diff options
| author | jmbills <42755197+jmbills@users.noreply.github.com> | 2019-10-25 19:18:16 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-10-25 19:18:16 +0300 |
| commit | 0dbb60593ebb5a62190c0e6cff7f1770493303a2 (patch) | |
| tree | 0df2ce67404dbca3ddc4ee063dbfd9ae455be682 /meta-security | |
| parent | 34a3942845ac3264ce27c648ae5486d302c3e6d8 (diff) | |
| parent | cc9cea46d74d280de03c713c8b555153fd811f09 (diff) | |
| download | openbmc-0dbb60593ebb5a62190c0e6cff7f1770493303a2.tar.xz | |
Merge branch 'intel' into intel2
Diffstat (limited to 'meta-security')
126 files changed, 568 insertions, 2064 deletions
diff --git a/meta-security/conf/distro/include/maintainers.inc b/meta-security/conf/distro/include/maintainers.inc index 94b45f288..7b82ef749 100644 --- a/meta-security/conf/distro/include/maintainers.inc +++ b/meta-security/conf/distro/include/maintainers.inc @@ -35,7 +35,6 @@ RECIPE_MAINTAINER_pn-hash-perl = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-isic = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-keyutils = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-libaes-siv = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-libenv-perl = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-libgssglue = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-libhtp = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-libmhash = "Armin Kuster <akuster808@gmail.com>" @@ -56,4 +55,3 @@ RECIPE_MAINTAINER_pn-smack = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-sssd = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-suricata = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-tripwire = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-xmlsec1 = "Armin Kuster <akuster808@gmail.com>" diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 4beac385f..b9a4f254c 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -9,8 +9,6 @@ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "thud warrior" +LAYERSERIES_COMPAT_security = "warrior" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" - -DEFAULT_TEST_SUITES_pn-security-build-image = " ping ssh ptest" diff --git a/meta-security/files/waf-cross-answers/README b/meta-security/files/waf-cross-answers/README deleted file mode 100644 index dda45c508..000000000 --- a/meta-security/files/waf-cross-answers/README +++ /dev/null @@ -1,3 +0,0 @@ -The files in this directory are cross answers files -used by waf-samba.bbclass, please see waf-samba.bbclass -for details about how they are used. diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt deleted file mode 100644 index 1023f6aff..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt deleted file mode 100644 index 1023f6aff..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-arm.txt b/meta-security/files/waf-cross-answers/cross-answers-arm.txt deleted file mode 100644 index a5cd9981a..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-arm.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt deleted file mode 100644 index a5cd9981a..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-i586.txt b/meta-security/files/waf-cross-answers/cross-answers-i586.txt deleted file mode 100644 index a5cd9981a..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-i586.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-i686.txt b/meta-security/files/waf-cross-answers/cross-answers-i686.txt deleted file mode 100644 index a5cd9981a..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-i686.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips.txt b/meta-security/files/waf-cross-answers/cross-answers-mips.txt deleted file mode 100644 index 3e239e727..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-mips.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "128" -Checking value of _NSIG: "128" -Checking value of SIGRTMAX: "127" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt deleted file mode 100644 index 82e694fda..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: OK -Checking value of NSIG: "128" -Checking value of _NSIG: "128" -Checking value of SIGRTMAX: "127" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt deleted file mode 100644 index 82e694fda..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: OK -Checking value of NSIG: "128" -Checking value of _NSIG: "128" -Checking value of SIGRTMAX: "127" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt deleted file mode 100644 index 3e239e727..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "128" -Checking value of _NSIG: "128" -Checking value of SIGRTMAX: "127" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt deleted file mode 100644 index 27b9378a4..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt deleted file mode 100644 index 7fd3092cb..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: (255, "") -Checking if can we convert from IBM850 to UCS-2LE: (255, "") -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt deleted file mode 100644 index 1023f6aff..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt deleted file mode 100644 index 1023f6aff..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py index d0bc645ae..2808df4dc 100644 --- a/meta-security/lib/oeqa/runtime/cases/clamav.py +++ b/meta-security/lib/oeqa/runtime/cases/clamav.py @@ -57,7 +57,7 @@ class ClamavTest(OERuntimeTestCase): 'Status and output:%s and %s' % (status, output)) self.assertEqual(status, 1, msg = msg) - @OETestDepends(['clamav.ClamavTest.test_freshclam_download']) + @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net']) def test_freshclam_check_mirrors(self): status, output = self.target.run('freshclam --list-mirrors') match = re.search('Failures: 0', output) diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md index 5bef76e8d..460794878 100644 --- a/meta-security/meta-integrity/README.md +++ b/meta-security/meta-integrity/README.md @@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: INHERIT += "ima-evm-rootfs" - IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" + IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image @@ -96,7 +96,7 @@ for that are included in the layer. This is also how the # In that shell, create the keys. Several options exist: # 1. Self-signed keys. - $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh + $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh # 2. Keys signed by a new CA. # When asked for a PEM passphrase, that will be for the root CA. @@ -104,11 +104,11 @@ for that are included in the layer. This is also how the # only creating new certificates does. Most likely the default # attributes for these certificates need to be adapted; modify # the scripts as needed. - # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh - # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh + # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh + # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh # 3. Keys signed by an existing CA. - # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> + # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> exit When using ``ima-self-signed.sh`` as described above, self-signed keys @@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd changes. To activate policy loading via systemd, place a policy file in `/etc/ima/ima-policy`, for example with: - IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple" + IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass index 8aec388df..d6ade3bf9 100644 --- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -1,7 +1,7 @@ # No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be # set explicitly in a local.conf before activating ima-evm-rootfs. # To use the insecure (because public) example keys, use -# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" # Private key for IMA signing. The default is okay when diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass new file mode 100644 index 000000000..09025baa7 --- /dev/null +++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass @@ -0,0 +1,29 @@ +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be +# set explicitly in a local.conf before activating kernel-modsign. +# To use the insecure (because public) example keys, use +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET" + +# Private key for modules signing. The default is okay when +# using the example key directory. +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem" + +# Public part of certificates used for modules signing. +# The default is okay when using the example key directory. +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" + +# If this class is enabled, disable stripping signatures from modules +INHIBIT_PACKAGE_STRIP = "1" + +kernel_do_configure_prepend() { + if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then + cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \ + > "${B}/modsign_key.pem" + else + bberror "Either modsign key or certificate are invalid" + fi +} + +do_shared_workdir_append() { + cp modsign_key.pem $kerneldir/ +} diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index 2f696cf7c..41989da38 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -13,12 +13,14 @@ BBFILE_PRIORITY_integrity = "6" # Set a variable to get to the top of the metadata location. Needed # for finding scripts (when following the README.md instructions) and # default debug keys (in ima-evm-rootfs.bbclass). -IMA_EVM_BASE := '${LAYERDIR}' +INTEGRITY_BASE := '${LAYERDIR}' # We must not export this path to all shell scripts (as in "export -# IMA_EVM_BASE"), because that causes problems with sstate (becames +# INTEGRITY_BASE"), because that causes problems with sstate (becames # dependent on location of the layer). Exporting it to just the # interactive shell is enough. -OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" +OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" LAYERSERIES_COMPAT_integrity = "warrior" +# ima-evm-utils depends on keyutils from meta-oe +LAYERDEPENDS_integrity = "core openembedded-layer" diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem b/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem new file mode 100644 index 000000000..4cac00ae3 --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEWsJjB2pA5Ih6 +EelXvVjwWY1ix1azMciNRNPPQN1AMXF0K/VUkfOYbaPajg1cQYEf9gk3q7OZ5Axk +UY/e5piZORaPcsmj0lV0L+NSlRYydR5M/QxtEz26585FgqRGdAe6umStPmVKdqa2 +d68O4PgQgJJtVuz6ndm+0uNEUDCVLwhkGQSwNB3qBbZAUX9escZ/a8eUiBfMYKaO +k8JRyM+2br9dgpTFg4UfBYexgNSQo8g5TIBGc8KgQiKCuFj1fQEhV5z4RusHthjc +NYXa3RHmdclxyrGeYr5ZRc47HqE1gd5NDR0WeHn4C4YKcfK1rZZz/2+6hfsIRfGx +6cQKk23hAgMBAAECggEAJ0ULiWirPG04SkmYxF5vEiqm1zGMymvTc0VnoxSS60q4 +KQa9mvtRn5OV6JjuXRwQqga30zV4xvdP7yRMxMSTkllThL7tSuE/C+yj5xlABjlc +JQOa35mwh9fibg5xslF0Vkj+55MKCPlv4CBRl4Uwt4QvRMTUwk6dhMeCgmATR1J1 +2/7AipjtfFYreDx7sLbRVvSzUhmZS0iCbNOhtTWPLNW+9YKHTOffKa04HzNtnAXq +OjJ0IRZD/C6LfkBUsnHg2eEiA97QXh/Srsl9nc8DaUK1IXRywEdmYIoNMWMav2Hm +RO8kkU30BqKW+/EO2ZbH2GmkxvwWd0ocBnLC3FRWEQKBgQDu4T8CB3YsOcVjqem4 +iBlaSht/b46YQc7A1SOqZCimehmmXNSxQOkapIG3wlIr5edtXQA+xv09+WrproUB +SjAnqaH6pYeCvbNlY5k344gtYs+Kco2rq5GYa+LumAeX2Sam8F7u4LxvEogCecX7 +e4rnG3lt3AVuuRE7zpCQtaWcJQKBgQDSbUvea9pcYli9pssTl+ijQKkgG9DdaYbA +I5w5bY1TPYZ/Ocysljefv/ssaHFh4DPxE1MQ5JHwZgZRo1EICxxYzGsLjyR/fmjz +1c/NJlTtalCNtLvWaf7b02ag/abnP8neiSpLL5xqHvGo5ikWwgYQD+9HVKGvL3S1 +kI7x/ziADQKBgQCqFbkuMa/jh3LTJp0iZc1fa1qu3vhx0pFq3Zeab9w9xLxUps5O +MwCGltFBzNuDJBwm00wkZrzTjq6gGkHbjD5DT1XkyE13OqjsLQFgOOKyJiPN2Qik +TfHJzC91YMwvQ09xF78QaPXiRBiRYrEkAXACY56PKVS45I6vvcFTN/Ll/QKBgA9m +KDMyuVwhZlUaq6nXaBLqXHYZEwPhARd2g6xANCNvUTRmSnAm3hM2vW7WhdWfzq1J +uL53u6ZYEQZQaVGpXn2xF/RUmVsrKQsPDpH4yCZHrXVxUH20bA4yPkRxy5EIvgEn +EI1IAq5RbWXq0f70W/U49U3HB74GPwg6d/uFreDRAoGAN+v9gMQA6A1vM7LvbYR8 +5CwwyqS/CfI9zKPLn53QstguXC/ObafIYQzVRqGb9lCQgtlmmKw4jMY0B/lDzpcH +zS8rqoyvDj/m7i17NYkqXErJKLRQ0ptXKdLXHlG0u185e7Y5p4O3Z5dk8bACkpHi +hp764y+BtU4qIcVaPsPK4uU= +-----END PRIVATE KEY----- diff --git a/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt b/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt new file mode 100644 index 000000000..5fa2a9062 --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIUUqmBj5Q8edHMMTXsoGVGEEKdwV4wDQYJKoZIhvcNAQEL +BQAwZzEqMCgGA1UEAxMhbWV0YS1zZWN1cml0eSBtb2R1bGVzIHNpZ25pbmcga2V5 +MRQwEgYDVQQKEwtleGFtcGxlLmNvbTEjMCEGCSqGSIb3DQEJARYUam9obi5kb2VA +ZXhhbXBsZS5jb20wIBcNMTkwNzI3MjIzOTA3WhgPMjExOTA3MjcyMjM5MTVaMGcx +KjAoBgNVBAMTIW1ldGEtc2VjdXJpdHkgbW9kdWxlcyBzaWduaW5nIGtleTEUMBIG +A1UEChMLZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFGpvaG4uZG9lQGV4YW1w +bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFrCYwdqQOSI +ehHpV71Y8FmNYsdWszHIjUTTz0DdQDFxdCv1VJHzmG2j2o4NXEGBH/YJN6uzmeQM +ZFGP3uaYmTkWj3LJo9JVdC/jUpUWMnUeTP0MbRM9uufORYKkRnQHurpkrT5lSnam +tnevDuD4EICSbVbs+p3ZvtLjRFAwlS8IZBkEsDQd6gW2QFF/XrHGf2vHlIgXzGCm +jpPCUcjPtm6/XYKUxYOFHwWHsYDUkKPIOUyARnPCoEIigrhY9X0BIVec+EbrB7YY +3DWF2t0R5nXJccqxnmK+WUXOOx6hNYHeTQ0dFnh5+AuGCnHyta2Wc/9vuoX7CEXx +senECpNt4QIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAw +HQYDVR0OBBYEFDa35X9LnPlrd76inh/cYgeXh6X4MA0GCSqGSIb3DQEBCwUAA4IB +AQBTPTh7zY9BrfZW9Izk9JSZYNigwUDwjrhNBSLr5NKi2A/LmZ0jjdCDkwaCn5io +xrAq5oxPCAkwlzKwY2ootcL3+En4Pq2e5U+n9kRrpDpKKiR5/0S0d9vpgg4eZR0R +kxqE9APCQ5SFU3PgnJ5H5y2SPXzle3bgUsWxNGD81zXFn5clJj4XHvJDWTQ/jG7C +FTQ1o1HXtzda4EmKIzrSU/ayVbpPg5fPEBJjk/hHPT45kfzVZBuxwBLXVbe/YyWi +NTFWCbJwjZwVRKrsQ3HFpYMWvugtcsSHo7vGi06FvUHcS2sUZH5sFn7hulcIGICt +EztTO8Q+yhZujZbmEyJmxqZv +-----END CERTIFICATE----- diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb index 6ed724df2..1a3a30a19 100644 --- a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -17,6 +17,5 @@ inherit core-image export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 6057e8daf..95c853a72 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 # This policy file will get installed as /etc/ima/ima-policy. # It is located via the normal file search path, so a .bbappend # to this recipe can just point towards one of its own files. -IMA_POLICY ?