diff options
Diffstat (limited to 'meta-security')
49 files changed, 2688 insertions, 39 deletions
diff --git a/meta-security/files/waf-cross-answers/README b/meta-security/files/waf-cross-answers/README new file mode 100644 index 000000000..dda45c508 --- /dev/null +++ b/meta-security/files/waf-cross-answers/README @@ -0,0 +1,3 @@ +The files in this directory are cross answers files +used by waf-samba.bbclass, please see waf-samba.bbclass +for details about how they are used. diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt new file mode 100644 index 000000000..1023f6aff --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt new file mode 100644 index 000000000..1023f6aff --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-arm.txt b/meta-security/files/waf-cross-answers/cross-answers-arm.txt new file mode 100644 index 000000000..a5cd9981a --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-arm.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt new file mode 100644 index 000000000..a5cd9981a --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-i586.txt b/meta-security/files/waf-cross-answers/cross-answers-i586.txt new file mode 100644 index 000000000..a5cd9981a --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-i586.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-i686.txt b/meta-security/files/waf-cross-answers/cross-answers-i686.txt new file mode 100644 index 000000000..a5cd9981a --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-i686.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips.txt b/meta-security/files/waf-cross-answers/cross-answers-mips.txt new file mode 100644 index 000000000..3e239e727 --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-mips.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "128" +Checking value of _NSIG: "128" +Checking value of SIGRTMAX: "127" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt new file mode 100644 index 000000000..82e694fda --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: OK +Checking value of NSIG: "128" +Checking value of _NSIG: "128" +Checking value of SIGRTMAX: "127" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt new file mode 100644 index 000000000..82e694fda --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: OK +Checking value of NSIG: "128" +Checking value of _NSIG: "128" +Checking value of SIGRTMAX: "127" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt new file mode 100644 index 000000000..3e239e727 --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "128" +Checking value of _NSIG: "128" +Checking value of SIGRTMAX: "127" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt new file mode 100644 index 000000000..27b9378a4 --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: NO +Checking for -D_FILE_OFFSET_BITS=64: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: NO +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt new file mode 100644 index 000000000..7fd3092cb --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt @@ -0,0 +1,40 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: (255, "") +Checking if can we convert from IBM850 to UCS-2LE: (255, "") +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt new file mode 100644 index 000000000..1023f6aff --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt new file mode 100644 index 000000000..1023f6aff --- /dev/null +++ b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt @@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/lib/oeqa/runtime/cases/apparmor.py b/meta-security/lib/oeqa/runtime/cases/apparmor.py index e2cb316d1..b6a9537e3 100644 --- a/meta-security/lib/oeqa/runtime/cases/apparmor.py +++ b/meta-security/lib/oeqa/runtime/cases/apparmor.py @@ -25,3 +25,22 @@ class ApparmorTest(OERuntimeTestCase): msg = ('aa-status failed. ' 'Status and output:%s and %s' % (status, output)) self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_status']) + def test_apparmor_aa_complain(self): + status, output = self.target.run('aa-complain /etc/apparmor.d/*') + match = re.search('apparmor module is loaded.', output) + if not match: + msg = ('aa-complain failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_complain']) + def test_apparmor_aa_enforce(self): + status, output = self.target.run('aa-enforce /etc/apparmor.d/*') + match = re.search('apparmor module is loaded.', output) + if not match: + msg = ('aa-enforce failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py index fc77330dd..d0bc645ae 100644 --- a/meta-security/lib/oeqa/runtime/cases/clamav.py +++ b/meta-security/lib/oeqa/runtime/cases/clamav.py @@ -1,6 +1,7 @@ # Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> # import re +from tempfile import mkstemp from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends @@ -9,6 +10,22 @@ from oeqa.runtime.decorator.package import OEHasPackage class ClamavTest(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.tmp_fd, cls.tmp_path = mkstemp() + with os.fdopen(cls.tmp_fd, 'w') as f: + # use gooled public dns + f.write("nameserver 8.8.8.8") + f.write(os.linesep) + f.write("nameserver 8.8.4.4") + f.write(os.linesep) + f.write("nameserver 127.0.0.1") + f.write(os.linesep) + + @classmethod + def tearDownClass(cls): + os.remove(cls.tmp_path) + @OEHasPackage(['clamav']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_freshclam_help(self): @@ -18,6 +35,19 @@ class ClamavTest(OERuntimeTestCase): self.assertEqual(status, 0, msg = msg) @OETestDepends(['clamav.ClamavTest.test_freshclam_help']) + @OEHasPackage(['openssh-scp', 'dropbear']) + def test_ping_clamav_net(self): + dst = '/etc/resolv.conf' + self.tc.target.run('rm -f %s' % dst) + (status, output) = self.tc.target.copyTo(self.tmp_path, dst) + msg = 'File could not be copied. Output: %s' % output + self.assertEqual(status, 0, msg=msg) + + status, output = self.target.run('ping -c 1 database.clamav.net') + msg = ('ping database.clamav.net failed: output is:\n%s' % output) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net']) def test_freshclam_download(self): status, output = self.target.run('freshclam --show-progress') match = re.search('Database updated', output) diff --git a/meta-security/lib/oeqa/runtime/cases/samhain.py b/meta-security/lib/oeqa/runtime/cases/samhain.py index e4bae7bda..5043a38cc 100644 --- a/meta-security/lib/oeqa/runtime/cases/samhain.py +++ b/meta-security/lib/oeqa/runtime/cases/samhain.py @@ -1,6 +1,7 @@ # Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> # import re +import os from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends @@ -11,10 +12,32 @@ class SamhainTest(OERuntimeTestCase): @OEHasPackage(['samhain-standalone']) @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_samhain_standalone_help(self): + def test_samhain_help(self): + machine = self.td.get('MACHINE', '') + status, output = self.target.run('echo "127.0.0.1 %s.localdomain %s" >> /etc/hosts' % (machine, machine)) + msg = ("samhain can't append hosts. " + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + status, output = self.target.run('samhain --help') - match = re.search('Please report bugs to support@la-samhna.de.', output) + msg = ('samhain command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['samhain.SamhainTest.test_samhain_help']) + def test_samhain_init_db(self): + status, output = self.target.run('samhain -t init') + match = re.search('FAILED: 0 ', output) + if not match: + msg = ('samhain database init had an unexpected failure. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['samhain.SamhainTest.test_samhain_init_db']) + def test_samhain_db_check(self): + status, output = self.target.run('samhain -t check') + match = re.search('FAILED: 0 ', output) if not match: - msg = ('samhain-standalone command does not work as expected. ' + msg = ('samhain errors found in db. ' 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 1, msg = msg) + self.assertEqual(status, 0, msg = msg) diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py new file mode 100644 index 000000000..35e87ef32 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/cases/smack.py @@ -0,0 +1,529 @@ +import unittest +import re +import os +import string +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature + +MAX_LABEL_LEN = 255 +LABEL = "a" * MAX_LABEL_LEN + +class SmackBasicTest(OERuntimeTestCase): + ''' base smack test ''' + + @classmethod + def setUpClass(cls): + cls.smack_path = "" + cls.current_label = "" + cls.uid = 1000 + + @skipIfNotFeature('smack', + 'Test requires smack to be in DISTRO_FEATURES') + @OEHasPackage(['smack-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_smack_basic(self): + status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'") + self.smack_path = output + status,output = self.target.run("cat /proc/self/attr/current") + self.current_label = output.strip() + +class SmackAccessLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_access_label(self): + ''' Test if chsmack can correctly set a SMACK label ''' + filename = "/tmp/test_access_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack access label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=access=")\S+(?