From 15ae2509e522678e761046cdb8693291c09cf78c Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Tue, 18 Jun 2019 21:44:24 -0400 Subject: subtree updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit meta-openembedded: f3018013ff..3b245e4fe8: Adrian Bunk (8): Remove start-stop-daemon dvb-apps: Remove workaround patch for ancient target compilers Remove ipsec-tools and umip gpsd: Switch PACKAGECONFIG[qt] from Qt4 to Qt5 samba: Upgrade 4.8.11 -> 4.8.12 recipes-devtools: Move back from meta-networking to meta-perl wireless-regdb: Upgrade 2019.03.01 -> 2019.06.03 mcelog: Remove manual RDEPENDS from PN-ptest to PN package Alejandro del Castillo (1): apache2: add all extra/*.conf to conffiles Alistair Francis (1): python-obd: Uprade from 0.7.0 to 0.7.1 Andreas Müller (1): python-six: put python2/3 variant together Andrei Gherzan (2): modemmanager: Update to 1.10.0 networkmanager: Update to 1.18.0 Ankit Navik (1): safec: Initial recipe for safe C library Carlos Rafael Giani (1): openh264: Fix armv7ve build Changqing Li (11): syslog-ng: add rconflict for package syslog-ng-libs netkit-telnet: add rconflicts samba/libldb: add rconflicts php-fpm-apache: fix module path phoronix-test-suite: upgrade from 8.6.0 -> 8.8.1 python-pygobject: upgrade 3.28.3 -> 3.32.1 rrdtool: upgrade 1.7.1 -> 1.7.2 php: upgrade 7.3.4 -> 7.3.6 xf86-video-ati: upgrade 18.0.1 -> 19.0.1 pavucontrol: upgrade 3.0 -> 4.0 multipath-tools: upgrade 0.8.0 -> 0.8.1 Herman van Hazendonk (1): Geoclue: Update to 2.5.3 Hongxu Jia (4): rrdtool: improve reproducibility crash: do not use unstable github archive tarballs postgresql: improve reproducibility net-snmp: split net-snmp-config to package net-snmp-dev Hongzhi.Song (1): spice: fix compile errors on 32bit system Horvath, Chris (1): lcov: Upgrade 1.11 -> 1.14 James Feist (1): libgpiod: Enable cxx bindings by default Kai Kang (16): xfce4-session: 4.13.1 -> 4.13.2 xfce4-screensaver: add recipe packagegroup-xfce-extended: add xfce4-screensaver lxdm: provides fake gdmflexiserver for xfce desktop environment thunar: 1.8.4 -> 1.8.6 xfdesktop: 4.13.3 -> 4.13.4 xfce4-panel: 4.13.4 -> 4.13.5 thunar-volman: 0.9.1 -> 0.9.2 xfce4-appfinder: 4.13.2 -> 4.13.3 libxfce4util: 4.13.2 -> 4.13.3 xfwm4: 4.13.1 -> 4.13.2 xfconf: 4.13.6 -> 4.13.7 libxfce4ui: 4.13.4 -> 4.13.5 xfce4-power-manager: 1.6.1 -> 1.6.2 xfce4-settings: set default theme Adwaita lxdm: provides fake gdmflexiserver for xfce desktop environment Khem Raj (8): libnfc: Fix build with musl openocd: Fix build on x86_64 spice,spice-protocol: Uprev to 0.14.0 udisks: Install bash_completion script in OE familiar dir udisks: Remove bash dependency python-jsmin,python-pytoml,python-which: Add recipes mozjs: Upgrade to version 60.x polkit: Upgrade to 0.116 Liwei Song (1): turbostat: copy bits.h from kernel to turbostat Marek Belisko (1): libsrtp: Fix compilation and add pkgconfig Martin Jansa (17): igmpproxy: remove 0001-src-igmpproxy.h-Include-sys-types.h-for-u_short-u_in.patch and _GNU_SOURCE ne10, libopus: add armv7ve override as well pidgin: upgrade to 2.13.0 funyahoo-plusplus, icyque, pidgin-sipe, purple-skypeweb: add couple plugins for pidgin hunspell: use git fetcher instead of github archive hunspell-dictionaries: import from meta-luneos to make hunspell in meta-oe a bit more