= "ima_policy_hashed" +IMA_POLICY ?= "ima-policy-hashed" SRC_URI = " file://ima" diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend index 931854ef8..f9a48cd05 100644 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -1,3 +1,5 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" -SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" + +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg deleted file mode 100644 index b3e47ba37..000000000 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg +++ /dev/null @@ -1,18 +0,0 @@ -CONFIG_IMA=y -CONFIG_IMA_MEASURE_PCR_IDX=10 -CONFIG_IMA_NG_TEMPLATE=y -CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" -CONFIG_IMA_DEFAULT_HASH_SHA1=y -CONFIG_IMA_DEFAULT_HASH="sha1" -CONFIG_IMA_APPRAISE=y -CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_TRUSTED_KEYRING=y -CONFIG_SIGNATURE=y -CONFIG_IMA_WRITE_POLICY=y -CONFIG_IMA_READ_POLICY=y -CONFIG_IMA_LOAD_X509=y -CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" - -#CONFIG_INTEGRITY_SIGNATURE=y -#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y -#CONFIG_INTEGRITY_TRUSTED_KEYRING=y diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg deleted file mode 100644 index 9a454257a..000000000 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg +++ /dev/null @@ -1,3 +0,0 @@ -# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set -CONFIG_EVM_LOAD_X509=y -CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch deleted file mode 100644 index 5ccb73d9b..000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001 -From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> -Date: Wed, 6 Mar 2019 01:08:43 +0300 -Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL - -There is no need to link to full libssl. evmctl uses functions from -libcrypto, so let's link only against that library. - -Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ---- - configure.ac | 4 +--- - src/Makefile.am | 9 ++++----- - 2 files changed, 5 insertions(+), 8 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 60f3684..32e8d85 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -24,9 +24,7 @@ LT_INIT - # Checks for header files. - AC_HEADER_STDC - --PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) --AC_SUBST(OPENSSL_CFLAGS) --AC_SUBST(OPENSSL_LIBS) -+PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ]) - AC_SUBST(KERNEL_HEADERS) - AC_CHECK_HEADER(unistd.h) - AC_CHECK_HEADERS(openssl/conf.h) -diff --git a/src/Makefile.am b/src/Makefile.am -index d74fc6f..b81281a 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -1,11 +1,11 @@ - lib_LTLIBRARIES = libimaevm.la - - libimaevm_la_SOURCES = libimaevm.c --libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) -+libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) - # current[:revision[:age]] - # result: [current-age].age.revision - libimaevm_la_LDFLAGS = -version-info 0:0:0 --libimaevm_la_LIBADD = $(OPENSSL_LIBS) -+libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) - - include_HEADERS = imaevm.h - -@@ -17,12 +17,11 @@ hash_info.h: Makefile - bin_PROGRAMS = evmctl - - evmctl_SOURCES = evmctl.c --evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) -+evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) - evmctl_LDFLAGS = $(LDFLAGS_READLINE) --evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la -+evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la - - INCLUDES = -I$(top_srcdir) -include config.h - - CLEANFILES = hash_info.h - DISTCLEANFILES = @DISTCLEANFILES@ -- --- -2.17.1 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch deleted file mode 100644 index 8237274ca..000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001 -From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> -Date: Wed, 6 Mar 2019 01:17:12 +0300 -Subject: [PATCH 2/4] ima-evm-utils: replace INCLUDES with AM_CPPFLAGS - -Replace INCLUDES variable with AM_CPPFLAGS to stop Automake from warning -about deprecated variable usage. - -Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ---- - src/Makefile.am | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index b81281a..164e7e4 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -1,7 +1,7 @@ - lib_LTLIBRARIES = libimaevm.la - - libimaevm_la_SOURCES = libimaevm.c --libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) -+libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) - # current[:revision[:age]] - # result: [current-age].age.revision - libimaevm_la_LDFLAGS = -version-info 0:0:0 -@@ -17,11 +17,11 @@ hash_info.h: Makefile - bin_PROGRAMS = evmctl - - evmctl_SOURCES = evmctl.c --evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) -+evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) - evmctl_LDFLAGS = $(LDFLAGS_READLINE) - evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la - --INCLUDES = -I$(top_srcdir) -include config.h -+AM_CPPFLAGS = -I$(top_srcdir) -include config.h - - CLEANFILES = hash_info.h - DISTCLEANFILES = @DISTCLEANFILES@ --- -2.17.1 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch deleted file mode 100644 index 3d250d2fc..000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch +++ /dev/null @@ -1,31 +0,0 @@ -From c587ec307a6259a990bfab727cea7db28dba4c23 Mon Sep 17 00:00:00 2001 -From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> -Date: Wed, 6 Mar 2019 01:22:30 +0300 -Subject: [PATCH 3/4] ima-evm-utils: include hash-info.gen into distribution - -Include hash-info.gen into tarball and call it from the sourcedir to fix -out-of-tree build (and thus 'make distcheck'). - -Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ---- - src/Makefile.am | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 164e7e4..9c037e2 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -11,8 +11,9 @@ include_HEADERS = imaevm.h - - nodist_libimaevm_la_SOURCES = hash_info.h - BUILT_SOURCES = hash_info.h -+EXTRA_DIST = hash_info.gen - hash_info.h: Makefile -- ./hash_info.gen $(KERNEL_HEADERS) >$@ -+ $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@ - - bin_PROGRAMS = evmctl - --- -2.17.1 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch deleted file mode 100644 index 4ada1a271..000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch +++ /dev/null @@ -1,34 +0,0 @@ -From b9f327c5c513ccea9cb56d4bbd50c1f66d629099 Mon Sep 17 00:00:00 2001 -From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> -Date: Wed, 6 Mar 2019 01:24:04 +0300 -Subject: [PATCH 4/4] ima-evm-utils: update .gitignore files - -Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ---- - .gitignore | 1 + - src/.gitignore | 1 + - 2 files changed, 2 insertions(+) - create mode 100644 src/.gitignore - -diff --git a/.gitignore b/.gitignore -index ca7a06e..cb82166 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -45,6 +45,7 @@ cscope.* - ncscope.* - - # Generated documentation -+*.1 - *.8 - *.5 - manpage.links -diff --git a/src/.gitignore b/src/.gitignore -new file mode 100644 -index 0000000..38e8e3c ---- /dev/null -+++ b/src/.gitignore -@@ -0,0 +1 @@ -+hash_info.h --- -2.17.1 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch index c0bdd9b49..ffa65dfb0 100644 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch @@ -23,9 +23,9 @@ diff --git a/src/evmctl.c b/src/evmctl.c index c54efbb..23cf54c 100644 --- a/src/evmctl.c +++ b/src/evmctl.c -@@ -56,6 +56,18 @@ - #include <ctype.h> +@@ -57,6 +57,18 @@ #include <termios.h> + #include <assert.h> +/* + * linux/xattr.h might be old to have this. Allow compilation on older diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb index 929d85348..92c24c902 100644 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -6,9 +6,9 @@ DEPENDS += "openssl attr keyutils" DEPENDS_class-native += "openssl-native keyutils-native" -PV = "1.0+git${SRCPV}" -SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167" -SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils" +PV = "1.2.1+git${SRCPV}" +SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" +SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y" # Documentation depends on asciidoc, which we do not have, so # do not build documentation. @@ -21,12 +21,6 @@ SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch" # Required for xargs with more than one path as argument (better for performance). SRC_URI += "file://command-line-apply-operation-to-all-paths.patch" -SRC_URI += "\ - file://0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch \ - file://0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch \ - file://0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch \ - file://0004-ima-evm-utils-update-.gitignore-files.patch \ -" S = "${WORKDIR}/git" inherit pkgconfig autotools diff --git a/meta-security/meta-security-compliance/README b/meta-security/meta-security-compliance/README index b29c143b7..320f85676 100644 --- a/meta-security/meta-security-compliance/README +++ b/meta-security/meta-security-compliance/README @@ -28,9 +28,9 @@ Maintenance Send pull requests, patches, comments or questions to yocto@yoctoproject.org When sending single patches, please using something like: -'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH' -Layer Maintainer: Armin Kuster <akuster@mvista.com> +Layer Maintainer: Armin Kuster <akuster808@gmail.com> License diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf index d48feb97a..9ccadab8b 100644 --- a/meta-security/meta-security-compliance/conf/layer.conf +++ b/meta-security/meta-security-compliance/conf/layer.conf @@ -8,8 +8,6 @@ BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "thud warrior" +LAYERSERIES_COMPAT_scanners-layer = "warrior" -LAYERDEPENDS_scanners-layer = " \ - core \ -" +LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python" diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb index 3ba82f9e4..21e451794 100644 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb @@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" -SRC_URI[md5sum] = "3422cee3b12fc33338fcde003d65e234" -SRC_URI[sha256sum] = "fde6ccf8d6ec0ae1e9c9f4a6d640cddcde4bf7a92f8437d47d16a5477e21bfda" +SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242" +SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d" S = "${WORKDIR}/${BPN}" diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb index e84ed30f8..fd53fcba5 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb @@ -30,4 +30,4 @@ do_install () { FILES_${PN} += "${datadir}/oe-scap" -RDEPENDS_${PN} = "openscap" +RDEPENDS_${PN} = "openscap bash" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch b/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch deleted file mode 100644 index 2d70855ab..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch +++ /dev/null @@ -1,36 +0,0 @@ -Index: git/configure.ac -=================================================================== ---- git.orig/configure.ac -+++ git/configure.ac -@@ -360,25 +360,13 @@ case "${with_crypto}" in - AC_DEFINE([HAVE_NSS3], [1], [Define to 1 if you have 'NSS' library.]) - ;; - gcrypt) -- SAVE_LIBS=$LIBS -- AC_CHECK_LIB([gcrypt], [gcry_check_version], -- [crapi_CFLAGS=`libgcrypt-config --cflags`; -- crapi_LIBS=`libgcrypt-config --libs`; -- crapi_libname="GCrypt";], -- [AC_MSG_ERROR([library 'gcrypt' is required for GCrypt.])], -- []) -- AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'gcrypt' library.]) -- AC_CACHE_CHECK([for GCRYCTL_SET_ENFORCED_FIPS_FLAG], -- [ac_cv_gcryctl_set_enforced_fips_flag], -- [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include<gcrypt.h>], -- [return GCRYCTL_SET_ENFORCED_FIPS_FLAG;])], -- [ac_cv_gcryctl_set_enforced_fips_flag=yes], -- [ac_cv_gcryctl_set_enforced_fips_flag=no])]) -+ PKG_CHECK_MODULES([libgcrypt], [libgcrypt >= 1.7.9],[], -+ AC_MSG_FAILURE([libgcrypt devel support is missing])) - -- if test "${ac_cv_gcryctl_set_enforced_fips_flag}" == "yes"; then -- AC_DEFINE([HAVE_GCRYCTL_SET_ENFORCED_FIPS_FLAG], [1], [Define to 1 if you have 'gcrypt' library with GCRYCTL_SET_ENFORCED_FIPS_FLAG.]) -- fi -- LIBS=$SAVE_LIBS -+ crapi_libname="libgcrypt" -+ crapi_CFLAGS=$libgcrypt_CFLAGS -+ crapi_LIBS=$libgcrypt_LIBS -+ AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'libgcrypt' library.]) - ;; - *) - AC_MSG_ERROR([unknown crypto backend]) diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch b/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch deleted file mode 100644 index ecbe6026f..