From patchwork Thu Nov 13 20:54:30 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Jansa X-Patchwork-Id: 74470 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A32E1CD98E2 for ; Thu, 13 Nov 2025 20:54:43 +0000 (UTC) Received: from mail-ej1-f42.google.com (mail-ej1-f42.google.com [209.85.218.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.3165.1763067278726154575 for ; Thu, 13 Nov 2025 12:54:39 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=CFv95kSA; spf=pass (domain: gmail.com, ip: 209.85.218.42, mailfrom: martin.jansa@gmail.com) Received: by mail-ej1-f42.google.com with SMTP id a640c23a62f3a-b728a43e410so199874066b.1 for ; Thu, 13 Nov 2025 12:54:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1763067277; x=1763672077; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=ls0p1i7HzqamS2Ki4ICfjzYIY+d8mOFB5ftEOfXAWGA=; b=CFv95kSA/vpEHmdw+qiJQb2nDKJ0s1hTKMkOxvJzWsKrVINv70Z+m+JDeznN49lboa EFQhY95okG0VcjB7GgIHI/KoqcDYKIWpnKRkbv/Nl0fVo69DO3wTU3ye4vjRV4BikvuY SSe9H1aQ1MguWStnkIl/qbuDflnySEFosdTjA9Mu0wYklsnSOwyyiCAL99Dw5XTEvifp XdQP53gUdDP0wmnqiTVoUjj6JcUz6CKek6X55u4JALBkzb0+STL1dqOU5RMoyOeBqdgu oUa8/eNA14gNh46uT9W4L4HvI7UhNonz9kPmS2cgOtrHw5I1rPdoNDrZTRnBexBxhpR7 krNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763067277; x=1763672077; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ls0p1i7HzqamS2Ki4ICfjzYIY+d8mOFB5ftEOfXAWGA=; b=kFU/kVq3F50fJGjKL0Tg8uO5QCXD8xq1MKiE4fY3wStsPKJrs3slk+UZSk6DR5Yl7J pAfjhZke9pcycVP3bwm8CiZSPwruHfr2/JE7cqtQ9chT6WK4CTDBO0LsB0s1GZPJcmHE ZEz5/gZYgt+cD5yQuJnVPlsVpfaKFcyKD1van5wCSBkFCdDcLyaxXXllncE9YGS86JGt I3OFjE/j1tRtfUeofeXymRqtaH/VRcF9G/aG4YYHVcgm/T0wMZilXGuWYp2bw655k/5n Oaik/szMUeLN2DqthEF19JVWgi/sp7SO2/vfuZCx2AWf7YBu+sxN/l6MkN1RrV4k1uz8 EIQA== X-Gm-Message-State: AOJu0YxhumGrSnknixNAh8p+l4c0jMEdtoRxiyQjfQJftSOc3BB3j8RF tSfPwNXsLCFDz5VSFi+VGhuGWgUKEr34wH0wXmICHhgAD9FkET8DOaHOtGVlag== X-Gm-Gg: ASbGncvlZH+ZpgHLY0BiyS9navbvcU+F2wU6G+KGgfyFAc7qqrDUdUkqjuD6st55nVJ nW5lsTDHn9YWu8NESDjMgRWstJv+t1WTFXa4FrRg72MVOn3o5N30zMGRq/2cKlVjZcfggkp93U2 to+TX9adbrNdyeQ1qr3MeZqWYKDIfk7axOylqHJtEll/HfDi6cL0B7MpgyPN1ZVn1itwmOfEoDa UHZnyf7aog0X1MCz8eNdzohmfOJw4Ai+lzBYtGwjCFfi3qDYD5ZpJJcuHPNZRh6dKKb4LltC5zn +8Ia0J8cMVMxcN1s0CIdX+qvIvbkDU0yUlSXKJ1soDLvNttavm/ke1crRdWI7OoIhNwSqsL/Ipi UuFqEExOKF1Llcv4zeUdrUv7jXWgpYLj7E7oztaNdiqJVVJQim7+nuqGhx/bzzYEeyFKbXbpjxw XFjcLseo6XN2ntUw== X-Google-Smtp-Source: AGHT+IFFmcr97JUhHn1O38+URMfC5NmjVpZ9+3kNwqmbaEFn34ONPpEHdUpL4VH5FXAjbJjXD1xWEQ== X-Received: by 2002:a17:907:2d92:b0:b73:51f3:a801 with SMTP id a640c23a62f3a-b7367bc52bamr57579866b.47.1763067276830; Thu, 13 Nov 2025 12:54:36 -0800 (PST) Received: from localhost ([109.238.218.228]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b734fa81331sm239112166b.9.2025.11.13.12.54.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Nov 2025 12:54:36 -0800 (PST) From: martin.jansa@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Martin Jansa Subject: [meta-python][PATCH 1/2] python3-checksec-py, python3-pylddwrap, python3-icontract: add recipes Date: Thu, 13 Nov 2025 21:54:30 +0100 Message-ID: <20251113205431.3489223-1-martin.jansa@gmail.com> X-Mailer: git-send-email 2.51.2 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 13 Nov 2025 20:54:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121658 From: Martin Jansa they were sent for meta-security long time ago in 2021: https://lists.yoctoproject.org/g/yocto/message/54470 but never merged there, now there are lief, docopt, rich, asttokens already in meta-python and checksec-py depends on lief