[yocto] [meta-security][PATCH 2/2 v3] ecryptfs-utils: add new recipe

Huang, Jie (Jackie) Jackie.Huang at windriver.com
Tue May 23 19:29:12 PDT 2017


Adding the v3 in the subject.

> -----Original Message-----
> From: yocto-bounces at yoctoproject.org [mailto:yocto-
> bounces at yoctoproject.org] On Behalf Of jackie.huang at windriver.com
> Sent: Wednesday, May 24, 2017 10:23
> To: yocto at yoctoproject.org
> Subject: [yocto] [meta-security][PATCH 2/2] ecryptfs-utils: add new recipe
> 
> From: Jackie Huang <jackie.huang at windriver.com>
> 
> eCryptfs is a stacked cryptographic filesystem that ships
> in Linux kernel versions 2.6.19 and above. This package
> provides the mount helper and supporting libraries to
> perform key management and mount functions.
> 
> Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
> ---
>  .../ecryptfs-utils/ecryptfs-utils_111.bb           | 63 +++++++++++++++++++++
>  .../files/ecryptfs-utils-CVE-2016-6224.patch       | 65 ++++++++++++++++++++++
>  .../ecryptfs-utils/files/ecryptfs.service          |  9 +++
>  3 files changed, 137 insertions(+)
>  create mode 100644 recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
>  create mode 100644 recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-
> 2016-6224.patch
>  create mode 100644 recipes-security/ecryptfs-utils/files/ecryptfs.service
> 
> diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-
> security/ecryptfs-utils/ecryptfs-utils_111.bb
> new file mode 100644
> index 0000000..f55b0c3
> --- /dev/null
> +++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
> @@ -0,0 +1,63 @@
> +SUMMARY = "The eCryptfs mount helper and support libraries"
> +DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \
> +    that ships in Linux kernel versions 2.6.19 and above. This \
> +    package provides the mount helper and supporting libraries \
> +    to perform key management and mount functions."
> +HOMEPAGE = "https://launchpad.net/ecryptfs"
> +SECTION = "base"
> +
> +LICENSE = "GPL-2.0"
> +LIC_FILES_CHKSUM =
> "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
> +
> +DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native"
> +
> +SRC_URI = "\
> +
> https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.
> gz \
> +    file://ecryptfs-utils-CVE-2016-6224.patch \
> +    file://ecryptfs.service \
> +    "
> +
> +SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
> +SRC_URI[sha256sum] =
> "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f"
> +
> +inherit autotools pkgconfig systemd
> +
> +SYSTEMD_PACKAGES = "${PN}"
> +SYSTEMD_SERVICE_${PN} = "ecryptfs.service"
> +
> +EXTRA_OECONF = "\
> +    --libdir=${base_libdir} \
> +    --disable-pywrap \
> +    --disable-nls \
> +    "
> +
> +PACKAGECONFIG ??= "nss \
> +    ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
> +    "
> +PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss,"
> +PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,"
> +PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
> +
> +do_configure_prepend() {
> +    export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -
> I${STAGING_INCDIR}/nss3"
> +    export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -
> lsoftokn3 -lnssutil3"
> +    export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
> +    export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
> +}
> +
> +do_install_append() {
> +    chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private
> +    mkdir -p ${D}/${libdir}
> +    mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir}
> +    sed -i -e 's:-I${STAGING_INCDIR}::' \
> +           -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc
> +    sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:"
> ${D}${bindir}/ecryptfs-setup-swap
> +    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
> +        install -D -m 0644 ${WORKDIR}/ecryptfs.service
> ${D}${systemd_system_unitdir}/ecryptfs.service
> +    fi
> +}
> +
> +FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
> +
> +RDEPENDS_${PN} += "cryptsetup"
> +RRECOMMENDS_${PN} = "gettext-runtime"
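Review bot: The `chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private` in do_install_append makes the mount helper setuid root without a word on why, so a later audit of setuid files in the image cannot tell a deliberate bit from an accidental one. Suggest a comment directly above it, e.g. `# mount.ecryptfs_private needs setuid root so unprivileged users can mount their private directory; keep this bit deliberate and audited`, and confirm whether upstream's install rule already sets it, in which case the chmod is redundant. The `mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir}` two lines below presumably fails whenever base_libdir and libdir resolve to the same directory, so it wants a guard such as `if [ "${base_libdir}" != "${libdir}" ]; then mv ${D}${base_libdir}/pkgconfig ${D}${libdir}; fi`.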
> diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-
> 6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-
> 6224.patch
> new file mode 100644
> index 0000000..4252f97
> --- /dev/null
> +++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
> @@ -0,0 +1,65 @@
> +From 558a513ba3100ea5190de1a24cf1fed663367765 Mon Sep 17 00:00:00
> 2001
> +From: Li Zhou <li.zhou at windriver.com>
> +Date: Mon, 5 Sep 2016 10:28:08 +0800
> +Subject: [PATCH] ecryptfs-utils: CVE-2016-6224
> +
> +src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
> +being automatically enabled by systemd. This bug affected GPT partitioned
> +NVMe/MMC drives and resulted in the swap partition being used without
> +encryption. It also resulted in a usability issue in that users were
> +erroneously prompted to enter a pass-phrase to unlock their swap partition
> +at boot. (LP: #1597154)
> +
> +the patch comes from:
> +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
> +https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
> +
> +Upstream-Status: backport
> +
> +Signed-off-by: Li Zhou <li.zhou at windriver.com>
> +---
> + ChangeLog                     |  9 +++++++++
> + src/utils/ecryptfs-setup-swap | 10 ++++++++--
> + 2 files changed, 17 insertions(+), 2 deletions(-)
> +
> +diff --git a/ChangeLog b/ChangeLog
> +index d255a94..2c9c73e 100644
> +--- a/ChangeLog
> ++++ b/ChangeLog
> +@@ -1,3 +1,12 @@
> ++ecryptfs-utils-112
> ++  [ Jason Gerard DeRose ]
> ++  * src/utils/ecryptfs-setup-swap: Prevent unencrypted swap partitions from
> ++    being automatically enabled by systemd. This bug affected GPT partitioned
> ++    NVMe/MMC drives and resulted in the swap partition being used without
> ++    encryption. It also resulted in a usability issue in that users were
> ++    erroneously prompted to enter a pass-phrase to unlock their swap partition
> ++    at boot. (LP: #1597154)
> ++
> + ecryptfs-utils-74
> +   [ Michal Hlavinka ]
> +   * Changes for RH/Fedora release
> +diff --git a/src/utils/ecryptfs-setup-swap b/src/utils/ecryptfs-setup-swap
> +index 41cf18a..e4785d7 100755
> +--- a/src/utils/ecryptfs-setup-swap
> ++++ b/src/utils/ecryptfs-setup-swap
> +@@ -166,8 +166,14 @@ for swap in $swaps; do
> + 	# If this is a GPT partition, mark it as no-auto mounting, to avoid
> + 	# auto-activating it on boot
> + 	if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ];
> then
> +-		drive="${swap%[0-9]*}"
> +-		partno="${swap#$drive}"
> ++		# Correctly handle NVMe/MMC drives, as well as any similar
> physical
> ++		# block device that follow the "/dev/foo0p1" pattern (LP:
> #1597154)
> ++		if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
> ++			drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
> ++		else
> ++			drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
> ++		fi
> ++		partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
> + 		if [ -b "$drive" ]; then
> + 			if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .*
> GUID:.*\b63\b"; then
> + 				echo "$swap is already marked as no-auto"
> +--
> +1.9.1
> +
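Review bot: The header of ecryptfs-utils-CVE-2016-6224.patch carries no `CVE:` tag, and `Upstream-Status: backport` uses the lower-case form rather than the `Upstream-Status: Backport` spelling the patch-status convention expects. Adding `CVE: CVE-2016-6224` directly after the Upstream-Status line is enough for the recipe's CVE bookkeeping (cve-check also matches the CVE id in the file name, so this is belt and braces); the patch body is an upstream backport and should stay as it is. Several lines of the quoted ecryptfs-setup-swap hunk are broken by mail wrapping (around lines 170, 174-176 and 184-185), so the file committed to the recipe should be compared against the referenced upstream revision 882 rather than this message.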
> diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs.service b/recipes-
> security/ecryptfs-utils/files/ecryptfs.service
> new file mode 100644
> index 0000000..c23a03a
> --- /dev/null
> +++ b/recipes-security/ecryptfs-utils/files/ecryptfs.service
> @@ -0,0 +1,9 @@
> +[Unit]
> +Description=A userspace daemon that runs as the user perform file operations
> under the eCryptfs mount point
> +After=udev.service
> +
> +[Service]
> +ExecStart=/usr/bin/ecryptfsd -f
> +
> +[Install]
> +WantedBy=multi-user.target
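Review bot: `ExecStart=/usr/bin/ecryptfsd -f` hardcodes the binary path while the recipe installs into `${bindir}`, so the unit silently breaks if bindir is ever relocated; use a placeholder `ExecStart=@BINDIR@/ecryptfsd -f` and substitute it in do_install_append with `sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_system_unitdir}/ecryptfs.service`. The Description contradicts the unit: it says the daemon "runs as the user", yet there is no `User=`, so this starts a single root instance in system scope — confirm that is the intended deployment and fix the wording, e.g. `Description=eCryptfs userspace daemon that performs file operations under the eCryptfs mount point`. `After=udev.service` presumably means the udev daemon, which systemd itself ships as `systemd-udevd.service`; `udev.service` exists only as a distribution alias, and an unknown unit in After= is ignored without any warning.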
> --
> 2.11.0
> 
> --