useful ttf-mplus, ttf-vlgothic: add ttf-mplus license android-tools-conf: import one more improvement for android-gadget-setup from meta-luneos uriparser: upgrade to 0.9.3 libmikmod: fix SRC_URI leptonica: fix SRC_URI libmikmod: upgrade to 3.3.11.1 open-vm-tools: refresh the patches so that they can be easily applied with devtool or git am open-vm-tools: import gcc9 fixes from fedora spice: append to CFLAGS instead of += cpprest: temporary ignore deprecated-copy and redundant-move errors detected by gcc9 oprofile: drop virtual/kernel dependency and switch back to TUNE_PKGARCH Mingli Yu (4): mariadb: Upgrade to 10.3.15 kea: Upgrade to 1.5.0 hwloc: Upgrade to 1.11.12 kea: replace -Og with -O Naveen Saini (1): pm-graph: add recipe Oleksandr Kravchuk (12): opensaf: update to 5.19.03 python-ldap: update to 3.2.0 rp-pppoe: update to 3.13 atftp: update to 0.7.2 ipcalc: update to 2.2.3 mtr: update to 0.92 nbd: update to 3.19 mdns: update to 878.200.35 lldpd: update to 1.0.3 libp11: update to 0.4.10 nano: update to 4.2 libspatialite: update to 4.3.0a Ovidiu Panait (1): xfsprogs: Fix host contamination Paolo Valente (1): s-suite: push SRCREV to version 3.4 Pascal Bach (1): rocksdb: 5.18.3 -> 6.0.2 Qi.Chen@windriver.com (2): polkit: fix CVE-2019-6133 .gitignore: add *.pyc and *.pyo Randy MacLeod (1): imagemagick: update from 7.0.8-43 to 7.0.8-47 Robert Joslyn (4): cryptsetup: Add PACKAGECONFIG options lmsensors: Update to 3.5.0 xfce4-session: Add xrdb RDEPENDS xfce4-session: Reformat DEPENDS and RDEPENDS Slater, Joseph (1): php-7: mark two tests as expected to fail Stefan Agner (1): haveged: fix CPU cache size detection Tim Orling (13): libterm-readkey-perl: upgrade 2.37 -> 2.38; fix upstream check; enable ptest libtest-deep-perl: add recipe for v1.128 libcgi-perl: upgrade 4.38 -> 4.43; enable ptest libcrypt-openssl-guess-perl: rename from libcrypt-openssl-guess; enable ptest libcrypt-openssl-rsa-perl: upgrade 0.30 -> 0.31; enable ptest libcrypt-openssl-random-perl: upgrade 0.11 -> 0.15; enable ptest libextutils-installpaths-perl: upgrade 0.011 -> 0.012; enable ptest libexutils-config-perl: enable ptest libhtml-tagset-perl: add recipe for v3.20 libhtml-parser-perl: enable ptest libstrictures-perl: upgrade 2.000003 -> 2.000006; enable ptest libxml-libxml-perl: enable ptest libcapture-tiny-perl: upgrade 0.46 -> 0.48; enable ptest William A. Kennington III via Openembedded-devel (1): cli11: 1.6.2 -> 1.7.1 Yi Zhao (8): python-ldap: add python-pyasn1 and python-pyasn1-modules as runtime dependencies fuse: upgrade 2.9.8 -> 2.9.9 yaffs2-utils: update to latest master xfsprogs: upgrade 4.18.0 -> 5.0.0 fcgi: upgrade 2.4.1+git -> 2.4.2 xdebug: upgrade 2.7.0RC2 -> 2.7.2 phpmyadmin: upgrade 4.8.5 -> 4.9.0.1 openipmi: upgrade 2.0.25 -> 2.0.27 Zang Ruochen (13): python-pywbem: solved the conflict with python3-pywbem python3-pywbem:solved the conflict with python-pywbem python-pbr: upgrade 5.2.0 -> 5.2.1 python-mako: upgrade 1.0.10 -> 1.0.12 python-babel: upgrade 2.6.0 -> 2.7.0 python-cachetools: upgrade 3.1.0 -> 3.1.1 python-cryptography: upgrade 2.6.1 -> 2.7 python-cryptography-vectors: upgrade 2.6.1 -> 2.7 python-cython: upgrade 0.29.7 -> 0.29.10 python-lxml: upgrade 4.3.3 -> 4.3.4 python-psutil: upgrade 5.6.2 -> 5.6.3 python-requests: upgrade 2.21.0 -> 2.22.0 python-urllib3: upgrade 1.25.2 -> 1.25.3 nick83ola (5): nginx: update to version 1.17.0 nginx: update stable version to 1.16.0 nginx: add PACKAGECONFIG[http-auth-request] nginx: fix kill path in nginx systemd unit file uthash: do not use unstable github archive tarballs thstead (1): Upgraded python-pysnmp from version 4.3.5. to 4.4.9. Łukasz Łaguna (1): gsl: update to version 2.5 meta-security: 9f5cc2a7eb..c28b72e91d: Armin Kuster (17): checksec: update to 1.11.1 keyutils: fix library install path checksec: add runtime test meta-integrity: port over from meta-intel-iot-security layer.conf: add LAYERSERIES_COMPAT README: update ima-evm-utils: cleanup and update to tip ima.cfg: update to 5.0 kernel linux: update bbappend base-files: add appending to automount securityfs ima-policy-hashed: add new recipe ima_policy_simple: add another sample policy policy: add ima appraise all policy data: remove policies initramfs: clean up to pull in packages. runtime qa: moderize ima test image: add image for testing Changqing Li (1): samhain: add rconflict for client and server mode Zang Ruochen (4): bastille: solved the conflict with perl-module-text-wrap and base-files python-scapy: Remove redundant sed operations python-scapy: solved the conflict with python3-scapy python3-scapy: solved the conflict with python-scapy leimaohui (1): python3-fail2ban: Fix build error of xrange. poky: 797916f93a..111b7173fe: Adrian Bunk (25): nss-myhostname: Stop trying to build for musl systemd: Some upstreamable musl patches have been upstreamed libnss-mdns: Stop trying to build for musl icu: Remove workaround for musl issue fixed upstream 2 years ago socat: Remove workaround for musl issue now fixed upstream ofono: Use external ell instead of an internal copy ofono: Fix another race condition during the build squashfs-tools: Mark as incompatible with musl apt: Remove workaround patches for no longer supported host distributions m4/tar: Remove remove-gets.patch pinentry: Switch pinentry-qt from Qt4 to Qt5 librsvg: Replace workaround for old host systems with upstream fix vim: Move PACKAGECONFIG[gtkgui] from GTK 2 to GTK 3 Remove Go 1.11 go: Remove INSANE_SKIP_* textrel that are now handled in go.bbclass dpkg: Remove workaround patches for no longer supported host distributions lrzsz: Add implicit declaration fixes from Debian tcp-wrappers: Add compile warning fixes from Debian libpam: Upgrade 1.3.0 -> 1.3.1 vte: Fix the license information gcc: Remove 0006-gcc-disable-MASK_RELAX_PIC_CALLS-bit.patch openssl: Upgrade 1.1.1b -> 1.1.1c Remove manual RDEPENDS from PN-ptest to PN package ref-manual: Remove irda feature lttng-modules: Upgrade 2.10.9 -> 2.10.10 Adrian Freihofer (3): qemurunner: fix undefined variable testimage: consider QB_DEFAULT_FSTYPE runqemu: QB_FSINFO to support fstype wic images Alejandro Enedino Hernandez Samaniego (1): python-numpy: Avoid installing copy of f2py script Alejandro Hernandez Samaniego (2): newlib: Upgrade to 3.1.0 newlib: export CC_FOR_TARGET as CC Alejandro del Castillo (1): opkg-utils: upgrade to version 0.4.1 Alex Kiernan (2): kernel-fitimage: uboot-sign: Check UBOOT_DTB_BINARY before adding deps systemd: Backport OpenSSL BUF_MEM fix Alexander Kanavin (53): vim: split the common part into vim.inc libpcre2: upgrade 