diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-06-19 04:44:24 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-06-19 05:22:02 +0300 |
| commit | 15ae2509e522678e761046cdb8693291c09cf78c (patch) | |
| tree | d05707c63625ea7880e4f15dfd6355e55fb258e5 /meta-security/meta-integrity/recipes-security | |
| parent | c7537e7c9f1306129bc0f793c217c6646191b45e (diff) | |
| download | openbmc-15ae2509e522678e761046cdb8693291c09cf78c.tar.xz | |
subtree updates
meta-openembedded: f3018013ff..3b245e4fe8:
Adrian Bunk (8):
Remove start-stop-daemon
dvb-apps: Remove workaround patch for ancient target compilers
Remove ipsec-tools and umip
gpsd: Switch PACKAGECONFIG[qt] from Qt4 to Qt5
samba: Upgrade 4.8.11 -> 4.8.12
recipes-devtools: Move back from meta-networking to meta-perl
wireless-regdb: Upgrade 2019.03.01 -> 2019.06.03
mcelog: Remove manual RDEPENDS from PN-ptest to PN package
Alejandro del Castillo (1):
apache2: add all extra/*.conf to conffiles
Alistair Francis (1):
python-obd: Uprade from 0.7.0 to 0.7.1
Andreas Müller (1):
python-six: put python2/3 variant together
Andrei Gherzan (2):
modemmanager: Update to 1.10.0
networkmanager: Update to 1.18.0
Ankit Navik (1):
safec: Initial recipe for safe C library
Carlos Rafael Giani (1):
openh264: Fix armv7ve build
Changqing Li (11):
syslog-ng: add rconflict for package syslog-ng-libs
netkit-telnet: add rconflicts
samba/libldb: add rconflicts
php-fpm-apache: fix module path
phoronix-test-suite: upgrade from 8.6.0 -> 8.8.1
python-pygobject: upgrade 3.28.3 -> 3.32.1
rrdtool: upgrade 1.7.1 -> 1.7.2
php: upgrade 7.3.4 -> 7.3.6
xf86-video-ati: upgrade 18.0.1 -> 19.0.1
pavucontrol: upgrade 3.0 -> 4.0
multipath-tools: upgrade 0.8.0 -> 0.8.1
Herman van Hazendonk (1):
Geoclue: Update to 2.5.3
Hongxu Jia (4):
rrdtool: improve reproducibility
crash: do not use unstable github archive tarballs
postgresql: improve reproducibility
net-snmp: split net-snmp-config to package net-snmp-dev
Hongzhi.Song (1):
spice: fix compile errors on 32bit system
Horvath, Chris (1):
lcov: Upgrade 1.11 -> 1.14
James Feist (1):
libgpiod: Enable cxx bindings by default
Kai Kang (16):
xfce4-session: 4.13.1 -> 4.13.2
xfce4-screensaver: add recipe
packagegroup-xfce-extended: add xfce4-screensaver
lxdm: provides fake gdmflexiserver for xfce desktop environment
thunar: 1.8.4 -> 1.8.6
xfdesktop: 4.13.3 -> 4.13.4
xfce4-panel: 4.13.4 -> 4.13.5
thunar-volman: 0.9.1 -> 0.9.2
xfce4-appfinder: 4.13.2 -> 4.13.3
libxfce4util: 4.13.2 -> 4.13.3
xfwm4: 4.13.1 -> 4.13.2
xfconf: 4.13.6 -> 4.13.7
libxfce4ui: 4.13.4 -> 4.13.5
xfce4-power-manager: 1.6.1 -> 1.6.2
xfce4-settings: set default theme Adwaita
lxdm: provides fake gdmflexiserver for xfce desktop environment
Khem Raj (8):
libnfc: Fix build with musl
openocd: Fix build on x86_64
spice,spice-protocol: Uprev to 0.14.0
udisks: Install bash_completion script in OE familiar dir
udisks: Remove bash dependency
python-jsmin,python-pytoml,python-which: Add recipes
mozjs: Upgrade to version 60.x
polkit: Upgrade to 0.116
Liwei Song (1):
turbostat: copy bits.h from kernel to turbostat
Marek Belisko (1):
libsrtp: Fix compilation and add pkgconfig
Martin Jansa (17):
igmpproxy: remove 0001-src-igmpproxy.h-Include-sys-types.h-for-u_short-u_in.patch and _GNU_SOURCE
ne10, libopus: add armv7ve override as well
pidgin: upgrade to 2.13.0
funyahoo-plusplus, icyque, pidgin-sipe, purple-skypeweb: add couple plugins for pidgin
hunspell: use git fetcher instead of github archive
hunspell-dictionaries: import from meta-luneos to make hunspell in meta-oe a bit more useful
ttf-mplus, ttf-vlgothic: add ttf-mplus license
android-tools-conf: import one more improvement for android-gadget-setup from meta-luneos
uriparser: upgrade to 0.9.3
libmikmod: fix SRC_URI
leptonica: fix SRC_URI
libmikmod: upgrade to 3.3.11.1
open-vm-tools: refresh the patches so that they can be easily applied with devtool or git am
open-vm-tools: import gcc9 fixes from fedora
spice: append to CFLAGS instead of +=
cpprest: temporary ignore deprecated-copy and redundant-move errors detected by gcc9
oprofile: drop virtual/kernel dependency and switch back to TUNE_PKGARCH
