author | Andrew Geissler <geissonator@yahoo.com> | 2020-08-21 23:57:21 +0300 |
---|---|---|
committer | Andrew Geissler <geissonator@yahoo.com> | 2020-08-21 23:57:24 +0300 |
commit | b2fe863db1c3690813aab4707203ed8fbcdc7d52 (patch) | |
tree | 27a84d94039171ac770990b7ef9b258e843e3961 /meta-security/recipes-security | |
parent | 9d7e0aa351ef830384ea15f50f9ed0a9cf5ededd (diff) | |
download | openbmc-b2fe863db1c3690813aab4707203ed8fbcdc7d52.tar.xz |
meta-security: subtree update:066a04425c..787ba6faea
Armin Kuster (10):
lynis: update to 3.0.0
security images: Move to recipe-core
security packagegroups: move to recipes-core
packagegroup-security-tpm: add more packages for building
packagegroup-core-security: remove clamav for riscv*
libsecomp: rv32/rv64 target builds are not supported yet
packagegroup-core-security: remove libseccomp for riscv*
libseccomp: update to 2.5.0
packagegroup-core-security: restore riscv64 for libssecomp
trousers: Several Security fixes
Charlie Davies (1):
clamav: add INSTALL_CLAMAV_CVD flag to do_install
Kai Kang (1):
libseccomp: fix cross compile error for mips
Yi Zhao (1):
ibmswtpm2: upgrade 1563 -> 1628
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I0341c0d4cd61fb6ef7db6a29f9fc60de3caa822f
Diffstat (limited to 'meta-security/recipes-security')
-rw-r--r-- | meta-security/recipes-security/images/security-build-image.bb | 19 | ||||
-rw-r--r-- | meta-security/recipes-security/images/security-client-image.bb | 16 | ||||
-rw-r--r-- | meta-security/recipes-security/images/security-server-image.bb | 19 | ||||
-rw-r--r-- | meta-security/recipes-security/images/security-test-image.bb | 33 | ||||
-rw-r--r-- | meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch | 49 | ||||
-rw-r--r-- | meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb (renamed from meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb) | 11 | ||||
-rw-r--r-- | meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb | 28 | ||||
-rw-r--r-- | meta-security/recipes-security/packagegroup/packagegroup-core-security.bb | 68 |
8 files changed, 57 insertions, 186 deletions
diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-security/images/security-build-image.bb
deleted file mode 100644
index a8757f980..000000000
--- a/meta-security/recipes-security/images/security-build-image.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-DESCRIPTION = "A small image for building meta-security packages"
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- packagegroup-core-security \
- os-release"
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-build-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-security/images/security-client-image.bb
deleted file mode 100644
index f4ebc697c..000000000
--- a/meta-security/recipes-security/images/security-client-image.bb
+++ /dev/null
@@ -1,16 +0,0 @@
-DESCRIPTION = "A Client side Security example"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- os-release \
- samhain-client \
- ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-client-image"
diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-security/images/security-server-image.bb
deleted file mode 100644
index 4927e0ee5..000000000
--- a/meta-security/recipes-security/images/security-server-image.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-DESCRIPTION = "A Serve side image for Security example "
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- samhain-server \
- os-release "
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-server-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-security/images/security-test-image.bb
deleted file mode 100644
index c71d7267d..000000000
--- a/meta-security/recipes-security/images/security-test-image.bb
+++ /dev/null
@@ -1,33 +0,0 @@
-DESCRIPTION = "A small image for testing meta-security packages"
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
-
-INSTALL_CLAMAV_CVD = "1"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- packagegroup-core-security-ptest \
- clamav \
- tripwire \
- checksec \
- suricata \
- samhain-standalone \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
- os-release \
- "
-
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-test-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch
new file mode 100644
index 000000000..7d17a038a
--- /dev/null
+++ b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch
@@ -0,0 +1,49 @@
+Backport patch to fix cross compile error for mips:
+
+| syscalls.h:44:6: error: expected identifier or '(' before numeric constant
+| 44 | int mips;
+| | ^~~~
+
+Upstream-Status: Submitted [https://github.com/seccomp/libseccomp/pull/279/commits/04c519e5]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 04c519e5b1de53592e98307813e5c6db7418f91b Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Sun, 2 Aug 2020 09:57:39 -0400
+Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS
+ targets
+
+It turns out that the MIPS GCC compiler defines a "mips" cpp macro
+which was resulting in build failures on MIPS so we need to
+undefine the "mips" macro during build. As this should be safe
+to do in all architectures, just add it to the compiler flags by
+default.
+
+This was reported in the following GH issue:
+* https://github.com/seccomp/libseccomp/issues/274
+
+Reported-by: Rongwei Zhang <pudh4418@gmail.com>
+Suggested-by: Rongwei Zhang <pudh4418@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ configure.ac | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 40d9dcbb..3e877348 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+
+ dnl ####
+ dnl build flags
++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it
++dnl for us which wreaks havoc on the build
+ dnl ####
+ AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include"
+-AM_CFLAGS="-Wall"
++AM_CFLAGS="-Wall -Umips"
+ AM_LDFLAGS="-Wl,-z -Wl,relro"
+ AC_SUBST([AM_CPPFLAGS])
+ AC_SUBST([AM_CFLAGS])
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
index 9ca41e650..35365d5b4 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
@@ -4,18 +4,23 @@ SECTION = "security" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" -SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427" +DEPENDS += "gperf-native" -SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \ +SRCREV = "f13f58efc690493fe7aa69f54cb52a118f3769c1" + +SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \ file://run-ptest \ + file://fix-mips-build-failure.patch \ " +COMPATIBLE_HOST_riscv32 = "null" + S = "${WORKDIR}/git" inherit autotools-brokensep pkgconfig ptest PACKAGECONFIG ??= "" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python" +PACKAGECONFIG[python] = "--enable-python, --disable-python, python3" DISABLE_STATIC = ""
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
deleted file mode 100644
index cf34ded19..000000000
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-DESCRIPTION = "Security ptest packagegroup"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
- file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-inherit features_check
-
-REQUIRED_DISTRO_FEATURES = "ptest"
-
-PACKAGES = "\
- ${PN} \
- "
-
-ALLOW_EMPTY_${PN} = "1"
-
-SUMMARY_${PN} = "Security packages with ptests"
-RDEPENDS_${PN} = " \
- ptest-runner \
- samhain-standalone-ptest \
- keyutils-ptest \
- libseccomp-ptest \
- python3-scapy-ptest \
- suricata-ptest \
- tripwire-ptest \
- python3-fail2ban-ptest \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
- "
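Review bot: The new SRC_URI in libseccomp_2.5.0.bb still fetches over `git://`, which is neither authenticated nor encrypted, so the only integrity control on the fetched source is the SRCREV commit pin. Appending `;protocol=https` to the URL (`git://github.com/seccomp/libseccomp.git;branch=release-2.5;protocol=https`) keeps the pin and adds transport protection. Separately, `COMPATIBLE_HOST_riscv32 = "null"` is added without explanation; a one-line comment such as `# rv32 targets are not supported by libseccomp yet` (wording taken from the commit message, to be confirmed) would tell the next maintainer when the exclusion can be dropped.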
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
deleted file mode 100644
index e0a9d0534..000000000
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ /dev/null
@@ -1,68 +0,0 @@
-DESCRIPTION = "Security packagegroup for Poky"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
- file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-inherit packagegroup
-
-PACKAGES = "\
- packagegroup-core-security \
- packagegroup-security-utils \
- packagegroup-security-scanners \
- packagegroup-security-ids \
- packagegroup-security-mac \
- "
-
-RDEPENDS_packagegroup-core-security = "\
- packagegroup-security-utils \
- packagegroup-security-scanners \
- packagegroup-security-ids \
- packagegroup-security-mac \
- "
-
-SUMMARY_packagegroup-security-utils = "Security utilities"
-RDEPENDS_packagegroup-security-utils = "\
- checksec \
- nmap \
- pinentry \
- python3-scapy \
- ding-libs \
- keyutils \
- libseccomp \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
- "
-
-SUMMARY_packagegroup-security-scanners = "Security scanners"
-RDEPENDS_packagegroup-security-scanners = "\
- nikto \
- checksecurity \
- clamav \
- clamav-freshclam \
- clamav-cvd \
- "
-
-SUMMARY_packagegroup-security-audit = "Security Audit tools "
-RDEPENDS_packagegroup-security-audit = " \
- buck-security \
- redhat-security \
- "
-
-SUMMARY_packagegroup-security-hardening = "Security Hardening tools"
-RDEPENDS_packagegroup-security-hardening = " \
- bastille \
- "
-
-SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
-RDEPENDS_packagegroup-security-ids = " \
- tripwire \
- samhain-standalone \
- suricata \
- "
-
-SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
-RDEPENDS_packagegroup-security-mac = " \
- ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
- " |