From: Bruce Ashfield <bruce.ashfi...@gmail.com>
The following systemtap commit:
commit 7615cae790c899bc8a82841c75c8ea9c6fa54df3
Author: Frank Ch. Eigler <f...@redhat.com>
Date: Mon Nov 9 19:18:19 2020 -0500
PR26665: relayfs-on-procfs megapatch
Changes the way that capabilities are checked when compiling
a systemtap probe.
In our cross-build -> on target workflow, this results in a
mismatch between the systemtap configuration capabilities and
the kernel configuration.
The result is a compilation failure since the security
components are protected by two different #ifdef's, and they
can be out of sync. By protecting the include and callsite with
the same #ifdef, we ensure they are in sync and fix our
on target problem.
While this fix is oe-specific, a variant will be proposed
upstream once a deeper analsysis of other options has been
completed.
Signed-off-by: Bruce Ashfield <bruce.ashfi...@gmail.com>
---
...t-include-and-callsite-with-same-con.patch | 44 +++++++++++++++++++
.../systemtap/systemtap_git.inc | 1 +
2 files changed, 45 insertions(+)
create mode 100644
meta/recipes-kernel/systemtap/systemtap/0001-transport-protect-include-and-callsite-with-same-con.patch
diff --git
a/meta/recipes-kernel/systemtap/systemtap/0001-transport-protect-include-and-callsite-with-same-con.patch
b/meta/recipes-kernel/systemtap/systemtap/0001-transport-protect-include-and-callsite-with-same-con.patch
new file mode 100644
index 0000000000..efc79f6c0f
--- /dev/null
+++
b/meta/recipes-kernel/systemtap/systemtap/0001-transport-protect-include-and-callsite-with-same-con.patch
@@ -0,0 +1,44 @@
+From cbf27cd54071f788231e69d96dbaad563f1010d4 Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfi...@gmail.com>
+Date: Fri, 18 Dec 2020 13:15:08 -0500
+Subject: [PATCH] transport: protect include and callsite with same conditional
+
+transport.c has the following code block:
+
+ if (!debugfs_p && security_locked_down (LOCKDOWN_DEBUGFS))
+
+Which is protected by the conditional STAPCONF_LOCKDOWN_DEBUGFS.
+
+linux/security.h provides the definition of LOCKDOWN_DEBUGFS, and
+must be included or we have a compilation issue.
+
+The include of security.h is protected by #ifdef CONFIG_SECURITY_LOCKDOWN_LSM,
+which means that in some configurations we can get out of sync with
+the include and the callsite.
+
+If we protect the include and the callsite with the same #ifdef, we can
+be sure that they will be consistent.
+
+Upstream-status: Inappropriate (kernel-devsrc specific)
+
+Signed-off-by: Bruce Ashfield <bruce.ashfi...@gmail.com>
+---
+ runtime/transport/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/transport/transport.c b/runtime/transport/transport.c
+index bb4a98bd3..88e20ea28 100644
+--- a/runtime/transport/transport.c
++++ b/runtime/transport/transport.c
+@@ -21,7 +21,7 @@
+ #include <linux/namei.h>
+ #include <linux/delay.h>
+ #include <linux/mutex.h>
+-#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
++#ifdef STAPCONF_LOCKDOWN_DEBUGFS
+ #include <linux/security.h>
+ #endif
+ #include "../uidgid_compatibility.h"
+--
+2.19.1
+
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.inc
b/meta/recipes-kernel/systemtap/systemtap_git.inc
index ae735025b7..016b423847 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.inc
+++ b/meta/recipes-kernel/systemtap/systemtap_git.inc
@@ -7,6 +7,7 @@ SRC_URI = "git://sourceware.org/git/systemtap.git \
file://0001-Do-not-let-configure-write-a-python-location-into-th.patch \
file://0001-Install-python-modules-to-correct-library-dir.patch \
file://0001-staprun-stapbpf-don-t-support-installing-a-non-root.patch \
+
file://0001-transport-protect-include-and-callsite-with-same-con.patch \
"
COMPATIBLE_HOST = '(x86_64|i.86|powerpc|arm|aarch64|microblazeel|mips).*-linux'
--
2.19.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#146062):
https://lists.openembedded.org/g/openembedded-core/message/146062
Mute This Topic: https://lists.openembedded.org/mt/79149623/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