=")', output) + if m is None: + self.fail("Did not find access attribute") + else: + label_retrieved = m .group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + "%s %s" %(LABEL,label_retrieved)) + + +class SmackExecLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_exec_label(self): + '''Test if chsmack can correctly set a SMACK Exec label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack exec label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m= re.search('(?<=execute=")\S+(?=")', output) + if m is None: + self.fail("Did not find execute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackMmapLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_mmap_label(self): + '''Test if chsmack can correctly set a SMACK mmap label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack mmap label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=mmap=")\S+(?=")', output) + if m is None: + self.fail("Did not find mmap attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackTransmutable(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_transmutable(self): + '''Test if chsmack can correctly set a SMACK transmutable mode''' + + directory = "~/test_transmutable" + self.target.run("mkdir -p %s" %directory) + status, output = self.target.run("chsmack -t %s" %directory) + self.assertEqual(status, 0, "Cannot set smack transmutable. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %directory) + self.target.run("rmdir %s" %directory) + m = re.search('(?<=transmute=")\S+(?=")', output) + if m is None: + self.fail("Did not find transmute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + "TRUE", label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackChangeSelfLabelPrivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_privileged_change_self_label(self): + '''Test if privileged process (with CAP_MAC_ADMIN privilege) + can change its label. + ''' + + labelf = "/proc/self/attr/current" + command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf) + + status, output = self.target.run( + "notroot.py 0 %s %s" %(self.current_label, command)) + + self.assertIn("PRIVILEGED", output, + "Privilege process did not change label.Output: %s" %output) + +class SmackChangeSelfLabelUnprivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_unprivileged_change_self_label(self): + '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) + cannot change its label''' + + command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL + status, output = self.target.run( + "notroot.py %d %s %s" + %(self.uid, self.current_label, command) + + " 2>&1 | grep 'Operation not permitted'" ) + + self.assertEqual( + status, 0, + "Unprivileged process should not be able to change its label") + + +class SmackChangeFileLabelPrivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_unprivileged_change_file_label(self): + '''Test if unprivileged process cannot change file labels''' + + status, chsmack = self.target.run("which chsmack") + status, touch = self.target.run("which touch") + filename = "/tmp/test_unprivileged_change_file_label" + + self.target.run("touch %s" % filename) + self.target.run("notroot.py %d %s" %(self.uid, self.current_label)) + status, output = self.target.run( + "notroot.py " + + "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + + "| grep 'Operation not permitted'" ) + + self.target.run("rm %s" % filename) + self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename) + +class SmackLoadRule(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_load_smack_rule(self): + '''Test if new smack access rules can be loaded''' + + # old 23 character format requires special spaces formatting + # 12345678901234567890123456789012345678901234567890123 + ruleA="TheOne TheOther rwxat" + ruleB="TheOne TheOther r----" + clean="TheOne TheOther -----" + modeA = "rwxat" + modeB = "r" + + status, output = self.target.run('echo -n "%s" > %s/load' %(ruleA, self.smack_path)) + status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + self.assertEqual(status, 0, "Rule A was not added") + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( mode, modeA, "Mode A was not set correctly; mode: %s" %mode) + + status, output = self.target.run( 'echo -n "%s" > %s/load' %(ruleB, self.smack_path)) + status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( mode, modeB, "Mode B was not set correctly; mode: %s" %mode) + + self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) + + +class SmackOnlycap(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_onlycap(self): + '''Test if smack onlycap label can be set + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh") + self.assertEqual(status, 0, output) + +class SmackNetlabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_netlabel(self): + + test_label="191.191.191.191 TheOne" + expected_label="191.191.191.191/32 TheOne" + + status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( status, 0, "Netlabel /32 could not be set. Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( expected_label, output, "Did not find expected label in output: %s" %output) + + test_label="253.253.253.0/24 TheOther" + status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( status, 0, "Netlabel /24 could not be set. Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( + test_label, output, + "Did not find expected label in output: %s" %output) + +class SmackCipso(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_cipso(self): + '''Test if smack cipso rules can be set''' + # 12345678901234567890123456789012345678901234567890123456 + ruleA="TheOneA 2 0 " + ruleB="TheOneB 3 1 55 " + ruleC="TheOneC 4 2 17 33 " + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label A. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneA'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule A was not set") + self.assertIn(" 2", output, "Rule A was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label B. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneB'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule B was not set") + self.assertIn("/55", output, "Rule B was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path)) + self.assertEqual( + status, 0, + "Could not set cipso label C. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneC'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule C was not set") + self.assertIn("/17,33", output, "Rule C was not set correctly") + +class SmackDirect(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_direct(self): + status, initial_direct = self.target.run( + "cat %s/direct" %self.smack_path) + + test_direct="17" + status, output = self.target.run( + "echo '%s' > %s/direct" %(test_direct, self.smack_path)) + self.assertEqual(status, 0 , + "Could not set smack direct. Output: %s" %output) + status, new_direct = self.target.run("cat %s/direct" %self.smack_path) + # initial label before checking + status, output = self.target.run( + "echo '%s' > %s/direct" %(initial_direct, self.smack_path)) + self.assertEqual( + test_direct, new_direct.strip(), + "Smack direct label does not match.") + + +class SmackAmbient(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_ambient(self): + test_ambient = "test_ambient" + status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(test_ambient, self.smack_path)) + self.assertEqual(status, 0, + "Could not set smack ambient. Output: %s" %output) + + status, output = self.target.run("cat %s/ambient" %self.smack_path) + # Filter '\x00', which is sometimes added to the ambient label + new_ambient = ''.join(filter(lambda x: x in string.printable, output)) + initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient)) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path)) + self.assertEqual( + test_ambient, new_ambient.strip(), + "Ambient label does not match") + + +class SmackloadBinary(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smackload(self): + '''Test if smackload command works''' + rule="testobject testsubject rwx" + + status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule) + status, output = self.target.run("smackload /tmp/rules") + self.assertEqual( status, 0, "Smackload failed to load rule. Output: %s" %output) + + status, output = self.target.run( "cat %s/load | grep '%s'" %(self.smack_path, rule)) + self.assertEqual(status, 0, "Smackload rule was loaded correctly") + + +class SmackcipsoBinary(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smackcipso(self): + '''Test if smackcipso command works''' + # 12345678901234567890123456789012345678901234567890123456 + rule="cipsolabel 2 2 " + + status, output = self.target.run("echo '%s' | smackcipso" %rule) + self.assertEqual( status, 0, "Smackcipso failed to load rule. Output: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep 'cipsolabel'" %self.smack_path) + self.assertEqual(status, 0, "smackcipso rule was loaded correctly") + self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output) + + +class SmackEnforceFileAccess(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_enforce_file_access(self): + '''Test if smack file access is enforced (rwx) + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("sh /usr/sbin/smack_test_file_access.sh") + self.assertEqual(status, 0, output) + + +class SmackEnforceMmap(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_mmap_enforced(self): + '''Test if smack mmap access is enforced''' + raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.") + + # 12345678901234567890123456789012345678901234567890123456 + delr1="mmap_label mmap_test_label1 -----" + delr2="mmap_label mmap_test_label2 -----" + delr3="mmap_file_label mmap_test_label1 -----" + delr4="mmap_file_label mmap_test_label2 -----" + + RuleA="mmap_label mmap_test_label1 rw---" + RuleB="mmap_label mmap_test_label2 r--at" + RuleC="mmap_file_label mmap_test_label1 rw---" + RuleD="mmap_file_label mmap_test_label2 rwxat" + + mmap_label="mmap_label" + file_label="mmap_file_label" + test_file = "/usr/sbin/smack_test_mmap" + mmap_exe = "/tmp/mmap_test" + status, echo = self.target.run("which echo") + status, output = self.target.run( + "notroot.py %d %s %s 'test' > %s" \ + %(self.uid, self.current_label, echo, test_file)) + status, output = self.target.run("ls %s" %test_file) + self.assertEqual(status, 0, "Could not create mmap test file") + self.target.run("chsmack -m %s %s" %(file_label, test_file)) + self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe)) + + # test with no rules with mmap label or exec label as subject + # access should be granted + self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access without rules. Output: %s" %output) + + # add rules that do not match access required + self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with unmatching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with unmatching rules") + + # add rule to match only partially (one way) + self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with partial matching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with partial matching rules") + + # add rule to match fully + self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access with full matching rules." + + "Output: %s" %output) + + +class SmackEnforceTransmutable(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_transmute_dir(self): + '''Test if smack transmute attribute works + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + test_dir = "/tmp/smack_transmute_dir" + label="transmute_label" + status, initial_label = self.target.run("cat /proc/self/attr/current") + + self.target.run("mkdir -p %s" % test_dir) + self.target.run("chsmack -a %s %s" % (label, test_dir)) + self.target.run("chsmack -t %s" % test_dir) + self.target.run("echo -n '%s %s rwxat' | smackload" %(initial_label, label) ) + + self.target.run("touch %s/test" % test_dir) + status, output = self.target.run("chsmack %s/test" % test_dir) + self.assertIn( 'access="%s"' %label, output, + "Did not get expected label. Output: %s" % output) + + +class SmackTcpSockets(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_tcp_sockets(self): + '''Test if smack is enforced on tcp sockets + + whole test takes places on image, depends on tcp_server/tcp_client''' + + status, output = self.target.run("sh /usr/sbin/test_smack_tcp_sockets.sh") + self.assertEqual(status, 0, output) + + +class SmackUdpSockets(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_udp_sockets(self): + '''Test if smack is enforced on udp sockets + + whole test takes places on image, depends on udp_server/udp_client''' + + status, output = self.target.run("sh /usr/sbin/test_smack_udp_sockets.sh") + self.assertEqual(status, 0, output) + + +class SmackFileLabels(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_labels(self): + '''Check for correct Smack labels.''' + expected = ''' +/tmp/ access="*" +/etc/ access="System::Shared" transmute="TRUE" +/etc/passwd access="System::Shared" +/etc/terminfo access="System::Shared" transmute="TRUE" +/etc/skel/ access="System::Shared" transmute="TRUE" +/etc/skel/.profile access="System::Shared" +/var/log/ access="System::Log" transmute="TRUE" +/var/tmp/ access="*" +''' + files = ' '.join([x.split()[0] for x in expected.split('\n') if x]) + files_wildcard = ' '.join([x + '/*' for x in files.split()]) + # Auxiliary information. + status, output = self.target.run( + 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % ( + ' '.join([x.rstrip('/') for x in files.split()]), files, files + ) + ) + msg = "File status:\n" + output + status, output = self.target.run('chsmack %s' % files) + self.assertEqual( + status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg)) + self.longMessage = True + self.maxDiff = None + self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg) diff --git a/meta-security/lib/oeqa/selftest/cases/cvechecker.py b/meta-security/lib/oeqa/selftest/cases/cvechecker.py new file mode 100644 index 000000000..23ca7d222 --- /dev/null +++ b/meta-security/lib/oeqa/selftest/cases/cvechecker.py @@ -0,0 +1,27 @@ +import os +import re + +from oeqa.selftest.case import OESelftestTestCase +from oeqa.utils.commands import bitbake, get_bb_var + +class CveCheckerTests(OESelftestTestCase): + def test_cve_checker(self): + image = "core-image-sato" + + deploy_dir = get_bb_var("DEPLOY_DIR_IMAGE") + image_link_name = get_bb_var('IMAGE_LINK_NAME', image) + + manifest_link = os.path.join(deploy_dir, "%s.cve" % image_link_name) + + self.logger.info('CVE_CHECK_MANIFEST = "%s"' % manifest_link) + if (not 'cve-check' in get_bb_var('INHERIT')): + add_cve_check_config = 'INHERIT += "cve-check"' + self.append_config(add_cve_check_config) + self.append_config('CVE_CHECK_MANIFEST = "%s"' % manifest_link) + result = bitbake("-k -c cve_check %s" % image, ignore_status=True) + if (not 'cve-check' in get_bb_var('INHERIT')): + self.remove_config(add_cve_check_config) + + isfile = os.path.isfile(manifest_link) + self.assertEqual(True, isfile, 'Failed to create cve data file : %s' % manifest_link) + diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README index bbc70bbaa..dd662b3d4 100644 --- a/meta-security/meta-tpm/README +++ b/meta-security/meta-tpm/README @@ -2,3 +2,60 @@ meta-tpm layer ============== This layer contains base TPM recipes. + +Dependencies +============ + +This layer depends on: + + URI: git://git.openembedded.org/openembedded-core + branch: master + revision: HEAD + prio: default + + URI: git://git.openembedded.org/meta-openembedded/meta-oe + branch: master + revision: HEAD + prio: default + +Adding the meta-tpm layer to your build +======================================== + +In order to use this layer, you need to make the build system aware of +it. + +Assuming this layer exists at the top-level of your +yocto build tree, you can add it to the build system by adding the +location of the meta-tpm layer to bblayers.conf, along with any +other layers needed. e.g.: + + BBLAYERS ?= " \ + /path/to/oe-core/meta \ + /path/to/meta-openembedded/meta-oe \ + /path/to/layer/meta-tpm \ + + +Maintenance +----------- + +Send pull requests, patches, comments or questions to yocto@yoctoproject.org + +When sending single patches, please using something like: +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' + +These values can be set as defaults for this repository: + +$ git config sendemail.to yocto@yoctoproject.org +$ git config format.subjectPrefix meta-security][PATCH + +Now you can just do 'git send-email origin/master' to send all local patches. + +Maintainers: Armin Kuster <akuster808@gmail.com> + + +License +======= + +All metadata is MIT licensed unless otherwise stated. Source code included +in tree for individual recipes is under the LICENSE stated in each recipe +(.bb file) unless otherwise stated. diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 15a2befcf..bf9a76ea6 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -12,4 +12,5 @@ LAYERSERIES_COMPAT_tpm-layer = "thud warrior" LAYERDEPENDS_tpm-layer = " \ core \ + openembedded-layer \ " diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg index b5f9bb2a6..ae6cdcdf0 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg +++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg @@ -1,15 +1,9 @@ CONFIG_AUDIT=y -# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set -CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_SECURITY_PATH=y -# CONFIG_SECURITY_SELINUX is not set CONFIG_SECURITY_APPARMOR=y CONFIG_SECURITY_APPARMOR_HASH=y CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -# CONFIG_SECURITY_APPARMOR_DEBUG is not set CONFIG_INTEGRITY_AUDIT=y CONFIG_DEFAULT_SECURITY_APPARMOR=y -# CONFIG_DEFAULT_SECURITY_DAC is not set CONFIG_DEFAULT_SECURITY="apparmor" CONFIG_AUDIT_GENERIC=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg index 62f465a45..0d5fc645c 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg +++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg @@ -1,8 +1,7 @@ -CONFIG_IP_NF_SECURITY=m -CONFIG_IP6_NF_SECURITY=m -CONFIG_EXT2_FS_SECURITY=y -CONFIG_EXT3_FS_SECURITY=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_SECURITY=y +CONFIG_NETLABEL=y +CONFIG_SECURITY_NETWORK=y +# CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_SECURITY_SMACK=y +CONFIG_SECURITY_SMACK_BRINGUP=y +CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y CONFIG_TMPFS_XATTR=y diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb index 62ed61148..4eaec001e 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" DEPENDS = "bison-native apr gettext-native coreutils-native" SRC_URI = " \ - http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \ file://disable_perl_h_check.patch \ file://crosscompile_perl_bindings.patch \ file://apparmor.rc \ @@ -24,8 +24,8 @@ SRC_URI = " \ file://run-ptest \ " -SRC_URI[md5sum] = "2439b35266b5a3a461b0a2dba6e863c3" -SRC_URI[sha256sum] = "844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30" +SRCREV = "af4808b5f6b58946f5c5a4de4b77df5e0eae6ca0" +S = "${WORKDIR}/git" PARALLEL_MAKE = "" diff --git a/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c new file mode 100644 index 000000000..f358d27b5 --- /dev/null +++ b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c @@ -0,0 +1,7 @@ +#include <stdio.h> + +int main(int argc, char **argv) +{ + printf("Original test program removed while investigating its license.