diff options
Diffstat (limited to 'meta-security')
67 files changed, 1333 insertions, 517 deletions
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml index f673ef698..206d7241b 100644 --- a/meta-security/.gitlab-ci.yml +++ b/meta-security/.gitlab-ci.yml @@ -1,129 +1,166 @@ -stages: - - build - -.build: - stage: build - image: crops/poky - before_script: +.before-my-script: &before-my-script - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error - export PATH=~/.local/bin:$PATH - wget https://bootstrap.pypa.io/get-pip.py - python3 get-pip.py - python3 -m pip install kas - after_script: + +.after-my-script: &after-my-script - cd $CI_PROJECT_DIR/poky - . ./oe-init-build-env $CI_PROJECT_DIR/build - for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do - send-error-report -y tmp/log/error-report/$x - done - - cd $CI_PROJECT_DIR - - rm -rf build - cache: - paths: - - layers + - rm -fr $CI_PROJECT_DIR/build + +stages: + - base + - parsec + - multi + - musl + - test + +.base: + before_script: + - *before-my-script + stage: base + after_script: + - *after-my-script + +.parsec: + before_script: + - *before-my-script + stage: parsec + after_script: + - *after-my-script + + +.multi: + before_script: + - *before-my-script + stage: multi + after_script: + - *after-my-script + +.musl: + before_script: + - *before-my-script + stage: musl + after_script: + - *after-my-script + +.test: + before_script: + - *before-my-script + stage: test + after_script: + - *after-my-script qemux86: - extends: .build + extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal" - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml - - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml -qemux86-64: - extends: .build +qemux86-musl: + extends: .musl + needs: ['qemux86-parsec'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml - - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml - - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml -qemuarm: - extends: .build +qemux86-parsec: + extends: .parsec + needs: ['qemux86'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml -qemuarm64: - extends: .build +qemux86-test: + extends: .test + needs: ['qemux86'] + allow_failure: true script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml - - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml + - kas build --target security-test-image kas/$CI_JOB_NAME.yml + - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml -qemuppc: - extends: .build +qemux86-64: + extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" + - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml + - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml -qemumips64: - extends: .build +qemux86-64-parsec: + extends: .parsec + needs: ['qemux86-64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuriscv64: - extends: .build +qemux86-64-multi: + extends: .multi + needs: ['qemux86-64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-64-tpm: - extends: .build +qemuarm: + extends: .base script: - - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml - - kas build --target security-tpm2-image kas/$CI_JOB_NAME2.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuarm64-tpm2: - extends: .build +qemuarm-parsec: + extends: .parsec + needs: ['qemuarm'] script: - - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuarm64-alt: - extends: .build +qemuarm64: + extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" + - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml qemuarm64-multi: - extends: .build + extends: .multi + needs: ['qemuarm64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemumips64-alt: - extends: .build +qemuarm64-musl: + extends: .musl + needs: ['qemuarm64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemumips64-multi: - extends: .build +qemuarm64-parsec: + extends: .parsec + needs: ['qemuarm64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-64-alt: - extends: .build +qemuppc: + extends: .base script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-64-multi: - extends: .build +qemuppc-parsec: + extends: .parsec + needs: ['qemuppc'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-musl: - extends: .build +qemumips64: + extends: .base script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuarm64-musl: - extends: .build +qemumips64-multi: + extends: .multi + needs: ['qemumips64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-test: - extends: .build - allow_failure: true +qemuriscv64: + extends: .base script: - - kas build --target security-test-image kas/$CI_JOB_NAME.yml - - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml - + - kas build --target security-build-image kas/$CI_JOB_NAME.yml diff --git a/meta-security/README b/meta-security/README index eb1536675..4047b86c3 100644 --- a/meta-security/README +++ b/meta-security/README @@ -1,6 +1,24 @@ Meta-security ============= +The bbappend files for some recipes (e.g. linux-yocto) in this layer need +to have 'security' in DISTRO_FEATURES to have effect. +To enable them, add in configuration file the following line. + + DISTRO_FEATURES_append = " security" + +If meta-security is included, but security is not enabled as a +distro feature a warning is printed at parse time: + + You have included the meta-security layer, but + 'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files + and preferred version setting may not take effect. + +If you know what you are doing, this warning can be disabled by setting the following +variable in your configuration: + + SKIP_META_SECURITY_SANITY_CHECK = 1 + This layer provides security tools, hardening tools for Linux kernels and libraries for implementing security mechanisms. diff --git a/meta-security/classes/sanity-meta-security.bbclass b/meta-security/classes/sanity-meta-security.bbclass new file mode 100644 index 000000000..b6c6b9cb5 --- /dev/null +++ b/meta-security/classes/sanity-meta-security.bbclass @@ -0,0 +1,10 @@ +addhandler security_bbappend_distrocheck +security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck" +python security_bbappend_distrocheck() { + skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1" + if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: + bb.warn("You have included the meta-security layer, but \ +'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ +and preferred version setting may not take effect. See the meta-security README \ +for details on enabling security support.") +} diff --git a/meta-security/conf/distro/include/maintainers.inc b/meta-security/conf/distro/include/maintainers.inc index 7b82ef749..e02b9037d 100644 --- a/meta-security/conf/distro/include/maintainers.inc +++ b/meta-security/conf/distro/include/maintainers.inc @@ -1,4 +1,4 @@ -# meta-securiyt Maintainers File +# meta-security Maintainers File # # This file contains a list of recipe maintainers. # diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 906e02440..7853d6e8e 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -13,6 +13,10 @@ LAYERSERIES_COMPAT_security = "hardknott" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" +# Sanity check for meta-security layer. +# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check. +INHERIT += "sanity-meta-security" + BBFILES_DYNAMIC += " \ rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \ " diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml index 309acaa03..151452452 100644 --- a/meta-security/kas/kas-security-alt.yml +++ b/meta-security/kas/kas-security-alt.yml @@ -5,4 +5,4 @@ header: local_conf_header: alt: | - DISTRO_FEATURES_append = " apparmor pam smack systemd" + DISTRO_FEATURES_append = " systemd" diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml index aa68336e1..c6cc4fc8e 100644 --- a/meta-security/kas/kas-security-base.yml +++ b/meta-security/kas/kas-security-base.yml @@ -51,6 +51,8 @@ local_conf_header: EXTRA_IMAGE_FEATURES ?= "debug-tweaks" PACKAGE_CLASSES = "package_ipk" + DISTRO_FEATURES_append = " pam apparmor smack ima" + MACHINE_FEATURES_append = " tpm tpm2" diskmon: | BB_DISKMON_DIRS = "\ diff --git a/meta-security/kas/qemuarm64-ima.yml b/meta-security/kas/qemuarm64-ima.yml deleted file mode 100644 index b4784729b..000000000 --- a/meta-security/kas/qemuarm64-ima.yml +++ /dev/null @@ -1,10 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " ima" - -machine: qemuarm64 diff --git a/meta-security/kas/qemuarm64-tpm2.yml b/meta-security/kas/qemuarm64-tpm2.yml deleted file mode 100644 index 3a8d8fc0d..000000000 --- a/meta-security/kas/qemuarm64-tpm2.yml +++ /dev/null @@ -1,10 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " tpm2" - -machine: qemuarm64 diff --git a/meta-security/kas/qemumips64-alt.yml b/meta-security/kas/qemumips64-alt.yml index 923c21370..c5d54d4d4 100644 --- a/meta-security/kas/qemumips64-alt.yml +++ b/meta-security/kas/qemumips64-alt.yml @@ -1,10 +1,6 @@ header: version: 8 includes: - - kas-security-base.yml - -local_conf_header: - alt: | - DISTRO_FEATURES_append = " pam systmed" + - kas-security-alt.yml machine: qemumips64 diff --git a/meta-security/kas/qemux86-64-ima.yml b/meta-security/kas/qemux86-64-ima.yml deleted file mode 100644 index e64931c17..000000000 --- a/meta-security/kas/qemux86-64-ima.yml +++ /dev/null @@ -1,10 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " ima" - -machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-tpm.yml b/meta-security/kas/qemux86-64-tpm.yml deleted file mode 100644 index 565b42327..000000000 --- a/meta-security/kas/qemux86-64-tpm.yml +++ /dev/null @@ -1,10 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " tpm" - -machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-tpm2.yml b/meta-security/kas/qemux86-64-tpm2.yml deleted file mode 100644 index a43693ee9..000000000 --- a/meta-security/kas/qemux86-64-tpm2.yml +++ /dev/null @@ -1,10 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " tpm2" - -machine: qemux86-64 diff --git a/meta-security/kas/qemux86-ima.yml b/meta-security/kas/qemux86-ima.yml deleted file mode 100644 index 6528ba620..000000000 --- a/meta-security/kas/qemux86-ima.yml +++ /dev/null @@ -1,10 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " ima" - -machine: qemux86 diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml index 7b5f45151..83a5353e7 100644 --- a/meta-security/kas/qemux86-test.yml +++ b/meta-security/kas/qemux86-test.yml @@ -3,9 +3,4 @@ header: includes: - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " apparmor smack pam" - machine: qemux86 diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend index 896b03973..f943cb371 100644 --- a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend +++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend @@ -1,4 +1,4 