From 1fe918a07084c878d72cf8a7d1707f6598cc438f Mon Sep 17 00:00:00 2001 
From: Andrew Geissler Date: Fri, 15 May 2020 14:16:47 -0500 Subject: meta-security: subtree update:b72cc7f87c..95fe86eb98 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit André Draszik (1): linux-yocto: update the bbappend to 5.x Armin Kuster (36): README: add pull request option sssd: drop py2 support python3-fail2ban: update to latest Apparmor: fix some runtime depends linux-yocto-dev: remove "+" checksecurity: fix runtime issues buck-security: fix rdebends and minor style cleanup swtpm: fix configure error ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory bastille: convert to py3 tpm2-tools: update to 4.1.1 tpm2-tcti-uefi: fix build issue for i386 machine tpm2-tss: update to 2.3.2 ibmswtpm2: update to 1563 python3-fail2ban: add 2-3 conversion changes google-authenticator-libpam: install module in pam location apparmor: update to tip clamav: add bison-native to depend meta-security-isafw: import layer from Intel isafw: fix to work against master layer.conf: add zeus README.md: update to new maintainer clamav-native: missed bison fix secuirty*-image: remove dead var and minor cleanup libtpm: fix build issue over pod2man sssd: python2 not supported libseccomp: update to 2.4.3 lynis: add missing rdepends fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog chkrootkit: add rootkit recipe clamav: move to recipes-scanners checksec: move to recipe-scanners checksecurity: move to recipes-scanners buck-security: move to recipes-scanners arpwatch: add new recipe buck-security: fix runtime issue with missing per module Bartosz Golaszewski (3): linux: drop the bbappend for linux v4.x series classes: provide a class for generating dm-verity meta-data images dm-verity: add a working example for BeagleBone Black Haseeb Ashraf (1): samhain: dnmalloc hash fix for aarch64 and mips64 Jan Luebbe (2): apparmor: fix wrong executable permission on service file apparmor: update to 2.13.4 Jonatan 
Pålsson (10): README: Add meta-python to list of layer deps sssd: Add PACKAGECONFIG for python2 sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto sssd: DEPEND on nss if nothing else is chosen sssd: Sort PACKAGECONFIG entries sssd: Add autofs PACKAGECONFIG sssd: Add sudo PACKAGECONFIG sssd: Add missing files to SYSTEMD_SERVICE sssd: Add missing DEPENDS on jansson sssd: Add infopipe PACKAGECONFIG Kai Kang (1): sssd: fix for ldblibdir and systemd etc Martin Jansa (1): layer.conf: update LAYERSERIES_COMPAT for dunfell Mingli Yu (1): linux-yocto: update the bbappend to 5.x Pierre-Jean Texier via Lists.Yoctoproject.Org (1): google-authenticator-libpam: upgrade 1.07 -> 1.08 Yi Zhao (5): samhain: fix build with new version attr scap-security-guide: fix xml parsing error when build remediation files scap-security-guide: pass the correct schema file path to openscap-native openscap-daemon: add missing runtime dependencies samhain-server: add volatile file for systemd Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f Signed-off-by: Andrew Geissler --- .../meta-security-isafw/lib/isafw/isafw.py | 158 +++++++++++++++++++++ 1 file changed, 158 insertions(+) create mode 100644 meta-security/meta-security-isafw/lib/isafw/isafw.py (limited to 'meta-security/meta-security-isafw/lib/isafw/isafw.py') diff --git a/meta-security/meta-security-isafw/lib/isafw/isafw.py b/meta-security/meta-security-isafw/lib/isafw/isafw.py new file mode 100644 index 000000000..a1a76b8aa --- /dev/null +++ b/meta-security/meta-security-isafw/lib/isafw/isafw.py 
@@ -0,0 +1,158 @@
+#
+# isafw.py - Main classes for ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ +from __future__ import absolute_import, print_function + +import sys +import traceback +try: + # absolute import + import isafw.isaplugins as isaplugins +except ImportError: + # relative import when installing as separate modules + import isaplugins +try: + from bb import error +except ImportError: + error = print + +__all__ = [ + 'ISA_package', + 'ISA_pkg_list', + 'ISA_kernel', + 'ISA_filesystem', + 'ISA_config', + 'ISA', +] + +# classes for representing objects for ISA plugins + +# source package + + +class ISA_package: + # pkg name (mandatory argument) + name = "" + # full version (mandatory argument) + version = "" + licenses = [] # list of licences for all subpackages + aliases = [] # list of alias names for packages if exist + source_files = [] # list of strings of source files + patch_files = [] # list of patch files to be applied + path_to_sources = "" # path to the source files + +# package list + + +class ISA_pkg_list: + # image name (mandatory argument) + img_name = "" + # path to the pkg list file (mandatory argument) + path_to_list = "" + +# kernel + + +class ISA_kernel: + # image name (mandatory argument) + img_name = "" + # path to the kernel config file (mandatory argument) + path_to_config = "" + +# filesystem + + +class ISA_filesystem: + # image name (mandatory argument) + img_name = "" + type = "" # filesystem type + # path to the fs location (mandatory argument) + path_to_fs = "" + +# configuration of ISAFW +# if both whitelist and blacklist is empty, all avaliable plugins will be used +# if whitelist has entries, then only whitelisted plugins will be used from a set of avaliable plugins +# if blacklist has entries, then the specified plugins won't be used even +# if avaliable and even if specified in whitelist + + +class ISA_config: + plugin_whitelist = "" # comma separated list of plugins to whitelist + plugin_blacklist = "" # comma separated list of plugins to blacklist + cacert = None # If set, a CA certificate file that replaces the 
system default one + reportdir = "" # location of produced reports + logdir = "" # location of produced logs + timestamp = "" # timestamp of the build provided by build system + full_reports = False # produce full reports for plugins, False by default + machine = "" # name of machine build is produced for + la_plugin_image_whitelist = ""# whitelist of images for violating license checks + la_plugin_image_blacklist = ""# blacklist of images for violating license checks + arch = "" # target architecture + +class ISA: + def call_plugins(self, methodname, *parameters, **keywords): + for name in isaplugins.__all__: + plugin = getattr(isaplugins, name) + method = getattr(plugin, methodname, None) + if not method: + # Not having init() is an error, everything else is optional. + if methodname == "init": + error("No init() defined for plugin %s.\n" + "Skipping this plugin." % + (methodname, plugin.getPluginName())) + continue + if self.ISA_config.plugin_whitelist and plugin.getPluginName() not in self.ISA_config.plugin_whitelist: + continue + if self.ISA_config.plugin_blacklist and plugin.getPluginName() in self.ISA_config.plugin_blacklist: + continue + try: + method(*parameters, **keywords) + except: + error("Exception in plugin %s %s():\n%s" % + (plugin.getPluginName(), + methodname, + traceback.format_exc())) + + def __init__(self, ISA_config): + self.ISA_config = ISA_config + self.call_plugins("init", ISA_config) + + def process_package(self, ISA_package): + self.call_plugins("process_package", ISA_package) + + def process_pkg_list(self, ISA_pkg_list): + self.call_plugins("process_pkg_list", ISA_pkg_list) + + def process_kernel(self, ISA_kernel): + self.call_plugins("process_kernel", ISA_kernel) + + def process_filesystem(self, ISA_filesystem): + self.call_plugins("process_filesystem", ISA_filesystem) + + def process_report(self): + self.call_plugins("process_report") -- cgit v1.2.3
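Review bot: In ISA.call_plugins the "No init() defined" message is formatted with a single `%s` but a two-element tuple `(methodname, plugin.getPluginName())`, so the `error(...)` call raises TypeError itself instead of reporting and skipping the plugin; `error("No init() defined for plugin %s.\nSkipping this plugin." % plugin.getPluginName())` matches the intended message. The whitelist and blacklist checks a few lines further down apply `in` to the raw `plugin_whitelist`/`plugin_blacklist` strings even though ISA_config documents them as comma-separated lists, so matching is by substring and a plugin whose name is contained in another entry is wrongly admitted or excluded; compare against `self.ISA_config.plugin_blacklist.split(",")` (and likewise for the whitelist). The bare `except:` around `method(*parameters, **keywords)` also swallows KeyboardInterrupt and SystemExit; `except Exception:` keeps the best-effort behaviour while letting the build be interrupted.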