\n"); + return 1; +} diff --git a/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb new file mode 100644 index 000000000..9d11509d0 --- /dev/null +++ b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb @@ -0,0 +1,16 @@ +SUMMARY = "Mmap binary used to test smack mmap attribute" +DESCRIPTION = "Mmap binary used to test smack mmap attribute" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://mmap.c" + +S = "${WORKDIR}" +do_compile() { + ${CC} mmap.c ${LDFLAGS} -o mmap_test +} + +do_install() { + install -d ${D}${bindir} + install -m 0755 mmap_test ${D}${bindir} +} diff --git a/meta-security/recipes-mac/smack/smack-test/notroot.py b/meta-security/recipes-mac/smack/smack-test/notroot.py new file mode 100644 index 000000000..f0eb0b5b9 --- /dev/null +++ b/meta-security/recipes-mac/smack/smack-test/notroot.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python +# +# Script used for running executables with custom labels, as well as custom uid/gid +# Process label is changed by writing to /proc/self/attr/curent +# +# Script expects user id and group id to exist, and be the same. +# +# From adduser manual: +# """By default, each user in Debian GNU/Linux is given a corresponding group +# with the same name. """ +# +# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] +# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 +# +# Author: Alexandru Cornea <alexandru.cornea@intel.com> +import os +import sys + +try: + uid = int(sys.argv[1]) + sys.argv.pop(1) + label = sys.argv[1] + sys.argv.pop(1) + open("/proc/self/attr/current", "w").write(label) + path=sys.argv[1] + sys.argv.pop(0) + os.setgid(uid) + os.setuid(uid) + os.execv(path,sys.argv) + +except Exception,e: + print e.message + sys.exit(1) diff --git a/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh new file mode 100644 index 000000000..5a0ce84f2 --- /dev/null +++ b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh @@ -0,0 +1,54 @@ +#!/bin/sh + +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` +RC=0 +TMP="/tmp" +test_file=$TMP/smack_test_access_file +CAT=`which cat` +ECHO=`which echo` +uid=1000 +initial_label=`cat /proc/self/attr/current` +python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file +chsmack -a "TheOther" $test_file + +# 12345678901234567890123456789012345678901234567890123456 +delrule="TheOne TheOther -----" +rule_ro="TheOne TheOther r----" + +# Remove pre-existent rules for "TheOne TheOther <access>" +echo -n "$delrule" > $SMACK_PATH/load +python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? +if [ $RC -ne 0 ]; then + echo "Process with different label than the test file and no read access on it can read it" + exit $RC +fi + +# adding read access +echo -n "$rule_ro" > $SMACK_PATH/load +python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +if [ $RC -ne 0 ]; then + echo "Process with different label than the test file but with read access on it cannot read it" + exit $RC +fi + +# Remove pre-existent rules for "TheOne TheOther <access>" +echo -n "$delrule" > $SMACK_PATH/load +# changing label of test file to * +# according to SMACK documentation, read access on a * object is always permitted +chsmack -a '*' $test_file +python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +if [ $RC -ne 0 ]; then + echo "Process cannot read file with * label" + exit $RC +fi + +# changing subject label to * +# according to SMACK documentation, every access requested by a star labeled subject is rejected +TOUCH=`which touch` +python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 +ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$? +if [ $RC -ne 0 ];then + echo "Process with label '*' should not have any access" + exit $RC +fi +exit 0 diff --git a/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh b/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh new file mode 100644 index 000000000..26d9e9d22 --- /dev/null +++ b/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh @@ -0,0 +1,18 @@ +#!/bin/sh + +initial_label=`cat /proc/self/attr/current 2>/dev/null` +modified_label="test_label" + +echo "$modified_label" >/proc/self/attr/current 2>/dev/null + +new_label=`cat /proc/self/attr/current 2>/dev/null` + +if [ "$new_label" != "$modified_label" ]; then + # restore proper label + echo $initial_label >/proc/self/attr/current + echo "Privileged process could not change its label" + exit 1 +fi + +echo "$initial_label" >/proc/self/attr/current 2>/dev/null +exit 0
\ No newline at end of file diff --git a/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh b/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh new file mode 100644 index 000000000..1c4a93ab6 --- /dev/null +++ b/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh @@ -0,0 +1,27 @@ +#!/bin/sh +RC=0 +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'` +test_label="test_label" +onlycap_initial=`cat $SMACK_PATH/onlycap` +smack_initial=`cat /proc/self/attr/current` + +# need to set out label to be the same as onlycap, otherwise we lose our smack privileges +# even if we are root +echo "$test_label" > /proc/self/attr/current + +echo "$test_label" > $SMACK_PATH/onlycap || RC=$? +if [ $RC -ne 0 ]; then + echo "Onlycap label could not be set" + return $RC +fi + +if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then + echo "Onlycap label was not set correctly." + return 1 +fi + +# resetting original onlycap label +echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null + +# resetting our initial's process label +echo "$smack_initial" > /proc/self/attr/current diff --git a/meta-security/recipes-mac/smack/smack-test_1.0.bb b/meta-security/recipes-mac/smack/smack-test_1.0.bb new file mode 100644 index 000000000..7cf8f2e04 --- /dev/null +++ b/meta-security/recipes-mac/smack/smack-test_1.0.bb @@ -0,0 +1,21 @@ +SUMMARY = "Smack test scripts" +DESCRIPTION = "Smack scripts" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = " \ + file://notroot.py \ + file://smack_test_file_access.sh \ + file://test_privileged_change_self_label.sh \ + file://test_smack_onlycap.sh \ +" + +S = "${WORKDIR}" + +do_install() { + install -d ${D}${sbindir} + install -m 0755 notroot.py ${D}${sbindir} + install -m 0755 *.sh ${D}${sbindir} +} + +RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test" diff --git a/meta-security/recipes-mac/smack/files/run-ptest b/meta-security/recipes-mac/smack/smack/run-ptest index 049a9b47a..049a9b47a 100644 --- a/meta-security/recipes-mac/smack/files/run-ptest +++ b/meta-security/recipes-mac/smack/smack/run-ptest diff --git a/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch b/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch index 4d677e751..4d677e751 100644 --- a/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch +++ b/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c new file mode 100644 index 000000000..185f97380 --- /dev/null +++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c @@ -0,0 +1,111 @@ +// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <string.h>
+#include <sys/xattr.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ char message[255] = "hello";
+ struct sockaddr_in server_addr;
+ char* label_in;
+ char* label_out;
+ char* attr_out = "security.SMACK64IPOUT";
+ char* attr_in = "security.SMACK64IPIN";
+ char out[256];
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ struct hostent* host = gethostbyname("localhost");
+
+ if (argc != 4)
+ {
+ perror("Client: Arguments missing, please provide socket labels");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ label_out = argv[3];
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPOUT");
+ return 2;
+ }
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPIN");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Client: Set timeout failed\n");
+ return 2;
+ }
+
+ if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
+ {
+ perror("Client: Connection failure");
+ close(sock);
+ return 1;
+ }
+
+
+ if(write(sock, message, strlen(message)) < 0)
+ {
+ perror("Client: Error sending data\n");
+ close(sock);
+ return 1;
+ }
+ close(sock);
+ return 0;
+}
+
+
+
+
+
+