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS_prepend_harden := "${THISDIR}/files:" SRC_URI_append_harden = " file://mountall.sh" diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md index 5048fba1e..8254b0d94 100644 --- a/meta-security/meta-integrity/README.md +++ b/meta-security/meta-integrity/README.md @@ -1,8 +1,24 @@ This README file contains information on the contents of the integrity layer. -Please see the corresponding sections below for details. +The bbappend files for some recipes (e.g. linux-yocto) in this layer need +to have 'integrity' in DISTRO_FEATURES to have effect. +To enable them, add in configuration file the following line. + + DISTRO_FEATURES_append = " integrity" + +If meta-integrity is included, but integrity is not enabled as a +distro feature a warning is printed at parse time: + + You have included the meta-integritry layer, but + 'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files + and preferred version setting may not take effect. + +If you know what you are doing, this warning can be disabled by setting the following +variable in your configuration: + + SKIP_META_INTEGRITY_SANITY_CHECK = 1 Dependencies ============ diff --git a/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass b/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass new file mode 100644 index 000000000..6ba7e3f26 --- /dev/null +++ b/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass @@ -0,0 +1,10 @@ +addhandler integrity_bbappend_distrocheck +integrity_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck" +python integrity_bbappend_distrocheck() { + skip_check = e.data.getVar('SKIP_META_INTEGRITY_SANITY_CHECK') == "1" + if 'integrity' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: + bb.warn("You have included the meta-integrity layer, but \ +'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ +and preferred version setting may not take effect. See the meta-integrity README \ +for details on enabling integrity support.") +} diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index ba028da7e..37776f818 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -26,6 +26,10 @@ LAYERDEPENDS_integrity = "core openembedded-layer" BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity" +# Sanity check for meta-integrity layer. +# Setting SKIP_META_INTEGRITY_SANITY_CHECK to "1" would skip the bbappend files check. +INHERIT += "sanity-meta-integrity" + BBFILES_DYNAMIC += " \ networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \ " diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend index f9a48cd05..be60bfeac 100644 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -1,5 +1 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" - -KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" - -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} +require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)} diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc new file mode 100644 index 000000000..f9a48cd05 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc @@ -0,0 +1,5 @@ +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" + +KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" + +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README index dd662b3d4..59d2ee3ad 100644 --- a/meta-security/meta-tpm/README +++ b/meta-security/meta-tpm/README @@ -1,6 +1,25 @@ meta-tpm layer ============== +The bbappend files for some recipes (e.g. linux-yocto) in this layer need +to have 'tpm' in DISTRO_FEATURES to have effect. +To enable them, add in configuration file the following line. + + DISTRO_FEATURES_append = " tmp" + +If meta-tpm is included, but tpm is not enabled as a +distro feature a warning is printed at parse time: + + You have included the meta-tpm layer, but + 'tpm' has not been enabled in your DISTRO_FEATURES. Some bbappend files + and preferred version setting may not take effect. + +If you know what you are doing, this warning can be disabled by setting the following +variable in your configuration: + + SKIP_META_TPM_SANITY_CHECK = 1 + + This layer contains base TPM recipes. Dependencies diff --git a/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass new file mode 100644 index 000000000..2f8b52d1b --- /dev/null +++ b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass @@ -0,0 +1,10 @@ +addhandler tpm_machinecheck +tpm_machinecheck[eventmask] = "bb.event.SanityCheck" +python tpm_machinecheck() { + skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1" + if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: + bb.warn("You have included the meta-tpm layer, but \ +'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ +and preferred version setting may not take effect. See the meta-tpm README \ +for details on enabling tpm support.") +} diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 1b766cba2..0b102c533 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -17,6 +17,10 @@ LAYERDEPENDS_tpm-layer = " \ " BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm" +# Sanity check for meta-integrity layer. +# Setting SKIP_META_TPM_SANITY_CHECK to "1" would skip the bbappend files check. +INHERIT += "sanity-meta-tpm" + BBFILES_DYNAMIC += " \ networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \ " diff --git a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend index cea8b1b2a..2cf1453a8 100644 --- a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend +++ b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend @@ -1,17 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:" - -# Enable tpm in kernel -SRC_URI_append_x86 = " \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ - " - -SRC_URI_append_x86-64 = " \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ - " - -SRC_URI += " \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \ - ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \ - " +require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm', 'linux-yocto_tpm.inc', '', d)} diff --git a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc new file mode 100644 index 000000000..cea8b1b2a --- /dev/null +++ b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc @@ -0,0 +1,17 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:" + +# Enable tpm in kernel +SRC_URI_append_x86 = " \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ + " + +SRC_URI_append_x86-64 = " \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ + " + +SRC_URI += " \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \ + ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \ + " diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch deleted file mode 100644 index f2938e0e0..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch +++ /dev/null @@ -1,27 +0,0 @@ -Fix strict aliasing issue of gcc10 - -fixes: - -TpmFail.c: In function 'TpmLogFailure': -TpmFail.c:217:23: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] - 217 | s_failFunction = *(UINT32 *)&function; /* kgold */ - | ^~~~~~~~~~~~~~~~~~~ -cc1: all warnings being treated as errors - -Upstream-Status: Submitted - -Signed-off-by: Jens Rehsack <sno@NetBSD.org> - -Index: src/TpmFail.c -=================================================================== ---- src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200 -+++ src/TpmFail.c 2020-09-10 15:48:35.563302634 +0200 -@@ -214,7 +214,7 @@ - // On a 64-bit machine, this may truncate the address of the string - // of the function name where the error occurred. - #if FAIL_TRACE -- s_failFunction = *(UINT32 *)&function; /* kgold */ -+ memcpy(&s_failFunction, function, sizeof(uint32_t)); /* kgold */ - s_failLine = line; - #else - s_failFunction = 0; diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb index 301980dbe..7ea40a8c0 100644 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb @@ -17,13 +17,11 @@ DEPENDS = "openssl" SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ file://tune-makefile.patch \ - file://fix-wrong-cast.patch \ " -SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c" -SRC_URI[sha256sum] = "dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327" -SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e" -SRC_URI[sha384sum] = "bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d" -SRC_URI[sha512sum] = "007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed" + +SRC_URI[sha256sum] = "55145928ad2b24f34be6a0eacf9fb492e10e0ea919b8428c721fa970e85d6147" + +UPSTREAM_CHECK_REGEX = "libtpm(?P<pver>).tar.gz" S = "${WORKDIR}/src" diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb index 4d9b5540a..ae8974b6c 100644 --- a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb @@ -17,11 +17,13 @@ DEPENDS = "openssl ibmswtpm2" inherit autotools pkgconfig -SRCREV = "3e736f712ba53c8f06e66751f60fae428fd2e20f" +SRCREV = "c4e131e34ec0ed09411aa3bc76f76129ef881573" SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \ file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \ " +UPSTREAM_CHECK_COMMITS = "1" + EXTRA_OECONF = "--disable-tpm-1.2" S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch new file mode 100644 index 000000000..5c91a5ec5 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch @@ -0,0 +1,295 @@ +From 2b74d3df9b3b6932052ace627b21ff1352aa2932 Mon Sep 17 00:00:00 2001 +From: William Roberts <william.c.roberts@intel.com> +Date: Wed, 5 May 2021 13:32:05 -0500 +Subject: [PATCH 1/4] test: fix build for gcc11 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes 0 size regions by ignoring them. The test code intentionally does +bad things. + +test/unit/test_twist.c: In function ‘test_twistbin_aappend_twist_null’: +test/unit/test_twist.c:327:18: error: ‘twistbin_aappend’ accessing 16 bytes in a region of size 0 [-Werror=stringop-overflow=] + 327 | actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: William Roberts <william.c.roberts@intel.com> + +Upstream-Status: Pending +Fix out for merge to offical repo + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + test/unit/test_twist.