Mingli Yu (4):
mariadb: Upgrade to 10.3.15
kea: Upgrade to 1.5.0
hwloc: Upgrade to 1.11.12
kea: replace -Og with -O
Naveen Saini (1):
pm-graph: add recipe
Oleksandr Kravchuk (12):
opensaf: update to 5.19.03
python-ldap: update to 3.2.0
rp-pppoe: update to 3.13
atftp: update to 0.7.2
ipcalc: update to 2.2.3
mtr: update to 0.92
nbd: update to 3.19
mdns: update to 878.200.35
lldpd: update to 1.0.3
libp11: update to 0.4.10
nano: update to 4.2
libspatialite: update to 4.3.0a
Ovidiu Panait (1):
xfsprogs: Fix host contamination
Paolo Valente (1):
s-suite: push SRCREV to version 3.4
Pascal Bach (1):
rocksdb: 5.18.3 -> 6.0.2
Qi.Chen@windriver.com (2):
polkit: fix CVE-2019-6133
.gitignore: add *.pyc and *.pyo
Randy MacLeod (1):
imagemagick: update from 7.0.8-43 to 7.0.8-47
Robert Joslyn (4):
cryptsetup: Add PACKAGECONFIG options
lmsensors: Update to 3.5.0
xfce4-session: Add xrdb RDEPENDS
xfce4-session: Reformat DEPENDS and RDEPENDS
Slater, Joseph (1):
php-7: mark two tests as expected to fail
Stefan Agner (1):
haveged: fix CPU cache size detection
Tim Orling (13):
libterm-readkey-perl: upgrade 2.37 -> 2.38; fix upstream check; enable ptest
libtest-deep-perl: add recipe for v1.128
libcgi-perl: upgrade 4.38 -> 4.43; enable ptest
libcrypt-openssl-guess-perl: rename from libcrypt-openssl-guess; enable ptest
libcrypt-openssl-rsa-perl: upgrade 0.30 -> 0.31; enable ptest
libcrypt-openssl-random-perl: upgrade 0.11 -> 0.15; enable ptest
libextutils-installpaths-perl: upgrade 0.011 -> 0.012; enable ptest
libexutils-config-perl: enable ptest
libhtml-tagset-perl: add recipe for v3.20
libhtml-parser-perl: enable ptest
libstrictures-perl: upgrade 2.000003 -> 2.000006; enable ptest
libxml-libxml-perl: enable ptest
libcapture-tiny-perl: upgrade 0.46 -> 0.48; enable ptest
William A. Kennington III via Openembedded-devel (1):
cli11: 1.6.2 -> 1.7.1
Yi Zhao (8):
python-ldap: add python-pyasn1 and python-pyasn1-modules as runtime dependencies
fuse: upgrade 2.9.8 -> 2.9.9
yaffs2-utils: update to latest master
xfsprogs: upgrade 4.18.0 -> 5.0.0
fcgi: upgrade 2.4.1+git -> 2.4.2
xdebug: upgrade 2.7.0RC2 -> 2.7.2
phpmyadmin: upgrade 4.8.5 -> 4.9.0.1
openipmi: upgrade 2.0.25 -> 2.0.27
Zang Ruochen (13):
python-pywbem: solved the conflict with python3-pywbem
python3-pywbem:solved the conflict with python-pywbem
python-pbr: upgrade 5.2.0 -> 5.2.1
python-mako: upgrade 1.0.10 -> 1.0.12
python-babel: upgrade 2.6.0 -> 2.7.0
python-cachetools: upgrade 3.1.0 -> 3.1.1
python-cryptography: upgrade 2.6.1 -> 2.7
python-cryptography-vectors: upgrade 2.6.1 -> 2.7
python-cython: upgrade 0.29.7 -> 0.29.10
python-lxml: upgrade 4.3.3 -> 4.3.4
python-psutil: upgrade 5.6.2 -> 5.6.3
python-requests: upgrade 2.21.0 -> 2.22.0
python-urllib3: upgrade 1.25.2 -> 1.25.3
nick83ola (5):
nginx: update to version 1.17.0
nginx: update stable version to 1.16.0
nginx: add PACKAGECONFIG[http-auth-request]
nginx: fix kill path in nginx systemd unit file
uthash: do not use unstable github archive tarballs
thstead (1):
Upgraded python-pysnmp from version 4.3.5. to 4.4.9.
Łukasz Łaguna (1):
gsl: update to version 2.5
meta-security: 9f5cc2a7eb..c28b72e91d:
Armin Kuster (17):
checksec: update to 1.11.1
keyutils: fix library install path
checksec: add runtime test
meta-integrity: port over from meta-intel-iot-security
layer.conf: add LAYERSERIES_COMPAT
README: update
ima-evm-utils: cleanup and update to tip
ima.cfg: update to 5.0 kernel
linux: update bbappend
base-files: add appending to automount securityfs
ima-policy-hashed: add new recipe
ima_policy_simple: add another sample policy
policy: add ima appraise all policy
data: remove policies
initramfs: clean up to pull in packages.
runtime qa: moderize ima test
image: add image for testing
Changqing Li (1):
samhain: add rconflict for client and server mode
Zang Ruochen (4):
bastille: solved the conflict with perl-module-text-wrap and base-files
python-scapy: Remove redundant sed operations
python-scapy: solved the conflict with python3-scapy
python3-scapy: solved the conflict with python-scapy
leimaohui (1):
python3-fail2ban: Fix build error of xrange.
