From a1a6aefba3ae965f2447b102663b2a6a40aa968a Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 25 Jun 2021 14:23:58 -0500 Subject: meta-security: subtree update:ab239f1497..46f7e7acbe Armin Kuster (18): python3-scapy: update to 2.4.5 lkrg-module: update 0.9.1 packagegroup-core-security: exclude ossec-hids from musl ossec-hids: musl not compatable sssd: update to 2.5.0 busybox: drop as libsecomp is in core linux-%_5.%.bbappend: drop recipe initramfs-framework: fix YCL issue. python3-scapy: drop , now in meta-python packagegroup-core-security: drop python3-scapy meta-hardening/initscripts: missed overide. meta-security: add sanity check meta-security/recipe-kernel: use sanity check linux-yocto-dev: drop bbappend meta-tpm: add layer sanity check meta-tpm/linux-yocto: use sanity support meta-integrity: add sanity check meta-integrity/recipe-kernel: use sanity check Federico Pellegrin (1): aircrack-ng: update to 1.6 Kai Kang (2): sssd: set pid path with /run sssd: add fix-ldblibdir.patch back Ricardo Salveti (1): tpm2-tss: fix usrmerge udev install path Robert P. J. Day (1): Correct "securiyt" typo in maintainers.inc Sekine Shigeki (1): smack: add 3 cves to allowlist Upgrade Helper (2): clamav: upgrade to latest revision opendnssec: upgrade 2.1.8 -> 2.1.9 Yi Zhao (1): libgssglue: update SRC_URI 
Signed-off-by: Andrew Geissler Change-Id: I3bcabc218b240681d525111d16f963eb9b33c922 --- meta-security/README | 18 +++ meta-security/classes/sanity-meta-security.bbclass | 10 ++ meta-security/conf/distro/include/maintainers.inc | 2 +- meta-security/conf/layer.conf | 4 + .../initscripts/initscripts_1.0.bbappend | 2 +- meta-security/meta-integrity/README.md | 18 ++- .../classes/sanity-meta-integrity.bbclass | 10 ++ meta-security/meta-integrity/conf/layer.conf | 4 + .../recipes-kernel/linux/linux-%.bbappend | 6 +- .../recipes-kernel/linux/linux_ima.inc | 5 + meta-security/meta-tpm/README | 19 +++ .../meta-tpm/classes/sanity-meta-tpm.bbclass | 10 ++ meta-security/meta-tpm/conf/layer.conf | 4 + .../recipes-kernel/linux/linux-yocto_5.%.bbappend | 18 +-- .../recipes-kernel/linux/linux-yocto_tpm.inc | 17 +++ .../recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb | 4 +- .../recipes-core/busybox/busybox/head.cfg | 1 - .../recipes-core/busybox/busybox_%.bbappend | 1 - .../recipes-core/busybox/busybox_libsecomp.inc | 3 - .../initrdscripts/initramfs-framework.inc | 16 +++ .../initrdscripts/initramfs-framework_1.0.bbappend | 17 +-- .../packagegroup/packagegroup-core-security.bb | 4 +- .../recipes-ids/ossec/ossec-hids_3.6.0.bb | 2 + .../recipes-kernel/linux/linux-%_5.%.bbappend | 4 - .../recipes-kernel/linux/linux-yocto-dev.bbappend | 3 - .../recipes-kernel/linux/linux-yocto_5.%.bbappend | 4 +- .../recipes-kernel/linux/linux-yocto_security.inc | 3 + .../recipes-kernel/lkrg/lkrg-module_0.9.0.bb | 33 ------ .../recipes-kernel/lkrg/lkrg-module_0.9.1.bb | 33 ++++++ meta-security/recipes-mac/smack/smack_1.3.1.bb | 5 + .../recipes-scanners/clamav/clamav_0.104.0.bb | 4 +- .../aircrack-ng/aircrack-ng_1.3.bb | 34 ------ .../aircrack-ng/aircrack-ng_1.6.bb | 36 ++++++ .../recipes-security/libgssglue/libgssglue_0.4.bb | 6 +- .../opendnssec/opendnssec_2.1.8.bb | 34 ------ .../opendnssec/opendnssec_2.1.9.bb | 34 ++++++ .../recipes-security/scapy/files/run-ptest | 4 - 
.../recipes-security/scapy/python3-scapy_2.4.4.bb | 32 ----- ...-use-AC_CHECK_FILE-when-building-manpages.patch | 34 ------ ...01-nss-Collision-with-external-nss-symbol.patch | 78 ------------ ...sing-defines-which-otherwise-are-availabl.patch | 32 ----- .../sssd/files/drop_ntpdate_chk.patch | 28 +++++ .../recipes-security/sssd/files/fix_gid.patch | 27 +++++ .../recipes-security/sssd/files/no_gen.patch | 19 +++ meta-security/recipes-security/sssd/sssd_1.16.5.bb | 128 -------------------- meta-security/recipes-security/sssd/sssd_2.5.0.bb | 131 +++++++++++++++++++++ 46 files changed, 467 insertions(+), 474 deletions(-) create mode 100644 meta-security/classes/sanity-meta-security.bbclass create mode 100644 meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc create mode 100644 meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass create mode 100644 meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc delete mode 100644 meta-security/recipes-core/busybox/busybox/head.cfg delete mode 100644 meta-security/recipes-core/busybox/busybox_%.bbappend delete mode 100644 meta-security/recipes-core/busybox/busybox_libsecomp.inc create mode 100644 meta-security/recipes-core/initrdscripts/initramfs-framework.inc delete mode 100644 meta-security/recipes-kernel/linux/linux-%_5.%.bbappend delete mode 100644 meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend create mode 100644 meta-security/recipes-kernel/linux/linux-yocto_security.inc delete mode 100644 meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb create mode 100644 meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb delete mode 100644 meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb create mode 100644 meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb delete mode 100644 meta-security/recipes-security/opendnssec/opendnssec_2.1.8.bb create mode 100644 
meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb delete mode 100644 meta-security/recipes-security/scapy/files/run-ptest delete mode 100644 meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb delete mode 100644 meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch delete mode 100644 meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch delete mode 100644 meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch create mode 100644 meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch create mode 100644 meta-security/recipes-security/sssd/files/fix_gid.patch create mode 100644 meta-security/recipes-security/sssd/files/no_gen.patch delete mode 100644 meta-security/recipes-security/sssd/sssd_1.16.5.bb create mode 100644 meta-security/recipes-security/sssd/sssd_2.5.0.bb diff --git a/meta-security/README b/meta-security/README index eb1536675..4047b86c3 100644 --- a/meta-security/README +++ b/meta-security/README @@ -1,6 +1,24 @@ Meta-security ============= +The bbappend files for some recipes (e.g. linux-yocto) in this layer need +to have 'security' in DISTRO_FEATURES to have effect. +To enable them, add in configuration file the following line. + + DISTRO_FEATURES_append = " security" + +If meta-security is included, but security is not enabled as a +distro feature a warning is printed at parse time: + + You have included the meta-security layer, but + 'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files + and preferred version setting may not take effect. + +If you know what you are doing, this warning can be disabled by setting the following +variable in your configuration: + + SKIP_META_SECURITY_SANITY_CHECK = 1 + This layer provides security tools, hardening tools for Linux kernels and libraries for implementing security mechanisms. 
diff --git a/meta-security/classes/sanity-meta-security.bbclass b/meta-security/classes/sanity-meta-security.bbclass new file mode 100644 index 000000000..b6c6b9cb5 --- /dev/null +++ b/meta-security/classes/sanity-meta-security.bbclass @@ -0,0 +1,10 @@ +addhandler security_bbappend_distrocheck +security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck" +python security_bbappend_distrocheck() { + skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1" + if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: + bb.warn("You have included the meta-security layer, but \ +'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ +and preferred version setting may not take effect. See the meta-security README \ +for details on enabling security support.") +} diff --git a/meta-security/conf/distro/include/maintainers.inc b/meta-security/conf/distro/include/maintainers.inc index 7b82ef749..e02b9037d 100644 --- a/meta-security/conf/distro/include/maintainers.inc +++ b/meta-security/conf/distro/include/maintainers.inc @@ -1,4 +1,4 @@ -# meta-securiyt Maintainers File +# meta-security Maintainers File # # This file contains a list of recipe maintainers. # diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 906e02440..7853d6e8e 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -13,6 +13,10 @@ LAYERSERIES_COMPAT_security = "hardknott" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" +# Sanity check for meta-security layer. +# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check. +INHERIT += "sanity-meta-security" + BBFILES_DYNAMIC += " \ rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \ " 
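Review bot: The skip variable read in sanity-meta-security.bbclass is misspelled, `SKIP_META_SECUIRTY_SANITY_CHECK`, while the README hunk above and the layer.conf comment in this same diff document `SKIP_META_SECURITY_SANITY_CHECK`, so the documented opt-out never suppresses the warning. The line should read `skip_check = e.data.getVar('SKIP_META_SECURITY_SANITY_CHECK') == "1"`. The same handler also calls `.split()` directly on `e.data.getVar('DISTRO_FEATURES')`, which raises AttributeError instead of warning should that variable ever be unset; `(e.data.getVar('DISTRO_FEATURES') or '').split()` is the safe form, and the integrity and tpm sanity classes later in this diff have the same pattern.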
diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend index 896b03973..f943cb371 100644 --- a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend +++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend @@ -1,4 +1,4 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS_prepend_harden := "${THISDIR}/files:" SRC_URI_append_harden = " file://mountall.sh" diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md index 5048fba1e..8254b0d94 100644 --- a/meta-security/meta-integrity/README.md +++ b/meta-security/meta-integrity/README.md @@ -1,8 +1,24 @@ This README file contains information on the contents of the integrity layer. -Please see the corresponding sections below for details. +The bbappend files for some recipes (e.g. linux-yocto) in this layer need +to have 'integrity' in DISTRO_FEATURES to have effect. +To enable them, add in configuration file the following line. + + DISTRO_FEATURES_append = " integrity" + +If meta-integrity is included, but integrity is not enabled as a +distro feature a warning is printed at parse time: + + You have included the meta-integritry layer, but + 'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files + and preferred version setting may not take effect. + +If you know what you are doing, this warning can be disabled by setting the following +variable in your configuration: + + SKIP_META_INTEGRITY_SANITY_CHECK = 1 Dependencies ============ diff --git a/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass b/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass new file mode 100644 index 000000000..6ba7e3f26 --- /dev/null +++ b/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass 
@@ -0,0 +1,10 @@ +addhandler integrity_bbappend_distrocheck +integrity_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck" +python integrity_bbappend_distrocheck() { + skip_check = e.data.getVar('SKIP_META_INTEGRITY_SANITY_CHECK') == "1" + if 'integrity' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: + bb.warn("You have included the meta-integrity layer, but \ +'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ +and preferred version setting may not take effect. See the meta-integrity README \ +for details on enabling integrity support.") +} diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index ba028da7e..37776f818 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -26,6 +26,10 @@ LAYERDEPENDS_integrity = "core openembedded-layer" BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity" +# Sanity check for meta-integrity layer. +# Setting SKIP_META_INTEGRITY_SANITY_CHECK to "1" would skip the bbappend files check. +INHERIT += "sanity-meta-integrity" + BBFILES_DYNAMIC += " \ networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \ " diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend index f9a48cd05..be60bfeac 100644 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -1,5 +1 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" - -KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" - -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} +require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)} 
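Review bot: In the linux-%.bbappend hunk the new `require` line passes `'integrity '` with a trailing space to `bb.utils.contains_any`; contains_any splits on whitespace so it still works, but with a single feature the plain `bb.utils.contains('DISTRO_FEATURES', 'integrity', 'linux_ima.inc', '', d)` states the intent more clearly. Note that this also changes behaviour: the removed lines applied the ima/modsign kernel fragments whenever 'ima' or 'modsign' was in DISTRO_FEATURES, whereas the new form additionally requires 'integrity', so an existing configuration with 'ima' but without 'integrity' silently loses its IMA kernel features and the only hint is the new parse-time warning. A comment above the require line such as `# linux_ima.inc is only pulled in when 'integrity' is a distro feature; 'ima'/'modsign' alone no longer suffice` would make that explicit.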
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc new file mode 100644 index 000000000..f9a48cd05 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc @@ -0,0 +1,5 @@ +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" + +KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" + +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README index dd662b3d4..59d2ee3ad 100644 --- a/meta-security/meta-tpm/README +++ b/meta-security/meta-tpm/README @@ -1,6 +1,25 @@ meta-tpm layer ============== +The bbappend files for some recipes (e.g. linux-yocto) in this layer need +to have 'tpm' in DISTRO_FEATURES to have effect. +To enable them, add in configuration file the following line. + + DISTRO_FEATURES_append = " tmp" + +If meta-tpm is included, but tpm is not enabled as a +distro feature a warning is printed at parse time: + + You have included the meta-tpm layer, but + 'tpm' has not been enabled in your DISTRO_FEATURES. Some bbappend files + and preferred version setting may not take effect. + +If you know what you are doing, this warning can be disabled by setting the following +variable in your configuration: + + SKIP_META_TPM_SANITY_CHECK = 1 + + This layer contains base TPM recipes. Dependencies diff --git a/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass new file mode 100644 index 000000000..2f8b52d1b --- /dev/null +++ b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass 
@@ -0,0 +1,10 @@ +addhandler tpm_machinecheck +tpm_machinecheck[eventmask] = "bb.event.SanityCheck" +python tpm_machinecheck() { + skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1" + if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: + bb.warn("You have included the meta-tpm layer, but \ +'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ +and preferred version setting may not take effect. See the meta-tpm README \ +for details on enabling tpm support.") +} diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 1b766cba2..0b102c533 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -17,6 +17,10 @@ LAYERDEPENDS_tpm-layer = " \ " BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm" +# Sanity check for meta-integrity layer. +# Setting SKIP_META_TPM_SANITY_CHECK to "1" would skip the bbappend files check. +INHERIT += "sanity-meta-tpm" + BBFILES_DYNAMIC += " \ networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \ " diff --git a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend index cea8b1b2a..2cf1453a8 100644 --- a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend +++ b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend 
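Review bot: The check in sanity-meta-tpm.bbclass tests only `'tpm' not in e.data.getVar('DISTRO_FEATURES').split()`, but the warning it emits says `'tpm or tpm2' has not been enabled in your DISTRO_FEATURES`; 'tpm2' is a MACHINE_FEATURES value in the linux-yocto_tpm.inc hunk below and does not satisfy this check, so the message misleads users into setting something that will not silence the warning. Either the message should match the test, `'tpm' has not been enabled in your DISTRO_FEATURES.`, or the test should accept both via `bb.utils.contains_any`. Relatedly, the meta-tpm README hunk above instructs users to add `DISTRO_FEATURES_append = " tmp"`, which also will not satisfy this check. As in the other sanity classes, guard the `.split()` with `or ''` so an unset DISTRO_FEATURES cannot turn the warning into a parse error.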
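Review bot: The comment added to meta-tpm/conf/layer.conf reads `# Sanity check for meta-integrity layer.` although this is the meta-tpm layer and the class inherited is `sanity-meta-tpm`; it looks copied from the meta-integrity hunk. It should read `# Sanity check for meta-tpm layer.`.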
@@ -1,17 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:" - -# Enable tpm in kernel -SRC_URI_append_x86 = " \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ - " - -SRC_URI_append_x86-64 = " \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ - " - -SRC_URI += " \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \ - ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \ - " +require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm', 'linux-yocto_tpm.inc', '', d)} diff --git a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc new file mode 100644 index 000000000..cea8b1b2a --- /dev/null +++ b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc @@ -0,0 +1,17 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:" + +# Enable tpm in kernel +SRC_URI_append_x86 = " \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ + " + +SRC_URI_append_x86-64 = " \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ + " + +SRC_URI += " \ + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \ + ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \ + " diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb index b2486e5be..cc4f191a2 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb 
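Review bot: The new `require` line in meta-tpm's linux-yocto_5.%.bbappend uses `bb.utils.contains_any` with a single value, `'tpm'`; `bb.utils.contains('DISTRO_FEATURES', 'tpm', 'linux-yocto_tpm.inc', '', d)` says the same thing without implying a list. More importantly, the removed lines selected the kernel fragments purely from MACHINE_FEATURES (tpm, tpm2, tpm_i2c, vtpm), while the new form puts a DISTRO_FEATURES 'tpm' gate in front of all of them, so a machine with MACHINE_FEATURES tpm2 but no 'tpm' distro feature stops receiving tpm2.scc without any build error. That is presumably intended given the new sanity class, but it deserves a one-line comment, e.g. `# The MACHINE_FEATURES-based fragment selection below only applies when 'tpm' is a DISTRO_FEATURE`.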
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb @@ -17,7 +17,7 @@ PACKAGECONFIG ??= "" PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, " PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c " -EXTRA_OECONF += "--enable-static --with-udevrulesdir=${base_prefix}/lib/udev/rules.d/" +EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/" EXTRA_OECONF_remove = " --disable-static" @@ -73,6 +73,6 @@ FILES_libtss2-dev = " \ ${libdir}/libtss2*so" FILES_libtss2-staticdev = "${libdir}/libtss*a" -FILES_${PN} = "${libdir}/udev ${base_prefix}/lib/udev" +FILES_${PN} = "${libdir}/udev ${nonarch_base_libdir}/udev" RDEPENDS_libtss2 = "libgcrypt" diff --git a/meta-security/recipes-core/busybox/busybox/head.cfg b/meta-security/recipes-core/busybox/busybox/head.cfg deleted file mode 100644 index 16017ea48..000000000 --- a/meta-security/recipes-core/busybox/busybox/head.cfg +++ /dev/null @@ -1 +0,0 @@ -CONFIG_FEATURE_FANCY_HEAD=y diff --git a/meta-security/recipes-core/busybox/busybox_%.bbappend b/meta-security/recipes-core/busybox/busybox_%.bbappend deleted file mode 100644 index 27a24824d..000000000 --- a/meta-security/recipes-core/busybox/busybox_%.bbappend +++ /dev/null @@ -1 +0,0 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)} diff --git a/meta-security/recipes-core/busybox/busybox_libsecomp.inc b/meta-security/recipes-core/busybox/busybox_libsecomp.inc deleted file mode 100644 index 4af22ce3e..000000000 --- a/meta-security/recipes-core/busybox/busybox_libsecomp.inc +++ /dev/null @@ -1,3 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:" - -SRC_URI_append = " file://head.cfg" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework.inc b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc new file mode 100644 index 000000000..dad9c967c --- /dev/null +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc 
@@ -0,0 +1,16 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI_append = "\ + file://dmverity \ +" + +do_install_append() { + # dm-verity + install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity +} + +PACKAGES_append = " initramfs-module-dmverity" + +SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support" +RDEPENDS_initramfs-module-dmverity = "${PN}-base" +FILES_initramfs-module-dmverity = "/init.d/80-dmverity" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend index dad9c967c..dc74e017f 100644 --- a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend @@ -1,16 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI_append = "\ - file://dmverity \ -" - -do_install_append() { - # dm-verity - install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity -} - -PACKAGES_append = " initramfs-module-dmverity" - -SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support" -RDEPENDS_initramfs-module-dmverity = "${PN}-base" -FILES_initramfs-module-dmverity = "/init.d/80-dmverity" +require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity', 'initramfs-framework.inc', '', d)} diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index d7349b080..e7b6d9bf3 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -37,7 +37,6 @@ RDEPENDS_packagegroup-security-utils = "\ pinentry \ python3-privacyidea \ python3-fail2ban \ - python3-scapy \ softhsm \ libest \ opendnssec \ 
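Review bot: The new initramfs-framework_1.0.bbappend gates the include on `bb.utils.contains('IMAGE_CLASSES', 'dm-verity', ...)`, but the kernel bbappends in this same diff (the removed linux-%_5.%.bbappend and the new linux-yocto_security.inc) test IMAGE_CLASSES for `dm-verity-img`. bb.utils.contains matches whole whitespace-separated tokens, so 'dm-verity' does not match 'dm-verity-img', and if the image class is really named dm-verity-img the dm-verity initramfs module will never be included while the kernel side still is. If that class name is the correct one the line should be `require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 'initramfs-framework.inc', '', d)}`; otherwise the kernel side should be brought in line, but the two must agree.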
@@ -74,6 +73,8 @@ RDEPENDS_packagegroup-security-ids = " \ aide \ " +RDEPENDS_packagegroup-security-ids_remove_libc-musl = "ossec-hids" + SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ @@ -87,7 +88,6 @@ RDEPENDS_packagegroup-meta-security-ptest-packages = "\ ptest-runner \ samhain-standalone-ptest \ libseccomp-ptest \ - python3-scapy-ptest \ suricata-ptest \ python3-fail2ban-ptest \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb index 242bbdbe0..778278b47 100644 --- a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb +++ b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb @@ -161,3 +161,5 @@ USERADD_PARAM_${PN} = "--system --home-dir /var/ossec -g ossec --shell /bin/fals GROUPADD_PARAM_${PN} = "--system ossec" RDEPENDS_${PN} = "openssl bash" + +COMPATIBLE_HOST_libc-musl = "null" diff --git a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend deleted file mode 100644 index 6bc40cd96..000000000 --- a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend +++ /dev/null @@ -1,4 +0,0 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" 
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend deleted file mode 100644 index fa536d095..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend +++ /dev/null @@ -1,3 +0,0 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend index fa536d095..1d9054faa 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend @@ -1,3 +1 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" +require ${@bb.utils.contains('DISTRO_FEATURES', 'security', '${BPN}_security.inc', '', d)} diff --git a/meta-security/recipes-kernel/linux/linux-yocto_security.inc b/meta-security/recipes-kernel/linux/linux-yocto_security.inc new file mode 100644 index 000000000..fa536d095 --- /dev/null +++ b/meta-security/recipes-kernel/linux/linux-yocto_security.inc 
@@ -0,0 +1,3 @@ +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb deleted file mode 100644 index dbc195d35..000000000 --- a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb +++ /dev/null @@ -1,33 +0,0 @@ -SUMMARY = "Linux Kernel Runtime Guard" -DESCRIPTION="LKRG performs runtime integrity checking of the Linux \ -kernel and detection of security vulnerability exploits against the kernel." -SECTION = "security" -HOMEPAGE = "https://www.openwall.com/lkrg/" -LICENSE = "GPLv2" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=d931f44a1f4be309bcdac742d7ed92f9" - -DEPENDS = "virtual/kernel elfutils" - -SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \ - file://makefile_cleanup.patch " - -SRC_URI[sha256sum] = "a997e4d98962c359f3af163bbcfa38a736d2a50bfe35c15065b74cb57f8742bf" - -S = "${WORKDIR}/lkrg-${PV}" - -inherit module kernel-module-split - -MAKE_TARGETS = "modules" - -MODULE_NAME = "p_lkrg" - -module_do_install() { - install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME} - install -m 0644 ${MODULE_NAME}.ko \ - ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko -} - -RPROVIDES_${PN} += "kernel-module-lkrg" - -COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux" diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb new file mode 100644 index 000000000..287b4e82b --- /dev/null +++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb 
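Review bot: The new linux-yocto_security.inc carries over the apparmor, smack and dm-verity lines, but the deleted linux-%_5.%.bbappend earlier in this diff also appended `features/yama/yama.scc` when 'yama' is in DISTRO_FEATURES, and that bbappend matched linux-yocto_5.x as well. After this commit no file adds the yama fragment, so builds that relied on the 'yama' distro feature silently lose the kernel-side Yama LSM configuration. Unless dropping it is intended, add `KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}"` to this include.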
@@ -0,0 +1,33 @@ +SUMMARY = "Linux Kernel Runtime Guard" +DESCRIPTION="LKRG performs runtime integrity checking of the Linux \ +kernel and detection of security vulnerability exploits against the kernel." +SECTION = "security" +HOMEPAGE = "https://www.openwall.com/lkrg/" +LICENSE = "GPLv2" + +LIC_FILES_CHKSUM = "file://LICENSE;md5=5105ead24b08a32954f34cbaa7112432" + +DEPENDS = "virtual/kernel elfutils" + +SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \ + file://makefile_cleanup.patch " + +SRC_URI[sha256sum] = "cabbee1addbf3ae23a584203831e4bd1b730d22bfd1b3e44883214f220b3babd" + +S = "${WORKDIR}/lkrg-${PV}" + +inherit module kernel-module-split + +MAKE_TARGETS = "modules" + +MODULE_NAME = "p_lkrg" + +module_do_install() { + install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME} + install -m 0644 ${MODULE_NAME}.ko \ + ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko +} + +RPROVIDES_${PN} += "kernel-module-lkrg" + +COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux" diff --git a/meta-security/recipes-mac/smack/smack_1.3.1.bb b/meta-security/recipes-mac/smack/smack_1.3.1.bb index b1ea4e9ff..88ae56cde 100644 --- a/meta-security/recipes-mac/smack/smack_1.3.1.bb +++ b/meta-security/recipes-mac/smack/smack_1.3.1.bb @@ -13,6 +13,11 @@ SRC_URI = " \ PV = "1.3.1" +# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other product. +CVE_CHECK_WHITELIST += "CVE-2014-0363" +CVE_CHECK_WHITELIST += "CVE-2014-0364" +CVE_CHECK_WHITELIST += "CVE-2016-10027" + inherit autotools update-rc.d pkgconfig ptest inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} inherit features_check diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb index ce5b0ea4d..4f203095c 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb 
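Review bot: The smack_1.3.1.bb hunk adds three CVEs to CVE_CHECK_WHITELIST with only the comment `# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other product.`, which neither names that other product nor explains why this recipe's sources are unaffected. Allowlisting silences the cve-check report permanently, so the justification needs to be auditable later: state per CVE which product the NVD entry actually refers to and why the match is a name collision, e.g. `# These CVEs are reported against a different product that shares the "smack" name; they do not affect the Smack userspace tools built here (<reference or analysis>)`. Fixing the spelling ("vulnerable") while at it would help searchability.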
+++ b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb @@ -8,8 +8,8 @@ DEPENDS = "glibc llvm libtool db openssl zlib curl libxml2 bison pcre2 json-c li LIC_FILES_CHKSUM = "file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b273d5902896f7bbe17" -# May 2nd -SRCREV = "de0086aa918b79cd22570d0c05977a288b197e23" +# May 15th +SRCREV = "fe96de86bb90c489aa509ee9135f776b7a2a7eb4" SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=dev/0.104 \ file://clamd.conf \ diff --git a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb deleted file mode 100644 index d73922778..000000000 --- a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb +++ /dev/null @@ -1,34 +0,0 @@ -SUMMARY = "Aircrack-ng is a set of tools for auditing wireless networks" -DESCRIPTION = "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools." -SECTION = "security" -LICENSE = "GPL-2.0" - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8" - -DEPENDS = "libnl openssl sqlite3 libpcre libpcap" - -SRC_URI = "http://download.aircrack-ng.org/${BP}.tar.gz" - -SRC_URI[md5sum] = "c7c5b076dee0c25ee580b0f56f455623" -SRC_URI[sha256sum] = "8ae08a7c28741f6ace2769267112053366550e7f746477081188ad38410383ca" - -inherit autotools-brokensep pkgconfig - -PACKAGECONFIG ?= "" -CFLAGS += " -I${S}/src/include" - -OEMAKE_EXTRA = "sqlite=true experimental=true pcre=true \ - prefix=${prefix} \ - " - -do_compile () { - make ${OEMAKE_EXTRA} TOOL_PREFIX=${TARGET_SYS}- -} - -do_install () { - make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install -} - -FILES_${PN} += "/usr/local/" - -RDEPENDS_${PN} = "libpcap" 
diff --git a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb new file mode 100644 index 000000000..8d3b5311f --- /dev/null +++ b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb @@ -0,0 +1,36 @@ +SUMMARY = "Aircrack-ng is a set of tools for auditing wireless networks" +DESCRIPTION = "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools." +SECTION = "security" +LICENSE = "GPL-2.0" + +LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8" + +DEPENDS = "libnl openssl sqlite3 libpcre libpcap" + +SRC_URI = "http://download.aircrack-ng.org/${BP}.tar.gz" + +SRC_URI[md5sum] = "22ddc85549b51ed0da0931d01ef215e5" +SRC_URI[sha256sum] = "4f0bfd486efc6ea7229f7fbc54340ff8b2094a0d73e9f617e0a39f878999a247" + +inherit autotools-brokensep pkgconfig + +PACKAGECONFIG ?= "" +CFLAGS += " -I${S}/src/include" + +OEMAKE_EXTRA = "sqlite=true experimental=true pcre=true \ + prefix=${prefix} \ + " + +do_compile () { + make ${OEMAKE_EXTRA} TOOL_PREFIX=${TARGET_SYS}- +} + +do_install () { + make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install +} + +FILES_${PN} += "${libdir}/*.so" +FILES_SOLIBSDEV = "" +INSANE_SKIP_${PN} += "dev-so" + +RDEPENDS_${PN} = "libpcap" diff --git a/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb b/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb index f7859a71c..88c58ed26 100644 --- a/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb +++ b/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb 
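Review bot: The new aircrack-ng_1.6.bb adds `FILES_SOLIBSDEV = ""` and `INSANE_SKIP_${PN} += "dev-so"` to ship unversioned .so files in the main package without any comment explaining why the QA check is being disabled; the removed 1.3 recipe did not need this. Since INSANE_SKIP suppresses a packaging check for good, a one-line justification belongs next to it, e.g. `# upstream installs unversioned shared objects that the tools dlopen at runtime, so they belong in ${PN} rather than ${PN}-dev` (adjust to whatever the actual reason is). The source is still fetched over plain `http://download.aircrack-ng.org`; integrity rests entirely on the sha256sum, so if upstream serves the tarball over https it would be worth switching the SRC_URI scheme.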
@@ -21,7 +21,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \
 file://src/oid_ops.c;beginline=378;endline=398;md5=e02c165cb8383e950214baca2fbd664b \
 "
-SRC_URI = "http://www.citi.umich.edu/projects/nfsv4/linux/${BPN}/${BP}.tar.gz \
+SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.bz2 \
 file://libgssglue-canon-name.patch \
 file://libgssglue-gss-inq-cred.patch \
 file://libgssglue-mglueP.patch \
@@ -29,8 +29,8 @@ SRC_URI = "http://www.citi.umich.edu/projects/nfsv4/linux/${BPN}/${BP}.tar.gz \
 file://libgssglue-fix-CVE-2011-2709.patch \
 "
-SRC_URI[md5sum] = "088797f3180702fa54e786496b32e750"
-SRC_URI[sha256sum] = "3f791a75502ba723e5e85e41e5e0c711bb89e2716b7c0ec6e74bd1df6739043a"
+SRC_URI[md5sum] = "5ce81940965fa68c7635c42dcafcddfe"
+SRC_URI[sha256sum] = "bb47b2de78409f461811d0db8595c66e6631a9879c3621a35e4434b104ee52f5"
 # gssglue can use krb5, spkm3... as gssapi library, configurable
 RRECOMMENDS_${PN} += "krb5"
diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.8.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.8.bb
deleted file mode 100644
index cf6bdbdab..000000000
--- a/meta-security/recipes-security/opendnssec/opendnssec_2.1.8.bb
+++ /dev/null
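Review bot: The new `SRC_URI` fetches a Debian `.orig.tar.bz2` instead of the upstream release tarball and both checksums change while `PV` stays 0.4, so this is a different archive, not just a mirror swap; a comment above the line stating why the citi.umich.edu source was replaced, and that the five `file://` patches were re-verified against the new tarball, would stop a later maintainer from reverting it. It is also worth confirming that the Debian archive unpacks into `${BP}` so `S` still resolves, and that the unchanged `LIC_FILES_CHKSUM` lines were actually re-checked rather than assumed. The same observation covers the second hunk (`@@ -29,8`) in this file.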
@@ -1,34 +0,0 @@ -SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones" - -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937" - -DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml " - -SRC_URI = "https://dist.opendnssec.org/source/opendnssec-${PV}.tar.gz \ - file://libxml2_conf.patch \ - file://libdns_conf_fix.patch \ - " - -SRC_URI[sha256sum] = "900a213103ff19a405e446327fbfcea9ec13e405283d87b6ffc24a10d9a268f5" - -inherit autotools pkgconfig perlnative - -EXTRA_OECONF = " --with-libxml2=${STAGING_DIR_HOST}/usr --with-ldns=${STAGING_DIR_HOST}/usr \ - --with-ssl=${STAGING_DIR_HOST}/usr " - -CFLAGS += "-fcommon" - -PACKAGECONFIG ?= "sqlite3" - -PACKAGECONFIG[cunit] = "--with-cunit=${STAGING_DIR_HOST}/usr, --without-cunit," -PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}/usr, ,sqlite3, sqlite3" -PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb" -PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline" -PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind" - -do_install_append () { - rm -rf ${D}${localstatedir}/run -} - -RDEPENDS_${PN} = "softhsm" diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb new file mode 100644 index 000000000..2b79609fa --- /dev/null +++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb 
@@ -0,0 +1,34 @@
+SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937"
+
+DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml "
+
+SRC_URI = "https://dist.opendnssec.org/source/opendnssec-${PV}.tar.gz \
+ file://libxml2_conf.patch \
+ file://libdns_conf_fix.patch \
+ "
+
+SRC_URI[sha256sum] = "6d1d466c8d7f507f3e665f4bfe4d16a68d6bff9d7c2ab65f852e2b2a821c28b5"
+
+inherit autotools pkgconfig perlnative
+
+EXTRA_OECONF = " --with-libxml2=${STAGING_DIR_HOST}/usr --with-ldns=${STAGING_DIR_HOST}/usr \
+ --with-ssl=${STAGING_DIR_HOST}/usr "
+
+CFLAGS += "-fcommon"
+
+PACKAGECONFIG ?= "sqlite3"
+
+PACKAGECONFIG[cunit] = "--with-cunit=${STAGING_DIR_HOST}/usr, --without-cunit,"
+PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}/usr, ,sqlite3, sqlite3"
+PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb"
+PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline"
+PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind"
+
+do_install_append () {
+ rm -rf ${D}${localstatedir}/run
+}
+
+RDEPENDS_${PN} = "softhsm"
diff --git a/meta-security/recipes-security/scapy/files/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest
deleted file mode 100644
index 797d8ecf7..000000000
--- a/meta-security/recipes-security/scapy/files/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-UTscapy3 -t regression.uts -f text -l -C \
- -o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \
- 2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/'
diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb
deleted file mode 100644
index 23ddfce64..000000000
--- a/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb
+++ /dev/null
@@ -1,32 +0,0 @@ -SUMMARY = "Network scanning and manipulation tool" -DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc." -SECTION = "security" -LICENSE = "GPLv2" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -S = "${WORKDIR}/git" - -SRCREV = "95ba5b8504152a1f820bbe679ccf03668cb5118f" -SRC_URI = "git://github.com/secdev/scapy.git \ - file://run-ptest" - -S = "${WORKDIR}/git" - -UPSTREAM_CHECK_COMMITS = "1" - -inherit setuptools3 ptest - -do_install_append() { - mv ${D}${bindir}/scapy ${D}${bindir}/scapy3 - mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3 -} - -do_install_ptest() { - install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} - sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest -} - -RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \ - ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ - ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" diff --git a/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch deleted file mode 100644 index b64670c17..000000000 
--- a/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch +++ /dev/null @@ -1,34 +0,0 @@ -From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= -Date: Fri, 21 Aug 2020 14:45:10 +0200 -Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -AC_CHECK_FILE does not support cross-compilation, and will only check -the host rootfs. Replace AC_CHECK_FILE with a 'test -f ' instead, -to allow building manpages when cross-compiling. - -Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289] -Signed-off-by: Jonatan Pålsson ---- - src/external/docbook.m4 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/external/docbook.m4 b/src/external/docbook.m4 -index deb8632fa..acdc89a68 100644 ---- a/src/external/docbook.m4 -+++ b/src/external/docbook.m4 -@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and - dnl if a particular URI appears in the XML catalog - AC_DEFUN([CHECK_STYLESHEET], - [ -- AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])]) -+ AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])]) - - AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog]) - if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then --- -2.26.1 - diff --git a/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch deleted file mode 100644 index c319269e9..000000000 --- a/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 05c315100a70d3372e891e9a0ea981a875b2ec90 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Thu, 27 Feb 2020 06:50:40 +0100 -Subject: [PATCH] nss: Collision with external nss symbol -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -One of our internal static function names started -to collide with external nss symbol. Additional -sss_ suffix was added to avoid the collision. - -This is needed to unblock Fedora Rawhide's -SSSD build. - -Reviewed-by: Pavel Březina - -Upstream-Status: Backport [https://github.com/SSSD/sssd.git] -Signed-off-by: Hongxu.jia@windriver.com -Signed-off-by: Qi.Chen@windriver.com ---- - src/responder/nss/nss_cmd.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c -index 25e663ed5..a4d4cfc0b 100644 ---- a/src/responder/nss/nss_cmd.c -+++ b/src/responder/nss/nss_cmd.c -@@ -728,11 +728,13 @@ done: - talloc_free(cmd_ctx); - } - --static void nss_setnetgrent_done(struct tevent_req *subreq); -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq); - --static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, -- enum cache_req_type type, -- nss_protocol_fill_packet_fn fill_fn) -+/* This function's name started to collide with external nss symbol, -+ * so it has additional sss_* prefix unlike other functions here. 
*/ -+static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx, -+ enum cache_req_type type, -+ nss_protocol_fill_packet_fn fill_fn) - { - struct nss_ctx *nss_ctx; - struct nss_state_ctx *state_ctx; -@@ -774,7 +776,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, - goto done; - } - -- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx); -+ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx); - - ret = EOK; - -@@ -787,7 +789,7 @@ done: - return EOK; - } - --static void nss_setnetgrent_done(struct tevent_req *subreq) -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq) - { - struct nss_cmd_ctx *cmd_ctx; - errno_t ret; -@@ -1037,8 +1039,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx) - - static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) - { -- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -- nss_protocol_fill_setnetgrent); -+ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -+ nss_protocol_fill_setnetgrent); - } - - static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx) --- -2.21.0 - diff --git a/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch deleted file mode 100644 index 1a2233209..000000000 --- a/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 37a0999e5a9f54e1c61a02a7fbab6fcd04738b3c Mon Sep 17 00:00:00 2001
-From: Armin Kuster
-Date: Thu, 8 Oct 2020 05:54:13 -0700
-Subject: [PATCH] Provide missing defines which otherwise are available on
- glibc system headers
-
-Signed-off-by: Armin Kuster
-
-Upsteam-Status: Pending
-
----
- src/util/util.h | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/util/util.h b/src/util/util.h
-index 8a754dbfd..6e55b4bdc 100644
---- a/src/util/util.h
-+++ b/src/util/util.h
-@@ -76,6 +76,10 @@
- #define MAX(a, b) (((a) > (b)) ? (a) : (b))
- #endif
- 
-+#ifndef ALLPERMS
-+# define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)/* 07777 */
-+#endif
-+
- #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS
- 
- #define SSSD_SERVER_OPTS(uid, gid) \
--- 
-2.17.1
-
diff --git a/meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch b/meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch
new file mode 100644
index 000000000..338af5d36
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch
@@ -0,0 +1,28 @@
+nsupdate path is needed for various exec call
+but don't run natvie tests on it.
+
+
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: Armin Kuster
+
+Index: sssd-2.5.0/src/external/nsupdate.m4
+===================================================================
+--- sssd-2.5.0.orig/src/external/nsupdate.m4
++++ sssd-2.5.0/src/external/nsupdate.m4
+@@ -3,16 +3,4 @@ AC_MSG_CHECKING(for executable nsupdate)
+ if test -x "$NSUPDATE"; then
+ AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate])
+ AC_MSG_RESULT(yes)
+-
+- AC_MSG_CHECKING(for nsupdate 'realm' support')
+- if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then
+- AC_MSG_RESULT([yes])
+- else
+- AC_MSG_RESULT([no])
+- AC_MSG_ERROR([nsupdate does not support 'realm'])
+- fi
+-
+-else
+- AC_MSG_RESULT([no])
+- AC_MSG_ERROR([nsupdate is not available])
+ fi
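Review bot: The patch removes not only the `AC_RUN_LOG([echo realm |$NSUPDATE >&2])` probe, which executes the binary and so cannot work when cross-compiling, but also the whole `else` branch, so a missing nsupdate no longer fails configure and `NSUPDATE_PATH` is silently left undefined; the header should say that this is intentional and that the recipe appends its own `#define NSUPDATE_PATH` to config.h, otherwise the failure just moves from configure to compile time with no explanation. The header text also has typos worth fixing while here: `exec call` → `exec calls`, `natvie` → `native`.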
diff --git a/meta-security/recipes-security/sssd/files/fix_gid.patch b/meta-security/recipes-security/sssd/files/fix_gid.patch
new file mode 100644
index 000000000..9b481ccb9
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/fix_gid.patch
@@ -0,0 +1,27 @@
+from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
+| ../sssd-2.5.0/src/util/debug.h:88:44: error: unknown type name 'uid_t'; did you mean 'uint_t'?
+| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
+| | ^~~~~
+| | uint_t
+| ../sssd-2.5.0/src/util/debug.h:88:55: error: unknown type name 'gid_t'
+| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
+| | ^~~~~
+| make[2]: *** [Makefile:22529: src/util/libsss_iface_la-sss_pam_data.lo] Error 1
+| make[2]: *** Waiting for unfinished jobs....
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster
+
+Index: sssd-2.5.0/src/util/debug.h
+===================================================================
+--- sssd-2.5.0.orig/src/util/debug.h
++++ sssd-2.5.0/src/util/debug.h
+@@ -24,6 +24,8 @@
+ #include "config.h"
+ 
+ #include
++#include
++#include
+ #include
+ 
+ #include "util/util_errors.h"
diff --git a/meta-security/recipes-security/sssd/files/no_gen.patch b/meta-security/recipes-security/sssd/files/no_gen.patch
new file mode 100644
index 000000000..5c8377704
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/no_gen.patch
@@ -0,0 +1,19 @@
+don't run generate-sbus-code
+
+Upstream-Status: Inappropriate [OE Specific]
+
+Signed-off-by: Armin Kuster
+
+Index: sssd-2.5.0/Makefile.am
+===================================================================
+--- sssd-2.5.0.orig/Makefile.am
++++ sssd-2.5.0/Makefile.am
+@@ -1033,8 +1033,6 @@ generate-sbus-code:
+ 
+ .PHONY: generate-sbus-code
+ 
+-BUILT_SOURCES += generate-sbus-code
+-
+ EXTRA_DIST += \
+ sbus_generate.sh.in \
+ src/sbus/codegen/dbus.xml \
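Review bot: The two `#include` lines added to debug.h carry no header name in this listing (the surrounding context `#include` lines are equally bare), which looks like the angle-bracket form being stripped when the page was rendered; if so the patch is fine, but as shown it would not compile, so confirm the file in tree names the headers (presumably `<sys/types.h>`, which declares `uid_t`/`gid_t`, the types the quoted compiler error is about). It would also help to state in the header which libc produced the error — the `uint_t` suggestion hints at musl — so the patch can be dropped once upstream includes the header itself.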
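Review bot: The no_gen.patch header `don't run generate-sbus-code` says what is removed but not why; dropping `BUILT_SOURCES += generate-sbus-code` only works if the generated sbus sources already ship in the release tarball, so the header should say that, and name the build-time tool the generator needs that is not available (presumably the reason), so a later maintainer can tell when the patch is no longer needed.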
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.5.bb b/meta-security/recipes-security/sssd/sssd_1.16.5.bb
deleted file mode 100644
index 9784ec77d..000000000
--- a/meta-security/recipes-security/sssd/sssd_1.16.5.bb
+++ /dev/null
@@ -1,128 +0,0 @@ -SUMMARY = "system security services daemon" -DESCRIPTION = "SSSD is a system security services daemon" -HOMEPAGE = "https://pagure.io/SSSD/sssd/" -SECTION = "base" -LICENSE = "GPLv3+" -LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" - -DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" -DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" - -DEPENDS_append_libc-musl = " musl-nscd" - -# If no crypto has been selected, default to DEPEND on nss, since that's what -# sssd will pick if no active choice is made during configure -DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ - bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}" - -SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \ - file://sssd.conf \ - file://volatiles.99_sssd \ - file://fix-ldblibdir.patch \ - file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \ - file://0001-nss-Collision-with-external-nss-symbol.patch \ - file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \ - " - -SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0" - -inherit autotools pkgconfig gettext python3-dir features_check systemd - -REQUIRED_DISTRO_FEATURES = "pam" - -SSSD_UID ?= "root" -SSSD_GID ?= "root" - -CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ - ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ - " - -PACKAGECONFIG ?="nss nscd autofs sudo infopipe" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" - -PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" -PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto" -PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" -PACKAGECONFIG[infopipe] = "--with-infopipe, 
--with-infopipe=no, " -PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" -PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" -PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " -PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss," -PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" -PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" -PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" -PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " -PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " -PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv" - -EXTRA_OECONF += " \ - --disable-cifs-idmap-plugin \ - --without-nfsv4-idmapd-plugin \ - --without-ipa-getkeytab \ - --without-python2-bindings \ - --enable-pammoddir=${base_libdir}/security \ - --without-python2-bindings \ - --without-secrets \ - --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ -" - -do_configure_prepend() { - mkdir -p ${AUTOTOOLS_AUXDIR}/build - cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ - - # libresove has host path, remove it - sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4 -} - -do_install () { - oe_runmake install DESTDIR="${D}" - rmdir --ignore-fail-on-non-empty "${D}/${bindir}" - install -d ${D}/${sysconfdir}/${BPN} - install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN} - install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d - echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf - fi - - # Remove /var/run as it is created on startup - rm -rf ${D}${localstatedir}/run - - rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* -} - 
-pkg_postinst_ontarget_${PN} () { -if [ -e /etc/init.d/populate-volatile.sh ] ; then - ${sysconfdir}/init.d/populate-volatile.sh update -fi - chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf -} - -CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" - -INITSCRIPT_NAME = "sssd" -INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." -SYSTEMD_SERVICE_${PN} = " \ - ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \ - sssd-nss.service \ - sssd-nss.socket \ - sssd-pam-priv.socket \ - sssd-pam.service \ - sssd-pam.socket \ - sssd.service \ -" -SYSTEMD_AUTO_ENABLE = "disable" - -FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so" -FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" - -# The package contains symlinks that trip up insane -INSANE_SKIP_${PN} = "dev-so" - -RDEPENDS_${PN} = "bind dbus libldb libpam" diff --git a/meta-security/recipes-security/sssd/sssd_2.5.0.bb b/meta-security/recipes-security/sssd/sssd_2.5.0.bb new file mode 100644 index 000000000..84b7b0e46 --- /dev/null +++ b/meta-security/recipes-security/sssd/sssd_2.5.0.bb 
@@ -0,0 +1,131 @@
+SUMMARY = "system security services daemon"
+DESCRIPTION = "SSSD is a system security services daemon"
+HOMEPAGE = "https://pagure.io/SSSD/sssd/"
+SECTION = "base"
+LICENSE = "GPLv3+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+
+DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"
+
+DEPENDS_append_libc-musl = " musl-nscd"
+
+# If no crypto has been selected, default to DEPEND on nss, since that's what
+# sssd will pick if no active choice is made during configure
+DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
+ bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
+
+SRC_URI = "https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz \
+ file://sssd.conf \
+ file://volatiles.99_sssd \
+ file://no_gen.patch \
+ file://fix_gid.patch \
+ file://drop_ntpdate_chk.patch \
+ file://fix-ldblibdir.patch \
+ "
+SRC_URI[sha256sum] = "afa62d7d8d23fca3aba093abe4ec0d14e7d9346c5b28ceb7c2c624bed98caa06"
+
+inherit autotools pkgconfig gettext python3-dir features_check systemd
+
+REQUIRED_DISTRO_FEATURES = "pam"
+
+SSSD_UID ?= "root"
+SSSD_GID ?= "root"
+
+CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
+ ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+ "
+
+PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
+PACKAGECONFIG[crypto] = ", , libcrypto"
+PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
+PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native 
docbook-xsl-stylesheets-native"
+PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
+PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
+PACKAGECONFIG[nss] = ", ,nss,"
+PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
+PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
+PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
+PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
+
+EXTRA_OECONF += " \
+ --disable-cifs-idmap-plugin \
+ --without-nfsv4-idmapd-plugin \
+ --without-ipa-getkeytab \
+ --without-python2-bindings \
+ --enable-pammoddir=${base_libdir}/security \
+ --without-python2-bindings \
+ --without-secrets \
+ --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
+ --with-pid-path=/run \
+"
+
+do_configure_prepend() {
+ mkdir -p ${AUTOTOOLS_AUXDIR}/build
+ cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
+
+ # libresove has host path, remove it
+ sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+}
+
+do_compile_prepend () {
+ echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h
+}
+do_install () {
+ oe_runmake install DESTDIR="${D}"
+ rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+ install -d ${D}/${sysconfdir}/${BPN}
+ install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+ install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+ fi
+
+ # Remove /run as it is created on startup
+ rm -rf ${D}/run
+
+ rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e 
/etc/init.d/populate-volatile.sh ] ; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+ chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
+}
+
+CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
+
+INITSCRIPT_NAME = "sssd"
+INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
+SYSTEMD_SERVICE_${PN} = " \
+ ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+ sssd-nss.service \
+ sssd-nss.socket \
+ sssd-pam-priv.socket \
+ sssd-pam.service \
+ sssd-pam.socket \
+ sssd.service \
+"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so"
+FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
+
+# The package contains symlinks that trip up insane
+INSANE_SKIP_${PN} = "dev-so"
+
+RDEPENDS_${PN} = "bind bind-utils dbus libldb libpam"
-- cgit v1.2.3
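Review bot: `do_compile_prepend` appends `#define NSUPDATE_PATH "${bindir}"` to config.h, i.e. a directory, whereas the configure macro it stands in for (see drop_ntpdate_chk.patch in this commit) defines `NSUPDATE_PATH` as the executable that passed `test -x "$NSUPDATE"`; if sssd execs that string, `${bindir}/nsupdate` is the value wanted — the old recipe's `ac_cv_path_NSUPDATE=${bindir}` had the same shape, so this may be a long-standing mistake rather than a deliberate choice, and is worth checking on target. With `ac_cv_path_NSUPDATE` gone from `CACHED_CONFIGUREVARS`, configure may also find a host nsupdate and emit its own define, making the appended line a redefinition; pinning `ac_cv_path_NSUPDATE=${bindir}/nsupdate` in `CACHED_CONFIGUREVARS` and dropping the echo would avoid both problems. Separately, `PACKAGECONFIG[crypto] = ", , libcrypto"` and `PACKAGECONFIG[nss] = ", ,nss,"` now pass no configure flag at all, so the `# If no crypto has been selected...` comment and the `nss` default in `PACKAGECONFIG` no longer select a backend and should be reworded to say what 2.5.0 actually builds against.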