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c +index ec66f69f..58d4530a 100644 +--- a/test/unit/test_twist.c ++++ b/test/unit/test_twist.c +@@ -244,15 +244,23 @@ void test_twistbin_create(void **state) { + void test_twistbin_new_overflow_1(void **state) { + (void) state; + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wpragmas" ++#pragma GCC diagnostic ignored "-Wstringop-overflow" + twist actual = twistbin_new((void *) 0xDEADBEEF, ~0); + assert_null(actual); ++#pragma GCC diagnostic pop + } + + void test_twistbin_new_overflow_2(void **state) { + (void) state; + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wpragmas" ++#pragma GCC diagnostic ignored "-Wstringop-overflow" + twist actual = twistbin_new((void *) 0xDEADBEEF, ~0 - sizeof(void *)); + assert_null(actual); ++#pragma GCC diagnostic pop + } + + void test_twistbin_new_overflow_3(void **state) { +@@ -318,8 +326,12 @@ void test_twistbin_aappend_twist_null(void **state) { + twist actual = twistbin_aappend(expected, NULL, 42); + assert_ptr_equal((void * )actual, (void * )expected); + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wpragmas" ++#pragma GCC diagnostic ignored "-Wstringop-overflow" + actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0); + assert_ptr_equal((void * )actual, (void * )expected); ++#pragma GCC diagnostic pop + + twist_free(actual); + } + +From 5bea05613e638375b73e29e5d56a9dabcfd2269d Mon Sep 17 00:00:00 2001 +From: William Roberts <william.c.roberts@intel.com> +Date: Wed, 5 May 2021 11:52:23 -0500 +Subject: [PATCH 2/4] utils: fix stringop-overread in str_padded_copy + +cc1: all warnings being treated as errors +| make: *** [Makefile:1953: src/lib/slot.lo] Error 1 +| make: *** Waiting for unfinished jobs.... +| In file included from src/lib/mutex.h:10, +| from src/lib/session_ctx.h:6, +| from src/lib/digest.h:13, +| from src/lib/tpm.c:28: +| In function 'str_padded_copy', +| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5: +| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread] +| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len)); +| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +| src/lib/utils.h: In function 'tpm_get_token_info': +| src/lib/tpm.c:739:19: note: source object declared here +| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage +| | ^~~~~~~~~~~~~~ +| cc1: all warnings being treated as errors +| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1 +| WARNING: exit code 1 from a shell command. + +Fixes #676 + +Signed-off-by: William Roberts <william.c.roberts@intel.com> +--- + src/lib/general.c | 8 ++++---- + src/lib/general.h | 2 +- + src/lib/slot.c | 4 ++-- + src/lib/token.c | 4 ++-- + src/lib/tpm.c | 7 +++---- + src/lib/utils.h | 6 ++++-- + 6 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/src/lib/general.c b/src/lib/general.c +index 9b7327c1..eaddaf82 100644 +--- a/src/lib/general.c ++++ b/src/lib/general.c +@@ -19,8 +19,8 @@ + #define VERSION "UNKNOWN" + #endif + +-#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki" +-#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io" ++static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki"; ++static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io"; + + #define CRYPTOKI_VERSION { \ + .major = CRYPTOKI_VERSION_MAJOR, \ +@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) { + + static CK_INFO *_info = NULL; + if (!_info) { +- str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID)); +- str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription)); ++ str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER); ++ str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION); + + parse_lib_version(&_info_.libraryVersion.major, + &_info_.libraryVersion.minor); +diff --git a/src/lib/general.h b/src/lib/general.h +index 14a18e46..356c142d 100644 +--- a/src/lib/general.h ++++ b/src/lib/general.h +@@ -10,7 +10,7 @@ + #define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token" + #define TPM2_TOKEN_MANUFACTURER "Intel" + #define TPM2_TOKEN_MODEL "TPM2 PKCS#11" +-#define TPM2_TOKEN_SERIAL_NUMBER "0000000000000000" ++static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; + #define TPM2_TOKEN_HW_VERSION { 0, 0 } + #define TPM2_TOKEN_FW_VERSION { 0, 0 } + +diff --git a/src/lib/slot.c b/src/lib/slot.c +index 548d22b5..6db5bb93 100644 +--- a/src/lib/slot.c ++++ b/src/lib/slot.c +@@ -119,8 +119,8 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) { + return CKR_GENERAL_ERROR; + } + +- str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID)); +- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription)); ++ str_padded_copy(info->manufacturerID, token_info.manufacturerID); ++ str_padded_copy(info->slotDescription, token_info.label); + + info->hardwareVersion = token_info.hardwareVersion; + info->firmwareVersion = token_info.firmwareVersion; +diff --git a/src/lib/token.c b/src/lib/token.c +index 6d7ebd27..c7211296 100644 +--- a/src/lib/token.c ++++ b/src/lib/token.c +@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) { + } + + // Identification +- str_padded_copy(info->label, t->label, sizeof(info->label)); +- str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber)); ++ str_padded_copy(info->label, t->label); ++ str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER); + + + // Memory: TODO not sure what memory values should go here, the platform? +diff --git a/src/lib/tpm.c b/src/lib/tpm.c +index 1639df48..7f9f052a 100644 +--- a/src/lib/tpm.c ++++ b/src/lib/tpm.c +@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) { + unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage + UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value); + memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t)); +- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID)); ++ str_padded_copy(info->manufacturerID, manufacturerID); + + // Map human readable Manufacturer String, if available, + // otherwise 4 byte ID was already padded and will be used. + for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){ + if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) { + str_padded_copy(info->manufacturerID, +- (unsigned char *)TPM2_MANUFACTURER_MAP[i][1], +- sizeof(info->manufacturerID)); ++ (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]); + } + } + +@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) { + vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value); + vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value); + vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value); +- str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model)); ++ str_padded_copy(info->model, (unsigned char*) &vendor); + + return CKR_OK; + } +diff --git a/src/lib/utils.h b/src/lib/utils.h +index 81c61fae..cf357464 100644 +--- a/src/lib/utils.h ++++ b/src/lib/utils.h +@@ -39,9 +39,11 @@ + + int str_to_ul(const char *val, size_t *res); + +-static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) { ++#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src))) ++static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) { + memset(dst, ' ', dst_len); +- memcpy(dst, src, strnlen((char *)(src), dst_len)); ++ memcpy(dst, src, src_len); ++ LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst); + } + + twist utils_hash_pass(const twist pin, const twist salt); + +From afeae8a3846e06152fafb180077fbad4381a124d Mon Sep 17 00:00:00 2001 +From: William Roberts <william.c.roberts@intel.com> +Date: Wed, 5 May 2021 14:09:27 -0500 +Subject: [PATCH 3/4] general: drop unused macros + +Signed-off-by: William Roberts <william.c.roberts@intel.com> +--- + src/lib/general.h | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/src/lib/general.h b/src/lib/general.h +index 356c142d..b3089554 100644 +--- a/src/lib/general.h ++++ b/src/lib/general.h +@@ -7,17 +7,7 @@ + + #include "pkcs11.h" + +-#define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token" +-#define TPM2_TOKEN_MANUFACTURER "Intel" +-#define TPM2_TOKEN_MODEL "TPM2 PKCS#11" + static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; +-#define TPM2_TOKEN_HW_VERSION { 0, 0 } +-#define TPM2_TOKEN_FW_VERSION { 0, 0 } +- +-#define TPM2_SLOT_DESCRIPTION "Intel TPM2.0 Cryptoki" +-#define TPM2_SLOT_MANUFACTURER TPM2_TOKEN_MANUFACTURER +-#define TPM2_SLOT_HW_VERSION TPM2_TOKEN_HW_VERSION +-#define TPM2_SLOT_FW_VERSION TPM2_TOKEN_FW_VERSION + + CK_RV general_init(void *init_args); + CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list); + +From 8b43a99c5ff604d890bdc23fd2fa5f98aa087d83 Mon Sep 17 00:00:00 2001 +From: William Roberts <william.c.roberts@intel.com> +Date: Wed, 5 May 2021 14:11:04 -0500 +Subject: [PATCH 4/4] token: move TPM2_TOKEN_SERIAL_NUMBER local to use + +Signed-off-by: William Roberts <william.c.roberts@intel.com> +--- + src/lib/general.h | 2 -- + src/lib/token.c | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/lib/general.h b/src/lib/general.h +index b3089554..9afd61ec 100644 +--- a/src/lib/general.h ++++ b/src/lib/general.h +@@ -7,8 +7,6 @@ + + #include "pkcs11.h" + +-static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; +- + CK_RV general_init(void *init_args); + CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list); + CK_RV general_get_info(CK_INFO *info); +diff --git a/src/lib/token.c b/src/lib/token.c +index c7211296..63a9a71b 100644 +--- a/src/lib/token.c ++++ b/src/lib/token.c +@@ -20,6 +20,8 @@ + #include "token.h" + #include "utils.h" + ++static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; ++ + void pobject_config_free(pobject_config *c) { + + if (c->is_transient) { diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb index d53d4fa86..63ec18d94 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb @@ -4,13 +4,15 @@ SECTION = "security/tpm" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab" -DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml python3-setuptools-native" +DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native" -SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=1.X \ +SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master \ file://bootstrap_fixup.patch \ - file://0001-remove-local-binary-checkes.patch" + file://0001-remove-local-binary-checkes.patch \ + file://677.patch \ + " -SRCREV = "5d583351028eebd470f50ec35db5dcf00533df31" +SRCREV = "c2d53cc1af6b9df13c832715442853b21048c273" S = "${WORKDIR}/git" @@ -26,6 +28,10 @@ do_compile_append() { } do_install_append() { + install -d ${D}${libdir}/pkcs11 + install -d ${D}${datadir}/p11-kit + rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so + cd ${S}/tools export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}" ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build @@ -33,12 +39,17 @@ do_install_append() { sed -i -e "s:${PYTHON}:${USRBINPATH}/env ${PYTHON_PN}:g" "${D}${bindir}"/tpm2_ptool } -RDEPNDS_${PN} = "tpm2-tools" - PACKAGES =+ "${PN}-tools" -RDEPENDS_${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" FILES_${PN}-tools = "\ ${bindir}/tpm2_ptool \ ${libdir}/${PYTHON_DIR}/* \ -" + " + +FILES_${PN} += "\ + ${libdir}/pkcs11/* \ + ${datadir}/p11-kit/* \ + " + +RDEPNDS_${PN} = "tpm2-tools" +RDEPENDS_${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb index b2486e5be..cc4f191a2 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb @@ -17,7 +17,7 @@ PACKAGECONFIG ??