poky: 797916f93a..111b7173fe:
Adrian Bunk (25):
nss-myhostname: Stop trying to build for musl
systemd: Some upstreamable musl patches have been upstreamed
libnss-mdns: Stop trying to build for musl
icu: Remove workaround for musl issue fixed upstream 2 years ago
socat: Remove workaround for musl issue now fixed upstream
ofono: Use external ell instead of an internal copy
ofono: Fix another race condition during the build
squashfs-tools: Mark as incompatible with musl
apt: Remove workaround patches for no longer supported host distributions
m4/tar: Remove remove-gets.patch
pinentry: Switch pinentry-qt from Qt4 to Qt5
librsvg: Replace workaround for old host systems with upstream fix
vim: Move PACKAGECONFIG[gtkgui] from GTK 2 to GTK 3
Remove Go 1.11
go: Remove INSANE_SKIP_* textrel that are now handled in go.bbclass
dpkg: Remove workaround patches for no longer supported host distributions
lrzsz: Add implicit declaration fixes from Debian
tcp-wrappers: Add compile warning fixes from Debian
libpam: Upgrade 1.3.0 -> 1.3.1
vte: Fix the license information
gcc: Remove 0006-gcc-disable-MASK_RELAX_PIC_CALLS-bit.patch
openssl: Upgrade 1.1.1b -> 1.1.1c
Remove manual RDEPENDS from PN-ptest to PN package
ref-manual: Remove irda feature
lttng-modules: Upgrade 2.10.9 -> 2.10.10
Adrian Freihofer (3):
qemurunner: fix undefined variable
testimage: consider QB_DEFAULT_FSTYPE
runqemu: QB_FSINFO to support fstype wic images
Alejandro Enedino Hernandez Samaniego (1):
python-numpy: Avoid installing copy of f2py script
Alejandro Hernandez Samaniego (2):
newlib: Upgrade to 3.1.0
newlib: export CC_FOR_TARGET as CC
Alejandro del Castillo (1):
opkg-utils: upgrade to version 0.4.1
Alex Kiernan (2):
kernel-fitimage: uboot-sign: Check UBOOT_DTB_BINARY before adding deps
systemd: Backport OpenSSL BUF_MEM fix
Alexander Kanavin (53):
vim: split the common part into vim.inc
libpcre2: upgrade 10.32 -> 10.33
librepo: upgrade 1.9.6 -> 1.10.2
libmodulemd: upgrade 2.2.3 -> 2.4.0
libmodulemd: fix erroneous linking against v2 library when v1 was requested
createrepo-c: upgrade 0.12.2 -> 0.14.0
libdazzle: upgrade 3.32.1 -> 3.32.2
adwaita-icon-theme: upgrade 3.30.1 -> 3.32.0
bison: upgrade 3.1 -> 3.3.2
atk: upgrade 2.30.0 -> 2.32.0
python3-mako: upgrade 1.0.9 -> 1.0.10
nss: upgrade 3.43 -> 3.44
go: update 1.12.1->1.12.5
systemtap: upgrade 4.0 -> 4.1
gawk: upgrade 4.2.1 -> 5.0.0
alsa-plugins: upgrade 1.1.8 -> 1.1.9
alsa-utils: upgrade 1.1.8 -> 1.1.9
alsa-lib: upgrade 1.1.8 -> 1.1.9
lz4: upgrade 1.9.0 -> 1.9.1
libxcrypt: upgrade 4.4.4 -> 4.4.6
python3-pip: upgrade 19.0.3 -> 19.1.1
pkgconf: upgrade 1.6.0 -> 1.6.1
at-spi2-core: upgrade 2.30.0 -> 2.32.1
at-spi2-atk: upgrade 2.30.0 -> 2.32.0
glib-networking: upgrade 2.60.1 -> 2.60.2
libsoup-2.4: upgrade 2.66.1 -> 2.66.2
x264: upgrade to latest revision
linux-firmware: upgrade to latest revision
python3-pbr: upgrade 5.1.3 -> 5.2.0
bash-completion: upgrade 2.8 -> 2.9
gst-examples: upgrade to 1.16.0
acpica: upgrade 20190405 -> 20190509
freetype: upgrade 2.9.1 -> 2.10.0
usbutils: upgrade 010->012
webkitgtk: update to 2.24.2
epiphany: update to 3.32.2
btrfs-tools: update to 5.1
iproute2: upgrade 5.0.0 -> 5.1.0
chkconfig: do not use unstable github archive tarballs
chkconfig: fix upstream version check
perl: update to 5.30.0
piglit: upgrade to latest revision
ccache: fix upstream version check
Revert "ncurses: fix incorrect UPSTREAM_CHECK_GITTAGREGEX"
sysstat: add UPSTREAM_VERSION_UNKNOWN
python3-pygments: add a recipe
gtk-doc: upgrade 1.29 -> 1.30
libpsl: fix the gtk-doc 1.30 build
source-highlight: remove the recipe
mesa-demos: update to 8.4.0
glib-2.0: udpate 2.58.3 -> 2.60.3
gdk-pixbuf: update 2.38.0 -> 2.38.1
gtk+3: update 3.24.5 -> 3.24.8
Alistair Francis (3):
gdb: Upgrade from 8.2.1 to 8.3
gnu-config: Update to latest SHA
qemu: Backport the arm segfault fix
Andreas Müller (1):
gsettings-desktop-schemas: upgrade 3.28.1 -> 3.32.0
Andrei Gherzan (1):
ca-certificates: Fix openssl runtime dependencies
Anuj Mittal (8):
Revert "image_types: use pigz to create .gz files"
Revert "pigz: pigz is not gzip"
libva: upgrade 2.4.0 -> 2.4.1
ffmpeg: add PACKAGECONFIG for mfx
libpam: fix upstream version check
serf: cleanup recipe
scons: inherit python3native
python3-scons: fix regex replacing python by python3
Bonnans, Laurent (1):
kernel-uboot: compress arm64 kernels
Bruce Ashfield (11):
linux-yocto/5.0: update to v5.0.13
linux-yocto/4.19: update to v4.19.40
linux-yocto/4.19: update to v4.19.44
kernel: package modules.builtin.modinfo
linux-yocto-dev: bump to v5.2-rc