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch +++ /dev/null @@ -1,17 +0,0 @@ -Index: git/configure.ac -=================================================================== ---- git.orig/configure.ac -+++ git/configure.ac -@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto], - [], - [crypto=gcrypt]) - --if test "x${libexecdir}" = xNONE; then -- probe_dir="/usr/local/libexec/openscap" --else -- EXPAND_DIR(probe_dir,"${libexecdir}/openscap") --fi -+probe_dir="/usr/local/libexec/openscap" - - AC_SUBST(probe_dir) - diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest b/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest deleted file mode 100644 index 454a6a3c9..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -cd tests -make -k check diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc index e9589b6bd..afa576a9b 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -1,2 +1,55 @@ +# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "NIST Certified SCAP 1.2 toolkit" +HOME_URL = "https://www.open-scap.org/tools/openscap-base/" +LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" +LICENSE = "LGPL-2.1" + +DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig" +DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig python3native perlnative + +PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3" +PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl" +PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm" +PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt" +PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss" +PACKAGECONFIG[selinux] = ", ,libselinux" + +EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \ + -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \ + -DENABLE_OSCAP_UTIL=ON -DENABLE_OSCAP_UTIL_SSH=ON \ + -DENABLE_OSCAP_UTIL_DOCKER=OFF -DENABLE_OSCAP_UTIL_CHROOT=OFF \ + -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \ + -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \ + -DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS=OFF \ + -DCMAKE_SKIP_INSTALL_RPATH=ON -DCMAKE_SKIP_RPATH=ON \ + " + STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source" STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" + +do_configure_append_class-native () { + sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h +} + +do_install_class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" +do_install_append_class-native () { + oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} + install -d $oscapdir + cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir +} + + +FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" + +RDEPENDS_${PN} += "libxml2 python3-core libgcc bash" + +BBCLASSEXTEND = "native" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb deleted file mode 100644 index e2a4fa2e6..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb +++ /dev/null @@ -1,87 +0,0 @@ -# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> -# Released under the MIT license (see COPYING.MIT for the terms) - -SUMARRY = "NIST Certified SCAP 1.2 toolkit" -HOME_URL = "https://www.open-scap.org/tools/openscap-base/" -LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" -LICENSE = "LGPL-2.1" - -DEPENDS = "autoconf-archive pkgconfig gconf procps curl libxml2 rpm \ - libxslt libcap swig swig-native" - -DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" - -SRCREV = "59c234b3e9907480c89dfbd1b466a6bf72a2d2ed" -SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \ - file://crypto_pkgconfig.patch \ - file://run-ptest \ -" - -inherit autotools-brokensep pkgconfig python3native perlnative ptest - -S = "${WORKDIR}/git" - -PACKAGECONFIG ?= "nss3 pcre rpm" -PACKAGECONFIG[pcre] = ",--enable-regex-posix, libpcre" -PACKAGECONFIG[gcrypt] = "--with-crypto=gcrypt,, libgcrypt " -PACKAGECONFIG[nss3] = "--with-crypto=nss3,, nss" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python" -PACKAGECONFIG[python3] = "--enable-python3, --disable-python3, python3, python3" -PACKAGECONFIG[perl] = "--enable-perl, --disable-perl, perl, perl" -PACKAGECONFIG[rpm] = " --enable-util-scap-as-rpm, --disable-util-scap-as-rpm, rpm, rpm" - -export LDFLAGS += " -ldl" - -EXTRA_OECONF += "--enable-probes-independent --enable-probes-linux \ - --enable-probes-solaris --enable-probes-unix --disable-util-oscap-docker\ - --enable-util-oscap-ssh --enable-util-oscap --enable-ssp --enable-sce \ -" - -EXTRA_OECONF_class-native += "--disable-probes-independent --enable-probes-linux \ - --disable-probes-solaris --disable-probes-unix \ - --enable-util-oscap \ -" - -do_configure_prepend () { - sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am - sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am - sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am - sed -i 's:python2:python:' ${S}/utils/scap-as-rpm -} - - -include openscap.inc - -do_configure_append_class-native () { - sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h -} - -do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" - -do_install_append_class-native () { - oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} - install -d $oscapdir - cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir -} - -TESTDIR = "tests" - -do_compile_ptest() { - sed -i 's:python2:python:' ${S}/${TESTDIR}/nist/test_worker.py - echo 'buildtest-TESTS: $(check)' >> ${TESTDIR}/Makefile - oe_runmake -C ${TESTDIR} buildtest-TESTS -} - -do_install_ptest() { - # install the tests - cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH} -} - -FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" - -RDEPENDS_${PN} += "libxml2 python libgcc" -RDEPENDS_${PN}-ptest = "bash perl python" - -BBCLASSEXTEND = "native" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb new file mode 100644 index 000000000..ad29efdad --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb @@ -0,0 +1,9 @@ +SUMARRY = "NIST Certified SCAP 1.2 toolkit" + +require openscap.inc + +SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc" +SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \ +" + +DEFAULT_PREFERENCE = "-1" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb new file mode 100644 index 000000000..963d3dec9 --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb @@ -0,0 +1,12 @@ +# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes" + +include openscap.inc + +SRCREV = "4bbdb46ff651f809d5b38ca08d769790c4bfff90" +SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \ +" + +PV = "1.3.1+git${SRCPV}" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc new file mode 100644 index 000000000..3212310fb --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -0,0 +1,32 @@ +# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "SCAP content for various platforms" +HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" +LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" +LICENSE = "LGPL-2.1" + +DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig python3native + +STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" + +OECMAKE_GENERATOR = "Unix Makefiles" + +EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF" + +B = "${S}/build" + +do_configure[depends] += "openscap-native:do_install" + +do_configure_prepend () { + sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt + sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt +} + +FILES_${PN} += "${datadir}/xml" + +RDEPENDS_${PN} = "openscap" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb deleted file mode 100644 index 27d3d869a..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> -# Released under the MIT license (see COPYING.MIT for the terms) - -SUMARRY = "SCAP content for various platforms" -HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" -LIC_FILES_CHKSUM = "file://LICENSE;md5=236e81befc8154d18c93c848185d7e52" -LICENSE = "LGPL-2.1" - -DEPENDS = "openscap-native" - -SRCREV = "423d9f40021a03abd018bef7818a3a9fe91a083c" -SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe;" - -inherit cmake - -PARALLEL_MAKE = "" - -S = "${WORKDIR}/git" - -STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" - -OECMAKE_GENERATOR = "Unix Makefiles" - -EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_FIREFOX:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_JRE:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENSUSE:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_OSP7:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL5:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL6:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL7:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEV3:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE11:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE12:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1404:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1604:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_WRLINUX:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_WEBMIN:BOOL=OFF" - -do_configure_prepend () { - sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt - sed -i 's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' ${S}/cmake/SSGCommon.cmake -} - -do_compile () { - cd ${B} - make openembedded -} - -do_install () { - cd ${B} - make DESTDIR=${D} install -} -FILES_${PN} += "${datadir}/xml" -RDEPNEDS_${PN} = "openscap" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb new file mode 100644 index 000000000..d80ecd7ed --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb @@ -0,0 +1,8 @@ +SUMARRY = "SCAP content for various platforms, upstream version" + +SRCREV = "8cb2d0f351faff5440742258782281164953b0a6" +SRC_URI = "git://github.com/ComplianceAsCode/content.git" + +DEFAULT_PREFERENCE = "-1" + +require scap-security-guide.inc diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb new file mode 100644 index 000000000..d9238c03f --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb @@ -0,0 +1,9 @@ +SUMARRY = "SCAP content for various platforms, OE changes" + +SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed" +SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;" +PV = "0.1.44+git${SRCPV}" + +require scap-security-guide.inc + +EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON" diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index bf9a76ea6..cdccc553e 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_tpm-layer = "10" -LAYERSERIES_COMPAT_tpm-layer = "thud warrior" +LAYERSERIES_COMPAT_tpm-layer = "warrior" LAYERDEPENDS_tpm-layer = " \ core \ diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py index 240a9b3ba..c6f9d9224 100644 --- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py +++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py @@ -16,9 +16,9 @@ class Tpm2Test(OERuntimeTestCase): if expected_endlines: self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines)) - @OEHasPackage(['tpm2.0-tss']) + @OEHasPackage(['tpm2-tss']) @OEHasPackage(['tpm2-abrmd']) - @OEHasPackage(['tpm2.0-tools']) + @OEHasPackage(['tpm2-tools']) @OEHasPackage(['ibmswtpm2']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_tpm2_sim(self): diff --git a/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb b/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb index a337076dc..dbdd309c0 100644 --- a/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb +++ b/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb @@ -1,14 +1,13 @@ -DESCRIPTION = "A small image for building meta-security packages" +DESCRIPTION = "A small image for building a tpm image for testing" IMAGE_FEATURES += "ssh-server-openssh" IMAGE_INSTALL = "\ packagegroup-base \ packagegroup-core-boot \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \ + packagegroup-security-tpm \ os-release \ - ${CORE_IMAGE_EXTRA_INSTALL}" +" IMAGE_LINGUAS ?