authorBrad Bishop <bradleyb@fuzziesquirrel.com>2019-12-20 00:39:26 +0300
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2019-12-20 00:39:27 +0300
commit9a53395458785b43f205c5aa4a2730fa3d4057a3 (patch)
treea9ad3ec666d03f483dc00b046c2538479f8f69b0 /meta-security
parent3e1101ba9bfca4735cc4a0f8e4c28ad56b3acf9e (diff)
downloadopenbmc-9a53395458785b43f205c5aa4a2730fa3d4057a3.tar.xz
meta-security: subtree update:2df7dd9fba..3001c3ebfc
Armin Kuster (6): meta-security: add layer index callouts meta-security-compliance/conf/layer.conf: fix typo python3-suricata-update: update to 1.1.1 libhtp: bugfix only update 0.5.32 lib/oeqa/runtime: suricata add tests suricata: update to 4.1.6 Philip Tricca (1): tpm2-abrmd: Port command line options to new version. Trevor Woerner (1): tpm2-abrmd-init.sh: fix for /dev/tpmrmX Yi Zhao (1): libseccomp: upgrade 2.4.1 -> 2.4.2 Change-Id: Ic00ca8ac8ff5d3fbe0b79aa4a42243b197080f14 Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/lib/oeqa/runtime/cases/suricata.py63
-rw-r--r--meta-security/meta-integrity/conf/layer.conf2
-rw-r--r--meta-security/meta-security-compliance/conf/layer.conf2
-rw-r--r--meta-security/meta-tpm/conf/layer.conf1
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh2
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default2
-rw-r--r--meta-security/recipes-ids/suricata/libhtp_0.5.32.bb (renamed from meta-security/recipes-ids/suricata/libhtp_0.5.31.bb)0
-rw-r--r--meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb (renamed from meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb)4
-rw-r--r--meta-security/recipes-ids/suricata/suricata.inc6
-rw-r--r--meta-security/recipes-ids/suricata/suricata_4.1.6.bb (renamed from meta-security/recipes-ids/suricata/suricata_4.1.5.bb)1
-rw-r--r--meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch45
-rw-r--r--meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb (renamed from meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb)3
12 files changed, 115 insertions, 16 deletions
diff --git a/meta-security/lib/oeqa/runtime/cases/suricata.py b/meta-security/lib/oeqa/runtime/cases/suricata.py
index 17fc8c508..7f052ecd7 100644
--- a/meta-security/lib/oeqa/runtime/cases/suricata.py
+++ b/meta-security/lib/oeqa/runtime/cases/suricata.py
@@ -1,6 +1,7 @@
# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
#
import re
+from tempfile import mkstemp
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
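Review bot: The new setUpClass, tearDownClass and test_ping_openinfosecfoundation_org bodies (the second and third hunks of this file) call os.fdopen, os.linesep and os.remove, but this hunk only adds `from tempfile import mkstemp` and no `import os` is visible in the import block. Unless that import sits on one of the two unseen lines between this hunk and the next, setUpClass raises NameError before any test runs and the whole class errors out rather than failing a single test. Add `import os` ahead of `import re`.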
@@ -9,6 +10,22 @@ from oeqa.runtime.decorator.package import OEHasPackage
class SuricataTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tmp_fd, cls.tmp_path = mkstemp()
+ with os.fdopen(cls.tmp_fd, 'w') as f:
+ # use google public dns
+ f.write("nameserver 8.8.8.8")
+ f.write(os.linesep)
+ f.write("nameserver 8.8.4.4")
+ f.write(os.linesep)
+ f.write("nameserver 127.0.0.1")
+ f.write(os.linesep)
+
+ @classmethod
+ def tearDownClass(cls):
+ os.remove(cls.tmp_path)
+
@OEHasPackage(['suricata'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_suricata_help(self):
@@ -18,10 +35,42 @@ class SuricataTest(OERuntimeTestCase):
self.assertEqual(status, 1, msg = msg)
@OETestDepends(['suricata.SuricataTest.test_suricata_help'])
- def test_suricata_unittest(self):
- status, output = self.target.run('suricata -u')
- match = re.search('FAILED: 0 ', output)
- if not match:
- msg = ('suricata unittest had an unexpected failure. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 0, msg = msg)
+ def test_ping_openinfosecfoundation_org(self):
+ dst = '/etc/resolv.conf'
+ self.tc.target.run('rm -f %s' % dst)
+ (status, output) = self.tc.target.copyTo(self.tmp_path, dst)
+ msg = 'File could not be copied. Output: %s' % output
+ self.assertEqual(status, 0, msg=msg)
+
+ status, output = self.target.run('ping -c 1 openinfosecfoundation.org')
+ msg = ('ping openinfosecfoundation.org failed: output is:\n%s' % output)
+ self.assertEqual(status, 0, msg = msg)
+
+ @OEHasPackage(['python3-suricata-update'])
+ @OETestDepends(['suricata.SuricataTest.test_ping_openinfosecfoundation_org'])
+ def test_suricata_update(self):
+ status, output = self.tc.target.run('suricata-update')
+ msg = ('suricata-update had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update'])
+ def test_suricata_update_sources_list(self):
+ status, output = self.tc.target.run('suricata-update list-sources')
+ msg = ('suricata-update list-sources had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources_list'])
+ def test_suricata_update_sources(self):
+ status, output = self.tc.target.run('suricata-update update-sources')
+ msg = ('suricata-update update-sources had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources'])
+ def test_suricata_update_enable_source(self):
+ status, output = self.tc.target.run('suricata-update enable-source oisf/trafficid')
+ msg = ('suricata-update enable-source oisf/trafficid had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
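Review bot: test_ping_openinfosecfoundation_org deletes and replaces the target's /etc/resolv.conf but nothing restores it; tearDownClass (outside this hunk) only removes the host temp file, so every later test in the run keeps the hard-coded resolvers and the image's own DNS setup is lost. The return status of the `rm -f` is also discarded, so a failure there surfaces later as a confusing copy or ping error. Saving the original first, `self.tc.target.run('cp -f %s %s.oeqa-bak' % (dst, dst))`, and moving it back in tearDownClass would make the test self-contained. It would also help to note in the class docstring that the update tests need outbound network access to openinfosecfoundation.org and the rule sources, since in an isolated lab they fail rather than skip.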
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index 962424ccb..bfc9c6ff1 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -24,3 +24,5 @@ OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
LAYERSERIES_COMPAT_integrity = "zeus"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
+
+BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 0e93bd0e8..8572a1fce 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -11,3 +11,5 @@ BBFILE_PRIORITY_scanners-layer = "10"
LAYERSERIES_COMPAT_scanners-layer = "zeus"
LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
+
+BBLAYERS_LAYERINDEX_NAME_scanners-layer = "meta-security-compliance"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 3af2d9517..175eba84e 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -14,3 +14,4 @@ LAYERDEPENDS_tpm-layer = " \
core \
openembedded-layer \
"
+BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
index c8dfb7de3..9bb7da972 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
@@ -27,7 +27,7 @@ case "${1}" in
start)
echo -n "Starting $DESC: "
- if [ ! -e /dev/tpm* ]
+ if [ ! -e /dev/tpm? ]
then
echo "device driver not loaded, skipping."
exit 0
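Review bot: `[ ! -e /dev/tpm? ]` still depends on glob expansion inside test; it fixes the /dev/tpmrm0 case from the commit title, but should a system ever expose more than one node matching the pattern (e.g. /dev/tpm0 and /dev/tpm1) the expression expands to `[ ! -e /dev/tpm0 /dev/tpm1 ]`, test reports "too many arguments", and the start/skip decision is driven by that error status rather than by device presence. Checking the first match is robust regardless of count: `set -- /dev/tpm?` followed by `if [ ! -e "$1" ]`. The enclosing case statement begins outside the hunk.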
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
index 987978a66..b4b3c2072 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
@@ -1 +1 @@
-DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transient-objects=20 --fail-on-loaded-trans"
+DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transients=20 --flush-all"
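Review bot: `--flush-all` is not a plain rename of `--fail-on-loaded-trans`: as far as I know the old flag made the daemon refuse to start when the TPM already held transient objects, whereas the new one flushes every loaded object and session at startup, silently discarding state that another TPM user may still hold. If that trade-off is intended it deserves a line in this file, e.g. `# --flush-all replaces --fail-on-loaded-trans: abrmd now clears pre-existing TPM state at start instead of refusing to run`; if it is not, the option should be dropped rather than substituted.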
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
index 8305f7010..8305f7010 100644
--- a/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
diff --git a/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb b/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
index 63f75e096..0070b5bcf 100644
--- a/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb
+++ b/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
@@ -5,8 +5,8 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-SRCREV = "dcd0f630e13463750efb1593ad3ccae1ae6c27d4"
-SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.0.x'"
+SRCREV = "9630630ffc493ca26299d174ee2066aa1405b2d4"
+SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.1.x'"
S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
index 1f4baffcc..3adbcf6d4 100644
--- a/meta-security/recipes-ids/suricata/suricata.inc
+++ b/meta-security/recipes-ids/suricata/suricata.inc
@@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/"
SECTION = "security Monitor/Admin"
LICENSE = "GPLv2"
-VER = "4.1.5"
+VER = "4.1.6"
SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-SRC_URI[md5sum] = "0dfd68f6f4314c5c2eed7128112eff3b"
-SRC_URI[sha256sum] = "cee5f6535cd7fe63fddceab62eb3bc66a63fc464466c88ec7a41b7a1331ac74b"
+SRC_URI[md5sum] = "da5de1e8053f05cbd295793210117d34"
+SRC_URI[sha256sum] = "8441ac89016106459ade2112fcde58b3f789e4beb2fd8bfa081ffb75eec75fe0"
diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb b/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
index b2700d63f..9b7122b9e 100644
--- a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
@@ -10,7 +10,6 @@ SRC_URI += " \
file://suricata.yaml \
file://suricata.service \
file://run-ptest \
- file://0001-af-packet-fix-build-on-recent-Linux-kernels.patch \
"
inherit autotools-brokensep pkgconfig python3-dir systemd ptest
diff --git a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
new file mode 100644
index 000000000..a53433fe5
--- /dev/null
+++ b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
@@ -0,0 +1,45 @@
+From 1ecdddb2a5b61cf527d1f238f88a9d129239f87a Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 5 Nov 2019 15:11:11 -0500
+Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
+
+We recently changed how libseccomp handles syscall numbers that are
+not defined natively, but we missed test #15.
+
+Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+
+Upstream-Status: Backport
+[https://github.com/seccomp/libseccomp/commit/1ecdddb2a5b61cf527d1f238f88a9d129239f87a]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ tests/15-basic-resolver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
+index 6badef1..0c1eefe 100644
+--- a/tests/15-basic-resolver.c
++++ b/tests/15-basic-resolver.c
+@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
+ unsigned int arch;
+ char *name = NULL;
+
+- if (seccomp_syscall_resolve_name("open") != __NR_open)
++ if (seccomp_syscall_resolve_name("open") != __SNR_open)
+ goto fail;
+- if (seccomp_syscall_resolve_name("read") != __NR_read)
++ if (seccomp_syscall_resolve_name("read") != __SNR_read)
+ goto fail;
+ if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
+ goto fail;
+
+ rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
+- if (rc != __NR_openat)
++ if (rc != __SNR_openat)
+ goto fail;
+
+ while ((arch = arch_list[iter++]) != -1) {
+--
+2.17.1
+
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
index 37a79829f..07db82a60 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
@@ -4,9 +4,10 @@ SECTION = "security"
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "fb43972ea1aab24f2a70193fb7445c2674f594e3"
+SRCREV = "1b6cfd1fc0b7499a28c24299a93a80bd18619563"
SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
+ file://0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch \
file://run-ptest \
"