linux-yocto/5.0: update to v5.0.17
linux-yocto-rt/5.0: update to -rt9
linux-yocto/5.0: update to v5.0.19
linux-yocto-rt/5.0: update to -rt11
linux-yocto/5.0: fix systemtap on arm
linux-yocto: ptest: Add SCSI debug configuration for util-linux
Carlos Rafael Giani (6):
gstreamer1.0-plugins-base: upgrade to version 1.16.0
gstreamer1.0-plugins-good: upgrade to version 1.16.0
gstreamer1.0-plugins-bad: upgrade to version 1.16.0
gstreamer1.0-plugins-ugly: upgrade to version 1.16.0
gstreamer1.0-libav: upgrade to version 1.16.0
gstreamer1.0-vaapi: upgrade to version 1.16.0
Changqing Li (8):
connman: add networkmanager as rconflict
dropbear: add openssh/openssh-sshd as rconflict
busybox-inittab/sysvinit-inittab: add rconflicts
inetutils: fix wrong package name
systemd: add rconflicts
tiny-init: add rconflicts
multilib: add override for image recipe
qemu: fix qemu ptest cannot work
Chee Yang Lee (3):
wic: bootimg-efi: add label source parameter
wic/engine: include .wks.in in wic search and list
wic/plugins: kernel image refer to KERNEL_IMAGETYPE
Chen Qi (5):
libxfont2: set CVE_PRODUCT
systemd: avoid musl specific patches affect glibc systems
util-linux: upgrade to 2.33.2
oescripts.py: avoid error when cairo module is not available
context.py: fix skipping function
Chris Laplante (5):
base.bbclass: Add OE_EXTRA_IMPORTS
bitbake: knotty: allow progress rate for indeterminate bars
bitbake: build: extract progress handler creation logic into its own method
bitbake: build/progress: use context managers for progress handlers
bitbake: build: implement custom progress handlers injected via OE_EXTRA_IMPORTS
David Frey (1):
bluez5: manage udev dependency with PACKAGECONFIG
David Reyna (1):
bitbake: toaster: Fix Thud Bitbake release metadata
Diego Rondini (1):
bluez5: fix obex packaging
Douglas Royds via Openembedded-core (1):
json-c: Backport --disable-werror patch to allow compilation under icecc
Fabio Berton (3):
mesa: Update 19.0.3 -> 19.0.5
mesa: Update 19.0.5 -> 19.0.6
mesa: Update 19.0.6 -> 19.1.0
Filip Jareš (1):
recipes: Fix license "names"/versions.
Haiqing Bai (1):
kernel.bbclass: Make task clean depend on cleaning of make-mod-scripts
He Zhe (1):
lttng-modules: Add git based recipe
Hongxu Jia (5):
grub/grub-efi: fix unrecognized command line option '-pipe-Wno-error' in CFLAGS
lib/oe/reciputils.py: support character `+' in git pv
groff: improve reproducibility
diffutils/run-ptest: support to run at arbitrary path
openssh: fix potential signed overflow in pointer arithmatic
Jaewon Lee (2):
gstreamer1.0-python_1.16.0.bb: Override libpython dir
devicetree.bbclass: Combine stderr into stdout to see actual dtc error
Jean-Marie LEMETAYER (4):
npm: get npm package name from npm pack
npm: fix node and npm default directory conflict
npm: remove some temporary build files
bitbake: bitbake: fetch2/npm: fix npw view parsing
Jiping Ma (1):
dhcp:"dhclient -x eth0" action is not correct.
Joe Slater (1):
slang: modify an array test
Jon Mason (2):
resulttool: modify to be multi-machine
resulttool: Remove prints if no tests occur
Jonathan Rajotte (4):
lttng-tools: prevent test timeout when lttng-modules is not present
lttng-tools: add lttng-modules to ptest dependencies
liburcu: update to 0.11.0
liburcu: update to 0.11.1
Joshua Watt (11):
avahi: Add PACKAGECONFIG for libdns_sd
perl: Preserve attributes when applying cross files
btrfs-tools: Pass DEBUG_MAP_PREFIX flags to Python
bitbake: bitbake: cooker: Rename __depends in all multiconfigs
bitbake: bitbake: Show base multiconfig environment
perl: Set build date to SOURCE_DATE_EPOCH
glibc-locale: DEPEND on virtual/libc
zip: Remove build date to improve reproducibility
classes/package: Sort ELF file list
bash: Replace uninative loader path in ptest
oeqa: Add reproducible build selftest
Kai Kang (3):
systemd-conf: configure wired network with dhcp
qemu/qemu-system-native: depend bison-native
openssl: fix failure of ptest test_shlibload
Kevin Hao (3):
runqemu: Add the support to pass multi ports to tcpserial parameter
oeqa/utils/qemurunner: Set both the threadport&serverport with tcpserial parameter
tune-thunderx: Set the correct PACKAGE_EXTRA_ARCHS_tune-thunderx
Khem Raj (6):
mesa: Fix a case when gbm is enabled but DRIDRIVERS is not defined
ofono: Add TEMP_FAILURE_RETRY optional definition
Revert "musl: Add TEMP_FAILURE_RETRY from glibc"
binutils: Workaround mips assembler crash on target
musl: Upgrade to master tip
gdb: Let gdbserver be empty for riscv64
Lei Maohui (1):
meson.bbclass: Make meson support aarch64_be.
