diff options
Diffstat (limited to 'meta-security/recipes-security')
22 files changed, 718 insertions, 197 deletions
diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb index e9accb56f..0290cae2e 100644 --- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb @@ -9,8 +9,6 @@ DEPENDS = "virtual/kernel" RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils" FILES_${PN} += "/run/lock/subsys/bastille" -inherit module-base - SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \ file://AccountPermission.pm \ file://FileContent.pm \ diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb index d8cd06f8d..4a99b5af4 100644 --- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb +++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb @@ -16,6 +16,7 @@ SRC_URI = "\ file://ecryptfs-utils-CVE-2016-6224.patch \ file://0001-avoid-race-condition.patch \ file://ecryptfs.service \ + file://define_musl_sword_type.patch \ " SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd" diff --git a/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch new file mode 100644 index 000000000..3b29be038 --- /dev/null +++ b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch @@ -0,0 +1,15 @@ +Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c +=================================================================== +--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c ++++ ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c +@@ -45,6 +45,10 @@ + #include <values.h> + #include "../include/ecryptfs.h" + ++#ifndef __SWORD_TYPE ++typedef __typeof__( ((struct statfs *)0)->f_type ) __SWORD_TYPE; ++#endif ++ + /* Perhaps a future version of this program will allow these to be configurable + * by the system administrator (or user?) at run time. For now, these are set + * to reasonable values to reduce the burden of input validation. diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-security/images/security-build-image.bb deleted file mode 100644 index a8757f980..000000000 --- a/meta-security/recipes-security/images/security-build-image.bb +++ /dev/null @@ -1,19 +0,0 @@ -DESCRIPTION = "A small image for building meta-security packages" - -IMAGE_FEATURES += "ssh-server-openssh" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - packagegroup-core-security \ - os-release" - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-build-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-security/images/security-client-image.bb deleted file mode 100644 index f4ebc697c..000000000 --- a/meta-security/recipes-security/images/security-client-image.bb +++ /dev/null @@ -1,16 +0,0 @@ -DESCRIPTION = "A Client side Security example" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - os-release \ - samhain-client \ - ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}" - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-client-image" diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-security/images/security-server-image.bb deleted file mode 100644 index 4927e0ee5..000000000 --- a/meta-security/recipes-security/images/security-server-image.bb +++ /dev/null @@ -1,19 +0,0 @@ -DESCRIPTION = "A Serve side image for Security example " - -IMAGE_FEATURES += "ssh-server-openssh" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - samhain-server \ - os-release " - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-server-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-security/images/security-test-image.bb deleted file mode 100644 index c71d7267d..000000000 --- a/meta-security/recipes-security/images/security-test-image.bb +++ /dev/null @@ -1,33 +0,0 @@ -DESCRIPTION = "A small image for testing meta-security packages" - -IMAGE_FEATURES += "ssh-server-openssh" - -TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" - -INSTALL_CLAMAV_CVD = "1" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - packagegroup-core-security-ptest \ - clamav \ - tripwire \ - checksec \ - suricata \ - samhain-standalone \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \ - os-release \ - " - - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-test-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb new file mode 100644 index 000000000..f993bd65e --- /dev/null +++ b/meta-security/recipes-security/libest/libest_3.2.0.bb @@ -0,0 +1,27 @@ +SUMMARY = "EST is used for secure certificate \ +enrollment and is compatible with Suite B certs (as well as RSA \ +and DSA certificates)" + +LICENSE = "OpenSSL" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885" + +SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b" +SRC_URI = "git://github.com/cisco/libest" + +DEPENDS = "openssl" + +#fatal error: execinfo.h: No such file or directory +DEPENDS_append_libc-musl = " libexecinfo" + +inherit autotools-brokensep + +EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}" + +CFLAGS += "-fcommon" +LDFLAGS_append_libc-musl = " -lexecinfo" + +S = "${WORKDIR}/git" + +PACKAGES = "${PN} ${PN}-dbg ${PN}-dev" + +FILES_${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so" diff --git a/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch new file mode 100644 index 000000000..7d17a038a --- /dev/null +++ b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch @@ -0,0 +1,49 @@ +Backport patch to fix cross compile error for mips: + +| syscalls.h:44:6: error: expected identifier or '(' before numeric constant +| 44 | int mips; +| | ^~~~ + +Upstream-Status: Submitted [https://github.com/seccomp/libseccomp/pull/279/commits/04c519e5] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 04c519e5b1de53592e98307813e5c6db7418f91b Mon Sep 17 00:00:00 2001 +From: Paul Moore <paul@paul-moore.com> +Date: Sun, 2 Aug 2020 09:57:39 -0400 +Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS + targets + +It turns out that the MIPS GCC compiler defines a "mips" cpp macro +which was resulting in build failures on MIPS so we need to +undefine the "mips" macro during build. As this should be safe +to do in all architectures, just add it to the compiler flags by +default. + +This was reported in the following GH issue: +* https://github.com/seccomp/libseccomp/issues/274 + +Reported-by: Rongwei Zhang <pudh4418@gmail.com> +Suggested-by: Rongwei Zhang <pudh4418@gmail.com> +Signed-off-by: Paul Moore <paul@paul-moore.com> +--- + configure.ac | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 40d9dcbb..3e877348 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) + + dnl #### + dnl build flags ++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it ++dnl for us which wreaks havoc on the build + dnl #### + AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include" +-AM_CFLAGS="-Wall" ++AM_CFLAGS="-Wall -Umips" + AM_LDFLAGS="-Wl,-z -Wl,relro" + AC_SUBST([AM_CPPFLAGS]) + AC_SUBST([AM_CFLAGS]) diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb index 9ca41e650..0cf2d70b8 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb @@ -4,18 +4,23 @@ SECTION = "security" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" -SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427" +DEPENDS += "gperf-native" -SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \ +SRCREV = "f13f58efc690493fe7aa69f54cb52a118f3769c1" + +SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \ file://run-ptest \ + file://fix-mips-build-failure.patch \ " +COMPATIBLE_HOST_riscv32 = "null" + S = "${WORKDIR}/git" inherit autotools-brokensep pkgconfig ptest PACKAGECONFIG ??= "" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python" +PACKAGECONFIG[python] = "--enable-python, --disable-python, python3" DISABLE_STATIC = "" @@ -40,4 +45,4 @@ do_install_ptest() { FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*" FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug" -RDEPENDS_${PN}-ptest = "bash" +RDEPENDS_${PN}-ptest = "coreutils bash" diff --git a/meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb b/meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb new file mode 100644 index 000000000..eb6b7eb33 --- /dev/null +++ b/meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb @@ -0,0 +1,40 @@ +SUMMARY = "identity, multifactor authentication (OTP), authorization, audit" +DESCRIPTION = "privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications." + +HOMEPAGE = "http://www.privacyidea.org/" +LICENSE = "AGPL-3.