From a42f773baae90558c4a2e9f207579db7edb830a5 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Mon, 15 Apr 2019 11:39:38 +0800 Subject: apache2: upgrade 2.4.34 -> 2.4.39 * Drop apache2-native recipe. Add native to BBCLASSEXTEND in apache2 recipe. * Refresh patches. Drop CVE-2018-11763.patch and apache-configure_perlbin.patch * Cleanup recipe file. Remove obsolete code. Signed-off-by: Yi Zhao Signed-off-by: Khem Raj [Bug fix only update: Includes CVES: CVE-2018-17189 CVE-2018-17199 CVE-2019-0190 CVE-2019-0220 CVE-2019-0196 CVE-2019-0197 CVE-2019-0215 CVE-2019-0217 CVE-2019-0211 ] Signed-off-by: Armin Kuster 
Signed-off-by: Armin Kuster --- .../recipes-httpd/apache2/apache2-native_2.4.34.bb | 46 -- ...nfigure-use-pkg-config-for-PCRE-detection.patch | 8 +- ...p-up-the-core-size-limit-if-CoreDumpDirec.patch | 51 ++ ...not-export-apr-apr-util-symbols-when-usin.patch | 34 ++ ...pache2-log-the-SELinux-context-at-startup.patch | 79 ++++ ...-replace-lynx-to-curl-in-apachectl-script.patch | 52 +++ ...x-the-race-issue-of-parallel-installation.patch | 35 ++ ...-apache2-allow-to-disable-selinux-support.patch | 40 ++ ...o-not-use-relative-path-for-gen_test_char.patch | 27 ++ .../apache2/apache2/CVE-2018-11763.patch | 512 --------------------- .../apache2/apache2/apache-configure_perlbin.patch | 27 -- ...onfigure-allow-to-disable-selinux-support.patch | 38 -- .../apache2/apache2/httpd-2.4.1-corelimit.patch | 47 -- .../apache2/apache2/httpd-2.4.1-selinux.patch | 76 --- ...httpd-2.4.3-fix-race-issue-of-dir-install.patch | 33 -- .../apache2/apache2/httpd-2.4.4-export.patch | 30 -- .../replace-lynx-to-curl-in-apachectl-script.patch | 50 -- .../apache2/apache2/server-makefile.patch | 23 - .../recipes-httpd/apache2/apache2_2.4.34.bb | 202 -------- .../recipes-httpd/apache2/apache2_2.4.39.bb | 208 +++++++++ meta-webserver/recipes-httpd/apache2/files/init | 0 21 files changed, 531 insertions(+), 1087 deletions(-) delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2-native_2.4.34.bb create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch create mode 100644 
meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2018-11763.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/configure-allow-to-disable-selinux-support.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.3-fix-race-issue-of-dir-install.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2_2.4.34.bb create mode 100644 meta-webserver/recipes-httpd/apache2/apache2_2.4.39.bb mode change 100755 => 100644 meta-webserver/recipes-httpd/apache2/files/init diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.34.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.34.bb deleted file mode 100644 index 4cc3845463..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.34.bb +++ /dev/null 
@@ -1,46 +0,0 @@
-DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \
-extensible web server."
-SUMMARY = "Apache HTTP Server"
-HOMEPAGE = "http://httpd.apache.org/"
-DEPENDS = "expat-native pcre-native apr-native apr-util-native"
-SECTION = "net"
-LICENSE = "Apache-2.0"
-
-inherit autotools pkgconfig native
-
-SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
- file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
- file://CVE-2018-11763.patch \
- "
-
-S = "${WORKDIR}/httpd-${PV}"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d52d0fd0bc788f068e647116c01ddfcd"
-SRC_URI[md5sum] = "818adca52f3be187fe45d6822755be95"
-SRC_URI[sha256sum] = "fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0"
-
-EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
- --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \
- --prefix=${prefix} --datadir=${datadir}/apache2 \
- "
-
-do_install () {
- install -d ${D}${bindir} ${D}${libdir}
- cp server/gen_test_char ${D}${bindir}
- install -m 755 support/apxs ${D}${bindir}/
- install -m 755 httpd ${D}${bindir}/
- install -d ${D}${datadir}/apache2/build
- cp ${S}/build/*.mk ${D}${datadir}/apache2/build
- cp build/*.mk ${D}${datadir}/apache2/build
- cp ${S}/build/instdso.sh ${D}${datadir}/apache2/build
-
- install -d ${D}${includedir}/apache2
- cp ${S}/include/* ${D}${includedir}/apache2
- cp include/* ${D}${includedir}/apache2
- cp ${S}/os/unix/os.h ${D}${includedir}/apache2
- cp ${S}/os/unix/unixd.h ${D}${includedir}/apache2
-
- cp support/envvars-std ${D}${bindir}/envvars
- chmod 755 ${D}${bindir}/envvars
-}
-
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch b/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch
index da38a8cfd7..6c0286457c 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch
+++ b/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch @@ -1,4 +1,4 @@ -From 419181e242892ded050f5a375a709b9588fb581d Mon Sep 17 00:00:00 2001 +From d2cedfa3394365689a3f7c8cfe8e0dd56b29bed9 Mon Sep 17 00:00:00 2001 From: Koen Kooi Date: Tue, 17 Jun 2014 09:10:57 +0200 Subject: [PATCH] configure: use pkg-config for PCRE detection @@ -6,13 +6,12 @@ Subject: [PATCH] configure: use pkg-config for PCRE detection Upstream-Status: Pending Signed-off-by: Koen Kooi - --- configure.in | 27 +++++---------------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/configure.in b/configure.in -index be7bd25..54dfd0d 100644 +index 9feaceb..dc6ea15 100644 --- a/configure.in +++ b/configure.in @@ -215,28 +215,11 @@ fi @@ -49,3 +48,6 @@ index be7bd25..54dfd0d 100644 APACHE_SUBST(PCRE_LIBS) AC_MSG_NOTICE([]) +-- +2.7.4 + diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch b/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch new file mode 100644 index 0000000000..85fe6ae4bd --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch 
@@ -0,0 +1,51 @@
+From 7df207ad4d0dcda2ad36e5642296e0dec7e13647 Mon Sep 17 00:00:00 2001
+From: Paul Eggleton
+Date: Tue, 17 Jul 2012 11:27:39 +0100
+Subject: [PATCH] apache2: bump up the core size limit if CoreDumpDirectory
+ is configured
+
+Bump up the core size limit if CoreDumpDirectory is
+configured.
+
+Upstream-Status: Pending
+
+Note: upstreaming was discussed but there are competing desires;
+ there are portability oddities here too.
+
+---
+ server/core.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/server/core.c b/server/core.c
+index eacb54f..7aa841f 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -4965,6 +4965,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
+ }
+ apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,
+ apr_pool_cleanup_null);
++
++#ifdef RLIMIT_CORE
++ if (ap_coredumpdir_configured) {
++ struct rlimit lim;
++
++ if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) {
++ lim.rlim_cur = lim.rlim_max;
++ if (setrlimit(RLIMIT_CORE, &lim) == 0) {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "core dump file size limit raised to %lu bytes",
++ lim.rlim_cur);
++ } else {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL,
++ "core dump file size is zero, setrlimit failed");
++ }
++ }
++ }
++#endif
++
+ return OK;
+ }
+
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch b/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch
new file mode 100644
index 0000000000..081a02baa3
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch
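Review bot: The added `ap_log_error` call in `core_post_config` prints `lim.rlim_cur` with `%lu`, but `rlim_t` is not guaranteed to be `unsigned long` (on 32-bit targets built with 64-bit file offsets it is typically wider), so the logged value can be wrong; pass `(unsigned long)lim.rlim_cur` or use a wider format with a matching cast. Since this block enables core files whenever `CoreDumpDirectory` is configured, it also deserves a comment above `#ifdef RLIMIT_CORE`, for example `/* Core files contain process memory (keys, request data); CoreDumpDirectory must not be readable by unprivileged users. */`. `core_post_config` begins outside the hunk.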
@@ -0,0 +1,34 @@
+From ddd560024a6d526187fd126f306b59533ca3f7e2 Mon Sep 17 00:00:00 2001
+From: Paul Eggleton
+Date: Tue, 17 Jul 2012 11:27:39 +0100
+Subject: [PATCH] apache2: do not export apr/apr-util symbols when using
+ shared libapr
+
+There is no need to "suck in" the apr/apr-util symbols when using
+a shared libapr{,util}, it just bloats the symbol table; so don't.
+
+Upstream-Status: Pending
+
+Note: EXPORT_DIRS change is conditional on using shared apr
+
+---
+ server/Makefile.in | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/server/Makefile.in b/server/Makefile.in
+index 1fa3344..f635d76 100644
+--- a/server/Makefile.in
++++ b/server/Makefile.in
+@@ -60,9 +60,6 @@ export_files:
+ ls $$dir/*.h ; \
+ done; \
+ echo "$(top_srcdir)/server/mpm_fdqueue.h"; \
+- for dir in $(EXPORT_DIRS_APR); do \
+- ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \
+- done; \
+ ) | sed -e s,//,/,g | sort -u > $@
+
+ exports.c: export_files
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch
new file mode 100644
index 0000000000..78a04d9af4
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch
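Review bot: The patch header says the EXPORT_DIRS change is "conditional on using shared apr", but the hunk in the `export_files` recipe deletes the `$(EXPORT_DIRS_APR)` loop unconditionally. A build against a static or bundled apr would presumably lose those exports as well. Either reword the header note to something like `Note: only valid when building against a shared libapr/libaprutil`, or keep the loop behind a condition on the apr link mode. The `export_files` recipe begins outside the hunk.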
@@ -0,0 +1,79 @@
+From dfa834ebd449df299f54e98f0fb3a7bb4008fb03 Mon Sep 17 00:00:00 2001
+From: Paul Eggleton
+Date: Tue, 17 Jul 2012 11:27:39 +0100
+Subject: [PATCH] Log the SELinux context at startup.
+
+Log the SELinux context at startup.
+
+Upstream-Status: Inappropriate [other]
+
+Note: unlikely to be any interest in this upstream
+
+---
+ configure.in | 5 +++++
+ server/core.c | 26 ++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/configure.in b/configure.in
+index dc6ea15..caa6f54 100644
+--- a/configure.in
++++ b/configure.in
+@@ -466,6 +466,11 @@ getloadavg
+ dnl confirm that a void pointer is large enough to store a long integer
+ APACHE_CHECK_VOID_PTR_LEN
+
++AC_CHECK_LIB(selinux, is_selinux_enabled, [
++ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
++ APR_ADDTO(AP_LIBS, [-lselinux])
++])
++
+ AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+ [AC_TRY_RUN(#define _GNU_SOURCE
+ #include
+diff --git a/server/core.c b/server/core.c
+index 7aa841f..79f34db 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -59,6 +59,10 @@
+ #include
+ #endif
+
++#ifdef HAVE_SELINUX
++#include
++#endif
++
+ /* LimitRequestBody handling */
+ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
+ #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
+@@ -4984,6 +4988,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
+ }
+ #endif
+
++#ifdef HAVE_SELINUX
++ {
++ static int already_warned = 0;
++ int is_enabled = is_selinux_enabled() > 0;
++
++ if (is_enabled && !already_warned) {
++ security_context_t con;
++
++ if (getcon(&con) == 0) {
++
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "SELinux policy enabled; "
++ "httpd running as context %s", con);
++
++ already_warned = 1;
++
++ freecon(con);
++ }
++ }
++ }
++#endif
++
+ return OK;
+ }
+
+--
+2.7.4
+
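Review bot: In the `HAVE_SELINUX` block added to `core_post_config`, a failing `getcon()` is ignored silently, so with SELinux enabled an operator gets no log line at all and cannot tell "context unreadable" from "SELinux off". Add an else branch such as `else { ap_log_error(APLOG_MARK, APLOG_WARNING, errno, NULL, "SELinux enabled but getcon() failed"); }`. Separately, newer libselinux releases mark `security_context_t` as deprecated; declaring `char *con;` avoids the warning and is accepted by `getcon`/`freecon`. `core_post_config` begins outside the hunk.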
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch b/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch
new file mode 100644
index 0000000000..47320a9ee5
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch
@@ -0,0 +1,52 @@
+From 7db1b650bb4b01a5194a34cd7573f915656a595b Mon Sep 17 00:00:00 2001
+From: Yulong Pei
+Date: Thu, 1 Sep 2011 01:03:14 +0800
+Subject: [PATCH] replace lynx to curl in apachectl script
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Yulong Pei
+---
+ support/apachectl.in | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/support/apachectl.in b/support/apachectl.in
+index 3281c2e..6ab4ba5 100644
+--- a/support/apachectl.in
++++ b/support/apachectl.in
+@@ -52,11 +52,11 @@ fi
+ # a command that outputs a formatted text version of the HTML at the
+ # url given on the command line. Designed for lynx, however other
+ # programs may work.
+-LYNX="@LYNX_PATH@ -dump"
++CURL="/usr/bin/curl"
+ #
+ # the URL to your server's mod_status status page. If you do not
+ # have one, then status and fullstatus will not work.
+-STATUSURL="http://localhost:@PORT@/server-status"
++STATUSURL="http://localhost:@PORT@/"
+ #
+ # Set this variable to a command that increases the maximum
+ # number of file descriptors allowed per child process. This is
+@@ -92,10 +92,16 @@ configtest)
+ ERROR=$?
+ ;;
+ status)
+- $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
++ $CURL -s $STATUSURL | grep -o "It works!"
++ if [ $? != 0 ] ; then
++ echo The httpd server does not work!
++ fi
+ ;;
+ fullstatus)
+- $LYNX $STATUSURL
++ $CURL -s $STATUSURL | grep -o "It works!"
++ if [ $? != 0 ] ; then
++ echo The httpd server does not work!
++ fi
+ ;;
+ *)
+ $HTTPD "$@"
+--
+2.7.4
+
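Review bot: The new `status` and `fullstatus` branches only echo a message on failure and never set `ERROR`, unlike the `configtest)` branch just above them (`ERROR=$?`). Assuming the script still exits with `$ERROR` outside the hunk, init scripts and monitors calling `apachectl status` cannot detect a dead server. Set it in the failure path, `echo The httpd server does not work!; ERROR=1`, and bound the probe so a hung listener cannot block the caller: `$CURL -s --max-time 5 "$STATUSURL" | grep -o "It works!"`. Matching the literal `It works!` also ties the check to the stock index page, so a deployment that replaces that page will always report failure; the comment above `STATUSURL` still describes mod_status and should be updated to say so.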
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch b/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch
new file mode 100644
index 0000000000..227d04064b
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch
@@ -0,0 +1,35 @@
+From 4f4d7d6b88b6e440263ebeb22dfb40c52bb30fd8 Mon Sep 17 00:00:00 2001
+From: Zhenhua Luo
+Date: Fri, 25 Jan 2013 18:10:50 +0800
+Subject: [PATCH] apache2: fix the race issue of parallel installation
+
+Upstream-Status: Pending
+
+fix following race issue when do parallel install
+| mkdir: cannot create directory `/home/mypc/workspace/poky/build_p4080ds_release/tmp/work/ppce500mc-fsl_networking-linux/apache2/2.4.3-r1/image/usr/share/apache2': File exists
+...
+| mkdir: cannot create directory `/home/mypc/workspace/poky/build_p4080ds_release/tmp/work/ppce500mc-fsl_networking-linux/apache2/2.4.3-r1/image/usr/share/apache2': File exists
+| make[1]: *** [install-man] Error 1
+| make[1]: *** Waiting for unfinished jobs....
+
+Signed-off-by: Zhenhua Luo
+---
+ build/mkdir.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/build/mkdir.sh b/build/mkdir.sh
+index e2d5bb6..dde5ae0 100755
+--- a/build/mkdir.sh
++++ b/build/mkdir.sh
+@@ -39,7 +39,7 @@ for file in ${1+"$@"} ; do
+ esac
+ if test ! -d "$pathcomp"; then
+ echo "mkdir $pathcomp" 1>&2
+- mkdir "$pathcomp" || errstatus=$?
++ mkdir -p "$pathcomp" || errstatus=$?
+ fi
+ pathcomp="$pathcomp/"
+ done
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch
new file mode 100644
index 0000000000..fed6b5010b
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch
@@ -0,0 +1,40 @@
+From 964ef2c1af74984602f46e7db938d3b95b148385 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Mon, 1 Dec 2014 02:08:27 -0500
+Subject: [PATCH] apache2: allow to disable selinux support
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan
+---
+ configure.in | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index caa6f54..eab2090 100644
+--- a/configure.in
++++ b/configure.in
+@@ -466,10 +466,16 @@ getloadavg
+ dnl confirm that a void pointer is large enough to store a long integer
+ APACHE_CHECK_VOID_PTR_LEN
+
+-AC_CHECK_LIB(selinux, is_selinux_enabled, [
+- AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+- APR_ADDTO(AP_LIBS, [-lselinux])
+-])
++# SELinux support
++AC_ARG_ENABLE(selinux,APACHE_HELP_STRING(--enable-selinux,Enable SELinux support [default=auto]),
++ [],[enable_selinux=auto])
++
++if test x$enable_selinux != xno; then
++ AC_CHECK_LIB(selinux, is_selinux_enabled, [
++ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
++ APR_ADDTO(AP_LIBS, [-lselinux])
++ ])
++fi
+
+ AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+ [AC_TRY_RUN(#define _GNU_SOURCE
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch b/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch
new file mode 100644
index 0000000000..82e9e8c35f
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch
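Review bot: In the new `if test x$enable_selinux != xno` block an explicit `--enable-selinux` is handled exactly like `auto`: when `AC_CHECK_LIB` does not find libselinux, configure continues silently and the image ships without the SELinux support that was requested. Give `AC_CHECK_LIB` a not-found action that fails for the explicit case, `[if test "x$enable_selinux" = xyes; then AC_MSG_ERROR([--enable-selinux given but libselinux not found]); fi]`. The variable in the outer test should also be quoted, `test "x$enable_selinux" != xno`.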
@@ -0,0 +1,27 @@
+From b62c4cd2295c98b2ebe12641e5f01590bd96ae94 Mon Sep 17 00:00:00 2001
+From: Paul Eggleton
+Date: Tue, 17 Jul 2012 11:27:39 +0100
+Subject: [PATCH] apache2: do not use relative path for gen_test_char
+
+Upstream-Status: Inappropriate [embedded specific]
+
+---
+ server/Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/server/Makefile.in b/server/Makefile.in
+index f635d76..0d48924 100644
+--- a/server/Makefile.in
++++ b/server/Makefile.in
+@@ -29,7 +29,7 @@ gen_test_char: $(gen_test_char_OBJECTS)
+ $(LINK) $(EXTRA_LDFLAGS) $(gen_test_char_OBJECTS) $(EXTRA_LIBS)
+
+ test_char.h: gen_test_char
+- ./gen_test_char > test_char.h
++ gen_test_char > test_char.h
+
+ util.lo: test_char.h
+
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2018-11763.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2018-11763.patch
deleted file mode 100644
index a2c5b2e02a..0000000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2018-11763.patch
+++ /dev/null
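Review bot: The `test_char.h` rule now runs whichever `gen_test_char` comes first on `PATH` while still naming the locally built `gen_test_char` as its prerequisite, so the header is produced by a binary the rule does not track and the result depends on the build environment's PATH being controlled. The patch header gives no rationale; add a line saying the helper is expected to come from the native build when cross-compiling. Consider making the tool explicit and overridable instead of a bare name, e.g. `$(GEN_TEST_CHAR) > test_char.h` with a default of `./gen_test_char` (the variable name is a suggestion, not an existing one).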
@@ -1,512 +0,0 @@ -From 484aba5048e3457dc1d15189f1910d007b1a4a76 Mon Sep 17 00:00:00 2001 -From: Jim Jagielski -Date: Wed, 12 Sep 2018 20:38:02 +0000 -Subject: [PATCH] Merge r1840010 from trunk: - -On the trunk: - -mod_http2: connection IO event handling reworked. Instead of reacting on - incoming bytes, the state machine now acts on incoming frames that are - affecting it. This reduces state transitions. - - -Submitted by: icing -Reviewed by: icing, ylavic, jim - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1840757 13f79535-47bb-0310-9956-ffa450edef68 -CVE: CVE-2018-11763 -Upstream-Status: Backport [https://github.com/apache/httpd/commit/484aba5048e3457dc1d15189f1910d007b1a4a76] - -Signed-off-by: Mingli Yu ---- - modules/http2/h2_session.c | 238 +++++++++++++++++++++++-------------- - modules/http2/h2_session.h | 7 +- - modules/http2/h2_version.h | 4 +- - 3 files changed, 158 insertions(+), 97 deletions(-) - -diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c -index 805d6774dc..a1b31d2b30 100644 ---- a/modules/http2/h2_session.c -+++ b/modules/http2/h2_session.c -@@ -235,6 +235,7 @@ static int on_data_chunk_recv_cb(nghttp2_session *ngh2, uint8_t flags, - stream = h2_session_stream_get(session, stream_id); - if (stream) { - status = h2_stream_recv_DATA(stream, flags, data, len); -+ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream data rcvd"); - } - else { - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(03064) -@@ -317,9 +318,9 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame, - } - - /** -- * nghttp2 session has received a complete frame. Most, it uses -- * for processing of internal state. HEADER and DATA frames however -- * we need to handle ourself. -+ * nghttp2 session has received a complete frame. Most are used by nghttp2 -+ * for processing of internal state. Some, like HEADER and DATA frames, -+ * we need to act on. 
- */ - static int on_frame_recv_cb(nghttp2_session *ng2s, - const nghttp2_frame *frame, -@@ -378,6 +379,9 @@ static int on_frame_recv_cb(nghttp2_session *ng2s, - "h2_stream(%ld-%d): WINDOW_UPDATE incr=%d", - session->id, (int)frame->hd.stream_id, - frame->window_update.window_size_increment); -+ if (nghttp2_session_want_write(session->ngh2)) { -+ dispatch_event(session, H2_SESSION_EV_FRAME_RCVD, 0, "window update"); -+ } - break; - case NGHTTP2_RST_STREAM: - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(03067) -@@ -404,6 +408,12 @@ static int on_frame_recv_cb(nghttp2_session *ng2s, - frame->goaway.error_code, NULL); - } - break; -+ case NGHTTP2_SETTINGS: -+ if (APLOGctrace2(session->c)) { -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, session->c, -+ H2_SSSN_MSG(session, "SETTINGS, len=%ld"), (long)frame->hd.length); -+ } -+ break; - default: - if (APLOGctrace2(session->c)) { - char buffer[256]; -@@ -415,7 +425,40 @@ static int on_frame_recv_cb(nghttp2_session *ng2s, - } - break; - } -- return (APR_SUCCESS == rv)? 0 : NGHTTP2_ERR_PROTO; -+ -+ if (session->state == H2_SESSION_ST_IDLE) { -+ /* We received a frame, but session is in state IDLE. That means the frame -+ * did not really progress any of the (possibly) open streams. It was a meta -+ * frame, e.g. SETTINGS/WINDOW_UPDATE/unknown/etc. -+ * Remember: IDLE means we cannot send because either there are no streams open or -+ * all open streams are blocked on exhausted WINDOWs for outgoing data. -+ * The more frames we receive that do not change this, the less interested we -+ * become in serving this connection. This is expressed in increasing "idle_delays". -+ * Eventually, the connection will timeout and we'll close it. 
*/ -+ session->idle_frames = H2MIN(session->idle_frames + 1, session->frames_received); -+ ap_log_cerror( APLOG_MARK, APLOG_TRACE2, 0, session->c, -+ H2_SSSN_MSG(session, "session has %ld idle frames"), -+ (long)session->idle_frames); -+ if (session->idle_frames > 10) { -+ apr_size_t busy_frames = H2MAX(session->frames_received - session->idle_frames, 1); -+ int idle_ratio = (int)(session->idle_frames / busy_frames); -+ if (idle_ratio > 100) { -+ session->idle_delay = apr_time_from_msec(H2MIN(1000, idle_ratio)); -+ } -+ else if (idle_ratio > 10) { -+ session->idle_delay = apr_time_from_msec(10); -+ } -+ else if (idle_ratio > 1) { -+ session->idle_delay = apr_time_from_msec(1); -+ } -+ else { -+ session->idle_delay = 0; -+ } -+ } -+ } -+ -+ if (APR_SUCCESS != rv) return NGHTTP2_ERR_PROTO; -+ return 0; - } - - static int h2_session_continue_data(h2_session *session) { -@@ -1603,23 +1646,57 @@ static void update_child_status(h2_session *session, int status, const char *msg - - static void transit(h2_session *session, const char *action, h2_session_state nstate) - { -+ apr_time_t timeout; -+ int ostate, loglvl; -+ const char *s; -+ - if (session->state != nstate) { -- int loglvl = APLOG_DEBUG; -- if ((session->state == H2_SESSION_ST_BUSY && nstate == H2_SESSION_ST_WAIT) -- || (session->state == H2_SESSION_ST_WAIT && nstate == H2_SESSION_ST_BUSY)){ -+ ostate = session->state; -+ session->state = nstate; -+ -+ loglvl = APLOG_DEBUG; -+ if ((ostate == H2_SESSION_ST_BUSY && nstate == H2_SESSION_ST_WAIT) -+ || (ostate == H2_SESSION_ST_WAIT && nstate == H2_SESSION_ST_BUSY)){ - loglvl = APLOG_TRACE1; - } - ap_log_cerror(APLOG_MARK, loglvl, 0, session->c, - H2_SSSN_LOG(APLOGNO(03078), session, - "transit [%s] -- %s --> [%s]"), -- h2_session_state_str(session->state), action, -+ h2_session_state_str(ostate), action, - h2_session_state_str(nstate)); -- session->state = nstate; -+ - switch (session->state) { - case H2_SESSION_ST_IDLE: -- update_child_status(session, 
(session->open_streams == 0? -- SERVER_BUSY_KEEPALIVE -- : SERVER_BUSY_READ), "idle"); -+ if (!session->remote.emitted_count) { -+ /* on fresh connections, with async mpm, do not return -+ * to mpm for a second. This gives the first request a better -+ * chance to arrive (und connection leaving IDLE state). -+ * If we return to mpm right away, this connection has the -+ * same chance of being cleaned up by the mpm as connections -+ * that already served requests - not fair. */ -+ session->idle_sync_until = apr_time_now() + apr_time_from_sec(1); -+ s = "timeout"; -+ timeout = H2MAX(session->s->timeout, session->s->keep_alive_timeout); -+ update_child_status(session, SERVER_BUSY_READ, "idle"); -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c, -+ H2_SSSN_LOG("", session, "enter idle, timeout = %d sec"), -+ (int)apr_time_sec(H2MAX(session->s->timeout, session->s->keep_alive_timeout))); -+ } -+ else if (session->open_streams) { -+ s = "timeout"; -+ timeout = session->s->keep_alive_timeout; -+ update_child_status(session, SERVER_BUSY_KEEPALIVE, "idle"); -+ } -+ else { -+ /* normal keepalive setup */ -+ s = "keepalive"; -+ timeout = session->s->keep_alive_timeout; -+ update_child_status(session, SERVER_BUSY_KEEPALIVE, "idle"); -+ } -+ session->idle_until = apr_time_now() + timeout; -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c, -+ H2_SSSN_LOG("", session, "enter idle, %s = %d sec"), -+ s, (int)apr_time_sec(timeout)); - break; - case H2_SESSION_ST_DONE: - update_child_status(session, SERVER_CLOSING, "done"); -@@ -1726,8 +1803,6 @@ static void h2_session_ev_no_io(h2_session *session, int arg, const char *msg) - * This means we only wait for WINDOW_UPDATE from the - * client and can block on READ. 
*/ - transit(session, "no io (flow wait)", H2_SESSION_ST_IDLE); -- session->idle_until = apr_time_now() + session->s->timeout; -- session->keep_sync_until = session->idle_until; - /* Make sure we have flushed all previously written output - * so that the client will react. */ - if (h2_conn_io_flush(&session->io) != APR_SUCCESS) { -@@ -1738,12 +1813,7 @@ static void h2_session_ev_no_io(h2_session *session, int arg, const char *msg) - } - else if (session->local.accepting) { - /* When we have no streams, but accept new, switch to idle */ -- apr_time_t now = apr_time_now(); - transit(session, "no io (keepalive)", H2_SESSION_ST_IDLE); -- session->idle_until = (session->remote.emitted_count? -- session->s->keep_alive_timeout : -- session->s->timeout) + now; -- session->keep_sync_until = now + apr_time_from_sec(1); - } - else { - /* We are no longer accepting new streams and there are -@@ -1758,12 +1828,25 @@ static void h2_session_ev_no_io(h2_session *session, int arg, const char *msg) - } - } - --static void h2_session_ev_data_read(h2_session *session, int arg, const char *msg) -+static void h2_session_ev_frame_rcvd(h2_session *session, int arg, const char *msg) -+{ -+ switch (session->state) { -+ case H2_SESSION_ST_IDLE: -+ case H2_SESSION_ST_WAIT: -+ transit(session, "frame received", H2_SESSION_ST_BUSY); -+ break; -+ default: -+ /* nop */ -+ break; -+ } -+} -+ -+static void h2_session_ev_stream_change(h2_session *session, int arg, const char *msg) - { - switch (session->state) { - case H2_SESSION_ST_IDLE: - case H2_SESSION_ST_WAIT: -- transit(session, "data read", H2_SESSION_ST_BUSY); -+ transit(session, "stream change", H2_SESSION_ST_BUSY); - break; - default: - /* nop */ -@@ -1803,16 +1886,6 @@ static void h2_session_ev_pre_close(h2_session *session, int arg, const char *ms - static void ev_stream_open(h2_session *session, h2_stream *stream) - { - h2_iq_append(session->in_process, stream->id); -- switch (session->state) { -- case H2_SESSION_ST_IDLE: -- if 
(session->open_streams == 1) { -- /* enter timeout, since we have a stream again */ -- session->idle_until = (session->s->timeout + apr_time_now()); -- } -- break; -- default: -- break; -- } - } - - static void ev_stream_closed(h2_session *session, h2_stream *stream) -@@ -1825,11 +1898,6 @@ static void ev_stream_closed(h2_session *session, h2_stream *stream) - } - switch (session->state) { - case H2_SESSION_ST_IDLE: -- if (session->open_streams == 0) { -- /* enter keepalive timeout, since we no longer have streams */ -- session->idle_until = (session->s->keep_alive_timeout -- + apr_time_now()); -- } - break; - default: - break; -@@ -1887,6 +1955,7 @@ static void on_stream_state_enter(void *ctx, h2_stream *stream) - default: - break; - } -+ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream state change"); - } - - static void on_stream_event(void *ctx, h2_stream *stream, -@@ -1945,8 +2014,8 @@ static void dispatch_event(h2_session *session, h2_session_event_t ev, - case H2_SESSION_EV_NO_IO: - h2_session_ev_no_io(session, arg, msg); - break; -- case H2_SESSION_EV_DATA_READ: -- h2_session_ev_data_read(session, arg, msg); -+ case H2_SESSION_EV_FRAME_RCVD: -+ h2_session_ev_frame_rcvd(session, arg, msg); - break; - case H2_SESSION_EV_NGH2_DONE: - h2_session_ev_ngh2_done(session, arg, msg); -@@ -1957,6 +2026,9 @@ static void dispatch_event(h2_session *session, h2_session_event_t ev, - case H2_SESSION_EV_PRE_CLOSE: - h2_session_ev_pre_close(session, arg, msg); - break; -+ case H2_SESSION_EV_STREAM_CHANGE: -+ h2_session_ev_stream_change(session, arg, msg); -+ break; - default: - ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c, - H2_SSSN_MSG(session, "unknown event %d"), ev); -@@ -1990,13 +2062,15 @@ apr_status_t h2_session_process(h2_session *session, int async) - apr_status_t status = APR_SUCCESS; - conn_rec *c = session->c; - int rv, mpm_state, trace = APLOGctrace3(c); -- -+ apr_time_t now; -+ - if (trace) { - ap_log_cerror( APLOG_MARK, APLOG_TRACE3, 
status, c, - H2_SSSN_MSG(session, "process start, async=%d"), async); - } - - while (session->state != H2_SESSION_ST_DONE) { -+ now = apr_time_now(); - session->have_read = session->have_written = 0; - - if (session->local.accepting -@@ -2034,39 +2108,42 @@ apr_status_t h2_session_process(h2_session *session, int async) - break; - - case H2_SESSION_ST_IDLE: -- /* We trust our connection into the default timeout/keepalive -- * handling of the core filters/mpm iff: -- * - keep_sync_until is not set -- * - we have an async mpm -- * - we have no open streams to process -- * - we are not sitting on a Upgrade: request -- * - we already have seen at least one request -- */ -- if (!session->keep_sync_until && async && !session->open_streams -- && !session->r && session->remote.emitted_count) { -+ if (session->idle_until && (apr_time_now() + session->idle_delay) > session->idle_until) { -+ ap_log_cerror( APLOG_MARK, APLOG_TRACE1, status, c, -+ H2_SSSN_MSG(session, "idle, timeout reached, closing")); -+ if (session->idle_delay) { -+ apr_table_setn(session->c->notes, "short-lingering-close", "1"); -+ } -+ dispatch_event(session, H2_SESSION_EV_CONN_TIMEOUT, 0, "timeout"); -+ goto out; -+ } -+ -+ if (session->idle_delay) { -+ /* we are less interested in spending time on this connection */ -+ ap_log_cerror( APLOG_MARK, APLOG_TRACE2, status, c, -+ H2_SSSN_MSG(session, "session is idle (%ld ms), idle wait %ld sec left"), -+ (long)apr_time_as_msec(session->idle_delay), -+ (long)apr_time_sec(session->idle_until - now)); -+ apr_sleep(session->idle_delay); -+ session->idle_delay = 0; -+ } -+ -+ h2_conn_io_flush(&session->io); -+ if (async && !session->r && (now > session->idle_sync_until)) { - if (trace) { - ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c, - H2_SSSN_MSG(session, - "nonblock read, %d streams open"), - session->open_streams); - } -- h2_conn_io_flush(&session->io); - status = h2_session_read(session, 0); - - if (status == APR_SUCCESS) { - session->have_read = 1; -- 
dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); - } -- else if (APR_STATUS_IS_EAGAIN(status) -- || APR_STATUS_IS_TIMEUP(status)) { -- if (apr_time_now() > session->idle_until) { -- dispatch_event(session, -- H2_SESSION_EV_CONN_TIMEOUT, 0, NULL); -- } -- else { -- status = APR_EAGAIN; -- goto out; -- } -+ else if (APR_STATUS_IS_EAGAIN(status) || APR_STATUS_IS_TIMEUP(status)) { -+ status = APR_EAGAIN; -+ goto out; - } - else { - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c, -@@ -2078,7 +2155,6 @@ apr_status_t h2_session_process(h2_session *session, int async) - } - else { - /* make certain, we send everything before we idle */ -- h2_conn_io_flush(&session->io); - if (trace) { - ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c, - H2_SSSN_MSG(session, -@@ -2090,7 +2166,6 @@ apr_status_t h2_session_process(h2_session *session, int async) - */ - status = h2_mplx_idle(session->mplx); - if (status == APR_EAGAIN) { -- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); - break; - } - else if (status != APR_SUCCESS) { -@@ -2101,33 +2176,11 @@ apr_status_t h2_session_process(h2_session *session, int async) - status = h2_session_read(session, 1); - if (status == APR_SUCCESS) { - session->have_read = 1; -- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); - } - else if (status == APR_EAGAIN) { - /* nothing to read */ - } - else if (APR_STATUS_IS_TIMEUP(status)) { -- apr_time_t now = apr_time_now(); -- if (now > session->keep_sync_until) { -- /* if we are on an async mpm, now is the time that -- * we may dare to pass control to it. 
*/ -- session->keep_sync_until = 0; -- } -- if (now > session->idle_until) { -- if (trace) { -- ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c, -- H2_SSSN_MSG(session, -- "keepalive timeout")); -- } -- dispatch_event(session, -- H2_SESSION_EV_CONN_TIMEOUT, 0, "timeout"); -- } -- else if (trace) { -- ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c, -- H2_SSSN_MSG(session, -- "keepalive, %f sec left"), -- (session->idle_until - now) / 1000000.0f); -- } - /* continue reading handling */ - } - else if (APR_STATUS_IS_ECONNABORTED(status) -@@ -2145,6 +2198,18 @@ apr_status_t h2_session_process(h2_session *session, int async) - dispatch_event(session, H2_SESSION_EV_CONN_ERROR, 0, "error"); - } - } -+ if (nghttp2_session_want_write(session->ngh2)) { -+ ap_update_child_status(session->c->sbh, SERVER_BUSY_WRITE, NULL); -+ status = h2_session_send(session); -+ if (status == APR_SUCCESS) { -+ status = h2_conn_io_flush(&session->io); -+ } -+ if (status != APR_SUCCESS) { -+ dispatch_event(session, H2_SESSION_EV_CONN_ERROR, -+ H2_ERR_INTERNAL_ERROR, "writing"); -+ break; -+ } -+ } - break; - - case H2_SESSION_ST_BUSY: -@@ -2154,7 +2219,6 @@ apr_status_t h2_session_process(h2_session *session, int async) - status = h2_session_read(session, 0); - if (status == APR_SUCCESS) { - session->have_read = 1; -- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); - } - else if (status == APR_EAGAIN) { - /* nothing to read */ -@@ -2218,7 +2282,7 @@ apr_status_t h2_session_process(h2_session *session, int async) - session->iowait); - if (status == APR_SUCCESS) { - session->wait_us = 0; -- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); -+ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, NULL); - } - else if (APR_STATUS_IS_TIMEUP(status)) { - /* go back to checking all inputs again */ -diff --git a/modules/http2/h2_session.h b/modules/http2/h2_session.h -index 486938b009..df2a862445 100644 ---- a/modules/http2/h2_session.h -+++ b/modules/http2/h2_session.h -@@ 
-66,10 +66,11 @@ typedef enum { - H2_SESSION_EV_PROTO_ERROR, /* protocol error */ - H2_SESSION_EV_CONN_TIMEOUT, /* connection timeout */ - H2_SESSION_EV_NO_IO, /* nothing has been read or written */ -- H2_SESSION_EV_DATA_READ, /* connection data has been read */ -+ H2_SESSION_EV_FRAME_RCVD, /* a frame has been received */ - H2_SESSION_EV_NGH2_DONE, /* nghttp2 wants neither read nor write anything */ - H2_SESSION_EV_MPM_STOPPING, /* the process is stopping */ - H2_SESSION_EV_PRE_CLOSE, /* connection will close after this */ -+ H2_SESSION_EV_STREAM_CHANGE, /* a stream (state/input/output) changed */ - } h2_session_event_t; - - typedef struct h2_session { -@@ -118,7 +119,9 @@ typedef struct h2_session { - apr_size_t max_stream_mem; /* max buffer memory for a single stream */ - - apr_time_t idle_until; /* Time we shut down due to sheer boredom */ -- apr_time_t keep_sync_until; /* Time we sync wait until passing to async mpm */ -+ apr_time_t idle_sync_until; /* Time we sync wait until keepalive handling kicks in */ -+ apr_size_t idle_frames; /* number of rcvd frames that kept session in idle state */ -+ apr_interval_time_t idle_delay; /* Time we delay processing rcvd frames in idle state */ - - apr_bucket_brigade *bbtmp; /* brigade for keeping temporary data */ - struct apr_thread_cond_t *iowait; /* our cond when trywaiting for data */ -diff --git a/modules/http2/h2_version.h b/modules/http2/h2_version.h -index 5c53abd575..2ac718fc0f 100644 ---- a/modules/http2/h2_version.h -+++ b/modules/http2/h2_version.h -@@ -27,7 +27,7 @@ - * @macro - * Version number of the http2 module as c string - */ --#define MOD_HTTP2_VERSION "1.10.20" -+#define MOD_HTTP2_VERSION "1.11.0" - - /** - * @macro -@@ -35,7 +35,7 @@ - * release. This is a 24 bit number with 8 bits for major number, 8 bits - * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. 
- */ --#define MOD_HTTP2_VERSION_NUM 0x010a14 -+#define MOD_HTTP2_VERSION_NUM 0x010b00 - - - #endif /* mod_h2_h2_version_h */ --- -2.17.1 - diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch deleted file mode 100644 index a2bc6e02c9..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 5412077c398dec74321388fe6e593a44c4c80de6 Mon Sep 17 00:00:00 2001 -From: echo -Date: Tue, 28 Apr 2009 03:11:06 +0000 -Subject: [PATCH] Fix perl install directory to /usr/bin - -Upstream-Status: Inappropriate [configuration] - ---- - configure.in | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/configure.in b/configure.in -index d828512..be7bd25 100644 ---- a/configure.in -+++ b/configure.in -@@ -855,10 +855,7 @@ AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", - AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "${rel_sysconfdir}/mime.types", - [Location of the MIME types config file, relative to the Apache root directory]) - --perlbin=`$ac_aux_dir/PrintPath perl` --if test "x$perlbin" = "x"; then -- perlbin="/replace/with/path/to/perl/interpreter" --fi -+perlbin='/usr/bin/perl' - AC_SUBST(perlbin) - - dnl If we are running on BSD/OS, we need to use the BSD .include syntax. diff --git a/meta-webserver/recipes-httpd/apache2/apache2/configure-allow-to-disable-selinux-support.patch b/meta-webserver/recipes-httpd/apache2/apache2/configure-allow-to-disable-selinux-support.patch deleted file mode 100644 index a6ccfb6a87..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/configure-allow-to-disable-selinux-support.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 166cbc02f72d13d5e7bf08ac2351c0f07e1ff4b9 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Mon, 1 Dec 2014 02:08:27 -0500 -Subject: [PATCH] apache2: allow to disable selinux support - -Upstream-Status: Pending - -Signed-off-by: Wenzong Fan - ---- - configure.in | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/configure.in b/configure.in -index 54dfd0d..377e062 100644 ---- a/configure.in -+++ b/configure.in -@@ -466,10 +466,16 @@ getloadavg - dnl confirm that a void pointer is large enough to store a long integer - APACHE_CHECK_VOID_PTR_LEN - --AC_CHECK_LIB(selinux, is_selinux_enabled, [ -- AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) -- APR_ADDTO(AP_LIBS, [-lselinux]) --]) -+# SELinux support -+AC_ARG_ENABLE(selinux,APACHE_HELP_STRING(--enable-selinux,Enable SELinux support [default=auto]), -+ [],[enable_selinux=auto]) -+ -+if test x$enable_selinux != xno; then -+ AC_CHECK_LIB(selinux, is_selinux_enabled, [ -+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) -+ APR_ADDTO(AP_LIBS, [-lselinux]) -+ ]) -+fi - - AC_CACHE_CHECK([for gettid()], ac_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE diff --git a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch deleted file mode 100644 index ae4ff0c5ec..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 55ebb07cc57854cbfb372c3a688365039b809bc8 Mon Sep 17 00:00:00 2001 -From: Paul Eggleton -Date: Tue, 17 Jul 2012 11:27:39 +0100 -Subject: [PATCH] apache2: add from OE-Classic, update to version 2.4.2 and fix - -Bump up the core size limit if CoreDumpDirectory is -configured. - -Upstream-Status: Pending - -Note: upstreaming was discussed but there are competing desires; - there are portability oddities here too. - ---- - server/core.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/server/core.c b/server/core.c -index 4af0816..4fd2b9f 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -4940,6 +4940,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte - } - apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper, - apr_pool_cleanup_null); -+ -+#ifdef RLIMIT_CORE -+ if (ap_coredumpdir_configured) { -+ struct rlimit lim; -+ -+ if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) { -+ lim.rlim_cur = lim.rlim_max; -+ if (setrlimit(RLIMIT_CORE, &lim) == 0) { -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "core dump file size limit raised to %lu bytes", -+ lim.rlim_cur); -+ } else { -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL, -+ "core dump file size is zero, setrlimit failed"); -+ } -+ } -+ } -+#endif -+ - return OK; - } - diff --git a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch deleted file mode 100644 index 015034c75f..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 33c0f2d88ccfe02777f183eb785bb2b891aff168 Mon Sep 17 00:00:00 2001 -From: Paul Eggleton -Date: Tue, 17 Jul 2012 11:27:39 +0100 -Subject: [PATCH] Log the SELinux context at startup. - -Log the SELinux context at startup. - -Upstream-Status: Inappropriate [other] - -Note: unlikely to be any interest in this upstream - ---- - configure.in | 5 +++++ - server/core.c | 26 ++++++++++++++++++++++++++ - 2 files changed, 31 insertions(+) - -diff --git a/configure.in b/configure.in -index 761e836..d828512 100644 ---- a/configure.in -+++ b/configure.in -@@ -483,6 +483,11 @@ getloadavg - dnl confirm that a void pointer is large enough to store a long integer - APACHE_CHECK_VOID_PTR_LEN - -+AC_CHECK_LIB(selinux, is_selinux_enabled, [ -+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) -+ APR_ADDTO(AP_LIBS, [-lselinux]) -+]) -+ - AC_CACHE_CHECK([for gettid()], ac_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE - #include -diff --git a/server/core.c b/server/core.c -index 4fd2b9f..c61304a 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -59,6 +59,10 @@ - #include - #endif - -+#ifdef HAVE_SELINUX -+#include -+#endif -+ - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -4959,6 +4963,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte - } - #endif - -+#ifdef HAVE_SELINUX -+ { -+ static int already_warned = 0; -+ int is_enabled = is_selinux_enabled() > 0; -+ -+ if (is_enabled && !already_warned) { -+ security_context_t con; -+ -+ if (getcon(&con) == 0) { -+ -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "SELinux policy enabled; " -+ "httpd running as context %s", con); -+ -+ already_warned = 1; -+ -+ freecon(con); -+ } -+ } -+ } -+#endif -+ - return OK; - } - 
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.3-fix-race-issue-of-dir-install.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.3-fix-race-issue-of-dir-install.patch deleted file mode 100644 index 2262e9f878..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.3-fix-race-issue-of-dir-install.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 3b079a9df7582e305246fd805837d87a2c4ef534 Mon Sep 17 00:00:00 2001 -From: Zhenhua Luo -Date: Fri, 25 Jan 2013 18:10:50 +0800 -Subject: [PATCH] apache2: fix the race issue of parallel installation - -Upstream-Status: Pending - -fix following race issue when do parallel install -| mkdir: cannot create directory `/home/mypc/workspace/poky/build_p4080ds_release/tmp/work/ppce500mc-fsl_networking-linux/apache2/2.4.3-r1/image/usr/share/apache2': File exists -... -| mkdir: cannot create directory `/home/mypc/workspace/poky/build_p4080ds_release/tmp/work/ppce500mc-fsl_networking-linux/apache2/2.4.3-r1/image/usr/share/apache2': File exists -| make[1]: *** [install-man] Error 1 -| make[1]: *** Waiting for unfinished jobs.... - -Signed-off-by: Zhenhua Luo - ---- - build/mkdir.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/build/mkdir.sh b/build/mkdir.sh -index e2d5bb6..dde5ae0 100755 ---- a/build/mkdir.sh -+++ b/build/mkdir.sh -@@ -39,7 +39,7 @@ for file in ${1+"$@"} ; do - esac - if test ! -d "$pathcomp"; then - echo "mkdir $pathcomp" 1>&2 -- mkdir "$pathcomp" || errstatus=$? -+ mkdir -p "$pathcomp" || errstatus=$? - fi - pathcomp="$pathcomp/" - done diff --git a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch deleted file mode 100644 index 843226c0cf..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From a5627edbcc88cd50caaa42ca051ac7ed3d870172 Mon Sep 17 00:00:00 2001 -From: Paul Eggleton -Date: Tue, 17 Jul 2012 11:27:39 +0100 -Subject: [PATCH] apache2: add from OE-Classic, update to version 2.4.2 and fix - -There is no need to "suck in" the apr/apr-util symbols when using -a shared libapr{,util}, it just bloats the symbol table; so don't. - -Upstream-Status: Pending - -Note: EXPORT_DIRS change is conditional on using shared apr - ---- - server/Makefile.in | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/server/Makefile.in b/server/Makefile.in -index cb11684..0d48924 100644 ---- a/server/Makefile.in -+++ b/server/Makefile.in -@@ -60,9 +60,6 @@ export_files: - ls $$dir/*.h ; \ - done; \ - echo "$(top_srcdir)/server/mpm_fdqueue.h"; \ -- for dir in $(EXPORT_DIRS_APR); do \ -- ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \ -- done; \ - ) | sed -e s,//,/,g | sort -u > $@ - - exports.c: export_files diff --git a/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch b/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch deleted file mode 100644 index 020f1d7979..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 94a9e2241ea27e75babbfdeb38043b13049e23b0 Mon Sep 17 00:00:00 2001 -From: Yulong Pei -Date: Thu, 1 Sep 2011 01:03:14 +0800 -Subject: [PATCH] replace lynx to curl in apachectl script - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Yulong Pei - ---- - support/apachectl.in | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/support/apachectl.in b/support/apachectl.in -index 3281c2e..6ab4ba5 100644 ---- a/support/apachectl.in -+++ b/support/apachectl.in -@@ -52,11 +52,11 @@ fi - # a command that outputs a formatted text version of the HTML at the - # url given on the command line. Designed for lynx, however other - # programs may work. --LYNX="@LYNX_PATH@ -dump" -+CURL="/usr/bin/curl" - # - # the URL to your server's mod_status status page. If you do not - # have one, then status and fullstatus will not work. --STATUSURL="http://localhost:@PORT@/server-status" -+STATUSURL="http://localhost:@PORT@/" - # - # Set this variable to a command that increases the maximum - # number of file descriptors allowed per child process. This is -@@ -92,10 +92,16 @@ configtest) - ERROR=$? - ;; - status) -- $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } ' -+ $CURL -s $STATUSURL | grep -o "It works!" -+ if [ $? != 0 ] ; then -+ echo The httpd server does not work! -+ fi - ;; - fullstatus) -- $LYNX $STATUSURL -+ $CURL -s $STATUSURL | grep -o "It works!" -+ if [ $? != 0 ] ; then -+ echo The httpd server does not work! -+ fi - ;; - *) - $HTTPD "$@" diff --git a/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch b/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch deleted file mode 100644 index 5476d4f328..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From aa02bbfd8f16871db5563a95fa94dd170964949f Mon Sep 17 00:00:00 2001 -From: Paul Eggleton -Date: Tue, 17 Jul 2012 11:27:39 +0100 - -Upstream-Status: Inappropriate [embedded specific] - ---- - server/Makefile.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/server/Makefile.in b/server/Makefile.in -index 1fa3344..cb11684 100644 ---- a/server/Makefile.in -+++ b/server/Makefile.in -@@ -29,7 +29,7 @@ gen_test_char: $(gen_test_char_OBJECTS) - $(LINK) $(EXTRA_LDFLAGS) $(gen_test_char_OBJECTS) $(EXTRA_LIBS) - - test_char.h: gen_test_char -- ./gen_test_char > test_char.h -+ gen_test_char > test_char.h - - util.lo: test_char.h - diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.34.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.34.bb deleted file mode 100644 index 80c8b20d09..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.34.bb +++ /dev/null 
@@ -1,202 +0,0 @@ -DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \ -extensible web server." -SUMMARY = "Apache HTTP Server" -HOMEPAGE = "http://httpd.apache.org/" -DEPENDS = "libtool-native apache2-native openssl expat pcre apr apr-util" -SECTION = "net" -LICENSE = "Apache-2.0" - -SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ - file://server-makefile.patch \ - file://httpd-2.4.1-corelimit.patch \ - file://httpd-2.4.4-export.patch \ - file://httpd-2.4.1-selinux.patch \ - file://apache-configure_perlbin.patch \ - file://replace-lynx-to-curl-in-apachectl-script.patch \ - file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \ - file://0001-configure-use-pkg-config-for-PCRE-detection.patch \ - file://configure-allow-to-disable-selinux-support.patch \ - file://CVE-2018-11763.patch \ - file://init \ - file://apache2-volatile.conf \ - file://apache2.service \ - file://volatiles.04_apache2 \ - " - -LIC_FILES_CHKSUM = "file://LICENSE;md5=d52d0fd0bc788f068e647116c01ddfcd" -SRC_URI[md5sum] = "818adca52f3be187fe45d6822755be95" -SRC_URI[sha256sum] = "fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0" - -S = "${WORKDIR}/httpd-${PV}" - -inherit autotools update-rc.d pkgconfig systemd update-alternatives - -CVE_PRODUCT = "http_server" - -ALTERNATIVE_${PN}-doc = "htpasswd.1" -ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1" - -SYSTEMD_SERVICE_${PN} = "apache2.service" -SYSTEMD_AUTO_ENABLE_${PN} = "disable" - -SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice" - -CFLAGS_append = " -DPATH_MAX=4096" -CFLAGS_prepend = "-I${STAGING_INCDIR}/openssl " -EXTRA_OECONF = "--enable-ssl \ - --with-ssl=${STAGING_LIBDIR}/.. \ - --with-expat=${STAGING_LIBDIR}/.. 
\ - --with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ - --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \ - --enable-info \ - --enable-rewrite \ - --with-dbm=sdbm \ - --with-berkeley-db=no \ - --localstatedir=/var/${BPN} \ - --with-gdbm=no \ - --with-ndbm=no \ - --includedir=${includedir}/${BPN} \ - --datadir=${datadir}/${BPN} \ - --sysconfdir=${sysconfdir}/${BPN} \ - --libexecdir=${libdir}/${BPN}/modules \ - ap_cv_void_ptr_lt_long=no \ - --enable-mpms-shared \ - ac_cv_have_threadsafe_pollset=no \ - --enable-layout=Debian \ - --prefix=${base_prefix}/" - -PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}" -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux" -PACKAGECONFIG[openldap] = "--enable-ldap --enable-authnz-ldap,--disable-ldap --disable-authnz-ldap,openldap" -PACKAGECONFIG[zlib] = "--enable-deflate --with-z=${STAGING_LIBDIR},,zlib,zlib" - -do_configure_prepend() { - sed -i -e 's:$''{prefix}/usr/lib/cgi-bin:$''{libdir}/cgi-bin:g' ${S}/config.layout -} - -do_install_append() { - install -d ${D}/${sysconfdir}/init.d - cat ${WORKDIR}/init | \ - sed -e 's,/usr/sbin/,${sbindir}/,g' \ - -e 's,/usr/bin/,${bindir}/,g' \ - -e 's,/usr/lib,${libdir}/,g' \ - -e 's,/etc/,${sysconfdir}/,g' \ - -e 's,/usr/,${prefix}/,g' > ${D}/${sysconfdir}/init.d/${BPN} - chmod 755 ${D}/${sysconfdir}/init.d/${BPN} - # remove the goofy original files... - rm -rf ${D}/${sysconfdir}/${BPN}/original - # Expat should be found in the staging area via DEPENDS... 
- rm -f ${D}/${libdir}/libexpat.* - - install -d ${D}${sysconfdir}/${BPN}/conf.d - install -d ${D}${sysconfdir}/${BPN}/modules.d - - # Ensure configuration file pulls in conf.d and modules.d - printf "\nIncludeOptional ${sysconfdir}/${BPN}/conf.d/*.conf" >> ${D}/${sysconfdir}/${BPN}/httpd.conf - printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.load" >> ${D}/${sysconfdir}/${BPN}/httpd.conf - printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.conf\n\n" >> ${D}/${sysconfdir}/${BPN}/httpd.conf - # match with that is in init script - printf "\nPidFile /run/httpd.pid" >> ${D}/${sysconfdir}/${BPN}/httpd.conf - # Set 'ServerName' to fix error messages when restart apache service - sed -i 's/^#ServerName www.example.com/ServerName localhost/' ${D}/${sysconfdir}/${BPN}/httpd.conf - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d/ - install -m 0644 ${WORKDIR}/apache2-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ - elif ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/volatiles.04_apache2 ${D}${sysconfdir}/default/volatiles/04_apache2 - fi - - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/apache2.service ${D}${systemd_unitdir}/system - sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/apache2.service - sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' ${D}${systemd_unitdir}/system/apache2.service - - chown -R root:root ${D} -} - -do_install_append_class-target() { - sed -i -e 's,${STAGING_DIR_HOST},,g' \ - -e 's,APU_INCLUDEDIR = .*,APU_INCLUDEDIR = ,g' \ - -e 's,APU_CONFIG = .*,APU_CONFIG = ,g' ${D}${datadir}/apache2/build/config_vars.mk - - sed -i -e 's,${STAGING_DIR_HOST},,g' \ - -e 's,".*/configure","configure",g' ${D}${datadir}/apache2/build/config.nice - rm -rf ${D}${localstatedir}/run -} - -SYSROOT_PREPROCESS_FUNCS += 
"apache_sysroot_preprocess" - -apache_sysroot_preprocess () { - install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}/ - install -m 755 ${D}${bindir}/apxs ${SYSROOT_DESTDIR}${bindir_crossscripts}/ - install -d ${SYSROOT_DESTDIR}${sbindir}/ - install -m 755 ${D}${sbindir}/apachectl ${SYSROOT_DESTDIR}${sbindir}/ - sed -i 's!my $installbuilddir = .*!my $installbuilddir = "${STAGING_DIR_HOST}/${datadir}/${BPN}/build";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs - sed -i 's!my $libtool = .*!my $libtool = "${STAGING_BINDIR_CROSS}/${HOST_SYS}-libtool";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs - - sed -i 's!^APR_CONFIG = .*!APR_CONFIG = ${STAGING_BINDIR_CROSS}/apr-1-config!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk - sed -i 's!^APU_CONFIG = .*!APU_CONFIG = ${STAGING_BINDIR_CROSS}/apu-1-config!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk - sed -i 's!^includedir = .*!includedir = ${STAGING_INCDIR}/apache2!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk - sed -i 's!^CFLAGS = -I[^ ]*!CFLAGS = -I${STAGING_INCDIR}/openssl!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk - sed -i 's!^EXTRA_LDFLAGS = .*!EXTRA_LDFLAGS = -L${STAGING_LIBDIR}!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk - sed -i 's!^EXTRA_INCLUDES = .*!EXTRA_INCLUDES = -I$(includedir) -I. -I${STAGING_INCDIR}!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk - sed -i 's!--sysroot=[^ ]*!--sysroot=${STAGING_DIR_HOST}!' 
${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk -} - -# -# implications - used by update-rc.d scripts -# -INITSCRIPT_NAME = "apache2" -INITSCRIPT_PARAMS = "defaults 91 20" -LEAD_SONAME = "libapr-1.so.0" - -PACKAGES = "${PN}-scripts ${PN}-doc ${PN}-dev ${PN}-dbg ${PN}" - -CONFFILES_${PN} = "${sysconfdir}/${BPN}/httpd.conf \ - ${sysconfdir}/${BPN}/magic \ - ${sysconfdir}/${BPN}/mime.types \ - ${sysconfdir}/init.d/${BPN} " - -# we override here rather than append so that .so links are -# included in the runtime package rather than here (-dev) -# and to get build, icons, error into the -dev package -FILES_${PN}-dev = "${datadir}/${BPN}/build \ - ${datadir}/${BPN}/icons \ - ${datadir}/${BPN}/error \ - ${bindir}/apr-config ${bindir}/apu-config \ - ${libdir}/apr*.exp \ - ${includedir}/${BPN} \ - ${libdir}/*.la \ - ${libdir}/*.a \ - ${bindir}/apxs \ - " - - -# manual to manual -FILES_${PN}-doc += " ${datadir}/${BPN}/manual" - -FILES_${PN}-scripts += "${bindir}/dbmmanage" - -# -# override this too - here is the default, less datadir -# -FILES_${PN} = "${bindir} ${sbindir} ${libexecdir} ${libdir}/lib*.so.* ${sysconfdir} \ - ${sharedstatedir} ${localstatedir} /bin /sbin /lib/*.so* \ - ${libdir}/${BPN}" - -# we want htdocs and cgi-bin to go with the binary -FILES_${PN} += "${datadir}/${BPN}/htdocs ${datadir}/${BPN}/cgi-bin" - -#make sure the lone .so links also get wrapped in the base package -FILES_${PN} += "${libdir}/lib*.so ${libdir}/pkgconfig/*" - -FILES_${PN}-dbg += "${libdir}/${BPN}/modules/.debug" - -RDEPENDS_${PN} += "openssl libgcc" -RDEPENDS_${PN}-scripts += "perl ${PN}" -RDEPENDS_${PN}-dev = "perl" - -FILES_${PN} += "${libdir}/cgi-bin" -FILES_${PN} += "${datadir}/${BPN}/" diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.39.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.39.bb new file mode 100644 index 0000000000..d58ccb8f29 --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.39.bb 
@@ -0,0 +1,208 @@
+DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \
+extensible web server."
+SUMMARY = "Apache HTTP Server"
+HOMEPAGE = "http://httpd.apache.org/"
+SECTION = "net"
+LICENSE = "Apache-2.0"
+
+SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
+ file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
+ file://0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch \
+ file://0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch \
+ file://0004-apache2-log-the-SELinux-context-at-startup.patch \
+ file://0005-replace-lynx-to-curl-in-apachectl-script.patch \
+ file://0006-apache2-fix-the-race-issue-of-parallel-installation.patch \
+ file://0007-apache2-allow-to-disable-selinux-support.patch \
+ "
+
+SRC_URI_append_class-target = " \
+ file://0008-apache2-do-not-use-relative-path-for-gen_test_char.patch \
+ file://init \
+ file://apache2-volatile.conf \
+ file://apache2.service \
+ file://volatiles.04_apache2 \
+ "
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d52d0fd0bc788f068e647116c01ddfcd"
+SRC_URI[md5sum] = "930e217ba2d71e708a3f1521ecae7ec0"
+SRC_URI[sha256sum] = "b4ca9d05773aa59b54d66cd8f4744b945289f084d3be17d7981d1783a5decfa2"
+
+S = "${WORKDIR}/httpd-${PV}"
+
+inherit autotools update-rc.d pkgconfig systemd update-alternatives
+
+DEPENDS = "openssl expat pcre apr apr-util apache2-native "
+
+CVE_PRODUCT = "http_server"
+
+SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice"
+
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux"
+PACKAGECONFIG[openldap] = "--enable-ldap --enable-authnz-ldap,--disable-ldap --disable-authnz-ldap,openldap"
+PACKAGECONFIG[zlib] = "--enable-deflate,,zlib,zlib"
+
+CFLAGS_append = " -DPATH_MAX=4096"
+
+EXTRA_OECONF_class-target = "\
+ --enable-layout=Debian \
+ --prefix=${base_prefix} \
+ --exec_prefix=${exec_prefix} \
+ --includedir=${includedir}/${BPN} \
+ --sysconfdir=${sysconfdir}/${BPN} \
+ --datadir=${datadir}/${BPN} \
+ --libdir=${libdir} \
+ --libexecdir=${libdir}/${BPN}/modules \
+ --localstatedir=${localstatedir} \
+ --enable-ssl \
+ --with-dbm=sdbm \
+ --with-gdbm=no \
+ --with-ndbm=no \
+ --with-berkeley-db=no \
+ --enable-info \
+ --enable-rewrite \
+ --enable-mpms-shared \
+ ap_cv_void_ptr_lt_long=no \
+ ac_cv_have_threadsafe_pollset=no \
+ "
+
+EXTRA_OECONF_class-native = "\
+ --prefix=${prefix} \
+ --includedir=${includedir}/${BPN} \
+ --sysconfdir=${sysconfdir}/${BPN} \
+ --datadir=${datadir}/${BPN} \
+ --libdir=${libdir} \
+ --libexecdir=${libdir}/${BPN}/modules \
+ --localstatedir=${localstatedir} \
+ "
+
+do_configure_prepend() {
+ sed -i -e 's:$''{prefix}/usr/lib/cgi-bin:$''{libdir}/cgi-bin:g' ${S}/config.layout
+}
+
+do_install_append_class-target() {
+ install -d ${D}/${sysconfdir}/init.d
+
+ cat ${WORKDIR}/init | \
+ sed -e 's,/usr/sbin/,${sbindir}/,g' \
+ -e 's,/usr/bin/,${bindir}/,g' \
+ -e 's,/usr/lib/,${libdir}/,g' \
+ -e 's,/etc/,${sysconfdir}/,g' \
+ -e 's,/usr/,${prefix}/,g' > ${D}/${sysconfdir}/init.d/${BPN}
+
+ chmod 755 ${D}/${sysconfdir}/init.d/${BPN}
+
+ # Remove the goofy original files...
+ rm -rf ${D}/${sysconfdir}/${BPN}/original
+
+ install -d ${D}${sysconfdir}/${BPN}/conf.d
+ install -d ${D}${sysconfdir}/${BPN}/modules.d
+
+ # Ensure configuration file pulls in conf.d and modules.d
+ printf "\nIncludeOptional ${sysconfdir}/${BPN}/conf.d/*.conf" >> ${D}/${sysconfdir}/${BPN}/httpd.conf
+ printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.load" >> ${D}/${sysconfdir}/${BPN}/httpd.conf
+ printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.conf\n\n" >> ${D}/${sysconfdir}/${BPN}/httpd.conf
+
+ # Match with that is in init script
+ printf "\nPidFile /run/httpd.pid" >> ${D}/${sysconfdir}/${BPN}/httpd.conf
+
+ # Set 'ServerName' to fix error messages when restart apache service
+ sed -i 's/^#ServerName www.example.com/ServerName localhost/' ${D}/${sysconfdir}/${BPN}/httpd.conf
+
+ sed -i 's/^ServerRoot/#ServerRoot/' ${D}/${sysconfdir}/${BPN}/httpd.conf
+
+ sed -i -e 's,${STAGING_DIR_TARGET},,g' \
+ -e 's,${DEBUG_PREFIX_MAP},,g' \
+ -e 's,-fdebug-prefix-map[^ ]*,,g; s,-fmacro-prefix-map[^ ]*,,g' \
+ -e 's,${HOSTTOOLS_DIR}/,,g' \
+ -e 's,APU_INCLUDEDIR = .*,APU_INCLUDEDIR = ,g' \
+ -e 's,APU_CONFIG = .*,APU_CONFIG = ,g' ${D}${datadir}/apache2/build/config_vars.mk
+
+ sed -i -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
+ -e 's,${DEBUG_PREFIX_MAP},,g' \
+ -e 's,${RECIPE_SYSROOT},,g' \
+ -e 's,-fdebug-prefix-map[^ ]*,,g; s,-fmacro-prefix-map[^ ]*,,g' \
+ -e 's,APU_INCLUDEDIR = .*,APU_INCLUDEDIR = ,g' \
+ -e 's,".*/configure","configure",g' ${D}${datadir}/apache2/build/config.nice
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d/
+ install -m 0644 ${WORKDIR}/apache2-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
+
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/apache2.service ${D}${systemd_unitdir}/system
+ sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/apache2.service
+ sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' ${D}${systemd_unitdir}/system/apache2.service
+ elif ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/volatiles.04_apache2 ${D}${sysconfdir}/default/volatiles/04_apache2
+ fi
+
+ rm -rf ${D}${localstatedir}
+ chown -R root:root ${D}
+}
+
+do_install_append_class-native() {
+ install -d ${D}${bindir} ${D}${libdir}
+ install -m 755 server/gen_test_char ${D}${bindir}
+}
+
+SYSROOT_PREPROCESS_FUNCS_append_class-target = "apache_sysroot_preprocess"
+
+apache_sysroot_preprocess() {
+ install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}
+ install -m 755 ${D}${bindir}/apxs ${SYSROOT_DESTDIR}${bindir_crossscripts}
+ install -d ${SYSROOT_DESTDIR}${sbindir}
+ install -m 755 ${D}${sbindir}/apachectl ${SYSROOT_DESTDIR}${sbindir}
+ sed -i 's!my $installbuilddir = .*!my $installbuilddir = "${STAGING_DIR_HOST}/${datadir}/${BPN}/build";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs
+ sed -i 's!my $libtool = .*!my $libtool = "${STAGING_BINDIR_CROSS}/${HOST_SYS}-libtool";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs
+
+ sed -i 's!^APR_CONFIG = .*!APR_CONFIG = ${STAGING_BINDIR_CROSS}/apr-1-config!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk
+ sed -i 's!^APU_CONFIG = .*!APU_CONFIG = ${STAGING_BINDIR_CROSS}/apu-1-config!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk
+ sed -i 's!^includedir = .*!includedir = ${STAGING_INCDIR}/apache2!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk
+ sed -i 's!^CFLAGS = -I[^ ]*!CFLAGS = -I${STAGING_INCDIR}/openssl!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk
+ sed -i 's!^EXTRA_LDFLAGS = .*!EXTRA_LDFLAGS = -L${STAGING_LIBDIR}!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk
+ sed -i 's!^EXTRA_INCLUDES = .*!EXTRA_INCLUDES = -I$(includedir) -I. -I${STAGING_INCDIR}!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk
+ sed -i 's!--sysroot=[^ ]*!--sysroot=${STAGING_DIR_HOST}!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk
+}
+
+# Implications - used by update-rc.d scripts
+INITSCRIPT_NAME = "apache2"
+INITSCRIPT_PARAMS = "defaults 91 20"
+
+SYSTEMD_SERVICE_${PN} = "apache2.service"
+SYSTEMD_AUTO_ENABLE_${PN} = "enable"
+
+ALTERNATIVE_${PN}-doc = "htpasswd.1"
+ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1"
+
+PACKAGES = "${PN}-scripts ${PN}-doc ${PN}-dev ${PN}-dbg ${PN}"
+
+CONFFILES_${PN} = "${sysconfdir}/${BPN}/httpd.conf \
+ ${sysconfdir}/${BPN}/magic \
+ ${sysconfdir}/${BPN}/mime.types"
+
+# We override here rather than append so that .so links are
+# included in the runtime package rather than here (-dev)
+# and to get icons, error into the -dev package
+FILES_${PN}-dev = "${datadir}/${BPN}/icons \
+ ${datadir}/${BPN}/error \
+ ${includedir}/${BPN} \
+ "
+
+FILES_${PN}-scripts += "${bindir}/dbmmanage"
+
+# Override this too - here is the default, less datadir
+FILES_${PN} = "${bindir} ${sbindir} ${libexecdir} ${libdir} \
+ ${sysconfdir} ${libdir}/${BPN}"
+
+# We want htdocs and cgi-bin to go with the binary
+FILES_${PN} += "${datadir}/${BPN}/ ${libdir}/cgi-bin"
+
+FILES_${PN}-dbg += "${libdir}/${BPN}/modules/.debug"
+
+RDEPENDS_${PN} += "openssl libgcc"
+RDEPENDS_${PN}-scripts += "perl ${PN}"
+RDEPENDS_${PN}-dev = "perl"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-webserver/recipes-httpd/apache2/files/init b/meta-webserver/recipes-httpd/apache2/files/init
old mode 100755
new mode 100644
--
cgit 1.2.3-korg
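Review bot: `SYSTEMD_AUTO_ENABLE_${PN}` is set to `"enable"` near the end of the new apache2_2.4.39.bb, while the removed apache2_2.4.34.bb had `"disable"`, and the commit message (upgrade, patch refresh, recipe cleanup) does not mention the flip. On systemd images that install the package this presumably means httpd starts at boot with the stock httpd.conf, so anything that pulls apache2 in as a dependency gains a listening web server by default. Either keep `SYSTEMD_AUTO_ENABLE_${PN} = "disable"` in this upgrade, or make the change a separate commit and add a comment above the line such as `# Start httpd at boot by default; set to "disable" in a bbappend to opt out`.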