= " " diff --git a/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb new file mode 100644 index 000000000..7e047d127 --- /dev/null +++ b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb @@ -0,0 +1,18 @@ +DESCRIPTION = "A small image for building a tpm2 image for testing" + +IMAGE_FEATURES += "ssh-server-openssh" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-security-tpm2 \ + os-release \ +" + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-tpm2-image" diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 5ded3a2cc..8f5c537b9 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -5,19 +5,19 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda inherit packagegroup -PACKAGES = "packagegroup-security-tpm2" +PACKAGES = "${PN}" SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support" RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-tools \ trousers \ + tpm2-tss \ libtss2 \ + libtss2-mu \ libtss2-tcti-device \ libtss2-tcti-mssim \ tpm2-abrmd \ tpm2-pkcs11 \ + ibmswtpm2 \ cryptsetup-tpm-incubator \ " - -RDEPENDS_packagegroup-security-tpm2_append_x86 = " tpm2-tcti-uefi" -RDEPENDS_packagegroup-security-tpm2_append_x86-64 = " tpm2-tcti-uefi" diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb index a88296046..d9863fa4a 100644 --- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb @@ -2,7 +2,7 @@ SUMMARY = "LIBPM - Software TPM Library" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9" -SRCREV = "9dc915572b51db0714640ba1ddf8cca9c0f24f05" +SRCREV = "c26e8f7b08b19a69cea9e8f1f1e6639c7951fb01" SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-${PV}" PE = "1" diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.2.0.bb index 42de8b18e..f3a53dd9b 100644 --- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.2.0.bb @@ -9,7 +9,7 @@ DEPENDS = "libtasn1 expect socat glib-2.0 net-tools-native libtpm libtpm-native" # then swtpm_setup needs them at runtime DEPENDS += "tpm-tools-native expect-native socat-native" -SRCREV = "d803d84575ab3e5dac316bf863c7f569a27ea35f" +SRCREV = "39673a0139b0ee14a0109aba50a0635592c672c4" SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-${PV} \ file://fix_fcntl_h.patch \ file://ioctl_h.patch \ diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb index 8b504453f..8385c9403 100644 --- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb @@ -32,7 +32,7 @@ RRECOMMENDS_${PN} = "kernel-module-aes-generic \ kernel-module-xts \ " -RDEPENDS_${PN} += "lvm2" +RDEPENDS_${PN} += "lvm2 libdevmapper" RRECOMMENDS_${PN} += "lvm2-udevrules" RREPLACES_${PN} = "cryptsetup" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.2.0.bb index a4c66823f..021c96930 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.2.0.bb @@ -12,14 +12,13 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \ libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim" - SRC_URI = "\ git://github.com/tpm2-software/tpm2-abrmd.git \ file://tpm2-abrmd-init.sh \ file://tpm2-abrmd.default \ " -SRCREV = "06d9d433ba27159687255406baa37940db15465b" +SRCREV = "ac2a5a4b5a4e548177ed7a5b74cea23e00fd30b4" S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb index 9031e63e4..218574999 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb @@ -2,7 +2,7 @@ SUMMARY = "A PKCS#11 interface for TPM2 hardware" DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token." SECTION = "security/tpm" LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=b748af41ef1300c98e105b3b7ec4ecc1" +LIC_FILES_CHKSUM = "file://LICENSE;md5=93645981214b60a02688745c14f93c95" DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools" @@ -10,7 +10,7 @@ SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \ file://bootstrap_fixup.patch \ " -SRCREV = "3107d89b406ecd9c007884613733c9a344ef6d39" +SRCREV = "caf20c04651029626466c59d88b36c05cc6ea20b" S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch new file mode 100644 index 000000000..3b54dddf7 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch @@ -0,0 +1,27 @@ +From b74837184cfdefb45e48f3fdc974fc67691fc861 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> +Date: Wed, 3 Jul 2019 19:16:35 +0300 +Subject: [PATCH] configure.ac: stop inserting host directories into compile + path + +Do not insert /usr/lib and /usr/lib64 into library search path. + +Upstream-Status: OE specific +Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: git/configure.ac +=================================================================== +--- git.orig/configure.ac ++++ git/configure.ac +@@ -81,7 +81,7 @@ AC_ARG_WITH([efi-lds], + AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]), + [], + [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"]) +-EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}" ++EXTRA_LDFLAGS="-Wl,--script=${with_efi_lds}" + + # path to object file from gnu-efi + AC_ARG_WITH([efi-crt0], diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 815691dfe..f4918ec02 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -2,17 +2,38 @@ SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment" SECTION = "security/tpm" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig" +DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ + file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \ " -SRCREV = "131889d12d2c7d8974711d2ebd1032cd32577b7f" +SRCREV = "431c85f45dcdca5da003ed47c6e9814282476938" S = "${WORKDIR}/git" inherit autotools pkgconfig +EFIDIR ?= "/EFI/BOOT" + +do_compile_append() { + oe_runmake example +} + +do_install_append() { + install -d "${D}${EFIDIR}" + install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}" +} + +EFI_ARCH_x86 = "ia32" +EFI_ARCH_x86-64 = "x86_64" + COMPATIBLE_HOST = "(i.86|x86_64).*-linux" -EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi --with-efi-lds=${STAGING_LIBDIR_NATIVE}/" +EXTRA_OECONF_append = "\ + --with-efi-includedir=${STAGING_INCDIR}/efi \ + --with-efi-crt0=${STAGING_LIBDIR_NATIVE}/crt0-efi-${EFI_ARCH}.o \ + --with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \ +" RDEPENDS_${PN} = "gnu-efi" + +FILES_${PN} += "${EFIDIR}" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb index 1f1f5c606..b6f1be0d9 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb @@ -6,7 +6,7 @@ SECTION = "tpm" DEPENDS = "pkgconfig tpm2-tss openssl curl autoconf-archive" -SRCREV = "74ba065e5914bc5d713ca3709d62a5751b097369" +SRCREV = "a17daa948fc67685651bf3b7a589ed341080ddd3" SRC_URI = "git://github.com/tpm2-software/tpm2-tools.git;branch=3.X" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.2.bb new file mode 100644 index 000000000..8a2504d94 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.2.bb @@ -0,0 +1,18 @@ +SUMMARY = "Attest the trustworthiness of a device against a human using time-based one-time passwords" + +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1" + +SECTION = "security/tpm" + +DEPENDS = "autoconf-archive libtss2-dev qrencode" + +PE = "1" + +SRCREV = "15cc8fbc8fe71be9c04c3169ee1f70450d52a51a" +SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.1.x \ + file://litpm2_totp_build_fix.patch " + +inherit autotools-brokensep pkgconfig + +S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb deleted file mode 100644 index bc94ab711..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb +++ /dev/null @@ -1,17 +0,0 @@ -SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL." -DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures." - -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1" - -SECTION = "security/tpm" - -DEPENDS = "autoconf-archive libtss2-dev qrencode" - -SRCREV = "44fcb6819f79302d5a088b3def648616e3551d4a" -SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git \ - file://litpm2_totp_build_fix.patch " - -inherit autotools-brokensep pkgconfig - -S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb index 36530be2c..8825737ee 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb @@ -8,7 +8,7 @@ SECTION = "security/tpm" DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl" -SRCREV = "bef89ec79cbb4c99963b0e336d9184827c545782" +SRCREV = "e1bbabe29377e45282d753a1b103625c420a19cf" SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git" inherit autotools-brokensep pkgconfig systemd diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.1.bb index 78bdeebe0..3e77f71d2 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.1.bb @@ -6,9 +6,9 @@ SECTION = "tpm" DEPENDS = "autoconf-archive-native libgcrypt openssl" -SRCREV = "eb69e13559f20a0b49002a685c6f4a39be9503e2" +SRCREV = "a99e733ba66c359502689a9c42fd5e02ed1dd7d6" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x" +SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.3.x" inherit autotools-brokensep pkgconfig systemd diff --git a/meta-security/recipes-core/busybox/busybox_%.bbappend b/meta-security/recipes-core/busybox/busybox_%.bbappend index 8bb0706ec..27a24824d 100644 --- a/meta-security/recipes-core/busybox/busybox_%.bbappend +++ b/meta-security/recipes-core/busybox/busybox_%.bbappend @@ -1,3 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://head.cfg" +require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)} diff --git a/meta-security/recipes-core/busybox/busybox_libsecomp.inc b/meta-security/recipes-core/busybox/busybox_libsecomp.inc new file mode 100644 index 000000000..4af22ce3e --- /dev/null +++ b/meta-security/recipes-core/busybox/busybox_libsecomp.inc @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:" + +SRC_URI_append = " file://head.cfg" diff --git a/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch b/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch deleted file mode 100644 index 7f80a5c61..000000000 --- a/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch +++ /dev/null @@ -1,51 +0,0 @@ -From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Fri, 15 Jan 2016 00:48:58 -0500 -Subject: [PATCH] Enable obfuscating binaries natively. - -Enable obfuscating binaries natively. - -The samhain build process involves an obfuscation step that attempts to -defeat decompilation or other binary analysis techniques which might reveal -secret information that should be known only to the system administrator. -The obfuscation step builds several applications which run on the build host -and then generate target code, which is then built into target binaries. - -This patch creates a basic infrastructure that supports building the -obfuscation binaries natively then cross-compiling the target code by adding -a special configure option. In the absence of this option the old behaviour -is preserved. - -Upstream-Status: Inappropriate [cross compile specific] - -Signed-off-by: Aws Ismail <aws.ismail@windriver.com> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - Makefile.in | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/Makefile.in b/Makefile.in -index 684e92b..fb090e2 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -54,7 +54,7 @@ selectconfig = @selectconfig@ - top_builddir = . - - INSTALL = @INSTALL@ --INSTALL_PROGRAM = @INSTALL@ -s -m 700 -+INSTALL_PROGRAM = @INSTALL@ -m 700 - INSTALL_SHELL = @INSTALL@ -m 700 - INSTALL_DATA = @INSTALL@ -m 600 - INSTALL_MAN = @INSTALL@ -m 644 -@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip - echo " $(INSTALL_PROGRAM) $$p $$target"; \ - $(INSTALL_PROGRAM) $$p $$target; \ - chmod 0700 $$target; \ -- echo " ./sstrip $$target"; \ -- ./sstrip $$target; \ - else \ - echo " $(INSTALL_SHELL) $$p $$target"; \ - $(INSTALL_SHELL) $$p $$target; \ --- -1.9.1 - diff --git a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-client.bb index 0f53a8cde..0f53a8cde 100644 --- a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb +++ b/meta-security/recipes-ids/samhain/samhain-client.bb diff --git a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-server.bb index d304912e7..d304912e7 100644 --- a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb +++ b/meta-security/recipes-ids/samhain/samhain-server.bb diff --git a/meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-standalone.bb index 4fed9e9e9..4fed9e9e9 100644 --- a/meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb +++ b/meta-security/recipes-ids/samhain/samhain-standalone.bb diff --git a/meta-security/recipes-ids/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc index 1b9af39ce..16222ba10 100644 --- a/meta-security/recipes-ids/samhain/samhain.inc +++ b/meta-security/recipes-ids/samhain/samhain.inc @@ -3,9 +3,9 @@ HOMEPAGE = "http://www.la-samhna.de/samhain/" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b" +PV = "4.3.3" SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ - file://samhain-cross-compile.patch \ file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \ file://samhain-samhainrc.patch \ file://samhain-samhainrc-fix-files-dirs-path.patch \ @@ -19,8 +19,8 @@ SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ file://samhain.service \ " -SRC_URI[md5sum] = "eae4674164d7c78f5bb39c72b7029c8b" -SRC_URI[sha256sum] = "0582864ef56ab796031e8e611ed66c48adeb3a30ec34e1a8d0088572442035fc" +SRC_URI[md5sum] = "7be46ae7d03f53ba21afafd41cff8926" +SRC_URI[sha256sum] = "33ad4bc3dad4699694553bd9635a6b5827939f965d1f0f05fce0b4e9cdadf21b" UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html" UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar" diff --git a/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch b/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch new file mode 100644 index 000000000..530568b19 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch @@ -0,0 +1,26 @@ +From b37554e0bc3cf383e6547c5c6a69c6f6849c09e3 Mon Sep 17 00:00:00 2001 +From: Eric Leblond <eric@regit.org> +Date: Wed, 17 Jul 2019 12:35:12 +0200 +Subject: [PATCH] af-packet: fix build on recent Linux kernels + +Upstream-Status: Backport +Signed-off-by: Armin kuster <akuster808@gmail.com> +--- + src/source-af-packet.