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c new file mode 100644 index 000000000..9285dc695 --- /dev/null +++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c @@ -0,0 +1,118 @@ +// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ int clientsock;
+ char message[255];
+ socklen_t client_length;
+ struct sockaddr_in server_addr, client_addr;
+ char* label_in;
+ char* attr_in = "security.SMACK64IPIN";
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ if (argc != 3)
+ {
+ perror("Server: Argument missing please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ bzero(message,255);
+
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Server: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
+ {
+ perror("Server: Unable to set attribute ipin 2");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure ");
+ return 2;
+ }
+
+ listen(sock, 1);
+ client_length = sizeof(client_addr);
+
+ clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
+
+ if (clientsock < 0)
+ {
+ perror("Server: Connection failed");
+ close(sock);
+ return 1;
+ }
+
+
+ if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
+ {
+ perror(" Server: Unable to set attribute ipin 2");
+ close(sock);
+ return 2;
+ }
+
+ if(read(clientsock, message, 254) < 0)
+ {
+ perror("Server: Error when reading from socket");
+ close(clientsock);
+ close(sock);
+ return 1;
+ }
+
+
+ close(clientsock);
+ close(sock);
+
+ return 0;
+}
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh b/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh new file mode 100644 index 000000000..ed18f2371 --- /dev/null +++ b/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh @@ -0,0 +1,108 @@ +#!/bin/sh +RC=0 +test_file=/tmp/smack_socket_tcp +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` +# make sure no access is granted +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 -----" > $SMACK_PATH/load + +tcp_server=`which tcp_server` +if [ -z $tcp_server ]; then + if [ -f "/tmp/tcp_server" ]; then + tcp_server="/tmp/tcp_server" + else + echo "tcp_server binary not found" + exit 1 + fi +fi +tcp_client=`which tcp_client` +if [ -z $tcp_client ]; then + if [ -f "/tmp/tcp_client" ]; then + tcp_client="/tmp/tcp_client" + else + echo "tcp_client binary not found" + exit 1 + fi +fi + +# checking access for sockets with different labels +$tcp_server 50016 label1 &>/dev/null & +server_pid=$! +sleep 2 +$tcp_client 50016 label2 label1 &>/dev/null & +client_pid=$! + +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? + +if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then + echo "Sockets with different labels should not communicate on tcp" + exit 1 +fi + +# granting access between different labels +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 rw---" > $SMACK_PATH/load +# checking access for sockets with different labels, but having a rule granting rw +$tcp_server 50017 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50017 label2 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with different labels, but having rw access, should communicate on tcp" + exit 1 +fi + +# checking access for sockets with the same label +$tcp_server 50018 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50018 label1 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with same labels should communicate on tcp" + exit 1 +fi + +# checking access on socket labeled star (*) +# should always be permitted +$tcp_server 50019 \* 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50019 label1 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Should have access on tcp socket labeled star (*)" + exit 1 +fi + +# checking access from socket labeled star (*) +# all access from subject star should be denied +$tcp_server 50020 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50020 label1 \* 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then + echo "Socket labeled star should not have access to any tcp socket" + exit 1 +fi diff --git a/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb b/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb new file mode 100644 index 000000000..d2b3f6b33 --- /dev/null +++ b/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb @@ -0,0 +1,24 @@ +SUMMARY = "Binary used to test smack tcp sockets" +DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://tcp_server.c \ + file://tcp_client.c \ + file://test_smack_tcp_sockets.sh \ +" + +S = "${WORKDIR}" + +do_compile() { + ${CC} tcp_client.c ${LDFLAGS} -o tcp_client + ${CC} tcp_server.c ${LDFLAGS} -o tcp_server +} + +do_install() { + install -d ${D}${bindir} + install -d ${D}${sbindir} + install -m 0755 tcp_server ${D}${bindir} + install -m 0755 tcp_client ${D}${bindir} + install -m 0755 test_smack_tcp_sockets.sh ${D}${sbindir} +} diff --git a/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh b/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh new file mode 100644 index 000000000..419ab9f91 --- /dev/null +++ b/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh @@ -0,0 +1,107 @@ +#!/bin/sh +RC=0 +test_file="/tmp/smack_socket_udp" +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` + +udp_server=`which udp_server` +if [ -z $udp_server ]; then + if [ -f "/tmp/udp_server" ]; then + udp_server="/tmp/udp_server" + else + echo "udp_server binary not found" + exit 1 + fi +fi +udp_client=`which udp_client` +if [ -z $udp_client ]; then + if [ -f "/tmp/udp_client" ]; then + udp_client="/tmp/udp_client" + else + echo "udp_client binary not found" + exit 1 + fi +fi + +# make sure no access is granted +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 -----" > $SMACK_PATH/load + +# checking access for sockets with different labels +$udp_server 50021 label2 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50021 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 ]; then + echo "Sockets with different labels should not communicate on udp" + exit 1 +fi + +# granting access between different labels +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 rw---" > $SMACK_PATH/load +# checking access for sockets with different labels, but having a rule granting rw +$udp_server 50022 label2 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50022 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with different labels, but having rw access, should communicate on udp" + exit 1 +fi + +# checking access for sockets with the same label +$udp_server 50023 label1 & +server_pid=$! +sleep 1 +$udp_client 50023 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with same labels should communicate on udp" + exit 1 +fi + +# checking access on socket labeled star (*) +# should always be permitted +$udp_server 50024 \* 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50024 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Should have access on udp socket labeled star (*)" + exit 1 +fi + +# checking access from socket labeled star (*) +# all access from subject star should be denied +$udp_server 50025 label1 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50025 \* 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 ]; then + echo "Socket labeled star should not have access to any udp socket" + exit 1 +fi diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c new file mode 100644 index 000000000..4d3afbe6c --- /dev/null +++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c @@ -0,0 +1,75 @@ +// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ char* message = "hello";
+ int sock, ret;
+ struct sockaddr_in server_addr;
+ struct hostent* host = gethostbyname("localhost");
+ char* label;
+ char* attr = "security.SMACK64IPOUT";
+ int port;
+ if (argc != 3)
+ {
+ perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+ sock = socket(AF_INET, SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
+ {
+ perror("Client: Unable to set attribute ");
+ return 2;
+ }
+
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
+ sizeof(struct sockaddr_in));
+
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Client: Error sending message\n");
+ return 1;
+ }
+
+ return 0;
+}
+
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c new file mode 100644 index 000000000..cbab71e65 --- /dev/null +++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c @@ -0,0 +1,93 @@ +// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ int sock,ret;
+ struct sockaddr_in server_addr, client_addr;
+ socklen_t len;
+ char message[5];
+ char* label;
+ char* attr = "security.SMACK64IPIN";
+ int port;
+
+ if(argc != 3)
+ {
+ perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ sock = socket(AF_INET,SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Server: Socket error");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
+ {
+ perror("Server: Unable to set attribute ");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure");
+ return 2;
+ }
+
+ len = sizeof(client_addr);
+ ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
+ &len);
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Server: Error receiving");
+ return 1;
+
+ }
+ return 0;
+}
+
