Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/conf/layer.conf4
-rw-r--r--meta-security/files/waf-cross-answers/README3
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-aarch64.txt39
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt39
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-arm.txt40
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-armeb.txt40
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-i586.txt40
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-i686.txt40
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-mips.txt40
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-mips64.txt39
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-mips64el.txt39
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-mipsel.txt40
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-powerpc.txt40
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt40
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-riscv64.txt39
-rw-r--r--meta-security/files/waf-cross-answers/cross-answers-x86_64.txt39
-rw-r--r--meta-security/lib/oeqa/runtime/cases/clamav.py2
-rw-r--r--meta-security/meta-integrity/README.md12
-rw-r--r--meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass2
-rw-r--r--meta-security/meta-integrity/classes/kernel-modsign.bbclass29
-rw-r--r--meta-security/meta-integrity/conf/layer.conf8
-rw-r--r--meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem28
-rw-r--r--meta-security/meta-integrity/data/debug-keys/x509_modsign.crt22
-rw-r--r--meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb2
-rw-r--r--meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend6
-rw-r--r--meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg18
-rw-r--r--meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg3
-rw-r--r--meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch65
-rw-r--r--meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch43
-rw-r--r--meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch31
-rw-r--r--meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch34
-rw-r--r--meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch4
-rw-r--r--meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb12
-rw-r--r--meta-security/meta-security-compliance/README4
-rw-r--r--meta-security/meta-security-compliance/conf/layer.conf6
-rw-r--r--meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb (renamed from meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb)4
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch36
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch17
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest3
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc53
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb87
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb9
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb12
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc31
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb59
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb8
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb9
-rw-r--r--meta-security/meta-tpm/conf/layer.conf2
-rw-r--r--meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py4
-rw-r--r--meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb7
-rw-r--r--meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb18
-rw-r--r--meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb8
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb4
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch27
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb27
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb (renamed from meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb)2
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb18
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb17
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb (renamed from meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb)2
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch84
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb (renamed from meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb)5
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch51
-rw-r--r--meta-security/recipes-ids/samhain/samhain-client.bb (renamed from meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb)0
-rw-r--r--meta-security/recipes-ids/samhain/samhain-server.bb (renamed from meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb)0
-rw-r--r--meta-security/recipes-ids/samhain/samhain-standalone.bb (renamed from meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb)0
-rw-r--r--meta-security/recipes-ids/samhain/samhain.inc6
-rw-r--r--meta-security/recipes-kernel/linux/linux-stable_5.2.bbappend4
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg9
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg1
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg2
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg7
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend2
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg15
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg1
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg2
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto/smack.cfg8
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend13
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend11
-rw-r--r--meta-security/recipes-security/clamav/clamav_0.99.4.bb6
-rw-r--r--meta-security/recipes-security/images/security-test-image.bb33
-rw-r--r--meta-security/recipes-security/keyutils/files/fix_library_install_path.patch28
-rw-r--r--meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch42
-rw-r--r--meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch41
-rwxr-xr-xmeta-security/recipes-security/keyutils/files/run-ptest3
-rw-r--r--meta-security/recipes-security/keyutils/keyutils_1.6.bb53
-rw-r--r--meta-security/recipes-security/libmspack/libmspack_1.9.1.bb (renamed from meta-security/recipes-security/libmspack/libmspack_0.10.1.bb)10
-rw-r--r--meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb25
-rw-r--r--meta-security/recipes-security/packagegroup/packagegroup-core-security.bb20
-rw-r--r--meta-security/recipes-security/xmlsec1/xmlsec1_1.2.28.bb (renamed from meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb)4
-rw-r--r--meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch13
-rwxr-xr-xmeta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch58
-rw-r--r--meta-security/recipes-support/libldb/libldb/options-1.3.1.patch193
-rw-r--r--meta-security/recipes-support/libldb/libldb_1.3.1.bb64
93 files changed, 500 insertions, 1670 deletions
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 4beac385f..b9a4f254c 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,8 +9,6 @@ BBFILE_COLLECTIONS += "security"
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "thud warrior"
+LAYERSERIES_COMPAT_security = "warrior"
LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
-
-DEFAULT_TEST_SUITES_pn-security-build-image = " ping ssh ptest"
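Review bot: Dropping `DEFAULT_TEST_SUITES_pn-security-build-image = " ping ssh ptest"` at the end of this hunk leaves no layer-level setting for which runtime tests testimage runs against security-build-image, so ptest coverage of the security packages may stop without anyone noticing unless it is set elsewhere. The diffstat lists changes to recipes-security/images/security-test-image.bb and packagegroup-core-security-ptest.bb, but their content is not visible here, so it is unclear whether the setting was moved or dropped on purpose. If the removal is deliberate, a sentence in the commit message saying so would help. The same applies to narrowing `LAYERSERIES_COMPAT_security` to `"warrior"`, which declares the layer no longer compatible with thud-based builds.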
diff --git a/meta-security/files/waf-cross-answers/README b/meta-security/files/waf-cross-answers/README
deleted file mode 100644
index dda45c508..000000000
--- a/meta-security/files/waf-cross-answers/README
+++ /dev/null
@@ -1,3 +0,0 @@
-The files in this directory are cross answers files
-used by waf-samba.bbclass, please see waf-samba.bbclass
-for details about how they are used.
diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt
deleted file mode 100644
index 1023f6aff..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: OK
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt
deleted file mode 100644
index 1023f6aff..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: OK
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-arm.txt b/meta-security/files/waf-cross-answers/cross-answers-arm.txt
deleted file mode 100644
index a5cd9981a..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-arm.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: NO
-Checking for -D_FILE_OFFSET_BITS=64: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: NO
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt
deleted file mode 100644
index a5cd9981a..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: NO
-Checking for -D_FILE_OFFSET_BITS=64: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: NO
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-i586.txt b/meta-security/files/waf-cross-answers/cross-answers-i586.txt
deleted file mode 100644
index a5cd9981a..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-i586.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: NO
-Checking for -D_FILE_OFFSET_BITS=64: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: NO
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-i686.txt b/meta-security/files/waf-cross-answers/cross-answers-i686.txt
deleted file mode 100644
index a5cd9981a..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-i686.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: NO
-Checking for -D_FILE_OFFSET_BITS=64: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: NO
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips.txt b/meta-security/files/waf-cross-answers/cross-answers-mips.txt
deleted file mode 100644
index 3e239e727..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-mips.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: NO
-Checking for -D_FILE_OFFSET_BITS=64: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "128"
-Checking value of _NSIG: "128"
-Checking value of SIGRTMAX: "127"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: NO
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt
deleted file mode 100644
index 82e694fda..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: OK
-Checking for HAVE_INCOHERENT_MMAP: OK
-Checking value of NSIG: "128"
-Checking value of _NSIG: "128"
-Checking value of SIGRTMAX: "127"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: OK
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt
deleted file mode 100644
index 82e694fda..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: OK
-Checking for HAVE_INCOHERENT_MMAP: OK
-Checking value of NSIG: "128"
-Checking value of _NSIG: "128"
-Checking value of SIGRTMAX: "127"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: OK
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt
deleted file mode 100644
index 3e239e727..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: NO
-Checking for -D_FILE_OFFSET_BITS=64: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "128"
-Checking value of _NSIG: "128"
-Checking value of SIGRTMAX: "127"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: NO
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt
deleted file mode 100644
index 27b9378a4..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: NO
-Checking for -D_FILE_OFFSET_BITS=64: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: NO
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt
deleted file mode 100644
index 7fd3092cb..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: (255, "")
-Checking if can we convert from IBM850 to UCS-2LE: (255, "")
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: OK
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt
deleted file mode 100644
index 1023f6aff..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: OK
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt
deleted file mode 100644
index 1023f6aff..000000000
--- a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-Checking uname sysname type: "Linux"
-Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
-Checking simple C program: "hello world"
-rpath library support: OK
--Wl,--version-script support: OK
-Checking getconf LFS_CFLAGS: NO
-Checking correct behavior of strtoll: NO
-Checking for working strptime: OK
-Checking for C99 vsnprintf: "1"
-Checking for HAVE_SHARED_MMAP: OK
-Checking for HAVE_MREMAP: OK
-Checking for HAVE_SECURE_MKSTEMP: OK
-Checking for HAVE_IFACE_GETIFADDRS: NO
-Checking for HAVE_IFACE_IFCONF: NO
-Checking for HAVE_IFACE_IFREQ: NO
-Checking for large file support without additional flags: OK
-Checking for HAVE_INCOHERENT_MMAP: NO
-Checking value of NSIG: "65"
-Checking value of _NSIG: "65"
-Checking value of SIGRTMAX: "64"
-Checking value of SIGRTMIN: "34"
-Checking whether the WRFILE -keytab is supported: OK
-Checking for kernel change notify support: OK
-Checking for Linux kernel oplocks: OK
-Checking for kernel share modes: OK
-Checking whether POSIX capabilities are available: OK
-Checking if can we convert from CP850 to UCS-2LE: OK
-Checking if can we convert from UTF-8 to UCS-2LE: OK
-vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
-Checking whether we can use Linux thread-specific credentials: OK
-Checking whether fcntl locking is available: OK
-Checking for the maximum value of the 'time_t' type: OK
-Checking whether the realpath function allows a NULL argument: OK
-Checking for ftruncate extend: OK
-getcwd takes a NULL argument: OK
-Checking for small off_t: NO
-Checking whether blkcnt_t is 32 bit: NO
-Checking whether blkcnt_t is 64 bit: OK
-Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py
index d0bc645ae..2808df4dc 100644
--- a/meta-security/lib/oeqa/runtime/cases/clamav.py
+++ b/meta-security/lib/oeqa/runtime/cases/clamav.py
@@ -57,7 +57,7 @@ class ClamavTest(OERuntimeTestCase):
'Status and output:%s and %s' % (status, output))
self.assertEqual(status, 1, msg = msg)
- @OETestDepends(['clamav.ClamavTest.test_freshclam_download'])
+ @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net'])
def test_freshclam_check_mirrors(self):
status, output = self.target.run('freshclam --list-mirrors')
match = re.search('Failures: 0', output)
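Review bot: With the decorator now naming `test_ping_clamav_net`, `test_freshclam_check_mirrors` is no longer ordered after `test_freshclam_download`, and nothing in the hunk says why. If `freshclam --list-mirrors` reports state written by an earlier freshclam run (worth confirming for the packaged ClamAV version), the `'Failures: 0'` match could then depend on test order rather than on the target's state. Either add a one-line comment above the decorator explaining why the download dependency was dropped, or keep both: `@OETestDepends(['clamav.ClamavTest.test_ping_clamav_net', 'clamav.ClamavTest.test_freshclam_download'])`. The test body continues outside the hunk.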
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md
index 5bef76e8d..460794878 100644
--- a/meta-security/meta-integrity/README.md
+++ b/meta-security/meta-integrity/README.md
@@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
INHERIT += "ima-evm-rootfs"
- IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+ IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
@@ -96,7 +96,7 @@ for that are included in the layer. This is also how the
# In that shell, create the keys. Several options exist:
# 1. Self-signed keys.
- $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh
+ $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
# 2. Keys signed by a new CA.
# When asked for a PEM passphrase, that will be for the root CA.
@@ -104,11 +104,11 @@ for that are included in the layer. This is also how the
# only creating new certificates does. Most likely the default
# attributes for these certificates need to be adapted; modify
# the scripts as needed.
- # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh
- # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh
+ # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
+ # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
# 3. Keys signed by an existing CA.
- # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
+ # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
exit
When using ``ima-self-signed.sh`` as described above, self-signed keys
@@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
changes. To activate policy loading via systemd, place a policy file
in `/etc/ima/ima-policy`, for example with:
- IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple"
+ IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
index 8aec388df..d6ade3bf9 100644
--- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -1,7 +1,7 @@
# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be
# set explicitly in a local.conf before activating ima-evm-rootfs.
# To use the insecure (because public) example keys, use
-# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
# Private key for IMA signing. The default is okay when
diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
new file mode 100644
index 000000000..09025baa7
--- /dev/null
+++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
@@ -0,0 +1,29 @@
+# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
+# set explicitly in a local.conf before activating kernel-modsign.
+# To use the insecure (because public) example keys, use
+# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+
+# Private key for modules signing. The default is okay when
+# using the example key directory.
+MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
+
+# Public part of certificates used for modules signing.
+# The default is okay when using the example key directory.
+MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
+
+# If this class is enabled, disable stripping signatures from modules
+INHIBIT_PACKAGE_STRIP = "1"
+
+kernel_do_configure_prepend() {
+ if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
+ cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
+ > "${B}/modsign_key.pem"
+ else
+ bberror "Either modsign key or certificate are invalid"
+ fi
+}
+
+do_shared_workdir_append() {
+ cp modsign_key.pem $kerneldir/
+}
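Review bot: In `kernel_do_configure_prepend` the else branch calls `bberror`, which as far as I know logs the message without failing the task. Configure would then carry on without `${B}/modsign_key.pem`, and the problem would only surface later at `cp modsign_key.pem $kerneldir/`. `bbfatal "modsign: ${MODSIGN_PRIVKEY} or ${MODSIGN_X509} not found"` stops at the cause and names the paths; since the `-f` tests only check existence, "not found" is also more accurate than "invalid". Separately, `do_shared_workdir_append` copies a file containing the private signing key into the shared kernel directory. A comment there should say that this is intended, and that with non-debug keys the build host's work directories and any archived build artifacts need to be access-controlled accordingly.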
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index 2f696cf7c..41989da38 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -13,12 +13,14 @@ BBFILE_PRIORITY_integrity = "6"
# Set a variable to get to the top of the metadata location. Needed
# for finding scripts (when following the README.md instructions) and
# default debug keys (in ima-evm-rootfs.bbclass).
-IMA_EVM_BASE := '${LAYERDIR}'
+INTEGRITY_BASE := '${LAYERDIR}'
# We must not export this path to all shell scripts (as in "export
-# IMA_EVM_BASE"), because that causes problems with sstate (becames
+# INTEGRITY_BASE"), because that causes problems with sstate (becames
# dependent on location of the layer). Exporting it to just the
# interactive shell is enough.
-OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"
+OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
LAYERSERIES_COMPAT_integrity = "warrior"
+# ima-evm-utils depends on keyutils from meta-oe
+LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem b/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem
new file mode 100644
index 000000000..4cac00ae3
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt b/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt
new file mode 100644
index 000000000..5fa2a9062
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index 6ed724df2..e1bc6ffa0 100644
--- a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -17,6 +17,6 @@ inherit core-image
export IMAGE_BASENAME = "integrity-image-minimal"
INHERIT += "ima-evm-rootfs"
-IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index 931854ef8..f9a48cd05 100644
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,3 +1,5 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
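Review bot: The two `KERNEL_FEATURES_append` lines only take effect for recipes that process `KERNEL_FEATURES` (kernel-yocto based ones, as far as I know), yet this bbappend matches every `linux-%` recipe and no longer adds the `ima.cfg` fragment through `SRC_URI`. For a kernel recipe that ignores `KERNEL_FEATURES`, putting `ima` or `modsign` in DISTRO_FEATURES would then produce a kernel without those options and without any warning, which is an easy way to ship an image that is believed to be appraised or signed but is not. Stating the requirement above the lines would make this visible, e.g. `# Requires a kernel-yocto based recipe whose kernel cache provides features/ima/ima.scc and modsign.scc`. Ideally the build should also fail or warn when the feature is requested but the resulting .config lacks CONFIG_IMA or CONFIG_MODULE_SIG. As a smaller style point, the first line uses double quotes and `"" ,d` while the second uses single quotes; one form on both would read more cleanly.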
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg
deleted file mode 100644
index b3e47ba37..000000000
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg
+++ /dev/null
@@ -1,18 +0,0 @@
-CONFIG_IMA=y
-CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_NG_TEMPLATE=y
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
-CONFIG_IMA_DEFAULT_HASH="sha1"
-CONFIG_IMA_APPRAISE=y
-CONFIG_IMA_APPRAISE_BOOTPARAM=y
-CONFIG_IMA_TRUSTED_KEYRING=y
-CONFIG_SIGNATURE=y
-CONFIG_IMA_WRITE_POLICY=y
-CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_LOAD_X509=y
-CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
-
-#CONFIG_INTEGRITY_SIGNATURE=y
-#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
deleted file mode 100644
index 9a454257a..000000000
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
+++ /dev/null
@@ -1,3 +0,0 @@
-# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
-CONFIG_EVM_LOAD_X509=y
-CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
deleted file mode 100644
index 5ccb73d9b..000000000
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001
-From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
-Date: Wed, 6 Mar 2019 01:08:43 +0300
-Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL
-
-There is no need to link to full libssl. evmctl uses functions from
-libcrypto, so let's link only against that library.
-
-Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
----
- configure.ac | 4 +---
- src/Makefile.am | 9 ++++-----
- 2 files changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 60f3684..32e8d85 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -24,9 +24,7 @@ LT_INIT
- # Checks for header files.
- AC_HEADER_STDC
-
--PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ])
--AC_SUBST(OPENSSL_CFLAGS)
--AC_SUBST(OPENSSL_LIBS)
-+PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ])
- AC_SUBST(KERNEL_HEADERS)
- AC_CHECK_HEADER(unistd.h)
- AC_CHECK_HEADERS(openssl/conf.h)
-diff --git a/src/Makefile.am b/src/Makefile.am
-index d74fc6f..b81281a 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -1,11 +1,11 @@
- lib_LTLIBRARIES = libimaevm.la
-
- libimaevm_la_SOURCES = libimaevm.c
--libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS)
-+libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
- # current[:revision[:age]]
- # result: [current-age].age.revision
- libimaevm_la_LDFLAGS = -version-info 0:0:0
--libimaevm_la_LIBADD = $(OPENSSL_LIBS)
-+libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS)
-
- include_HEADERS = imaevm.h
-
-@@ -17,12 +17,11 @@ hash_info.h: Makefile
- bin_PROGRAMS = evmctl
-
- evmctl_SOURCES = evmctl.c
--evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
-+evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
- evmctl_LDFLAGS = $(LDFLAGS_READLINE)
--evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la
-+evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
-
- INCLUDES = -I$(top_srcdir) -include config.h
-
- CLEANFILES = hash_info.h
- DISTCLEANFILES = @DISTCLEANFILES@
--
---
-2.17.1
-
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
deleted file mode 100644
index 8237274ca..000000000
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001
-From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
-Date: Wed, 6 Mar 2019 01:17:12 +0300
-Subject: [PATCH 2/4] ima-evm-utils: replace INCLUDES with AM_CPPFLAGS
-
-Replace INCLUDES variable with AM_CPPFLAGS to stop Automake from warning
-about deprecated variable usage.
-
-Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
----
- src/Makefile.am | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index b81281a..164e7e4 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -1,7 +1,7 @@
- lib_LTLIBRARIES = libimaevm.la
-
- libimaevm_la_SOURCES = libimaevm.c
--libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
-+libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
- # current[:revision[:age]]
- # result: [current-age].age.revision
- libimaevm_la_LDFLAGS = -version-info 0:0:0
-@@ -17,11 +17,11 @@ hash_info.h: Makefile
- bin_PROGRAMS = evmctl
-
- evmctl_SOURCES = evmctl.c
--evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
-+evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
- evmctl_LDFLAGS = $(LDFLAGS_READLINE)
- evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
-
--INCLUDES = -I$(top_srcdir) -include config.h
-+AM_CPPFLAGS = -I$(top_srcdir) -include config.h
-
- CLEANFILES = hash_info.h
- DISTCLEANFILES = @DISTCLEANFILES@
---
-2.17.1
-
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
deleted file mode 100644
index 3d250d2fc..000000000
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From c587ec307a6259a990bfab727cea7db28dba4c23 Mon Sep 17 00:00:00 2001
-From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
-Date: Wed, 6 Mar 2019 01:22:30 +0300
-Subject: [PATCH 3/4] ima-evm-utils: include hash-info.gen into distribution
-
-Include hash-info.gen into tarball and call it from the sourcedir to fix
-out-of-tree build (and thus 'make distcheck').
-
-Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
----
- src/Makefile.am | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 164e7e4..9c037e2 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -11,8 +11,9 @@ include_HEADERS = imaevm.h
-
- nodist_libimaevm_la_SOURCES = hash_info.h
- BUILT_SOURCES = hash_info.h
-+EXTRA_DIST = hash_info.gen
- hash_info.h: Makefile
-- ./hash_info.gen $(KERNEL_HEADERS) >$@
-+ $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@
-
- bin_PROGRAMS = evmctl
-
---
-2.17.1
-
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch
deleted file mode 100644
index 4ada1a271..000000000
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From b9f327c5c513ccea9cb56d4bbd50c1f66d629099 Mon Sep 17 00:00:00 2001
-From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
-Date: Wed, 6 Mar 2019 01:24:04 +0300
-Subject: [PATCH 4/4] ima-evm-utils: update .gitignore files
-
-Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
----
- .gitignore | 1 +
- src/.gitignore | 1 +
- 2 files changed, 2 insertions(+)
- create mode 100644 src/.gitignore
-
-diff --git a/.gitignore b/.gitignore
-index ca7a06e..cb82166 100644
---- a/.gitignore
-+++ b/.gitignore
-@@ -45,6 +45,7 @@ cscope.*
- ncscope.*
-
- # Generated documentation
-+*.1
- *.8
- *.5
- manpage.links
-diff --git a/src/.gitignore b/src/.gitignore
-new file mode 100644
-index 0000000..38e8e3c
---- /dev/null
-+++ b/src/.gitignore
-@@ -0,0 +1 @@
-+hash_info.h
---
-2.17.1
-
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
index c0bdd9b49..ffa65dfb0 100644
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
@@ -23,9 +23,9 @@ diff --git a/src/evmctl.c b/src/evmctl.c
index c54efbb..23cf54c 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
-@@ -56,6 +56,18 @@
- #include <ctype.h>
+@@ -57,6 +57,18 @@
#include <termios.h>
+ #include <assert.h>
+/*
+ * linux/xattr.h might be old to have this. Allow compilation on older
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
index 929d85348..92c24c902 100644
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -6,9 +6,9 @@ DEPENDS += "openssl attr keyutils"
DEPENDS_class-native += "openssl-native keyutils-native"
-PV = "1.0+git${SRCPV}"
-SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167"
-SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils"
+PV = "1.2.1+git${SRCPV}"
+SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e"
+SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y"
# Documentation depends on asciidoc, which we do not have, so
# do not build documentation.
@@ -21,12 +21,6 @@ SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch"
# Required for xargs with more than one path as argument (better for performance).
SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"
-SRC_URI += "\
- file://0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch \
- file://0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch \
- file://0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch \
- file://0004-ima-evm-utils-update-.gitignore-files.patch \
-"
S = "${WORKDIR}/git"
inherit pkgconfig autotools
diff --git a/meta-security/meta-security-compliance/README b/meta-security/meta-security-compliance/README
index b29c143b7..320f85676 100644
--- a/meta-security/meta-security-compliance/README
+++ b/meta-security/meta-security-compliance/README
@@ -28,9 +28,9 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
-Layer Maintainer: Armin Kuster <akuster@mvista.com>
+Layer Maintainer: Armin Kuster <akuster808@gmail.com>
License
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index d48feb97a..9ccadab8b 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -8,8 +8,6 @@ BBFILE_COLLECTIONS += "scanners-layer"
BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_scanners-layer = "10"
-LAYERSERIES_COMPAT_scanners-layer = "thud warrior"
+LAYERSERIES_COMPAT_scanners-layer = "warrior"
-LAYERDEPENDS_scanners-layer = " \
- core \
-"
+LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
index 3ba82f9e4..21e451794 100644
--- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
-SRC_URI[md5sum] = "3422cee3b12fc33338fcde003d65e234"
-SRC_URI[sha256sum] = "fde6ccf8d6ec0ae1e9c9f4a6d640cddcde4bf7a92f8437d47d16a5477e21bfda"
+SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242"
+SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d"
S = "${WORKDIR}/${BPN}"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch b/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch
deleted file mode 100644
index 2d70855ab..000000000
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -360,25 +360,13 @@ case "${with_crypto}" in
- AC_DEFINE([HAVE_NSS3], [1], [Define to 1 if you have 'NSS' library.])
- ;;
- gcrypt)
-- SAVE_LIBS=$LIBS
-- AC_CHECK_LIB([gcrypt], [gcry_check_version],
-- [crapi_CFLAGS=`libgcrypt-config --cflags`;
-- crapi_LIBS=`libgcrypt-config --libs`;
-- crapi_libname="GCrypt";],
-- [AC_MSG_ERROR([library 'gcrypt' is required for GCrypt.])],
-- [])
-- AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'gcrypt' library.])
-- AC_CACHE_CHECK([for GCRYCTL_SET_ENFORCED_FIPS_FLAG],
-- [ac_cv_gcryctl_set_enforced_fips_flag],
-- [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include<gcrypt.h>],
-- [return GCRYCTL_SET_ENFORCED_FIPS_FLAG;])],
-- [ac_cv_gcryctl_set_enforced_fips_flag=yes],
-- [ac_cv_gcryctl_set_enforced_fips_flag=no])])
-+ PKG_CHECK_MODULES([libgcrypt], [libgcrypt >= 1.7.9],[],
-+ AC_MSG_FAILURE([libgcrypt devel support is missing]))
-
-- if test "${ac_cv_gcryctl_set_enforced_fips_flag}" == "yes"; then
-- AC_DEFINE([HAVE_GCRYCTL_SET_ENFORCED_FIPS_FLAG], [1], [Define to 1 if you have 'gcrypt' library with GCRYCTL_SET_ENFORCED_FIPS_FLAG.])
-- fi
-- LIBS=$SAVE_LIBS
-+ crapi_libname="libgcrypt"
-+ crapi_CFLAGS=$libgcrypt_CFLAGS
-+ crapi_LIBS=$libgcrypt_LIBS
-+ AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'libgcrypt' library.])
- ;;
- *)
- AC_MSG_ERROR([unknown crypto backend])
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch b/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
deleted file mode 100644
index ecbe6026f..000000000
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto],
- [],
- [crypto=gcrypt])
-
--if test "x${libexecdir}" = xNONE; then
-- probe_dir="/usr/local/libexec/openscap"
--else
-- EXPAND_DIR(probe_dir,"${libexecdir}/openscap")
--fi
-+probe_dir="/usr/local/libexec/openscap"
-
- AC_SUBST(probe_dir)
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest b/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
deleted file mode 100644
index 454a6a3c9..000000000
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-cd tests
-make -k check
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index e9589b6bd..53309e8ad 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -1,2 +1,55 @@
+# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
+LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig"
+DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native"
+
+S = "${WORKDIR}/git"
+
+inherit cmake pkgconfig python3native perlnative
+
+PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3"
+PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl"
+PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm"
+PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt"
+PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss"
+PACKAGECONFIG[selinux] = ", ,libselinux"
+
+EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \
+ -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \
+ -DENABLE_OSCAP_UTIL=ON -DENABLE_OSCAP_UTIL_SSH=ON \
+ -DENABLE_OSCAP_UTIL_DOCKER=OFF -DENABLE_OSCAP_UTIL_CHROOT=OFF \
+ -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \
+ -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \
+ -DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS=OFF \
+ -DCMAKE_SKIP_INSTALL_RPATH=ON -DCMAKE_SKIP_RPATH=ON \
+ "
+
STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source"
STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+
+do_configure_append_class-native () {
+ sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h
+ sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h
+ sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h
+}
+
+do_clean[cleandirs] += "${STAGING_OSCAP_BUILDDIR}"
+
+do_install_append_class-native () {
+ oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
+ install -d $oscapdir
+ cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir
+}
+
+FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
+
+RDEPENDS_${PN} += "libxml2 python3 libgcc"
+
+BBCLASSEXTEND = "native"
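Review bot: The first two assignments in the new openscap.inc header use names BitBake does not act on. `SUMARRY` is a misspelling of `SUMMARY`, and `HOME_URL` is not the standard `HOMEPAGE` variable, so the package ends up with a default summary and no homepage in its metadata. Both spellings were carried over from the removed openscap_1.2.17.bb, so this is a good moment to fix them: `SUMMARY = "NIST Certified SCAP 1.2 toolkit"` and `HOMEPAGE = "https://www.open-scap.org/tools/openscap-base/"`. It would also help to add a short comment next to `-DENABLE_TESTS=OFF` noting that ptest support (the removed `run-ptest`) is intentionally dropped with the move to cmake, if that is the case.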
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb
deleted file mode 100644
index e2a4fa2e6..000000000
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "NIST Certified SCAP 1.2 toolkit"
-HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
-LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "autoconf-archive pkgconfig gconf procps curl libxml2 rpm \
- libxslt libcap swig swig-native"
-
-DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native"
-
-SRCREV = "59c234b3e9907480c89dfbd1b466a6bf72a2d2ed"
-SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \
- file://crypto_pkgconfig.patch \
- file://run-ptest \
-"
-
-inherit autotools-brokensep pkgconfig python3native perlnative ptest
-
-S = "${WORKDIR}/git"
-
-PACKAGECONFIG ?= "nss3 pcre rpm"
-PACKAGECONFIG[pcre] = ",--enable-regex-posix, libpcre"
-PACKAGECONFIG[gcrypt] = "--with-crypto=gcrypt,, libgcrypt "
-PACKAGECONFIG[nss3] = "--with-crypto=nss3,, nss"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
-PACKAGECONFIG[python3] = "--enable-python3, --disable-python3, python3, python3"
-PACKAGECONFIG[perl] = "--enable-perl, --disable-perl, perl, perl"
-PACKAGECONFIG[rpm] = " --enable-util-scap-as-rpm, --disable-util-scap-as-rpm, rpm, rpm"
-
-export LDFLAGS += " -ldl"
-
-EXTRA_OECONF += "--enable-probes-independent --enable-probes-linux \
- --enable-probes-solaris --enable-probes-unix --disable-util-oscap-docker\
- --enable-util-oscap-ssh --enable-util-oscap --enable-ssp --enable-sce \
-"
-
-EXTRA_OECONF_class-native += "--disable-probes-independent --enable-probes-linux \
- --disable-probes-solaris --disable-probes-unix \
- --enable-util-oscap \
-"
-
-do_configure_prepend () {
- sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am
- sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am
- sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am
- sed -i 's:python2:python:' ${S}/utils/scap-as-rpm
-}
-
-
-include openscap.inc
-
-do_configure_append_class-native () {
- sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h
- sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h
- sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h
-}
-
-do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
-
-do_install_append_class-native () {
- oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
- install -d $oscapdir
- cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir
-}
-
-TESTDIR = "tests"
-
-do_compile_ptest() {
- sed -i 's:python2:python:' ${S}/${TESTDIR}/nist/test_worker.py
- echo 'buildtest-TESTS: $(check)' >> ${TESTDIR}/Makefile
- oe_runmake -C ${TESTDIR} buildtest-TESTS
-}
-
-do_install_ptest() {
- # install the tests
- cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH}
-}
-
-FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
-
-RDEPENDS_${PN} += "libxml2 python libgcc"
-RDEPENDS_${PN}-ptest = "bash perl python"
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
new file mode 100644
index 000000000..ad29efdad
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
@@ -0,0 +1,9 @@
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+
+require openscap.inc
+
+SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc"
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \
+"
+
+DEFAULT_PREFERENCE = "-1"
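Review bot: `SUMARRY` on the first line of the new recipe is a misspelling of `SUMMARY`, so BitBake sets a variable nothing reads and, unless openscap.inc sets `SUMMARY` itself, the package falls back to the default summary text. The line should read `SUMMARY = "NIST Certified SCAP 1.2 toolkit"`. The same misspelling is in the other files this commit adds: openscap_git.bb, scap-security-guide.inc, scap-security-guide_0.1.44.bb and scap-security-guide_git.bb.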
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
new file mode 100644
index 000000000..963d3dec9
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
@@ -0,0 +1,12 @@
+# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes"
+
+include openscap.inc
+
+SRCREV = "4bbdb46ff651f809d5b38ca08d769790c4bfff90"
+SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \
+"
+
+PV = "1.3.1+git${SRCPV}"
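Review bot: `include openscap.inc` does not fail when the file cannot be found, whereas openscap_1.3.1.bb pulls the same file in with `require`. This recipe sets only SRCREV, SRC_URI and PV itself, so it presumably cannot build without the .inc. `require openscap.inc` would turn a missing or misplaced file into a clear parse error instead of a half-configured recipe.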
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
new file mode 100644
index 000000000..341721a06
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -0,0 +1,31 @@
+# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "SCAP content for various platforms"
+HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native"
+RDEPENDS_${PN} = "openscap"
+
+S = "${WORKDIR}/git"
+
+inherit cmake pkgconfig python3native
+
+#PARALLEL_MAKE = ""
+
+STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+
+OECMAKE_GENERATOR = "Unix Makefiles"
+
+EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF"
+
+B = "${S}/build"
+
+do_configure_prepend () {
+ sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
+ sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt
+}
+
+FILES_${PN} += "${datadir}/xml"
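Review bot: `HOME_URL` is not a variable that OE-Core reads, so the project URL never reaches the package metadata. It belongs in `HOMEPAGE`, i.e. `HOMEPAGE = "https://www.open-scap.org/security-policies/scap-security-guide/"`. The commented-out `#PARALLEL_MAKE = ""` should either be removed or get a short comment saying whether parallel builds are now known to work.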
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
deleted file mode 100644
index 27d3d869a..000000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "SCAP content for various platforms"
-HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=236e81befc8154d18c93c848185d7e52"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "openscap-native"
-
-SRCREV = "423d9f40021a03abd018bef7818a3a9fe91a083c"
-SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe;"
-
-inherit cmake
-
-PARALLEL_MAKE = ""
-
-S = "${WORKDIR}/git"
-
-STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
-
-OECMAKE_GENERATOR = "Unix Makefiles"
-
-EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_FIREFOX:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_JRE:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENSUSE:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_OSP7:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL5:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL6:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL7:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEV3:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE11:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE12:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1404:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1604:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_WRLINUX:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_WEBMIN:BOOL=OFF"
-
-do_configure_prepend () {
- sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
- sed -i 's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' ${S}/cmake/SSGCommon.cmake
-}
-
-do_compile () {
- cd ${B}
- make openembedded
-}
-
-do_install () {
- cd ${B}
- make DESTDIR=${D} install
-}
-FILES_${PN} += "${datadir}/xml"
-RDEPNEDS_${PN} = "openscap"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
new file mode 100644
index 000000000..d80ecd7ed
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
@@ -0,0 +1,8 @@
+SUMARRY = "SCAP content for various platforms, upstream version"
+
+SRCREV = "8cb2d0f351faff5440742258782281164953b0a6"
+SRC_URI = "git://github.com/ComplianceAsCode/content.git"
+
+DEFAULT_PREFERENCE = "-1"
+
+require scap-security-guide.inc
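Review bot: The `SRC_URI` has no `protocol=` parameter, so the fetch goes over the unauthenticated git:// transport and integrity rests on the pinned `SRCREV` alone. For content that becomes the compliance baseline evaluated on the target, fetching over TLS is the safer default: `SRC_URI = "git://github.com/ComplianceAsCode/content.git;protocol=https"`. The same applies to the SRC_URI lines in openscap_1.3.1.bb, openscap_git.bb and scap-security-guide_git.bb.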
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
new file mode 100644
index 000000000..d9238c03f
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
@@ -0,0 +1,9 @@
+SUMARRY = "SCAP content for various platforms, OE changes"
+
+SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed"
+SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;"
+PV = "0.1.44+git${SRCPV}"
+
+require scap-security-guide.inc
+
+EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index bf9a76ea6..cdccc553e 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "10"
-LAYERSERIES_COMPAT_tpm-layer = "thud warrior"
+LAYERSERIES_COMPAT_tpm-layer = "warrior"
LAYERDEPENDS_tpm-layer = " \
core \
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index 240a9b3ba..c6f9d9224 100644
--- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -16,9 +16,9 @@ class Tpm2Test(OERuntimeTestCase):
if expected_endlines:
self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines))
- @OEHasPackage(['tpm2.0-tss'])
+ @OEHasPackage(['tpm2-tss'])
@OEHasPackage(['tpm2-abrmd'])
- @OEHasPackage(['tpm2.0-tools'])
+ @OEHasPackage(['tpm2-tools'])
@OEHasPackage(['ibmswtpm2'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_tpm2_sim(self):
diff --git a/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb b/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
index a337076dc..dbdd309c0 100644
--- a/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
+++ b/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
@@ -1,14 +1,13 @@
-DESCRIPTION = "A small image for building meta-security packages"
+DESCRIPTION = "A small image for building a tpm image for testing"
IMAGE_FEATURES += "ssh-server-openssh"
IMAGE_INSTALL = "\
packagegroup-base \
packagegroup-core-boot \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \
+ packagegroup-security-tpm \
os-release \
- ${CORE_IMAGE_EXTRA_INSTALL}"
+"
IMAGE_LINGUAS ?= " "
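Review bot: `IMAGE_INSTALL` no longer ends with `${CORE_IMAGE_EXTRA_INSTALL}`, so packages a user adds through that variable in local.conf are silently left out of this image. If that is not intended, keep the entry as the last item, `${CORE_IMAGE_EXTRA_INSTALL} \`. The new security-tpm2-image.bb omits it in the same way. The rest of the recipe lies outside this hunk.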
diff --git a/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb
new file mode 100644
index 000000000..7e047d127
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "A small image for building a tpm2 image for testing"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-security-tpm2 \
+ os-release \
+"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-tpm2-image"
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index 5ded3a2cc..8f5c537b9 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -5,19 +5,19 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda
inherit packagegroup
-PACKAGES = "packagegroup-security-tpm2"
+PACKAGES = "${PN}"
SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
RDEPENDS_packagegroup-security-tpm2 = " \
tpm2-tools \
trousers \
+ tpm2-tss \
libtss2 \
+ libtss2-mu \
libtss2-tcti-device \
libtss2-tcti-mssim \
tpm2-abrmd \
tpm2-pkcs11 \
+ ibmswtpm2 \
cryptsetup-tpm-incubator \
"
-
-RDEPENDS_packagegroup-security-tpm2_append_x86 = " tpm2-tcti-uefi"
-RDEPENDS_packagegroup-security-tpm2_append_x86-64 = " tpm2-tcti-uefi"
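Review bot: Adding `ibmswtpm2` to `RDEPENDS_packagegroup-security-tpm2` puts the software TPM simulator into every image that installs this packagegroup, including images built for boards with a real TPM. A simulator gives none of the hardware-backed key protection the rest of the group is there to use, so it is better kept in a separate test-only packagegroup that only the test image installs. The runtime test in tpm2.py does require `ibmswtpm2`, so the test image still needs it from somewhere. `PACKAGES = "${PN}"` is also now inconsistent with the hard-coded `SUMMARY_packagegroup-security-tpm2` and `RDEPENDS_packagegroup-security-tpm2`, which could use `${PN}` too.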
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
index 9031e63e4..222bb6d0e 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
@@ -2,7 +2,7 @@ SUMMARY = "A PKCS#11 interface for TPM2 hardware"
DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
SECTION = "security/tpm"
LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=b748af41ef1300c98e105b3b7ec4ecc1"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=93645981214b60a02688745c14f93c95"
DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools"
@@ -10,7 +10,7 @@ SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \
file://bootstrap_fixup.patch \
"
-SRCREV = "3107d89b406ecd9c007884613733c9a344ef6d39"
+SRCREV = "9eed9df823a960da481327468a73d477241befdb"
S = "${WORKDIR}/git"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
new file mode 100644
index 000000000..3b54dddf7
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
@@ -0,0 +1,27 @@
+From b74837184cfdefb45e48f3fdc974fc67691fc861 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
+Date: Wed, 3 Jul 2019 19:16:35 +0300
+Subject: [PATCH] configure.ac: stop inserting host directories into compile
+ path
+
+Do not insert /usr/lib and /usr/lib64 into library search path.
+
+Upstream-Status: OE specific
+Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -81,7 +81,7 @@ AC_ARG_WITH([efi-lds],
+ AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]),
+ [],
+ [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"])
+-EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
++EXTRA_LDFLAGS="-Wl,--script=${with_efi_lds}"
+
+ # path to object file from gnu-efi
+ AC_ARG_WITH([efi-crt0],
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index 815691dfe..e822e2974 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -2,17 +2,38 @@ SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment"
SECTION = "security/tpm"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
-DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig"
+DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native"
SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
file://configure_oe_fixup.patch \
+ file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \
"
-SRCREV = "131889d12d2c7d8974711d2ebd1032cd32577b7f"
+SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d"
S = "${WORKDIR}/git"
inherit autotools pkgconfig
+EFIDIR ?= "/EFI/BOOT"
+
+do_compile_append() {
+ oe_runmake example
+}
+
+do_install_append() {
+ install -d "${D}${EFIDIR}"
+ install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}"
+}
+
+EFI_ARCH_x86 = "ia32"
+EFI_ARCH_x86-64 = "x86_64"
+
COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
-EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi --with-efi-lds=${STAGING_LIBDIR_NATIVE}/"
+EXTRA_OECONF_append = "\
+ --with-efi-includedir=${STAGING_INCDIR}/efi \
+ --with-efi-crt0=${STAGING_LIBDIR_NATIVE}/crt0-efi-${EFI_ARCH}.o \
+ --with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \
+"
RDEPENDS_${PN} = "gnu-efi"
+
+FILES_${PN} += "${EFIDIR}"
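Review bot: `do_install_append` copies every `example/*.efi` into `${EFIDIR}`, and `FILES_${PN} += "${EFIDIR}"` packages them in the main package, so any image that installs tpm2-tcti-uefi also carries the upstream example applications under /EFI/BOOT. If they are only needed for testing, a separate package keeps them out of production images: `PACKAGES =+ "${PN}-examples"` with `FILES_${PN}-examples = "${EFIDIR}"`. Separately, `--with-efi-crt0` and `--with-efi-lds` point into `${STAGING_LIBDIR_NATIVE}`; it looks as if the target gnu-efi files under `${STAGING_LIBDIR}` were meant, which is worth confirming on a build host whose architecture differs from the target.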
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb
index 1f1f5c606..b6f1be0d9 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb
@@ -6,7 +6,7 @@ SECTION = "tpm"
DEPENDS = "pkgconfig tpm2-tss openssl curl autoconf-archive"
-SRCREV = "74ba065e5914bc5d713ca3709d62a5751b097369"
+SRCREV = "a17daa948fc67685651bf3b7a589ed341080ddd3"
SRC_URI = "git://github.com/tpm2-software/tpm2-tools.git;branch=3.X"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb
new file mode 100644
index 000000000..d47b7560d
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Attest the trustworthiness of a device against a human using time-based one-time passwords"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1"
+
+SECTION = "security/tpm"
+
+DEPENDS = "autoconf-archive libtss2-dev qrencode"
+
+PE = "1"
+
+SRCREV = "2807a509a9da383e14dc0f759e71fd676db04ab1"
+SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.1.x \
+ file://litpm2_totp_build_fix.patch "
+
+inherit autotools-brokensep pkgconfig
+
+S = "${WORKDIR}/git"
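Review bot: `PE = "1"` has no comment saying why the epoch is set. The reason appears to be that the recipe version goes backwards, from tpm2-totp_0.9.9.bb (deleted in this commit) to 0.1.1, which package managers would otherwise treat as a downgrade. A one-line comment above it would stop someone from removing it later, e.g. `# version went from 0.9.9 back to upstream 0.1.1; the epoch keeps upgrades working`.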
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb
deleted file mode 100644
index bc94ab711..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL."
-DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures."
-
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1"
-
-SECTION = "security/tpm"
-
-DEPENDS = "autoconf-archive libtss2-dev qrencode"
-
-SRCREV = "44fcb6819f79302d5a088b3def648616e3551d4a"
-SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git \
- file://litpm2_totp_build_fix.patch "
-
-inherit autotools-brokensep pkgconfig
-
-S = "${WORKDIR}/git"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb
index 36530be2c..0a8d54f62 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb
@@ -8,7 +8,7 @@ SECTION = "security/tpm"
DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
-SRCREV = "bef89ec79cbb4c99963b0e336d9184827c545782"
+SRCREV = "a81d44a8610e28e5987af64f8aae16e4a2d09eaa"
SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git"
inherit autotools-brokensep pkgconfig systemd
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch
new file mode 100644
index 000000000..86b2cb6dd
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch
@@ -0,0 +1,84 @@
+From ec08ab41495ac40641475707c46e844503ada5b3 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabonas@gmx.de>
+Date: Mon, 7 Jan 2019 22:15:06 +0100
+Subject: [PATCH] build: update for ax_code_coverage.m4 version 2019.01.06
+
+@CODE_COVERAGE_RULES@ doesn't exist any more and needs to be replaced.
+Also includes a compatibility switch for older versions of the file.
+
+Signed-off-by: Jonas Witschel <diabonas@gmx.de>
+---
+ .gitignore | 1 +
+ .travis.yml | 10 +++++-----
+ Makefile.am | 6 ++++++
+ configure.ac | 3 +++
+ 4 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/.gitignore b/.gitignore
+index 7c6a7b62e6c1..aa1a7efdff71 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -26,6 +26,7 @@
+ AUTHORS
+ tags
+ aclocal.m4
++aminclude_static.am
+ autom4te.cache/
+ [Bb]uild/
+ [Dd]ebug/
+diff --git a/.travis.yml b/.travis.yml
+index 55f88e22999b..a668e2953dc2 100644
+--- a/.travis.yml
++++ b/.travis.yml
+@@ -44,11 +44,11 @@ addons:
+
+ install:
+ # Autoconf archive
+- - wget https://download.01.org/tpm2/autoconf-archive-2017.09.28.tar.xz
+- - sha256sum autoconf-archive-2017.09.28.tar.xz | grep -q 5c9fb5845b38b28982a3ef12836f76b35f46799ef4a2e46b48e2bd3c6182fa01 || travis_terminate 1
+- - tar xJf autoconf-archive-2017.09.28.tar.xz
+- - cp autoconf-archive-2017.09.28/m4/ax_code_coverage.m4 m4/
+- - cp autoconf-archive-2017.09.28/m4/ax_prog_doxygen.m4 m4/
++ - wget http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz
++ - sha256sum autoconf-archive-2019.01.06.tar.xz | grep -q 17195c833098da79de5778ee90948f4c5d90ed1a0cf8391b4ab348e2ec511e3f || travis_terminate 1
++ - tar xJf autoconf-archive-2019.01.06.tar.xz
++ - cp autoconf-archive-2019.01.06/m4/ax_code_coverage.m4 m4/
++ - cp autoconf-archive-2019.01.06/m4/ax_prog_doxygen.m4 m4/
+ # IBM-TPM
+ - wget https://download.01.org/tpm2/ibmtpm974.tar.gz
+ # OpenSSL 1.0.2
+diff --git a/Makefile.am b/Makefile.am
+index 1b792d89a392..8e62e9c77c7d 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -19,7 +19,13 @@ noinst_PROGRAMS =
+
+ ### Add ax_* rules ###
+ # ax_code_coverage
++if AUTOCONF_CODE_COVERAGE_2019_01_06
++include $(top_srcdir)/aminclude_static.am
++clean-local: code-coverage-clean
++dist-clean-local: code-coverage-dist-clean
++else
+ @CODE_COVERAGE_RULES@
++endif
+
+ # ax_doxygen
+ @DX_RULES@
+diff --git a/configure.ac b/configure.ac
+index 6c7b0fd96399..22b79c50c015 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -312,6 +312,9 @@ AS_IF([test "x$enable_doxygen_doc" != xno],
+ [ERROR_IF_NO_PROG([doxygen])])
+
+ AX_CODE_COVERAGE
++m4_ifdef([_AX_CODE_COVERAGE_RULES],
++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])],
++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])])
+
+ AC_OUTPUT
+
+--
+2.20.1
+
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb
index 78bdeebe0..ffbd3f4e4 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb
@@ -6,9 +6,10 @@ SECTION = "tpm"
DEPENDS = "autoconf-archive-native libgcrypt openssl"
-SRCREV = "eb69e13559f20a0b49002a685c6f4a39be9503e2"
+SRCREV = "36b1539c82bf675265d6f6a6cd808a189b6971f4"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x \
+ file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch"
inherit autotools-brokensep pkgconfig systemd
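Review bot: The patch added to `SRC_URI` here, 0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch, has no `Upstream-Status:` line in its header, unlike the tpm2-tcti-uefi patch added in the same commit. It reads like an upstream commit, so `Upstream-Status: Backport` with the upstream commit reference (not shown on this page) would tell maintainers it can be dropped at the next version bump. The patch also carries `.gitignore` and `.travis.yml` hunks that the build does not use and that can make it fail to apply after a later SRCREV change. Trimming it to the Makefile.am and configure.ac hunks would avoid that.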
diff --git a/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch b/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch
deleted file mode 100644
index 7f80a5c61..000000000
--- a/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Fri, 15 Jan 2016 00:48:58 -0500
-Subject: [PATCH] Enable obfuscating binaries natively.
-
-Enable obfuscating binaries natively.
-
-The samhain build process involves an obfuscation step that attempts to
-defeat decompilation or other binary analysis techniques which might reveal
-secret information that should be known only to the system administrator.
-The obfuscation step builds several applications which run on the build host
-and then generate target code, which is then built into target binaries.
-
-This patch creates a basic infrastructure that supports building the
-obfuscation binaries natively then cross-compiling the target code by adding
-a special configure option. In the absence of this option the old behaviour
-is preserved.
-
-Upstream-Status: Inappropriate [cross compile specific]
-
-Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Makefile.in | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index 684e92b..fb090e2 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -54,7 +54,7 @@ selectconfig = @selectconfig@
- top_builddir = .
-
- INSTALL = @INSTALL@
--INSTALL_PROGRAM = @INSTALL@ -s -m 700
-+INSTALL_PROGRAM = @INSTALL@ -m 700
- INSTALL_SHELL = @INSTALL@ -m 700
- INSTALL_DATA = @INSTALL@ -m 600
- INSTALL_MAN = @INSTALL@ -m 644
-@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip
- echo " $(INSTALL_PROGRAM) $$p $$target"; \
- $(INSTALL_PROGRAM) $$p $$target; \
- chmod 0700 $$target; \
-- echo " ./sstrip $$target"; \
-- ./sstrip $$target; \
- else \
- echo " $(INSTALL_SHELL) $$p $$target"; \
- $(INSTALL_SHELL) $$p $$target; \
---
-1.9.1
-
diff --git a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-client.bb
index 0f53a8cde..0f53a8cde 100644
--- a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb
+++ b/meta-security/recipes-ids/samhain/samhain-client.bb
diff --git a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-server.bb
index d304912e7..d304912e7 100644
--- a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb
+++ b/meta-security/recipes-ids/samhain/samhain-server.bb
diff --git a/meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-standalone.bb
index 4fed9e9e9..4fed9e9e9 100644
--- a/meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb
+++ b/meta-security/recipes-ids/samhain/samhain-standalone.bb
diff --git a/meta-security/recipes-ids/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc
index 1b9af39ce..16222ba10 100644
--- a/meta-security/recipes-ids/samhain/samhain.inc
+++ b/meta-security/recipes-ids/samhain/samhain.inc
@@ -3,9 +3,9 @@ HOMEPAGE = "http://www.la-samhna.de/samhain/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
+PV = "4.3.3"
SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
- file://samhain-cross-compile.patch \
file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \
file://samhain-samhainrc.patch \
file://samhain-samhainrc-fix-files-dirs-path.patch \
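Review bot: `file://samhain-cross-compile.patch` is dropped from `SRC_URI` with no replacement visible in this hunk. The deleted patch removed `-s` from `INSTALL_PROGRAM` and the `./sstrip $$target` step in Makefile.in. If samhain 4.3.3 still has both, the install step would again strip the target binaries with build-host tools. It is worth confirming that 4.3.3 or one of the remaining patches covers this, and recording the reason in the commit message.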
@@ -19,8 +19,8 @@ SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://samhain.service \
"
-SRC_URI[md5sum] = "eae4674164d7c78f5bb39c72b7029c8b"
-SRC_URI[sha256sum] = "0582864ef56ab796031e8e611ed66c48adeb3a30ec34e1a8d0088572442035fc"
+SRC_URI[md5sum] = "7be46ae7d03f53ba21afafd41cff8926"
+SRC_URI[sha256sum] = "33ad4bc3dad4699694553bd9635a6b5827939f965d1f0f05fce0b4e9cdadf21b"
UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
diff --git a/meta-security/recipes-kernel/linux/linux-stable_5.2.bbappend b/meta-security/recipes-kernel/linux/linux-stable_5.2.bbappend
new file mode 100644
index 000000000..76b5df55b
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-stable_5.2.bbappend
@@ -0,0 +1,4 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}"
+
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
deleted file mode 100644
index ae6cdcdf0..000000000
--- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
+++ /dev/null
@@ -1,9 +0,0 @@
-CONFIG_AUDIT=y
-CONFIG_SECURITY_PATH=y
-CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_HASH=y
-CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
-CONFIG_INTEGRITY_AUDIT=y
-CONFIG_DEFAULT_SECURITY_APPARMOR=y
-CONFIG_DEFAULT_SECURITY="apparmor"
-CONFIG_AUDIT_GENERIC=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg
deleted file mode 100644
index fc3574015..000000000
--- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg
deleted file mode 100644
index b5c48454e..000000000
--- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg
+++ /dev/null
@@ -1,2 +0,0 @@
-CONFIG_DEFAULT_SECURITY="smack"
-CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
deleted file mode 100644
index 0d5fc645c..000000000
--- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
+++ /dev/null
@@ -1,7 +0,0 @@
-CONFIG_NETLABEL=y
-CONFIG_SECURITY_NETWORK=y
-# CONFIG_SECURITY_NETWORK_XFRM is not set
-CONFIG_SECURITY_SMACK=y
-CONFIG_SECURITY_SMACK_BRINGUP=y
-CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
-CONFIG_TMPFS_XATTR=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend
new file mode 100644
index 000000000..239e30e70
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -0,0 +1,2 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
++KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
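Review bot: The second line of this new file begins with a literal `+` once the diff marker is stripped (`+KERNEL_FEATURES_append = ...`), which looks like a leftover from a pasted patch. BitBake will not treat that as an assignment to `KERNEL_FEATURES`; the file most likely fails to parse, and either way the smack feature is never appended for linux-yocto-dev. A build with `smack` in DISTRO_FEATURES would then not get the intended LSM configuration. The line should read `KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"`, as in linux-yocto_4.%.bbappend.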
diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
deleted file mode 100644
index b5f9bb2a6..000000000
--- a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
+++ /dev/null
@@ -1,15 +0,0 @@
-CONFIG_AUDIT=y
-# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
-CONFIG_SECURITY_NETWORK=y
-# CONFIG_SECURITY_NETWORK_XFRM is not set
-CONFIG_SECURITY_PATH=y
-# CONFIG_SECURITY_SELINUX is not set
-CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_HASH=y
-CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
-# CONFIG_SECURITY_APPARMOR_DEBUG is not set
-CONFIG_INTEGRITY_AUDIT=y
-CONFIG_DEFAULT_SECURITY_APPARMOR=y
-# CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_DEFAULT_SECURITY="apparmor"
-CONFIG_AUDIT_GENERIC=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
deleted file mode 100644
index fc3574015..000000000
--- a/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg b/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg
deleted file mode 100644
index b5c48454e..000000000
--- a/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg
+++ /dev/null
@@ -1,2 +0,0 @@
-CONFIG_DEFAULT_SECURITY="smack"
-CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg
deleted file mode 100644
index 62f465a45..000000000
--- a/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg
+++ /dev/null
@@ -1,8 +0,0 @@
-CONFIG_IP_NF_SECURITY=m
-CONFIG_IP6_NF_SECURITY=m
-CONFIG_EXT2_FS_SECURITY=y
-CONFIG_EXT3_FS_SECURITY=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_SECURITY=y
-CONFIG_SECURITY_SMACK=y
-CONFIG_TMPFS_XATTR=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
index 321392c0b..39d4e6f50 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -1,11 +1,2 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
-"
-
-SRC_URI += "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
-"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
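Review bot: Nothing in this bbappend records where the AppArmor and Smack kernel options now come from, or whether the result matches the fragments it replaces. The deleted local fragments set `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1`, `CONFIG_DEFAULT_SECURITY="apparmor"` and `CONFIG_DEFAULT_SECURITY="smack"`. Whether `features/apparmor/apparmor.scc` and `features/smack/smack.scc` select the same defaults cannot be seen in this diff, and a mismatch would leave the LSM compiled in but not the active one at boot. I would add a comment such as `# LSM options come from the kernel metadata features below; verify CONFIG_DEFAULT_SECURITY in the final .config` and check the generated configuration. The same applies to linux-yocto-dev.bbappend. Since linux-yocto_5.0.%.bbappend is deleted and `linux-yocto_4.%` does not match a 5.x recipe, 5.0 kernels lose these options unless an append outside this view covers them.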
diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend
deleted file mode 100644
index f810e2112..000000000
--- a/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend
+++ /dev/null
@@ -1,11 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-5.0:"
-
-SRC_URI += "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
-"
-
-SRC_URI += "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
-"
diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
index 7d8767e2f..7f0433777 100644
--- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb
+++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
@@ -66,14 +66,12 @@ EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}"
EXTRA_OECONF_class-target += "--with-user=${UID} --with-group=${GID} --disable-rpath ${EXTRA_OECONF_CLAMAV}"
do_configure () {
- cd ${S}
- ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+ ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
install -d ${S}/clamav_db
}
do_configure_class-native () {
- cd ${S}
- ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+ ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
}
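Review bot: With `cd ${S}` removed, `${S}/configure` runs in whatever directory the task starts in, while `install -d ${S}/clamav_db` still writes into the source tree. The recipe's inherit line and any `B` setting are outside this hunk, so whether the build and source directories still coincide cannot be confirmed here. If they differ, the generated Makefiles end up outside `${S}` and later tasks that expect them there would break. A short comment on `do_configure` stating the intended working directory, e.g. `# configure is called by path and runs in the task's build directory, not ${S}`, would make the assumption explicit.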
diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-security/images/security-test-image.bb
new file mode 100644
index 000000000..c71d7267d
--- /dev/null
+++ b/meta-security/recipes-security/images/security-test-image.bb
@@ -0,0 +1,33 @@
+DESCRIPTION = "A small image for testing meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
+
+INSTALL_CLAMAV_CVD = "1"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-core-security-ptest \
+ clamav \
+ tripwire \
+ checksec \
+ suricata \
+ samhain-standalone \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+ os-release \
+ "
+
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-test-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
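Review bot: `TEST_SUITES` names `apparmor`, `smack` and `sssd` unconditionally, but `IMAGE_INSTALL` adds the matching packages only when the corresponding DISTRO_FEATURES (`apparmor`, `smack`, `pam`) are set. Unless the runtime cases skip on a missing package, which is not visible here, those suites fail on a distro without the feature and bury the results that matter. Appending them under the same condition keeps the two lists in step, e.g. `TEST_SUITES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "", d)}"`, and likewise for `smack` and for `sssd` under `pam`. Separately, if `INSTALL_CLAMAV_CVD = "1"` is meant to be read by the clamav recipe, setting it in the image recipe will not reach it, because a variable assigned in one recipe is not visible to another.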
diff --git a/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch b/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch
deleted file mode 100644
index 938fe2eb5..000000000
--- a/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From b0355cc205543ffd33752874295139d57c4fbc3e Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Tue, 26 Sep 2017 07:59:51 +0000
-Subject: [PATCH] Subject: [PATCH] keyutils: use relative path for link
-
-The absolute path of the symlink will be invalid
-when populated in sysroot, so use relative path instead.
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-{rebased for 1.6]
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: keyutils-1.6/Makefile
-===================================================================
---- keyutils-1.6.orig/Makefile
-+++ keyutils-1.6/Makefile
-@@ -184,7 +184,7 @@ ifeq ($(NO_SOLIB),0)
- $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
- $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
- mkdir -p $(DESTDIR)$(USRLIBDIR)
-- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
-+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
- sed \
- -e 's,@VERSION\@,$(VERSION),g' \
- -e 's,@prefix\@,$(PREFIX),g' \
diff --git a/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch b/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch
deleted file mode 100644
index acd91c01c..000000000
--- a/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-fix keyutils test error report
-
-Upstream-Status: Pending
-
-"Permission denied" may be the reason of EKEYEXPIRED and EKEYREVOKED.
-"Required key not available" may be the reason of EKEYREVOKED.
-EXPIRED and REVOKED are 2 status of kernel security keys features.
-But the userspace keyutils lib will output the error message, which may
-have several reasons.
-
-Signed-off-by: Han Chao <chan@windriver.com>
-
-diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
-index bbca00a..739e9d0 100644
---- a/tests/toolbox.inc.sh
-+++ b/tests/toolbox.inc.sh
-@@ -227,11 +227,12 @@ function expect_error ()
- ;;
- EKEYEXPIRED)
- my_err="Key has expired"
-- alt_err="Unknown error 127"
-+ alt_err="Permission denied"
- ;;
- EKEYREVOKED)
- my_err="Key has been revoked"
-- alt_err="Unknown error 128"
-+ alt_err="Permission denied"
-+ alt2_err="Required key not available"
- ;;
- EKEYREJECTED)
- my_err="Key has been rejected"
-@@ -249,6 +250,9 @@ function expect_error ()
- elif [ "x$alt_err" != "x" ] && expr "$my_errmsg" : ".*: $alt_err" >&/dev/null
- then
- :
-+ elif [ "x$alt2_err" != "x" ] && expr "$my_errmsg" : ".*: $alt2_err" >&/dev/null
-+ then
-+ :
- elif [ "x$old_err" != "x" ] && expr "$my_errmsg" : ".*: $old_err" >&/dev/null
- then
- :
-
diff --git a/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch b/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch
deleted file mode 100644
index a4ffd50ce..000000000
--- a/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 49b6321368e4bd3cd233d045cd09004ddd7968b2 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Mon, 15 May 2017 14:52:00 +0800
-Subject: [PATCH] keyutils: fix output format
-
-keyutils ptest output format is incorrect, according to yocto
-Development Manual
-(http://www.yoctoproject.org/docs/latest/dev-manual/dev-manual.html#testing-packages-with-ptest)
-5.10.6. Testing Packages With ptestThe test generates output in the format used by Automake:
-<result>: <testname>
-where the result can be PASS, FAIL, or SKIP, and the testname can be any
-identifying string.
-So we should change the test result format to match yocto ptest rules.
-
-Upstream-Status: Inappropriate [OE ptest specific]
-
-Signed-off-by: Li Wang <li.wang@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- tests/runtest.sh | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/tests/runtest.sh b/tests/runtest.sh
-index b6eaa7c..84263fb 100644
---- a/tests/runtest.sh
-+++ b/tests/runtest.sh
-@@ -21,6 +21,11 @@ for i in ${TESTS}; do
- echo "### RUNNING TEST $i"
- if [[ $AUTOMATED != 0 ]] ; then
- bash ./runtest.sh
-+ if [ $? != 0 ]; then
-+ echo "FAIL: $i"
-+ else
-+ echo "PASS: $i"
-+ fi
- else
- bash ./runtest.sh || exit 1
- fi
---
-2.11.0
-
diff --git a/meta-security/recipes-security/keyutils/files/run-ptest b/meta-security/recipes-security/keyutils/files/run-ptest
deleted file mode 100755
index 305707f65..000000000
--- a/meta-security/recipes-security/keyutils/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-export AUTOMATED=1
-make -C tests run
diff --git a/meta-security/recipes-security/keyutils/keyutils_1.6.bb b/meta-security/recipes-security/keyutils/keyutils_1.6.bb
deleted file mode 100644
index 4d3a96f29..000000000
--- a/meta-security/recipes-security/keyutils/keyutils_1.6.bb
+++ /dev/null
@@ -1,53 +0,0 @@
-SUMMARY = "Linux Key Management Utilities"
-DESCRIPTION = "\
- Utilities to control the kernel key management facility and to provide \
- a mechanism by which the kernel call back to userspace to get a key \
- instantiated. \
- "
-HOMEPAGE = "http://people.redhat.com/dhowells/keyutils"
-SECTION = "base"
-
-LICENSE = "LGPLv2.1+ & GPLv2.0+"
-
-LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \
- file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f"
-
-inherit siteinfo autotools-brokensep ptest
-
-SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \
- file://keyutils-test-fix-output-format.patch \
- file://keyutils-fix-error-report-by-adding-default-message.patch \
- file://run-ptest \
- file://fix_library_install_path.patch \
- "
-
-SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808"
-SRC_URI[sha256sum] = "d3aef20cec0005c0fa6b4be40079885567473185b1a57b629b030e67942c7115"
-
-EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
- NO_ARLIB=1 \
- BINDIR=${base_bindir} \
- SBINDIR=${base_sbindir} \
- LIBDIR=${libdir} \
- USRLIBDIR=${libdir} \
- INCLUDEDIR=${includedir} \
- BUILDFOR=${SITEINFO_BITS}-bit \
- NO_GLIBC_KEYERR=1 \
- "
-
-do_install () {
- install -d ${D}/${libdir}/pkgconfig
- oe_runmake DESTDIR=${D} install
-}
-
-do_install_ptest () {
- cp -r ${S}/tests ${D}${PTEST_PATH}/
- sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh
-}
-
-
-RDEPENDS_${PN}-ptest += "lsb"
-RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils"
-RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/recipes-security/libmspack/libmspack_0.10.1.bb b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
index b46159f20..8c288beeb 100644
--- a/meta-security/recipes-security/libmspack/libmspack_0.10.1.bb
+++ b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
@@ -6,11 +6,11 @@ DEPENDS = ""
LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
-SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.xz"
-
-SRC_URI[md5sum] = "d894d91eba4d2c6f76695fc9566d5387"
-SRC_URI[sha256sum] = "850c57442b850bf1bc0fc4ea8880903ebf2bed063c3c80782ee4626fbcb0e67d"
+SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc"
+SRC_URI = "git://github.com/kyz/libmspack.git"
inherit autotools
-S = "${WORKDIR}/${BP}alpha"
+S = "${WORKDIR}/git/${BPN}"
+
+inherit autotools
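Review bot: `inherit autotools` now appears twice, once as the context line above `S` and again as the added last line; the added one can be dropped. The fetch moves from a checksummed tarball to a git clone pinned by `SRCREV`, which keeps the content fixed, but the URI names no transport. I would write `SRC_URI = "git://github.com/kyz/libmspack.git;protocol=https"` so the fetch does not rely on the unauthenticated git protocol. The file name also goes from 0.10.1 to 1.9.1, which reads like a transposed version and would make `PV` misreport the packaged release in manifests and CVE matching; worth confirming against the version at that `SRCREV`.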
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
new file mode 100644
index 000000000..493488918
--- /dev/null
+++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
@@ -0,0 +1,25 @@
+DESCRIPTION = "Security ptest packagegroup"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+PACKAGES = "\
+ ${PN} \
+ "
+
+ALLOW_EMPTY_${PN} = "1"
+
+SUMMARY_${PN} = "Security packages with ptests"
+RDEPENDS_${PN} = " \
+ ptest-runner \
+ samhain-standalone-ptest \
+ xmlsec1-ptest \
+ keyutils-ptest \
+ libseccomp-ptest \
+ python-scapy-ptest \
+ suricata-ptest \
+ tripwire-ptest \
+ python-fail2ban-ptest \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+ "
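Review bot: This recipe has no check that `ptest` is in DISTRO_FEATURES. The group it replaces in packagegroup-core-security.bb was only pulled in under `bb.utils.contains("DISTRO_FEATURES", "ptest", ...)`, and security-test-image.bb installs the new one unconditionally. On a distro without `ptest`, the `-ptest` packages in `RDEPENDS_${PN}` are presumably not produced, so the image would fail at rootfs time without a clear message. Adding `inherit distro_features_check` and `REQUIRED_DISTRO_FEATURES = "ptest"` would state the requirement up front. `keyutils-ptest` also stays in the list although this commit deletes the layer's keyutils recipe, so it now depends on another layer providing it.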
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
index b8ab27df1..9165eef9f 100644
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -12,7 +12,6 @@ PACKAGES = "\
packagegroup-security-ids \
packagegroup-security-mac \
${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \
"
RDEPENDS_packagegroup-core-security = "\
@@ -21,7 +20,6 @@ RDEPENDS_packagegroup-core-security = "\
packagegroup-security-ids \
packagegroup-security-mac \
${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \
"
SUMMARY_packagegroup-security-utils = "Security utilities"
@@ -34,6 +32,7 @@ RDEPENDS_packagegroup-security-utils = "\
xmlsec1 \
keyutils \
libseccomp \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
"
@@ -42,6 +41,8 @@ RDEPENDS_packagegroup-security-scanners = "\
nikto \
checksecurity \
clamav \
+ clamav-freshclam \
+ clamav-cvd \
"
SUMMARY_packagegroup-security-audit = "Security Audit tools "
@@ -68,18 +69,3 @@ RDEPENDS_packagegroup-security-mac = " \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"
-
-SUMMARY_packagegroup-security-ptest = "Security packages with ptests"
-RDEPENDS_packagegroup-security-ptest = " \
- samhain-standalone-ptest \
- xmlsec1-ptest \
- keyutils-ptest \
- libseccomp-ptest \
- python-scapy-ptest \
- suricata-ptest \
- tripwire-ptest \
- python-fail2ban-ptest \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
- ptest-runner \
- "
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.28.bb
index eac8d6bd4..0a4c56aa0 100644
--- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb
+++ b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.28.bb
@@ -20,8 +20,8 @@ SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \
file://run-ptest \
"
-SRC_URI[md5sum] = "508bee7e4f1b99f2d50aaa7d38ede56e"
-SRC_URI[sha256sum] = "97d756bad8e92588e6997d2227797eaa900d05e34a426829b149f65d87118eb6"
+SRC_URI[md5sum] = "69b8d95c009a404462e19f335e650241"
+SRC_URI[sha256sum] = "13eec4811ea30e3f0e16a734d1dbf7f9d246a71d540b48d143a07b489f6222d4"
inherit autotools-brokensep ptest pkgconfig
diff --git a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch
deleted file mode 100644
index 8ab094fa7..000000000
--- a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/wscript 2015-11-18 12:43:33.000000000 +0100
-+++ b/wscript 2015-11-18 12:46:25.000000000 +0100
-@@ -58,9 +58,7 @@
- if conf.env.standalone_ldb:
- conf.CHECK_XSLTPROC_MANPAGES()
-
-- # we need this for the ldap backend
-- if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
-- conf.env.ENABLE_LDAP_BACKEND = True
-+ conf.env.ENABLE_LDAP_BACKEND = False
-
- # we don't want any libraries or modules to rely on runtime
- # resolution of symbols
diff --git a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch
deleted file mode 100755
index fdd312c0a..000000000
--- a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-Some modules such as dynamic library maybe cann't be imported while cross compile,
-we just check whether does the module exist.
-
-Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
-
-Index: ldb-1.1.26/buildtools/wafsamba/samba_bundled.py
-===================================================================
---- ldb-1.1.26.orig/buildtools/wafsamba/samba_bundled.py
-+++ ldb-1.1.26/buildtools/wafsamba/samba_bundled.py
-@@ -2,6 +2,7 @@
-
- import sys
- import Build, Options, Logs
-+import imp, os
- from Configure import conf
- from samba_utils import TO_LIST
-
-@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
- # versions
- minversion = minimum_library_version(conf, libname, minversion)
-
-- try:
-- m = __import__(modulename)
-- except ImportError:
-- found = False
-- else:
-+ # Find module in PYTHONPATH
-+ stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]])
-+ if stuff:
- try:
-- version = m.__version__
-- except AttributeError:
-+ m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2])
-+ except ImportError:
- found = False
-+
-+ if conf.env.CROSS_COMPILE:
-+ # Some modules such as dynamic library maybe cann't be imported
-+ # while cross compile, we just check whether the module exist
-+ Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1]))
-+ found = True
- else:
-- found = tuplize_version(version) >= tuplize_version(minversion)
-+ try:
-+ version = m.__version__
-+ except AttributeError:
-+ found = False
-+ else:
-+ found = tuplize_version(version) >= tuplize_version(minversion)
-+ finally:
-+ if stuff[0]:
-+ stuff[0].close()
-+ else:
-+ found = False
-+
- if not found and not conf.LIB_MAY_BE_BUNDLED(libname):
- Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion))
- sys.exit(1)
diff --git a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch
deleted file mode 100644
index ffe253b63..000000000
--- a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-From a4da3ab4d76013aaa731d43d52ccca1ebd37c395 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Wed, 21 Sep 2016 10:06:39 +0800
-Subject: [PATCH 1/1] ldb: Add configure options for packages
-
-Add configure options for the following packages:
- - acl
- - attr
- - libaio
- - libbsd
- - libcap
- - valgrind
-
-Upstream-Status: Inappropriate [oe deterministic build specific]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- lib/replace/system/wscript_configure | 6 ++-
- lib/replace/wscript | 94 +++++++++++++++++++++++++++---------
- wscript | 7 +++
- 3 files changed, 83 insertions(+), 24 deletions(-)
-
-diff --git a/lib/replace/system/wscript_configure b/lib/replace/system/wscript_configure
-index 2035474..10f9ae7 100644
---- a/lib/replace/system/wscript_configure
-+++ b/lib/replace/system/wscript_configure
-@@ -1,6 +1,10 @@
- #!/usr/bin/env python
-
--conf.CHECK_HEADERS('sys/capability.h')
-+import Options
-+
-+if Options.options.enable_libcap:
-+ conf.CHECK_HEADERS('sys/capability.h')
-+
- conf.CHECK_FUNCS('getpwnam_r getpwuid_r getpwent_r')
-
- # solaris varients of getXXent_r
-diff --git a/lib/replace/wscript b/lib/replace/wscript
-index 2f94d49..68b2d3a 100644
---- a/lib/replace/wscript
-+++ b/lib/replace/wscript
-@@ -23,6 +23,41 @@ def set_options(opt):
- opt.PRIVATE_EXTENSION_DEFAULT('')
- opt.RECURSE('buildtools/wafsamba')
-
-+ opt.add_option('--with-acl',
-+ help=("Enable use of acl"),
-+ action="store_true", dest='enable_acl')
-+ opt.add_option('--without-acl',
-+ help=("Disable use of acl"),
-+ action="store_false", dest='enable_acl', default=False)
-+
-+ opt.add_option('--with-attr',
-+ help=("Enable use of attr"),
-+ action="store_true", dest='enable_attr')
-+ opt.add_option('--without-attr',
-+ help=("Disable use of attr"),
-+ action="store_false", dest='enable_attr', default=False)
-+
-+ opt.add_option('--with-libaio',
-+ help=("Enable use of libaio"),
-+ action="store_true", dest='enable_libaio')
-+ opt.add_option('--without-libaio',
-+ help=("Disable use of libaio"),
-+ action="store_false", dest='enable_libaio', default=False)
-+
-+ opt.add_option('--with-libbsd',
-+ help=("Enable use of libbsd"),
-+ action="store_true", dest='enable_libbsd')
-+ opt.add_option('--without-libbsd',
-+ help=("Disable use of libbsd"),
-+ action="store_false", dest='enable_libbsd', default=False)
-+
-+ opt.add_option('--with-libcap',
-+ help=("Enable use of libcap"),
-+ action="store_true", dest='enable_libcap')
-+ opt.add_option('--without-libcap',
-+ help=("Disable use of libcap"),
-+ action="store_false", dest='enable_libcap', default=False)
-+
- @Utils.run_once
- def configure(conf):
- conf.RECURSE('buildtools/wafsamba')
-@@ -32,12 +67,25 @@ def configure(conf):
- conf.DEFINE('HAVE_LIBREPLACE', 1)
- conf.DEFINE('LIBREPLACE_NETWORK_CHECKS', 1)
-
-- conf.CHECK_HEADERS('linux/types.h crypt.h locale.h acl/libacl.h compat.h')
-- conf.CHECK_HEADERS('acl/libacl.h attr/xattr.h compat.h ctype.h dustat.h')
-+ conf.CHECK_HEADERS('linux/types.h crypt.h locale.h compat.h')
-+ conf.CHECK_HEADERS('compat.h ctype.h dustat.h')
- conf.CHECK_HEADERS('fcntl.h fnmatch.h glob.h history.h krb5.h langinfo.h')
-- conf.CHECK_HEADERS('libaio.h locale.h ndir.h pwd.h')
-- conf.CHECK_HEADERS('shadow.h sys/acl.h')
-- conf.CHECK_HEADERS('sys/attributes.h attr/attributes.h sys/capability.h sys/dir.h sys/epoll.h')
-+ conf.CHECK_HEADERS('locale.h ndir.h pwd.h')
-+ conf.CHECK_HEADERS('shadow.h')
-+ conf.CHECK_HEADERS('sys/attributes.h sys/dir.h sys/epoll.h')
-+
-+ if Options.options.enable_acl:
-+ conf.CHECK_HEADERS('acl/libacl.h sys/acl.h')
-+
-+ if Options.options.enable_attr:
-+ conf.CHECK_HEADERS('attr/attributes.h attr/xattr.h')
-+
-+ if Options.options.enable_libaio:
-+ conf.CHECK_HEADERS('libaio.h')
-+
-+ if Options.options.enable_libcap:
-+ conf.CHECK_HEADERS('sys/capability.h')
-+
- conf.CHECK_HEADERS('port.h')
- conf.CHECK_HEADERS('sys/fcntl.h sys/filio.h sys/filsys.h sys/fs/s5param.h sys/fs/vx/quota.h')
- conf.CHECK_HEADERS('sys/id.h sys/ioctl.h sys/ipc.h sys/mman.h sys/mode.h sys/ndir.h sys/priv.h')
-@@ -73,7 +121,9 @@ def configure(conf):
-
- conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H')
-
-- conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h')
-+ if Options.options.enable_valgrind:
-+ conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h')
-+
- conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h')
- conf.CHECK_HEADERS('sys/extattr.h sys/ea.h sys/proplist.h sys/cdefs.h')
- conf.CHECK_HEADERS('utmp.h utmpx.h lastlog.h')
-@@ -266,22 +316,20 @@ def configure(conf):
-
- conf.CHECK_FUNCS('prctl dirname basename')
-
-- strlcpy_in_bsd = False
--
-- # libbsd on some platforms provides strlcpy and strlcat
-- if not conf.CHECK_FUNCS('strlcpy strlcat'):
-- if conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h',
-- checklibc=True):
-- strlcpy_in_bsd = True
-- if not conf.CHECK_FUNCS('getpeereid'):
-- conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h')
-- if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'):
-- conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h')
-- if not conf.CHECK_FUNCS('setproctitle_init'):
-- conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h')
--
-- if not conf.CHECK_FUNCS('closefrom'):
-- conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')
-+ if Options.options.enable_libbsd:
-+ # libbsd on some platforms provides strlcpy and strlcat
-+ if not conf.CHECK_FUNCS('strlcpy strlcat'):
-+ conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h',
-+ checklibc=True)
-+ if not conf.CHECK_FUNCS('getpeereid'):
-+ conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h')
-+ if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'):
-+ conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h')
-+ if not conf.CHECK_FUNCS('setproctitle_init'):
-+ conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h')
-+
-+ if not conf.CHECK_FUNCS('closefrom'):
-+ conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')
-
- conf.CHECK_CODE('''
- struct ucred cred;
-@@ -632,7 +680,7 @@ removeea setea
- # look for a method of finding the list of network interfaces
- for method in ['HAVE_IFACE_GETIFADDRS', 'HAVE_IFACE_AIX', 'HAVE_IFACE_IFCONF', 'HAVE_IFACE_IFREQ']:
- bsd_for_strlcpy = ''
-- if strlcpy_in_bsd:
-+ if Options.options.enable_libbsd:
- bsd_for_strlcpy = ' bsd'
- if conf.CHECK_CODE('''
- #define %s 1
-diff --git a/wscript b/wscript
-index 8ae5be3..a178cc4 100644
---- a/wscript
-+++ b/wscript
-@@ -31,6 +31,13 @@ def set_options(opt):
- opt.RECURSE('lib/replace')
- opt.tool_options('python') # options for disabling pyc or pyo compilation
-
-+ opt.add_option('--with-valgrind',
-+ help=("enable use of valgrind"),
-+ action="store_true", dest='enable_valgrind')
-+ opt.add_option('--without-valgrind',
-+ help=("disable use of valgrind"),
-+ action="store_false", dest='enable_valgrind', default=False)
-+
- def configure(conf):
- conf.RECURSE('lib/tdb')
- conf.RECURSE('lib/tevent')
---
-2.16.2
-
diff --git a/meta-security/recipes-support/libldb/libldb_1.3.1.bb b/meta-security/recipes-support/libldb/libldb_1.3.1.bb
deleted file mode 100644
index c644b20b0..000000000
--- a/meta-security/recipes-support/libldb/libldb_1.3.1.bb
+++ /dev/null
@@ -1,64 +0,0 @@
-SUMMARY = "Hierarchical, reference counted memory pool system with destructors"
-HOMEPAGE = "http://ldb.samba.org"
-SECTION = "libs"
-LICENSE = "LGPL-3.0+ & LGPL-2.1+ & GPL-3.0+"
-
-DEPENDS += "libtdb libtalloc libtevent popt"
-RDEPENDS_pyldb += "python"
-
-SRC_URI = "http://samba.org/ftp/ldb/ldb-${PV}.tar.gz \
- file://do-not-import-target-module-while-cross-compile.patch \
- file://options-1.3.1.patch \
- "
-
-PACKAGECONFIG ??= "\
- ${@bb.utils.filter('DISTRO_FEATURES', 'acl', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} \
-"
-PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl"
-PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"
-PACKAGECONFIG[ldap] = ",,openldap"
-PACKAGECONFIG[libaio] = "--with-libaio,--without-libaio,libaio"
-PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd"
-PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap"
-PACKAGECONFIG[valgrind] = "--with-valgrind,--without-valgrind,valgrind"
-
-SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'ldap', '', 'file://avoid-openldap-unless-wanted.patch', d)}"
-
-LIC_FILES_CHKSUM = "file://pyldb.h;endline=24;md5=dfbd238cecad76957f7f860fbe9adade \
- file://man/ldb.3.xml;beginline=261;endline=262;md5=137f9fd61040c1505d1aa1019663fd08 \
- file://tools/ldbdump.c;endline=19;md5=a7d4fc5d1f75676b49df491575a86a42"
-
-SRC_URI[md5sum] = "e5233f202bca27f6ce8474fb8ae65983"
-SRC_URI[sha256sum] = "b19f2c9f55ae0f46aa5ebaea0bf1a47ec1ac135e1d78af0f6318cf50bf62cbd2"
-
-CROSS_METHOD="exec"
-inherit waf-samba
-
-S = "${WORKDIR}/ldb-${PV}"
-
-EXTRA_OECONF += "--disable-rpath \
- --disable-rpath-install \
- --bundled-libraries=cmocka \
- --builtin-libraries=replace \
- --with-modulesdir=${libdir}/ldb/modules \
- --with-privatelibdir=${libdir}/ldb \
- --with-libiconv=${STAGING_DIR_HOST}${prefix}\
- "
-
-PACKAGES =+ "pyldb pyldb-dbg pyldb-dev"
-
-NOAUTOPACKAGEDEBUG = "1"
-
-FILES_${PN} += "${libdir}/ldb/*"
-FILES_${PN}-dbg += "${bindir}/.debug/* \
- ${libdir}/.debug/* \
- ${libdir}/ldb/.debug/* \
- ${libdir}/ldb/modules/ldb/.debug/*"
-
-FILES_pyldb = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
- ${libdir}/libpyldb-util.so.* \
- "
-FILES_pyldb-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug \
- ${libdir}/.debug/libpyldb-util.so.*"
-FILES_pyldb-dev = "${libdir}/libpyldb-util.so"