10.32 -> 10.33 librepo: upgrade 1.9.6 -> 1.10.2 libmodulemd: upgrade 2.2.3 -> 2.4.0 libmodulemd: fix erroneous linking against v2 library when v1 was requested createrepo-c: upgrade 0.12.2 -> 0.14.0 libdazzle: upgrade 3.32.1 -> 3.32.2 adwaita-icon-theme: upgrade 3.30.1 -> 3.32.0 bison: upgrade 3.1 -> 3.3.2 atk: upgrade 2.30.0 -> 2.32.0 python3-mako: upgrade 1.0.9 -> 1.0.10 nss: upgrade 3.43 -> 3.44 go: update 1.12.1->1.12.5 systemtap: upgrade 4.0 -> 4.1 gawk: upgrade 4.2.1 -> 5.0.0 alsa-plugins: upgrade 1.1.8 -> 1.1.9 alsa-utils: upgrade 1.1.8 -> 1.1.9 alsa-lib: upgrade 1.1.8 -> 1.1.9 lz4: upgrade 1.9.0 -> 1.9.1 libxcrypt: upgrade 4.4.4 -> 4.4.6 python3-pip: upgrade 19.0.3 -> 19.1.1 pkgconf: upgrade 1.6.0 -> 1.6.1 at-spi2-core: upgrade 2.30.0 -> 2.32.1 at-spi2-atk: upgrade 2.30.0 -> 2.32.0 glib-networking: upgrade 2.60.1 -> 2.60.2 libsoup-2.4: upgrade 2.66.1 -> 2.66.2 x264: upgrade to latest revision linux-firmware: upgrade to latest revision python3-pbr: upgrade 5.1.3 -> 5.2.0 bash-completion: upgrade 2.8 -> 2.9 gst-examples: upgrade to 1.16.0 acpica: upgrade 20190405 -> 20190509 freetype: upgrade 2.9.1 -> 2.10.0 usbutils: upgrade 010->012 webkitgtk: update to 2.24.2 epiphany: update to 3.32.2 btrfs-tools: update to 5.1 iproute2: upgrade 5.0.0 -> 5.1.0 chkconfig: do not use unstable github archive tarballs chkconfig: fix upstream version check perl: update to 5.30.0 piglit: upgrade to latest revision ccache: fix upstream version check Revert "ncurses: fix incorrect UPSTREAM_CHECK_GITTAGREGEX" sysstat: add UPSTREAM_VERSION_UNKNOWN python3-pygments: add a recipe gtk-doc: upgrade 1.29 -> 1.30 libpsl: fix the gtk-doc 1.30 build source-highlight: remove the recipe mesa-demos: update to 8.4.0 glib-2.0: udpate 2.58.3 -> 2.60.3 gdk-pixbuf: update 2.38.0 -> 2.38.1 gtk+3: update 3.24.5 -> 3.24.8 Alistair Francis (3): gdb: Upgrade from 8.2.1 to 8.3 gnu-config: Update to latest SHA qemu: Backport the arm segfault fix Andreas Müller (1): gsettings-desktop-schemas: upgrade 3.28.1 -> 3.32.0 Andrei Gherzan (1): ca-certificates: Fix openssl runtime dependencies Anuj Mittal (8): Revert "image_types: use pigz to create .gz files" Revert "pigz: pigz is not gzip" libva: upgrade 2.4.0 -> 2.4.1 ffmpeg: add PACKAGECONFIG for mfx libpam: fix upstream version check serf: cleanup recipe scons: inherit python3native python3-scons: fix regex replacing python by python3 Bonnans, Laurent (1): kernel-uboot: compress arm64 kernels Bruce Ashfield (11): linux-yocto/5.0: update to v5.0.13 linux-yocto/4.19: update to v4.19.40 linux-yocto/4.19: update to v4.19.44 kernel: package modules.builtin.modinfo linux-yocto-dev: bump to v5.2-rc linux-yocto/5.0: update to v5.0.17 linux-yocto-rt/5.0: update to -rt9 linux-yocto/5.0: update to v5.0.19 linux-yocto-rt/5.0: update to -rt11 linux-yocto/5.0: fix systemtap on arm linux-yocto: ptest: Add SCSI debug configuration for util-linux Carlos Rafael Giani (6): gstreamer1.0-plugins-base: upgrade to version 1.16.0 gstreamer1.0-plugins-good: upgrade to version 1.16.0 gstreamer1.0-plugins-bad: upgrade to version 1.16.0 gstreamer1.0-plugins-ugly: upgrade to version 1.16.0 gstreamer1.0-libav: upgrade to version 1.16.0 gstreamer1.0-vaapi: upgrade to version 1.16.0 Changqing Li (8): connman: add networkmanager as rconflict dropbear: add openssh/openssh-sshd as rconflict busybox-inittab/sysvinit-inittab: add rconflicts inetutils: fix wrong package name systemd: add rconflicts tiny-init: add rconflicts multilib: add override for image recipe qemu: fix qemu ptest cannot work Chee Yang Lee (3): wic: bootimg-efi: add label source parameter wic/engine: include .wks.in in wic search and list wic/plugins: kernel image refer to KERNEL_IMAGETYPE Chen Qi (5): libxfont2: set CVE_PRODUCT systemd: avoid musl specific patches affect glibc systems util-linux: upgrade to 2.33.2 oescripts.py: avoid error when cairo module is not available context.py: fix skipping function Chris Laplante (5): base.bbclass: Add OE_EXTRA_IMPORTS bitbake: knotty: allow progress rate for indeterminate bars bitbake: build: extract progress handler creation logic into its own method bitbake: build/progress: use context managers for progress handlers bitbake: build: implement custom progress handlers injected via OE_EXTRA_IMPORTS David Frey (1): bluez5: manage udev dependency with PACKAGECONFIG David Reyna (1): bitbake: toaster: Fix Thud Bitbake release metadata Diego Rondini (1): bluez5: fix obex packaging Douglas Royds via Openembedded-core (1): json-c: Backport --disable-werror patch to allow compilation under icecc Fabio Berton (3): mesa: Update 19.0.3 -> 19.0.5 mesa: Update 19.0.5 -> 19.0.6 mesa: Update 19.0.6 -> 19.1.0 Filip Jareš (1): recipes: Fix license "names"/versions. Haiqing Bai (1): kernel.bbclass: Make task clean depend on cleaning of make-mod-scripts He Zhe (1): lttng-modules: Add git based recipe Hongxu Jia (5): grub/grub-efi: fix unrecognized command line option '-pipe-Wno-error' in CFLAGS lib/oe/reciputils.py: support character `+' in git pv groff: improve reproducibility diffutils/run-ptest: support to run at arbitrary path openssh: fix potential signed overflow in pointer arithmatic Jaewon Lee (2): gstreamer1.0-python_1.16.0.bb: Override libpython dir devicetree.bbclass: Combine stderr into stdout to see actual dtc error Jean-Marie LEMETAYER (4): npm: get npm package name from npm pack npm: fix node and npm default directory conflict npm: remove some temporary build files bitbake: bitbake: fetch2/npm: fix npw view parsing Jiping Ma (1): dhcp:"dhclient -x eth0" action is not correct. Joe Slater (1): slang: modify an array test Jon Mason (2): resulttool: modify to be multi-machine resulttool: Remove prints if no tests occur Jonathan Rajotte (4): lttng-tools: prevent test timeout when lttng-modules is not present lttng-tools: add lttng-modules to ptest dependencies liburcu: update to 0.11.0 liburcu: update to 0.11.1 Joshua Watt (11): avahi: Add PACKAGECONFIG for libdns_sd perl: Preserve attributes when applying cross files btrfs-tools: Pass DEBUG_MAP_PREFIX flags to Python bitbake: bitbake: cooker: Rename __depends in all multiconfigs bitbake: bitbake: Show base multiconfig environment perl: Set build date to SOURCE_DATE_EPOCH glibc-locale: DEPEND on virtual/libc zip: Remove build date to improve reproducibility classes/package: Sort ELF file list bash: Replace uninative loader path in ptest oeqa: Add reproducible build selftest Kai Kang (3): systemd-conf: configure wired network with dhcp qemu/qemu-system-native: depend bison-native openssl: fix failure of ptest test_shlibload