= "" PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, " PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c " -EXTRA_OECONF += "--enable-static --with-udevrulesdir=${base_prefix}/lib/udev/rules.d/" +EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/" EXTRA_OECONF_remove = " --disable-static" @@ -73,6 +73,6 @@ FILES_libtss2-dev = " \ ${libdir}/libtss2*so" FILES_libtss2-staticdev = "${libdir}/libtss*a" -FILES_${PN} = "${libdir}/udev ${base_prefix}/lib/udev" +FILES_${PN} = "${libdir}/udev ${nonarch_base_libdir}/udev" RDEPENDS_libtss2 = "libgcrypt" diff --git a/meta-security/recipes-core/busybox/busybox/head.cfg b/meta-security/recipes-core/busybox/busybox/head.cfg deleted file mode 100644 index 16017ea48..000000000 --- a/meta-security/recipes-core/busybox/busybox/head.cfg +++ /dev/null @@ -1 +0,0 @@ -CONFIG_FEATURE_FANCY_HEAD=y diff --git a/meta-security/recipes-core/busybox/busybox_%.bbappend b/meta-security/recipes-core/busybox/busybox_%.bbappend deleted file mode 100644 index 27a24824d..000000000 --- a/meta-security/recipes-core/busybox/busybox_%.bbappend +++ /dev/null @@ -1 +0,0 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)} diff --git a/meta-security/recipes-core/busybox/busybox_libsecomp.inc b/meta-security/recipes-core/busybox/busybox_libsecomp.inc deleted file mode 100644 index 4af22ce3e..000000000 --- a/meta-security/recipes-core/busybox/busybox_libsecomp.inc +++ /dev/null @@ -1,3 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:" - -SRC_URI_append = " file://head.cfg" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework.inc b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc new file mode 100644 index 000000000..dad9c967c --- /dev/null +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc @@ -0,0 +1,16 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI_append = "\ + file://dmverity \ +" + +do_install_append() { + # dm-verity + install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity +} + +PACKAGES_append = " initramfs-module-dmverity" + +SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support" +RDEPENDS_initramfs-module-dmverity = "${PN}-base" +FILES_initramfs-module-dmverity = "/init.d/80-dmverity" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend index dad9c967c..dc74e017f 100644 --- a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend @@ -1,16 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI_append = "\ - file://dmverity \ -" - -do_install_append() { - # dm-verity - install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity -} - -PACKAGES_append = " initramfs-module-dmverity" - -SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support" -RDEPENDS_initramfs-module-dmverity = "${PN}-base" -FILES_initramfs-module-dmverity = "/init.d/80-dmverity" +require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity', 'initramfs-framework.inc', '', d)} diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index 9ac0d2c25..e7b6d9bf3 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -37,7 +37,6 @@ RDEPENDS_packagegroup-security-utils = "\ pinentry \ python3-privacyidea \ python3-fail2ban \ - python3-scapy \ softhsm \ libest \ opendnssec \ @@ -51,9 +50,9 @@ RDEPENDS_packagegroup-security-scanners = "\ isic \ nikto \ checksecurity \ - ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam",d)} \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \ " -RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam" +RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-daemon clamav-freshclam" SUMMARY_packagegroup-security-audit = "Security Audit tools " RDEPENDS_packagegroup-security-audit = " \ @@ -68,11 +67,14 @@ RDEPENDS_packagegroup-security-hardening = " \ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS_packagegroup-security-ids = " \ - tripwire \ samhain-standalone \ ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \ + ossec-hids \ + aide \ " +RDEPENDS_packagegroup-security-ids_remove_libc-musl = "ossec-hids" + SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ @@ -80,13 +82,13 @@ RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ " +RDEPENDS_packagegroup-security-mac_remove_mipsarch = "apparmor" + RDEPENDS_packagegroup-meta-security-ptest-packages = "\ ptest-runner \ samhain-standalone-ptest \ libseccomp-ptest \ - python3-scapy-ptest \ suricata-ptest \ - tripwire-ptest \ python3-fail2ban-ptest \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ " diff --git a/meta-security/recipes-ids/aide/aide/aide.conf b/meta-security/recipes-ids/aide/aide/aide.conf new file mode 100644 index 000000000..2c99e0752 --- /dev/null +++ b/meta-security/recipes-ids/aide/aide/aide.conf @@ -0,0 +1,94 @@ +# Example configuration file for AIDE. + +@@define DBDIR /usr/lib/aide +@@define LOGDIR /usr/lib/aide/logs + +# The location of the database to be read. +database_in=file:@@{DBDIR}/aide.db.gz + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.gz + +# Whether to gzip the output to database +gzip_dbout=yes + +# Default. +log_level=warning + +report_url=file:@@{LOGDIR}/aide.log +report_url=stdout +#report_url=stderr +#NOT IMPLEMENTED report_url=mailto:root@foo.com +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH + +# These are the default rules. +# +#p: permissions +#i: inode: +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#acl: Access Control Lists +#selinux SELinux security context +#xattrs: Extended file attributes +#md5: md5 checksum +#sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum + +#haval: haval checksum (MHASH only) +#gost: gost checksum (MHASH only) +#crc32: crc32 checksum (MHASH only) +#whirlpool: whirlpool checksum (MHASH only) + +FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 + +#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 +#L: p+i+n+u+g+acl+selinux+xattrs +#E: Empty group +#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs + +# You can create custom rules like this. +# With MHASH... +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger +# Everything but access time (Ie. all changes) +EVERYTHING = R+ALLXTRAHASHES + +# Sane, with multiple hashes +# NORMAL = R+rmd160+sha256+whirlpool +NORMAL = FIPSR+sha512 + +# For directories, don't bother doing hashes +DIR = p+i+n+u+g+acl+selinux+xattrs + +# Access control only +PERMS = p+i+u+g+acl+selinux + +# Logfile are special, in that they often change +LOG = > + +# Just do sha256 and sha512 hashes +LSPP = FIPSR+sha512 + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 + +# Next decide what directories/files you want in the database. + +# Check only permissions, inode, user and group for /etc, but +# cover some important files closely. +/bin NORMAL +/sbin NORMAL +/lib NORMAL diff --git a/meta-security/recipes-ids/aide/aide_0.17.3.bb b/meta-security/recipes-ids/aide/aide_0.17.3.bb new file mode 100644 index 000000000..522cd85fe --- /dev/null +++ b/meta-security/recipes-ids/aide/aide_0.17.3.bb @@ -0,0 +1,41 @@ +SUMMARY = "Advanced Intrusion Detection Environment" +HOMEPAGE = "https://aide.github.io" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" +LICENSE = "GPL-2.0" + +DEPENDS = "bison-native libpcre" + +SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \ + file://aide.conf" + +SRC_URI[sha256sum] = "a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8" + +inherit autotools pkgconfig + +PACKAGECONFIG ??=" mhash zlib e2fsattrs \ + ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \ + " +PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux, libselinux" +PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib " +PACKAGECONFIG[xattr] = "--with-xattr, --without-xattr, attr, attr" +PACKAGECONFIG[curl] = "--with-curl, --without-curl, curl, libcurl" +PACKAGECONFIG[audit] = "--with-audit, --without-audit," +PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt" +PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash" +PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs" + +do_install_append () { + install -d ${D}${libdir}/${PN}/logs + install -d ${D}${sysconfdir} + install ${WORKDIR}/aide.conf ${D}${sysconfdir}/ +} + +CONF_FILE = "${sysconfdir}/aide.conf" + +FILES_${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf" + +pkg_postinst_ontarget_${PN} () { + /usr/bin/aide -i +} +RDPENDS_${PN} = "bison, libpcre" diff --git a/meta-security/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch b/meta-security/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch new file mode 100644 index 000000000..08e018f25 --- /dev/null +++ b/meta-security/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch @@ -0,0 +1,37 @@ +From b948d36a8ca8e04794381f0f6eba29daf7e3fd01 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Wed, 21 Apr 2021 00:56:53 +0000 +Subject: [PATCH 1/2] Makefile: drop running scrips @ install + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Armin Kuster <akuster808@gmail.com> +--- + src/Makefile | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/Makefile b/src/Makefile +index 06a7094c..dfb8cb58 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -409,7 +409,6 @@ install-hybrid: install-server-generic + install-server: install-server-generic + + install-common: build +- ./init/adduser.sh ${OSSEC_USER} ${OSSEC_USER_MAIL} ${OSSEC_USER_REM} ${OSSEC_GROUP} ${PREFIX} + $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/ + $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs + $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/ossec.log +@@ -485,9 +484,6 @@ endif + $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/var + $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/var/run + +- ./init/fw-check.sh execute +- +- + + install-server-generic: install-common + $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/active-responses.log +-- +2.25.1 + diff --git a/meta-security/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch b/meta-security/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch new file mode 100644 index 000000000..d5e3403d8 --- /dev/null +++ b/meta-security/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch @@ -0,0 +1,251 @@ +From d9ec907881b72d42b4918f7cfb46516ce8e77772 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Sat, 24 Apr 2021 23:07:29 +0000 +Subject: [PATCH 2/2] Makefile: don't set uid/gid + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Armin Kuster <akuster808@gmail.com> +--- + src/Makefile | 166 +++++++++++++++++++++++++-------------------------- + 1 file changed, 83 insertions(+), 83 deletions(-) + +diff --git a/src/Makefile b/src/Makefile +index dfb8cb58..a4d69ef6 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -21,7 +21,7 @@ OSSEC_USER?=ossec + OSSEC_USER_MAIL?=ossecm + OSSEC_USER_REM?=ossecr + +-INSTALL_CMD?=install -m $(1) -o $(2) -g $(3) ++INSTALL_CMD?=install -m $(1) + INSTALL_LOCALTIME?