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: suricata-4.1.5/src/source-af-packet.c +=================================================================== +--- suricata-4.1.5.orig/src/source-af-packet.c ++++ suricata-4.1.5/src/source-af-packet.c +@@ -68,6 +68,10 @@ + #include <linux/sockios.h> + #endif + ++#if HAVE_LINUX_SOCKIOS_H ++#include <linux/sockios.h> ++#endif ++ + #ifdef HAVE_PACKET_EBPF + #include "util-ebpf.h" + #include <bpf/libbpf.h> diff --git a/meta-security/recipes-ids/suricata/files/emerging.rules.tar.gz b/meta-security/recipes-ids/suricata/files/emerging.rules.tar.gz Binary files differdeleted file mode 100644 index aed375474..000000000 --- a/meta-security/recipes-ids/suricata/files/emerging.rules.tar.gz +++ /dev/null diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.29.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb index 8305f7010..8305f7010 100644 --- a/meta-security/recipes-ids/suricata/libhtp_0.5.29.bb +++ b/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb diff --git a/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb b/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb new file mode 100644 index 000000000..63f75e096 --- /dev/null +++ b/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb @@ -0,0 +1,15 @@ +SUMMARY = "The tool for updating your Suricata rules. " +HOMEPAGE = "http://suricata-ids.org/" +SECTION = "security Monitor/Admin" +LICENSE = "GPLv2" + +LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" + +SRCREV = "dcd0f630e13463750efb1593ad3ccae1ae6c27d4" +SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.0.x'" + +S = "${WORKDIR}/git" + +inherit python3native setuptools3 + +RDEPENDS_${PN} = "python3-pyyaml" diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc index 7be403ccb..1f4baffcc 100644 --- a/meta-security/recipes-ids/suricata/suricata.inc +++ b/meta-security/recipes-ids/suricata/suricata.inc @@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/" SECTION = "security Monitor/Admin" LICENSE = "GPLv2" -VER = "4.1.3" +VER = "4.1.5" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz" -SRC_URI[md5sum] = "35c4a8e6be3910831649a073950195df" -SRC_URI[sha256sum] = "6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0" +SRC_URI[md5sum] = "0dfd68f6f4314c5c2eed7128112eff3b" +SRC_URI[sha256sum] = "cee5f6535cd7fe63fddceab62eb3bc66a63fc464466c88ec7a41b7a1331ac74b" diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.3.bb b/meta-security/recipes-ids/suricata/suricata_4.1.5.bb index d6f5937d1..cda1c870f 100644 --- a/meta-security/recipes-ids/suricata/suricata_4.1.3.bb +++ b/meta-security/recipes-ids/suricata/suricata_4.1.5.bb @@ -4,17 +4,13 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" -SRC_URI += "file://emerging.rules.tar.gz;name=rules" - SRC_URI += " \ - file://volatiles.03_suricata \ - file://suricata.yaml \ - file://suricata.service \ - file://run-ptest \ - " - -SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33" -SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798" + file://volatiles.03_suricata \ + file://suricata.yaml \ + file://suricata.service \ + file://run-ptest \ + file://0001-af-packet-fix-build-on-recent-Linux-kernels.patch \ + " inherit autotools-brokensep pkgconfig python3-dir systemd ptest diff --git a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend new file mode 100644 index 000000000..76b5df55b --- /dev/null +++ b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend @@ -0,0 +1,4 @@ +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}" + diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg deleted file mode 100644 index ae6cdcdf0..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg +++ /dev/null @@ -1,9 +0,0 @@ -CONFIG_AUDIT=y -CONFIG_SECURITY_PATH=y -CONFIG_SECURITY_APPARMOR=y -CONFIG_SECURITY_APPARMOR_HASH=y -CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -CONFIG_INTEGRITY_AUDIT=y -CONFIG_DEFAULT_SECURITY_APPARMOR=y -CONFIG_DEFAULT_SECURITY="apparmor" -CONFIG_AUDIT_GENERIC=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg deleted file mode 100644 index fc3574015..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg +++ /dev/null @@ -1 +0,0 @@ -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg deleted file mode 100644 index b5c48454e..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_DEFAULT_SECURITY="smack" -CONFIG_DEFAULT_SECURITY_SMACK=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg deleted file mode 100644 index 0d5fc645c..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg +++ /dev/null @@ -1,7 +0,0 @@ -CONFIG_NETLABEL=y -CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set -CONFIG_SECURITY_SMACK=y -CONFIG_SECURITY_SMACK_BRINGUP=y -CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y -CONFIG_TMPFS_XATTR=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend new file mode 100644 index 000000000..239e30e70 --- /dev/null +++ b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend @@ -0,0 +1,2 @@ +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" ++KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg deleted file mode 100644 index b5f9bb2a6..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg +++ /dev/null @@ -1,15 +0,0 @@ -CONFIG_AUDIT=y -# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set -CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set -CONFIG_SECURITY_PATH=y -# CONFIG_SECURITY_SELINUX is not set -CONFIG_SECURITY_APPARMOR=y -CONFIG_SECURITY_APPARMOR_HASH=y -CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -# CONFIG_SECURITY_APPARMOR_DEBUG is not set -CONFIG_INTEGRITY_AUDIT=y -CONFIG_DEFAULT_SECURITY_APPARMOR=y -# CONFIG_DEFAULT_SECURITY_DAC is not set -CONFIG_DEFAULT_SECURITY="apparmor" -CONFIG_AUDIT_GENERIC=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg deleted file mode 100644 index fc3574015..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg +++ /dev/null @@ -1 +0,0 @@ -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 diff --git a/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg b/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg deleted file mode 100644 index b5c48454e..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_DEFAULT_SECURITY="smack" -CONFIG_DEFAULT_SECURITY_SMACK=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg deleted file mode 100644 index 62f465a45..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg +++ /dev/null @@ -1,8 +0,0 @@ -CONFIG_IP_NF_SECURITY=m -CONFIG_IP6_NF_SECURITY=m -CONFIG_EXT2_FS_SECURITY=y -CONFIG_EXT3_FS_SECURITY=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_SECURITY=y -CONFIG_SECURITY_SMACK=y -CONFIG_TMPFS_XATTR=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend index 321392c0b..39d4e6f50 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend @@ -1,11 +1,2 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \ -" - -SRC_URI += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \ -" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend deleted file mode 100644 index f810e2112..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend +++ /dev/null @@ -1,11 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-5.0:" - -SRC_URI += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \ -" - -SRC_URI += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \ -" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb index 4eaec001e..2e5d221c3 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -21,10 +21,11 @@ SRC_URI = " \ file://functions \ file://apparmor \ file://apparmor.service \ + file://0001-Makefile.am-suppress-perllocal.pod.patch \ file://run-ptest \ " -SRCREV = "af4808b5f6b58946f5c5a4de4b77df5e0eae6ca0" +SRCREV = "2f9d9ea7e01a115b29858455d3b1b5c6a0bab75c" S = "${WORKDIR}/git" PARALLEL_MAKE = "" @@ -141,6 +142,12 @@ do_install_ptest () { cp -rf ${B}/binutils ${t} } +pkg_postinst_ontarget_${PN} () { +if [ ! -d /etc/apparmor.d/cache ] ; then + mkdir /etc/apparmor.d/cache +fi +} + INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME = "apparmor" INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." @@ -154,7 +161,7 @@ PACKAGES += "mod-${PN}" FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" FILES_mod-${PN} = "${libdir}/apache2/modules/*" -RDEPENDS_${PN} += "bash lsb" -RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}" +RDEPENDS_${PN} += "bash" +RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch b/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch new file mode 100644 index 000000000..9807be129 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch @@ -0,0 +1,28 @@ +From 9f9cfbf07214ac68a55372a3c2777192765cbeb9 Mon Sep 17 00:00:00 2001 +From: Naveen Saini <naveen.kumar.saini@intel.com> +Date: Fri, 20 Sep 2019 18:53:53 +0800 +Subject: [PATCH] Makefile.am: suppress perllocal.pod + +Upstream-Status: Inappropriate [OE-Specific] + +Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com> +--- + libraries/libapparmor/swig/perl/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am +index 6ae4e30c..be00dc7f 100644 +--- a/libraries/libapparmor/swig/perl/Makefile.am ++++ b/libraries/libapparmor/swig/perl/Makefile.am +@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.pm + LibAppArmor.pm: libapparmor_wrap.c + + Makefile.perl: Makefile.PL LibAppArmor.pm +- $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ ++ $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ NO_PERLLOCAL=1 + sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl + sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl + +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor b/meta-security/recipes-mac/AppArmor/files/apparmor index ac3ab9a4a..604e48d56 100644 --- a/meta-security/recipes-mac/AppArmor/files/apparmor +++ b/meta-security/recipes-mac/AppArmor/files/apparmor @@ -47,7 +47,6 @@ log_end_msg () { } . /lib/apparmor/functions -. /lib/lsb/init-functions usage() { echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" diff --git a/meta-security/recipes-mac/smack/smack_1.3.1.bb b/meta-security/recipes-mac/smack/smack_1.3.1.bb index 246562afe..f32d91ba3 100644 --- a/meta-security/recipes-mac/smack/smack_1.3.1.bb +++ b/meta-security/recipes-mac/smack/smack_1.3.1.bb @@ -48,7 +48,7 @@ INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." FILES_${PN} += "${sysconfdir}/init.d/smack" FILES_${PN}-ptest += "generator" -RDEPENDS_${PN} += "coreutils" +RDEPENDS_${PN} += "coreutils python3-core" RDEPENDS_${PN}-ptest += "make bash bc" BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-perl/perl/libenv-perl_1.04.bb b/meta-security/recipes-perl/perl/libenv-perl_1.04.bb deleted file mode 100644 index dd8e1159e..000000000 --- a/meta-security/recipes-perl/perl/libenv-perl_1.04.bb +++ /dev/null @@ -1,21 +0,0 @@ -SUMMARY = "Perl module that imports environment variables as scalars or arrays" -DESCRIPTION = "Perl maintains environment variables in a special hash named %ENV. \ -For when this access method is inconvenient, the Perl module Env allows environment \ -variables to be treated as scalar or array variables." - -HOMEPAGE = "http://search.cpan.org/~flora/Env/" -SECTION = "libs" -LICENSE = "Artistic-1.0 | GPL-1.0+" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=76c1cbf18db56b3340d91cb947943bd3" - -SRC_URI = "http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/Env-${PV}.tar.gz" - -SRC_URI[md5sum] = "fdba5c0690e66972c96fee112cf5f25c" -SRC_URI[sha256sum] = "d94a3d412df246afdc31a2199cbd8ae915167a3f4684f7b7014ce1200251ebb0" - -S = "${WORKDIR}/Env-${PV}" - -inherit cpan - -BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-security/checksec/checksec_1.11.1.bb b/meta-security/recipes-security/checksec/checksec_2.1.0.bb index 835dffcd8..5c6528e48 100644 --- a/meta-security/recipes-security/checksec/checksec_1.11.1.bb +++ b/meta-security/recipes-security/checksec/checksec_2.1.0.bb @@ -6,7 +6,7 @@ HOMEPAGE="https://github.com/slimm609/checksec.sh" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a" -SRCREV = "3c15cb89641c700096fdec0c1904a0cf9b83c5e2" +SRCREV = "04582bad41589ad479ca8b1f0170ed317475b5a5" SRC_URI = "git://github.com/slimm609/checksec.sh" S = "${WORKDIR}/git" diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb index 7d8767e2f..7f0433777 100644 --- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb +++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb @@ -66,14 +66,12 @@ EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}" EXTRA_OECONF_class-target += "--with-user=${UID} --with-group=${GID} --disable-rpath ${EXTRA_OECONF_CLAMAV}" do_configure () { - cd ${S} - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} + ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} install -d ${S}/clamav_db } do_configure_class-native () { - cd ${S} - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} + ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} } diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb index 1f780f9e3..e45ee0ba0 100644 --- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb +++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb @@ -14,6 +14,7 @@ DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native" SRC_URI = "\ https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \ file://ecryptfs-utils-CVE-2016-6224.patch \ + file://0001-avoid-race-condition.patch \ file://ecryptfs.service \ " @@ -30,13 +31,13 @@ EXTRA_OECONF = "\ --disable-pywrap \ --disable-nls \ --with-pamdir=${base_libdir}/security \ + --disable-openssl \ " PACKAGECONFIG ??