diff --git a/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb b/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb new file mode 100644 index 000000000..9193f8989 --- /dev/null +++ b/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb @@ -0,0 +1,23 @@ +SUMMARY = "Binary used to test smack udp sockets" +DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://udp_server.c \ + file://udp_client.c \ + file://test_smack_udp_sockets.sh \ +" + +S = "${WORKDIR}" +do_compile() { + ${CC} udp_client.c ${LDFLAGS} -o udp_client + ${CC} udp_server.c ${LDFLAGS} -o udp_server +} + +do_install() { + install -d ${D}${bindir} + install -d ${D}${sbindir} + install -m 0755 udp_server ${D}${bindir} + install -m 0755 udp_client ${D}${bindir} + install -m 0755 test_smack_udp_sockets.sh ${D}${sbindir} +} diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb index 6219d9ed2..7d8767e2f 100644 --- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb +++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb @@ -4,8 +4,9 @@ HOMEPAGE = "http://www.clamav.net/index.html" SECTION = "security" LICENSE = "LGPL-2.1" -DEPENDS = "libtool db libmspack chrpath-replacement-native" - +DEPENDS = "libtool db libmspack openssl zlib llvm chrpath-replacement-native clamav-native" +DEPENDS_class-native = "db-native openssl-native zlib-native" + LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092" SRCREV = "b66e5e27b48c0a07494f9df9b809ed933cede047" @@ -15,6 +16,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \ file://freshclam.conf \ file://volatiles.03_clamav \ file://${BPN}.service \ + file://freshclam-native.conf \ " S = "${WORKDIR}/git" @@ -28,42 +30,54 @@ inherit autotools-brokensep pkgconfig useradd systemd UID = "clamav" GID = "clamav" +INSTALL_CLAMAV_CVD ?= "1" # Clamav has a built llvm version 2 but does not build with gcc 6.x, # disable the internal one. This is a known issue # If you want LLVM support, use the one in core -PACKAGECONFIG ?= "ncurses openssl bz2 zlib llvm" -PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" +CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr" +CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr" -PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm8.0" +PACKAGECONFIG_class-target ?= "ncurses bz2" +PACKAGECONFIG_class-target += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}" +PACKAGECONFIG_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre" -PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2," +PACKAGECONFIG[xml] = "--with-xml=${CLAMAV_USR_DIR}, --disable-xml, libxml2," PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json," PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR}, --without-libcurl, curl," PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6" -PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr, --without-openssl, openssl, openssl" -PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr --disable-zlib-vcheck , --without-zlib, zlib, " -PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${STAGING_LIBDIR}/.., --without-libbz2-prefix, " -PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${STAGING_LIBDIR}/.., --without-libncurses-prefix, ncurses, " +PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --without-libbz2-prefix, " +PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, " PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, " -EXTRA_OECONF += " --with-user=${UID} --with-group=${GID} \ - --without-libcheck-prefix --disable-unrar \ +EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \ + --with-system-llvm --with-llvm-linking=dynamic --disable-llvm \ --disable-mempool \ --program-prefix="" \ --disable-yara \ - --disable-rpath \ + --disable-xml \ + --with-openssl=${CLAMAV_USR_DIR} \ + --with-zlib=${CLAMAV_USR_DIR} --disable-zlib-vcheck \ " +EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}" +EXTRA_OECONF_class-target += "--with-user=${UID} --with-group=${GID} --disable-rpath ${EXTRA_OECONF_CLAMAV}" + do_configure () { cd ${S} ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} + install -d ${S}/clamav_db +} + +do_configure_class-native () { + cd ${S} + ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} } -do_compile_append() { + +do_compile_append_class-target() { # brute force removing RPATH chrpath -d ${B}/libclamav/.libs/libclamav.so.${SO_VER} chrpath -d ${B}/sigtool/.libs/sigtool @@ -72,9 +86,14 @@ do_compile_append() { chrpath -d ${B}/clamconf/.libs/clamconf chrpath -d ${B}/clamd/.libs/clamd chrpath -d ${B}/freshclam/.libs/freshclam + + if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then + bbnote "CLAMAV creating cvd" + ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf + fi } -do_install_append() { +do_install_append_class-target () { install -d ${D}/${sysconfdir} install -d ${D}/${localstatedir}/lib/clamav install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles @@ -84,6 +103,7 @@ do_install_append() { install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc rm ${D}/${libdir}/libclamav.so + install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service fi @@ -93,11 +113,12 @@ pkg_postinst_ontarget_${PN} () { if [ -e /etc/init.d/populate-volatile.sh ] ; then ${sysconfdir}/init.d/populate-volatile.sh update fi - chown ${UID}:${GID} ${localstatedir}/lib/clamav + mkdir -p ${localstatedir}/lib/clamav + chown -R ${UID}:${GID} ${localstatedir}/lib/clamav } -PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \ +PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \ ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev" FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \ @@ -140,6 +161,8 @@ FILES_${PN}-doc = "${mandir}/man/* \ ${datadir}/man/* \ ${docdir}/* " +FILES_${PN}-cvd = "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat" + USERADD_PACKAGES = "${PN}" GROUPADD_PARAM_${PN} = "--system ${UID}" USERADD_PARAM_${PN} = "--system -g ${GID} --home-dir \ @@ -151,4 +174,7 @@ RREPLACES_${PN} += "${PN}-systemd" RCONFLICTS_${PN} += "${PN}-systemd" SYSTEMD_SERVICE_${PN} = "${BPN}.service" -RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav" +RDEPENDS_${PN} = "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav" +RDEPENDS_${PN}_class-native = "" + +BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-security/clamav/files/freshclam-native.conf b/meta-security/recipes-security/clamav/files/freshclam-native.conf new file mode 100644 index 000000000..aaa8cf464 --- /dev/null +++ b/meta-security/recipes-security/clamav/files/freshclam-native.conf @@ -0,0 +1,224 @@ +# Path to the database directory. +# WARNING: It must match clamd.conf's directive! +# Default: hardcoded (depends on installation options) +#DatabaseDirectory /var/lib/clamav + +# Path to the log file (make sure it has proper permissions) +# Default: disabled +#UpdateLogFile /var/log/clamav/freshclam.log + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). +# in bytes just don't use modifiers. If LogFileMaxSize is enabled, +# log rotation (the LogRotate option) will always be enabled. +# Default: 1M +LogFileMaxSize 2M + +# Log time with each message. +# Default: no +LogTime yes + +# Enable verbose logging. +# Default: no +#LogVerbose yes + +# Use system logger (can work together with UpdateLogFile). +# Default: no +#LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# Enable log rotation. Always enabled when LogFileMaxSize is enabled. +# Default: no +#LogRotate yes + +# This option allows you to save the process identifier of the daemon +# Default: disabled +#PidFile /var/run/freshclam.pid + +# By default when started freshclam drops privileges and switches to the +# "clamav" user. This directive allows you to change the database owner. +# Default: clamav (may depend on installation options) +DatabaseOwner clamav + +# Initialize supplementary group access (freshclam must be started by root). +# Default: no +#AllowSupplementaryGroups yes + +# Use DNS to verify virus database version. Freshclam uses DNS TXT records +# to verify database and software versions. With this directive you can change +# the database verification domain. +# WARNING: Do not touch it unless you're configuring freshclam to use your +# own database verification domain. +# Default: current.cvd.clamav.net +#DNSDatabaseInfo current.cvd.clamav.net + +# Uncomment the following line and replace XY with your country +# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list. +# You can use db.XY.ipv6.clamav.net for IPv6 connections. +#DatabaseMirror db.XY.clamav.net + +# database.clamav.net is a round-robin record which points to our most +# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is +# not working. DO NOT TOUCH the following line unless you know what you +# are doing. +DatabaseMirror database.clamav.net + +# How many attempts to make before giving up. +# Default: 3 (per mirror) +#MaxAttempts 5 + +# With this option you can control scripted updates. It's highly recommended +# to keep it enabled. +# Default: yes +#ScriptedUpdates yes + +# By default freshclam will keep the local databases (.cld) uncompressed to +# make their handling faster. With this option you can enable the compression; +# the change will take effect with the next database update. +# Default: no +#CompressLocalDatabase no + +# With this option you can provide