[sqlite3] Upgrade sqlite3 and pseudo
  The pseudo upgrade is required because 1.8.2 can't build
  against sqlite3 3.29.0. 3.29.0 gets us the latest CVEs.

  OXT-1629

Signed-off-by: Chris Rogers <rogersc@ainfosec.com>
(cherry picked from commit 9424cc8)
Chris Rogers committed Jul 22, 2019
1 parent 0b0a5bb commit 5ee4131
Showing 9 changed files with 317 additions and 11 deletions.
44 changes: 44 additions & 0 deletions recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch
@@ -0,0 +1,44 @@
From b5545c08e6c674c49aef14b47a56a3e92df4d2a7 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Wed, 17 Feb 2016 07:36:34 +0000
Subject: [pseudo][PATCH] configure: Prune PIE flags

LDFLAGS are not taken from environment and CFLAGS is used for LDFLAGS
however when using security options -fpie and -pie options are coming
as part of ARCH_FLAGS and they get into LDFLAGS of shared objects as
well so we end up with conflicting options -shared -pie, which gold
rejects outright and bfd linker lets the one appearning last in cmdline
take effect. This create quite a unpleasant situation in OE when
security flags are enabled and gold or not-gold options are used
it errors out but errors are not same.

Anyway, with this patch we filter pie options from ARCH_FLAGS
ouright and take control of generating PIC objects

Helps with errors like

| /mnt/oe/build/tmp-glibc/sysroots/x86_64-linux/usr/libexec/x86_64-oe-linux/gcc/x86_64-oe-linux/5.3.0/ld: pseudo_client.o: relocation R_X86_64_PC32 against symbol `pseudo_util_debug_flags' can not be used when making a shared object; recompile with -fPIC
| /mnt/oe/build/tmp-glibc/sysroots/x86_64-linux/usr/libexec/x86_64-oe-linux/gcc/x86_64-oe-linux/5.3.0/ld: final link failed: Bad value
| collect2: error: ld returned 1 exit status
| make: *** [lib/pseudo/lib64/libpseudo.so] Error 1

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
Upstream-Status: Submitted

configure | 2 ++
1 file changed, 2 insertions(+)

diff --git a/configure b/configure
index e5ef9ce..83b0890 100755
--- a/configure
+++ b/configure
@@ -339,3 +339,5 @@ sed -e '
s,@ARCH@,'"$opt_arch"',g
s,@BITS@,'"$opt_bits"',g
' < Makefile.in > Makefile
+
+sed -i -e 's/\-[f]*pie//g' Makefile
--
1.8.3.1

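Review bot: the added `sed -i -e 's/\-[f]*pie//g' Makefile` line strips more than the header describes: `\-[f]*pie` matches `-pie` wherever it occurs, so a flag such as `-fno-pie` in ARCH_FLAGS would be truncated to `-fno`, while the uppercase spellings `-fPIE` and `-pie`'s `-PIE` variant are not matched at all. Anchoring the pattern on a following space or end of line and covering both cases would make the stripping predictable. The header also carries `Upstream-Status: Submitted` with no link to the submission, which makes it hard to check later whether the change landed upstream.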
3 changes: 3 additions & 0 deletions recipes-devtools/pseudo/files/fallback-group
@@ -0,0 +1,3 @@
root:*:0:
mail:*:8:
nobody:*:99:
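Review bot: the `nobody` entry here carries gid 99, while the `nobody` line in the sibling fallback-passwd file added in this commit uses uid/gid 65534:65534, so a lookup by name and a lookup by id through pseudo would not agree for that account. Pick one value (65534 is what the passwd file uses) so both fallback files describe the same `nobody`.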
3 changes: 3 additions & 0 deletions recipes-devtools/pseudo/files/fallback-passwd
@@ -0,0 +1,3 @@
root::0:0:root:/home/root:/bin/sh
pseudopasswd:*:1:1:this-is-the-pseudo-passwd:/nonexistent:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
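Review bot: the `root` line has an empty password field while the other two entries use `*`. This file is installed as the native sysroot's `${sysconfdir}/passwd` for pseudo's uid/gid name mapping, so the field is not consulted for authentication, but `*` keeps the file consistent and avoids any tool that reads it treating root as a passwordless account.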
19 changes: 19 additions & 0 deletions recipes-devtools/pseudo/files/moreretries.patch
@@ -0,0 +1,19 @@
Increase the number of retries in pseudo due to occasional slow
server shutdowns.

Upstream-Status: Pending
RP 2016/2/28

Index: git/pseudo_client.c
===================================================================
--- git.orig/pseudo_client.c
+++ git/pseudo_client.c
@@ -1282,7 +1282,7 @@ pseudo_client_setup(void) {
}
}

-#define PSEUDO_RETRIES 20
+#define PSEUDO_RETRIES 250
static pseudo_msg_t *
pseudo_client_request(pseudo_msg_t *msg, size_t len, const char *path) {
pseudo_msg_t *response = 0;
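Review bot: the bump from `PSEUDO_RETRIES 20` to `250` is not accompanied by any statement of the per-attempt delay in `pseudo_client_request`, so the worst-case time a client waits on a stuck server cannot be read off this patch; please state the effective timeout in the header so the value can be reasoned about. The header is also `Upstream-Status: Pending` dated 2016/2/28 with only `RP` as attribution and no From:/Signed-off-by: trailer, unlike the other patches in this commit; adding the trailer keeps provenance consistent.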
71 changes: 71 additions & 0 deletions recipes-devtools/pseudo/files/toomanyfiles.patch
@@ -0,0 +1,71 @@
From b0b25fbc041a148d1de09f5a6503cd95973ec77c Mon Sep 17 00:00:00 2001
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Tue, 25 Apr 2017 15:25:54 +0100
Subject: [PATCH 3/3] pseudo: Handle too many files deadlock

Currently if we max out the maximum number of files, pseudo can deadlock, unable to
accept new connections yet unable to move forward and unblock the other processes
waiting either.

Rather than hang, when this happens, close out inactive connections, allowing us
to accept the new ones. The disconnected clients will simply reconnect. There is
a small risk of data loss here sadly but its better than hanging.

RP
2017/4/25

Upstream-Status: Submitted [Peter is aware of the issue]

---
pseudo_server.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/pseudo_server.c b/pseudo_server.c
index dac3258..15a3e8f 100644
--- a/pseudo_server.c
+++ b/pseudo_server.c
@@ -802,6 +802,7 @@ pseudo_server_loop(void) {
struct sigaction eat_usr2 = {
.sa_handler = set_do_list_clients
};
+ int hitmaxfiles;

clients = malloc(16 * sizeof(*clients));

@@ -820,6 +821,7 @@ pseudo_server_loop(void) {
active_clients = 1;
max_clients = 16;
highest_client = 0;
+ hitmaxfiles = 0;

pseudo_debug(PDBGF_SERVER, "server loop started.\n");
if (listen_fd < 0) {
@@ -878,10 +880,15 @@ pseudo_server_loop(void) {
} else {
serve_client(i);
}
+ } else if (hitmaxfiles) {
+ /* Only close one per loop iteration in the interests of caution */
+ close_client(i);
+ hitmaxfiles = 0;
}
if (die_forcefully)
break;
}
+ hitmaxfiles = 0;
if (!die_forcefully &&
(FD_ISSET(clients[0].fd, &events) ||
FD_ISSET(clients[0].fd, &reads))) {
@@ -903,6 +910,9 @@ pseudo_server_loop(void) {
*/
pseudo_server_timeout = DEFAULT_PSEUDO_SERVER_TIMEOUT;
die_peacefully = 0;
+ } else if (errno == EMFILE) {
+ hitmaxfiles = 1;
+ pseudo_debug(PDBGF_SERVER, "Hit max open files, dropping a client.\n");
}
}
pseudo_debug(PDBGF_SERVER, "server loop complete [%d clients left]\n", active_clients);
--
2.15.1

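Review bot: in the third hunk, `close_client(i)` under `else if (hitmaxfiles)` closes the first client that reaches that branch in the iteration, and the commit text itself admits a small data-loss risk; please log the client index or fd at that site (the EMFILE branch only reports that some client is being dropped) so a failed build can be correlated with the dropped connection. Note also that `hitmaxfiles = 0;` after the client loop clears the flag unconditionally, so if no client reached the branch nothing is closed and the next accept attempt will hit EMFILE again; that is safe but deserves a comment. `Upstream-Status: Submitted [Peter is aware of the issue]` should carry a link to the submission.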
155 changes: 155 additions & 0 deletions recipes-devtools/pseudo/pseudo.inc
@@ -0,0 +1,155 @@
# Note: Due to the bitbake wrapper script, making changes to pseudo can be
# difficult. To work around the current version of the wrapper use:
# BBFETCH2=True PSEUDO_BUILD=1 ../bitbake/bin/bitbake pseudo-native [-c CMD]

SUMMARY = "Pseudo gives fake root capabilities to a normal user"
HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/pseudo"
LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
SECTION = "base"
LICENSE = "LGPL2.1"
DEPENDS = "sqlite3 attr"

FILES_${PN} = "${prefix}/lib/pseudo/lib*/libpseudo.so ${bindir}/* ${localstatedir}/pseudo ${prefix}/var/pseudo"
INSANE_SKIP_${PN} += "libdir"
INSANE_SKIP_${PN}-dbg += "libdir"

PROVIDES += "virtual/fakeroot"

MAKEOPTS = ""

inherit siteinfo pkgconfig

do_configure () {
:
}

NO32LIBS ??= "1"
NO32LIBS_class-nativesdk = "1"

PSEUDO_EXTRA_OPTS ?= "--enable-force-async --without-passwd-fallback --enable-epoll --enable-xattr"

# Compile for the local machine arch...
do_compile () {
SQLITE_LDADD='$(SQLITE)/$(SQLITE_LIB)/libsqlite3.a'
for sqlite_link_opt in $(pkg-config sqlite3 --libs --static)
do
case "$sqlite_link_opt" in
-lsqlite3)
;;
-l*)
SQLITE_LDADD="${SQLITE_LDADD} ${sqlite_link_opt}"
;;
*)
;;
esac
done
if [ "${SITEINFO_BITS}" = "64" ]; then
${S}/configure ${PSEUDO_EXTRA_OPTS} --prefix=${prefix} --libdir=${prefix}/lib/pseudo/lib${SITEINFO_BITS} --with-sqlite-lib=${baselib} --with-sqlite=${STAGING_DIR_TARGET}${exec_prefix} --cflags="${CFLAGS}" --bits=${SITEINFO_BITS} --with-static-sqlite="$SQLITE_LDADD" --without-rpath
else
${S}/configure ${PSEUDO_EXTRA_OPTS} --prefix=${prefix} --libdir=${prefix}/lib/pseudo/lib --with-sqlite-lib=${baselib} --with-sqlite=${STAGING_DIR_TARGET}${exec_prefix} --cflags="${CFLAGS}" --bits=${SITEINFO_BITS} --with-static-sqlite="$SQLITE_LDADD" --without-rpath
fi
oe_runmake ${MAKEOPTS}
}
do_compile[vardepsexclude] = "SITEINFO_BITS"

maybe_make32() {
# We probably don't need to build 32-bit binaries.
make32=false
if [ "${SITEINFO_BITS}" = "64" ]; then
case "${NO32LIBS}" in
0) make32=true
;;
1) make32=false
;;
*) # If unset, build 32-bit if we think we can.
if [ -e "/usr/include/gnu/stubs-32.h" ]; then
make32=true
fi
;;
esac
fi
if $make32; then
if ! [ -e "/usr/include/gnu/stubs-32.h" ]; then
warn_32bit_missing
else
bbnote "Attempting to build 32-bit libpseudo.so for ${PN}."
fi
else
bbnote "Building/installing only 64-bit libpseudo.so for ${PN}."
bbnote "If you need to run 32-bit executables, ensure that NO32LIBS is set to 0."
fi
}
maybe_make32[vardepsexclude] = "SITEINFO_BITS"

warn_32bit_missing() {
bbwarn "Can't find stubs-32.h, but usually need it to build 32-bit libpseudo."
bbwarn "If the build fails, install 32-bit developer packages."
bbwarn "If you are using 32-bit binaries, the 32-bit libpseudo is NOT optional."
}

# Two below are the same
# If necessary compile for the alternative machine arch. This is only
# necessary in a native build.
do_compile_prepend_class-native () {
maybe_make32
if $make32; then
# We need the 32-bit libpseudo on a 64-bit machine...
# Note that this is not well-tested outside of x86/x86_64.

# if we're being rebuilt due to a dependency change, we need to make sure
# everything is clean before we configure and build -- if we haven't previously
# built this will fail and be ignored.
make ${MAKEOPTS} distclean || :

./configure ${PSEUDO_EXTRA_OPTS} --prefix=${prefix} --libdir=${prefix}/lib/pseudo/lib --with-sqlite-lib=${baselib} --with-sqlite=${STAGING_DIR_TARGET}${exec_prefix} --bits=32 --without-rpath
save_traps=$(trap)
trap 'warn_32bit_missing' 0
oe_runmake ${MAKEOPTS} libpseudo
eval "$save_traps"
# prevent it from removing the lib, but remove everything else
make 'LIB=foo' ${MAKEOPTS} distclean
fi
}

do_compile_prepend_class-nativesdk () {
maybe_make32
if $make32; then
# We need the 32-bit libpseudo on a 64-bit machine.
# Note that this is not well-tested outside of x86/x86_64.
./configure ${PSEUDO_EXTRA_OPTS} --prefix=${prefix} --libdir=${prefix}/lib/pseudo/lib --with-sqlite-lib=${baselib} --with-sqlite=${STAGING_DIR_TARGET}${exec_prefix} --bits=32 --without-rpath
oe_runmake ${MAKEOPTS} libpseudo
# prevent it from removing the lib, but remove everything else
make 'LIB=foo' ${MAKEOPTS} distclean
fi
}

do_install () {
oe_runmake 'DESTDIR=${D}' ${MAKEOPTS} 'LIB=lib/pseudo/lib$(MARK64)' install
}

do_install_append_class-native () {
install -d ${D}${sysconfdir}
# The fallback files should never be modified
install -m 444 ${WORKDIR}/fallback-passwd ${D}${sysconfdir}/passwd
install -m 444 ${WORKDIR}/fallback-group ${D}${sysconfdir}/group

# Two native/nativesdk entries below are the same
# If necessary install for the alternative machine arch. This is only
# necessary in a native build.
maybe_make32
if $make32; then
mkdir -p ${D}${prefix}/lib/pseudo/lib
cp lib/pseudo/lib/libpseudo.so ${D}${prefix}/lib/pseudo/lib/.
fi
}

do_install_append_class-nativesdk () {
maybe_make32
if $make32; then
mkdir -p ${D}${prefix}/lib/pseudo/lib
cp lib/pseudo/lib/libpseudo.so ${D}${prefix}/lib/pseudo/lib/.
fi
chrpath -d ${D}${prefix}/lib/pseudo/lib*/libpseudo.so
}

BBCLASSEXTEND = "native nativesdk"
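Review bot: the two 32-bit configure calls in `do_compile_prepend_class-native` and `do_compile_prepend_class-nativesdk` omit `--cflags="${CFLAGS}"`, while both 64-bit calls in `do_compile` pass it, so the hardening flags that motivated the PIE-prune patch never reach the 32-bit libpseudo.so; pass the same `--cflags` there unless the omission is deliberate, in which case say so in the comment. The comment `# Two below are the same` is also inaccurate: the native variant runs `make ${MAKEOPTS} distclean || :` first and wraps the build in `trap 'warn_32bit_missing' 0`, while the nativesdk variant does neither and instead runs `chrpath -d` in its install step. Factoring the shared body into one function would stop the two copies drifting further apart.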
14 changes: 14 additions & 0 deletions recipes-devtools/pseudo/pseudo_git.bb
@@ -0,0 +1,14 @@
require pseudo.inc

SRC_URI = "git://git.yoctoproject.org/pseudo \
file://0001-configure-Prune-PIE-flags.patch \
file://fallback-passwd \
file://fallback-group \
file://moreretries.patch \
file://toomanyfiles.patch \
"

SRCREV = "3fa7c853e0bcd6fe23f7524c2a3c9e3af90901c3"
S = "${WORKDIR}/git"
PV = "1.9.0+git${SRCPV}"

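Review bot: `SRC_URI` fetches over the plain `git://` transport with no `protocol=` or `branch=` parameter. With a full 40-character `SRCREV` pinned, a tampered fetch would fail the checkout rather than build modified code, so the integrity risk is low, but the channel itself is unauthenticated; `;protocol=https` (supported by the bitbake git fetcher, and the HOMEPAGE already points at an https-capable host) removes it, and newer bitbake releases also require an explicit `;branch=`.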
11 changes: 0 additions & 11 deletions recipes-support/sqlite/sqlite3_3.20.0.bb

This file was deleted.

8 changes: 8 additions & 0 deletions recipes-support/sqlite/sqlite3_3.29.0.bb
@@ -0,0 +1,8 @@
require recipes-support/sqlite/sqlite3.inc

LICENSE = "PD"
LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"

SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz"
SRC_URI[md5sum] = "8f3dfe83387e62ecb91c7c5c09c688dc"
SRC_URI[sha256sum] = "8e7c1e2950b5b04c5944a981cb31fffbf9d2ddda939d536838ebc854481afd5b"
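Review bot: `SRC_URI` downloads over `http://www.sqlite.org/...`; the archive is pinned by `sha256sum`, so a substituted tarball would be rejected, but fetching over https avoids the plaintext download altogether. The commit message says 3.29.0 "gets us the latest CVEs" without naming them; listing the CVE fixes this upgrade brings in, either in the commit message or in a comment in this recipe, would make the security motivation reviewable.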
