diff options
| author | Andrew Geissler <geissonator@yahoo.com> | 2020-05-15 22:16:47 +0300 |
|---|---|---|
| committer | Andrew Geissler <geissonator@yahoo.com> | 2020-05-21 23:43:47 +0300 |
| commit | 1fe918a07084c878d72cf8a7d1707f6598cc438f (patch) | |
| tree | 4c68407364bab78c848876a89613f8075f2954f9 /meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py | |
| parent | c182c62dd929fe69b57a12bc04099fcd09b5d436 (diff) | |
| download | openbmc-1fe918a07084c878d72cf8a7d1707f6598cc438f.tar.xz | |
meta-security: subtree update:b72cc7f87c..95fe86eb98
André Draszik (1):
linux-yocto: update the bbappend to 5.x
Armin Kuster (36):
README: add pull request option
sssd: drop py2 support
python3-fail2ban: update to latest
Apparmor: fix some runtime depends
linux-yocto-dev: remove "+"
checksecurity: fix runtime issues
buck-security: fix rdebends and minor style cleanup
swtpm: fix configure error
ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory
bastille: convert to py3
tpm2-tools: update to 4.1.1
tpm2-tcti-uefi: fix build issue for i386 machine
tpm2-tss: update to 2.3.2
ibmswtpm2: update to 1563
python3-fail2ban: add 2-3 conversion changes
google-authenticator-libpam: install module in pam location
apparmor: update to tip
clamav: add bison-native to depend
meta-security-isafw: import layer from Intel
isafw: fix to work against master
layer.conf: add zeus
README.md: update to new maintainer
clamav-native: missed bison fix
secuirty*-image: remove dead var and minor cleanup
libtpm: fix build issue over pod2man
sssd: python2 not supported
libseccomp: update to 2.4.3
lynis: add missing rdepends
fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
chkrootkit: add rootkit recipe
clamav: move to recipes-scanners
checksec: move to recipe-scanners
checksecurity: move to recipes-scanners
buck-security: move to recipes-scanners
arpwatch: add new recipe
buck-security: fix runtime issue with missing per module
Bartosz Golaszewski (3):
linux: drop the bbappend for linux v4.x series
classes: provide a class for generating dm-verity meta-data images
dm-verity: add a working example for BeagleBone Black
Haseeb Ashraf (1):
samhain: dnmalloc hash fix for aarch64 and mips64
Jan Luebbe (2):
apparmor: fix wrong executable permission on service file
apparmor: update to 2.13.4
Jonatan Pålsson (10):
README: Add meta-python to list of layer deps
sssd: Add PACKAGECONFIG for python2
sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
sssd: DEPEND on nss if nothing else is chosen
sssd: Sort PACKAGECONFIG entries
sssd: Add autofs PACKAGECONFIG
sssd: Add sudo PACKAGECONFIG
sssd: Add missing files to SYSTEMD_SERVICE
sssd: Add missing DEPENDS on jansson
sssd: Add infopipe PACKAGECONFIG
Kai Kang (1):
sssd: fix for ldblibdir and systemd etc
Martin Jansa (1):
layer.conf: update LAYERSERIES_COMPAT for dunfell
Mingli Yu (1):
linux-yocto: update the bbappend to 5.x
Pierre-Jean Texier via Lists.Yoctoproject.Org (1):
google-authenticator-libpam: upgrade 1.07 -> 1.08
Yi Zhao (5):
samhain: fix build with new version attr
scap-security-guide: fix xml parsing error when build remediation files
scap-security-guide: pass the correct schema file path to openscap-native
openscap-daemon: add missing runtime dependencies
samhain-server: add volatile file for systemd
Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Diffstat (limited to 'meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py')
| -rw-r--r-- | meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py | 273 |
1 files changed, 273 insertions, 0 deletions