= "nss \ ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ " PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss," -PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl," PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam," do_configure_prepend() { diff --git a/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch b/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch new file mode 100644 index 000000000..af28d5810 --- /dev/null +++ b/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch @@ -0,0 +1,32 @@ +From ab671b02e3aaf65dd1fd279789ea933b8140fe52 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Tue, 27 Aug 2019 16:08:00 +0800 +Subject: [PATCH] avoid race condition + +The rootsbin directory is self defined. The install-rootsbinPROGRAMS +is actually treated as part of install-data. + +This would avoid race condition which causes install failure. + +Upstream-Status: Pending + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/utils/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/utils/Makefile.am b/src/utils/Makefile.am +index 83cf851..344883a 100644 +--- a/src/utils/Makefile.am ++++ b/src/utils/Makefile.am +@@ -67,6 +67,6 @@ ecryptfs_stat_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la + test_SOURCES = test.c io.c + test_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la + +-install-exec-hook: install-rootsbinPROGRAMS ++install-data-hook: install-rootsbinPROGRAMS + -rm -f "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private" + $(LN_S) "mount.ecryptfs_private" "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private" +-- +2.17.1 + diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-security/images/security-test-image.bb new file mode 100644 index 000000000..c71d7267d --- /dev/null +++ b/meta-security/recipes-security/images/security-test-image.bb @@ -0,0 +1,33 @@ +DESCRIPTION = "A small image for testing meta-security packages" + +IMAGE_FEATURES += "ssh-server-openssh" + +TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" + +INSTALL_CLAMAV_CVD = "1" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-core-security-ptest \ + clamav \ + tripwire \ + checksec \ + suricata \ + samhain-standalone \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \ + os-release \ + " + + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-test-image" + +IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch b/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch deleted file mode 100644 index 938fe2eb5..000000000 --- a/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch +++ /dev/null @@ -1,28 +0,0 @@ -From b0355cc205543ffd33752874295139d57c4fbc3e Mon Sep 17 00:00:00 2001 -From: Wenzong Fan <wenzong.fan@windriver.com> -Date: Tue, 26 Sep 2017 07:59:51 +0000 -Subject: [PATCH] Subject: [PATCH] keyutils: use relative path for link - -The absolute path of the symlink will be invalid -when populated in sysroot, so use relative path instead. - -Upstream-Status: Pending - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> -{rebased for 1.6] -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: keyutils-1.6/Makefile -=================================================================== ---- keyutils-1.6.orig/Makefile -+++ keyutils-1.6/Makefile -@@ -184,7 +184,7 @@ ifeq ($(NO_SOLIB),0) - $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME) - $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME) - mkdir -p $(DESTDIR)$(USRLIBDIR) -- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) -+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) - sed \ - -e 's,@VERSION\@,$(VERSION),g' \ - -e 's,@prefix\@,$(PREFIX),g' \ diff --git a/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch b/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch deleted file mode 100644 index acd91c01c..000000000 --- a/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch +++ /dev/null @@ -1,42 +0,0 @@ -fix keyutils test error report - -Upstream-Status: Pending - -"Permission denied" may be the reason of EKEYEXPIRED and EKEYREVOKED. -"Required key not available" may be the reason of EKEYREVOKED. -EXPIRED and REVOKED are 2 status of kernel security keys features. -But the userspace keyutils lib will output the error message, which may -have several reasons. - -Signed-off-by: Han Chao <chan@windriver.com> - -diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh -index bbca00a..739e9d0 100644 ---- a/tests/toolbox.inc.sh -+++ b/tests/toolbox.inc.sh -@@ -227,11 +227,12 @@ function expect_error () - ;; - EKEYEXPIRED) - my_err="Key has expired" -- alt_err="Unknown error 127" -+ alt_err="Permission denied" - ;; - EKEYREVOKED) - my_err="Key has been revoked" -- alt_err="Unknown error 128" -+ alt_err="Permission denied" -+ alt2_err="Required key not available" - ;; - EKEYREJECTED) - my_err="Key has been rejected" -@@ -249,6 +250,9 @@ function expect_error () - elif [ "x$alt_err" != "x" ] && expr "$my_errmsg" : ".*: $alt_err" >&/dev/null - then - : -+ elif [ "x$alt2_err" != "x" ] && expr "$my_errmsg" : ".*: $alt2_err" >&/dev/null -+ then -+ : - elif [ "x$old_err" != "x" ] && expr "$my_errmsg" : ".*: $old_err" >&/dev/null - then - : - diff --git a/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch b/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch deleted file mode 100644 index a4ffd50ce..000000000 --- a/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 49b6321368e4bd3cd233d045cd09004ddd7968b2 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Mon, 15 May 2017 14:52:00 +0800 -Subject: [PATCH] keyutils: fix output format - -keyutils ptest output format is incorrect, according to yocto -Development Manual -(http://www.yoctoproject.org/docs/latest/dev-manual/dev-manual.html#testing-packages-with-ptest) -5.10.6. Testing Packages With ptestThe test generates output in the format used by Automake: -<result>: <testname> -where the result can be PASS, FAIL, or SKIP, and the testname can be any -identifying string. -So we should change the test result format to match yocto ptest rules. - -Upstream-Status: Inappropriate [OE ptest specific] - -Signed-off-by: Li Wang <li.wang@windriver.com> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - tests/runtest.sh | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/tests/runtest.sh b/tests/runtest.sh -index b6eaa7c..84263fb 100644 ---- a/tests/runtest.sh -+++ b/tests/runtest.sh -@@ -21,6 +21,11 @@ for i in ${TESTS}; do - echo "### RUNNING TEST $i" - if [[ $AUTOMATED != 0 ]] ; then - bash ./runtest.sh -+ if [ $? != 0 ]; then -+ echo "FAIL: $i" -+ else -+ echo "PASS: $i" -+ fi - else - bash ./runtest.sh || exit 1 - fi --- -2.11.0 - diff --git a/meta-security/recipes-security/keyutils/files/run-ptest b/meta-security/recipes-security/keyutils/files/run-ptest deleted file mode 100755 index 305707f65..000000000 --- a/meta-security/recipes-security/keyutils/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -export AUTOMATED=1 -make -C tests run diff --git a/meta-security/recipes-security/keyutils/keyutils_1.6.bb b/meta-security/recipes-security/keyutils/keyutils_1.6.bb deleted file mode 100644 index 4d3a96f29..000000000 --- a/meta-security/recipes-security/keyutils/keyutils_1.6.bb +++ /dev/null @@ -1,53 +0,0 @@ -SUMMARY = "Linux Key Management Utilities" -DESCRIPTION = "\ - Utilities to control the kernel key management facility and to provide \ - a mechanism by which the kernel call back to userspace to get a key \ - instantiated. \ - " -HOMEPAGE = "http://people.redhat.com/dhowells/keyutils" -SECTION = "base" - -LICENSE = "LGPLv2.1+ & GPLv2.0+" - -LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \ - file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f" - -inherit siteinfo autotools-brokensep ptest - -SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \ - file://keyutils-test-fix-output-format.patch \ - file://keyutils-fix-error-report-by-adding-default-message.patch \ - file://run-ptest \ - file://fix_library_install_path.patch \ - " - -SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808" -SRC_URI[sha256sum] = "d3aef20cec0005c0fa6b4be40079885567473185b1a57b629b030e67942c7115" - -EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ - NO_ARLIB=1 \ - BINDIR=${base_bindir} \ - SBINDIR=${base_sbindir} \ - LIBDIR=${libdir} \ - USRLIBDIR=${libdir} \ - INCLUDEDIR=${includedir} \ - BUILDFOR=${SITEINFO_BITS}-bit \ - NO_GLIBC_KEYERR=1 \ - " - -do_install () { - install -d ${D}/${libdir}/pkgconfig - oe_runmake DESTDIR=${D} install -} - -do_install_ptest () { - cp -r ${S}/tests ${D}${PTEST_PATH}/ - sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh -} - - -RDEPENDS_${PN}-ptest += "lsb" -RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils" -RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/recipes-security/libmspack/libmspack_0.10.1.bb b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb index b46159f20..8c288beeb 100644 --- a/meta-security/recipes-security/libmspack/libmspack_0.10.1.bb +++ b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb @@ -6,11 +6,11 @@ DEPENDS = "" LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd" -SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.xz" - -SRC_URI[md5sum] = "d894d91eba4d2c6f76695fc9566d5387" -SRC_URI[sha256sum] = "850c57442b850bf1bc0fc4ea8880903ebf2bed063c3c80782ee4626fbcb0e67d" +SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc" +SRC_URI = "git://github.com/kyz/libmspack.git" inherit autotools -S = "${WORKDIR}/${BP}alpha" +S = "${WORKDIR}/git/${BPN}" + +inherit autotools diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb index dba1be574..37a79829f 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb @@ -17,6 +17,8 @@ inherit autotools-brokensep pkgconfig ptest PACKAGECONFIG ??= "" PACKAGECONFIG[python] = "--enable-python, --disable-python, python" +DISABLE_STATIC = "" + do_compile_ptest() { oe_runmake -C tests check-build } diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb index 06ba2b6df..ba269657f 100644 --- a/meta-security/recipes-security/ncrack/ncrack_0.7.bb +++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb @@ -4,9 +4,9 @@ HOMEPAGE = "https://nmap.org/ncrack" SECTION = "security" LICENSE = "GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=198fa93d4e80225839e595336f3b5ff0" +LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2" -SRCREV = "3a793a21820708466081825beda9fce857f36cb6" +SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426" SRC_URI = "git://github.com/nmap/ncrack.git" DEPENDS = "openssl zlib" diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb new file mode 100644 index 000000000..39873b850 --- /dev/null +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb @@ -0,0 +1,28 @@ +DESCRIPTION = "Security ptest packagegroup" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ + file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +inherit distro_features_check + +REQUIRED_DISTRO_FEATURES = "ptest" + +PACKAGES = "\ + ${PN} \ + " + +ALLOW_EMPTY_${PN} = "1" + +SUMMARY_${PN} = "Security packages with ptests" +RDEPENDS_${PN} = " \ + ptest-runner \ + samhain-standalone-ptest \ + keyutils-ptest \ + libseccomp-ptest \ + python3-scapy-ptest \ + suricata-ptest \ + tripwire-ptest \ + python-fail2ban-ptest \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ + " diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb index b8ab27df1..e0a9d0534 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb @@ -11,8 +11,6 @@ PACKAGES = "\ packagegroup-security-scanners \ packagegroup-security-ids \ packagegroup-security-mac \ - ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \ " RDEPENDS_packagegroup-core-security = "\ @@ -20,8 +18,6 @@ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-scanners \ packagegroup-security-ids \ packagegroup-security-mac \ - ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \ " SUMMARY_packagegroup-security-utils = "Security utilities" @@ -29,11 +25,11 @@ RDEPENDS_packagegroup-security-utils = "\ checksec \ nmap \ pinentry \ - python-scapy \ + python3-scapy \ ding-libs \ - xmlsec1 \ keyutils \ libseccomp \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ " @@ -42,6 +38,8 @@ RDEPENDS_packagegroup-security-scanners = "\ nikto \ checksecurity \ clamav \ + clamav-freshclam \ + clamav-cvd \ " SUMMARY_packagegroup-security-audit = "Security Audit tools " @@ -68,18 +66,3 @@ RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ " - -SUMMARY_packagegroup-security-ptest = "Security packages with ptests" -RDEPENDS_packagegroup-security-ptest = " \ - samhain-standalone-ptest \ - xmlsec1-ptest \ - keyutils-ptest \ - libseccomp-ptest \ - python-scapy-ptest \ - suricata-ptest \ - tripwire-ptest \ - python-fail2ban-ptest \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ - ptest-runner \ - " diff --git a/meta-security/recipes-security/scapy/files/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest index 91b29f907..797d8ecf7 100644 --- a/meta-security/recipes-security/scapy/files/run-ptest +++ b/meta-security/recipes-security/scapy/files/run-ptest @@ -1,4 +1,4 @@ #!