version, e.g. https://github.com/Wenzel/checksec.py/commit/976d530867756d1393189708aa98308b07b1f3b2 is needed to fixcompatibility with newer lief currently in meta-python Signed-off-by: Martin Jansa --- ...1-main-Add-option-to-ignore-symlinks.patch | 81 +++++++++++++++++++ .../python/python3-checksec-py_0.7.5.bb | 23 ++++++ .../python/python3-icontract_2.6.6.bb | 14 ++++ .../python/python3-pylddwrap_1.2.2.bb | 26 ++++++ 4 files changed, 144 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch create mode 100644 meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb create mode 100644 meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb create mode 100644 meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb diff --git a/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch new file mode 100644 index 0000000000..3a99ba33e3 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch @@ -0,0 +1,81 @@ +From b540967b87394d855c26375ac5a9a7265f265053 Mon Sep 17 00:00:00 2001 +From: Maximilian Blenk +Date: Fri, 2 Jul 2021 14:42:25 +0200 +Subject: [PATCH] main: Add option to ignore symlinks + +When analyzing a complete rootfs (which might not be the rootfs of the +analyzing system) symlinks within that rootfs might be broken. In +particular absolute symlinks. However, if by chance such a symlink +currently points to a valid binary in your system, this binary pointed +to is analyzed. This commit adds the possibility to ignore symlinks to +files (symlinks to dirs are already ignored by default). This allows to +solve the issue described above, and if the whole rootfs is analyzed +there shouldn't be a loss of information (because all the binaries will +be analyzed anyway). Additionally, this also saves some time when +performing the analysis. + +Upstream-Status: Submitted [https://github.com/Wenzel/checksec.py/pull/106] +--- + checksec/__main__.py | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/checksec/__main__.py b/checksec/__main__.py +index a14862f..931d850 100644 +--- a/checksec/__main__.py ++++ b/checksec/__main__.py +@@ -8,6 +8,7 @@ Options: + -w WORKERS --workers=WORKERS Specify the number of process pool workers [default: 4] + -j --json Display results as JSON + -s LIBC --set-libc=LIBC Specify LIBC library to use to check for fortify scores (ELF) ++ -i --ignore-symlinks Ignore symlinks to files + -d --debug Enable debug output + -h --help Display this message + """ +@@ -27,18 +28,18 @@ from .pe import PEChecksecData, PESecurity, is_pe + from .utils import lief_set_logging + + +-def walk_filepath_list(filepath_list: List[Path], recursive: bool = False) -> Iterator[Path]: ++def walk_filepath_list(filepath_list: List[Path], recursive: bool = False, ignore_symlinks: bool = False) -> Iterator[Path]: + for path in filepath_list: + if path.is_dir() and not path.is_symlink(): + try: + if recursive: + for f in os.scandir(path): +- yield from walk_filepath_list([Path(f)], recursive) ++ yield from walk_filepath_list([Path(f)], recursive, ignore_symlinks) + else: + yield from (Path(f) for f in os.scandir(path)) + except OSError: + continue +- elif path.is_file(): ++ elif path.is_file() and (not ignore_symlinks or not path.is_symlink()): + yield path + + +@@ -75,6 +76,7 @@ def main(args): + json = args["--json"] + recursive = args["--recursive"] + libc_path = args["--set-libc"] ++ ignore_symlinks = args["--ignore-symlinks"] + + # logging + formatter = "%(asctime)s %(levelname)s:%(name)s:%(message)s" +@@ -110,7 +112,7 @@ def main(args): + # we need to consume the iterator once to