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py new file mode 100644 index 000000000..20e7e26b9 --- /dev/null +++ b/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py @@ -0,0 +1,273 @@ +# +# ISA_la_plugin.py - License analyzer plugin, part of ISA FW +# Functionality is based on similar scripts from Clear linux project +# +# Copyright (c) 2015 - 2016, Intel Corporation +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# * Neither the name of Intel Corporation nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +import subprocess +import os, sys + +LicenseChecker = None + +flicenses = "/configs/la/licenses" +fapproved_non_osi = "/configs/la/approved-non-osi" +fexceptions = "/configs/la/exceptions" +funwanted = "/configs/la/violations" + + +class ISA_LicenseChecker(): + initialized = False + rpm_present = False + + def __init__(self, ISA_config): + self.logfile = ISA_config.logdir + "/isafw_lalog" + self.unwanted = [] + self.report_name = ISA_config.reportdir + "/la_problems_report_" + \ + ISA_config.machine + "_" + ISA_config.timestamp + self.image_pkg_list = ISA_config.reportdir + "/pkglist" + self.image_pkgs = [] + self.la_plugin_image_whitelist = ISA_config.la_plugin_image_whitelist + self.la_plugin_image_blacklist = ISA_config.la_plugin_image_blacklist + self.initialized = True + with open(self.logfile, 'a') as flog: + flog.write("\nPlugin ISA_LA initialized!\n") + # check that rpm is installed (supporting only rpm packages for now) + DEVNULL = open(os.devnull, 'wb') + rc = subprocess.call(["which", "rpm"], stdout=DEVNULL, stderr=DEVNULL) + DEVNULL.close() + if rc == 0: + self.rpm_present = True + else: + with open(self.logfile, 'a') as flog: + flog.write("rpm tool is missing! Licence info is expected from build system\n") + + def process_package(self, ISA_pkg): + if (self.initialized): + if ISA_pkg.name: + if (not ISA_pkg.licenses): + # need to determine licenses first + # for this we need rpm tool to be present + if (not self.rpm_present): + with open(self.logfile, 'a') as flog: + flog.write("rpm tool is missing and licence info is not provided. Cannot proceed.\n") + return; + if (not ISA_pkg.source_files): + if (not ISA_pkg.path_to_sources): + self.initialized = False + with open(self.logfile, 'a') as flog: + flog.write( + "No path to sources or source file list is provided!") + flog.write( + "\nNot able to determine licenses for package: " + ISA_pkg.name) + return + # need to build list of source files + ISA_pkg.source_files = self.find_files( + ISA_pkg.path_to_sources) + for i in ISA_pkg.source_files: + if (i.endswith(".spec")):# supporting rpm only for now + args = ("rpm", "-q", "--queryformat", + "%{LICENSE} ", "--specfile", i) + try: + popen = subprocess.Popen( + args, stdout=subprocess.PIPE) + popen.wait() + ISA_pkg.licenses = popen.stdout.read().split() + except: + self.initialized = False + with open(self.logfile, 'a') as flog: + flog.write( + "Error in executing rpm query: " + str(sys.exc_info())) + flog.write( + "\nNot able to process package: " + ISA_pkg.name) + return + for l in ISA_pkg.licenses: + if (not self.check_license(l, flicenses) and + not self.check_license(l, fapproved_non_osi) and + not self.check_exceptions(ISA_pkg.name, l, fexceptions)): + # log the package as not following correct license + with open(self.report_name, 'a') as freport: + freport.write(l + "\n") + if (self.check_license(l, funwanted)): + # log the package as having license that should not be + # used + with open(self.report_name + "_unwanted", 'a') as freport: + freport.write(l + "\n") + else: + self.initialized = False + with open(self.logfile, 'a') as flog: + flog.write( + "Mandatory argument package name is not provided!\n") + flog.write("Not performing the call.\n") + else: + with open(self.logfile, 'a') as flog: + flog.write( + "Plugin hasn't initialized! Not performing the call.") + + def process_report(self): + if (self.initialized): + with open(self.logfile, 'a') as flog: + flog.write("Creating report with violating licenses.\n") + self.process_pkg_list() + self.write_report_unwanted() + with open(self.logfile, 'a') as flog: + flog.write("Creating report in XML format.