/bin/sh -UTscapy -t regression.uts -f text -l -C \ +UTscapy3 -t regression.uts -f text -l -C \ -o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \ 2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/' diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb deleted file mode 100644 index 982620e0b..000000000 --- a/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb +++ /dev/null @@ -1,11 +0,0 @@ -inherit setuptools -require python-scapy.inc - -SRC_URI += "file://run-ptest" - -RDEPENDS_${PN} += "${PYTHON_PN}-subprocess" - -do_install_append() { - mv ${D}${bindir}/scapy ${D}${bindir}/scapy2 - mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy2 -} diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb deleted file mode 100644 index abcaeeb0b..000000000 --- a/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb +++ /dev/null @@ -1,9 +0,0 @@ -inherit setuptools3 -require python-scapy.inc - -SRC_URI += "file://run-ptest" - -do_install_append() { - mv ${D}${bindir}/scapy ${D}${bindir}/scapy3 - mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3 -} diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb index baa69b244..925f188cd 100644 --- a/meta-security/recipes-security/scapy/python-scapy.inc +++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb @@ -3,14 +3,22 @@ DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It i SECTION = "security" LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" S = "${WORKDIR}/git" -SRCREV = "bad14cb1a5aee29f8107fbe8ad008d4645f14da7" -SRC_URI = "git://github.com/secdev/scapy.git" +SRCREV = "3047580162a9407ef05fe981983cacfa698f1159" +SRC_URI = "git://github.com/secdev/scapy.git \ + file://run-ptest" -inherit ptest +S = "${WORKDIR}/git" + +inherit setuptools3 ptest + +do_install_append() { + mv ${D}${bindir}/scapy ${D}${bindir}/scapy3 + mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3 +} do_install_ptest() { install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch deleted file mode 100644 index 1cec47fca..000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch +++ /dev/null @@ -1,67 +0,0 @@ -From c1c980a95d85bcaf8802524d6148783522b300d7 Mon Sep 17 00:00:00 2001 -From: Yulong Pei <Yulong.pei@windriver.com> -Date: Wed, 21 Jul 2010 22:33:43 +0800 -Subject: [PATCH] change finding path of nss and nspr - -Upstream-Status: Pending - -Signed-off-by: Yulong Pei <Yulong.pei@windriver.com> -Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - configure.ac | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 951b3eb..1fdeb0f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -866,10 +866,10 @@ MOZILLA_MIN_VERSION="1.4" - NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss" - NSPR_PACKAGE=mozilla-nspr - NSS_PACKAGE=mozilla-nss --NSPR_INCLUDE_MARKER="nspr/nspr.h" -+NSPR_INCLUDE_MARKER="nspr.h" - NSPR_LIB_MARKER="libnspr4$shrext" - NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4" --NSS_INCLUDE_MARKER="nss/nss.h" -+NSS_INCLUDE_MARKER="nss3/nss.h" - NSS_LIB_MARKER="libnss3$shrext" - NSS_LIBS_LIST="-lnss3 -lsmime3" - -@@ -898,24 +898,24 @@ fi - dnl Priority 1: User specifies the path to installation - if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes" ; then - AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder) -- if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSPR_LIB_MARKER" ; then -- NSPR_INCLUDE_PATH="$with_nspr/include" -- NSPR_LIB_PATH="$with_nspr/lib" -+ if test -f "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/${libdir}/$NSPR_LIB_MARKER" ; then -+ NSPR_INCLUDE_PATH="$with_nspr/usr/include" -+ NSPR_LIB_PATH="$with_nspr/${libdir}" - NSPR_FOUND="yes" - AC_MSG_RESULT([yes]) - else -- AC_MSG_ERROR([not found: "$with_nspr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/lib/$NSPR_LIB_MARKER" files don't exist), typo?]) -+ AC_MSG_ERROR([not found: "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/${libdir}/$NSPR_LIB_MARKER" files don't exist), typo?]) - fi - fi - if test "z$NSS_FOUND" = "zno" -a "z$with_nss" != "z" -a "z$with_nss" != "zyes" ; then - AC_MSG_CHECKING(for nss library installation in "$with_nss" folder) -- if test -f "$with_nss/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/lib/$NSS_LIB_MARKER" ; then -- NSS_INCLUDE_PATH="$with_nss/include" -- NSS_LIB_PATH="$with_nss/lib" -+ if test -f "$with_nss/usr/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/${libdir}/$NSS_LIB_MARKER" ; then -+ NSS_INCLUDE_PATH="$with_nss/usr/include/nss3" -+ NSS_LIB_PATH="$with_nss/${libdir}" - NSS_FOUND="yes" - AC_MSG_RESULT([yes]) - else -- AC_MSG_ERROR([not found: "$with_nss/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/lib/$NSS_LIB_MARKER" files don't exist), typo?]) -+ AC_MSG_ERROR([not found: "$with_nss/usr/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/${libdir}/$NSS_LIB_MARKER" files don't exist), typo?]) - fi - fi - --- -2.7.4 - diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch deleted file mode 100644 index af598fe74..000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 847dc52f5a50e34ee4d6e3dc2c708711747a58ca Mon Sep 17 00:00:00 2001 -From: Yulong Pei <Yulong.pei@windriver.com> -Date: Thu, 21 Jan 2010 14:11:20 +0800 -Subject: [PATCH] force to use our own libtool - -Upstream-Status: Inappropriate [ OE specific ] - -Signed-off-by: Yulong Pei <Yulong.pei@windriver.com> - ---- - ltmain.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ltmain.sh b/ltmain.sh -index 147d758..a61f16b 100644 ---- a/ltmain.sh -+++ b/ltmain.sh -@@ -6969,7 +6969,7 @@ func_mode_link () - dir=$func_resolve_sysroot_result - # We need an absolute path. - case $dir in -- [\\/]* | [A-Za-z]:[\\/]*) ;; -+ =* | [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - absdir=`cd "$dir" && pwd` - test -z "$absdir" && \ diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch deleted file mode 100644 index d45356924..000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 83a1381e1d6bd1b5ec3df6f7c4bc1f4fe4f860b6 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Thu, 15 Jun 2017 14:44:01 +0800 -Subject: [PATCH] xmlsec1: add new recipe - -This enables the building of the examples directory -and it's installed as ptest. - -Upstream-Status: Inappropriate [ OE ptest specific ] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> - ---- - examples/Makefile | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/examples/Makefile b/examples/Makefile -index 89b1d61..c1cbcca 100644 ---- a/examples/Makefile -+++ b/examples/Makefile -@@ -8,9 +8,17 @@ PROGRAMS = \ - decrypt1 decrypt2 decrypt3 \ - xmldsigverify - -+ifndef CC - CC = gcc --CFLAGS += -g $(shell xmlsec1-config --cflags) -DUNIX_SOCKETS --LDLIBS += -g $(shell xmlsec1-config --libs) -+endif -+ -+CFLAGS += -I../include -g $(shell PKG_CONFIG_PATH=.. pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS -+LDLIBS += -L../src/.libs -g $(shell PKG_CONFIG_PATH=.. pkg-config --libs xmlsec1 ) -+ -+DESTDIR = /usr/share/xmlsec1 -+install-ptest: -+ if [ ! -d $(DESTDIR) ]; then mkdir -p $(DESTDIR); fi -+ cp * $(DESTDIR) - - all: $(PROGRAMS) - diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest b/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest deleted file mode 100755 index a203c38f2..000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest +++ /dev/null @@ -1,85 +0,0 @@ -#!/bin/sh - -check_return() { - if [ $? == 0 ]; then - echo -e "PASS: $1\n" - else - echo -e "FAIL: $1\n" - fi -} - -echo "---------------------------------------------------" -echo "Signing a template file..." -./sign1 sign1-tmpl.xml rsakey.pem > sign1-res.xml -./verify1 sign1-res.xml rsapub.pem -check_return sign-tmpl - -echo "---------------------------------------------------" -echo "Signing a dynamicaly created template..." -./sign2 sign2-doc.xml rsakey.pem > sign2-res.xml -./verify1 sign2-res.xml rsapub.pem -check_return sign-dynamic-templ - -echo "---------------------------------------------------" -echo "Signing with X509 certificate..." -./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml -./verify3 sign3-res.xml ca2cert.pem cacert.pem -check_return sign-x509 - -echo "---------------------------------------------------" -echo "Verifying a signature with a single key..." -./verify1 sign1-res.xml rsapub.pem -./verify1 sign2-res.xml rsapub.pem -check_return verify-single-key - -echo "---------------------------------------------------" -echo "Verifying a signature with keys manager..." -./verify2 sign1-res.xml rsapub.pem -./verify2 sign2-res.xml rsapub.pem -check_return verify-keys-manager - -echo "---------------------------------------------------" -echo "Verifying a signature with X509 certificates..." -./verify3 sign3-res.xml ca2cert.pem cacert.pem -check_return verify-x509 - -echo "---------------------------------------------------" -echo "Verifying a signature with additional restrictions..." -./verify4 verify4-res.xml ca2cert.pem cacert.pem -check_return verify-res - -echo "---------------------------------------------------" -echo "Encrypting data with a template file..." -./encrypt1 encrypt1-tmpl.xml deskey.bin > encrypt1-res.xml -./decrypt1 encrypt1-res.xml deskey.bin -check_return encrypt-tmpl - -echo "---------------------------------------------------" -echo "Encrypting data with a dynamicaly created template..." -./encrypt2 encrypt2-doc.xml deskey.bin > encrypt2-res.xml -./decrypt1 encrypt2-res.xml deskey.bin -check_return encrypt-dynamic-tmpl - -echo "---------------------------------------------------" -echo "Encrypting data with a session key..." -./encrypt3 encrypt3-doc.xml rsakey.pem > encrypt3-res.xml -./decrypt3 encrypt3-res.xml -check_return encrypt-session-key - -echo "---------------------------------------------------" -echo "Decrypting data with a single key..." -./decrypt1 encrypt1-res.xml deskey.bin -./decrypt1 encrypt2-res.xml deskey.bin -check_return encrypt-single-key - -echo "---------------------------------------------------" -echo "Decrypting data with keys manager..." -./decrypt2 encrypt1-res.xml deskey.bin -./decrypt2 encrypt2-res.xml deskey.bin -check_return encrypt-keys-manager - -echo "---------------------------------------------------" -echo "Writing a custom keys manager..." -./decrypt3 encrypt1-res.xml -./decrypt3 encrypt2-res.xml -check_return write-keys-manager diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch deleted file mode 100644 index 8b2533ed9..000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 0c38c6864e7ba8f53a657d87894f24374a6a4932 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Tue, 30 Dec 2014 11:18:17 +0800 -Subject: [PATCH] examples: allow build in separate dir - -Upstream-Status: Inappropriate [ OE specific ] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> - ---- - examples/Makefile | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/examples/Makefile b/examples/Makefile -index c1cbcca..3f1bd14 100644 ---- a/examples/Makefile -+++ b/examples/Makefile -@@ -12,8 +12,10 @@ ifndef CC - CC = gcc - endif - --CFLAGS += -I../include -g $(shell PKG_CONFIG_PATH=.. pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS --LDLIBS += -L../src/.libs -g $(shell PKG_CONFIG_PATH=.. pkg-config --libs xmlsec1 ) -+top_srcdir = .. -+top_builddir = .. -+CFLAGS += -I$(top_srcdir)/include -g $(shell PKG_CONFIG_PATH=$(top_srcdir) pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS -+LDLIBS += -L$(top_builddir)/src/.libs -g $(shell PKG_CONFIG_PATH=$(top_srcdir) pkg-config --libs xmlsec1 ) - - DESTDIR = /usr/share/xmlsec1 - install-ptest: diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb deleted file mode 100644 index eac8d6bd4..000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb +++ /dev/null @@ -1,64 +0,0 @@ -SUMMARY = "XML Security Library is a C library based on LibXML2" -DESCRIPTION = "\ - XML Security Library is a C library based on \ - LibXML2 and OpenSSL. The library was created with a goal to support major \ - XML security standards "XML Digital Signature" and "XML Encryption". \ - " -HOMEPAGE = "http://www.aleksey.com/xmlsec/" -DEPENDS = "libtool libxml2 libxslt zlib" - -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=352791d62092ea8104f085042de7f4d0" - -SECTION = "libs" - -SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \ - file://fix-ltmain.sh.patch \ - file://change-finding-path-of-nss.patch \ - file://makefile-ptest.patch \ - file://xmlsec1-examples-allow-build-in-separate-dir.patch \ - file://run-ptest \ - " - -SRC_URI[md5sum] = "508bee7e4f1b99f2d50aaa7d38ede56e" -SRC_URI[sha256sum] = "97d756bad8e92588e6997d2227797eaa900d05e34a426829b149f65d87118eb6" - -inherit autotools-brokensep ptest pkgconfig - -CFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3" -CPPFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3" - -PACKAGECONFIG ??