=yes + INSTALL_RESOLVCONF?=yes + +@@ -397,10 +397,10 @@ endif + install: install-${TARGET} + + install-agent: install-common +- $(call INSTALL_CMD,0550,root,0) ossec-agentd ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) agent-auth ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-agentd ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) agent-auth ${PREFIX}/bin + +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rids + + install-local: install-server-generic + +@@ -409,129 +409,129 @@ install-hybrid: install-server-generic + install-server: install-server-generic + + install-common: build +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/ +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs +- $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/ossec.log +- +- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-logcollector ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-syscheckd ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-execd ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) manage_agents ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ../contrib/util.sh ${PREFIX}/bin/ +- $(call INSTALL_CMD,0550,root,0) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/ ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs ++ $(call INSTALL_CMD,0660) /dev/null ${PREFIX}/logs/ossec.log ++ ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-logcollector ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-syscheckd ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-execd ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) manage_agents ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ../contrib/util.sh ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control + + ifeq (${LUA_ENABLE},yes) +- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua +- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/native +- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/compiled +- $(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/ +- $(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/lua ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/lua/native ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/lua/compiled ++ $(call INSTALL_CMD,0550) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/ + endif + +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/queue +- $(call INSTALL_CMD,0770,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/alerts +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/ossec +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/syscheck +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/diff ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/queue ++ $(call INSTALL_CMD,0770) -d ${PREFIX}/queue/alerts ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/ossec ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/syscheck ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/diff + +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/etc ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/etc + ifeq (${INSTALL_LOCALTIME},yes) +- $(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/localtime ${PREFIX}/etc ++ $(call INSTALL_CMD,0440) /etc/localtime ${PREFIX}/etc + endif + ifeq (${INSTALL_RESOLVCONF},yes) +- $(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/resolv.conf ${PREFIX}/etc ++ $(call INSTALL_CMD,0440) /etc/resolv.conf ${PREFIX}/etc + endif + +- $(call INSTALL_CMD,1550,root,${OSSEC_GROUP}) -d ${PREFIX}/tmp ++ $(call INSTALL_CMD,1550) -d ${PREFIX}/tmp + + ifneq (,$(wildcard /etc/TIMEZONE)) +- $(call INSTALL_CMD,440,root,${OSSEC_GROUP}) /etc/TIMEZONE ${PREFIX}/etc/ ++ $(call INSTALL_CMD,440) /etc/TIMEZONE ${PREFIX}/etc/ + endif + # Solaris Needs some extra files + ifeq (${uname_S},SunOS) +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/usr/share/lib/zoneinfo/ ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/usr/share/lib/zoneinfo/ + cp -r /usr/share/lib/zoneinfo/* ${PREFIX}/usr/share/lib/zoneinfo/ + endif +- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/internal_options.conf ${PREFIX}/etc/ ++ $(call INSTALL_CMD,0640) -b ../etc/internal_options.conf ${PREFIX}/etc/ + ifeq (,$(wildcard ${PREFIX}/etc/local_internal_options.conf)) +- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf ++ $(call INSTALL_CMD,0640) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf + endif + ifeq (,$(wildcard ${PREFIX}/etc/client.keys)) +- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) /dev/null ${PREFIX}/etc/client.keys ++ $(call INSTALL_CMD,0640) /dev/null ${PREFIX}/etc/client.keys + endif + ifeq (,$(wildcard ${PREFIX}/etc/ossec.conf)) + ifneq (,$(wildcard ../etc/ossec.mc)) +- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf ++ $(call INSTALL_CMD,0640) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf + else +- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf ++ $(call INSTALL_CMD,0640) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf + endif + endif + +- $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/etc/shared +- $(call INSTALL_CMD,0640,${OSSEC_USER},${OSSEC_GROUP}) rootcheck/db/*.txt ${PREFIX}/etc/shared/ ++ $(call INSTALL_CMD,0770) -d ${PREFIX}/etc/shared ++ $(call INSTALL_CMD,0640) rootcheck/db/*.txt ${PREFIX}/etc/shared/ + +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response/bin +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/agentless +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) agentlessd/scripts/* ${PREFIX}/agentless/ ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/active-response ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/active-response/bin ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/agentless ++ $(call INSTALL_CMD,0550) agentlessd/scripts/* ${PREFIX}/agentless/ + +- $(call INSTALL_CMD,0700,root,${OSSEC_GROUP}) -d ${PREFIX}/.ssh ++ $(call INSTALL_CMD,0700) -d ${PREFIX}/.ssh + +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/*.sh ${PREFIX}/active-response/bin/ +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/ ++ $(call INSTALL_CMD,0550) ../active-response/*.sh ${PREFIX}/active-response/bin/ ++ $(call INSTALL_CMD,0550) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/ + +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/var +- $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/var/run ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/var ++ $(call INSTALL_CMD,0770) -d ${PREFIX}/var/run + + + install-server-generic: install-common +- $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/active-responses.log +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/archives +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/alerts +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/firewall +- +- $(call INSTALL_CMD,0550,root,0) ossec-agentlessd ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-analysisd ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-monitord ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-reportd ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-maild ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-remoted ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-logtest ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-csyslogd ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-authd ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-dbd ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) ossec-makelists ${PREFIX}/bin +- $(call INSTALL_CMD,0550,root,0) verify-agent-conf ${PREFIX}/bin/ +- $(call INSTALL_CMD,0550,root,0) clear_stats ${PREFIX}/bin/ +- $(call INSTALL_CMD,0550,root,0) list_agents ${PREFIX}/bin/ +- $(call INSTALL_CMD,0550,root,0) ossec-regex ${PREFIX}/bin/ +- $(call INSTALL_CMD,0550,root,0) syscheck_update ${PREFIX}/bin/ +- $(call INSTALL_CMD,0550,root,0) agent_control ${PREFIX}/bin/ +- $(call INSTALL_CMD,0550,root,0) syscheck_control ${PREFIX}/bin/ +- $(call INSTALL_CMD,0550,root,0) rootcheck_control ${PREFIX}/bin/ +- +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/stats +- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/rules ++ $(call INSTALL_CMD,0660) /dev/null ${PREFIX}/logs/active-responses.log ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs/archives ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs/alerts ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs/firewall ++ ++ $(call INSTALL_CMD,0550) ossec-agentlessd ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-analysisd ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-monitord ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-reportd ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-maild ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-remoted ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-logtest ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-csyslogd ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-authd ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-dbd ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) ossec-makelists ${PREFIX}/bin ++ $(call INSTALL_CMD,0550) verify-agent-conf ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) clear_stats ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) list_agents ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) ossec-regex ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) syscheck_update ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) agent_control ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) syscheck_control ${PREFIX}/bin/ ++ $(call INSTALL_CMD,0550) rootcheck_control ${PREFIX}/bin/ ++ ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/stats ++ $(call INSTALL_CMD,0550) -d ${PREFIX}/rules + ifneq (,$(wildcard ${PREFIX}/rules/local_rules.xml)) + cp ${PREFIX}/rules/local_rules.xml ${PREFIX}/rules/local_rules.xml.installbackup +- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules +- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml ++ $(call INSTALL_CMD,0640) -b ../etc/rules/*.xml ${PREFIX}/rules ++ $(call INSTALL_CMD,0640) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml + rm ${PREFIX}/rules/local_rules.xml.installbackup + else +- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules ++ $(call INSTALL_CMD,0640) -b ../etc/rules/*.xml ${PREFIX}/rules + endif + +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/fts ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/fts + +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rootcheck ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rootcheck + +- $(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/agent-info +- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/agentless ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/agent-info ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/agentless + +- $(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids ++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rids + +- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/decoder.xml ${PREFIX}/etc/ ++ $(call INSTALL_CMD,0640) ../etc/decoder.xml ${PREFIX}/etc/ + + rm -f ${PREFIX}/etc/shared/merged.mg + +-- +2.25.1 + diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb new file mode 100644 index 000000000..778278b47 --- /dev/null +++ b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb @@ -0,0 +1,165 @@ +SUMMARY = "A full platform to monitor and control your systems" +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=d625d1520b5e38faefb81cf9772badc9" + + +DEPENDS = "openssl libpcre2 zlib libevent" +SRC_URI = "git://github.com/ossec/ossec-hids;branch=master \ + file://0001-Makefile-drop-running-scrips-install.patch \ + file://0002-Makefile-don-t-set-uid-gid.patch \ + " + +SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2" + +UPSTREAM_CHECK_COMMITS = "1" + +inherit autotools-brokensep useradd + +S = "${WORKDIR}/git" + +OSSEC_UID ?