custom sources (http:// or file://) for +# database files. This option can be used multiple times. +# Default: no custom URLs +#DatabaseCustomURL http://myserver.com/mysigs.ndb +#DatabaseCustomURL file:///mnt/nfs/local.hdb + +# This option allows you to easily point freshclam to private mirrors. +# If PrivateMirror is set, freshclam does not attempt to use DNS +# to determine whether its databases are out-of-date, instead it will +# use the If-Modified-Since request or directly check the headers of the +# remote database files. For each database, freshclam first attempts +# to download the CLD file. If that fails, it tries to download the +# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo +# and ScriptedUpdates. It can be used multiple times to provide +# fall-back mirrors. +# Default: disabled +#PrivateMirror mirror1.mynetwork.com +#PrivateMirror mirror2.mynetwork.com + +# Number of database checks per day. +# Default: 12 (every two hours) +#Checks 24 + +# Proxy settings +# Default: disabled +#HTTPProxyServer myproxy.com +#HTTPProxyPort 1234 +#HTTPProxyUsername myusername +#HTTPProxyPassword mypass + +# If your servers are behind a firewall/proxy which applies User-Agent +# filtering you can use this option to force the use of a different +# User-Agent header. +# Default: clamav/version_number +#HTTPUserAgent SomeUserAgentIdString + +# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for +# multi-homed systems. +# Default: Use OS'es default outgoing IP address. +#LocalIPAddress aaa.bbb.ccc.ddd + +# Send the RELOAD command to clamd. +# Default: no +#NotifyClamd /path/to/clamd.conf + +# Run command after successful database update. +# Default: disabled +#OnUpdateExecute command + +# Run command when database update process fails. +# Default: disabled +#OnErrorExecute command + +# Run command when freshclam reports outdated version. +# In the command string %v will be replaced by the new version number. +# Default: disabled +#OnOutdatedExecute command + +# Don't fork into background. +# Default: no +#Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Timeout in seconds when connecting to database server. +# Default: 30 +#ConnectTimeout 60 + +# Timeout in seconds when reading from database server. +# Default: 30 +#ReceiveTimeout 60 + +# With this option enabled, freshclam will attempt to load new +# databases into memory to make sure they are properly handled +# by libclamav before replacing the old ones. +# Default: yes +#TestDatabases yes + +# When enabled freshclam will submit statistics to the ClamAV Project about +# the latest virus detections in your environment. The ClamAV maintainers +# will then use this data to determine what types of malware are the most +# detected in the field and in what geographic area they are. +# Freshclam will connect to clamd in order to get recent statistics. +# Default: no +#SubmitDetectionStats /path/to/clamd.conf + +# Country of origin of malware/detection statistics (for statistical +# purposes only). The statistics collector at ClamAV.net will look up +# your IP address to determine the geographical origin of the malware +# reported by your installation. If this installation is mainly used to +# scan data which comes from a different location, please enable this +# option and enter a two-letter code (see http://www.iana.org/domains/root/db/) +# of the country of origin. +# Default: disabled +#DetectionStatsCountry country-code + +# This option enables support for our "Personal Statistics" service. +# When this option is enabled, the information on malware detected by +# your clamd installation is made available to you through our website. +# To get your HostID, log on http://www.stats.clamav.net and add a new +# host to your host list. Once you have the HostID, uncomment this option +# and paste the HostID here. As soon as your freshclam starts submitting +# information to our stats collecting service, you will be able to view +# the statistics of this clamd installation by logging into +# http://www.stats.clamav.net with the same credentials you used to +# generate the HostID. For more information refer to: +# http://www.clamav.net/documentation.html#cctts +# This feature requires SubmitDetectionStats to be enabled. +# Default: disabled +#DetectionStatsHostID unique-id + +# This option enables support for Google Safe Browsing. When activated for +# the first time, freshclam will download a new database file (safebrowsing.cvd) +# which will be automatically loaded by clamd and clamscan during the next +# reload, provided that the heuristic phishing detection is turned on. This +# database includes information about websites that may be phishing sites or +# possible sources of malware. When using this option, it's mandatory to run +# freshclam at least every 30 minutes. +# Freshclam uses the ClamAV's mirror infrastructure to distribute the +# database and its updates but all the contents are provided under Google's +# terms of use. See http://www.google.com/transparencyreport/safebrowsing +# and http://www.clamav.net/documentation.html#safebrowsing +# for more information. +# Default: disabled +#SafeBrowsing yes + +# This option enables downloading of bytecode.cvd, which includes additional +# detection mechanisms and improvements to the ClamAV engine. +# Default: enabled +#Bytecode yes + +# Download an additional 3rd party signature database distributed through +# the ClamAV mirrors. +# This option can be used multiple times. +#ExtraDatabase dbname1 +#ExtraDatabase dbname2 diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb index 41ffd625c..dba1be574 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb @@ -4,7 +4,7 @@ SECTION = "security" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" -SRCREV = "4d64011741375bb1a4ba7d71905ca37b97885083" +SRCREV = "fb43972ea1aab24f2a70193fb7445c2674f594e3" SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \ file://run-ptest \ diff --git a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch new file mode 100644 index 000000000..8ab094fa7 --- /dev/null +++ b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch @@ -0,0 +1,13 @@ +--- a/wscript 2015-11-18 12:43:33.000000000 +0100 ++++ b/wscript 2015-11-18 12:46:25.000000000 +0100 +@@ -58,9 +58,7 @@ + if conf.env.standalone_ldb: + conf.CHECK_XSLTPROC_MANPAGES() + +- # we need this for the ldap backend +- if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'): +- conf.env.ENABLE_LDAP_BACKEND = True ++ conf.env.ENABLE_LDAP_BACKEND = False + + # we don't want any libraries or modules to rely on runtime + # resolution of symbols diff --git a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch new file mode 100755 index 000000000..fdd312c0a --- /dev/null +++ b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch @@ -0,0 +1,58 @@ +Some modules such as dynamic library maybe cann't be imported while cross compile, +we just check whether does the module exist. + +Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com> + +Index: ldb-1.1.26/buildtools/wafsamba/samba_bundled.py +=================================================================== +--- ldb-1.1.26.orig/buildtools/wafsamba/samba_bundled.py ++++ ldb-1.1.26/buildtools/wafsamba/samba_bundled.py +@@ -2,6 +2,7 @@ + + import sys + import Build, Options, Logs ++import imp, os + from Configure import conf + from samba_utils import TO_LIST + +@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li + # versions + minversion = minimum_library_version(conf, libname, minversion) + +- try: +- m = __import__(modulename) +- except ImportError: +- found = False +- else: ++ # Find module in PYTHONPATH ++ stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]]) ++ if stuff: + try: +- version = m.__version__ +- except AttributeError: ++ m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2]) ++ except ImportError: + found = False ++ ++ if conf.env.CROSS_COMPILE: ++ # Some modules such as dynamic library maybe cann't be imported ++ # while cross compile, we just check whether the module exist ++ Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1])) ++ found = True + else: +- found = tuplize_version(version) >= tuplize_version(minversion) ++ try: ++ version = m.__version__ ++ except AttributeError: ++ found = False ++ else: ++ found = tuplize_version(version) >= tuplize_version(minversion) ++ finally: ++ if stuff[0]: ++ stuff[0].close() ++ else: ++ found = False ++ + if not found and not conf.LIB_MAY_BE_BUNDLED(libname): + Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion)) + sys.exit(1) diff --git a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch new file mode 100644 index 000000000..ffe253b63 --- /dev/null +++ b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch @@ -0,0 +1,193 @@ +From a4da3ab4d76013aaa731d43d52ccca1ebd37c395 Mon Sep 17 00:00:00 2001 +From: Jackie Huang <jackie.huang@windriver.com> +Date: Wed, 21 Sep 2016 10:06:39 +0800 +Subject: [PATCH 1/1] ldb: Add configure options for packages + +Add configure options for the following packages: + - acl + - attr + - libaio + - libbsd + - libcap + - valgrind + +Upstream-Status: Inappropriate [oe deterministic build specific] + +Signed-off-by: Jackie Huang <jackie.huang@windriver.com> +--- + lib/replace/system/wscript_configure | 6 ++- + lib/replace/wscript | 94 +++++++++++++++++++++++++++--------- + wscript | 7 +++ + 3 files changed, 83 insertions(+), 24 deletions(-) + +diff --git a/lib/replace/system/wscript_configure b/lib/replace/system/wscript_configure +index 2035474..10f9ae7 100644 +--- a/lib/replace/system/wscript_configure ++++ b/lib/replace/system/wscript_configure +@@ -1,6 +1,10 @@ + #!