systemtap: fix on target build for 4.4 and 5.10+

The following systemtap commit:

    commit 7615cae790c899bc8a82841c75c8ea9c6fa54df3
    Author: Frank Ch. Eigler <fche@redhat.com>
    Date:   Mon Nov 9 19:18:19 2020 -0500

        PR26665: relayfs-on-procfs megapatch

Changes the way that capabilities are checked when compiling
a systemtap probe.

In our cross-build -> on target workflow, this results in a
mismatch between the systemtap configuration capabilities and
the kernel configuration.

The result is a compilation failure since the security
components are protected by two different #ifdef's, and they
can be out of sync. By protecting the include and callsite with
the same #ifdef, we ensure they are in sync and fix our
on target problem.

While this fix is oe-specific, a variant will be proposed
upstream once a deeper analsysis of other options has been
completed.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2 files changed, 45 insertions, 0 deletions

diff --git a/meta/recipes-kernel/systemtap/systemtap/0001-transport-protect-include-and-callsite-with-same-con.patch b/meta/recipes-kernel/systemtap/systemtap/0001-transport-protect-include-and-callsite-with-same-con.patch
new file mode 100644
index 0000000000..efc79f6c0f
--- /dev/null
+++ b/meta/recipes-kernel/systemtap/systemtap/0001-transport-protect-include-and-callsite-with-same-con.patch
@@ -0,0 +1,44 @@
+From cbf27cd54071f788231e69d96dbaad563f1010d4 Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfield@gmail.com>
+Date: Fri, 18 Dec 2020 13:15:08 -0500
+Subject: [PATCH] transport: protect include and callsite with same conditional
+
+transport.c has the following code block:
+
+  if (!debugfs_p && security_locked_down (LOCKDOWN_DEBUGFS))
+
+Which is protected by the conditional STAPCONF_LOCKDOWN_DEBUGFS.
+
+linux/security.h provides the definition of LOCKDOWN_DEBUGFS, and
+must be included or we have a compilation issue.
+
+The include of security.h is protected by #ifdef CONFIG_SECURITY_LOCKDOWN_LSM,
+which means that in some configurations we can get out of sync with
+the include and the callsite.
+
+If we protect the include and the callsite with the same #ifdef, we can
+be sure that they will be consistent.
+
+Upstream-status: Inappropriate (kernel-devsrc specific)
+
+Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
+---
+ runtime/transport/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/transport/transport.c b/runtime/transport/transport.c
+index bb4a98bd3..88e20ea28 100644
+--- a/runtime/transport/transport.c
++++ b/runtime/transport/transport.c
+@@ -21,7 +21,7 @@
+ #include <linux/namei.h>
+ #include <linux/delay.h>
+ #include <linux/mutex.h>
+-#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
++#ifdef STAPCONF_LOCKDOWN_DEBUGFS
+ #include <linux/security.h>
+ #endif
+ #include "../uidgid_compatibility.h"
+-- 
+2.19.1
+
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.inc b/meta/recipes-kernel/systemtap/systemtap_git.inc
index ae735025b7..016b423847 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.inc
+++ b/meta/recipes-kernel/systemtap/systemtap_git.inc
@@ -7,6 +7,7 @@ SRC_URI = "git://sourceware.org/git/systemtap.git \
            file://0001-Do-not-let-configure-write-a-python-location-into-th.patch \
            file://0001-Install-python-modules-to-correct-library-dir.patch \
            file://0001-staprun-stapbpf-don-t-support-installing-a-non-root.patch \
+           file://0001-transport-protect-include-and-callsite-with-same-con.patch \
            "
 
 COMPATIBLE_HOST = '(x86_64|i.86|powerpc|arm|aarch64|microblazeel|mips).*-linux'