\n") + self.write_report_xml() + + def process_pkg_list(self): + if os.path.isfile (self.image_pkg_list): + img_name = "" + with open(self.image_pkg_list, 'r') as finput: + for line in finput: + line = line.strip() + if not line: + continue + if line.startswith("Packages "): + img_name = line.split()[3] + with open(self.logfile, 'a') as flog: + flog.write("img_name: " + img_name + "\n") + continue + package_info = line.split() + pkg_name = package_info[0] + orig_pkg_name = package_info[2] + if (not self.image_pkgs) or ((pkg_name + " from " + img_name) not in self.image_pkgs): + self.image_pkgs.append(pkg_name + " from " + img_name + " " + orig_pkg_name) + + def write_report_xml(self): + try: + from lxml import etree + except ImportError: + try: + import xml.etree.cElementTree as etree + except ImportError: + import xml.etree.ElementTree as etree + num_tests = 0 + root = etree.Element('testsuite', name='LA_Plugin', tests='2') + if os.path.isfile(self.report_name): + with open(self.report_name, 'r') as f: + class_name = "Non-approved-licenses" + for line in f: + line = line.strip() + if line == "": + continue + if line.startswith("Packages that "): + class_name = "Violating-licenses" + continue + num_tests += 1 + tcase1 = etree.SubElement( + root, 'testcase', classname=class_name, name=line.split(':', 1)[0]) + etree.SubElement( + tcase1, 'failure', message=line, type='violation') + else: + tcase1 = etree.SubElement( + root, 'testcase', classname='ISA_LAChecker', name='none') + num_tests = 1 + root.set('tests', str(num_tests)) + tree = etree.ElementTree(root) + output = self.report_name + '.xml' + try: + tree.write(output, encoding='UTF-8', + pretty_print=True, xml_declaration=True) + except TypeError: + tree.write(output, encoding='UTF-8', xml_declaration=True) + + def write_report_unwanted(self): + if os.path.isfile(self.report_name + "_unwanted"): + with open(self.logfile, 'a') as flog: + flog.write("image_pkgs: " + str(self.image_pkgs) + "\n") + flog.write("self.la_plugin_image_whitelist: " + str(self.la_plugin_image_whitelist) + "\n") + flog.write("self.la_plugin_image_blacklist: " + str(self.la_plugin_image_blacklist) + "\n") + with open(self.report_name, 'a') as fout: + with open(self.report_name + "_unwanted", 'r') as f: + fout.write( + "\n\nPackages that violate mandatory license requirements:\n") + for line in f: + line = line.strip() + pkg_name = line.split(':',1)[0] + if (not self.image_pkgs): + fout.write(line + " from image name not available \n") + continue + for pkg_info in self.image_pkgs: + image_pkg_name = pkg_info.split()[0] + image_name = pkg_info.split()[2] + image_orig_pkg_name = pkg_info.split()[3] + if ((image_pkg_name == pkg_name) or (image_orig_pkg_name == pkg_name)): + if self.la_plugin_image_whitelist and (image_name not in self.la_plugin_image_whitelist): + continue + if self.la_plugin_image_blacklist and (image_name in self.la_plugin_image_blacklist): + continue + fout.write(line + " from image " + image_name) + if (image_pkg_name != image_orig_pkg_name): + fout.write(" binary_pkg_name " + image_pkg_name + "\n") + continue + fout.write("\n") + os.remove(self.report_name + "_unwanted") + + def find_files(self, init_path): + list_of_files = [] + for (dirpath, dirnames, filenames) in os.walk(init_path): + for f in filenames: + list_of_files.append(str(dirpath + "/" + f)[:]) + return list_of_files + + def check_license(self, license, file_path): + with open(os.path.dirname(__file__) + file_path, 'r') as f: + for line in f: + s = line.rstrip() + curr_license = license.split(':',1)[1] + if s == curr_license: + return True + return False + + def check_exceptions(self, pkg_name, license, file_path): + with open(os.path.dirname(__file__) + file_path, 'r') as f: + for line in f: + s = line.rstrip() + curr_license = license.split(':',1)[1] + if s == pkg_name + " " + curr_license: + return True + return False + +# ======== supported callbacks from ISA ============= # + +def init(ISA_config): + global LicenseChecker + LicenseChecker = ISA_LicenseChecker(ISA_config) + + +def getPluginName(): + return "ISA_LicenseChecker" + + +def process_package(ISA_pkg): + global LicenseChecker + return LicenseChecker.process_package(ISA_pkg) + + +def process_report(): + global LicenseChecker + return LicenseChecker.process_report() + +# ==================================================== # |