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55" + +PYPI_PACKAGE = "privacyIDEA" +SRC_URI[sha256sum] = "55fbdd0fdc8957f7fc5b8900453fd9dc294860bae218e53e7fe394d93f982518" + +inherit pypi setuptools3 + +do_install_append () { + #install ${D}/var/log/privacyidea + + rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests +} + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "--system privacyidea" +USERADD_PARAM_${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \ + --shell /bin/false privacyidea" + +FILES_${PN} += " ${datadir}/etc/privacyidea/* ${datadir}/lib/privacyidea/*" + +RDEPENDS_${PN} += " bash perl freeradius-mysql freeradius-utils" + +RDEPENDS_${PN} += "python3 python3-alembic python3-babel python3-backports-functools-lru-cache python3-bcrypt" +RDEPENDS_${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet" +RDEPENDS_${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml" +RDEPENDS_${PN} += "python3-ecdsa python3-flask python3-flask-babel python3-flask-migrate" +RDEPENDS_${PN} += "python3-flask-script python3-flask-sqlalchemy python3-flask-versioned" +RDEPENDS_${PN} += "python3-future python3-httplib2 python3-huey python3-idna python3-ipaddress" +RDEPENDS_${PN} += "python3-itsdangerous python3-jinja2 python3-ldap python3-lxml python3-mako" +RDEPENDS_${PN} += "python3-markupsafe python3-netaddr python3-oauth2client python3-passlib python3-pillow" +RDEPENDS_${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql" +RDEPENDS_${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg" +RDEPENDS_${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa" +RDEPENDS_${PN} += "python3-six python3-smpplib python3-soupsieve python3-soupsieve " +RDEPENDS_${PN} += "python3-sqlalchemy python3-sqlsoup python3-urllib3 python3-werkzeug" diff --git a/meta-security/recipes-security/opendnssec/files/fix_fprint.patch b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch new file mode 100644 index 000000000..da0bcfe74 --- /dev/null +++ b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch @@ -0,0 +1,25 @@ +format not a string literal and no format arguments + +missing module_str in call + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +../../../git/enforcer/src/keystate/keystate_ds.c:192:7: error: format not a string literal and no format arguments [-Werror=format-security] +| 192 | ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds); +| | ^~~~~~~~~~~~~~~~~~~~~~~~ + + +Index: git/enforcer/src/keystate/keystate_ds.c +=================================================================== +--- git.orig/enforcer/src/keystate/keystate_ds.c ++++ git/enforcer/src/keystate/keystate_ds.c +@@ -189,7 +189,7 @@ exec_dnskey_by_id(int sockfd, struct dbw + status = 0; + } + else { +- ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds); ++ ods_log_error_and_printf(sockfd, module_str, "Failed to run %s", cp_ds); + status = 7; + } + } diff --git a/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch new file mode 100644 index 000000000..126e197f3 --- /dev/null +++ b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch @@ -0,0 +1,217 @@ +Configure does not work with OE pkg-config for the ldns option + +Upstream-Status: OE specific + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: opendnssec-2.1.6/m4/acx_ldns.m4 +=================================================================== +--- opendnssec-2.1.6.orig/m4/acx_ldns.m4 ++++ opendnssec-2.1.6/m4/acx_ldns.m4 +@@ -1,128 +1,65 @@ +-AC_DEFUN([ACX_LDNS],[ +- AC_ARG_WITH(ldns, +- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])], +- [ +- LDNS_PATH="$withval" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin) +- ],[ +- LDNS_PATH="/usr/local" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH) +- ]) +- +- if test -x "$LDNS_CONFIG" +- then +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="`$LDNS_CONFIG --libs`" +- AC_MSG_RESULT($LDNS_LIBS) +- else +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="-I$LDNS_PATH/include" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="-L$LDNS_PATH/lib -lldns" +- AC_MSG_RESULT($LDNS_LIBS) +- fi +- +- tmp_CPPFLAGS=$CPPFLAGS +- tmp_LIBS=$LIBS +- +- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES" +- LIBS="$LIBS $LDNS_LIBS" +- +- AC_CHECK_LIB(ldns, ldns_rr_new,,[AC_MSG_ERROR([Can't find ldns library])]) +- LIBS=$tmp_LIBS +- +- AC_MSG_CHECKING([for ldns version]) +- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3) +- AC_LANG_PUSH([C]) +- AC_RUN_IFELSE([ +- AC_LANG_SOURCE([[ +- #include <ldns/ldns.h> +- int main() +- { +- #ifdef LDNS_REVISION +- if (LDNS_REVISION >= $CHECK_LDNS_VERSION) +- return 0; +- #endif +- return 1; +- } +- ]]) +- ],[ +- AC_MSG_RESULT([>= $1.$2.$3]) +- ],[ +- AC_MSG_RESULT([< $1.$2.$3]) +- AC_MSG_ERROR([ldns library too old ($1.$2.$3 or later required)]) +- ],[]) +- AC_LANG_POP([C]) ++#serial 11 + +- CPPFLAGS=$tmp_CPPFLAGS +- +- AC_SUBST(LDNS_INCLUDES) +- AC_SUBST(LDNS_LIBS) +-]) +- +- +-AC_DEFUN([ACX_LDNS_NOT],[ +- AC_ARG_WITH(ldns, +- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])], +- [ +- LDNS_PATH="$withval" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin) +- ],[ +- LDNS_PATH="/usr/local" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH) +- ]) +- +- if test -x "$LDNS_CONFIG" +- then +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="`$LDNS_CONFIG --libs`" +- AC_MSG_RESULT($LDNS_LIBS) +- else +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="-I$LDNS_PATH/include" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="-L$LDNS_PATH/lib -lldns" +- AC_MSG_RESULT($LDNS_LIBS) +- fi +- +- tmp_CPPFLAGS=$CPPFLAGS +- +- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES" +- +- AC_MSG_CHECKING([for ldns version not $1.$2.$3]) +- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3) +- AC_LANG_PUSH([C]) +- AC_RUN_IFELSE([ +- AC_LANG_SOURCE([[ +- #include <ldns/ldns.h> +- int main() +- { +- #ifdef LDNS_REVISION +- if (LDNS_REVISION != $CHECK_LDNS_VERSION) +- return 0; +- #endif +- return 1; +- } +- ]]) +- ],[ +- AC_MSG_RESULT([ok]) +- ],[ +- AC_MSG_RESULT([no]) +- AC_MSG_ERROR([ldns version $1.$2.$3 is not compatible due to $4]) +- ],[]) +- AC_LANG_POP([C]) +- +- CPPFLAGS=$tmp_CPPFLAGS ++AU_ALIAS([CHECK_LDNS], [ACX_LDNS]) ++AC_DEFUN([ACX_LDNS], [ ++ found=false ++ AC_ARG_WITH([ldns], ++ [AS_HELP_STRING([--with-ldns=DIR], ++ [root of the lnds directory])], ++ [ ++ case "$withval" in ++ "" | y | ye | yes | n | no) ++ AC_MSG_ERROR([Invalid --with-lnds value]) ++ ;; ++ *) ldnsdirs="$withval" ++ ;; ++ esac ++ ], [ ++ # if pkg-config is installed and lnds has installed a .pc file, ++ # then use that information and don't search ldnsdirs ++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) ++ if test x"$PKG_CONFIG" != x""; then ++ OPENSSL_LDFLAGS=`$PKG_CONFIG ldns --libs-only-L 2>/dev/null` ++ if test $? = 0; then ++ LDNS_LIBS=`$PKG_CONFIG ldns --libs-only-l 2>/dev/null` ++ LDNS_INCLUDES=`$PKG_CONFIG ldns --cflags-only-I 2>/dev/null` ++ found=true ++ fi ++ fi ++ ++ # no such luck; use some default ldnsdirs ++ if ! $found; then ++ ldnsdirs="/usr/local/ldns /usr/lib/ldns /usr/ldns /usr/local /usr" ++ fi ++ ] ++ ) ++ ++ ++ if ! $found; then ++ LDNS_INCLUDES= ++ for ldnsdir in $ldnsdirs; do ++ AC_MSG_CHECKING([for LDNS in $ldnsdir]) ++ if test -f "$ldnsdir/include/ldns/dnssec.h"; then ++ LDNS_INCLUDES="-I$ldnsdir/include" ++ LDNS_LDFLAGS="-L$ldnsdir/lib" ++ LDNS_LIBS="-lldns" ++ found=true ++ AC_MSG_RESULT([yes]) ++ break ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ done ++ ++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe ++ # it will just work! ++ fi ++ ++ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" ++ LIBS="$LDNS_LIBS $LIBS" ++ CPPFLAGS="$LDNS_INCLUDES $CPPFLAGS" ++ ++ AC_SUBST([LDNS_INCLUDES]) ++ AC_SUBST([LDNS_LIBS]) ++ AC_SUBST([LDNS_LDFLAGS]) + ]) +Index: opendnssec-2.1.6/configure.ac +=================================================================== +--- opendnssec-2.1.6.orig/configure.ac ++++ opendnssec-2.1.6/configure.ac +@@ -138,9 +138,7 @@ AC_CHECK_MEMBER([struct sockaddr_un.sun_ + + # common dependencies + ACX_LIBXML2 +-ACX_LDNS(1,6,17) +-ACX_LDNS_NOT(1,6,14, [binary incompatibility, see http://open.nlnetlabs.nl/pipermail/ldns-users/2012-October/000564.html]) +-ACX_LDNS_NOT(1,6,15, [fail to create NSEC3 bitmap for empty non-terminals, see http://www.nlnetlabs.nl/pipermail/ldns-users/2012-November/000565.html]) ++ACX_LDNS(1.6.17) + ACX_PKCS11_MODULES + ACX_RT + ACX_LIBC diff --git a/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch new file mode 100644 index 000000000..b4ed4306d --- /dev/null +++ b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch @@ -0,0 +1,112 @@ +configure does not work with OE pkg-config for the libxml2 option + +Upstream-Status: OE specific + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: opendnssec-2.1.6/m4/acx_libxml2.m4 +=================================================================== +--- opendnssec-2.1.6.orig/m4/acx_libxml2.m4 ++++ opendnssec-2.1.6/m4/acx_libxml2.m4 +@@ -1,37 +1,67 @@ ++#serial 11 ++AU_ALIAS([CHECK_XML2], [ACX_LIBXML2]) + AC_DEFUN([ACX_LIBXML2],[ +- AC_ARG_WITH(libxml2, +- [AS_HELP_STRING([--with-libxml2=DIR],[look for libxml2 in this dir])], +- [ +- XML2_PATH="$withval" +- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $XML2_PATH/bin) +- ],[ +- XML2_PATH="/usr/local" +- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $PATH) +- ]) +- if test -x "$XML2_CONFIG" +- then +- AC_MSG_CHECKING(what are the xml2 includes) +- XML2_INCLUDES="`$XML2_CONFIG --cflags`" +- AC_MSG_RESULT($XML2_INCLUDES) +- +- AC_MSG_CHECKING(what are the xml2 libs) +- XML2_LIBS="`$XML2_CONFIG --libs`" +- AC_MSG_RESULT($XML2_LIBS) +- +- tmp_CPPFLAGS=$CPPFLAGS +- tmp_LIBS=$LIBS +- +- CPPFLAGS="$CPPFLAGS $XML2_INCLUDES" +- LIBS="$LIBS $XML2_LIBS" +- +- AC_CHECK_LIB(xml2, xmlDocGetRootElement,,[AC_MSG_ERROR([Can't find libxml2 library])]) +- +- CPPFLAGS=$tmp_CPPFLAGS +- LIBS=$tmp_LIBS +- else +- AC_MSG_ERROR([libxml2 required, but not found.]) +- fi ++ found=false ++ AC_ARG_WITH([libxml2], ++ [AS_HELP_STRING([--with-libxml2=DIR], ++ [root of the libxml directory])], ++ [ ++ case "$withval" in ++ "" | y | ye | yes | n | no) ++ AC_MSG_ERROR([Invalid --with-libxml2 value]) ++ ;; ++ *) xml2dirs="$withval" ++ ;; ++ esac ++ ], [ ++ # if pkg-config is installed and openssl has installed a .pc file, ++ # then use that information and don't search ssldirs ++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) ++ if test x"$PKG_CONFIG" != x""; then ++ XML2_LDFLAGS=`$PKG_CONFIG libxml-2.0 --libs-only-L 2>/dev/null` ++ if test $? = 0; then ++ XML2_LIBS=`$PKG_CONFIG libxml-2.0 --libs-only-l 2>/dev/null` ++ XML2_INCLUDES=`$PKG_CONFIG libxml-2.0 --cflags-only-I 2>/dev/null` ++ found=true ++ fi ++ fi + +- AC_SUBST(XML2_INCLUDES) +- AC_SUBST(XML2_LIBS) ++ # no such luck; use some default ssldirs ++ if ! $found; then ++ xml2dirs="/usr/local/libxml /usr/lib/libxml /usr/libxml /usr/pkg /usr/local /usr" ++ fi ++ ] ++ ) ++ ++ ++ # note that we #include <libxml/tree.h>, so the libxml2 headers have to be in ++ # an 'libxml' subdirectory ++ ++ if ! $found; then ++ XML2_INCLUDES= ++ for xml2dir in $xml2dirs; do ++ AC_MSG_CHECKING([for XML2 in $xml2dir]) ++ if test -f "$xml2dir/include/libxml2/libxml/tree.h"; then ++ XML2_INCLUDES="-I$xml2dir/include/libxml2" ++ XML2_LDFLAGS="-L$xml2dir/lib" ++ XML2_LIBS="-lxml2" ++ found=true ++ AC_MSG_RESULT([yes]) ++ break ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ done ++ ++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe ++ # it will just work! ++ fi ++ ++ LDFLAGS="$LDFLAGS $XML2_LDFLAGS" ++ LIBS="$XML2_LIBS $LIBS" ++ CPPFLAGS="$XML2_INCLUDES $CPPFLAGS" ++ ++ AC_SUBST(XML2_INCLUDES) ++ AC_SUBST(XML2_LIBS) ++ AC_SUBST(XML2_LDFLAGS) + ]) diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb new file mode 100644 index 000000000..5e42ca8f7 --- /dev/null +++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb @@ -0,0 +1,37 @@ +SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones" + +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937" + +DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml " + +SRC_URI = "git://github.com/opendnssec/opendnssec;branch=develop \ + file://libxml2_conf.patch \ + file://libdns_conf_fix.patch \ + file://fix_fprint.patch \ + " + +SRCREV = "5876bccb38428790e2e9afc806ca68b029879874" + +inherit autotools pkgconfig perlnative + +S = "${WORKDIR}/git" + +EXTRA_OECONF = " --with-libxml2=${STAGING_DIR_HOST}/usr --with-ldns=${STAGING_DIR_HOST}/usr \ + --with-ssl=${STAGING_DIR_HOST}/usr " + +CFLAGS += "-fcommon" + +PACKAGECONFIG ?