= "ossec" +OSSEC_RUID ?= "ossecr" +OSSEC_GID ?= "ossec" +OSSEC_EMAIL ?= "ossecm" + +do_configure[noexec] = "1" + +do_compile() { + cd ${S}/src + make PREFIX=${prefix} TARGET=local USE_SYSTEMD=No build +} + +do_install(){ + install -d ${D}${sysconfdir} + install -d ${D}/var/ossec/${sysconfdir} + + cd ${S}/src + make TARGET=local PREFIX=${D}/var/ossec install + + echo "DIRECTORY=\"/var/ossec\"" > ${D}/${sysconfdir}/ossec-init.conf + echo "VERSION=\"${PV}\"" >> ${D}/${sysconfdir}/ossec-init.conf + echo "DATE=\"`date`\"" >> ${D}/${sysconfdir}/ossec-init.conf + echo "TYPE=\"local\"" >> ${D}/${sysconfdir}/ossec-init.conf + chmod 600 ${D}/${sysconfdir}/ossec-init.conf + install -m 640 ${D}/${sysconfdir}/ossec-init.conf ${D}/var/ossec/${sysconfdir}/ossec-init.conf +} + +pkg_postinst_ontarget_${PN} () { + DIR="/var/ossec" + + usermod -g ossec -G ossec -a root + + # Default for all directories + chmod -R 550 ${DIR} + chown -R root:${OSSEC_GID} ${DIR} + + # To the ossec queue (default for agentd to read) + chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/ossec + chmod -R 770 ${DIR}/queue/ossec + + # For the logging user + chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs + chmod -R 750 ${DIR}/logs + chmod -R 775 ${DIR}/queue/rids + touch ${DIR}/logs/ossec.log + chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs/ossec.log + chmod 664 ${DIR}/logs/ossec.log + + chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/diff + chmod -R 750 ${DIR}/queue/diff + chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1 || true + + # For the etc dir + chmod 550 ${DIR}/etc + chown -R root:${OSSEC_GID} ${DIR}/etc + if [ -f /etc/localtime ]; then + cp -pL /etc/localtime ${DIR}/etc/; + chmod 555 ${DIR}/etc/localtime + chown root:${OSSEC_GID} ${DIR}/etc/localtime + fi + + if [ -f /etc/TIMEZONE ]; then + cp -p /etc/TIMEZONE ${DIR}/etc/; + chmod 555 ${DIR}/etc/TIMEZONE + fi + + # More files + chown root:${OSSEC_GID} ${DIR}/etc/internal_options.conf + chown root:${OSSEC_GID} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true + chown root:${OSSEC_GID} ${DIR}/etc/client.keys >/dev/null 2>&1 || true + chown root:${OSSEC_GID} ${DIR}/agentless/* + chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/.ssh + chown root:${OSSEC_GID} ${DIR}/etc/shared/* + + chmod 550 ${DIR}/etc + chmod 440 ${DIR}/etc/internal_options.conf + chmod 660 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true + chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1 || true + chmod 550 ${DIR}/agentless/* + chmod 700 ${DIR}/.ssh + chmod 770 ${DIR}/etc/shared + chmod 660 ${DIR}/etc/shared/* + + # For the /var/run + chmod 770 ${DIR}/var/run + chown root:${OSSEC_GID} ${DIR}/var/run + + # For util.sh + chown root:${OSSEC_GID} ${DIR}/bin/util.sh + chmod +x ${DIR}/bin/util.sh + + # For binaries and active response + chmod 755 ${DIR}/active-response/bin/* + chown root:${OSSEC_GID} ${DIR}/active-response/bin/* + chown root:${OSSEC_GID} ${DIR}/bin/* + chmod 550 ${DIR}/bin/* + + # For ossec.conf + chown root:${OSSEC_GID} ${DIR}/etc/ossec.conf + chmod 660 ${DIR}/etc/ossec.conf + + # Debconf + . /usr/share/debconf/confmodule + db_input high ossec-hids-agent/server-ip || true + db_go + + db_get ossec-hids-agent/server-ip + SERVER_IP=$RET + + sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${DIR}/etc/ossec.conf + db_stop + + # ossec-init.conf + if [ -e ${DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then + if [ -e /etc/ossec-init.conf ]; then + rm -f /etc/ossec-init.conf + fi + ln -s ${DIR}/etc/ossec-init.conf /etc/ossec-init.conf + fi + + # init.d/ossec file + if [ -x ${DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then + if [ -e /etc/init.d/ossec ]; then + rm -f /etc/init.d/ossec + fi + ln -s ${DIR}/etc/init.d/ossec /etc/init.d/ossec + fi + + # Service + if [ -x /etc/init.d/ossec ]; then + update-rc.d -f ossec defaults + fi + + # Delete tmp directory + if [ -d ${OSSEC_HIDS_TMP_DIR} ]; then + rm -r ${OSSEC_HIDS_TMP_DIR} + fi +} + +USERADD_PACKAGES = "${PN}" +USERADD_PARAM_${PN} = "--system --home-dir /var/ossec -g ossec --shell /bin/false ossec" +GROUPADD_PARAM_${PN} = "--system ossec" + +RDEPENDS_${PN} = "openssl bash" + +COMPATIBLE_HOST_libc-musl = "null" diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb b/meta-security/recipes-ids/suricata/suricata_4.1.10.bb index 3f7beaacf..bf088433a 100644 --- a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb +++ b/meta-security/recipes-ids/suricata/suricata_4.1.10.bb @@ -12,6 +12,8 @@ SRC_URI += " \ file://run-ptest \ " +UPSTREAM_CHECK_URI = "www.openinfosecfoundation.org/download" + inherit autotools-brokensep pkgconfig python3-dir systemd ptest CFLAGS += "-D_DEFAULT_SOURCE -fcommon" diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb index 4f50bff73..36e5d00b7 100644 --- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb +++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb @@ -73,3 +73,5 @@ FILES_${PN}-ptest += "${PTEST_PATH}/tests " RDEPENDS_${PN} += " perl nano msmtp cronie" RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules " + +PNBLACKLIST[tripwire] ?= "Upsteram project appears to be abondoned, fails to build with gcc11" diff --git a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend deleted file mode 100644 index 6bc40cd96..000000000 --- a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend +++ /dev/null @@ -1,4 +0,0 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend index fa536d095..1d9054faa 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend @@ -1,3 +1 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" +require ${@bb.utils.contains('DISTRO_FEATURES', 'security', '${BPN}_security.inc', '', d)} diff --git a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_security.inc index fa536d095..fa536d095 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto_security.inc diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb index dbc195d35..287b4e82b 100644 --- a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb +++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb @@ -5,14 +5,14 @@ SECTION = "security" HOMEPAGE = "https://www.openwall.com/lkrg/" LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://LICENSE;md5=d931f44a1f4be309bcdac742d7ed92f9" +LIC_FILES_CHKSUM = "file://LICENSE;md5=5105ead24b08a32954f34cbaa7112432" DEPENDS = "virtual/kernel elfutils" SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \ file://makefile_cleanup.patch " -SRC_URI[sha256sum] = "a997e4d98962c359f3af163bbcfa38a736d2a50bfe35c15065b74cb57f8742bf" +SRC_URI[sha256sum] = "cabbee1addbf3ae23a584203831e4bd1b730d22bfd1b3e44883214f220b3babd" S = "${WORKDIR}/lkrg-${PV}" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb index 015205d49..d9c3e4d83 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb @@ -177,8 +177,9 @@ SYSTEMD_AUTO_ENABLE ?= "enable" PACKAGES += "mod-${PN}" -FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" +FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages" FILES_mod-${PN} = "${libdir}/apache2/modules/*" +FILES_${PN}-dbg += "/lib/security/" DEPENDS_append_libc-musl = " fts " RDEPENDS_${PN}_libc-musl += "musl-utils" diff --git a/meta-security/recipes-mac/smack/smack_1.3.1.bb b/meta-security/recipes-mac/smack/smack_1.3.1.bb index b1ea4e9ff..88ae56cde 100644 --- a/meta-security/recipes-mac/smack/smack_1.3.1.bb +++ b/meta-security/recipes-mac/smack/smack_1.3.1.bb @@ -13,6 +13,11 @@ SRC_URI = " \ PV = "1.3.1" +# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other product. +CVE_CHECK_WHITELIST += "CVE-2014-0363" +CVE_CHECK_WHITELIST += "CVE-2014-0364" +CVE_CHECK_WHITELIST += "CVE-2016-10027" + inherit autotools update-rc.d pkgconfig ptest inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} inherit features_check diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb index 36e498dfb..4f203095c 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb @@ -8,16 +8,17 @@ DEPENDS = "glibc llvm libtool db openssl zlib curl libxml2 bison pcre2 json-c li LIC_FILES_CHKSUM = "file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b273d5902896f7bbe17" -SRCREV = "5553a5e206ceae5d920368baee7d403f823bcb6f" +# May 15th +SRCREV = "fe96de86bb90c489aa509ee9135f776b7a2a7eb4" SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=dev/0.104 \ file://clamd.conf \ file://freshclam.conf \ file://volatiles.03_clamav \ file://tmpfiles.clamav \ - file://${BPN}.service \ file://headers_fixup.patch \ file://oe_cmake_fixup.patch \ + file://fix_systemd_socket.patch \ " S = "${WORKDIR}/git" @@ -28,6 +29,8 @@ BINCONFIG = "${bindir}/clamav-config" inherit cmake chrpath pkgconfig useradd systemd multilib_header multilib_script +UPSTREAM_CHECK_COMMITS = "1" + CLAMAV_UID ?= "clamav" CLAMAV_GID ?