From 79a9b58170c3452b5cb7ad33746f9cef16c012db Mon Sep 17 00:00:00 2001
From: Huang Xin
Date: Tue, 28 Jun 2022 08:20:28 -0700
Subject: [PATCH] 1. add strace tools. 2. add libcap to change network caps. 3. add avs user input rights
---
 ..._NAME_CAPS-is-defined-when-it-is-use.patch | 32 +++++++
 ...-Raise-the-size-of-arrays-containing.patch | 34 ++++++++
 ...-tests-do-not-run-target-executables.patch | 30 +++++++
 .../recipes-support/libcap/libcap_2.64.bb | 83 +++++++++++++++++++
 .../images/mtk-image-aud-8516.bb | 1 +
 .../recipes-core/base-files/base-files/group | 2 +-
 6 files changed, 181 insertions(+), 1 deletion(-)
 create mode 100644 meta/meta-mediatek-aud/recipes-support/libcap/files/0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch
 create mode 100644 meta/meta-mediatek-aud/recipes-support/libcap/files/0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch
 create mode 100644 meta/meta-mediatek-aud/recipes-support/libcap/files/0002-tests-do-not-run-target-executables.patch
 create mode 100644 meta/meta-mediatek-aud/recipes-support/libcap/libcap_2.64.bb
diff --git a/meta/meta-mediatek-aud/recipes-support/libcap/files/0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch b/meta/meta-mediatek-aud/recipes-support/libcap/files/0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch
new file mode 100644
index 000000000..05c771ac1
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/libcap/files/0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch
@@ -0,0 +1,32 @@
+Ensure the XATTR_NAME_CAPS is defined when it is used
+
+Upstream-Status: Pending
+
+VFS_CAP_U32 can not ensure that XATTR_NAME_CAPS is defined, and failed to build
+libcap-native in old release, like CentOS release 6.7 (Final), with the blow
+error:
+ cap_file.c: In function ‘cap_get_fd’:
+ cap_file.c:199: error: ‘XATTR_NAME_CAPS’ undeclared (first use in this function)
+ cap_file.c:199: error: (Each undeclared identifier is reported only once
+
+Signed-off-by: Roy Li
+---
+ libcap/cap_file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcap/cap_file.c b/libcap/cap_file.c
+index 40756ea..e27ca80 100644
+--- a/libcap/cap_file.c
++++ b/libcap/cap_file.c
+@@ -25,7 +25,7 @@ extern int fremovexattr(int, const char *);
+ 
+ #include "libcap.h"
+ 
+-#ifdef VFS_CAP_U32
++#if defined (VFS_CAP_U32) && defined (XATTR_NAME_CAPS)
+ 
+ #if VFS_CAP_U32 != __CAP_BLKS
+ # error VFS representation of capabilities is not the same size as kernel
+--
+2.8.1
+
diff --git a/meta/meta-mediatek-aud/recipes-support/libcap/files/0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch b/meta/meta-mediatek-aud/recipes-support/libcap/files/0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch
new file mode 100644
index 000000000..9884fb564
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/libcap/files/0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch
@@ -0,0 +1,34 @@
+From fc60e000169618a4adced845b9462d36ced1efdd Mon Sep 17 00:00:00 2001
+From: Hongxu Jia
+Date: Thu, 14 Oct 2021 15:57:36 +0800
+Subject: [PATCH] nativesdk-libcap: Raise the size of arrays containing dl
+ paths
+
+This patch puts the dynamic loader path in the binaries, SYSTEM_DIRS strings
+and lengths as well as ld.so.cache path in the dynamic loader to specific
+sections in memory. The sections that contain paths have been allocated a 4096
+byte section, which is the maximum path length in linux. This will allow the
+relocating script to parse the ELF binary, detect the section and easily replace
+the strings in a certain path.
+
+Upstream-Status: Inappropriate [SDK specific]
+
+Signed-off-by: Hongxu Jia
+
+---
+ libcap/execable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcap/execable.h b/libcap/execable.h
+index fee17b4..5bb0c55 100644
+--- a/libcap/execable.h
++++ b/libcap/execable.h
+@@ -23,7 +23,7 @@
+ #endif
+ #define __EXECABLE_H
+ 
+-const char __execable_dl_loader[] __attribute((section(".interp"))) =
++const char __execable_dl_loader[4096] __attribute((section(".interp"))) =
+ SHARED_LOADER ;
+ 
+ static void __execable_parse_args(int *argc_p, char ***argv_p)
diff --git a/meta/meta-mediatek-aud/recipes-support/libcap/files/0002-tests-do-not-run-target-executables.patch b/meta/meta-mediatek-aud/recipes-support/libcap/files/0002-tests-do-not-run-target-executables.patch
new file mode 100644
index 000000000..20346cf2f
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/libcap/files/0002-tests-do-not-run-target-executables.patch
@@ -0,0 +1,30 @@
+From 10212b6d4e8843feffbeab5336342d97f3a46bb2 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin
+Date: Fri, 20 Dec 2019 16:54:05 +0100
+Subject: [PATCH] tests: do not run target executables
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin
+
+---
+ tests/Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tests/Makefile b/tests/Makefile
+index ecb7d1b..8950c73 100644
+--- a/tests/Makefile
++++ b/tests/Makefile
+@@ -61,13 +61,11 @@ endif
+ 
+ # unprivileged
+ run_psx_test: psx_test
+- ./psx_test
+ 
+ psx_test: psx_test.c $(DEPS)
+ $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $< -o $@ $(LINKEXTRA) $(LIBPSXLIB)
+ 
+ run_libcap_psx_test: libcap_psx_test
+- ./libcap_psx_test
+ 
+ libcap_psx_test: libcap_psx_test.c $(DEPS)
+ $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) $(LIBPSXLIB)
diff --git a/meta/meta-mediatek-aud/recipes-support/libcap/libcap_2.64.bb b/meta/meta-mediatek-aud/recipes-support/libcap/libcap_2.64.bb
new file mode 100644
index 000000000..2b22fce85
--- /dev/null
+++ b/meta/meta-mediatek-aud/recipes-support/libcap/libcap_2.64.bb
@@ -0,0 +1,83 @@
+SUMMARY = "Library for getting/setting POSIX.1e capabilities"
+DESCRIPTION = "A library providing the API to access POSIX capabilities. \
+These allow giving various kinds of specific privileges to individual \
+users, without giving them full root permissions."
+HOMEPAGE = "http://sites.google.com/site/fullycapable/"
+# no specific GPL version required
+LICENSE = "BSD-3-Clause | GPL-2.0-only"
+LIC_FILES_CHKSUM_PAM = "file://pam_cap/License;md5=0ad4c9c052b9719ee4fce1bfc7c7dee4"
+LIC_FILES_CHKSUM = "\
+ file://License;md5=e2370ba375efe9e1a095c26d37e483b8 \
+ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${LIC_FILES_CHKSUM_PAM}', '', d)} \
+"
+
+DEPENDS = "hostperl-runtime-native gperf-native"
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${PV}.tar.xz \
+ file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
+ file://0002-tests-do-not-run-target-executables.patch \
+ file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \
+ "
+SRC_URI[sha256sum] = "c8465e1f0b068d5fc06199231135ccac7adb56d662b1de93589252e8cd071e13"
+
+UPSTREAM_CHECK_URI = "https://www.kernel.org/pub/linux/libs/security/linux-privs/${BPN}2/"
+
+# inherit lib_package
+
+PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}"
+PACKAGECONFIG_class-native ??= ""
+
+PACKAGECONFIG[pam] = "PAM_CAP=yes,PAM_CAP=no,libpam"
+
+EXTRA_OEMAKE = " \
+ INDENT= \
+ lib='${baselib}' \
+ RAISE_SETFCAP=no \
+ DYNAMIC=yes \
+ USE_GPERF=yes \
+"
+
+EXTRA_OEMAKE_append_class-target = " SYSTEM_HEADERS=${STAGING_INCDIR}"
+
+do_compile() {
+ unset CFLAGS BUILD_CFLAGS
+ oe_runmake \
+ ${PACKAGECONFIG_CONFARGS} \
+ AR="${AR}" \
+ CC="${CC}" \
+ RANLIB="${RANLIB}" \
+ OBJCOPY="${OBJCOPY}" \
+ COPTS="${CFLAGS}" \
+ BUILD_COPTS="${BUILD_CFLAGS}"
+}
+
+do_install() {
+ oe_runmake install \
+ ${PACKAGECONFIG_CONFARGS} \
+ DESTDIR="${D}" \
+ prefix="${prefix}" \
+ SBINDIR="${sbindir}"
+}
+
+do_install_append() {
+ # Move the library to base_libdir
+ install -d ${D}${base_libdir}
+ install -d ${D}${sbindir}
+
+ install -m 0755 ${B}/progs/setcap ${D}${sbindir}/setcap
+
+ if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
+ mv ${D}${libdir}/libcap* ${D}${base_libdir}
+ if [ -d ${D}${libdir}/security ]; then
+ mv ${D}${libdir}/security ${D}${base_libdir}
+ fi
+ fi
+}
+
+FILES_${PN}-dev += "${base_libdir}/*.so"
+
+# pam files
+FILES_${PN} = "${base_libdir}/security/*.so"
+FILES_${PN} += "${sbindir}/* /lib64/* /usr/lib64/*"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/meta-mediatek-mt8516/recipes-audio/images/mtk-image-aud-8516.bb b/meta/meta-mediatek-mt8516/recipes-audio/images/mtk-image-aud-8516.bb
index 3273c37c4..2d03847c2 100755
--- a/meta/meta-mediatek-mt8516/recipes-audio/images/mtk-image-aud-8516.bb
+++ b/meta/meta-mediatek-mt8516/recipes-audio/images/mtk-image-aud-8516.bb
@@ -81,6 +81,7 @@ IMAGE_INSTALL_append = " \
 json-c \
 libev \
 iptables \
+ strace \
 "
 
 install_proc() {
diff --git a/meta/poky/meta/recipes-core/base-files/base-files/group b/meta/poky/meta/recipes-core/base-files/base-files/group
index 5bb5bad9f..9509e244b 100644
--- a/meta/poky/meta/recipes-core/base-files/base-files/group
+++ b/meta/poky/meta/recipes-core/base-files/base-files/group
@@ -12,7 +12,7 @@ uucp:x:10:
 man:x:12:
 proxy:x:13:
 kmem:x:15:
-input:x:19:
+input:x:19:avs
 dialout:x:20:
 fax:x:21:
 voice:x:22:
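Review bot: `FILES_${PN} = "${base_libdir}/security/*.so"` discards the default package contents and the following `FILES_${PN} += "${sbindir}/* /lib64/* /usr/lib64/*"` hard-codes 64-bit library directories, so the libcap runtime libraries that `do_install_append` moves into `${D}${base_libdir}` are only packaged when `${base_libdir}` happens to be `/lib64`, and `/lib64/*` also sweeps up anything else that lands there; use the variables instead, e.g. `FILES_${PN} += "${base_libdir}/security/*.so ${base_libdir}/lib*${SOLIBS}"` and keep the default `${sbindir}/*`. Separately, `0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch` is listed in the unconditional `SRC_URI` even though its own header marks it `Upstream-Status: Inappropriate [SDK specific]`, so every target and native binary gets the 4096-byte `.interp` section; scoping it with `SRC_URI_append_class-nativesdk = " file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch"` limits it to the SDK build the patch was written for. The extra `install -m 0755 ${B}/progs/setcap ${D}${sbindir}/setcap` appears to duplicate what `oe_runmake install ... SBINDIR="${sbindir}"` already installs; if it is intentional, a one-line comment stating why (e.g. `# make install skips setcap with RAISE_SETFCAP=no -- verify`) would save the next reader the question.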
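Review bot: `strace` is appended to `IMAGE_INSTALL_append` unconditionally, so a ptrace-based process tracer ships in every build of this audio image, including release builds, which widens what an attacker with a local shell can inspect. Gate it on a debug-only configuration instead, e.g. `IMAGE_FEATURES += "tools-debug"` (which in oe-core typically brings in strace via its debug packagegroup) or a `${@bb.utils.contains('DISTRO_FEATURES', 'debug-tweaks', 'strace', '', d)}` entry, so production images do not carry it. The `IMAGE_INSTALL_append` assignment starts before this hunk, so other debug-only entries in that list cannot be checked here.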
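Review bot: The `avs` membership in `input` is written directly into `meta/poky/meta/recipes-core/base-files/base-files/group`, the upstream poky copy of the file, so it will be silently lost on the next poky update and it grants `avs` every device node that udev assigns to the `input` group, not only the one this user presumably needs. Keep the change in the BSP layer instead: ship an overriding `group` file through a `base-files_%.bbappend` with `FILESEXTRAPATHS_prepend`, or let the recipe that creates the `avs` user add the membership via the useradd class, e.g. `GROUPMEMS_PARAM_${PN} = "--add avs --group input"`. The recipe that creates the `avs` user is not part of this commit, so whether it already inherits useradd cannot be confirmed from here.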