author | Andrew Geissler <geissonator@yahoo.com> | 2020-10-16 18:14:32 +0300 |
---|---|---|
committer | Andrew Geissler <geissonator@yahoo.com> | 2020-10-16 18:14:41 +0300 |
commit | d1d22e6713c601a72ff7329133cd86f30ac3d6ce (patch) | |
tree | ed4f67876b562f45b5e9ca3b3f6406445af535af /meta-security/recipes-security/opendnssec/files | |
parent | 5c4154ffa5fc7b63c57a909685a06a90a5b9c82c (diff) | |
download | openbmc-d1d22e6713c601a72ff7329133cd86f30ac3d6ce.tar.xz |
meta-security: subtree update:d6baccc068..4c2f7ffd49
Adrian (1):
gitignore added
Armin Kuster (31):
kas: build with ptest. remove apparmor
softHSM: add pkg
packagegroup-core-security: add softHSM
libest: add recipe
packagegroup-core-security: add libest package
opendnssec: add recipe
packagegroup-core-security: add opendnssec to pkg grp
gitlab-ci: allow test to fail
libseccomp: fix ptest failures.
packagegroup-core-security-ptest: remove keyutils-ptest
security-test-image: simplify
packagegroup-core-security-ptest: remove
apparmor: fix build issue with ptest enabled.
security-test-image: tweak to get more tests to runn
apparmor: update to 3.0
packagegroup-core-security: apparmor 3.0 ptest does not build
suricata: fix compiling on gcc10
qemux86-test: add apparmor back
apparmor: fix build for on musl
ecryptfs-utils: fix musl build
libest: fix musl build.
sssd: update to latest ltm 1.16.5
packagegroup-core-security: remove clamav from musl image
suricata: update to 4.1.9
kas: fixup alt configs
gitlab-ci: add qemux86 and qemuarm64 musl builds
tpm2-tss: update to 2.4.3
tpm2-totp: update to 0.2.1
tpm2-abrmd: update to 2.3.3
tpm2-tools: update to 4.3.0
tpm2-pkcs11: update to 1.4.0
Mingli Yu (1):
scap-security-guide: add expat-native to DEPENDS
Naveen Saini (3):
initramfs-framework/dmverity: add retry loop for slow boot devices
wic: add wks.in for intel dm-verity
linux-%/5.x: Add dm-verity fragment as needed
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: If3a721fdd99bb6e35c82cf4e7485f06cebaef905
Diffstat (limited to 'meta-security/recipes-security/opendnssec/files')
3 files changed, 354 insertions, 0 deletions
diff --git a/meta-security/recipes-security/opendnssec/files/fix_fprint.patch b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch
new file mode 100644
index 000000000..da0bcfe74
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch
@@ -0,0 +1,25 @@
+format not a string literal and no format arguments
+
+missing module_str in call
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+../../../git/enforcer/src/keystate/keystate_ds.c:192:7: error: format not a string literal and no format arguments [-Werror=format-security]
+| 192 | ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds);
+| | ^~~~~~~~~~~~~~~~~~~~~~~~
+
+
+Index: git/enforcer/src/keystate/keystate_ds.c
+===================================================================
+--- git.orig/enforcer/src/keystate/keystate_ds.c
++++ git/enforcer/src/keystate/keystate_ds.c
+@@ -189,7 +189,7 @@ exec_dnskey_by_id(int sockfd, struct dbw
+ status = 0;
+ }
+ else {
+- ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds);
++ ods_log_error_and_printf(sockfd, module_str, "Failed to run %s", cp_ds);
+ status = 7;
+ }
+ }
diff --git a/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
new file mode 100644
index 000000000..126e197f3
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
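Review bot: The header of fix_fprint.patch should say that this is a format-string fix and not only a build fix, and `Upstream-Status: Pending` deserves a pointer to where the change was submitted. The quoted `-Werror=format-security` diagnostic indicates that in the old call `cp_ds` landed in the format position, so a `%` in that value would have been interpreted by the printf-style logger; presumably `cp_ds` comes from configuration, which is worth confirming. A header line such as `Pass module_str so that cp_ds is a %s argument and not the format string` would record that. `module_str` is not defined inside the hunk and is assumed to exist elsewhere in keystate_ds.c, and exec_dnskey_by_id's body continues outside the hunk.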
@@ -0,0 +1,217 @@
+Configure does not work with OE pkg-config for the ldns option
+
+Upstream-Status: OE specific
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: opendnssec-2.1.6/m4/acx_ldns.m4
+===================================================================
+--- opendnssec-2.1.6.orig/m4/acx_ldns.m4
++++ opendnssec-2.1.6/m4/acx_ldns.m4
+@@ -1,128 +1,65 @@
+-AC_DEFUN([ACX_LDNS],[
+- AC_ARG_WITH(ldns,
+- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])],
+- [
+- LDNS_PATH="$withval"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin)
+- ],[
+- LDNS_PATH="/usr/local"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH)
+- ])
+-
+- if test -x "$LDNS_CONFIG"
+- then
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="`$LDNS_CONFIG --libs`"
+- AC_MSG_RESULT($LDNS_LIBS)
+- else
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="-I$LDNS_PATH/include"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="-L$LDNS_PATH/lib -lldns"
+- AC_MSG_RESULT($LDNS_LIBS)
+- fi
+-
+- tmp_CPPFLAGS=$CPPFLAGS
+- tmp_LIBS=$LIBS
+-
+- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES"
+- LIBS="$LIBS $LDNS_LIBS"
+-
+- AC_CHECK_LIB(ldns, ldns_rr_new,,[AC_MSG_ERROR([Can't find ldns library])])
+- LIBS=$tmp_LIBS
+-
+- AC_MSG_CHECKING([for ldns version])
+- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3)
+- AC_LANG_PUSH([C])
+- AC_RUN_IFELSE([
+- AC_LANG_SOURCE([[
+- #include <ldns/ldns.h>
+- int main()
+- {
+- #ifdef LDNS_REVISION
+- if (LDNS_REVISION >= $CHECK_LDNS_VERSION)
+- return 0;
+- #endif
+- return 1;
+- }
+- ]])
+- ],[
+- AC_MSG_RESULT([>= $1.$2.$3])
+- ],[
+- AC_MSG_RESULT([< $1.$2.$3])
+- AC_MSG_ERROR([ldns library too old ($1.$2.$3 or later required)])
+- ],[])
+- AC_LANG_POP([C])
++#serial 11
+
+- CPPFLAGS=$tmp_CPPFLAGS
+-
+- AC_SUBST(LDNS_INCLUDES)
+- AC_SUBST(LDNS_LIBS)
+-])
+-
+-
+-AC_DEFUN([ACX_LDNS_NOT],[
+- AC_ARG_WITH(ldns,
+- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])],
+- [
+- LDNS_PATH="$withval"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin)
+- ],[
+- LDNS_PATH="/usr/local"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH)
+- ])
+-
+- if test -x "$LDNS_CONFIG"
+- then
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="`$LDNS_CONFIG --libs`"
+- AC_MSG_RESULT($LDNS_LIBS)
+- else
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="-I$LDNS_PATH/include"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="-L$LDNS_PATH/lib -lldns"
+- AC_MSG_RESULT($LDNS_LIBS)
+- fi
+-
+- tmp_CPPFLAGS=$CPPFLAGS
+-
+- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES"
+-
+- AC_MSG_CHECKING([for ldns version not $1.$2.$3])
+- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3)
+- AC_LANG_PUSH([C])
+- AC_RUN_IFELSE([
+- AC_LANG_SOURCE([[
+- #include <ldns/ldns.h>
+- int main()
+- {
+- #ifdef LDNS_REVISION
+- if (LDNS_REVISION != $CHECK_LDNS_VERSION)
+- return 0;
+- #endif
+- return 1;
+- }
+- ]])
+- ],[
+- AC_MSG_RESULT([ok])
+- ],[
+- AC_MSG_RESULT([no])
+- AC_MSG_ERROR([ldns version $1.$2.$3 is not compatible due to $4])
+- ],[])
+- AC_LANG_POP([C])
+-
+- CPPFLAGS=$tmp_CPPFLAGS
++AU_ALIAS([CHECK_LDNS], [ACX_LDNS])
++AC_DEFUN([ACX_LDNS], [
++ found=false
++ AC_ARG_WITH([ldns],
++ [AS_HELP_STRING([--with-ldns=DIR],
++ [root of the lnds directory])],
++ [
++ case "$withval" in
++ "" | y | ye | yes | n | no)
++ AC_MSG_ERROR([Invalid --with-lnds value])
++ ;;
++ *) ldnsdirs="$withval"
++ ;;
++ esac
++ ], [
++ # if pkg-config is installed and lnds has installed a .pc file,
++ # then use that information and don't search ldnsdirs
++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
++ if test x"$PKG_CONFIG" != x""; then
++ OPENSSL_LDFLAGS=`$PKG_CONFIG ldns --libs-only-L 2>/dev/null`
++ if test $? = 0; then
++ LDNS_LIBS=`$PKG_CONFIG ldns --libs-only-l 2>/dev/null`
++ LDNS_INCLUDES=`$PKG_CONFIG ldns --cflags-only-I 2>/dev/null`
++ found=true
++ fi
++ fi
++
++ # no such luck; use some default ldnsdirs
++ if ! $found; then
++ ldnsdirs="/usr/local/ldns /usr/lib/ldns /usr/ldns /usr/local /usr"
++ fi
++ ]
++ )
++
++
++ if ! $found; then
++ LDNS_INCLUDES=
++ for ldnsdir in $ldnsdirs; do
++ AC_MSG_CHECKING([for LDNS in $ldnsdir])
++ if test -f "$ldnsdir/include/ldns/dnssec.h"; then
++ LDNS_INCLUDES="-I$ldnsdir/include"
++ LDNS_LDFLAGS="-L$ldnsdir/lib"
++ LDNS_LIBS="-lldns"
++ found=true
++ AC_MSG_RESULT([yes])
++ break
++ else
++ AC_MSG_RESULT([no])
++ fi
++ done
++
++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
++ # it will just work!
++ fi
++
++ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
++ LIBS="$LDNS_LIBS $LIBS"
++ CPPFLAGS="$LDNS_INCLUDES $CPPFLAGS"
++
++ AC_SUBST([LDNS_INCLUDES])
++ AC_SUBST([LDNS_LIBS])
++ AC_SUBST([LDNS_LDFLAGS])
+ ])
+Index: opendnssec-2.1.6/configure.ac
+===================================================================
+--- opendnssec-2.1.6.orig/configure.ac
++++ opendnssec-2.1.6/configure.ac
+@@ -138,9 +138,7 @@ AC_CHECK_MEMBER([struct sockaddr_un.sun_
+
+ # common dependencies
+ ACX_LIBXML2
+-ACX_LDNS(1,6,17)
+-ACX_LDNS_NOT(1,6,14, [binary incompatibility, see http://open.nlnetlabs.nl/pipermail/ldns-users/2012-October/000564.html])
+-ACX_LDNS_NOT(1,6,15, [fail to create NSEC3 bitmap for empty non-terminals, see http://www.nlnetlabs.nl/pipermail/ldns-users/2012-November/000565.html])
++ACX_LDNS(1.6.17)
+ ACX_PKCS11_MODULES
+ ACX_RT
+ ACX_LIBC
diff --git a/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch
new file mode 100644
index 000000000..b4ed4306d
--- /dev/null
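Review bot: The rewritten `ACX_LDNS` never reads its argument, so `ACX_LDNS(1.6.17)` in configure.ac no longer enforces a minimum ldns version, and the two `ACX_LDNS_NOT` exclusions for 1.6.14 and 1.6.15 (binary incompatibility, NSEC3 bitmap failure) are dropped with no replacement. In the pkg-config branch the floor can be kept with `$PKG_CONFIG --atleast-version=$1 ldns || AC_MSG_ERROR([ldns $1 or later required])`. Separately, the pkg-config branch stores the ldns `-L` flags in `OPENSSL_LDFLAGS` while the directory search sets `LDNS_LDFLAGS`, and only `OPENSSL_LDFLAGS` is appended to `LDFLAGS`; using `LDNS_LDFLAGS` in both places (`LDFLAGS="$LDFLAGS $LDNS_LDFLAGS"`) keeps the substituted variable and the link line in agreement. The help and error strings also spell the library `lnds`.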
+++ b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch
@@ -0,0 +1,112 @@
+configure does not work with OE pkg-config for the libxml2 option
+
+Upstream-Status: OE specific
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: opendnssec-2.1.6/m4/acx_libxml2.m4
+===================================================================
+--- opendnssec-2.1.6.orig/m4/acx_libxml2.m4
++++ opendnssec-2.1.6/m4/acx_libxml2.m4
+@@ -1,37 +1,67 @@
++#serial 11
++AU_ALIAS([CHECK_XML2], [ACX_LIBXML2])
+ AC_DEFUN([ACX_LIBXML2],[
+- AC_ARG_WITH(libxml2,
+- [AS_HELP_STRING([--with-libxml2=DIR],[look for libxml2 in this dir])],
+- [
+- XML2_PATH="$withval"
+- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $XML2_PATH/bin)
+- ],[
+- XML2_PATH="/usr/local"
+- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $PATH)
+- ])
+- if test -x "$XML2_CONFIG"
+- then
+- AC_MSG_CHECKING(what are the xml2 includes)
+- XML2_INCLUDES="`$XML2_CONFIG --cflags`"
+- AC_MSG_RESULT($XML2_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the xml2 libs)
+- XML2_LIBS="`$XML2_CONFIG --libs`"
+- AC_MSG_RESULT($XML2_LIBS)
+-
+- tmp_CPPFLAGS=$CPPFLAGS
+- tmp_LIBS=$LIBS
+-
+- CPPFLAGS="$CPPFLAGS $XML2_INCLUDES"
+- LIBS="$LIBS $XML2_LIBS"
+-
+- AC_CHECK_LIB(xml2, xmlDocGetRootElement,,[AC_MSG_ERROR([Can't find libxml2 library])])
+-
+- CPPFLAGS=$tmp_CPPFLAGS
+- LIBS=$tmp_LIBS
+- else
+- AC_MSG_ERROR([libxml2 required, but not found.])
+- fi
++ found=false
++ AC_ARG_WITH([libxml2],
++ [AS_HELP_STRING([--with-libxml2=DIR],
++ [root of the libxml directory])],
++ [
++ case "$withval" in
++ "" | y | ye | yes | n | no)
++ AC_MSG_ERROR([Invalid --with-libxml2 value])
++ ;;
++ *) xml2dirs="$withval"
++ ;;
++ esac
++ ], [
++ # if pkg-config is installed and openssl has installed a .pc file,
++ # then use that information and don't search ssldirs
++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
++ if test x"$PKG_CONFIG" != x""; then
++ XML2_LDFLAGS=`$PKG_CONFIG libxml-2.0 --libs-only-L 2>/dev/null`
++ if test $? = 0; then
++ XML2_LIBS=`$PKG_CONFIG libxml-2.0 --libs-only-l 2>/dev/null`
++ XML2_INCLUDES=`$PKG_CONFIG libxml-2.0 --cflags-only-I 2>/dev/null`
++ found=true
++ fi
++ fi
+
+- AC_SUBST(XML2_INCLUDES)
+- AC_SUBST(XML2_LIBS)
++ # no such luck; use some default ssldirs
++ if ! $found; then
++ xml2dirs="/usr/local/libxml /usr/lib/libxml /usr/libxml /usr/pkg /usr/local /usr"
++ fi
++ ]
++ )
++
++
++ # note that we #include <libxml/tree.h>, so the libxml2 headers have to be in
++ # an 'libxml' subdirectory
++
++ if ! $found; then
++ XML2_INCLUDES=
++ for xml2dir in $xml2dirs; do
++ AC_MSG_CHECKING([for XML2 in $xml2dir])
++ if test -f "$xml2dir/include/libxml2/libxml/tree.h"; then
++ XML2_INCLUDES="-I$xml2dir/include/libxml2"
++ XML2_LDFLAGS="-L$xml2dir/lib"
++ XML2_LIBS="-lxml2"
++ found=true
++ AC_MSG_RESULT([yes])
++ break
++ else
++ AC_MSG_RESULT([no])
++ fi
++ done
++
++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
++ # it will just work!
++ fi
++
++ LDFLAGS="$LDFLAGS $XML2_LDFLAGS"
++ LIBS="$XML2_LIBS $LIBS"
++ CPPFLAGS="$XML2_INCLUDES $CPPFLAGS"
++
++ AC_SUBST(XML2_INCLUDES)
++ AC_SUBST(XML2_LIBS)
++ AC_SUBST(XML2_LDFLAGS)
+ ]) |
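Review bot: When libxml2 is not found, the new `ACX_LIBXML2` falls through with empty flags instead of stopping, where the old macro ended in `AC_MSG_ERROR([libxml2 required, but not found.])` and verified the library with `AC_CHECK_LIB`. The fallback loop also probes host prefixes such as `/usr/local` and `/usr`, which in a cross build can put host headers on the include path if the pkg-config query fails. After the loop, `if ! $found; then AC_MSG_ERROR([libxml2 required, but not found.]); fi` would restore the hard failure; the `ACX_LDNS` macro in libdns_conf_fix.patch has the same fall-through. The comments copied into this macro still refer to openssl and `ssldirs` and should name libxml2 and `xml2dirs`.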