= "sqlite3" + +PACKAGECONFIG[cunit] = "--with-cunit=${STAGING_DIR_HOST}/usr, --without-cunit," +PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}/usr, ,sqlite3, sqlite3" +PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb" +PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline" +PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind" + +do_install_append () { + rm -rf ${D}${localstatedir}/run +} + +RDEPENDS_${PN} = "softhsm" diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb deleted file mode 100644 index 83a9ed83e..000000000 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb +++ /dev/null @@ -1,28 +0,0 @@ -DESCRIPTION = "Security ptest packagegroup" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ - file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -inherit features_check - -REQUIRED_DISTRO_FEATURES = "ptest" - -PACKAGES = "\ - ${PN} \ - " - -ALLOW_EMPTY_${PN} = "1" - -SUMMARY_${PN} = "Security packages with ptests" -RDEPENDS_${PN} = " \ - ptest-runner \ - samhain-standalone-ptest \ - keyutils-ptest \ - libseccomp-ptest \ - python3-scapy-ptest \ - suricata-ptest \ - tripwire-ptest \ - python-fail2ban-ptest \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ - " diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb deleted file mode 100644 index e0a9d0534..000000000 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ /dev/null @@ -1,68 +0,0 @@ -DESCRIPTION = "Security packagegroup for Poky" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ - file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -inherit packagegroup - -PACKAGES = "\ - packagegroup-core-security \ - packagegroup-security-utils \ - packagegroup-security-scanners \ - packagegroup-security-ids \ - packagegroup-security-mac \ - " - -RDEPENDS_packagegroup-core-security = "\ - packagegroup-security-utils \ - packagegroup-security-scanners \ - packagegroup-security-ids \ - packagegroup-security-mac \ - " - -SUMMARY_packagegroup-security-utils = "Security utilities" -RDEPENDS_packagegroup-security-utils = "\ - checksec \ - nmap \ - pinentry \ - python3-scapy \ - ding-libs \ - keyutils \ - libseccomp \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ - " - -SUMMARY_packagegroup-security-scanners = "Security scanners" -RDEPENDS_packagegroup-security-scanners = "\ - nikto \ - checksecurity \ - clamav \ - clamav-freshclam \ - clamav-cvd \ - " - -SUMMARY_packagegroup-security-audit = "Security Audit tools " -RDEPENDS_packagegroup-security-audit = " \ - buck-security \ - redhat-security \ - " - -SUMMARY_packagegroup-security-hardening = "Security Hardening tools" -RDEPENDS_packagegroup-security-hardening = " \ - bastille \ - " - -SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" -RDEPENDS_packagegroup-security-ids = " \ - tripwire \ - samhain-standalone \ - suricata \ - " - -SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" -RDEPENDS_packagegroup-security-mac = " \ - ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ - " diff --git a/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb new file mode 100644 index 000000000..74e837aa5 --- /dev/null +++ b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb @@ -0,0 +1,30 @@ +SUMMARY = "SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface." +HOMEPAGE = "www.opendnssec.org" + +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210" + +DEPENDS = "sqlite3" + +SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz" +SRC_URI[sha256sum] = "61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2" + +inherit autotools pkgconfig siteinfo + +EXTRA_OECONF += " --with-sqlite3=${STAGING_DIR_HOST}/usr" +EXTRA_OECONF += "${@oe.utils.conditional('SITEINFO_BITS', '64', ' --enable-64bit', '', d)}" + +PACKAGECONFIG ?