summaryrefslogtreecommitdiff
path: root/meta-security/recipes-core
diff options
context:
space:
mode:
Diffstat (limited to 'meta-security/recipes-core')
-rw-r--r--meta-security/recipes-core/images/security-test-image.bb31
-rw-r--r--meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity64
-rw-r--r--meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb28
-rw-r--r--meta-security/recipes-core/packagegroup/packagegroup-core-security.bb17
4 files changed, 62 insertions, 78 deletions
diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb
index c71d7267d..54d89787f 100644
--- a/meta-security/recipes-core/images/security-test-image.bb
+++ b/meta-security/recipes-core/images/security-test-image.bb
@@ -1,33 +1,18 @@
DESCRIPTION = "A small image for testing meta-security packages"
+require security-build-image.bb
+
IMAGE_FEATURES += "ssh-server-openssh"
TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
INSTALL_CLAMAV_CVD = "1"
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- packagegroup-core-security-ptest \
- clamav \
- tripwire \
- checksec \
- suricata \
- samhain-standalone \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
- os-release \
- "
-
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
+IMAGE_OVERHEAD_FACTOR = "1.0"
+IMAGE_ROOTFS_EXTRA_SPACE = "1124288"
-export IMAGE_BASENAME = "security-test-image"
+# ptests need more memory than standard to avoid the OOM killer
+# also lttng-tools needs /tmp that has at least 1G
+QB_MEM = "-m 2048"
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
+PTEST_EXPECT_FAILURE = "1"
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
index bb07aab58..888052ccd 100644
--- a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -10,33 +10,43 @@ dmverity_run() {
. /usr/share/misc/dm-verity.env
- case "${bootparam_root}" in
- ID=*)
- RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
- ;;
- LABEL=*)
- RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
- ;;
- PARTLABEL=*)
- RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
- ;;
- PARTUUID=*)
- RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
- ;;
- PATH=*)
- RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
- ;;
- UUID=*)
- RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
- ;;
- *)
- RDEV="${bootparam_root}"
- esac
-
- if ! [ -b "${RDEV}" ]; then
- echo "Root device resolution failed"
- exit 1
- fi
+ C=0
+ delay=${bootparam_rootdelay:-1}
+ timeout=${bootparam_roottimeout:-5}
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ while [ ! -b "${RDEV}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device resolution failed"
+ exit 1
+ fi
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+ debug "Sleeping for $delay second(s) to wait root to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+
+ done
veritysetup \
--data-block-size=1024 \
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
deleted file mode 100644
index cf34ded19..000000000
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-DESCRIPTION = "Security ptest packagegroup"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
- file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-inherit features_check
-
-REQUIRED_DISTRO_FEATURES = "ptest"
-
-PACKAGES = "\
- ${PN} \
- "
-
-ALLOW_EMPTY_${PN} = "1"
-
-SUMMARY_${PN} = "Security packages with ptests"
-RDEPENDS_${PN} = " \
- ptest-runner \
- samhain-standalone-ptest \
- keyutils-ptest \
- libseccomp-ptest \
- python3-scapy-ptest \
- suricata-ptest \
- tripwire-ptest \
- python3-fail2ban-ptest \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
- "
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 1d0180052..0a4452eea 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -13,6 +13,7 @@ PACKAGES = "\
packagegroup-security-hardening \
packagegroup-security-ids \
packagegroup-security-mac \
+ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
"
RDEPENDS_packagegroup-core-security = "\
@@ -22,6 +23,7 @@ RDEPENDS_packagegroup-core-security = "\
packagegroup-security-hardening \
packagegroup-security-ids \
packagegroup-security-mac \
+ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
"
SUMMARY_packagegroup-security-utils = "Security utilities"
@@ -36,6 +38,9 @@ RDEPENDS_packagegroup-security-utils = "\
python3-privacyidea \
python3-fail2ban \
python3-scapy \
+ softhsm \
+ libest \
+ opendnssec \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
@@ -48,6 +53,7 @@ RDEPENDS_packagegroup-security-scanners = "\
checksecurity \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
"
+RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd"
SUMMARY_packagegroup-security-audit = "Security Audit tools "
RDEPENDS_packagegroup-security-audit = " \
@@ -73,3 +79,14 @@ RDEPENDS_packagegroup-security-mac = " \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"
+
+RDEPENDS_packagegroup-meta-security-ptest-packages = "\
+ ptest-runner \
+ samhain-standalone-ptest \
+ libseccomp-ptest \
+ python3-scapy-ptest \
+ suricata-ptest \
+ tripwire-ptest \
+ python3-fail2ban-ptest \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+"
generated by cgit v1.2.3 (git 2.39.0) at 2024-06-30 07:28:39 +0300