Diffstat (limited to 'meta-security/recipes-core')
4 files changed, 62 insertions, 78 deletions
diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb index c71d7267d..54d89787f 100644 --- a/meta-security/recipes-core/images/security-test-image.bb +++ b/meta-security/recipes-core/images/security-test-image.bb @@ -1,33 +1,18 @@ DESCRIPTION = "A small image for testing meta-security packages" +require security-build-image.bb + IMAGE_FEATURES += "ssh-server-openssh" TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" INSTALL_CLAMAV_CVD = "1" -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - packagegroup-core-security-ptest \ - clamav \ - tripwire \ - checksec \ - suricata \ - samhain-standalone \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \ - os-release \ - " - - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image +IMAGE_OVERHEAD_FACTOR = "1.0" +IMAGE_ROOTFS_EXTRA_SPACE = "1124288" -export IMAGE_BASENAME = "security-test-image" +# ptests need more memory than standard to avoid the OOM killer +# also lttng-tools needs /tmp that has at least 1G +QB_MEM = "-m 2048" -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" +PTEST_EXPECT_FAILURE = "1" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity index bb07aab58..888052ccd 100644 --- a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity 
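Review bot: `PTEST_EXPECT_FAILURE = "1"` is added at the end of the hunk with no comment, while the `QB_MEM` lines just above it explain their reason; a reader cannot tell which ptests are expected to fail or why the image should not fail the run on them. Suggest a comment such as `# some ptests on this image are known to fail; report ptest failures as warnings instead of failing the testimage run` (adjusted to the real reason), assuming that is what the variable does for the oeqa ptest case. The rootfs sizing change (`IMAGE_OVERHEAD_FACTOR = "1.0"`, `IMAGE_ROOTFS_EXTRA_SPACE = "1124288"` replacing `"5242880"`) is likewise unexplained; 1124288 is an odd figure (1048576 KiB would be exactly 1 GiB), so if it is meant to cover the 1G `/tmp` mentioned in the `QB_MEM` comment, saying so would help. Note also that `packagegroup-core-security-ptest` is dropped from the image here but `TEST_SUITES` still lists `ptest`; that presumably relies on `security-build-image.bb` pulling in the new ptest packagegroup through `packagegroup-core-security`, which is not visible in this hunk.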
@@ -10,33 +10,43 @@ dmverity_run() { . /usr/share/misc/dm-verity.env - case "${bootparam_root}" in - ID=*) - RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})" - ;; - LABEL=*) - RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})" - ;; - PARTLABEL=*) - RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})" - ;; - PARTUUID=*) - RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" - ;; - PATH=*) - RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})" - ;; - UUID=*) - RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})" - ;; - *) - RDEV="${bootparam_root}" - esac - - if ! [ -b "${RDEV}" ]; then - echo "Root device resolution failed" - exit 1 - fi + C=0 + delay=${bootparam_rootdelay:-1} + timeout=${bootparam_roottimeout:-5} + RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" + while [ ! -b "${RDEV}" ]; do + if [ $(( $C * $delay )) -gt $timeout ]; then + fatal "Root device resolution failed" + exit 1 + fi + + case "${bootparam_root}" in + ID=*) + RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})" + ;; + LABEL=*) + RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})" + ;; + PARTLABEL=*) + RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})" + ;; + PARTUUID=*) + RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" + ;; + PATH=*) + RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})" + ;; + UUID=*) + RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})" + ;; + *) + RDEV="${bootparam_root}" + esac + debug "Sleeping for $delay second(s) to wait root to settle..." + sleep $delay + C=$(( $C + 1 )) + + done veritysetup \ --data-block-size=1024 \ diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb deleted file mode 100644 index cf34ded19..000000000 
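Review bot: The seed assignment `RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"` before the `while` loop hard-codes the PARTUUID form, so for any other `root=` spelling (ID=, LABEL=, a plain device path, …) the first probe looks under `/dev/disk/by-partuuid/` with the wrong name, `realpath` reports an error, and the loop always performs one `sleep $delay` before the `case` resolution is even tried, even when the device is already present. Moving the `case` into a small helper and calling it both before the loop and at the end of each iteration removes the duplication and the spurious delay (sketch below; the helper could also live at file scope next to `dmverity_run`). Separately, the `exit 1` after `fatal "Root device resolution failed"` is only reachable if `fatal` returns; in initramfs-framework it normally drops to a shell or loops, so the line is probably dead and worth a comment either way. The timeout test `-gt $timeout` also lets the loop wait for `timeout + delay` seconds rather than `timeout`; `-ge` would match the variable's name. `dmverity_run` begins at the hunk header and its `veritysetup` call continues past the end of the hunk.
```shell
    # Map the root= spelling to a device node; prints nothing if it cannot be resolved yet.
    resolve_root() {
        case "${bootparam_root}" in
            ID=*)
                realpath /dev/disk/by-id/${bootparam_root#ID=}
                ;;
            LABEL=*)
                realpath /dev/disk/by-label/${bootparam_root#LABEL=}
                ;;
            # … unchanged: PARTLABEL=, PARTUUID=, PATH=, UUID= arms, each printing its realpath …
            *)
                echo "${bootparam_root}"
        esac
    }

    C=0
    delay=${bootparam_rootdelay:-1}
    timeout=${bootparam_roottimeout:-5}
    RDEV="$(resolve_root)"
    while [ ! -b "${RDEV}" ]; do
        if [ $(( $C * $delay )) -ge $timeout ]; then
            fatal "Root device resolution failed"
            exit 1
        fi
        debug "Sleeping for $delay second(s) to wait root to settle..."
        sleep $delay
        C=$(( $C + 1 ))
        RDEV="$(resolve_root)"
    done
    # … unchanged: veritysetup invocation …
```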
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb +++ /dev/null @@ -1,28 +0,0 @@ -DESCRIPTION = "Security ptest packagegroup" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ - file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -inherit features_check - -REQUIRED_DISTRO_FEATURES = "ptest" - -PACKAGES = "\ - ${PN} \ - " - -ALLOW_EMPTY_${PN} = "1" - -SUMMARY_${PN} = "Security packages with ptests" -RDEPENDS_${PN} = " \ - ptest-runner \ - samhain-standalone-ptest \ - keyutils-ptest \ - libseccomp-ptest \ - python3-scapy-ptest \ - suricata-ptest \ - tripwire-ptest \ - python3-fail2ban-ptest \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ - " diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index 1d0180052..0a4452eea 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -13,6 +13,7 @@ PACKAGES = "\ packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ " RDEPENDS_packagegroup-core-security = "\ @@ -22,6 +23,7 @@ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ " SUMMARY_packagegroup-security-utils = "Security utilities" 
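Review bot: The expression `${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)}` is written out verbatim twice, once in `PACKAGES` here and again in `RDEPENDS_packagegroup-core-security` in the next hunk (@@ -22,6 +23,7), so a rename or a change of condition has to be kept in sync by hand. A single variable, e.g. `SECURITY_PTEST_PKG = "${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)}"`, referenced as `${SECURITY_PTEST_PKG} \` in both lists, would keep the two in step. The deleted `packagegroup-core-security-ptest.bb` enforced the feature with `REQUIRED_DISTRO_FEATURES = "ptest"` via features_check; the conditional here yields an empty entry instead, which appears to be the intent, so a short comment saying so would stop someone re-adding the check.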
@@ -36,6 +38,9 @@ RDEPENDS_packagegroup-security-utils = "\ python3-privacyidea \ python3-fail2ban \ python3-scapy \ + softhsm \ + libest \ + opendnssec \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \ @@ -48,6 +53,7 @@ RDEPENDS_packagegroup-security-scanners = "\ checksecurity \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \ " +RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd" SUMMARY_packagegroup-security-audit = "Security Audit tools " RDEPENDS_packagegroup-security-audit = " \ @@ -73,3 +79,14 @@ RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ " + +RDEPENDS_packagegroup-meta-security-ptest-packages = "\ + ptest-runner \ + samhain-standalone-ptest \ + libseccomp-ptest \ + python3-scapy-ptest \ + suricata-ptest \ + tripwire-ptest \ + python3-fail2ban-ptest \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ +" |
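Review bot: `RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd"` gives no reason for dropping clamav on musl, and `_remove` is the one operator a downstream bbappend cannot undo, so the intent should be recorded next to it: `# clamav is removed on musl: <reason, e.g. build or runtime limitation>`. The `security-test-image.bb` hunk in this commit keeps `clamav` in `TEST_SUITES` and `INSTALL_CLAMAV_CVD = "1"` unconditionally, so on a musl build the clamav suite presumably runs against an image that no longer contains it; the test case may skip when the package is absent, but that is not visible here.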
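Review bot: The new `RDEPENDS_packagegroup-meta-security-ptest-packages` list does not carry over everything from the deleted `packagegroup-core-security-ptest.bb`: `keyutils-ptest` and the apparmor-conditional `${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \` are gone while every other entry is kept, and nothing on this page explains why. If the drop is deliberate, a comment naming the reason (e.g. a known failing ptest) would stop someone re-adding them; otherwise the two lines should be restored. The other packagegroups in this file each have a `SUMMARY_` line, so `SUMMARY_packagegroup-meta-security-ptest-packages = "Security packages with ptests"` (the wording from the deleted recipe) would keep the new one consistent.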