/usr/bin/env python + +-conf.CHECK_HEADERS('sys/capability.h') ++import Options ++ ++if Options.options.enable_libcap: ++ conf.CHECK_HEADERS('sys/capability.h') ++ + conf.CHECK_FUNCS('getpwnam_r getpwuid_r getpwent_r') + + # solaris varients of getXXent_r +diff --git a/lib/replace/wscript b/lib/replace/wscript +index 2f94d49..68b2d3a 100644 +--- a/lib/replace/wscript ++++ b/lib/replace/wscript +@@ -23,6 +23,41 @@ def set_options(opt): + opt.PRIVATE_EXTENSION_DEFAULT('') + opt.RECURSE('buildtools/wafsamba') + ++ opt.add_option('--with-acl', ++ help=("Enable use of acl"), ++ action="store_true", dest='enable_acl') ++ opt.add_option('--without-acl', ++ help=("Disable use of acl"), ++ action="store_false", dest='enable_acl', default=False) ++ ++ opt.add_option('--with-attr', ++ help=("Enable use of attr"), ++ action="store_true", dest='enable_attr') ++ opt.add_option('--without-attr', ++ help=("Disable use of attr"), ++ action="store_false", dest='enable_attr', default=False) ++ ++ opt.add_option('--with-libaio', ++ help=("Enable use of libaio"), ++ action="store_true", dest='enable_libaio') ++ opt.add_option('--without-libaio', ++ help=("Disable use of libaio"), ++ action="store_false", dest='enable_libaio', default=False) ++ ++ opt.add_option('--with-libbsd', ++ help=("Enable use of libbsd"), ++ action="store_true", dest='enable_libbsd') ++ opt.add_option('--without-libbsd', ++ help=("Disable use of libbsd"), ++ action="store_false", dest='enable_libbsd', default=False) ++ ++ opt.add_option('--with-libcap', ++ help=("Enable use of libcap"), ++ action="store_true", dest='enable_libcap') ++ opt.add_option('--without-libcap', ++ help=("Disable use of libcap"), ++ action="store_false", dest='enable_libcap', default=False) ++ + @Utils.run_once + def configure(conf): + conf.RECURSE('buildtools/wafsamba') +@@ -32,12 +67,25 @@ def configure(conf): + conf.DEFINE('HAVE_LIBREPLACE', 1) + conf.DEFINE('LIBREPLACE_NETWORK_CHECKS', 1) + +- conf.CHECK_HEADERS('linux/types.h crypt.h locale.h acl/libacl.h compat.h') +- conf.CHECK_HEADERS('acl/libacl.h attr/xattr.h compat.h ctype.h dustat.h') ++ conf.CHECK_HEADERS('linux/types.h crypt.h locale.h compat.h') ++ conf.CHECK_HEADERS('compat.h ctype.h dustat.h') + conf.CHECK_HEADERS('fcntl.h fnmatch.h glob.h history.h krb5.h langinfo.h') +- conf.CHECK_HEADERS('libaio.h locale.h ndir.h pwd.h') +- conf.CHECK_HEADERS('shadow.h sys/acl.h') +- conf.CHECK_HEADERS('sys/attributes.h attr/attributes.h sys/capability.h sys/dir.h sys/epoll.h') ++ conf.CHECK_HEADERS('locale.h ndir.h pwd.h') ++ conf.CHECK_HEADERS('shadow.h') ++ conf.CHECK_HEADERS('sys/attributes.h sys/dir.h sys/epoll.h') ++ ++ if Options.options.enable_acl: ++ conf.CHECK_HEADERS('acl/libacl.h sys/acl.h') ++ ++ if Options.options.enable_attr: ++ conf.CHECK_HEADERS('attr/attributes.h attr/xattr.h') ++ ++ if Options.options.enable_libaio: ++ conf.CHECK_HEADERS('libaio.h') ++ ++ if Options.options.enable_libcap: ++ conf.CHECK_HEADERS('sys/capability.h') ++ + conf.CHECK_HEADERS('port.h') + conf.CHECK_HEADERS('sys/fcntl.h sys/filio.h sys/filsys.h sys/fs/s5param.h sys/fs/vx/quota.h') + conf.CHECK_HEADERS('sys/id.h sys/ioctl.h sys/ipc.h sys/mman.h sys/mode.h sys/ndir.h sys/priv.h') +@@ -73,7 +121,9 @@ def configure(conf): + + conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H') + +- conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') ++ if Options.options.enable_valgrind: ++ conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') ++ + conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h') + conf.CHECK_HEADERS('sys/extattr.h sys/ea.h sys/proplist.h sys/cdefs.h') + conf.CHECK_HEADERS('utmp.h utmpx.h lastlog.h') +@@ -266,22 +316,20 @@ def configure(conf): + + conf.CHECK_FUNCS('prctl dirname basename') + +- strlcpy_in_bsd = False +- +- # libbsd on some platforms provides strlcpy and strlcat +- if not conf.CHECK_FUNCS('strlcpy strlcat'): +- if conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h', +- checklibc=True): +- strlcpy_in_bsd = True +- if not conf.CHECK_FUNCS('getpeereid'): +- conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h') +- if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'): +- conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h') +- if not conf.CHECK_FUNCS('setproctitle_init'): +- conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h') +- +- if not conf.CHECK_FUNCS('closefrom'): +- conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h') ++ if Options.options.enable_libbsd: ++ # libbsd on some platforms provides strlcpy and strlcat ++ if not conf.CHECK_FUNCS('strlcpy strlcat'): ++ conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h', ++ checklibc=True) ++ if not conf.CHECK_FUNCS('getpeereid'): ++ conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h') ++ if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'): ++ conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h') ++ if not conf.CHECK_FUNCS('setproctitle_init'): ++ conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h') ++ ++ if not conf.CHECK_FUNCS('closefrom'): ++ conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h') + + conf.CHECK_CODE(''' + struct ucred cred; +@@ -632,7 +680,7 @@ removeea setea + # look for a method of finding the list of network interfaces + for method in ['HAVE_IFACE_GETIFADDRS', 'HAVE_IFACE_AIX', 'HAVE_IFACE_IFCONF', 'HAVE_IFACE_IFREQ']: + bsd_for_strlcpy = '' +- if strlcpy_in_bsd: ++ if Options.options.enable_libbsd: + bsd_for_strlcpy = ' bsd' + if conf.CHECK_CODE(''' + #define %s 1 +diff --git a/wscript b/wscript +index 8ae5be3..a178cc4 100644 +--- a/wscript ++++ b/wscript +@@ -31,6 +31,13 @@ def set_options(opt): + opt.RECURSE('lib/replace') + opt.tool_options('python') # options for disabling pyc or pyo compilation + ++ opt.add_option('--with-valgrind', ++ help=("enable use of valgrind"), ++ action="store_true", dest='enable_valgrind') ++ opt.add_option('--without-valgrind', ++ help=("disable use of valgrind"), ++ action="store_false", dest='enable_valgrind', default=False) ++ + def configure(conf): + conf.RECURSE('lib/tdb') + conf.RECURSE('lib/tevent') +-- +2.16.2 + diff --git a/meta-security/recipes-support/libldb/libldb_1.3.1.bb b/meta-security/recipes-support/libldb/libldb_1.3.1.bb new file mode 100644 index 000000000..c644b20b0 --- /dev/null +++ b/meta-security/recipes-support/libldb/libldb_1.3.1.bb @@ -0,0 +1,64 @@ +SUMMARY = "Hierarchical, reference counted memory pool system with destructors" +HOMEPAGE = "http://ldb.samba.org" +SECTION = "libs" +LICENSE = "LGPL-3.0+ & LGPL-2.1+ & GPL-3.0+" + +DEPENDS += "libtdb libtalloc libtevent popt" +RDEPENDS_pyldb += "python" + +SRC_URI = "http://samba.org/ftp/ldb/ldb-${PV}.tar.gz \ + file://do-not-import-target-module-while-cross-compile.patch \ + file://options-1.3.1.patch \ + " + +PACKAGECONFIG ??= "\ + ${@bb.utils.filter('DISTRO_FEATURES', 'acl', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} \ +" +PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl" +PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" +PACKAGECONFIG[ldap] = ",,openldap" +PACKAGECONFIG[libaio] = "--with-libaio,--without-libaio,libaio" +PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd" +PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap" +PACKAGECONFIG[valgrind] = "--with-valgrind,--without-valgrind,valgrind" + +SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'ldap', '', 'file://avoid-openldap-unless-wanted.patch', d)}" + +LIC_FILES_CHKSUM = "file://pyldb.h;endline=24;md5=dfbd238cecad76957f7f860fbe9adade \ + file://man/ldb.3.xml;beginline=261;endline=262;md5=137f9fd61040c1505d1aa1019663fd08 \ + file://tools/ldbdump.c;endline=19;md5=a7d4fc5d1f75676b49df491575a86a42" + +SRC_URI[md5sum] = "e5233f202bca27f6ce8474fb8ae65983" +SRC_URI[sha256sum] = "b19f2c9f55ae0f46aa5ebaea0bf1a47ec1ac135e1d78af0f6318cf50bf62cbd2" + +CROSS_METHOD="exec" +inherit waf-samba + +S = "${WORKDIR}/ldb-${PV}" + +EXTRA_OECONF += "--disable-rpath \ + --disable-rpath-install \ + --bundled-libraries=cmocka \ + --builtin-libraries=replace \ + --with-modulesdir=${libdir}/ldb/modules \ + --with-privatelibdir=${libdir}/ldb \ + --with-libiconv=${STAGING_DIR_HOST}${prefix}\ + " + +PACKAGES =+ "pyldb pyldb-dbg pyldb-dev" + +NOAUTOPACKAGEDEBUG = "1" + +FILES_${PN} += "${libdir}/ldb/*" +FILES_${PN}-dbg += "${bindir}/.debug/* \ + ${libdir}/.debug/* \ + ${libdir}/ldb/.debug/* \ + ${libdir}/ldb/modules/ldb/.debug/*" + +FILES_pyldb = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \ + ${libdir}/libpyldb-util.so.* \ + " +FILES_pyldb-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug \ + ${libdir}/.debug/libpyldb-util.so.*" +FILES_pyldb-dev = "${libdir}/libpyldb-util.so" |