author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-05-16 04:57:59 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-05-16 05:15:53 +0300 |
commit | c342db356d4f451821781eb24eb9f3d39d6c0c5e (patch) | |
tree | 13ee73073b2cee7d49d389aead46dd210c693cae /meta-security | |
parent | 0dd04f33864280128a3d2869833d56fddad804d2 (diff) | |
download | openbmc-c342db356d4f451821781eb24eb9f3d39d6c0c5e.tar.xz |
subtree updates
poky: 4e511f0abc..a015ed7704:
Adrian Bunk (22):
gnutls: upgrade 3.6.5 -> 3.6.7
dhcp: Replace OE specific patch for compatibility with latest bind with upstream patch
Set XZ_COMPRESSION_LEVEL to -9
gcc: Remove Java support variables
Use the best xz compression for the SDK
gnome-doc-utils: Remove stale patch
libxcrypt: Stop adding -std=gnu99 to CPPFLAGS
file: Stop adding -std=c99 to CFLAGS
gnu-efi: Remove support patch for gcc < 4.7
grub: Use -Wno-error instead of doing this on a per-warning basis
socat: upgrade 1.7.3.2 -> 1.7.3.3
bison: upgrade 3.0.4 -> 3.1
mmc-utils: update to the latest upstream code
cogl: upgrade 1.22.2 -> 1.22.4
cogl: remove -Werror=maybe-uninitialized workaround
libxcb: remove workaround patch for a bug that was fixed in gcc 5 in 2015
sysstat: inherit upstream-version-is-even
ccache: upgrade 3.6 -> 3.7.1
lttng-modules: upgrade 2.10.8 -> 2.10.9
iproute2: Remove bogus workaround patch for musl
openssl: Remove openssl10
Remove irda-utils and the irda feature
Alejandro Enedino Hernandez Samaniego (1):
run-postinsts: Fix full execution of scripts at first boot
Alejandro del Castillo (1):
opkg: add ptest
Alex Kiernan (12):
systemd-conf: simplify creation of machine-specific configuration
systemctl-native: Rewrite in Python supporting preset-all and mask
image: call systemctl preset-all for images
uboot-sign: Fix build when UBOOT_DTB_BINARY is empty
patchelf: Upgrade 0.9 -> 0.10
python3: Add ntpath.py to python core
go: Exclude vcs files when installing deps
recipetool: fix unbound variable when fixed SRCREV can't be found
systemd: Default to non-stateless images
systemd-systemctl: Restore support for enable command
systemd: Restore mask and preset targets, fix instance creation
shadow: Backport last change reproducibility
Alexander Kanavin (38):
python3: add a tr-tr locale for test_locale ptest
gobject-introspection: update to 1.60.1
dtc: upgrade 1.4.7 -> 1.5.0
webkitgtk: update to 2.24.0
libdazzle: update to 3.32.1
vala: update to 0.44.3
libdnf: update to 0.28.1
libcomps: upgrade 0.1.10 -> 0.1.11
dnf: upgrade 4.1.0 -> 4.2.2
btrfs-tools: upgrade 4.20.1 -> 4.20.2
meson: update to 0.50.0
libmodulemd: update to 2.2.3
at-spi2-core: fix meson 0.50 build
ffmpeg: update to 4.1.3
python: update to 2.7.16
python: update to 3.7.3
python-numpy: update to 1.16.2
icu: update to 64.1
epiphany: update to 3.32.1.2
python3: add another multilib fix
meson: do not try to substitute the prefix in python supplied paths
python3-pygobject: update to 3.32.0
meson: add missing Upstream-Status and SOB to a patch
acpica: update to 20190405
msmtp: fix upstream version check
python-scons: update to 3.0.5
python-setuptools: update to 41.0.1
python3-mako: update to 1.0.9
python3-pbr: update to 5.1.3
python3-pip: update to 19.0.3
buildhistory: call a dependency parser only on actual dependency lists
gtk-doc.bbclass: unify option setting for meson-based recipes
python3-pycairo: update to 1.18.1
maintainers.inc: take over as perl maintainer
xorg-lib: drop native overrides for REQUIRED_DISTRO_FEATURES
meson: update to 0.50.1
perl: update to 5.28.2
packagegroup-self-hosted: drop epiphany
Alistair Francis (5):
u-boot: Upgrade from 2019.01 to 2019.04
beaglebone-yocto: Update u-boot config to match u-boot 19.04
u-boot: Fix missing Python.h build failure
libsoup: Upgrade from 2.64.2 to 2.66.1
qemu: Upgrade from 3.1.0 to 4.0.0
Andre Rosa (1):
bitbake: utils: Let mkdirhier fail if existing path is not a folder
Andreas Müller (17):
gobject-introspection: auto-enable/-disable gobject-introspection for meson
libmodulemd: use gobject-introspection.bbclass on/off mechanism
gdk-pixbuf: use gobject-introspection.bbclass on/off mechanism
json-glib: use gobject-introspection.bbclass on/off mechanism
libdazzle: use gobject-introspection.bbclass on/off mechanism
clutter-gtk-1.0: use gobject-introspection.bbclass on/off mechanism
pango: use gobject-introspection.bbclass on/off mechanism
at-spi2-core: use gobject-introspection.bbclass on/off mechanism
atk: use gobject-introspection.bbclass on/off mechanism
libsoup-2.4: use gobject-introspection.bbclass on/off mechanism
glib-networking: upgrade 2.58.0 -> 2.60.1
gst-plugins: move 'inherit gobject-introspection' to recipes supporting GI
gstreamer1.0-python: rework gobject-introspection handling
insane.bbclass: Trigger unrecognzed configure option for meson
vte: upgrade 0.52.2 -> 0.56.1
vte: move shell auto scripts into seperate package
qemu: split out vte into seperate PACKAGECONFIG
Andreas Obergschwandtner (1):
uboot-sign: add support for different u-boot configurations
Andrej Valek (2):
dropbear: update to 2019.78
systemd: upgrade to 242
Angus Lees (1):
Revert "wic: Set a miniumum FAT16 volume size."
Anuj Mittal (4):
gcc: fix CVE-2018-18484
gdb: fix CVE-2017-9778
binutils: fix CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077
openssh: fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6111
Armin Kuster (8):
resulttool: add ltp test support
logparser: Add decoding ltp logs
ltp: add runtime test
resulttool: add LTP compliance section
logparser: Add LTP compliance section
ltp_compliance: add new runtime
manual compliance: remove bits done at runtime
nss: cleanup recipe to match OE style
Beniamin Sandu (1):
kernel-devsrc: check for localversion files in the kernel source tree
Breno Leitao (3):
weston-init: Fix tab indentation
weston-init: Add support for non-root start
weston-init: Fix WESTON_USER typo
Bruce Ashfield (8):
linux-yocto/5.0: update to v5.0.5
linux-yocto-rt: update to 5.0.5-rt3
linux-yocto/5.0: update to v5.0.7
linux-yocto/4.19: update to v4.19.34
linux-yocto-rt/4.19: fix merge conflict in lru_drain
linux-yocto/5.0: port RAID configuration tweaks from master
linux-yocto/5.0: integrate TCP timeout / hang fix
linux-yocto/5.0: update TCP patch to mainline version
Changhyeok Bae (2):
iw: upgrade 4.14 -> 5.0.1
iptables: upgrade 1.6.2 -> 1.8.2
Changqing Li (11):
ruby: make ext module fiddle can compile success
ruby: add ptest
cogl: fix compile error caused by -Werror=maybe-uninitialized
systemd: change default locale from C.UTF-8 to C
m4: add ptest support
gettext: add ptest support
waffle: supprt build waffle without x11
piglit: support build piglit without x11
dbus: fix ptest failure
populate_sdk_base: provide options to set sdk type
python3: fix do_install fail for parallel buiild
Chee Yang Lee (1):
wic/bootimg-efi: replace hardcoded volume name with label
Chen Qi (9):
runqemu: do not check return code of tput
busybox: fix ptest failure about 'dc'
base-files: move hostname operations out of issue file settings
webkitgtk: set CVE_PRODUCT
dropbear: set CVE_PRODUCT
libsdl: set CVE_PRODUCT
ghostscript: set CVE_PRODUCT
flac: also add flac to CVE_PRODUCT
squashfs-tools: set CVE_PRODUCT
David Reyna (1):
bitbake: toaster: update to Warrior
Dengke Du (2):
perf: workaround the error cased by maybe-uninitialized warning
linux-yocto_5.0: set devicetree for armv5
Denys Dmytriyenko (1):
weston: upgrade 5.0.0 -> 6.0.0
Douglas Royds (2):
distutils: Run python from the PATH in the -native case as well
distutils: Tidy and simplify for readability
Fabio Berton (1):
mesa: Update 19.0.1 -> 19.0.3
He Zhe (2):
ltp: Fix setrlimit03 call succeeded unexpectedly
systemd: Bump up SRCREV to systemd-stable top to include the fix for shutdown now hang
Hongxu Jia (15):
image_types.bbclass: fix a race between the ubi and ubifs FSTYPES
cpio/tar/native.bbclass: move rmt to sbindir and add a prefix to avoid native clashing
acpica: use update-alternatives for acpidump
apr: upgrade 1.6.5 -> 1.7.0
man-pages: upgrade 4.16 -> 5.01
man-db: upgrade 2.8.4 -> 2.8.5
bash: upgrade 4.4.18 -> 5.0
ncurses: fix incorrect UPSTREAM_CHECK_GITTAGREGEX
gpgme: upgrade 1.12.0 -> 1.13.0
subversion: upgrade 1.11.1 -> 1.12.0
groff: upgrade 1.22.3 -> 1.22.4
libxml2: upgrade 2.9.8 -> 2.9.9
ghostscript: 9.26 -> 9.27
groff: imporve musl support
oeqa/targetcontrol.py: fix qemuparams not work in runqemu with launch_cmd
Jacob Kroon (3):
grub-efi-native: Install grub-editenv
bitbake: knotty: Pretty print task elapsed time
base-passwd: Add kvm group
Jaewon Lee (1):
Adding back wrapper and using OEPYTHON3HOME variable for python3
Jens Rehsack (1):
kernel-module-split.bbclass: support CONFIG_MODULE_COMPRESS=y
Jonas Bonn (3):
systemd: don't build firstboot by default
systemd: do not create machine-id
systemd: create preset files instead of installing in image
Joshua Watt (6):
classes/waf: Set WAFLOCK
resulttool: Load results from URL
resulttool: Add log subcommand
qemux86: Allow higher tunes
bitbake.conf: Account for older versions of bitbake
resulttool: Add option to dump all ptest logs
Kai Kang (5):
msmtp: 1.6.6 -> 1.8.3
cryptodev: fix module loading error
target-sdk-provides-dummy: resolve sstate conflict
bitbake.conf: set NO_RECOMMENDATIONS with weak assignment
webkitgtk: fix compile error for arm64
Kevin Hao (1):
meta-yocto-bsp: Bump to the latest stable kernel for all the BSP
Khem Raj (9):
gcc-cross-canadian: Make baremetal specific code generic
musl: Upgrade to master past 1.1.22
webkitgtk: Fix build with clang
mdadm: Disable Werror
gcc-target: Do not set --with-sysroot and gxx-include-dir paths
systemd: Add -Wno-error=format-overflow to fix build with gcc9
systemd: Backport patch to fix build with gcc9
libgfortan: Package target gcc include directory to fix
gcc-9: Add recipes for gcc 9.1 release
Lei Maohui (2):
dnf: Enable nativesdk
icu: Added armeb support.
Lei Yang (1):
recipetool: add missed module
Luca Boccassi (1):
systemd: add cgroupv2 PACKAGECONFIG
Mardegan, Alberto (1):
oeqa/core/runner: dump stdout and stderr of each test case
Mariano Lopez (5):
update-alternatives.bbclass: Add function to get metadata
ptest.bbclass: Add feature to populate a binary directory
util-linux: Use PTEST binary directory
busybox: Use PTEST binary directory
ptest.bbclass: Use d.getVar instead of os.environ
Martin Jansa (6):
connman: add PACKAGECONFIG for nfc, fix MACHINE_ARCH signature when l2tp is enabled
icecc.bbclass: stop causing everything to be effectivelly MACHINE_ARCH
glibc: always use bfd linker
opkg: fix ptest packaging when OPKGLIBDIR == libdir
kexec-tools: refresh patches with devtool
perf: make sure that the tools/include/uapi/asm-generic directory exists
Matthias Schiffer (1):
systemd: move "machines" symlinks to systemd-container
Max Kellermann (2):
useradd-staticids: print exception after parse_args() error
initrdscripts: merge multiple "mkdir" calls
Michael Scott (2):
kernel-fitimage: support RISC-V
procps: update legacy sysctl.conf to fix rp_filter sysctl issue
Mikko Rapeli (3):
elfutils: remove Elfutils-Exception and include GPLv2 for shared libraries
oeqa/sdk: use bash to execute SDK test commands
openssh: recommend rng-tools with sshd
Mingli Yu (6):
nettle: fix ptest failure
elfutils: add ptest support
elfutils: fix build failure with musl
gcc-sanitizers: fix -Werror=maybe-uninitialized issue
nettle: fix the Segmentation fault
nettle: fix ptest failure
Nathan Rossi (1):
ccmake.bbclass: Fix up un-escaped quotes in output formatting
Naveen Saini (5):
core-image-rt: make sure that we append to DEPENDS
core-image-rt-sdk: make sure that we append to DEPENDS
bitbake.conf: add git-lfs to HOSTTOOLS_NONFATAL
bitbake: bitbake: fetch2/git: git-lfs check
linux-yocto: update genericx86* SRCREV for 4.19
Oleksandr Kravchuk (52):
iproute2: update to 5.0.0
curl: update to 7.64.1
libxext: update to 1.3.4
x11perf: update to 1.6.1
libxdmcp: update to 1.1.3
libxkbfile: update 1.1.0
libxvmc: update to 1.0.11
libxrandr: update to 1.5.2
connman: update to 1.37
ethtool: update to 5.0
tar: update to 1.32
ffmpeg: update to 4.1.2
librepo: update to 1.9.6
libxmu: update to 1.1.3
libxcrypt: update to 4.4.4
wget: update to 1.20.2
libsecret: 0.18.8
createrepo-c: update to 0.12.2
libinput: update to 1.13.0
cronie: update to 1.5.4
libyaml: update to 0.2.2
fontconfig: update to 2.13.1
makedepend: update to 1.0.6
libdrm: update to 2.4.98
libinput: update to 1.13.1
libnotify: update to 0.7.8
libpng: update to 1.6.37
libcroco: update to 0.6.13
libpsl: update to 0.21.0
git: update to 2.21.0
quota: update to 4.05
gnupg: update to 2.2.15
lz4: update to 1.9.0
orc: update to 0.4.29
help2man-native: update to 1.47.10
cups: update to 2.2.11
pixman: update to 0.38.4
libcap: update to 2.27
ninja: add Upstream-Status and SOB for musl patch
python-numpy: update to 1.16.3
python3-pygobject: update to 3.32.1
wget: update to 1.20.3
libsolv: update to 0.7.4
ell: add recipe
sqlite3: update to 3.28.0
kmscube: update to latest revision
coreutils: update to 8.31
mtools: update to 4.0.23
msmtp: update to 1.8.4
wpa-supplicant: update to 2.8
bitbake.conf: use https instead of http
ell: update to 0.20
Paul Barker (3):
oe.path: Add copyhardlink() helper function
license_image: Use new oe.path.copyhardlink() helper
gdb: Fix aarch64 build with musl
Peter Kjellerstedt (1):
systemd: Use PACKAGECONFIG definition to depend on libnss-myhostname
Randy MacLeod (5):
valgrind: update from 3.14.0 to 3.15.0
valgrind: fix vg_regtest return code
valgrind: update the ptest subdirs list
valgrind: adjust test filters and expected output
valgrind: fix call/cachegrind ptests
Richard Purdie (52):
pseudo: Update to gain key bugfixes
python3: Avoid hanging tests
python3: Fix ptest output parsing
go.bbclass: Remove unused override
goarch.bbclass: Simplify logic
e2fsprogs: Skip slow ptest tests
bitbake: bitbake: Update version to 1.42.0
poky.conf: Bump version for 2.7 warrior release
build-appliance-image: Update to warrior head revision
bitbake: bitbake: Post release version bumnp to 1.43
poky.conf: Post release version bump
build-appliance-image: Update to master head revision
Revert "nettle: fix ptest failure"
core-image-sato-sdk-ptest: Try and keep image below 4GB limit
core-image-sato-ptest-fast: Add 'fast' ptest execution image
core-image-sato-sdk-ptest: Include more ptests in ptest image
core-image-sato-sdk-ptest: Add temporary PROVIDES core-image-sato-ptest
resultool/resultutils: Fix module import error
lttng-tools: Add missing patch Upstream-Status
utils/multiprocess_launch: Improve failing subprocess output
python3: Drop ptest hack
ptest-packagelists: Add m4 and gettext as 'fast' ptests
bitbake: knotty: Implement console 'keepalive' output
bitbake: build: Ensure warning for invalid task dependencies is useful
bitbake: build: Disable warning about dependent tasks for now
oeqa/ssh: Avoid unicode decode exceptions
elfutils: ptest fixes
elfutils: Fix ptest compile failures on musl
bitbake: bitbake: Add initial pass of SPDX license headers to source code
bitbake: bitbake: Drop duplicate license boilerplace text
bitbake: bitbake: Strip old editor directives from file headers
bitbake: HEADER: Drop it
openssh/systemd/python/qemu: Fix patch Upstream-Status
scripts/pybootchart: Fix mixed indentation
scripts/pybootchart: Port to python3
scripts/pybootchart/draw: Clarify some variable names
scripts/pybootchart/draw: Fix some bounding problems
coreutils: Fix patch upstream status field
oeqa: Drop OETestID
meta/lib+scripts: Convert to SPDX license headers
oeqa/core/runner: Handle unexpectedSucesses
oeqa/systemd_boot: Drop OETestID
oeqa/runner: Fix subunit setupClass/setupModule failure handling
oeqa/concurrenttest: Patch subunit module to handle classSetup failures
tcmode-default: Add PREFERRED_VERSION for libgfortran
oeqa/selftest: Automate manual pybootchart tests
openssh: Avoid PROVIDES warning from rng-tools dependency
oeqa/target/ssh: Replace suggogatepass with ignoring errors
core-image-sato-sdk-ptest: Tweak size to stay within 4GB limit
valgrind: Include debugging symbols in ptests
dbus-test: Improve ptest dependencies dependencies
ptest: Add RDEPENDS frpm PN-ptest to PN package
Robert Joslyn (1):
qemu: Add PACKAGECONFIG for snappy
Robert Yang (6):
bitbake: bitbake-diffsigs: Use 4 spaces as indent for recursecb
bitbake: bb: siggen: Make dump_sigfile and compare_sigfiles print uuid4
bitbake: bb: siggen: Print more info when basehash are mis-matched
bitbake: BBHandler: Fix addtask and deltask
bitbake: build.py: check dependendent task for addtask
bitbake: tests/parse.py: Add testcase for addtask and deltask
Ross Burton (14):
lttng-tools: fix Upstream-Status
acpica: upgrade to 20190215
staging: add ${datadir}/gtk-doc/html to the sysroot blacklist
mpg123: port to use libsdl2
meta-poky: remove obsolete DISTRO_FEATURES_LIBC
m4: update patch status
packagegroup-core-full-cmdline: remove zlib
wic: change expand behaviour to match docs
wic: add global debug option
gtk-icon-cache: clean up DEPENDS
patch: add minver and maxver parameters
glib-2.0: fix locale handling
glib-2.0: add missing locales for the tests
glib-2.0: fix last failing ptest
Scott Rifenbark (34):
bitbake: poky.ent: Removed "ECLIPSE" entity variables.
bitbake: bitbake-user-manual: Added section on modifying variables
Makefile: Removed Eclipse support
Documentation: Removed customization.xsl files for Eclipse
mega-manual: Removed two Eclipse figures from tarball list
mega-manual, overview-manual: Added updated index releases figure
poky.ent: Removed Eclipse related variables.
mega-manual: Removed the Eclipse chapters
dev-manual: Removed all references to Eclipse.
overview-manual: Removed all references to Eclipse
profile-manual: Removed all references to Eclipse
ref-manual: Removed all references to Eclipse
sdk-manual: Removed all references to Eclipse
sdk-manual: Removed all references to Eclipse
dev-manual; brief-yoctoprojectqs: Updated checkout branch example
dev-manual: Added reasoning blurb to "Viewing Variables" section.
ref-manual: Inserted Migration 2.7 section.
ref-manual: Added Eclipse removal for migration section.
ref-manual: Added "License Value Corrections to migration.
ref-manual: Added Fedora 29 to the supported distros list.
poky.ent: changed 2.7 release variable date to "May 2019"
ref-manual: Review comments applied to 2.7 migration section.
documentation: Prepared for 2.8 release
bsp-guide: Removed inaccurate "container layer" references.
ref-manual: Updated the "Container Layer" term.
bsp-guide: Updated the "beaglebone-yocto.conf" example.
documentation: Cleaned up "plug-in"/"plugin" terminology.
bsp-guide: Updated the BSP kernel recipe example.
ref-manual: Updated PREFERRED_VERSION variable to use 5.0
bsp-guide: More corrections to the BSP Kernel Recipe example
dev-manual: Added cross-link to "Fetchers" section in BB manual.
bitbake: bitbake-user-manual: Added npm to other fetcher list.
overview-manual: Updated SMC section to link to fetchers
ref-manual: Added "npm" information to the SRC_URI variable.
Stefan Kral (1):
bitbake: build: Add verbnote to shell log commands
Stefan Müller-Klieser (1):
cml1.bbclass: fix undefined behavior
Steven Hung (洪于玉) (1):
kernel.bbclass: convert base_do_unpack_append() to a task
Tom Rini (2):
vim: Rework to not rely on relative directories
vim: Update to 8.1.1240
Wenlin Kang (1):
systemd: install libnss-myhostname.so when myhostname be enabled
Yeoh Ee Peng (1):
resulttool/manualexecution: Refactor and remove duplicate code
Yi Zhao (2):
harfbuzz: update source checksums after upstream replaced the tarball
libyaml: update SRC_URI[md5sum] and SRC_URI[sha256sum]
Ying-Chun Liu (PaulLiu) (1):
uboot-sign: Fix u-boot-nodtb symlinks
Zang Ruochen (10):
libatomic-ops:upgrade 7.6.8 -> 7.6.10
libgpg-error:upgrade 1.35 -> 1.36
libxft:upgrade 2.3.2 -> 2.3.3
libxxf86dga:upgrade 1.1.4 -> 1.1.5
nss:upgrade 3.42.1 -> 3.43
sysprof:upgrade 3.30.2 -> 3.32.0
libtirpc:upgrade 1.0.3 -> 1.1.4
xtrans:upgrade 1.3.5 -> 1.4.0
harfbuzz:upgrade 2.3.1 -> 2.4.0
icu: Upgrade 64.1 -> 64.2
Zheng Ruoqin (1):
sanity: check_perl_modules bug fix
sangeeta jain (1):
resulttool/manualexecution: Enable test case configuration option
meta-openembedded: 4a9deabbc8..1ecd8b4364:
Adrian Bunk (34):
linux-atm: Remove DEPENDS on virtual/kernel and PACKAGE_ARCH
linux-atm: Replace bogus on_exit removal with musl-specific hack
ledmon: Mark as incompatible on musl instead of adding bogus patch
efivars: Drop workaround patch for host gcc < 4.7
sshfs-fuse: upgrade 2.8 -> 2.10
wv: upgrade 1.2.4 -> 1.2.9
caps: Upgrade 0.9.24 -> 0.9.26
dvb-apps: Remove dvb-fe-xc5000c-4.1.30.7.fw
schroedinger: Remove the obsolete DEPENDS on liboil
vlc: Remove workaround and patches for problems fixed upstream
Remove liboil
dnrd: Remove stale files of recipe removed 2 years ago
postfix: Upgrade 3.4.1 -> 3.4.5
pptp-linux: Upgrade 1.9.0 -> 1.10.0
dovecot: Upgrade 2.2.36 -> 2.2.36.3
postgresql: Upgrade 11.2 -> 11.3
rocksdb: Upgrade 5.18.2 -> 5.18.3
cloud9: Remove stale files of recipe removed 2 years ago
fluentbit: Upgrade 0.12.1 -> 0.12.19
libcec: Upgrade 4.0.2 -> 4.0.4
libqb: Upgrade 1.0.3 -> 1.0.5
openwsman: Upgrade 2.6.8 -> 2.6.9
glm: Upgrade 0.9.9.3 -> 0.9.9.5
fvwm: Upgrade 2.6.7 -> 2.6.8
augeas: Upgrade 1.11.0 -> 1.12.0
ccid: Upgrade 1.4.24 -> 1.4.30
daemonize: Upgrade 1.7.7 -> 1.7.8
inotify-tools: Upgrade 3.14 -> 3.20.1
liboop: Upgrade 1.0 -> 1.0.1
ode: Remove stale file of recipe removed 2 years ago
openwbem: Remove stale files of recipe removed 2 years ago
catch2: Upgrade 2.6.1 -> 2.7.2
geos: Upgrade 3.4.2 -> 3.4.3
rdfind: Upgrade 1.3.4 -> 1.4.1
Akshay Bhat (3):
python-urllib3: Set CVE_PRODUCT
python3-pillow: Set CVE_PRODUCT
python-requests: Set CVE_PRODUCT
Alistair Francis (3):
mycroft: Update the systemd service to ensure we are ready to start
mycroft: Bump from 19.2.2 to 19.2.3
python-obd: Add missing RDEPENDS
Andreas Müller (33):
gvfs: remove executable permission from systemd user services
udisks2: upgrade 2.8.1 -> 2.8.2
parole: upgrade 1.0.1 -> 1.0.2
ristretto: upgrade 0.8.3 -> 0.8.4
networkmanager: rework musl build
gvfs: remove systemd user unit executable permission adjustment
fltk: upgrade 1.3.4-2 -> 1.3.5
samba: install bundled libs into seperate packages
samba: rework localstatedir package split
fluidsynth: upgrade 2.0.4 -> 2.0.5
xfce4-vala: auto-detect vala api version
gnome-desktop3: set correct meson gtk doc option
vlc: rework qt PACKAGECONFIG
evince: add patch to fix build with recent gobject-introspection
xfce4-cpufreq-plugin: Fix memory leak and reduce CPU load
packagegroup-meta-networking: replace DISTRO_FEATURE by DISTRO_FEATURES
meta-xfce: add meta-networking to layer depends
gtksourceview4: initial add 4.2.0
gtksourceview-classic-light: extend to gtksourceview4
itstool: rework - it went out too early
fontforge: upgrade 20170731 -> 20190413
exo: upgrade 0.12.4 -> 0.12.5
xfce4-places-plugin: upgrade 1.7.0 -> 1.8.0
xfce4-datetime-plugin: upgrade 0.7.0 -> 0.7.1
xfce4-notifyd: upgrade 0.4.3 -> 0.4.4
desktop-file-utils: remove - a more recent version is in oe-core
libwnck3: upgrade 3.30.0 and move to meson build
xfce4-terminal: add vte-prompt to RRECOMMENDS
xfce4-session: get rid of machine-host
xfce4-session: remove strange entry in FILES_${PN}
libxfce4ui: Add PACKAGECONFIG 'gladeui2' for glade (gtk3) support
glade3: move to to meta-xfce
Remove me as maintainer
Andrej Valek (2):
squid: upgrade squid 3.5.28 -> 4.6
ntp: upgrade 4.2.8p12 -> 4.2.8p13
Ankit Navik (1):
libnfc: Initial recipe for Near Field Communication library.
Armin Kuster (1):
meta-filesystems: drop bitbake from README
Changqing Li (5):
gd: fix compile error caused by -Werror=maybe-uninitialized
apache2: add back patch for set perlbin
php: upgrade 7.3.2 -> 7.3.4
postgresql: fix compile error
php: correct httpd path
Chris Garren (1):
python-cryptography: Move linker flag to .inc
Denys Dmytriyenko (1):
v4l-utils: upgrade 1.16.0 -> 1.16.5
Gianfranco Costamagna (1):
cpprest: update to 2.10.13, drop 32bit build fix upstream
Hains van den Bosch (1):
libcdio: update to version 2.1.0
Hongxu Jia (1):
pmtools: use update-alternatives for acpidump
Hongzhi.Song (1):
lua: upgrade from v5.3.4 to v5.3.5
Ivan Maidanski (1):
bdwgc: upgrade 7.6.12 -> 8.0.4
Johannes Pointner (1):
samba: update to 4.8.11
Kai Kang (3):
gvfs: fix typo libexec
drbd: fix compile errors
drbd-utils: fix file conflict with base-files
Khem Raj (3):
redis: Upgrade to 4.0.14
squid: Link with libatomic on mips/ppc
cpupower: Inherit bash completion class
Leon Anavi (1):
openbox: Add python-shell as a runtime dependency
Liwei Song (1):
ledmon: control hard disk led for RAID arrays
Mark Asselstine (1):
xfconf: fix 'Failed to get connection to xfconfd' during do_rootfs
Martin Jansa (13):
ftgl: add x11 to required DISTRO_FEATURES like freeglut
libforms: add x11 to required DISTRO_FEATURES because of libx11
Revert "ell: remove recipe"
ne10: set NE10_TARGET_ARCH with an override instead of anonymous python
libopus: use armv7a, aarch64 overrides when adding ne10 dependency
esound: fix SRC_URI for multilib
opusfile: fix SRC_URI for multilib
miniupnpd: fix SRC_URI for multilib
zbar: fix SRC_URI for multilib
libvncserver: set PV in the recipe
efivar: prevent native efivar depending on target kernel
libdbi-perl: prevent native libdbi-perl depending on target perl
aufs-util: prevent native aufs-util depending on target kernel
Ming Liu (1):
libmodbus: add documentation PACKAGECONFIG
Mingli Yu (6):
indent: Upgrade to 2.2.12
hostapd: Upgrade to 2.8
hwdata: Upgrade to 0.322
rrdtool: Upgrade to 1.7.1
libdev-checklib-perl: add new recipe
libdbd-mysql-perl: Upgrade to 4.050
Nathan Rossi (1):
fatresize_1.0.2.bb: Add recipe for fatresize command line tool
Nicolas Dechesne (3):
cpupower: remove LIC_FILES_CHKSUM
bpftool: remove LIC_FILES_CHKSUM
cannelloni: move from meta-oe to meta-networking
Oleksandr Kravchuk (38):
smcroute: update to 2.4.4
phytool: update to v2
fwknop: update to 2.6.10
cifs-utils: update to 6.9
keepalived: update to 2.0.15
usbredir: update to 0.8.0
open-isns: update to 0.99
nanomsg: update to 1.1.5
stunnel: update to 5.51
babeld: update to 1.8.4
drbd-utils: update to 9.8.0
drbd: update to 9.0.17-1
macchanger: update to 1.7.0
wolfssl: update to 4.0.0
ell: remove recipe
analyze-suspend: update to 5.3
chrony: update to 3.4
nghttp2: update to 1.38
nano: update to 4.1
networkmanager-openvpn: update to 1.8.10
wpan-tools: update to 0.9
uftp: update to 4.9.9
vblade: add UPSTREAM_CHECK_URI
traceroute: add UPSTREAM_CHECK_URI
nuttcp: update to 8.2.2
nfacct: add UPSTREAM_CHECK_URI
nftables: add UPSTREAM_CHECK_URI
libnetfilter-queue: update to 1.0.3
arno-iptables-firewall: update to 2.0.3
ypbind-mt: update to 2.6
ebtables: add UPSTREAM_CHECK_URI
doxygen: replace ninja 1.9.0 fix with official one
libnetfilter-queue: fix update to 1.0.3
networkd-dispatcher: update to 2.0.1
opensaf: update to 5.19.01
libnetfilter-conntrack: update to 1.0.7
conntrack-tools: update to 1.4.5
openvpn: update to 2.4.7
Paolo Valente (1):
s-suite: push SRCREV to version 3.2
Parthiban Nallathambi (6):
python3-aiohttp: add version 3.5.4
python3-supervisor: add version 4.0.2
python3-websocket-client: add version 0.56.0
python3-tinyrecord: add version 0.1.5
python3-sentry-sdk: add version 0.7.14
python3-raven: add version 6.10.0
Pascal Bach (2):
paho-mqtt-c: 1.2.1 -> 1.3.0
thrift: update to 0.12.0
Pavel Modilaynen (1):
jsoncpp: add native BBCLASSEXTEND
Peter Kjellerstedt (2):
apache2: Correct appending to SYSROOT_PREPROCESS_FUNCS
apache2: Correct packaging of build and doc related files
Philip Balister (1):
sip: Update to 4.19.16.
Qi.Chen@windriver.com (4):
multipath-tools: fix up patch to avoid segfault
netkit-rsh: add tag to CVE patch
ipsec-tools: fix CVE tag in patch
gd: set CVE_PRODUCT
Randy MacLeod (1):
imagemagick: update from 7.0.8-35 to 7.0.8-43
Robert Joslyn (5):
gpm: Fix gpm path in unit file
gpm: Add PID file to systemd unit file
gpm: Generate documentation
gpm: Remove duplicate definition of _GNU_SOURCE
gpm: Recipe cleanup
Sean Nyekjaer (2):
cannelloni: new package, CAN to ethernet proxy
ser2net: upgrade to version 3.5.1
Vincent Prince (1):
mongodb: Fix build with gcc
Wenlin Kang (1):
samba: add PACKAGECONFIG for libunwind
Yi Zhao (7):
python-flask-socketio: move to meta-python directory
apache2: upgrade 2.4.34 -> 2.4.39
apache-websocket: upgrade to latest git rev
netkit-rsh: security fixes
openhpi: fix failure of ptest case ohpi_035
openhpi: update openhpi-fix-testfail-errors.patch
phpmyadmin: upgrade 4.8.3 -> 4.8.5
Zang Ruochen (43):
xlsatoms: upgrade 1.1.2 -> 1.1.3
xrdb: upgrade 1.1.1 -> 1.2.0
xrefresh: upgrade 1.0.5 -> 1.0.6
xsetroot: upgrade 1.1.1 -> 1.1.2
xstdcmap: upgrade 1.0.3 -> 1.0.4
xbitmaps: upgrade 1.1.1 -> 1.1.2
wireshark: upgrade 3.0.0 -> 3.0.1
python-cffi: upgrade 1.11.5 -> 1.12.2
python-attrs: upgrade 18.1.0 -> 19.1.0
python-certifi: upgrade 2018.8.13 -> 2019.3.9
python-beabutifulsoup4: upgrade 4.6.0 -> 4.7.1
python-dateutil: upgrade 2.7.3 -> 2.8.0
python-mako: upgrade 1.0.7 -> 1.0.9
python-msgpack: upgrade 0.6.0 -> 0.6.1
python-paste: upgrade 3.0.6 -> 3.0.8
python-psutil: upgrade 5.4.6 -> 5.6.1
python-py: upgrade 1.6.0 -> 1.8.0
python-pymongo: upgrade 3.7.1 -> 3.7.2
python-pyopenssl: upgrade 18.0.0 -> 19.0.0
python-pytz: upgrade 2018.5 -> 2019.1
python-stevedore: upgrade 1.29.0 -> 1.30.1
python-pbr: upgrade 4.2.0 -> 5.1.3
python-cython: upgrade 0.28.5 -> 0.29.6
python-editor: upgrade 1.0.3 -> 1.0.4
python-jinja2: upgrade 2.10 -> 2.10.1
python-lxml: upgrade 4.3.1 -> 4.3.3
python-alembic: upgrade 1.0.0 -> 1.0.9
python-cffi: upgrade 1.12.2 -> 1.12.3
python-hyperlink: upgrade 18.0.0 -> 19.0.0
python-twisted: upgrade 18.4.0 -> 19.2.0
python-zopeinterface: upgrade 4.5.0 -> 4.6.0
python-decorator: upgrade 4.3.0 -> 4.4.0
python-pip: upgrade 18.0 -> 19.1
python-pyasn1: upgrade 0.4.4 -> 0.4.5
libnet-dns-perl: upgrade 1.19 -> 1.20
python-alembic: upgrade 1.0.9 -> 1.0.10
python-cython: upgrade 0.29.6 -> 0.29.7
python-mock: upgrade 2.0.0 -> 3.0.5
python-pbr: upgrade 5.1.3 -> 5.2.0
python-psutil: upgrade 5.6.1 -> 5.6.2
python-pymongo: upgrade 3.7.2 -> 3.8.0
python-pyperclip: upgrade 1.6.2 -> 1.7.0
python-rfc3987: upgrade 1.3.7 -> 1.3.8
leimaohui (3):
To fix confilict error with python3-pbr.
python-pycodestyle: Fix conflict error with python3-pycodestyle during do_rootfs
mozjs: Make mozjs support arm32BE.
meta-raspberrypi: 9ceb84ee9e..7059c37451:
Francesco Giancane (1):
qtbase_%.bbappend: update PACKAGECONFIG name for xkbcommon
Gianluigi Tiesi (1):
psplash: Raise alternatives priority to 200
Martin Jansa (3):
linux_raspberrypi_4.19: Update to 4.19.34
bluez5: apply the same patches and pi-bluetooth dependency for all rpi MACHINEs
userland: use default PACKAGE_ARCH
Paul Barker (3):
linux-raspberrypi: Update 4.14.y kernel
linux-raspberrypi: Switch default back to 4.14.y
linux-raspberrypi 4.9: Drop old version
meta-security: 8a1f54a246..9f5cc2a7eb:
Alexander Kanavin (1):
apparmor: fetch from git
Armin Kuster (15):
clamav runtime: add resolve.conf support
clamav: fix llvm reference version
libldb: add waf-cross-answeres
clamav: runtime fix local routing
clamav: add clamav-cvd package for cvd db
clamav-native: fix new build issue
apparmor: fix fragment for 5.0 kernel
apparmor: add a few more runtime
smack: move patch to smack dir
smack-test: add smack tests from meta-intel-iot-security
samhain: add more tests and fix ret checks
libldb: add earlier version
libseccomp: update to 2.4.1
oe-selftest: add running cve checker
smack: kernel fragment update
Yi Zhao (2):
meta-tpm/conf/layer.conf: update layer dependencies
meta-tpm/README: update
Change-Id: I9e02cb75a779f25fca84395144025410bb609dfa
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-security')
49 files changed, 2688 insertions, 39 deletions
diff --git a/meta-security/files/waf-cross-answers/README b/meta-security/files/waf-cross-answers/README
new file mode 100644
index 000000000..dda45c508
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/README
@@ -0,0 +1,3 @@
+The files in this directory are cross answers files
+used by waf-samba.bbclass, please see waf-samba.bbclass
+for details about how they are used.
diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt
new file mode 100644
index 000000000..1023f6aff
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt
new file mode 100644
index 000000000..1023f6aff
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-arm.txt b/meta-security/files/waf-cross-answers/cross-answers-arm.txt
new file mode 100644
index 000000000..a5cd9981a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-arm.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt
new file mode 100644
index 000000000..a5cd9981a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-i586.txt b/meta-security/files/waf-cross-answers/cross-answers-i586.txt
new file mode 100644
index 000000000..a5cd9981a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-i586.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-i686.txt b/meta-security/files/waf-cross-answers/cross-answers-i686.txt
new file mode 100644
index 000000000..a5cd9981a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-i686.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips.txt b/meta-security/files/waf-cross-answers/cross-answers-mips.txt
new file mode 100644
index 000000000..3e239e727
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt
new file mode 100644
index 000000000..82e694fda
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: OK
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt
new file mode 100644
index 000000000..82e694fda
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: OK
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt
new file mode 100644
index 000000000..3e239e727
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt
new file mode 100644
index 000000000..27b9378a4
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt
new file mode 100644
index 000000000..7fd3092cb
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: (255, "")
+Checking if can we convert from IBM850 to UCS-2LE: (255, "")
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt
new file mode 100644
index 000000000..1023f6aff
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt
new file mode 100644
index 000000000..1023f6aff
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/lib/oeqa/runtime/cases/apparmor.py b/meta-security/lib/oeqa/runtime/cases/apparmor.py index e2cb316d1..b6a9537e3 100644 --- a/meta-security/lib/oeqa/runtime/cases/apparmor.py +++ b/meta-security/lib/oeqa/runtime/cases/apparmor.py @@ -25,3 +25,22 @@ class ApparmorTest(OERuntimeTestCase): msg = ('aa-status failed. ' 'Status and output:%s and %s' % (status, output)) self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_status']) + def test_apparmor_aa_complain(self): + status, output = self.target.run('aa-complain /etc/apparmor.d/*') + match = re.search('apparmor module is loaded.', output) + if not match: + msg = ('aa-complain failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_complain']) + def test_apparmor_aa_enforce(self): + status, output = self.target.run('aa-enforce /etc/apparmor.d/*') + match = re.search('apparmor module is loaded.', output) + if not match: + msg = ('aa-enforce failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py index fc77330dd..d0bc645ae 100644 --- a/meta-security/lib/oeqa/runtime/cases/clamav.py +++ b/meta-security/lib/oeqa/runtime/cases/clamav.py @@ -1,6 +1,7 @@ # Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> # import re +from tempfile import mkstemp from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends 
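Review bot: In test_apparmor_aa_complain and test_apparmor_aa_enforce the pass condition is a search for 'apparmor module is loaded.', the string the existing aa-status test looks for, which is unlikely to appear in aa-complain or aa-enforce output, and the exit-status assertion follows `if not match:`. Indentation is lost on this page, but if the assert sits inside that branch as it appears to in the aa-status test above, a run whose output matches is never checked for its exit status, and neither test confirms that any profile actually changed mode. I would drop the regex and assert unconditionally with `self.assertEqual(status, 0, msg=msg)`, then confirm the resulting mode with a follow-up `aa-status` call. The same match-then-assert shape is used in test_samhain_init_db and test_samhain_db_check in the samhain.py hunk of this commit.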
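Review bot: Only `mkstemp` is imported in this clamav.py hunk, but the setUpClass and tearDownClass added in the next hunk call `os.fdopen`, `os.linesep` and `os.remove`, and no `import os` appears among the header lines shown here. Unless `os` reaches the module some other way, setUpClass raises NameError and every test in ClamavTest errors before it runs. Add `import os` next to `import re`.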
@@ -9,6 +10,22 @@ from oeqa.runtime.decorator.package import OEHasPackage class ClamavTest(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.tmp_fd, cls.tmp_path = mkstemp() + with os.fdopen(cls.tmp_fd, 'w') as f: + # use gooled public dns + f.write("nameserver 8.8.8.8") + f.write(os.linesep) + f.write("nameserver 8.8.4.4") + f.write(os.linesep) + f.write("nameserver 127.0.0.1") + f.write(os.linesep) + + @classmethod + def tearDownClass(cls): + os.remove(cls.tmp_path) + @OEHasPackage(['clamav']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_freshclam_help(self): @@ -18,6 +35,19 @@ class ClamavTest(OERuntimeTestCase): self.assertEqual(status, 0, msg = msg) @OETestDepends(['clamav.ClamavTest.test_freshclam_help']) + @OEHasPackage(['openssh-scp', 'dropbear']) + def test_ping_clamav_net(self): + dst = '/etc/resolv.conf' + self.tc.target.run('rm -f %s' % dst) + (status, output) = self.tc.target.copyTo(self.tmp_path, dst) + msg = 'File could not be copied. Output: %s' % output + self.assertEqual(status, 0, msg=msg) + + status, output = self.target.run('ping -c 1 database.clamav.net') + msg = ('ping database.clamav.net failed: output is:\n%s' % output) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net']) def test_freshclam_download(self): status, output = self.target.run('freshclam --show-progress') match = re.search('Database updated', output) diff --git a/meta-security/lib/oeqa/runtime/cases/samhain.py b/meta-security/lib/oeqa/runtime/cases/samhain.py index e4bae7bda..5043a38cc 100644 --- a/meta-security/lib/oeqa/runtime/cases/samhain.py +++ b/meta-security/lib/oeqa/runtime/cases/samhain.py @@ -1,6 +1,7 @@ # Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> # import re +import os from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends 
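Review bot: setUpClass has no docstring, and its only comment, `# use gooled public dns`, is misspelled and does not say why a resolver file is built on the build host. I would replace it with `# resolv.conf for the target: Google public DNS first, loopback last, so freshclam can resolve database.clamav.net` and add a one-line docstring saying the temp file is later copied to the target by test_ping_clamav_net. The hard-coded 8.8.8.8/8.8.4.4 entries also tie the test to labs that allow external DNS, which deserves a mention in the same comment.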
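Review bot: test_ping_clamav_net removes the target's /etc/resolv.conf and replaces it with the generated file, and nothing restores the original; tearDownClass only deletes the temp file on the host. Every test that runs afterwards on the same image resolves names through the hard-coded servers, and where /etc/resolv.conf is a symlink the `rm -f` replaces the link with a static file. I would keep a copy before overwriting, `self.target.run('cp -a /etc/resolv.conf /tmp/resolv.conf.orig')`, and put it back in a teardown step. The result of the `rm -f` call is also discarded, and the method mixes `self.tc.target` with `self.target`; using one consistently would read better.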
@@ -11,10 +12,32 @@ class SamhainTest(OERuntimeTestCase): @OEHasPackage(['samhain-standalone']) @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_samhain_standalone_help(self): + def test_samhain_help(self): + machine = self.td.get('MACHINE', '') + status, output = self.target.run('echo "127.0.0.1 %s.localdomain %s" >> /etc/hosts' % (machine, machine)) + msg = ("samhain can't append hosts. " + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + status, output = self.target.run('samhain --help') - match = re.search('Please report bugs to support@la-samhna.de.', output) + msg = ('samhain command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['samhain.SamhainTest.test_samhain_help']) + def test_samhain_init_db(self): + status, output = self.target.run('samhain -t init') + match = re.search('FAILED: 0 ', output) + if not match: + msg = ('samhain database init had an unexpected failure. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['samhain.SamhainTest.test_samhain_init_db']) + def test_samhain_db_check(self): + status, output = self.target.run('samhain -t check') + match = re.search('FAILED: 0 ', output) if not match: - msg = ('samhain-standalone command does not work as expected. ' + msg = ('samhain errors found in db. ' 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 1, msg = msg) + self.assertEqual(status, 0, msg = msg) diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py new file mode 100644 index 000000000..35e87ef32 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/cases/smack.py 
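Review bot: `self.td.get('MACHINE', '')` falls back to an empty string, in which case test_samhain_help appends the malformed line `127.0.0.1 .localdomain ` to the target's /etc/hosts, and the same line is appended again on every run against that image. Fail early with `self.assertTrue(machine, 'MACHINE is not set in the test data')` and make the append conditional on the entry not already being present. The /etc/hosts edit is setup rather than a help check, so it would be clearer in its own setup step with a comment explaining why samhain needs the entry.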
@@ -0,0 +1,529 @@ +import unittest +import re +import os +import string +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature + +MAX_LABEL_LEN = 255 +LABEL = "a" * MAX_LABEL_LEN + +class SmackBasicTest(OERuntimeTestCase): + ''' base smack test ''' + + @classmethod + def setUpClass(cls): + cls.smack_path = "" + cls.current_label = "" + cls.uid = 1000 + + @skipIfNotFeature('smack', + 'Test requires smack to be in DISTRO_FEATURES') + @OEHasPackage(['smack-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_smack_basic(self): + status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'") + self.smack_path = output + status,output = self.target.run("cat /proc/self/attr/current") + self.current_label = output.strip() + +class SmackAccessLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_access_label(self): + ''' Test if chsmack can correctly set a SMACK label ''' + filename = "/tmp/test_access_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack access label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=access=")\S+(?=")', output) + if m is None: + self.fail("Did not find access attribute") + else: + label_retrieved = m .group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. 
expected and gotten: " + "%s %s" %(LABEL,label_retrieved)) + + +class SmackExecLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_exec_label(self): + '''Test if chsmack can correctly set a SMACK Exec label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack exec label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m= re.search('(?<=execute=")\S+(?=")', output) + if m is None: + self.fail("Did not find execute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackMmapLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_mmap_label(self): + '''Test if chsmack can correctly set a SMACK mmap label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack mmap label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=mmap=")\S+(?=")', output) + if m is None: + self.fail("Did not find mmap attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. 
expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackTransmutable(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_transmutable(self): + '''Test if chsmack can correctly set a SMACK transmutable mode''' + + directory = "~/test_transmutable" + self.target.run("mkdir -p %s" %directory) + status, output = self.target.run("chsmack -t %s" %directory) + self.assertEqual(status, 0, "Cannot set smack transmutable. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %directory) + self.target.run("rmdir %s" %directory) + m = re.search('(?<=transmute=")\S+(?=")', output) + if m is None: + self.fail("Did not find transmute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + "TRUE", label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackChangeSelfLabelPrivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_privileged_change_self_label(self): + '''Test if privileged process (with CAP_MAC_ADMIN privilege) + can change its label. 
+ ''' + + labelf = "/proc/self/attr/current" + command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf) + + status, output = self.target.run( + "notroot.py 0 %s %s" %(self.current_label, command)) + + self.assertIn("PRIVILEGED", output, + "Privilege process did not change label.Output: %s" %output) + +class SmackChangeSelfLabelUnprivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_unprivileged_change_self_label(self): + '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) + cannot change its label''' + + command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL + status, output = self.target.run( + "notroot.py %d %s %s" + %(self.uid, self.current_label, command) + + " 2>&1 | grep 'Operation not permitted'" ) + + self.assertEqual( + status, 0, + "Unprivileged process should not be able to change its label") + + +class SmackChangeFileLabelPrivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_unprivileged_change_file_label(self): + '''Test if unprivileged process cannot change file labels''' + + status, chsmack = self.target.run("which chsmack") + status, touch = self.target.run("which touch") + filename = "/tmp/test_unprivileged_change_file_label" + + self.target.run("touch %s" % filename) + self.target.run("notroot.py %d %s" %(self.uid, self.current_label)) + status, output = self.target.run( + "notroot.py " + + "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + + "| grep 'Operation not permitted'" ) + + self.target.run("rm %s" % filename) + self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename) + +class SmackLoadRule(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_load_smack_rule(self): + '''Test if new smack access rules can be loaded''' + + # old 23 character format requires special spaces formatting + # 
12345678901234567890123456789012345678901234567890123 + ruleA="TheOne TheOther rwxat" + ruleB="TheOne TheOther r----" + clean="TheOne TheOther -----" + modeA = "rwxat" + modeB = "r" + + status, output = self.target.run('echo -n "%s" > %s/load' %(ruleA, self.smack_path)) + status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + self.assertEqual(status, 0, "Rule A was not added") + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( mode, modeA, "Mode A was not set correctly; mode: %s" %mode) + + status, output = self.target.run( 'echo -n "%s" > %s/load' %(ruleB, self.smack_path)) + status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( mode, modeB, "Mode B was not set correctly; mode: %s" %mode) + + self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) + + +class SmackOnlycap(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_onlycap(self): + '''Test if smack onlycap label can be set + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh") + self.assertEqual(status, 0, output) + +class SmackNetlabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_netlabel(self): + + test_label="191.191.191.191 TheOne" + expected_label="191.191.191.191/32 TheOne" + + status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( status, 0, "Netlabel /32 could not be set. 
Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( expected_label, output, "Did not find expected label in output: %s" %output) + + test_label="253.253.253.0/24 TheOther" + status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( status, 0, "Netlabel /24 could not be set. Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( + test_label, output, + "Did not find expected label in output: %s" %output) + +class SmackCipso(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_cipso(self): + '''Test if smack cipso rules can be set''' + # 12345678901234567890123456789012345678901234567890123456 + ruleA="TheOneA 2 0 " + ruleB="TheOneB 3 1 55 " + ruleC="TheOneC 4 2 17 33 " + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label A. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneA'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule A was not set") + self.assertIn(" 2", output, "Rule A was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label B. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneB'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule B was not set") + self.assertIn("/55", output, "Rule B was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path)) + self.assertEqual( + status, 0, + "Could not set cipso label C. 
Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneC'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule C was not set") + self.assertIn("/17,33", output, "Rule C was not set correctly") + +class SmackDirect(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_direct(self): + status, initial_direct = self.target.run( + "cat %s/direct" %self.smack_path) + + test_direct="17" + status, output = self.target.run( + "echo '%s' > %s/direct" %(test_direct, self.smack_path)) + self.assertEqual(status, 0 , + "Could not set smack direct. Output: %s" %output) + status, new_direct = self.target.run("cat %s/direct" %self.smack_path) + # initial label before checking + status, output = self.target.run( + "echo '%s' > %s/direct" %(initial_direct, self.smack_path)) + self.assertEqual( + test_direct, new_direct.strip(), + "Smack direct label does not match.") + + +class SmackAmbient(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_ambient(self): + test_ambient = "test_ambient" + status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(test_ambient, self.smack_path)) + self.assertEqual(status, 0, + "Could not set smack ambient. 
Output: %s" %output) + + status, output = self.target.run("cat %s/ambient" %self.smack_path) + # Filter '\x00', which is sometimes added to the ambient label + new_ambient = ''.join(filter(lambda x: x in string.printable, output)) + initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient)) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path)) + self.assertEqual( + test_ambient, new_ambient.strip(), + "Ambient label does not match") + + +class SmackloadBinary(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smackload(self): + '''Test if smackload command works''' + rule="testobject testsubject rwx" + + status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule) + status, output = self.target.run("smackload /tmp/rules") + self.assertEqual( status, 0, "Smackload failed to load rule. Output: %s" %output) + + status, output = self.target.run( "cat %s/load | grep '%s'" %(self.smack_path, rule)) + self.assertEqual(status, 0, "Smackload rule was loaded correctly") + + +class SmackcipsoBinary(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smackcipso(self): + '''Test if smackcipso command works''' + # 12345678901234567890123456789012345678901234567890123456 + rule="cipsolabel 2 2 " + + status, output = self.target.run("echo '%s' | smackcipso" %rule) + self.assertEqual( status, 0, "Smackcipso failed to load rule. Output: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep 'cipsolabel'" %self.smack_path) + self.assertEqual(status, 0, "smackcipso rule was loaded correctly") + self.assertIn( "2/2", output, "Rule was not set correctly. 
Got: %s" %output) + + +class SmackEnforceFileAccess(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_enforce_file_access(self): + '''Test if smack file access is enforced (rwx) + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("sh /usr/sbin/smack_test_file_access.sh") + self.assertEqual(status, 0, output) + + +class SmackEnforceMmap(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_mmap_enforced(self): + '''Test if smack mmap access is enforced''' + raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.") + + # 12345678901234567890123456789012345678901234567890123456 + delr1="mmap_label mmap_test_label1 -----" + delr2="mmap_label mmap_test_label2 -----" + delr3="mmap_file_label mmap_test_label1 -----" + delr4="mmap_file_label mmap_test_label2 -----" + + RuleA="mmap_label mmap_test_label1 rw---" + RuleB="mmap_label mmap_test_label2 r--at" + RuleC="mmap_file_label mmap_test_label1 rw---" + RuleD="mmap_file_label mmap_test_label2 rwxat" + + mmap_label="mmap_label" + file_label="mmap_file_label" + test_file = "/usr/sbin/smack_test_mmap" + mmap_exe = "/tmp/mmap_test" + status, echo = self.target.run("which echo") + status, output = self.target.run( + "notroot.py %d %s %s 'test' > %s" \ + %(self.uid, self.current_label, echo, test_file)) + status, output = self.target.run("ls %s" %test_file) + self.assertEqual(status, 0, "Could not create mmap test file") + self.target.run("chsmack -m %s %s" %(file_label, test_file)) + self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe)) + + # test with no rules with mmap label or exec label as subject + # access should be granted + self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path)) + 
self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access without rules. Output: %s" %output) + + # add rules that do not match access required + self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with unmatching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with unmatching rules") + + # add rule to match only partially (one way) + self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with partial matching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with partial matching rules") + + # add rule to match fully + self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access with full matching rules." 
+ + "Output: %s" %output) + + +class SmackEnforceTransmutable(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_transmute_dir(self): + '''Test if smack transmute attribute works + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + test_dir = "/tmp/smack_transmute_dir" + label="transmute_label" + status, initial_label = self.target.run("cat /proc/self/attr/current") + + self.target.run("mkdir -p %s" % test_dir) + self.target.run("chsmack -a %s %s" % (label, test_dir)) + self.target.run("chsmack -t %s" % test_dir) + self.target.run("echo -n '%s %s rwxat' | smackload" %(initial_label, label) ) + + self.target.run("touch %s/test" % test_dir) + status, output = self.target.run("chsmack %s/test" % test_dir) + self.assertIn( 'access="%s"' %label, output, + "Did not get expected label. Output: %s" % output) + + +class SmackTcpSockets(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_tcp_sockets(self): + '''Test if smack is enforced on tcp sockets + + whole test takes places on image, depends on tcp_server/tcp_client''' + + status, output = self.target.run("sh /usr/sbin/test_smack_tcp_sockets.sh") + self.assertEqual(status, 0, output) + + +class SmackUdpSockets(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_udp_sockets(self): + '''Test if smack is enforced on udp sockets + + whole test takes places on image, depends on udp_server/udp_client''' + + status, output = self.target.run("sh /usr/sbin/test_smack_udp_sockets.sh") + self.assertEqual(status, 0, output) + + +class SmackFileLabels(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_labels(self): + '''Check for correct Smack labels.''' + expected = ''' +/tmp/ access="*" +/etc/ access="System::Shared" transmute="TRUE" +/etc/passwd access="System::Shared" +/etc/terminfo 
access="System::Shared" transmute="TRUE" +/etc/skel/ access="System::Shared" transmute="TRUE" +/etc/skel/.profile access="System::Shared" +/var/log/ access="System::Log" transmute="TRUE" +/var/tmp/ access="*" +''' + files = ' '.join([x.split()[0] for x in expected.split('\n') if x]) + files_wildcard = ' '.join([x + '/*' for x in files.split()]) + # Auxiliary information. + status, output = self.target.run( + 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % ( + ' '.join([x.rstrip('/') for x in files.split()]), files, files + ) + ) + msg = "File status:\n" + output + status, output = self.target.run('chsmack %s' % files) + self.assertEqual( + status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg)) + self.longMessage = True + self.maxDiff = None + self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg) diff --git a/meta-security/lib/oeqa/selftest/cases/cvechecker.py b/meta-security/lib/oeqa/selftest/cases/cvechecker.py new file mode 100644 index 000000000..23ca7d222 --- /dev/null +++ b/meta-security/lib/oeqa/selftest/cases/cvechecker.py 
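Review bot: `self.smack_path` and `self.current_label` are assigned on the instance inside `test_smack_basic`, but unittest creates a fresh instance per test method and the inherited `setUpClass` resets both to `""` on every subclass, so unless the OEQA runner shares state in a way not visible here, `SmackLoadRule`, `SmackNetlabel`, `SmackCipso`, `SmackDirect`, `SmackAmbient` and the two binary tests would read and write `/load`, `/netlabel`, `/cipso` and so on at the filesystem root. Resolving the mount point where it is used, through a helper on `SmackBasicTest` that also asserts the path is non-empty, removes the dependency on another instance's attributes; `current_label` needs the same treatment in the `notroot.py` tests. Separately, `SmackMmapLabel` reuses `/tmp/test_exec_label`, and the failure messages `"Smackload rule was loaded correctly"` and `"smackcipso rule was loaded correctly"` state the opposite of what a failure means.

```python
class SmackBasicTest(OERuntimeTestCase):
    # … unchanged: setUpClass, test_smack_basic …

    def get_smack_path(self):
        '''Return the smackfs mount point reported by the target.'''
        status, output = self.target.run(
            "grep smack /proc/mounts | awk '{print $2}'")
        path = output.strip()
        self.assertTrue(path, "smackfs mount point not found")
        return path
```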
@@ -0,0 +1,27 @@ +import os +import re + +from oeqa.selftest.case import OESelftestTestCase +from oeqa.utils.commands import bitbake, get_bb_var + +class CveCheckerTests(OESelftestTestCase): + def test_cve_checker(self): + image = "core-image-sato" + + deploy_dir = get_bb_var("DEPLOY_DIR_IMAGE") + image_link_name = get_bb_var('IMAGE_LINK_NAME', image) + + manifest_link = os.path.join(deploy_dir, "%s.cve" % image_link_name) + + self.logger.info('CVE_CHECK_MANIFEST = "%s"' % manifest_link) + if (not 'cve-check' in get_bb_var('INHERIT')): + add_cve_check_config = 'INHERIT += "cve-check"' + self.append_config(add_cve_check_config) + self.append_config('CVE_CHECK_MANIFEST = "%s"' % manifest_link) + result = bitbake("-k -c cve_check %s" % image, ignore_status=True) + if (not 'cve-check' in get_bb_var('INHERIT')): + self.remove_config(add_cve_check_config) + + isfile = os.path.isfile(manifest_link) + self.assertEqual(True, isfile, 'Failed to create cve data file : %s' % manifest_link) + diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README index bbc70bbaa..dd662b3d4 100644 --- a/meta-security/meta-tpm/README +++ b/meta-security/meta-tpm/README 
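Review bot: The second `if (not 'cve-check' in get_bb_var('INHERIT'))` is evaluated after `append_config` has added the class, so it is presumably always false on the path where the test did the adding and `remove_config` is never reached; record the decision once, `added = 'cve-check' not in get_bb_var('INHERIT')`, and branch on `added` both times. The test then passes on the mere existence of the manifest: `result` from `bitbake(..., ignore_status=True)` is never inspected, and a `.cve` file left by an earlier build satisfies `os.path.isfile`. Removing a stale manifest before the run and asserting that the new one is non-empty would make the check say something about this build.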
@@ -2,3 +2,60 @@ meta-tpm layer ============== This layer contains base TPM recipes. + +Dependencies +============ + +This layer depends on: + + URI: git://git.openembedded.org/openembedded-core + branch: master + revision: HEAD + prio: default + + URI: git://git.openembedded.org/meta-openembedded/meta-oe + branch: master + revision: HEAD + prio: default + +Adding the meta-tpm layer to your build +======================================== + +In order to use this layer, you need to make the build system aware of +it. + +Assuming this layer exists at the top-level of your +yocto build tree, you can add it to the build system by adding the +location of the meta-tpm layer to bblayers.conf, along with any +other layers needed. e.g.: + + BBLAYERS ?= " \ + /path/to/oe-core/meta \ + /path/to/meta-openembedded/meta-oe \ + /path/to/layer/meta-tpm \ + + +Maintenance +----------- + +Send pull requests, patches, comments or questions to yocto@yoctoproject.org + +When sending single patches, please using something like: +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' + +These values can be set as defaults for this repository: + +$ git config sendemail.to yocto@yoctoproject.org +$ git config format.subjectPrefix meta-security][PATCH + +Now you can just do 'git send-email origin/master' to send all local patches. + +Maintainers: Armin Kuster <akuster808@gmail.com> + + +License +======= + +All metadata is MIT licensed unless otherwise stated. Source code included +in tree for individual recipes is under the LICENSE stated in each recipe +(.bb file) unless otherwise stated. diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 15a2befcf..bf9a76ea6 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -12,4 +12,5 @@ LAYERSERIES_COMPAT_tpm-layer = "thud warrior" LAYERDEPENDS_tpm-layer = " \ core \ + openembedded-layer \ " 
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg index b5f9bb2a6..ae6cdcdf0 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg +++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg @@ -1,15 +1,9 @@ CONFIG_AUDIT=y -# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set -CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_SECURITY_PATH=y -# CONFIG_SECURITY_SELINUX is not set CONFIG_SECURITY_APPARMOR=y CONFIG_SECURITY_APPARMOR_HASH=y CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -# CONFIG_SECURITY_APPARMOR_DEBUG is not set CONFIG_INTEGRITY_AUDIT=y CONFIG_DEFAULT_SECURITY_APPARMOR=y -# CONFIG_DEFAULT_SECURITY_DAC is not set CONFIG_DEFAULT_SECURITY="apparmor" CONFIG_AUDIT_GENERIC=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg index 62f465a45..0d5fc645c 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg +++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg @@ -1,8 +1,7 @@ -CONFIG_IP_NF_SECURITY=m -CONFIG_IP6_NF_SECURITY=m -CONFIG_EXT2_FS_SECURITY=y -CONFIG_EXT3_FS_SECURITY=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_SECURITY=y +CONFIG_NETLABEL=y +CONFIG_SECURITY_NETWORK=y +# CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_SECURITY_SMACK=y +CONFIG_SECURITY_SMACK_BRINGUP=y +CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y CONFIG_TMPFS_XATTR=y diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb index 62ed61148..4eaec001e 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb 
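Review bot: `CONFIG_SECURITY_SMACK_BRINGUP=y` in smack.cfg enables Smack's bring-up facility in the fragment that every Smack-enabled image picks up, and nothing in the file says it is meant for policy development only. The option exists so accesses can be logged while rules are being written, and the kernel help text recommends N when unsure, so a comment such as `# Bring-up ("b") mode: logging aid for policy development, drop for production images` would keep it from shipping unnoticed. The same hunk removes `CONFIG_SECURITY=y` and the `CONFIG_EXT*_FS_SECURITY=y` lines; if the base linux-yocto configuration does not already set them, label storage in security xattrs would be affected, which is worth confirming against the final `.config`.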
@@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" DEPENDS = "bison-native apr gettext-native coreutils-native" SRC_URI = " \ - http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \ file://disable_perl_h_check.patch \ file://crosscompile_perl_bindings.patch \ file://apparmor.rc \ @@ -24,8 +24,8 @@ SRC_URI = " \ file://run-ptest \ " -SRC_URI[md5sum] = "2439b35266b5a3a461b0a2dba6e863c3" -SRC_URI[sha256sum] = "844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30" +SRCREV = "af4808b5f6b58946f5c5a4de4b77df5e0eae6ca0" +S = "${WORKDIR}/git" PARALLEL_MAKE = "" diff --git a/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c new file mode 100644 index 000000000..f358d27b5 --- /dev/null +++ b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c @@ -0,0 +1,7 @@ +#include <stdio.h> + +int main(int argc, char **argv) +{ + printf("Original test program removed while investigating its license.\n"); + return 1; +} diff --git a/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb new file mode 100644 index 000000000..9d11509d0 --- /dev/null +++ b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb @@ -0,0 +1,16 @@ +SUMMARY = "Mmap binary used to test smack mmap attribute" +DESCRIPTION = "Mmap binary used to test smack mmap attribute" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://mmap.c" + +S = "${WORKDIR}" +do_compile() { + ${CC} mmap.c ${LDFLAGS} -o mmap_test +} + +do_install() { + install -d ${D}${bindir} + install -m 0755 mmap_test ${D}${bindir} +} diff --git a/meta-security/recipes-mac/smack/smack-test/notroot.py b/meta-security/recipes-mac/smack/smack-test/notroot.py new file mode 100644 index 000000000..f0eb0b5b9 
--- /dev/null +++ b/meta-security/recipes-mac/smack/smack-test/notroot.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python +# +# Script used for running executables with custom labels, as well as custom uid/gid +# Process label is changed by writing to /proc/self/attr/curent +# +# Script expects user id and group id to exist, and be the same. +# +# From adduser manual: +# """By default, each user in Debian GNU/Linux is given a corresponding group +# with the same name. """ +# +# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] +# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 +# +# Author: Alexandru Cornea <alexandru.cornea@intel.com> +import os +import sys + +try: + uid = int(sys.argv[1]) + sys.argv.pop(1) + label = sys.argv[1] + sys.argv.pop(1) + open("/proc/self/attr/current", "w").write(label) + path=sys.argv[1] + sys.argv.pop(0) + os.setgid(uid) + os.setuid(uid) + os.execv(path,sys.argv) + +except Exception,e: + print e.message + sys.exit(1) diff --git a/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh new file mode 100644 index 000000000..5a0ce84f2 --- /dev/null +++ b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh 
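Review bot: `os.setgid(uid)` followed by `os.setuid(uid)` leaves the supplementary groups of the calling root process in place, so the command that the Smack tests treat as unprivileged still runs with root's group memberships; add `os.setgroups([])` before `os.setgid(uid)`. The label write `open("/proc/self/attr/current", "w").write(label)` relies on garbage collection to flush and close the file; a `with` block makes the write complete before the uid change. `except Exception,e:` and `print e.message` are Python 2 only while the shebang is `#!/usr/bin/env python`, so the script fails to parse on an image that ships only Python 3. The header comment's `/proc/self/attr/curent` should read `current`.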
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+RC=0
+TMP="/tmp"
+test_file=$TMP/smack_test_access_file
+CAT=`which cat`
+ECHO=`which echo`
+uid=1000
+initial_label=`cat /proc/self/attr/current`
+python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+chsmack -a "TheOther" $test_file
+
+# 12345678901234567890123456789012345678901234567890123456
+delrule="TheOne TheOther -----"
+rule_ro="TheOne TheOther r----"
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file and no read access on it can read it"
+ exit $RC
+fi
+
+# adding read access
+echo -n "$rule_ro" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file but with read access on it cannot read it"
+ exit $RC
+fi
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+# changing label of test file to *
+# according to SMACK documentation, read access on a * object is always permitted
+chsmack -a '*' $test_file
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process cannot read file with * label"
+ exit $RC
+fi
+
+# changing subject label to *
+# according to SMACK documentation, every access requested by a star labeled subject is rejected
+TOUCH=`which touch`
+python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
+if [ $RC -ne 0 ];then
+ echo "Process with label '*' should not have any access"
+ exit $RC
+fi
+exit 0
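Review bot: Every case runs `python $TMP/notroot.py` with `TMP="/tmp"`, while smack-test_1.0.bb in this commit installs notroot.py into `${sbindir}`; the script has to run privileged to write `$SMACK_PATH/load`, so it executes whatever file sits under that name in a world-writable directory. Resolving the helper from the installed location, for example `NOTROOT=$(command -v notroot.py)`, removes that dependency. The fixed names `$TMP/smack_test_access_file` and `$TMP/test_file_2` have the same weakness, since a pre-created file or symlink changes what the test writes to; `test_file=$(mktemp)` avoids it. Neither file is removed on any exit path, and `initial_label` is read but never used.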
diff --git a/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh b/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
new file mode 100644
index 000000000..26d9e9d22
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+initial_label=`cat /proc/self/attr/current 2>/dev/null`
+modified_label="test_label"
+
+echo "$modified_label" >/proc/self/attr/current 2>/dev/null
+
+new_label=`cat /proc/self/attr/current 2>/dev/null`
+
+if [ "$new_label" != "$modified_label" ]; then
+ # restore proper label
+ echo $initial_label >/proc/self/attr/current
+ echo "Privileged process could not change its label"
+ exit 1
+fi
+
+echo "$initial_label" >/proc/self/attr/current 2>/dev/null
+exit 0
\ No newline at end of file
diff --git a/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh b/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh
new file mode 100644
index 000000000..1c4a93ab6
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+RC=0
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
+test_label="test_label"
+onlycap_initial=`cat $SMACK_PATH/onlycap`
+smack_initial=`cat /proc/self/attr/current`
+
+# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
+# even if we are root
+echo "$test_label" > /proc/self/attr/current
+
+echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Onlycap label could not be set"
+ return $RC
+fi
+
+if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
+ echo "Onlycap label was not set correctly."
+ return 1
+fi
+
+# resetting original onlycap label
+echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
+
+# resetting our initial's process label
+echo "$smack_initial" > /proc/self/attr/current
diff --git a/meta-security/recipes-mac/smack/smack-test_1.0.bb b/meta-security/recipes-mac/smack/smack-test_1.0.bb
new file mode 100644
index 000000000..7cf8f2e04
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test_1.0.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Smack test scripts"
+DESCRIPTION = "Smack scripts"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = " \
+ file://notroot.py \
+ file://smack_test_file_access.sh \
+ file://test_privileged_change_self_label.sh \
+ file://test_smack_onlycap.sh \
+"
+
+S = "${WORKDIR}"
+
+do_install() {
+ install -d ${D}${sbindir}
+ install -m 0755 notroot.py ${D}${sbindir}
+ install -m 0755 *.sh ${D}${sbindir}
+}
+
+RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test"
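Review bot: Both failure branches of test_smack_onlycap.sh use `return`, which is only defined inside a function or a sourced file; started through its `#!/bin/sh` line the result depends on the shell, and some shells print an error and keep executing. Use `exit $RC` and `exit 1` instead. The second branch also leaves `$SMACK_PATH/onlycap` at whatever value was written, and that setting is system-wide, so `$onlycap_initial` should be restored before leaving, for example from a `trap`. Writing the comparison as `[ "$(cat $SMACK_PATH/onlycap)" != "$test_label" ]` keeps an empty onlycap file from turning the test into a syntax error, and the script should end with an explicit `exit 0` rather than the status of the last `echo`.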
diff --git a/meta-security/recipes-mac/smack/files/run-ptest b/meta-security/recipes-mac/smack/smack/run-ptest
index 049a9b47a..049a9b47a 100644
--- a/meta-security/recipes-mac/smack/files/run-ptest
+++ b/meta-security/recipes-mac/smack/smack/run-ptest
diff --git a/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch b/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch
index 4d677e751..4d677e751 100644
--- a/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch
+++ b/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c
new file mode 100644
index 000000000..185f97380
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c
@@ -0,0 +1,111 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <string.h>
+#include <sys/xattr.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ char message[255] = "hello";
+ struct sockaddr_in server_addr;
+ char* label_in;
+ char* label_out;
+ char* attr_out = "security.SMACK64IPOUT";
+ char* attr_in = "security.SMACK64IPIN";
+ char out[256];
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ struct hostent* host = gethostbyname("localhost");
+
+ if (argc != 4)
+ {
+ perror("Client: Arguments missing, please provide socket labels");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ label_out = argv[3];
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPOUT");
+ return 2;
+ }
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPIN");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Client: Set timeout failed\n");
+ return 2;
+ }
+
+ if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
+ {
+ perror("Client: Connection failure");
+ close(sock);
+ return 1;
+ }
+
+
+ if(write(sock, message, strlen(message)) < 0)
+ {
+ perror("Client: Error sending data\n");
+ close(sock);
+ return 1;
+ }
+ close(sock);
+ return 0;
+}
+
+
+
+
+
+
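Review bot: The result of `gethostbyname("localhost")` is dereferenced at `bcopy((char*) host->h_addr, ...)` without a NULL check, so an image where `localhost` does not resolve crashes the client instead of returning 2 like the other setup failures; udp_client.c in this commit has the same pattern. Add `if (host == NULL) { fprintf(stderr, "Client: cannot resolve localhost\n"); return 2; }` before the address copy, or set `server_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);` and drop the lookup. The `argc != 4` branch reports through `perror`, which appends an unrelated errno string; `fprintf(stderr, ...)` fits a usage error better. `atoi` is used without `<stdlib.h>`, the two `fsetxattr` and the `setsockopt` failure branches return without `close(sock)`, and `out[256]` is never used.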
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
new file mode 100644
index 000000000..9285dc695
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
@@ -0,0 +1,118 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ int clientsock;
+ char message[255];
+ socklen_t client_length;
+ struct sockaddr_in server_addr, client_addr;
+ char* label_in;
+ char* attr_in = "security.SMACK64IPIN";
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ if (argc != 3)
+ {
+ perror("Server: Argument missing please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ bzero(message,255);
+
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Server: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
+ {
+ perror("Server: Unable to set attribute ipin 2");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure ");
+ return 2;
+ }
+
+ listen(sock, 1);
+ client_length = sizeof(client_addr);
+
+ clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
+
+ if (clientsock < 0)
+ {
+ perror("Server: Connection failed");
+ close(sock);
+ return 1;
+ }
+
+
+ if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
+ {
+ perror(" Server: Unable to set attribute ipin 2");
+ close(sock);
+ return 2;
+ }
+
+ if(read(clientsock, message, 254) < 0)
+ {
+ perror("Server: Error when reading from socket");
+ close(clientsock);
+ close(sock);
+ return 1;
+ }
+
+
+ close(clientsock);
+ close(sock);
+
+ return 0;
+}
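Review bot: `server_addr.sin_addr.s_addr = INADDR_ANY;` makes the test server accept connections on every interface while it waits for up to the 15 second timeout, although tcp_client.c only ever connects to `localhost`; `server_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);` keeps the test port off the network and should not change what the test exercises. udp_server.c in this commit binds the same way. `fsetxattr` is called without `#include <sys/xattr.h>`, which tcp_client.c does include, so it is implicitly declared here. The return value of `listen(sock, 1)` is ignored, and the failure branch after the second `fsetxattr` closes `sock` but not `clientsock`.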
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh b/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
new file mode 100644
index 000000000..ed18f2371
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+RC=0
+test_file=/tmp/smack_socket_tcp
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+tcp_server=`which tcp_server`
+if [ -z $tcp_server ]; then
+ if [ -f "/tmp/tcp_server" ]; then
+ tcp_server="/tmp/tcp_server"
+ else
+ echo "tcp_server binary not found"
+ exit 1
+ fi
+fi
+tcp_client=`which tcp_client`
+if [ -z $tcp_client ]; then
+ if [ -f "/tmp/tcp_client" ]; then
+ tcp_client="/tmp/tcp_client"
+ else
+ echo "tcp_client binary not found"
+ exit 1
+ fi
+fi
+
+# checking access for sockets with different labels
+$tcp_server 50016 label1 &>/dev/null &
+server_pid=$!
+sleep 2
+$tcp_client 50016 label2 label1 &>/dev/null &
+client_pid=$!
+
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on tcp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$tcp_server 50017 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50017 label2 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on tcp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$tcp_server 50018 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50018 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on tcp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$tcp_server 50019 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50019 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on tcp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$tcp_server 50020 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50020 label1 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any tcp socket"
+ exit 1
+fi
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb b/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb
new file mode 100644
index 000000000..d2b3f6b33
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Binary used to test smack tcp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://tcp_server.c \
+ file://tcp_client.c \
+ file://test_smack_tcp_sockets.sh \
+"
+
+S = "${WORKDIR}"
+
+do_compile() {
+ ${CC} tcp_client.c ${LDFLAGS} -o tcp_client
+ ${CC} tcp_server.c ${LDFLAGS} -o tcp_server
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -d ${D}${sbindir}
+ install -m 0755 tcp_server ${D}${bindir}
+ install -m 0755 tcp_client ${D}${bindir}
+ install -m 0755 test_smack_tcp_sockets.sh ${D}${sbindir}
+}
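Review bot: The fallback to `/tmp/tcp_server` and `/tmp/tcp_client` when `which` finds nothing makes a script that writes `$SMACK_PATH/load`, and therefore runs privileged, execute a file from a world-writable directory; test_smack_udp_sockets.sh in this commit has the same fallback for the udp binaries. tcp-smack-test_1.0.bb installs both programs into `${bindir}`, so the fallback can be dropped and a missing binary simply reported as an error. In the first case `&>/dev/null &` is a bash extension; a strict POSIX `sh` such as dash reads it as `&` followed by a separate redirection, so `$!` is not reliably the server's pid, and `>/dev/null 2>&1 &` is the portable form. The `label1 label2 rw---` rule is still loaded when the script ends; reloading `label1 label2 -----` on exit leaves the rule set as the test found it.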
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh b/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
new file mode 100644
index 000000000..419ab9f91
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+RC=0
+test_file="/tmp/smack_socket_udp"
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+
+udp_server=`which udp_server`
+if [ -z $udp_server ]; then
+ if [ -f "/tmp/udp_server" ]; then
+ udp_server="/tmp/udp_server"
+ else
+ echo "udp_server binary not found"
+ exit 1
+ fi
+fi
+udp_client=`which udp_client`
+if [ -z $udp_client ]; then
+ if [ -f "/tmp/udp_client" ]; then
+ udp_client="/tmp/udp_client"
+ else
+ echo "udp_client binary not found"
+ exit 1
+ fi
+fi
+
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+# checking access for sockets with different labels
+$udp_server 50021 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50021 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on udp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$udp_server 50022 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50022 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on udp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$udp_server 50023 label1 &
+server_pid=$!
+sleep 1
+$udp_client 50023 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on udp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$udp_server 50024 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50024 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on udp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$udp_server 50025 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50025 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any udp socket"
+ exit 1
+fi
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
new file mode 100644
index 000000000..4d3afbe6c
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
@@ -0,0 +1,75 @@
+// (C) Copyright 2015 Intel Corporation
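Review bot: The two deny cases (ports 50021 and 50025) only test `[ $server_rv -eq 0 ]`, so they also pass when the server never reached the receive call: udp_server.c returns 2 when `socket`, `fsetxattr`, `setsockopt` or `bind` fails and 1 only when `recvfrom` fails or times out. A denial that was never exercised is then reported as enforced. Checking for the receive failure explicitly, `if [ $server_rv -ne 1 ]; then`, keeps a broken setup from counting as a pass. The deny cases in test_smack_tcp_sockets.sh accept any non-zero status in the same way.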
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ char* message = "hello";
+ int sock, ret;
+ struct sockaddr_in server_addr;
+ struct hostent* host = gethostbyname("localhost");
+ char* label;
+ char* attr = "security.SMACK64IPOUT";
+ int port;
+ if (argc != 3)
+ {
+ perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+ sock = socket(AF_INET, SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
+ {
+ perror("Client: Unable to set attribute ");
+ return 2;
+ }
+
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
+ sizeof(struct sockaddr_in));
+
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Client: Error sending message\n");
+ return 1;
+ }
+
+ return 0;
+}
+
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
new file mode 100644
index 000000000..cbab71e65
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
@@ -0,0 +1,93 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ int sock,ret;
+ struct sockaddr_in server_addr, client_addr;
+ socklen_t len;
+ char message[5];
+ char* label;
+ char* attr = "security.SMACK64IPIN";
+ int port;
+
+ if(argc != 3)
+ {
+ perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ sock = socket(AF_INET,SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Server: Socket error");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
+ {
+ perror("Server: Unable to set attribute ");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure");
+ return 2;
+ }
+
+ len = sizeof(client_addr);
+ ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
+ &len);
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Server: Error receiving");
+ return 1;
+
+ }
+ return 0;
+}
+
diff --git a/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb b/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb new file mode 100644 index 000000000..9193f8989 --- /dev/null +++ b/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb @@ -0,0 +1,23 @@ +SUMMARY = "Binary used to test smack udp sockets" +DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://udp_server.c \ + file://udp_client.c \ + file://test_smack_udp_sockets.sh \ +" + +S = "${WORKDIR}" +do_compile() { + ${CC} udp_client.c ${LDFLAGS} -o udp_client + ${CC} udp_server.c ${LDFLAGS} -o udp_server +} + +do_install() { + install -d ${D}${bindir} + install -d ${D}${sbindir} + install -m 0755 udp_server ${D}${bindir} + install -m 0755 udp_client ${D}${bindir} + install -m 0755 test_smack_udp_sockets.sh ${D}${sbindir} +} diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb index 6219d9ed2..7d8767e2f 100644 --- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb +++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb @@ -4,8 +4,9 @@ HOMEPAGE = "http://www.clamav.net/index.html" SECTION = "security" LICENSE = "LGPL-2.1" -DEPENDS = "libtool db libmspack chrpath-replacement-native" - +DEPENDS = "libtool db libmspack openssl zlib llvm chrpath-replacement-native clamav-native" +DEPENDS_class-native = "db-native openssl-native zlib-native" + LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092" SRCREV = "b66e5e27b48c0a07494f9df9b809ed933cede047" @@ -15,6 +16,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \ file://freshclam.conf \ file://volatiles.03_clamav \ file://${BPN}.service \ + file://freshclam-native.conf \ " S = "${WORKDIR}/git" 
@@ -28,42 +30,54 @@ inherit autotools-brokensep pkgconfig useradd systemd UID = "clamav" GID = "clamav" +INSTALL_CLAMAV_CVD ?= "1" # Clamav has a built llvm version 2 but does not build with gcc 6.x, # disable the internal one. This is a known issue # If you want LLVM support, use the one in core -PACKAGECONFIG ?= "ncurses openssl bz2 zlib llvm" -PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" +CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr" +CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr" -PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm8.0" +PACKAGECONFIG_class-target ?= "ncurses bz2" +PACKAGECONFIG_class-target += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}" +PACKAGECONFIG_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre" -PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2," +PACKAGECONFIG[xml] = "--with-xml=${CLAMAV_USR_DIR}, --disable-xml, libxml2," PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json," PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR}, --without-libcurl, curl," PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6" -PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr, --without-openssl, openssl, openssl" -PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr --disable-zlib-vcheck , --without-zlib, zlib, " -PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${STAGING_LIBDIR}/.., --without-libbz2-prefix, " -PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${STAGING_LIBDIR}/.., --without-libncurses-prefix, ncurses, " +PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --without-libbz2-prefix, " +PACKAGECONFIG[ncurses] = 
"--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, " PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, " -EXTRA_OECONF += " --with-user=${UID} --with-group=${GID} \ - --without-libcheck-prefix --disable-unrar \ +EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \ + --with-system-llvm --with-llvm-linking=dynamic --disable-llvm \ --disable-mempool \ --program-prefix="" \ --disable-yara \ - --disable-rpath \ + --disable-xml \ + --with-openssl=${CLAMAV_USR_DIR} \ + --with-zlib=${CLAMAV_USR_DIR} --disable-zlib-vcheck \ " +EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}" +EXTRA_OECONF_class-target += "--with-user=${UID} --with-group=${GID} --disable-rpath ${EXTRA_OECONF_CLAMAV}" + do_configure () { cd ${S} ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} + install -d ${S}/clamav_db +} + +do_configure_class-native () { + cd ${S} + ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} } -do_compile_append() { + +do_compile_append_class-target() { # brute force removing RPATH chrpath -d ${B}/libclamav/.libs/libclamav.so.${SO_VER} chrpath -d ${B}/sigtool/.libs/sigtool @@ -72,9 +86,14 @@ do_compile_append() { chrpath -d ${B}/clamconf/.libs/clamconf chrpath -d ${B}/clamd/.libs/clamd chrpath -d ${B}/freshclam/.libs/freshclam + + if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then + bbnote "CLAMAV creating cvd" + ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf + fi } -do_install_append() { +do_install_append_class-target () { install -d ${D}/${sysconfdir} install -d ${D}/${localstatedir}/lib/clamav install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles 
@@ -84,6 +103,7 @@ do_install_append() { install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc rm ${D}/${libdir}/libclamav.so + install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service fi @@ -93,11 +113,12 @@ pkg_postinst_ontarget_${PN} () { if [ -e /etc/init.d/populate-volatile.sh ] ; then ${sysconfdir}/init.d/populate-volatile.sh update fi - chown ${UID}:${GID} ${localstatedir}/lib/clamav + mkdir -p ${localstatedir}/lib/clamav + chown -R ${UID}:${GID} ${localstatedir}/lib/clamav } -PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \ +PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \ ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev" FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \ @@ -140,6 +161,8 @@ FILES_${PN}-doc = "${mandir}/man/* \ ${datadir}/man/* \ ${docdir}/* " +FILES_${PN}-cvd = "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat" + USERADD_PACKAGES = "${PN}" GROUPADD_PARAM_${PN} = "--system ${UID}" USERADD_PARAM_${PN} = "--system -g ${GID} --home-dir \ @@ -151,4 +174,7 @@ RREPLACES_${PN} += "${PN}-systemd" RCONFLICTS_${PN} += "${PN}-systemd" SYSTEMD_SERVICE_${PN} = "${BPN}.service" -RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav" +RDEPENDS_${PN} = "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav" +RDEPENDS_${PN}_class-native = "" + +BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-security/clamav/files/freshclam-native.conf b/meta-security/recipes-security/clamav/files/freshclam-native.conf new file mode 100644 index 000000000..aaa8cf464 --- /dev/null 
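Review bot: `install -m 666 ${S}/clamav_db/*` in `do_install_append_class-target` ships the signature databases world-writable, so any local account on the target can alter or truncate the data the scanner relies on. `0644` is enough, because `pkg_postinst_ontarget_${PN}` in the next hunk already chowns the directory to `${UID}:${GID}`. The line is also unconditional: when `INSTALL_CLAMAV_CVD` is not "1", the `clamav_db` directory created in `do_configure` stays empty and the glob matches nothing, which I would expect to fail the install. Suggested: `if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then install -m 0644 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/; fi`.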
+++ b/meta-security/recipes-security/clamav/files/freshclam-native.conf 
@@ -0,0 +1,224 @@ +# Path to the database directory. +# WARNING: It must match clamd.conf's directive! +# Default: hardcoded (depends on installation options) +#DatabaseDirectory /var/lib/clamav + +# Path to the log file (make sure it has proper permissions) +# Default: disabled +#UpdateLogFile /var/log/clamav/freshclam.log + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). +# in bytes just don't use modifiers. If LogFileMaxSize is enabled, +# log rotation (the LogRotate option) will always be enabled. +# Default: 1M +LogFileMaxSize 2M + +# Log time with each message. +# Default: no +LogTime yes + +# Enable verbose logging. +# Default: no +#LogVerbose yes + +# Use system logger (can work together with UpdateLogFile). +# Default: no +#LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# Enable log rotation. Always enabled when LogFileMaxSize is enabled. +# Default: no +#LogRotate yes + +# This option allows you to save the process identifier of the daemon +# Default: disabled +#PidFile /var/run/freshclam.pid + +# By default when started freshclam drops privileges and switches to the +# "clamav" user. This directive allows you to change the database owner. +# Default: clamav (may depend on installation options) +DatabaseOwner clamav + +# Initialize supplementary group access (freshclam must be started by root). +# Default: no +#AllowSupplementaryGroups yes + +# Use DNS to verify virus database version. Freshclam uses DNS TXT records +# to verify database and software versions. With this directive you can change +# the database verification domain. +# WARNING: Do not touch it unless you're configuring freshclam to use your +# own database verification domain. 
+# Default: current.cvd.clamav.net +#DNSDatabaseInfo current.cvd.clamav.net + +# Uncomment the following line and replace XY with your country +# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list. +# You can use db.XY.ipv6.clamav.net for IPv6 connections. +#DatabaseMirror db.XY.clamav.net + +# database.clamav.net is a round-robin record which points to our most +# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is +# not working. DO NOT TOUCH the following line unless you know what you +# are doing. +DatabaseMirror database.clamav.net + +# How many attempts to make before giving up. +# Default: 3 (per mirror) +#MaxAttempts 5 + +# With this option you can control scripted updates. It's highly recommended +# to keep it enabled. +# Default: yes +#ScriptedUpdates yes + +# By default freshclam will keep the local databases (.cld) uncompressed to +# make their handling faster. With this option you can enable the compression; +# the change will take effect with the next database update. +# Default: no +#CompressLocalDatabase no + +# With this option you can provide custom sources (http:// or file://) for +# database files. This option can be used multiple times. +# Default: no custom URLs +#DatabaseCustomURL http://myserver.com/mysigs.ndb +#DatabaseCustomURL file:///mnt/nfs/local.hdb + +# This option allows you to easily point freshclam to private mirrors. +# If PrivateMirror is set, freshclam does not attempt to use DNS +# to determine whether its databases are out-of-date, instead it will +# use the If-Modified-Since request or directly check the headers of the +# remote database files. For each database, freshclam first attempts +# to download the CLD file. If that fails, it tries to download the +# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo +# and ScriptedUpdates. It can be used multiple times to provide +# fall-back mirrors. 
+# Default: disabled +#PrivateMirror mirror1.mynetwork.com +#PrivateMirror mirror2.mynetwork.com + +# Number of database checks per day. +# Default: 12 (every two hours) +#Checks 24 + +# Proxy settings +# Default: disabled +#HTTPProxyServer myproxy.com +#HTTPProxyPort 1234 +#HTTPProxyUsername myusername +#HTTPProxyPassword mypass + +# If your servers are behind a firewall/proxy which applies User-Agent +# filtering you can use this option to force the use of a different +# User-Agent header. +# Default: clamav/version_number +#HTTPUserAgent SomeUserAgentIdString + +# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for +# multi-homed systems. +# Default: Use OS'es default outgoing IP address. +#LocalIPAddress aaa.bbb.ccc.ddd + +# Send the RELOAD command to clamd. +# Default: no +#NotifyClamd /path/to/clamd.conf + +# Run command after successful database update. +# Default: disabled +#OnUpdateExecute command + +# Run command when database update process fails. +# Default: disabled +#OnErrorExecute command + +# Run command when freshclam reports outdated version. +# In the command string %v will be replaced by the new version number. +# Default: disabled +#OnOutdatedExecute command + +# Don't fork into background. +# Default: no +#Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Timeout in seconds when connecting to database server. +# Default: 30 +#ConnectTimeout 60 + +# Timeout in seconds when reading from database server. +# Default: 30 +#ReceiveTimeout 60 + +# With this option enabled, freshclam will attempt to load new +# databases into memory to make sure they are properly handled +# by libclamav before replacing the old ones. +# Default: yes +#TestDatabases yes + +# When enabled freshclam will submit statistics to the ClamAV Project about +# the latest virus detections in your environment. 
The ClamAV maintainers +# will then use this data to determine what types of malware are the most +# detected in the field and in what geographic area they are. +# Freshclam will connect to clamd in order to get recent statistics. +# Default: no +#SubmitDetectionStats /path/to/clamd.conf + +# Country of origin of malware/detection statistics (for statistical +# purposes only). The statistics collector at ClamAV.net will look up +# your IP address to determine the geographical origin of the malware +# reported by your installation. If this installation is mainly used to +# scan data which comes from a different location, please enable this +# option and enter a two-letter code (see http://www.iana.org/domains/root/db/) +# of the country of origin. +# Default: disabled +#DetectionStatsCountry country-code + +# This option enables support for our "Personal Statistics" service. +# When this option is enabled, the information on malware detected by +# your clamd installation is made available to you through our website. +# To get your HostID, log on http://www.stats.clamav.net and add a new +# host to your host list. Once you have the HostID, uncomment this option +# and paste the HostID here. As soon as your freshclam starts submitting +# information to our stats collecting service, you will be able to view +# the statistics of this clamd installation by logging into +# http://www.stats.clamav.net with the same credentials you used to +# generate the HostID. For more information refer to: +# http://www.clamav.net/documentation.html#cctts +# This feature requires SubmitDetectionStats to be enabled. +# Default: disabled +#DetectionStatsHostID unique-id + +# This option enables support for Google Safe Browsing. When activated for +# the first time, freshclam will download a new database file (safebrowsing.cvd) +# which will be automatically loaded by clamd and clamscan during the next +# reload, provided that the heuristic phishing detection is turned on. 
This +# database includes information about websites that may be phishing sites or +# possible sources of malware. When using this option, it's mandatory to run +# freshclam at least every 30 minutes. +# Freshclam uses the ClamAV's mirror infrastructure to distribute the +# database and its updates but all the contents are provided under Google's +# terms of use. See http://www.google.com/transparencyreport/safebrowsing +# and http://www.clamav.net/documentation.html#safebrowsing +# for more information. +# Default: disabled +#SafeBrowsing yes + +# This option enables downloading of bytecode.cvd, which includes additional +# detection mechanisms and improvements to the ClamAV engine. +# Default: enabled +#Bytecode yes + +# Download an additional 3rd party signature database distributed through +# the ClamAV mirrors. +# This option can be used multiple times. +#ExtraDatabase dbname1 +#ExtraDatabase dbname2 diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb index 41ffd625c..dba1be574 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb @@ -4,7 +4,7 @@ SECTION = "security" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" -SRCREV = "4d64011741375bb1a4ba7d71905ca37b97885083" +SRCREV = "fb43972ea1aab24f2a70193fb7445c2674f594e3" SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \ file://run-ptest \ diff --git a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch new file mode 100644 index 000000000..8ab094fa7 --- /dev/null +++ b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch 
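Review bot: `DatabaseOwner clamav` is set in a config that the recipe passes to the native `freshclam` on the build host, where a `clamav` account normally does not exist. The file's own comment says freshclam switches to that user when started; I believe this only applies when it runs as root, so builds executed as root (some container setups) may fail at the CVD step. Commenting the directive out, as most of this file already is, avoids depending on host accounts. A header line such as `# Build-host configuration used by do_compile to fetch CVDs` would also make the file's purpose clear.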
@@ -0,0 +1,13 @@ +--- a/wscript 2015-11-18 12:43:33.000000000 +0100 ++++ b/wscript 2015-11-18 12:46:25.000000000 +0100 +@@ -58,9 +58,7 @@ + if conf.env.standalone_ldb: + conf.CHECK_XSLTPROC_MANPAGES() + +- # we need this for the ldap backend +- if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'): +- conf.env.ENABLE_LDAP_BACKEND = True ++ conf.env.ENABLE_LDAP_BACKEND = False + + # we don't want any libraries or modules to rely on runtime + # resolution of symbols diff --git a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch new file mode 100755 index 000000000..fdd312c0a --- /dev/null +++ b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch 
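Review bot: This patch file has no header at all: no description, no `Upstream-Status:` tag and no `Signed-off-by:` line, unlike `options-1.3.1.patch` added in the same commit. It forces `conf.env.ENABLE_LDAP_BACKEND = False` and removes the detection call, which only makes sense because the recipe applies it when `ldap` is absent from `PACKAGECONFIG`. That reasoning belongs in the header. I would add a short description saying so, followed by an `Upstream-Status:` line and a sign-off.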
@@ -0,0 +1,58 @@ +Some modules such as dynamic library maybe cann't be imported while cross compile, +we just check whether does the module exist. + +Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com> + +Index: ldb-1.1.26/buildtools/wafsamba/samba_bundled.py +=================================================================== +--- ldb-1.1.26.orig/buildtools/wafsamba/samba_bundled.py ++++ ldb-1.1.26/buildtools/wafsamba/samba_bundled.py +@@ -2,6 +2,7 @@ + + import sys + import Build, Options, Logs ++import imp, os + from Configure import conf + from samba_utils import TO_LIST + +@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li + # versions + minversion = minimum_library_version(conf, libname, minversion) + +- try: +- m = __import__(modulename) +- except ImportError: +- found = False +- else: ++ # Find module in PYTHONPATH ++ stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]]) ++ if stuff: + try: +- version = m.__version__ +- except AttributeError: ++ m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2]) ++ except ImportError: + found = False ++ ++ if conf.env.CROSS_COMPILE: ++ # Some modules such as dynamic library maybe cann't be imported ++ # while cross compile, we just check whether the module exist ++ Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1])) ++ found = True + else: +- found = tuplize_version(version) >= tuplize_version(minversion) ++ try: ++ version = m.__version__ ++ except AttributeError: ++ found = False ++ else: ++ found = tuplize_version(version) >= tuplize_version(minversion) ++ finally: ++ if stuff[0]: ++ stuff[0].close() ++ else: ++ found = False ++ + if not found and not conf.LIB_MAY_BE_BUNDLED(libname): + Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion)) + sys.exit(1) 
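Review bot: `imp.find_module()` raises `ImportError` when the module is missing rather than returning a false value, so the new `else: found = False` branch is never reached. A missing module therefore aborts configure with a traceback instead of reaching the `Logs.error` path below. `os.environ["PYTHONPATH"]` also raises `KeyError` when the variable is unset, and it passes a multi-entry path as one directory. Suggested: `try: stuff = imp.find_module(modulename, os.environ.get("PYTHONPATH", "").split(os.pathsep))` with `except ImportError: stuff = None`. Indentation is lost in this rendering, but as far as it can be read the cross-compile branch sets `found = True` without comparing against `minversion`, which deserves a comment stating that the version check is skipped there.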
diff --git a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch new file mode 100644 index 000000000..ffe253b63 --- /dev/null +++ b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch 
@@ -0,0 +1,193 @@ +From a4da3ab4d76013aaa731d43d52ccca1ebd37c395 Mon Sep 17 00:00:00 2001 +From: Jackie Huang <jackie.huang@windriver.com> +Date: Wed, 21 Sep 2016 10:06:39 +0800 +Subject: [PATCH 1/1] ldb: Add configure options for packages + +Add configure options for the following packages: + - acl + - attr + - libaio + - libbsd + - libcap + - valgrind + +Upstream-Status: Inappropriate [oe deterministic build specific] + +Signed-off-by: Jackie Huang <jackie.huang@windriver.com> +--- + lib/replace/system/wscript_configure | 6 ++- + lib/replace/wscript | 94 +++++++++++++++++++++++++++--------- + wscript | 7 +++ + 3 files changed, 83 insertions(+), 24 deletions(-) + +diff --git a/lib/replace/system/wscript_configure b/lib/replace/system/wscript_configure +index 2035474..10f9ae7 100644 +--- a/lib/replace/system/wscript_configure ++++ b/lib/replace/system/wscript_configure +@@ -1,6 +1,10 @@ + #!/usr/bin/env python + +-conf.CHECK_HEADERS('sys/capability.h') ++import Options ++ ++if Options.options.enable_libcap: ++ conf.CHECK_HEADERS('sys/capability.h') ++ + conf.CHECK_FUNCS('getpwnam_r getpwuid_r getpwent_r') + + # solaris varients of getXXent_r +diff --git a/lib/replace/wscript b/lib/replace/wscript +index 2f94d49..68b2d3a 100644 +--- a/lib/replace/wscript ++++ b/lib/replace/wscript +@@ -23,6 +23,41 @@ def set_options(opt): + opt.PRIVATE_EXTENSION_DEFAULT('') + opt.RECURSE('buildtools/wafsamba') + ++ opt.add_option('--with-acl', ++ help=("Enable use of acl"), ++ action="store_true", dest='enable_acl') ++ opt.add_option('--without-acl', ++ help=("Disable use of acl"), ++ action="store_false", dest='enable_acl', default=False) ++ ++ opt.add_option('--with-attr', ++ help=("Enable use of attr"), ++ action="store_true", dest='enable_attr') ++ opt.add_option('--without-attr', ++ help=("Disable use of attr"), ++ action="store_false", dest='enable_attr', default=False) ++ ++ opt.add_option('--with-libaio', ++ help=("Enable use of libaio"), ++ action="store_true", 
dest='enable_libaio') ++ opt.add_option('--without-libaio', ++ help=("Disable use of libaio"), ++ action="store_false", dest='enable_libaio', default=False) ++ ++ opt.add_option('--with-libbsd', ++ help=("Enable use of libbsd"), ++ action="store_true", dest='enable_libbsd') ++ opt.add_option('--without-libbsd', ++ help=("Disable use of libbsd"), ++ action="store_false", dest='enable_libbsd', default=False) ++ ++ opt.add_option('--with-libcap', ++ help=("Enable use of libcap"), ++ action="store_true", dest='enable_libcap') ++ opt.add_option('--without-libcap', ++ help=("Disable use of libcap"), ++ action="store_false", dest='enable_libcap', default=False) ++ + @Utils.run_once + def configure(conf): + conf.RECURSE('buildtools/wafsamba') +@@ -32,12 +67,25 @@ def configure(conf): + conf.DEFINE('HAVE_LIBREPLACE', 1) + conf.DEFINE('LIBREPLACE_NETWORK_CHECKS', 1) + +- conf.CHECK_HEADERS('linux/types.h crypt.h locale.h acl/libacl.h compat.h') +- conf.CHECK_HEADERS('acl/libacl.h attr/xattr.h compat.h ctype.h dustat.h') ++ conf.CHECK_HEADERS('linux/types.h crypt.h locale.h compat.h') ++ conf.CHECK_HEADERS('compat.h ctype.h dustat.h') + conf.CHECK_HEADERS('fcntl.h fnmatch.h glob.h history.h krb5.h langinfo.h') +- conf.CHECK_HEADERS('libaio.h locale.h ndir.h pwd.h') +- conf.CHECK_HEADERS('shadow.h sys/acl.h') +- conf.CHECK_HEADERS('sys/attributes.h attr/attributes.h sys/capability.h sys/dir.h sys/epoll.h') ++ conf.CHECK_HEADERS('locale.h ndir.h pwd.h') ++ conf.CHECK_HEADERS('shadow.h') ++ conf.CHECK_HEADERS('sys/attributes.h sys/dir.h sys/epoll.h') ++ ++ if Options.options.enable_acl: ++ conf.CHECK_HEADERS('acl/libacl.h sys/acl.h') ++ ++ if Options.options.enable_attr: ++ conf.CHECK_HEADERS('attr/attributes.h attr/xattr.h') ++ ++ if Options.options.enable_libaio: ++ conf.CHECK_HEADERS('libaio.h') ++ ++ if Options.options.enable_libcap: ++ conf.CHECK_HEADERS('sys/capability.h') ++ + conf.CHECK_HEADERS('port.h') + conf.CHECK_HEADERS('sys/fcntl.h sys/filio.h sys/filsys.h 
sys/fs/s5param.h sys/fs/vx/quota.h') + conf.CHECK_HEADERS('sys/id.h sys/ioctl.h sys/ipc.h sys/mman.h sys/mode.h sys/ndir.h sys/priv.h') +@@ -73,7 +121,9 @@ def configure(conf): + + conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H') + +- conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') ++ if Options.options.enable_valgrind: ++ conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') ++ + conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h') + conf.CHECK_HEADERS('sys/extattr.h sys/ea.h sys/proplist.h sys/cdefs.h') + conf.CHECK_HEADERS('utmp.h utmpx.h lastlog.h') +@@ -266,22 +316,20 @@ def configure(conf): + + conf.CHECK_FUNCS('prctl dirname basename') + +- strlcpy_in_bsd = False +- +- # libbsd on some platforms provides strlcpy and strlcat +- if not conf.CHECK_FUNCS('strlcpy strlcat'): +- if conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h', +- checklibc=True): +- strlcpy_in_bsd = True +- if not conf.CHECK_FUNCS('getpeereid'): +- conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h') +- if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'): +- conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h') +- if not conf.CHECK_FUNCS('setproctitle_init'): +- conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h') +- +- if not conf.CHECK_FUNCS('closefrom'): +- conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h') ++ if Options.options.enable_libbsd: ++ # libbsd on some platforms provides strlcpy and strlcat ++ if not conf.CHECK_FUNCS('strlcpy strlcat'): ++ conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h', ++ checklibc=True) ++ if not conf.CHECK_FUNCS('getpeereid'): ++ conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h') ++ if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'): ++ 
conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h') ++ if not conf.CHECK_FUNCS('setproctitle_init'): ++ conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h') ++ ++ if not conf.CHECK_FUNCS('closefrom'): ++ conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h') + + conf.CHECK_CODE(''' + struct ucred cred; +@@ -632,7 +680,7 @@ removeea setea + # look for a method of finding the list of network interfaces + for method in ['HAVE_IFACE_GETIFADDRS', 'HAVE_IFACE_AIX', 'HAVE_IFACE_IFCONF', 'HAVE_IFACE_IFREQ']: + bsd_for_strlcpy = '' +- if strlcpy_in_bsd: ++ if Options.options.enable_libbsd: + bsd_for_strlcpy = ' bsd' + if conf.CHECK_CODE(''' + #define %s 1 +diff --git a/wscript b/wscript +index 8ae5be3..a178cc4 100644 +--- a/wscript ++++ b/wscript +@@ -31,6 +31,13 @@ def set_options(opt): + opt.RECURSE('lib/replace') + opt.tool_options('python') # options for disabling pyc or pyo compilation + ++ opt.add_option('--with-valgrind', ++ help=("enable use of valgrind"), ++ action="store_true", dest='enable_valgrind') ++ opt.add_option('--without-valgrind', ++ help=("disable use of valgrind"), ++ action="store_false", dest='enable_valgrind', default=False) ++ + def configure(conf): + conf.RECURSE('lib/tdb') + conf.RECURSE('lib/tevent') +-- +2.16.2 + diff --git a/meta-security/recipes-support/libldb/libldb_1.3.1.bb b/meta-security/recipes-support/libldb/libldb_1.3.1.bb new file mode 100644 index 000000000..c644b20b0 --- /dev/null +++ b/meta-security/recipes-support/libldb/libldb_1.3.1.bb 
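Review bot: `lib/replace/wscript` reads `Options.options.enable_valgrind`, but `--with-valgrind`/`--without-valgrind` are registered in the top-level `wscript`, while the other five options are registered in `lib/replace/wscript` itself. If `lib/replace` is ever configured without that top-level `set_options`, the attribute lookup would presumably fail. Moving the two valgrind `opt.add_option` calls next to the acl/attr/libaio/libbsd/libcap ones keeps each option beside the code that reads it. Separately, `bsd_for_strlcpy` is now set whenever `enable_libbsd` is on, not only when `strlcpy` was actually found in libbsd as the removed `strlcpy_in_bsd` flag tracked. A comment such as `# link against bsd whenever libbsd is requested, even if libc provides strlcpy` would record that this is intended.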
@@ -0,0 +1,64 @@ +SUMMARY = "Hierarchical, reference counted memory pool system with destructors" +HOMEPAGE = "http://ldb.samba.org" +SECTION = "libs" +LICENSE = "LGPL-3.0+ & LGPL-2.1+ & GPL-3.0+" + +DEPENDS += "libtdb libtalloc libtevent popt" +RDEPENDS_pyldb += "python" + +SRC_URI = "http://samba.org/ftp/ldb/ldb-${PV}.tar.gz \ + file://do-not-import-target-module-while-cross-compile.patch \ + file://options-1.3.1.patch \ + " + +PACKAGECONFIG ??= "\ + ${@bb.utils.filter('DISTRO_FEATURES', 'acl', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} \ +" +PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl" +PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" +PACKAGECONFIG[ldap] = ",,openldap" +PACKAGECONFIG[libaio] = "--with-libaio,--without-libaio,libaio" +PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd" +PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap" +PACKAGECONFIG[valgrind] = "--with-valgrind,--without-valgrind,valgrind" + +SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'ldap', '', 'file://avoid-openldap-unless-wanted.patch', d)}" + +LIC_FILES_CHKSUM = "file://pyldb.h;endline=24;md5=dfbd238cecad76957f7f860fbe9adade \ + file://man/ldb.3.xml;beginline=261;endline=262;md5=137f9fd61040c1505d1aa1019663fd08 \ + file://tools/ldbdump.c;endline=19;md5=a7d4fc5d1f75676b49df491575a86a42" + +SRC_URI[md5sum] = "e5233f202bca27f6ce8474fb8ae65983" +SRC_URI[sha256sum] = "b19f2c9f55ae0f46aa5ebaea0bf1a47ec1ac135e1d78af0f6318cf50bf62cbd2" + +CROSS_METHOD="exec" +inherit waf-samba + +S = "${WORKDIR}/ldb-${PV}" + +EXTRA_OECONF += "--disable-rpath \ + --disable-rpath-install \ + --bundled-libraries=cmocka \ + --builtin-libraries=replace \ + --with-modulesdir=${libdir}/ldb/modules \ + --with-privatelibdir=${libdir}/ldb \ + --with-libiconv=${STAGING_DIR_HOST}${prefix}\ + " + +PACKAGES =+ "pyldb pyldb-dbg pyldb-dev" + +NOAUTOPACKAGEDEBUG = "1" + +FILES_${PN} += "${libdir}/ldb/*" +FILES_${PN}-dbg += "${bindir}/.debug/* \ + 
${libdir}/.debug/* \ + ${libdir}/ldb/.debug/* \ + ${libdir}/ldb/modules/ldb/.debug/*" + +FILES_pyldb = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \ + ${libdir}/libpyldb-util.so.* \ + " +FILES_pyldb-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug \ + ${libdir}/.debug/libpyldb-util.so.*" +FILES_pyldb-dev = "${libdir}/libpyldb-util.so" |
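Review bot: `SUMMARY` describes talloc ("Hierarchical, reference counted memory pool system with destructors"), not ldb, so package metadata and any inventory built from it will mislabel this library. Something like `SUMMARY = "LDAP-like embedded database"` matches the project behind `HOMEPAGE`. The tarball is also fetched over plain `http://samba.org/ftp/ldb/`. The `SRC_URI[sha256sum]` pins the content, so this is hardening rather than a defect, but an `https://` URL would be preferable if the host serves one.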