Luca Boccassi (2):
python*-setuptools: add separate packages for pkg_resources module
mdadm: use ${systemd_unitdir} rather than /lib/systemd
Maciej Pijanowski (1):
recipetool: add python3 support
Mariano López (3):
util-linux: Add missing ptest dependencies
util-linux: Stop udevd to run ptests
linux-yocto: Add scsi_debug module when ptest is in DISTRO_FEATURES
Mark Hatle (1):
bitbake: svn.py: Stop SVN from directly pulling from an external layer w/o fetcher
Martin Jansa (5):
python: add a fix for CVE-2019-9948 and CVE-2019-9636
glib-networking: add PACKAGECONFIG for openssl
bc: use u-a for bc as well
opkg-utils: fix opkg-list-fields script
pigz: install pigz, unpigz, pigzcat in native and nativesdk builds again
Matthias Schiffer (1):
bitbake: fetch2: runfetchcmd(): unset _PYTHON_SYSCONFIGDATA_NAME
Matthias Schoepfer via Openembedded-core (1):
python3: fix build on softfloat mips
Michael Ho (1):
base.bbclass: add named SRCREVs to the sstate hash
Mike Crowe (1):
cmake: Avoid passing empty prefix to os.path.relpath
Mingli Yu (3):
elfutils: fix ptest failures
dbus: Upgrade to 1.12.16
dbus-test: Upgrade 1.12.16
Nicola Lunghi (3):
connman: fix segfault with musl >v1.1.21
rng-tools: recipe cleanup
rng-tools: harmonise systemd and sysvinit
Oleksandr Kravchuk (6):
ethtool: update to 5.1
file: update to 5.37
p11-kit: update to 0.23.16.1
popt: fix SRC_URI
selftest/devtool: fix URI to MarkupSafe package
bitbake: cooker: list all nonexistent bblayer directories
Oliver Stäbler (1):
packagegroup-core-full-cmdline: Make nfs-utils/rpcbind optional
Peter Kjellerstedt (3):
texinfo-dummy-native: A little clean up of template.py
texinfo-dummy-native: Rewrite template.py to use argparse
package.bbclass: Clean up writing of runtime pkgdata files
Philippe Normand (9):
gstreamer1.0: upgrade to version 1.16.0
gstreamer1.0-omx: upgrade to version 1.16.0
gstreamer1.0-rtsp-server: upgrade to version 1.16.0
gstreamer1.0-python: upgrade to version 1.16.0
gst-validate: upgrade to version 1.16.0
cmake: Use compiler launcher variable when ccache is enabled
at-spi2: Make X11 support truly optional
gnutls: Use ca-certificates as default trust store file
gnutls: Use the sysconfdir variable for the ca-certificates path
Quentin Schulz (2):
meta: license: fix non-SPDX license being removed from INCOMPATIBLE_LICENSE
selftests: add tests for INCOMPATIBLE_LICENSE
Randy MacLeod (6):
valgrind: Make ptest timestamps copasetic
valgrind: add 'file' to ptest depends
util-linux: add setpriv utility
libcap-ng: split into libcap-ng/libcap-ng-python
ptest-runner: enable child procs as session leader
bash: use setpriv, sed.sed to run ptests
Richard Purdie (46):
perl-rdepends: Add missing module dependencies
bash: Fix bash-ptest dependencies
openssh: Add sudo dependency for ptest
libpcre: Add make dependency for ptest
m4: Add coreutils and diffutils dependency for ptest
perl/modules: Add various missing ptest perl module dependencies
layer.conf: Whitelist lttng-tools->lttng-modules dependency
tcmode-default: Make gcc9 the default
lttng-tools: Fix patch Upstream-Status
mesa: Fix patch Upstream-Status
uninative-tarball: Fix file generation after class changes
populate_sdk_base: Use highest compression level for xz
uninative-tarball: Use xz compression and SDK_ARCHIVE_CMD
strace: Tweak ptest disk space management
ptest-packagelists: Add mdadm
util-linux: Fix ptest dependencies
mdadm: Add missing ptest dependency
yocto-uninative: Update to 2.5 release
uninative: Switch from bz2 to xz
bitbake: main: Fix error message typo
qemuarm64: Add QB_CPU_KVM to allow kvm acceleration
runqemu: Add support for kvm on aarch64
useradd: Fix build architecture corruption of sstate artefacts
useradd: Ensure do_populate_sysroot has dependency on useradd variables
beaglebone-yocto: Add missing wic image u-boot deploy dependency
quilt: Add patch depends for quilt-ptest
libtest-needs-perl: Fix ptest dependencies
libtimedate-perl: Fix ptest dependencies
perl: Add missing perl module dependency
liburi-perl: Fix module ptest dependencies
libconvert-aan1-perl: Fix module and ptest dependencies
libxml-sax-perl: Fix module ptest dependencies
libxml-perl: Fix module and ptest dependencies
e2fsprogs: Fix missing ptest dependencies
glib-2.0: ptest fixes
openssh: Add missing ptest dependency on coreutils
gpg_sign/selftest: Fix secmem parameter handling
gawk: ptest fixes
openssh: Document skipped test dependency
multiconfig: Adapt to bitbake switch 'multiconfig' -> 'mc'
bitbake: multiconfig: Switch from 'multiconfig' -> 'mc'
bitbake: cooker: Add compability handling for multiconfig: prefix migration
build-appliance-image: Update to master head revision
bitbake: cooker: Ensure mcdeps are processed even if only one multiconfig
perl: Fix setgroup call regression from 5.30
perl: Move perl-sanity -> perl
Ross Burton (13):
insane: add sanity checks to SRC_URI
libidn2: upgrade to 2.2.0
local.conf.sample: change default MACHINE to qemux86-64
libical: tidy up Perl finding
wic/filemap: handle FIGETBSZ failing
libxslt: add comment saying when a workaround can be removed
parted: swap patches for the commits that landed upstream
parted: drop patch for linux <2.6.20 support
python-nose: python3-nose should be default
bluez: fix test case failures with GCC 9
efivar: add
efibootmgr: add
gstreamer1.0-libav: disable API documentation
Sakib Sajal (4):
bash: add iso8859-1 gconv RDEPENDS needed by bash-ptest.
