authorAndrew Geissler <geissonator@yahoo.com>2020-05-15 22:16:47 +0300
committerAndrew Geissler <geissonator@yahoo.com>2020-05-21 23:43:47 +0300
commit1fe918a07084c878d72cf8a7d1707f6598cc438f (patch)
tree4c68407364bab78c848876a89613f8075f2954f9 /meta-security/meta-security-isafw/lib/isafw/isafw.py
parentc182c62dd929fe69b57a12bc04099fcd09b5d436 (diff)
meta-security: subtree update:b72cc7f87c..95fe86eb98
André Draszik (1): linux-yocto: update the bbappend to 5.x Armin Kuster (36): README: add pull request option sssd: drop py2 support python3-fail2ban: update to latest Apparmor: fix some runtime depends linux-yocto-dev: remove "+" checksecurity: fix runtime issues buck-security: fix rdebends and minor style cleanup swtpm: fix configure error ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory bastille: convert to py3 tpm2-tools: update to 4.1.1 tpm2-tcti-uefi: fix build issue for i386 machine tpm2-tss: update to 2.3.2 ibmswtpm2: update to 1563 python3-fail2ban: add 2-3 conversion changes google-authenticator-libpam: install module in pam location apparmor: update to tip clamav: add bison-native to depend meta-security-isafw: import layer from Intel isafw: fix to work against master layer.conf: add zeus README.md: update to new maintainer clamav-native: missed bison fix secuirty*-image: remove dead var and minor cleanup libtpm: fix build issue over pod2man sssd: python2 not supported libseccomp: update to 2.4.3 lynis: add missing rdepends fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog chkrootkit: add rootkit recipe clamav: move to recipes-scanners checksec: move to recipe-scanners checksecurity: move to recipes-scanners buck-security: move to recipes-scanners arpwatch: add new recipe buck-security: fix runtime issue with missing per module Bartosz Golaszewski (3): linux: drop the bbappend for linux v4.x series classes: provide a class for generating dm-verity meta-data images dm-verity: add a working example for BeagleBone Black Haseeb Ashraf (1): samhain: dnmalloc hash fix for aarch64 and mips64 Jan Luebbe (2): apparmor: fix wrong executable permission on service file apparmor: update to 2.13.4 Jonatan Pålsson (10): README: Add meta-python to list of layer deps sssd: Add PACKAGECONFIG for python2 sssd: Fix typo in PACKAGECONFIG. 
cyrpto -> crypto sssd: DEPEND on nss if nothing else is chosen sssd: Sort PACKAGECONFIG entries sssd: Add autofs PACKAGECONFIG sssd: Add sudo PACKAGECONFIG sssd: Add missing files to SYSTEMD_SERVICE sssd: Add missing DEPENDS on jansson sssd: Add infopipe PACKAGECONFIG Kai Kang (1): sssd: fix for ldblibdir and systemd etc Martin Jansa (1): layer.conf: update LAYERSERIES_COMPAT for dunfell Mingli Yu (1): linux-yocto: update the bbappend to 5.x Pierre-Jean Texier via Lists.Yoctoproject.Org (1): google-authenticator-libpam: upgrade 1.07 -> 1.08 Yi Zhao (5): samhain: fix build with new version attr scap-security-guide: fix xml parsing error when build remediation files scap-security-guide: pass the correct schema file path to openscap-native openscap-daemon: add missing runtime dependencies samhain-server: add volatile file for systemd Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Diffstat (limited to 'meta-security/meta-security-isafw/lib/isafw/isafw.py')
-rw-r--r--meta-security/meta-security-isafw/lib/isafw/isafw.py158
1 files changed, 158 insertions, 0 deletions
diff --git a/meta-security/meta-security-isafw/lib/isafw/isafw.py b/meta-security/meta-security-isafw/lib/isafw/isafw.py
new file mode 100644
index 000000000..a1a76b8aa
--- /dev/null
+++ b/meta-security/meta-security-isafw/lib/isafw/isafw.py
@@ -0,0 +1,158 @@
+#
+# isafw.py - Main classes for ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+from __future__ import absolute_import, print_function
+
+import sys
+import traceback
+try:
+ # absolute import
+ import isafw.isaplugins as isaplugins
+except ImportError:
+ # relative import when installing as separate modules
+ import isaplugins
+try:
+ from bb import error
+except ImportError:
+ error = print
+
+__all__ = [
+ 'ISA_package',
+ 'ISA_pkg_list',
+ 'ISA_kernel',
+ 'ISA_filesystem',
+ 'ISA_config',
+ 'ISA',
+]
+
+# classes for representing objects for ISA plugins
+
+# source package
+
+
+class ISA_package:
+ # pkg name (mandatory argument)
+ name = ""
+ # full version (mandatory argument)
+ version = ""
+ licenses = [] # list of licences for all subpackages
+ aliases = [] # list of alias names for packages if exist
+ source_files = [] # list of strings of source files
+ patch_files = [] # list of patch files to be applied
+ path_to_sources = "" # path to the source files
+
+# package list
+
+
+class ISA_pkg_list:
+ # image name (mandatory argument)
+ img_name = ""
+ # path to the pkg list file (mandatory argument)
+ path_to_list = ""
+
+# kernel
+
+
+class ISA_kernel:
+ # image name (mandatory argument)
+ img_name = ""
+ # path to the kernel config file (mandatory argument)
+ path_to_config = ""
+
+# filesystem
+
+
+class ISA_filesystem:
+ # image name (mandatory argument)
+ img_name = ""
+ type = "" # filesystem type
+ # path to the fs location (mandatory argument)
+ path_to_fs = ""
+
+# configuration of ISAFW
+# if both whitelist and blacklist is empty, all avaliable plugins will be used
+# if whitelist has entries, then only whitelisted plugins will be used from a set of avaliable plugins
+# if blacklist has entries, then the specified plugins won't be used even
+# if avaliable and even if specified in whitelist
+
+
+class ISA_config:
+ plugin_whitelist = "" # comma separated list of plugins to whitelist
+ plugin_blacklist = "" # comma separated list of plugins to blacklist
+ cacert = None # If set, a CA certificate file that replaces the system default one
+ reportdir = "" # location of produced reports
+ logdir = "" # location of produced logs
+ timestamp = "" # timestamp of the build provided by build system
+ full_reports = False # produce full reports for plugins, False by default
+ machine = "" # name of machine build is produced for
+ la_plugin_image_whitelist = ""# whitelist of images for violating license checks
+ la_plugin_image_blacklist = ""# blacklist of images for violating license checks
+ arch = "" # target architecture
+
+class ISA:
+ def call_plugins(self, methodname, *parameters, **keywords):
+ for name in isaplugins.__all__:
+ plugin = getattr(isaplugins, name)
+ method = getattr(plugin, methodname, None)
+ if not method:
+ # Not having init() is an error, everything else is optional.
+ if methodname == "init":
+ error("No init() defined for plugin %s.\n"
+ "Skipping this plugin." %
+ (methodname, plugin.getPluginName()))
+ continue
+ if self.ISA_config.plugin_whitelist and plugin.getPluginName() not in self.ISA_config.plugin_whitelist:
+ continue
+ if self.ISA_config.plugin_blacklist and plugin.getPluginName() in self.ISA_config.plugin_blacklist:
+ continue
+ try:
+ method(*parameters, **keywords)
+ except:
+ error("Exception in plugin %s %s():\n%s" %
+ (plugin.getPluginName(),
+ methodname,
+ traceback.format_exc()))
+
+ def __init__(self, ISA_config):
+ self.ISA_config = ISA_config
+ self.call_plugins("init", ISA_config)
+
+ def process_package(self, ISA_package):
+ self.call_plugins("process_package", ISA_package)
+
+ def process_pkg_list(self, ISA_pkg_list):
+ self.call_plugins("process_pkg_list", ISA_pkg_list)
+
+ def process_kernel(self, ISA_kernel):
+ self.call_plugins("process_kernel", ISA_kernel)
+
+ def process_filesystem(self, ISA_filesystem):
+ self.call_plugins("process_filesystem", ISA_filesystem)
+
+ def process_report(self):
+ self.call_plugins("process_report")
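Review bot: The error() call in call_plugins for a plugin without init() passes two values, `(methodname, plugin.getPluginName())`, to a format string that has a single `%s`, so the `%` raises TypeError instead of logging. That branch sits before the try block and is only reached when methodname is "init", so the exception propagates out of ISA.__init__ rather than skipping the plugin; passing only the name, `"Skipping this plugin." % plugin.getPluginName())`, fixes it. Separately, ISA_config documents plugin_whitelist and plugin_blacklist as comma separated strings, and if they reach call_plugins in that form, `plugin.getPluginName() in self.ISA_config.plugin_blacklist` is a substring test. A plugin whose name is contained in a listed name would then be treated as listed, so a blacklist entry could silently disable a different checker. Splitting both values into exact names before the loop, and stating the expected type in the ISA_config comments, would remove that ambiguity.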