get the total + # for the progress bar + check_output.enumerating_tasks_start() +- count = sum(1 for i in walk_filepath_list(filepath_list, recursive)) ++ count = sum(1 for i in walk_filepath_list(filepath_list, recursive, ignore_symlinks)) + check_output.enumerating_tasks_stop(count) + with ProcessPoolExecutor( + max_workers=workers, initializer=worker_initializer, initargs=(libc_path,) +@@ -119,7 +121,7 @@ def main(args): + check_output.processing_tasks_start() + future_to_checksec = { + pool.submit(checksec_file, filepath): filepath +- for filepath in walk_filepath_list(filepath_list, recursive) ++ for filepath in walk_filepath_list(filepath_list, recursive, ignore_symlinks) + } + for future in as_completed(future_to_checksec): + filepath = future_to_checksec[future] diff --git a/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb b/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb new file mode 100644 index 0000000000..82ef304849 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb @@ -0,0 +1,23 @@ +SUMMARY = "Recipe to embedded the Python PiP Package checksec_py" +HOMEPAGE = "https://pypi.org/project/checksec_py" +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464" + +PR = "r0" + +inherit pypi python_poetry_core +PYPI_PACKAGE = "checksec_py" +SRC_URI[sha256sum] = "892854f95d17a76d8f45a5c0cc597b9f1bebced3fffb9c7205d0baaf5eace886" + +SRC_URI += " \ + file://0001-main-Add-option-to-ignore-symlinks.patch \ +" + +RDEPENDS:${PN} += " \ + python3-docopt \ + python3-lief \ + python3-pylddwrap \ + python3-rich \ +" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb b/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb new file mode 100644 index 0000000000..5075a1a6a1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb @@ -0,0 +1,14 @@ +SUMMARY = "Recipe to embedded the Python PiP Package icontract" +HOMEPAGE = "https://pypi.org/project/icontract" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1d4a9b1f6b84bedf7a38843931e0dd57" + +PR = "r0" + +inherit pypi setuptools3 +PYPI_PACKAGE = "icontract" +SRC_URI[sha256sum] = "c1fd55c7709ef18a2ee64313fe863be2668b53060828fcca3525051160c92691" + +RDEPENDS:${PN} += "python3-asttokens" + +BBCLASSEXTEND = "native" diff --git a/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb b/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb new file mode 100644 index 0000000000..045ccb9f1e --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb @@ -0,0 +1,26 @@ +SUMMARY = "Recipe to embedded the Python PiP Package pylddwrap" +HOMEPAGE = "https://pypi.org/project/pylddwrap" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE;md5=48fd6c978d39a38b3a04f45a1456d0fa" + +inherit pypi setuptools3 +PYPI_PACKAGE = "pylddwrap" +SRC_URI[sha256sum] = "a70437fea7bca647c0e98161e1006ef49970267999c571b499760f1c43c6ba10" + +PR = "r0" + +RDEPENDS:${PN} += "python3-icontract" + +BBCLASSEXTEND = "native" + +do_install:append() { + # similarly to https://gitlab.com/akuster/meta-security/-/commit/0fd8e0f8cae612010bafecbff77ed9bb6f647a2d#4e154e295e639fd6c298ca644c75291eb99e0a57_0_16 + # but delete it from prefix and delete requirements.txt as well. + # ERROR: QA Issue: python3-pylddwrap: Files/directories were installed but not shipped in any package: + # /usr/README.rst + # /usr/requirements.txt + # /usr/LICENSE + # Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install. + # python3-pylddwrap: 3 installed and not shipped files. [installed-vs-shipped] + rm -f ${D}${prefix}/README.rst ${D}${prefix}/requirements.txt ${D}${prefix}/LICENSE +}