Bump buildroot to 2020.11-rc1 (#985)

* Update buildroot-patches for 2020.11-rc1 buildroot

* Update buildroot to 2020.11-rc1

Signed-off-by: Stefan Agner <stefan@agner.ch>

* Don't rely on sfdisk --list-free output

The --list-free (-F) argument does not allow machine readable mode. And
it seems that the output format changes over time (different spacing,
using size postfixes instead of raw blocks).

Use sfdisk json output and calculate free partition space ourselfs. This
works for 2.35 and 2.36 and is more robust since we rely on output which
is meant for scripts to parse.

* Migrate defconfigs for Buildroot 2020.11-rc1

In particular, rename BR2_TARGET_UBOOT_BOOT_SCRIPT(_SOURCE) to
BR2_PACKAGE_HOST_UBOOT_TOOLS_BOOT_SCRIPT(_SOURCE).

* Rebase/remove systemd patches for systemd 246

* Drop apparmor/libapparmor from buildroot-external

* hassos-persists: use /run as directory for lockfiles

The U-Boot tools use /var/lock by default which is not created any more
by systemd by default (it is under tmpfiles legacy.conf, which we no
longer install).

* Disable systemd-update-done.service

The service is not suited for pure read-only systems. In particular the
service needs to be able to write a file in /etc and /var. Remove the
service. Note: This is a static service and cannot be removed using
systemd-preset.

* Disable apparmor.service for now

The service loads all default profiles. Some might actually cause
problems. E.g. the profile for ping seems not to match our setup for
/etc/resolv.conf:
[85503.634653] audit: type=1400 audit(1605286002.684:236): apparmor="DENIED" operation="open" profile="ping" name="/run/resolv.conf" pid=27585 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

buildroot/package/libnids/0001-libpcap-use-pkg-config.patch

@@ -0,0 +1,48 @@
+configure.in: use pkg-config for libpcap detection
+
+The detection of libpcap was based in ${prefix}, which doesn't make
+sense in a cross-compilation context and can cause host leakage into
+the target build.
+
+So instead, let's use pkg-config to detect libpcap, since it is anyway
+already use in this configure.in to detect libglib.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+
+Index: b/configure.in
+===================================================================
+--- a/configure.in
++++ b/configure.in
+@@ -75,25 +75,13 @@
+      fi
+      ;;
+   esac ],
+-[ if test -f ${prefix}/include/pcap.h; then
+-     PCAP_CFLAGS="-I${prefix}/include"
+-     PCAPLIB="-L${exec_prefix}/lib -lpcap"
+-  elif test -f /usr/include/pcap/pcap.h; then
+-     PCAP_CFLAGS="-I/usr/include/pcap"
+-     PCAPLIB="-lpcap"
+-  else
+-	TMP=$LIBS
+-	LIBS="-lpcap $LIBS"
+-	AC_TRY_LINK([#include <pcap.h>], pcap_open_offline("",""),
+-	LIBPCAP_FOUND=1,LIBPCAP_FOUND=0)
+-	LIBS=$TMP
+-	if test $LIBPCAP_FOUND = 1 ; then
+-		PCAPLIB="-lpcap"
+-	else
+-		AC_ERROR(libpcap not found)
+-	fi
+-  fi
+-  AC_MSG_RESULT(yes) ]
++[
++    PKG_PROG_PKG_CONFIG
++    PKG_CHECK_MODULES(LIBPCAP, libpcap)
++    AC_MSG_RESULT(yes)
++    PCAP_CFLAGS=${LIBPCAP_CFLAGS}
++    PCAPLIB=${LIBPCAP_LIBS}
++]
+ )
+ AC_SUBST(PCAP_CFLAGS)
+ AC_SUBST(PCAPLIB)

buildroot/package/libnids/Config.in

@@ -0,0 +1,14 @@
+config BR2_PACKAGE_LIBNIDS
+	bool "libnids"
+	select BR2_PACKAGE_LIBPCAP
+	help
+	  Libnids is an implementation of an E-component of Network
+	  Intrusion Detection System.
+
+	  libnids watches all local network traffic, and provides
+	  convenient information on them to perform further analysis.
+
+	  Libnids offers IP defragmentation, TCP stream assembly, TCP
+	  port scan detection.
+
+	  http://libnids.sourceforge.net/

buildroot/package/libnids/libnids.hash

@@ -0,0 +1,3 @@
+# Locally calculated
+sha256 314b4793e0902fbf1fdb7fb659af37a3c1306ed1aad5d1c84de6c931b351d359  libnids-1.24.tar.gz
+sha256 91df39d1816bfb17a4dda2d3d2c83b1f6f2d38d53e53e41e8f97ad5ac46a0cad  COPYING

buildroot/package/libnids/libnids.mk

@@ -0,0 +1,46 @@
+################################################################################
+#
+# libnids
+#
+################################################################################
+
+LIBNIDS_VERSION = 1.24
+LIBNIDS_SITE = https://sourceforge.net/projects/libnids/files/libnids/$(LIBNIDS_VERSION)
+LIBNIDS_LICENSE = GPL-2.0
+LIBNIDS_LICENSE_FILES = COPYING
+LIBNIDS_INSTALL_STAGING = YES
+LIBNIDS_DEPENDENCIES = host-pkgconf libpcap
+LIBNIDS_AUTORECONF = YES
+
+# CVE-2010-0751 was fixed in libnids v1.24 but the NVD database is not
+# aware of the fix, ignore it until this is updated
+LIBNIDS_IGNORE_CVES += CVE-2010-0751
+
+# disable libnet if not available
+# Tests in configure.in expect --with-libnet=$build_dir
+# not an installation patch like in our context.
+# We use with-libnet=yes to skip the unusual paths tests.
+# But 'LNETLIB' gets left out, so we need to define it ourselves.
+ifeq ($(BR2_PACKAGE_LIBNET),y)
+LIBNIDS_DEPENDENCIES += libnet
+LIBNIDS_CONF_OPTS += --enable-libnet --with-libnet=yes LNETLIB=-lnet
+else
+LIBNIDS_CONF_OPTS += --disable-libnet
+endif
+
+# disable libglib2 if not available
+# The test in configure.in is flawed: passing --enable-libglib would also
+# disable it. Only when neither is passed will the autodetection test be
+# executed.
+ifeq ($(BR2_PACKAGE_LIBGLIB2),y)
+LIBNIDS_DEPENDENCIES += libglib2
+else
+LIBNIDS_CONF_OPTS += --disable-libglib
+endif
+
+# hand-written Makefile.in, not using automake, needs a custom
+# variable for the installation path.
+LIBNIDS_INSTALL_STAGING_OPTS = install_prefix=$(STAGING_DIR) install
+LIBNIDS_INSTALL_TARGET_OPTS = install_prefix=$(TARGET_DIR) install
+
+$(eval $(autotools-package))