diff options
Diffstat (limited to 'meta-security/recipes-core')
10 files changed, 261 insertions, 69 deletions
diff --git a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb index f9ea3762d..187aeaee2 100644 --- a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb +++ b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb @@ -1,26 +1,34 @@ DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper." -# We want a clean, minimal image. -IMAGE_FEATURES = "" +inherit core-image PACKAGE_INSTALL = " \ - initramfs-dm-verity \ base-files \ + base-passwd \ busybox \ - util-linux-mount \ - udev \ cryptsetup \ + initramfs-module-dmverity \ + initramfs-module-udev \ lvm2-udevrules \ + udev \ + util-linux-mount \ " +# We want a clean, minimal image. +IMAGE_FEATURES = "" +IMAGE_LINGUAS = "" + # Can we somehow inspect reverse dependencies to avoid these variables? -do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" +do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" -IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" +# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE +do_image[nostamp] = "1" -inherit core-image +IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" deploy_verity_hash() { - install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env + install -D -m 0644 \ + ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \ + ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env } -ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;" +IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;" diff --git a/meta-security/recipes-core/images/security-build-image.bb b/meta-security/recipes-core/images/security-build-image.bb new file mode 100644 index 000000000..a8757f980 --- /dev/null +++ b/meta-security/recipes-core/images/security-build-image.bb @@ -0,0 +1,19 @@ +DESCRIPTION = "A small image for building meta-security packages" + +IMAGE_FEATURES += "ssh-server-openssh" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-core-security \ + os-release" + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-build-image" + +IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-core/images/security-client-image.bb b/meta-security/recipes-core/images/security-client-image.bb new file mode 100644 index 000000000..f4ebc697c --- /dev/null +++ b/meta-security/recipes-core/images/security-client-image.bb @@ -0,0 +1,16 @@ +DESCRIPTION = "A Client side Security example" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + os-release \ + samhain-client \ + ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}" + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-client-image" diff --git a/meta-security/recipes-core/images/security-server-image.bb b/meta-security/recipes-core/images/security-server-image.bb new file mode 100644 index 000000000..4927e0ee5 --- /dev/null +++ b/meta-security/recipes-core/images/security-server-image.bb @@ -0,0 +1,19 @@ +DESCRIPTION = "A Serve side image for Security example " + +IMAGE_FEATURES += "ssh-server-openssh" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + samhain-server \ + os-release " + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-server-image" + +IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb new file mode 100644 index 000000000..54d89787f --- /dev/null +++ b/meta-security/recipes-core/images/security-test-image.bb @@ -0,0 +1,18 @@ +DESCRIPTION = "A small image for testing meta-security packages" + +require security-build-image.bb + +IMAGE_FEATURES += "ssh-server-openssh" + +TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" + +INSTALL_CLAMAV_CVD = "1" + +IMAGE_OVERHEAD_FACTOR = "1.0" +IMAGE_ROOTFS_EXTRA_SPACE = "1124288" + +# ptests need more memory than standard to avoid the OOM killer +# also lttng-tools needs /tmp that has at least 1G +QB_MEM = "-m 2048" + +PTEST_EXPECT_FAILURE = "1" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb deleted file mode 100644 index b61495655..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb +++ /dev/null @@ -1,13 +0,0 @@ -SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -SRC_URI = "file://init-dm-verity.sh" - -do_install() { - install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init - install -d ${D}/dev - mknod -m 622 ${D}/dev/console c 5 1 -} - -FILES_${PN} = "/init /dev/console" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh deleted file mode 100644 index 307d2c74b..