGRESQL}/pg_trgm.so \ + ${libdir}/${BPN_POSTGRESQL}/pgcrypto.so ${libdir}/${BPN_POSTGRESQL}/pgrowlocks.so \ + ${libdir}/${BPN_POSTGRESQL}/pgstattuple.so ${libdir}/${BPN_POSTGRESQL}/pg_stat_statements.so \ + ${libdir}/${BPN_POSTGRESQL}/refint.so ${libdir}/${BPN_POSTGRESQL}/seg.so \ + ${libdir}/${BPN_POSTGRESQL}/sslinfo.so \ + ${libdir}/${BPN_POSTGRESQL}/tablefunc.so \ + ${libdir}/${BPN_POSTGRESQL}/test_parser.so ${libdir}/${BPN_POSTGRESQL}/timetravel.so \ + ${libdir}/${BPN_POSTGRESQL}/uuid-ossp.so \ + ${libdir}/${BPN_POSTGRESQL}/pgxml.so ${libdir}/${BPN_POSTGRESQL}/passwordcheck.so \ + ${libdir}/${BPN_POSTGRESQL}/pg_upgrade_support.so ${libdir}/${BPN_POSTGRESQL}/.so \ + ${libdir}/${BPN_POSTGRESQL}/unaccent.so \ +" +DESCRIPTION:${PN}-contrib = "The postgresql-contrib package contains \ + contributed packages that are included in the PostgreSQL distribution." + +FILES:${PN}-pltcl = "${libdir}/${BPN_POSTGRESQL}/pltcl.so ${bindir}/pltcl_delmod \ + ${binddir}/pltcl_listmod ${bindir}/pltcl_loadmod \ + ${datadir}/${BPN_POSTGRESQL}/unknown.pltcl" +SUMMARY:${PN}-pltcl = "The Tcl procedural language for PostgreSQL" +DESCRIPTION:${PN}-pltcl = "PostgreSQL is an advanced Object-Relational \ + database management system. The postgresql-pltcl package contains the PL/Tcl \ + procedural language for the backend." 
+ +FILES:${PN}-plperl = "${libdir}/${BPN_POSTGRESQL}/plperl.so" +SUMMARY:${PN}-plperl = "The Perl procedural language for PostgreSQL" +DESCRIPTION:${PN}-plperl = "PostgreSQL is an advanced Object-Relational \ + database management system. The postgresql-plperl package contains the \ + PL/Perl procedural language for the backend." + +# In version 8, it will be plpython.so +# In version 9, it might be plpython{2,3}.so depending on python2 or 3 +FILES:${PN}-plpython = "${libdir}/${BPN_POSTGRESQL}/plpython*.so" +SUMMARY:${PN}-plpython = "The Python procedural language for PostgreSQL" +DESCRIPTION:${PN}-plpython = "PostgreSQL is an advanced Object-Relational \ + database management system. The postgresql-plpython package contains \ + the PL/Python procedural language for the backend." + + +FILES:${PN}-dbg += "gdb_debug \ + ${bindir}/pgbench \ + ${libdir}/${BPN_POSTGRESQL}/pgxs/src/test/regress/* \ + " + + +CVE_CHECK_IGNORE += "\ + CVE-2017-8806 \ +" + +SYSROOT_DIRS += "${bindir}/pgconfig" \ No newline at end of file diff --git a/recipes-dbs/postgresql/postgresql-morello_9.6.bb b/recipes-dbs/postgresql/postgresql-morello_9.6.bb new file mode 100644 index 0000000..6ca7934 --- /dev/null +++ b/recipes-dbs/postgresql/postgresql-morello_9.6.bb 
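Review bot: With PN set to postgresql-morello the cve-check default for CVE_PRODUCT is the recipe base name, which matches no NVD product, so the `CVE_CHECK_IGNORE += "CVE-2017-8806"` entry near the end of the hunk has nothing to act on and the real exposure of this source (the 96-cheri branch of PostgreSQL 9.6, a release line upstream no longer supports) is never reported; add `CVE_PRODUCT = "postgresql"` and a one-line comment giving the reason for the ignore. The `CLAGS += "-Wno-deprecated-declarations -Wno-compound-token-split-by-macro"` line directly after the CFLAGS assignment is a typo for `CFLAGS`, so those two suppressions are silently dropped. `FILES:${PN}` also lists `${bindir}/pg_config_fake`, while do_install:append installs the stub as `${bindir}/pgconfig/pg_config`; one of the two paths should be corrected so the packaged file matches what is installed.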
@@ -0,0 +1,155 @@ +require postgresql-morello.inc + +FILESEXTRAPATHS:prepend := "${THISDIR}/postgresql:${THISDIR}/cheri-patches:" + +PVBASE = "9.6" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=87da2b84884860b71f5f24ab37e7da78" + +SRC_URI = "git://github.com/CTSRD-CHERI/postgres;protocol=https;branch=${SRCBRANCH} \ + file://0003-configure.in-bypass-autoconf-2.69-version-check.patch \ + file://postgresql-morello.init \ + file://postgresql-profile \ + file://postgresql.pam \ + file://postgresql-setup \ + file://pg_config \ +" + +SRC_URI += "\ + file://0001-port.h-change-argument-order-to-qsort_r-to-match-pos.patch \ + file://0002-qsort-change-defines-from-freebsd-to-cheri.patch \ +" + +SRC_URI += " \ + file://postgresql-init \ + file://postgresql-init.service \ + file://postgresql-morello.service \ + " + +SRC_URI += "\ + file://postgres-test \ + file://postgres-bench \ + file://test-schedule \ + " + +SRC_URI[sha256sum] = "d4f72cb5fb857c9a9f75ec8cf091a1771272802f2178f0b2e65b7b6ff64f4a30" + +SRCBRANCH = "96-cheri" +SRCREV = "e94e514cac6a8ae2277b3e44970c734c9a066f34" + +S = "${WORKDIR}/git" + +CFLAGS:remove = "-O2" + +SYSTEMD_AUTO_ENABLE:${PN} = "enable" + +DB_DATADIR = "/var/lib/postgresql/data" + +PACKAGECONFIG[tcl] = "--with-tcl --with-tclconfig=${STAGING_BINDIR_CROSS},--without-tcl,tcl-morello tcl-native," +# PACKAGECONFIG[perl] = "--with-perl,--without-perl,perl,perl" +# PACKAGECONFIG[python] = "--with-python,--without-python,python3,python3" +# PACKAGECONFIG[gssapi] = "--with-gssapi,--without-gssapi,krb5" +# PACKAGECONFIG[pam] = "--with-pam,--without-pam,libpam" +PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap-morello" +#PACKAGECONFIG[systemd] = "--with-systemd,--without-systemd,systemd systemd-systemctl-native" +#PACKAGECONFIG[uuid] = "--with-uuid=e2fs,--without-uuid,util-linux" +#PACKAGECONFIG[libxml] = "--with-libxml,--without-libxml,libxml2,libxml2" +# PACKAGECONFIG[libxslt] = "--with-libxslt,--without-libxslt,libxslt" +PACKAGECONFIG[zlib] = 
"--with-zlib,--without-zlib,zlib-morello" +PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl-morello," + +export PRINTF_SIZE_T_SUPPORT="yes" + +do_install:append() { + + install_dir="${D}" + + D_DEST_DIR=${install_dir}${sysconfdir}/${BPN_POSTGRESQL} + + install -d ${D_DEST_DIR} + install -m 0755 ${WORKDIR}/postgresql-init ${D_DEST_DIR}/postgresql-init + + sed -e "s:%DB_DATADIR%:${DB_DATADIR}:g" -i ${D_DEST_DIR}/postgresql-init + sed -e "s:%PGINSTALLDIR%:${prefix}:g" -i ${D_DEST_DIR}/postgresql-init + sed -e "s:%BINDIR%:${bindir}:g" -i ${D_DEST_DIR}/postgresql-init + sed -e "s:%SYSCONFDIR%:${sysconfdir}:g" -i ${D_DEST_DIR}/postgresql-init + + install -d ${D}${systemd_unitdir}/system/ + + PG_INIT_SERVICE_FILE=${D}${systemd_unitdir}/system/postgresql-init.service + install -m 644 ${WORKDIR}/postgresql-init.service ${PG_INIT_SERVICE_FILE} + + sed -e "s:%PGINSTALLDIR%:${prefix}:g" -i ${PG_INIT_SERVICE_FILE} + + sed -e "s:%SYSCONFIGDIR%:${sysconfdir}:g" -i ${PG_INIT_SERVICE_FILE} + sed -e "s:%SYSCONFIGDIR%:${sysconfdir}:g" -i ${PG_INIT_SERVICE_FILE} + + sed -e "s:%DB_USER%:${DB_USER}:g" -i ${PG_INIT_SERVICE_FILE} + sed -e "s:%DB_PASSWORD%:${DB_PASSWORD}:g" -i ${PG_INIT_SERVICE_FILE} + + PG_SERVICE_FILE=${D}${systemd_unitdir}/system/postgresql.service + install -m 644 ${WORKDIR}/postgresql-morello.service ${PG_SERVICE_FILE} + + sed -e 's,%BINDIR%,${bindir},g' -i ${PG_SERVICE_FILE} + sed -e "s:%PGINSTALLDIR%:${prefix}:g" -i ${PG_SERVICE_FILE} + + # Update PGDATA throughout + files="${install_dir}${localstatedir}/lib/${BPN_POSTGRESQL}/.profile" + files="$files ${D}${systemd_unitdir}/system/postgresql.service" + files="$files ${install_dir}${bindir}/${BPN}-setup" + files="$files ${install_dir}${sysconfdir}/init.d/${BPN}-server" + for f in $files + do + sed -e "s:(PGDATA=).*$:\1${DB_DATADIR}:g" -i $f + done + + # Ensure DB is initialize before we attempt to start the service + FILE=${D}${systemd_unitdir}/system/postgresql.service + sed -e '/ExecStart=.*/i 
ExecStartPre=${sysconfdir}/${BPN_POSTGRESQL}/postgresql-init initdb' -i $FILE + sed -e '/ExecStartPre=.*/i PermissionsStartOnly=true' -i $FILE + + # Install test scripts + BENCH_SCRIPT=${D}/postgres-bench.sh + install -m 0755 ${WORKDIR}/postgres-bench ${BENCH_SCRIPT} + + sed -e "s:%BINDIR%:${bindir}:g" -i ${BENCH_SCRIPT} + sed -e "s:%LIBDIR%:${libdir}:g" -i ${BENCH_SCRIPT} + + TEST_SCRIPT=${D}/postgres-test.sh + install -m 0755 ${WORKDIR}/postgres-test ${TEST_SCRIPT} + + sed -e "s:%BINDIR%:${bindir}:g" -i ${TEST_SCRIPT} + sed -e "s:%LIBDIR%:${libdir}:g" -i ${TEST_SCRIPT} + + install -d ${install_dir}${libdir}/${BPN_POSTGRESQL}/pgxs/src/test/regress + install -m 644 ${WORKDIR}/test-schedule ${install_dir}${libdir}/${BPN_POSTGRESQL}/pgxs/src/test/regress/test_schedule +} + +do_install:append () { + + install -d "${D}${libdir}" + cp ${B}/src/test/regress/*.so ${D}${libdir} +} + +do_install:append() { + ${OBJDUMP_COMMAND} ${D}${bindir}/pg_ctl > ${D}${PURECAP_DEBUGDIR}/pgctl.dump + ${READELF_COMMAND} ${D}${bindir}/pg_ctl > ${D}${PURECAP_DEBUGDIR}/pgctl.readelf + ${OBJDUMP_COMMAND} ${D}${bindir}/postgres > ${D}${PURECAP_DEBUGDIR}/postgres.dump + ${READELF_COMMAND} ${D}${bindir}/postgres > ${D}${PURECAP_DEBUGDIR}/postgres.readelf +} + +PACKAGES += " ${PN}-setup" + +SYSTEMD_PACKAGES += "${PN}-setup" +SYSTEMD_SERVICE:${PN}-setup = "postgresql-init.service" + +FILES:${PN}-setup = " \ + ${systemd_unitdir}/system \ +" + +FILES:${PN}-dbg += " \ + postgres-test.sh \ + postgres-bench.sh \ + ${libdir}/${BPN_POSTGRESQL}/pgxs/src/test/regress/test-schedule \ +" + +FILES:${PN}-gdb-debug += "/gdb_debug" \ No newline at end of file diff --git a/recipes-dbs/postgresql/postgresql/pg_config b/recipes-dbs/postgresql/postgresql/pg_config new file mode 100755 index 0000000..1c147d2 --- /dev/null +++ b/recipes-dbs/postgresql/postgresql/pg_config 
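Review bot: `DB_USER` and `DB_PASSWORD` are substituted into postgresql-init.service by the `sed -e "s:%DB_USER%:${DB_USER}:g"` and `%DB_PASSWORD%` lines in do_install:append, but neither variable is assigned anywhere in this recipe or in postgresql-morello.inc, so an unconfigured build silently emits `Environment=DB_USER=` / `Environment=DB_PASSWORD=` and the init script's CREATE ROLE loop can only fail; guard with `[ -n "${DB_PASSWORD}" ] || bbfatal "DB_PASSWORD must be set"` before the substitution, or give both variables documented `??=` defaults. The unit is installed with `install -m 644`, so whatever password is substituted is world-readable on the image; installing it 0600 or keeping the secret out of the unit would limit that. Separately, the `%SYSCONFIGDIR%` sed line is duplicated, and the `PermissionsStartOnly=true` inserted into postgresql.service is the deprecated spelling of the `ExecStartPre=+...` prefix.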
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [[ "${1}" == "--includedir" ]]; then
+
+ echo "${STAGING_DIR_TARGET}${includedir}"
+
+elif [[ "${1}" == "--libdir" ]]; then
+
+ echo "${STAGING_DIR_TARGET}${libdir}"
+
+elif [[ "${1}" == "--version" ]]; then
+
+ echo "9.6"
+
+fi
\ No newline at end of file
diff --git a/recipes-dbs/postgresql/postgresql/postgres-bench b/recipes-dbs/postgresql/postgresql/postgres-bench
new file mode 100644
index 0000000..d9c1830
--- /dev/null
+++ b/recipes-dbs/postgresql/postgresql/postgres-bench
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ -z "$1" ]; then
+ echo "Usage: ./postgres-bench.sh EXISTING_DB_NAME"
+ exit 1
+fi
+
+BINDIR=%BINDIR%
+LIBDIR=%LIBDIR%
+PURECAPLD="LD_LIBRARY_PATH=${LIBDIR}"
+DB_NAME=$1
+
+export ${PURECAPLD}
+
+${BINDIR}/pgbench -i ${DB_NAME} -U postgres
+${BINDIR}/pgbench -U postgres -c 2 -T 180 ${DB_NAME} 2>&1 | tee /tmp/pgbench-results.txt
\ No newline at end of file
diff --git a/recipes-dbs/postgresql/postgresql/postgres-test b/recipes-dbs/postgresql/postgresql/postgres-test
new file mode 100644
index 0000000..00b57c2
--- /dev/null
+++ b/recipes-dbs/postgresql/postgresql/postgres-test
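Review bot: The pg_config stub exits 0 with no output for any option other than `--includedir`, `--libdir` and `--version`, so a consumer probing, say, `--pkglibdir` or `--cflags` receives an empty string instead of an error it can act on; add a final `else echo "pg_config stub: unsupported option ${1}" >&2; exit 1` branch. The two directories it prints are built from `STAGING_DIR_TARGET`, `includedir` and `libdir` read from the process environment, which presumably only works when the calling recipe exports them; a comment at the top of the script stating that requirement would save the next user a puzzling empty path.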
@@ -0,0 +1,49 @@ +#!/bin/sh +# stolen from postgresql-cheri + +BINDIR=%BINDIR% +LIBDIR=%LIBDIR% +PURECAPLD="LD_LIBRARY_PATH=${LIBDIR}" +LD_CHERI_LIBRARY_PATH=${LIBDIR} + +POSTGRES_INSTANCE="/tmp/postgres-test-cheri/instance" + +PG_REGRESS=${LIBDIR}/postgresql/pgxs/src/test/regress/pg_regress + +SCHEDULE_NAME=${SCHEDULE_NAME:-serial_schedule} + +OUTPUT_DIR="/tmp/pg_test" + +rm -rf $OUTPUT_DIR + +mkdir -p $OUTPUT_DIR +mkdir -p $OUTPUT_DIR/log +mkdir -p $OUTPUT_DIR/sql +mkdir -p $OUTPUT_DIR/expected +mkdir -p $OUTPUT_DIR/results +mkdir -p $OUTPUT_DIR/testtablespace +mkdir -p $POSTGRES_INSTANCE + +cd $OUTPUT_DIR + +if "${PG_REGRESS}" "--inputdir=${LIBDIR}/postgresql/pgxs/src/test/regress" "--bindir=${BINDIR}" "--dlpath=${LIBDIR}" "--schedule=${LIBDIR}/postgresql/pgxs/src/test/regress/${SCHEDULE_NAME}" "--outputdir=$OUTPUT_DIR" "--temp-instance=$POSTGRES_INSTANCE" "$@" +then + echo "TESTS SUCCCEEDED" +else + if [ "$?" = 1 ]; then + echo "TESTS UNSTABLE" + echo "CHECKING FOR ASSERTION FAILURES:" + grep TRAP "$OUTPUT_DIR/log/postmaster.log" || true + exit 0 + else + echo "Got test failures, reading initdb log: $OUTPUT_DIR/log/initdb.log" + cat "$OUTPUT_DIR/log/initdb.log" + false + fi +fi + +sudo cp /tmp/pg_test/regression.diffs regression.diffs +sudo cp /tmp/pg_test/regression.out regression.out +sudo cp -rf /tmp/pg_test/expected . +sudo cp -rf /tmp/pg_test/results . +sudo cp /tmp/pg_test/log/postmaster.log postmaster.log diff --git a/recipes-dbs/postgresql/postgresql/postgresql-init b/recipes-dbs/postgresql/postgresql/postgresql-init new file mode 100644 index 0000000..34e77ef --- /dev/null +++ b/recipes-dbs/postgresql/postgresql/postgresql-init 
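Review bot: The five trailing `sudo cp /tmp/pg_test/... .` commands copy each file onto itself, because the script has already done `cd $OUTPUT_DIR` with `OUTPUT_DIR="/tmp/pg_test"` and never changes directory again; either capture the caller's directory before the cd (`ORIG_DIR=$(pwd)`) and copy there, or drop the copies. The fixed paths `/tmp/pg_test` and `/tmp/postgres-test-cheri/instance` are removed and recreated inside a world-writable directory and then used as the regression instance, which any other local user can pre-create or replace; `OUTPUT_DIR=$(mktemp -d)` is the usual fix, and matters more here because parts of the script run under sudo. `PURECAPLD` and `LD_CHERI_LIBRARY_PATH` are assigned but never exported, so pg_regress does not see them, unlike postgres-bench which does `export ${PURECAPLD}`.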
@@ -0,0 +1,64 @@ +#!/bin/sh +# set -x + +PN=postgresql-morello +DATA_DIR=%DB_DATADIR% +BIN_DIR=%BINDIR% +SYSCONF_DIR=%SYSCONFDIR% + +# called by postgresql.service.. +initdb(){ + + if [ ! -e $DATA_DIR ]; then + mkdir -p $DATA_DIR + chown postgres $DATA_DIR + fi + + if [ -e $DATA_DIR/PG_VERSION ]; then + # the database has already been initialized, return + exit 0 + fi + + # Create the DB + sudo -u postgres ${BIN_DIR}/initdb -D $DATA_DIR + + if [ $? -ne 0 ]; then + echo "[INFO] postgres: failed to initalise the DB" + exit 1 + fi + + # Allow readers/writers + echo "listen_addresses = '*'" >> $DATA_DIR/postgresql.conf + echo "local root all password" >> $DATA_DIR/pg_hba.conf +} + +if [ "$1" == "initdb" ]; then + initdb + exit 0 +fi + +count=0 +done=0 +while [ $count -le 10 ] && [ $done -eq 0 ]; do + + sudo -u postgres ${BIN_DIR}/psql -c "CREATE ROLE ${DB_USER} WITH SUPERUSER LOGIN PASSWORD '${DB_PASSWORD}'" 2> /dev/null + + if [ $? -ne 0 ]; then + echo "[INFO] postgres: failed to create account for ${DB_USER}, trying again" + systemctl stop postresql + sleep 3 + systemctl start postgresql + sleep 3 + else + echo "[INFO] postgres: created account for ${DB_USER}, continuing .. " + done=1 + fi + count=`expr $count + 1` +done + +if [ $done -eq 0 ]; then + echo "[ERROR] postgres: unable to create admin account" + exit 1 +fi + +ln -s /usr/share/zoneinfo %PGINSTALLDIR%/usr/share/postgresql/timezone || true diff --git a/recipes-dbs/postgresql/postgresql/postgresql-init.service b/recipes-dbs/postgresql/postgresql/postgresql-init.service new file mode 100644 index 0000000..d140c26 --- /dev/null +++ b/recipes-dbs/postgresql/postgresql/postgresql-init.service 
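Review bot: `systemctl stop postresql` in the retry loop misspells the unit name, so the restart meant to recover from a failed CREATE ROLE never stops the running server and the following `systemctl start postgresql` is a no-op; it should read `systemctl stop postgresql`. The script is `#!/bin/sh` yet tests `[ "$1" == "initdb" ]`, which a POSIX sh such as dash rejects as an unknown operator, so the initdb path that postgresql.service invokes via ExecStartPre may never run; use a single `=`. The superuser password is also embedded in the `psql -c "CREATE ROLE ... PASSWORD '${DB_PASSWORD}'"` argument, where it is visible in the process list for the duration of the command and in any statement logging; feeding the statement on stdin (`psql <<EOF ... EOF`) removes the first exposure. Finally, `listen_addresses = '*'` is appended unconditionally, binding every interface while the only pg_hba rule added is a `local` one; a comment stating the intended remote-access policy, or a substituted `%LISTEN_ADDRESSES%` defaulting to localhost, would make that exposure deliberate rather than implicit.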
@@ -0,0 +1,19 @@
+[Unit]
+Description=Postgresql setup
+Wants=postgresql.service
+After=postgresql.service
+
+[Service]
+Type=oneshot
+
+Environment=DB_USER=%DB_USER%
+Environment=DB_PASSWORD=%DB_PASSWORD%
+
+Environment=PGROOT=%PGINSTALLDIR%
+
+ExecStart=%SYSCONFIGDIR%/postgresql/postgresql-init
+ExecStartPost=/bin/bash -c '/bin/systemctl --no-reload disable postgresql-init.service'
+RemainAfterExit=No
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-dbs/postgresql/postgresql/postgresql-morello.init b/recipes-dbs/postgresql/postgresql/postgresql-morello.init
new file mode 100644
index 0000000..cb9b683
--- /dev/null
+++ b/recipes-dbs/postgresql/postgresql/postgresql-morello.init
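Review bot: `Environment=DB_PASSWORD=%DB_PASSWORD%` bakes the database superuser password into the unit file, which is installed world-readable by default and is echoed back by `systemctl show postgresql-init`; move `DB_USER` and `DB_PASSWORD` into a root-owned, mode 0600 file referenced with `EnvironmentFile=`, and keep the unit itself free of secrets. `ExecStartPost` disables the unit after the first run, but if that call fails or the system is reset before it completes the script runs again at the next boot, so the requirement that `postgresql-init` be safe to re-run should be stated in a comment above `ExecStart`.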
@@ -0,0 +1,193 @@
+#!/bin/sh
+#
+# postgresql This is the init script for starting up the PostgreSQL
+# server.
+#
+# chkconfig: - 64 36
+# description: PostgreSQL database server.
+# processname: postmaster
+# pidfile: /var/run/postmaster.PORT.pid
+
+# This script is slightly unusual in that the name of the daemon (postmaster)
+# is not the same as the name of the subsystem (postgresql)
+
+# PGVERSION is the full package version, e.g., 8.4.0
+# Note: the specfile inserts the correct value during package build
+PGVERSION=9.2.4
+# PGMAJORVERSION is major version, e.g., 10 (this should match PG_VERSION)
+PGMAJORVERSION=`echo "$PGVERSION" | sed 's/^([0-9]*).*$/\1/'`
+
+# Source function library.
+. /etc/init.d/functions
+
+# Find the name of the script
+NAME=`basename $0`
+if [ ${NAME:0:1} = "S" -o ${NAME:0:1} = "K" ]
+then
+ NAME=${NAME:3}
+fi
+
+# For SELinux we need to use 'runuser' not 'su'
+if [ -x /sbin/runuser ]
+then
+ SU=runuser
+else
+ SU=su
+fi
+
+
+# Set defaults for configuration variables
+PGENGINE=/usr/bin
+PGPORT=5432
+PGDATA=/var/lib/postgresql/data
+PGLOG=/var/lib/postgresql/pgstartup.log
+# Value to set as postmaster process's oom_adj
+PG_OOM_ADJ=-17
+
+# Override defaults from /etc/sysconfig/postgresql if file is present
+[ -f /etc/default/postgresql/${NAME} ] && . /etc/default/postgresql/${NAME}
+
+export PGDATA
+export PGPORT
+
+lockfile="/var/lock/subsys/${NAME}"
+pidfile="/var/run/postmaster.${PGPORT}.pid"
+
+script_result=0
+
+start(){
+ [ -x "$PGENGINE/postmaster" ] || exit 5
+
+ PSQL_START=$"Starting ${NAME} service: "
+
+ # Make sure startup-time log file is valid
+ if [ ! -e "$PGLOG" -a ! -h "$PGLOG" ]
+ then
+ touch "$PGLOG" || exit 4
+ chown postgres:postgres "$PGLOG"
+ chmod go-rwx "$PGLOG"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$PGLOG"
+ fi
+
+ # Check for the PGDATA structure
+ if [ -f "$PGDATA/PG_VERSION" ] && [ -d "$PGDATA/base" ]
+ then
+ # Check version of existing PGDATA
+ if [ x`cat "$PGDATA/PG_VERSION"` != x"$PGMAJORVERSION" ]
+ then
+ SYSDOCDIR="(Your System's documentation directory)"
+ if [ -d "/usr/doc/postgresql-$PGVERSION" ]
+ then
+ SYSDOCDIR=/usr/doc
+ fi
+ if [ -d "/usr/share/doc/postgresql-$PGVERSION" ]
+ then
+ SYSDOCDIR=/usr/share/doc
+ fi
+ if [ -d "/usr/doc/packages/postgresql-$PGVERSION" ]
+ then
+ SYSDOCDIR=/usr/doc/packages
+ fi
+ if [ -d "/usr/share/doc/packages/postgresql-$PGVERSION" ]
+ then
+ SYSDOCDIR=/usr/share/doc/packages
+ fi
+ echo
+ echo $"An old version of the database format was found."
+ echo $"You need to upgrade the data format before using PostgreSQL."
+ echo $"See $SYSDOCDIR/postgresql-$PGVERSION/README.rpm-dist for more information."
+ exit 1
+ fi
+ else
+ # No existing PGDATA! Warn the user to initdb it.
+ echo
+ echo "$PGDATA is missing. Use "postgresql-setup initdb" to initialize the cluster first."
+ echo -n " [FAILED] "
+ echo
+ exit 1
+ fi
+
+ echo -n "$PSQL_START"
+ test x"$PG_OOM_ADJ" != x && echo "$PG_OOM_ADJ" > /proc/self/oom_score_adj
+ $SU -l postgres -c "$PGENGINE/postmaster -p '$PGPORT' -D '$PGDATA' ${PGOPTS} &" >> "$PGLOG" 2>&1 < /dev/null
+ sleep 2
+ pid=`head -n 1 "$PGDATA/postmaster.pid" 2>/dev/null`
+ if [ "x$pid" != x ]
+ then
+ echo -n " [ OK ]"
+ touch "$lockfile"
+ echo $pid > "$pidfile"
+ echo
+ else
+ echo -n " [FAILED]"
+ echo
+ script_result=1
+ fi
+}
+
+stop(){
+ echo -n $"Stopping ${NAME} service: "
+ if [ -e "$lockfile" ]
+ then
+ $SU -l postgres -c "$PGENGINE/pg_ctl stop -D '$PGDATA' -s -m fast" > /dev/null 2>&1 < /dev/null
+ ret=$?
+ if [ $ret -eq 0 ]
+ then
+ echo -n " [ OK ] "
+ rm -f "$pidfile"
+ rm -f "$lockfile"
+ else
+ echo -n " [FAILED] "
+ script_result=1
+ fi
+ else
+ # not running; per LSB standards this is "ok"
+ echo -n " [ OK ] "
+ fi
+ echo
+}
+
+restart(){
+ stop
+ start
+}
+
+condrestart(){
+ [ -e "$lockfile" ] && restart || :
+}
+
+reload(){
+ $SU -l postgres -c "$PGENGINE/pg_ctl reload -D '$PGDATA' -s" > /dev/null 2>&1 < /dev/null
+}
+
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ status)
+ status postmaster
+ script_result=$?
+ ;;
+ restart)
+ restart
+ ;;
+ condrestart|try-restart)
+ condrestart
+ ;;
+ reload)
+ reload
+ ;;
+ force-reload)
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+
+exit $script_result
\ No newline at end of file
diff --git a/recipes-dbs/postgresql/postgresql/postgresql-morello.service b/recipes-dbs/postgresql/postgresql/postgresql-morello.service
new file mode 100644
index 0000000..bce29b8
--- /dev/null
+++ b/recipes-dbs/postgresql/postgresql/postgresql-morello.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=PostgreSQL database server
+After=network.target
+
+[Service]
+Type=forking
+User=postgres
+Group=postgres
+
+# Port number for server to listen on
+Environment=PGPORT=5432
+
+# Location of database directory
+Environment=PGDATA=/var/lib/postgresql/data
+
+Environment=PGROOT=%PGINSTALLDIR%
+
+# Disable OOM kill on the postmaster
+OOMScoreAdjust=-17
+
+ExecStart=/bin/bash -c '%BINDIR%/pg_ctl start -D ${PGDATA} -s -o "-p ${PGPORT}" -w -t 300'
+ExecStop=/bin/bash -c '%BINDIR%/pg_ctl stop -D ${PGDATA} -s -m fast'
+ExecReload=/bin/bash -c '%BINDIR%/pg_ctl reload -D ${PGDATA} -s'
+
+# Give a reasonable amount of time for the server to start up/shut down
+TimeoutSec=300
+
+[Install]
+WantedBy=multi-user.target
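Review bot: `PGMAJORVERSION` is computed with `sed 's/^([0-9]*).*$/\1/'`, but in a basic regular expression `(` is literal, so there is no group for `\1` to refer to; GNU sed rejects the expression and the variable ends up empty, which makes the version check in `start` (`x`cat "$PGDATA/PG_VERSION"` != x"$PGMAJORVERSION"`) fail on every run and exit 1 with the "old version" message. Use `sed 's/^\([0-9]*\).*$/\1/'`, and note that `PGVERSION=9.2.4` is hard-coded while the bbappend in this series targets `postgresql_%`, so the check is unlikely to match the packaged server even after the fix. The script is `#!/bin/sh` yet uses `${NAME:0:1}`, `${NAME:3}` and `$"..."`, which are bash extensions, and the message `echo "$PGDATA is missing. Use "postgresql-setup initdb" to ..."` closes its quotes early. Writing `PG_OOM_ADJ=-17` to `/proc/self/oom_score_adj` follows the old `oom_adj` scale (the comment above it says so); `oom_score_adj` ranges over -1000..1000, so -17 barely changes the score, and the companion service unit's `OOMScoreAdjust=-17` has the same limitation.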
diff --git a/recipes-dbs/postgresql/postgresql/postgresql-profile b/recipes-dbs/postgresql/postgresql/postgresql-profile
new file mode 100644
index 0000000..1c931f3
--- /dev/null
+++ b/recipes-dbs/postgresql/postgresql/postgresql-profile
@@ -0,0 +1,4 @@
+[ -f /etc/profile ] && source /etc/profile
+
+PGDATA=/var/lib/postgresql/data
+export PGDATA
diff --git a/recipes-dbs/postgresql/postgresql/postgresql-setup b/recipes-dbs/postgresql/postgresql/postgresql-setup
new file mode 100644
index 0000000..75bb01e
--- /dev/null
+++ b/recipes-dbs/postgresql/postgresql/postgresql-setup
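Review bot: `source /etc/profile` is the bash spelling; not every POSIX `/bin/sh` recognises it (dash, for one), so a profile fragment read by such a shell fails on this line — use the portable form `[ -f /etc/profile ] && . /etc/profile`. The file also hard-codes `PGDATA=/var/lib/postgresql/data` while the init script and the service unit in this series each carry their own copy of the same path; a comment naming the one place it is meant to be changed would keep the three in step.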
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# postgresql-setup Initialization operation for PostgreSQL
+
+# For SELinux we need to use 'runuser' not 'su'
+if [ -x /sbin/runuser ]
+then
+ SU=runuser
+else
+ SU=su
+fi
+
+PGENGINE=/usr/bin
+PGDATA=/var/lib/postgresql/data
+PGLOG=/var/lib/postgresql/pgstartup.log
+script_result=0
+
+initdb(){
+ if [ -f "$PGDATA/PG_VERSION" ]
+ then
+ echo -n "Data directory is not empty!"
+ echo -n " [FAILED] "
+ echo
+ script_result=1
+ else
+ echo -n "Initializing database: "
+ if [ ! -e "$PGDATA" -a ! -h "$PGDATA" ]
+ then
+ mkdir -p "$PGDATA" || exit 1
+ chown postgres:postgres "$PGDATA"
+ chmod go-rwx "$PGDATA"
+ fi
+ # Clean up SELinux tagging for PGDATA
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$PGDATA"
+
+ # Make sure the startup-time log file is OK, too
+ if [ ! -e "$PGLOG" -a ! -h "$PGLOG" ]
+ then
+ touch "$PGLOG" || exit 1
+ chown postgres:postgres "$PGLOG"
+ chmod go-rwx "$PGLOG"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$PGLOG"
+ fi
+
+ # Initialize the database
+ $SU -l postgres -c "$PGENGINE/initdb --pgdata='$PGDATA' --auth='ident'" >> "$PGLOG" 2>&1 < /dev/null
+
+ # Create directory for postmaster log
+ mkdir "$PGDATA/pg_log"
+ chown postgres:postgres "$PGDATA/pg_log"
+ chmod go-rwx "$PGDATA/pg_log"
+
+ if [ -f "$PGDATA/PG_VERSION" ]
+ then
+ echo -n " [ OK ] "
+ else
+ echo -n " [FAILED] "
+ script_result=1
+ fi
+ echo
+ fi
+}
+
+case "$1" in
+ initdb)
+ initdb
+ ;;
+ *)
+ echo "Usage: $0 initdb"
+ exit 2
+esac
+
+exit $script_result
diff --git a/recipes-dbs/postgresql/postgresql/postgresql.pam b/recipes-dbs/postgresql/postgresql/postgresql.pam
new file mode 100644
index 0000000..0b6fdc5
--- /dev/null
+++ b/recipes-dbs/postgresql/postgresql/postgresql.pam
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth include common-auth
+account include common-account
+password include common-password
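Review bot: `PGENGINE=/usr/bin` is hard-coded here while `postgresql-init` in the same series takes the binary directory from a `%BINDIR%` substitution, so on a purecap sysroot layout this script may run a different `initdb` than the one packaged with it; substituting `%BINDIR%` here as well keeps the two in step. The series now has two initialisation paths — this `initdb` (creates `$PGDATA` as `postgres:postgres` with `go-rwx`, logs to `$PGLOG`, passes `--auth='ident'`) and the `initdb` function in `postgresql-init` (`mkdir -p`/`chown` only, then appends to `pg_hba.conf`) — and they produce different authentication setups, so a header comment should say which one the image is expected to use. `mkdir "$PGDATA/pg_log"` and the following `chown`/`chmod` run even when `initdb` failed, which leaves a non-empty data directory that a retry of `initdb` then refuses; guard them with `[ -f "$PGDATA/PG_VERSION" ] &&` (or check the `$SU` exit status) before creating the log directory.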
diff --git a/recipes-dbs/postgresql/postgresql/test-schedule b/recipes-dbs/postgresql/postgresql/test-schedule
new file mode 100644
index 0000000..b8808c9
--- /dev/null
+++ b/recipes-dbs/postgresql/postgresql/test-schedule
@@ -0,0 +1 @@
+test: type_sanity
\ No newline at end of file
diff --git a/recipes-dbs/postgresql/postgresql_%.bbappend b/recipes-dbs/postgresql/postgresql_%.bbappend
new file mode 100644
index 0000000..66e03de
--- /dev/null
+++ b/recipes-dbs/postgresql/postgresql_%.bbappend
@@ -0,0 +1,7 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/postgresql:"
+
+SYSTEMD_AUTO_ENABLE:${PN} = "disable"
+
+PROVIDES += "libpq"
+
+FILES:libpq = "${libdir}/libpq*${SOLIBS} ${includedir}"
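Review bot: `FILES:libpq = "${libdir}/libpq*${SOLIBS} ${includedir}"` puts the whole `${includedir}` into the runtime `libpq` package, so every header the recipe installs ships with the shared library instead of with `${PN}-dev`; unless that is deliberate for the purecap sysroot, drop `${includedir}` from this line and let the default `FILES` rules keep headers in the dev package. A one-line comment explaining why `PROVIDES += "libpq"` and the `SYSTEMD_AUTO_ENABLE` override are needed — presumably so the `-morello` recipes can `DEPENDS` on `libpq` and so the morello units replace the stock one — would save the next reader a search.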
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- ...0001-tclCompCmdsSZ-cast-to-uintptr_t.patch | 28 +++++ recipes-devtools/tcltk/tcl-morello_8.6.11.bb | 104 ++++++++++++++++++ .../tcltk/tcl/alter-includedir.patch | 56 ++++++++++ .../tcl/fix_issue_with_old_distro_glibc.patch | 39 +++++++ .../tcl/fix_non_native_build_issue.patch | 64 +++++++++++ recipes-devtools/tcltk/tcl/interp.patch | 32 ++++++ recipes-devtools/tcltk/tcl/run-ptest | 17 +++ .../tcltk/tcl/tcl-add-soname.patch | 32 ++++++ .../tcl-remove-hardcoded-install-path.patch | 32 ++++++ 9 files changed, 404 insertions(+) create mode 100644 recipes-devtools/tcltk/cheri-patches/0001-tclCompCmdsSZ-cast-to-uintptr_t.patch create mode 100644 recipes-devtools/tcltk/tcl-morello_8.6.11.bb create mode 100644 recipes-devtools/tcltk/tcl/alter-includedir.patch create mode 100644 recipes-devtools/tcltk/tcl/fix_issue_with_old_distro_glibc.patch create mode 100644 recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch create mode 100644 recipes-devtools/tcltk/tcl/interp.patch create mode 100644 recipes-devtools/tcltk/tcl/run-ptest create mode 100644 recipes-devtools/tcltk/tcl/tcl-add-soname.patch create mode 100644 recipes-devtools/tcltk/tcl/tcl-remove-hardcoded-install-path.patch
diff --git a/recipes-devtools/tcltk/cheri-patches/0001-tclCompCmdsSZ-cast-to-uintptr_t.patch b/recipes-devtools/tcltk/cheri-patches/0001-tclCompCmdsSZ-cast-to-uintptr_t.patch
new file mode 100644
index 0000000..b781e60
--- /dev/null
+++ b/recipes-devtools/tcltk/cheri-patches/0001-tclCompCmdsSZ-cast-to-uintptr_t.patch
@@ -0,0 +1,28 @@
+From f184b339449f07e82a9c515a99e179fb7f602e8d Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Tue, 16 Jan 2024 12:51:08 +0000
+Subject: [PATCH] tclCompCmdsSZ: cheri provenance
+
+Cast int values that are used in pointer arithmetic to uintptr_t.
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ generic/tclCompCmdsSZ.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/generic/tclCompCmdsSZ.c b/generic/tclCompCmdsSZ.c
+index ddfe0dc..b48f2b6 100644
+--- a/generic/tclCompCmdsSZ.c
++++ b/generic/tclCompCmdsSZ.c
+@@ -2383,7 +2383,7 @@ IssueSwitchJumpTable(
+ * point to here.
+ */
+
+- Tcl_SetHashValue(hPtr, CurrentOffset(envPtr) - jumpLocation);
++ Tcl_SetHashValue(hPtr, CurrentOffset(envPtr) - (uintptr_t)jumpLocation);
+ }
+ Tcl_DStringFree(&buffer);
+ } else {
+--
+2.34.1
+
diff --git a/recipes-devtools/tcltk/tcl-morello_8.6.11.bb b/recipes-devtools/tcltk/tcl-morello_8.6.11.bb
new file mode 100644
index 0000000..dfced55
--- /dev/null
+++ b/recipes-devtools/tcltk/tcl-morello_8.6.11.bb
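Review bot: This patch file carries no `Upstream-Status:` line, unlike every other patch under `recipes-devtools/tcltk/tcl/` in this series; add `Upstream-Status: Inappropriate [CHERI specific]` (or `Pending` if it is meant to go upstream) after the `Subject:` block so the layer's patch-status checks can classify it. The description, `Cast int values that are used in pointer arithmetic to uintptr_t.`, should also name the compiler diagnostic the cast silences and why the change is safe: the value `CurrentOffset(envPtr) - (uintptr_t)jumpLocation` is presumably still stored by `Tcl_SetHashValue` as a pointer-typed hash value that only ever gets read back as an offset, and that assumption is what a reviewer of the CHERI port needs to see stated in the patch.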
@@ -0,0 +1,104 @@
+inherit autotools ptest binconfig purecap-sysroot
+
+MORELLO_SRC = "poky/meta/recipes-devtools/tcltk/tcl_8.6.11.bb"
+
+SUMMARY = "Tool Command Language - CHERI: sourced from poky/meta"
+HOMEPAGE = "http://tcl.sourceforge.net"
+DESCRIPTION = "Tool Command Language, is an open-source multi-purpose C library which includes a powerful dynamic scripting language. Together they provide ideal cross-platform development environment for any programming project."
+SECTION = "devel/tcltk"
+
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/tcl:${THISDIR}/cheri-patches:"
+
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+# http://www.tcl.tk/software/tcltk/license.html
+LICENSE = "TCL & BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://license.terms;md5=058f6229798281bbcac4239c788cfa38 \
+ file://compat/license.terms;md5=058f6229798281bbcac4239c788cfa38 \
+ file://library/license.terms;md5=058f6229798281bbcac4239c788cfa38 \
+ file://macosx/license.terms;md5=058f6229798281bbcac4239c788cfa38 \
+ file://tests/license.terms;md5=058f6229798281bbcac4239c788cfa38 \
+ file://win/license.terms;md5=058f6229798281bbcac4239c788cfa38 \
+"
+
+DEPENDS = "tcl-native zlib-morello"
+
+PVTCL = "8.6.11"
+BPNTCL = "tcl"
+
+BASE_SRC_URI = "${SOURCEFORGE_MIRROR}/tcl/tcl-core${PVTCL}-src.tar.gz \
+ file://tcl-add-soname.patch"
+
+SRC_URI = "${BASE_SRC_URI} \
+ file://fix_non_native_build_issue.patch \
+ file://fix_issue_with_old_distro_glibc.patch \
+ file://tcl-remove-hardcoded-install-path.patch \
+ file://alter-includedir.patch \
+ file://interp.patch \
+ file://run-ptest \
+"
+
+SRC_URI += "file://0001-tclCompCmdsSZ-cast-to-uintptr_t.patch"
+
+SRC_URI[sha256sum] = "cfb49aab82bd179651e23eeeb69606f51b0ddc575ca55c3d35e2457469024cfa"
+
+SRC_URI:class-native = "${BASE_SRC_URI}"
+
+# Upstream don't believe this is an exploitable issue
+# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
+CVE_CHECK_IGNORE += "CVE-2021-35331"
+
+UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(.\d+)+)-src"
+
+S = "${WORKDIR}/${BPNTCL}${PVTCL}"
+
+VER = "${PVTCL}"
+
+AUTOTOOLS_SCRIPT_PATH = "${S}/unix"
+EXTRA_OECONF = "--enable-threads --enable-man-suffix"
+
+do_install() {
+ autotools_do_install
+ oe_runmake 'DESTDIR=${D}' install-private-headers
+ ln -sf ./tclsh${VER} ${D}${bindir}/tclsh
+ ln -sf tclsh8.6 ${D}${bindir}/tclsh${VER}
+ sed -i "s;-L${B};-L${STAGING_LIBDIR};g" tclConfig.sh
+ sed -i "s;'${WORKDIR};'${STAGING_INCDIR};g" tclConfig.sh
+ install -d ${D}${bindir_crossscripts}
+ install -m 0755 tclConfig.sh ${D}${bindir_crossscripts}
+ install -m 0755 tclConfig.sh ${D}${libdir}
+ for dir in compat generic unix; do
+ install -d ${D}${includedir}/${BPNTCL}${VER}/$dir
+ install -m 0644 ${S}/$dir/*.h ${D}${includedir}/${BPNTCL}${VER}/$dir/
+ done
+}
+
+SYSROOT_DIRS += "${bindir_crossscripts}"
+
+PACKAGES =+ "tcl-lib-morello"
+FILES:tcl-lib-morello = "${libdir}/libtcl8.6.so.*"
+FILES:${PN} += "${libdir}/tcl${VER} ${libdir}/tcl8.6 ${libdir}/tcl8"
+FILES:${PN}-dev += "${libdir}/tclConfig.sh ${libdir}/tclooConfig.sh"
+
+# isn't getting picked up by shlibs code
+RDEPENDS:${PN} += "tcl-lib-morello"
+
+# Fix some paths that might be used by Tcl extensions
+BINCONFIG_GLOB = "*Config.sh"
+
+# Fix the path in sstate
+SSTATE_SCAN_FILES += "*Config.sh"
+
+# Cleanup host path from ${libdir}/tclConfig.sh and remove the
+# ${bindir_crossscripts}/tclConfig.sh from target
+PACKAGE_PREPROCESS_FUNCS += "tcl_package_preprocess"
+tcl_package_preprocess() {
+ sed -i -e "s;${DEBUG_PREFIX_MAP};;g" \
+ -e "s;-L${STAGING_LIBDIR};-L${libdir};g" \
+ -e "s;${STAGING_INCDIR};${includedir};g" \
+ -e "s;--sysroot=${RECIPE_SYSROOT};;g" \
+ ${PKGD}${libdir}/tclConfig.sh
+
+ rm -f ${PKGD}${bindir_crossscripts}/tclConfig.sh
+}
diff --git a/recipes-devtools/tcltk/tcl/alter-includedir.patch b/recipes-devtools/tcltk/tcl/alter-includedir.patch
new file mode 100644
index 0000000..5b25af2
--- /dev/null
+++ b/recipes-devtools/tcltk/tcl/alter-includedir.patch
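Review bot: `install -m 0755 tclConfig.sh ${D}${libdir}` installs a shell fragment that is only ever sourced, so `-m 0644` is the appropriate mode there (the copy placed in `${bindir_crossscripts}` can keep 0755 if something executes it). `FILES:tcl-lib-morello = "${libdir}/libtcl8.6.so.*"` and the `ln -sf tclsh8.6` line hard-code `8.6` while the rest of the recipe derives paths from `${VER}`; a comment noting that these two must move together on a version bump would prevent a silent packaging mismatch. The `CVE_CHECK_IGNORE += "CVE-2021-35331"` entry and its justification are carried over from the poky recipe named in `MORELLO_SRC`; saying so in the comment makes clear the decision was inherited rather than re-evaluated for the purecap build.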
@@ -0,0 +1,56 @@ +Lets install the include header and private header files into +usr/include/tcl8.6 when version of tcl is 8.6.x + +Upstream-Status: Inappropriate [Configuration Specific] + +Signed-off-by: Khem Raj raj.khem@gmai.com + +Fixed the TCL_INCLUDE_SPEC + +Signed-off-by: Robert Yang liezhi.yang@windriver.com +Signed-off-by: Yi Zhao yi.zhao@windriver.com + +--- + Makefile.in | 2 +- + configure | 4 ++-- + configure.in | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Makefile.in b/Makefile.in +index 0370491..daa569a 100644 +--- a/unix/Makefile.in ++++ b/unix/Makefile.in +@@ -57,7 +57,7 @@ SCRIPT_INSTALL_DIR = $(INSTALL_ROOT)$(TCL_LIBRARY) + MODULE_INSTALL_DIR = $(SCRIPT_INSTALL_DIR)/../tcl8 + + # Directory in which to install the include file tcl.h: +-INCLUDE_INSTALL_DIR = $(INSTALL_ROOT)$(includedir) ++INCLUDE_INSTALL_DIR = $(INSTALL_ROOT)$(includedir)/tcl$(VERSION) + + # Path to the private tcl header dir: + PRIVATE_INCLUDE_DIR = @PRIVATE_INCLUDE_DIR@ +diff --git a/configure.in b/configure.in +index 9f96e2b..e323e02 100644 +--- a/unix/configure.in ++++ b/unix/configure.in +@@ -773,7 +773,7 @@ eval "TCL_LIB_FILE=libtcl${LIB_SUFFIX}" + eval "TCL_LIB_FILE=${TCL_LIB_FILE}" + + test -z "$TCL_LIBRARY" && TCL_LIBRARY='$(libdir)/tcl$(VERSION)' +-PRIVATE_INCLUDE_DIR='$(includedir)' ++PRIVATE_INCLUDE_DIR='$(includedir)/tcl$(VERSION)' + HTML_DIR='$(DISTDIR)/html' + + # Note: in the following variable, it's important to use the absolute +@@ -894,7 +894,7 @@ TCL_BUILD_STUB_LIB_PATH="`pwd`/${TCL_STUB_LIB_FILE}" + TCL_STUB_LIB_PATH="${TCL_STUB_LIB_DIR}/${TCL_STUB_LIB_FILE}" + + # Install time header dir can be set via --includedir +-eval "TCL_INCLUDE_SPEC="-I${includedir}"" ++eval "TCL_INCLUDE_SPEC="-I${includedir}/tcl${VERSION}"" + + #------------------------------------------------------------------------ + # tclConfig.sh refers to this by a different name +-- +2.25.1 + 
diff --git a/recipes-devtools/tcltk/tcl/fix_issue_with_old_distro_glibc.patch b/recipes-devtools/tcltk/tcl/fix_issue_with_old_distro_glibc.patch new file mode 100644 index 0000000..2c31cec --- /dev/null +++ b/recipes-devtools/tcltk/tcl/fix_issue_with_old_distro_glibc.patch 
@@ -0,0 +1,39 @@ +Upstream-Status: Inappropriate [embedded specific] + +Fixes tcl target recipe build on old distros which have glibc older than 2.14 + +| + echo 'NOTE: make DESTDIR=/srv/home/nitin/builds/build-gcc47/tmp/work/x86_64-poky-linux/tcl-8.5.11-r5/image install' +| NOTE: make DESTDIR=/srv/home/nitin/builds/build-gcc47/tmp/work/x86_64-poky-linux/tcl-8.5.11-r5/image install +| + make DESTDIR=/srv/home/nitin/builds/build-gcc47/tmp/work/x86_64-poky-linux/tcl-8.5.11-r5/image install +| Making directory /srv/home/nitin/builds/build-gcc47/tmp/work/x86_64-poky-linux/tcl-8.5.11-r5/image/usr/lib +| Installing message catalogs +| Making directory /srv/home/nitin/builds/build-gcc47/tmp/work/x86_64-poky-linux/tcl-8.5.11-r5/image/usr/share/man +| tclsh: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /srv/home/nitin/builds/build-gcc47/tmp/work/x86_64-poky-linux/tcl-8.5.11-r5/tcl8.5.11/unix/libtcl8.5.so) +| Making directory /srv/home/nitin/builds/build-gcc47/tmp/work/x86_64-poky-linux/tcl-8.5.11-r5/image/usr/bin +| make: *** [install-msgs] Error 1 + +Signed-off-by: Nitin A Kamble nitin.a.kamble@intel.com +2012/04/26 + +Index: unix/Makefile.in +=================================================================== +--- a/unix.orig/Makefile.in 2013-11-10 23:38:01.787425628 -0800 ++++ b/unix/Makefile.in 2013-11-10 23:37:59.807425578 -0800 +@@ -686,7 +686,7 @@ + # tcltest executable gets the build directory burned into its ld search path. + # This keeps tcltest from picking up an already installed version of the Tcl + # library. 
+-SHELL_ENV = @LD_LIBRARY_PATH_VAR@=`pwd`:${@LD_LIBRARY_PATH_VAR@} \ ++SHELL_ENV = @LD_LIBRARY_PATH_VAR@=${@LD_LIBRARY_PATH_VAR@} \ + TCLLIBPATH="@abs_builddir@/pkgs" \ + TCL_LIBRARY="${TCL_BUILDTIME_LIBRARY}" + +@@ -712,7 +712,7 @@ + $(SHELL_ENV) ${TCLTEST_EXE} $(TOP_DIR)/tests/all.tcl $(TESTFLAGS) + + gdb-test: ${TCLTEST_EXE} +- @echo "set env @LD_LIBRARY_PATH_VAR@=`pwd`:$${@LD_LIBRARY_PATH_VAR@}" > gdb.run ++ @echo "set env @LD_LIBRARY_PATH_VAR@=$${@LD_LIBRARY_PATH_VAR@}" > gdb.run + @echo "set env TCL_LIBRARY=${TCL_BUILDTIME_LIBRARY}" >> gdb.run + @echo "set args $(TOP_DIR)/tests/all.tcl $(TESTFLAGS) -singleproc 1" >> gdb.run + $(GDB) ${TCLTEST_EXE} --command=gdb.run diff --git a/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch b/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch new file mode 100644 index 0000000..5a10c93 --- /dev/null +++ b/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch 
@@ -0,0 +1,64 @@ +Upstream-Status: Inappropriate [upstream does not support installed tests] + +Index: unix/Makefile.in +=================================================================== +--- a/unix.orig/Makefile.in 2013-11-10 23:37:34.243424934 -0800 ++++ b/unix/Makefile.in 2013-11-10 23:37:34.243424934 -0800 +@@ -709,23 +709,23 @@ + test: test-tcl test-packages + + test-tcl: ${TCLTEST_EXE} +- $(SHELL_ENV) ./${TCLTEST_EXE} $(TOP_DIR)/tests/all.tcl $(TESTFLAGS) ++ $(SHELL_ENV) ${TCLTEST_EXE} $(TOP_DIR)/tests/all.tcl $(TESTFLAGS) + + gdb-test: ${TCLTEST_EXE} + @echo "set env @LD_LIBRARY_PATH_VAR@=`pwd`:$${@LD_LIBRARY_PATH_VAR@}" > gdb.run + @echo "set env TCL_LIBRARY=${TCL_BUILDTIME_LIBRARY}" >> gdb.run + @echo "set args $(TOP_DIR)/tests/all.tcl $(TESTFLAGS) -singleproc 1" >> gdb.run +- $(GDB) ./${TCLTEST_EXE} --command=gdb.run ++ $(GDB) ${TCLTEST_EXE} --command=gdb.run + rm gdb.run + + # Useful target to launch a built tcltest with the proper path,... + runtest: ${TCLTEST_EXE} +- $(SHELL_ENV) ./${TCLTEST_EXE} ++ $(SHELL_ENV) ${TCLTEST_EXE} + + # Useful target for running the test suite with an unwritable current + # directory... + ro-test: ${TCLTEST_EXE} +- echo 'exec chmod -w .;package require tcltest;tcltest::temporaryDirectory /tmp;source ../tests/all.tcl;exec chmod +w .' | $(SHELL_ENV) ./${TCLTEST_EXE} ++ echo 'exec chmod -w .;package require tcltest;tcltest::temporaryDirectory /tmp;source ../tests/all.tcl;exec chmod +w .' 
| $(SHELL_ENV) ${TCLTEST_EXE} + + # The following target generates the shared libraries in dltest/ that are used + # for testing; they are included as part of the "tcltest" target (via the +@@ -743,23 +743,23 @@ + # This target can be used to run tclsh from the build directory + # via `make shell SCRIPT=/tmp/foo.tcl` + shell: ${TCL_EXE} +- $(SHELL_ENV) ./${TCL_EXE} $(SCRIPT) ++ $(SHELL_ENV) ${TCL_EXE} $(SCRIPT) + + # This target can be used to run tclsh inside either gdb or insight + gdb: ${TCL_EXE} +- $(SHELL_ENV) $(GDB) ./${TCL_EXE} ++ $(SHELL_ENV) $(GDB) ${TCL_EXE} + + valgrind: ${TCL_EXE} ${TCLTEST_EXE} +- $(SHELL_ENV) $(VALGRIND) $(VALGRINDARGS) ./${TCLTEST_EXE} $(TOP_DIR)/tests/all.tcl -singleproc 1 -constraints valgrind $(TESTFLAGS) ++ $(SHELL_ENV) $(VALGRIND) $(VALGRINDARGS) ${TCLTEST_EXE} $(TOP_DIR)/tests/all.tcl -singleproc 1 -constraints valgrind $(TESTFLAGS) + + valgrindshell: ${TCL_EXE} +- $(SHELL_ENV) $(VALGRIND) $(VALGRINDARGS) ./${TCL_EXE} $(SCRIPT) ++ $(SHELL_ENV) $(VALGRIND) $(VALGRINDARGS) ${TCL_EXE} $(SCRIPT) + + trace-shell: ${TCL_EXE} +- $(SHELL_ENV) ${TRACE} $(TRACE_OPTS) ./${TCL_EXE} $(SCRIPT) ++ $(SHELL_ENV) ${TRACE} $(TRACE_OPTS) ${TCL_EXE} $(SCRIPT) + + trace-test: ${TCLTEST_EXE} +- $(SHELL_ENV) ${TRACE} $(TRACE_OPTS) ./${TCLTEST_EXE} $(TOP_DIR)/tests/all.tcl -singleproc 1 $(TESTFLAGS) ++ $(SHELL_ENV) ${TRACE} $(TRACE_OPTS) ${TCLTEST_EXE} $(TOP_DIR)/tests/all.tcl -singleproc 1 $(TESTFLAGS) + + #-------------------------------------------------------------------------- + # Installation rules diff --git a/recipes-devtools/tcltk/tcl/interp.patch b/recipes-devtools/tcltk/tcl/interp.patch new file mode 100644 index 0000000..95d6318 --- /dev/null +++ b/recipes-devtools/tcltk/tcl/interp.patch 
@@ -0,0 +1,32 @@ +The interp-36.7 patch has race conditions and is missing cleanup. This patch by +a Tcl maintainer should improve matters. + +Upstream-Status: Pending +Signed-off-by: Ross Burton ross.burton@arm.com + +diff --git a/tests/interp.test b/tests/interp.test +index d7424847f..fc90990f3 100644 +--- a/tests/interp.test ++++ b/tests/interp.test +@@ -3595,17 +3595,18 @@ test interp-36.7 {ChildBgerror sets error handler of child [1999035]} -setup { + variable result + set result [lindex $args 0] + } ++ set tout [after 5000 {set result timeout}] + } -body { + child eval { + variable done {} + after 0 error foo +- after 10 [list ::set [namespace which -variable done] {}] +- vwait [namespace which -variable done] + } ++ vwait result + set result + } -cleanup { ++ after cancel $tout + variable result {} +- unset -nocomplain result ++ unset -nocomplain result tout + interp delete child + } -result foo + diff --git a/recipes-devtools/tcltk/tcl/run-ptest b/recipes-devtools/tcltk/tcl/run-ptest new file mode 100644 index 0000000..a62b703 --- /dev/null +++ b/recipes-devtools/tcltk/tcl/run-ptest @@ -0,0 +1,17 @@ +#!/bin/sh + +# clock.test needs a timezone to be set +export TZ="Europe/London" +export TCL_LIBRARY=library + +for i in `ls tests/*.test | awk -F/ '{print $2}'`; do + ./tcltest tests/all.tcl -file $i >$i.log 2>&1 + grep -q -F -e "Files with failing tests:" -e "Test files exiting with errors:" $i.log + if [ $? -eq 0 ]; then + echo "FAIL: $i" + cat $i.log + else + echo "PASS: $i" + fi + rm -f $i.log +done diff --git a/recipes-devtools/tcltk/tcl/tcl-add-soname.patch b/recipes-devtools/tcltk/tcl/tcl-add-soname.patch new file mode 100644 index 0000000..c4283c4 --- /dev/null +++ b/recipes-devtools/tcltk/tcl/tcl-add-soname.patch 
@@ -0,0 +1,32 @@ +Upstream-Status: Pending + +Index: unix/tcl.m4 +=================================================================== +--- a/unix.orig/tcl.m4 2013-09-19 13:17:13.000000000 -0700 ++++ b/unix/tcl.m4 2013-11-11 00:17:24.263485123 -0800 +@@ -1415,6 +1415,9 @@ + # get rid of the warnings. + #CFLAGS_OPTIMIZE="${CFLAGS_OPTIMIZE} -D__NO_STRING_INLINES -D__NO_MATH_INLINES" + ++ # following line added by CW for Debian GNU/Linux ++ TCL_SHLIB_LD_EXTRAS="-Wl,-soname,${TCL_LIB_FILE}.0" ++ + SHLIB_LD='${CC} ${CFLAGS} ${LDFLAGS} -shared' + DL_OBJS="tclLoadDl.o" + DL_LIBS="-ldl" +Index: unix/Makefile.in +=================================================================== +--- a/unix.orig/Makefile.in 2013-09-19 13:17:13.000000000 -0700 ++++ b/unix/Makefile.in 2013-11-11 00:20:32.423489861 -0800 +@@ -796,7 +796,10 @@ + done; + @echo "Installing $(LIB_FILE) to $(DLL_INSTALL_DIR)/" + @@INSTALL_LIB@ +- @chmod 555 "$(DLL_INSTALL_DIR)/$(LIB_FILE)" ++ mv "$(DLL_INSTALL_DIR)"/$(LIB_FILE) "$(DLL_INSTALL_DIR)"/$(LIB_FILE).0 ++ ln -sf $(LIB_FILE).0 "$(DLL_INSTALL_DIR)"/$(LIB_FILE) ++ ln -sf "$(DLL_INSTALL_DIR)"/$(LIB_FILE).0 ./ ++ @chmod 555 "$(DLL_INSTALL_DIR)"/$(LIB_FILE).0 + @echo "Installing ${TCL_EXE} as $(BIN_INSTALL_DIR)/tclsh$(VERSION)${EXE_SUFFIX}" + @$(INSTALL_PROGRAM) ${TCL_EXE} "$(BIN_INSTALL_DIR)/tclsh$(VERSION)${EXE_SUFFIX}" + @echo "Installing tclConfig.sh to $(CONFIG_INSTALL_DIR)/" diff --git a/recipes-devtools/tcltk/tcl/tcl-remove-hardcoded-install-path.patch b/recipes-devtools/tcltk/tcl/tcl-remove-hardcoded-install-path.patch new file mode 100644 index 0000000..99c5faf --- /dev/null +++ b/recipes-devtools/tcltk/tcl/tcl-remove-hardcoded-install-path.patch 
@@ -0,0 +1,32 @@ +From 6efc98774681795712073c2b91e5e9d1763239b8 Mon Sep 17 00:00:00 2001 +From: "Song.Li" Song.Li@windriver.com +Date: Wed, 1 Aug 2012 19:05:51 +0800 +Subject: [PATCH] tcl:install tcl to lib64 instead of lib on 64bit target + +Remove hardcoded library install path. Change $(prefix)/lib/ to ${libdir}. + +[YOCTO #2876] + +Upstream-Status: Pending + +Signed-off-by: Song.Li Song.Li@windriver.com +Signed-off-by: Kai Kang kai.kang@windriver.com +Signed-off-by: Yi Zhao yi.zhao@windriver.com +--- + configure | 2 +- + configure.in | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +Index: unix/configure.in +=================================================================== +--- a/unix.orig/configure.in 2013-11-10 23:20:50.000000000 -0800 ++++ b/unix/configure.in 2013-11-10 23:39:41.199428131 -0800 +@@ -790,7 +790,7 @@ + + eval "TCL_LIB_FILE=${TCL_LIB_FILE}" + +-test -z "$TCL_LIBRARY" && TCL_LIBRARY='$(prefix)/lib/tcl$(VERSION)' ++test -z "$TCL_LIBRARY" && TCL_LIBRARY='$(libdir)/tcl$(VERSION)' + PRIVATE_INCLUDE_DIR='$(includedir)' + HTML_DIR='$(DISTDIR)/html' +
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- recipes-extended/bzip2/bzip2-morello_1.0.8.bb | 72 ++++++++++++++++++ recipes-extended/bzip2/files/Makefile.am | 74 +++++++++++++++++++ recipes-extended/bzip2/files/configure.ac | 11 +++ recipes-extended/bzip2/files/run-ptest | 2 + 4 files changed, 159 insertions(+) create mode 100644 recipes-extended/bzip2/bzip2-morello_1.0.8.bb create mode 100644 recipes-extended/bzip2/files/Makefile.am create mode 100644 recipes-extended/bzip2/files/configure.ac create mode 100644 recipes-extended/bzip2/files/run-ptest
diff --git a/recipes-extended/bzip2/bzip2-morello_1.0.8.bb b/recipes-extended/bzip2/bzip2-morello_1.0.8.bb
new file mode 100644
index 0000000..f526263
--- /dev/null
+++ b/recipes-extended/bzip2/bzip2-morello_1.0.8.bb
@@ -0,0 +1,72 @@
+inherit autotools update-alternatives ptest relative_symlinks purecap-sysroot
+
+MORELLO_SRC = "poky/meta/recipes-extended/bzip2/bzip2_1.0.8.bb"
+
+SUMMARY = "Very high-quality data compression program - CHERI: sourced from poky/meta"
+DESCRIPTION = "bzip2 compresses files using the Burrows-Wheeler block-sorting text compression algorithm, and \
+Huffman coding. Compression is generally considerably better than that achieved by more conventional \
+LZ77/LZ78-based compressors, and approaches the performance of the PPM family of statistical compressors."
+HOMEPAGE = "https://sourceware.org/bzip2/"
+SECTION = "console/utils"
+LICENSE = "bzip2-1.0.6 & GPL-3.0-or-later & Apache-2.0 & MS-PL & BSD-3-Clause & Zlib"
+LICENSE:${PN} = "bzip2-1.0.6"
+LICENSE:${PN}-dev = "bzip2-1.0.6"
+LICENSE:${PN}-dbg = "bzip2-1.0.6"
+LICENSE:${PN}-doc = "bzip2-1.0.6"
+LICENSE:${PN}-src = "bzip2-1.0.6"
+LICENSE:libbz2 = "bzip2-1.0.6"
+LICENSE:${PN}-ptest = "bzip2-1.0.6 & GPL-3.0-or-later & Apache-2.0 & MS-PL & BSD-3-Clause & Zlib"
+
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+BPN_BZIP2 = "bzip2"
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=4;endline=37;md5=600af43c50f1fcb82e32f19b32df4664 \
+ file://${WORKDIR}/git/commons-compress/LICENSE.txt;md5=86d3f3a95c324c9479bd8986968f4327 \
+ file://${WORKDIR}/git/dotnetzip/License.txt;md5=9cb56871eed4e748c3bc7e8ff352a54f \
+ file://${WORKDIR}/git/dotnetzip/License.zlib.txt;md5=cc421ccd22eeb2e5db6b79e6de0a029f \
+ file://${WORKDIR}/git/go/LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707 \
+ file://${WORKDIR}/git/lbzip2/COPYING;md5=d32239bcb673463ab874e80d47fae504 \
+"
+
+SRC_URI = "https://sourceware.org/pub/%24%7BBPN_BZIP2%7D/%24%7BBPN_BZIP2%7D-%24%7BPV%7D... \
+ git://sourceware.org/git/bzip2-tests.git;name=bzip2-tests;branch=master \
+ file://configure.ac;subdir=${BPN_BZIP2}-${PV} \
+ file://Makefile.am;subdir=${BPN_BZIP2}-${PV} \
+ file://run-ptest \
+ "
+
+S = "${WORKDIR}/${BPN_BZIP2}-${PV}"
+
+SRC_URI[md5sum] = "67e051268d0c475ea773822f7500d0e5"
+SRC_URI[sha256sum] = "ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269"
+
+SRCREV_bzip2-tests = "f9061c030a25de5b6829e1abf373057309c734c0"
+
+UPSTREAM_CHECK_URI = "https://www.sourceware.org/pub/bzip2/"
+
+PACKAGES =+ "libbz2-morello"
+
+CFLAGS:append = " -fPIC -fpic -Winline -fno-strength-reduce -D_FILE_OFFSET_BITS=64"
+
+ALTERNATIVE_PRIORITY = "100"
+
+do_configure:prepend () {
+ sed -i -e "s|%BZIP2_VERSION%|${PV}|" ${S}/configure.ac
+}
+
+PTEST_PATH = "${libdir}/bzip2/ptest"
+
+do_install_ptest () {
+ install -d ${D}${PTEST_PATH}/bzip2-tests
+ cp -r ${WORKDIR}/git/commons-compress ${D}${PTEST_PATH}/bzip2-tests/commons-compress
+ cp -r ${WORKDIR}/git/dotnetzip ${D}${PTEST_PATH}/bzip2-tests/dotnetzip
+ cp -r ${WORKDIR}/git/go ${D}${PTEST_PATH}/bzip2-tests/go
+ cp -r ${WORKDIR}/git/lbzip2 ${D}${PTEST_PATH}/bzip2-tests/lbzip2
+ cp -r ${WORKDIR}/git/pyflate ${D}${PTEST_PATH}/bzip2-tests/pyflate
+ cp ${WORKDIR}/git/README ${D}${PTEST_PATH}/bzip2-tests/
+ cp ${WORKDIR}/git/run-tests.sh ${D}${PTEST_PATH}/bzip2-tests/
+ sed -i -e "s|^Makefile:|_Makefile:|" ${D}${PTEST_PATH}/Makefile
+}
+
+RDEPENDS:${PN}-ptest += "make bash"
\ No newline at end of file
diff --git a/recipes-extended/bzip2/files/Makefile.am b/recipes-extended/bzip2/files/Makefile.am
new file mode 100644
index 0000000..d12d3a4
--- /dev/null
+++ b/recipes-extended/bzip2/files/Makefile.am
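Review bot: As rendered, the first `SRC_URI` entry reads `https://sourceware.org/pub/%24%7BBPN_BZIP2%7D/%24%7BBPN_BZIP2%7D-%24%7BPV%7D...`, i.e. `${BPN_BZIP2}` and `${PV}` percent-encoded and the tail cut off; bitbake expands only the literal `${...}` form, so the encoded text would be passed through unexpanded — please confirm the committed line is the plain `https://sourceware.org/pub/${BPN_BZIP2}/${BPN_BZIP2}-${PV}.tar.gz` and that this is an artefact of the mail archive. `LICENSE:libbz2 = "bzip2-1.0.6"` names a package this recipe does not create — the split library package is `libbz2-morello` — and no `FILES:libbz2-morello` appears in the hunk, so unless `purecap-sysroot` supplies one the library package will be empty and the shared object stays in `${PN}`; rename the `LICENSE:` key and add the `FILES:` line. The test corpus is fetched over `git://sourceware.org/git/bzip2-tests.git`, an unauthenticated transport, so integrity rests on `SRCREV_bzip2-tests` being pinned to a full commit hash (it is here); adding `;protocol=https` would remove the dependence on the pin alone, if the server offers it.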
@@ -0,0 +1,74 @@ + +lib_LTLIBRARIES = libbz2.la +libbz2_la_LDFLAGS = -version-info 1:8:0 + +libbz2_la_SOURCES = blocksort.c \ + huffman.c \ + crctable.c \ + randtable.c \ + compress.c \ + decompress.c \ + bzlib.c + +bin_PROGRAMS = bzip2 bzip2recover + +bzip2_SOURCES = bzip2.c +bzip2_LDADD = libbz2.la +bzip2_DEPENDENCIES = libbz2.la + +include_HEADERS = bzlib.h + +bzip2recover_SOURCES = bzip2recover.c +bzip2recover_LDADD = libbz2.la +bzip2recover_DEPENDENCIES = libbz2.la + +bin_SCRIPTS = bzgrep bzmore bzdiff + +man_MANS = bzip2.1 bzgrep.1 bzmore.1 bzdiff.1 +EXTRA_DIST = $(man_MANS) + +runtest: + ./bzip2 -1 < sample1.ref > sample1.rb2 + ./bzip2 -2 < sample2.ref > sample2.rb2 + ./bzip2 -3 < sample3.ref > sample3.rb2 + ./bzip2 -d < sample1.bz2 > sample1.tst + ./bzip2 -d < sample2.bz2 > sample2.tst + ./bzip2 -ds < sample3.bz2 > sample3.tst + @if cmp sample1.bz2 sample1.rb2; then echo "PASS: sample1 compress";\ + else echo "FAIL: sample1 compress"; fi + @if cmp sample2.bz2 sample2.rb2; then echo "PASS: sample2 compress";\ + else echo "FAIL: sample2 compress"; fi + @if cmp sample3.bz2 sample3.rb2; then echo "PASS: sample3 compress";\ + else echo "FAIL: sample3 compress"; fi + @if cmp sample1.tst sample1.ref; then echo "PASS: sample1 decompress";\ + else echo "FAIL: sample1 decompress"; fi + @if cmp sample2.tst sample2.ref; then echo "PASS: sample2 decompress";\ + else echo "FAIL: sample2 decompress"; fi + @if cmp sample3.tst sample3.ref; then echo "PASS: sample3 decompress";\ + else echo "FAIL: sample3 decompress"; fi + ./bzip2-tests/run-tests.sh --without-valgrind --tests-dir="$(PWD)/bzip2-tests" + +install-ptest: + sed -n '/^runtest:/,/^install-ptest:/{/^install-ptest:/!p}' \ + $(srcdir)/Makefile.am > $(DESTDIR)/Makefile + cp $(srcdir)/sample1.ref $(DESTDIR)/ + cp $(srcdir)/sample2.ref $(DESTDIR)/ + cp $(srcdir)/sample3.ref $(DESTDIR)/ + cp $(srcdir)/sample1.bz2 $(DESTDIR)/ + cp $(srcdir)/sample2.bz2 $(DESTDIR)/ + cp $(srcdir)/sample3.bz2 $(DESTDIR)/ + ln -s 
$(bindir)/bzip2 $(DESTDIR)/bzip2 + +install-exec-hook: + ln -s $(bindir)/bzip2$(EXEEXT) $(DESTDIR)$(bindir)/bunzip2$(EXEEXT) + ln -s $(bindir)/bzip2$(EXEEXT) $(DESTDIR)$(bindir)/bzcat$(EXEEXT) + ln -s $(bindir)/bzgrep$(EXEEXT) $(DESTDIR)$(bindir)/bzegrep$(EXEEXT) + ln -s $(bindir)/bzgrep$(EXEEXT) $(DESTDIR)$(bindir)/bzfgrep$(EXEEXT) + ln -s $(bindir)/bzmore$(EXEEXT) $(DESTDIR)$(bindir)/bzless$(EXEEXT) + ln -s $(bindir)/bzdiff$(EXEEXT) $(DESTDIR)$(bindir)/bzcmp$(EXEEXT) + +install-data-hook: + echo ".so man1/bzgrep.1" > $(DESTDIR)$(mandir)/man1/bzegrep.1 + echo ".so man1/bzgrep.1" > $(DESTDIR)$(mandir)/man1/bzfgrep.1 + echo ".so man1/bzmore.1" > $(DESTDIR)$(mandir)/man1/bzless.1 + echo ".so man1/bzdiff.1" > $(DESTDIR)$(mandir)/man1/bzcmp.1 diff --git a/recipes-extended/bzip2/files/configure.ac b/recipes-extended/bzip2/files/configure.ac new file mode 100644 index 0000000..b8abade --- /dev/null +++ b/recipes-extended/bzip2/files/configure.ac @@ -0,0 +1,11 @@ +AC_PREREQ([2.57]) + +AC_INIT(bzip2, %BZIP2_VERSION%) +AM_INIT_AUTOMAKE(foreign) +AM_MAINTAINER_MODE + +AC_PROG_CC +AC_PROG_LIBTOOL + +AC_OUTPUT([Makefile]) + diff --git a/recipes-extended/bzip2/files/run-ptest b/recipes-extended/bzip2/files/run-ptest new file mode 100644 index 0000000..3b20fce --- /dev/null +++ b/recipes-extended/bzip2/files/run-ptest @@ -0,0 +1,2 @@ +#!/bin/sh +make -k runtest
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .../libidn2/libidn2-morello_2.3.2.bb | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 recipes-extended/libidn2/libidn2-morello_2.3.2.bb
diff --git a/recipes-extended/libidn2/libidn2-morello_2.3.2.bb b/recipes-extended/libidn2/libidn2-morello_2.3.2.bb
new file mode 100644
index 0000000..e821c63
--- /dev/null
+++ b/recipes-extended/libidn2/libidn2-morello_2.3.2.bb
@@ -0,0 +1,50 @@
+inherit pkgconfig autotools gettext texinfo gtk-doc lib_package purecap-sysroot
+
+MORELLO_SRC = "poky/meta/recipes-extended/libidn/libidn2_2.3.2.bb"
+
+SUMMARY = "Internationalized Domain Name support library"
+DESCRIPTION = "Implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names (IDN) working group."
+HOMEPAGE = "http://www.gnu.org/software/libidn/"
+SECTION = "libs"
+LICENSE = "(GPL-2.0-or-later | LGPL-3.0-only) & GPL-3.0-or-later & Unicode-DFS-2016"
+LIC_FILES_CHKSUM = "file://COPYING;md5=2d834ea7d480438ada04e5d846152395 \
+ file://COPYING.LESSERv3;md5=e6a600fd5e1d9cbde2d983680233ad02 \
+ file://COPYINGv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+ file://COPYING.unicode;md5=684cf5f7e3fded3546679424528261a9 \
+ file://src/idn2.c;endline=16;md5=e4b6d628a84a55f1fd8ae4c76c5f6509 \
+ file://lib/idn2.h.in;endline=27;md5=d0fc8ec628be130a1d5b889107e92477"
+
+SRC_URI = "${GNU_MIRROR}/libidn/libidn2-${PV}.tar.gz"
+SRC_URI[sha256sum] = "76940cd4e778e8093579a9d195b25fff5e936e9dc6242068528b437a76764f91"
+
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+S = "${WORKDIR}/libidn2-${PV}"
+
+DEPENDS = "virtual/libiconv libunistring-morello"
+
+
+EXTRA_OECONF += "--disable-rpath \
+ --with-libunistring-prefix=${STAGING_EXECPREFIXDIR} \
+ "
+
+do_install() {
+ install -d ${D}
+ oe_runmake DESTDIR=${D} install
+}
+
+do_install:append() {
+ # Need to remove any duplicate whitespace too for reproducibility
+ sed -i -e 's|-L${STAGING_DIR_TARGET}${libdir}||' -e 's/ */ /g' ${D}${libdir}/pkgconfig/libidn2.pc
+}
+
+do_install:append() {
+ rm -rf ${D}${datadir}/emacs
+}
+
+do_install:append() {
+ ${READELF_COMMAND} ${D}${libdir}/libidn2.so > ${D}${PURECAP_DEBUGDIR}/libidn2.so.readelf
+}
+
+LICENSE:${PN} = "(GPL-2.0-or-later | LGPL-3.0-only) & Unicode-DFS-2016"
+LICENSE:${PN}-bin = "GPL-3.0-or-later"
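Review bot: The third `do_install:append()` redirects readelf output into `${D}${PURECAP_DEBUGDIR}/libidn2.so.readelf` without creating that directory, so the task fails on the redirection unless purecap-sysroot.bbclass creates `${PURECAP_DEBUGDIR}` under `${D}` beforehand (the class is not in this hunk); an `install -d ${D}${PURECAP_DEBUGDIR}` before the redirect makes the recipe self-contained. The dump also lands inside `${D}`, i.e. it is packaged unless a FILES rule routes it to a debug package, which deserves a comment. Three separate `do_install:append()` blocks doing unrelated cleanups read better merged into one with a comment per step. `DEPENDS` mixes the purecap `libunistring-morello` with the unsuffixed `virtual/libiconv`; a note on which provider the purecap sysroot resolves that to would help the next reader.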
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- ...ow-for-storing-caps-in-shared-memory.patch | 30 +++++++++++++++ .../linux/files/0003-defconfig-modify.patch | 38 +++++++++++++++++++ recipes-kernel/linux/linux-morello_%.bbappend | 6 +++ 3 files changed, 74 insertions(+) create mode 100644 recipes-kernel/linux/cheri-patches/0001-mman-allow-for-storing-caps-in-shared-memory.patch create mode 100644 recipes-kernel/linux/files/0003-defconfig-modify.patch create mode 100644 recipes-kernel/linux/linux-morello_%.bbappend
diff --git a/recipes-kernel/linux/cheri-patches/0001-mman-allow-for-storing-caps-in-shared-memory.patch b/recipes-kernel/linux/cheri-patches/0001-mman-allow-for-storing-caps-in-shared-memory.patch
new file mode 100644
index 0000000..9a2d208
--- /dev/null
+++ b/recipes-kernel/linux/cheri-patches/0001-mman-allow-for-storing-caps-in-shared-memory.patch
@@ -0,0 +1,30 @@
+From c3c49bd74d4d0b8b30c25841ba1ccca3fd3fe6b5 Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Thu, 20 Apr 2023 15:32:50 +0100
+Subject: [PATCH] mman: allow for storing caps in shared memory
+
+This is a temporary hack to keep the work with postgresql
+going. It does require for sharing pointers in this way.
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ arch/arm64/include/asm/mman.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/mman.h b/arch/arm64/include/asm/mman.h
+index 39b1023ac9bc..ccea9fa3d3df 100644
+--- a/arch/arm64/include/asm/mman.h
++++ b/arch/arm64/include/asm/mman.h
+@@ -44,7 +44,8 @@ static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags)
+ * tags. Might need to explicitly allow or explicitly disallow certain
+ * filesystems.
+ */
+- if (system_supports_morello() && ((flags & MAP_TYPE) == 0x02 /* MAP_PRIVATE */))
++ if (system_supports_morello() && ((flags & MAP_TYPE) == 0x02
++ || (flags & MAP_TYPE) == 0x01 )) /* MAP_PRIVATE | MAP_SHARED */
+ ret |= VM_READ_CAPS | VM_WRITE_CAPS;
+
+ return ret;
+--
+2.34.1
+
diff --git a/recipes-kernel/linux/files/0003-defconfig-modify.patch b/recipes-kernel/linux/files/0003-defconfig-modify.patch
new file mode 100644
index 0000000..7b81a05
--- /dev/null
+++ b/recipes-kernel/linux/files/0003-defconfig-modify.patch
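Review bot: Granting VM_READ_CAPS | VM_WRITE_CAPS to every MAP_SHARED mapping removes the protection the retained comment describes: file-backed shared mappings on any filesystem can now hold tagged capabilities, so capabilities can cross process boundaries and be persisted, which the MAP_PRIVATE-only rule exists to prevent (the enclosing `arch_calc_vm_flag_bits` starts outside the hunk). If the postgresql use case only needs its anonymous shared-memory segments, limiting the new branch to mappings that also carry `MAP_ANONYMOUS` would keep the hack off file-backed mappings — worth confirming against how postgresql allocates its shared memory. The new condition also keeps raw `0x01`/`0x02` where `MAP_SHARED`/`MAP_PRIVATE` would read directly if the macros are visible here, and `MAP_SHARED_VALIDATE` (`0x03`) is neither covered nor mentioned in the comment. Since the message itself calls this a temporary hack, the patch should carry an `Upstream-Status: Inappropriate [...]` line; the same applies to the defconfig patch below and the libpcre cheri-patches later in the series, which oe-core's patch-status QA check otherwise warns about.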
@@ -0,0 +1,38 @@
+From 2c53215daa9c483f823a9313243347394f8c40ae Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Mon, 24 Apr 2023 10:11:21 +0100
+Subject: [PATCH] defconfig: modify
+
+Add more debug.
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ arch/arm64/configs/morello_transitional_pcuabi_defconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig
+index 515e50ce58aa..d19bbe4d1790 100644
+--- a/arch/arm64/configs/morello_transitional_pcuabi_defconfig
++++ b/arch/arm64/configs/morello_transitional_pcuabi_defconfig
+@@ -165,3 +165,18 @@ CONFIG_DEBUG_FS=y
+ # CONFIG_FTRACE is not set
+ CONFIG_CORESIGHT=y
+ CONFIG_MEMTEST=y
++
++CONFIG_FTRACE=y
++CONFIG_BOOTTIME_TRACING=y
++CONFIG_FUNCTION_TRACER=y
++CONFIG_STACK_TRACER=y
++CONFIG_IRQSOFF_TRACER=y
++CONFIG_PREEMPT_TRACER=y
++CONFIG_SCHED_TRACER=y
++CONFIG_HWLAT_TRACER=y
++CONFIG_OSNOISE_TRACER=y
++CONFIG_TIMERLAT_TRACER=y
++CONFIG_ENABLE_DEFAULT_TRACERS=y
++CONFIG_FTRACE_SYSCALLS=y
++CONFIG_TRACER_SNAPSHOT=y
++CONFIG_DYNAMIC_DEBUG=y
+--
+2.34.1
+
diff --git a/recipes-kernel/linux/linux-morello_%.bbappend b/recipes-kernel/linux/linux-morello_%.bbappend
new file mode 100644
index 0000000..9c0d986
--- /dev/null
+++ b/recipes-kernel/linux/linux-morello_%.bbappend
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}:${THISDIR}/cheri-patches:"
+
+SRC_URI += "\
+ file://0001-mman-allow-for-storing-caps-in-shared-memory.patch \
+ file://files/0003-defconfig-modify.patch \
+ "
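Review bot: `CONFIG_FTRACE=y` is appended two lines below the retained context line `# CONFIG_FTRACE is not set`, leaving the defconfig self-contradictory; Kconfig takes the later assignment (with a warning) but the patch should change the existing line rather than add a competing one. The embedded diffstat says `2 insertions(+)` while the hunk adds 15 lines and its header reads `+165,18`, which suggests the patch was edited by hand after `git format-patch`; regenerating it avoids a misleading record. Enabling FUNCTION_TRACER, FTRACE_SYSCALLS and DYNAMIC_DEBUG in the shared defconfig affects every kernel the layer builds, not only the debug kas targets, so if non-debug images exist this belongs in a separate config fragment.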
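Review bot: The two patches are referenced inconsistently in `SRC_URI`: `file://0001-mman-allow-for-storing-caps-in-shared-memory.patch` relies on the `${THISDIR}/cheri-patches` entry added to FILESEXTRAPATHS, while `file://files/0003-defconfig-modify.patch` spells an explicit `files/` prefix although `${THISDIR}/files` is already on the default search path. `file://0003-defconfig-modify.patch` resolves the same way and keeps both entries in one style. The numbering jump from 0001 to 0003 with no 0002 in the diffstat is worth a comment if intentional.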
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- ....c-patch-out-tests-that-require-a-wo.patch | 37 +++++++++ ...ncrease-default-timeval-tolerance-50.patch | 33 ++++++++ ...-monotonic_prc_fallback-as-retriable.patch | 28 +++++++ ...ts-are-marked-failed-only-when-all-a.patch | 81 +++++++++++++++++++ .../files/Makefile-missing-test-dir.patch | 27 +++++++ recipes-support/libevent/files/run-ptest | 29 +++++++ .../libevent/libevent-morello_2.1.12.bb | 64 +++++++++++++++ 7 files changed, 299 insertions(+) create mode 100644 recipes-support/libevent/files/0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch create mode 100644 recipes-support/libevent/files/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch create mode 100644 recipes-support/libevent/files/0003-test-mark-util-monotonic_prc_fallback-as-retriable.patch create mode 100644 recipes-support/libevent/files/0004-test-retriable-tests-are-marked-failed-only-when-all-a.patch create mode 100644 recipes-support/libevent/files/Makefile-missing-test-dir.patch create mode 100644 recipes-support/libevent/files/run-ptest create mode 100644 recipes-support/libevent/libevent-morello_2.1.12.bb
diff --git a/recipes-support/libevent/files/0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch b/recipes-support/libevent/files/0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch
new file mode 100644
index 0000000..505153d
--- /dev/null
+++ b/recipes-support/libevent/files/0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch
@@ -0,0 +1,37 @@ +From 7c17967b8fd2d18b74a8934fd9bb8212ebd6a271 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin alex.kanavin@gmail.com +Date: Thu, 9 Jan 2020 13:22:46 +0100 +Subject: [PATCH] test/regress_dns.c: patch out tests that require a working + DNS + +This is not guaranteed for ptests under qemu, and in the absence +of a DNS that can reach to the internet, these tests fail. + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin alex.kanavin@gmail.com +--- + test/regress_dns.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/test/regress_dns.c b/test/regress_dns.c +index d2084b7..a1a8f3b 100644 +--- a/test/regress_dns.c ++++ b/test/regress_dns.c +@@ -2394,8 +2394,6 @@ struct testcase_t dns_testcases[] = { + { "reissue_disable_when_inactive", dns_reissue_disable_when_inactive_test, + TT_FORK|TT_NEED_BASE|TT_NO_LOGS, &basic_setup, NULL }, + { "inflight", dns_inflight_test, TT_FORK|TT_NEED_BASE, &basic_setup, NULL }, +- { "bufferevent_connect_hostname", test_bufferevent_connect_hostname, +- TT_FORK|TT_NEED_BASE, &basic_setup, NULL }, + #ifdef EVENT__HAVE_SETRLIMIT + { "bufferevent_connect_hostname_emfile", test_bufferevent_connect_hostname, + TT_FORK|TT_NEED_BASE, &basic_setup, (char*)"emfile" }, +@@ -2405,8 +2403,6 @@ struct testcase_t dns_testcases[] = { + { "disable_when_inactive_no_ns", dns_disable_when_inactive_no_ns_test, + TT_FORK|TT_NEED_BASE|TT_NO_LOGS, &basic_setup, NULL }, + +- { "initialize_nameservers", dns_initialize_nameservers_test, +- TT_FORK|TT_NEED_BASE, &basic_setup, NULL }, + #ifndef _WIN32 + { "nameservers_no_default", dns_nameservers_no_default_test, + TT_FORK|TT_NEED_BASE, &basic_setup, NULL }, diff --git a/recipes-support/libevent/files/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch b/recipes-support/libevent/files/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch new file mode 100644 index 0000000..0b20eda --- /dev/null 
+++ b/recipes-support/libevent/files/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch @@ -0,0 +1,33 @@ +From dff8fd27edb23bc1486809186c6a4fe1f75f2179 Mon Sep 17 00:00:00 2001 +From: Yi Fan Yu yifan.yu@windriver.com +Date: Thu, 22 Apr 2021 22:35:59 -0400 +Subject: [PATCH] test/regress.h: Increase default timeval tolerance 50 ms -> + 100 ms + +The default timeout tolerance is 50 ms, +which causes intermittent failure in many the +related tests in arm64 QEMU. + +See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14163 +(The root cause seems to be a heavy load) + +Upstream-Status: Submitted [https://github.com/libevent/libevent/pull/1157] + +Signed-off-by: Yi Fan Yu yifan.yu@windriver.com +--- + test/regress.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/regress.h b/test/regress.h +index f06a7669..829af4a7 100644 +--- a/test/regress.h ++++ b/test/regress.h +@@ -127,7 +127,7 @@ int test_ai_eq_(const struct evutil_addrinfo *ai, const char *sockaddr_port, + tt_int_op(labs(timeval_msec_diff((tv1), (tv2)) - diff), <=, tolerance) + + #define test_timeval_diff_eq(tv1, tv2, diff) \ +- test_timeval_diff_leq((tv1), (tv2), (diff), 50) ++ test_timeval_diff_leq((tv1), (tv2), (diff), 100) + + long timeval_msec_diff(const struct timeval *start, const struct timeval *end); + diff --git a/recipes-support/libevent/files/0003-test-mark-util-monotonic_prc_fallback-as-retriable.patch b/recipes-support/libevent/files/0003-test-mark-util-monotonic_prc_fallback-as-retriable.patch new file mode 100644 index 0000000..ddc19c4 --- /dev/null +++ b/recipes-support/libevent/files/0003-test-mark-util-monotonic_prc_fallback-as-retriable.patch 
@@ -0,0 +1,28 @@ +From d01a57a998798da977c470f3b8d6a457c1adb144 Mon Sep 17 00:00:00 2001 +From: Azat Khuzhin azat@libevent.org +Date: Sun, 19 Sep 2021 00:57:31 +0300 +Subject: [PATCH] test: mark util/monotonic_prc_fallback as retriable + +Refs: #1193 + +Upstream-Status: Backport +--- + test/regress_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/regress_util.c b/test/regress_util.c +index 45caa2700a40..a9e80db20149 100644 +--- a/test/regress_util.c ++++ b/test/regress_util.c +@@ -1672,7 +1672,7 @@ struct testcase_t util_testcases[] = { + { "monotonic_res_fallback", test_evutil_monotonic_res, TT_OFF_BY_DEFAULT, &basic_setup, (void*)"fallback" }, + { "monotonic_prc", test_evutil_monotonic_prc, 0, &basic_setup, (void*)"" }, + { "monotonic_prc_precise", test_evutil_monotonic_prc, TT_RETRIABLE, &basic_setup, (void*)"precise" }, +- { "monotonic_prc_fallback", test_evutil_monotonic_prc, 0, &basic_setup, (void*)"fallback" }, ++ { "monotonic_prc_fallback", test_evutil_monotonic_prc, TT_RETRIABLE, &basic_setup, (void*)"fallback" }, + { "date_rfc1123", test_evutil_date_rfc1123, 0, NULL, NULL }, + { "evutil_v4addr_is_local", test_evutil_v4addr_is_local, 0, NULL, NULL }, + { "evutil_v6addr_is_local", test_evutil_v6addr_is_local, 0, NULL, NULL }, +-- +2.31.1 + diff --git a/recipes-support/libevent/files/0004-test-retriable-tests-are-marked-failed-only-when-all-a.patch b/recipes-support/libevent/files/0004-test-retriable-tests-are-marked-failed-only-when-all-a.patch new file mode 100644 index 0000000..ea17e87 --- /dev/null +++ b/recipes-support/libevent/files/0004-test-retriable-tests-are-marked-failed-only-when-all-a.patch 
@@ -0,0 +1,81 @@ +From 36ebd92fa53c0097f1e2f9ec5aa5b5c6ec1b411d Mon Sep 17 00:00:00 2001 +From: Thomas Perrot thomas.perrot@bootlin.com +Date: Wed, 29 Sep 2021 13:50:35 +0200 +Subject: [PATCH] test: retriable tests are marked failed only when all + attempts have failed + +Fixes: #1193 + +Upstream-Status: Accepted + +Signed-off-by: Thomas Perrot thomas.perrot@bootlin.com +--- + test/tinytest.c | 13 ++++++------- + test/tinytest.h | 2 +- + 2 files changed, 7 insertions(+), 8 deletions(-) + +diff --git a/test/tinytest.c b/test/tinytest.c +index 85dfe74a720e..bf2882418eb6 100644 +--- a/test/tinytest.c ++++ b/test/tinytest.c +@@ -310,7 +310,8 @@ testcase_run_forked_(const struct testgroup_t *group, + + int + testcase_run_one(const struct testgroup_t *group, +- const struct testcase_t *testcase) ++ const struct testcase_t *testcase, ++ const int test_attempts) + { + enum outcome outcome; + +@@ -348,7 +349,7 @@ testcase_run_one(const struct testgroup_t *group, + if (opt_verbosity>0 && !opt_forked) + puts("SKIPPED"); + } else { +- if (!opt_forked) ++ if (!opt_forked && (testcase->flags & TT_RETRIABLE) && !test_attempts) + printf("\n [%s FAILED]\n", testcase->name); + } + +@@ -525,22 +526,20 @@ tinytest_main(int c, const char **v, struct testgroup_t *groups) + struct testgroup_t *group = &groups[i]; + for (j = 0; group->cases[j].name; ++j) { + struct testcase_t *testcase = &group->cases[j]; +- int test_attempts = 3; ++ int test_attempts = (testcase->flags & TT_RETRIABLE) ? 
3: 1; + int test_ret_err; + + if (!(testcase->flags & TT_ENABLED_)) + continue; + + for (;;) { +- test_ret_err = testcase_run_one(group, testcase); ++ test_ret_err = testcase_run_one(group, testcase, test_attempts); + + if (test_ret_err == OK) + break; +- if (!(testcase->flags & TT_RETRIABLE)) ++ if (!--test_attempts) + break; + printf("\n [RETRYING %s (%i)]\n", testcase->name, test_attempts); +- if (!test_attempts--) +- break; + } + + switch (test_ret_err) { +diff --git a/test/tinytest.h b/test/tinytest.h +index d321dd467542..c276b5339331 100644 +--- a/test/tinytest.h ++++ b/test/tinytest.h +@@ -92,7 +92,7 @@ char *tinytest_format_hex_(const void *, unsigned long); + tinytest_set_flag_(groups, named, 1, TT_SKIP) + + /** Run a single testcase in a single group. */ +-int testcase_run_one(const struct testgroup_t *,const struct testcase_t *); ++int testcase_run_one(const struct testgroup_t *,const struct testcase_t *, const int test_attempts); + + void tinytest_set_aliases(const struct testlist_alias_t *aliases); + +-- +2.31.1 + diff --git a/recipes-support/libevent/files/Makefile-missing-test-dir.patch b/recipes-support/libevent/files/Makefile-missing-test-dir.patch new file mode 100644 index 0000000..8880bd0 --- /dev/null +++ b/recipes-support/libevent/files/Makefile-missing-test-dir.patch 
@@ -0,0 +1,27 @@ +Fix missing test directory creation. + +GCC used in OE-core has "dependency tracking" disabled and +libevent has problem with this. +Due to removed makefile.am/in files in test/sample/include +directories, output directories are not created in +configuration step. Compilation step will fails, when +trying to write to non-existing directory. + +Upstream-Status: Inappropriate [Other] +Workaround specific to our build system. + +Signed-off-by: Andrej Valek andrej.valek@siemens.com +Signed-off-by: Pascal Bach pascal.bach@siemens.com + +diff --git a/libevent-2.1.8-stable/test/include.am b/libevent-2.1.8-stable/test/include.am +index eea249f..d323dff 100644 +--- a/test/include.am ++++ b/test/include.am +@@ -161,6 +161,7 @@ test_bench_httpclient_LDADD = $(LIBEVENT_GC_SECTIONS) libevent_core.la + test/regress.gen.c test/regress.gen.h: test/rpcgen-attempted + + test/rpcgen-attempted: test/regress.rpc event_rpcgen.py test/rpcgen_wrapper.sh ++ @$(MKDIR_P) test + $(AM_V_GEN)date -u > $@ + $(AM_V_at)if $(srcdir)/test/rpcgen_wrapper.sh $(srcdir)/test; then \ + true; \ diff --git a/recipes-support/libevent/files/run-ptest b/recipes-support/libevent/files/run-ptest new file mode 100644 index 0000000..ef4260d --- /dev/null +++ b/recipes-support/libevent/files/run-ptest 
@@ -0,0 +1,29 @@ +#!/bin/sh + +# run-ptest - 'ptest' test infrastructure shell script that +# wraps the libevent test scripts +# +# Trevor Gamblin trevor.gamblin@windriver.com +############################################################### +LIBEVENTLIB=@libdir@/libevent +LOG="${LIBEVENTLIB}/ptest/libevent_ptest_$(date +%Y%m%d-%H%M%S).log" + +cd ${LIBEVENTLIB}/ptest + +# Run only the libevent "regress" test. All other test scripts in the +# libevent "test" folder are related to performance, e.g. read/write +# rates, and/or do not provide a pass/fail output that can be recorded +# in the ptest log. +./test/regress 2>&1| sed -e '/TESTS/d' -e '/tests/d' -e '/OK/ s/^/PASS: / ; /FAILED/ s/^/FAIL: / ; /SKIPPED/ s/^/SKIP: / ; /DISABLED/ s/^/SKIP: /' | cut -f1,2 -d ':' | tee -a ${LOG} + +passed=`grep PASS: ${LOG}|wc -l` +failed=`grep FAIL: ${LOG}|wc -l` +skipped=`grep -E SKIP: ${LOG}|wc -l` +all=$((passed + failed + skipped)) + +( echo "=== Test Summary ===" + echo "TOTAL: ${all}" + echo "PASSED: ${passed}" + echo "FAILED: ${failed}" + echo "SKIPPED: ${skipped}" +) | tee -a ${LOG} diff --git a/recipes-support/libevent/libevent-morello_2.1.12.bb b/recipes-support/libevent/libevent-morello_2.1.12.bb new file mode 100644 index 0000000..fa5e5ff --- /dev/null +++ b/recipes-support/libevent/libevent-morello_2.1.12.bb 
@@ -0,0 +1,64 @@
+inherit autotools ptest purecap-sysroot
+
+MORELLO_SRC = "poky/meta/recipes-support/libevent/libevent_2.1.12.bb"
+
+SUMMARY = "An asynchronous event notification library"
+DESCRIPTION = "A software library that provides asynchronous event \
+notification. The libevent API provides a mechanism to execute a callback \
+function when a specific event occurs on a file descriptor or after a \
+timeout has been reached. libevent also supports callbacks triggered \
+by signals and regular timeouts"
+HOMEPAGE = "http://libevent.org/"
+BUGTRACKER = "https://github.com/libevent/libevent/issues"
+SECTION = "libs"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/patches:"
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+LICENSE = "BSD-3-Clause & MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=17f20574c0b154d12236d5fbe964f549"
+
+SRC_URI = "https://github.com/libevent/libevent/releases/download/release-%24%7BPV%7D-s... \
+ file://Makefile-missing-test-dir.patch \
+ file://run-ptest \
+ file://0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch \
+ file://0002-test-regress.h-Increase-default-timeval-tolerance-50.patch \
+ file://0003-test-mark-util-monotonic_prc_fallback-as-retriable.patch \
+ file://0004-test-retriable-tests-are-marked-failed-only-when-all-a.patch \
+ "
+
+SRC_URI[sha256sum] = "92e6de1be9ec176428fd2367677e61ceffc2ee1cb119035037a27d346b0403bb"
+
+UPSTREAM_CHECK_URI = "http://libevent.org/"
+
+S = "${WORKDIR}/libevent-${PV}-stable"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl-morello"
+
+# Needed for Debian packaging
+LEAD_SONAME = "libevent-2.1.so"
+
+PACKAGES_DYNAMIC = "^${PN}-.*$"
+python split_libevent_libs () {
+ do_split_packages(d, '${libdir}', r'^libevent_([a-z]*)-.*.so..*', 'libevent-%s', '${SUMMARY} (%s)', prepend=True, allow_links=True)
+}
+PACKAGESPLITFUNCS:prepend = "split_libevent_libs "
+
+PTEST_PATH = "${libdir}/libevent/ptest"
+
+do_install:append() {
+ rm ${D}${bindir}/event_rpcgen.py
+ rmdir ${D}${bindir}
+}
+
+do_install_ptest() {
+ install -d ${D}${PTEST_PATH}/test
+ for file in ${B}/test/.libs/regress ${B}/test/.libs/test*
+ do
+ install -m 0755 $file ${D}${PTEST_PATH}/test
+ done
+
+ # handle multilib
+ sed -i s:@libdir@:${libdir}:g ${D}${PTEST_PATH}/run-ptest
+}
\ No newline at end of file
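Review bot: `PACKAGES_DYNAMIC = "^${PN}-.*$"` expands to `^libevent-morello-.*$`, but `split_libevent_libs` still names its packages with the pattern `libevent-%s`, so the generated `libevent-core`, `libevent-extra` and friends neither match the dynamic-package declaration nor differ from the packages poky's own libevent recipe produces; two recipes emitting identical package names collide in the feed and any RDEPENDS on them resolves to whichever recipe bitbake attributes them to. Using `'${PN}-%s'` in the `do_split_packages` call keeps the purecap packages distinct, unless purecap-sysroot.bbclass already renames packages (the class is not in this hunk). `FILESEXTRAPATHS:prepend := "${THISDIR}/patches:"` points at a directory this commit does not create — the diffstat places every file under `recipes-support/libevent/files/`, which is on the default search path — so the line is dead and misleading and should be dropped or pointed at the real directory.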
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- ...01-pcre_jit_compile-cheri-provenance.patch | 89 +++++++++ ...2-sljitNativeARM_64-cheri-provenance.patch | 61 ++++++ .../0003-sljitUtils-cheri-provenance.patch | 39 ++++ recipes-support/libpcre/files/Makefile | 183 ++++++++++++++++++ recipes-support/libpcre/files/run-ptest | 3 + .../libpcre/libpcre-morello_8.45.bb | 91 +++++++++ 6 files changed, 466 insertions(+) create mode 100644 recipes-support/libpcre/cheri-patches/0001-pcre_jit_compile-cheri-provenance.patch create mode 100644 recipes-support/libpcre/cheri-patches/0002-sljitNativeARM_64-cheri-provenance.patch create mode 100644 recipes-support/libpcre/cheri-patches/0003-sljitUtils-cheri-provenance.patch create mode 100644 recipes-support/libpcre/files/Makefile create mode 100644 recipes-support/libpcre/files/run-ptest create mode 100644 recipes-support/libpcre/libpcre-morello_8.45.bb
diff --git a/recipes-support/libpcre/cheri-patches/0001-pcre_jit_compile-cheri-provenance.patch b/recipes-support/libpcre/cheri-patches/0001-pcre_jit_compile-cheri-provenance.patch
new file mode 100644
index 0000000..7677c0e
--- /dev/null
+++ b/recipes-support/libpcre/cheri-patches/0001-pcre_jit_compile-cheri-provenance.patch
@@ -0,0 +1,89 @@ +From 69e5f4de49027e37d3a232cfc9ec882038091a13 Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Thu, 9 Nov 2023 11:50:36 +0000 +Subject: [PATCH 1/3] pcre_jit_compile: cheri provenance + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + pcre_jit_compile.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/pcre_jit_compile.c b/pcre_jit_compile.c +index 4dcf8fc..b7b2cbc 100644 +--- a/pcre_jit_compile.c ++++ b/pcre_jit_compile.c +@@ -2486,7 +2486,7 @@ while (current != NULL) + break; + + case type_mark: +- if (STRCMP_UC_UC(skip_arg, (pcre_uchar *)current[2]) == 0) ++ if (STRCMP_UC_UC(skip_arg, (pcre_uchar *)(uintptr_t)current[2]) == 0) + return current[3]; + break; + +@@ -2495,7 +2495,7 @@ while (current != NULL) + break; + } + SLJIT_ASSERT(current[0] == 0 || current < (sljit_sw*)current[0]); +- current = (sljit_sw*)current[0]; ++ current = (sljit_sw*)(uintptr_t)current[0]; + } + return 0; + } +@@ -3683,7 +3683,7 @@ while (TRUE) + + case OP_DIGIT: + #if defined SUPPORT_UTF && defined COMPILE_PCRE8 +- if (common->utf && !is_char7_bitset((const sljit_u8 *)common->ctypes - cbit_length + cbit_digit, FALSE)) ++ if (common->utf && !is_char7_bitset((const sljit_u8 *)(uintptr_t)(common->ctypes - cbit_length + cbit_digit), FALSE)) + return consumed; + #endif + any = TRUE; +@@ -3692,7 +3692,7 @@ while (TRUE) + + case OP_WHITESPACE: + #if defined SUPPORT_UTF && defined COMPILE_PCRE8 +- if (common->utf && !is_char7_bitset((const sljit_u8 *)common->ctypes - cbit_length + cbit_space, FALSE)) ++ if (common->utf && !is_char7_bitset((const sljit_u8 *)(uintptr_t)(common->ctypes - cbit_length + cbit_space), FALSE)) + return consumed; + #endif + any = TRUE; +@@ -3701,7 +3701,7 @@ while (TRUE) + + case OP_WORDCHAR: + #if defined SUPPORT_UTF && defined COMPILE_PCRE8 +- if (common->utf && !is_char7_bitset((const sljit_u8 *)common->ctypes - cbit_length + cbit_word, FALSE)) ++ if 
(common->utf && !is_char7_bitset((const sljit_u8 *)(uintptr_t)(common->ctypes - cbit_length + cbit_word), FALSE)) + return consumed; + #endif + any = TRUE; +@@ -6422,7 +6422,7 @@ switch(type) + if (check_str_ptr) + detect_partial_match(common, backtracks); + #if defined SUPPORT_UTF && defined COMPILE_PCRE8 +- if (common->utf && is_char7_bitset((const sljit_u8 *)common->ctypes - cbit_length + cbit_digit, FALSE)) ++ if (common->utf && is_char7_bitset((const sljit_u8 *)(uintptr_t)(common->ctypes - cbit_length + cbit_digit), FALSE)) + read_char7_type(common, type == OP_NOT_DIGIT); + else + #endif +@@ -6437,7 +6437,7 @@ switch(type) + if (check_str_ptr) + detect_partial_match(common, backtracks); + #if defined SUPPORT_UTF && defined COMPILE_PCRE8 +- if (common->utf && is_char7_bitset((const sljit_u8 *)common->ctypes - cbit_length + cbit_space, FALSE)) ++ if (common->utf && is_char7_bitset((const sljit_u8 *)(uintptr_t)(common->ctypes - cbit_length + cbit_space), FALSE)) + read_char7_type(common, type == OP_NOT_WHITESPACE); + else + #endif +@@ -6451,7 +6451,7 @@ switch(type) + if (check_str_ptr) + detect_partial_match(common, backtracks); + #if defined SUPPORT_UTF && defined COMPILE_PCRE8 +- if (common->utf && is_char7_bitset((const sljit_u8 *)common->ctypes - cbit_length + cbit_word, FALSE)) ++ if (common->utf && is_char7_bitset((const sljit_u8 *)(uintptr_t)(common->ctypes - cbit_length + cbit_word), FALSE)) + read_char7_type(common, type == OP_NOT_WORDCHAR); + else + #endif +-- +2.34.1 + diff --git a/recipes-support/libpcre/cheri-patches/0002-sljitNativeARM_64-cheri-provenance.patch b/recipes-support/libpcre/cheri-patches/0002-sljitNativeARM_64-cheri-provenance.patch new file mode 100644 index 0000000..9c0880c --- /dev/null +++ b/recipes-support/libpcre/cheri-patches/0002-sljitNativeARM_64-cheri-provenance.patch 
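Review bot: The `(uintptr_t)` casts silence the int-to-pointer diagnostic but do not by themselves restore provenance: `current[0]`/`current[2]` are `sljit_sw` slots here, and `jump->addr`/`put_label->addr` in the 0002 patch are `sljit_uw`, so if those remain 64-bit integer types in this build the capability tag was already lost when the pointer was stored, and the pointer rebuilt here is untagged and faults on first dereference (e.g. the `buf_ptr[0] |= ...` writes in `sljit_generate_code`) under purecap. Unless sljit's `sljit_sw`/`sljit_uw` are redefined as `intptr_t`/`uintptr_t` elsewhere in the series, or the recipe builds with JIT disabled (the .bb is not in this chunk), the patch needs a comment stating which of these holds, and a pcretest run with JIT enabled would confirm it. This patch and 0003 use `uintptr_t` without the `#include <stdint.h>` that 0002 adds to sljitNativeARM_64.c; it presumably compiles because pcre_internal.h already pulls the header in, but that dependency should be stated. The commit body is empty; one sentence on why the casts are needed and what they change at run time would make the intent reviewable.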
@@ -0,0 +1,61 @@ +From b6c4c1121f09698ff8bc5c491898aeda33b449c8 Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Thu, 9 Nov 2023 11:50:55 +0000 +Subject: [PATCH 2/3] sljitNativeARM_64: cheri provenance + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + sljit/sljitNativeARM_64.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/sljit/sljitNativeARM_64.c b/sljit/sljitNativeARM_64.c +index e15b345..6d450f1 100644 +--- a/sljit/sljitNativeARM_64.c ++++ b/sljit/sljitNativeARM_64.c +@@ -24,6 +24,7 @@ + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + ++#include <stdint.h> + SLJIT_API_FUNC_ATTRIBUTE const char* sljit_get_platform_name(void) + { + return "ARM-64" SLJIT_CPUINFO; +@@ -324,7 +325,7 @@ SLJIT_API_FUNC_ATTRIBUTE void* sljit_generate_code(struct sljit_compiler *compil + while (jump) { + do { + addr = (jump->flags & JUMP_LABEL) ? jump->u.label->addr : jump->u.target; +- buf_ptr = (sljit_ins *)jump->addr; ++ buf_ptr = (sljit_ins *)(uintptr_t)jump->addr; + + if (jump->flags & PATCH_B) { + addr = (sljit_sw)(addr - (sljit_uw)SLJIT_ADD_EXEC_OFFSET(buf_ptr, executable_offset)) >> 2; +@@ -358,7 +359,7 @@ SLJIT_API_FUNC_ATTRIBUTE void* sljit_generate_code(struct sljit_compiler *compil + put_label = compiler->put_labels; + while (put_label) { + addr = put_label->label->addr; +- buf_ptr = (sljit_ins *)put_label->addr; ++ buf_ptr = (sljit_ins *)(uintptr_t)put_label->addr; + + buf_ptr[0] |= (addr & 0xffff) << 5; + buf_ptr[1] |= ((addr >> 16) & 0xffff) << 5; +@@ -2020,7 +2021,7 @@ SLJIT_API_FUNC_ATTRIBUTE struct sljit_put_label* sljit_emit_put_label(struct slj + + SLJIT_API_FUNC_ATTRIBUTE void sljit_set_jump_addr(sljit_uw addr, sljit_uw new_target, sljit_sw executable_offset) + { +- sljit_ins* inst = (sljit_ins*)addr; ++ sljit_ins* inst = (sljit_ins*)(uintptr_t)addr; + modify_imm64_const(inst, new_target); + inst = (sljit_ins 
*)SLJIT_ADD_EXEC_OFFSET(inst, executable_offset); + SLJIT_CACHE_FLUSH(inst, inst + 4); +@@ -2028,7 +2029,7 @@ SLJIT_API_FUNC_ATTRIBUTE void sljit_set_jump_addr(sljit_uw addr, sljit_uw new_ta + + SLJIT_API_FUNC_ATTRIBUTE void sljit_set_const(sljit_uw addr, sljit_sw new_constant, sljit_sw executable_offset) + { +- sljit_ins* inst = (sljit_ins*)addr; ++ sljit_ins* inst = (sljit_ins*)(uintptr_t)addr; + modify_imm64_const(inst, new_constant); + inst = (sljit_ins *)SLJIT_ADD_EXEC_OFFSET(inst, executable_offset); + SLJIT_CACHE_FLUSH(inst, inst + 4); +-- +2.34.1 + diff --git a/recipes-support/libpcre/cheri-patches/0003-sljitUtils-cheri-provenance.patch b/recipes-support/libpcre/cheri-patches/0003-sljitUtils-cheri-provenance.patch new file mode 100644 index 0000000..5fb8b5c --- /dev/null +++ b/recipes-support/libpcre/cheri-patches/0003-sljitUtils-cheri-provenance.patch 
@@ -0,0 +1,39 @@ +From ac44bb2ccdf9c926c2a217e1002f5c4a49c549a8 Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Thu, 9 Nov 2023 14:07:09 +0000 +Subject: [PATCH 3/3] sljitUtils: cheri provenance + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + sljit/sljitUtils.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sljit/sljitUtils.c b/sljit/sljitUtils.c +index 857492a..094cb5a 100644 +--- a/sljit/sljitUtils.c ++++ b/sljit/sljitUtils.c +@@ -312,7 +312,7 @@ SLJIT_API_FUNC_ATTRIBUTE sljit_u8 *SLJIT_FUNC sljit_stack_resize(struct sljit_st + return NULL; + } + else { +- if (!VirtualFree((void*)aligned_old_start, aligned_new_start - aligned_old_start, MEM_DECOMMIT)) ++ if (!VirtualFree((void*)(uintptr_t)aligned_old_start, aligned_new_start - aligned_old_start, MEM_DECOMMIT)) + return NULL; + } + } +@@ -323,10 +323,10 @@ SLJIT_API_FUNC_ATTRIBUTE sljit_u8 *SLJIT_FUNC sljit_stack_resize(struct sljit_st + /* If madvise is available, we release the unnecessary space. */ + #if defined(MADV_DONTNEED) + if (aligned_new_start > aligned_old_start) +- madvise((void*)aligned_old_start, aligned_new_start - aligned_old_start, MADV_DONTNEED); ++ madvise((void*)(uintptr_t)aligned_old_start, aligned_new_start - aligned_old_start, MADV_DONTNEED); + #elif defined(POSIX_MADV_DONTNEED) + if (aligned_new_start > aligned_old_start) +- posix_madvise((void*)aligned_old_start, aligned_new_start - aligned_old_start, POSIX_MADV_DONTNEED); ++ posix_madvise((void*)(uintptr_t)aligned_old_start, aligned_new_start - aligned_old_start, POSIX_MADV_DONTNEED); + #endif + } + #endif +-- +2.34.1 + diff --git a/recipes-support/libpcre/files/Makefile b/recipes-support/libpcre/files/Makefile new file mode 100644 index 0000000..708d807 --- /dev/null +++ b/recipes-support/libpcre/files/Makefile 
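Review bot: The `(void*)(uintptr_t)aligned_old_start` casts in sljit_stack_resize make the madvise()/posix_madvise()/VirtualFree() calls compile, but if `aligned_old_start` is an integer computed from the stack pointer the resulting capability is untagged and the kernel rejects it; because the madvise return value is discarded here, that failure is silent and the trimmed stack pages are simply never released. In the purecap build the return should at least be observed, e.g. `if (madvise((void*)(uintptr_t)aligned_old_start, aligned_new_start - aligned_old_start, MADV_DONTNEED) != 0) SLJIT_ASSERT(0);`, or better, `aligned_old_start` should be kept as a capability-derived `uintptr_t` so no integer round-trip occurs. sljit_stack_resize begins and ends outside the hunk, so how `aligned_old_start` is derived is not visible here and should be confirmed.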
@@ -0,0 +1,183 @@ +TESTS = pcre_stringpiece_unittest RunTest RunGrepTest +subdir = . +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red='[0;31m'; \ + grn='[0;32m'; \ + lgn='[1;32m'; \ + blu='[1;34m'; \ + mgn='[0;35m'; \ + brg='[1m'; \ + std='[m'; \ + fi; \ +} +am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; } +am__sh_e_setup = case $$- in *e*) set +e;; esac +am__common_driver_flags = \ + --color-tests "$$am__color_tests" \ + --enable-hard-errors "$$am__enable_hard_errors" \ + --expect-failure "$$am__expect_failure" +am__check_pre = \ +$(am__sh_e_setup); \ +$(am__vpath_adj_setup) $(am__vpath_adj) \ +$(am__tty_colors); \ +srcdir=$(srcdir); export srcdir; \ +case "$@" in \ + */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \ + *) am__odir=.;; \ +esac; \ +test "x$$am__odir" = x"." 
|| test -d "$$am__odir" \ + || $(MKDIR_P) "$$am__odir" || exit $$?; \ +if test -f "./$$f"; then dir=./; \ +elif test -f "$$f"; then dir=; \ +else dir="$(srcdir)/"; fi; \ +tst=$$dir$$f; log='$@'; \ +if test -n '$(DISABLE_HARD_ERRORS)'; then \ + am__enable_hard_errors=no; \ +else \ + am__enable_hard_errors=yes; \ +fi; +am__set_TESTS_bases = \ + bases='$(TEST_LOGS)'; \ + bases=`for i in $$bases; do echo $$i; done | sed 's/.log$$//'`; \ + bases=`echo $$bases` +RECHECK_LOGS = $(TEST_LOGS) +TEST_SUITE_LOG = test-suite.log +TEST_EXTENSIONS = .test +LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver +am__test_logs1 = $(TESTS:=.log) +am__test_logs2 = $(am__test_logs1:.log=.log) +TEST_LOGS = $(am__test_logs2:.test.log=.log) +MKDIR_P = /bin/mkdir -p +PACKAGE_STRING = PCRE 8.36 +SHELL = /bin/sh +srcdir = . +top_srcdir = . +$(TEST_SUITE_LOG): $(TEST_LOGS) + @$(am__set_TESTS_bases); \ + am__f_ok () { test -f "$$1" && test -r "$$1"; }; \ + redo_bases=`for i in $$bases; do \ + am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \ + done`; \ + st=0; \ + errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \ + for i in $$redo_bases; do \ + test -f $$i.trs && test -r $$i.trs \ + || { echo "$$errmsg $$i.trs" >&2; st=1; }; \ + test -f $$i.log && test -r $$i.log \ + || { echo "$$errmsg $$i.log" >&2; st=1; }; \ + done; \ + test $$st -eq 0 || exit 1; + @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \ + ws='[ ]'; \ + results=`for b in $$bases; do echo $$b.trs; done`; \ + test -n "$$results" || results=/dev/null; \ + all=` grep "^$$ws*:test-result:" $$results | wc -l`; \ + pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \ + fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \ + skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \ + xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \ + xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \ + error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \ + if 
test `expr $$fail + $$xpass + $$error` -eq 0; then \ + success=true; \ + else \ + success=false; \ + fi; \ + br='==================='; br=$$br$$br$$br$$br; \ + result_count () \ + { \ + if test x"$$1" = x"--maybe-color"; then \ + maybe_colorize=yes; \ + elif test x"$$1" = x"--no-color"; then \ + maybe_colorize=no; \ + else \ + echo "$@: invalid 'result_count' usage" >&2; exit 4; \ + fi; \ + shift; \ + desc=$$1 count=$$2; \ + if test $$maybe_colorize = yes && test $$count -gt 0; then \ + color_start=$$3 color_end=$$std; \ + else \ + color_start= color_end=; \ + fi; \ + echo "$${color_start}# $$desc $$count$${color_end}"; \ + }; \ + create_testsuite_report () \ + { \ + result_count $$1 "TOTAL:" $$all "$$brg"; \ + result_count $$1 "PASS: " $$pass "$$grn"; \ + result_count $$1 "SKIP: " $$skip "$$blu"; \ + result_count $$1 "XFAIL:" $$xfail "$$lgn"; \ + result_count $$1 "FAIL: " $$fail "$$red"; \ + result_count $$1 "XPASS:" $$xpass "$$red"; \ + result_count $$1 "ERROR:" $$error "$$mgn"; \ + }; \ + { \ + echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \ + $(am__rst_title); \ + create_testsuite_report --no-color; \ + echo; \ + echo ".. 
contents:: :depth: 2"; \ + echo; \ + for b in $$bases; do echo $$b; done; \ + } >$(TEST_SUITE_LOG).tmp || exit 1; \ + mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \ + if $$success; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ + fi; \ + echo "$${col}$$br$${std}"; \ + echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}$$br$${std}"; \ + create_testsuite_report --maybe-color; \ + echo "$$col$$br$$std"; \ + if $$success; then :; else \ + echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \ + echo "$$col$$br$$std"; \ + fi; \ + $$success || exit 1 +check-TESTS: + @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + log_list=`echo $$log_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ + exit $$?; +pcre_stringpiece_unittest.log: pcre_stringpiece_unittest$(EXEEXT) + @p='pcre_stringpiece_unittest$(EXEEXT)'; \ + b='pcre_stringpiece_unittest'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) -- "$$tst" +RunTest.log: RunTest + @p='RunTest'; \ + b='RunTest'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) -- "$$tst" +RunGrepTest.log: RunGrepTest + @p='RunGrepTest'; \ + b='RunGrepTest'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) -- "$$tst" diff --git a/recipes-support/libpcre/files/run-ptest b/recipes-support/libpcre/files/run-ptest new file mode 100644 index 0000000..990d4a1 --- /dev/null +++ b/recipes-support/libpcre/files/run-ptest @@ -0,0 +1,3 @@ +#!/bin/sh + +make check-TESTS 
diff --git a/recipes-support/libpcre/libpcre-morello_8.45.bb b/recipes-support/libpcre/libpcre-morello_8.45.bb new file mode 100644 index 0000000..82e8c38 --- /dev/null +++ b/recipes-support/libpcre/libpcre-morello_8.45.bb 
@@ -0,0 +1,91 @@ +inherit autotools binconfig-disabled ptest purecap-sysroot + +MORELLO_SRC = "poky/meta/recipes-support/libpcre/libpcre_8.45.bb" + +DESCRIPTION = "The PCRE library is a set of functions that implement regular \ +expression pattern matching using the same syntax and semantics as Perl 5. PCRE \ +has its own native API, as well as a set of wrapper functions that correspond \ +to the POSIX regular expression API." +SUMMARY = "Perl Compatible Regular Expressions" +HOMEPAGE = "http://www.pcre.org" +SECTION = "devel" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENCE;md5=b5d5d1a69a24ea2718263f1ff85a1c58" + +FILESEXTRAPATHS:prepend := "${THISDIR}/cheri-patches:" + +TOOLCHAIN = "${MORELLO_TOOLCHAIN}" + +SRC_URI = "${SOURCEFORGE_MIRROR}/pcre/pcre-${PV}.tar.bz2 \ + file://run-ptest \ + file://Makefile \ + " + +SRC_URI += "file://0001-pcre_jit_compile-cheri-provenance.patch \ + file://0002-sljitNativeARM_64-cheri-provenance.patch \ + file://0003-sljitUtils-cheri-provenance.patch \ + " + +SRC_URI[sha256sum] = "4dae6fdcd2bb0bb6c37b5f97c33c2be954da743985369cddac3546e3218bffb8" + +CVE_PRODUCT = "pcre" + +S = "${WORKDIR}/pcre-${PV}" + +PROVIDES += "pcre-morello" +DEPENDS += "bzip2-morello zlib-morello" + +PACKAGECONFIG ??= "pcre8 unicode-properties jit" + +PACKAGECONFIG[pcre8] = "--enable-pcre8,--disable-pcre8" +PACKAGECONFIG[pcre16] = "--enable-pcre16,--disable-pcre16" +PACKAGECONFIG[pcre32] = "--enable-pcre32,--disable-pcre32" +PACKAGECONFIG[pcretest-readline] = "--enable-pcretest-libreadline,--disable-pcretest-libreadline,readline-morello," +PACKAGECONFIG[unicode-properties] = "--enable-unicode-properties,--disable-unicode-properties" +PACKAGECONFIG[jit] = "--enable-jit=auto,--disable-jit" + +BINCONFIG = "${bindir}/pcre-config" + +EXTRA_OECONF = "--enable-utf --disable-cpp" + +PACKAGES =+ "libpcrecpp-morello libpcreposix-morello pcregrep-morello pcregrep-doc-morello pcretest-morello pcretest-doc-morello" + +SUMMARY:libpcrecpp-morello = "${SUMMARY} - 
C++ wrapper functions" +SUMMARY:libpcreposix-morello = "${SUMMARY} - C wrapper functions based on the POSIX regex API" +SUMMARY:pcregrep-morello = "grep utility that uses perl 5 compatible regexes" +SUMMARY:pcregrep-doc-morello = "grep utility that uses perl 5 compatible regexes - docs" +SUMMARY:pcretest-morello = "program for testing Perl-comatible regular expressions" +SUMMARY:pcretest-doc-morello = "program for testing Perl-comatible regular expressions - docs" + + +FILES:libpcrecpp-morello = "${libdir}/libpcrecpp.so.*" +FILES:libpcreposix-morello = "${libdir}/libpcreposix.so.*" +FILES:pcregrep-morello = "${bindir}/pcregrep" +FILES:pcregrep-doc-morello = "${mandir}/man1/pcregrep.1" +FILES:pcretest-morello = "${bindir}/pcretest" +FILES:pcretest-doc-morello = "${mandir}/man1/pcretest.1" + +do_install:append() { + ${OBJDUMP_COMMAND} ${D}${libdir}/libpcre.so.1.2.13 > ${D}${PURECAP_DEBUGDIR}/libpcre.dump + ${READELF_COMMAND} ${D}${libdir}/libpcre.so.1.2.13 > ${D}${PURECAP_DEBUGDIR}/libpcre.readelf +} + +PTEST_PATH = "${libdir}/libpcre/ptest" + +do_install_ptest() { + t=${D}${PTEST_PATH} + cp ${WORKDIR}/Makefile $t + cp -r ${S}/testdata $t + for i in pcre_stringpiece_unittest pcregrep pcretest; \ + do cp ${B}/.libs/$i $t; \ + done + for i in RunTest RunGrepTest test-driver; \ + do cp ${S}/$i $t; \ + done + # Skip the fr_FR locale test. If the locale fr_FR is found, it is tested. + # If not found, the test is skipped. The test program assumes fr_FR is non-UTF-8 + # locale so the test fails if fr_FR is UTF-8 locale. + sed -i -e 's:do3=yes:do3=no:g' ${D}${PTEST_PATH}/RunTest +} + +RDEPENDS:${PN}-ptest += "make" \ No newline at end of file
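Review bot: `PACKAGECONFIG ??= "pcre8 unicode-properties jit"` enables the sljit JIT by default for the purecap build, yet the three cheri-patches only cast away provenance diagnostics inside that back end and nothing in the recipe records that JIT-compiled matching has been exercised on Morello. Until that is documented, consider leaving `jit` out of the default set (`PACKAGECONFIG ??= "pcre8 unicode-properties"`) so nginx/zabbix consumers get the interpreter, or add a comment on that line saying why the JIT is considered safe here. Separately, do_install:append hardcodes `libpcre.so.1.2.13`, which fails the build on the next soname bump; `$(readlink -f ${D}${libdir}/libpcre.so)` or a `for f in ${D}${libdir}/libpcre.so.*.*.*` loop avoids that.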
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .../libunistring/libunistring-morello_1.0.bb | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 recipes-support/libunistring/libunistring-morello_1.0.bb
diff --git a/recipes-support/libunistring/libunistring-morello_1.0.bb b/recipes-support/libunistring/libunistring-morello_1.0.bb
new file mode 100644
index 0000000..9ea0490
--- /dev/null
+++ b/recipes-support/libunistring/libunistring-morello_1.0.bb
@@ -0,0 +1,36 @@
+inherit autotools texinfo purecap-sysroot
+
+MORELLO_SRC = "poky/meta/recipes-support/libunistring/libunistring_1.0.bb"
+
+SUMMARY = "Library for manipulating C and Unicode strings"
+DESCRIPTION = "Text files are nowadays usually encoded in Unicode, and may\
+ consist of very different scripts from Latin letters to Chinese Hanzi\
+ with many kinds of special characters accents, right-to-left writing\
+ marks, hyphens, Roman numbers, and much more. But the POSIX platform\
+ APIs for text do not contain adequate functions for dealing with\
+ particular properties of many Unicode characters. In fact, the POSIX\
+ APIs for text have several assumptions at their base which don't hold\
+ for Unicode text. This library provides functions for manipulating\
+ Unicode strings and for manipulating C strings according to the Unicode\
+ standard. This package contains documentation."
+
+HOMEPAGE = "http://www.gnu.org/software/libunistring/"
+SECTION = "devel"
+LICENSE = "LGPL-3.0-or-later | GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=6a6a8e020838b23406c81b19c1d46df6 \
+ file://README;beginline=45;endline=65;md5=3a896a943b4da2c551e6be1af27eff8d \
+ file://doc/libunistring.texi;md5=266e4297d7c18f197be3d9622ba99685 \
+ "
+DEPENDS = "gperf-native"
+
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+S = "${WORKDIR}/libunistring-${PV}"
+
+
+SRC_URI = "${GNU_MIRROR}/libunistring/libunistring-${PV}.tar.gz"
+SRC_URI[sha256sum] = "3c0184c0e492d7c208ce31d25dd1d2c58f0c3ed6cbbe032c5b248cddad318544"
+
+do_install:append() {
+ ${READELF_COMMAND} ${D}${libdir}/libunistring.so > ${D}${PURECAP_DEBUGDIR}/libunistring.so.readelf
+}
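Review bot: `DEPENDS = "gperf-native"` assigns rather than appends, so any build dependency the `purecap-sysroot` class inherited on the first line adds to DEPENDS is discarded; the sibling libpcre-morello recipe uses `DEPENDS +=`, and this recipe should match it: `DEPENDS += "gperf-native"`. The do_install:append also writes into `${D}${PURECAP_DEBUGDIR}` without creating it — if the class does not `install -d` that directory the redirect fails under the task's `set -e`, and whatever lands there must be matched by a FILES entry or the packaging QA check reports it as installed-but-not-shipped. A one-line comment on the readelf line noting which package ships the dump would make that contract visible.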
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .../0001-config-fix-provenance-errors.patch | 807 ++++++++++++++++++ .../0002-tpool-remove-errors.patch | 37 + .../0003-config-Remove-format-error.patch | 42 + .../0004-main-Remove-format-error.patch | 28 + ...0005-connection-fix-provenance-error.patch | 67 ++ .../0006-sets-fix-provenance-error.patch | 36 + ...07-slapd-search-fix-cheri-provenance.patch | 152 ++++ .../0001-build-top.mk-unset-STRIP_OPTS.patch | 38 + ...if-filter-fix-parallel-build-failure.patch | 32 + ...-Makefile.in-ignore-the-mkdir-errors.patch | 33 + ...de-ldap_pvt_thread.h-before-redefini.patch | 54 ++ .../openldap/openldap-morello/initscript | 35 + .../remove-user-host-pwd-from-version.patch | 39 + .../openldap/openldap-morello/slapd.service | 10 + .../openldap-morello/use-urandom.patch | 35 + .../openldap/openldap-morello_2.5.12.bb | 255 ++++++ 16 files changed, 1700 insertions(+) create mode 100644 recipes-support/openldap/cheri-patches/0001-config-fix-provenance-errors.patch create mode 100644 recipes-support/openldap/cheri-patches/0002-tpool-remove-errors.patch create mode 100644 recipes-support/openldap/cheri-patches/0003-config-Remove-format-error.patch create mode 100644 recipes-support/openldap/cheri-patches/0004-main-Remove-format-error.patch create mode 100644 recipes-support/openldap/cheri-patches/0005-connection-fix-provenance-error.patch create mode 100644 recipes-support/openldap/cheri-patches/0006-sets-fix-provenance-error.patch create mode 100644 recipes-support/openldap/cheri-patches/0007-slapd-search-fix-cheri-provenance.patch create mode 100644 recipes-support/openldap/openldap-morello/0001-build-top.mk-unset-STRIP_OPTS.patch create mode 100644 recipes-support/openldap/openldap-morello/0001-ldif-filter-fix-parallel-build-failure.patch create mode 100644 recipes-support/openldap/openldap-morello/0001-libraries-Makefile.in-ignore-the-mkdir-errors.patch create mode 100644 
recipes-support/openldap/openldap-morello/0001-librewrite-include-ldap_pvt_thread.h-before-redefini.patch create mode 100644 recipes-support/openldap/openldap-morello/initscript create mode 100644 recipes-support/openldap/openldap-morello/remove-user-host-pwd-from-version.patch create mode 100644 recipes-support/openldap/openldap-morello/slapd.service create mode 100644 recipes-support/openldap/openldap-morello/use-urandom.patch create mode 100644 recipes-support/openldap/openldap-morello_2.5.12.bb
diff --git a/recipes-support/openldap/cheri-patches/0001-config-fix-provenance-errors.patch b/recipes-support/openldap/cheri-patches/0001-config-fix-provenance-errors.patch new file mode 100644 index 0000000..b7a40d3 --- /dev/null +++ b/recipes-support/openldap/cheri-patches/0001-config-fix-provenance-errors.patch 
@@ -0,0 +1,807 @@ +From f3bf7b22898961bb1ff3bdc0fe7d24a1ee1b8e6e Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Thu, 6 Jul 2023 17:19:19 +0100 +Subject: [PATCH 1/7] config: fix provenance errors + +Cast to uintptr_t. + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + build/openldap.m4 | 13 +++- + configure | 189 ++++++++++++++++++++++++++++++++++++++-------- + configure.ac | 9 +++ + 3 files changed, 176 insertions(+), 35 deletions(-) + +diff --git a/build/openldap.m4 b/build/openldap.m4 +index c7fa19e..6945c1d 100644 +--- a/build/openldap.m4 ++++ b/build/openldap.m4 +@@ -296,6 +296,9 @@ dnl -------------------------------------------------------------------- + AC_DEFUN([OL_PTHREAD_TEST_INCLUDES], [[ + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -306,7 +309,7 @@ AC_DEFUN([OL_PTHREAD_TEST_INCLUDES], [[ + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + ]]) + AC_DEFUN([OL_PTHREAD_TEST_FUNCTION],[[ +@@ -407,6 +410,9 @@ AC_DEFUN([OL_HEADER_GNU_PTH_PTHREAD_H], [ + [ol_cv_header_gnu_pth_pthread_h], + [AC_EGREP_CPP(__gnu_pth__, + [#include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #ifdef _POSIX_THREAD_IS_GNU_PTH + __gnu_pth__; + #endif +@@ -437,7 +443,10 @@ AC_DEFUN([OL_HEADER_LINUX_THREADS], [ + AC_CACHE_CHECK([for LinuxThreads pthread.h], + [ol_cv_header_linux_threads], + [AC_EGREP_CPP(pthread_kill_other_threads_np, +- [#include <pthread.h>], ++ [#include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++], + [ol_cv_header_linux_threads=yes], + [ol_cv_header_linux_threads=no]) + ]) +diff --git a/configure b/configure +index bea23a1..7236a75 100755 +--- a/configure ++++ b/configure +@@ -17688,6 +17688,9 @@ if ac_fn_c_try_compile "$LINENO"; then : + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. 
*/ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + + _ACEOF + if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | +@@ -17717,6 +17720,9 @@ else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + + _ACEOF + if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | +@@ -17777,6 +17783,9 @@ else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + _ACEOF + if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "pthread_kill_other_threads_np" >/dev/null 2>&1; then : +@@ -17805,6 +17814,9 @@ else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #ifdef _POSIX_THREAD_IS_GNU_PTH + __gnu_pth__; + #endif +@@ -17852,6 +17864,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -17862,7 +17877,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -17932,6 +17947,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -17942,7 +17960,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -18037,6 +18055,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18047,7 +18068,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -18117,6 +18138,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> 
++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18127,7 +18151,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -18227,6 +18251,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18237,7 +18264,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -18307,6 +18334,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18317,7 +18347,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -18417,6 +18447,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18427,7 +18460,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -18497,6 +18530,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18507,7 +18543,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -18607,6 +18643,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18617,7 +18656,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -18687,6 +18726,9 @@ else + + /* pthread test headers */ + 
#include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18697,7 +18739,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -18797,6 +18839,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18807,7 +18852,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -18877,6 +18922,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18887,7 +18935,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -18988,6 +19036,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -18998,7 +19049,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -19068,6 +19119,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19078,7 +19132,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -19178,6 +19232,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19188,7 +19245,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -19258,6 +19315,9 @@ 
else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19268,7 +19328,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -19369,6 +19429,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19379,7 +19442,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -19449,6 +19512,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19459,7 +19525,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -19560,6 +19626,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19570,7 +19639,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -19640,6 +19709,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19650,7 +19722,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -19750,6 +19822,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19760,7 +19835,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + 
} + + int +@@ -19830,6 +19905,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19840,7 +19918,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -19941,6 +20019,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -19951,7 +20032,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -20021,6 +20102,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -20031,7 +20115,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -20132,6 +20216,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -20142,7 +20229,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -20212,6 +20299,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -20222,7 +20312,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -20322,6 +20412,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -20332,7 +20425,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return 
(void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -20402,6 +20495,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -20412,7 +20508,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -20512,6 +20608,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -20522,7 +20621,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -20592,6 +20691,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -20602,7 +20704,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -20703,6 +20805,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -20713,7 +20818,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + int +@@ -20783,6 +20888,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -20793,7 +20901,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -20974,6 +21082,9 @@ else + /* end confdefs.h. */ + + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + pthread_rwlock_t rwlock; + + int +@@ -21011,6 +21122,9 @@ else + /* end confdefs.h. 
*/ + + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #ifndef NULL + #define NULL (void*)0 + #endif +@@ -21125,6 +21239,9 @@ else + + /* pthread test headers */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #if HAVE_PTHREADS < 7 + #include <errno.h> + #endif +@@ -21135,7 +21252,7 @@ else + static void *task(p) + void *p; + { +- return (void *) (p == NULL); ++ return (void *) ((uintptr_t)(p == NULL)); + } + + +@@ -21235,6 +21352,9 @@ else + #include <sys/time.h> + #include <unistd.h> + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #ifndef NULL + #define NULL (void*) 0 + #endif +@@ -21552,6 +21672,9 @@ else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + _ACEOF + if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "pthread_kill_other_threads_np" >/dev/null 2>&1; then : +diff --git a/configure.ac b/configure.ac +index 0978eeb..8f5d122 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1452,6 +1452,9 @@ dnl [ol_cv_pthread_lpthread_lexc]) + dnl save the flags + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + pthread_rwlock_t rwlock; + ]], [[pthread_rwlock_destroy(&rwlock);]])],[ol_cv_func_pthread_rwlock_destroy=yes],[ol_cv_func_pthread_rwlock_destroy=no]) + ]) +@@ -1467,6 +1470,9 @@ pthread_rwlock_t rwlock; + dnl save the flags + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #ifndef NULL + #define NULL (void*)0 + #endif +@@ -1529,6 +1535,9 @@ dnl esac + #include <sys/time.h> + #include <unistd.h> + #include <pthread.h> ++#include <stdio.h> ++#include <stdint.h> ++ + #ifndef NULL + #define NULL (void*) 0 + #endif +-- +2.34.1 + 
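Review bot: The patch edits the generated `configure` (the long run of near-identical hunks) in lockstep with `configure.ac` and `build/openldap.m4`; if openldap-morello inherits autotools and regenerates configure, that half of the patch is dead weight that will conflict on every version bump, and if it does not, the m4/ac half is never exercised — only one of the two should be carried, with a sentence in the patch header saying which. `#include <stdio.h>` is added to every probe but nothing in them uses it; only `<stdint.h>` is needed for the `(uintptr_t)(p == NULL)` conversion. The header also lacks the `Upstream-Status:` line OE's patch checker expects, e.g. `Upstream-Status: Inappropriate [CHERI/Morello specific]`.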
diff --git a/recipes-support/openldap/cheri-patches/0002-tpool-remove-errors.patch b/recipes-support/openldap/cheri-patches/0002-tpool-remove-errors.patch
new file mode 100644
index 0000000..4f2a878
--- /dev/null
+++ b/recipes-support/openldap/cheri-patches/0002-tpool-remove-errors.patch
@@ -0,0 +1,37 @@
+From cbf9e2e7eccb51ebfa3036c81b3c08691b19ef13 Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Thu, 6 Jul 2023 17:42:48 +0100
+Subject: [PATCH 2/7] tpool: remove errors
+
+Cast the RHS to uintptr_t.
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ libraries/libldap/tpool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libraries/libldap/tpool.c b/libraries/libldap/tpool.c
+index 797d59e..ce4a840 100644
+--- a/libraries/libldap/tpool.c
++++ b/libraries/libldap/tpool.c
+@@ -258,7 +258,7 @@ ldap_pvt_thread_pool_init_q (
+ LDAP_FREE(pool);
+ return(-1);
+ }
+- pool->ltp_wqs[i] = (struct ldap_int_thread_poolq_s *)(((size_t)ptr + CACHELINE-1) & ~(CACHELINE-1));
++ pool->ltp_wqs[i] = (struct ldap_int_thread_poolq_s *)((uintptr_t)(((size_t)ptr + CACHELINE-1) & ~(CACHELINE-1)));
+ pool->ltp_wqs[i]->ltp_free = ptr;
+ }
+
+@@ -594,7 +594,7 @@ ldap_pvt_thread_pool_queues(
+ pool->ltp_wqs[i] = NULL;
+ return(-1);
+ }
+- pq = (struct ldap_int_thread_poolq_s *)(((size_t)ptr + CACHELINE-1) & ~(CACHELINE-1));
++ pq = (struct ldap_int_thread_poolq_s *)((uintptr_t)(((size_t)ptr + CACHELINE-1) & ~(CACHELINE-1)));
+ pq->ltp_free = ptr;
+ pool->ltp_wqs[i] = pq;
+ pq->ltp_pool = pool;
+--
+2.34.1
+
diff --git a/recipes-support/openldap/cheri-patches/0003-config-Remove-format-error.patch b/recipes-support/openldap/cheri-patches/0003-config-Remove-format-error.patch
new file mode 100644
index 0000000..a30a231
--- /dev/null
+++ b/recipes-support/openldap/cheri-patches/0003-config-Remove-format-error.patch
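Review bot: The new casts in ldap_pvt_thread_pool_init_q and ldap_pvt_thread_pool_queues still round `ptr` through `size_t` before converting back, so on a purecap target where size_t is a 64-bit integer the capability tag is stripped and the outer `(uintptr_t)` only wraps a NULL-derived address; the dereference on the following line (`pool->ltp_wqs[i]->ltp_free = ptr;` / `pq->ltp_free = ptr;`) would then fault with a tag violation — the diagnostic was pointing at a real bug, not noise. Do the alignment arithmetic on a `uintptr_t` derived directly from `ptr`, which keeps provenance under CHERI C: `pool->ltp_wqs[i] = (struct ldap_int_thread_poolq_s *)(((uintptr_t)ptr + CACHELINE-1) & ~(uintptr_t)(CACHELINE-1));` and likewise `pq = (struct ldap_int_thread_poolq_s *)(((uintptr_t)ptr + CACHELINE-1) & ~(uintptr_t)(CACHELINE-1));`. This also presumes the allocation behind `ptr` is at least CACHELINE-1 bytes larger than the struct so the rounded-up pointer stays within the capability's bounds; the allocation sites and both function bodies lie outside the hunk and should be checked for that.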
@@ -0,0 +1,42 @@ +From 9d3e1f69ccd087fb219bebd578252aafc82f224a Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Fri, 7 Jul 2023 09:37:26 +0100 +Subject: [PATCH 3/7] config: Remove format error. + +Cast to unsigned char * + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + servers/lloadd/config.c | 2 +- + servers/slapd/config.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/servers/lloadd/config.c b/servers/lloadd/config.c +index 12b4406..56a69ca 100644 +--- a/servers/lloadd/config.c ++++ b/servers/lloadd/config.c +@@ -2113,7 +2113,7 @@ lload_config_find_keyword( ConfigTable *Conf, ConfigArgs *c ) + size_t decode_len = LUTIL_BASE64_DECODE_LEN( c->linelen ); + ch_free( c->tline ); + c->tline = ch_malloc( decode_len + 1 ); +- c->linelen = lutil_b64_pton( c->line, c->tline, decode_len ); ++ c->linelen = lutil_b64_pton( c->line, (unsigned char *)c->tline, decode_len ); + if ( c->linelen < 0 ) { + ch_free( c->tline ); + c->tline = NULL; +diff --git a/servers/slapd/config.c b/servers/slapd/config.c +index 8823c74..3ae7d1f 100644 +--- a/servers/slapd/config.c ++++ b/servers/slapd/config.c +@@ -134,7 +134,7 @@ ConfigTable *config_find_keyword(ConfigTable *Conf, ConfigArgs *c) { + size_t decode_len = LUTIL_BASE64_DECODE_LEN(c->linelen); + ch_free( c->tline ); + c->tline = ch_malloc( decode_len+1 ); +- c->linelen = lutil_b64_pton( c->line, c->tline, decode_len ); ++ c->linelen = lutil_b64_pton( c->line, (unsigned char *)c->tline, decode_len ); + if ( c->linelen < 0 ) + { + ch_free( c->tline ); +-- +2.34.1 + diff --git a/recipes-support/openldap/cheri-patches/0004-main-Remove-format-error.patch b/recipes-support/openldap/cheri-patches/0004-main-Remove-format-error.patch new file mode 100644 index 0000000..e55ab08 --- /dev/null +++ b/recipes-support/openldap/cheri-patches/0004-main-Remove-format-error.patch 
@@ -0,0 +1,28 @@
+From ace0b9cd1c47662133e599a2f77597dfd184a5d0 Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Fri, 7 Jul 2023 09:47:39 +0100
+Subject: [PATCH 4/7] main: Remove format error.
+
+cast to unsigned int
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ servers/slapd/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/main.c b/servers/slapd/main.c
+index 11e7a8f..6f69087 100644
+--- a/servers/slapd/main.c
++++ b/servers/slapd/main.c
+@@ -396,7 +396,7 @@ static void debug_print( const char *data )
+ 
+ buf[sizeof(buf)-1] = '\0';
+ snprintf( buf, sizeof(buf)-1, "%lx." TS " %p %s",
+- (long)tv.tv_sec, Tfrac, (void *)ldap_pvt_thread_self(), data );
++ (long)tv.tv_sec, (unsigned int)Tfrac, (void *)ldap_pvt_thread_self(), data );
+ ber_logger( buf );
+ }
+
+--
+2.34.1
+
diff --git a/recipes-support/openldap/cheri-patches/0005-connection-fix-provenance-error.patch b/recipes-support/openldap/cheri-patches/0005-connection-fix-provenance-error.patch
new file mode 100644
index 0000000..04451a2
--- /dev/null
+++ b/recipes-support/openldap/cheri-patches/0005-connection-fix-provenance-error.patch
@@ -0,0 +1,67 @@ +From b9d319b8e5a71eb036937959da051d3780f9c27d Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Fri, 7 Jul 2023 09:59:36 +0100 +Subject: [PATCH 5/7] connection: fix provenance error + +Use uintptr_t not int for pointers. + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + servers/slapd/connection.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c +index b8ea92a..33a6c13 100644 +--- a/servers/slapd/connection.c ++++ b/servers/slapd/connection.c +@@ -25,6 +25,7 @@ + + #include "portable.h" + ++#include <stdint.h> + #include <stdio.h> + #ifdef HAVE_LIMITS_H + #include <limits.h> +@@ -1246,7 +1247,7 @@ static int connection_read( ber_socket_t s, conn_readinfo *cri ); + + static void* connection_read_thread( void* ctx, void* argv ) + { +- int rc ; ++ int rc; + conn_readinfo cri = { NULL, NULL, NULL, NULL, 0 }; + ber_socket_t s = (long)argv; + +@@ -1257,17 +1258,17 @@ static void* connection_read_thread( void* ctx, void* argv ) + cri.ctx = ctx; + if( ( rc = connection_read( s, &cri ) ) < 0 ) { + Debug( LDAP_DEBUG_CONNS, "connection_read(%d) error\n", s ); +- return (void*)(long)rc; ++ return (void*)(uintptr_t)rc; + } + + /* execute a single queued request in the same thread */ + if( cri.op && !cri.nullop ) { +- rc = (long)connection_operation( ctx, cri.op ); ++ rc = connection_operation( ctx, cri.op ); + } else if ( cri.func ) { +- rc = (long)cri.func( ctx, cri.arg ); ++ rc = cri.func( ctx, cri.arg ); + } + +- return (void*)(long)rc; ++ return (void*)(uintptr_t)rc; + } + + int connection_read_activate( ber_socket_t s ) +@@ -1284,7 +1285,7 @@ int connection_read_activate( ber_socket_t s ) + return rc; + + rc = ldap_pvt_thread_pool_submit( &connection_pool, +- connection_read_thread, (void *)(long)s ); ++ connection_read_thread, (void *)(uintptr_t)s ); + + if( rc != 0 ) { + Debug( LDAP_DEBUG_ANY, +-- +2.34.1 + 
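Review bot: Dropping the `(long)` casts on the `connection_operation` and `cri.func` results leaves an implicit pointer-to-integer assignment into `int rc`, assuming those calls still return `void *` as the removed casts suggest; clang warns on that, and recent releases reject it by default. Keep the conversion explicit and provenance-aware: `rc = (int)(uintptr_t)connection_operation( ctx, cri.op );` and `rc = (int)(uintptr_t)cri.func( ctx, cri.arg );`. The unchanged context line `ber_socket_t s = (long)argv;` is the same kind of conversion and could take the matching `(uintptr_t)` form for consistency with the submit side. connection_read_activate continues outside the hunk.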
diff --git a/recipes-support/openldap/cheri-patches/0006-sets-fix-provenance-error.patch b/recipes-support/openldap/cheri-patches/0006-sets-fix-provenance-error.patch new file mode 100644 index 0000000..cb6b1d0 --- /dev/null +++ b/recipes-support/openldap/cheri-patches/0006-sets-fix-provenance-error.patch @@ -0,0 +1,36 @@ +From e0fbb1b9512e85f33497a96d7a9ade87be9d170e Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Fri, 7 Jul 2023 10:52:37 +0100 +Subject: [PATCH 6/7] sets: fix provenance error + +Use uintptr_t not int for pointers. + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + servers/slapd/sets.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/servers/slapd/sets.c b/servers/slapd/sets.c +index 9ab2b36..8a2dc58 100644 +--- a/servers/slapd/sets.c ++++ b/servers/slapd/sets.c +@@ -15,6 +15,7 @@ + + #include "portable.h" + ++#include <stdint.h> + #include <stdio.h> + #include <ac/string.h> + +@@ -553,7 +554,7 @@ slap_set_filter( SLAP_SET_GATHER gatherer, + #define SF_POP() ( (BerVarray)( ( stp < 0 ) ? 0 : stack[ stp-- ] ) ) + #define SF_PUSH(x) do { \ + if ( stp >= ( STACK_SIZE - 1 ) ) SF_ERROR( overflow ); \ +- stack[ ++stp ] = (BerVarray)(long)(x); \ ++ stack[ ++stp ] = (BerVarray)(uintptr_t)(x); \ + } while ( 0 ) + + BerVarray set, lset; +-- +2.34.1 + diff --git a/recipes-support/openldap/cheri-patches/0007-slapd-search-fix-cheri-provenance.patch b/recipes-support/openldap/cheri-patches/0007-slapd-search-fix-cheri-provenance.patch new file mode 100644 index 0000000..08fea7e --- /dev/null +++ b/recipes-support/openldap/cheri-patches/0007-slapd-search-fix-cheri-provenance.patch 
@@ -0,0 +1,152 @@ +From 2d39482eea00f2afe2598ed5c469d7bffc097ebc Mon Sep 17 00:00:00 2001 +From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +Date: Fri, 14 Jul 2023 08:00:42 +0100 +Subject: [PATCH 7/7] slapd:search: fix cheri provenance + +Pre-cast the integer to uintptr_t. + +Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk +--- + servers/slapd/back-meta/search.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c +index cfd2f4b..28dcbd4 100644 +--- a/servers/slapd/back-meta/search.c ++++ b/servers/slapd/back-meta/search.c +@@ -868,7 +868,7 @@ getconn:; + + case META_SEARCH_ERR: + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + rc = -1; +@@ -995,7 +995,7 @@ getconn:; + rc = rs->sr_err = op->o_protocol >= LDAP_VERSION3 ? + LDAP_ADMINLIMIT_EXCEEDED : LDAP_OTHER; + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + goto finish; +@@ -1008,7 +1008,7 @@ getconn:; + doabandon = 1; + rc = rs->sr_err = LDAP_TIMELIMIT_EXCEEDED; + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + goto finish; +@@ -1047,7 +1047,7 @@ getconn:; + candidates[ i ].sr_err = rs->sr_err; + if ( META_BACK_ONERR_STOP( mi ) ) { + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + goto finish; +@@ -1076,7 +1076,7 @@ getconn:; + candidates[ i ].sr_err = rs->sr_err; + if ( META_BACK_ONERR_STOP( mi ) ) { + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = 
savepriv; + goto finish; +@@ -1161,7 +1161,7 @@ really_bad:; + candidates[ i ].sr_err = rs->sr_err; + if ( META_BACK_ONERR_STOP( mi ) ) { + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + goto finish; +@@ -1189,7 +1189,7 @@ really_bad:; + candidates[ i ].sr_err = rs->sr_err; + if ( META_BACK_ONERR_STOP( mi ) ) { + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + goto finish; +@@ -1236,13 +1236,13 @@ really_bad:; + + e = ldap_first_entry( msc->msc_ld, msg ); + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + rs->sr_err = meta_send_entry( op, rs, mc, i, e ); + + switch ( rs->sr_err ) { + case LDAP_SIZELIMIT_EXCEEDED: + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + rs->sr_err = LDAP_SUCCESS; +@@ -1311,7 +1311,7 @@ really_bad:; + if ( rs->sr_ref != NULL && !BER_BVISNULL( &rs->sr_ref[ 0 ] ) ) { + /* ignore return value by now */ + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + ( void )send_search_reference( op, rs ); + op->o_private = savepriv; + +@@ -1580,7 +1580,7 @@ err_pr:; + candidates[ i ].sr_err = rs->sr_err; + if ( META_BACK_ONERR_STOP( mi ) ) { + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + ldap_controls_free( ctrls ); +@@ -1629,7 +1629,7 @@ err_pr:; + got_err: + save_text = rs->sr_text; + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + rs->sr_text = candidates[ i ].sr_text; + send_ldap_result( op, rs ); + rs->sr_text = save_text; +@@ -1682,7 +1682,7 @@ got_err: + candidates[ i 
].sr_err = rs->sr_err; + if ( META_BACK_ONERR_STOP( mi ) ) { + savepriv = op->o_private; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + send_ldap_result( op, rs ); + op->o_private = savepriv; + ldap_msgfree( res ); +@@ -1806,7 +1806,7 @@ free_message:; + * FIXME: only the last one gets caught! + */ + savepriv = op->o_private; +- op->o_private = (void *)(long)mi->mi_ntargets; ++ op->o_private = (void *)(uintptr_t)mi->mi_ntargets; + if ( candidate_match > 0 ) { + struct berval pmatched = BER_BVNULL; + +@@ -1844,7 +1844,7 @@ free_message:; + op->o_tmpfree( pmatched.bv_val, op->o_tmpmemctx ); + } + pmatched = pbv; +- op->o_private = (void *)i; ++ op->o_private = (void *)(uintptr_t)i; + + } else { + op->o_tmpfree( pbv.bv_val, op->o_tmpmemctx ); +-- +2.34.1 + diff --git a/recipes-support/openldap/openldap-morello/0001-build-top.mk-unset-STRIP_OPTS.patch b/recipes-support/openldap/openldap-morello/0001-build-top.mk-unset-STRIP_OPTS.patch new file mode 100644 index 0000000..9d25f2c --- /dev/null +++ b/recipes-support/openldap/openldap-morello/0001-build-top.mk-unset-STRIP_OPTS.patch 
@@ -0,0 +1,38 @@ +From 321839cbd1d57f12d3d6695254d2003473d8dd1a Mon Sep 17 00:00:00 2001 +From: Yi Zhao yi.zhao@windriver.com +Date: Wed, 8 Dec 2021 16:58:55 +0800 +Subject: [PATCH] build/top.mk: unset STRIP_OPTS + +Unset STRIP_OPTS to disable strip to fix QA errors: + +ERROR: openldap-2.5.9-r0 do_package: QA Issue: File +'/usr/bin/ldapcompare' from openldap was already stripped, this will +prevent future debugging! [already-stripped] + +ERROR: openldap-2.5.9-r0 do_package: QA Issue: File +'/usr/bin/ldapdelete' from openldap was already stripped, this will +prevent future debugging! [already-stripped] + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao yi.zhao@windriver.com +--- + build/top.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/build/top.mk b/build/top.mk +index 38ce146..6e9fe1f 100644 +--- a/build/top.mk ++++ b/build/top.mk +@@ -60,7 +60,7 @@ INSTALL_PROGRAM = $(INSTALL) + INSTALL_DATA = $(INSTALL) -m 644 + INSTALL_SCRIPT = $(INSTALL) + +-STRIP_OPTS = -s ++STRIP_OPTS = + + LINT = lint + 5LINT = 5lint +-- +2.17.1 + diff --git a/recipes-support/openldap/openldap-morello/0001-ldif-filter-fix-parallel-build-failure.patch b/recipes-support/openldap/openldap-morello/0001-ldif-filter-fix-parallel-build-failure.patch new file mode 100644 index 0000000..b42bd97 --- /dev/null +++ b/recipes-support/openldap/openldap-morello/0001-ldif-filter-fix-parallel-build-failure.patch 
@@ -0,0 +1,32 @@ +From 9e4ccd1e78ceac8de1ab66ee62ee216f1fbd4956 Mon Sep 17 00:00:00 2001 +From: Yi Zhao yi.zhao@windriver.com +Date: Thu, 2 Dec 2021 11:38:15 +0800 +Subject: [PATCH] ldif-filter: fix parallel build failure + +Add slapd-common.o as dependency for ldif-filter to fix the parallel +build failure: + ld: cannot find slapd-common.o: No such file or directory + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao yi.zhao@windriver.com +--- + tests/progs/Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/progs/Makefile.in b/tests/progs/Makefile.in +index 13f1e8be2..e4f4ccf98 100644 +--- a/tests/progs/Makefile.in ++++ b/tests/progs/Makefile.in +@@ -56,7 +56,7 @@ slapd-modify: slapd-modify.o $(OBJS) $(XLIBS) + slapd-bind: slapd-bind.o $(OBJS) $(XLIBS) + $(LTLINK) -o $@ slapd-bind.o $(OBJS) $(LIBS) + +-ldif-filter: ldif-filter.o $(XLIBS) ++ldif-filter: ldif-filter.o $(OBJS) $(XLIBS) + $(LTLINK) -o $@ ldif-filter.o $(OBJS) $(LIBS) + + slapd-mtread: slapd-mtread.o $(OBJS) $(XLIBS) +-- +2.25.1 + diff --git a/recipes-support/openldap/openldap-morello/0001-libraries-Makefile.in-ignore-the-mkdir-errors.patch b/recipes-support/openldap/openldap-morello/0001-libraries-Makefile.in-ignore-the-mkdir-errors.patch new file mode 100644 index 0000000..552726b --- /dev/null +++ b/recipes-support/openldap/openldap-morello/0001-libraries-Makefile.in-ignore-the-mkdir-errors.patch 
@@ -0,0 +1,33 @@ +From 690f69791eb6cd0d7e94b4d73219ee864de27f62 Mon Sep 17 00:00:00 2001 +From: Yi Zhao yi.zhao@windriver.com +Date: Mon, 10 Jan 2022 10:13:51 +0800 +Subject: [PATCH] libraries/Makefile.in: ignore the mkdir errors + +Ignore the mkdir errors to fix the parallel build failure: + +../../build/shtool mkdir -p TOPDIR/tmp-glibc/work/cortexa15t2hf-neon-wrs-linux-gnueabi/openldap/2.5.9-r0/image/usr/lib +mkdir: cannot create directory 'TOPDIR/tmp-glibc/work/cortexa15t2hf-neon-wrs-linux-gnueabi/openldap/2.5.9-r0/image/usr/lib': File exists + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao yi.zhao@windriver.com +--- + libraries/Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libraries/Makefile.in b/libraries/Makefile.in +index d9cb2ff..c6b251f 100644 +--- a/libraries/Makefile.in ++++ b/libraries/Makefile.in +@@ -24,7 +24,7 @@ PKGCONFIG_DIR=$(DESTDIR)$(libdir)/pkgconfig + PKGCONFIG_SRCDIRS=liblber libldap + + install-local: +- @$(MKDIR) $(PKGCONFIG_DIR) ++ @-$(MKDIR) $(PKGCONFIG_DIR) + @for i in $(PKGCONFIG_SRCDIRS); do \ + $(INSTALL_DATA) $$i/*.pc $(PKGCONFIG_DIR); \ + done +-- +2.17.1 + diff --git a/recipes-support/openldap/openldap-morello/0001-librewrite-include-ldap_pvt_thread.h-before-redefini.patch b/recipes-support/openldap/openldap-morello/0001-librewrite-include-ldap_pvt_thread.h-before-redefini.patch new file mode 100644 index 0000000..bcd1525 --- /dev/null +++ b/recipes-support/openldap/openldap-morello/0001-librewrite-include-ldap_pvt_thread.h-before-redefini.patch 
@@ -0,0 +1,54 @@ +From 79381ab335898c9184e22dd25b544adefa9bf6c5 Mon Sep 17 00:00:00 2001 +From: Khem Raj raj.khem@gmail.com +Date: Mon, 7 Feb 2022 16:26:57 -0800 +Subject: [PATCH] librewrite: include ldap_pvt_thread.h before redefining + calloc + +This helps compiling with musl, where sched.h is included by +ldap_pvt_thread.h which provides prototype for calloc() and conflicts + +/usr/include/sched.h:84:7: error: conflicting types for 'ber_memcalloc' +| void *calloc(size_t, size_t); +| ^1 +| warning and 1 error generated. +| ./rewrite-int.h:44:21: note: expanded from macro 'calloc' +| #define calloc(x,y) ber_memcalloc(x,y) +| ^ + +Upstream-Status: Pending +Signed-off-by: Khem Raj raj.khem@gmail.com +--- + libraries/librewrite/rewrite-int.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/libraries/librewrite/rewrite-int.h b/libraries/librewrite/rewrite-int.h +index 4481dd3..5ec226d 100644 +--- a/libraries/librewrite/rewrite-int.h ++++ b/libraries/librewrite/rewrite-int.h +@@ -40,6 +40,11 @@ + + #include <rewrite.h> + ++#ifndef NO_THREADS ++#define USE_REWRITE_LDAP_PVT_THREADS ++#include <ldap_pvt_thread.h> ++#endif ++ + #define malloc(x) ber_memalloc(x) + #define calloc(x,y) ber_memcalloc(x,y) + #define realloc(x,y) ber_memrealloc(x,y) +@@ -47,11 +52,6 @@ + #undef strdup + #define strdup(x) ber_strdup(x) + +-#ifndef NO_THREADS +-#define USE_REWRITE_LDAP_PVT_THREADS +-#include <ldap_pvt_thread.h> +-#endif +- + /* + * For details, see RATIONALE. + */ +-- +2.35.1 + diff --git a/recipes-support/openldap/openldap-morello/initscript b/recipes-support/openldap/openldap-morello/initscript new file mode 100644 index 0000000..08d1067 --- /dev/null +++ b/recipes-support/openldap/openldap-morello/initscript 
@@ -0,0 +1,35 @@
+#! /bin/sh
+#
+# This is an init script for openembedded
+# Copy it to /etc/init.d/openldap and type
+# > update-rc.d openldap defaults 60
+#
+
+# Source function library.
+. /etc/init.d/functions
+
+slapd=/usr/sbin/slapd
+test -x "$slapd" || exit 0
+
+
+case "$1" in
+ start)
+ echo -n "Starting OpenLDAP: "
+ start-stop-daemon --start --quiet --exec $slapd
+ echo "."
+ ;;
+ stop)
+ echo -n "Stopping OpenLDAP: "
+ start-stop-daemon --stop --quiet --pidfile /var/run/slapd.pid
+ echo "."
+ ;;
+ status)
+ status $slapd;
+ exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/openldap {start|stop|status}"
+ exit 1
+esac
+
+exit 0
diff --git a/recipes-support/openldap/openldap-morello/remove-user-host-pwd-from-version.patch b/recipes-support/openldap/openldap-morello/remove-user-host-pwd-from-version.patch
new file mode 100644
index 0000000..7a1b5aa
--- /dev/null
+++ b/recipes-support/openldap/openldap-morello/remove-user-host-pwd-from-version.patch
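Review bot: The `start)` branch launches slapd with no `-u`/`-g`, and the `ExecStart=@SBINDIR@/slapd` line in slapd.service (next hunk) likewise has no `User=`/`Group=`, so the directory server runs as root for its whole lifetime rather than dropping to a service account after binding its listeners. If the recipe adds a dedicated account (e.g. an `openldap` user, constructed name), the start line becomes `start-stop-daemon --start --quiet --exec $slapd -- -u openldap -g openldap` with the same options on ExecStart. Separately, the unit's `Type=forking` without `PIDFile=` leaves systemd to guess the main PID; `PIDFile=/var/run/slapd.pid` matches the path the `stop)` branch already relies on.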
@@ -0,0 +1,39 @@ +From 868a04b0596e2df708ba14ed70815b1411db3db1 Mon Sep 17 00:00:00 2001 +From: Changqing Li changqing.li@windriver.com +Date: Thu, 21 Feb 2019 11:33:24 +0800 +Subject: [PATCH] mkversion: remove user host pwd from version + +Upstream-Status: Pending + +Update this patch to version 2.4.47 + +Signed-off-by: Changqing Li changqing.li@windriver.com +--- + build/mkversion | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/build/mkversion ++++ b/build/mkversion +@@ -53,8 +53,12 @@ APPLICATION=$1 + # Reproducible builds set SOURCE_DATE_EPOCH, want constant strings + if [ -n "${SOURCE_DATE_EPOCH}" ]; then + WHOWHERE="openldap" ++ DATE=$(date -d@$SOURCE_DATE_EPOCH +' %b %d %Y ') ++ TIME=$(date -d@$SOURCE_DATE_EPOCH +' %H:%M:%S ') + else +- WHOWHERE="$USER@$(uname -n):$(pwd)" ++ WHOWHERE="openldap" ++ DATE='" __DATE__ "' ++ TIME='" __TIME__ "' + fi + + cat << __EOF__ +@@ -77,7 +81,7 @@ static const char copyright[] = + "COPYING RESTRICTIONS APPLY\n"; + + $static $const char $SYMBOL[] = +-"@(#) $$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") $\n" ++"@(#) $$PACKAGE: $APPLICATION $VERSION ($DATE $TIME) $\n" + "\t$WHOWHERE\n"; + + __EOF__ diff --git a/recipes-support/openldap/openldap-morello/slapd.service b/recipes-support/openldap/openldap-morello/slapd.service new file mode 100644 index 0000000..f5f83fd --- /dev/null +++ b/recipes-support/openldap/openldap-morello/slapd.service @@ -0,0 +1,10 @@ +[Unit] +Description=Standalone LDAP Daemon +After=syslog.target network.target + +[Service] +Type=forking +ExecStart=@SBINDIR@/slapd + +[Install] +WantedBy=multi-user.target diff --git a/recipes-support/openldap/openldap-morello/use-urandom.patch b/recipes-support/openldap/openldap-morello/use-urandom.patch new file mode 100644 index 0000000..0b7e3a2 --- /dev/null +++ b/recipes-support/openldap/openldap-morello/use-urandom.patch 
@@ -0,0 +1,35 @@ +openldap: assume /dev/urandom exists + +When we are cross-compiling, we want to assume +that /dev/urandom exists. We could change the source +code to look for it, but this is the easy way out. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Joe Slater jslater@windriver.com + +--- a/configure.ac ++++ b/configure.ac +@@ -2117,6 +2117,7 @@ AC_SUBST(systemdsystemunitdir) + + dnl ---------------------------------------------------------------- + dnl Check for entropy sources ++dev=no + if test $cross_compiling != yes && test "$ac_cv_mingw32" != yes ; then + dev=no + if test -r /dev/urandom ; then +@@ -2131,9 +2132,11 @@ if test $cross_compiling != yes && test "$ac_cv_mingw32" != yes ; then + dev="/idev/random"; + fi + +- if test $dev != no ; then +- AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device]) +- fi ++elif test $cross_compiling == yes ; then ++ dev="/dev/urandom"; ++fi ++if test $dev != no ; then ++ AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device]) + fi + + dnl ---------------------------------------------------------------- diff --git a/recipes-support/openldap/openldap-morello_2.5.12.bb b/recipes-support/openldap/openldap-morello_2.5.12.bb new file mode 100644 index 0000000..34ac852 --- /dev/null +++ b/recipes-support/openldap/openldap-morello_2.5.12.bb 
@@ -0,0 +1,255 @@ +inherit autotools-brokensep update-rc.d systemd pkgconfig pure-cap-kheaders purecap-sysroot + +MORELLO_SRC = "meta-openembedded/meta-oe/recipes-support/openldap/openldap_2.5.12.bb" + +SUMMARY = "OpenLDAP Directory Service" + +DESCRIPTION = "OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol." +HOMEPAGE = "http://www.OpenLDAP.org/license.html" +# The OpenLDAP Public License - see the HOMEPAGE - defines +# the license. www.openldap.org claims this is Open Source +# (see http://www.openldap.org), the license appears to be +# basically BSD. opensource.org does not record this license +# at present (so it is apparently not OSI certified). +LICENSE = "OpenLDAP" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=beceb5ac7100b6430640c61655b25c1f \ + file://LICENSE;md5=153d07ef052c4a37a8fac23bc6031972 \ + " +SECTION = "libs" + +BPN_LDAP = "openldap" + +TOOLCHAIN = "${MORELLO_TOOLCHAIN}" +FILESEXTRAPATHS:prepend := "${THISDIR}/cheri-patches:" + +LDAP_VER = "${@'.'.join(d.getVar('PV').split('.')[0:2])}" + +SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/%24%7BBP... 
\ + file://use-urandom.patch \ + file://initscript \ + file://slapd.service \ + file://remove-user-host-pwd-from-version.patch \ + file://0001-ldif-filter-fix-parallel-build-failure.patch \ + file://0001-build-top.mk-unset-STRIP_OPTS.patch \ + file://0001-libraries-Makefile.in-ignore-the-mkdir-errors.patch \ + file://0001-librewrite-include-ldap_pvt_thread.h-before-redefini.patch \ +" + +SRC_URI += "\ + file://0001-config-fix-provenance-errors.patch \ + file://0002-tpool-remove-errors.patch \ + file://0003-config-Remove-format-error.patch \ + file://0004-main-Remove-format-error.patch \ + file://0005-connection-fix-provenance-error.patch \ + file://0006-sets-fix-provenance-error.patch \ + file://0007-slapd-search-fix-cheri-provenance.patch \ +" + +SRC_URI[sha256sum] = "d5086cbfc49597fa7d0670a429a9054552d441b16ee8b2435412797ab0e37b96" + +S = "${WORKDIR}/${BPN_LDAP}-${PV}" + +DEPENDS += "util-linux-morello groff-native libtool-native openssl-morello" +RDEPENDS:${PN} += "openssl-morello" + +# CV SETTINGS +# Required to work round AC_FUNC_MEMCMP which gets the wrong answer +# when cross compiling (should be in site?) +EXTRA_OECONF += "ac_cv_func_memcmp_working=yes" + +# CONFIG DEFINITIONS +# The following is necessary because it cannot be determined for a +# cross compile automagically. Select should yield fine on all OE +# systems... +EXTRA_OECONF += "--with-yielding-select=yes" +# Shared libraries are nice... 
+EXTRA_OECONF += "-disable-modules -disable-static" + +PACKAGECONFIG ??= "asyncmeta gnutls modules \ + mdb ldap meta null passwd proxycache dnssrv \ + ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ +" +#--with-tls with TLS/SSL support auto|openssl|gnutls [auto] +PACKAGECONFIG[openssl] = "--with-tls=openssl,,openssl-morello" + +PACKAGECONFIG[sasl] = "--with-cyrus-sasl,--without-cyrus-sasl,cyrus-sasl" +PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6" + +# SLAPD options +# +# UNIX crypt(3) passwd support: +EXTRA_OECONF += "--enable-crypt" + + +# SLAPD BACKEND +# +# The backend must be set by the configuration. This controls the +# required database. +# +# Backends="asyncmeta dnssrv ldap mdb meta ndb null passwd perl relay sock sql wt" +# +# Note that multiple backends can be built. The ldbm backend requires a +# build-time choice of database API. To use the gdbm (or other) API the +# Berkely database module must be removed from the build. +md = "${libexecdir}/openldap" + +# #--enable-asyncmeta enable asyncmeta backend no|yes|mod no +PACKAGECONFIG[asyncmeta] = "--enable-asyncmeta=yes,--enable-asyncmeta=no" + +# #--enable-dnssrv enable dnssrv backend no|yes|mod no +PACKAGECONFIG[dnssrv] = "--enable-dnssrv=yes,--enable-dnssrv=no" + +# #--enable-ldap enable ldap backend no|yes|mod no +PACKAGECONFIG[ldap] = "--enable-ldap=yes,--enable-ldap=no," + +# #--enable-mdb enable mdb database backend no|yes|mod [yes] +PACKAGECONFIG[mdb] = "--enable-mdb=yes,--enable-mdb=no," + +# #--enable-meta enable metadirectory backend no|yes|mod no +PACKAGECONFIG[meta] = "--enable-meta=yes,--enable-meta=no," + +# #--enable-ndb enable MySQL NDB Cluster backend no|yes|mod [no] +PACKAGECONFIG[ndb] = "--enable-ndb=yes,--enable-ndb=no," + +# #--enable-null enable null backend no|yes|mod no +PACKAGECONFIG[null] = "--enable-null=yes,--enable-null=no," + +# #--enable-passwd enable passwd backend no|yes|mod no +PACKAGECONFIG[passwd] = "--enable-passwd=yes,--enable-passwd=no," + +# #--enable-perl 
enable perl backend no|yes|mod no +# # This requires a loadable perl dynamic library, if enabled without +# # doing something appropriate (building perl?) the build will pick +# # up the build machine perl - not good (inherit perlnative?) +PACKAGECONFIG[perl] = "--enable-perl=yes,--enable-perl=no,perl" + +# #--enable-relay enable relay backend no|yes|mod [yes] +PACKAGECONFIG[relay] = "--enable-relay=yes,--enable-relay=no," + +# #--enable-sock enable sock backend no|yes|mod [no] +PACKAGECONFIG[sock] = "--enable-sock=yes,--enable-sock=no," + +# #--enable-sql enable sql backend no|yes|mod no +# # sql requires some sql backend which provides sql.h, sqlite* provides +# # sqlite.h (which may be compatible but hasn't been tried.) +PACKAGECONFIG[sql] = "--enable-sql=yes,--enable-sql=no,sqlite3" + +# #--enable-wt enable wt backend no|yes|mod no +# # back-wt is marked currently as experimental +PACKAGECONFIG[wt] = "--enable-wt=yes,--enable-wt=no" + +# #--enable-dyngroup Dynamic Group overlay no|yes|mod no +# # This is a demo, Proxy Cache defines init_module which conflicts with the +# # same symbol in dyngroup +PACKAGECONFIG[dyngroup] = "--enable-dyngroup=yes,--enable-dyngroup=no," + +# #--enable-proxycache Proxy Cache overlay no|yes|mod no +PACKAGECONFIG[proxycache] = "--enable-proxycache=yes,--enable-proxycache=no," +FILES:${PN}-overlay-proxycache = "${md}/pcache-*.so.*" +PACKAGES += "${PN}-overlay-proxycache" + +# Append URANDOM_DEVICE='/dev/urandom' to CPPFLAGS: +# This allows tls to obtain random bits from /dev/urandom, by default +# it was disabled for cross-compiling. 
+CPPFLAGS:append = " -D_GNU_SOURCE -DURANDOM_DEVICE='/dev/urandom' -fPIC" + +LDFLAGS:append = " -pthread" + +do_configure() { + + export CPPFLAGS="${CPPFLAGS} ${CC_PURECAP_FLAGS}" + + rm -f ${S}/libtool + aclocal + libtoolize --force --copy + gnu-configize + cp ${STAGING_DATADIR_NATIVE}/libtool/build-aux/ltmain.sh ${S}/build + cp ${STAGING_DATADIR_NATIVE}/libtool/build-aux/missing ${S}/build + cp ${STAGING_DATADIR_NATIVE}/libtool/build-aux/compile ${S}/build + autoconf + oe_runconf +} + +do_install:append() { + install -d ${D}${sysconfdir}/init.d + cat ${WORKDIR}/initscript > ${D}${sysconfdir}/init.d/openldap + chmod 755 ${D}${sysconfdir}/init.d/openldap + # This is duplicated in /etc/openldap and is for slapd + rm -f ${D}{localstatedir}/openldap-data/DB_CONFIG.example + + # Installing slapd under ${sbin} is more FHS and LSB compliance + mv ${D}${libexecdir}/slapd ${D}${sbindir}/slapd + rmdir --ignore-fail-on-non-empty ${D}${libexecdir} + SLAPTOOLS="slapadd slapcat slapdn slapindex slappasswd slaptest slapauth slapacl slapschema slapmodify" + cd ${D}${sbindir}/ + rm -f ${SLAPTOOLS} + for i in ${SLAPTOOLS}; do ln -sf slapd $i; done + + rmdir "${D}${localstatedir}/run" + rmdir --ignore-fail-on-non-empty "${D}${localstatedir}" + + install -d ${D}${systemd_unitdir}/system/ + install -m 0644 ${WORKDIR}/slapd.service ${D}${systemd_unitdir}/system/slapd-morello.service + sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/*.service + + # Uses mdm as the database + # and localstatedir as data directory ... 
+ sed -e 's/# modulepath/modulepath/' \ + -e 's/# moduleload\s*back_bdb.*/moduleload back_mdb/' \ + -e 's/database\s*bdb/database mdb/' \ + -e 's%^directory\s*.*%directory ${localstatedir}/${BPN_LDAP}/data/%' \ + -i ${D}${sysconfdir}/openldap/slapd.conf + + mkdir -p ${D}${localstatedir}/${BPN_LDAP}/data +} + +do_install:append() { + ${OBJDUMP_COMMAND} ${D}${libdir}/libldap-2.5.so.0 > ${D}${PURECAP_DEBUGDIR}/libldap-2.5.dump + ${READELF_COMMAND} ${D}${libdir}/libldap-2.5.so.0 > ${D}${PURECAP_DEBUGDIR}/libldap-2.5.readelf + + ${OBJDUMP_COMMAND} ${D}${libdir}/liblber-2.5.so.0 > ${D}${PURECAP_DEBUGDIR}/liblber-2.5.dump + ${READELF_COMMAND} ${D}${libdir}/liblber-2.5.so.0 > ${D}${PURECAP_DEBUGDIR}/liblber-2.5.readelf +} + +LEAD_SONAME = "libldap-${LDAP_VER}.so.*" + +# The executables go in a separate package. This allows the +# installation of the libraries with no daemon support. +# Each module also has its own package - see above. +PACKAGES += "${PN}-slapd ${PN}-slurpd ${PN}-bin" + +# Package contents - shift most standard contents to -bin +FILES:${PN} = "${libdir}/lib*.so.* ${sysconfdir}/openldap/ldap.* \ + ${localstatedir}/${BPN_LDAP}/data ${libdir} \ + " +FILES:${PN}-slapd = "${sysconfdir}/init.d ${libexecdir}/slapd ${sbindir} ${localstatedir}/run ${localstatedir}/volatile/run \ + ${sysconfdir}/openldap/slapd.* ${sysconfdir}/openldap/schema \ + ${sysconfdir}/openldap/DB_CONFIG.example ${systemd_unitdir}/system/*" +FILES:${PN}-slurpd = "${libexecdir}/slurpd ${localstatedir}/openldap-slurp" +FILES:${PN}-bin = "${bindir}" +FILES:${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so ${libdir}/pkgconfig/*.pc" +FILES:${PN}-dbg += "${libexecdir}/openldap/.debug ${datadir}" + +FILES:${PN}-static-dev = "${libdir}/libldap.a ${libdir}/liblber.a" + +INITSCRIPT_PACKAGES = "${PN}-slapd" +INITSCRIPT_NAME:${PN}-slapd = "openldap" +INITSCRIPT_PARAMS:${PN}-slapd = "defaults" + +SYSTEMD_PACKAGES = 
"${PN}-slapd" +SYSTEMD_SERVICE:${PN}-slapd = "slapd-morello.service" +SYSTEMD_AUTO_ENABLE:${PN}-slapd ?= "disable" + +PACKAGES_DYNAMIC += "^${PN}-backends.* ^${PN}-backend-.*" + +# The modules require their .so to be dynamicaly loaded +INSANE_SKIP:${PN}-backend-asyncmeta += "dev-so" +INSANE_SKIP:${PN}-backend-dnssrv += "dev-so" +INSANE_SKIP:${PN}-backend-ldap += "dev-so" +INSANE_SKIP:${PN}-backend-meta += "dev-so" +INSANE_SKIP:${PN}-backend-mdb += "dev-so" +INSANE_SKIP:${PN}-backend-null += "dev-so" +INSANE_SKIP:${PN}-backend-passwd += "dev-so" + +# CVE-2015-3276 has no target code. +CVE_CHECK_IGNORE += "CVE-2015-3276"
Co-authored-by: Harrison Carter hcarter@thegoodpenguin.co.uk Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .../0001-tools-fix-cheri-provenance.patch | 32 ++ ..._endpoint_linux-fix-cheri-provenance.patch | 28 ++ recipes-protocols/net-snmp/files/init | 67 +++ recipes-protocols/net-snmp/files/snmpd.conf | 422 ++++++++++++++++++ .../net-snmp/files/snmptrapd.conf | 18 + ...ath.m4-keep-consistent-between-32bit.patch | 38 ++ .../0001-config_os_headers-Error-Fix.patch | 35 ++ ...1-get_pid_from_inode-Include-limit.h.patch | 27 ++ ....c-Don-t-check-for-return-from-EVP_M.patch | 34 ++ ...004-configure-fix-incorrect-variable.patch | 28 ++ .../CVE-2022-44792-CVE-2022-44793.patch | 116 +++++ .../net-snmp-morello/fix-libtool-finish.patch | 34 ++ ....7.2-fix-engineBoots-value-on-SIGHUP.patch | 44 ++ ...add-knob-whether-nlist.h-are-checked.patch | 36 ++ .../net-snmp-fix-for-disable-des.patch | 30 ++ ...ting-add-the-output-format-for-ptest.patch | 35 ++ .../reproducibility-have-printcap.patch | 30 ++ .../net-snmp/net-snmp-morello/run-ptest | 5 + .../net-snmp/net-snmp-morello/snmpd.service | 14 + .../net-snmp-morello/snmptrapd.service | 14 + .../net-snmp/net-snmp-morello_5.9.3.bb | 322 +++++++++++++ 21 files changed, 1409 insertions(+) create mode 100644 recipes-protocols/net-snmp/cheri-patches/0001-tools-fix-cheri-provenance.patch create mode 100644 recipes-protocols/net-snmp/cheri-patches/0002-udp_endpoint_linux-fix-cheri-provenance.patch create mode 100755 recipes-protocols/net-snmp/files/init create mode 100644 recipes-protocols/net-snmp/files/snmpd.conf create mode 100644 recipes-protocols/net-snmp/files/snmptrapd.conf create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0001-config_os_headers-Error-Fix.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0001-get_pid_from_inode-Include-limit.h.patch create 
mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0001-snmplib-keytools.c-Don-t-check-for-return-from-EVP_M.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/0004-configure-fix-incorrect-variable.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/CVE-2022-44792-CVE-2022-44793.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/fix-libtool-finish.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/net-snmp-add-knob-whether-nlist.h-are-checked.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/net-snmp-fix-for-disable-des.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/net-snmp-testing-add-the-output-format-for-ptest.patch create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/reproducibility-have-printcap.patch create mode 100755 recipes-protocols/net-snmp/net-snmp-morello/run-ptest create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/snmpd.service create mode 100644 recipes-protocols/net-snmp/net-snmp-morello/snmptrapd.service create mode 100644 recipes-protocols/net-snmp/net-snmp-morello_5.9.3.bb
diff --git a/recipes-protocols/net-snmp/cheri-patches/0001-tools-fix-cheri-provenance.patch b/recipes-protocols/net-snmp/cheri-patches/0001-tools-fix-cheri-provenance.patch
new file mode 100644
index 0000000..011c058
--- /dev/null
+++ b/recipes-protocols/net-snmp/cheri-patches/0001-tools-fix-cheri-provenance.patch
@@ -0,0 +1,32 @@
+From af83d85774efe2d4114430fc178e8835346dcfea Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Mon, 10 Jul 2023 12:59:45 +0100
+Subject: [PATCH] tools: fix cheri provenance
+
+Replace the cast size_t with uintptr_t, it is safe to do
+so as this macro is used only with pointers.
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ include/net-snmp/library/tools.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net-snmp/library/tools.h b/include/net-snmp/library/tools.h
+index 2b69d63..ed9cda7 100644
+--- a/include/net-snmp/library/tools.h
++++ b/include/net-snmp/library/tools.h
+@@ -88,9 +88,9 @@ extern "C" {
+ */
+ #if defined(__GNUC__)
+ #define NETSNMP_REMOVE_CONST(t, e) \
+- (__extension__ ({ const t tmp = (e); (t)(size_t)tmp; }))
++ (__extension__ ({ const t tmp = (e); (t)(uintptr_t)tmp; }))
+ #else
+-#define NETSNMP_REMOVE_CONST(t, e) ((t)(size_t)(e))
++#define NETSNMP_REMOVE_CONST(t, e) ((t)(uintptr_t)(e))
+ #endif
+ 
+ 
+-- 
+2.34.1
+
diff --git a/recipes-protocols/net-snmp/cheri-patches/0002-udp_endpoint_linux-fix-cheri-provenance.patch b/recipes-protocols/net-snmp/cheri-patches/0002-udp_endpoint_linux-fix-cheri-provenance.patch
new file mode 100644
index 0000000..a6e89c2
--- /dev/null
+++ b/recipes-protocols/net-snmp/cheri-patches/0002-udp_endpoint_linux-fix-cheri-provenance.patch
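Review bot: cheri-patches/0001-tools-fix-cheri-provenance.patch carries no `Upstream-Status:` line in its header, and the same is true of 0002-udp_endpoint_linux-fix-cheri-provenance.patch in the next hunk and of net-snmp-morello/0001-snmplib-keytools.c-Don-t-check-for-return-from-EVP_M.patch further down; the other patches in this commit have one (e.g. `Upstream-Status: Pending`), and the layer's patch-status QA check will, as far as I know, warn on the omission. For the two CHERI patches add `Upstream-Status: Pending` under the Subject (or `Inappropriate [CHERI specific]` if they are not meant for upstream) together with the actual reason for the change: the description says the `uintptr_t` cast is "safe" but not why it is needed, which is that a round trip through `size_t` strips the capability's bounds and provenance on a CHERI target while `uintptr_t` preserves them. The tools.h hunk does not show whether `<stdint.h>` is already included ahead of the macro; if it is not, the non-GNU `#else` path now depends on it as well.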
@@ -0,0 +1,28 @@
+From 16d13618f3ae71394be8247a5de2aadace40a31b Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Mon, 10 Jul 2023 13:30:38 +0100
+Subject: [PATCH 2/2] udp_endpoint_linux: fix cheri provenance
+
+Cast the size to uintptr_t.
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ agent/mibgroup/udp-mib/data_access/udp_endpoint_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/agent/mibgroup/udp-mib/data_access/udp_endpoint_linux.c b/agent/mibgroup/udp-mib/data_access/udp_endpoint_linux.c
+index f0c92d8..c6f6e9f 100644
+--- a/agent/mibgroup/udp-mib/data_access/udp_endpoint_linux.c
++++ b/agent/mibgroup/udp-mib/data_access/udp_endpoint_linux.c
+@@ -303,7 +303,7 @@ _load6(netsnmp_container *container, u_int load_flags)
+ memset(&lpi, 0x0, sizeof(lpi));
+ lpi.mem_size = sizeof(netsnmp_udp_endpoint_entry);
+ lpi.process = _process_line_udp_ep;
+- lpi.user_context = (void*)CONTAINER_SIZE(container);
++ lpi.user_context = (void*)(uintptr_t)CONTAINER_SIZE(container);
+ 
+ container = netsnmp_file_text_parse(fp, container, PM_USER_FUNCTION,
+ 0, &lpi);
+-- 
+2.34.1
+
diff --git a/recipes-protocols/net-snmp/files/init b/recipes-protocols/net-snmp/files/init
new file mode 100755
index 0000000..046c624
--- /dev/null
+++ b/recipes-protocols/net-snmp/files/init
@@ -0,0 +1,67 @@
+#! /bin/sh
+# /etc/init.d/snmpd: start snmp daemon.
+
+. /etc/init.d/functions
+
+# Defaults
+PURECAP_DIR=%PURECAP_DIR%
+export MIBDIRS=${PURECAP_DIR}/usr/share/snmp/mibs
+SNMPDRUN=yes
+SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid'
+TRAPDRUN=no
+TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'
+PIDFILE=/var/run/snmpd.pid
+SPIDFILE=/var/run/snmptrapd.pid
+
+# Reads config file if exists (will override defaults above)
+[ -r /etc/default/snmpd ] && . /etc/default/snmpd
+
+[ "$SNMPDRUN" = "yes" ] && { test -x ${PURECAP_DIR}/usr/sbin/snmpd || exit 0; }
+[ "$TRAPDRUN" = "yes" ] && { test -x ${PURECAP_DIR}/usr/sbin/snmptrapd || exit 0; }
+
+case "$1" in
+ start)
+ echo -n "Starting network management services:"
+ if [ "$SNMPDRUN" = "yes" -a -f /etc/snmp/snmpd.conf -a ! -f "$PIDFILE" ]; then
+ start-stop-daemon -o --start --quiet --name snmpd --pidfile "$PIDFILE" \
+ --exec ${PURECAP_DIR}/usr/sbin/snmpd -- $SNMPDOPTS
+ echo -n " snmpd"
+ fi
+ if [ "$TRAPDRUN" = "yes" -a -f /etc/snmp/snmptrapd.conf -a ! -f "$SPIDFILE" ]; then
+ start-stop-daemon -o --start --quiet --name snmptrapd --pidfile "$SPIDFILE" \
+ --exec ${PURECAP_DIR}/usr/sbin/snmptrapd -- $TRAPDOPTS
+ echo -n " snmptrapd"
+ fi
+ echo "."
+
+ test ! -x /sbin/restorecon || /sbin/restorecon -FR /var/lib/net-snmp
+ ;;
+ stop)
+ echo -n "Stopping network management services:"
+ if [ -f "$PIDFILE" ] ; then
+ start-stop-daemon -o --stop --quiet --pidfile $PIDFILE --name snmpd
+ fi
+ echo -n " snmpd"
+ if [ -f "$SPIDFILE" ] ; then
+ start-stop-daemon -o --stop --quiet --pidfile $SPIDFILE --name snmptrapd
+ rm -rf $SPIDFILE
+ fi
+ echo -n " snmptrapd"
+ echo "."
+ ;;
+ status)
+ status ${PURECAP_DIR}/usr/sbin/snmpd;
+ exit $?
+ ;;
+ restart|reload|force-reload)
+ $0 stop
+ # Allow the daemons time to exit completely.
+ sleep 2
+ $0 start
+ ;;
+ *)
+ echo "Usage: /etc/init.d/snmpd {start|stop|status|restart|reload|force-reload}"
+ exit 1
+esac
+
+exit 0
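Review bot: In the `stop)` branch, `rm -rf $SPIDFILE` is a recursive, unquoted delete of a path that `/etc/default/snmpd` (sourced near the top of the script) is allowed to override; a pid file only needs `rm -f "$SPIDFILE"`, which also cannot follow a mis-set variable into a directory. The same unquoted expansion appears in `--pidfile $PIDFILE` and `--pidfile $SPIDFILE` on the two `--stop` lines, while the `--start` lines quote both variables. Separately, `start)` refuses to launch snmpd while `$PIDFILE` exists but `stop)` never removes it (it does remove `$SPIDFILE`), so unless snmpd unlinks its own pid file on exit a stale one blocks the next `start`; deleting it after the `--stop` call would make the two branches symmetric.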
diff --git a/recipes-protocols/net-snmp/files/snmpd.conf b/recipes-protocols/net-snmp/files/snmpd.conf new file mode 100644 index 0000000..728171c --- /dev/null +++ b/recipes-protocols/net-snmp/files/snmpd.conf 
@@ -0,0 +1,422 @@ +############################################################################### +# +# EXAMPLE.conf: +# An example configuration file for configuring the ucd-snmp snmpd agent. +# +############################################################################### +# +# This file is intended to only be an example. If, however, you want +# to use it, it should be placed in /etc/snmp/snmpd.conf. +# When the snmpd agent starts up, this is where it will look for it. +# +# You might be interested in generating your own snmpd.conf file using +# the "snmpconf" program (perl script) instead. It's a nice menu +# based interface to writing well commented configuration files. Try it! +# +# Note: This file is automatically generated from EXAMPLE.conf.def. +# Do NOT read the EXAMPLE.conf.def file! Instead, after you have run +# configure & make, and then make sure you read the EXAMPLE.conf file +# instead, as it will tailor itself to your configuration. + +# All lines beginning with a '#' are comments and are intended for you +# to read. All other lines are configuration commands for the agent. + +# +# PLEASE: read the snmpd.conf(5) manual page as well! +# + + +############################################################################### +# Access Control +############################################################################### + +# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY +# KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO +# SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE. + +# By far, the most common question I get about the agent is "why won't +# it work?", when really it should be "how do I configure the agent to +# allow me to access it?" +# +# By default, the agent responds to the "public" community for read +# only access, if run out of the box without any configuration file in +# place. 
The following examples show you other ways of configuring +# the agent so that you can change the community names, and give +# yourself write access as well. +# +# The following lines change the access permissions of the agent so +# that the COMMUNITY string provides read-only access to your entire +# NETWORK (EG: 10.10.10.0/24), and read/write access to only the +# localhost (127.0.0.1, not its real ipaddress). +# +# For more information, read the FAQ as well as the snmpd.conf(5) +# manual page. + +#### +# First, map the community name (COMMUNITY) into a security name +# (local and mynetwork, depending on where the request is coming +# from): + +# sec.name source community +com2sec paranoid default public +#com2sec readonly default public +#com2sec readwrite default private + +#### +# Second, map the security names into group names: + +# sec.model sec.name +group MyROSystem v1 paranoid +group MyROSystem v2c paranoid +group MyROSystem usm paranoid +group MyROGroup v1 readonly +group MyROGroup v2c readonly +group MyROGroup usm readonly +group MyRWGroup v1 readwrite +group MyRWGroup v2c readwrite +group MyRWGroup usm readwrite + +#### +# Third, create a view for us to let the groups have rights to: + +# incl/excl subtree mask +view all included .1 80 +view system included .iso.org.dod.internet.mgmt.mib-2.system + +#### +# Finally, grant the 2 groups access to the 1 view with different +# write permissions: + +# context sec.model sec.level match read write notif +access MyROSystem "" any noauth exact system none none +access MyROGroup "" any noauth exact all none none +access MyRWGroup "" any noauth exact all all none + +# ----------------------------------------------------------------------------- + + +############################################################################### +# System contact information +# + +# It is also possible to set the sysContact and sysLocation system +# variables through the snmpd.conf file. 
**PLEASE NOTE** that setting +# the value of these objects here makes these objects READ-ONLY +# (regardless of any access control settings). Any attempt to set the +# value of an object whose value is given here will fail with an error +# status of notWritable. + +syslocation Unknown (configure /etc/snmp/snmpd.local.conf) +syscontact Root root@localhost (configure /etc/snmp/snmpd.local.conf) + +# Example output of snmpwalk: +# % snmpwalk -v 1 -c public localhost system +# system.sysDescr.0 = "SunOS name sun4c" +# system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4 +# system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55 +# system.sysContact.0 = "Me me@somewhere.org" +# system.sysName.0 = "name" +# system.sysLocation.0 = "Right here, right now." +# system.sysServices.0 = 72 + + +# ----------------------------------------------------------------------------- + + +############################################################################### +# Process checks. +# +# The following are examples of how to use the agent to check for +# processes running on the host. The syntax looks something like: +# +# proc NAME [MAX=0] [MIN=0] +# +# NAME: the name of the process to check for. It must match +# exactly (ie, http will not find httpd processes). +# MAX: the maximum number allowed to be running. Defaults to 0. +# MIN: the minimum number to be running. Defaults to 0. + +# +# Examples: +# + +# Make sure mountd is running +#proc mountd + +# Make sure there are no more than 4 ntalkds running, but 0 is ok too. +#proc ntalkd 4 + +# Make sure at least one sendmail, but less than or equal to 10 are running. 
+#proc sendmail 10 1 + +# A snmpwalk of the prTable would look something like this: +# +# % snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.2 +# enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1 +# enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2 +# enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3 +# enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd" +# enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd" +# enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail" +# enterprises.ucdavis.procTable.prEntry.prMin.1 = 0 +# enterprises.ucdavis.procTable.prEntry.prMin.2 = 0 +# enterprises.ucdavis.procTable.prEntry.prMin.3 = 1 +# enterprises.ucdavis.procTable.prEntry.prMax.1 = 0 +# enterprises.ucdavis.procTable.prEntry.prMax.2 = 4 +# enterprises.ucdavis.procTable.prEntry.prMax.3 = 10 +# enterprises.ucdavis.procTable.prEntry.prCount.1 = 0 +# enterprises.ucdavis.procTable.prEntry.prCount.2 = 0 +# enterprises.ucdavis.procTable.prEntry.prCount.3 = 1 +# enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1 +# enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0 +# enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0 +# enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running." +# enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "" +# enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = "" +# enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0 +# enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0 +# enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0 +# +# Note that the errorFlag for mountd is set to 1 because one is not +# running (in this case an rpc.mountd is, but thats not good enough), +# and the ErrMessage tells you what's wrong. The configuration +# imposed in the snmpd.conf file is also shown. +# +# Special Case: When the min and max numbers are both 0, it assumes +# you want a max of infinity and a min of 1. 
+# + + +# ----------------------------------------------------------------------------- + + +############################################################################### +# Executables/scripts +# + +# +# You can also have programs run by the agent that return a single +# line of output and an exit code. Here are two examples. +# +# exec NAME PROGRAM [ARGS ...] +# +# NAME: A generic name. +# PROGRAM: The program to run. Include the path! +# ARGS: optional arguments to be passed to the program + +# a simple hello world +#exec echotest /bin/echo hello world + +# Run a shell script containing: +# +# #!/bin/sh +# echo hello world +# echo hi there +# exit 35 +# +# Note: this has been specifically commented out to prevent +# accidental security holes due to someone else on your system writing +# a /tmp/shtest before you do. Uncomment to use it. +# +#exec shelltest /bin/sh /tmp/shtest + +# Then, +# % snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.8 +# enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1 +# enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2 +# enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest" +# enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest" +# enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world" +# enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest" +# enterprises.ucdavis.extTable.extEntry.extResult.1 = 0 +# enterprises.ucdavis.extTable.extEntry.extResult.2 = 35 +# enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world." +# enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world." +# enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0 +# enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0 + +# Note that the second line of the /tmp/shtest shell script is cut +# off. Also note that the exit status of 35 was returned. 
+ +# ----------------------------------------------------------------------------- + + +############################################################################### +# disk checks +# + +# The agent can check the amount of available disk space, and make +# sure it is above a set limit. + +# disk PATH [MIN=DEFDISKMINIMUMSPACE] +# +# PATH: mount path to the disk in question. +# MIN: Disks with space below this value will have the Mib's errorFlag set. +# Default value = DEFDISKMINIMUMSPACE. + +# Check the / partition and make sure it contains at least 10 megs. + +#disk / 10000 + +# % snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.9 +# enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0 +# enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F +# enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0" +# enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000 +# enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130 +# enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325 +# enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092 +# enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58 +# enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0 +# enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = "" + +# ----------------------------------------------------------------------------- + + +############################################################################### +# load average checks +# + +# load [1MAX=DEFMAXLOADAVE] [5MAX=DEFMAXLOADAVE] [15MAX=DEFMAXLOADAVE] +# +# 1MAX: If the 1 minute load average is above this limit at query +# time, the errorFlag will be set. +# 5MAX: Similar, but for 5 min average. +# 15MAX: Similar, but for 15 min average. 
+ +# Check for loads: +#load 12 14 14 + +# % snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.10 +# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1 +# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2 +# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3 +# enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1" +# enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5" +# enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15" +# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39 +# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31 +# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36 +# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00" +# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00" +# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00" +# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0 +# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0 +# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0 +# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = "" +# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = "" +# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = "" + +# ----------------------------------------------------------------------------- + + +############################################################################### +# Extensible sections. +# + +# This alleviates the multiple line output problem found in the +# previous executable mib by placing each mib in its own mib table: + +# Run a shell script containing: +# +# #!/bin/sh +# echo hello world +# echo hi there +# exit 35 +# +# Note: this has been specifically commented out to prevent +# accidental security holes due to someone else on your system writing +# a /tmp/shtest before you do. Uncomment to use it. 
+# +# exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest + +# % snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.50 +# enterprises.ucdavis.50.1.1 = 1 +# enterprises.ucdavis.50.2.1 = "shelltest" +# enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest" +# enterprises.ucdavis.50.100.1 = 35 +# enterprises.ucdavis.50.101.1 = "hello world." +# enterprises.ucdavis.50.101.2 = "hi there." +# enterprises.ucdavis.50.102.1 = 0 + +# Now the Output has grown to two lines, and we can see the 'hi +# there.' output as the second line from our shell script. +# +# Note that you must alter the mib.txt file to be correct if you want +# the .50.* outputs above to change to reasonable text descriptions. + +# Other ideas: +# +# exec .1.3.6.1.4.1.2021.51 ps /bin/ps +# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top +# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq + +# ----------------------------------------------------------------------------- + + +############################################################################### +# Pass through control. +# + +# Usage: +# pass MIBOID EXEC-COMMAND +# +# This will pass total control of the mib underneath the MIBOID +# portion of the mib to the EXEC-COMMAND. +# +# Note: You'll have to change the path of the passtest script to your +# source directory or install it in the given location. +# +# Example: (see the script for details) +# (commented out here since it requires that you place the +# script in the right location. 
(its not installed by default)) + +# pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/passtest + +# % snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.255 +# enterprises.ucdavis.255.1 = "life the universe and everything" +# enterprises.ucdavis.255.2.1 = 42 +# enterprises.ucdavis.255.2.2 = OID: 42.42.42 +# enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42 +# enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1 +# enterprises.ucdavis.255.5 = 42 +# enterprises.ucdavis.255.6 = Gauge: 42 +# +# % snmpget -v 1 -c public localhost .1.3.6.1.4.1.2021.255.5 +# enterprises.ucdavis.255.5 = 42 +# +# % snmpset -v 1 -c public localhost .1.3.6.1.4.1.2021.255.1 s "New string" +# enterprises.ucdavis.255.1 = "New string" +# + +# For specific usage information, see the man/snmpd.conf.5 manual page +# as well as the local/passtest script used in the above example. + +############################################################################### +# Subagent control +# + +# The agent can support subagents using a number of extension mechanisms. +# From the 4.2.1 release, AgentX support is being compiled in by default. +# However, this is still experimental code, so should not be used on +# critical production systems. +# Please see the file README.agentx for more details. +# +# If having read, marked, learnt and inwardly digested this information, +# you decide that you do wish to make use of this mechanism, simply +# uncomment the following directive. +# +# master agentx +# +# I repeat - this is *NOT* regarded as suitable for front-line production +# systems, though it is probably stable enough for day-to-day use. +# Probably. +# +# No refunds will be given. + +############################################################################### +# Further Information +# +# See the snmpd.conf manual page, and the output of "snmpd -H". +# MUCH more can be done with the snmpd.conf than is shown as an +# example here. 
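Review bot: The access-control block (`com2sec paranoid default public` → `group MyROSystem … paranoid` → `access MyROSystem "" any noauth exact system none none`) grants read-only access to the `system` subtree to any source address that presents the well-known `public` community over v1/v2c, while the header of the same file still says it "is intended to only be an example". The init script in this commit looks for this file at `/etc/snmp/snmpd.conf`, so presumably the recipe installs it as the live configuration rather than as documentation; shipping `com2sec paranoid localhost public` (or a site-specific community) and keeping the `default` source only as a commented example would match the capitalised warning at the top of the Access Control section. The `readonly` and `readwrite` `com2sec` lines are commented out, so `MyROGroup` and `MyRWGroup` currently map no principals and their `access` lines are inert; a one-line comment saying so would stop someone enabling `readwrite` without also tightening its source.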
diff --git a/recipes-protocols/net-snmp/files/snmptrapd.conf b/recipes-protocols/net-snmp/files/snmptrapd.conf
new file mode 100644
index 0000000..8d2e437
--- /dev/null
+++ b/recipes-protocols/net-snmp/files/snmptrapd.conf
@@ -0,0 +1,18 @@
+###############################################################################
+#
+# EXAMPLE.conf:
+# An example configuration file for configuring the ucd-snmp snmptrapd agent.
+#
+###############################################################################
+#
+# This file is intended to only be an example. If, however, you want
+# to use it, it should be placed in /etc/snmp/snmptrapd.conf.
+# When the snmptrapd agent starts up, this is where it will look for it.
+#
+# All lines beginning with a '#' are comments and are intended for you
+# to read. All other lines are configuration commands for the agent.
+
+#
+# PLEASE: read the snmptrapd.conf(5) manual page as well!
+#
+
diff --git a/recipes-protocols/net-snmp/net-snmp-morello/0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch b/recipes-protocols/net-snmp/net-snmp-morello/0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch
new file mode 100644
index 0000000..0eeddf7
--- /dev/null
+++ b/recipes-protocols/net-snmp/net-snmp-morello/0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch
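Review bot: The installed snmptrapd.conf holds no directives at all, and as far as I recall snmptrapd (5.3 onwards) refuses every received trap until an `authCommunity` or `disableAuthorization` line grants access, logging an access-configuration warning rather than forwarding anything; the header comment does not mention this. The init script in this commit defaults `TRAPDRUN=no`, so whoever later enables the daemon in `/etc/default/snmpd` gets a trap receiver that drops all input with no hint in the config file. A comment such as `# No authorization directives are set: snmptrapd discards received traps until an authCommunity line is added below.` would save that diagnosis.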
@@ -0,0 +1,38 @@
+From 98c62e24fdd05d7e8bd8149840bad8eb0feb3fb1 Mon Sep 17 00:00:00 2001
+From: Mingli Yu mingli.yu@windriver.com
+Date: Fri, 29 Jan 2021 08:49:15 +0000
+Subject: [PATCH] ac_add_search_path.m4: keep consistent between 32bit and
+ 64bit
+
+With configure option "--with-openssl=${STAGING_EXECPREFIXDIR}", it behaves
+differently between 32bit and 64bit system as the openssl lib resides under
+/build/tmp/work/corei7-64-wrs-linux/net-snmp/5.9-r0/recipe-sysroot/usr/lib64
+for 64bit system, but resides under [1] for 32bit system.
+
+So add the patch to fix the gap between 32bit and 64bit system.
+
+[1] /build/tmp/work/corei7-64-wrs-linux/net-snmp/5.9-r0/recipe-sysroot/usr/lib
+
+Upstream-Status: Inappropriate [configuration specific]
+
+Signed-off-by: Mingli Yu mingli.yu@windriver.com
+
+---
+ m4/ac_add_search_path.m4 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/m4/ac_add_search_path.m4 b/m4/ac_add_search_path.m4
+index 8e0a819..e9585bc 100644
+--- a/m4/ac_add_search_path.m4
++++ b/m4/ac_add_search_path.m4
+@@ -3,8 +3,8 @@ dnl Add a search path to the LIBS and CPPFLAGS variables
+ dnl
+ AC_DEFUN([AC_ADD_SEARCH_PATH],[
+ if test "x$1" != x -a -d $1; then
+- if test -d $1/lib; then
+- LDFLAGS="-L$1/lib $LDFLAGS"
++ if test -d $1/${libdir:5}; then
++ LDFLAGS="-L$1/${libdir:5} $LDFLAGS"
+ fi
+ if test -d $1/include; then
+ CPPFLAGS="-I$1/include $CPPFLAGS"
diff --git a/recipes-protocols/net-snmp/net-snmp-morello/0001-config_os_headers-Error-Fix.patch b/recipes-protocols/net-snmp/net-snmp-morello/0001-config_os_headers-Error-Fix.patch
new file mode 100644
index 0000000..f8a52a6
--- /dev/null
+++ b/recipes-protocols/net-snmp/net-snmp-morello/0001-config_os_headers-Error-Fix.patch
@@ -0,0 +1,35 @@
+From e86d5fd52f19b85da0b7cce660c6e65ec4c0f9bb Mon Sep 17 00:00:00 2001
+From: Li xin lixin.fnst@cn.fujitsu.com
+Date: Fri, 21 Aug 2015 18:23:13 +0900
+Subject: [PATCH] config_os_headers: Error Fix
+
+ERROR: This autoconf log indicates errors, it looked at host include
+and/or library paths while determining system capabilities.
+cc1: warning: include location "/usr/local/include" is unsafe for cross-compilation [-Wpoison-system-directories]
+conftest.c:168:17: fatal error: pkg.h: No such file or directory
+ #include <pkg.h>
+ ^
+
+Upstream-Status: pending
+
+Signed-off-by: Li Xin lixin.fnst@cn.fujitsu.com
+
+---
+ configure.d/config_os_headers | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.d/config_os_headers b/configure.d/config_os_headers
+index 01c3376..6edd85f 100644
+--- a/configure.d/config_os_headers
++++ b/configure.d/config_os_headers
+@@ -395,8 +395,8 @@ then
+ unset ac_cv_header_pkg_h
+ netsnmp_save_CPPFLAGS="$CPPFLAGS"
+ netsnmp_save_LDFLAGS="$LDFLAGS"
+- CPPFLAGS="$CPPFLAGS -I/usr/local/include"
+- LDFLAGS="$LDFLAGS -L/usr/local/lib"
++ CPPFLAGS="$CPPFLAGS"
++ LDFLAGS="$LDFLAGS"
+ AC_CHECK_HEADERS(pkg.h,
+ NETSNMP_SEARCH_LIBS(pkg_init, pkg,
+ AC_DEFINE(HAVE_LIBPKG, 1, [define if you have BSD pkg-ng])))
diff --git a/recipes-protocols/net-snmp/net-snmp-morello/0001-get_pid_from_inode-Include-limit.h.patch b/recipes-protocols/net-snmp/net-snmp-morello/0001-get_pid_from_inode-Include-limit.h.patch
new file mode 100644
index 0000000..a7881a8
--- /dev/null
+++ b/recipes-protocols/net-snmp/net-snmp-morello/0001-get_pid_from_inode-Include-limit.h.patch
@@ -0,0 +1,27 @@
+From 8097734b27fd146f358a4edd0d1a0d28309bd9a4 Mon Sep 17 00:00:00 2001
+From: Khem Raj raj.khem@gmail.com
+Date: Fri, 22 Jul 2016 18:34:39 +0000
+Subject: [PATCH] get_pid_from_inode: Include limit.h
+
+PATH_MAX and NAME_MAX are required by this file
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj raj.khem@gmail.com
+
+---
+ agent/mibgroup/util_funcs/get_pid_from_inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/agent/mibgroup/util_funcs/get_pid_from_inode.c b/agent/mibgroup/util_funcs/get_pid_from_inode.c
+index 5788e1d..ea380a6 100644
+--- a/agent/mibgroup/util_funcs/get_pid_from_inode.c
++++ b/agent/mibgroup/util_funcs/get_pid_from_inode.c
+@@ -6,6 +6,7 @@
+ #include <net-snmp/output_api.h>
+ 
+ #include <ctype.h>
++#include <limits.h>
+ #include <stdio.h>
+ #ifdef HAVE_STDLIB_H
+ #include <stdlib.h>
diff --git a/recipes-protocols/net-snmp/net-snmp-morello/0001-snmplib-keytools.c-Don-t-check-for-return-from-EVP_M.patch b/recipes-protocols/net-snmp/net-snmp-morello/0001-snmplib-keytools.c-Don-t-check-for-return-from-EVP_M.patch
new file mode 100644
index 0000000..af6334f
--- /dev/null
+++ b/recipes-protocols/net-snmp/net-snmp-morello/0001-snmplib-keytools.c-Don-t-check-for-return-from-EVP_M.patch
@@ -0,0 +1,34 @@
+From f4e1acd4f509dd26cf88da872bd5adcf884f4a5f Mon Sep 17 00:00:00 2001
+From: Khem Raj raj.khem@gmail.com
+Date: Fri, 18 Sep 2015 00:28:45 -0400
+Subject: [PATCH] snmplib/keytools.c: Don't check for return from
+
+ EVP_MD_CTX_init()
+
+EVP_MD_CTX_init() API returns void, it fixes errors with new compilers
+
+snmplib/keytools.c: In function 'generate_Ku': error: invalid use of void expression
+
+Signed-off-by: Khem Raj raj.khem@gmail.com
+Signed-off-by: Ovidiu Panait ovidiu.panait@windriver.com
+
+---
+ snmplib/keytools.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/snmplib/keytools.c b/snmplib/keytools.c
+index 14a452a..fb1694b 100644
+--- a/snmplib/keytools.c
++++ b/snmplib/keytools.c
+@@ -183,10 +183,7 @@ generate_Ku(const oid * hashtype, u_int hashtype_len,
+ ctx = EVP_MD_CTX_create();
+ #else
+ ctx = malloc(sizeof(*ctx));
+- if (!EVP_MD_CTX_init(ctx)) {
+- rval = SNMPERR_GENERR;
+- goto generate_Ku_quit;
+- }
++ EVP_MD_CTX_init(ctx);
+ #endif
+ if (!EVP_DigestInit(ctx, hashfn)) {
+ rval = SNMPERR_GENERR;
diff --git a/recipes-protocols/net-snmp/net-snmp-morello/0004-configure-fix-incorrect-variable.patch b/recipes-protocols/net-snmp/net-snmp-morello/0004-configure-fix-incorrect-variable.patch
new file mode 100644
index 0000000..6e22418
--- /dev/null
+++ b/recipes-protocols/net-snmp/net-snmp-morello/0004-configure-fix-incorrect-variable.patch
@@ -0,0 +1,28 @@ +From 6d655ba677563ac9d62d4d8eee59fdb39d486c02 Mon Sep 17 00:00:00 2001 +From: Wenlin Kang wenlin.kang@windriver.com +Date: Wed, 24 May 2017 17:10:20 +0800 +Subject: [PATCH] configure: fix incorrect variable + +For cross compile platform, this variable will not be correct, so fix it. + +Upstream-Status: Inappropriate [cross compile specific] + +Signed-off-by: Wenlin Kang wenlin.kang@windriver.com + +--- + Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.in b/Makefile.in +index f1cbbf5..1545be3 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -173,7 +173,7 @@ OTHERCLEANTODOS=perlclean @PYTHONCLEANTARGS@ cleanfeatures perlcleanfeatures pyt + # + # override LD_RUN_PATH to avoid dependencies on the build directory + perlmodules: perlmakefiles subdirs +- @(cd perl ; $(MAKE) LD_RUN_PATH="$(libdir):`$(PERL) -e 'use Config; print qq($$Config{archlibexp}/CORE);'`") ; \ ++ @(cd perl ; $(MAKE) LD_RUN_PATH="$(libdir):`$(PERL) -e 'use Config; print qq($$Config{installprivlib}/CORE);'`") ; \ + if test $$? != 0 ; then \ + exit 1 ; \ + fi diff --git a/recipes-protocols/net-snmp/net-snmp-morello/CVE-2022-44792-CVE-2022-44793.patch b/recipes-protocols/net-snmp/net-snmp-morello/CVE-2022-44792-CVE-2022-44793.patch new file mode 100644 index 0000000..ce7e342 --- /dev/null +++ b/recipes-protocols/net-snmp/net-snmp-morello/CVE-2022-44792-CVE-2022-44793.patch 
@@ -0,0 +1,116 @@ +From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001 +From: Bill Fenner fenner@gmail.com +Date: Fri, 25 Nov 2022 08:41:24 -0800 +Subject: [PATCH ] snmp_agent: disallow SET with NULL varbind + +Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199a...] +CVE: CVE-2022-44792 & CVE-2022-44793 +Signed-off-by: Hitendra Prajapati hprajapati@mvista.com +--- + agent/snmp_agent.c | 32 +++++++++++++++++++ + apps/snmpset.c | 1 + + .../default/T0142snmpv2csetnull_simple | 31 ++++++++++++++++++ + 3 files changed, 64 insertions(+) + create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple + +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c +index 3376357..f51c252 100644 +--- a/agent/snmp_agent.c ++++ b/agent/snmp_agent.c +@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status) + return 1; + } + ++static int ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp) ++{ ++ int i; ++ netsnmp_variable_list *v = NULL; ++ ++ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) { ++ if (v->type == ASN_NULL) { ++ /* ++ * Protect SET implementations that do not protect themselves ++ * against wrong type. 
++ */ ++ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i)); ++ asp->index = i; ++ return SNMP_ERR_WRONGTYPE; ++ } ++ } ++ return SNMP_ERR_NOERROR; ++} ++ + int + handle_pdu(netsnmp_agent_session *asp) + { + int status, inclusives = 0; + netsnmp_variable_list *v = NULL; + ++#ifndef NETSNMP_NO_WRITE_SUPPORT ++ /* ++ * Check for ASN_NULL in SET request ++ */ ++ if (asp->pdu->command == SNMP_MSG_SET) { ++ status = check_set_pdu_for_null_varbind(asp); ++ if (status != SNMP_ERR_NOERROR) { ++ return status; ++ } ++ } ++#endif /* NETSNMP_NO_WRITE_SUPPORT */ ++ + /* + * for illegal requests, mark all nodes as ASN_NULL + */ +diff --git a/apps/snmpset.c b/apps/snmpset.c +index 50f33db..387a51d 100644 +--- a/apps/snmpset.c ++++ b/apps/snmpset.c +@@ -182,6 +182,7 @@ main(int argc, char *argv[]) + case 'x': + case 'd': + case 'b': ++ case 'n': /* undocumented */ + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case 'I': + case 'U': +diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple +new file mode 100644 +index 0000000..0f1b8f3 +--- /dev/null ++++ b/testing/fulltests/default/T0142snmpv2csetnull_simple +@@ -0,0 +1,31 @@ ++#!/bin/sh ++ ++. ../support/simple_eval_tools.sh ++ ++HEADER SNMPv2c set of system.sysContact.0 with NULL varbind ++ ++SKIPIF NETSNMP_DISABLE_SET_SUPPORT ++SKIPIF NETSNMP_NO_WRITE_SUPPORT ++SKIPIF NETSNMP_DISABLE_SNMPV2C ++SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE ++ ++# ++# Begin test ++# ++ ++# standard V2C configuration: testcomunnity ++snmp_write_access='all' ++. 
./Sv2cconfig ++STARTAGENT ++ ++CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0" ++ ++CHECK ".1.3.6.1.2.1.1.4.0 = STRING:" ++ ++CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x" ++ ++CHECK "Reason: wrongType" ++ ++STOPAGENT ++ ++FINISHED +-- +2.25.1 + diff --git a/recipes-protocols/net-snmp/net-snmp-morello/fix-libtool-finish.patch b/recipes-protocols/net-snmp/net-snmp-morello/fix-libtool-finish.patch new file mode 100644 index 0000000..409c1e0 --- /dev/null +++ b/recipes-protocols/net-snmp/net-snmp-morello/fix-libtool-finish.patch @@ -0,0 +1,34 @@ +From ab1d77c52e84746e75506a2870783806bc77f396 Mon Sep 17 00:00:00 2001 +From: "Roy.Li" rongqing.li@windriver.com +Date: Fri, 16 Jan 2015 14:14:01 +0800 +Subject: [PATCH] net-snmp: fix "libtool --finish" + +LIB_LDCONFIG_CMD failed since it is using a host dir $(libdir) +which is /usr/lib64 does not exist on host when compile 64bit +image. + +In fact, configuring dynamic linker run-time bindings is meaningless +at this step, If it is needed, Poky would write ldconfig scripts to +rpm-postinst for each recipe while do_package, in package.bbclass. + +Upstream-Status: Inappropriate [cross compile specific] + +Signed-off-by: Roy.Li rongqing.li@windriver.com + +--- + Makefile.top | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.top b/Makefile.top +index a962c54..1ba5607 100644 +--- a/Makefile.top ++++ b/Makefile.top +@@ -89,7 +89,7 @@ LIBREVISION = 0 + LIB_LD_CMD = $(LIBTOOL) --mode=link $(LINKCC) $(CFLAGS) -rpath $(libdir) -version-info $(LIBCURRENT):$(LIBREVISION):$(LIBAGE) @LD_NO_UNDEFINED@ -o + LIB_EXTENSION = la + LIB_VERSION = +-LIB_LDCONFIG_CMD = $(LIBTOOL) --mode=finish $(INSTALL_PREFIX)$(libdir) ++LIB_LDCONFIG_CMD = echo "do not ldconfig\n" + LINK = $(LIBTOOL) --mode=link $(LINKCC) + # RANLIB = @RANLIB@ + RANLIB = : 
diff --git a/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch b/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch new file mode 100644 index 0000000..35e93d6 --- /dev/null +++ b/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch @@ -0,0 +1,44 @@ +From 5ad4eab43c1ea63ff343bba64d576440e8783e75 Mon Sep 17 00:00:00 2001 +From: Zheng Ruoqin zhengrq.fnst@fujitsu.com +Date: Wed, 9 Jun 2021 15:47:30 +0900 +Subject: [PATCH] net snmp: fix engineBoots value on SIGHUP + +Upstream-Status: Pending + +Signed-off-by: Marian Florea marian.florea@windriver.com +Signed-off-by: Li Zhou li.zhou@windriver.com +Signed-off-by: Ovidiu Panait ovidiu.panait@windriver.com + +--- + agent/snmpd.c | 1 + + snmplib/snmpv3.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/agent/snmpd.c b/agent/snmpd.c +index 90de12d..1ccc4db 100644 +--- a/agent/snmpd.c ++++ b/agent/snmpd.c +@@ -1169,6 +1169,7 @@ snmpd_reconfig(void) + snmp_log(LOG_INFO, "NET-SNMP version %s restarted\n", + netsnmp_get_version()); + update_config(); ++ snmp_store(app_name); + send_easy_trap(SNMP_TRAP_ENTERPRISESPECIFIC, 3); + #ifdef HAVE_SIGPROCMASK + ret = sigprocmask(SIG_UNBLOCK, &set, NULL); +diff --git a/snmplib/snmpv3.c b/snmplib/snmpv3.c +index 7b1746b..4a17e0d 100644 +--- a/snmplib/snmpv3.c ++++ b/snmplib/snmpv3.c +@@ -1059,9 +1059,9 @@ init_snmpv3_post_config(int majorid, int minorid, void *serverarg, + /* + * if our engineID has changed at all, the boots record must be set to 1 + */ +- if (engineIDLen != oldEngineIDLength || ++ if (oldEngineIDLength != (size_t)0 && (engineIDLen != oldEngineIDLength || + oldEngineID == NULL || c_engineID == NULL || +- memcmp(oldEngineID, c_engineID, engineIDLen) != 0) { ++ memcmp(oldEngineID, c_engineID, engineIDLen) != 0)) { + engineBoots = 1; + } + 
diff --git a/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-add-knob-whether-nlist.h-are-checked.patch b/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-add-knob-whether-nlist.h-are-checked.patch new file mode 100644 index 0000000..c5a453a --- /dev/null +++ b/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-add-knob-whether-nlist.h-are-checked.patch @@ -0,0 +1,36 @@ +From ad65b106d3cb3c6e595381be1c45a73c1ef6eb5e Mon Sep 17 00:00:00 2001 +From: Chong Lu Chong.Lu@windriver.com +Date: Thu, 28 May 2020 09:46:34 -0500 +Subject: [PATCH] net-snmp: add knob whether nlist.h are checked + +Previously, it still was checked when there was no nlish.h in sysroots directory. +Add knob to decide whether nlist.h are checked or not. + +Upstream-status: Pending + +Signed-off-by: Chong Lu Chong.Lu@windriver.com + +--- + configure.d/config_os_headers | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/configure.d/config_os_headers b/configure.d/config_os_headers +index b9c8c31..01c3376 100644 +--- a/configure.d/config_os_headers ++++ b/configure.d/config_os_headers +@@ -37,6 +37,7 @@ AC_CHECK_HEADERS([getopt.h pthread.h regex.h ] dnl + [sys/timeb.h ]) + + # Library and Agent: ++if test "x$with_elf" != "xno"; then + AC_CHECK_HEADERS([nlist.h],,,[ + AC_INCLUDES_DEFAULT + [ +@@ -44,6 +45,7 @@ AC_INCLUDES_DEFAULT + #define LIBBSD_DISABLE_DEPRECATED 1 + #endif + ]]) ++fi + + # Library: + AC_CHECK_HEADERS([crt_externs.h ] dnl diff --git a/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-fix-for-disable-des.patch b/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-fix-for-disable-des.patch new file mode 100644 index 0000000..c382c02 --- /dev/null +++ b/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-fix-for-disable-des.patch 
@@ -0,0 +1,30 @@ +From b1b9980853b1083f0c8b9f628f8b4c3a484d4f91 Mon Sep 17 00:00:00 2001 +From: Jackie Huang jackie.huang@windriver.com +Date: Thu, 22 Jun 2017 10:25:08 +0800 +Subject: [PATCH] net-snmp: fix for --disable-des + +Include des.h only if it's found in openssl so that +the --disable-des works correctly. + +Upstream-Status: Submitted [net-snmp-coders@lists.sourceforge.net] + +Signed-off-by: Jackie Huang jackie.huang@windriver.com + +--- + snmplib/scapi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/snmplib/scapi.c b/snmplib/scapi.c +index 54fdd5c..0f7e931 100644 +--- a/snmplib/scapi.c ++++ b/snmplib/scapi.c +@@ -85,7 +85,9 @@ netsnmp_feature_child_of(usm_scapi, usm_support); + #include <openssl/hmac.h> + #include <openssl/evp.h> + #include <openssl/rand.h> ++#ifdef HAVE_OPENSSL_DES_H + #include <openssl/des.h> ++#endif + #ifdef HAVE_AES + #include <openssl/aes.h> + #endif diff --git a/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-testing-add-the-output-format-for-ptest.patch b/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-testing-add-the-output-format-for-ptest.patch new file mode 100644 index 0000000..09ca532 --- /dev/null +++ b/recipes-protocols/net-snmp/net-snmp-morello/net-snmp-testing-add-the-output-format-for-ptest.patch 
@@ -0,0 +1,35 @@ +From 36a5656db7ea75dd15f35a6c1728937c6e2b901c Mon Sep 17 00:00:00 2001 +From: Jackie Huang jackie.huang@windriver.com +Date: Wed, 14 Jan 2015 15:10:06 +0800 +Subject: [PATCH] testing: add the output format for ptest + +Upstream-Status: Inappropriate [OE specific] + +Signed-off-by: Jackie Huang jackie.huang@windriver.com + +--- + testing/RUNTESTS | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/testing/RUNTESTS b/testing/RUNTESTS +index 6715831..a2b6fb8 100755 +--- a/testing/RUNTESTS ++++ b/testing/RUNTESTS +@@ -17,13 +17,17 @@ failed_count=0 + rm -f failed_tests + for i in "${srcdir}"/testing/fulltests/default/T*$1*; do + echo "RUNNING $i" ++ test_name=`basename $i` + ${srcdir}/testing/fulltests/support/simple_run $i + if [ $? = 0 ]; then ++ echo "PASS: $test_name" + success_count=`expr $success_count + 1` + else ++ echo "FAIL: $test_name" + failed_count=`expr $failed_count + 1` + echo "$i" >> failed_tests + fi ++ echo + done + + if [ -f failed_tests ]; then diff --git a/recipes-protocols/net-snmp/net-snmp-morello/reproducibility-have-printcap.patch b/recipes-protocols/net-snmp/net-snmp-morello/reproducibility-have-printcap.patch new file mode 100644 index 0000000..c0b51c5 --- /dev/null +++ b/recipes-protocols/net-snmp/net-snmp-morello/reproducibility-have-printcap.patch 
@@ -0,0 +1,30 @@ +From b923cd38e2503b86aedf66b767fd7f51c9f25645 Mon Sep 17 00:00:00 2001 +From: "douglas.royds" douglas.royds@taitradio.com +Date: Wed, 21 Nov 2018 13:52:18 +1300 +Subject: [PATCH] net-snmp: Reproducibility: Don't check build host for + +Reproducible build: Don't check for /etc/printcap on the build machine when +cross-compiling. Use AC_CHECK_FILE to set the cached variable +ac_cv_file__etc_printcap instead. When cross-compiling, this variable should be +set in the environment to "yes" or "no" as appropriate for the target platform. + +--- + configure.d/config_os_misc4 | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure.d/config_os_misc4 b/configure.d/config_os_misc4 +index b6864d9..07ca922 100644 +--- a/configure.d/config_os_misc4 ++++ b/configure.d/config_os_misc4 +@@ -99,9 +99,9 @@ if test x$LPSTAT_PATH != x; then + [Path to the lpstat command]) + AC_DEFINE(HAVE_LPSTAT, 1, [Set if the lpstat command is available]) + fi +-if test -r /etc/printcap; then ++AC_CHECK_FILE([/etc/printcap], + AC_DEFINE(HAVE_PRINTCAP, 1, [Set if /etc/printcap exists]) +-fi ++) + + + # Check ps args diff --git a/recipes-protocols/net-snmp/net-snmp-morello/run-ptest b/recipes-protocols/net-snmp/net-snmp-morello/run-ptest new file mode 100755 index 0000000..76514c2 --- /dev/null +++ b/recipes-protocols/net-snmp/net-snmp-morello/run-ptest @@ -0,0 +1,5 @@ +#!/bin/sh + +workdir=$(dirname `realpath $0`) +cd ${workdir}/testing +./RUNTESTS diff --git a/recipes-protocols/net-snmp/net-snmp-morello/snmpd.service b/recipes-protocols/net-snmp/net-snmp-morello/snmpd.service new file mode 100644 index 0000000..79f67bd --- /dev/null +++ b/recipes-protocols/net-snmp/net-snmp-morello/snmpd.service 
@@ -0,0 +1,14 @@
+[Unit]
+Description=Simple Network Management Protocol (SNMP) Daemon.
+After=syslog.target network.target
+
+[Service]
+Type=notify
+Environment=PURECAP_DIR=%PURECAP_DIR%
+Environment=OPTIONS="-Ls0-6d"
+EnvironmentFile=-/etc/default/snmpd
+ExecStart=${PURECAP_DIR}/usr/sbin/snmpd $OPTIONS -a -f
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-protocols/net-snmp/net-snmp-morello/snmptrapd.service b/recipes-protocols/net-snmp/net-snmp-morello/snmptrapd.service
new file mode 100644
index 0000000..4daf94d
--- /dev/null
+++ b/recipes-protocols/net-snmp/net-snmp-morello/snmptrapd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Simple Network Management Protocol (SNMP) Trap Daemon.
+After=syslog.target network.target
+
+[Service]
+Type=notify
+Environment=PURECAP_DIR=%PURECAP_DIR%
+Environment=OPTIONS="-Lsd"
+EnvironmentFile=-/etc/default/snmptrapd
+ExecStart=${PURECAP_DIR}/usr/sbin/snmptrapd $OPTIONS -f
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-protocols/net-snmp/net-snmp-morello_5.9.3.bb b/recipes-protocols/net-snmp/net-snmp-morello_5.9.3.bb
new file mode 100644
index 0000000..3f661fe
--- /dev/null
+++ b/recipes-protocols/net-snmp/net-snmp-morello_5.9.3.bb
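Review bot: Both snmpd.service and snmptrapd.service start a network-facing daemon as root with no sandboxing directives, and `Type=notify` only works when net-snmp was configured with `--with-systemd`, which the recipe enables only when `systemd` is in DISTRO_FEATURES; otherwise the unit waits for a readiness notification that never comes. Consider adding `NoNewPrivileges=yes`, `ProtectHome=yes` and `ProtectSystem=strict` plus `ReadWritePaths=` for the persistent directory the recipe configures (`${localstatedir}/lib/net-snmp`) to the [Service] section, checking on the target that snmpd's /proc and MIB reads still work. `After=syslog.target` is a deprecated target name and can be dropped from both units. Whether systemd expands `${PURECAP_DIR}` in the executable word of `ExecStart=` depends on the systemd version in use; if the target rejects it, have the recipe's `sed` write the resolved path into ExecStart directly instead of going through `Environment=`.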
@@ -0,0 +1,322 @@ +inherit autotools-brokensep update-rc.d siteinfo systemd pkgconfig perlnative ptest purecap-sysroot + +MORELLO_SRC = "meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.3.bb" + +SUMMARY = "Various tools relating to the Simple Network Management Protocol" +HOMEPAGE = "http://www.net-snmp.org/" +SECTION = "net" +LICENSE = "BSD-3-Clause & MIT" + +LIC_FILES_CHKSUM = "file://COPYING;md5=9d100a395a38584f2ec18a8275261687" + +TOOLCHAIN = "${MORELLO_TOOLCHAIN}" +FILESEXTRAPATHS:prepend := "${THISDIR}/cheri-patches:" + +DEPENDS += "openssl-morello" +DEPENDS:append:class-target = " pciutils" + +SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \ + file://init \ + file://snmpd.conf \ + file://snmptrapd.conf \ + file://snmpd.service \ + file://snmptrapd.service \ + file://net-snmp-add-knob-whether-nlist.h-are-checked.patch \ + file://fix-libtool-finish.patch \ + file://net-snmp-testing-add-the-output-format-for-ptest.patch \ + file://run-ptest \ + file://0001-config_os_headers-Error-Fix.patch \ + file://0001-snmplib-keytools.c-Don-t-check-for-return-from-EVP_M.patch \ + file://0001-get_pid_from_inode-Include-limit.h.patch \ + file://0004-configure-fix-incorrect-variable.patch \ + file://net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch \ + file://net-snmp-fix-for-disable-des.patch \ + file://reproducibility-have-printcap.patch \ + file://0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch \ + file://CVE-2022-44792-CVE-2022-44793.patch \ + " + +SRC_URI += "\ + file://0001-tools-fix-cheri-provenance.patch \ + file://0002-udp_endpoint_linux-fix-cheri-provenance.patch \ + " + +SRC_URI[sha256sum] = "2097f29b7e1bf3f1300b4bae52fa2308d0bb8d5d3998dbe02f9462a413a2ef0a" + +S = "${WORKDIR}/net-snmp-${PV}" + +BPPNNETSNMP = "net-snmp" + +SNMP_INSTALL_DIR = "snmp" + +UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/net-snmp/files/net-snmp/" +UPSTREAM_CHECK_REGEX = "/net-snmp/(?P<pver>\d+(.\d+)+)/" + +EXTRA_OEMAKE = 
"OTHERLDFLAGS='${LDFLAGS}' HOST_CPPFLAGS='${BUILD_CPPFLAGS}'" + +PARALLEL_MAKE = "" +CCACHE = "" +CLEANBROKEN = "1" + +TARGET_CC_ARCH += "${LDFLAGS}" + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} des smux" +PACKAGECONFIG[des] = "--enable-des, --disable-des" +# PACKAGECONFIG[elfutils] = "--with-elf, --without-elf, elfutils" +PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6" +# PACKAGECONFIG[libnl] = "--with-nl, --without-nl, libnl" +PACKAGECONFIG[smux] = "" +PACKAGECONFIG[systemd] = "--with-systemd, --without-systemd" + +EXTRA_OECONF = " \ + --enable-shared \ + --disable-manuals \ + --with-defaults \ + --with-install-prefix=${prefix} \ + --with-persistent-directory=${localstatedir}/lib/net-snmp \ + --with-endianness=${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', 'little', 'big', d)} \ + --with-mib-modules='${MIB_MODULES}' \ + --disable-embedded-perl \ + --with-perl-modules=no \ +" + +MIB_MODULES = "" +MIB_MODULES:append = " ${@bb.utils.filter('PACKAGECONFIG', 'smux', d)}" + +CACHED_CONFIGUREVARS = " \ + ac_cv_header_valgrind_valgrind_h=no \ + ac_cv_header_valgrind_memcheck_h=no \ + ac_cv_ETC_MNTTAB=/etc/mtab \ + lt_cv_shlibpath_overrides_runpath=yes \ + ac_cv_path_UNAMEPROG=${base_bindir}/uname \ + ac_cv_path_PSPROG=${base_bindir}/ps \ + ac_cv_file__etc_printcap=no \ + NETSNMP_CONFIGURE_OPTIONS= \ +" + +PERLPROG = "/usr/bin/env perl" + +PERLPROG:class-native = "${bindir_native}/env perl" +PERLPROG:append = "${@bb.utils.contains('PACKAGECONFIG', 'perl', ' -I${WORKDIR}', '', d)}" +export PERLPROG + +HAS_PERL = "0" + +PTEST_BUILD_HOST_FILES += "net-snmp-config gen-variables" + +do_configure:prepend() { + sed -i -e "s|I/usr/include|I${STAGING_DIR_TARGET}${includedir}|g" \ + "${S}"/configure \ + "${S}"/configure.d/config_os_libs2 + if [ "${HAS_PERL}" = "1" ]; then + # this may need to be changed when package perl has any change. 
+ cp -f ${STAGING_DIR_TARGET}/usr/lib*/perl?/*/Config.pm ${WORKDIR}/ + cp -f ${STAGING_DIR_TARGET}/usr/lib*/perl?/*/*/Config_heavy.pl ${WORKDIR}/ + sed -e "s@libpth => '/usr/lib.*@libpth => '${STAGING_DIR_TARGET}/${libdir} ${STAGING_DIR_TARGET}/${base_libdir}',@g" \ + -e "s@privlibexp => '/usr@privlibexp => '${STAGING_DIR_TARGET}/usr@g" \ + -e "s@scriptdir => '/usr@scriptdir => '${STAGING_DIR_TARGET}/usr@g" \ + -e "s@sitearchexp => '/usr@sitearchexp => '${STAGING_DIR_TARGET}/usr@g" \ + -e "s@sitelibexp => '/usr@sitearchexp => '${STAGING_DIR_TARGET}/usr@g" \ + -e "s@vendorarchexp => '/usr@vendorarchexp => '${STAGING_DIR_TARGET}/usr@g" \ + -e "s@vendorlibexp => '/usr@vendorlibexp => '${STAGING_DIR_TARGET}/usr@g" \ + -i ${WORKDIR}/Config.pm + fi + +} + +do_configure:append() { + sed -e "s@^NSC_INCLUDEDIR=.*@NSC_INCLUDEDIR=${STAGING_DIR_TARGET}${includedir}@g" \ + -e "s@^NSC_LIBDIR=-L.*@NSC_LIBDIR=-L${STAGING_DIR_TARGET}${libdir}@g" \ + -e "s@^NSC_LDFLAGS="-L.* @NSC_LDFLAGS="-L${STAGING_DIR_TARGET}${libdir} @g" \ + -i ${B}/net-snmp-config +} + +do_install:append() { + install -d ${D}${sysconfdir}/${SNMP_INSTALL_DIR} + install -d ${D}${sysconfdir}/init.d + + install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/snmpd + install -m 644 ${WORKDIR}/snmpd.conf ${D}${sysconfdir}/${SNMP_INSTALL_DIR}/ + install -m 644 ${WORKDIR}/snmptrapd.conf ${D}${sysconfdir}/${SNMP_INSTALL_DIR}/ + + install -d ${D}${systemd_unitdir}/system + + install -m 0644 ${WORKDIR}/snmpd.service ${D}${systemd_unitdir}/system/snmpd.service + install -m 0644 ${WORKDIR}/snmptrapd.service ${D}${systemd_unitdir}/system/snmptrapd.service + + sed -e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \ + -i ${D}${bindir}/net-snmp-create-v3-user + sed -e 's@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g' \ + -e 's@[^ ]*-ffile-prefix-map=[^ "]*@@g' \ + -e 's@[^ ]*-fdebug-prefix-map=[^ "]*@@g' \ + -e 's@[^ ]*-fmacro-prefix-map=[^ "]*@@g' \ + -e 's@[^ ]*--sysroot=[^ "]*@@g' \ + -e 's@[^ ]*--with-libtool-sysroot=[^ "]*@@g' \ + -e 's@[^ 
]*--with-install-prefix=[^ "]*@@g' \ + -e 's@[^ ]*PKG_CONFIG_PATH=[^ "]*@@g' \ + -e 's@[^ ]*PKG_CONFIG_LIBDIR=[^ "]*@@g' \ + -i ${D}${bindir}/net-snmp-config + + sed -e 's@[^ ]*-ffile-prefix-map=[^ "]*@@g' \ + -e 's@[^ ]*-fdebug-prefix-map=[^ "]*@@g' \ + -e 's@[^ ]*-fmacro-prefix-map=[^ "]*@@g' \ + -i ${D}${libdir}/pkgconfig/netsnmp*.pc + + sed -e "s:%PURECAP_DIR%:${base_prefix}:g" -i ${D}${sysconfdir}/init.d/snmpd + sed -e "s:%PURECAP_DIR%:${base_prefix}:g" -i ${D}${systemd_unitdir}/system/snmpd.service + sed -e "s:%PURECAP_DIR%:${base_prefix}:g" -i ${D}${systemd_unitdir}/system/snmptrapd.service + + # ${STAGING_DIR_HOST} is empty for native builds, and the sed command below + # will result in errors if run for native. + if [ "${STAGING_DIR_HOST}" ]; then + sed -e 's@${STAGING_DIR_HOST}@@g' \ + -i ${D}${bindir}/net-snmp-config ${D}${libdir}/pkgconfig/netsnmp*.pc + fi + + sed -e "s@^NSC_INCLUDEDIR=.*@NSC_INCLUDEDIR=${base_prefix}${includedir}@g" \ + -e "s@^NSC_LIBDIR=-L.*@NSC_LIBDIR=-L${base_prefix}${libdir}@g" \ + -e "s@^NSC_LDFLAGS="-L.* @NSC_LDFLAGS="-L${base_prefix}${libdir} @g" \ + -i ${D}${bindir}/net-snmp-config + + # oe_multilib_header net-snmp/net-snmp-config.h + + if [ "${HAS_PERL}" = "1" ]; then + find ${D}${libdir}/ -type f -name "perllocal.pod" | xargs rm -f + fi +} + +do_install:append() { + ${OBJDUMP} -D ${D}${libdir}/libnetsnmp.so > ${D}${PURECAP_DEBUGDIR}/libnetsnmp.so.dump + ${READELF} -a ${D}${libdir}/libnetsnmp.so > ${D}${PURECAP_DEBUGDIR}/libnetsnmp.so.readelf +} + +PTEST_PATH = "${libdir}/netsnmp/ptest" + +do_install_ptest() { + install -d ${D}${PTEST_PATH} + for i in ${S}/dist ${S}/include ${B}/include ${S}/mibs ${S}/configure \ + ${B}/net-snmp-config ${S}/testing; do + if [ -e "$i" ]; then + cp -R --no-dereference --preserve=mode,links -v "$i" ${D}${PTEST_PATH} + fi + done + echo `autoconf -V|awk '/autoconf/{print $NF}'` > ${D}${PTEST_PATH}/dist/autoconf-version + + rmdlist="${D}${PTEST_PATH}/dist/net-snmp-solaris-build" + for i in $rmdlist; 
do + if [ -d "$i" ]; then + rm -rf "$i" + fi + done +} + +SYSROOT_PREPROCESS_FUNCS += "net_snmp_sysroot_preprocess" +SNMP_DBGDIR = "${PURECAP_SYSROOT_DIR}/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}" + +net_snmp_sysroot_preprocess () { + if [ -e ${D}${bindir}/net-snmp-config ]; then + install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}/ + install -m 755 ${D}${bindir}/net-snmp-config ${SYSROOT_DESTDIR}${bindir_crossscripts}/ + sed -e "s@-I/usr/include@-I${STAGING_INCDIR}@g" \ + -e "s@^prefix=.*@prefix=${STAGING_DIR_HOST}${prefix}@g" \ + -e "s@^exec_prefix=.*@exec_prefix=${STAGING_EXECPREFIXDIR}@g" \ + -e "s@^includedir=.*@includedir=${STAGING_INCDIR}@g" \ + -e "s@^libdir=.*@libdir=${STAGING_LIBDIR}@g" \ + -e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=${S}@g" \ + -e "s@-ffile-prefix-map=${SNMP_DBGDIR}@-ffile-prefix-map=${WORKDIR}=${SNMP_DBGDIR}@g" \ + -e "s@-fdebug-prefix-map=${SNMP_DBGDIR}@-fdebug-prefix-map=${WORKDIR}=${SNMP_DBGDIR}@g" \ + -e "s@-fdebug-prefix-map= -fdebug-prefix-map=@-fdebug-prefix-map=${STAGING_DIR_NATIVE}= \ + -fdebug-prefix-map=${STAGING_DIR_HOST}=@g" \ + -e "s@--sysroot=@--sysroot=${STAGING_DIR_HOST}@g" \ + -e "s@--with-libtool-sysroot=@--with-libtool-sysroot=${STAGING_DIR_HOST}@g" \ + -e "s@--with-install-prefix=@--with-install-prefix=${D}@g" \ + -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/net-snmp-config + fi +} + +PACKAGES += "${PN}-libs ${PN}-mibs ${PN}-server ${PN}-client \ + ${PN}-server-snmpd ${PN}-server-snmptrapd \ + ${PN}-lib-netsnmp ${PN}-lib-agent ${PN}-lib-helpers \ + ${PN}-lib-mibs ${PN}-lib-trapd" + +# perl module +PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'perl', '${PN}-perl-modules', '', d)}" + +ALLOW_EMPTY:${PN} = "1" +ALLOW_EMPTY:${PN}-server = "1" +ALLOW_EMPTY:${PN}-libs = "1" + +FILES:${PN}-perl-modules = "${libdir}/perl?/*" +RDEPENDS:${PN}-perl-modules = "perl" + +FILES:${PN}-libs = "" +FILES:${PN}-mibs = "${datadir}/snmp/mibs" +FILES:${PN}-server-snmpd = "${sbindir}/snmpd \ + ${sysconfdir}/${SNMP_INSTALL_DIR}/snmpd.conf \ + 
${sysconfdir}/init.d \ + ${systemd_unitdir}/system/snmpd.service \ +" + +FILES:${PN}-server-snmptrapd = "${sbindir}/snmptrapd \ + ${sysconfdir}/${SNMP_INSTALL_DIR}/snmptrapd.conf \ + ${systemd_unitdir}/system/snmptrapd.service \ +" + +FILES:${PN}-lib-netsnmp = "${libdir}/libnetsnmp${SOLIBS}" +FILES:${PN}-lib-agent = "${libdir}/libnetsnmpagent${SOLIBS}" +FILES:${PN}-lib-helpers = "${libdir}/libnetsnmphelpers${SOLIBS}" +FILES:${PN}-lib-mibs = "${libdir}/libnetsnmpmibs${SOLIBS}" +FILES:${PN}-lib-trapd = "${libdir}/libnetsnmptrapd${SOLIBS}" + +FILES:${PN} = "${includedir} ${libdir}" +FILES:${PN}-client = "${bindir}/* ${datadir}/snmp/" +FILES:${PN}-dbg += "${libdir}/.debug/ ${sbindir}/.debug/ ${bindir}/.debug/" +FILES:${PN}-dev += "${bindir}/mib2c \ + ${bindir}/mib2c-update \ + ${bindir}/net-snmp-config \ + ${bindir}/net-snmp-create-v3-user \ +" + +CONFFILES:${PN}-server-snmpd = "${sysconfdir}/${SNMP_INSTALL_DIR}/snmpd.conf" +CONFFILES:${PN}-server-snmptrapd = "${sysconfdir}/${SNMP_INSTALL_DIR}/snmptrapd.conf" + +INITSCRIPT_PACKAGES = "${PN}-server-snmpd" +INITSCRIPT_NAME:${PN}-server-snmpd = "snmpd" +INITSCRIPT_PARAMS:${PN}-server-snmpd = "start 90 2 3 4 5 . stop 60 0 1 6 ." 
+ +SYSTEMD_PACKAGES = "${PN}-server-snmpd \ + ${PN}-server-snmptrapd" + +SYSTEMD_SERVICE:${PN}-server-snmpd = "snmpd.service" +SYSTEMD_SERVICE:${PN}-server-snmptrapd = "snmptrapd.service" + +# RDEPENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'net-snmp-perl-modules', '', d)}" +# RDEPENDS:${PN} += "${PN}-client" +# RDEPENDS:${PN}-server-snmpd += "${PN}-mibs" +# RDEPENDS:${PN}-server-snmptrapd += "${PN}-server-snmpd ${PN}-lib-trapd" +# RDEPENDS:${PN}-server += "${PN}-server-snmpd ${PN}-server-snmptrapd" +# RDEPENDS:${PN}-client += "${PN}-mibs ${PN}-libs" +# RDEPENDS:${PN}-libs += "libpci \ +# ${PN}-lib-netsnmp \ +# ${PN}-lib-agent \ +# ${PN}-lib-helpers \ +# ${PN}-lib-mibs \ +# " + +RRECOMMENDS:${PN}-dbg = "${PN}-client (= ${EXTENDPKGV}) ${PN}-server (= ${EXTENDPKGV})" + +RPROVIDES:${PN}-server-snmpd += "net-snmp-server-snmpd-systemd" +RREPLACES:${PN}-server-snmpd += "net-snmp-server-snmpd-systemd" +RCONFLICTS:${PN}-server-snmpd += "net-snmp-server-snmpd-systemd" + +RPROVIDES:${PN}-server-snmptrapd += "net-snmp-server-snmptrapd-systemd" +RREPLACES:${PN}-server-snmptrapd += "net-snmp-server-snmptrapd-systemd" +RCONFLICTS:${PN}-server-snmptrapd += "net-snmp-server-snmptrapd-systemd" + +LEAD_SONAME = "libnetsnmp.so" + +MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/net-snmp-config" + +SYSTEMD_AUTO_ENABLE:${PN} = "enable" + +SYSROOT_DIRS += "${bindir}" \ No newline at end of file
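Review bot: The default `PACKAGECONFIG` keeps `smux` enabled, which compiles the SMUX subagent module into snmpd; as far as I recall that module opens a TCP listener (port 199) unless `smuxsocket` is configured in snmpd.conf, so for this image it is worth confirming the listener is intended or dropping `smux` from the default set. The commented-out `PACKAGECONFIG[elfutils]` and `PACKAGECONFIG[libnl]` lines and `HAS_PERL = "0"` are the main divergences from the upstream recipe named in `MORELLO_SRC`, but nothing records why; a comment such as `# elfutils/libnl disabled: <reason, e.g. no purecap build of these libraries in this layer>` next to them would help the next rebase. `DEPENDS:append:class-target = " pciutils"` is also carried over from upstream, and with the purecap sysroot it is unclear whether a non-purecap libpci can be linked at all, so a comment stating whether the pci MIB module is actually built here would avoid a silent mismatch. `do_install:append()` is defined twice (the second holds the objdump/readelf dumps); BitBake should accumulate both, but merging them or giving the second a distinct name such as `do_install:append() { ... }` → `purecap_debug_dumps()` added via `do_install[postfuncs]` reads more clearly.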
Co-authored-by: Harrison Carter hcarter@thegoodpenguin.co.uk Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- recipes-core/images/morello-image.bb | 73 ++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 recipes-core/images/morello-image.bb
diff --git a/recipes-core/images/morello-image.bb b/recipes-core/images/morello-image.bb new file mode 100644 index 0000000..3d2517e --- /dev/null +++ b/recipes-core/images/morello-image.bb @@ -0,0 +1,73 @@ +inherit core-image +inherit extrausers + +SUMMARY = "Morello SDK demo image" +LICENSE = "MIT" + +IMAGE_FSTYPES += "wic tar.bz2" + +IMAGE_LINGUAS = " en-us en-gb " +IMAGE_ROOTFS_SIZE ?= "8192" +IMAGE_ROOTFS_EXTRA_SPACE:append = "${@bb.utils.contains("DISTRO_FEATURES", "systemd", " + 4096", "", d)}" +IMAGE_OVERHEAD_FACTOR = "1.5" + +IMAGE_INSTALL = "packagegroup-core-boot ${CORE_IMAGE_EXTRA_INSTALL}" + +IMAGE_INSTALL:append = " \ + tzdata \ + localedef \ + sudo \ + " + +IMAGE_INSTALL:append = " \ + net-tools \ + netplan \ + iputils \ + iproute2 \ + openssh \ + nginx \ + " + +IMAGE_INSTALL:append = " \ + libpq \ + " + +IMAGE_INSTALL:append = " \ + php \ + php-cli \ + php-dev \ + php-fpm \ + " + +IMAGE_INSTALL:append = " \ + zlib-morello \ + ncurses-morello \ + openssl-morello \ + readline-morello \ + zabbix-server-morello \ + zabbix-agentd-morello \ + zabbix-frontend \ + net-snmp-morello \ + net-snmp-morello-mibs \ + net-snmp-morello-server-snmptrapd \ + openldap-morello \ + libevent-morello \ + libpcre-morello \ + postgresql-morello \ + libpq-morello\ + libpgtypes-morello \ + postgresql-morello-contrib \ + postgresql-morello-server-dev \ + postgresql-morello-client \ + postgresql-morello-timezone \ + postgresql-morello-setup \ + postgresql-morello-timezone \ + postgresql-morello-dbg \ + curl-morello \ + libcurl-morello \ + libidn2-morello \ + libunistring-morello \ + tcl-morello \ + base-passwd-morello \ + util-linux-morello \ + "
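Review bot: `postgresql-morello-timezone` is listed twice in the last `IMAGE_INSTALL:append` block, and `postgresql-morello-dbg` ships debug symbols into what SUMMARY calls a demo image; drop the duplicate and gate the `-dbg` package behind an image feature (`dbg-pkgs`) unless symbols are wanted on target. `inherit extrausers` is present but no `EXTRA_USERS_PARAMS` appears in this file, so account setup presumably lives in the distro or kas configuration; a comment pointing to where users and passwords come from would let reviewers check that `openssh` and `sudo` are not installed alongside an empty root password. Minor style: `libpq-morello\` is missing the space before the continuation backslash that every other entry has.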
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .github/workflows/workflow.yml | 88 ++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 .github/workflows/workflow.yml
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
new file mode 100644
index 0000000..d8657cc
--- /dev/null
+++ b/.github/workflows/workflow.yml
@@ -0,0 +1,88 @@
+name: meta-morello-distro
+
+on:
+ push:
+ branches:
+ - 'master'
+
+env:
+ BUILD_DIR: ${{github.workspace}}/volatile
+
+jobs:
+
+ check-layers:
+ runs-on: [tgp-aws]
+
+ container:
+ image: pwltgp/yocto:22.04
+
+ steps:
+ - name: Set up environment
+ run: |
+ echo HOME=/home/ci | sudo tee -a $GITHUB_ENV
+ ln -sf /home/ci $GITHUB_WORKSPACE/volatile
+
+ sudo apt-get update
+ sudo apt install -yy libc++-13-dev libc++abi-13-dev
+ sudo apt-get install -yy libtinfo5
+
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ path: ${{env.BUILD_DIR}}/meta-morello-distro
+
+ - name: Run check-layers
+ run: |
+ cd $BUILD_DIR
+ kas shell --update --force-checkout meta-morello-distro/kas/base.yml --command "yocto-check-layer-wrapper $BUILD_DIR/meta-morello-distro -n --dependency $BUILD_DIR/meta-* $BUILD_DIR/meta-arm/meta-arm $BUILD_DIR/meta-arm/meta-arm-toolchain $BUILD_DIR/meta-morello/meta-morello $BUILD_DIR/meta-morello/meta-morello-toolchain $BUILD_DIR/meta-openembedded/meta-oe $BUILD_DIR/meta-openembedded/meta-networking $BUILD_DIR/meta-openembedded/meta-webserver $BUILD_DIR/meta-openembedded/meta-filesystems $BUILD_DIR/meta-openembedded/meta-python"
+
+ build:
+ runs-on: [tgp-aws]
+
+ container:
+ image: pwltgp/yocto:22.04
+
+ steps:
+ - name: Set up environment
+ run: |
+
+ echo HOME=/home/ci | sudo tee -a $GITHUB_ENV
+ ln -sf /home/ci $GITHUB_WORKSPACE/volatile
+
+ sudo apt-get update
+ sudo apt install -yy libc++-13-dev libc++abi-13-dev
+ sudo apt install -yy libtinfo5 sed
+
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ path: ${{env.BUILD_DIR}}/meta-morello-distro
+
+ - name: Build meta-morello-distro soc
+ run: |
+ cd $BUILD_DIR
+
+ kas build ./meta-morello-distro/kas/debug-soc.yml
+
+ - name: Upload build logs on failure
+ if: failure()
+ uses: actions/upload-artifact@v3
+ with:
+ name: failure-logs
+ path: |
+ ${{env.BUILD_DIR}}/build/tmp*/work*/**/temp/*.do_*.*
+
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: morello_artifacts_wic
+ path: |
+ ${{env.BUILD_DIR}}/build/tmp-soc/deploy/images/morello-soc/usb-image-morello-soc.wic
+
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: morello_artifacts_firmware
+ path: |
+ ${{env.BUILD_DIR}}/build/tmp-soc/deploy/images/morello-soc/board-firmware-sd-image.img
+
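Review bot: The workflow declares no top-level `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope, and the third-party actions are referenced by floating tags (`actions/checkout@v3`, `actions/upload-artifact@v3`) rather than commit SHAs. Both jobs run on a self-hosted runner label (`tgp-aws`) with passwordless `sudo` inside the container, which widens what a compromised action or dependency layer could reach; I would add `permissions:` / `  contents: read` at the top level and pin each action to a full-length commit SHA with a `# vN` comment. `kas shell --update --force-checkout` checks out the upstream layers at whatever revisions kas/base.yml names; that file is outside this hunk, so I cannot tell from here whether those are pinned to commits or track branches. The two "Set up environment" steps are near-duplicates (one installs `libtinfo5`, the other `libtinfo5 sed`); a shared composite step or a single package list would keep them from drifting further.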
Co-authored-by: Harrison Carter hcarter@thegoodpenguin.co.uk Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- .../0000-net-fix-provenance-error.patch | 35 + ...000-sysinfo-fix-build-with-musl-libc.patch | 32 + ...emalloc-align-and-work-with-16-not-8.patch | 168 ++ ...002-duktape-set-shift-to-5-for-CHERI.patch | 55 + .../0003-duktape-add-aling-to-16.patch | 121 ++ ...ed-use-padding-of-16-not-8-for-alloc.patch | 85 + .../0005-embed-fix-alignment-issues.patch | 93 ++ ...6-duk_config-use-debug-and-self-test.patch | 46 + .../0007-duktape-fix-stack-reallocation.patch | 64 + recipes-connectivity/zabbix/files/COPYING | 341 ++++ .../files/zabbix-agentd-morello.service | 15 + .../zabbix/files/zabbix-agentd.conf | 536 ++++++ .../zabbix/files/zabbix-proxy.conf | 1461 +++++++++++++++++ .../zabbix/files/zabbix-proxy.service | 15 + .../files/zabbix-server-morello.service | 20 + .../zabbix/files/zabbix-server.conf | 990 +++++++++++ .../zabbix/files/zabbix.conf.php | 59 + .../zabbix/zabbix-agentd-morello_5.0.38.bb | 52 + .../zabbix/zabbix-frontend_5.0.38.bb | 24 + .../zabbix/zabbix-morello.inc | 103 ++ .../zabbix/zabbix-proxy-morello_5.0.38.bb | 65 + .../zabbix/zabbix-server-morello_5.0.38.bb | 71 + 22 files changed, 4451 insertions(+) create mode 100644 recipes-connectivity/zabbix/cheri-patches/0000-net-fix-provenance-error.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0000-sysinfo-fix-build-with-musl-libc.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0001-memalloc-align-and-work-with-16-not-8.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0002-duktape-set-shift-to-5-for-CHERI.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0003-duktape-add-aling-to-16.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0004-embed-use-padding-of-16-not-8-for-alloc.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0005-embed-fix-alignment-issues.patch create mode 100644 
recipes-connectivity/zabbix/cheri-patches/0006-duk_config-use-debug-and-self-test.patch create mode 100644 recipes-connectivity/zabbix/cheri-patches/0007-duktape-fix-stack-reallocation.patch create mode 100644 recipes-connectivity/zabbix/files/COPYING create mode 100644 recipes-connectivity/zabbix/files/zabbix-agentd-morello.service create mode 100644 recipes-connectivity/zabbix/files/zabbix-agentd.conf create mode 100644 recipes-connectivity/zabbix/files/zabbix-proxy.conf create mode 100644 recipes-connectivity/zabbix/files/zabbix-proxy.service create mode 100644 recipes-connectivity/zabbix/files/zabbix-server-morello.service create mode 100644 recipes-connectivity/zabbix/files/zabbix-server.conf create mode 100644 recipes-connectivity/zabbix/files/zabbix.conf.php create mode 100644 recipes-connectivity/zabbix/zabbix-agentd-morello_5.0.38.bb create mode 100644 recipes-connectivity/zabbix/zabbix-frontend_5.0.38.bb create mode 100644 recipes-connectivity/zabbix/zabbix-morello.inc create mode 100644 recipes-connectivity/zabbix/zabbix-proxy-morello_5.0.38.bb create mode 100644 recipes-connectivity/zabbix/zabbix-server-morello_5.0.38.bb
diff --git a/recipes-connectivity/zabbix/cheri-patches/0000-net-fix-provenance-error.patch b/recipes-connectivity/zabbix/cheri-patches/0000-net-fix-provenance-error.patch
new file mode 100644
index 0000000..844484a
--- /dev/null
+++ b/recipes-connectivity/zabbix/cheri-patches/0000-net-fix-provenance-error.patch
@@ -0,0 +1,35 @@
+From 79323bc3b45a0fb67168dd91dc1cc72e200e7392 Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Fri, 7 Jul 2023 17:10:02 +0100
+Subject: [PATCH 4/4] net: fix provenance error
+
+Socket expects an int, just cast the NULL to an int.
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ src/libs/zbxsysinfo/linux/net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libs/zbxsysinfo/linux/net.c b/src/libs/zbxsysinfo/linux/net.c
+index 9e9fe73..55e2986 100644
+--- a/src/libs/zbxsysinfo/linux/net.c
++++ b/src/libs/zbxsysinfo/linux/net.c
+@@ -112,13 +112,13 @@ static int find_tcp_port_by_state_nl(unsigned short port, int state, int *found)
+ 
+ struct sockaddr_nl s_sa = { AF_NETLINK, 0, 0, 0 };
+ struct iovec s_io[1] = { { &request, sizeof(request) } };
+- struct msghdr s_msg = { (void *)&s_sa, sizeof(struct sockaddr_nl), s_io, 1, NULL, 0, 0};
++ struct msghdr s_msg = { (void *)&s_sa, sizeof(struct sockaddr_nl), s_io, 1, (int)NULL, 0, 0};
+ 
+ char buffer[BUFSIZ] = { 0 };
+ 
+ struct sockaddr_nl r_sa = { AF_NETLINK, 0, 0, 0 };
+ struct iovec r_io[1] = { { buffer, BUFSIZ } };
+- struct msghdr r_msg = { (void *)&r_sa, sizeof(struct sockaddr_nl), r_io, 1, NULL, 0, 0};
++ struct msghdr r_msg = { (void *)&r_sa, sizeof(struct sockaddr_nl), r_io, 1, (int)NULL, 0, 0};
+ 
+ struct nlmsghdr *r_hdr;
+ 
+-- 
+2.34.1
+
diff --git a/recipes-connectivity/zabbix/cheri-patches/0000-sysinfo-fix-build-with-musl-libc.patch b/recipes-connectivity/zabbix/cheri-patches/0000-sysinfo-fix-build-with-musl-libc.patch
new file mode 100644
index 0000000..e0ba5e2
--- /dev/null
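Review bot: `(int)NULL` in the two `struct msghdr` initializers papers over the real defect, which is positional initialization of a libc-defined struct: the fifth positional member is an integer only on a libc whose msghdr carries padding fields after `msg_iovlen` (the description's "socket expects an int" suggests that is the case on the musl target here), whereas on glibc it is `msg_control`, a `void *`, and the cast then stuffs an int into a pointer. Designated initializers remove both the provenance error and the layout dependency: `struct msghdr s_msg = { .msg_name = &s_sa, .msg_namelen = sizeof(struct sockaddr_nl), .msg_iov = s_io, .msg_iovlen = 1 };` (and the same for r_msg), leaving msg_control, msg_controllen and msg_flags zero-initialized. The description should then say why the positional form broke under CHERI rather than "just cast the NULL". find_tcp_port_by_state_nl continues outside the embedded hunk.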
+++ b/recipes-connectivity/zabbix/cheri-patches/0000-sysinfo-fix-build-with-musl-libc.patch
@@ -0,0 +1,32 @@
+From d35e95600ee80e4c526a7ed1ab6bbda2bc0c8427 Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Fri, 7 Jul 2023 15:21:23 +0100
+Subject: [PATCH 1/4] sysinfo: fix build with musl libc
+
+If we use <sys/sysinfo.h> and a musl libc we will get
+redefinition error of the sysinfo struct due to <linux/kernel.h>
+
+Include <linux/const.h> and <linux/types.h> directly instead.
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ include/sysinc.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/sysinc.h b/include/sysinc.h
+index 1400ca8..f34356d 100644
+--- a/include/sysinc.h
++++ b/include/sysinc.h
+@@ -131,7 +131,8 @@
+ #endif
+ 
+ #ifdef HAVE_LINUX_KERNEL_H
+-# include <linux/kernel.h>
++# include <linux/const.h>
++# include <linux/types.h>
+ #endif
+ 
+ #ifdef HAVE_ARPA_NAMESER_H
+-- 
+2.34.1
+
diff --git a/recipes-connectivity/zabbix/cheri-patches/0001-memalloc-align-and-work-with-16-not-8.patch b/recipes-connectivity/zabbix/cheri-patches/0001-memalloc-align-and-work-with-16-not-8.patch
new file mode 100644
index 0000000..9740767
--- /dev/null
+++ b/recipes-connectivity/zabbix/cheri-patches/0001-memalloc-align-and-work-with-16-not-8.patch
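Review bot: The `#ifdef HAVE_LINUX_KERNEL_H` guard now includes `<linux/const.h>` and `<linux/types.h>` instead of the header the configure check probed for, so the guard no longer describes what it guards and a later cleanup could "fix" it back. A comment inside the block would preserve the reasoning from the description: `/* not <linux/kernel.h>: under musl it redefines struct sysinfo already declared by <sys/sysinfo.h> */`.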
@@ -0,0 +1,168 @@
+From ff061121e98773c7e144e884bf1f8fa96c5dd0a7 Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Mon, 13 Nov 2023 12:11:16 +0000
+Subject: [PATCH 1/7] memalloc: align and work with 16, not 8
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ include/memalloc.h | 2 +-
+ src/libs/zbxmemory/memalloc.c | 42 ++++++++++++++++++++++-------------
+ 2 files changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/include/memalloc.h b/include/memalloc.h
+index 858c509..f449cd1 100644
+--- a/include/memalloc.h
++++ b/include/memalloc.h
+@@ -23,7 +23,7 @@
+ #include "common.h"
+ #include "mutexs.h"
+ 
+-#define MEM_MIN_ALLOC 24 /* should be a multiple of 8 and at least (2 * ZBX_PTR_SIZE) */
++#define MEM_MIN_ALLOC (3*ZBX_PTR_SIZE) /* should be a multiple of 8 and at least (2 * ZBX_PTR_SIZE) */
+ 
+ #define MEM_MIN_BUCKET_SIZE MEM_MIN_ALLOC
+ #define MEM_MAX_BUCKET_SIZE 256 /* starting from this size all free chunks are put into the same bucket */
+diff --git a/src/libs/zbxmemory/memalloc.c b/src/libs/zbxmemory/memalloc.c
+index f3d9618..1d88dfd 100644
+--- a/src/libs/zbxmemory/memalloc.c
++++ b/src/libs/zbxmemory/memalloc.c
+@@ -92,6 +92,7 @@
+ 
+ static void *ALIGN4(void *ptr);
+ static void *ALIGN8(void *ptr);
++static void *ALIGN16(void *ptr);
+ static void *ALIGNPTR(void *ptr);
+ 
+ static zbx_uint64_t mem_proper_alloc_size(zbx_uint64_t size);
+@@ -114,7 +115,7 @@ static void *__mem_malloc(zbx_mem_info_t *info, zbx_uint64_t size);
+ static void *__mem_realloc(zbx_mem_info_t *info, void *old, zbx_uint64_t size);
+ static void __mem_free(zbx_mem_info_t *info, void *ptr);
+ 
+-#define MEM_SIZE_FIELD sizeof(zbx_uint64_t)
++#define MEM_SIZE_FIELD (ZBX_PTR_SIZE)
+ 
+ #define MEM_FLG_USED ((__UINT64_C(1))<<63)
+ 
+@@ -136,19 +137,30 @@ static void *ALIGN8(void *ptr)
+ return (void *)((uintptr_t)((char *)ptr + 7) & (uintptr_t)~7);
+ }
+ 
++static void *ALIGN16(void *ptr)
++{
++#if __has_builtin(__builtin_align_up)
++ return __builtin_align_up(ptr, 16);
++#else
++ return (void *)((uintptr_t)((char *)ptr + 15) & (uintptr_t)~15);
++#endif
++}
++
+ static void *ALIGNPTR(void *ptr)
+ {
+ if (4 == ZBX_PTR_SIZE)
+ return ALIGN4(ptr);
+ if (8 == ZBX_PTR_SIZE)
+ return ALIGN8(ptr);
++ if (16 == ZBX_PTR_SIZE)
++ return ALIGN16(ptr);
+ assert(0);
+ }
+ 
+ static zbx_uint64_t mem_proper_alloc_size(zbx_uint64_t size)
+ {
+ if (size >= MEM_MIN_ALLOC)
+- return size + ((8 - (size & 7)) & 7); /* allocate in multiples of 8... */
++ return size + ((16 - (size & 15)) & 15); /* allocate in multiples of 16... */
+ else
+ return MEM_MIN_ALLOC; /* ...and at least MEM_MIN_ALLOC */
+ }
+@@ -158,7 +170,7 @@ static int mem_bucket_by_size(zbx_uint64_t size)
+ if (size < MEM_MIN_BUCKET_SIZE)
+ return 0;
+ if (size < MEM_MAX_BUCKET_SIZE)
+- return (size - MEM_MIN_BUCKET_SIZE) >> 3;
++ return (size - MEM_MIN_BUCKET_SIZE) >> 4;
+ return MEM_BUCKET_COUNT - 1;
+ }
+ 
+@@ -196,7 +208,7 @@ static void mem_set_next_chunk(void *chunk, void *next)
+ 
+ static void **mem_ptr_to_prev_field(void *chunk)
+ {
+- return (NULL != chunk ? (void **)((char *)chunk + MEM_SIZE_FIELD) : NULL);
++ return (NULL != chunk ? (void **)((char *)chunk + MEM_SIZE_FIELD) : (uintptr_t)NULL);
+ }
+ 
+ static void **mem_ptr_to_next_field(void *chunk, void **first_chunk)
+@@ -545,9 +557,9 @@ int zbx_mem_create(zbx_mem_info_t **info, zbx_uint64_t size, const char *descr,
+ 
+ /* allocate shared memory */
+ 
+- if (4 != ZBX_PTR_SIZE && 8 != ZBX_PTR_SIZE)
++ if (4 != ZBX_PTR_SIZE && 8 != ZBX_PTR_SIZE && 16 != ZBX_PTR_SIZE)
+ {
+- *error = zbx_dsprintf(*error, "failed assumption about pointer size (" ZBX_FS_SIZE_T " not in {4, 8})",
++ *error = zbx_dsprintf(*error, "failed assumption about pointer size (" ZBX_FS_SIZE_T " not in {4, 8, 16})",
+ (zbx_fs_size_t)ZBX_PTR_SIZE);
+ goto out;
+ }
+@@ -579,7 +591,7 @@ int zbx_mem_create(zbx_mem_info_t **info, zbx_uint64_t size, const char *descr,
+ 
+ /* allocate zbx_mem_info_t structure, its buckets, and description inside shared memory */
+ 
+- *info = (zbx_mem_info_t *)ALIGN8(base);
++ *info = (zbx_mem_info_t *)ALIGN16(base);
+ (*info)->shm_id = shm_id;
+ (*info)->orig_size = size;
+ size -= (char *)(*info + 1) - (char *)base;
+@@ -604,8 +616,8 @@ int zbx_mem_create(zbx_mem_info_t **info, zbx_uint64_t size, const char *descr,
+ (*info)->allow_oom = allow_oom;
+ 
+ /* prepare shared memory for further allocation by creating one big chunk */
+- (*info)->lo_bound = ALIGN8(base);
+- (*info)->hi_bound = ALIGN8((char *)base + size - 8);
++ (*info)->lo_bound = ALIGN16(base);
++ (*info)->hi_bound = ALIGN16((char *)base + size - 16);
+ 
+ (*info)->total_size = (zbx_uint64_t)((char *)((*info)->hi_bound) - (char *)((*info)->lo_bound) -
+ 2 * MEM_SIZE_FIELD);
+@@ -613,8 +625,8 @@ int zbx_mem_create(zbx_mem_info_t **info, zbx_uint64_t size, const char *descr,
+ index = mem_bucket_by_size((*info)->total_size);
+ (*info)->buckets[index] = (*info)->lo_bound;
+ mem_set_chunk_size((*info)->buckets[index], (*info)->total_size);
+- mem_set_prev_chunk((*info)->buckets[index], NULL);
+- mem_set_next_chunk((*info)->buckets[index], NULL);
++ mem_set_prev_chunk((*info)->buckets[index], (void*)(uintptr_t)NULL);
++ mem_set_next_chunk((*info)->buckets[index], (void*)(uintptr_t)NULL);
+ 
+ (*info)->used_size = 0;
+ (*info)->free_size = (*info)->total_size;
+@@ -776,7 +788,7 @@ void zbx_mem_dump_stats(int level, zbx_mem_info_t *info)
+ continue;
+ 
+ zabbix_log(level, "free chunks of size %2s %3d bytes: %8u", i == MEM_BUCKET_COUNT - 1 ? ">=" : "",
+- MEM_MIN_BUCKET_SIZE + 8 * i, stats.chunks_num[i]);
++ MEM_MIN_BUCKET_SIZE + 16 * i, stats.chunks_num[i]);
+ }
+ 
+ zabbix_log(level, "min chunk size: %10llu bytes", (unsigned long long)stats.min_chunk_size);
+@@ -806,14 +818,14 @@ size_t zbx_mem_required_size(int chunks_num, const char *descr, const char *para
+ /* that we will be able to get ourselves 'chunks_num' pieces of memory with a */
+ /* total size of 'size', given that we also have to store 'descr' and 'param'? */
+ 
+- size += 7; /* ensure we allocate enough to 8-align zbx_mem_info_t */
++ size += 15; /* ensure we allocate enough to 16-align zbx_mem_info_t */
+ size += sizeof(zbx_mem_info_t);
+ size += ZBX_PTR_SIZE - 1; /* ensure we allocate enough to align bucket pointers */
+ size += ZBX_PTR_SIZE * MEM_BUCKET_COUNT;
+ size += strlen(descr) + 1;
+ size += strlen(param) + 1;
+- size += (MEM_SIZE_FIELD - 1) + 8; /* ensure we allocate enough to align the first chunk */
+- size += (MEM_SIZE_FIELD - 1) + 8; /* ensure we allocate enough to align right size field */
++ size += (MEM_SIZE_FIELD - 1) + 16; /* ensure we allocate enough to align the first chunk */
++ size += (MEM_SIZE_FIELD - 1) + 16; /* ensure we allocate enough to align right size field */
+ 
+ size += (chunks_num - 1) * MEM_SIZE_FIELD * 2; /* each additional chunk requires 16 bytes of overhead */
+ size += chunks_num * (MEM_MIN_ALLOC - 1); /* each chunk has size of at least MEM_MIN_ALLOC bytes */
+-- 
+2.34.1
+
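Review bot: `mem_ptr_to_prev_field` now returns `(uintptr_t)NULL` from a conditional whose other arm is `void **`; mixing an integer and a pointer operand in `?:` is a constraint violation in C and the function's return type is still `void **`, so the original `NULL` (or `(void **)0`) belongs there, and the `(void*)(uintptr_t)NULL` arguments to mem_set_prev_chunk/mem_set_next_chunk are likewise just `NULL`. The new `ALIGN16` uses `#if __has_builtin(...)` without a preceding `#if defined(__has_builtin)` test, which is a preprocessing error on compilers that lack the operator; the same applies to the TYPEALIGN macros in 0005-embed-fix-alignment-issues.patch. The 16-byte rounding in `mem_proper_alloc_size`, the `>> 4` bucket index and the `16 * i` label in `zbx_mem_dump_stats` are unconditional rather than keyed on `ZBX_PTR_SIZE`, so an 8-byte-pointer build now gets `MEM_MIN_ALLOC` = 24, which is not a multiple of 16, and bucket labels (24, 40, 56, …) that do not line up with 16-byte-rounded chunk sizes. Two comments are now stale: `should be a multiple of 8` on `MEM_MIN_ALLOC` should read `should be a multiple of 16 and at least (2 * ZBX_PTR_SIZE)`, and `each additional chunk requires 16 bytes of overhead` should say `2 * MEM_SIZE_FIELD bytes` now that the size field is `ZBX_PTR_SIZE` wide.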
diff --git a/recipes-connectivity/zabbix/cheri-patches/0002-duktape-set-shift-to-5-for-CHERI.patch b/recipes-connectivity/zabbix/cheri-patches/0002-duktape-set-shift-to-5-for-CHERI.patch
new file mode 100644
index 0000000..8e479aa
--- /dev/null
+++ b/recipes-connectivity/zabbix/cheri-patches/0002-duktape-set-shift-to-5-for-CHERI.patch
@@ -0,0 +1,55 @@
+From 564a236360252558b2ac360e30d5d141b8c8ed1a Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Tue, 28 Nov 2023 10:43:58 +0000
+Subject: [PATCH 2/7] duktape: set shift to 5 for CHERI
+
+The duk_tval struct is of size 5 now
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ src/libs/zbxembed/duktape.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/libs/zbxembed/duktape.c b/src/libs/zbxembed/duktape.c
+index da87cb0..e3b439f 100644
+--- a/src/libs/zbxembed/duktape.c
++++ b/src/libs/zbxembed/duktape.c
+@@ -51113,6 +51113,11 @@ duk_heap *duk_heap_alloc(duk_alloc_function alloc_func,
+ * This will be optimized away in practice; unfortunately a
+ * warning is generated on some compilers as a result.
+ */
++#ifdef __CHERI_PURE_CAPABILITY__
++ if (sizeof(duk_tval) != 32) {
++ fatal_func(heap_udata, "sizeof(duk_tval) not 32, cannot use DUK_USE_EXEC_REGCONST_OPTIMIZE option");
++ }
++#else
+ #if defined(DUK_USE_PACKED_TVAL)
+ if (sizeof(duk_tval) != 8) {
+ #else
+@@ -51120,6 +51125,7 @@ duk_heap *duk_heap_alloc(duk_alloc_function alloc_func,
+ #endif
+ fatal_func(heap_udata, "sizeof(duk_tval) not 8 or 16, cannot use DUK_USE_EXEC_REGCONST_OPTIMIZE option");
+ }
++#endif
+ #endif /* DUK_USE_EXEC_REGCONST_OPTIMIZE */
+ 
+ /*
+@@ -79960,11 +79966,15 @@ DUK_LOCAL duk_bool_t duk__executor_handle_call(duk_hthread *thr, duk_idx_t idx,
+ #define DUK__RCBIT_B DUK_BC_REGCONST_B
+ #define DUK__RCBIT_C DUK_BC_REGCONST_C
+ #if defined(DUK_USE_EXEC_REGCONST_OPTIMIZE)
++#ifdef __CHERI_PURE_CAPABILITY__
++#define DUK__TVAL_SHIFT 5 /* sizeof(duk_tval) == 32 */
++#else
+ #if defined(DUK_USE_PACKED_TVAL)
+ #define DUK__TVAL_SHIFT 3 /* sizeof(duk_tval) == 8 */
+ #else
+ #define DUK__TVAL_SHIFT 4 /* sizeof(duk_tval) == 16; not always the case so also asserted for */
+ #endif
++#endif
+ #define DUK__SHIFT_A (DUK_BC_SHIFT_A - DUK__TVAL_SHIFT)
+ #define DUK__SHIFT_B (DUK_BC_SHIFT_B - DUK__TVAL_SHIFT)
+ #define DUK__SHIFT_C (DUK_BC_SHIFT_C - DUK__TVAL_SHIFT)
+-- 
+2.34.1
+
diff --git a/recipes-connectivity/zabbix/cheri-patches/0003-duktape-add-aling-to-16.patch b/recipes-connectivity/zabbix/cheri-patches/0003-duktape-add-aling-to-16.patch
new file mode 100644
index 0000000..0a2169a
--- /dev/null
+++ b/recipes-connectivity/zabbix/cheri-patches/0003-duktape-add-aling-to-16.patch
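Review bot: The embedded patch description says `The duk_tval struct is of size 5 now`, but 5 is the shift (`DUK__TVAL_SHIFT 5`) and the struct is 32 bytes; since this text is what a maintainer will read from the cheri-patches directory, it should say `sizeof(duk_tval) is 32 bytes under purecap (two capabilities), so the reg/const shift becomes 5`. The run-time sizeof check in duk_heap_alloc and the shift macro are both keyed on `__CHERI_PURE_CAPABILITY__`, which is consistent, but they only agree by convention; a `DUK_ASSERT(sizeof(duk_tval) == (1 << DUK__TVAL_SHIFT));` next to the macro block would tie the two together for every target. The inserted `#ifdef`/`#else`/`#endif` around the existing `DUK_USE_PACKED_TVAL` check nests three preprocessor levels deep inside a function body; a trailing `/* __CHERI_PURE_CAPABILITY__ */` on the new `#endif` would make the pairing readable.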
@@ -0,0 +1,121 @@
+From de0a642da6f8fe57f0174c6e11d3c75152869041 Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Tue, 28 Nov 2023 14:02:26 +0000
+Subject: [PATCH 3/7] duktape: add aling to 16
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ src/libs/zbxembed/duk_config.h | 4 +++-
+ src/libs/zbxembed/duktape.c | 25 +++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/src/libs/zbxembed/duk_config.h b/src/libs/zbxembed/duk_config.h
+index e172f6a..e336fa7 100644
+--- a/src/libs/zbxembed/duk_config.h
++++ b/src/libs/zbxembed/duk_config.h
+@@ -2590,6 +2590,8 @@ typedef struct duk_hthread duk_context;
+ * compiler/architecture specific.
+ */
+ 
++#define DUK_USE_ALIGN_BY 16
++
+ /* If not forced, use safe default for alignment. */
+ #if !defined(DUK_USE_ALIGN_BY)
+ #define DUK_USE_ALIGN_BY 8
+@@ -2969,7 +2971,7 @@ typedef struct duk_hthread duk_context;
+ #undef DUK_USE_EXEC_PREFER_SIZE
+ #define DUK_USE_EXEC_REGCONST_OPTIMIZE
+ #undef DUK_USE_EXEC_TIMEOUT_CHECK
+-#undef DUK_USE_EXPLICIT_NULL_INIT
++#define DUK_USE_EXPLICIT_NULL_INIT
+ #undef DUK_USE_EXTSTR_FREE
+ #undef DUK_USE_EXTSTR_INTERN_CHECK
+ #undef DUK_USE_FASTINT
+diff --git a/src/libs/zbxembed/duktape.c b/src/libs/zbxembed/duktape.c
+index e3b439f..6611a6e 100644
+--- a/src/libs/zbxembed/duktape.c
++++ b/src/libs/zbxembed/duktape.c
+@@ -6933,6 +6933,8 @@ DUK_INTERNAL_DECL void duk_hobject_assert_valid(duk_hobject *h);
+ #define DUK_HOBJECT_E_FLAG_PADDING(e_sz) ((8 - (e_sz)) & 0x07)
+ #elif (DUK_USE_ALIGN_BY == 1)
+ #define DUK_HOBJECT_E_FLAG_PADDING(e_sz) 0
++#elif (DUK_USE_ALIGN_BY == 16)
++#define DUK_HOBJECT_E_FLAG_PADDING(e_sz) ((16 - (e_sz)) & 0xF)
+ #else
+ #error invalid DUK_USE_ALIGN_BY
+ #endif
+@@ -7242,6 +7244,8 @@ DUK_INTERNAL_DECL void duk_hobject_assert_valid(duk_hobject *h);
+ #define DUK_HOBJECT_ALIGN_TARGET 8
+ #elif (DUK_USE_ALIGN_BY == 1)
+ #define DUK_HOBJECT_ALIGN_TARGET 1
++#elif (DUK_USE_ALIGN_BY == 16)
++#define DUK_HOBJECT_ALIGN_TARGET 16
+ #else
+ #error invalid DUK_USE_ALIGN_BY
+ #endif
+@@ -8793,6 +8797,9 @@ struct duk_hbuffer {
+ #if (DUK_USE_ALIGN_BY == 8) && defined(DUK_USE_PACK_MSVC_PRAGMA)
+ #pragma pack(push, 8)
+ #endif
++#if (DUK_USE_ALIGN_BY == 16) && defined(DUK_USE_PACK_MSVC_PRAGMA)
++#pragma pack(push, 16)
++#endif
+ struct duk_hbuffer_fixed {
+ /* A union is used here as a portable struct size / alignment trick:
+ * by adding a 32-bit or a 64-bit (unused) union member, the size of
+@@ -8813,9 +8820,15 @@ struct duk_hbuffer_fixed {
+ duk_uint32_t dummy_for_align4;
+ #elif (DUK_USE_ALIGN_BY == 8)
+ duk_double_t dummy_for_align8_1;
++#elif (DUK_USE_ALIGN_BY == 16)
++ duk_uint8_t dummy_for_align16_1[16];
+ #if defined(DUK_USE_64BIT_OPS)
++#if (DUK_USE_ALIGN_BY == 16)
++ duk_uint64_t dummy_for_align16_2[2];
++#else
+ duk_uint64_t dummy_for_align8_2;
+ #endif
++#endif
+ #elif (DUK_USE_ALIGN_BY == 1)
+ /* no extra padding */
+ #else
+@@ -8840,10 +8853,16 @@ struct duk_hbuffer_fixed {
+ __attribute__((aligned(8)))
+ #elif (DUK_USE_ALIGN_BY == 8) && defined(DUK_USE_PACK_CLANG_ATTR)
+ __attribute__((aligned(8)))
++#elif (DUK_USE_ALIGN_BY == 16) && defined(DUK_USE_PACK_GCC_ATTR)
++__attribute__((aligned(16)))
++#elif (DUK_USE_ALIGN_BY == 16) && defined(DUK_USE_PACK_CLANG_ATTR)
++__attribute__((aligned(16)))
+ #endif
+ ;
+ #if (DUK_USE_ALIGN_BY == 8) && defined(DUK_USE_PACK_MSVC_PRAGMA)
+ #pragma pack(pop)
++#elif (DUK_USE_ALIGN_BY == 16) && defined(DUK_USE_PACK_MSVC_PRAGMA)
++#pragma pack(pop)
+ #endif
+ 
+ /* Dynamic buffer with 'curr_alloc' pointing to a dynamic area allocated using
+@@ -65392,6 +65411,8 @@ DUK_INTERNAL void duk_hthread_create_builtin_objects(duk_hthread *thr) {
+ "a8"
+ #elif (DUK_USE_ALIGN_BY == 1)
+ "a1"
++#elif (DUK_USE_ALIGN_BY == 16)
++ "a16"
+ #else
+ #error invalid DUK_USE_ALIGN_BY
+ #endif
+@@ -93466,6 +93487,10 @@ DUK_LOCAL duk_uint_t duk__selftest_struct_align(void) {
+ if ((sizeof(duk_hbuffer_fixed) % 8) != 0) {
+ DUK__FAILED("sizeof(duk_hbuffer_fixed) not aligned to 8");
+ }
++#elif (DUK_USE_ALIGN_BY == 16)
++ if ((sizeof(duk_hbuffer_fixed) % 16) != 0) {
++ DUK__FAILED("sizeof(duk_hbuffer_fixed) not aligned to 16");
++ }
+ #elif (DUK_USE_ALIGN_BY == 1)
+ /* no check */
+ #else
+-- 
+2.34.1
+
diff --git a/recipes-connectivity/zabbix/cheri-patches/0004-embed-use-padding-of-16-not-8-for-alloc.patch b/recipes-connectivity/zabbix/cheri-patches/0004-embed-use-padding-of-16-not-8-for-alloc.patch
new file mode 100644
index 0000000..873aa1e
--- /dev/null
+++ b/recipes-connectivity/zabbix/cheri-patches/0004-embed-use-padding-of-16-not-8-for-alloc.patch
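Review bot: `#define DUK_USE_ALIGN_BY 16` is added to duk_config.h unconditionally, ahead of the `#if !defined(DUK_USE_ALIGN_BY)` default, so every target — not only purecap — now gets 16-byte alignment; wrapping it as `#if defined(__CHERI_PURE_CAPABILITY__)` / `#define DUK_USE_ALIGN_BY 16` / `#endif` keeps the other builds on the default 8. In the `duk_hbuffer_fixed` union the existing `#if defined(DUK_USE_64BIT_OPS)` block has ended up inside the new `== 16` branch, so the `== 8` branch no longer emits `dummy_for_align8_2` and the inner `#if (DUK_USE_ALIGN_BY == 16)` is always true where it is evaluated; the `== 8` branch should keep its original member and the `== 16` branch only needs `dummy_for_align16_2[2]`. Note also that `duk_uint8_t dummy_for_align16_1[16]` has alignment 1, so the union member alone does not force 16-byte alignment — that rests on the `__attribute__((aligned(16)))` added further down, which is only emitted when `DUK_USE_PACK_GCC_ATTR` or `DUK_USE_PACK_CLANG_ATTR` is defined, and the self-test only checks `sizeof % 16`, not the alignment itself. The `DUK_USE_EXPLICIT_NULL_INIT` flip is unrelated to alignment and deserves a line in the description.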
@@ -0,0 +1,85 @@
+From 309955f76bf0252ee73ca234d94d0419371d7e83 Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Mon, 27 Nov 2023 10:32:37 +0000
+Subject: [PATCH 4/7] embed: use padding of 16 not 8 for allocators
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ src/libs/zbxembed/embed.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/src/libs/zbxembed/embed.c b/src/libs/zbxembed/embed.c
+index 0e1b349..23b0d47 100644
+--- a/src/libs/zbxembed/embed.c
++++ b/src/libs/zbxembed/embed.c
+@@ -28,8 +28,10 @@
+ 
+ #include "duktape.h"
+ 
+-#define ZBX_ES_MEMORY_LIMIT (1024 * 1024 * 64)
+-#define ZBX_ES_STACK_LIMIT 1000
++#define ZBX_ES_MEMORY_LIMIT (1024 * 1024 * 128)
++#define ZBX_ES_STACK_LIMIT (1000*2)
++
++#define ZBX_ES_PAD (16)
+ 
+ /* maximum number of consequent runtime errors after which it's treated as fatal error */
+ #define ZBX_ES_MAX_CONSEQUENT_RT_ERROR 3
+@@ -64,7 +66,7 @@ static void *es_malloc(void *udata, duk_size_t size)
+ zbx_es_env_t *env = (zbx_es_env_t *)udata;
+ uint64_t *uptr;
+ 
+- if (env->total_alloc + size + 8 > ZBX_ES_MEMORY_LIMIT)
++ if (env->total_alloc + size + ZBX_ES_PAD > ZBX_ES_MEMORY_LIMIT)
+ {
+ if (NULL == env->ctx)
+ env->error = zbx_strdup(env->error, "cannot allocate memory");
+@@ -72,8 +74,8 @@ static void *es_malloc(void *udata, duk_size_t size)
+ return NULL;
+ }
+ 
+- env->total_alloc += (size + 8);
+- uptr = zbx_malloc(NULL, size + 8);
++ env->total_alloc += (size + ZBX_ES_PAD);
++ uptr = zbx_malloc(NULL, size + ZBX_ES_PAD);
+ *uptr++ = size;
+ 
+ return uptr;
+@@ -88,12 +90,12 @@ static void *es_realloc(void *udata, void *ptr, duk_size_t size)
+ if (NULL != uptr)
+ {
+ --uptr;
+- old_size = *uptr + 8;
++ old_size = *uptr + ZBX_ES_PAD;
+ }
+ else
+ old_size = 0;
+ 
+- if (env->total_alloc + size + 8 - old_size > ZBX_ES_MEMORY_LIMIT)
++ if (env->total_alloc + size + ZBX_ES_PAD - old_size > ZBX_ES_MEMORY_LIMIT)
+ {
+ if (NULL == env->ctx)
+ env->error = zbx_strdup(env->error, "cannot allocate memory");
+@@ -101,8 +103,8 @@ static void *es_realloc(void *udata, void *ptr, duk_size_t size)
+ return NULL;
+ }
+ 
+- env->total_alloc += size + 8 - old_size;
+- uptr = zbx_realloc(uptr, size + 8);
++ env->total_alloc += size + ZBX_ES_PAD - old_size;
++ uptr = zbx_realloc(uptr, size + ZBX_ES_PAD);
+ *uptr++ = size;
+ 
+ return uptr;
+@@ -115,7 +117,7 @@ static void es_free(void *udata, void *ptr)
+ 
+ if (NULL != ptr)
+ {
+- env->total_alloc -= (*(--uptr) + 8);
++ env->total_alloc -= (*(--uptr) + ZBX_ES_PAD);
+ zbx_free(uptr);
+ }
+ }
+-- 
+2.34.1
+
diff --git a/recipes-connectivity/zabbix/cheri-patches/0005-embed-fix-alignment-issues.patch b/recipes-connectivity/zabbix/cheri-patches/0005-embed-fix-alignment-issues.patch
new file mode 100644
index 0000000..36b8638
--- /dev/null
+++ b/recipes-connectivity/zabbix/cheri-patches/0005-embed-fix-alignment-issues.patch
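Review bot: Besides introducing `ZBX_ES_PAD`, this patch doubles `ZBX_ES_MEMORY_LIMIT` to 128 MiB and `ZBX_ES_STACK_LIMIT` to 2000, which the subject (`use padding of 16 not 8 for allocators`) does not mention. Those two constants bound the heap and recursion depth an embedded script may consume inside the server process, so loosening them is a resource-limit change in its own right and should be a separate commit, or at least carry a comment on the defines stating the reason (e.g. `/* capabilities are 16 bytes wide, so the same scripts need roughly twice the heap and stack */`, if that is the motivation). `uptr` is a `uint64_t *` and `*uptr++ = size` writes only the first 8 bytes of the 16-byte pad, so `ZBX_ES_PAD` is sized for capability alignment rather than for the header it holds; a comment saying so, `/* header is 8 bytes; padded to 16 so the returned pointer stays capability-aligned */`, would stop someone shrinking it back. The bodies of es_malloc, es_realloc and es_free extend beyond the embedded hunks.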
@@ -0,0 +1,93 @@
+From f6c3242099c8ee29ed5e9d9bfb0ee65661f5321f Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Tue, 28 Nov 2023 09:50:06 +0000
+Subject: [PATCH 5/7] embed: fix alignment issues
+
+The zabbix internal embed allocators will take a properly aligned
+pointer, cast it to u64 pointer store the allocated size in its
+first memory chunk and then use u64 pointer aritchmetic to increment the
+pointer. This is then returned as the base address for the allocated heap.
+
+In CHERI this means that the base adress of the memory area which is then
+interpreted as an address of a capability will be misalligned as
+mod 16 will not be zero. This can be fixed by using align/up down but
+preferably a data object should be created here with [.size, .pdata]
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ src/libs/zbxembed/embed.c | 29 +++++++++++++++++++++++------
+ 1 file changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/src/libs/zbxembed/embed.c b/src/libs/zbxembed/embed.c
+index 23b0d47..f4b3a22 100644
+--- a/src/libs/zbxembed/embed.c
++++ b/src/libs/zbxembed/embed.c
+@@ -39,6 +39,22 @@
+ #define ZBX_ES_SCRIPT_HEADER "function(value){"
+ #define ZBX_ES_SCRIPT_FOOTER "\n}"
+ 
++#if __has_builtin(__builtin_align_up)
++#define TYPEALIGN(ALIGNVAL,LEN) \
++ (__builtin_align_up((LEN), ALIGNVAL))
++#else
++#define TYPEALIGN(ALIGNVAL,LEN) \
++ (((uintptr_t) (LEN) + ((ALIGNVAL) - 1)) & ~((uintptr_t) ((ALIGNVAL) - 1)))
++#endif
++
++#if __has_builtin(__builtin_align_down)
++#define TYPEALIGN_DOWN(ALIGNVAL,LEN) \
++ (__builtin_align_down((LEN), ALIGNVAL))
++#else
++#define TYPEALIGN_DOWN(ALIGNVAL,LEN) \
++ (((uintptr_t) (LEN)) & ~((uintptr_t) ((ALIGNVAL) - 1)))
++#endif
++
+ /******************************************************************************
+ * *
+ * Function: es_handle_error *
+@@ -78,7 +94,7 @@ static void *es_malloc(void *udata, duk_size_t size)
+ uptr = zbx_malloc(NULL, size + ZBX_ES_PAD);
+ *uptr++ = size;
+ 
+- return uptr;
++ return TYPEALIGN(16,uptr);
+ }
+ 
+ static void *es_realloc(void *udata, void *ptr, duk_size_t size)
+@@ -90,7 +106,7 @@ static void *es_realloc(void *udata, void *ptr, duk_size_t size)
+ if (NULL != uptr)
+ {
+ --uptr;
+- old_size = *uptr + ZBX_ES_PAD;
++ old_size = *TYPEALIGN_DOWN(16,uptr) + ZBX_ES_PAD;
+ }
+ else
+ old_size = 0;
+@@ -104,10 +120,10 @@ static void *es_realloc(void *udata, void *ptr, duk_size_t size)
+ }
+ 
+ env->total_alloc += size + ZBX_ES_PAD - old_size;
+- uptr = zbx_realloc(uptr, size + ZBX_ES_PAD);
++ uptr = zbx_realloc(TYPEALIGN_DOWN(16,uptr), size + ZBX_ES_PAD);
+ *uptr++ = size;
+ 
+- return uptr;
++ return TYPEALIGN(16, uptr);
+ }
+ 
+ static void es_free(void *udata, void *ptr)
+@@ -117,8 +133,9 @@ static void es_free(void *udata, void *ptr)
+ 
+ if (NULL != ptr)
+ {
+- env->total_alloc -= (*(--uptr) + ZBX_ES_PAD);
+- zbx_free(uptr);
++ env->total_alloc -= (*(TYPEALIGN_DOWN(16,--uptr)) + ZBX_ES_PAD);
++ void * ptr_aligned = TYPEALIGN_DOWN(16,uptr);
++ zbx_free(ptr_aligned);
+ }
+ }
+ 
+-- 
+2.34.1
+
diff --git a/recipes-connectivity/zabbix/cheri-patches/0006-duk_config-use-debug-and-self-test.patch b/recipes-connectivity/zabbix/cheri-patches/0006-duk_config-use-debug-and-self-test.patch
new file mode 100644
index 0000000..1e3253e
--- /dev/null
+++ b/recipes-connectivity/zabbix/cheri-patches/0006-duk_config-use-debug-and-self-test.patch
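Review bot: In the `#else` fallback `TYPEALIGN_DOWN` expands to a `uintptr_t` expression, so `*TYPEALIGN_DOWN(16,uptr)` in es_realloc and `*(TYPEALIGN_DOWN(16,--uptr))` in es_free dereference an integer and `zbx_free(TYPEALIGN_DOWN(...))`/`zbx_realloc(TYPEALIGN_DOWN(...), ...)` pass one — that branch does not compile, and the `__has_builtin` test itself is unguarded by `#if defined(__has_builtin)`; either cast the macro result back to `(uint64_t *)` in the fallback or drop the fallback and require the builtin. The scheme is also only correct if `zbx_malloc` returns 16-byte-aligned memory: `*uptr++ = size` stores the header at the allocation base, the caller receives `TYPEALIGN(16, base+8)` = base+16, and `TYPEALIGN_DOWN(16, ptr-8)` walks back to base, but with an 8-aligned base the caller gets base+8 and the align-down in es_realloc/es_free lands 8 bytes before the allocation. The description already names the cleaner fix — a header `struct { uint64_t size; }` declared with `_Alignas(16)` (or `__attribute__((aligned(16)))`) placed at the allocation base, with `ZBX_ES_PAD` defined as `sizeof` that struct — which removes both the arithmetic and the alignment assumption. The bodies of es_malloc, es_realloc and es_free start outside the embedded hunks.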
@@ -0,0 +1,46 @@
+From ce62aabf204b39cde2dae5e62a7ff0d5cc3236b8 Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Tue, 28 Nov 2023 08:18:20 +0000
+Subject: [PATCH 6/7] duk_config: use debug and self test
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ src/libs/zbxembed/duk_config.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libs/zbxembed/duk_config.h b/src/libs/zbxembed/duk_config.h
+index e336fa7..90e6b7a 100644
+--- a/src/libs/zbxembed/duk_config.h
++++ b/src/libs/zbxembed/duk_config.h
+@@ -2938,7 +2938,7 @@ typedef struct duk_hthread duk_context;
+ #undef DUK_USE_DATE_GET_NOW
+ #undef DUK_USE_DATE_PARSE_STRING
+ #undef DUK_USE_DATE_PRS_GETDATE
+-#undef DUK_USE_DEBUG
++#define DUK_USE_DEBUG
+ #undef DUK_USE_DEBUGGER_DUMPHEAP
+ #undef DUK_USE_DEBUGGER_INSPECT
+ #undef DUK_USE_DEBUGGER_PAUSE_UNCAUGHT
+@@ -2946,8 +2946,8 @@ typedef struct duk_hthread duk_context;
+ #define DUK_USE_DEBUGGER_THROW_NOTIFY
+ #undef DUK_USE_DEBUGGER_TRANSPORT_TORTURE
+ #define DUK_USE_DEBUG_BUFSIZE 65536L
+-#define DUK_USE_DEBUG_LEVEL 0
+-#undef DUK_USE_DEBUG_WRITE
++#define DUK_USE_DEBUG_LEVEL 1
++#define DUK_USE_DEBUG_WRITE
+ #define DUK_USE_DOUBLE_LINKED_HEAP
+ #define DUK_USE_DUKTAPE_BUILTIN
+ #define DUK_USE_ENCODING_BUILTINS
+@@ -3063,7 +3063,7 @@ typedef struct duk_hthread duk_context;
+ #define DUK_USE_ROM_PTRCOMP_FIRST 63488L
+ #undef DUK_USE_ROM_STRINGS
+ #define DUK_USE_SECTION_B
+-#undef DUK_USE_SELF_TESTS
++#define DUK_USE_SELF_TESTS
+ #define DUK_USE_SHEBANG_COMMENTS
+ #undef DUK_USE_SHUFFLE_TORTURE
+ #define DUK_USE_SOURCE_NONBMP
+-- 
+2.34.1
+
diff --git a/recipes-connectivity/zabbix/cheri-patches/0007-duktape-fix-stack-reallocation.patch b/recipes-connectivity/zabbix/cheri-patches/0007-duktape-fix-stack-reallocation.patch
new file mode 100644
index 0000000..da1d07f
--- /dev/null
+++ b/recipes-connectivity/zabbix/cheri-patches/0007-duktape-fix-stack-reallocation.patch
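Review bot: `DUK_USE_DEBUG`, `DUK_USE_DEBUG_WRITE`, `DUK_USE_DEBUG_LEVEL 1` and `DUK_USE_SELF_TESTS` are switched on unconditionally in the shipped duk_config.h, so every build of the zabbix embedded-script engine — not only a debugging session — pays for debug logging and start-up self tests, and that logging becomes part of the server's runtime behaviour. The one-line description does not say whether this is intended to be permanent; if it is a development aid, gate it with a macro the recipe sets only for debug builds (e.g. `#if defined(MORELLO_DUK_DEBUG)` — a constructed name) or drop the patch from SRC_URI for release images, and say so in the description. `DUK_USE_DEBUG_WRITE` is defined empty here; as far as I recall Duktape expects it to be a function-like macro that receives the formatted log line, so unless a sink is provided somewhere outside this hunk the debug output is being discarded at compile time.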
@@ -0,0 +1,64 @@
+From ca89c8d2ae32f4ecfbcfe5be59acfd6e1ecaf16e Mon Sep 17 00:00:00 2001
+From: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+Date: Tue, 28 Nov 2023 16:37:48 +0000
+Subject: [PATCH 7/7] duk_api_stack: fix stack reallocation
+
+The ptr_diff is taken between the post reallocation new_valstack pointer
+and pre-allocation thr->valstack pointer variables and then added to the
+old base pointer. This will not work in CHERI and is also not officialy
+supported by the C standard.
+
+Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk
+---
+ src/libs/zbxembed/duktape.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/src/libs/zbxembed/duktape.c b/src/libs/zbxembed/duktape.c
+index 6611a6e..425bf43 100644
+--- a/src/libs/zbxembed/duktape.c
++++ b/src/libs/zbxembed/duktape.c
+@@ -19380,7 +19380,10 @@ DUK_LOCAL DUK_COLD DUK_NOINLINE duk_bool_t duk__resize_valstack(duk_hthread *thr
+ duk_tval *pre_top;
+ duk_tval *pre_end;
+ duk_tval *pre_alloc_end;
+- duk_ptrdiff_t ptr_diff;
++ duk_ptrdiff_t diff_bottom;
++ duk_ptrdiff_t diff_top;
++ duk_ptrdiff_t diff_end;
++ duk_ptrdiff_t diff_alloc_end;
+ duk_tval *new_valstack;
+ duk_size_t new_alloc_size;
+ duk_tval *tv_prev_alloc_end;
+@@ -19476,16 +19479,23 @@ DUK_LOCAL DUK_COLD DUK_NOINLINE duk_bool_t duk__resize_valstack(duk_hthread *thr
+ DUK_ASSERT(thr->valstack_alloc_end >= thr->valstack_end);
+
+ /* Write new pointers. Most pointers can be handled as a pointer
+- * difference.
++ * difference.
+ */
+- ptr_diff = (duk_ptrdiff_t) ((duk_uint8_t *) new_valstack - (duk_uint8_t *) thr->valstack);
+- tv_prev_alloc_end = (duk_tval *) (void *) ((duk_uint8_t *) thr->valstack_alloc_end + ptr_diff);
++
++ diff_bottom = (duk_ptrdiff_t) ((duk_uint8_t *) thr->valstack_bottom - (duk_uint8_t *) thr->valstack);
++ diff_top = (duk_ptrdiff_t) ((duk_uint8_t *) thr->valstack_top - (duk_uint8_t *) thr->valstack);
++ diff_end = (duk_ptrdiff_t) ((duk_uint8_t *) thr->valstack_end - (duk_uint8_t *) thr->valstack);
++ diff_alloc_end = (duk_ptrdiff_t) ((duk_uint8_t *) thr->valstack_alloc_end - (duk_uint8_t *) thr->valstack);
++ tv_prev_alloc_end = (duk_tval *) (void *) ((duk_uint8_t *) new_valstack + diff_alloc_end);
++
+ thr->valstack = new_valstack;
+- thr->valstack_bottom = (duk_tval *) (void *) ((duk_uint8_t *) thr->valstack_bottom + ptr_diff);
+- thr->valstack_top = (duk_tval *) (void *) ((duk_uint8_t *) thr->valstack_top + ptr_diff);
+- thr->valstack_end = (duk_tval *) (void *) ((duk_uint8_t *) thr->valstack_end + ptr_diff);
++
++ thr->valstack_bottom = (duk_tval *) (void *) ((duk_uint8_t *) new_valstack + diff_bottom);
++ thr->valstack_top = (duk_tval *) (void *) ((duk_uint8_t *) new_valstack + diff_top);
++ thr->valstack_end = (duk_tval *) (void *) ((duk_uint8_t *) new_valstack + diff_end);
+ thr->valstack_alloc_end = (duk_tval *) (void *) ((duk_uint8_t *) new_valstack + new_alloc_size);
+
++
+ /* Assertions: pointer sanity after pointer updates. */
+ DUK_ASSERT(thr->valstack_bottom >= thr->valstack);
+ DUK_ASSERT(thr->valstack_top >= thr->valstack_bottom);
+--
+2.34.1
+
diff --git a/recipes-connectivity/zabbix/files/COPYING b/recipes-connectivity/zabbix/files/COPYING
new file mode 100644
index 0000000..c1002d5
--- /dev/null
+++ b/recipes-connectivity/zabbix/files/COPYING
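Review bot: The four `diff_*` offsets are taken from thr->valstack_bottom/top/end/alloc_end only after new_valstack already exists; if the reallocation that produced new_valstack (above this hunk) has freed or moved the old block, these subtractions operate on pointers into a dead allocation, which is the kind of stale-pointer arithmetic a CHERI build is least tolerant of. Capturing the offsets before the reallocation, next to where pre_top/pre_end/pre_alloc_end are saved, would make them derive only from live pointers. The comment `/* Write new pointers. Most pointers can be handled as a pointer difference. */` now describes the removed approach and its only change here is added trailing whitespace; reword it to something like `/* Rebase each pointer as new_valstack plus its byte offset within the old stack; subtracting old and new base pointers is not valid C and does not survive CHERI. */`. The two added blank lines around the assignments are stray whitespace as well.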
@@ -0,0 +1,341 @@ + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) 19yy <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. 
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/recipes-connectivity/zabbix/files/zabbix-agentd-morello.service b/recipes-connectivity/zabbix/files/zabbix-agentd-morello.service
new file mode 100644
index 0000000..df38c1a
--- /dev/null
+++ b/recipes-connectivity/zabbix/files/zabbix-agentd-morello.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Zabbix Agent
+
+[Service]
+Environment="CONFFILE=%SYSCONFDIR%/zabbix/zabbix-agentd.conf"
+EnvironmentFile=-%SYSCONFDIR%/default/zabbix-agent
+Type=forking
+Restart=on-failure
+KillMode=control-group
+ExecStart=/bin/bash -c '%SBINDIR%/zabbix_agentd -c $CONFFILE'
+ExecStop=/bin/sh -c '[ -n "$1" ] && kill -s TERM "$1"' -- "$MAINPID"
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-connectivity/zabbix/files/zabbix-agentd.conf b/recipes-connectivity/zabbix/files/zabbix-agentd.conf
new file mode 100644
index 0000000..52dc1b3
--- /dev/null
+++ b/recipes-connectivity/zabbix/files/zabbix-agentd.conf
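Review bot: `Type=forking` is used without a `PIDFile=`, so systemd has to guess the main PID of a daemon that pre-forks its passive-check workers, and the `ExecStop` line then sends TERM to whichever `$MAINPID` it guessed; add a `PIDFile=` that matches the `PidFile` setting in zabbix-agentd.conf so stop and restart target the parent. The `/bin/bash -c` wrapper in `ExecStart` is unnecessary because systemd expands `$CONFFILE` from `Environment=`/`EnvironmentFile=` itself: `ExecStart=%SBINDIR%/zabbix_agentd -c $CONFFILE` removes a shell from the process tree and from the attack surface. The unit has no ordering against the network although the agent opens a listening socket, so `After=network.target` under `[Unit]` is the usual minimum. The standard hardening lines (`NoNewPrivileges=yes`, `ProtectSystem=full`) are worth adding once the log and PID paths in the shipped config no longer point into /tmp.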
@@ -0,0 +1,536 @@ +# This is a configuration file for Zabbix agent daemon (Unix) +# To get more information about Zabbix, visit http://www.zabbix.com + +############ GENERAL PARAMETERS ################# + +### Option: PidFile +# Name of PID file. +# +# Mandatory: no +# Default: +# PidFile=/tmp/zabbix_agentd.pid + +### Option: LogType +# Specifies where log messages are written to: +# system - syslog +# file - file specified with LogFile parameter +# console - standard output +# +# Mandatory: no +# Default: +# LogType=file + +### Option: LogFile +# Log file name for LogType 'file' parameter. +# +# Mandatory: yes, if LogType is set to file, otherwise no +# Default: +# LogFile= + +LogFile=/tmp/zabbix_agentd.log + +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Mandatory: no +# Range: 0-1024 +# Default: +# LogFileSize=1 + +### Option: DebugLevel +# Specifies debug level: +# 0 - basic information about starting and stopping of Zabbix processes +# 1 - critical information +# 2 - error information +# 3 - warnings +# 4 - for debugging (produces lots of information) +# 5 - extended debugging (produces even more information) +# +# Mandatory: no +# Range: 0-5 +# Default: +# DebugLevel=3 + +### Option: SourceIP +# Source IP address for outgoing connections. +# +# Mandatory: no +# Default: +# SourceIP= + +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no + +### Option: DenyKey +# Deny execution of items keys matching pattern. 
+# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. +# +# Mandatory: no +# Default: +# DenyKey=system.run[*] + +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no + +### Option: LogRemoteCommands +# Enable logging of executed shell commands as warnings. +# 0 - disabled +# 1 - enabled +# +# Mandatory: no +# Default: +# LogRemoteCommands=0 + +##### Passive checks related + +### Option: Server +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. +# Incoming connections will be accepted only from the hosts listed here. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# Mandatory: yes, if StartAgents is not explicitly set to 0 +# Default: +# Server= + +Server=127.0.0.1 + +### Option: ListenPort +# Agent will listen on this port for connections from the server. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# ListenPort=10050 + +### Option: ListenIP +# List of comma delimited IP addresses that the agent should listen on. +# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. 
+# +# Mandatory: no +# Default: +# ListenIP=0.0.0.0 + +### Option: StartAgents +# Number of pre-forked instances of zabbix_agentd that process passive checks. +# If set to 0, disables passive checks and the agent will not listen on any TCP port. +# +# Mandatory: no +# Range: 0-100 +# Default: +# StartAgents=3 + +##### Active checks related + +### Option: ServerActive +# Zabbix server/proxy address or cluster configuration to get active checks from. +# Server/proxy address is IP address or DNS name and optional port separated by colon. +# Cluster configuration is one or more server addresses separated by semicolon. +# Multiple Zabbix servers/clusters and Zabbix proxies can be specified, separated by comma. +# More than one Zabbix proxy should not be specified from each Zabbix server/cluster. +# If Zabbix proxy is specified then Zabbix server/cluster for that proxy should not be specified. +# Multiple comma-delimited addresses can be provided to use several independent Zabbix servers in parallel. Spaces are allowed. +# If port is not specified, default port is used. +# IPv6 addresses must be enclosed in square brackets if port for that host is specified. +# If port is not specified, square brackets for IPv6 addresses are optional. +# If this parameter is not specified, active checks are disabled. +# Example for Zabbix proxy: +# ServerActive=127.0.0.1:10051 +# Example for multiple servers: +# ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] +# Example for high availability: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051;zabbix.cluster.node3 +# Example for high availability with two clusters and one server: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051,zabbix.cluster2.node1;zabbix.cluster2.node2,zabbix.domain +# +# Mandatory: no +# Default: +# ServerActive= +# ServerActive=127.0.0.1 + +### Option: Hostname +# List of comma delimited unique, case sensitive hostnames. 
+# Required for active checks and must match hostnames as configured on the server. +# Value is acquired from HostnameItem if undefined. +# +# Mandatory: no +# Default: +# Hostname= + +# Hostname=localhost + +### Option: HostnameItem +# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. +# Does not support UserParameters or aliases. +# +# Mandatory: no +# Default: +# HostnameItem=system.hostname + +### Option: HostMetadata +# Optional parameter that defines host metadata. +# Host metadata is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostMetadataItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostMetadata= + +### Option: HostMetadataItem +# Optional parameter that defines an item used for getting host metadata. +# Host metadata is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostMetadata is not defined. +# +# Mandatory: no +# Default: +# HostMetadataItem= + +### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface= + +### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. 
+# +# Mandatory: no +# Default: +# HostInterfaceItem= + +### Option: RefreshActiveChecks +# How often list of active checks is refreshed, in seconds. +# +# Mandatory: no +# Range: 60-3600 +# Default: +# RefreshActiveChecks=120 + +### Option: BufferSend +# Do not keep data longer than N seconds in buffer. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# BufferSend=5 + +### Option: BufferSize +# Maximum number of values in a memory buffer. The agent will send +# all collected data to Zabbix Server or Proxy if the buffer is full. +# +# Mandatory: no +# Range: 2-65535 +# Default: +# BufferSize=100 + +### Option: MaxLinesPerSecond +# Maximum number of new lines the agent will send per second to Zabbix Server +# or Proxy processing 'log' and 'logrt' active checks. +# The provided value will be overridden by the parameter 'maxlines', +# provided in 'log' or 'logrt' item keys. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# MaxLinesPerSecond=20 + +############ ADVANCED PARAMETERS ################# + +### Option: Alias +# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one. +# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed. +# Different Alias keys may reference the same item key. +# For example, to retrieve the ID of user 'zabbix': +# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1] +# Now shorthand key zabbix.userid may be used to retrieve data. +# Aliases can be used in HostMetadataItem but not in HostnameItem parameters. +# +# Mandatory: no +# Range: +# Default: + +### Option: Timeout +# Spend no more than Timeout seconds on processing +# +# Mandatory: no +# Range: 1-30 +# Default: +# Timeout=3 + +### Option: AllowRoot +# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent +# will try to switch to the user specified by the User configuration option instead. 
+# Has no effect if started under a regular user. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowRoot=0 + +### Option: User +# Drop privileges to a specific, existing user on the system. +# Only has effect if run as 'root' and AllowRoot is disabled. +# +# Mandatory: no +# Default: +User=%ZABBIX_USER_NAME% + +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. +# +# Mandatory: no +# Default: +# Include= + +# Include=/usr/local/etc/zabbix_agentd.userparams.conf +# Include=/usr/local/etc/zabbix_agentd.conf.d/ +# Include=/usr/local/etc/zabbix_agentd.conf.d/*.conf + +####### USER-DEFINED MONITORED PARAMETERS ####### + +### Option: UnsafeUserParameters +# Allow all characters to be passed in arguments to user-defined parameters. +# The following characters are not allowed: +# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ +# Additionally, newline characters are not allowed. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Range: 0-1 +# Default: +# UnsafeUserParameters=0 + +### Option: UserParameter +# User-defined parameter to monitor. There can be several user-defined parameters. +# Format: UserParameter=<key>,<shell command> +# See 'zabbix_agentd' directory for examples. +# +# Mandatory: no +# Default: +# UserParameter= + +### Option: UserParameterDir +# Directory to execute UserParameter commands from. Only one entry is allowed. +# When executing UserParameter commands the agent will change the working directory to the one +# specified in the UserParameterDir option. +# This way UserParameter commands can be specified using the relative ./ prefix. +# +# Mandatory: no +# Default: +# UserParameterDir= + +####### LOADABLE MODULES ####### + +### Option: LoadModulePath +# Full path to location of agent modules. +# Default depends on compilation options. 
+# To see the default path run command "zabbix_agentd --help". +# +# Mandatory: no +# Default: +# LoadModulePath=${libdir}/modules + +### Option: LoadModule +# Module to load at agent startup. Modules are used to extend functionality of the agent. +# Formats: +# LoadModule=<module.so> +# LoadModule=<path/module.so> +# LoadModule=</abs_path/module.so> +# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. +# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. +# It is allowed to include multiple LoadModule parameters. +# +# Mandatory: no +# Default: +# LoadModule= + +####### TLS-RELATED PARAMETERS ####### + +### Option: TLSConnect +# How the agent should connect to server or proxy. Used for active checks. +# Only one value can be specified: +# unencrypted - connect without encryption +# psk - connect using TLS and a pre-shared key +# cert - connect using TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSConnect=unencrypted + +### Option: TLSAccept +# What incoming connections to accept. +# Multiple values can be specified, separated by comma: +# unencrypted - accept connections without encryption +# psk - accept connections secured with TLS and a pre-shared key +# cert - accept connections secured with TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSAccept=unencrypted + +### Option: TLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for +# peer certificate verification. +# +# Mandatory: no +# Default: +# TLSCAFile= + +### Option: TLSCRLFile +# Full pathname of a file containing revoked certificates. +# +# Mandatory: no +# Default: +# TLSCRLFile= + +### Option: TLSServerCertIssuer +# Allowed server certificate issuer. 
+# +# Mandatory: no +# Default: +# TLSServerCertIssuer= + +### Option: TLSServerCertSubject +# Allowed server certificate subject. +# +# Mandatory: no +# Default: +# TLSServerCertSubject= + +### Option: TLSCertFile +# Full pathname of a file containing the agent certificate or certificate chain. +# +# Mandatory: no +# Default: +# TLSCertFile= + +### Option: TLSKeyFile +# Full pathname of a file containing the agent private key. +# +# Mandatory: no +# Default: +# TLSKeyFile= + +### Option: TLSPSKIdentity +# Unique, case sensitive string used to identify the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKIdentity= + +### Option: TLSPSKFile +# Full pathname of a file containing the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. 
+# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +####### For advanced users - TCP-related fine-tuning parameters ####### + +## Option: ListenBacklog +# The maximum number of pending connections in the queue. This parameter is passed to +# listen() function as argument 'backlog' (see "man listen"). +# +# Mandatory: no +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) +# Default: SOMAXCONN (hard-coded constant, depends on system) +# ListenBacklog= diff --git a/recipes-connectivity/zabbix/files/zabbix-proxy.conf b/recipes-connectivity/zabbix/files/zabbix-proxy.conf new file mode 100644 index 0000000..b5bc0d5 --- /dev/null +++ b/recipes-connectivity/zabbix/files/zabbix-proxy.conf 
@@ -0,0 +1,1461 @@ +# This is a configuration file for Zabbix agent daemon (Unix) +# To get more information about Zabbix, visit http://www.zabbix.com + +############ GENERAL PARAMETERS ################# + +### Option: PidFile +# Name of PID file.# This is a configuration file for Zabbix proxy daemon +# To get more information about Zabbix, visit http://www.zabbix.com + +############ GENERAL PARAMETERS ################# + +### Option: ProxyMode +# Proxy operating mode. +# 0 - proxy in the active mode +# 1 - proxy in the passive mode +# +# Mandatory: no +# Default: +ProxyMode=0 + +### Option: Server +# If ProxyMode is set to active mode: +# IP address or DNS name (address:port) or cluster (address:port;address2:port) of Zabbix server to get configuration data from and send data to. +# If port is not specified, default port is used. +# Cluster nodes need to be separated by semicolon. +# If ProxyMode is set to passive mode: +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix server. +# Incoming connections will be accepted only from the addresses listed here. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# Mandatory: yes +# Default: +# Server= + +Server=%ZABBIX_SERVER_IPS% + +### Option: Hostname +# Unique, case sensitive Proxy name. Make sure the Proxy name is known to the server! +# Value is acquired from HostnameItem if undefined. +# +# Mandatory: no +# Default: +# Hostname= + +### Option: HostnameItem +# Item used for generating Hostname if it is undefined. +# Ignored if Hostname is defined. +# +# Mandatory: no +# Default: +# HostnameItem=system.hostname + +### Option: ListenPort +# Listen port for trapper. 
+# +# Mandatory: no +# Range: 1024-32767 +# Default: +# ListenPort=10051 +ListenPort=161 + +### Option: SourceIP +# Source IP address for outgoing connections. +# +# Mandatory: no +# Default: +# SourceIP= + +### Option: LogType +# Specifies where log messages are written to: +# system - syslog +# file - file specified with LogFile parameter +# console - standard output +# +# Mandatory: no +# Default: +# LogType=file + +### Option: LogFile +# Log file name for LogType 'file' parameter. +# +# Mandatory: yes, if LogType is set to file, otherwise no +# Default: +# LogFile= + +LogFile=/tmp/zabbix_proxy.log + +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Mandatory: no +# Range: 0-1024 +# Default: +# LogFileSize=1 + +### Option: DebugLevel +# Specifies debug level: +# 0 - basic information about starting and stopping of Zabbix processes +# 1 - critical information +# 2 - error information +# 3 - warnings +# 4 - for debugging (produces lots of information) +# 5 - extended debugging (produces even more information) +# +# Mandatory: no +# Range: 0-5 +# Default: +# DebugLevel=3 + +### Option: EnableRemoteCommands +# Whether remote commands from Zabbix server are allowed. +# 0 - not allowed +# 1 - allowed +# +# Mandatory: no +# Default: +# EnableRemoteCommands=0 + +### Option: LogRemoteCommands +# Enable logging of executed shell commands as warnings. +# 0 - disabled +# 1 - enabled +# +# Mandatory: no +# Default: +# LogRemoteCommands=0 + +### Option: PidFile +# Name of PID file. +# +# Mandatory: no +# Default: +# PidFile=/tmp/zabbix_proxy.pid + +### Option: SocketDir +# IPC socket directory. +# Directory to store IPC sockets used by internal Zabbix services. +# +# Mandatory: no +# Default: +# SocketDir=/tmp + +### Option: DBHost +# Database host name. +# If set to localhost, socket is used for MySQL. +# If set to empty string, socket is used for PostgreSQL. 
+# If set to empty string, the Net Service Name connection method is used to connect to Oracle database; also see +# the TNS_ADMIN environment variable to specify the directory where the tnsnames.ora file is located. +# +# Mandatory: no +# Default: + +### Option: DBName +# Database name. +# For SQLite3 path to database file must be provided. DBUser and DBPassword are ignored. +# If the Net Service Name connection method is used to connect to Oracle database, specify the service name from +# the tnsnames.ora file or set to empty string; also see the TWO_TASK environment variable if DBName is set to +# empty string. +# Warning: do not attempt to use the same database Zabbix server is using. +# +# Mandatory: yes +# Default: +# DBName= + +DBName=%DB_ZABBIX_NAME%_proxy + +### Option: DBSchema +# Schema name. Used for PostgreSQL. +# +# Mandatory: no +# Default: +DBSchema= + +### Option: DBUser +# Database user. Ignored for SQLite. +# +# Default: +# DBUser= + +DBUser=%DB_ZABBIX_USER_PROXY% + +### Option: DBPassword +# Database password. Ignored for SQLite. +# Comment this line if no password is used. +# +# Mandatory: no +# Default: +# DBPassword= +DBPassword=%DB_ZABBIX_PASSWORD% + +### Option: DBSocket +# Path to MySQL socket. +# +# Mandatory: no +# Default: +# DBSocket= + +# Option: DBPort +# Database port when not using local socket. Ignored for SQLite. +# If the Net Service Name connection method is used to connect to Oracle database, the port number from the +# tnsnames.ora file will be used. The port number set here will be ignored. +# +# Mandatory: no +# Default: +# DBPort= + +### Option: AllowUnsupportedDBVersions +# Allow proxy to work with unsupported database versions. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowUnsupportedDBVersions=0 + +######### PROXY SPECIFIC PARAMETERS ############# + +### Option: ProxyLocalBuffer +# Proxy will keep data locally for N hours, even if the data have already been synced with the server. 
+# This parameter may be used if local data will be used by third party applications. +# +# Mandatory: no +# Range: 0-720 +# Default: +# ProxyLocalBuffer=0 + +### Option: ProxyOfflineBuffer +# Proxy will keep data for N hours in case if no connectivity with Zabbix Server. +# Older data will be lost. +# +# Mandatory: no +# Range: 1-720 +# Default: +# ProxyOfflineBuffer=1 + +### Option: HeartbeatFrequency +# Frequency of heartbeat messages in seconds. +# Used for monitoring availability of Proxy on server side. +# 0 - heartbeat messages disabled. +# For a proxy in the passive mode this parameter will be ignored. +# +# Mandatory: no +# Range: 0-3600 +# Default: +# HeartbeatFrequency=60 + +### Option: ConfigFrequency +# How often proxy retrieves configuration data from Zabbix Server in seconds. +# For a proxy in the passive mode this parameter will be ignored. +# +# Mandatory: no +# Range: 1-3600*24*7 +# Default: +# ConfigFrequency=3600 + +### Option: DataSenderFrequency +# Proxy will send collected data to the Server every N seconds. +# For a proxy in the passive mode this parameter will be ignored. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# DataSenderFrequency=1 + +############ ADVANCED PARAMETERS ################ + +### Option: StartPollers +# Number of pre-forked instances of pollers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartPollers=5 + +### Option: StartIPMIPollers +# Number of pre-forked instances of IPMI pollers. +# The IPMI manager process is automatically started when at least one IPMI poller is started. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartIPMIPollers=0 + +### Option: StartPreprocessors +# Number of pre-forked instances of preprocessing workers. +# The preprocessing manager process is automatically started when preprocessor worker is started. 
+# +# Mandatory: no +# Range: 1-1000 +# Default: +# StartPreprocessors=3 + +### Option: StartPollersUnreachable +# Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java). +# At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers +# are started. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartPollersUnreachable=1 + +### Option: StartHistoryPollers +# Number of pre-forked instances of history pollers. +# Only required for internal checks. +# A database connection is required for each history poller instance. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartHistoryPollers=1 + +### Option: StartTrappers +# Number of pre-forked instances of trappers. +# Trappers accept incoming connections from Zabbix sender and active agents. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartTrappers=5 + +### Option: StartPingers +# Number of pre-forked instances of ICMP pingers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartPingers=1 + +### Option: StartDiscoverers +# Number of pre-forked instances of discoverers. +# +# Mandatory: no +# Range: 0-250 +# Default: +# StartDiscoverers=1 + +### Option: StartHTTPPollers +# Number of pre-forked instances of HTTP pollers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartHTTPPollers=1 + +### Option: JavaGateway +# IP address (or hostname) of Zabbix Java gateway. +# Only required if Java pollers are started. +# +# Mandatory: no +# Default: +# JavaGateway= + +### Option: JavaGatewayPort +# Port that Zabbix Java gateway listens on. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# JavaGatewayPort=10052 + +### Option: StartJavaPollers +# Number of pre-forked instances of Java pollers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartJavaPollers=0 + +### Option: StartVMwareCollectors +# Number of pre-forked vmware collector instances. 
+# +# Mandatory: no +# Range: 0-250 +# Default: +# StartVMwareCollectors=0 + +### Option: VMwareFrequency +# How often Zabbix will connect to VMware service to obtain a new data. +# +# Mandatory: no +# Range: 10-86400 +# Default: +# VMwareFrequency=60 + +### Option: VMwarePerfFrequency +# How often Zabbix will connect to VMware service to obtain performance data. +# +# Mandatory: no +# Range: 10-86400 +# Default: +# VMwarePerfFrequency=60 + +### Option: VMwareCacheSize +# Size of VMware cache, in bytes. +# Shared memory size for storing VMware data. +# Only used if VMware collectors are started. +# +# Mandatory: no +# Range: 256K-2G +# Default: +# VMwareCacheSize=8M + +### Option: VMwareTimeout +# Specifies how many seconds vmware collector waits for response from VMware service. +# +# Mandatory: no +# Range: 1-300 +# Default: +# VMwareTimeout=10 + +### Option: SNMPTrapperFile +# Temporary file used for passing data from SNMP trap daemon to the proxy. +# Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file. +# +# Mandatory: no +# Default: +SNMPTrapperFile=/tmp/zabbix_traps.tmp + +### Option: StartSNMPTrapper +# If 1, SNMP trapper process is started. +# +# Mandatory: no +# Range: 0-1 +# Default: +StartSNMPTrapper=1 + +### Option: ListenIP +# List of comma delimited IP addresses that the trapper should listen on. +# Trapper will listen on all network interfaces if this parameter is missing. +# +# Mandatory: no +# Default: + +### Option: HousekeepingFrequency +# How often Zabbix will perform housekeeping procedure (in hours). +# Housekeeping is removing outdated information from the database. +# To prevent Housekeeper from being overloaded, no more than 4 times HousekeepingFrequency +# hours of outdated information are deleted in one housekeeping cycle. +# To lower load on proxy startup housekeeping is postponed for 30 minutes after proxy start. 
+# With HousekeepingFrequency=0 the housekeeper can be only executed using the runtime control option. +# In this case the period of outdated information deleted in one housekeeping cycle is 4 times the +# period since the last housekeeping cycle, but not less than 4 hours and not greater than 4 days. +# +# Mandatory: no +# Range: 0-24 +# Default: +# HousekeepingFrequency=1 + +### Option: CacheSize +# Size of configuration cache, in bytes. +# Shared memory size, for storing hosts and items data. +# +# Mandatory: no +# Range: 128K-64G +# Default: +# CacheSize=8M + +### Option: StartDBSyncers +# Number of pre-forked instances of DB Syncers. +# +# Mandatory: no +# Range: 1-100 +# Default: +# StartDBSyncers=4 + +### Option: HistoryCacheSize +# Size of history cache, in bytes. +# Shared memory size for storing history data. +# +# Mandatory: no +# Range: 128K-2G +# Default: +# HistoryCacheSize=16M + +### Option: HistoryIndexCacheSize +# Size of history index cache, in bytes. +# Shared memory size for indexing history cache. +# +# Mandatory: no +# Range: 128K-2G +# Default: +# HistoryIndexCacheSize=4M + +### Option: Timeout +# Specifies how long we wait for agent, SNMP device or external check (in seconds). +# +# Mandatory: no +# Range: 1-30 +# Default: +# Timeout=3 + +Timeout=4 + +### Option: TrapperTimeout +# Specifies how many seconds trapper may spend processing new data. +# +# Mandatory: no +# Range: 1-300 +# Default: +# TrapperTimeout=300 + +### Option: UnreachablePeriod +# After how many seconds of unreachability treat a host as unavailable. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# UnreachablePeriod=45 + +### Option: UnavailableDelay +# How often host is checked for availability during the unavailability period, in seconds. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# UnavailableDelay=60 + +### Option: UnreachableDelay +# How often host is checked for availability during the unreachability period, in seconds. 
+# +# Mandatory: no +# Range: 1-3600 +# Default: +# UnreachableDelay=15 + +## Option: StartODBCPollers +# Number of pre-forked ODBC poller instances. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartODBCPollers=1 + +### Option: ExternalScripts +# Full path to location of external scripts. +# Default depends on compilation options. +# To see the default path run command "zabbix_proxy --help". +# +# Mandatory: no +# Default: +# ExternalScripts=${datadir}/zabbix/externalscripts + +### Option: FpingLocation +# Location of fping. +# Make sure that fping binary has root ownership and SUID flag set. +# +# Mandatory: no +# Default: +# FpingLocation=/usr/sbin/fping + +### Option: Fping6Location +# Location of fping6. +# Make sure that fping6 binary has root ownership and SUID flag set. +# Make empty if your fping utility is capable to process IPv6 addresses. +# +# Mandatory: no +# Default: +# Fping6Location=/usr/sbin/fping6 + +### Option: SSHKeyLocation +# Location of public and private keys for SSH checks and actions. +# +# Mandatory: no +# Default: +# SSHKeyLocation= + +### Option: LogSlowQueries +# How long a database query may take before being logged (in milliseconds). +# Only works if DebugLevel set to 3 or 4. +# 0 - don't log slow queries. +# +# Mandatory: no +# Range: 1-3600000 +# Default: +# LogSlowQueries=0 + +LogSlowQueries=3000 + +### Option: TmpDir +# Temporary directory. +# +# Mandatory: no +# Default: +TmpDir=/tmp + +### Option: AllowRoot +# Allow the proxy to run as 'root'. If disabled and the proxy is started by 'root', the proxy +# will try to switch to the user specified by the User configuration option instead. +# Has no effect if started under a regular user. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowRoot=0 + +### Option: User +# Drop privileges to a specific, existing user on the system. +# Only has effect if run as 'root' and AllowRoot is disabled. 
+# +# Mandatory: no +# Default: +# User=zabbix + +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. +# +# Mandatory: no +# Default: +# Include= + +# Include=/usr/local/etc/zabbix_proxy.general.conf +# Include=/usr/local/etc/zabbix_proxy.conf.d/ +# Include=/usr/local/etc/zabbix_proxy.conf.d/*.conf + +### Option: SSLCertLocation +# Location of SSL client certificates. +# This parameter is used only in web monitoring. +# Default depends on compilation options. +# To see the default path run command "zabbix_proxy --help". +# +# Mandatory: no +# Default: +# SSLCertLocation=${datadir}/zabbix/ssl/certs + +### Option: SSLKeyLocation +# Location of private keys for SSL client certificates. +# This parameter is used only in web monitoring. +# Default depends on compilation options. +# To see the default path run command "zabbix_proxy --help". +# +# Mandatory: no +# Default: +# SSLKeyLocation=${datadir}/zabbix/ssl/keys + +### Option: SSLCALocation +# Location of certificate authority (CA) files for SSL server certificate verification. +# If not set, system-wide directory will be used. +# This parameter is used in web monitoring, HTTP agent items and for communication with Vault. +# +# Mandatory: no +# Default: +# SSLCALocation= + +####### LOADABLE MODULES ####### + +### Option: LoadModulePath +# Full path to location of proxy modules. +# Default depends on compilation options. +# To see the default path run command "zabbix_proxy --help". +# +# Mandatory: no +# Default: +# LoadModulePath=${libdir}/modules + +### Option: LoadModule +# Module to load at proxy startup. Modules are used to extend functionality of the proxy. 
+# Formats: +# LoadModule=<module.so> +# LoadModule=<path/module.so> +# LoadModule=</abs_path/module.so> +# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. +# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. +# It is allowed to include multiple LoadModule parameters. +# +# Mandatory: no +# Default: +# LoadModule= + +### Option: StatsAllowedIP +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances. +# Stats request will be accepted only from the addresses listed here. If this parameter is not set no stats requests +# will be accepted. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: StatsAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# Mandatory: no +# Default: +# StatsAllowedIP= +StatsAllowedIP=%STATS_ALLOWED_IPS% + +####### TLS-RELATED PARAMETERS ####### + +### Option: TLSConnect +# How the proxy should connect to Zabbix server. Used for an active proxy, ignored on a passive proxy. +# Only one value can be specified: +# unencrypted - connect without encryption +# psk - connect using TLS and a pre-shared key +# cert - connect using TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSConnect=unencrypted + +### Option: TLSAccept +# What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy. 
+# Multiple values can be specified, separated by comma: +# unencrypted - accept connections without encryption +# psk - accept connections secured with TLS and a pre-shared key +# cert - accept connections secured with TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSAccept=unencrypted + +### Option: TLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for +# peer certificate verification. +# +# Mandatory: no +# Default: +# TLSCAFile= + +### Option: TLSCRLFile +# Full pathname of a file containing revoked certificates. +# +# Mandatory: no +# Default: +# TLSCRLFile= + +### Option: TLSServerCertIssuer +# Allowed server certificate issuer. +# +# Mandatory: no +# Default: +# TLSServerCertIssuer= + +### Option: TLSServerCertSubject +# Allowed server certificate subject. +# +# Mandatory: no +# Default: +# TLSServerCertSubject= + +### Option: TLSCertFile +# Full pathname of a file containing the proxy certificate or certificate chain. +# +# Mandatory: no +# Default: +# TLSCertFile= + +### Option: TLSKeyFile +# Full pathname of a file containing the proxy private key. +# +# Mandatory: no +# Default: +# TLSKeyFile= + +### Option: TLSPSKIdentity +# Unique, case sensitive string used to identify the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKIdentity= + +### Option: TLSPSKFile +# Full pathname of a file containing the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. 
+# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +### Option: DBTLSConnect +# Setting this option enforces to use TLS connection to database. 
+# required - connect using TLS +# verify_ca - connect using TLS and verify certificate +# verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost +# matches its certificate +# On MySQL starting from 5.7.11 and PostgreSQL following values are supported: "required", "verify_ca" and +# "verify_full". +# On MariaDB starting from version 10.2.6 "required" and "verify_full" values are supported. +# Default is not to set any option and behavior depends on database configuration +# +# Mandatory: no +# Default: +# DBTLSConnect= + +### Option: DBTLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for database certificate verification. +# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# (yes, if DBTLSConnect set to one of: verify_ca, verify_full) +# Default: +# DBTLSCAFile= + +### Option: DBTLSCertFile +# Full pathname of file containing Zabbix proxy certificate for authenticating to database. +# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# Default: +# DBTLSCertFile= + +### Option: DBTLSKeyFile +# Full pathname of file containing the private key for authenticating to database. +# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# Default: +# DBTLSKeyFile= + +### Option: DBTLSCipher +# The list of encryption ciphers that Zabbix proxy permits for TLS protocols up through TLSv1.2 +# Supported only for MySQL +# +# Mandatory no +# Default: +# DBTLSCipher= + +### Option: DBTLSCipher13 +# The list of encryption ciphersuites that Zabbix proxy permits for TLSv1.3 protocol +# Supported only for MySQL, starting from version 8.0.16 +# +# Mandatory no +# Default: +# DBTLSCipher13= + +### Option: VaultToken +# Vault authentication token that should have been generated exclusively for Zabbix proxy with read only permission to path +# specified in optional VaultDBPath configuration parameter. 
+# It is an error if VaultToken and VAULT_TOKEN environment variable are defined at the same time. +# +# Mandatory: no +# Default: +# VaultToken= + +### Option: VaultURL +# Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified. +# +# Mandatory: no +# Default: +# VaultURL=https://127.0.0.1:8200 + +### Option: VaultDBPath +# Vault path from where credentials for database will be retrieved by keys 'password' and 'username'. +# Example: secret/zabbix/database +# This option can only be used if DBUser and DBPassword are not specified. +# +# Mandatory: no +# Default: +# VaultDBPath= + +####### For advanced users - TCP-related fine-tuning parameters ####### + +## Option: ListenBacklog +# The maximum number of pending connections in the queue. This parameter is passed to +# listen() function as argument 'backlog' (see "man listen"). +# +# Mandatory: no +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) +# Default: SOMAXCONN (hard-coded constant, depends on system) +# ListenBacklog= + +# +# Mandatory: no +# Default: +# PidFile=/tmp/zabbix_agentd.pid +PidFile=/tmp/zabbix_proxy.pid + +### Option: LogType +# Specifies where log messages are written to: +# system - syslog +# file - file specified with LogFile parameter +# console - standard output +# +# Mandatory: no +# Default: +# LogType=file + +### Option: LogFile +# Log file name for LogType 'file' parameter. +# +# Mandatory: yes, if LogType is set to file, otherwise no +# Default: +# LogFile= + +LogFile=/tmp/zabbix_proxy.log + +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. 
+# +# Mandatory: no +# Range: 0-1024 +# Default: +# LogFileSize=1 + +### Option: DebugLevel +# Specifies debug level: +# 0 - basic information about starting and stopping of Zabbix processes +# 1 - critical information +# 2 - error information +# 3 - warnings +# 4 - for debugging (produces lots of information) +# 5 - extended debugging (produces even more information) +# +# Mandatory: no +# Range: 0-5 +# Default: +# DebugLevel=3 + +### Option: SourceIP +# Source IP address for outgoing connections. +# +# Mandatory: no +# Default: +# SourceIP= + +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any +# number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no + +### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any +# number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. 
+# +# Mandatory: no +# Default: +# DenyKey=system.run[*] + +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no + +### Option: LogRemoteCommands +# Enable logging of executed shell commands as warnings. +# 0 - disabled +# 1 - enabled +# +# Mandatory: no +# Default: +# LogRemoteCommands=0 + + +##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related ##### Passive checks related + +### Option: Server +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. +# Incoming connections will be accepted only from the hosts listed here. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# Mandatory: yes, if StartAgents is not explicitly set to 0 +# Default: +# Server= + +Server=%ZABBIX_SERVER_IPS% + +### Option: ListenPort +# Agent will listen on this port for connections from the server. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# ListenPort=10050 + +### Option: ListenIP +# List of comma delimited IP addresses that the agent should listen on. +# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. 
+# +# Mandatory: no +# Default: +# ListenIP=0.0.0.0 + +### Option: StartAgents +# Number of pre-forked instances of zabbix_agentd that process passive checks. +# If set to 0, disables passive checks and the agent will not listen on any TCP port. +# +# Mandatory: no +# Range: 0-100 +# Default: +# StartAgents=3 + +##### Active checks related + +### Option: ServerActive +# Zabbix server/proxy address or cluster configuration to get active checks from. +# Server/proxy address is IP address or DNS name and optional port separated by colon. +# Cluster configuration is one or more server addresses separated by semicolon. +# Multiple Zabbix servers/clusters and Zabbix proxies can be specified, separated by comma. +# More than one Zabbix proxy should not be specified from each Zabbix server/cluster. +# If Zabbix proxy is specified then Zabbix server/cluster for that proxy should not be specified. +# Multiple comma-delimited addresses can be provided to use several independent Zabbix servers in parallel. Spaces are allowed. +# If port is not specified, default port is used. +# IPv6 addresses must be enclosed in square brackets if port for that host is specified. +# If port is not specified, square brackets for IPv6 addresses are optional. +# If this parameter is not specified, active checks are disabled. +# Example for Zabbix proxy: +# ServerActive=127.0.0.1:10051 +# Example for multiple servers: +# ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] +# Example for high availability: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051;zabbix.cluster.node3 +# Example for high availability with two clusters and one server: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051,zabbix.cluster2.node1;zabbix.cluster2.node2,zabbix.domain +# +# Mandatory: no +# Default: +# ServerActive= +# ServerActive=127.0.0.1 + +### Option: Hostname +# List of comma delimited unique, case sensitive hostnames. 
+# Required for active checks and must match hostnames as configured on the server. +# Value is acquired from HostnameItem if undefined. +# +# Mandatory: no +# Default: +# Hostname= + +# Hostname=localhost + +### Option: HostnameItem +# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. +# Does not support UserParameters or aliases. +# +# Mandatory: no +# Default: +# HostnameItem=system.hostname + +### Option: HostMetadata +# Optional parameter that defines host metadata. +# Host metadata is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostMetadataItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostMetadata= + +### Option: HostMetadataItem +# Optional parameter that defines an item used for getting host metadata. +# Host metadata is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostMetadata is not defined. +# +# Mandatory: no +# Default: +# HostMetadataItem= + +### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface= + +### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. 
+# +# Mandatory: no +# Default: +# HostInterfaceItem= + +### Option: RefreshActiveChecks +# How often list of active checks is refreshed, in seconds. +# +# Mandatory: no +# Range: 60-3600 +# Default: +# RefreshActiveChecks=120 + +### Option: BufferSend +# Do not keep data longer than N seconds in buffer. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# BufferSend=5 + +### Option: BufferSize +# Maximum number of values in a memory buffer. The agent will send +# all collected data to Zabbix Server or Proxy if the buffer is full. +# +# Mandatory: no +# Range: 2-65535 +# Default: +# BufferSize=100 + +### Option: MaxLinesPerSecond +# Maximum number of new lines the agent will send per second to Zabbix Server +# or Proxy processing 'log' and 'logrt' active checks. +# The provided value will be overridden by the parameter 'maxlines', +# provided in 'log' or 'logrt' item keys. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# MaxLinesPerSecond=20 + +############ ADVANCED PARAMETERS ################# + +### Option: Alias +# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one. +# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed. +# Different Alias keys may reference the same item key. +# For example, to retrieve the ID of user 'zabbix': +# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1] +# Now shorthand key zabbix.userid may be used to retrieve data. +# Aliases can be used in HostMetadataItem but not in HostnameItem parameters. +# +# Mandatory: no +# Range: +# Default: + +### Option: Timeout +# Spend no more than Timeout seconds on processing +# +# Mandatory: no +# Range: 1-30 +# Default: +# Timeout=3 + +### Option: AllowRoot +# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent +# will try to switch to the user specified by the User configuration option instead. 
+# Has no effect if started under a regular user. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowRoot=0 + +### Option: User +# Drop privileges to a specific, existing user on the system. +# Only has effect if run as 'root' and AllowRoot is disabled. +# +# Mandatory: no +# Default: +User=%ZABBIX_USER_NAME% + +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. +# +# Mandatory: no +# Default: +# Include= + +# Include=/usr/local/etc/zabbix_agentd.userparams.conf +# Include=/usr/local/etc/zabbix_agentd.conf.d/ +# Include=/usr/local/etc/zabbix_agentd.conf.d/*.conf + +####### USER-DEFINED MONITORED PARAMETERS ####### + +### Option: UnsafeUserParameters +# Allow all characters to be passed in arguments to user-defined parameters. +# The following characters are not allowed: +# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ +# Additionally, newline characters are not allowed. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Range: 0-1 +# Default: +# UnsafeUserParameters=0 + +### Option: UserParameter +# User-defined parameter to monitor. There can be several user-defined parameters. +# Format: UserParameter=<key>,<shell command> +# See 'zabbix_agentd' directory for examples. +# +# Mandatory: no +# Default: +# UserParameter= + +### Option: UserParameterDir +# Directory to execute UserParameter commands from. Only one entry is allowed. +# When executing UserParameter commands the agent will change the working directory to the one +# specified in the UserParameterDir option. +# This way UserParameter commands can be specified using the relative ./ prefix. +# +# Mandatory: no +# Default: +# UserParameterDir= + +####### LOADABLE MODULES ####### + +### Option: LoadModulePath +# Full path to location of agent modules. +# Default depends on compilation options. 
+# To see the default path run command "zabbix_agentd --help". +# +# Mandatory: no +# Default: +# LoadModulePath=${libdir}/modules + +### Option: LoadModule +# Module to load at agent startup. Modules are used to extend functionality of the agent. +# Formats: +# LoadModule=<module.so> +# LoadModule=<path/module.so> +# LoadModule=</abs_path/module.so> +# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. +# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. +# It is allowed to include multiple LoadModule parameters. +# +# Mandatory: no +# Default: +# LoadModule= + +####### TLS-RELATED PARAMETERS ####### + +### Option: TLSConnect +# How the agent should connect to server or proxy. Used for active checks. +# Only one value can be specified: +# unencrypted - connect without encryption +# psk - connect using TLS and a pre-shared key +# cert - connect using TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSConnect=unencrypted + +### Option: TLSAccept +# What incoming connections to accept. +# Multiple values can be specified, separated by comma: +# unencrypted - accept connections without encryption +# psk - accept connections secured with TLS and a pre-shared key +# cert - accept connections secured with TLS and a certificate +# +# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) +# Default: +# TLSAccept=unencrypted + +### Option: TLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for +# peer certificate verification. +# +# Mandatory: no +# Default: +# TLSCAFile= + +### Option: TLSCRLFile +# Full pathname of a file containing revoked certificates. +# +# Mandatory: no +# Default: +# TLSCRLFile= + +### Option: TLSServerCertIssuer +# Allowed server certificate issuer. 
+# +# Mandatory: no +# Default: +# TLSServerCertIssuer= + +### Option: TLSServerCertSubject +# Allowed server certificate subject. +# +# Mandatory: no +# Default: +# TLSServerCertSubject= + +### Option: TLSCertFile +# Full pathname of a file containing the agent certificate or certificate chain. +# +# Mandatory: no +# Default: +# TLSCertFile= + +### Option: TLSKeyFile +# Full pathname of a file containing the agent private key. +# +# Mandatory: no +# Default: +# TLSKeyFile= + +### Option: TLSPSKIdentity +# Unique, case sensitive string used to identify the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKIdentity= + +### Option: TLSPSKFile +# Full pathname of a file containing the pre-shared key. +# +# Mandatory: no +# Default: +# TLSPSKFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. 
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
+# Example for OpenSSL:
+# kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example:
+# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+# Example for GnuTLS:
+# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+# Example for OpenSSL:
+# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
+
+####### For advanced users - TCP-related fine-tuning parameters #######
+
+## Option: ListenBacklog
+# The maximum number of pending connections in the queue. This parameter is passed to
+# listen() function as argument 'backlog' (see "man listen").
+#
+# Mandatory: no
+# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum)
+# Default: SOMAXCONN (hard-coded constant, depends on system)
+# ListenBacklog=
diff --git a/recipes-connectivity/zabbix/files/zabbix-proxy.service b/recipes-connectivity/zabbix/files/zabbix-proxy.service
new file mode 100644
index 0000000..7dd77b6
--- /dev/null
+++ b/recipes-connectivity/zabbix/files/zabbix-proxy.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Zabbix Proxy
+
+[Service]
+Environment="CONFFILE=%ZABBIX_PROXY_CONF%"
+EnvironmentFile=-%SYSCONFDIR%/default/zabbix-proxy
+Type=forking
+Restart=on-failure
+KillMode=control-group
+ExecStart=%SBINDIR%/zabbix_proxy -c $CONFFILE
+ExecStop=/bin/sh -c '[ -n "$1" ] && kill -s TERM "$1"' -- "$MAINPID"
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-connectivity/zabbix/files/zabbix-server-morello.service b/recipes-connectivity/zabbix/files/zabbix-server-morello.service
new file mode 100644
index 0000000..3327b4b
--- /dev/null
+++ b/recipes-connectivity/zabbix/files/zabbix-server-morello.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Zabbix Server
+Wants=postgresql.service
+After=postgresql.service
+After=postgresql-init.service
+After=php-fpm.service
+
+[Service]
+Environment="CONFFILE=%SYSCONFDIR%/zabbix/zabbix-server.conf"
+Environment="DB_ZABBIX_USER_SERVER=%DB_ZABBIX_USER_SERVER%"
+Environment="DB_ZABBIX_PASSWORD=%DB_ZABBIX_PASSWORD%"
+EnvironmentFile=-%SYSCONFDIR%/default/zabbix-server
+Type=forking
+KillMode=control-group
+ExecStart=/bin/bash -c '%SBINDIR%/zabbix_server -c ${CONFFILE}'
+ExecStop=/bin/sh -c '[ -n "$1" ] && kill -s TERM "$1"' -- "$MAINPID"
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/recipes-connectivity/zabbix/files/zabbix-server.conf b/recipes-connectivity/zabbix/files/zabbix-server.conf
new file mode 100644
index 0000000..390fe6f
--- /dev/null
+++ b/recipes-connectivity/zabbix/files/zabbix-server.conf
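Review bot: In zabbix-server-morello.service the `Environment="DB_ZABBIX_PASSWORD=%DB_ZABBIX_PASSWORD%"` line bakes the database password into the unit file, which is typically installed world-readable and is also printed by `systemctl show` for the unit; since the unit already reads `EnvironmentFile=-%SYSCONFDIR%/default/zabbix-server`, the credential belongs in that file with restrictive permissions (or in a systemd `LoadCredential=`), not in the unit, and the following zabbix-server.conf hunk appears to set `DBPassword=` from the same substitution anyway, so the copy here looks redundant. `RestartSec=10s` in the same unit has no effect without a `Restart=` directive, while the proxy unit in the previous hunk does set `Restart=on-failure`; add `Restart=on-failure` or drop the line. The `/bin/bash -c` wrapper around `ExecStart` is unnecessary because systemd expands `${CONFFILE}` itself and the extra shell only widens what runs as the service's main process: `ExecStart=%SBINDIR%/zabbix_server -c ${CONFFILE}`.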
@@ -0,0 +1,990 @@
+# This is a configuration file for Zabbix server daemon
+# To get more information about Zabbix, visit http://www.zabbix.com
+
+############ GENERAL PARAMETERS #################
+
+### Option: ListenPort
+# Listen port for trapper.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# ListenPort=10051
+
+### Option: SourceIP
+# Source IP address for outgoing connections.
+#
+# Mandatory: no
+# Default:
+# SourceIP=
+
+### Option: LogType
+# Specifies where log messages are written to:
+# system - syslog
+# file - file specified with LogFile parameter
+# console - standard output
+#
+# Mandatory: no
+# Default:
+# LogType=file
+
+### Option: LogFile
+# Log file name for LogType 'file' parameter.
+#
+# Mandatory: yes, if LogType is set to file, otherwise no
+# Default:
+# LogFile=
+
+LogFile=/tmp/zabbix_server.log
+
+### Option: LogFileSize
+# Maximum size of log file in MB.
+# 0 - disable automatic log rotation.
+#
+# Mandatory: no
+# Range: 0-1024
+# Default:
+# LogFileSize=1
+
+### Option: DebugLevel
+# Specifies debug level:
+# 0 - basic information about starting and stopping of Zabbix processes
+# 1 - critical information
+# 2 - error information
+# 3 - warnings
+# 4 - for debugging (produces lots of information)
+# 5 - extended debugging (produces even more information)
+#
+# Mandatory: no
+# Range: 0-5
+# Default:
+DebugLevel=5
+
+### Option: PidFile
+# Name of PID file.
+#
+# Mandatory: no
+# Default:
+# PidFile=/tmp/zabbix_server.pid
+
+### Option: SocketDir
+# IPC socket directory.
+# Directory to store IPC sockets used by internal Zabbix services.
+#
+# Mandatory: no
+# Default:
+# SocketDir=/tmp
+SocketDir=%ZABBIX_SOCKET_DIR%
+
+### Option: DBHost
+# Database host name.
+# If set to localhost, socket is used for MySQL.
+# If set to empty string, socket is used for PostgreSQL.
+# If set to empty string, the Net Service Name connection method is used to connect to Oracle database; also see +# the TNS_ADMIN environment variable to specify the directory where the tnsnames.ora file is located. +# +# Mandatory: no +# Default: +# DBHost=localhost + +### Option: DBName +# Database name. +# If the Net Service Name connection method is used to connect to Oracle database, specify the service name from +# the tnsnames.ora file or set to empty string; also see the TWO_TASK environment variable if DBName is set to +# empty string. +# +# Mandatory: yes +# Default: +# DBName= + +DBName=%DB_ZABBIX_NAME% + +### Option: DBSchema +# Schema name. Used for PostgreSQL. +# +# Mandatory: no +# Default: +# DBSchema= + +### Option: DBUser +# Database user. +# +# Mandatory: no +# Default: +# DBUser= + +DBUser=%DB_ZABBIX_USER_SERVER% + +### Option: DBPassword +# Database password. +# Comment this line if no password is used. +# +# Mandatory: no +# Default: +# DBPassword= + +DBPassword=%DB_ZABBIX_PASSWORD% + +### Option: DBSocket +# Path to MySQL socket. +# +# Mandatory: no +# Default: +# DBSocket= + +### Option: DBPort +# Database port when not using local socket. +# If the Net Service Name connection method is used to connect to Oracle database, the port number from the +# tnsnames.ora file will be used. The port number set here will be ignored. +# +# Mandatory: no +# Range: 1024-65535 +# Default: +# DBPort= + +### Option: AllowUnsupportedDBVersions +# Allow server to work with unsupported database versions. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowUnsupportedDBVersions=0 + +### Option: HistoryStorageURL +# History storage HTTP[S] URL. +# +# Mandatory: no +# Default: +# HistoryStorageURL= + +### Option: HistoryStorageTypes +# Comma separated list of value types to be sent to the history storage. 
+# +# Mandatory: no +# Default: +# HistoryStorageTypes=uint,dbl,str,log,text + +### Option: HistoryStorageDateIndex +# Enable preprocessing of history values in history storage to store values in different indices based on date. +# 0 - disable +# 1 - enable +# +# Mandatory: no +# Default: +# HistoryStorageDateIndex=0 + +### Option: ExportDir +# Directory for real time export of events, history and trends in newline delimited JSON format. +# If set, enables real time export. +# +# Mandatory: no +# Default: +# ExportDir= + +### Option: ExportFileSize +# Maximum size per export file in bytes. +# Only used for rotation if ExportDir is set. +# +# Mandatory: no +# Range: 1M-1G +# Default: +# ExportFileSize=1G + +### Option: ExportType +# List of comma delimited types of real time export - allows to control export entities by their +# type (events, history, trends) individually. +# Valid only if ExportDir is set. +# +# Mandatory: no +# Default: +# ExportType=events,history,trends + +############ ADVANCED PARAMETERS ################ + +### Option: StartPollers +# Number of pre-forked instances of pollers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartPollers=5 + +### Option: StartIPMIPollers +# Number of pre-forked instances of IPMI pollers. +# The IPMI manager process is automatically started when at least one IPMI poller is started. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartIPMIPollers=0 + +### Option: StartPreprocessors +# Number of pre-forked instances of preprocessing workers. +# The preprocessing manager process is automatically started when preprocessor worker is started. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# StartPreprocessors=3 + +### Option: StartPollersUnreachable +# Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java). +# At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers +# are started. 
+# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartPollersUnreachable=1 + +### Option: StartHistoryPollers +# Number of pre-forked instances of history pollers. +# Only required for calculated and internal checks. +# A database connection is required for each history poller instance. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartHistoryPollers=5 + +### Option: StartTrappers +# Number of pre-forked instances of trappers. +# Trappers accept incoming connections from Zabbix sender, active agents and active proxies. +# At least one trapper process must be running to display server availability and view queue +# in the frontend. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartTrappers=5 + +### Option: StartPingers +# Number of pre-forked instances of ICMP pingers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartPingers=1 + +### Option: StartDiscoverers +# Number of pre-forked instances of discoverers. +# +# Mandatory: no +# Range: 0-250 +# Default: +# StartDiscoverers=1 + +### Option: StartHTTPPollers +# Number of pre-forked instances of HTTP pollers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartHTTPPollers=1 + +### Option: StartTimers +# Number of pre-forked instances of timers. +# Timers process maintenance periods. +# Only the first timer process handles host maintenance updates. Problem suppression updates are shared +# between all timers. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# StartTimers=1 + +### Option: StartEscalators +# Number of pre-forked instances of escalators. +# +# Mandatory: no +# Range: 1-100 +# Default: +# StartEscalators=1 + +### Option: StartAlerters +# Number of pre-forked instances of alerters. +# Alerters send the notifications created by action operations. +# +# Mandatory: no +# Range: 1-100 +# Default: +# StartAlerters=3 + +### Option: JavaGateway +# IP address (or hostname) of Zabbix Java gateway. +# Only required if Java pollers are started. 
+# +# Mandatory: no +# Default: +# JavaGateway= + +### Option: JavaGatewayPort +# Port that Zabbix Java gateway listens on. +# +# Mandatory: no +# Range: 1024-32767 +# Default: +# JavaGatewayPort=10052 + +### Option: StartJavaPollers +# Number of pre-forked instances of Java pollers. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartJavaPollers=0 + +### Option: StartVMwareCollectors +# Number of pre-forked vmware collector instances. +# +# Mandatory: no +# Range: 0-250 +# Default: +# StartVMwareCollectors=0 + +### Option: VMwareFrequency +# How often Zabbix will connect to VMware service to obtain a new data. +# +# Mandatory: no +# Range: 10-86400 +# Default: +# VMwareFrequency=60 + +### Option: VMwarePerfFrequency +# How often Zabbix will connect to VMware service to obtain performance data. +# +# Mandatory: no +# Range: 10-86400 +# Default: +# VMwarePerfFrequency=60 + +### Option: VMwareCacheSize +# Size of VMware cache, in bytes. +# Shared memory size for storing VMware data. +# Only used if VMware collectors are started. +# +# Mandatory: no +# Range: 256K-2G +# Default: +# VMwareCacheSize=8M + +### Option: VMwareTimeout +# Specifies how many seconds vmware collector waits for response from VMware service. +# +# Mandatory: no +# Range: 1-300 +# Default: +# VMwareTimeout=10 + +### Option: SNMPTrapperFile +# Temporary file used for passing data from SNMP trap daemon to the server. +# Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file. +# +# Mandatory: no +# Default: +# SNMPTrapperFile=/tmp/zabbix_traps.tmp +SNMPTrapperFile=/tmp/zabbix_traps.tmp + +### Option: StartSNMPTrapper +# If 1, SNMP trapper process is started. +# +# Mandatory: no +# Range: 0-1 +# Default: +StartSNMPTrapper=0 + +### Option: ListenIP +# List of comma delimited IP addresses that the trapper should listen on. +# Trapper will listen on all network interfaces if this parameter is missing. 
+# +# Mandatory: no +# Default: +# ListenIP=0.0.0.0 + +### Option: HousekeepingFrequency +# How often Zabbix will perform housekeeping procedure (in hours). +# Housekeeping is removing outdated information from the database. +# To prevent Housekeeper from being overloaded, no more than 4 times HousekeepingFrequency +# hours of outdated information are deleted in one housekeeping cycle, for each item. +# To lower load on server startup housekeeping is postponed for 30 minutes after server start. +# With HousekeepingFrequency=0 the housekeeper can be only executed using the runtime control option. +# In this case the period of outdated information deleted in one housekeeping cycle is 4 times the +# period since the last housekeeping cycle, but not less than 4 hours and not greater than 4 days. +# +# Mandatory: no +# Range: 0-24 +# Default: +# HousekeepingFrequency=1 + +### Option: MaxHousekeeperDelete +# The table "housekeeper" contains "tasks" for housekeeping procedure in the format: +# [housekeeperid], [tablename], [field], [value]. +# No more than 'MaxHousekeeperDelete' rows (corresponding to [tablename], [field], [value]) +# will be deleted per one task in one housekeeping cycle. +# If set to 0 then no limit is used at all. In this case you must know what you are doing! +# +# Mandatory: no +# Range: 0-1000000 +# Default: +# MaxHousekeeperDelete=5000 + +### Option: CacheSize +# Size of configuration cache, in bytes. +# Shared memory size for storing host, item and trigger data. +# +# Mandatory: no +# Range: 128K-64G +# Default: +# CacheSize=32M + +### Option: CacheUpdateFrequency +# How often Zabbix will perform update of configuration cache, in seconds. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# CacheUpdateFrequency=60 + +### Option: StartDBSyncers +# Number of pre-forked instances of DB Syncers. +# +# Mandatory: no +# Range: 1-100 +# Default: +# StartDBSyncers=4 + +### Option: HistoryCacheSize +# Size of history cache, in bytes. 
+# Shared memory size for storing history data. +# +# Mandatory: no +# Range: 128K-2G +# Default: +# HistoryCacheSize=16M + +### Option: HistoryIndexCacheSize +# Size of history index cache, in bytes. +# Shared memory size for indexing history cache. +# +# Mandatory: no +# Range: 128K-2G +# Default: +# HistoryIndexCacheSize=4M + +### Option: TrendCacheSize +# Size of trend write cache, in bytes. +# Shared memory size for storing trends data. +# +# Mandatory: no +# Range: 128K-2G +# Default: +# TrendCacheSize=4M + +### Option: TrendFunctionCacheSize +# Size of trend function cache, in bytes. +# Shared memory size for caching calculated trend function data. +# +# Mandatory: no +# Range: 128K-2G +# Default: +# TrendFunctionCacheSize=4M + +### Option: ValueCacheSize +# Size of history value cache, in bytes. +# Shared memory size for caching item history data requests. +# Setting to 0 disables value cache. +# +# Mandatory: no +# Range: 0,128K-64G +# Default: +# ValueCacheSize=8M + +### Option: Timeout +# Specifies how long we wait for agent, SNMP device or external check (in seconds). +# +# Mandatory: no +# Range: 1-30 +# Default: +# Timeout=3 + +Timeout=4 + +### Option: TrapperTimeout +# Specifies how many seconds trapper may spend processing new data. +# +# Mandatory: no +# Range: 1-300 +# Default: +# TrapperTimeout=300 + +### Option: UnreachablePeriod +# After how many seconds of unreachability treat a host as unavailable. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# UnreachablePeriod=45 + +### Option: UnavailableDelay +# How often host is checked for availability during the unavailability period, in seconds. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# UnavailableDelay=60 + +### Option: UnreachableDelay +# How often host is checked for availability during the unreachability period, in seconds. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# UnreachableDelay=15 + +### Option: AlertScriptsPath +# Full path to location of custom alert scripts. 
+# Default depends on compilation options. +# To see the default path run command "zabbix_server --help". +# +# Mandatory: no +# Default: +# AlertScriptsPath=${datadir}/zabbix/alertscripts + +### Option: ExternalScripts +# Full path to location of external scripts. +# Default depends on compilation options. +# To see the default path run command "zabbix_server --help". +# +# Mandatory: no +# Default: +# ExternalScripts=${datadir}/zabbix/externalscripts + +### Option: FpingLocation +# Location of fping. +# Make sure that fping binary has root ownership and SUID flag set. +# +# Mandatory: no +# Default: +# FpingLocation=/usr/sbin/fping + +### Option: Fping6Location +# Location of fping6. +# Make sure that fping6 binary has root ownership and SUID flag set. +# Make empty if your fping utility is capable to process IPv6 addresses. +# +# Mandatory: no +# Default: +# Fping6Location=/usr/sbin/fping6 + +### Option: SSHKeyLocation +# Location of public and private keys for SSH checks and actions. +# +# Mandatory: no +# Default: +# SSHKeyLocation= + +### Option: LogSlowQueries +# How long a database query may take before being logged (in milliseconds). +# Only works if DebugLevel set to 3, 4 or 5. +# 0 - don't log slow queries. +# +# Mandatory: no +# Range: 1-3600000 +# Default: +# LogSlowQueries=0 + +LogSlowQueries=3000 + +### Option: TmpDir +# Temporary directory. +# +# Mandatory: no +# Default: +# TmpDir=/tmp + +### Option: StartProxyPollers +# Number of pre-forked instances of pollers for passive proxies. +# +# Mandatory: no +# Range: 0-250 +# Default: +# StartProxyPollers=1 + +### Option: ProxyConfigFrequency +# How often Zabbix Server sends configuration data to a Zabbix Proxy in seconds. +# This parameter is used only for proxies in the passive mode. +# +# Mandatory: no +# Range: 1-3600*24*7 +# Default: +# ProxyConfigFrequency=3600 + +### Option: ProxyDataFrequency +# How often Zabbix Server requests history data from a Zabbix Proxy in seconds. 
+# This parameter is used only for proxies in the passive mode. +# +# Mandatory: no +# Range: 1-3600 +# Default: +# ProxyDataFrequency=1 + +### Option: StartLLDProcessors +# Number of pre-forked instances of low level discovery processors. +# +# Mandatory: no +# Range: 1-100 +# Default: +# StartLLDProcessors=2 + +### Option: AllowRoot +# Allow the server to run as 'root'. If disabled and the server is started by 'root', the server +# will try to switch to the user specified by the User configuration option instead. +# Has no effect if started under a regular user. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowRoot=0 + +### Option: User +# Drop privileges to a specific, existing user on the system. +# Only has effect if run as 'root' and AllowRoot is disabled. +# +# Mandatory: no +# Default: +# User=zabbix + +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. +# +# Mandatory: no +# Default: +# Include= + +# Include=/usr/local/etc/zabbix_server.general.conf +# Include=/usr/local/etc/zabbix_server.conf.d/ +# Include=/usr/local/etc/zabbix_server.conf.d/*.conf + +### Option: SSLCertLocation +# Location of SSL client certificates. +# This parameter is used only in web monitoring. +# Default depends on compilation options. +# To see the default path run command "zabbix_server --help". +# +# Mandatory: no +# Default: +# SSLCertLocation=${datadir}/zabbix/ssl/certs + +### Option: SSLKeyLocation +# Location of private keys for SSL client certificates. +# This parameter is used only in web monitoring. +# Default depends on compilation options. +# To see the default path run command "zabbix_server --help". 
+# +# Mandatory: no +# Default: +# SSLKeyLocation=${datadir}/zabbix/ssl/keys + +### Option: SSLCALocation +# Override the location of certificate authority (CA) files for SSL server certificate verification. +# If not set, system-wide directory will be used. +# This parameter is used in web monitoring, SMTP authentication, HTTP agent items and for communication with Vault. +# +# Mandatory: no +# Default: +# SSLCALocation= + +### Option: StatsAllowedIP +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances. +# Stats request will be accepted only from the addresses listed here. If this parameter is not set no stats requests +# will be accepted. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: StatsAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# Mandatory: no +# Default: +# StatsAllowedIP= +StatsAllowedIP=127.0.0.1 + +####### LOADABLE MODULES ####### + +### Option: LoadModulePath +# Full path to location of server modules. +# Default depends on compilation options. +# To see the default path run command "zabbix_server --help". +# +# Mandatory: no +# Default: +# LoadModulePath=${libdir}/modules + +### Option: LoadModule +# Module to load at server startup. Modules are used to extend functionality of the server. +# Formats: +# LoadModule=<module.so> +# LoadModule=<path/module.so> +# LoadModule=</abs_path/module.so> +# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. +# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. +# It is allowed to include multiple LoadModule parameters. 
+# +# Mandatory: no +# Default: +# LoadModule= + +####### TLS-RELATED PARAMETERS ####### + +### Option: TLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for +# peer certificate verification. +# +# Mandatory: no +# Default: +# TLSCAFile= + +### Option: TLSCRLFile +# Full pathname of a file containing revoked certificates. +# +# Mandatory: no +# Default: +# TLSCRLFile= + +### Option: TLSCertFile +# Full pathname of a file containing the server certificate or certificate chain. +# +# Mandatory: no +# Default: +# TLSCertFile= + +### Option: TLSKeyFile +# Full pathname of a file containing the server private key. +# +# Mandatory: no +# Default: +# TLSKeyFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. 
+# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +### Option: DBTLSConnect +# Setting this option enforces to use TLS connection to database. +# required - connect using TLS +# verify_ca - connect using TLS and verify certificate +# verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost +# matches its certificate +# On MySQL starting from 5.7.11 and PostgreSQL following values are supported: "required", "verify_ca" and +# "verify_full". +# On MariaDB starting from version 10.2.6 "required" and "verify_full" values are supported. +# Default is not to set any option and behavior depends on database configuration +# +# Mandatory: no +# Default: +# DBTLSConnect= + +### Option: DBTLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for database certificate verification. 
+# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# (yes, if DBTLSConnect set to one of: verify_ca, verify_full) +# Default: +# DBTLSCAFile= + +### Option: DBTLSCertFile +# Full pathname of file containing Zabbix server certificate for authenticating to database. +# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# Default: +# DBTLSCertFile= + +### Option: DBTLSKeyFile +# Full pathname of file containing the private key for authenticating to database. +# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# Default: +# DBTLSKeyFile= + +### Option: DBTLSCipher +# The list of encryption ciphers that Zabbix server permits for TLS protocols up through TLSv1.2 +# Supported only for MySQL +# +# Mandatory no +# Default: +# DBTLSCipher= + +### Option: DBTLSCipher13 +# The list of encryption ciphersuites that Zabbix server permits for TLSv1.3 protocol +# Supported only for MySQL, starting from version 8.0.16 +# +# Mandatory no +# Default: +# DBTLSCipher13= + +### Option: VaultToken +# Vault authentication token that should have been generated exclusively for Zabbix server with read only permission +# to paths specified in Vault macros and read only permission to path specified in optional VaultDBPath +# configuration parameter. +# It is an error if VaultToken and VAULT_TOKEN environment variable are defined at the same time. +# +# Mandatory: no +# Default: +# VaultToken= + +### Option: VaultURL +# Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified. +# +# Mandatory: no +# Default: +# VaultURL=https://127.0.0.1:8200 + +### Option: VaultDBPath +# Vault path from where credentials for database will be retrieved by keys 'password' and 'username'. +# Example: secret/zabbix/database +# This option can only be used if DBUser and DBPassword are not specified. +# +# Mandatory: no +# Default: +# VaultDBPath= + +### Option: StartReportWriters +# Number of pre-forked report writer instances. 
+# +# Mandatory: no +# Range: 0-100 +# Default: +# StartReportWriters=0 + +### Option: WebServiceURL +# URL to Zabbix web service, used to perform web related tasks. +# Example: http://localhost:10053/report +# +# Mandatory: no +# Default: +# WebServiceURL= + +### Option: ServiceManagerSyncFrequency +# How often Zabbix will synchronize configuration of a service manager (in seconds). +# +# Mandatory: no +# Range: 1-3600 +# Default: +# ServiceManagerSyncFrequency=60 + +### Option: ProblemHousekeepingFrequency +# How often Zabbix will delete problems for deleted triggers (in seconds). +# +# Mandatory: no +# Range: 1-3600 +# Default: +# ProblemHousekeepingFrequency=60 + +## Option: StartODBCPollers +# Number of pre-forked ODBC poller instances. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartODBCPollers=1 + +####### For advanced users - TCP-related fine-tuning parameters ####### + +## Option: ListenBacklog +# The maximum number of pending connections in the queue. This parameter is passed to +# listen() function as argument 'backlog' (see "man listen"). +# +# Mandatory: no +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) +# Default: SOMAXCONN (hard-coded constant, depends on system) +# ListenBacklog= + + +####### High availability cluster parameters ####### + +## Option: HANodeName +# The high availability cluster node name. +# When empty, server is working in standalone mode; a node with empty name is registered with address for the frontend to connect to. +# +# Mandatory: no +# Default: +# HANodeName= + +## Option: NodeAddress +# IP or hostname with optional port to specify how frontend should connect to the server. +# Format: <address>[:<port>] +# +# If IP or hostname is not set, then ListenIP value will be used. In case ListenIP is not set, localhost will be used. +# If port is not set, then ListenPort value will be used. In case ListenPort is not set, 10051 will be used. 
+# This option can be overridden by address specified in frontend configuration.
+#
+# Mandatory: no
+# Default:
+# NodeAddress=localhost:10051
diff --git a/recipes-connectivity/zabbix/files/zabbix.conf.php b/recipes-connectivity/zabbix/files/zabbix.conf.php
new file mode 100644
index 0000000..4442d3f
--- /dev/null
+++ b/recipes-connectivity/zabbix/files/zabbix.conf.php
@@ -0,0 +1,59 @@
+<?php
+// Zabbix GUI configuration file.
+
+$DB['TYPE'] = 'POSTGRESQL';
+$DB['SERVER'] = 'localhost';
+$DB['PORT'] = '0';
+$DB['DATABASE'] = 'zabbix';
+$DB['USER'] = 'zabbix';
+$DB['PASSWORD'] = 'zabbix';
+
+// Schema name. Used for PostgreSQL.
+$DB['SCHEMA'] = '';
+
+// Used for TLS connection.
+$DB['ENCRYPTION'] = true;
+$DB['KEY_FILE'] = '';
+$DB['CERT_FILE'] = '';
+$DB['CA_FILE'] = '';
+$DB['VERIFY_HOST'] = false;
+$DB['CIPHER_LIST'] = '';
+
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+$DB['VAULT'] = '';
+$DB['VAULT_URL'] = '';
+$DB['VAULT_DB_PATH'] = '';
+$DB['VAULT_TOKEN'] = '';
+$DB['VAULT_CERT_FILE'] = '';
+$DB['VAULT_KEY_FILE'] = '';
+// Uncomment to bypass local caching of credentials.
+// $DB['VAULT_CACHE'] = true;
+
+// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
+// This option is enabled by default for new Zabbix installations.
+// For upgraded installations, please read database upgrade notes before enabling this option.
+$DB['DOUBLE_IEEE754'] = true;
+
+// Uncomment and set to desired values to override Zabbix hostname/IP and port.
+// $ZBX_SERVER = '';
+// $ZBX_SERVER_PORT = '';
+
+$ZBX_SERVER_NAME = 'myzabbix';
+
+$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG;
+
+// Uncomment this block only if you are using Elasticsearch.
+// Elasticsearch url (can be string if same url is used for all types).
+//$HISTORY['url'] = [
+// 'uint' => 'http://localhost:9200',
+// 'text' => 'http://localhost:9200'
+//];
+// Value types stored in Elasticsearch.
+//$HISTORY['types'] = ['uint', 'text'];
+
+// Used for SAML authentication.
+// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
+//$SSO['SP_KEY'] = 'conf/certs/sp.key';
+//$SSO['SP_CERT'] = 'conf/certs/sp.crt';
+//$SSO['IDP_CERT'] = 'conf/certs/idp.crt';
+//$SSO['SETTINGS'] = [];
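Review bot: `$DB['PASSWORD'] = 'zabbix';` bakes a fixed, well-known database password into the shipped frontend configuration, while the server and proxy recipes in this series substitute a `%DB_ZABBIX_PASSWORD%` placeholder at build time; the frontend file should be templated the same way (`$DB['PASSWORD'] = '%DB_ZABBIX_PASSWORD%';` plus a matching `sed` in the frontend recipe) so one distro variable controls the credential everywhere. `$DB['ENCRYPTION'] = true;` together with `$DB['CA_FILE'] = '';` and `$DB['VERIFY_HOST'] = false;` yields a TLS connection with no peer verification, which only defends against passive observation; if the database is always local that may be deliberate, but the trade-off deserves a comment such as `// TLS without CA/host verification: DB is expected on localhost only`. `$DB['PORT'] = '0';` presumably means "use the library default" and would also benefit from a one-line comment.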
diff --git a/recipes-connectivity/zabbix/zabbix-agentd-morello_5.0.38.bb b/recipes-connectivity/zabbix/zabbix-agentd-morello_5.0.38.bb
new file mode 100644
index 0000000..b7084e2
--- /dev/null
+++ b/recipes-connectivity/zabbix/zabbix-agentd-morello_5.0.38.bb
@@ -0,0 +1,52 @@
+inherit perlnative autotools-brokensep pure-cap-kheaders pkgconfig systemd useradd
+inherit purecap-sysroot purecap-useradd
+
+require zabbix-morello.inc
+
+SRC_URI += " \
+ file://zabbix-agentd-morello.service \
+ file://zabbix-agentd.conf \
+ "
+
+# Seperate user for agent for security reasons. If the user is shared the agent
+# will have full access to the server's DB.
+USERADD_PACKAGES += " \
+ ${PN} \
+"
+
+EXTRA_OECONF += "--enable-agent"
+
+GROUPADD_PARAM:${PN} = "-r ${DB_ZABBIX_USER_AGENT} "
+USERADD_PARAM:${PN} = "-r -g ${DB_ZABBIX_USER_AGENT} -d /var/lib/${DB_ZABBIX_USER_AGENT} \
+ -s /sbin/nologin -c "Zabbix Monitoring System" ${DB_ZABBIX_USER_AGENT} \
+"
+RPROVIDES:${PN} += "zabbix-agentd"
+
+BPN_ZABBIX = "zabbix-agentd"
+
+do_install:append() {
+
+ install -d ${D}${systemd_system_unitdir} ${D}${sysconfdir}
+ install -m 0644 ${WORKDIR}/${BPN}.service ${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service
+
+ sed -i -e 's#%SBINDIR%#${sbindir}#g' ${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service
+ sed -i -e 's#%SYSCONFDIR%#${sysconfdir}#g' ${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service
+
+ install -d ${D}${sysconfdir}/zabbix/${BPN_ZABBIX}.conf.d/
+ install -m 0644 ${WORKDIR}/${BPN_ZABBIX}.conf ${D}${sysconfdir}/zabbix/
+
+ sed -i -e 's#%DB_ZABBIX_USER_AGENT%#${DB_ZABBIX_USER_AGENT}#g' ${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service
+ sed -i -e 's#%DB_ZABBIX_USER_AGENT%#${DB_ZABBIX_USER_AGENT}#g' ${D}${sysconfdir}/zabbix/${BPN_ZABBIX}.conf
+ sed -i -e 's#%ZABBIX_USER_NAME%#${DB_ZABBIX_USER_AGENT}#g' ${D}${sysconfdir}/zabbix/${BPN_ZABBIX}.conf
+
+}
+
+do_install:append() {
+ ${OBJDUMP} -D ${D}${sbindir}/zabbix_agentd > ${D}${PURECAP_DEBUGDIR}/zabbix_agentd.dump
+ ${READELF} -a ${D}${sbindir}/zabbix_agentd > ${D}${PURECAP_DEBUGDIR}/zabbix_agentd.readelf
+}
+
+FILES:${PN} += " ${libdir} \
+ ${systemd_system_unitdir}/${BPN_ZABBIX}.service \
+ "
+FILES:${PN}-dbg += "${datadir}"
\ No newline at end of file
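Review bot: `USERADD_PARAM:${PN}` nests double quotes inside a double-quoted BitBake value (`-c "Zabbix Monitoring System"`), whereas the proxy and server recipes in this series write `-c 'Zabbix Monitoring System'`; BitBake's value parsing appears to tolerate it, but it is fragile and inconsistent, so the inner quotes should be single quotes. The home directory is spelled `-d /var/lib/${DB_ZABBIX_USER_AGENT}` here while the sibling recipes use `${localstatedir}/lib/...`; use the variable so all three agree. The `${OBJDUMP}`/`${READELF}` dumps written into `${PURECAP_DEBUGDIR}` rely on that directory already existing (presumably created by `purecap-sysroot`, which is not visible here) and they ship full disassembly of the agent in the debug package — fine for bring-up, but worth a comment saying they are not meant for release images.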
diff --git a/recipes-connectivity/zabbix/zabbix-frontend_5.0.38.bb b/recipes-connectivity/zabbix/zabbix-frontend_5.0.38.bb
new file mode 100644
index 0000000..7395799
--- /dev/null
+++ b/recipes-connectivity/zabbix/zabbix-frontend_5.0.38.bb
@@ -0,0 +1,24 @@
+require zabbix-morello.inc
+
+SRC_URI:append = " \
+ file://zabbix.conf.php \
+"
+
+SYSTEMD_SERVICE:${PN} = ""
+
+DEPENDS = ""
+RDEPENDS:${PN} += "bash"
+
+do_compile[noexec] = "1"
+do_configure[noexec] = "1"
+
+do_install() {
+
+ ZABBIX_WWW_LOC=${D}${datadir}/zabbix
+ install -d ${ZABBIX_WWW_LOC}
+ cp -r ${S}/ui/* ${ZABBIX_WWW_LOC}/
+
+ install -m 0644 ${WORKDIR}/zabbix.conf.php ${ZABBIX_WWW_LOC}/conf/
+}
+
+FILES:${PN} += "${datadir}/zabbix"
\ No newline at end of file
diff --git a/recipes-connectivity/zabbix/zabbix-morello.inc b/recipes-connectivity/zabbix/zabbix-morello.inc
new file mode 100644
index 0000000..71fa5e3
--- /dev/null
+++ b/recipes-connectivity/zabbix/zabbix-morello.inc
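Review bot: `install -m 0644 ${WORKDIR}/zabbix.conf.php ${ZABBIX_WWW_LOC}/conf/` leaves the file that carries the database credentials world-readable inside the web root; it should be installed `-m 0640` and group-owned by whatever user the PHP-FPM worker runs as (that user is defined by the php recipes, not visible here, so the ownership has to be wired up there or in a post-install step). `cp -r ${S}/ui/* ${ZABBIX_WWW_LOC}/` also publishes everything under `ui/`, not just the runtime files, so the upstream `conf/zabbix.conf.php.example` and any non-runtime directories end up served; an explicit list of what to ship, or a prune step, keeps the exposed surface small. A one-line comment explaining why `DEPENDS = ""` is reset after `require zabbix-morello.inc` would also help, since the `.inc` adds several `-morello` build dependencies that this package does not need.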
@@ -0,0 +1,103 @@
+SUMMARY = "Open-source monitoring solution for your IT infrastructure"
+
+MORELLO_SRC = "meta-openembedded/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb"
+
+DESCRIPTION = "\
+ZABBIX is software that monitors numerous parameters of a network and the \
+health and integrity of servers. ZABBIX uses a flexible notification \
+mechanism that allows users to configure e-mail based alerts for virtually \
+any event. This allows a fast reaction to server problems. ZABBIX offers \
+excellent reporting and data visualisation features based on the stored \
+data. This makes ZABBIX ideal for capacity planning. \
+\
+ZABBIX supports both polling and trapping. All ZABBIX reports and \
+statistics, as well as configuration parameters are accessed through a \
+web-based front end. A web-based front end ensures that the status of \
+your network and the health of your servers can be assessed from any \
+location. Properly configured, ZABBIX can play an important role in \
+monitoring IT infrastructure. This is equally true for small \
+organisations with a few servers and for large companies with a \
+multitude of servers."
+HOMEPAGE = "http://www.zabbix.com/"
+SECTION = "Applications/Internet"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=300e938ad303147fede2294ed78fe02e"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/cheri-patches:"
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+PV = "5.0.38"
+PNPV = "zabbix-${PV}"
+SRC_URI = " \
+ https://cdn.zabbix.com/zabbix/sources/stable/5.0/%24%7BPNPV%7D.tar.gz \
+ "
+
+SRC_URI += "file://0000-sysinfo-fix-build-with-musl-libc.patch \
+ file://0000-net-fix-provenance-error.patch \
+ file://0001-memalloc-align-and-work-with-16-not-8.patch \
+ file://0002-duktape-set-shift-to-5-for-CHERI.patch \
+ file://0003-duktape-add-aling-to-16.patch \
+ file://0004-embed-use-padding-of-16-not-8-for-alloc.patch \
+ file://0005-embed-fix-alignment-issues.patch \
+ file://0006-duk_config-use-debug-and-self-test.patch \
+ file://0007-duktape-fix-stack-reallocation.patch \
+ "
+
+S = "${WORKDIR}/zabbix-${PV}"
+
+SRC_URI[md5sum] = "0d314f8626cf5e914204c7e0c4f9ca78"
+SRC_URI[sha256sum] = "765c36aa0fc9dbf27f9eab06ccfe4e71023264d398d361b1dae0a3c1fe4c1a26"
+
+DEPENDS += "postgresql-morello zlib-morello net-snmp-morello openldap-morello libpcre-morello libevent-morello"
+DEPENDS += "curl-morello"
+
+RDEPENDS:${PN} = " \
+ logrotate \
+ "
+
+
+PACKAGECONFIG:append = " net-snmp libevent ldap zlib libpthread iconv curl libpcre openssl"
+
+PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_EXECPREFIXDIR},--without-openssl,openssl-morello"
+PACKAGECONFIG[net-snmp] = "--with-net-snmp=${STAGING_BINDIR}/net-snmp-config,--without-net-snmp,net-snmp-morello"
+PACKAGECONFIG[libevent] = "--with-libevent=${STAGING_EXECPREFIXDIR},--without-libevent,libevent-morello"
+PACKAGECONFIG[ldap] = "--with-ldap=${STAGING_EXECPREFIXDIR},--without-ldap,openldap-morello"
+PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_EXECPREFIXDIR},--without-zlib,zlib-morello"
+PACKAGECONFIG[libpthread] = "--with-libpthread=${STAGING_EXECPREFIXDIR},--without-libpthread,"
+PACKAGECONFIG[libpcre] = "--with-libpcre=${STAGING_EXECPREFIXDIR},--without-libpcre,libpcre-morello"
+PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_BINDIR}/curl-config, --without-libcurl, curl-morello"
+PACKAGECONFIG[iconv] = "--with-iconv=${STAGING_EXECPREFIXDIR},--without-iconv,virtual/libiconv"
+
+EXTRA_OECONF = " \
+ --disable-option-checking \
+ --enable-dependency-tracking \
+ --enable-ipv6 \
+ --disable-static \
+ --with-postgresql=${STAGING_BINDIR}/pgconfig/pg_config \
+ --prefix=${prefix} \
+ --libdir=${libdir} \
+"
+
+CFLAGS:append = " -I${S}/include"
+LDFLAGS += "-pthread -lnetsnmp"
+
+# Lost interest in these errors for now, too many to handle
+CC:remove:toolchain-llvm-morello:class-target = "-Werror=format"
+
+KERNEL_VERSION = "6.5"
+
+ZABBIX_IP_ADDR = "127.0.0.1"
+
+do_configure:prepend() {
+ export KERNEL_VERSION="${KERNEL_VERSION}"
+}
+
+do_install:append() {
+ rm -f ${D}${bindir}/.debug
+ rm -f ${D}${bindir}/.debug/zabbix_sender
+ rm -f ${D}${bindir}/.debug/zabbix_get
+ rm -f ${D}${sbindir}/.debug
+ rm -f ${D}${sbindir}/.debug/zabbix_agentd
+}
+
+SYSROOT_DIRS:remove = "${datadir}"
\ No newline at end of file
diff --git a/recipes-connectivity/zabbix/zabbix-proxy-morello_5.0.38.bb b/recipes-connectivity/zabbix/zabbix-proxy-morello_5.0.38.bb
new file mode 100644
index 0000000..a5867e0
--- /dev/null
+++ b/recipes-connectivity/zabbix/zabbix-proxy-morello_5.0.38.bb
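Review bot: `CC:remove:toolchain-llvm-morello:class-target = "-Werror=format"` silences exactly the diagnostic a CHERI purecap port needs most — a `%lu`/`%p` mismatch on a 128-bit capability argument is a real bug on Morello, not noise — so the `# Lost interest in these errors for now` comment should at least become a tracked TODO naming the affected source files, and `-Wformat` should stay a warning rather than the whole flag vanishing. The fetch line reads `https://cdn.zabbix.com/zabbix/sources/stable/5.0/%24%7BPNPV%7D.tar.gz`; if that is the literal recipe text rather than an artefact of the mail archive, BitBake will not expand it and the fetcher will request a file by that literal name, so it should be `${PNPV}.tar.gz`. The `rm -f ${D}${bindir}/.debug` / `rm -f ${D}${sbindir}/.debug` lines in `do_install:append` cannot remove a directory and, as far as I can tell, `.debug` is only populated during packaging rather than `do_install`, so these most likely never have an effect and deserve either removal or a comment explaining the case they handle.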
@@ -0,0 +1,65 @@
+inherit perlnative autotools-brokensep pure-cap-kheaders pkgconfig systemd useradd
+inherit purecap-sysroot purecap-useradd
+
+require zabbix-morello.inc
+
+SRC_URI:append = " \
+ file://zabbix-proxy.conf \
+ file://zabbix-proxy.service \
+"
+
+# Seperate user for agent for security reasons. If the user is shared the agent
+# will have full access to the server's DB.
+USERADD_PACKAGES += " \
+ ${PN} \
+"
+
+EXTRA_OECONF += "--enable-proxy"
+
+USERADD_PARAM:${PN} = "-r -g ${DB_ZABBIX_USER_SERVER} -d ${localstatedir}/lib/${DB_ZABBIX_USER_SERVER} \
+ -s /sbin/nologin -c 'Zabbix Monitoring System' ${DB_ZABBIX_USER_SERVER} \
+"
+GROUPADD_PARAM:${PN} = "-r ${DB_ZABBIX_USER_SERVER}"
+
+RPROVIDES:${PN} += "zabbix-proxy"
+
+BPN_ZABBIX = "zabbix-proxy"
+
+SYSTEMD_AUTO_ENABLE:${PN} = "enable"
+SYSTEMD_SERVICE:${PN} = "zabbix-proxy.service"
+
+do_install:append() {
+
+ install -d ${D}${systemd_system_unitdir}
+ install -d ${D}${sbindir}
+ install -d ${D}${sysconfdir}
+
+ SERVICE_FILE="${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service"
+ install -m 0644 ${WORKDIR}/${BPN_ZABBIX}.service ${SERVICE_FILE}
+ sed -i -e 's#%SBINDIR%#${sbindir}#g' ${SERVICE_FILE}
+ sed -i -e 's#%SYSCONFDIR%#${sbindir}#g' ${SERVICE_FILE}
+ sed -i -e 's#%ZABBIX_PROXY_CONF%#${sysconfdir}/zabbix-proxy.conf#g' ${SERVICE_FILE}
+
+ # N.B. For release use Access Tokens or similiar
+ sed -i -e 's#%DB_ZABBIX_USER_SERVER%#Admin#g' ${SERVICE_FILE}
+ sed -i -e 's#%DB_ZABBIX_PASSWORD%#${DB_ZABBIX_PASSWORD}#g' ${SERVICE_FILE}
+
+ ZABBIX_CONF_DIR="${D}${sysconfdir}/zabbix/"
+ install -d ${ZABBIX_CONF_DIR}
+ install -m 0644 ${WORKDIR}/${BPN_ZABBIX}.conf ${ZABBIX_CONF_DIR}
+
+ sed -i -e 's#%DB_ZABBIX_NAME%#${DB_ZABBIX_NAME}#g' ${ZABBIX_CONF_DIR}/${BPN_ZABBIX}.conf
+ sed -i -e 's#%DB_ZABBIX_USER_PROXY%#${DB_ZABBIX_USER_PROXY}#g' ${ZABBIX_CONF_DIR}/${BPN_ZABBIX}.conf
+ sed -i -e 's#%DB_ZABBIX_PASSWORD%#${DB_ZABBIX_PASSWORD}#g' ${ZABBIX_CONF_DIR}/${BPN_ZABBIX}.conf
+ sed -i -e 's#%ZABBIX_SERVER_IPS%#${ZABBIX_IP_ADDR}#g' ${ZABBIX_CONF_DIR}/${BPN_ZABBIX}.conf
+ sed -i -e 's#%STATS_ALLOWED_IPS%#${ZABBIX_IP_ADDR}#g' ${ZABBIX_CONF_DIR}/${BPN_ZABBIX}.conf
+
+ sed -i -e 's#%ZABBIX_SOCKET_DIR%#/tmp/#g' ${ZABBIX_CONF_DIR}/${BPN_ZABBIX}.conf
+
+}
+
+
+FILES:${PN} += "${libdir} \
+ ${systemd_system_unitdir}/${BPN_ZABBIX}.service \
+ "
+FILES:${PN}-dbg += "${datadir}"
\ No newline at end of file
diff --git a/recipes-connectivity/zabbix/zabbix-server-morello_5.0.38.bb b/recipes-connectivity/zabbix/zabbix-server-morello_5.0.38.bb
new file mode 100644
index 0000000..941fad6
--- /dev/null
+++ b/recipes-connectivity/zabbix/zabbix-server-morello_5.0.38.bb
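Review bot: `sed -i -e 's#%SYSCONFDIR%#${sbindir}#g' ${SERVICE_FILE}` replaces the sysconfdir placeholder with `${sbindir}`, unlike the agent and server recipes which use `${sysconfdir}`; that reads as a copy-paste slip and should be `sed -i -e 's#%SYSCONFDIR%#${sysconfdir}#g' ${SERVICE_FILE}`. The unit is pointed at `${sysconfdir}/zabbix-proxy.conf` through `%ZABBIX_PROXY_CONF%` while the file is installed under `ZABBIX_CONF_DIR="${D}${sysconfdir}/zabbix/"`, so unless the service file itself adds the `zabbix/` component (it is not visible here) the proxy will start without its configuration. Both the unit, which gets `%DB_ZABBIX_PASSWORD%` substituted in at build time, and `zabbix-proxy.conf` are installed `-m 0644`, leaving the database password world-readable on the target; install the conf `-m 0640` group-owned by `${DB_ZABBIX_USER_SERVER}` and keep the password out of the unit (an `EnvironmentFile=` on a 0600 file) rather than sed-ing it in. The `# N.B.` comment already flags the `Admin` substitution as bring-up only; the same caveat applies to the password handling and belongs next to those lines too.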
@@ -0,0 +1,71 @@
+inherit perlnative autotools-brokensep pure-cap-kheaders pkgconfig systemd useradd
+inherit purecap-sysroot purecap-useradd
+
+require zabbix-morello.inc
+
+SRC_URI:append = " \
+ file://zabbix-server.conf \
+ file://zabbix-server-morello.service \
+"
+
+# Seperate user for agent for security reasons. If the user is shared the agent
+# will have full access to the server's DB.
+USERADD_PACKAGES += " \
+ ${PN} \
+"
+
+EXTRA_OECONF += "--enable-server"
+
+USERADD_PARAM:${PN} = "-r -g ${DB_ZABBIX_USER_SERVER} -d ${localstatedir}/lib/${DB_ZABBIX_USER_SERVER} \
+ -s /sbin/nologin -c 'Zabbix Monitoring System' ${DB_ZABBIX_USER_SERVER} \
+"
+GROUPADD_PARAM:${PN} = "-r ${DB_ZABBIX_USER_SERVER}"
+
+RPROVIDES:${PN} += "zabbix-server"
+RDEPENDS:${PN} += " busybox bash "
+
+BPN_ZABBIX = "zabbix-server"
+
+SYSTEMD_AUTO_ENABLE:${PN} = "enable"
+SYSTEMD_SERVICE:${PN} = "zabbix-server.service"
+
+
+do_install:append() {
+
+ install -d ${D}${systemd_system_unitdir} ${D}${sysconfdir}
+ install -m 0644 ${WORKDIR}/${BPN}.service ${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service
+
+ sed -i -e 's#%SBINDIR%#${sbindir}#g' ${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service
+ sed -i -e 's#%SYSCONFDIR%#${sysconfdir}#g' ${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service
+
+ sed -i -e 's#%DB_ZABBIX_USER_SERVER%#Admin#g' ${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service
+ sed -i -e 's#%DB_ZABBIX_PASSWORD%#${DB_ZABBIX_PASSWORD}#g' ${D}${systemd_system_unitdir}/${BPN_ZABBIX}.service
+
+ install -d ${D}${sysconfdir}/zabbix/${BPN_ZABBIX}.conf.d/
+ install -m 0644 ${WORKDIR}/${BPN_ZABBIX}.conf ${D}${sysconfdir}/zabbix/
+
+ install -d ${D}${sysconfdir}/zabbix/schema
+
+ sed -i -e 's#%DB_ZABBIX_NAME%#${DB_ZABBIX_NAME}#g' ${D}${sysconfdir}/zabbix/${BPN_ZABBIX}.conf
+ sed -i -e 's#%DB_ZABBIX_USER_SERVER%#${DB_ZABBIX_USER_SERVER}#g' ${D}${sysconfdir}/zabbix/${BPN_ZABBIX}.conf
+ sed -i -e 's#%DB_ZABBIX_PASSWORD%#${DB_ZABBIX_PASSWORD}#g' ${D}${sysconfdir}/zabbix/${BPN_ZABBIX}.conf
+
+ sed -i -e 's#%ZABBIX_SOCKET_DIR%#/tmp/#g' ${D}${sysconfdir}/zabbix/${BPN_ZABBIX}.conf
+
+ ZABBIX_SCHEMA_LOC=${D}${sysconfdir}/zabbix/schema
+
+ install -d ${ZABBIX_SCHEMA_LOC}
+ install -m 0644 ${S}/database/postgresql/schema.sql ${ZABBIX_SCHEMA_LOC}
+ install -m 0644 ${S}/database/postgresql/images.sql ${ZABBIX_SCHEMA_LOC}
+ install -m 0644 ${S}/database/postgresql/data.sql ${ZABBIX_SCHEMA_LOC}
+}
+
+do_install:append() {
+ ${OBJDUMP} -D ${D}${sbindir}/zabbix_server > ${D}${PURECAP_DEBUGDIR}/zabbix_server.dump
+ ${READELF} -a ${D}${sbindir}/zabbix_server > ${D}${PURECAP_DEBUGDIR}/zabbix_server.readelf
+}
+
+FILES:${PN} += " ${libdir} \
+ ${systemd_system_unitdir}/${BPN_ZABBIX}.service \
+ "
+FILES:${PN}-dbg += "${datadir}"
\ No newline at end of file
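Review bot: `install -m 0644 ${WORKDIR}/${BPN_ZABBIX}.conf ${D}${sysconfdir}/zabbix/` followed by `sed -i -e 's#%DB_ZABBIX_PASSWORD%#${DB_ZABBIX_PASSWORD}#g'` leaves `DBPassword` in a world-readable `/etc/zabbix/zabbix-server.conf`, and the same password is sed-ed into the 0644 systemd unit; the server only needs the file readable by the `User=` it drops to, so use `install -m 0640 -g ${DB_ZABBIX_USER_SERVER} ...` (the `useradd` class should have created the group before `do_install` runs — worth confirming) and move whatever the unit needs into an `EnvironmentFile=` with mode 0600. Substituting the frontend super-admin name `Admin` into the unit suggests the service authenticates to the API with the default account; that is acceptable for a bring-up image, but unlike the proxy recipe this one carries no comment saying so, and a `# N.B. bring-up only: replace with an API token before release` next to that `sed` would prevent it leaking into a product build. `%ZABBIX_SOCKET_DIR%` is set to `/tmp/`, a world-writable directory; upstream's default is the same, but a service-owned `/run/zabbix` is the conventional hardening and cheap to adopt here.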
Co-authored-by: Harrison Carter hcarter@thegoodpenguin.co.uk Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- recipes-devtools/php/files/pg_config | 15 + recipes-devtools/php/files/php.ini | 1950 +++++++++++++++++ recipes-devtools/php/files/zabbix-fpm.conf | 24 + ...re.ac-don-t-include-build-libtool.m4.patch | 30 + ...001-opcache-config.m4-enable-opcache.patch | 237 ++ ...p-don-t-use-broken-wrapper-for-mkdir.patch | 29 + ...1-php.m4-don-t-unset-cache-variables.patch | 39 + recipes-devtools/php/php/70_mod_php7.conf | 9 + .../php/php/CVE-2023-3247-1.patch | 87 + .../php/php/CVE-2023-3247-2.patch | 29 + recipes-devtools/php/php/CVE-2023-3824.patch | 91 + .../php/php/debian-php-fixheader.patch | 32 + recipes-devtools/php/php/iconv.patch | 41 + .../php/php/imap-fix-autofoo.patch | 41 + recipes-devtools/php/php/pear-makefile.patch | 22 + recipes-devtools/php/php/phar-makefile.patch | 46 + recipes-devtools/php/php/php-fpm-apache.conf | 6 + recipes-devtools/php/php/php-fpm.conf | 510 +++++ recipes-devtools/php/php/php-fpm.service | 10 + .../php/php/php_exec_native.patch | 26 + .../php/php/xfail_two_bug_tests.patch | 34 + recipes-devtools/php/php_%.bbappend | 74 + recipes-devtools/php/php_7.4.33.bb | 276 +++ 23 files changed, 3658 insertions(+) create mode 100755 recipes-devtools/php/files/pg_config create mode 100644 recipes-devtools/php/files/php.ini create mode 100644 recipes-devtools/php/files/zabbix-fpm.conf create mode 100644 recipes-devtools/php/php/0001-configure.ac-don-t-include-build-libtool.m4.patch create mode 100644 recipes-devtools/php/php/0001-opcache-config.m4-enable-opcache.patch create mode 100644 recipes-devtools/php/php/0001-php-don-t-use-broken-wrapper-for-mkdir.patch create mode 100644 recipes-devtools/php/php/0001-php.m4-don-t-unset-cache-variables.patch create mode 100644 recipes-devtools/php/php/70_mod_php7.conf create mode 100644 recipes-devtools/php/php/CVE-2023-3247-1.patch create mode 100644 
recipes-devtools/php/php/CVE-2023-3247-2.patch create mode 100644 recipes-devtools/php/php/CVE-2023-3824.patch create mode 100644 recipes-devtools/php/php/debian-php-fixheader.patch create mode 100644 recipes-devtools/php/php/iconv.patch create mode 100644 recipes-devtools/php/php/imap-fix-autofoo.patch create mode 100644 recipes-devtools/php/php/pear-makefile.patch create mode 100644 recipes-devtools/php/php/phar-makefile.patch create mode 100644 recipes-devtools/php/php/php-fpm-apache.conf create mode 100644 recipes-devtools/php/php/php-fpm.conf create mode 100644 recipes-devtools/php/php/php-fpm.service create mode 100644 recipes-devtools/php/php/php_exec_native.patch create mode 100644 recipes-devtools/php/php/xfail_two_bug_tests.patch create mode 100644 recipes-devtools/php/php_%.bbappend create mode 100644 recipes-devtools/php/php_7.4.33.bb
diff --git a/recipes-devtools/php/files/pg_config b/recipes-devtools/php/files/pg_config
new file mode 100755
index 0000000..d31f437
--- /dev/null
+++ b/recipes-devtools/php/files/pg_config
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [[ "${1}" == "--includedir" ]]; then
+
+ echo "${INCLUDEDIR_IN}"
+
+elif [[ "${1}" == "--libdir" ]]; then
+
+ echo "${LIBDIR_IN}"
+
+elif [[ "${1}" == "--version" ]]; then
+
+ echo "${VERSION_IN}"
+
+fi
\ No newline at end of file
diff --git a/recipes-devtools/php/files/php.ini b/recipes-devtools/php/files/php.ini
new file mode 100644
index 0000000..ab72673
--- /dev/null
+++ b/recipes-devtools/php/files/php.ini
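Review bot: every branch of this `pg_config` stand-in echoes an environment variable (`INCLUDEDIR_IN`, `LIBDIR_IN`, `VERSION_IN`) that is silently empty when the caller forgot to export it, so PHP's configure receives an empty include or library directory and carries on, most likely resolving libpq against whatever the host or default sysroot provides instead of the purecap build; an option the script does not know about also produces no output and exits 0. Fail loudly instead: use `set -u` with `${VAR:?message}` expansions so a missing variable aborts configure with a clear reason, and reject unknown options with a non-zero exit. A header comment naming the recipe that sets these variables would make the contract discoverable.

```shell
#!/bin/bash
# Build-time stand-in for pg_config used by the PHP recipe: every answer is
# taken from the environment (INCLUDEDIR_IN, LIBDIR_IN, VERSION_IN) that the
# recipe exports. Abort instead of answering with an empty string so configure
# cannot silently fall back to host/default-sysroot libpq.
set -u

case "${1:-}" in
    --includedir) echo "${INCLUDEDIR_IN:?pg_config stub: INCLUDEDIR_IN not set}" ;;
    --libdir)     echo "${LIBDIR_IN:?pg_config stub: LIBDIR_IN not set}" ;;
    --version)    echo "${VERSION_IN:?pg_config stub: VERSION_IN not set}" ;;
    *)
        echo "pg_config stub: unsupported option '${1:-}'" >&2
        exit 1
        ;;
esac
```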
@@ -0,0 +1,1950 @@ +[PHP] + +;;;;;;;;;;;;;;;;;;; +; About php.ini ; +;;;;;;;;;;;;;;;;;;; +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. + +; PHP attempts to find and load this configuration from a number of locations. +; The following is a summary of its search order: +; 1. SAPI module specific location. +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) +; 4. Current working directory (except CLI) +; 5. The web server's directory (for SAPI modules), or directory of PHP +; (otherwise in Windows) +; 6. The directory from the --with-config-file-path compile time option, or the +; Windows directory (usually C:\windows) +; See the PHP docs for more specific information. +; https://php.net/configuration.file + +; The syntax of the file is extremely simple. Whitespace and lines +; beginning with a semicolon are silently ignored (as you probably guessed). +; Section headers (e.g. [Foo]) are also silently ignored, even though +; they might mean something in the future. + +; Directives following the section heading [PATH=/www/mysite] only +; apply to PHP files in the /www/mysite directory. Directives +; following the section heading [HOST=www.example.com] only apply to +; PHP files served from www.example.com. Directives set in these +; special sections cannot be overridden by user-defined INI files or +; at runtime. Currently, [PATH=] and [HOST=] sections only work under +; CGI/FastCGI. +; https://php.net/ini.sections + +; Directives are specified using the following syntax: +; directive = value +; Directive names are *case sensitive* - foo=bar is different from FOO=bar. +; Directives are variables used to configure PHP or PHP extensions. +; There is no name validation. If PHP can't find an expected +; directive because it is not set or is mistyped, a default value will be used. 
+ +; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one +; of the INI constants (On, Off, True, False, Yes, No and None) or an expression +; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a +; previously set variable or directive (e.g. ${foo}) + +; Expressions in the INI file are limited to bitwise operators and parentheses: +; | bitwise OR +; ^ bitwise XOR +; & bitwise AND +; ~ bitwise NOT +; ! boolean NOT + +; Boolean flags can be turned on using the values 1, On, True or Yes. +; They can be turned off using the values 0, Off, False or No. + +; An empty string can be denoted by simply not writing anything after the equal +; sign, or by using the None keyword: + +; foo = ; sets foo to an empty string +; foo = None ; sets foo to an empty string +; foo = "None" ; sets foo to the string 'None' + +; If you use constants in your value, and these constants belong to a +; dynamically loaded extension (either a PHP extension or a Zend extension), +; you may only use these constants *after* the line that loads the extension. + +;;;;;;;;;;;;;;;;;;; +; About this file ; +;;;;;;;;;;;;;;;;;;; +; PHP comes packaged with two INI files. One that is recommended to be used +; in production environments and one that is recommended to be used in +; development environments. + +; php.ini-production contains settings which hold security, performance and +; best practices at its core. But please be aware, these settings may break +; compatibility with older or less security conscience applications. We +; recommending using the production ini in production and testing environments. + +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to +; application users can inadvertently leak otherwise secure information. + +; This is the php.ini-production INI file. 
+ +;;;;;;;;;;;;;;;;;;; +; Quick Reference ; +;;;;;;;;;;;;;;;;;;; + +; The following are all the settings which are different in either the production +; or development versions of the INIs with respect to PHP's default behavior. +; Please see the actual settings later in the document for more details as to why +; we recommend these changes in PHP's behavior. + +; display_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; display_startup_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; error_reporting +; Default Value: E_ALL +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT + +; log_errors +; Default Value: Off +; Development Value: On +; Production Value: On + +; max_input_time +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) + +; output_buffering +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 + +; register_argc_argv +; Default Value: On +; Development Value: Off +; Production Value: Off + +; request_order +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" + +; session.gc_divisor +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 + +; session.sid_bits_per_character +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 + +; short_open_tag +; Default Value: On +; Development Value: Off +; Production Value: Off + +; variables_order +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS" + +; zend.exception_ignore_args +; Default Value: Off +; Development Value: Off +; Production Value: On + +; zend.exception_string_param_max_len +; Default Value: 15 +; Development Value: 15 +; Production Value: 0 + +;;;;;;;;;;;;;;;;;;;; +; php.ini Options ; +;;;;;;;;;;;;;;;;;;;; +; Name for user-defined php.ini (.htaccess) files. 
Default is ".user.ini" +;user_ini.filename = ".user.ini" + +; To disable this feature set this option to an empty value +;user_ini.filename = + +; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes) +;user_ini.cache_ttl = 300 + +;;;;;;;;;;;;;;;;;;;; +; Language Options ; +;;;;;;;;;;;;;;;;;;;; + +; Enable the PHP scripting language engine under Apache. +; https://php.net/engine +engine = On + +; This directive determines whether or not PHP will recognize code between +; <? and ?> tags as PHP source which should be processed as such. It is +; generally recommended that <?php and ?> should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the <?= shorthand tag, which can be +; used regardless of this directive. +; Default Value: On +; Development Value: Off +; Production Value: Off +; https://php.net/short-open-tag +short_open_tag = Off + +; The number of significant digits displayed in floating point numbers. +; https://php.net/precision +precision = 14 + +; Output buffering is a mechanism for controlling how much output data +; (excluding headers and cookies) PHP should keep internally before pushing that +; data to the client. If your application's output exceeds this setting, PHP +; will send that data in chunks of roughly the size you specify. +; Turning on this setting and managing its maximum buffer size can yield some +; interesting side-effects depending on your application and web server. +; You may be able to send headers and cookies after you've already sent output +; through print or echo. You also may see performance benefits if your server is +; emitting less packets due to buffered output versus PHP streaming the output +; as it gets it. On production servers, 4096 bytes is a good setting for performance +; reasons. 
+; Note: Output buffering can also be controlled via Output Buffering Control +; functions. +; Possible Values: +; On = Enabled and buffer is unlimited. (Use with caution) +; Off = Disabled +; Integer = Enables the buffer and sets its maximum size in bytes. +; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 +; https://php.net/output-buffering +output_buffering = 4096 + +; You can redirect all of the output of your scripts to a function. For +; example, if you set output_handler to "mb_output_handler", character +; encoding will be transparently converted to the specified encoding. +; Setting any output handler automatically turns on output buffering. +; Note: People who wrote portable scripts should not depend on this ini +; directive. Instead, explicitly set the output handler using ob_start(). +; Using this ini directive may cause problems unless you know what script +; is doing. +; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler" +; and you cannot use both "ob_gzhandler" and "zlib.output_compression". +; Note: output_handler must be empty if this is set 'On' !!!! +; Instead you must use zlib.output_handler. +; https://php.net/output-handler +;output_handler = + +; URL rewriter function rewrites URL on the fly by using +; output buffer. You can set target tags by this configuration. +; "form" tag is special tag. It will add hidden input tag to pass values. +; Refer to session.trans_sid_tags for usage. +; Default Value: "form=" +; Development Value: "form=" +; Production Value: "form=" +;url_rewriter.tags + +; URL rewriter will not rewrite absolute URL nor form by default. To enable +; absolute URL rewrite, allowed hosts must be defined at RUNTIME. +; Refer to session.trans_sid_hosts for more details. 
+; Default Value: "" +; Development Value: "" +; Production Value: "" +;url_rewriter.hosts + +; Transparent output compression using the zlib library +; Valid values for this option are 'off', 'on', or a specific buffer size +; to be used for compression (default is 4KB) +; Note: Resulting chunk size may vary due to nature of compression. PHP +; outputs chunks that are few hundreds bytes each as a result of +; compression. If you prefer a larger chunk size for better +; performance, enable output_buffering in addition. +; Note: You need to use zlib.output_handler instead of the standard +; output_handler, or otherwise the output will be corrupted. +; https://php.net/zlib.output-compression +zlib.output_compression = Off + +; https://php.net/zlib.output-compression-level +;zlib.output_compression_level = -1 + +; You cannot specify additional output handlers if zlib.output_compression +; is activated here. This setting does the same as output_handler but in +; a different order. +; https://php.net/zlib.output-handler +;zlib.output_handler = + +; Implicit flush tells PHP to tell the output layer to flush itself +; automatically after every output block. This is equivalent to calling the +; PHP function flush() after each and every call to print() or echo() and each +; and every HTML block. Turning this option on has serious performance +; implications and is generally recommended for debugging purposes only. +; https://php.net/implicit-flush +; Note: This directive is hardcoded to On for the CLI SAPI +implicit_flush = Off + +; The unserialize callback function will be called (with the undefined class' +; name as parameter), if the unserializer finds an undefined class +; which should be instantiated. A warning appears if the specified function is +; not defined, or if the function doesn't include/implement the missing class. +; So only set this entry, if you really want to implement such a +; callback-function. 
+unserialize_callback_func = + +; The unserialize_max_depth specifies the default depth limit for unserialized +; structures. Setting the depth limit too high may result in stack overflows +; during unserialization. The unserialize_max_depth ini setting can be +; overridden by the max_depth option on individual unserialize() calls. +; A value of 0 disables the depth limit. +;unserialize_max_depth = 4096 + +; When floats & doubles are serialized, store serialize_precision significant +; digits after the floating point. The default value ensures that when floats +; are decoded with unserialize, the data will remain the same. +; The value is also used for json_encode when encoding double values. +; If -1 is used, then dtoa mode 0 is used which automatically select the best +; precision. +serialize_precision = -1 + +; open_basedir, if set, limits all file operations to the defined directory +; and below. This directive makes most sense if used in a per-directory +; or per-virtualhost web server configuration file. +; Note: disables the realpath cache +; https://php.net/open-basedir +;open_basedir = + +; This directive allows you to disable certain functions. +; It receives a comma-delimited list of function names. +; https://php.net/disable-functions +disable_functions = + +; This directive allows you to disable certain classes. +; It receives a comma-delimited list of class names. +; https://php.net/disable-classes +disable_classes = + +; Colors for Syntax Highlighting mode. Anything that's acceptable in +; <span style="color: ???????"> would work. +; https://php.net/syntax-highlighting +;highlight.string = #DD0000 +;highlight.comment = #FF9900 +;highlight.keyword = #007700 +;highlight.default = #0000BB +;highlight.html = #000000 + +; If enabled, the request will be allowed to complete even if the user aborts +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. 
PHP's default behavior +; is to disable this feature. +; https://php.net/ignore-user-abort +;ignore_user_abort = On + +; Determines the size of the realpath cache to be used by PHP. This value should +; be increased on systems where PHP opens many files to reflect the quantity of +; the file operations performed. +; Note: if open_basedir is set, the cache is disabled +; https://php.net/realpath-cache-size +;realpath_cache_size = 4096k + +; Duration of time, in seconds for which to cache realpath information for a given +; file or directory. For systems with rarely changing files, consider increasing this +; value. +; https://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; https://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. +;zend.script_encoding = + +; Allows to include or exclude arguments from stack traces generated for exceptions. +; In production, it is recommended to turn this setting on to prohibit the output +; of sensitive information in stack traces +; Default Value: Off +; Development Value: Off +; Production Value: On +zend.exception_ignore_args = On + +; Allows setting the maximum string length in an argument of a stringified stack trace +; to a value between 0 and 1000000. +; This has no effect when zend.exception_ignore_args is enabled. +; Default Value: 15 +; Development Value: 15 +; Production Value: 0 +; In production, it is recommended to set this to 0 to reduce the output +; of sensitive information in stack traces. 
+zend.exception_string_param_max_len = 0 + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; + +; Decides whether PHP may expose the fact that it is installed on the server +; (e.g. by adding its signature to the Web server header). It is no security +; threat in any way, but it makes it possible to determine whether you use PHP +; on your server or not. +; https://php.net/expose-php +expose_php = On + +;;;;;;;;;;;;;;;;;;; +; Resource Limits ; +;;;;;;;;;;;;;;;;;;; + +; Maximum execution time of each script, in seconds +; https://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 300 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. +; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; https://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; https://php.net/max-input-nesting-level +;max_input_nesting_level = 64 + +; How many GET/POST/COOKIE input variables may be accepted +;max_input_vars = 1000 + +; Maximum amount of memory a script may consume +; https://php.net/memory-limit +memory_limit = 128M + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Error handling and logging ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. 
+; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. +; +; Error Level Constants: +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) +; E_ERROR - fatal run-time errors +; E_RECOVERABLE_ERROR - almost fatal run-time errors +; E_WARNING - run-time warnings (non-fatal errors) +; E_PARSE - compile-time parse errors +; E_NOTICE - run-time notices (these are warnings which often result +; from a bug in your code, but it's possible that it was +; intentional (e.g., using an uninitialized variable and +; relying on the fact it is automatically initialized to an +; empty string) +; E_STRICT - run-time notices, enable to have PHP suggest changes +; to your code which will ensure the best interoperability +; and forward compatibility of your code +; E_CORE_ERROR - fatal errors that occur during PHP's initial startup +; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's +; initial startup +; E_COMPILE_ERROR - fatal compile-time errors +; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) +; E_USER_ERROR - user-generated error message +; E_USER_WARNING - user-generated warning message +; E_USER_NOTICE - user-generated notice message +; E_DEPRECATED - warn about code that will not work in future versions +; of PHP +; E_USER_DEPRECATED - user-generated deprecation warnings +; +; Common Values: +; E_ALL (Show all errors, warnings and notices 
including coding standards.) +; E_ALL & ~E_NOTICE (Show all errors, except for notices) +; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.) +; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors) +; Default Value: E_ALL +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT +; https://php.net/error-reporting +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT + +; This directive controls whether or not and where PHP will output errors, +; notices and warnings too. Error output is very useful during development, but +; it could be very dangerous in production environments. Depending on the code +; which is triggering the error, sensitive information could potentially leak +; out of your application such as database usernames and passwords or worse. +; For production environments, we recommend logging errors rather than +; sending them to STDOUT. +; Possible Values: +; Off = Do not display any errors +; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) +; On or stdout = Display errors to STDOUT +; Default Value: On +; Development Value: On +; Production Value: Off +; https://php.net/display-errors +display_errors = Off + +; The display of errors which occur during PHP's startup sequence are handled +; separately from display_errors. We strongly recommend you set this to 'off' +; for production servers to avoid leaking configuration details. +; Default Value: On +; Development Value: On +; Production Value: Off +; https://php.net/display-startup-errors +display_startup_errors = Off + +; Besides displaying errors, PHP can also log errors to locations such as a +; server-specific log, STDERR, or a location specified by the error_log +; directive found below. While errors should not be displayed on productions +; servers they should still be monitored and logging is a great way to do that. 
+; Default Value: Off +; Development Value: On +; Production Value: On +; https://php.net/log-errors +log_errors = On + +; Do not log repeated messages. Repeated errors must occur in same file on same +; line unless ignore_repeated_source is set true. +; https://php.net/ignore-repeated-errors +ignore_repeated_errors = Off + +; Ignore source of message when ignoring repeated messages. When this setting +; is On you will not log errors with repeated messages from different files or +; source lines. +; https://php.net/ignore-repeated-source +ignore_repeated_source = Off + +; If this parameter is set to Off, then memory leaks will not be shown (on +; stdout or in the log). This is only effective in a debug compile, and if +; error reporting includes E_WARNING in the allowed list +; https://php.net/report-memleaks +report_memleaks = On + +; This setting is off by default. +;report_zend_debug = 0 + +; Turn off normal error reporting and emit XML-RPC error XML +; https://php.net/xmlrpc-errors +;xmlrpc_errors = 0 + +; An XML-RPC faultCode +;xmlrpc_error_number = 0 + +; When PHP displays or logs an error, it has the capability of formatting the +; error message as HTML for easier reading. This directive controls whether +; the error message is formatted as HTML or not. +; Note: This directive is hardcoded to Off for the CLI SAPI +; https://php.net/html-errors +;html_errors = On + +; If html_errors is set to On *and* docref_root is not empty, then PHP +; produces clickable error messages that direct to a page describing the error +; or function causing the error in detail. +; You can download a copy of the PHP manual from https://php.net/docs +; and change docref_root to the base URL of your local copy including the +; leading '/'. You must also specify the file extension being used including +; the dot. PHP's default behavior is to leave these settings empty, in which +; case no links to documentation are generated. +; Note: Never use this feature for production boxes. 
+; https://php.net/docref-root +; Examples +;docref_root = "/phpmanual/" + +; https://php.net/docref-ext +;docref_ext = .html + +; String to output before an error message. PHP's default behavior is to leave +; this setting blank. +; https://php.net/error-prepend-string +; Example: +;error_prepend_string = "<span style='color: #ff0000'>" + +; String to output after an error message. PHP's default behavior is to leave +; this setting blank. +; https://php.net/error-append-string +; Example: +;error_append_string = "</span>" + +; Log errors to specified file. PHP's default behavior is to leave this value +; empty. +; https://php.net/error-log +; Example: +;error_log = php_errors.log +; Log errors to syslog (Event Log on Windows). +;error_log = syslog + +; The syslog ident is a string which is prepended to every message logged +; to syslog. Only used when error_log is set to syslog. +;syslog.ident = php + +; The syslog facility is used to specify what type of program is logging +; the message. Only used when error_log is set to syslog. +;syslog.facility = user + +; Set this to disable filtering control characters (the default). +; Some loggers only accept NVT-ASCII, others accept anything that's not +; control characters. If your logger accepts everything, then no filtering +; is needed at all. +; Allowed values are: +; ascii (all printable ASCII characters and NL) +; no-ctrl (all characters except control characters) +; all (all characters) +; raw (like "all", but messages are not split at newlines) +; https://php.net/syslog.filter +;syslog.filter = ascii + +;windows.show_crt_warning +; Default value: 0 +; Development value: 0 +; Production value: 0 + +;;;;;;;;;;;;;;;;; +; Data Handling ; +;;;;;;;;;;;;;;;;; + +; The separator used in PHP generated URLs to separate arguments. +; PHP's default setting is "&". +; https://php.net/arg-separator.output +; Example: +;arg_separator.output = "&" + +; List of separator(s) used by PHP to parse input URLs into variables. 
+; PHP's default setting is "&". +; NOTE: Every character in this directive is considered as separator! +; https://php.net/arg-separator.input +; Example: +;arg_separator.input = ";&" + +; This directive determines which super global arrays are registered when PHP +; starts up. G,P,C,E & S are abbreviations for the following respective super +; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty +; paid for the registration of these arrays and because ENV is not as commonly +; used as the others, ENV is not recommended on productions servers. You +; can still get access to the environment variables through getenv() should you +; need to. +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS"; +; https://php.net/variables-order +variables_order = "GPCS" + +; This directive determines which super global data (G,P & C) should be +; registered into the super global array REQUEST. If so, it also determines +; the order in which that data is registered. The values for this directive +; are specified in the same manner as the variables_order directive, +; EXCEPT one. Leaving this value empty will cause PHP to use the value set +; in the variables_order directive. It does not mean it will leave the super +; globals array REQUEST empty. +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" +; https://php.net/request-order +request_order = "GP" + +; This directive determines whether PHP registers $argv & $argc each time it +; runs. $argv contains an array of all the arguments passed to PHP when a script +; is invoked. $argc contains an integer representing the number of arguments +; that were passed when the script was invoked. These arrays are extremely +; useful when running scripts from the command line. When this directive is +; enabled, registering these variables consumes CPU cycles and memory each time +; a script is executed. 
For performance reasons, this feature should be disabled +; on production servers. +; Note: This directive is hardcoded to On for the CLI SAPI +; Default Value: On +; Development Value: Off +; Production Value: Off +; https://php.net/register-argc-argv +register_argc_argv = Off + +; When enabled, the ENV, REQUEST and SERVER variables are created when they're +; first used (Just In Time) instead of when the script starts. If these +; variables are not used within a script, having this directive on will result +; in a performance gain. The PHP directive register_argc_argv must be disabled +; for this directive to have any effect. +; https://php.net/auto-globals-jit +auto_globals_jit = On + +; Whether PHP will read the POST data. +; This option is enabled by default. +; Most likely, you won't want to disable this option globally. It causes $_POST +; and $_FILES to always be empty; the only way you will be able to read the +; POST data will be through the php://input stream wrapper. This can be useful +; to proxy requests or to process the POST data in a memory efficient fashion. +; https://php.net/enable-post-data-reading +;enable_post_data_reading = Off + +; Maximum size of POST data that PHP will accept. +; Its value may be 0 to disable the limit. It is ignored if POST data reading +; is disabled through enable_post_data_reading. +; https://php.net/post-max-size +post_max_size = 16M + +; Automatically add files before PHP document. +; https://php.net/auto-prepend-file +auto_prepend_file = + +; Automatically add files after PHP document. +; https://php.net/auto-append-file +auto_append_file = + +; By default, PHP will output a media type using the Content-Type header. To +; disable this, simply set it to be empty. +; +; PHP's built-in default media type is set to text/html. +; https://php.net/default-mimetype +default_mimetype = "text/html" + +; PHP's default character set is set to UTF-8. 
+; https://php.net/default-charset +default_charset = "UTF-8" + +; PHP internal character encoding is set to empty. +; If empty, default_charset is used. +; https://php.net/internal-encoding +;internal_encoding = + +; PHP input character encoding is set to empty. +; If empty, default_charset is used. +; https://php.net/input-encoding +;input_encoding = + +; PHP output character encoding is set to empty. +; If empty, default_charset is used. +; See also output_buffer. +; https://php.net/output-encoding +;output_encoding = + +;;;;;;;;;;;;;;;;;;;;;;;;; +; Paths and Directories ; +;;;;;;;;;;;;;;;;;;;;;;;;; + +; UNIX: "/path1:/path2" +;include_path = ".:/php/includes" +; +; Windows: "\path1;\path2" +;include_path = ".;c:\php\includes" +; +; PHP's default setting for include_path is ".;/path/to/php/pear" +; https://php.net/include-path + +; The root of the PHP pages, used only if nonempty. +; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root +; if you are running php as a CGI under any web server (other than IIS) +; see documentation for security issues. The alternate is to use the +; cgi.force_redirect configuration below +; https://php.net/doc-root +doc_root = + +; The directory under which PHP opens the script using /~username used only +; if nonempty. +; https://php.net/user-dir +user_dir = + +; Directory in which the loadable extensions (modules) reside. +; https://php.net/extension-dir +;extension_dir = "./" +; On windows: +;extension_dir = "ext" + +; Directory where the temporary files should be placed. +; Defaults to the system default (see sys_get_temp_dir) +;sys_temp_dir = "/tmp" + +; Whether or not to enable the dl() function. The dl() function does NOT work +; properly in multithreaded servers, such as IIS or Zeus, and is automatically +; disabled on them. +; https://php.net/enable-dl +enable_dl = Off + +; cgi.force_redirect is necessary to provide security running PHP as a CGI under +; most web servers. 
Left undefined, PHP turns this on by default. You can +; turn it off here AT YOUR OWN RISK +; **You CAN safely turn this off for IIS, in fact, you MUST.** +; https://php.net/cgi.force-redirect +;cgi.force_redirect = 1 + +; if cgi.nph is enabled it will force cgi to always sent Status: 200 with +; every request. PHP's default behavior is to disable this feature. +;cgi.nph = 1 + +; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape +; (iPlanet) web servers, you MAY need to set an environment variable name that PHP +; will look for to know it is OK to continue execution. Setting this variable MAY +; cause security issues, KNOW WHAT YOU ARE DOING FIRST. +; https://php.net/cgi.redirect-status-env +;cgi.redirect_status_env = + +; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's +; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok +; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting +; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting +; of zero causes PHP to behave as before. Default is 1. You should fix your scripts +; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. +; https://php.net/cgi.fix-pathinfo +;cgi.fix_pathinfo=1 + +; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside +; of the web tree and people will not be able to circumvent .htaccess security. +;cgi.discard_path=1 + +; FastCGI under IIS supports the ability to impersonate +; security tokens of the calling client. This allows IIS to define the +; security context that the request runs under. mod_fastcgi under Apache +; does not currently support this feature (03/17/2002) +; Set to 1 if running under IIS. Default is zero. +; https://php.net/fastcgi.impersonate +;fastcgi.impersonate = 1 + +; Disable logging through FastCGI connection. PHP's default behavior is to enable +; this feature. 
+;fastcgi.logging = 0 + +; cgi.rfc2616_headers configuration option tells PHP what type of headers to +; use when sending HTTP response code. If set to 0, PHP sends Status: header that +; is supported by Apache. When this option is set to 1, PHP will send +; RFC2616 compliant header. +; Default is zero. +; https://php.net/cgi.rfc2616-headers +;cgi.rfc2616_headers = 0 + +; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #! +; (shebang) at the top of the running script. This line might be needed if the +; script support running both as stand-alone script and via PHP CGI<. PHP in CGI +; mode skips this line and ignores its content if this directive is turned on. +; https://php.net/cgi.check-shebang-line +;cgi.check_shebang_line=1 + +;;;;;;;;;;;;;;;; +; File Uploads ; +;;;;;;;;;;;;;;;; + +; Whether to allow HTTP file uploads. +; https://php.net/file-uploads +file_uploads = On + +; Temporary directory for HTTP uploaded files (will use system default if not +; specified). +; https://php.net/upload-tmp-dir +;upload_tmp_dir = + +; Maximum allowed size for uploaded files. +; https://php.net/upload-max-filesize +upload_max_filesize = 2M + +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 20 + +;;;;;;;;;;;;;;;;;; +; Fopen wrappers ; +;;;;;;;;;;;;;;;;;; + +; Whether to allow the treatment of URLs (like http:// or ftp://) as files. +; https://php.net/allow-url-fopen +allow_url_fopen = On + +; Whether to allow include/require to open URLs (like https:// or ftp://) as files. +; https://php.net/allow-url-include +allow_url_include = Off + +; Define the anonymous ftp password (your email address). PHP's default setting +; for this is empty. +; https://php.net/from +;from="john@doe.com" + +; Define the User-Agent string. PHP's default setting for this is empty. 
+; https://php.net/user-agent +;user_agent="PHP" + +; Default timeout for socket based streams (seconds) +; https://php.net/default-socket-timeout +default_socket_timeout = 60 + +; If your scripts have to deal with files from Macintosh systems, +; or you are running on a Mac and need to deal with files from +; unix or win32 systems, setting this flag will cause PHP to +; automatically detect the EOL character in those files so that +; fgets() and file() will work regardless of the source of the file. +; https://php.net/auto-detect-line-endings +;auto_detect_line_endings = Off + +;;;;;;;;;;;;;;;;;;;;;; +; Dynamic Extensions ; +;;;;;;;;;;;;;;;;;;;;;; + +; If you wish to have an extension loaded automatically, use the following +; syntax: +; +; extension=modulename +; +; For example: +; +; extension=mysqli +; +; When the extension library to load is not located in the default extension +; directory, You may specify an absolute path to the library file: +; +; extension=/path/to/extension/mysqli.so +; +; Note : The syntax used in previous PHP versions ('extension=<ext>.so' and +; 'extension='php_<ext>.dll') is supported for legacy reasons and may be +; deprecated in a future PHP major version. So, when it is possible, please +; move to the new ('extension=<ext>) syntax. +; +; Notes for Windows environments : +; +; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+) +; extension folders as well as the separate PECL DLL download (PHP 5+). +; Be sure to appropriately set the extension_dir directive. 
+; +;extension=bz2 +;extension=curl +;extension=ffi +;extension=ftp +;extension=fileinfo +;extension=gd +;extension=gettext +;extension=gmp +;extension=intl +;extension=imap +;extension=ldap +;extension=mbstring +;extension=exif ; Must be after mbstring as it depends on it +;extension=mysqli +;extension=oci8_12c ; Use with Oracle Database 12c Instant Client +;extension=oci8_19 ; Use with Oracle Database 19 Instant Client +;extension=odbc +;extension=openssl +;extension=pdo_firebird +;extension=pdo_mysql +;extension=pdo_oci +;extension=pdo_odbc +;extension=pdo_pgsql +;extension=pdo_sqlite +;extension=pgsql +;extension=shmop + +; The MIBS data available in the PHP distribution must be installed. +; See https://www.php.net/manual/en/snmp.installation.php +;extension=snmp + +;extension=soap +;extension=sockets +;extension=sodium +;extension=sqlite3 +;extension=tidy +;extension=xsl + +;zend_extension=opcache + +;;;;;;;;;;;;;;;;;;; +; Module Settings ; +;;;;;;;;;;;;;;;;;;; + +[CLI Server] +; Whether the CLI web server uses ANSI color coding in its terminal output. +cli_server.color = On + +[Date] +; Defines the default timezone used by the date functions +; https://php.net/date.timezone +date.timezone = GMT + +; https://php.net/date.default-latitude +;date.default_latitude = 31.7667 + +; https://php.net/date.default-longitude +;date.default_longitude = 35.2333 + +; https://php.net/date.sunrise-zenith +;date.sunrise_zenith = 90.833333 + +; https://php.net/date.sunset-zenith +;date.sunset_zenith = 90.833333 + +[filter] +; https://php.net/filter.default +;filter.default = unsafe_raw + +; https://php.net/filter.default-flags +;filter.default_flags = + +[iconv] +; Use of this INI entry is deprecated, use global input_encoding instead. +; If empty, default_charset or input_encoding or iconv.input_encoding is used. 
+; The precedence is: default_charset < input_encoding < iconv.input_encoding +;iconv.input_encoding = + +; Use of this INI entry is deprecated, use global internal_encoding instead. +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;iconv.internal_encoding = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; If empty, default_charset or output_encoding or iconv.output_encoding is used. +; The precedence is: default_charset < output_encoding < iconv.output_encoding +; To use an output encoding conversion, iconv's output handler must be set +; otherwise output encoding conversion cannot be performed. +;iconv.output_encoding = + +[imap] +; rsh/ssh logins are disabled by default. Use this INI entry if you want to +; enable them. Note that the IMAP library does not filter mailbox names before +; passing them to rsh/ssh command, thus passing untrusted data to this function +; with rsh/ssh enabled is insecure. +;imap.enable_insecure_rsh=0 + +[intl] +;intl.default_locale = +; This directive allows you to produce PHP errors when some error +; happens within intl functions. The value is the level of the error produced. +; Default is 0, which does not produce any errors. +;intl.error_level = E_WARNING +;intl.use_exceptions = 0 + +[sqlite3] +; Directory pointing to SQLite3 extensions +; https://php.net/sqlite3.extension-dir +;sqlite3.extension_dir = + +; SQLite defensive mode flag (only available from SQLite 3.26+) +; When the defensive flag is enabled, language features that allow ordinary +; SQL to deliberately corrupt the database file are disabled. This forbids +; writing directly to the schema, shadow tables (eg. FTS data tables), or +; the sqlite_dbpage virtual table. 
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html +; (for older SQLite versions, this flag has no use) +;sqlite3.defensive = 1 + +[Pcre] +; PCRE library backtracking limit. +; https://php.net/pcre.backtrack-limit +;pcre.backtrack_limit=100000 + +; PCRE library recursion limit. +; Please note that if you set this value to a high number you may consume all +; the available process stack and eventually crash PHP (due to reaching the +; stack size limit imposed by the Operating System). +; https://php.net/pcre.recursion-limit +;pcre.recursion_limit=100000 + +; Enables or disables JIT compilation of patterns. This requires the PCRE +; library to be compiled with JIT support. +;pcre.jit=1 + +[Pdo] +; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off" +; https://php.net/pdo-odbc.connection-pooling +;pdo_odbc.connection_pooling=strict + +[Pdo_mysql] +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +pdo_mysql.default_socket= + +[Phar] +; https://php.net/phar.readonly +;phar.readonly = On + +; https://php.net/phar.require-hash +;phar.require_hash = On + +;phar.cache_list = + +[mail function] +; For Win32 only. +; https://php.net/smtp +SMTP = localhost +; https://php.net/smtp-port +smtp_port = 25 + +; For Win32 only. +; https://php.net/sendmail-from +;sendmail_from = me@example.com + +; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). +; https://php.net/sendmail-path +;sendmail_path = + +; Force the addition of the specified parameters to be passed as extra parameters +; to the sendmail binary. These parameters will always replace the value of +; the 5th parameter to mail(). +;mail.force_extra_parameters = + +; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename +mail.add_x_header = Off + +; The path to a log file that will log all mail() calls. 
Log entries include +; the full path of the script, line number, To address and headers. +;mail.log = +; Log mail to syslog (Event Log on Windows). +;mail.log = syslog + +[ODBC] +; https://php.net/odbc.default-db +;odbc.default_db = Not yet implemented + +; https://php.net/odbc.default-user +;odbc.default_user = Not yet implemented + +; https://php.net/odbc.default-pw +;odbc.default_pw = Not yet implemented + +; Controls the ODBC cursor model. +; Default: SQL_CURSOR_STATIC (default). +;odbc.default_cursortype + +; Allow or prevent persistent links. +; https://php.net/odbc.allow-persistent +odbc.allow_persistent = On + +; Check that a connection is still valid before reuse. +; https://php.net/odbc.check-persistent +odbc.check_persistent = On + +; Maximum number of persistent links. -1 means no limit. +; https://php.net/odbc.max-persistent +odbc.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +; https://php.net/odbc.max-links +odbc.max_links = -1 + +; Handling of LONG fields. Returns number of bytes to variables. 0 means +; passthru. +; https://php.net/odbc.defaultlrl +odbc.defaultlrl = 4096 + +; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char. +; See the documentation on odbc_binmode and odbc_longreadlen for an explanation +; of odbc.defaultlrl and odbc.defaultbinmode +; https://php.net/odbc.defaultbinmode +odbc.defaultbinmode = 1 + +[MySQLi] + +; Maximum number of persistent links. -1 means no limit. +; https://php.net/mysqli.max-persistent +mysqli.max_persistent = -1 + +; Allow accessing, from PHP's perspective, local files with LOAD DATA statements +; https://php.net/mysqli.allow_local_infile +;mysqli.allow_local_infile = On + +; It allows the user to specify a folder where files that can be sent via LOAD DATA +; LOCAL can exist. It is ignored if mysqli.allow_local_infile is enabled. +;mysqli.local_infile_directory = + +; Allow or prevent persistent links. 
+; https://php.net/mysqli.allow-persistent +mysqli.allow_persistent = On + +; Maximum number of links. -1 means no limit. +; https://php.net/mysqli.max-links +mysqli.max_links = -1 + +; Default port number for mysqli_connect(). If unset, mysqli_connect() will use +; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the +; compile-time value defined MYSQL_PORT (in that order). Win32 will only look +; at MYSQL_PORT. +; https://php.net/mysqli.default-port +mysqli.default_port = 3306 + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +; https://php.net/mysqli.default-socket +mysqli.default_socket = + +; Default host for mysqli_connect() (doesn't apply in safe mode). +; https://php.net/mysqli.default-host +mysqli.default_host = + +; Default user for mysqli_connect() (doesn't apply in safe mode). +; https://php.net/mysqli.default-user +mysqli.default_user = + +; Default password for mysqli_connect() (doesn't apply in safe mode). +; Note that this is generally a *bad* idea to store passwords in this file. +; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw") +; and reveal this password! And of course, any users with read access to this +; file will be able to reveal the password as well. +; https://php.net/mysqli.default-pw +mysqli.default_pw = + +; Allow or prevent reconnect +mysqli.reconnect = Off + +; If this option is enabled, closing a persistent connection will rollback +; any pending transactions of this connection, before it is put back +; into the persistent connection pool. +;mysqli.rollback_on_cached_plink = Off + +[mysqlnd] +; Enable / Disable collection of general statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +mysqlnd.collect_statistics = On + +; Enable / Disable collection of memory usage statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. 
+mysqlnd.collect_memory_statistics = Off + +; Records communication from all extensions using mysqlnd to the specified log +; file. +; https://php.net/mysqlnd.debug +;mysqlnd.debug = + +; Defines which queries will be logged. +;mysqlnd.log_mask = 0 + +; Default size of the mysqlnd memory pool, which is used by result sets. +;mysqlnd.mempool_default_size = 16000 + +; Size of a pre-allocated buffer used when sending commands to MySQL in bytes. +;mysqlnd.net_cmd_buffer_size = 2048 + +; Size of a pre-allocated buffer used for reading data sent by the server in +; bytes. +;mysqlnd.net_read_buffer_size = 32768 + +; Timeout for network requests in seconds. +;mysqlnd.net_read_timeout = 31536000 + +; SHA-256 Authentication Plugin related. File with the MySQL server public RSA +; key. +;mysqlnd.sha256_server_public_key = + +[OCI8] + +; Connection: Enables privileged connections using external +; credentials (OCI_SYSOPER, OCI_SYSDBA) +; https://php.net/oci8.privileged-connect +;oci8.privileged_connect = Off + +; Connection: The maximum number of persistent OCI8 connections per +; process. Using -1 means no limit. +; https://php.net/oci8.max-persistent +;oci8.max_persistent = -1 + +; Connection: The maximum number of seconds a process is allowed to +; maintain an idle persistent connection. Using -1 means idle +; persistent connections will be maintained forever. +; https://php.net/oci8.persistent-timeout +;oci8.persistent_timeout = -1 + +; Connection: The number of seconds that must pass before issuing a +; ping during oci_pconnect() to check the connection validity. When +; set to 0, each oci_pconnect() will cause a ping. Using -1 disables +; pings completely. +; https://php.net/oci8.ping-interval +;oci8.ping_interval = 60 + +; Connection: Set this to a user chosen connection class to be used +; for all pooled server requests with Oracle 11g Database Resident +; Connection Pooling (DRCP). 
To use DRCP, this value should be set to +; the same string for all web servers running the same application, +; the database pool must be configured, and the connection string must +; specify to use a pooled server. +;oci8.connection_class = + +; High Availability: Using On lets PHP receive Fast Application +; Notification (FAN) events generated when a database node fails. The +; database must also be configured to post FAN events. +;oci8.events = Off + +; Tuning: This option enables statement caching, and specifies how +; many statements to cache. Using 0 disables statement caching. +; https://php.net/oci8.statement-cache-size +;oci8.statement_cache_size = 20 + +; Tuning: Enables statement prefetching and sets the default number of +; rows that will be fetched automatically after statement execution. +; https://php.net/oci8.default-prefetch +;oci8.default_prefetch = 100 + +; Compatibility. Using On means oci_close() will not close +; oci_connect() and oci_new_connect() connections. +; https://php.net/oci8.old-oci-close-semantics +;oci8.old_oci_close_semantics = Off + +[PostgreSQL] +; Allow or prevent persistent links. +; https://php.net/pgsql.allow-persistent +pgsql.allow_persistent = On + +; Detect broken persistent links always with pg_pconnect(). +; Auto reset feature requires a little overheads. +; https://php.net/pgsql.auto-reset-persistent +pgsql.auto_reset_persistent = Off + +; Maximum number of persistent links. -1 means no limit. +; https://php.net/pgsql.max-persistent +pgsql.max_persistent = -1 + +; Maximum number of links (persistent+non persistent). -1 means no limit. +; https://php.net/pgsql.max-links +pgsql.max_links = -1 + +; Ignore PostgreSQL backends Notice message or not. +; Notice message logging require a little overheads. +; https://php.net/pgsql.ignore-notice +pgsql.ignore_notice = 0 + +; Log PostgreSQL backends Notice message or not. +; Unless pgsql.ignore_notice=0, module cannot log notice message. 
+; https://php.net/pgsql.log-notice +pgsql.log_notice = 0 + +[bcmath] +; Number of decimal digits for all bcmath functions. +; https://php.net/bcmath.scale +bcmath.scale = 0 + +[browscap] +; https://php.net/browscap +;browscap = extra/browscap.ini + +[Session] +; Handler used to store/retrieve data. +; https://php.net/session.save-handler +session.save_handler = files + +; Argument passed to save_handler. In the case of files, this is the path +; where data files are stored. Note: Windows users have to change this +; variable in order to use PHP's session functions. +; +; The path can be defined as: +; +; session.save_path = "N;/path" +; +; where N is an integer. Instead of storing all the session files in +; /path, what this will do is use subdirectories N-levels deep, and +; store the session data in those directories. This is useful if +; your OS has problems with many files in one directory, and is +; a more efficient layout for servers that handle many sessions. +; +; NOTE 1: PHP will not create this directory structure automatically. +; You can use the script in the ext/session dir for that purpose. +; NOTE 2: See the section on garbage collection below if you choose to +; use subdirectories for session storage +; +; The file storage module creates files using mode 600 by default. +; You can change that by using +; +; session.save_path = "N;MODE;/path" +; +; where MODE is the octal representation of the mode. Note that this +; does not overwrite the process's umask. +; https://php.net/session.save-path +;session.save_path = "/tmp" + +; Whether to use strict session mode. +; Strict session mode does not accept an uninitialized session ID, and +; regenerates the session ID if the browser sends an uninitialized session ID. +; Strict mode protects applications from session fixation via a session adoption +; vulnerability. It is disabled by default for maximum compatibility, but +; enabling it is encouraged. 
+; https://wiki.php.net/rfc/strict_sessions +session.use_strict_mode = 0 + +; Whether to use cookies. +; https://php.net/session.use-cookies +session.use_cookies = 1 + +; https://php.net/session.cookie-secure +;session.cookie_secure = + +; This option forces PHP to fetch and use a cookie for storing and maintaining +; the session id. We encourage this operation as it's very helpful in combating +; session hijacking when not specifying and managing your own session id. It is +; not the be-all and end-all of session hijacking defense, but it's a good start. +; https://php.net/session.use-only-cookies +session.use_only_cookies = 1 + +; Name of the session (used as cookie name). +; https://php.net/session.name +session.name = PHPSESSID + +; Initialize session on request startup. +; https://php.net/session.auto-start +session.auto_start = 0 + +; Lifetime in seconds of cookie or, if 0, until browser is restarted. +; https://php.net/session.cookie-lifetime +session.cookie_lifetime = 0 + +; The path for which the cookie is valid. +; https://php.net/session.cookie-path +session.cookie_path = / + +; The domain for which the cookie is valid. +; https://php.net/session.cookie-domain +session.cookie_domain = + +; Whether or not to add the httpOnly flag to the cookie, which makes it +; inaccessible to browser scripting languages such as JavaScript. +; https://php.net/session.cookie-httponly +session.cookie_httponly = + +; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF) +; Current valid values are "Strict", "Lax" or "None". When using "None", +; make sure to include the quotes, as `none` is interpreted like `false` in ini files. +; https://tools.ietf.org/html/draft-west-first-party-cookies-07 +session.cookie_samesite = + +; Handler used to serialize data. php is the standard serializer of PHP. 
+; https://php.net/session.serialize-handler +session.serialize_handler = php + +; Defines the probability that the 'garbage collection' process is started on every +; session initialization. The probability is calculated by using gc_probability/gc_divisor, +; e.g. 1/100 means there is a 1% chance that the GC process starts on each request. +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; https://php.net/session.gc-probability +session.gc_probability = 1 + +; Defines the probability that the 'garbage collection' process is started on every +; session initialization. The probability is calculated by using gc_probability/gc_divisor, +; e.g. 1/100 means there is a 1% chance that the GC process starts on each request. +; For high volume production servers, using a value of 1000 is a more efficient approach. +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 +; https://php.net/session.gc-divisor +session.gc_divisor = 1000 + +; After this number of seconds, stored data will be seen as 'garbage' and +; cleaned up by the garbage collection process. +; https://php.net/session.gc-maxlifetime +session.gc_maxlifetime = 1440 + +; NOTE: If you are using the subdirectory option for storing session files +; (see session.save_path above), then garbage collection does *not* +; happen automatically. You will need to do your own garbage +; collection through a shell script, cron entry, or some other method. +; For example, the following script is the equivalent of setting +; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes): +; find /path/to/sessions -cmin +24 -type f | xargs rm + +; Check HTTP Referer to invalidate externally stored URLs containing ids. +; HTTP_REFERER has to contain this substring for the session to be +; considered as valid. 
+; https://php.net/session.referer-check +session.referer_check = + +; Set to {nocache,private,public,} to determine HTTP caching aspects +; or leave this empty to avoid sending anti-caching headers. +; https://php.net/session.cache-limiter +session.cache_limiter = nocache + +; Document expires after n minutes. +; https://php.net/session.cache-expire +session.cache_expire = 180 + +; trans sid support is disabled by default. +; Use of trans sid may risk your users' security. +; Use this option with caution. +; - User may send URL contains active session ID +; to other person via. email/irc/etc. +; - URL that contains active session ID may be stored +; in publicly accessible computer. +; - User may access your site with the same session ID +; always using URL stored in browser's history or bookmarks. +; https://php.net/session.use-trans-sid +session.use_trans_sid = 0 + +; Set session ID character length. This value could be between 22 to 256. +; Shorter length than default is supported only for compatibility reason. +; Users should use 32 or more chars. +; https://php.net/session.sid-length +; Default Value: 32 +; Development Value: 26 +; Production Value: 26 +session.sid_length = 26 + +; The URL rewriter will look for URLs in a defined set of HTML tags. +; <form> is special; if you include them here, the rewriter will +; add a hidden <input> field with the info which is otherwise appended +; to URLs. <form> tag's action attribute URL will not be modified +; unless it is specified. +; Note that all valid entries require a "=", even if no value follows. +; Default Value: "a=href,area=href,frame=src,form=" +; Development Value: "a=href,area=href,frame=src,form=" +; Production Value: "a=href,area=href,frame=src,form=" +; https://php.net/url-rewriter.tags +session.trans_sid_tags = "a=href,area=href,frame=src,form=" + +; URL rewriter does not rewrite absolute URLs by default. +; To enable rewrites for absolute paths, target hosts must be specified +; at RUNTIME. i.e. 
use ini_set() +; <form> tags is special. PHP will check action attribute's URL regardless +; of session.trans_sid_tags setting. +; If no host is defined, HTTP_HOST will be used for allowed host. +; Example value: php.net,www.php.net,wiki.php.net +; Use "," for multiple hosts. No spaces are allowed. +; Default Value: "" +; Development Value: "" +; Production Value: "" +;session.trans_sid_hosts="" + +; Define how many bits are stored in each character when converting +; the binary hash data to something readable. +; Possible values: +; 4 (4 bits: 0-9, a-f) +; 5 (5 bits: 0-9, a-v) +; 6 (6 bits: 0-9, a-z, A-Z, "-", ",") +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 +; https://php.net/session.hash-bits-per-character +session.sid_bits_per_character = 5 + +; Enable upload progress tracking in $_SESSION +; Default Value: On +; Development Value: On +; Production Value: On +; https://php.net/session.upload-progress.enabled +;session.upload_progress.enabled = On + +; Cleanup the progress information as soon as all POST data has been read +; (i.e. upload completed). +; Default Value: On +; Development Value: On +; Production Value: On +; https://php.net/session.upload-progress.cleanup +;session.upload_progress.cleanup = On + +; A prefix used for the upload progress key in $_SESSION +; Default Value: "upload_progress_" +; Development Value: "upload_progress_" +; Production Value: "upload_progress_" +; https://php.net/session.upload-progress.prefix +;session.upload_progress.prefix = "upload_progress_" + +; The index name (concatenated with the prefix) in $_SESSION +; containing the upload progress information +; Default Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Development Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Production Value: "PHP_SESSION_UPLOAD_PROGRESS" +; https://php.net/session.upload-progress.name +;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS" + +; How frequently the upload progress should be updated. 
+; Given either in percentages (per-file), or in bytes +; Default Value: "1%" +; Development Value: "1%" +; Production Value: "1%" +; https://php.net/session.upload-progress.freq +;session.upload_progress.freq = "1%" + +; The minimum delay between updates, in seconds +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; https://php.net/session.upload-progress.min-freq +;session.upload_progress.min_freq = "1" + +; Only write session data when session data is changed. Enabled by default. +; https://php.net/session.lazy-write +;session.lazy_write = On + +[Assertion] +; Switch whether to compile assertions at all (to have no overhead at run-time) +; -1: Do not compile at all +; 0: Jump over assertion at run-time +; 1: Execute assertions +; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1) +; Default Value: 1 +; Development Value: 1 +; Production Value: -1 +; https://php.net/zend.assertions +zend.assertions = -1 + +; Assert(expr); active by default. +; https://php.net/assert.active +;assert.active = On + +; Throw an AssertionError on failed assertions +; https://php.net/assert.exception +;assert.exception = On + +; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active) +; https://php.net/assert.warning +;assert.warning = On + +; Don't bail out by default. +; https://php.net/assert.bail +;assert.bail = Off + +; User-function to be called if an assertion fails. 
+; https://php.net/assert.callback +;assert.callback = 0 + +[COM] +; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs +; https://php.net/com.typelib-file +;com.typelib_file = + +; allow Distributed-COM calls +; https://php.net/com.allow-dcom +;com.allow_dcom = true + +; autoregister constants of a component's typelib on com_load() +; https://php.net/com.autoregister-typelib +;com.autoregister_typelib = true + +; register constants casesensitive +; https://php.net/com.autoregister-casesensitive +;com.autoregister_casesensitive = false + +; show warnings on duplicate constant registrations +; https://php.net/com.autoregister-verbose +;com.autoregister_verbose = true + +; The default character set code-page to use when passing strings to and from COM objects. +; Default: system ANSI code page +;com.code_page= + +; The version of the .NET framework to use. The value of the setting are the first three parts +; of the framework's version number, separated by dots, and prefixed with "v", e.g. "v4.0.30319". +;com.dotnet_version= + +[mbstring] +; language for internal character representation. +; This affects mb_send_mail() and mbstring.detect_order. +; https://php.net/mbstring.language +;mbstring.language = Japanese + +; Use of this INI entry is deprecated, use global internal_encoding instead. +; internal/script encoding. +; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*) +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;mbstring.internal_encoding = + +; Use of this INI entry is deprecated, use global input_encoding instead. +; http input encoding. +; mbstring.encoding_translation = On is needed to use this setting. +; If empty, default_charset or input_encoding or mbstring.input is used. 
+; The precedence is: default_charset < input_encoding < mbstring.http_input +; https://php.net/mbstring.http-input +;mbstring.http_input = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; http output encoding. +; mb_output_handler must be registered as output buffer to function. +; If empty, default_charset or output_encoding or mbstring.http_output is used. +; The precedence is: default_charset < output_encoding < mbstring.http_output +; To use an output encoding conversion, mbstring's output handler must be set +; otherwise output encoding conversion cannot be performed. +; https://php.net/mbstring.http-output +;mbstring.http_output = + +; enable automatic encoding translation according to +; mbstring.internal_encoding setting. Input chars are +; converted to internal encoding by setting this to On. +; Note: Do _not_ use automatic encoding translation for +; portable libs/applications. +; https://php.net/mbstring.encoding-translation +;mbstring.encoding_translation = Off + +; automatic encoding detection order. +; "auto" detect order is changed according to mbstring.language +; https://php.net/mbstring.detect-order +;mbstring.detect_order = auto + +; substitute_character used when character cannot be converted +; one from another +; https://php.net/mbstring.substitute-character +;mbstring.substitute_character = none + +; Enable strict encoding detection. +;mbstring.strict_detection = Off + +; This directive specifies the regex pattern of content types for which mb_output_handler() +; is activated. +; Default: mbstring.http_output_conv_mimetypes=^(text/|application/xhtml\+xml) +;mbstring.http_output_conv_mimetypes= + +; This directive specifies maximum stack depth for mbstring regular expressions. It is similar +; to the pcre.recursion_limit for PCRE. +;mbstring.regex_stack_limit=100000 + +; This directive specifies maximum retry count for mbstring regular expressions. It is similar +; to the pcre.backtrack_limit for PCRE. 
+;mbstring.regex_retry_limit=1000000 + +[gd] +; Tell the jpeg decode to ignore warnings and try to create +; a gd image. The warning will then be displayed as notices +; disabled by default +; https://php.net/gd.jpeg-ignore-warning +;gd.jpeg_ignore_warning = 1 + +[exif] +; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS. +; With mbstring support this will automatically be converted into the encoding +; given by corresponding encode setting. When empty mbstring.internal_encoding +; is used. For the decode settings you can distinguish between motorola and +; intel byte order. A decode setting cannot be empty. +; https://php.net/exif.encode-unicode +;exif.encode_unicode = ISO-8859-15 + +; https://php.net/exif.decode-unicode-motorola +;exif.decode_unicode_motorola = UCS-2BE + +; https://php.net/exif.decode-unicode-intel +;exif.decode_unicode_intel = UCS-2LE + +; https://php.net/exif.encode-jis +;exif.encode_jis = + +; https://php.net/exif.decode-jis-motorola +;exif.decode_jis_motorola = JIS + +; https://php.net/exif.decode-jis-intel +;exif.decode_jis_intel = JIS + +[Tidy] +; The path to a default tidy configuration file to use when using tidy +; https://php.net/tidy.default-config +;tidy.default_config = /usr/local/lib/php/default.tcfg + +; Should tidy clean and repair output automatically? +; WARNING: Do not use this option if you are generating non-html content +; such as dynamic images +; https://php.net/tidy.clean-output +tidy.clean_output = Off + +[soap] +; Enables or disables WSDL caching feature. +; https://php.net/soap.wsdl-cache-enabled +soap.wsdl_cache_enabled=1 + +; Sets the directory name where SOAP extension will put cache files. +; https://php.net/soap.wsdl-cache-dir +soap.wsdl_cache_dir="/tmp" + +; (time to live) Sets the number of second while cached file will be used +; instead of original one. +; https://php.net/soap.wsdl-cache-ttl +soap.wsdl_cache_ttl=86400 + +; Sets the size of the cache limit. (Max. 
number of WSDL files to cache) +soap.wsdl_cache_limit = 5 + +[sysvshm] +; A default size of the shared memory segment +;sysvshm.init_mem = 10000 + +[ldap] +; Sets the maximum number of open links or -1 for unlimited. +ldap.max_links = -1 + +[dba] +;dba.default_handler= + +[opcache] +; Determines if Zend OPCache is enabled +;opcache.enable=1 + +; Determines if Zend OPCache is enabled for the CLI version of PHP +;opcache.enable_cli=0 + +; The OPcache shared memory storage size. +;opcache.memory_consumption=128 + +; The amount of memory for interned strings in Mbytes. +;opcache.interned_strings_buffer=8 + +; The maximum number of keys (scripts) in the OPcache hash table. +; Only numbers between 200 and 1000000 are allowed. +;opcache.max_accelerated_files=10000 + +; The maximum percentage of "wasted" memory until a restart is scheduled. +;opcache.max_wasted_percentage=5 + +; When this directive is enabled, the OPcache appends the current working +; directory to the script key, thus eliminating possible collisions between +; files with the same name (basename). Disabling the directive improves +; performance, but may break existing applications. +;opcache.use_cwd=1 + +; When disabled, you must reset the OPcache manually or restart the +; webserver for changes to the filesystem to take effect. +;opcache.validate_timestamps=1 + +; How often (in seconds) to check file timestamps for changes to the shared +; memory storage allocation. ("1" means validate once per second, but only +; once per request. "0" means always validate) +;opcache.revalidate_freq=2 + +; Enables or disables file search in include_path optimization +;opcache.revalidate_path=0 + +; If disabled, all PHPDoc comments are dropped from the code to reduce the +; size of the optimized code. +;opcache.save_comments=1 + +; If enabled, compilation warnings (including notices and deprecations) will +; be recorded and replayed each time a file is included. 
Otherwise, compilation +; warnings will only be emitted when the file is first cached. +;opcache.record_warnings=0 + +; Allow file existence override (file_exists, etc.) performance feature. +;opcache.enable_file_override=0 + +; A bitmask, where each bit enables or disables the appropriate OPcache +; passes +;opcache.optimization_level=0x7FFFBFFF + +;opcache.dups_fix=0 + +; The location of the OPcache blacklist file (wildcards allowed). +; Each OPcache blacklist file is a text file that holds the names of files +; that should not be accelerated. The file format is to add each filename +; to a new line. The filename may be a full path or just a file prefix +; (i.e., /var/www/x blacklists all the files and directories in /var/www +; that start with 'x'). Line starting with a ; are ignored (comments). +;opcache.blacklist_filename= + +; Allows exclusion of large files from being cached. By default all files +; are cached. +;opcache.max_file_size=0 + +; Check the cache checksum each N requests. +; The default value of "0" means that the checks are disabled. +;opcache.consistency_checks=0 + +; How long to wait (in seconds) for a scheduled restart to begin if the cache +; is not being accessed. +;opcache.force_restart_timeout=180 + +; OPcache error_log file name. Empty string assumes "stderr". +;opcache.error_log= + +; All OPcache errors go to the Web server log. +; By default, only fatal errors (level 0) or errors (level 1) are logged. +; You can also enable warnings (level 2), info messages (level 3) or +; debug messages (level 4). +;opcache.log_verbosity_level=1 + +; Preferred Shared Memory back-end. Leave empty and let the system decide. +;opcache.preferred_memory_model= + +; Protect the shared memory from unexpected writing during script execution. +; Useful for internal debugging only. +;opcache.protect_memory=0 + +; Allows calling OPcache API functions only from PHP scripts which path is +; started from specified string. 
The default "" means no restriction +;opcache.restrict_api= + +; Mapping base of shared memory segments (for Windows only). All the PHP +; processes have to map shared memory into the same address space. This +; directive allows to manually fix the "Unable to reattach to base address" +; errors. +;opcache.mmap_base= + +; Facilitates multiple OPcache instances per user (for Windows only). All PHP +; processes with the same cache ID and user share an OPcache instance. +;opcache.cache_id= + +; Enables and sets the second level cache directory. +; It should improve performance when SHM memory is full, at server restart or +; SHM reset. The default "" disables file based caching. +;opcache.file_cache= + +; Enables or disables opcode caching in shared memory. +;opcache.file_cache_only=0 + +; Enables or disables checksum validation when script loaded from file cache. +;opcache.file_cache_consistency_checks=1 + +; Implies opcache.file_cache_only=1 for a certain process that failed to +; reattach to the shared memory (for Windows only). Explicitly enabled file +; cache is required. +;opcache.file_cache_fallback=1 + +; Enables or disables copying of PHP code (text segment) into HUGE PAGES. +; This should improve performance, but requires appropriate OS configuration. +;opcache.huge_code_pages=1 + +; Validate cached file permissions. +;opcache.validate_permission=0 + +; Prevent name collisions in chroot'ed environment. +;opcache.validate_root=0 + +; If specified, it produces opcode dumps for debugging different stages of +; optimizations. +;opcache.opt_debug_level=0 + +; Specifies a PHP script that is going to be compiled and executed at server +; start-up. +; https://php.net/opcache.preload +;opcache.preload= + +; Preloading code as root is not allowed for security reasons. This directive +; facilitates to let the preloading to be run as another user. 
+; https://php.net/opcache.preload_user +;opcache.preload_user= + +; Prevents caching files that are less than this number of seconds old. It +; protects from caching of incompletely updated files. In case all file updates +; on your site are atomic, you may increase performance by setting it to "0". +;opcache.file_update_protection=2 + +; Absolute path used to store shared lockfiles (for *nix only). +;opcache.lockfile_path=/tmp + +[curl] +; A default value for the CURLOPT_CAINFO option. This is required to be an +; absolute path. +;curl.cainfo = + +[openssl] +; The location of a Certificate Authority (CA) file on the local filesystem +; to use when verifying the identity of SSL/TLS peers. Most users should +; not specify a value for this directive as PHP will attempt to use the +; OS-managed cert stores in its absence. If specified, this value may still +; be overridden on a per-stream basis via the "cafile" SSL stream context +; option. +;openssl.cafile= + +; If openssl.cafile is not specified or if the CA file is not found, the +; directory pointed to by openssl.capath is searched for a suitable +; certificate. This value must be a correctly hashed certificate directory. +; Most users should not specify a value for this directive as PHP will +; attempt to use the OS-managed cert stores in its absence. If specified, +; this value may still be overridden on a per-stream basis via the "capath" +; SSL stream context option. +;openssl.capath= + +[ffi] +; FFI API restriction. Possible values: +; "preload" - enabled in CLI scripts and preloaded files (default) +; "false" - always disabled +; "true" - always enabled +;ffi.enable=preload + +; List of headers files to preload, wildcard patterns allowed. +;ffi.preload= diff --git a/recipes-devtools/php/files/zabbix-fpm.conf b/recipes-devtools/php/files/zabbix-fpm.conf new file mode 100644 index 0000000..fd96aa1 --- /dev/null +++ b/recipes-devtools/php/files/zabbix-fpm.conf 
@@ -0,0 +1,24 @@
+[zabbix]
+user = www-data
+group = www-data
+
+listen = /var/run/php/zabbix.sock
+listen.owner = www-data
+listen.allowed_clients = 127.0.0.1
+
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 35
+pm.max_requests = 200
+
+php_value[session.save_handler] = files
+php_value[session.save_path] = /var/lib/php/sessions/
+
+php_value[max_execution_time] = 300
+php_value[memory_limit] = 128M
+php_value[post_max_size] = 16M
+php_value[upload_max_filesize] = 2M
+php_value[max_input_time] = 300
+php_value[max_input_vars] = 10000
diff --git a/recipes-devtools/php/php/0001-configure.ac-don-t-include-build-libtool.m4.patch b/recipes-devtools/php/php/0001-configure.ac-don-t-include-build-libtool.m4.patch
new file mode 100644
index 0000000..2861366
--- /dev/null
+++ b/recipes-devtools/php/php/0001-configure.ac-don-t-include-build-libtool.m4.patch
@@ -0,0 +1,30 @@
+From f5a34e771532b8433f307b679500c26af328ba35 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 17 Apr 2020 15:01:57 +0800
+Subject: [PATCH] configure.ac: don't include build/libtool.m4
+
+we delete build/libtool.m4 before do_configure,
+we will use libtool.m4 under ACLOCALDIR
+
+Upstream-Status: Inappropriate [oe-specific]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ configure.ac | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 06c6a27..f85144e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -6,7 +6,6 @@ dnl ----------------------------------------------------------------------------
+ m4_include([build/ax_check_compile_flag.m4])
+ m4_include([build/ax_func_which_gethostbyname_r.m4])
+ m4_include([build/ax_gcc_func_attribute.m4])
+-m4_include([build/libtool.m4])
+ m4_include([build/php_cxx_compile_stdcxx.m4])
+ m4_include([build/php.m4])
+ m4_include([build/pkg.m4])
+--
+2.7.4
+
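Review bot: `listen.allowed_clients = 127.0.0.1` has no effect on the unix-socket listener declared two lines above it — php-fpm applies that directive only to TCP listeners — so the pool's real access control is the socket's ownership and mode, and of those only `listen.owner` is set here; `listen.group` and `listen.mode` fall back to php-fpm's built-in defaults. Set them explicitly to the web server's identity, e.g. `listen.group = www-data` and `listen.mode = 0660`, and either drop the allowed_clients line or replace it with `; listen.allowed_clients is TCP-only; socket access is governed by listen.owner/group/mode`. The group the nginx worker runs as is defined elsewhere in the series, so the www-data assumption should be checked against the nginx appends. `session.save_path = /var/lib/php/sessions/` also needs that directory to exist and be writable only by the pool user; nothing in this file creates it, so presumably the recipe or a tmpfiles entry does.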
diff --git a/recipes-devtools/php/php/0001-opcache-config.m4-enable-opcache.patch b/recipes-devtools/php/php/0001-opcache-config.m4-enable-opcache.patch new file mode 100644 index 0000000..1f3e683 --- /dev/null +++ b/recipes-devtools/php/php/0001-opcache-config.m4-enable-opcache.patch 
@@ -0,0 +1,237 @@ +From a74b42098aededd296ec6a3cd4cf5a17e59d6f29 Mon Sep 17 00:00:00 2001 +From: Claude Bing <cbing@cybernetics.com> +Date: Fri, 8 May 2020 10:15:32 -0400 +Subject: [PATCH] opcache/config.m4: enable opcache + +We can't use AC_TRY_RUN to run programs in a cross compile environment. +Set +the variables directly instead since we know that we'd be running on +latest +enough linux kernel. + +Upstream-Status: Inappropriate [Configuration] + +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> + +update patch to version 7.4.4 +Signed-off-by: Changqing Li <changqing.li@windriver.com> + +fix issue linking with librt +Signed-off-by: Claude Bing <cbing@cybernetics.com> +--- + ext/opcache/config.m4 | 195 +----------------------------------------- + 1 file changed, 4 insertions(+), 191 deletions(-) + +diff --git a/ext/opcache/config.m4 b/ext/opcache/config.m4 +index 6c40cafc1c..6569aa9e1c 100644 +--- a/ext/opcache/config.m4 ++++ b/ext/opcache/config.m4 +@@ -23,201 +23,14 @@ if test "$PHP_OPCACHE" != "no"; then + AC_CHECK_FUNCS([mprotect]) + + AC_MSG_CHECKING(for sysvipc shared memory support) +- AC_RUN_IFELSE([AC_LANG_SOURCE([[ +-#include <sys/types.h> +-#include <sys/wait.h> +-#include <sys/ipc.h> +-#include <sys/shm.h> +-#include <unistd.h> +-#include <string.h> +- +-int main() { +- pid_t pid; +- int status; +- int ipc_id; +- char *shm; +- struct shmid_ds shmbuf; +- +- ipc_id = shmget(IPC_PRIVATE, 4096, (IPC_CREAT | SHM_R | SHM_W)); +- if (ipc_id == -1) { +- return 1; +- } +- +- shm = shmat(ipc_id, NULL, 0); +- if (shm == (void *)-1) { +- shmctl(ipc_id, IPC_RMID, NULL); +- return 2; +- } +- +- if (shmctl(ipc_id, IPC_STAT, &shmbuf) != 0) { +- shmdt(shm); +- shmctl(ipc_id, IPC_RMID, NULL); +- return 3; +- } +- +- shmbuf.shm_perm.uid = getuid(); +- shmbuf.shm_perm.gid = getgid(); +- shmbuf.shm_perm.mode = 0600; +- +- if (shmctl(ipc_id, IPC_SET, &shmbuf) != 0) { +- shmdt(shm); +- shmctl(ipc_id, IPC_RMID, NULL); +- return 4; +- } +- +- shmctl(ipc_id, IPC_RMID, 
NULL); +- +- strcpy(shm, "hello"); +- +- pid = fork(); +- if (pid < 0) { +- return 5; +- } else if (pid == 0) { +- strcpy(shm, "bye"); +- return 6; +- } +- if (wait(&status) != pid) { +- return 7; +- } +- if (!WIFEXITED(status) || WEXITSTATUS(status) != 6) { +- return 8; +- } +- if (strcmp(shm, "bye") != 0) { +- return 9; +- } +- return 0; +-} +-]])],[dnl +- AC_DEFINE(HAVE_SHM_IPC, 1, [Define if you have SysV IPC SHM support]) +- msg=yes],[msg=no],[msg=no]) +- AC_MSG_RESULT([$msg]) ++ AC_DEFINE(HAVE_SHM_IPC, 1, [Define if you have SysV IPC SHM support]) + + AC_MSG_CHECKING(for mmap() using MAP_ANON shared memory support) +- AC_RUN_IFELSE([AC_LANG_SOURCE([[ +-#include <sys/types.h> +-#include <sys/wait.h> +-#include <sys/mman.h> +-#include <unistd.h> +-#include <string.h> +- +-#ifndef MAP_ANON +-# ifdef MAP_ANONYMOUS +-# define MAP_ANON MAP_ANONYMOUS +-# endif +-#endif +-#ifndef MAP_FAILED +-# define MAP_FAILED ((void*)-1) +-#endif ++ AC_DEFINE(HAVE_SHM_MMAP_ANON, 1, [Define if you have mmap(MAP_ANON) SHM support]) + +-int main() { +- pid_t pid; +- int status; +- char *shm; +- +- shm = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0); +- if (shm == MAP_FAILED) { +- return 1; +- } +- +- strcpy(shm, "hello"); +- +- pid = fork(); +- if (pid < 0) { +- return 5; +- } else if (pid == 0) { +- strcpy(shm, "bye"); +- return 6; +- } +- if (wait(&status) != pid) { +- return 7; +- } +- if (!WIFEXITED(status) || WEXITSTATUS(status) != 6) { +- return 8; +- } +- if (strcmp(shm, "bye") != 0) { +- return 9; +- } +- return 0; +-} +-]])],[dnl +- AC_DEFINE(HAVE_SHM_MMAP_ANON, 1, [Define if you have mmap(MAP_ANON) SHM support]) +- msg=yes],[msg=no],[msg=no]) +- AC_MSG_RESULT([$msg]) +- +- PHP_CHECK_FUNC_LIB(shm_open, rt) + AC_MSG_CHECKING(for mmap() using shm_open() shared memory support) +- AC_RUN_IFELSE([AC_LANG_SOURCE([[ +-#include <sys/types.h> +-#include <sys/wait.h> +-#include <sys/mman.h> +-#include <sys/stat.h> +-#include <fcntl.h> +-#include <unistd.h> 
+-#include <string.h> +-#include <stdlib.h> +-#include <stdio.h> +- +-#ifndef MAP_FAILED +-# define MAP_FAILED ((void*)-1) +-#endif +- +-int main() { +- pid_t pid; +- int status; +- int fd; +- char *shm; +- char tmpname[4096]; +- +- sprintf(tmpname,"/opcache.test.shm.%dXXXXXX", getpid()); +- if (mktemp(tmpname) == NULL) { +- return 1; +- } +- fd = shm_open(tmpname, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR); +- if (fd == -1) { +- return 2; +- } +- if (ftruncate(fd, 4096) < 0) { +- close(fd); +- shm_unlink(tmpname); +- return 3; +- } +- +- shm = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); +- if (shm == MAP_FAILED) { +- return 4; +- } +- shm_unlink(tmpname); +- close(fd); +- +- strcpy(shm, "hello"); +- +- pid = fork(); +- if (pid < 0) { +- return 5; +- } else if (pid == 0) { +- strcpy(shm, "bye"); +- return 6; +- } +- if (wait(&status) != pid) { +- return 7; +- } +- if (!WIFEXITED(status) || WEXITSTATUS(status) != 6) { +- return 8; +- } +- if (strcmp(shm, "bye") != 0) { +- return 9; +- } +- return 0; +-} +-]])],[dnl +- AC_DEFINE(HAVE_SHM_MMAP_POSIX, 1, [Define if you have POSIX mmap() SHM support]) +- AC_MSG_RESULT([yes]) +- PHP_CHECK_LIBRARY(rt, shm_unlink, [PHP_ADD_LIBRARY(rt,1,OPCACHE_SHARED_LIBADD)]) +- ],[ +- AC_MSG_RESULT([no]) +- ],[ +- AC_MSG_RESULT([no]) +- ]) ++ AC_DEFINE(HAVE_SHM_MMAP_POSIX, 1, [Define if you have POSIX mmap() SHM support]) ++ PHP_CHECK_LIBRARY(rt, shm_unlink, [PHP_ADD_LIBRARY(rt,1,OPCACHE_SHARED_LIBADD)]) + + PHP_NEW_EXTENSION(opcache, + ZendAccelerator.c \ +-- +2.17.1 + diff --git a/recipes-devtools/php/php/0001-php-don-t-use-broken-wrapper-for-mkdir.patch b/recipes-devtools/php/php/0001-php-don-t-use-broken-wrapper-for-mkdir.patch new file mode 100644 index 0000000..d687373 --- /dev/null +++ b/recipes-devtools/php/php/0001-php-don-t-use-broken-wrapper-for-mkdir.patch 
@@ -0,0 +1,29 @@
+From ebc101e0728b9db6c687cff525e5dfc8eb0edbf3 Mon Sep 17 00:00:00 2001
+From: Koen Kooi <koen@dominion.thruhere.net>
+Date: Thu, 3 Nov 2011 14:27:15 +0100
+Subject: [PATCH 2/8] php: don't use broken wrapper for mkdir
+
+Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
+
+update patch to version 7.4.4
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+
+Upstream-Status: Inappropriate
+
+ build/Makefile.global | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/build/Makefile.global b/build/Makefile.global
+index ff858c2..ae554b4 100644
+--- a/build/Makefile.global
++++ b/build/Makefile.global
+@@ -1,4 +1,4 @@
+-mkinstalldirs = $(top_srcdir)/build/shtool mkdir -p
++mkinstalldirs = mkdir -p
+ INSTALL = $(top_srcdir)/build/shtool install -c
+ INSTALL_DATA = $(INSTALL) -m 644
+
+--
+1.9.3
+
diff --git a/recipes-devtools/php/php/0001-php.m4-don-t-unset-cache-variables.patch b/recipes-devtools/php/php/0001-php.m4-don-t-unset-cache-variables.patch
new file mode 100644
index 0000000..0d721ec
--- /dev/null
+++ b/recipes-devtools/php/php/0001-php.m4-don-t-unset-cache-variables.patch
@@ -0,0 +1,39 @@ +php.m4: don't unset cache variables + +Unsetting prevents cache variable from being passed to configure. + +Upstream-Status: Inappropriate [OE-specific] + +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> + +update this patch to 7.4.4, acinclude.m4 move to build/php.m4 +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + build/php.m4 | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/build/php.m4 b/build/php.m4 +index 5c45d13..218ec47 100644 +--- a/build/php.m4 ++++ b/build/php.m4 +@@ -1587,8 +1587,6 @@ dnl PHP_CHECK_FUNC_LIB + dnl + AC_DEFUN([PHP_CHECK_FUNC_LIB],[ + ifelse($2,,:,[ +- unset ac_cv_lib_$2[]_$1 +- unset ac_cv_lib_$2[]___$1 + unset found + AC_CHECK_LIB($2, $1, [found=yes], [ + AC_CHECK_LIB($2, __$1, [found=yes], [found=no]) +@@ -1620,8 +1618,6 @@ dnl and as a fall back in the specified library. Defines HAVE_func and + dnl HAVE_library if found and adds the library to LIBS. + dnl + AC_DEFUN([PHP_CHECK_FUNC],[ +- unset ac_cv_func_$1 +- unset ac_cv_func___$1 + unset found + + AC_CHECK_FUNC($1, [found=yes],[ AC_CHECK_FUNC(__$1,[found=yes],[found=no]) ]) +-- +2.7.4 + diff --git a/recipes-devtools/php/php/70_mod_php7.conf b/recipes-devtools/php/php/70_mod_php7.conf new file mode 100644 index 0000000..d206265 --- /dev/null +++ b/recipes-devtools/php/php/70_mod_php7.conf @@ -0,0 +1,9 @@ +LoadModule php7_module lib/apache2/modules/libphp7.so + +<FilesMatch "\.ph(p[2-7]?|tml)$"> + SetHandler application/x-httpd-php +</FilesMatch> + +<FilesMatch "\.phps$"> + SetHandler application/x-httpd-php-source +</FilesMatch> diff --git a/recipes-devtools/php/php/CVE-2023-3247-1.patch b/recipes-devtools/php/php/CVE-2023-3247-1.patch new file mode 100644 index 0000000..db9e417 --- /dev/null +++ b/recipes-devtools/php/php/CVE-2023-3247-1.patch 
@@ -0,0 +1,87 @@ +From ac4254ad764c70cb1f05c9270d8d12689fc3aeb6 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sun, 16 Apr 2023 15:05:03 +0200 +Subject: [PATCH] Fix missing randomness check and insufficient random bytes + for SOAP HTTP Digest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If php_random_bytes_throw fails, the nonce will be uninitialized, but +still sent to the server. The client nonce is intended to protect +against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], +and bullet point 2 below. + +Tim pointed out that even though it's the MD5 of the nonce that gets sent, +enumerating 31 bits is trivial. So we have still a stack information leak +of 31 bits. + +Furthermore, Tim found the following issues: +* The small size of cnonce might cause the server to erroneously reject + a request due to a repeated (cnonce, nc) pair. As per the birthday + problem 31 bits of randomness will return a duplication with 50% + chance after less than 55000 requests and nc always starts counting at 1. +* The cnonce is intended to protect the client and password against a + malicious server that returns a constant server nonce where the server + precomputed a rainbow table between passwords and correct client response. + As storage is fairly cheap, a server could precompute the client responses + for (a subset of) client nonces and still have a chance of reversing the + client response with the same probability as the cnonce duplication. + + Precomputing the rainbow table for all 2^31 cnonces increases the rainbow + table size by factor 2 billion, which is infeasible. But precomputing it + for 2^14 cnonces only increases the table size by factor 16k and the server + would still have a 10% chance of successfully reversing a password with a + single client request. 
+ +This patch fixes the issues by increasing the nonce size, and checking +the return value of php_random_bytes_throw(). In the process we also get +rid of the MD5 hashing of the nonce. + +[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616 + +Co-authored-by: Tim Düsterhus <timwolla@php.net> + +Upstream-Status: Backport [https://github.com/php/php-src/commit/ac4254ad764c70cb1f05c9270d8d12689fc3aeb6] +CVE: CVE-2023-3247 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + ext/soap/php_http.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 1da286ad875f..e796dba9619a 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -664,18 +664,23 @@ int make_http_soap_request(zval *this_ptr, + if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) { + if (Z_TYPE_P(digest) == IS_ARRAY) { + char HA1[33], HA2[33], response[33], cnonce[33], nc[9]; +- zend_long nonce; ++ unsigned char nonce[16]; + PHP_MD5_CTX md5ctx; + unsigned char hash[16]; + +- php_random_bytes_throw(&nonce, sizeof(nonce)); +- nonce &= 0x7fffffff; ++ if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { ++ ZEND_ASSERT(EG(exception)); ++ php_stream_close(stream); ++ convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr)); ++ convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); ++ convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); ++ smart_str_free(&soap_headers_z); ++ smart_str_free(&soap_headers); ++ return FALSE; ++ } + +- PHP_MD5Init(&md5ctx); +- snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, nonce); +- PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce)); +- PHP_MD5Final(hash, &md5ctx); +- make_digest(cnonce, hash); ++ php_hash_bin2hex(cnonce, nonce, sizeof(nonce)); ++ cnonce[32] = 0; + + if ((tmp = zend_hash_str_find(Z_ARRVAL_P(digest), "nc", sizeof("nc")-1)) != NULL && + Z_TYPE_P(tmp) == IS_LONG) { 
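Review bot: The error path this backport adds cleans up with `convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr))`, `Z_CLIENT_HTTPSOCKET_P` and `Z_CLIENT_USE_PROXY_P`, accessors that the 7.4.33 ext/soap presumably does not define; the next file in the series, CVE-2023-3247-2.patch, replaces exactly those three lines with `zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", ...)` and friends, so the tree only compiles once both patches are applied in that order. That coupling is worth recording where the recipe lists them, e.g. `# CVE-2023-3247-2 repairs the 7.4 backport in -1; keep both, in this order`, so a later cleanup does not drop or reorder one of them. The rest of make_http_soap_request() lies outside this hunk.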
diff --git a/recipes-devtools/php/php/CVE-2023-3247-2.patch b/recipes-devtools/php/php/CVE-2023-3247-2.patch
new file mode 100644
index 0000000..80c1961
--- /dev/null
+++ b/recipes-devtools/php/php/CVE-2023-3247-2.patch
@@ -0,0 +1,29 @@
+From 32c7c433ac1983c4497349051681a4f361d3d33e Mon Sep 17 00:00:00 2001
+From: Pierrick Charron <pierrick@php.net>
+Date: Tue, 6 Jun 2023 18:49:32 -0400
+Subject: [PATCH] Fix wrong backporting of previous soap patch
+
+Upstream-Status: Backport [https://github.com/php/php-src/commit/32c7c433ac1983c4497349051681a4f361d3d33e]
+CVE: CVE-2023-3247
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ ext/soap/php_http.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
+index 77ed21d4f0f4..37250a6bdcd1 100644
+--- a/ext/soap/php_http.c
++++ b/ext/soap/php_http.c
+@@ -672,9 +672,9 @@ int make_http_soap_request(zval *this_ptr,
+ if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) {
+ ZEND_ASSERT(EG(exception));
+ php_stream_close(stream);
+- convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr));
+- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
+- convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", sizeof("httpurl")-1);
++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpsocket", sizeof("httpsocket")-1);
++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "_use_proxy", sizeof("_use_proxy")-1);
+ smart_str_free(&soap_headers_z);
+ smart_str_free(&soap_headers);
+ return FALSE;
diff --git a/recipes-devtools/php/php/CVE-2023-3824.patch b/recipes-devtools/php/php/CVE-2023-3824.patch
new file mode 100644
index 0000000..953b525
--- /dev/null
+++ b/recipes-devtools/php/php/CVE-2023-3824.patch
@@ -0,0 +1,91 @@ +From 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Mon, 10 Jul 2023 13:25:34 +0200 +Subject: [PATCH] Fix buffer mismanagement in phar_dir_read() + +Fixes GHSA-jqcx-ccgc-xwhv. + +Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef] +CVE: CVE-2023-3824 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + ext/phar/dirstream.c | 15 ++++++++------ + ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++ + 2 files changed, 36 insertions(+), 6 deletions(-) + create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt + +diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c +index 4710703c..490b1452 100644 +--- a/ext/phar/dirstream.c ++++ b/ext/phar/dirstream.c +@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend + */ + static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */ + { +- size_t to_read; + HashTable *data = (HashTable *)stream->abstract; + zend_string *str_key; + zend_ulong unused; + ++ if (count != sizeof(php_stream_dirent)) { ++ return -1; ++ } ++ + if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) { + return 0; + } + + zend_hash_move_forward(data); +- to_read = MIN(ZSTR_LEN(str_key), count); + +- if (to_read == 0 || count < ZSTR_LEN(str_key)) { ++ php_stream_dirent *dirent = (php_stream_dirent *) buf; ++ ++ if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) { + return 0; + } + +- memset(buf, 0, sizeof(php_stream_dirent)); +- memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read); +- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0'; ++ memset(dirent, 0, sizeof(php_stream_dirent)); ++ PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key)); + + return sizeof(php_stream_dirent); + } +diff --git 
a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt +new file mode 100644 +index 00000000..4e12f05f +--- /dev/null ++++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read()) ++--SKIPIF-- ++<?php if (!extension_loaded("phar")) die("skip"); ?> ++--INI-- ++phar.readonly=0 ++--FILE-- ++<?php ++$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar'); ++$phar->startBuffering(); ++$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.'); ++$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.'); ++$phar->stopBuffering(); ++ ++$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar'); ++var_dump(strlen(readdir($handle))); ++// Must not be a string of length PHP_MAXPATHLEN+1 ++var_dump(readdir($handle)); ++closedir($handle); ++?> ++--CLEAN-- ++<?php ++unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar'); ++?> ++--EXPECTF-- ++int(%d) ++bool(false) +-- +2.24.4 + diff --git a/recipes-devtools/php/php/debian-php-fixheader.patch b/recipes-devtools/php/php/debian-php-fixheader.patch new file mode 100644 index 0000000..a4804d1 --- /dev/null +++ b/recipes-devtools/php/php/debian-php-fixheader.patch 
@@ -0,0 +1,32 @@ +From 1234a8ef7c5ab88e24bc5908f0ccfd55af21aa39 Mon Sep 17 00:00:00 2001 +From: Leon Anavi leon.anavi@konsulko.com +Date: Mon, 31 Aug 2020 16:03:27 +0300 +Subject: [PATCH] php: remove host specific info from header file + +Based on: +https://sources.debian.org/data/main/p/php7.3/7.3.6-1/debian/patches/ + 0036-php-5.4.9-fixheader.patch + +Upstream-Status: Inappropriate [not author] +Signed-off-by: Joe Slater joe.slater@windriver.com +Signed-off-by: Leon Anavi leon.anavi@konsulko.com +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 2a474ba36d..6d22a21630 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1323,7 +1323,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d` + fi + AC_DEFINE_UNQUOTED(PHP_BUILD_DATE,"$PHP_BUILD_DATE",[PHP build date]) + +-UNAME=`uname -a | xargs` ++UNAME=`uname | xargs` + PHP_UNAME=${PHP_UNAME:-$UNAME} + AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[uname -a output]) + PHP_OS=`uname | xargs` +-- +2.17.1 + diff --git a/recipes-devtools/php/php/iconv.patch b/recipes-devtools/php/php/iconv.patch new file mode 100644 index 0000000..9ec8a89 --- /dev/null +++ b/recipes-devtools/php/php/iconv.patch @@ -0,0 +1,41 @@ +Subject: [PATCH] From 17cc5645f3acf943a5a06465d09d0ebcfea987bd Mon Sep 17 + 00:00:00 2001 
From: Koen Kooi koen@dominion.thruhere.net Date: Wed, 2 Nov + 2011 16:54:57 +0100 Subject: [PATCH] Upstream-Status: Pending + +update patch to version 7.4.4 +Signed-off-by: Changqing Li changqing.li@windriver.com +--- + build/php.m4 | 3 ++- + ext/iconv/config.m4 | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/build/php.m4 b/build/php.m4 +index 7392876..5c45d13 100644 +--- a/build/php.m4 ++++ b/build/php.m4 +@@ -1950,7 +1950,8 @@ AC_DEFUN([PHP_SETUP_ICONV], [ + echo > ext/iconv/php_iconv_supports_errno.h + + dnl Check libc first if no path is provided in --with-iconv. +- if test "$PHP_ICONV" = "yes"; then ++ dnl must check against no, not against yes as PHP_ICONV can also include a path, which implies yes ++ if test "$PHP_ICONV" != "no"; then + dnl Reset LIBS temporarily as it may have already been included -liconv in. + LIBS_save="$LIBS" + LIBS= +diff --git a/ext/iconv/config.m4 b/ext/iconv/config.m4 +index fe9b47a..b6b632f 100644 +--- a/ext/iconv/config.m4 ++++ b/ext/iconv/config.m4 +@@ -14,7 +14,7 @@ if test "$PHP_ICONV" != "no"; then + + if test "$iconv_avail" != "no"; then + if test -z "$ICONV_DIR"; then +- for i in /usr/local /usr; do ++ for i in $PHP_ICONV /usr/local /usr; do + if test -f "$i/include/iconv.h" || test -f "$i/include/giconv.h"; then + PHP_ICONV_PREFIX="$i" + break +-- +2.7.4 + diff --git a/recipes-devtools/php/php/imap-fix-autofoo.patch b/recipes-devtools/php/php/imap-fix-autofoo.patch new file mode 100644 index 0000000..ebe5f6a --- /dev/null +++ b/recipes-devtools/php/php/imap-fix-autofoo.patch @@ -0,0 +1,41 @@ +Subject: [PATCH] From c084c8349d1780980e232cb28b60a109e3d89438 Mon Sep 17 + 00:00:00 2001 
From: Koen Kooi koen@dominion.thruhere.net Date: Wed, 2 Nov + 2011 16:54:57 +0100 Subject: [PATCH] Upstream-Status: Pending + +update patch to version 7.4.4 +Signed-off-by: Changqing Li changqing.li@windriver.com +--- + ext/imap/config.m4 | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/ext/imap/config.m4 b/ext/imap/config.m4 +index 5086a31..0e938bd 100644 +--- a/ext/imap/config.m4 ++++ b/ext/imap/config.m4 +@@ -110,7 +110,7 @@ if test "$PHP_IMAP" != "no"; then + PHP_NEW_EXTENSION(imap, php_imap.c, $ext_shared,, -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1) + AC_DEFINE(HAVE_IMAP,1,[ ]) + +- for i in $PHP_IMAP /usr/local /usr; do ++ for i in $PHP_IMAP $PHP_IMAP/usr /usr/local /usr; do + IMAP_INC_CHK() + el[]IMAP_INC_CHK(/include/c-client) + el[]IMAP_INC_CHK(/include/imap) +@@ -199,13 +199,7 @@ if test "$PHP_IMAP" != "no"; then + AC_MSG_ERROR(Cannot find rfc822.h. Please check your c-client installation.) + fi + +- if test ! -r "$IMAP_DIR/c-client/libc-client.a" && test -r "$IMAP_DIR/c-client/c-client.a" ; then +- ln -s "$IMAP_DIR/c-client/c-client.a" "$IMAP_DIR/c-client/libc-client.a" >/dev/null 2>&1 +- elif test ! -r "$IMAP_DIR/$PHP_LIBDIR/libc-client.a" && test -r "$IMAP_DIR/$PHP_LIBDIR/c-client.a"; then +- ln -s "$IMAP_DIR/$PHP_LIBDIR/c-client.a" "$IMAP_DIR/$PHP_LIBDIR/libc-client.a" >/dev/null 2>&1 +- fi +- +- for lib in c-client4 c-client imap; do ++ for lib in /usr/lib c-client4 c-client imap; do + IMAP_LIB=$lib + IMAP_LIB_CHK($PHP_LIBDIR) + IMAP_LIB_CHK(c-client) +-- +2.7.4 + diff --git a/recipes-devtools/php/php/pear-makefile.patch b/recipes-devtools/php/php/pear-makefile.patch new file mode 100644 index 0000000..fcbf25b --- /dev/null +++ b/recipes-devtools/php/php/pear-makefile.patch 
@@ -0,0 +1,22 @@ +From edd575a546d56bb5683aff19782b16963d61fd0b Mon Sep 17 00:00:00 2001 +From: Koen Kooi koen@dominion.thruhere.net +Date: Wed, 2 Nov 2011 16:54:57 +0100 +Subject: [PATCH] Upstream-Status: Pending + +--- + pear/Makefile.frag | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pear/Makefile.frag b/pear/Makefile.frag +index bbe8ec3..16f43e2 100644 +--- a/pear/Makefile.frag ++++ b/pear/Makefile.frag +@@ -12,7 +12,7 @@ PEAR_SUFFIX = -ds a$(program_suffix) + PEAR_INSTALLER_URL = https://pear.php.net/install-pear-nozlib.phar + + install-pear-installer: $(SAPI_CLI_PATH) +- @$(top_builddir)/sapi/cli/php $(PEAR_INSTALL_FLAGS) pear/install-pear-nozlib.phar -d "$(peardir)" -b "$(bindir)" ${PEAR_PREFIX} ${PEAR_SUFFIX} ++ @$(PHP_NATIVE_DIR)/php $(PEAR_INSTALL_FLAGS) $(builddir)/install-pear-nozlib.phar -d "$(peardir)" -b "$(bindir)" ${PEAR_PREFIX} ${PEAR_SUFFIX} + + install-pear: + @echo "Installing PEAR environment: $(INSTALL_ROOT)$(peardir)/" diff --git a/recipes-devtools/php/php/phar-makefile.patch b/recipes-devtools/php/php/phar-makefile.patch new file mode 100644 index 0000000..eb73bc4 --- /dev/null +++ b/recipes-devtools/php/php/phar-makefile.patch @@ -0,0 +1,46 @@ +Subject: [PATCH] From 08962a56f69963e01892d98ca5b75de8354bd3f5 Mon Sep 17 + 00:00:00 2001 
From: Koen Kooi koen@dominion.thruhere.net Date: Wed, 2 Nov + 2011 16:54:57 +0100 Subject: [PATCH] Fix phar packaging + +Inherited from OE-Classic, with some additions to fix host paths leaking +into the target package. + +Upstream-Status: Inappropriate [config] + +update patch to version 7.4.4 +Signed-off-by: Changqing Li changqing.li@windriver.com +--- + ext/phar/Makefile.frag | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) + +diff --git a/ext/phar/Makefile.frag b/ext/phar/Makefile.frag +index 6442f33..6145412 100644 +--- a/ext/phar/Makefile.frag ++++ b/ext/phar/Makefile.frag +@@ -10,20 +10,9 @@ pharcmd: $(builddir)/phar.php $(builddir)/phar.phar + + PHP_PHARCMD_SETTINGS = -n -d 'open_basedir=' -d 'output_buffering=0' -d 'memory_limit=-1' -d phar.readonly=0 + PHP_PHARCMD_EXECUTABLE = ` \ +- if test -x "$(top_builddir)/$(SAPI_CLI_PATH)"; then \ +- $(top_srcdir)/build/shtool echo -n -- "$(top_builddir)/$(SAPI_CLI_PATH) -n"; \ +- if test "x$(PHP_MODULES)" != "x"; then \ +- $(top_srcdir)/build/shtool echo -n -- " -d extension_dir=$(top_builddir)/modules"; \ +- for i in bz2 zlib phar; do \ +- if test -f "$(top_builddir)/modules/$$i.la"; then \ +- . $(top_builddir)/modules/$$i.la; $(top_srcdir)/build/shtool echo -n -- " -d extension=$$dlname"; \ +- fi; \ +- done; \ +- fi; \ +- else \ +- $(top_srcdir)/build/shtool echo -n -- "$(PHP_EXECUTABLE)"; \ +- fi;` +-PHP_PHARCMD_BANG = `$(top_srcdir)/build/shtool echo -n -- "$(INSTALL_ROOT)$(bindir)/$(program_prefix)php$(program_suffix)$(EXEEXT)";` ++ $(top_srcdir)/build/shtool echo -n -- "$(PHP_EXECUTABLE)"; ` ++ ++PHP_PHARCMD_BANG = `$(top_srcdir)/build/shtool echo -n -- "$(bindir)/$(program_prefix)php$(program_suffix)$(EXEEXT)";` + + $(builddir)/phar/phar.inc: $(srcdir)/phar/phar.inc + -@test -d $(builddir)/phar || mkdir $(builddir)/phar +-- +2.7.4 + diff --git a/recipes-devtools/php/php/php-fpm-apache.conf b/recipes-devtools/php/php/php-fpm-apache.conf new file mode 100644 index 0000000..f7f46d2 
--- /dev/null
+++ b/recipes-devtools/php/php/php-fpm-apache.conf
@@ -0,0 +1,6 @@
+# Taken from http://wiki.apache.org/httpd/PHP-FPM
+
+LoadModule proxy_module /usr/libexec/apache2/modules/mod_proxy.so
+LoadModule proxy_fcgi_module /usr/libexec/apache2/modules/mod_proxy_fcgi.so
+
+ProxyPassMatch ^/(.*.php(/.*)?)$ fcgi://127.0.0.1:9000/usr/share/apache2/htdocs/
diff --git a/recipes-devtools/php/php/php-fpm.conf b/recipes-devtools/php/php/php-fpm.conf
new file mode 100644
index 0000000..21e3dfb
--- /dev/null
+++ b/recipes-devtools/php/php/php-fpm.conf
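Review bot: The `ProxyPassMatch` pattern `^/(.*.php(/.*)?)$` leaves the dot before `php` unescaped, so any request path whose name merely ends in the letters `php`, not only a `.php` script, is forwarded to FPM; FPM's `security.limit_extensions` default would reject the non-`.php` cases, but the web-server side filter should not lean on that. Escape it: `ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/usr/share/apache2/htdocs/`. The document root `/usr/share/apache2/htdocs/` is hard-coded from the wiki snippet; since the rest of this series pairs PHP with nginx for Zabbix, a comment stating which installation this Apache fragment is meant for would help the next maintainer.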
@@ -0,0 +1,510 @@ +;;;;;;;;;;;;;;;;;;;;; +; FPM Configuration ; +;;;;;;;;;;;;;;;;;;;;; + +; All relative paths in this configuration file are relative to PHP's install +; prefix (/usr). This prefix can be dynamicaly changed by using the +; '-p' argument from the command line. + +; Include one or more files. If glob(3) exists, it is used to include a bunch of +; files from a glob(3) pattern. This directive can be used everywhere in the +; file. +; Relative path can also be used. They will be prefixed by: +; - the global prefix if it's been set (-p arguement) +; - /usr otherwise +;include=etc/fpm.d/*.conf + +;;;;;;;;;;;;;;;;;; +; Global Options ; +;;;;;;;;;;;;;;;;;; + +[global] +; Pid file +; Note: the default prefix is /var +; Default Value: none +;pid = run/php-fpm.pid + +; Error log file +; If it's set to "syslog", log is sent to syslogd instead of being written +; in a local file. +; Note: the default prefix is /var +; Default Value: log/php-fpm.log +;error_log = log/php-fpm.log + +; syslog_facility is used to specify what type of program is logging the +; message. This lets syslogd specify that messages from different facilities +; will be handled differently. +; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) +; Default Value: daemon +;syslog.facility = daemon + +; syslog_ident is prepended to every message. If you have multiple FPM +; instances running on the same server, you can change the default value +; which must suit common needs. +; Default Value: php-fpm +;syslog.ident = php-fpm + +; Log level +; Possible Values: alert, error, warning, notice, debug +; Default Value: notice +;log_level = notice + +; If this number of child processes exit with SIGSEGV or SIGBUS within the time +; interval set by emergency_restart_interval then FPM will restart. A value +; of '0' means 'Off'. 
+; Default Value: 0 +;emergency_restart_threshold = 0 + +; Interval of time used by emergency_restart_interval to determine when +; a graceful restart will be initiated. This can be useful to work around +; accidental corruptions in an accelerator's shared memory. +; Available Units: s(econds), m(inutes), h(ours), or d(ays) +; Default Unit: seconds +; Default Value: 0 +;emergency_restart_interval = 0 + +; Time limit for child processes to wait for a reaction on signals from master. +; Available units: s(econds), m(inutes), h(ours), or d(ays) +; Default Unit: seconds +; Default Value: 0 +;process_control_timeout = 0 + +; The maximum number of processes FPM will fork. This has been design to control +; the global number of processes when using dynamic PM within a lot of pools. +; Use it with caution. +; Note: A value of 0 indicates no limit +; Default Value: 0 +; process.max = 128 + +; Specify the nice(2) priority to apply to the master process (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool process will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. +; Default Value: yes +;daemonize = yes + +; Set open file descriptor rlimit for the master process. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit for the master process. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Specify the event mechanism FPM will use. 
The following is available: +; - select (any POSIX os) +; - poll (any POSIX os) +; - epoll (linux >= 2.5.44) +; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) +; - /dev/poll (Solaris >= 7) +; - port (Solaris >= 10) +; Default Value: not set (auto detection) +; events.mechanism = epoll + +;;;;;;;;;;;;;;;;;;;; +; Pool Definitions ; +;;;;;;;;;;;;;;;;;;;; + +; Multiple pools of child processes may be started with different listening +; ports and different management options. The name of the pool will be +; used in logs and stats. There is no limitation on the number of pools which +; FPM can handle. Your system will tell you anyway :) + +; Start a new pool named 'www'. +; the variable $pool can we used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +user = nobody +;group = nobody + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses on a +; specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = 127.0.0.1:9000 + +; Set listen(2) backlog. A value of '-1' means unlimited. +; Default Value: 128 (-1 on FreeBSD and OpenBSD) +;listen.backlog = -1 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. 
Many +; BSD-derived systems allow connections regardless of permissions. +; Default Values: user and group are set as the running user +; mode is set to 0666 +;listen.owner = nobody +;listen.group = nobody +;listen.mode = 0666 + +; List of ipv4 addresses of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; priority = -19 + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; ondemand - no children are created at startup. 
Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 5 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 2 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 1 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 3 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. 
+; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. It shows the following informations: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. 
Passing 'full' in the +; query string will also return status for each pool process. +; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. 
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/share/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. 
+; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{miliseconds}d +; - %{mili}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some exemples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: ouput header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' 
character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; %u: remote user +; +; Default: "%R - %u %t "%m %r" %s" +;access.format = "%R - %u %t "%m %r%Q%q" %s %f %{mili}d %{kilo}M %C%%" + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. 
However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environement, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; exectute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. 
+ +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /usr) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 32M diff --git a/recipes-devtools/php/php/php-fpm.service b/recipes-devtools/php/php/php-fpm.service new file mode 100644 index 0000000..ac79dc9 --- /dev/null +++ b/recipes-devtools/php/php/php-fpm.service @@ -0,0 +1,10 @@ +[Unit] +Description=PHP-FPM +After=network.target +[Service] +Type=forking +PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid +ExecStart=@SYSCONFDIR@/init.d/php-fpm start +ExecStop=@SYSCONFDIR@/init.d/php-fpm stop +[Install] +WantedBy=multi-user.target diff --git a/recipes-devtools/php/php/php_exec_native.patch b/recipes-devtools/php/php/php_exec_native.patch new file mode 100644 index 0000000..4aec481 --- /dev/null +++ b/recipes-devtools/php/php/php_exec_native.patch @@ -0,0 +1,26 @@ +Subject: [PATCH] rom d251b5aa3d23803d016ca16818e2e1d2f2b70a02 Mon Sep 17 + 00:00:00 2001 From: Koen Kooi koen@dominion.thruhere.net Date: Wed, 2 Nov + 2011 16:54:57 +0100 Subject: [PATCH] Upstream-Status: Inappriate + +update patch to version 7.4.4 +Signed-off-by: Changqing Li changqing.li@windriver.com +--- + sapi/cli/config.m4 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sapi/cli/config.m4 b/sapi/cli/config.m4 +index 917d45f..aaf1e27 100644 +--- a/sapi/cli/config.m4 ++++ b/sapi/cli/config.m4 +@@ -47,7 +47,7 @@ if test "$PHP_CLI" != "no"; then + esac + + dnl Set executable for tests. +- PHP_EXECUTABLE="$(top_builddir)/$(SAPI_CLI_PATH)" ++ PHP_EXECUTABLE="${PHP_NATIVE_DIR}/php" + PHP_SUBST(PHP_EXECUTABLE) + + dnl Expose to Makefile. +-- +2.7.4 + 
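Review bot: The `[www]` pool listens on `127.0.0.1:9000` while `listen.allowed_clients` stays commented out, and on a loopback TCP socket that directive could not help anyway: every local process arrives as 127.0.0.1, so any account on the box can submit FastCGI requests to the pool running as `user = nobody`. A unix socket restricted to the web server's account is the usual way to confine this, e.g. `listen = /run/php/php-fpm.sock`, `listen.group = <web-server group>`, `listen.mode = 0660` (the web server's account is not visible in this series, so the group is a placeholder). The bbappend in this commit already creates `/run/php/` via tmpfiles.d, which looks like it was intended as that socket directory; the `fcgi://127.0.0.1:9000/...` target in php-fpm-apache.conf would need the matching change.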
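Review bot: `PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid` together with `Type=forking` assumes php-fpm writes that pid file, but the php-fpm.conf added in the same commit leaves `;pid = run/php-fpm.pid` commented out (default: none); unless the `@SYSCONFDIR@/init.d/php-fpm` script, which is not in this series' view, passes the pid path on the command line, systemd ends up without a pid file and falls back to guessing the main process. Uncommenting `pid = run/php-fpm.pid` in the `[global]` section (it resolves under the /var prefix the comment there describes) keeps the two files consistent. Since no `User=` is set the FPM master runs as root, so the usual sandboxing lines such as `PrivateTmp=yes` and `ProtectSystem=full` are worth adding to the `[Service]` section.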
diff --git a/recipes-devtools/php/php/xfail_two_bug_tests.patch b/recipes-devtools/php/php/xfail_two_bug_tests.patch new file mode 100644 index 0000000..2105743 --- /dev/null +++ b/recipes-devtools/php/php/xfail_two_bug_tests.patch @@ -0,0 +1,34 @@ +php-ptest: xfail two tests + +If and when these tests are modified to expect the correct output, they will +succeed and generate warnings in the test summary. This patch can then be removed. + +Note that we add a closing '?>' to one test so that it can be executed directly by php. + +Upstream-Status: Pending + +Signed-off-By: Joe Slater joe.slater@windriver.com + + +--- a/tests/basic/bug71273.phpt ++++ b/tests/basic/bug71273.phpt +@@ -16,6 +16,8 @@ Bug #71273 A wrong ext directory setup i + var_dump(preg_match(",.+a[\/].+[\/]w.php_kartoffelbrei.dll.+,s", $out)); + ?> + ==DONE== ++--XFAIL-- ++Output is int(0), not int(1) + --EXPECT-- + int(1) + ==DONE== +--- a/tests/run-test/bug75042-3.phpt ++++ b/tests/run-test/bug75042-3.phpt +@@ -8,5 +8,8 @@ display_errors=1 + nonexistentsharedmodule + --FILE-- + <?php ++?> ++--XFAIL-- ++No warning message printed. + --EXPECTF-- + PHP Warning: PHP Startup: Unable to load dynamic library '%snonexistentsharedmodule.%s' %A diff --git a/recipes-devtools/php/php_%.bbappend b/recipes-devtools/php/php_%.bbappend new file mode 100644 index 0000000..645c743 --- /dev/null +++ b/recipes-devtools/php/php_%.bbappend 
@@ -0,0 +1,74 @@
+
+FILESEXTRAPATHS:append := "${THISDIR}/files:"
+
+SRC_URI:append = " \
+ file://php.ini \
+ file://zabbix-fpm.conf \
+ file://pg_config \
+ "
+
+DEPENDS += " openldap jpeg libpng freetype libpq"
+
+PACKAGECONFIG = " opcache pgsql \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 pam', d)}\
+ \
+ "
+
+PACKAGECONFIG[pgsql] = "--with-pgsql=${WORKDIR},--without-pgsql,libpq"
+
+EXTRA_OECONF += " \
+ --enable-bcmath \
+ --enable-gd \
+ --without-openssl \
+ --with-ldap=${STAGING_EXECPREFIXDIR} \
+ --with-config-file-path=/etc/php.ini \
+ --with-freetype \
+ --with-jpeg \
+ "
+
+SYSTEMD_PACKAGES = " php-fpm "
+SYSTEMD_SERVICE:php-fpm += "\
+ php-fpm.service \
+"
+SYSTEMD_AUTO_ENABLE:php-fpm = "enable"
+
+PGLIBDIR = "${STAGING_DIR_TARGET}${libdir}"
+PGINCDIR = "${STAGING_DIR_TARGET}${includedir}"
+
+do_configure:prepend() {
+
+ # config scripts
+ export LIBDIR_IN="${PGLIBDIR}"
+ export INCLUDEDIR_IN="${PGINCDIR}"
+ export VERSION_IN="14.5"
+}
+
+do_install:append:class-target() {
+
+ install -d ${D}/${sysconfdir}/tmpfiles.d/
+
+ # add tmpfile
+ echo 'd /run/php/ 0755 www-data www-data -' > ${D}/${sysconfdir}/tmpfiles.d/php.conf
+ echo >> ${D}/${sysconfdir}/tmpfiles.d/php.conf
+
+ # add zabbix conf
+ install -d ${D}/${sysconfdir}/php-fpm.d/
+ install -m 0644 ${WORKDIR}/zabbix-fpm.conf ${D}/${sysconfdir}/php-fpm.d/
+
+ sed -i -e 's#;include=.*.*$#include=/etc/php-fpm.d/*.conf#g' ${D}${sysconfdir}/php-fpm.conf
+ sed -i -e 's#;pm.status_path.*$#pm.status_path = /status#g' ${D}${sysconfdir}/php-fpm.conf
+ sed -i -e 's#;ping.path.*$#ping.path = /ping#g' ${D}${sysconfdir}/php-fpm.conf
+
+ install -m 0644 ${WORKDIR}/php.ini ${D}/etc/php.ini
+
+ install -d ${D}${systemd_unitdir}/system/multi-user.target.wants
+ ln -sf ../php-fpm.service ${D}${systemd_unitdir}/system/multi-user.target.wants/php-fpm.service
+}
+
+FILES:${PN}-fpm += "\
+ ${sysconfdir}/php.ini \
+ ${sysconfdir}/php-fpm.d/ \
+ ${sysconfdir}/tmpfiles.d/ \
+ ${systemd_unitdir}/ \
+ ${localstatedir}/lib/${BPN}/sessions \
+ "
\ No newline at end of file
diff --git a/recipes-devtools/php/php_7.4.33.bb b/recipes-devtools/php/php_7.4.33.bb
new file mode 100644
index 0000000..9ef4df3
--- /dev/null
+++ b/recipes-devtools/php/php_7.4.33.bb
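Review bot: `--with-config-file-path=/etc/php.ini` in the `EXTRA_OECONF +=` block names a file where PHP expects the directory it searches for php.ini (the base recipe passes a directory, `${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION}`, and this append overrides it), so as I read it the php.ini installed by this append would only be found through PHPRC; `--with-config-file-path=${sysconfdir}` matches the install location. The install line itself writes a literal `${D}/etc/php.ini` while `FILES:${PN}-fpm` lists `${sysconfdir}/php.ini`; `install -m 0644 ${WORKDIR}/php.ini ${D}${sysconfdir}/php.ini` keeps the two in step. The sed lines enable `pm.status_path = /status` and `ping.path = /ping` on the www pool, and the status page reports request URIs and script paths for every worker, so a comment naming where `/status` is access-restricted on the web-server side (nothing in this hunk shows it) would document the exposure. The tmpfiles.d entry creates `/run/php/` owned by `www-data` while the pool in php-fpm.conf runs as `user = nobody`; if the directory is for FPM's use, either the owner or the pool user should change so they agree.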
@@ -0,0 +1,276 @@
+SUMMARY = "A server-side, HTML-embedded scripting language - sourced from Dunfell"
+HOMEPAGE = "http://www.php.net"
+SECTION = "console/network"
+
+LICENSE = "PHP-3.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=99532e0f6620bc9bca34f12fadaee33c"
+
+BBCLASSEXTEND = "native"
+DEPENDS = "zlib bzip2 libxml2 virtual/libiconv php-native lemon-native"
+DEPENDS:class-native = "zlib-native libxml2-native"
+
+PHP_MAJOR_VERSION = "${@d.getVar('PV').split('.')[0]}"
+
+SRC_URI = "http://php.net/distributions/php-%24%7BPV%7D.tar.bz2 \
+ file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \
+ file://debian-php-fixheader.patch \
+ file://0001-configure.ac-don-t-include-build-libtool.m4.patch \
+ file://0001-php.m4-don-t-unset-cache-variables.patch \
+ file://CVE-2023-3824.patch \
+ "
+
+SRC_URI:append:class-target = " \
+ file://iconv.patch \
+ file://imap-fix-autofoo.patch \
+ file://php_exec_native.patch \
+ file://php-fpm.conf \
+ file://php-fpm-apache.conf \
+ file://70_mod_php${PHP_MAJOR_VERSION}.conf \
+ file://php-fpm.service \
+ file://pear-makefile.patch \
+ file://phar-makefile.patch \
+ file://0001-opcache-config.m4-enable-opcache.patch \
+ file://xfail_two_bug_tests.patch \
+ file://CVE-2023-3247-1.patch \
+ file://CVE-2023-3247-2.patch \
+ "
+
+S = "${WORKDIR}/php-${PV}"
+SRC_URI[sha256sum] = "4e8117458fe5a475bf203128726b71bcbba61c42ad463dffadee5667a198a98a"
+
+
+inherit autotools pkgconfig python3native gettext
+
+# phpize is not scanned for absolute paths by default (but php-config is).
+#
+SSTATE_SCAN_FILES += "phpize"
+SSTATE_SCAN_FILES += "build-defs.h"
+
+PHP_LIBDIR = "${libdir}/php${PHP_MAJOR_VERSION}"
+
+# Common EXTRA_OECONF
+COMMON_EXTRA_OECONF = "--enable-sockets \
+ --enable-pcntl \
+ --enable-shared \
+ --disable-rpath \
+ --with-pic \
+ --libdir=${PHP_LIBDIR} \
+"
+EXTRA_OECONF = "--enable-mbstring \
+ --enable-fpm \
+ --with-libdir=${baselib} \
+ --with-gettext=${STAGING_LIBDIR}/.. \
+ --with-zlib=${STAGING_LIBDIR}/.. \
+ --with-iconv=${STAGING_LIBDIR}/.. \
+ --with-bz2=${STAGING_DIR_TARGET}${exec_prefix} \
+ --with-config-file-path=${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION} \
+ ${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', 'ac_cv_c_bigendian_php=no', 'ac_cv_c_bigendian_php=yes', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '', 'ac_cv_lib_pam_pam_start=no', d)} \
+ ${COMMON_EXTRA_OECONF} \
+"
+
+EXTRA_OECONF:append:riscv64 = " --with-pcre-jit=no"
+EXTRA_OECONF:append:riscv32 = " --with-pcre-jit=no"
+
+CACHED_CONFIGUREVARS += "ac_cv_func_dlopen=no ac_cv_lib_dl_dlopen=yes"
+
+EXTRA_OECONF:class-native = " \
+ --with-zlib=${STAGING_LIBDIR_NATIVE}/.. \
+ --without-iconv \
+ ${COMMON_EXTRA_OECONF} \
+"
+
+PACKAGECONFIG ??= "mysql sqlite3 imap opcache \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 pam', d)} \
+"
+PACKAGECONFIG:class-native = ""
+
+PACKAGECONFIG[zip] = "--with-zip --with-zlib-dir=${STAGING_EXECPREFIXDIR},,libzip"
+
+PACKAGECONFIG[mysql] = "--with-mysqli=mysqlnd \
+ --with-pdo-mysql=mysqlnd \
+ ,--without-mysqli --without-pdo-mysql \
+ ,mysql5"
+
+PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_LIBDIR}/.. \
+ --with-pdo-sqlite=${STAGING_LIBDIR}/.. \
+ ,--without-sqlite3 --without-pdo-sqlite \
+ ,sqlite3"
+PACKAGECONFIG[pgsql] = "--with-pgsql=${STAGING_DIR_TARGET}${exec_prefix},--without-pgsql,postgresql"
+PACKAGECONFIG[soap] = "--enable-soap, --disable-soap, libxml2"
+PACKAGECONFIG[apache2] = "--with-apxs2=${STAGING_BINDIR_CROSS}/apxs,,apache2-native apache2"
+PACKAGECONFIG[pam] = ",,libpam"
+PACKAGECONFIG[imap] = "--with-imap=${STAGING_DIR_HOST} \
+ --with-imap-ssl=${STAGING_DIR_HOST} \
+ ,--without-imap --without-imap-ssl \
+ ,uw-imap"
+PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[opcache] = "--enable-opcache,--disable-opcache"
+# PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl-dunfell"
+PACKAGECONFIG[valgrind] = "--with-valgrind=${STAGING_DIR_TARGET}/usr,--with-valgrind=no,valgrind"
+PACKAGECONFIG[mbregex] = "--enable-mbregex, --disable-mbregex, oniguruma"
+
+export PHP_NATIVE_DIR = "${STAGING_BINDIR_NATIVE}"
+export PHP_PEAR_PHP_BIN = "${STAGING_BINDIR_NATIVE}/php"
+CFLAGS += " -D_GNU_SOURCE -g -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED -I${STAGING_INCDIR}/apache2"
+
+# Adding these flags enables dynamic library support, which is disabled by
+# default when cross compiling
+# See https://bugs.php.net/bug.php?id=60109
+CFLAGS += " -DHAVE_LIBDL "
+LDFLAGS += " -ldl "
+
+EXTRA_OEMAKE = "INSTALL_ROOT=${D}"
+
+acpaths = ""
+
+do_configure:prepend () {
+ # export OPENSSL_LIBS="-L${STAGING_DIR_TARGET}${libdir} -lcrypto.1.1 -lssl.1.1"
+ # export OPENSSL_CFLAGS="-I${STAGING_DIR_TARGET}${includedir}/openssl.1.1"
+
+ rm -f ${S}/build/libtool.m4 ${S}/ltmain.sh ${S}/aclocal.m4
+ find ${S} -name config.m4 | xargs -n1 sed -i 's!APXS_HTTPD=.*!APXS_HTTPD=${STAGING_SBINDIR_NATIVE}/httpd!'
+}
+
+do_configure:append() {
+ # No, libtool, we really don't want rpath set...
+ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+}
+
+do_install:append:class-native() {
+ rm -rf ${D}/${PHP_LIBDIR}/php/.registry
+ rm -rf ${D}/${PHP_LIBDIR}/php/.channels
+ rm -rf ${D}/${PHP_LIBDIR}/php/.[a-z]*
+}
+
+do_install:prepend() {
+ cat ${ACLOCALDIR}/libtool.m4 ${ACLOCALDIR}/lt~obsolete.m4 ${ACLOCALDIR}/ltoptions.m4 \
+ ${ACLOCALDIR}/ltsugar.m4 ${ACLOCALDIR}/ltversion.m4 > ${S}/build/libtool.m4
+}
+
+do_install:prepend:class-target() {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then
+ # Install dummy config file so apxs doesn't fail
+ install -d ${D}${sysconfdir}/apache2
+ printf "\nLoadModule dummy_module modules/mod_dummy.so\n" > ${D}${sysconfdir}/apache2/httpd.conf
+ fi
+}
+
+# fixme
+do_install:append:class-target() {
+ install -d ${D}${sysconfdir}/
+ rm -rf ${D}/.registry
+ rm -rf ${D}/.channels
+ rm -rf ${D}/.[a-z]*
+ rm -rf ${D}/var
+ rm -f ${D}/${sysconfdir}/php-fpm.conf.default
+ install -m 0644 ${WORKDIR}/php-fpm.conf ${D}/${sysconfdir}/php-fpm.conf
+ install -d ${D}/${sysconfdir}/apache2/conf.d
+ install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf
+ install -d ${D}${sysconfdir}/init.d
+ sed -i 's:=/usr/sbin:=${sbindir}:g' ${B}/sapi/fpm/init.d.php-fpm
+ sed -i 's:=/etc:=${sysconfdir}:g' ${B}/sapi/fpm/init.d.php-fpm
+ sed -i 's:=/var:=${localstatedir}:g' ${B}/sapi/fpm/init.d.php-fpm
+ install -m 0755 ${B}/sapi/fpm/init.d.php-fpm ${D}${sysconfdir}/init.d/php-fpm
+ install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/php-fpm.service ${D}${systemd_unitdir}/system/
+ sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' \
+ -e 's,@LOCALSTATEDIR@,${localstatedir},g' \
+ ${D}${systemd_unitdir}/system/php-fpm.service
+ fi
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/apache2/modules.d
+ install -d ${D}${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION}
+ install -m 644 ${WORKDIR}/70_mod_php${PHP_MAJOR_VERSION}.conf ${D}${sysconfdir}/apache2/modules.d
+ sed -i s,lib/,${libexecdir}/, ${D}${sysconfdir}/apache2/modules.d/70_mod_php${PHP_MAJOR_VERSION}.conf
+ cat ${S}/php.ini-production | \
+ sed -e 's,extension_dir = "./",extension_dir = "/usr/lib/extensions",' \
+ > ${D}${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION}/php.ini
+ rm -f ${D}${sysconfdir}/apache2/httpd.conf*
+ fi
+}
+
+SYSROOT_PREPROCESS_FUNCS += "php_sysroot_preprocess"
+
+php_sysroot_preprocess () {
+ install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}/
+ install -m 755 ${D}${bindir}/phpize ${SYSROOT_DESTDIR}${bindir_crossscripts}/
+ install -m 755 ${D}${bindir}/php-config ${SYSROOT_DESTDIR}${bindir_crossscripts}/
+
+ sed -i 's!eval echo /!eval echo ${STAGING_DIR_HOST}/!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/phpize
+ sed -i 's!^include_dir=.*!include_dir=${STAGING_INCDIR}/php!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/php-config
+}
+
+MODPHP_PACKAGE = "${@bb.utils.contains('PACKAGECONFIG', 'apache2', '${PN}-modphp', '', d)}"
+
+PACKAGES = "${PN}-dbg ${PN}-cli ${PN}-phpdbg ${PN}-cgi ${PN}-fpm ${PN}-fpm-apache2 ${PN}-pear ${PN}-phar ${MODPHP_PACKAGE} ${PN}-dev ${PN}-staticdev ${PN}-doc ${PN}-opcache ${PN}"
+
+RDEPENDS:${PN} += "libgcc"
+RDEPENDS:${PN}-pear = "${PN}"
+RDEPENDS:${PN}-phar = "${PN}-cli"
+RDEPENDS:${PN}-cli = "${PN}"
+RDEPENDS:${PN}-modphp = "${PN} apache2"
+RDEPENDS:${PN}-opcache = "${PN}"
+
+ALLOW_EMPTY:${PN} = "1"
+
+INITSCRIPT_PACKAGES = "${PN}-fpm"
+inherit update-rc.d
+
+FILES:${PN}-dbg =+ "${bindir}/.debug \
+ ${libexecdir}/apache2/modules/.debug"
+FILES:${PN}-doc += "${PHP_LIBDIR}/php/doc"
+FILES:${PN}-cli = "${bindir}/php"
+FILES:${PN}-phpdbg = "${bindir}/phpdbg"
+FILES:${PN}-phar = "${bindir}/phar*"
+FILES:${PN}-cgi = "${bindir}/php-cgi"
+FILES:${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${systemd_unitdir}/system/php-fpm.service ${sysconfdir}/php-fpm.d/www.conf.default"
+FILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf"
+CONFFILES:${PN}-fpm = "${sysconfdir}/php-fpm.conf"
+CONFFILES:${PN}-fpm-apache2 = "${sysconfdir}/apache2/conf.d/php-fpm.conf"
+INITSCRIPT_NAME:${PN}-fpm = "php-fpm"
+INITSCRIPT_PARAMS:${PN}-fpm = "defaults 60"
+FILES:${PN}-pear = "${bindir}/pear* ${bindir}/pecl ${PHP_LIBDIR}/php/PEAR \
+ ${PHP_LIBDIR}/php/PEAR*.php ${PHP_LIBDIR}/php/System.php \
+ ${PHP_LIBDIR}/php/peclcmd.php ${PHP_LIBDIR}/php/pearcmd.php \
+ ${PHP_LIBDIR}/php/.channels ${PHP_LIBDIR}/php/.channels/.alias \
+ ${PHP_LIBDIR}/php/.registry ${PHP_LIBDIR}/php/Archive/Tar.php \
+ ${PHP_LIBDIR}/php/Console/Getopt.php ${PHP_LIBDIR}/php/OS/Guess.php \
+ ${PHP_LIBDIR}/php/data/PEAR \
+ ${sysconfdir}/pear.conf"
+FILES:${PN}-dev = "${includedir}/php ${PHP_LIBDIR}/build ${bindir}/phpize \
+ ${bindir}/php-config ${PHP_LIBDIR}/php/.depdb \
+ ${PHP_LIBDIR}/php/.depdblock ${PHP_LIBDIR}/php/.filemap \
+ ${PHP_LIBDIR}/php/.lock ${PHP_LIBDIR}/php/test"
+FILES:${PN}-staticdev += "${PHP_LIBDIR}/extensions/*/*.a"
+FILES:${PN}-opcache = "${PHP_LIBDIR}/extensions/*/opcache${SOLIBSDEV}"
+FILES:${PN} = "${PHP_LIBDIR}/php"
+FILES:${PN} += "${bindir} ${libexecdir}/apache2"
+
+SUMMARYP:${PN}-modphp = "PHP module for the Apache HTTP server"
+FILES:${PN}-modphp = "${libdir}/apache2 ${sysconfdir}"
+
+MODPHP_OLDPACKAGE = "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'modphp', '', d)}"
+RPROVIDESP:${PN}-modphp = "${MODPHP_OLDPACKAGE}"
+RREPLACES:${PN}-modphp = "${MODPHP_OLDPACKAGE}"
+RCONFLICTS:${PN}-modphp = "${MODPHP_OLDPACKAGE}"
+
+do_install:append:class-native() {
+ create_wrapper ${D}${bindir}/php \
+ PHP_PEAR_SYSCONF_DIR=${sysconfdir}/
+}
+
+
+# Fails to build with thumb-1 (qemuarm)
+# | {standard input}: Assembler messages:
+# | {standard input}:3719: Error: selected processor does not support Thumb mode `smull r0,r2,r9,r3'
+# | {standard input}:3720: Error: unshifted register required -- `sub r2,r2,r0,asr#31'
+# | {standard input}:3796: Error: selected processor does not support Thumb mode `smull r0,r2,r3,r3'
+# | {standard input}:3797: Error: unshifted register required -- `sub r2,r2,r0,asr#31'
+# | make: *** [ext/standard/math.lo] Error 1
+ARM_INSTRUCTION_SET = "arm"
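Review bot: `SUMMARYP:${PN}-modphp` and `RPROVIDESP:${PN}-modphp` near the end of the recipe are not bitbake variables (the stray P looks like a slip in the `_`-to-`:` override conversion), so the modphp summary is silently dropped and the package no longer runtime-provides `${MODPHP_OLDPACKAGE}` while RREPLACES/RCONFLICTS still reference it; they should read `SUMMARY:${PN}-modphp` and `RPROVIDES:${PN}-modphp`. The SUMMARY says the recipe is sourced from Dunfell, and PHP 7.4 has been end-of-life upstream since late 2022, so the CVE-2023-3824 and CVE-2023-3247 patches carried in SRC_URI are the only fixes this build will receive; a comment next to SRC_URI stating that and why 7.4 is required (presumably the Zabbix 5.0 frontend) would let anyone reading cve-check output judge the exposure. The commented-out OPENSSL_LIBS/OPENSSL_CFLAGS exports in do_configure:prepend and the commented `PACKAGECONFIG[openssl]` line are dead configuration and should either go or carry a comment on why OpenSSL support is parked. In do_install:append:class-target, `install -m 0644 ${WORKDIR}/php-fpm-apache.conf ${D}/${sysconfdir}/apache2/conf.d/php-fpm.conf` appears twice, once before the init.d handling and again after it; the second copy can be dropped.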
Signed-off-by: Pawel Zalewski pzalewski@thegoodpenguin.co.uk --- recipes-support/curl/curl-morello_7.82.0.bb | 116 +++++ ...0001-openssl-fix-CN-check-error-code.patch | 38 ++ .../curl/files/CVE-2022-22576.patch | 145 ++++++ .../curl/files/CVE-2022-27774-1.patch | 45 ++ .../curl/files/CVE-2022-27774-2.patch | 80 +++ .../curl/files/CVE-2022-27774-3.patch | 83 ++++ .../curl/files/CVE-2022-27774-4.patch | 35 ++ .../curl/files/CVE-2022-27775.patch | 37 ++ .../curl/files/CVE-2022-27776.patch | 115 +++++ .../curl/files/CVE-2022-27779.patch | 42 ++ .../curl/files/CVE-2022-27780.patch | 33 ++ .../curl/files/CVE-2022-27781.patch | 43 ++ .../curl/files/CVE-2022-27782-1.patch | 458 ++++++++++++++++++ .../curl/files/CVE-2022-27782-2.patch | 71 +++ .../curl/files/CVE-2022-30115.patch | 82 ++++ .../curl/files/CVE-2022-32205.patch | 174 +++++++ .../curl/files/CVE-2022-32206.patch | 51 ++ .../curl/files/CVE-2022-32207.patch | 283 +++++++++++ .../curl/files/CVE-2022-32208.patch | 67 +++ .../curl/files/CVE-2022-32221.patch | 28 ++ .../curl/files/CVE-2022-35252.patch | 72 +++ .../curl/files/CVE-2022-42915.patch | 53 ++ .../curl/files/CVE-2022-42916.patch | 136 ++++++ .../curl/files/CVE-2022-43551.patch | 35 ++ .../curl/files/CVE-2022-43552.patch | 80 +++ .../curl/files/CVE-2023-23914_5-1.patch | 280 +++++++++++ .../curl/files/CVE-2023-23914_5-2.patch | 23 + .../curl/files/CVE-2023-23914_5-3.patch | 45 ++ .../curl/files/CVE-2023-23914_5-4.patch | 48 ++ .../curl/files/CVE-2023-23914_5-5.patch | 118 +++++ 30 files changed, 2916 insertions(+) create mode 100644 recipes-support/curl/curl-morello_7.82.0.bb create mode 100644 recipes-support/curl/files/0001-openssl-fix-CN-check-error-code.patch create mode 100644 recipes-support/curl/files/CVE-2022-22576.patch create mode 100644 recipes-support/curl/files/CVE-2022-27774-1.patch create mode 100644 recipes-support/curl/files/CVE-2022-27774-2.patch create mode 100644 recipes-support/curl/files/CVE-2022-27774-3.patch create mode 100644 
recipes-support/curl/files/CVE-2022-27774-4.patch create mode 100644 recipes-support/curl/files/CVE-2022-27775.patch create mode 100644 recipes-support/curl/files/CVE-2022-27776.patch create mode 100644 recipes-support/curl/files/CVE-2022-27779.patch create mode 100644 recipes-support/curl/files/CVE-2022-27780.patch create mode 100644 recipes-support/curl/files/CVE-2022-27781.patch create mode 100644 recipes-support/curl/files/CVE-2022-27782-1.patch create mode 100644 recipes-support/curl/files/CVE-2022-27782-2.patch create mode 100644 recipes-support/curl/files/CVE-2022-30115.patch create mode 100644 recipes-support/curl/files/CVE-2022-32205.patch create mode 100644 recipes-support/curl/files/CVE-2022-32206.patch create mode 100644 recipes-support/curl/files/CVE-2022-32207.patch create mode 100644 recipes-support/curl/files/CVE-2022-32208.patch create mode 100644 recipes-support/curl/files/CVE-2022-32221.patch create mode 100644 recipes-support/curl/files/CVE-2022-35252.patch create mode 100644 recipes-support/curl/files/CVE-2022-42915.patch create mode 100644 recipes-support/curl/files/CVE-2022-42916.patch create mode 100644 recipes-support/curl/files/CVE-2022-43551.patch create mode 100644 recipes-support/curl/files/CVE-2022-43552.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-1.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-2.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-3.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-4.patch create mode 100644 recipes-support/curl/files/CVE-2023-23914_5-5.patch
diff --git a/recipes-support/curl/curl-morello_7.82.0.bb b/recipes-support/curl/curl-morello_7.82.0.bb
new file mode 100644
index 0000000..fd1dd59
--- /dev/null
+++ b/recipes-support/curl/curl-morello_7.82.0.bb
@@ -0,0 +1,116 @@
+inherit autotools pkgconfig binconfig multilib_header
+inherit purecap-sysroot
+
+MORELLO_SRC = "poky/meta/recipes-support/curl/curl_7.82.0.bb"
+
+SUMMARY = "Command line tool and library for client-side URL transfers"
+DESCRIPTION = "It uses URL syntax to transfer data to and from servers. \
+curl is a widely used because of its ability to be flexible and complete \
+complex tasks. For example, you can use curl for things like user authentication, \
+HTTP post, SSL connections, proxy support, FTP uploads, and more!"
+HOMEPAGE = "https://curl.se/"
+BUGTRACKER = "https://github.com/curl/curl/issues"
+SECTION = "console/network"
+LICENSE = "curl"
+LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238"
+
+TOOLCHAIN = "${MORELLO_TOOLCHAIN}"
+
+SRC_URI = "https://curl.se/download/curl-%24%7BPV%7D.tar.xz \
+ file://CVE-2022-22576.patch \
+ file://CVE-2022-27775.patch \
+ file://CVE-2022-27776.patch \
+ file://CVE-2022-27774-1.patch \
+ file://CVE-2022-27774-2.patch \
+ file://CVE-2022-27774-3.patch \
+ file://CVE-2022-27774-4.patch \
+ file://CVE-2022-30115.patch \
+ file://CVE-2022-27780.patch \
+ file://CVE-2022-27781.patch \
+ file://CVE-2022-27779.patch \
+ file://CVE-2022-27782-1.patch \
+ file://CVE-2022-27782-2.patch \
+ file://0001-openssl-fix-CN-check-error-code.patch \
+ file://CVE-2022-32205.patch \
+ file://CVE-2022-32206.patch \
+ file://CVE-2022-32207.patch \
+ file://CVE-2022-32208.patch \
+ file://CVE-2022-35252.patch \
+ file://CVE-2022-32221.patch \
+ file://CVE-2022-42916.patch \
+ file://CVE-2022-42915.patch \
+ file://CVE-2022-43551.patch \
+ file://CVE-2022-43552.patch \
+ file://CVE-2023-23914_5-1.patch \
+ file://CVE-2023-23914_5-2.patch \
+ file://CVE-2023-23914_5-3.patch \
+ file://CVE-2023-23914_5-4.patch \
+ file://CVE-2023-23914_5-5.patch \
+ "
+SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
+
+S = "${WORKDIR}/curl-${PV}"
+
+# Curl has used many names over the years...
+CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+
+# Entropy source for random PACKAGECONFIG option
+RANDOM ?= "/dev/urandom"
+
+PACKAGECONFIG = "openssl proxy random verbose zlib"
+
+DEPENDS += "openssl-morello zlib-morello openldap-morello libidn2-morello"
+
+# 'ares' and 'threaded-resolver' are mutually exclusive
+# PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli"
+PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual"
+PACKAGECONFIG[dict] = "--enable-dict,--disable-dict,"
+PACKAGECONFIG[imap] = "--enable-imap,--disable-imap,"
+PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2-morello"
+PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap-morello"
+PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps,openldap-morello"
+PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt,"
+PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl-morello"
+PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
+PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy,"
+PACKAGECONFIG[random] = "--with-random=${RANDOM},--without-random"
+PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp,"
+PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose"
+PACKAGECONFIG[zlib] = "--with-zlib,--without-zlib,zlib-morello"
+
+EXTRA_OECONF = " \
+ --disable-manual \
+ --enable-threaded-resolver \
+ --disable-libcurl-option \
+ --disable-ntlm-wb \
+ --enable-crypto-auth \
+ --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
+ --without-libpsl \
+ --enable-debug \
+ --enable-optimize \
+ --disable-curldebug \
+"
+
+do_install:append:class-target() {
+ # cleanup buildpaths from curl-config
+ sed -i \
+ -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
+ -e 's,--with-libtool-sysroot=${STAGING_DIR_TARGET},,g' \
+ -e 's|${DEBUG_PREFIX_MAP}||g' \
+ -e 's|${@" ".join(d.getVar("DEBUG_PREFIX_MAP").split())}||g' \
+ ${D}${bindir}/curl-config
+}
+
+do_install:append() {
+ ${READELF_COMMAND} ${D}${libdir}/libcurl.so > ${D}${PURECAP_DEBUGDIR}/libcurl.so.readelf
+}
+
+PACKAGES =+ "lib${BPN}"
+
+FILES:lib${BPN} = "${libdir}/lib*.so.*"
+RRECOMMENDS:lib${BPN} += "ca-certificates"
+
+FILES:${PN} += "${datadir}/zsh"
+
+SYSROOT_DIRS += "${bindir}"
\ No newline at end of file
diff --git a/recipes-support/curl/files/0001-openssl-fix-CN-check-error-code.patch b/recipes-support/curl/files/0001-openssl-fix-CN-check-error-code.patch
new file mode 100644
index 0000000..c0a2355
--- /dev/null
+++ b/recipes-support/curl/files/0001-openssl-fix-CN-check-error-code.patch
@@ -0,0 +1,38 @@
+From 0677924c6ec7e0d68964553fb760f6d407242c54 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Tue, 8 Mar 2022 13:38:13 +0100
+Subject: [PATCH] openssl: fix CN check error code
+
+Due to a missing 'else' this returns error too easily.
+
+Regressed in: d15692ebb
+
+Reported-by: Kristoffer Gleditsch
+Fixes #8559
+Closes #8560
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/911714d617c106ed5d553bf003e34ec94ab6a136]
+
+Signed-off-by: Jose Quaresma jose.quaresma@foundries.io
+
+---
+ lib/vtls/openssl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 616a510..1bafe96 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
+ memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
+ peer_CN[peerlen] = '\0';
+ }
+- result = CURLE_OUT_OF_MEMORY;
++ else
++ result = CURLE_OUT_OF_MEMORY;
+ }
+ }
+ else /* not a UTF8 name */
+--
+2.34.1
+
diff --git a/recipes-support/curl/files/CVE-2022-22576.patch b/recipes-support/curl/files/CVE-2022-22576.patch
new file mode 100644
index 0000000..469cf22
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2022-22576.patch
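Review bot: `--enable-debug` in EXTRA_OECONF builds libcurl with its DEBUGBUILD code paths, which upstream intends for development builds rather than deployed ones, and this library sits underneath the Zabbix and PostgreSQL services the layer ships; either drop the flag or add a comment such as `# --enable-debug: <reason, e.g. purecap bring-up>` so a later maintainer knows it is deliberate and when it can be removed. `PACKAGECONFIG = "openssl proxy random verbose zlib"` is a hard assignment, so a distro cannot add `ipv6` or `libidn` without a bbappend; `PACKAGECONFIG ??= "openssl proxy random verbose zlib"` keeps the same default while matching the usual recipe convention. The backport list in SRC_URI stops at the CVE-2023-23914 series; since CVE_PRODUCT is set, cve-check will flag anything published for 7.82.0 after that, which is fine but worth a one-line comment stating that the list is a dated snapshot rather than complete coverage. In do_install:append, `${D}${PURECAP_DEBUGDIR}/libcurl.so.readelf` is written with no preceding `install -d`, which only works if purecap-sysroot.bbclass has already created that directory; worth confirming or adding the `install -d`.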
@@ -0,0 +1,145 @@ +From 371264697a70e8ed3da678aefbe20940759485fa Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat patrick@monnerat.net +Date: Mon, 25 Apr 2022 11:44:05 +0200 +Subject: [PATCH] url: check sasl additional parameters for connection reuse. + +Also move static function safecmp() as non-static Curl_safecmp() since +its purpose is needed at several places. + +Bug: https://curl.se/docs/CVE-2022-22576.html + +CVE-2022-22576 + +Closes #8746 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/strcase.c | 10 ++++++++++ + lib/strcase.h | 2 ++ + lib/url.c | 13 ++++++++++++- + lib/urldata.h | 1 + + lib/vtls/vtls.c | 21 ++++++--------------- + 5 files changed, 31 insertions(+), 16 deletions(-) + +diff --git a/lib/strcase.c b/lib/strcase.c +index dd46ca1..692a3f1 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) + } while(*src++ && --n); + } + ++/* Compare case-sensitive NUL-terminated strings, taking care of possible ++ * null pointers. Return true if arguments match. 
++ */ ++bool Curl_safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ return !a && !b; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index b628656..382b80a 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in); + void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + ++bool Curl_safecmp(char *a, char *b); ++ + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index adef2cd..94e3406 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn) + Curl_safefree(conn->passwd); + Curl_safefree(conn->sasl_authzid); + Curl_safefree(conn->options); ++ Curl_safefree(conn->oauth_bearer); + Curl_dyn_free(&conn->trailer); + Curl_safefree(conn->host.rawalloc); /* host name buffer */ + Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ +@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data, + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ + if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ strcmp(needle->passwd, check->passwd) || ++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || ++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data, + } + } + ++ if(data->set.str[STRING_BEARER]) { ++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); ++ if(!conn->oauth_bearer) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto out; ++ } ++ } ++ + #ifdef USE_UNIX_SOCKETS + if(data->set.str[STRING_UNIX_SOCKET_PATH]) { + conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); +diff --git 
a/lib/urldata.h b/lib/urldata.h +index cc8a600..03da59a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -984,6 +984,7 @@ struct connectdata { + char *passwd; /* password string, allocated */ + char *options; /* options string, allocated */ + char *sasl_authzid; /* authorisation identity string, allocated */ ++ char *oauth_bearer; /* OAUTH2 bearer, allocated */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ + struct curltime now; /* "current" time */ + struct curltime created; /* creation time */ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 03b85ba..a40ac06 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) + return !memcmp(first->data, second->data, first->len); /* same data */ + } + +-static bool safecmp(char *a, char *b) +-{ +- if(a && b) +- return !strcmp(a, b); +- else if(!a && !b) +- return TRUE; /* match */ +- return FALSE; /* no match */ +-} +- + + bool + Curl_ssl_config_matches(struct ssl_primary_config *data, +@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + blobcmp(data->cert_blob, needle->cert_blob) && + blobcmp(data->ca_info_blob, needle->ca_info_blob) && + blobcmp(data->issuercert_blob, needle->issuercert_blob) && +- safecmp(data->CApath, needle->CApath) && +- safecmp(data->CAfile, needle->CAfile) && +- safecmp(data->issuercert, needle->issuercert) && +- safecmp(data->clientcert, needle->clientcert) && +- safecmp(data->random_file, needle->random_file) && +- safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->CApath, needle->CApath) && ++ Curl_safecmp(data->CAfile, needle->CAfile) && ++ Curl_safecmp(data->issuercert, needle->issuercert) && ++ Curl_safecmp(data->clientcert, needle->clientcert) && ++ Curl_safecmp(data->random_file, needle->random_file) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, 
needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && diff --git a/recipes-support/curl/files/CVE-2022-27774-1.patch b/recipes-support/curl/files/CVE-2022-27774-1.patch new file mode 100644 index 0000000..f24003f --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-27774-1.patch 
@@ -0,0 +1,45 @@ +From f489d50ca5fd8b6a3a622e2521e2ca52787a6608 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] connect: store "conn_remote_port" in the info struct + +To make it available after the connection ended. + +Prerequisite for the patches that address CVE-2022-27774. + +Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/connect.c | 1 + + lib/urldata.h | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/connect.c b/lib/connect.c +index 64f9511..7518807 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, + data->info.conn_scheme = conn->handler->scheme; + data->info.conn_protocol = conn->handler->protocol; + data->info.conn_primary_port = conn->port; ++ data->info.conn_remote_port = conn->remote_port; + data->info.conn_local_port = local_port; + } + +diff --git a/lib/urldata.h b/lib/urldata.h +index f92052a..5218f76 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1160,7 +1160,11 @@ struct PureInfo { + reused, in the connection cache. */ + + char conn_primary_ip[MAX_IPADR_LEN]; +- int conn_primary_port; ++ int conn_primary_port; /* this is the destination port to the connection, ++ which might have been a proxy */ ++ int conn_remote_port; /* this is the "remote port", which is the port ++ number of the used URL, independent of proxy or ++ not */ + char conn_local_ip[MAX_IPADR_LEN]; + int conn_local_port; + const char *conn_scheme; diff --git a/recipes-support/curl/files/CVE-2022-27774-2.patch b/recipes-support/curl/files/CVE-2022-27774-2.patch new file mode 100644 index 0000000..9739634 --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-27774-2.patch 
@@ -0,0 +1,80 @@ +From 50aebd6ea20956513e9b7d7c776830b54d9c8ff6 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] transfer: redirects to other protocols or ports clear auth + +... unless explicitly permitted. + +Bug: https://curl.se/docs/CVE-2022-27774.html +Reported-by: Harry Sintonen +Closes #8748 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 48 insertions(+), 1 deletion(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 1f8019b..752fe14 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + else { +- + uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); + if(uc) + return Curl_uc_to_curlcode(uc); ++ ++ /* Clear auth if this redirects to a different port number or protocol, ++ unless permitted */ ++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { ++ char *portnum; ++ int port; ++ bool clear = FALSE; ++ ++ if(data->set.use_port && data->state.allow_port) ++ /* a custom port is used */ ++ port = (int)data->set.use_port; ++ else { ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ port = atoi(portnum); ++ free(portnum); ++ } ++ if(port != data->info.conn_remote_port) { ++ infof(data, "Clear auth, redirects to port from %u to %u", ++ data->info.conn_remote_port, port); ++ clear = TRUE; ++ } ++ else { ++ char *scheme; ++ const struct Curl_handler *p; ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ ++ p = Curl_builtin_scheme(scheme); ++ if(p && 
(p->protocol != data->info.conn_protocol)) { ++ infof(data, "Clear auth, redirects scheme from %s to %s", ++ data->info.conn_scheme, scheme); ++ clear = TRUE; ++ } ++ free(scheme); ++ } ++ if(clear) { ++ Curl_safefree(data->state.aptr.user); ++ Curl_safefree(data->state.aptr.passwd); ++ } ++ } + } + + if(type == FOLLOW_FAKE) { diff --git a/recipes-support/curl/files/CVE-2022-27774-3.patch b/recipes-support/curl/files/CVE-2022-27774-3.patch new file mode 100644 index 0000000..e4e8c29 --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-27774-3.patch 
@@ -0,0 +1,83 @@
+From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Mon, 25 Apr 2022 17:59:15 +0200
+Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
+
+Follow-up to 620ea21410030
+
+Reported-by: Harry Sintonen
+Closes #8751
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
+Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org
+---
+ lib/http.c | 10 +++++-----
+ lib/http.h | 6 ++++++
+ lib/vtls/openssl.c | 3 ++-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 0791dcf..4433824 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
+ }
+
+ /*
+- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+- * data" can (still) be sent to this host.
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host. 
+ */
+-static bool allow_auth_to_host(struct Curl_easy *data)
++bool Curl_allow_auth_to_host(struct Curl_easy *data)
+ {
+ struct connectdata *conn = data->conn;
+ return (!data->state.this_is_a_follow ||
+@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
+
+ /* To prevent the user+password to get sent to other than the original host
+ due to a location-follow */
+- if(allow_auth_to_host(data)
++ if(Curl_allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+ || conn->bits.netrc
+ #endif
+@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- !allow_auth_to_host(data))
++ !Curl_allow_auth_to_host(data))
+ ;
+ else {
+ #ifdef USE_HYPER
+diff --git a/lib/http.h b/lib/http.h
+index 07e963d..9000bae 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
+ bool proxytunnel); /* TRUE if this is the request setting
+ up the proxy tunnel */
+
++/*
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
++ */
++bool Curl_allow_auth_to_host(struct Curl_easy *data);
++
+ #endif /* HEADER_CURL_HTTP_H */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 616a510..e8633f4 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+
+ #ifdef USE_OPENSSL_SRP
+- if(ssl_authtype == CURL_TLSAUTH_SRP) {
++ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
++ Curl_allow_auth_to_host(data)) {
+ char * const ssl_username = SSL_SET_OPTION(username);
+
+ infof(data, "Using TLS-SRP username: %s", ssl_username);
diff --git a/recipes-support/curl/files/CVE-2022-27774-4.patch b/recipes-support/curl/files/CVE-2022-27774-4.patch
new file mode 100644
index 0000000..a642336
--- /dev/null
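Review bot: This patch's lib/http.c pre-image is `index 0791dcf..4433824`, which is the post-image of CVE-2022-27776.patch (`index 799d4fb..0791dcf`), and it renames the `allow_auth_to_host()` helper that only that patch introduces, so CVE-2022-27776.patch must be applied before CVE-2022-27774-3.patch and CVE-2022-27774-4.patch rather than in filename order. The same chained pre-images appear for lib/vtls/gtls.c (27774-4 then 27782-1), lib/vtls/openssl.c (27774-3 then 27782-1), lib/vtls/nss.c (27781 then 27782-1) and lib/url.c (27782-1 then 27782-2). The recipe's SRC_URI is outside this view, so I cannot confirm the order it uses; if the patches are listed in name order, do_patch will fail on this hunk. A line in the patch header such as `Depends-on: CVE-2022-27776.patch (introduces allow_auth_to_host)` would make the ordering constraint visible to whoever next re-sorts SRC_URI.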
+++ b/recipes-support/curl/files/CVE-2022-27774-4.patch
@@ -0,0 +1,35 @@
+From 56a145d6ca031841610daeebde99fbde0f8fcf21 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Tue, 26 Apr 2022 07:46:19 +0200
+Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects
+
+Follow-up to 620ea21410030 and 139a54ed0a172a
+
+Reported-by: Harry Sintonen
+Closes #8752
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c]
+Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org
+---
+ lib/vtls/gtls.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5749376..fe45b3a 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -437,11 +437,11 @@ gtls_connect_step1(struct Curl_easy *data,
+ }
+
+ #ifdef HAVE_GNUTLS_SRP
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
++ Curl_allow_auth_to_host(data)) {
+ infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+
+- rc = gnutls_srp_allocate_client_credentials(
+- &backend->srp_client_cred);
++ rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
+ gnutls_strerror(rc));
diff --git a/recipes-support/curl/files/CVE-2022-27775.patch b/recipes-support/curl/files/CVE-2022-27775.patch
new file mode 100644
index 0000000..666a906
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2022-27775.patch
@@ -0,0 +1,37 @@
+From eef2b165c39245857b1663e9153e7c4b4b519a4c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705]
+Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index cd5756a..9b9f683 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+ /* report back which name we used */
+ *hostp = hostname;
+
+- /* put the number first so that the hostname gets cut off if too long */
+- msnprintf(buf, len, "%ld%s", port, hostname);
++ /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++ msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ Curl_strntolower(buf, buf, len);
+ }
+
diff --git a/recipes-support/curl/files/CVE-2022-27776.patch b/recipes-support/curl/files/CVE-2022-27776.patch
new file mode 100644
index 0000000..2feee45
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2022-27776.patch
@@ -0,0 +1,115 @@
+From f6eba3638f9b25adfe85f3570f9a0fb2ceb09c2b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258]
+Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org
+---
+ lib/http.c | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 799d4fb..0791dcf 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
+ return CURLE_OK;
+ }
+
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++ struct connectdata *conn = data->conn;
++ return (!data->state.this_is_a_follow ||
++ data->set.allow_auth_to_other_hosts ||
++ (data->state.first_host &&
++ strcasecompare(data->state.first_host, conn->host.name) &&
++ (data->state.first_remote_port == conn->remote_port) &&
++ (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ /**
+ * Curl_http_output_auth() setups the authentication headers for the
+ * host/proxy and the correct authentication
+@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
+ with it */
+ authproxy->done = TRUE;
+
+- /* To prevent the user+password to get sent to other than the original
+- host due to a location-follow, we do some weirdo checks here */
+- if(!data->state.this_is_a_follow ||
++ /* To prevent the user+password to get sent to other than the original host
++ due to a location-follow */
++ if(allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC 
+- conn->bits.netrc ||
++ || conn->bits.netrc
+ #endif
+- !data->state.first_host ||
+- data->set.allow_auth_to_other_hosts ||
+- strcasecompare(data->state.first_host, conn->host.name)) {
++ )
+ result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+- }
+ else
+ authhost->done = TRUE;
+
+@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- (data->state.this_is_a_follow &&
+- data->state.first_host &&
+- !data->set.allow_auth_to_other_hosts &&
+- !strcasecompare(data->state.first_host, conn->host.name)))
++ !allow_auth_to_host(data))
+ ;
+ else {
+ #ifdef USE_HYPER
+@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
+ return CURLE_OUT_OF_MEMORY;
+
+ data->state.first_remote_port = conn->remote_port;
++ data->state.first_remote_protocol = conn->handler->protocol;
+ }
+ Curl_safefree(data->state.aptr.host);
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 03da59a..f92052a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1329,14 +1329,16 @@ struct UrlState {
+ char *ulbuf; /* allocated upload buffer or NULL */
+ curl_off_t current_speed; /* the ProgressShow() function sets this,
+ bytes / second */
+- char *first_host; /* host name of the first (not followed) request.
+- if set, this should be the host name that we will
+- sent authorization to, no else. Used to make Location:
+- following not keep sending user+password... This is
+- strdup() data.
+- */
++
++ /* host name, port number and protocol of the first (not followed) request.
++ if set, this should be the host name that we will sent authorization to,
++ no else. Used to make Location: following not keep sending user+password.
++ This is strdup()ed data. 
*/
++ char *first_host;
++ int first_remote_port;
++ unsigned int first_remote_protocol;
++
+ int retrycount; /* number of retries on a new connection */
+- int first_remote_port; /* remote port of the first (not followed) request */
+ struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+ long sessionage; /* number of the most recent session */
+ struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
diff --git a/recipes-support/curl/files/CVE-2022-27779.patch b/recipes-support/curl/files/CVE-2022-27779.patch
new file mode 100644
index 0000000..235be90
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2022-27779.patch
@@ -0,0 +1,42 @@
+From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Mon, 9 May 2022 16:47:06 +0200
+Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine
+
+The check for a dot in the domain must not consider a single trailing
+dot to be fine, as then TLD + trailing dot is fine and curl will accept
+setting cookies for it.
+
+CVE-2022-27779
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-27779.html
+Closes #8820
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59]
+Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org
+---
+ lib/cookie.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index d418efa..1b8c8f9 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
+ /* Make sure domain contains a dot or is localhost. */
+ static bool bad_domain(const char *domain)
+ {
+- return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
++ if(strcasecompare(domain, "localhost"))
++ return FALSE;
++ else {
++ /* there must be a dot present, but that dot must not be a trailing dot */
++ char *dot = strchr(domain, '.');
++ if(dot)
++ return dot[1] ? FALSE : TRUE;
++ }
++ return TRUE;
+ }
+
+ /*
diff --git a/recipes-support/curl/files/CVE-2022-27780.patch b/recipes-support/curl/files/CVE-2022-27780.patch
new file mode 100644
index 0000000..8820af3
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2022-27780.patch
@@ -0,0 +1,33 @@
+From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Mon, 9 May 2022 08:19:38 +0200
+Subject: [PATCH] urlapi: reject percent-decoding host name into separator
+ bytes
+
+CVE-2022-27780
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-27780.html
+Closes #8826
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a]
+Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org
+---
+ lib/urlapi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index ff00ee4..00222fc 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
+ #endif
+ }
+ else {
+- /* letters from the second string is not ok */
+- len = strcspn(hostname, " \r\n");
++ /* letters from the second string are not ok */
++ len = strcspn(hostname, " \r\n\t/:#?!@");
+ if(hlen != len)
+ /* hostname with bad content */
+ return CURLUE_BAD_HOSTNAME;
diff --git a/recipes-support/curl/files/CVE-2022-27781.patch b/recipes-support/curl/files/CVE-2022-27781.patch
new file mode 100644
index 0000000..52f39a0
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2022-27781.patch
@@ -0,0 +1,43 @@
+From 5bb5b2a901db4c6441fc451f21408be2a9463058 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Mon, 9 May 2022 10:07:15 +0200
+Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
+
+CVE-2022-27781
+
+Reported-by: Florian Kohnhäuser
+Bug: https://curl.se/docs/CVE-2022-27781.html
+Closes #8822
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
+Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org
+---
+ lib/vtls/nss.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 558e3be..52f2060 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data,
+ PR_Free(common_name);
+ }
+
++/* A number of certs that will never occur in a real server handshake */
++#define TOO_MANY_CERTS 300
++
+ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
+ {
+ CURLcode result = CURLE_OK;
+@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
+ cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
+ while(cert2) {
+ i++;
++ if(i >= TOO_MANY_CERTS) {
++ CERT_DestroyCertificate(cert2);
++ failf(data, "certificate loop");
++ return CURLE_SSL_CERTPROBLEM;
++ }
+ if(cert2->isRoot) {
+ CERT_DestroyCertificate(cert2);
+ break;
diff --git a/recipes-support/curl/files/CVE-2022-27782-1.patch b/recipes-support/curl/files/CVE-2022-27782-1.patch
new file mode 100644
index 0000000..ce2599b
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2022-27782-1.patch
@@ -0,0 +1,458 @@ +From acee9eb38639b35af9047521d71333423657de0d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 23 ++++++++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/gtls.c | 32 +++++++++++++++++--------------- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 6 +++--- + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 21 +++++++++++++++++++++ + 8 files changed, 87 insertions(+), 49 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 8e1bf12..7aa6fdb 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption 
option, va_list param) + case CURLOPT_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + break; + #endif + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #endif + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ 
data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #endif +diff --git a/lib/url.c b/lib/url.c +index 94e3406..5ebf5e2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; + conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; + conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; ++ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #ifndef CURL_DISABLE_PROXY + conn->proxy_ssl_config.verifystatus = + data->set.proxy_ssl.primary.verifystatus; + conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; + conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; ++ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #endif + conn->ip_version = data->set.ipver; + conn->bits.connect_only = data->set.connect_only; +@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data, + 
data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.primary.issuercert_blob = + data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; + data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + #ifndef CURL_DISABLE_PROXY +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +diff --git a/lib/urldata.h b/lib/urldata.h +index 5218f76..e006495 100644 +--- 
a/lib/urldata.h ++++ b/lib/urldata.h +@@ -253,10 +253,17 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ + struct curl_blob *cert_blob; + struct curl_blob *ca_info_blob; + struct curl_blob *issuercert_blob; ++#ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++#endif + char *curves; /* list of curves to use */ ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -266,7 +273,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +@@ -274,11 +280,6 @@ struct ssl_config_data { + struct curl_blob *key_blob; + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index fe45b3a..3c31782 100644 +--- a/lib/vtls/gtls.c ++++ 
b/lib/vtls/gtls.c +@@ -437,9 +437,10 @@ gtls_connect_step1(struct Curl_easy *data, + } + + #ifdef HAVE_GNUTLS_SRP +- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); ++ infof(data, "Using TLS-SRP username: %s", ++ SSL_SET_OPTION(primary.username)); + + rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -449,8 +450,8 @@ gtls_connect_step1(struct Curl_easy *data, + } + + rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, +- SSL_SET_OPTION(username), +- SSL_SET_OPTION(password)); ++ SSL_SET_OPTION(primary.username), ++ SSL_SET_OPTION(primary.password)); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_set_client_cred() failed: %s", + gnutls_strerror(rc)); +@@ -507,19 +508,19 @@ gtls_connect_step1(struct Curl_easy *data, + } + #endif + +- if(SSL_SET_OPTION(CRLfile)) { ++ if(SSL_SET_OPTION(primary.CRLfile)) { + /* set the CRL list file */ + rc = gnutls_certificate_set_x509_crl_file(backend->cred, +- SSL_SET_OPTION(CRLfile), ++ SSL_SET_OPTION(primary.CRLfile), + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + failf(data, "error reading crl file %s (%s)", +- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); ++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); + return CURLE_SSL_CRL_BADFILE; + } + else + infof(data, "found %d CRL in %s", +- rc, SSL_SET_OPTION(CRLfile)); ++ rc, SSL_SET_OPTION(primary.CRLfile)); + } + + /* Initialize TLS session as a client */ +@@ -590,7 +591,7 @@ gtls_connect_step1(struct Curl_easy *data, + #ifdef HAVE_GNUTLS_SRP + /* Only add SRP to the cipher list if SRP is requested. Otherwise + * GnuTLS will disable TLS 1.3 support. 
*/ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + size_t len = strlen(prioritylist); + + char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); +@@ -685,7 +686,7 @@ gtls_connect_step1(struct Curl_easy *data, + + #ifdef HAVE_GNUTLS_SRP + /* put the credentials to the current session */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, + backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -867,8 +868,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { + #ifdef HAVE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) + && !SSL_CONN_CONFIG(verifypeer) + && gnutls_cipher_get(session)) { + /* no peer cert, but auth is ok if we have SRP user and cipher and no +@@ -926,7 +927,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + failf(data, "server certificate verification failed. CAfile: %s " + "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): + "none", +- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); ++ SSL_SET_OPTION(primary.CRLfile) ? 
++ SSL_SET_OPTION(primary.CRLfile) : "none"); + return CURLE_PEER_FAILED_VERIFICATION; + } + else +@@ -1556,8 +1558,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, + gnutls_certificate_free_credentials(backend->cred); + + #ifdef HAVE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL) ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL) + gnutls_srp_free_client_credentials(backend->srp_client_cred); + #endif + +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index b9fd26a..bd4ad8f 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + const char * const hostname = SSL_HOST_NAME(); + #ifndef CURL_DISABLE_VERBOSE_STRINGS + const long int port = SSL_HOST_PORT(); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 52f2060..959e23e 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, + } + } + +- if(SSL_SET_OPTION(CRLfile)) { +- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); ++ if(SSL_SET_OPTION(primary.CRLfile)) { ++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(rv) { + result = rv; + goto error; + } +- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); ++ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); + } + + if(SSL_SET_OPTION(primary.clientcert)) { +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index e8633f4..d98bbcb 100644 +--- a/lib/vtls/openssl.c ++++ 
b/lib/vtls/openssl.c +@@ -2632,7 +2632,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_OPENSSL_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +@@ -2643,7 +2643,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; +@@ -2895,15 +2895,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #ifdef USE_OPENSSL_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s", ssl_username); + + if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index a40ac06..e2d3438 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + { 
+ if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ Curl_safecmp(data->username, needle->username) && ++ Curl_safecmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++ dest->ssl_options = source->ssl_options; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_BLOB(cert_blob); + CLONE_BLOB(ca_info_blob); +@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); + CLONE_STRING(curves); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->ca_info_blob); + Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ 
Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL diff --git a/recipes-support/curl/files/CVE-2022-27782-2.patch b/recipes-support/curl/files/CVE-2022-27782-2.patch new file mode 100644 index 0000000..74fa7f8 --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-27782-2.patch 
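Review bot: In `Curl_ssl_config_matches()` the new `CRLfile` check uses `Curl_safe_strcasecompare`, whereas `clientcert` a few lines above and the new SRP `username`/`password` fields are compared with the case-sensitive `Curl_safecmp`; on a case-sensitive filesystem two different CRL files whose paths differ only in case would therefore count as the same TLS configuration and the connection would be reused. Since the patch header marks this as a verbatim upstream backport I would not edit it locally, but it is worth checking whether upstream later tightened that compare and, if so, carrying that follow-up as well; otherwise a line in the patch header recording the known gap would help the next reviewer. The two empty `#ifdef USE_TLS_SRP`/`#endif` pairs added in allocate_conn() are likewise upstream leftovers and compile to nothing, so they are harmless but look odd without a comment.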
@@ -0,0 +1,71 @@ +From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] url: check SSH config match on connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/url.c | 11 +++++++++++ + lib/vssh/ssh.h | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 5ebf5e2..c713e54 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data) + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + ++ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY + || !needle->bits.httpproxy || needle->bits.tunnel_proxy +diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h +index 7972081..30d82e5 100644 +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * ___|___/|_| ______| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, daniel@haxx.se, et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, daniel@haxx.se, et al. 
+ * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -131,8 +131,8 @@ struct ssh_conn { + + /* common */ + const char *passphrase; /* pass-phrase to use */ +- char *rsa_pub; /* path name */ +- char *rsa; /* path name */ ++ char *rsa_pub; /* strdup'ed public key file */ ++ char *rsa; /* strdup'ed private key file */ + bool authed; /* the connection has been authenticated fine */ + bool acceptfail; /* used by the SFTP_QUOTE (continue if + quote command fails) */ diff --git a/recipes-support/curl/files/CVE-2022-30115.patch b/recipes-support/curl/files/CVE-2022-30115.patch new file mode 100644 index 0000000..96839cf --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-30115.patch 
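Review bot: This patch carries the CVE id only in its Subject line, the body and the file name, not as a `CVE: CVE-2022-27782` tag, whereas CVE-2022-32221.patch, CVE-2022-42915.patch, CVE-2022-42916.patch, CVE-2022-43551.patch and CVE-2022-43552.patch in the same series do carry the tag; the same applies to the CVE-2022-30115, -32205, -32206, -32207, -32208 and -35252 patches. The file-name pattern is presumably still picked up by cve-check, so the fix should be counted either way, but the explicit tag keeps the metadata consistent across the recipe and machine-readable. Suggest adding `CVE: CVE-2022-27782` next to the `Upstream-Status:` line in each of the affected patches.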
@@ -0,0 +1,82 @@ +From 8313ef3f507b5bdc54e985cae71aa9df00609d55 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Mon, 9 May 2022 08:13:55 +0200 +Subject: [PATCH] hsts: ignore trailing dots when comparing hosts names + +CVE-2022-30115 + +Reported-by: Axel Chong +Bug: https://curl.se/docs/CVE-2022-30115.html +Closes #8821 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/fae6fea209a2d4db1582f608bd8cc8000721733a] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/hsts.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index 03fcc9e..b9fa6f7 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h, + curl_off_t expires) + { + struct stsentry *sts = hsts_entry(); ++ char *duphost; ++ size_t hlen; + if(!sts) + return CURLE_OUT_OF_MEMORY; + +- sts->expires = expires; +- sts->includeSubDomains = subdomains; +- sts->host = strdup(hostname); +- if(!sts->host) { ++ duphost = strdup(hostname); ++ if(!duphost) { + free(sts); + return CURLE_OUT_OF_MEMORY; + } ++ ++ hlen = strlen(duphost); ++ if(duphost[hlen - 1] == '.') ++ /* strip off trailing any dot */ ++ duphost[--hlen] = 0; ++ ++ sts->host = duphost; ++ sts->expires = expires; ++ sts->includeSubDomains = subdomains; + Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node); + return CURLE_OK; + } +@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, + bool subdomain) + { + if(h) { ++ char buffer[MAX_HSTS_HOSTLEN + 1]; + time_t now = time(NULL); + size_t hlen = strlen(hostname); + struct Curl_llist_element *e; + struct Curl_llist_element *n; ++ ++ if((hlen > MAX_HSTS_HOSTLEN) || !hlen) ++ return NULL; ++ memcpy(buffer, hostname, hlen); ++ if(hostname[hlen-1] == '.') ++ /* remove the trailing dot */ ++ --hlen; ++ buffer[hlen] = 0; ++ hostname = buffer; ++ + for(e = h->list.head; e; e = n) { + struct 
stsentry *sts = e->ptr; + n = e->next; +@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h) + CURLSTScode sc; + DEBUGASSERT(h); + do { +- char buffer[257]; ++ char buffer[MAX_HSTS_HOSTLEN + 1]; + struct curl_hstsentry e; + e.name = buffer; + e.namelen = sizeof(buffer)-1; diff --git a/recipes-support/curl/files/CVE-2022-32205.patch b/recipes-support/curl/files/CVE-2022-32205.patch new file mode 100644 index 0000000..165fd8a --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-32205.patch 
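Review bot: In `hsts_create`, `hlen = strlen(duphost);` is followed by `if(duphost[hlen - 1] == '.')` with no check that `hlen` is non-zero, so an empty host name reads one byte before the allocation; the `Curl_hsts()` hunk further down does guard with `|| !hlen` but `hsts_create` does not. Whether its callers (`Curl_hsts_parse`, `hsts_pull`) can pass an empty name is not visible here; if they can, the guard should read `if(hlen && duphost[hlen - 1] == '.')`. The backport also uses `MAX_HSTS_HOSTLEN`, which this patch does not define — confirm it exists in the target curl version's hsts.h, otherwise the patched lib/hsts.c will not compile.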
@@ -0,0 +1,174 @@ +From a91c22a072cbb32e296f1efba3502f1b7775dfaf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Sun, 26 Jun 2022 11:00:48 +0200 +Subject: [PATCH] cookie: apply limits + +- Send no more than 150 cookies per request +- Cap the max length used for a cookie: header to 8K +- Cap the max number of received Set-Cookie: headers to 50 + +Bug: https://curl.se/docs/CVE-2022-32205.html +CVE-2022-32205 +Reported-by: Harry Sintonen +Closes #9048 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/48d7064a49148f0394] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/cookie.c | 14 ++++++++++++-- + lib/cookie.h | 21 +++++++++++++++++++-- + lib/http.c | 13 +++++++++++-- + lib/urldata.h | 1 + + 4 files changed, 43 insertions(+), 6 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 1b8c8f9..8a6aa1a 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -477,6 +477,10 @@ Curl_cookie_add(struct Curl_easy *data, + (void)data; + #endif + ++ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */ ++ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT) ++ return NULL; ++ + /* First, alloc and init a new struct for it */ + co = calloc(1, sizeof(struct Cookie)); + if(!co) +@@ -816,7 +820,7 @@ Curl_cookie_add(struct Curl_easy *data, + freecookie(co); + return NULL; + } +- ++ data->req.setcookies++; + } + else { + /* +@@ -1354,7 +1358,8 @@ static struct Cookie *dup_cookie(struct Cookie *src) + * + * It shall only return cookies that haven't expired. 
+ */ +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, + const char *host, const char *path, + bool secure) + { +@@ -1409,6 +1414,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, + mainco = newco; + + matches++; ++ if(matches >= MAX_COOKIE_SEND_AMOUNT) { ++ infof(data, "Included max number of cookies (%u) in request!", ++ matches); ++ break; ++ } + } + else + goto fail; +diff --git a/lib/cookie.h b/lib/cookie.h +index 0ffe08e..7411980 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -81,10 +81,26 @@ struct CookieInfo { + */ + #define MAX_COOKIE_LINE 5000 + +-/* This is the maximum length of a cookie name or content we deal with: */ ++/* Maximum length of an incoming cookie name or content we deal with. Longer ++ cookies are ignored. */ + #define MAX_NAME 4096 + #define MAX_NAME_TXT "4095" + ++/* Maximum size for an outgoing cookie line libcurl will use in an http ++ request. This is the default maximum length used in some versions of Apache ++ httpd. */ ++#define MAX_COOKIE_HEADER_LEN 8190 ++ ++/* Maximum number of cookies libcurl will send in a single request, even if ++ there might be more cookies that match. One reason to cap the number is to ++ keep the maximum HTTP request within the maximum allowed size. */ ++#define MAX_COOKIE_SEND_AMOUNT 150 ++ ++/* Maximum number of Set-Cookie: lines accepted in a single response. If more ++ such header lines are received, they are ignored. This value must be less ++ than 256 since an unsigned char is used to count. */ ++#define MAX_SET_COOKIE_AMOUNT 50 ++ + struct Curl_easy; + /* + * Add a cookie to the internal list of cookies. 
The domain and path arguments +@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data, + const char *domain, const char *path, + bool secure); + +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, const char *host, + const char *path, bool secure); + void Curl_cookie_freelist(struct Cookie *cookies); + void Curl_cookie_clearall(struct CookieInfo *cookies); +diff --git a/lib/http.c b/lib/http.c +index 4433824..2c8b0c4 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2709,12 +2709,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + } + + #if !defined(CURL_DISABLE_COOKIES) ++ + CURLcode Curl_http_cookies(struct Curl_easy *data, + struct connectdata *conn, + struct dynbuf *r) + { + CURLcode result = CURLE_OK; + char *addcookies = NULL; ++ bool linecap = FALSE; + if(data->set.str[STRING_COOKIE] && + !Curl_checkheaders(data, STRCONST("Cookie"))) + addcookies = data->set.str[STRING_COOKIE]; +@@ -2732,7 +2734,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + !strcmp(host, "127.0.0.1") || + !strcmp(host, "[::1]") ? 
TRUE : FALSE; + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); +- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, ++ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, + secure_context); + Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); + } +@@ -2746,6 +2748,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + if(result) + break; + } ++ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >= ++ MAX_COOKIE_HEADER_LEN) { ++ infof(data, "Restricted outgoing cookies due to header size, " ++ "'%s' not sent", co->name); ++ linecap = TRUE; ++ break; ++ } + result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"", + co->name, co->value); + if(result) +@@ -2756,7 +2765,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + } + Curl_cookie_freelist(store); + } +- if(addcookies && !result) { ++ if(addcookies && !result && !linecap) { + if(!count) + result = Curl_dyn_addn(r, STRCONST("Cookie: ")); + if(!result) { +diff --git a/lib/urldata.h b/lib/urldata.h +index e006495..54faf7d 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -707,6 +707,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++ unsigned char setcookies; + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding diff --git a/recipes-support/curl/files/CVE-2022-32206.patch b/recipes-support/curl/files/CVE-2022-32206.patch new file mode 100644 index 0000000..25f5b27 --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-32206.patch 
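Review bot: The new early return in `Curl_cookie_add` dereferences `data` (`data->req.setcookies`) immediately after the `(void)data;` line, which suggests `data` may be unused or unavailable in some builds; if any caller passes a NULL `data`, this is a null dereference placed ahead of every existing check, so confirm the callers before taking the backport as-is, or guard with `if(data && data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)`. The counter is incremented only on the Set-Cookie path and the patch does not show where `req.setcookies` is reset, so the cap is per request only if `SingleRequest` is re-initialised between transfers, which is outside these hunks. The `DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255)` documents the `unsigned char` width, but the comment on the field in urldata.h is missing; suggest `unsigned char setcookies; /* Set-Cookie: lines accepted this request, capped by MAX_SET_COOKIE_AMOUNT */`.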
@@ -0,0 +1,51 @@ +From e12531340b03d242d3f892aa8797faf12b56dddf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH] content_encoding: return error on too many compression steps + +The max allowed steps is arbitrarily set to 5. + +Bug: https://curl.se/docs/CVE-2022-32206.html +CVE-2022-32206 +Reported-by: Harry Sintonen +Closes #9049 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c03637a..6f994b3 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name, + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. */ + writer = new_unencoding_writer(data, encoding, k->writer_stack); + if(!writer) diff --git a/recipes-support/curl/files/CVE-2022-32207.patch b/recipes-support/curl/files/CVE-2022-32207.patch new file mode 100644 index 0000000..bc16b62 --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-32207.patch 
@@ -0,0 +1,283 @@ +From 759088694e2ba68ddc5ffe042b071dadad6ff675 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files + +Bug: https://curl.se/docs/CVE-2022-32207.html +CVE-2022-32207 +Reported-by: Harry Sintonen +Closes #9050 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + CMakeLists.txt | 1 + + configure.ac | 1 + + lib/Makefile.inc | 2 + + lib/cookie.c | 19 ++----- + lib/curl_config.h.cmake | 3 ++ + lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++ + lib/fopen.h | 30 +++++++++++ + 7 files changed, 154 insertions(+), 15 deletions(-) + create mode 100644 lib/fopen.c + create mode 100644 lib/fopen.h + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index b77de6d..a0bfaad 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET) + set(CMAKE_REQUIRED_LIBRARIES socket) + endif() + ++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD) + check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME) + check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET) + check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT) +diff --git a/configure.ac b/configure.ac +index d431870..7433bb9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se + + + AC_CHECK_FUNCS([fnmatch \ ++ fchmod \ + geteuid \ + getpass_r \ + getppid \ +diff --git a/lib/Makefile.inc b/lib/Makefile.inc +index e8f110f..5139b03 100644 +--- a/lib/Makefile.inc ++++ b/lib/Makefile.inc +@@ -133,6 +133,7 @@ LIB_CFILES = \ + escape.c \ + file.c \ + fileinfo.c \ ++ fopen.c \ + formdata.c \ + ftp.c \ + ftplistparser.c \ +@@ -263,6 +264,7 @@ LIB_HFILES = \ + escape.h \ + file.h \ + fileinfo.h \ ++ fopen.h \ + formdata.h \ + ftp.h \ + ftplistparser.h \ 
+diff --git a/lib/cookie.c b/lib/cookie.c +index 8a6aa1a..cb0c03b 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -96,8 +96,8 @@ Example set of cookies: + #include "curl_get_line.h" + #include "curl_memrchr.h" + #include "parsedate.h" +-#include "rand.h" + #include "rename.h" ++#include "fopen.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data, + use_stdout = TRUE; + } + else { +- unsigned char randsuffix[9]; +- +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return 2; +- +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) { +- error = CURLE_WRITE_ERROR; ++ error = Curl_fopen(data, filename, &out, &tempstore); ++ if(error) + goto error; +- } + } + + fputs("# Netscape HTTP Cookie File\n" +@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data, + if(!use_stdout) { + fclose(out); + out = NULL; +- if(Curl_rename(tempstore, filename)) { ++ if(tempstore && Curl_rename(tempstore, filename)) { + unlink(tempstore); + error = CURLE_WRITE_ERROR; + goto error; +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake +index d2a0f43..c254359 100644 +--- a/lib/curl_config.h.cmake ++++ b/lib/curl_config.h.cmake +@@ -157,6 +157,9 @@ + /* Define to 1 if you have the <assert.h> header file. */ + #cmakedefine HAVE_ASSERT_H 1 + ++/* Define to 1 if you have the `fchmod' function. */ ++#cmakedefine HAVE_FCHMOD 1 ++ + /* Define to 1 if you have the `basename' function. 
*/ + #cmakedefine HAVE_BASENAME 1 + +diff --git a/lib/fopen.c b/lib/fopen.c +new file mode 100644 +index 0000000..ad3691b +--- /dev/null ++++ b/lib/fopen.c +@@ -0,0 +1,113 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ | | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * ___|___/|_| ______| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, daniel@haxx.se, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ ++ !defined(CURL_DISABLE_HSTS) ++ ++#ifdef HAVE_FCNTL_H ++#include <fcntl.h> ++#endif ++ ++#include "urldata.h" ++#include "rand.h" ++#include "fopen.h" ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" ++#include "memdebug.h" ++ ++/* ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed ++ * to the final name when completed. If there is an existing file using this ++ * name at the time of the open, this function will clone the mode from that ++ * file. if 'tempname' is non-NULL, it needs a rename after the file is ++ * written. 
++ */ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname) ++{ ++ CURLcode result = CURLE_WRITE_ERROR; ++ unsigned char randsuffix[9]; ++ char *tempstore = NULL; ++ struct_stat sb; ++ int fd = -1; ++ *tempname = NULL; ++ ++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ /* a non-regular file, fallback to direct fopen() */ ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(*fh) ++ return CURLE_OK; ++ goto fail; ++ } ++ ++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ if(result) ++ goto fail; ++ ++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ if(!tempstore) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto fail; ++ } ++ ++ result = CURLE_WRITE_ERROR; ++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); ++ if(fd == -1) ++ goto fail; ++ ++#ifdef HAVE_FCHMOD ++ { ++ struct_stat nsb; ++ if((fstat(fd, &nsb) != -1) && ++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { ++ /* if the user and group are the same, clone the original mode */ ++ if(fchmod(fd, sb.st_mode) == -1) ++ goto fail; ++ } ++ } ++#endif ++ ++ *fh = fdopen(fd, FOPEN_WRITETEXT); ++ if(!*fh) ++ goto fail; ++ ++ *tempname = tempstore; ++ return CURLE_OK; ++ ++fail: ++ if(fd != -1) { ++ close(fd); ++ unlink(tempstore); ++ } ++ ++ free(tempstore); ++ ++ *tempname = NULL; ++ return result; ++} ++ ++#endif /* ! disabled */ +diff --git a/lib/fopen.h b/lib/fopen.h +new file mode 100644 +index 0000000..289e55f +--- /dev/null ++++ b/lib/fopen.h +@@ -0,0 +1,30 @@ ++#ifndef HEADER_CURL_FOPEN_H ++#define HEADER_CURL_FOPEN_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ | | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * ___|___/|_| ______| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, daniel@haxx.se, et al. 
++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname); ++ ++#endif diff --git a/recipes-support/curl/files/CVE-2022-32208.patch b/recipes-support/curl/files/CVE-2022-32208.patch new file mode 100644 index 0000000..9a4e398 --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-32208.patch 
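Review bot: The header comment above `Curl_fopen` says "if 'tempname' is non-NULL, it needs a rename", but the function always writes through `tempname` (`*tempname = NULL;` at the top, with no check on the pointer itself), so what is meant is the pointed-to value. Suggest rewording to: `On success *tempname is either NULL (the file was opened directly and needs no rename) or the temp path the caller must rename to 'filename' and then free.` The same contract belongs on the prototype in fopen.h, which currently carries no comment. The uid/gid comparison before `fchmod()` leaves the temp file at the `0600` it was created with when ownership differs from the existing file; that appears intentional and is worth stating inline: `/* ownership differs: keep the restrictive 0600 rather than cloning the old mode */`.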
@@ -0,0 +1,67 @@ +From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Thu, 9 Jun 2022 09:27:24 +0200 +Subject: [PATCH] krb5: return error properly on decode errors + +Bug: https://curl.se/docs/CVE-2022-32208.html +CVE-2022-32208 +Reported-by: Harry Sintonen +Closes #9051 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7] +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/krb5.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/lib/krb5.c b/lib/krb5.c +index 787137c..6f9e1f7 100644 +--- a/lib/krb5.c ++++ b/lib/krb5.c +@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len, + enc.value = buf; + enc.length = len; + maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); +- if(maj != GSS_S_COMPLETE) { +- if(len >= 4) +- strcpy(buf, "599 "); ++ if(maj != GSS_S_COMPLETE) + return -1; +- } + + memcpy(buf, dec.value, dec.length); + len = curlx_uztosi(dec.length); +@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn, + { + int len; + CURLcode result; ++ int nread; + + result = socket_read(fd, &len, sizeof(len)); + if(result) +@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn, + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- buf->data = Curl_saferealloc(buf->data, len); ++ if(len > CURL_MAX_INPUT_LENGTH) ++ len = 0; ++ else ++ buf->data = Curl_saferealloc(buf->data, len); + } + if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; +@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn, + result = socket_read(fd, buf->data, len); + if(result) + return result; +- buf->size = conn->mech->decode(conn->app_data, buf->data, len, +- conn->data_prot, conn); ++ nread = conn->mech->decode(conn->app_data, buf->data, len, ++ conn->data_prot, conn); ++ if(nread < 0) ++ return CURLE_RECV_ERROR; ++ buf->size = (size_t)nread; + 
buf->index = 0; + return CURLE_OK; + } diff --git a/recipes-support/curl/files/CVE-2022-32221.patch b/recipes-support/curl/files/CVE-2022-32221.patch new file mode 100644 index 0000000..b78b2ce --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-32221.patch @@ -0,0 +1,28 @@ +From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Thu, 15 Sep 2022 09:22:45 +0200 +Subject: [PATCH] setopt: when POST is set, reset the 'upload' field + +Reported-by: RobBotic1 on github +Fixes #9507 +Closes #9511 + +CVE: CVE-2022-32221 +Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9] +Signed-off-by: Bhabu Bindu bhabu.bindu@kpit.com +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 03c4efdbf1e58..7289a4e78bdd0 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: diff --git a/recipes-support/curl/files/CVE-2022-35252.patch b/recipes-support/curl/files/CVE-2022-35252.patch new file mode 100644 index 0000000..7b6f81b --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-35252.patch 
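Review bot: In `read_data` the new cap `if(len > CURL_MAX_INPUT_LENGTH)` is applied to an `int` that was just assigned from `ntohl()`, so a wire value above INT_MAX becomes negative, passes the cap, and reaches `Curl_saferealloc(buf->data, len)` as a huge size_t; that case is only caught by the allocator failing, not by the new check. Suggest `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)` on that line. Reporting an over-long length as `CURLE_OUT_OF_MEMORY` (through `len = 0` and the existing `if(!len || !buf->data)`) also conflates a protocol error with allocation failure; a separate `return CURLE_RECV_ERROR;` would be clearer, though it diverges from upstream.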
@@ -0,0 +1,72 @@ +From 62c09239ac4e08239c8e363b06901fc80637d8c7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb] + +Signed-off-by: Robert Joslyn robert.joslyn@redrectangle.org +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index cb0c03b..e0470a1 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -438,6 +438,30 @@ static bool bad_domain(const char *domain) + return TRUE; + } + ++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. ++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /* + * Curl_cookie_add + * +@@ -590,6 +614,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* +-- +2.35.1 + 
diff --git a/recipes-support/curl/files/CVE-2022-42915.patch b/recipes-support/curl/files/CVE-2022-42915.patch
new file mode 100644
index 0000000..0f37a80
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2022-42915.patch
@@ -0,0 +1,53 @@ +From 55e1875729f9d9fc7315cec611bffbd2c817ad89 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Thu, 6 Oct 2022 14:13:36 +0200 +Subject: [PATCH] http_proxy: restore the protocol pointer on error + +Reported-by: Trail of Bits + +Closes #9790 + +CVE: CVE-2022-42915 +Upstream-Status: Backport [https://github.com/curl/curl/commit/55e1875729f9d9fc7315cec611bffbd2c817ad89] +Signed-off-by: Bhabu Bindu bhabu.bindu@kpit.com +--- + lib/http_proxy.c | 6 ++---- + lib/url.c | 9 --------- + 2 files changed, 2 insertions(+), 13 deletions(-) + +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index 1f87f6c62aa40..cc20b3a801941 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data) + Curl_dyn_free(&s->rcvbuf); + Curl_dyn_free(&s->req); + +- /* restore the protocol pointer, if not already done */ +- if(s->prot_save) +- data->req.p.http = s->prot_save; +- s->prot_save = NULL; ++ /* restore the protocol pointer */ ++ data->req.p.http = s->prot_save; + data->info.httpcode = 0; /* clear it as it might've been used for the + proxy */ + data->req.ignorebody = FALSE; +diff --git a/lib/url.c b/lib/url.c +index 690c53c81a3c1..be5ffca2d8b20 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -751,15 +751,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) + DEBUGASSERT(data); + infof(data, "Closing connection %ld", conn->connection_id); + +-#ifndef USE_HYPER +- if(conn->connect_state && conn->connect_state->prot_save) { +- /* If this was closed with a CONNECT in progress, cleanup this temporary +- struct arrangement */ +- data->req.p.http = NULL; +- Curl_safefree(conn->connect_state->prot_save); +- } +-#endif +- + /* possible left-overs from the async name resolvers */ + Curl_resolver_cancel(data); diff --git a/recipes-support/curl/files/CVE-2022-42916.patch b/recipes-support/curl/files/CVE-2022-42916.patch new file mode 100644 index 0000000..fbc5922 --- /dev/null 
+++ b/recipes-support/curl/files/CVE-2022-42916.patch 
@@ -0,0 +1,136 @@ +From 53bcf55b4538067e6dc36242168866becb987bb7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Wed, 12 Oct 2022 10:47:59 +0200 +Subject: [PATCH] url: use IDN decoded names for HSTS checks + +Reported-by: Hiroki Kurosawa + +Closes #9791 + +CVE: CVE-2022-42916 +Upstream-Status: Backport [https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7] +Signed-off-by: Bhabu Bindu bhabu.bindu@kpit.com +Comments: Refreshed hunk +--- + lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- + 1 file changed, 47 insertions(+), 44 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index a3be56bced9de..690c53c81a3c1 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2012,10 +2012,56 @@ + if(!strcasecompare("file", data->state.up.scheme)) + return CURLE_OUT_OF_MEMORY; + } ++ hostname = data->state.up.hostname; ++ ++ if(hostname && hostname[0] == '[') { ++ /* This looks like an IPv6 address literal. See if there is an address ++ scope. */ ++ size_t hlen; ++ conn->bits.ipv6_ip = TRUE; ++ /* cut off the brackets! */ ++ hostname++; ++ hlen = strlen(hostname); ++ hostname[hlen - 1] = 0; ++ ++ zonefrom_url(uh, data, conn); ++ } ++ ++ /* make sure the connect struct gets its own copy of the host name */ ++ conn->host.rawalloc = strdup(hostname ? 
hostname : ""); ++ if(!conn->host.rawalloc) ++ return CURLE_OUT_OF_MEMORY; ++ conn->host.name = conn->host.rawalloc; ++ ++ /************************************************************* ++ * IDN-convert the hostnames ++ *************************************************************/ ++ result = Curl_idnconvert_hostname(data, &conn->host); ++ if(result) ++ return result; ++ if(conn->bits.conn_to_host) { ++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host); ++ if(result) ++ return result; ++ } ++#ifndef CURL_DISABLE_PROXY ++ if(conn->bits.httpproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); ++ if(result) ++ return result; ++ } ++ if(conn->bits.socksproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); ++ if(result) ++ return result; ++ } ++#endif + + #ifndef CURL_DISABLE_HSTS ++ /* HSTS upgrade */ + if(data->hsts && strcasecompare("http", data->state.up.scheme)) { +- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { ++ /* This MUST use the IDN decoded name */ ++ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { + char *url; + Curl_safefree(data->state.up.scheme); + uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); +@@ -2145,26 +2191,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + + (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); + +- hostname = data->state.up.hostname; +- if(hostname && hostname[0] == '[') { +- /* This looks like an IPv6 address literal. See if there is an address +- scope. */ +- size_t hlen; +- conn->bits.ipv6_ip = TRUE; +- /* cut off the brackets! */ +- hostname++; +- hlen = strlen(hostname); +- hostname[hlen - 1] = 0; +- +- zonefrom_url(uh, data, conn); +- } +- +- /* make sure the connect struct gets its own copy of the host name */ +- conn->host.rawalloc = strdup(hostname ? 
hostname : ""); +- if(!conn->host.rawalloc) +- return CURLE_OUT_OF_MEMORY; +- conn->host.name = conn->host.rawalloc; +- + #ifdef ENABLE_IPV6 + if(data->set.scope_id) + /* Override any scope that was set above. */ +@@ -3713,29 +3739,6 @@ static CURLcode create_conn(struct Curl_easy *data, + if(result) + goto out; + +- /************************************************************* +- * IDN-convert the hostnames +- *************************************************************/ +- result = Curl_idnconvert_hostname(data, &conn->host); +- if(result) +- goto out; +- if(conn->bits.conn_to_host) { +- result = Curl_idnconvert_hostname(data, &conn->conn_to_host); +- if(result) +- goto out; +- } +-#ifndef CURL_DISABLE_PROXY +- if(conn->bits.httpproxy) { +- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); +- if(result) +- goto out; +- } +- if(conn->bits.socksproxy) { +- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); +- if(result) +- goto out; +- } +-#endif + + /************************************************************* + * Check whether the host and the "connect to host" are equal. diff --git a/recipes-support/curl/files/CVE-2022-43551.patch b/recipes-support/curl/files/CVE-2022-43551.patch new file mode 100644 index 0000000..e1ec7bf --- /dev/null +++ b/recipes-support/curl/files/CVE-2022-43551.patch 
@@ -0,0 +1,35 @@
+From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Mon, 19 Dec 2022 08:36:55 +0100
+Subject: [PATCH] http: use the IDN decoded name in HSTS checks
+
+Otherwise it stores the info HSTS into the persistent cache for the IDN
+name which will not match when the HSTS status is later checked for
+using the decoded name.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #10111
+
+CVE: CVE-2022-43551
+Upstream-Status: Backport [https://github.com/curl/curl/commit/9e71901634e276dd050481c4320f046bebb1bc28]
+Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com
+Comments: Hunk refresh to remove patch-fuzz warning
+
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 85528a2218eee..a784745a8d505 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3652,7 +3652,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
+ else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
+ (conn->handler->flags & PROTOPT_SSL)) {
+ CURLcode check =
+- Curl_hsts_parse(data->hsts, data->state.up.hostname,
++ Curl_hsts_parse(data->hsts, conn->host.name,
+ headp + strlen("Strict-Transport-Security:"));
+ if(check)
+ infof(data, "Illegal STS header skipped");
diff --git a/recipes-support/curl/files/CVE-2022-43552.patch b/recipes-support/curl/files/CVE-2022-43552.patch
new file mode 100644
index 0000000..dfe6d8c
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2022-43552.patch
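Review bot: The fix depends on an ordering this file cannot express: `Curl_hsts_parse(data->hsts, conn->host.name, ...)` only stores the decoded name if `conn->host.name` has already been IDN-converted by the time the response header is parsed, which is what the preceding lib/url.c patch in this series (moving the `Curl_idnconvert_hostname` calls into `parseurlandfillconn`) provides. The recipe's SRC_URI therefore has to apply that patch before this one; a line such as `Comments: Depends on the url.c IDN pre-patch being applied first` next to the existing `Comments:` header would make the dependency visible to whoever refreshes these files next.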
@@ -0,0 +1,80 @@ +From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +CVE: CVE-2022-43552 +Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2] +Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com + +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 2cfe041dff072..48d5a2fe006d5 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -58,8 +58,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -101,7 +99,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -936,14 +934,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool 
*done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 24d3f1efb14c8..22bc81e755222 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + diff --git a/recipes-support/curl/files/CVE-2023-23914_5-1.patch b/recipes-support/curl/files/CVE-2023-23914_5-1.patch new file mode 100644 index 0000000..d357cee --- /dev/null +++ b/recipes-support/curl/files/CVE-2023-23914_5-1.patch 
@@ -0,0 +1,280 @@ +From 076a2f629119222aeeb50f5a03bf9f9052fabb9a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Tue, 27 Dec 2022 11:50:20 +0100 +Subject: [PATCH] share: add sharing of HSTS cache among handles + +Closes #10138 + +CVE: CVE-2023-23914 CVE-2023-23915 +Upstream-Status: Backport [https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a] +Comment: Refreshed hunk from hsts.c and urldata.h +Signed-off-by: Pawan Badganchi Pawan.Badganchi@kpit.com +Signed-off-by: Mingli Yu mingli.yu@windriver.com +--- + include/curl/curl.h | 1 + + lib/hsts.c | 15 +++++++++ + lib/hsts.h | 2 ++ + lib/setopt.c | 48 ++++++++++++++++++++++++----- + lib/share.c | 32 +++++++++++++++++-- + lib/share.h | 6 +++- + lib/transfer.c | 3 ++ + lib/url.c | 6 +++- + lib/urldata.h | 2 ++ + 9 files changed, 109 insertions(+), 11 deletions(-) + +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -2953,6 +2953,7 @@ typedef enum { + CURL_LOCK_DATA_SSL_SESSION, + CURL_LOCK_DATA_CONNECT, + CURL_LOCK_DATA_PSL, ++ CURL_LOCK_DATA_HSTS, + CURL_LOCK_DATA_LAST + } curl_lock_data; + +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -37,6 +37,7 @@ + #include "parsedate.h" + #include "rand.h" + #include "rename.h" ++#include "share.h" + #include "strtoofft.h" + + /* The last 3 #include files should be in this order */ +@@ -561,4 +562,18 @@ + return CURLE_OK; + } + ++void Curl_hsts_loadfiles(struct Curl_easy *data) ++{ ++ struct curl_slist *l = data->set.hstslist; ++ if(l) { ++ Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE); ++ ++ while(l) { ++ (void)Curl_hsts_loadfile(data, data->hsts, l->data); ++ l = l->next; ++ } ++ Curl_share_unlock(data, CURL_LOCK_DATA_HSTS); ++ } ++} ++ + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ +--- a/lib/hsts.h ++++ b/lib/hsts.h +@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_ + struct hsts *h, const char *file); + CURLcode Curl_hsts_loadcb(struct Curl_easy *data, + struct hsts *h); ++void 
Curl_hsts_loadfiles(struct Curl_easy *data); + #else + #define Curl_hsts_cleanup(x) + #define Curl_hsts_loadcb(x,y) CURLE_OK + #define Curl_hsts_save(x,y,z) ++#define Curl_hsts_loadfiles(x) + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ + #endif /* HEADER_CURL_HSTS_H */ +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2260,9 +2260,14 @@ CURLcode Curl_vsetopt(struct Curl_easy * + data->cookies = NULL; + #endif + ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts == data->hsts) ++ data->hsts = NULL; ++#endif ++#ifdef USE_SSL + if(data->share->sslsession == data->state.session) + data->state.session = NULL; +- ++#endif + #ifdef USE_LIBPSL + if(data->psl == &data->share->psl) + data->psl = data->multi? &data->multi->psl: NULL; +@@ -2296,10 +2301,19 @@ CURLcode Curl_vsetopt(struct Curl_easy * + data->cookies = data->share->cookies; + } + #endif /* CURL_DISABLE_HTTP */ ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts) { ++ /* first free the private one if any */ ++ Curl_hsts_cleanup(&data->hsts); ++ data->hsts = data->share->hsts; ++ } ++#endif /* CURL_DISABLE_HTTP */ ++#ifdef USE_SSL + if(data->share->sslsession) { + data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions; + data->state.session = data->share->sslsession; + } ++#endif + #ifdef USE_LIBPSL + if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL)) + data->psl = &data->share->psl; +@@ -3049,19 +3063,39 @@ CURLcode Curl_vsetopt(struct Curl_easy * + case CURLOPT_HSTSWRITEDATA: + data->set.hsts_write_userp = va_arg(param, void *); + break; +- case CURLOPT_HSTS: ++ case CURLOPT_HSTS: { ++ struct curl_slist *h; + if(!data->hsts) { + data->hsts = Curl_hsts_init(); + if(!data->hsts) + return CURLE_OUT_OF_MEMORY; + } + argptr = va_arg(param, char *); +- result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); +- if(result) +- return result; +- if(argptr) +- (void)Curl_hsts_loadfile(data, data->hsts, argptr); ++ if(argptr) { ++ result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); ++ 
if(result) ++ return result; ++ /* this needs to build a list of file names to read from, so that it can ++ read them later, as we might get a shared HSTS handle to load them ++ into */ ++ h = curl_slist_append(data->set.hstslist, argptr); ++ if(!h) { ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ return CURLE_OUT_OF_MEMORY; ++ } ++ data->set.hstslist = h; /* store the list for later use */ ++ } ++ else { ++ /* clear the list of HSTS files */ ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ if(!data->share || !data->share->hsts) ++ /* throw away the HSTS cache unless shared */ ++ Curl_hsts_cleanup(&data->hsts); ++ } + break; ++ } + case CURLOPT_HSTS_CTRL: + arg = va_arg(param, long); + if(arg & CURLHSTS_ENABLE) { +--- a/lib/share.c ++++ b/lib/share.c +@@ -29,9 +29,11 @@ + #include "share.h" + #include "psl.h" + #include "vtls/vtls.h" +-#include "curl_memory.h" ++#include "hsts.h" + +-/* The last #include file should be: */ ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" + #include "memdebug.h" + + struct Curl_share * +@@ -89,6 +91,18 @@ curl_share_setopt(struct Curl_share *sha + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(!share->hsts) { ++ share->hsts = Curl_hsts_init(); ++ if(!share->hsts) ++ res = CURLSHE_NOMEM; ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + if(!share->sslsession) { +@@ -141,6 +155,16 @@ curl_share_setopt(struct Curl_share *sha + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(share->hsts) { ++ Curl_hsts_cleanup(&share->hsts); ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + Curl_safefree(share->sslsession); +@@ -207,6 +231,10 @@ curl_share_cleanup(struct Curl_share 
*sh + Curl_cookie_cleanup(share->cookies); + #endif + ++#ifndef CURL_DISABLE_HSTS ++ Curl_hsts_cleanup(&share->hsts); ++#endif ++ + #ifdef USE_SSL + if(share->sslsession) { + size_t i; +--- a/lib/share.h ++++ b/lib/share.h +@@ -59,10 +59,14 @@ struct Curl_share { + #ifdef USE_LIBPSL + struct PslCache psl; + #endif +- ++#ifndef CURL_DISABLE_HSTS ++ struct hsts *hsts; ++#endif ++#ifdef USE_SSL + struct Curl_ssl_session *sslsession; + size_t max_ssl_sessions; + long sessionage; ++#endif + }; + + CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data, +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1398,6 +1398,9 @@ CURLcode Curl_pretransfer(struct Curl_ea + if(data->state.resolve) + result = Curl_loadhostpairs(data); + ++ /* If there is a list of hsts files to read */ ++ Curl_hsts_loadfiles(data); ++ + if(!result) { + /* Allow data->set.use_port to set which port to use. This needs to be + * disabled for example when we follow Location: headers to URLs using +--- a/lib/url.c ++++ b/lib/url.c +@@ -434,7 +434,11 @@ CURLcode Curl_close(struct Curl_easy **d + Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]); + Curl_altsvc_cleanup(&data->asi); + Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]); +- Curl_hsts_cleanup(&data->hsts); ++#ifndef CURL_DISABLE_HSTS ++ if(!data->share || !data->share->hsts) ++ Curl_hsts_cleanup(&data->hsts); ++ curl_slist_free_all(data->set.hstslist); /* clean up list */ ++#endif + #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) + Curl_http_auth_cleanup_digest(data); + #endif +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1670,6 +1670,8 @@ + + void *seek_client; /* pointer to pass to the seek callback */ + #ifndef CURL_DISABLE_HSTS ++ struct curl_slist *hstslist; /* list of HSTS files set by ++ curl_easy_setopt(HSTS) calls */ + curl_hstsread_callback hsts_read; + void *hsts_read_userp; + curl_hstswrite_callback hsts_write; 
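Review bot: In the lib/setopt.c hunk the new block that adopts `data->share->hsts` is opened with `#ifndef CURL_DISABLE_HSTS` but closed with `++#endif /* CURL_DISABLE_HTTP */`; the trailer comment names the wrong macro and should read `#endif /* CURL_DISABLE_HSTS */`. Separately, `Curl_hsts_loadfiles(data)` is now called from `Curl_pretransfer` on every transfer, so every file in `hstslist` is re-read each time; that only stays correct because the later hsts.c patch (5-3) makes `hsts_add` merge a repeated host name instead of creating a second entry, so the two patches should stay together in SRC_URI. Each of the refreshed hunks (hsts.c, urldata.h) lacks the function context after `@@`, consistent with the `Comment: Refreshed hunk` header; the enclosing functions start outside those hunks.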
diff --git a/recipes-support/curl/files/CVE-2023-23914_5-2.patch b/recipes-support/curl/files/CVE-2023-23914_5-2.patch
new file mode 100644
index 0000000..668972c
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2023-23914_5-2.patch
@@ -0,0 +1,23 @@
+From 0bf8b796a0ea98395b390c7807187982215f5c11 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH] tool_operate: share HSTS between handles
+
+CVE: CVE-2023-23914 CVE-2023-23915
+Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/ca17cfed2df001356cfe2841f166...]
+Signed-off-by: Pawan Badganchi Pawan.Badganchi@kpit.com
+Signed-off-by: Mingli Yu mingli.yu@windriver.com
+---
+ src/tool_operate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -2722,6 +2722,7 @@ CURLcode operate(struct GlobalConfig *gl
+ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);
+ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT);
+ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL);
++ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS);
+
+ /* Get the required arguments for each operation */
+ do {
diff --git a/recipes-support/curl/files/CVE-2023-23914_5-3.patch b/recipes-support/curl/files/CVE-2023-23914_5-3.patch
new file mode 100644
index 0000000..4422b26
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2023-23914_5-3.patch
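Review bot: The `Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/ca17cfed2df001356cfe2841f166...]` reference ends in an ellipsis, and the same truncated form appears in the headers of the 5-3, 5-4 and 5-5 patches. If the ellipsis is really in the files rather than an artefact of how this archive renders long lines, the references cannot be resolved and each should be replaced by the full commit URL; the `From` line of each patch carries a full 40-character hash, though whether it names the same commit as the PR link is not visible here. The one-line `curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS);` itself matches the surrounding calls, whose return values are likewise not checked; `operate` starts and ends outside the hunk.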
@@ -0,0 +1,45 @@
+From ca02a77f05bd5cef20618c8f741aa48b7be0a648 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg daniel@haxx.se
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH] hsts: handle adding the same host name again
+
+It will then use the largest expire time of the two entries.
+
+CVE: CVE-2023-23914 CVE-2023-23915
+Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/e077b30a42272d964d76e5b815a0...]
+Signed-off-by: Pawan Badganchi Pawan.Badganchi@kpit.com
+Signed-off-by: Mingli Yu mingli.yu@windriver.com
+---
+ lib/hsts.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 339237be1c621..8d6723ee587d2 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -426,14 +426,23 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+ if(2 == rc) {
+ time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) :
+ TIME_T_MAX;
+- CURLcode result;
++ CURLcode result = CURLE_OK;
+ char *p = host;
+ bool subdomain = FALSE;
++ struct stsentry *e;
+ if(p[0] == '.') {
+ p++;
+ subdomain = TRUE;
+ }
+- result = hsts_create(h, p, subdomain, expires);
++ /* only add it if not already present */
++ e = Curl_hsts(h, p, subdomain);
++ if(!e)
++ result = hsts_create(h, p, subdomain, expires);
++ else {
++ /* the same host name, use the largest expire time */
++ if(expires > e->expires)
++ e->expires = expires;
++ }
+ if(result)
+ return result;
+ }
diff --git a/recipes-support/curl/files/CVE-2023-23914_5-4.patch b/recipes-support/curl/files/CVE-2023-23914_5-4.patch
new file mode 100644
index 0000000..865b3f9
--- /dev/null
+++ b/recipes-support/curl/files/CVE-2023-23914_5-4.patch
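Review bot: The merge branch reconciles only the expiry: `if(expires > e->expires) e->expires = expires;` leaves whatever the existing entry recorded for the subdomain flag untouched, so a line re-read as `.host` (subdomain TRUE) for a host already stored without the leading dot does not widen the entry, and the reverse case does not narrow it. Whether that is intended depends on how `Curl_hsts()` matches when `subdomain` is set, which is not visible in this hunk; a comment above the `else` such as `/* expiry is merged; the subdomain flag stays as first seen */` would at least make the choice explicit for the next refresh. Initialising `result = CURLE_OK` is required by the new shape since the merge branch assigns nothing to it. `hsts_add` begins before this hunk.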
@@ -0,0 +1,48 @@ +From dc0725244a3163f1e2d5f51165db3a1a430f3ba0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] runtests: support crlf="yes" for verify/proxy + +CVE: CVE-2023-23914 CVE-2023-23915 +Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/fd7e1a557e414dd803c9225e37a2...] +Comment: Refreshed hunk from FILEFORMAT.md +Signed-off-by: Pawan Badganchi Pawan.Badganchi@kpit.com +Signed-off-by: Mingli Yu mingli.yu@windriver.com +--- + tests/FILEFORMAT.md | 4 ++-- + tests/runtests.pl | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -540,14 +540,14 @@ + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `<protocol [nonewline="yes"]>` ++### `<protocol [nonewline="yes"][crlf="yes"]>` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually + sent by the client The `<strip>` and `<strippart>` rules are applied before + comparisons are made. + +-### `<proxy [nonewline="yes"]>` ++### `<proxy [nonewline="yes"][crlf="yes"]>` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy + server is used), if 'nonewline' is set, we will cut off the trailing newline +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -4744,6 +4744,11 @@ sub singletest { + } + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { ++ map subNewlines(0, $_), @protstrip; ++ } ++ + $res = compare($testnum, $testname, "proxy", @out, @protstrip); + if($res) { + return $errorreturncode; diff --git a/recipes-support/curl/files/CVE-2023-23914_5-5.patch b/recipes-support/curl/files/CVE-2023-23914_5-5.patch new file mode 100644 index 0000000..1a363f0 --- /dev/null 
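Review bot: The FILEFORMAT.md hunk adds `[crlf="yes"]` to the `<protocol>` and `<proxy>` headings but neither paragraph says what the attribute does; a sentence under each heading stating that when `crlf` is set the section is passed through `subNewlines` before comparison (as the runtests.pl hunk does) would close that gap, and is the kind of wording a later refresh of this file would otherwise have to invent. In runtests.pl, `map subNewlines(0, $_), @protstrip;` uses `map` in void context purely for its side effect on `$_`, which perlcritic flags; `subNewlines(0, $_) for @protstrip;` is the plainer form, though as a verbatim backport it is reasonable to keep upstream's text. `singletest` begins and ends outside the hunk.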
+++ b/recipes-support/curl/files/CVE-2023-23914_5-5.patch 
@@ -0,0 +1,118 @@ +From ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg daniel@haxx.se +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] test446: verify hsts with two URLs + +CVE: CVE-2023-23914 CVE-2023-23915 +Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/7e89dfd463597701dd1defcad7be...] +Comment: Refreshed hunk from Makefile.inc +Signed-off-by: Pawan Badganchi Pawan.Badganchi@kpit.com +Signed-off-by: Mingli Yu mingli.yu@windriver.com +--- + tests/data/Makefile.inc | 2 +- + tests/data/test446 | 84 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 85 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test446 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 3a6356bd122bc..fe1bb1c74c2ab 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -72,6 +72,7 @@ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ ++test446 \ + test490 test491 test492 test493 test494 \ + \ + test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +diff --git a/tests/data/test446 b/tests/data/test446 +new file mode 100644 +index 0000000000000..0e2dfdcfe33b6 +--- /dev/null ++++ b/tests/data/test446 +@@ -0,0 +1,84 @@ ++<?xml version="1.0" encoding="ISO-8859-1"?> ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP proxy ++HSTS ++trailing-dot ++</keywords> ++</info> ++ ++<reply> ++ ++# we use this as response to a CONNECT ++<connect nocheck="yes"> ++HTTP/1.1 200 OK ++ ++</connect> ++<data crlf="yes"> ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=604800 ++ ++-foo- ++</data> ++<data2 crlf="yes"> ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=6048000 ++ ++-baa- ++</data2> ++</reply> ++ ++<client> ++<server> ++https ++http-proxy ++</server> ++<features> ++HSTS ++proxy ++https ++debug ++</features> ++<setenv> ++CURL_HSTS_HTTP=yes ++CURL_TIME=2000000000 ++</setenv> ++ ++<name> 
++HSTS with two URLs ++</name> ++<command> ++-x http://%HOSTIP:%PROXYPORT --hsts log/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002 ++</command> ++</client> ++ ++<verify> ++# we let it CONNECT to the server to confirm HSTS but deny from there ++<proxy crlf="yes"> ++GET http://this.hsts.example./%TESTNUMBER HTTP/1.1 ++Host: this.hsts.example. ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1 ++Host: another.example.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++</proxy> ++ ++<file name="log/hsts%TESTNUMBER" mode="text"> ++# Your HSTS cache. https://curl.se/docs/hsts.html ++# This file was generated by libcurl! Edit at your own risk. ++this.hsts.example "20330525 03:33:20" ++another.example.com "20330727 03:33:20" ++</file> ++ ++</verify> ++</testcase>
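Review bot: test446 requires `debug` under `<features>` and sets `CURL_HSTS_HTTP=yes` in `<setenv>` without saying why the two go together; as far as I recall the environment override that lets HSTS be exercised over plain http is only honoured in debug builds, so a comment line before the setenv block such as `# CURL_HSTS_HTTP is only honoured by debug builds, hence the debug feature` would explain the pairing and why the test is skipped elsewhere. The expected cache file records `this.hsts.example` while the request went to `this.hsts.example.`, which is what the `trailing-dot` keyword is checking; a `# the trailing dot of the requested host is not stored` line placed before the `<file>` element (not inside it, since its body is compared verbatim) would document that expectation. The two expiry stamps are consistent with `CURL_TIME=2000000000` plus the max-age values in `<data>` and `<data2>`.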