= "pk11 openssl" + +PACKAGECONFIG[npm] = ",--disable-non-paged-memory" +PACKAGECONFIG[ecc] = "--enable-ecc,--disable-ecc" +PACKAGECONFIG[gost] = "--enable-gost,--disable-gost" +PACKAGECONFIG[eddsa] = "--enable-eddsa, --disable-eddsa" +PACKAGECONFIG[fips] = "--enable-fips, --disable-fips" +PACKAGECONFIG[notvisable] = "--disable-visibility" +PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr --with-crypto-backend=openssl, --without-openssl, openssl, openssl" +PACKAGECONFIG[botan] = "--with-botan=${STAGING_DIR_HOST}/usr --with-crypto-backend=botan, --without-botan, botan" +PACKAGECONFIG[migrate] = "--with-migrate" +PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit==${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit" + +RDEPENDS_${PN} = "sqlite3" diff --git a/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch new file mode 100644 index 000000000..b64670c17 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch @@ -0,0 +1,34 @@ +From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= <jonatan.p@gmail.com> +Date: Fri, 21 Aug 2020 14:45:10 +0200 +Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AC_CHECK_FILE does not support cross-compilation, and will only check +the host rootfs. Replace AC_CHECK_FILE with a 'test -f <FILE>' instead, +to allow building manpages when cross-compiling. + +Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289] +Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com> +--- + src/external/docbook.m4 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/external/docbook.m4 b/src/external/docbook.m4 +index deb8632fa..acdc89a68 100644 +--- a/src/external/docbook.m4 ++++ b/src/external/docbook.m4 +@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and + dnl if a particular URI appears in the XML catalog + AC_DEFUN([CHECK_STYLESHEET], + [ +- AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])]) ++ AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])]) + + AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog]) + if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then +-- +2.26.1 + diff --git a/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch new file mode 100644 index 000000000..c319269e9 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch @@ -0,0 +1,78 @@ +From 05c315100a70d3372e891e9a0ea981a875b2ec90 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com> +Date: Thu, 27 Feb 2020 06:50:40 +0100 +Subject: [PATCH] nss: Collision with external nss symbol +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +One of our internal static function names started +to collide with external nss symbol. Additional +sss_ suffix was added to avoid the collision. + +This is needed to unblock Fedora Rawhide's +SSSD build. + +Reviewed-by: Pavel Březina <pbrezina@redhat.com> + +Upstream-Status: Backport [https://github.com/SSSD/sssd.git] +Signed-off-by: Hongxu.jia@windriver.com +Signed-off-by: Qi.Chen@windriver.com +--- + src/responder/nss/nss_cmd.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c +index 25e663ed5..a4d4cfc0b 100644 +--- a/src/responder/nss/nss_cmd.c ++++ b/src/responder/nss/nss_cmd.c +@@ -728,11 +728,13 @@ done: + talloc_free(cmd_ctx); + } + +-static void nss_setnetgrent_done(struct tevent_req *subreq); ++static void sss_nss_setnetgrent_done(struct tevent_req *subreq); + +-static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, +- enum cache_req_type type, +- nss_protocol_fill_packet_fn fill_fn) ++/* This function's name started to collide with external nss symbol, ++ * so it has additional sss_* prefix unlike other functions here. */ ++static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx, ++ enum cache_req_type type, ++ nss_protocol_fill_packet_fn fill_fn) + { + struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; +@@ -774,7 +776,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, + goto done; + } + +- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx); ++ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx); + + ret = EOK; + +@@ -787,7 +789,7 @@ done: + return EOK; + } + +-static void nss_setnetgrent_done(struct tevent_req *subreq) ++static void sss_nss_setnetgrent_done(struct tevent_req *subreq) + { + struct nss_cmd_ctx *cmd_ctx; + errno_t ret; +@@ -1037,8 +1039,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx) + + static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) + { +- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, +- nss_protocol_fill_setnetgrent); ++ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, ++ nss_protocol_fill_setnetgrent); + } + + static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx) +-- +2.21.0 + diff --git a/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch new file mode 100644 index 000000000..1a2233209 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch @@ -0,0 +1,32 @@ +From 37a0999e5a9f54e1c61a02a7fbab6fcd04738b3c Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Thu, 8 Oct 2020 05:54:13 -0700 +Subject: [PATCH] Provide missing defines which otherwise are available on + glibc system headers + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Upsteam-Status: Pending + +--- + src/util/util.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/util/util.h b/src/util/util.h +index 8a754dbfd..6e55b4bdc 100644 +--- a/src/util/util.h ++++ b/src/util/util.h +@@ -76,6 +76,10 @@ + #define MAX(a, b) (((a) > (b)) ? (a) : (b)) + #endif + ++#ifndef ALLPERMS ++# define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)/* 07777 */ ++#endif ++ + #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS + + #define SSSD_SERVER_OPTS(uid, gid) \ +-- +2.17.1 + diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.5.bb index 7ea1586bd..9784ec77d 100644 --- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb +++ b/meta-security/recipes-security/sssd/sssd_1.16.5.bb @@ -6,7 +6,9 @@ LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" -DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" +DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" + +DEPENDS_append_libc-musl = " musl-nscd" # If no crypto has been selected, default to DEPEND on nss, since that's what # sssd will pick if no active choice is made during configure @@ -17,10 +19,12 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \ file://sssd.conf \ file://volatiles.99_sssd \ file://fix-ldblibdir.patch \ + file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \ + file://0001-nss-Collision-with-external-nss-symbol.patch \ + file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \ " -SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50" -SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959" +SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0" inherit autotools pkgconfig gettext python3-dir features_check systemd @@ -39,10 +43,9 @@ PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto" -PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson" -PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2" +PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " -PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no" +PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss," @@ -60,6 +63,8 @@ EXTRA_OECONF += " \ --without-python2-bindings \ --enable-pammoddir=${base_libdir}/security \ --without-python2-bindings \ + --without-secrets \ + --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ " do_configure_prepend() { @@ -85,6 +90,7 @@ do_install () { # Remove /var/run as it is created on startup rm -rf ${D}${localstatedir}/run + rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* } pkg_postinst_ontarget_${PN} () { @@ -109,8 +115,6 @@ SYSTEMD_SERVICE_${PN} = " \ sssd-pam-priv.socket \ sssd-pam.service \ sssd-pam.socket \ - sssd-secrets.service \ - sssd-secrets.socket \ sssd.service \ " SYSTEMD_AUTO_ENABLE = "disable" |