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/sh - -PATH=/sbin:/bin:/usr/sbin:/usr/bin -RDEV="" -ROOT_DIR="/new_root" - -mkdir -p /proc -mkdir -p /sys -mkdir -p /run -mkdir -p /tmp -mount -t proc proc /proc -mount -t sysfs sysfs /sys -mount -t devtmpfs none /dev - -udevd --daemon -udevadm trigger --type=subsystems --action=add -udevadm trigger --type=devices --action=add -udevadm settle --timeout=10 - -for PARAM in $(cat /proc/cmdline); do - case $PARAM in - root=*) - RDEV=${PARAM#root=} - ;; - esac -done - -if ! [ -b $RDEV ]; then - echo "Missing root command line argument!" - exit 1 -fi - -case $RDEV in - UUID=*) - RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=}) - ;; -esac - -. /usr/share/dm-verity.env - -echo "Mounting $RDEV over dm-verity as the root filesystem" - -veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH -mkdir -p $ROOT_DIR -mount -o ro /dev/mapper/rootfs $ROOT_DIR -exec switch_root $ROOT_DIR /sbin/init diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity new file mode 100644 index 000000000..888052ccd --- /dev/null +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity @@ -0,0 +1,63 @@ +#!/bin/sh + +dmverity_enabled() { + return 0 +} + +dmverity_run() { + DATA_SIZE="__not_set__" + ROOT_HASH="__not_set__" + + . /usr/share/misc/dm-verity.env + + C=0 + delay=${bootparam_rootdelay:-1} + timeout=${bootparam_roottimeout:-5} + RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" + while [ ! -b "${RDEV}" ]; do + if [ $(( $C * $delay )) -gt $timeout ]; then + fatal "Root device resolution failed" + exit 1 + fi + + case "${bootparam_root}" in + ID=*) + RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})" + ;; + LABEL=*) + RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})" + ;; + PARTLABEL=*) + RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})" + ;; + PARTUUID=*) + RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" + ;; + PATH=*) + RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})" + ;; + UUID=*) + RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})" + ;; + *) + RDEV="${bootparam_root}" + esac + debug "Sleeping for $delay second(s) to wait root to settle..." + sleep $delay + C=$(( $C + 1 )) + + done + + veritysetup \ + --data-block-size=1024 \ + --hash-offset=${DATA_SIZE} \ + create rootfs \ + ${RDEV} \ + ${RDEV} \ + ${ROOT_HASH} + + mount \ + -o ro \ + /dev/mapper/rootfs \ + ${ROOTFS_DIR} || exit 2 +} diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend new file mode 100644 index 000000000..dad9c967c --- /dev/null +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend @@ -0,0 +1,16 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI_append = "\ + file://dmverity \ +" + +do_install_append() { + # dm-verity + install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity +} + +PACKAGES_append = " initramfs-module-dmverity" + +SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support" +RDEPENDS_initramfs-module-dmverity = "${PN}-base" +FILES_initramfs-module-dmverity = "/init.d/80-dmverity" diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb new file mode 100644 index 000000000..0a4452eea --- /dev/null +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -0,0 +1,92 @@ +DESCRIPTION = "Security packagegroup for Poky" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ + file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +inherit packagegroup + +PACKAGES = "\ + packagegroup-core-security \ + packagegroup-security-utils \ + packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ + packagegroup-security-ids \ + packagegroup-security-mac \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ + " + +RDEPENDS_packagegroup-core-security = "\ + packagegroup-security-utils \ + packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ + packagegroup-security-ids \ + packagegroup-security-mac \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ + " + +SUMMARY_packagegroup-security-utils = "Security utilities" +RDEPENDS_packagegroup-security-utils = "\ + checksec \ + ding-libs \ + ecryptfs-utils \ + fscryptctl \ + keyutils \ + nmap \ + pinentry \ + python3-privacyidea \ + python3-fail2ban \ + python3-scapy \ + softhsm \ + libest \ + opendnssec \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \ + " + +SUMMARY_packagegroup-security-scanners = "Security scanners" +RDEPENDS_packagegroup-security-scanners = "\ + isic \ + nikto \ + checksecurity \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \ + " +RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd" + +SUMMARY_packagegroup-security-audit = "Security Audit tools " +RDEPENDS_packagegroup-security-audit = " \ + buck-security \ + redhat-security \ + " + +SUMMARY_packagegroup-security-hardening = "Security Hardening tools" +RDEPENDS_packagegroup-security-hardening = " \ + bastille \ + " + +SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" +RDEPENDS_packagegroup-security-ids = " \ + tripwire \ + samhain-standalone \ + ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \ + " + +SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" +RDEPENDS_packagegroup-security-mac = " \ + ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ + " + +RDEPENDS_packagegroup-meta-security-ptest-packages = "\ + ptest-runner \ + samhain-standalone-ptest \ + libseccomp-ptest \ + python3-scapy-ptest \ + suricata-ptest \ + tripwire-ptest \ + python3-fail2ban-ptest \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ +" |