= "clamav" @@ -67,31 +70,29 @@ do_install_append () { rm ${D}/${libdir}/libmspack.so if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then - install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service install -d ${D}${sysconfdir}/tmpfiles.d install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf fi oe_multilib_header clamav-types.h } -pkg_postinst_ontarget_${PN} () { - if command -v systemd-tmpfiles >/dev/null; then - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf - elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then - ${sysconfdir}/init.d/populate-volatile.sh update +pkg_postinst_${PN} () { + if [ -z "$D" ]; then + if command -v systemd-tmpfiles >/dev/null; then + systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf + elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi + chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav fi - mkdir -p ${localstatedir}/lib/clamav - chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav } - -PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \ - ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev" +PACKAGES += "${PN}-daemon ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav" FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit ${sbindir}/clamonacc \ ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \ ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \ - ${docdir}/clamav/* ${libdir}/libmspack* " + ${docdir}/clamav/*" FILES_${PN}-clamdscan = " ${bindir}/clamdscan \ ${docdir}/clamdscan/* \ @@ -103,11 +104,11 @@ FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \ ${mandir}/man5/clamd* ${mandir}/man8/clamd* \ ${sysconfdir}/clamd.conf* \ /usr/etc/clamd.conf* \ - ${systemd_unitdir}/system/clamav-daemon/* \ + ${systemd_system_unitdir}/clamav-daemon/* \ ${docdir}/clamav-daemon/* ${sysconfdir}/clamav-daemon \ ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon \ - ${systemd_unitdir}/system/clamav-daemon.service \ - ${systemd_unitdir}/system/clamav-clamonacc.service \ + ${systemd_system_unitdir}/clamav-daemon.service \ + ${systemd_system_unitdir}/clamav-clamonacc.service \ " FILES_${PN}-freshclam = "${bindir}/freshclam \ @@ -118,7 +119,7 @@ FILES_${PN}-freshclam = "${bindir}/freshclam \ ${localstatedir}/lib/clamav \ ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \ ${mandir}/man5/freshclam.conf.* \ - ${systemd_unitdir}/system/clamav-freshclam.service" + ${systemd_system_unitdir}/clamav-freshclam.service" FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \ ${libdir}/pkgconfig/*.pc \ @@ -128,7 +129,8 @@ FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \ FILES_${PN}-staticdev = "${libdir}/*.a" FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so* \ - ${libdir}/libfreshclam.so* ${docdir}/libclamav/* " + ${libdir}/libfreshclam.so* ${docdir}/libclamav/* \ + ${libdir}/libmspack* " FILES_${PN}-doc = "${mandir}/man/* \ ${datadir}/man/* \ @@ -137,12 +139,15 @@ FILES_${PN}-doc = "${mandir}/man/* \ USERADD_PACKAGES = "${PN}" GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}" USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir \ - ${localstatedir}/spool/${BPN} \ - --no-create-home --shell /bin/false ${BPN}" + ${localstatedir}/lib/${BPN} \ + --no-create-home --shell /sbin/nologin ${BPN}" RPROVIDES_${PN} += "${PN}-systemd" RREPLACES_${PN} += "${PN}-systemd" RCONFLICTS_${PN} += "${PN}-systemd" -SYSTEMD_SERVICE_${PN} = "${BPN}.service" +SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-freshclam" +SYSTEMD_SERVICE_${PN}-daemon = "clamav-daemon.service" +SYSTEMD_SERVICE_${PN}-freshclam = "clamav-freshclam.service" RDEPENDS_${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" +RDEPENDS_${PN}-daemon = "clamav" diff --git a/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch b/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch new file mode 100644 index 000000000..3e9abe236 --- /dev/null +++ b/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch @@ -0,0 +1,25 @@ +clamd not installing clamav-daemon.socket + +Fixes: +__main__.SystemdUnitNotFoundError: (PosixPath('../security-build-image/1.0-r0/rootfs'), 'clamav-daemon.socket') +%post(clamav-daemon-0.104.0-r0.core2_64): waitpid(3587571) rc 3587571 status 100 +warning: %post(clamav-daemon-0.104.0-r0.core2_64) scriptlet failed, exit status 1 + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: git/clamd/CMakeLists.txt +=================================================================== +--- git.orig/clamd/CMakeLists.txt ++++ git/clamd/CMakeLists.txt +@@ -54,4 +54,10 @@ if(SYSTEMD_FOUND) + install( + FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.service + DESTINATION ${SYSTEMD_UNIT_DIR}) ++ configure_file( ++ ${CMAKE_CURRENT_SOURCE_DIR}/clamav-daemon.socket.in ++ ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.socket @ONLY) ++ install( ++ FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.socket ++ DESTINATION ${SYSTEMD_UNIT_DIR}) + endif() diff --git a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb index d73922778..8d3b5311f 100644 --- a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb +++ b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb @@ -9,8 +9,8 @@ DEPENDS = "libnl openssl sqlite3 libpcre libpcap" SRC_URI = "http://download.aircrack-ng.org/${BP}.tar.gz" -SRC_URI[md5sum] = "c7c5b076dee0c25ee580b0f56f455623" -SRC_URI[sha256sum] = "8ae08a7c28741f6ace2769267112053366550e7f746477081188ad38410383ca" +SRC_URI[md5sum] = "22ddc85549b51ed0da0931d01ef215e5" +SRC_URI[sha256sum] = "4f0bfd486efc6ea7229f7fbc54340ff8b2094a0d73e9f617e0a39f878999a247" inherit autotools-brokensep pkgconfig @@ -29,6 +29,8 @@ do_install () { make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install } -FILES_${PN} += "/usr/local/" +FILES_${PN} += "${libdir}/*.so" +FILES_SOLIBSDEV = "" +INSANE_SKIP_${PN} += "dev-so" RDEPENDS_${PN} = "libpcap" diff --git a/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb b/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb index f7859a71c..88c58ed26 100644 --- a/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb +++ b/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb @@ -21,7 +21,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \ file://src/oid_ops.c;beginline=378;endline=398;md5=e02c165cb8383e950214baca2fbd664b \ " -SRC_URI = "http://www.citi.umich.edu/projects/nfsv4/linux/${BPN}/${BP}.tar.gz \ +SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.bz2 \ file://libgssglue-canon-name.patch \ file://libgssglue-gss-inq-cred.patch \ file://libgssglue-mglueP.patch \ @@ -29,8 +29,8 @@ SRC_URI = "http://www.citi.umich.edu/projects/nfsv4/linux/${BPN}/${BP}.tar.gz \ file://libgssglue-fix-CVE-2011-2709.patch \ " -SRC_URI[md5sum] = "088797f3180702fa54e786496b32e750" -SRC_URI[sha256sum] = "3f791a75502ba723e5e85e41e5e0c711bb89e2716b7c0ec6e74bd1df6739043a" +SRC_URI[md5sum] = "5ce81940965fa68c7635c42dcafcddfe" +SRC_URI[sha256sum] = "bb47b2de78409f461811d0db8595c66e6631a9879c3621a35e4434b104ee52f5" # gssglue can use krb5, spkm3... as gssapi library, configurable RRECOMMENDS_${PN} += "krb5" diff --git a/meta-security/recipes-security/libseccomp/files/run-ptest b/meta-security/recipes-security/libseccomp/files/run-ptest deleted file mode 100644 index 54b4a63cd..000000000 --- a/meta-security/recipes-security/libseccomp/files/run-ptest +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh - -cd tests -./regression -a diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.5.1.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.1.bb deleted file mode 100644 index 40ac1a890..000000000 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.5.1.bb +++ /dev/null @@ -1,47 +0,0 @@ -SUMMARY = "interface to seccomp filtering mechanism" -DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp." -SECTION = "security" -LICENSE = "LGPL-2.1" -LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" - -DEPENDS += "gperf-native" - -SRCREV = "4bf70431a339a2886ab8c82e9a45378f30c6e6c7" - -SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \ - file://run-ptest \ - " - -COMPATIBLE_HOST_riscv32 = "null" - -S = "${WORKDIR}/git" - -inherit autotools-brokensep pkgconfig ptest - -PACKAGECONFIG ??= "" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python3" - -DISABLE_STATIC = "" - -do_compile_ptest() { - oe_runmake -C tests check-build -} - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/tests - install -d ${D}${PTEST_PATH}/tools - for file in $(find tests/* -executable -type f); do - install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests - done - for file in $(find tests/*.tests -type f); do - install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests - done - for file in $(find tools/* -executable -type f); do - install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools - done -} - -FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*" -FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug" - -RDEPENDS_${PN}-ptest = "coreutils bash" diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.8.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb index cf6bdbdab..2b79609fa 100644 --- a/meta-security/recipes-security/opendnssec/opendnssec_2.1.8.bb +++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb @@ -10,7 +10,7 @@ SRC_URI = "https://dist.opendnssec.org/source/opendnssec-${PV}.tar.gz \ file://libdns_conf_fix.patch \ " -SRC_URI[sha256sum] = "900a213103ff19a405e446327fbfcea9ec13e405283d87b6ffc24a10d9a268f5" +SRC_URI[sha256sum] = "6d1d466c8d7f507f3e665f4bfe4d16a68d6bff9d7c2ab65f852e2b2a821c28b5" inherit autotools pkgconfig perlnative diff --git a/meta-security/recipes-security/scapy/files/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest deleted file mode 100644 index 797d8ecf7..000000000 --- a/meta-security/recipes-security/scapy/files/run-ptest +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -UTscapy3 -t regression.uts -f text -l -C \ - -o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \ - 2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/' diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb deleted file mode 100644 index 8d81ed15d..000000000 --- a/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb +++ /dev/null @@ -1,30 +0,0 @@ -SUMMARY = "Network scanning and manipulation tool" -DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc." -SECTION = "security" -LICENSE = "GPLv2" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -S = "${WORKDIR}/git" - -SRCREV = "95ba5b8504152a1f820bbe679ccf03668cb5118f" -SRC_URI = "git://github.com/secdev/scapy.git \ - file://run-ptest" - -S = "${WORKDIR}/git" - -inherit setuptools3 ptest - -do_install_append() { - mv ${D}${bindir}/scapy ${D}${bindir}/scapy3 - mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3 -} - -do_install_ptest() { - install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} - sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest -} - -RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \ - ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ - ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" diff --git a/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch deleted file mode 100644 index b64670c17..000000000 --- a/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch +++ /dev/null @@ -1,34 +0,0 @@ -From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= <jonatan.p@gmail.com> -Date: Fri, 21 Aug 2020 14:45:10 +0200 -Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -AC_CHECK_FILE does not support cross-compilation, and will only check -the host rootfs. Replace AC_CHECK_FILE with a 'test -f <FILE>' instead, -to allow building manpages when cross-compiling. - -Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289] -Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com> ---- - src/external/docbook.m4 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/external/docbook.m4 b/src/external/docbook.m4 -index deb8632fa..acdc89a68 100644 ---- a/src/external/docbook.m4 -+++ b/src/external/docbook.m4 -@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and - dnl if a particular URI appears in the XML catalog - AC_DEFUN([CHECK_STYLESHEET], - [ -- AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])]) -+ AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])]) - - AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog]) - if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then --- -2.26.1 - diff --git a/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch deleted file mode 100644 index c319269e9..000000000 --- a/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 05c315100a70d3372e891e9a0ea981a875b2ec90 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com> -Date: Thu, 27 Feb 2020 06:50:40 +0100 -Subject: [PATCH] nss: Collision with external nss symbol -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -One of our internal static function names started -to collide with external nss symbol. Additional -sss_ suffix was added to avoid the collision. - -This is needed to unblock Fedora Rawhide's -SSSD build. - -Reviewed-by: Pavel Březina <pbrezina@redhat.com> - -Upstream-Status: Backport [https://github.com/SSSD/sssd.git] -Signed-off-by: Hongxu.jia@windriver.com -Signed-off-by: Qi.Chen@windriver.com ---- - src/responder/nss/nss_cmd.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c -index 25e663ed5..a4d4cfc0b 100644 ---- a/src/responder/nss/nss_cmd.c -+++ b/src/responder/nss/nss_cmd.c -@@ -728,11 +728,13 @@ done: - talloc_free(cmd_ctx); - } - --static void nss_setnetgrent_done(struct tevent_req *subreq); -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq); - --static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, -- enum cache_req_type type, -- nss_protocol_fill_packet_fn fill_fn) -+/* This function's name started to collide with external nss symbol, -+ * so it has additional sss_* prefix unlike other functions here. */ -+static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx, -+ enum cache_req_type type, -+ nss_protocol_fill_packet_fn fill_fn) - { - struct nss_ctx *nss_ctx; - struct nss_state_ctx *state_ctx; -@@ -774,7 +776,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, - goto done; - } - -- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx); -+ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx); - - ret = EOK; - -@@ -787,7 +789,7 @@ done: - return EOK; - } - --static void nss_setnetgrent_done(struct tevent_req *subreq) -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq) - { - struct nss_cmd_ctx *cmd_ctx; - errno_t ret; -@@ -1037,8 +1039,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx) - - static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) - { -- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -- nss_protocol_fill_setnetgrent); -+ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -+ nss_protocol_fill_setnetgrent); - } - - static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx) --- -2.21.0 - diff --git a/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch deleted file mode 100644 index 1a2233209..000000000 --- a/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 37a0999e5a9f54e1c61a02a7fbab6fcd04738b3c Mon Sep 17 00:00:00 2001 -From: Armin Kuster <akuster808@gmail.com> -Date: Thu, 8 Oct 2020 05:54:13 -0700 -Subject: [PATCH] Provide missing defines which otherwise are available on - glibc system headers - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Upsteam-Status: Pending - ---- - src/util/util.h | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/util/util.h b/src/util/util.h -index 8a754dbfd..6e55b4bdc 100644 ---- a/src/util/util.h -+++ b/src/util/util.h -@@ -76,6 +76,10 @@ - #define MAX(a, b) (((a) > (b)) ? (a) : (b)) - #endif - -+#ifndef ALLPERMS -+# define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)/* 07777 */ -+#endif -+ - #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS - - #define SSSD_SERVER_OPTS(uid, gid) \ --- -2.17.1 - diff --git a/meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch b/meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch new file mode 100644 index 000000000..338af5d36 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch @@ -0,0 +1,28 @@ +nsupdate path is needed for various exec call +but don't run natvie tests on it. + + +Upstream-Status: Inappropriate [OE specific] +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: sssd-2.5.0/src/external/nsupdate.m4 +=================================================================== +--- sssd-2.5.0.orig/src/external/nsupdate.m4 ++++ sssd-2.5.0/src/external/nsupdate.m4 +@@ -3,16 +3,4 @@ AC_MSG_CHECKING(for executable nsupdate) + if test -x "$NSUPDATE"; then + AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate]) + AC_MSG_RESULT(yes) +- +- AC_MSG_CHECKING(for nsupdate 'realm' support') +- if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then +- AC_MSG_RESULT([yes]) +- else +- AC_MSG_RESULT([no]) +- AC_MSG_ERROR([nsupdate does not support 'realm']) +- fi +- +-else +- AC_MSG_RESULT([no]) +- AC_MSG_ERROR([nsupdate is not available]) + fi diff --git a/meta-security/recipes-security/sssd/files/fix_gid.patch b/meta-security/recipes-security/sssd/files/fix_gid.patch new file mode 100644 index 000000000..9b481ccb9 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/fix_gid.patch @@ -0,0 +1,27 @@ +from ../sssd-2.5.0/src/util/sss_pam_data.c:27: +| ../sssd-2.5.0/src/util/debug.h:88:44: error: unknown type name 'uid_t'; did you mean 'uint_t'? +| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid); +| | ^~~~~ +| | uint_t +| ../sssd-2.5.0/src/util/debug.h:88:55: error: unknown type name 'gid_t' +| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid); +| | ^~~~~ +| make[2]: *** [Makefile:22529: src/util/libsss_iface_la-sss_pam_data.lo] Error 1 +| make[2]: *** Waiting for unfinished jobs.... + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: sssd-2.5.0/src/util/debug.h +=================================================================== +--- sssd-2.5.0.orig/src/util/debug.h ++++ sssd-2.5.0/src/util/debug.h +@@ -24,6 +24,8 @@ + #include "config.h" + + #include <stdio.h> ++#include <unistd.h> ++#include <sys/types.h> + #include <stdbool.h> + + #include "util/util_errors.h" diff --git a/meta-security/recipes-security/sssd/files/no_gen.patch b/meta-security/recipes-security/sssd/files/no_gen.patch new file mode 100644 index 000000000..5c8377704 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/no_gen.patch @@ -0,0 +1,19 @@ +don't run generate-sbus-code + +Upstream-Status: Inappropriate [OE Specific] + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: sssd-2.5.0/Makefile.am +=================================================================== +--- sssd-2.5.0.orig/Makefile.am ++++ sssd-2.5.0/Makefile.am +@@ -1033,8 +1033,6 @@ generate-sbus-code: + + .PHONY: generate-sbus-code + +-BUILT_SOURCES += generate-sbus-code +- + EXTRA_DIST += \ + sbus_generate.sh.in \ + src/sbus/codegen/dbus.xml \ diff --git a/meta-security/recipes-security/sssd/sssd_1.16.5.bb b/meta-security/recipes-security/sssd/sssd_2.5.0.bb index 9784ec77d..84b7b0e46 100644 --- a/meta-security/recipes-security/sssd/sssd_1.16.5.bb +++ b/meta-security/recipes-security/sssd/sssd_2.5.0.bb @@ -5,8 +5,8 @@ SECTION = "base" LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" -DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" -DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" +DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" +DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit" DEPENDS_append_libc-musl = " musl-nscd" @@ -15,16 +15,15 @@ DEPENDS_append_libc-musl = " musl-nscd" DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}" -SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \ +SRC_URI = "https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz \ file://sssd.conf \ file://volatiles.99_sssd \ + file://no_gen.patch \ + file://fix_gid.patch \ + file://drop_ntpdate_chk.patch \ file://fix-ldblibdir.patch \ - file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \ - file://0001-nss-Collision-with-external-nss-symbol.patch \ - file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \ " - -SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0" +SRC_URI[sha256sum] = "afa62d7d8d23fca3aba093abe4ec0d14e7d9346c5b28ceb7c2c624bed98caa06" inherit autotools pkgconfig gettext python3-dir features_check systemd @@ -34,7 +33,7 @@ SSSD_UID ?= "root" SSSD_GID ?= "root" CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ - ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ + ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ " PACKAGECONFIG ?="nss nscd autofs sudo infopipe" @@ -42,13 +41,13 @@ PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" -PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto" +PACKAGECONFIG[crypto] = ", , libcrypto" PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " -PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss," +PACKAGECONFIG[nss] = ", ,nss," PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" @@ -65,6 +64,7 @@ EXTRA_OECONF += " \ --without-python2-bindings \ --without-secrets \ --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ + --with-pid-path=/run \ " do_configure_prepend() { @@ -75,6 +75,9 @@ do_configure_prepend() { sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4 } +do_compile_prepend () { + echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h +} do_install () { oe_runmake install DESTDIR="${D}" rmdir --ignore-fail-on-non-empty "${D}/${bindir}" @@ -87,8 +90,8 @@ do_install () { echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf fi - # Remove /var/run as it is created on startup - rm -rf ${D}${localstatedir}/run + # Remove /run as it is created on startup + rm -rf ${D}/run rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* } @@ -119,10 +122,10 @@ SYSTEMD_SERVICE_${PN} = " \ " SYSTEMD_AUTO_ENABLE = "disable" -FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so" +FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so" FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" # The package contains symlinks that trip up insane INSANE_SKIP_${PN} = "dev-so" -RDEPENDS_${PN} = "bind dbus libldb libpam" +RDEPENDS_${PN} = "bind bind-utils dbus libldb libpam" |