bash: add big5hkscs gconv RDEPENDS needed by bash-ptest.
bash: run bash ptest as non-root user
ptest-runner: update SRCREV to latest HEAD on ptest-runner2 repo
Scott Rifenbark (17):
sdk-manual: Added link to BB manual fetcher section.
ref-manual: Updated "do_fetch" to have a link to "Fetchers"
dev-manual, ref-manual: removed "distrodata" class
ref-manual: Removed bugzilla.bbclass
ref-manual: Removed "distutils-tools" class.
ref-manual: Udated devtool help output examples.
ref-manual: New section "Checking Upgrade Status of a Recipe"
dev-manual: Added check-upgrade-status blurb to upgrading recipes
ref-manual: do_checkpkg - added link to checking upgrade status
ref-manual: Updates to check-recipe-upgrade devtool command
ref-manual: Grammar correction
dev-manual: Added new section for creating NPM packages
Makefile: Updated to support new NPM package creation section
dev-manual: Updated the "Working with Packages" list
ref-manual: Updated "npm.bbclass" section.
overview-manual: Updated SCM section
dev-manual: Fixed grammar issue.
Tim Orling (8):
libxml-parser-perl: fix ptest dependencies
perl-rdepends.txt: improve dependencies for perl module ptests
perl: install Config_git.pl
perl-rdepends.txt: fix perl-module-data-dumper dependencies
python3-scons-{native}: add recipe for v3.0.5
scons.bbclass: use python3-scons
serf: switch to python3-scons-native
oeqa/runtime: add simple test for scons
Tom Rini (2):
vim: Rework things so vim adds features not vim-tiny removes
vim: Update to 8.1.1518 to fix CVE-2019-12735
Yeoh Ee Peng (3):
resulttool/resultutils: Enable add extra configurations to results
resulttool/store: Enable add EXECUTED_BY config to results
resulttool/merge: Enable control TESTSERIES and extra configurations
Zang Ruochen (3):
openssh: Upgrade 7.9p1 -> 8.0p1
dbus: Upgrade 1.12.12 -> 1.12.14
dbus-test: Upgrade 1.12.12 -> 1.12.14
Zhixiong Chi (2):
gcc: reduce the variables in symtab
gcc: CVE-2018-12886
sangeeta jain (1):
resulttool/manualexecution: Enable creation of test case configuration
meta-raspberrypi: 7059c37451..40283f583b:
Andrei Gherzan (1):
gstreamer1.0-omx: Forward port bbappend and patches to v1.16.x
Khem Raj (4):
linux-raspberrypi_4.19.bb: Update to 4.19.44
rpi-default-versions: Switch defaults to 4.19
userland: Update to 20190501
firmware: Update 20190220 -> 20190517
malus-brandywine (1):
sdcard_image-rpi : minor bug in use of FATPAYLOAD
Change-Id: Idab4e8c2666bc776d0b47988a32dcb9f04885aff
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-security/meta-integrity/recipes-security')
14 files changed, 545 insertions, 0 deletions
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch new file mode 100644 index 000000000..5ccb73d9b --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch @@ -0,0 +1,65 @@ +From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:08:43 +0300 +Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL + +There is no need to link to full libssl. evmctl uses functions from +libcrypto, so let's link only against that library. + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + configure.ac | 4 +--- + src/Makefile.am | 9 ++++----- + 2 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 60f3684..32e8d85 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -24,9 +24,7 @@ LT_INIT + # Checks for header files. + AC_HEADER_STDC + +-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) +-AC_SUBST(OPENSSL_CFLAGS) +-AC_SUBST(OPENSSL_LIBS) ++PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ]) + AC_SUBST(KERNEL_HEADERS) + AC_CHECK_HEADER(unistd.h) + AC_CHECK_HEADERS(openssl/conf.h) +diff --git a/src/Makefile.am b/src/Makefile.am +index d74fc6f..b81281a 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,11 +1,11 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) ++libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +-libimaevm_la_LIBADD = $(OPENSSL_LIBS) ++libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) + + include_HEADERS = imaevm.h + +@@ -17,12 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) ++evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) +-evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la ++evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + + INCLUDES = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +- +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch new file mode 100644 index 000000000..8237274ca --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch @@ -0,0 +1,43 @@ +From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:17:12 +0300 +Subject: [PATCH 2/4] ima-evm-utils: replace INCLUDES with AM_CPPFLAGS + +Replace INCLUDES variable with AM_CPPFLAGS to stop Automake from warning +about deprecated variable usage. + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + src/Makefile.am | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index b81281a..164e7e4 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,7 +1,7 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) ++libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +@@ -17,11 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) ++evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) + evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + +-INCLUDES = -I$(top_srcdir) -include config.h ++AM_CPPFLAGS = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch new file mode 100644 index 000000000..3d250d2fc --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch @@ -0,0 +1,31 @@ +From c587ec307a6259a990bfab727cea7db28dba4c23 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:22:30 +0300 +Subject: [PATCH 3/4] ima-evm-utils: include hash-info.gen into distribution + +Include hash-info.gen into tarball and call it from the sourcedir to fix +out-of-tree build (and thus 'make distcheck'). + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + src/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 164e7e4..9c037e2 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -11,8 +11,9 @@ include_HEADERS = imaevm.h + + nodist_libimaevm_la_SOURCES = hash_info.h + BUILT_SOURCES = hash_info.h ++EXTRA_DIST = hash_info.gen + hash_info.h: Makefile +- ./hash_info.gen $(KERNEL_HEADERS) >$@ ++ $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@ + + bin_PROGRAMS = evmctl + +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch new file mode 100644 index 000000000..4ada1a271 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch @@ -0,0 +1,34 @@ +From b9f327c5c513ccea9cb56d4bbd50c1f66d629099 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:24:04 +0300 +Subject: [PATCH 4/4] ima-evm-utils: update .gitignore files + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + .gitignore | 1 + + src/.gitignore | 1 + + 2 files changed, 2 insertions(+) + create mode 100644 src/.gitignore + +diff --git a/.gitignore b/.gitignore +index ca7a06e..cb82166 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -45,6 +45,7 @@ cscope.* + ncscope.* + + # Generated documentation ++*.1 + *.8 + *.5 + manpage.links +diff --git a/src/.gitignore b/src/.gitignore +new file mode 100644 +index 0000000..38e8e3c +--- /dev/null ++++ b/src/.gitignore +@@ -0,0 +1 @@ ++hash_info.h +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch new file mode 100644 index 000000000..35c316270 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch @@ -0,0 +1,68 @@ +From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Fri, 30 Sep 2016 10:22:16 +0200 +Subject: [PATCH] command line: apply operation to all paths + +Previously, invocations like "evmctl ima_hash foo bar" silently +ignored all parameters after the first path name ("foo" in this +example). + +Now evmctl iterates over all specified paths. It aborts with an +error as soon as the selected operation fails for a path. + +Supporting more than one parameter is useful in combination with +"find" and "xargs" because it is noticably faster than invoking +evmutil separately for each file, in particular when run under pseudo +(a fakeroot environment used by the OpenEmbedded build system). + +This complements the recursive mode and can be used when more control +over file selection is needed. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + src/evmctl.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 23cf54c..2072034 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type) + static int do_cmd(struct command *cmd, find_cb_t func) + { + char *path = g_argv[optind++]; +- int err, dts = REG_MASK; /* only regular files by default */ ++ int err = 0, dts = REG_MASK; /* only regular files by default */ + + if (!path) { + log_err("Parameters missing\n"); +@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func) + return -1; + } + +- if (recursive) { +- if (search_type) { +- dts = get_file_type(path, search_type); +- if (dts < 0) +- return dts; ++ while (path && !err) { ++ if (recursive) { ++ if (search_type) { ++ dts = get_file_type(path, search_type); ++ if (dts < 0) ++ return dts; ++ } ++ err = find(path, dts, func); ++ } else { ++ err = func(path); + } +- err = find(path, dts, func); +- } else { +- err = func(path); ++ path = g_argv[optind++]; + } + + return err; +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch new file mode 100644 index 000000000..75076f52f --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch @@ -0,0 +1,50 @@ +From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 13 May 2015 03:41:02 -0700 +Subject: [PATCH] Makefile.am: disable man page creation + +Depends on asciidoc, which is not available. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + Makefile.am | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 06ebf59..4ddd52c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1,5 +1,5 @@ + SUBDIRS = src +-dist_man_MANS = evmctl.1 ++# dist_man_MANS = evmctl.1 + + doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh + EXTRA_DIST = autogen.sh $(doc_DATA) +@@ -39,4 +39,21 @@ rmman: + + doc: evmctl.1.html rmman evmctl.1 + ++# requires asciidoc, xslproc, docbook-xsl ++# FIXME Disabled until docbook-xsl is unavaliable on tizen.org ++#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl ++# ++#evmctl.1.html: README ++# @asciidoc -o $@ $< ++# ++#evmctl.1: ++# asciidoc -d manpage -b docbook -o evmctl.1.xsl README ++# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl ++# rm -f evmctl.1.xsl ++# ++#rmman: ++# rm -f evmctl.1 ++# ++#doc: evmctl.1.html rmman evmctl.1 ++ + .PHONY: $(tarname) +-- +1.8.4.5 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch new file mode 100644 index 000000000..c0bdd9b49 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch @@ -0,0 +1,47 @@ +From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 17 Jun 2015 14:28:18 +0200 +Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines + +Compilation on older Linux distros (like Ubuntu 12.04) fails +because linux/xattr.h does not yet have the IMA defines. Compiling +there makes sense when only the tools are needed, for example when +signing an image in cross-compile mode. + +To support this, add fallbacks for the two defines which are needed. +Their value is part of the Linux ABI and thus fixed. + +Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + +--- + src/evmctl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/evmctl.c b/src/evmctl.c +index c54efbb..23cf54c 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -56,6 +56,18 @@ + #include <ctype.h> + #include <termios.h> + ++/* ++ * linux/xattr.h might be old to have this. Allow compilation on older ++ * Linux distros (like Ubuntu 12.04) by falling back to our own ++ * definition. ++ */ ++#ifndef XATTR_IMA_SUFFIX ++# define XATTR_IMA_SUFFIX "ima" ++#endif ++#ifndef XATTR_NAME_IMA ++# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX ++#endif ++ + #include <openssl/sha.h> + #include <openssl/pem.h> + #include <openssl/hmac.h> +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb new file mode 100644 index 000000000..929d85348 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -0,0 +1,41 @@ +DESCRIPTION = "IMA/EVM control utility" +LICENSE = "GPL-2.0-with-OpenSSL-exception" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +DEPENDS += "openssl attr keyutils" + +DEPENDS_class-native += "openssl-native keyutils-native" + +PV = "1.0+git${SRCPV}" +SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167" +SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils" + +# Documentation depends on asciidoc, which we do not have, so +# do not build documentation. +SRC_URI += "file://disable-doc-creation.patch" + +# Workaround for upstream incompatibility with older Linux distros. +# Relevant for us when compiling ima-evm-utils-native. +SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch" + +# Required for xargs with more than one path as argument (better for performance). +SRC_URI += "file://command-line-apply-operation-to-all-paths.patch" + +SRC_URI += "\ + file://0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch \ + file://0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch \ + file://0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch \ + file://0004-ima-evm-utils-update-.gitignore-files.patch \ +" +S = "${WORKDIR}/git" + +inherit pkgconfig autotools + +EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" + +# blkid is called by evmctl when creating evm checksums. +# This is less useful when signing files on the build host, +# so disable it when compiling on the host. +RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all new file mode 100644 index 000000000..36e71a7d6 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all @@ -0,0 +1,29 @@ +# +# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything) +# +# Do not measure anything, but appraise everything +# +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 + +appraise diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb new file mode 100644 index 000000000..b58d3fed9 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb @@ -0,0 +1,18 @@ +SUMMARY = "IMA sample simple appraise policy " +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_appraise_all" + +SRC_URI = " file://${IMA_POLICY}" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed new file mode 100644 index 000000000..7f89c8d98 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed @@ -0,0 +1,77 @@ +# With this policy, all files on regular partitions are +# appraised. Files with signed IMA hash and normal hash are +# accepted. Signed files cannot be modified while hashed files can be +# (which will also update the hash). However, signed files can +# be deleted, so in practice it is still possible to replace them +# with a modified version. +# +# Without EVM, this is obviously not very secure, so this policy is +# just an example and/or basis for further improvements. For that +# purpose, some comments show what could be added to make the policy +# more secure. +# +# With EVM the situation might be different because access +# to the EVM key can be restricted. +# +# Files which are appraised are also measured. This allows +# debugging whether a file is in policy by looking at +# /sys/kernel/security/ima/ascii_runtime_measurements + +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +dont_measure fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +dont_measure fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +dont_measure fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +dont_measure fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +dont_measure fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +dont_measure fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +dont_measure fsmagic=0x6e736673 +# SMACK_MAGIC +dont_appraise fsmagic=0x43415d53 +dont_measure fsmagic=0x43415d53 +# CGROUP_SUPER_MAGIC +dont_appraise fsmagic=0x27e0eb +dont_measure fsmagic=0x27e0eb +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 +dont_measure fsmagic=0xde5e81e4 + +# Special partition, no checking done. +# dont_measure fsuuid=a11234... +# dont_appraise fsuuid=a11243... + +# Special immutable group. +# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200 + +# All executables must be signed - too strict, we need to +# allow installing executables on the device. +# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC +# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC + +# Default rule. Would be needed also when other rules were added that +# determine what to do in case of reading (mask=MAY_READ or +# mask=MAY_EXEC) because otherwise writing does not update the file +# hash. +appraise +measure diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb new file mode 100644 index 000000000..3352daa03 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb @@ -0,0 +1,20 @@ +SUMMARY = "IMA sample hash policy" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_hashed" + +SRC_URI = " \ + file://${IMA_POLICY} \ +" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple new file mode 100644 index 000000000..38ca8f53d --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple @@ -0,0 +1,4 @@ +# Very simple policy demonstrating the systemd policy loading bug +# (policy with one line works, two lines don't). +dont_appraise fsmagic=0x9fa0 +dont_appraise fsmagic=0x62656572 diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb new file mode 100644 index 000000000..17132aa22 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb @@ -0,0 +1,18 @@ +SUMMARY = "IMA sample simple policy" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_simple" + +SRC_URI = " file://${IMA_POLICY}" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" |