authorAndrew Geissler <geissonator@yahoo.com>2020-08-21 23:57:21 +0300
committerAndrew Geissler <geissonator@yahoo.com>2020-08-21 23:57:24 +0300
commitb2fe863db1c3690813aab4707203ed8fbcdc7d52 (patch)
tree27a84d94039171ac770990b7ef9b258e843e3961 /meta-security/recipes-core
parent9d7e0aa351ef830384ea15f50f9ed0a9cf5ededd (diff)
meta-security: subtree update:066a04425c..787ba6faea
Armin Kuster (10): lynis: update to 3.0.0 security images: Move to recipe-core security packagegroups: move to recipes-core packagegroup-security-tpm: add more packages for building packagegroup-core-security: remove clamav for riscv* libsecomp: rv32/rv64 target builds are not supported yet packagegroup-core-security: remove libseccomp for riscv* libseccomp: update to 2.5.0 packagegroup-core-security: restore riscv64 for libssecomp trousers: Several Security fixes Charlie Davies (1): clamav: add INSTALL_CLAMAV_CVD flag to do_install Kai Kang (1): libseccomp: fix cross compile error for mips Yi Zhao (1): ibmswtpm2: upgrade 1563 -> 1628 Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: I0341c0d4cd61fb6ef7db6a29f9fc60de3caa822f
Diffstat (limited to 'meta-security/recipes-core')
-rw-r--r--meta-security/recipes-core/images/security-build-image.bb19
-rw-r--r--meta-security/recipes-core/images/security-client-image.bb16
-rw-r--r--meta-security/recipes-core/images/security-server-image.bb19
-rw-r--r--meta-security/recipes-core/images/security-test-image.bb33
-rw-r--r--meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb28
-rw-r--r--meta-security/recipes-core/packagegroup/packagegroup-core-security.bb66
6 files changed, 181 insertions, 0 deletions
diff --git a/meta-security/recipes-core/images/security-build-image.bb b/meta-security/recipes-core/images/security-build-image.bb
new file mode 100644
index 000000000..a8757f980
--- /dev/null
+++ b/meta-security/recipes-core/images/security-build-image.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "A small image for building meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-core-security \
+ os-release"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-build-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
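Review bot: `IMAGE_FEATURES += "ssh-server-openssh"` puts a listening sshd into this image with no comment on the expected authentication posture. If the build configuration also enables `debug-tweaks`, the image accepts root logins with an empty password over the network. I would add a comment above the line such as `# sshd is for lab access only; build without debug-tweaks or provision keys before exposing this image`. The same applies to the identical line in security-server-image.bb and security-test-image.bb.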
diff --git a/meta-security/recipes-core/images/security-client-image.bb b/meta-security/recipes-core/images/security-client-image.bb
new file mode 100644
index 000000000..f4ebc697c
--- /dev/null
+++ b/meta-security/recipes-core/images/security-client-image.bb
@@ -0,0 +1,16 @@
+DESCRIPTION = "A Client side Security example"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ os-release \
+ samhain-client \
+ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-client-image"
diff --git a/meta-security/recipes-core/images/security-server-image.bb b/meta-security/recipes-core/images/security-server-image.bb
new file mode 100644
index 000000000..4927e0ee5
--- /dev/null
+++ b/meta-security/recipes-core/images/security-server-image.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "A Serve side image for Security example "
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ samhain-server \
+ os-release "
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-server-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
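Review bot: The `DESCRIPTION` string has a typo and a trailing space ("A Serve side image for Security example "), and it does not mirror the wording of the client image. Suggest `DESCRIPTION = "A Server side Security example"` so the two recipes read as a pair. The trailing space inside the `IMAGE_INSTALL` closing quote (`os-release "`) is harmless but could be dropped at the same time.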
diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb
new file mode 100644
index 000000000..c71d7267d
--- /dev/null
+++ b/meta-security/recipes-core/images/security-test-image.bb
@@ -0,0 +1,33 @@
+DESCRIPTION = "A small image for testing meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
+
+INSTALL_CLAMAV_CVD = "1"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-core-security-ptest \
+ clamav \
+ tripwire \
+ checksec \
+ suricata \
+ samhain-standalone \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+ os-release \
+ "
+
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-test-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
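Review bot: `INSTALL_CLAMAV_CVD = "1"` is assigned here in the image recipe, but the commit message describes it as a flag consumed by clamav's `do_install`, and a variable set in one recipe is not visible when another recipe is parsed. Unless the clamav recipe (not shown on this page) already defaults it, this line probably has no effect; it belongs in distro or local configuration, or needs a comment explaining why it is kept here. Separately, `TEST_SUITES` lists `apparmor`, `sssd` and `smack` unconditionally, while the matching packages are only installed when the corresponding `DISTRO_FEATURES` entries are set. Those suites may therefore run against an image that lacks the software under test.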
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
new file mode 100644
index 000000000..cf34ded19
--- /dev/null
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
@@ -0,0 +1,28 @@
+DESCRIPTION = "Security ptest packagegroup"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit features_check
+
+REQUIRED_DISTRO_FEATURES = "ptest"
+
+PACKAGES = "\
+ ${PN} \
+ "
+
+ALLOW_EMPTY_${PN} = "1"
+
+SUMMARY_${PN} = "Security packages with ptests"
+RDEPENDS_${PN} = " \
+ ptest-runner \
+ samhain-standalone-ptest \
+ keyutils-ptest \
+ libseccomp-ptest \
+ python3-scapy-ptest \
+ suricata-ptest \
+ tripwire-ptest \
+ python3-fail2ban-ptest \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+ "
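Review bot: `libseccomp-ptest` is listed unconditionally in `RDEPENDS_${PN}`, whereas packagegroup-core-security.bb in this same commit gates `libseccomp` on `TUNE_FEATURES` because some riscv targets are unsupported. On such a target this packagegroup would pull in a package that cannot be built. Suggest the same guard, e.g. `${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp-ptest",d)} \`. The recipe also inherits only `features_check` and not `packagegroup`, unlike its sibling; `inherit packagegroup features_check` would keep the two consistent.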
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
new file mode 100644
index 000000000..c6342fdb2
--- /dev/null
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -0,0 +1,66 @@
+DESCRIPTION = "Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "\
+ packagegroup-core-security \
+ packagegroup-security-utils \
+ packagegroup-security-scanners \
+ packagegroup-security-ids \
+ packagegroup-security-mac \
+ "
+
+RDEPENDS_packagegroup-core-security = "\
+ packagegroup-security-utils \
+ packagegroup-security-scanners \
+ packagegroup-security-ids \
+ packagegroup-security-mac \
+ "
+
+SUMMARY_packagegroup-security-utils = "Security utilities"
+RDEPENDS_packagegroup-security-utils = "\
+ checksec \
+ nmap \
+ pinentry \
+ python3-scapy \
+ ding-libs \
+ keyutils \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
+ "
+
+SUMMARY_packagegroup-security-scanners = "Security scanners"
+RDEPENDS_packagegroup-security-scanners = "\
+ nikto \
+ checksecurity \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
+ "
+
+SUMMARY_packagegroup-security-audit = "Security Audit tools "
+RDEPENDS_packagegroup-security-audit = " \
+ buck-security \
+ redhat-security \
+ "
+
+SUMMARY_packagegroup-security-hardening = "Security Hardening tools"
+RDEPENDS_packagegroup-security-hardening = " \
+ bastille \
+ "
+
+SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
+RDEPENDS_packagegroup-security-ids = " \
+ tripwire \
+ samhain-standalone \
+ suricata \
+ "
+
+SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
+RDEPENDS_packagegroup-security-mac = " \
+ ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
+ "
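Review bot: `packagegroup-security-audit` and `packagegroup-security-hardening` get `SUMMARY_`/`RDEPENDS_` definitions but are missing from `PACKAGES`, so as written they are never produced and `buck-security`, `redhat-security` and `bastille` are not reachable through this recipe. Either add both names to `PACKAGES` (and to `RDEPENDS_packagegroup-core-security` if they are meant to be in the umbrella group) or remove the dead definitions. In addition, the `RDEPENDS` now vary with `TUNE_FEATURES`, while the packagegroup class defaults to an architecture-independent package; setting `PACKAGE_ARCH = "${TUNE_PKGARCH}"` before `inherit packagegroup` would stop the output differing between tunes under the same package name. It would also help to comment that the utils and scanners groups install network scanning tools (`nmap`, `nikto`, `python3-scapy`), so integrators do not add the umbrella group to a production image unintentionally.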