= "gnutls libgcrypt nss openssl des" -PACKAGECONFIG[gnutls] = ",,gnutls" -PACKAGECONFIG[libgcrypt] = ",,libgcrypt" -PACKAGECONFIG[nss] = "--with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../..,,nss nspr" -PACKAGECONFIG[openssl] = ",,openssl" -PACKAGECONFIG[des] = ",--disable-des,," - -# these can be dynamically loaded with xmlSecCryptoDLLoadLibrary() -FILES_SOLIBSDEV = "${libdir}/libxmlsec1.so" -FILES_${PN} += "${libdir}/libxmlsec1-*.so" -INSANE_SKIP_${PN} = "dev-so" - -FILES_${PN}-dev += "${libdir}/xmlsec1Conf.sh" -FILES_${PN}-dbg += "${PTEST_PATH}/.debug/*" - -RDEPENDS_${PN}-ptest += "${PN}-dev" -INSANE_SKIP_${PN}-ptest += "dev-deps" - -PTEST_EXTRA_ARGS = "top_srcdir=${S} top_builddir=${B}" - -do_compile_ptest () { - oe_runmake -C ${S}/examples ${PTEST_EXTRA_ARGS} all -} - -do_install_append() { - for i in ${bindir}/xmlsec1-config ${libdir}/xmlsec1Conf.sh \ - ${libdir}/pkgconfig/xmlsec1-openssl.pc; do - sed -i -e "s@${RECIPE_SYSROOT}@@g" ${D}$i - done -} - -do_install_ptest () { - oe_runmake -C ${S}/examples DESTDIR=${D}${PTEST_PATH} ${PTEST_EXTRA_ARGS} install-ptest -} diff --git a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch deleted file mode 100644 index 8ab094fa7..000000000 --- a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/wscript 2015-11-18 12:43:33.000000000 +0100 -+++ b/wscript 2015-11-18 12:46:25.000000000 +0100 -@@ -58,9 +58,7 @@ - if conf.env.standalone_ldb: - conf.CHECK_XSLTPROC_MANPAGES() - -- # we need this for the ldap backend -- if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'): -- conf.env.ENABLE_LDAP_BACKEND = True -+ conf.env.ENABLE_LDAP_BACKEND = False - - # we don't want any libraries or modules to rely on runtime - # resolution of symbols diff --git a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch deleted file mode 100755 index fdd312c0a..000000000 --- a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch +++ /dev/null @@ -1,58 +0,0 @@ -Some modules such as dynamic library maybe cann't be imported while cross compile, -we just check whether does the module exist. - -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com> - -Index: ldb-1.1.26/buildtools/wafsamba/samba_bundled.py -=================================================================== ---- ldb-1.1.26.orig/buildtools/wafsamba/samba_bundled.py -+++ ldb-1.1.26/buildtools/wafsamba/samba_bundled.py -@@ -2,6 +2,7 @@ - - import sys - import Build, Options, Logs -+import imp, os - from Configure import conf - from samba_utils import TO_LIST - -@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li - # versions - minversion = minimum_library_version(conf, libname, minversion) - -- try: -- m = __import__(modulename) -- except ImportError: -- found = False -- else: -+ # Find module in PYTHONPATH -+ stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]]) -+ if stuff: - try: -- version = m.__version__ -- except AttributeError: -+ m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2]) -+ except ImportError: - found = False -+ -+ if conf.env.CROSS_COMPILE: -+ # Some modules such as dynamic library maybe cann't be imported -+ # while cross compile, we just check whether the module exist -+ Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1])) -+ found = True - else: -- found = tuplize_version(version) >= tuplize_version(minversion) -+ try: -+ version = m.__version__ -+ except AttributeError: -+ found = False -+ else: -+ found = tuplize_version(version) >= tuplize_version(minversion) -+ finally: -+ if stuff[0]: -+ stuff[0].close() -+ else: -+ found = False -+ - if not found and not conf.LIB_MAY_BE_BUNDLED(libname): - Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion)) - sys.exit(1) diff --git a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch deleted file mode 100644 index ffe253b63..000000000 --- a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch +++ /dev/null @@ -1,193 +0,0 @@ -From a4da3ab4d76013aaa731d43d52ccca1ebd37c395 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Wed, 21 Sep 2016 10:06:39 +0800 -Subject: [PATCH 1/1] ldb: Add configure options for packages - -Add configure options for the following packages: - - acl - - attr - - libaio - - libbsd - - libcap - - valgrind - -Upstream-Status: Inappropriate [oe deterministic build specific] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - lib/replace/system/wscript_configure | 6 ++- - lib/replace/wscript | 94 +++++++++++++++++++++++++++--------- - wscript | 7 +++ - 3 files changed, 83 insertions(+), 24 deletions(-) - -diff --git a/lib/replace/system/wscript_configure b/lib/replace/system/wscript_configure -index 2035474..10f9ae7 100644 ---- a/lib/replace/system/wscript_configure -+++ b/lib/replace/system/wscript_configure -@@ -1,6 +1,10 @@ - #!/usr/bin/env python - --conf.CHECK_HEADERS('sys/capability.h') -+import Options -+ -+if Options.options.enable_libcap: -+ conf.CHECK_HEADERS('sys/capability.h') -+ - conf.CHECK_FUNCS('getpwnam_r getpwuid_r getpwent_r') - - # solaris varients of getXXent_r -diff --git a/lib/replace/wscript b/lib/replace/wscript -index 2f94d49..68b2d3a 100644 ---- a/lib/replace/wscript -+++ b/lib/replace/wscript -@@ -23,6 +23,41 @@ def set_options(opt): - opt.PRIVATE_EXTENSION_DEFAULT('') - opt.RECURSE('buildtools/wafsamba') - -+ opt.add_option('--with-acl', -+ help=("Enable use of acl"), -+ action="store_true", dest='enable_acl') -+ opt.add_option('--without-acl', -+ help=("Disable use of acl"), -+ action="store_false", dest='enable_acl', default=False) -+ -+ opt.add_option('--with-attr', -+ help=("Enable use of attr"), -+ action="store_true", dest='enable_attr') -+ opt.add_option('--without-attr', -+ help=("Disable use of attr"), -+ action="store_false", dest='enable_attr', default=False) -+ -+ opt.add_option('--with-libaio', -+ help=("Enable use of libaio"), -+ action="store_true", dest='enable_libaio') -+ opt.add_option('--without-libaio', -+ help=("Disable use of libaio"), -+ action="store_false", dest='enable_libaio', default=False) -+ -+ opt.add_option('--with-libbsd', -+ help=("Enable use of libbsd"), -+ action="store_true", dest='enable_libbsd') -+ opt.add_option('--without-libbsd', -+ help=("Disable use of libbsd"), -+ action="store_false", dest='enable_libbsd', default=False) -+ -+ opt.add_option('--with-libcap', -+ help=("Enable use of libcap"), -+ action="store_true", dest='enable_libcap') -+ opt.add_option('--without-libcap', -+ help=("Disable use of libcap"), -+ action="store_false", dest='enable_libcap', default=False) -+ - @Utils.run_once - def configure(conf): - conf.RECURSE('buildtools/wafsamba') -@@ -32,12 +67,25 @@ def configure(conf): - conf.DEFINE('HAVE_LIBREPLACE', 1) - conf.DEFINE('LIBREPLACE_NETWORK_CHECKS', 1) - -- conf.CHECK_HEADERS('linux/types.h crypt.h locale.h acl/libacl.h compat.h') -- conf.CHECK_HEADERS('acl/libacl.h attr/xattr.h compat.h ctype.h dustat.h') -+ conf.CHECK_HEADERS('linux/types.h crypt.h locale.h compat.h') -+ conf.CHECK_HEADERS('compat.h ctype.h dustat.h') - conf.CHECK_HEADERS('fcntl.h fnmatch.h glob.h history.h krb5.h langinfo.h') -- conf.CHECK_HEADERS('libaio.h locale.h ndir.h pwd.h') -- conf.CHECK_HEADERS('shadow.h sys/acl.h') -- conf.CHECK_HEADERS('sys/attributes.h attr/attributes.h sys/capability.h sys/dir.h sys/epoll.h') -+ conf.CHECK_HEADERS('locale.h ndir.h pwd.h') -+ conf.CHECK_HEADERS('shadow.h') -+ conf.CHECK_HEADERS('sys/attributes.h sys/dir.h sys/epoll.h') -+ -+ if Options.options.enable_acl: -+ conf.CHECK_HEADERS('acl/libacl.h sys/acl.h') -+ -+ if Options.options.enable_attr: -+ conf.CHECK_HEADERS('attr/attributes.h attr/xattr.h') -+ -+ if Options.options.enable_libaio: -+ conf.CHECK_HEADERS('libaio.h') -+ -+ if Options.options.enable_libcap: -+ conf.CHECK_HEADERS('sys/capability.h') -+ - conf.CHECK_HEADERS('port.h') - conf.CHECK_HEADERS('sys/fcntl.h sys/filio.h sys/filsys.h sys/fs/s5param.h sys/fs/vx/quota.h') - conf.CHECK_HEADERS('sys/id.h sys/ioctl.h sys/ipc.h sys/mman.h sys/mode.h sys/ndir.h sys/priv.h') -@@ -73,7 +121,9 @@ def configure(conf): - - conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H') - -- conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') -+ if Options.options.enable_valgrind: -+ conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') -+ - conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h') - conf.CHECK_HEADERS('sys/extattr.h sys/ea.h sys/proplist.h sys/cdefs.h') - conf.CHECK_HEADERS('utmp.h utmpx.h lastlog.h') -@@ -266,22 +316,20 @@ def configure(conf): - - conf.CHECK_FUNCS('prctl dirname basename') - -- strlcpy_in_bsd = False -- -- # libbsd on some platforms provides strlcpy and strlcat -- if not conf.CHECK_FUNCS('strlcpy strlcat'): -- if conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h', -- checklibc=True): -- strlcpy_in_bsd = True -- if not conf.CHECK_FUNCS('getpeereid'): -- conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h') -- if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'): -- conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h') -- if not conf.CHECK_FUNCS('setproctitle_init'): -- conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h') -- -- if not conf.CHECK_FUNCS('closefrom'): -- conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h') -+ if Options.options.enable_libbsd: -+ # libbsd on some platforms provides strlcpy and strlcat -+ if not conf.CHECK_FUNCS('strlcpy strlcat'): -+ conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h', -+ checklibc=True) -+ if not conf.CHECK_FUNCS('getpeereid'): -+ conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h') -+ if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'): -+ conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h') -+ if not conf.CHECK_FUNCS('setproctitle_init'): -+ conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h') -+ -+ if not conf.CHECK_FUNCS('closefrom'): -+ conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h') - - conf.CHECK_CODE(''' - struct ucred cred; -@@ -632,7 +680,7 @@ removeea setea - # look for a method of finding the list of network interfaces - for method in ['HAVE_IFACE_GETIFADDRS', 'HAVE_IFACE_AIX', 'HAVE_IFACE_IFCONF', 'HAVE_IFACE_IFREQ']: - bsd_for_strlcpy = '' -- if strlcpy_in_bsd: -+ if Options.options.enable_libbsd: - bsd_for_strlcpy = ' bsd' - if conf.CHECK_CODE(''' - #define %s 1 -diff --git a/wscript b/wscript -index 8ae5be3..a178cc4 100644 ---- a/wscript -+++ b/wscript -@@ -31,6 +31,13 @@ def set_options(opt): - opt.RECURSE('lib/replace') - opt.tool_options('python') # options for disabling pyc or pyo compilation - -+ opt.add_option('--with-valgrind', -+ help=("enable use of valgrind"), -+ action="store_true", dest='enable_valgrind') -+ opt.add_option('--without-valgrind', -+ help=("disable use of valgrind"), -+ action="store_false", dest='enable_valgrind', default=False) -+ - def configure(conf): - conf.RECURSE('lib/tdb') - conf.RECURSE('lib/tevent') --- -2.16.2 - diff --git a/meta-security/recipes-support/libldb/libldb_1.3.1.bb b/meta-security/recipes-support/libldb/libldb_1.3.1.bb deleted file mode 100644 index c644b20b0..000000000 --- a/meta-security/recipes-support/libldb/libldb_1.3.1.bb +++ /dev/null @@ -1,64 +0,0 @@ -SUMMARY = "Hierarchical, reference counted memory pool system with destructors" -HOMEPAGE = "http://ldb.samba.org" -SECTION = "libs" -LICENSE = "LGPL-3.0+ & LGPL-2.1+ & GPL-3.0+" - -DEPENDS += "libtdb libtalloc libtevent popt" -RDEPENDS_pyldb += "python" - -SRC_URI = "http://samba.org/ftp/ldb/ldb-${PV}.tar.gz \ - file://do-not-import-target-module-while-cross-compile.patch \ - file://options-1.3.1.patch \ - " - -PACKAGECONFIG ??= "\ - ${@bb.utils.filter('DISTRO_FEATURES', 'acl', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} \ -" -PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl" -PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" -PACKAGECONFIG[ldap] = ",,openldap" -PACKAGECONFIG[libaio] = "--with-libaio,--without-libaio,libaio" -PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd" -PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap" -PACKAGECONFIG[valgrind] = "--with-valgrind,--without-valgrind,valgrind" - -SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'ldap', '', 'file://avoid-openldap-unless-wanted.patch', d)}" - -LIC_FILES_CHKSUM = "file://pyldb.h;endline=24;md5=dfbd238cecad76957f7f860fbe9adade \ - file://man/ldb.3.xml;beginline=261;endline=262;md5=137f9fd61040c1505d1aa1019663fd08 \ - file://tools/ldbdump.c;endline=19;md5=a7d4fc5d1f75676b49df491575a86a42" - -SRC_URI[md5sum] = "e5233f202bca27f6ce8474fb8ae65983" -SRC_URI[sha256sum] = "b19f2c9f55ae0f46aa5ebaea0bf1a47ec1ac135e1d78af0f6318cf50bf62cbd2" - -CROSS_METHOD="exec" -inherit waf-samba - -S = "${WORKDIR}/ldb-${PV}" - -EXTRA_OECONF += "--disable-rpath \ - --disable-rpath-install \ - --bundled-libraries=cmocka \ - --builtin-libraries=replace \ - --with-modulesdir=${libdir}/ldb/modules \ - --with-privatelibdir=${libdir}/ldb \ - --with-libiconv=${STAGING_DIR_HOST}${prefix}\ - " - -PACKAGES =+ "pyldb pyldb-dbg pyldb-dev" - -NOAUTOPACKAGEDEBUG = "1" - -FILES_${PN} += "${libdir}/ldb/*" -FILES_${PN}-dbg += "${bindir}/.debug/* \ - ${libdir}/.debug/* \ - ${libdir}/ldb/.debug/* \ - ${libdir}/ldb/modules/ldb/.debug/*" - -FILES_pyldb = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \ - ${libdir}/libpyldb-util.so.* \ - " -FILES_pyldb-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug \ - ${libdir}/.debug/libpyldb-util.so.*" -FILES_pyldb-dev = "${libdir}/libpyldb-util.so" |