Kevin Hao (3): runqemu: Add the support to pass multi ports to tcpserial parameter oeqa/utils/qemurunner: Set both the threadport&serverport with tcpserial parameter tune-thunderx: Set the correct PACKAGE_EXTRA_ARCHS_tune-thunderx Khem Raj (6): mesa: Fix a case when gbm is enabled but DRIDRIVERS is not defined ofono: Add TEMP_FAILURE_RETRY optional definition Revert "musl: Add TEMP_FAILURE_RETRY from glibc" binutils: Workaround mips assembler crash on target musl: Upgrade to master tip gdb: Let gdbserver be empty for riscv64 Lei Maohui (1): meson.bbclass: Make meson support aarch64_be. Luca Boccassi (2): python*-setuptools: add separate packages for pkg_resources module mdadm: use ${systemd_unitdir} rather than /lib/systemd Maciej Pijanowski (1): recipetool: add python3 support Mariano López (3): util-linux: Add missing ptest dependencies util-linux: Stop udevd to run ptests linux-yocto: Add scsi_debug module when ptest is in DISTRO_FEATURES Mark Hatle (1): bitbake: svn.py: Stop SVN from directly pulling from an external layer w/o fetcher Martin Jansa (5): python: add a fix for CVE-2019-9948 and CVE-2019-9636 glib-networking: add PACKAGECONFIG for openssl bc: use u-a for bc as well opkg-utils: fix opkg-list-fields script pigz: install pigz, unpigz, pigzcat in native and nativesdk builds again Matthias Schiffer (1): bitbake: fetch2: runfetchcmd(): unset _PYTHON_SYSCONFIGDATA_NAME Matthias Schoepfer via Openembedded-core (1): python3: fix build on softfloat mips Michael Ho (1): base.bbclass: add named SRCREVs to the sstate hash Mike Crowe (1): cmake: Avoid passing empty prefix to os.path.relpath Mingli Yu (3): elfutils: fix ptest failures dbus: Upgrade to 1.12.16 dbus-test: Upgrade 1.12.16 Nicola Lunghi (3): connman: fix segfault with musl >v1.1.21 rng-tools: recipe cleanup rng-tools: harmonise systemd and sysvinit Oleksandr Kravchuk (6): ethtool: update to 5.1 file: update to 5.37 p11-kit: update to 0.23.16.1 popt: fix SRC_URI selftest/devtool: fix URI to MarkupSafe package bitbake: cooker: list all nonexistent bblayer directories Oliver Stäbler (1): packagegroup-core-full-cmdline: Make nfs-utils/rpcbind optional Peter Kjellerstedt (3): texinfo-dummy-native: A little clean up of template.py texinfo-dummy-native: Rewrite template.py to use argparse package.bbclass: Clean up writing of runtime pkgdata files Philippe Normand (9): gstreamer1.0: upgrade to version 1.16.0 gstreamer1.0-omx: upgrade to version 1.16.0 gstreamer1.0-rtsp-server: upgrade to version 1.16.0 gstreamer1.0-python: upgrade to version 1.16.0 gst-validate: upgrade to version 1.16.0 cmake: Use compiler launcher variable when ccache is enabled at-spi2: Make X11 support truly optional gnutls: Use ca-certificates as default trust store file gnutls: Use the sysconfdir variable for the ca-certificates path Quentin Schulz (2): meta: license: fix non-SPDX license being removed from INCOMPATIBLE_LICENSE selftests: add tests for INCOMPATIBLE_LICENSE Randy MacLeod (6): valgrind: Make ptest timestamps copasetic valgrind: add 'file' to ptest depends util-linux: add setpriv utility libcap-ng: split into libcap-ng/libcap-ng-python ptest-runner: enable child procs as session leader bash: use setpriv, sed.sed to run ptests Richard Purdie (46): perl-rdepends: Add missing module dependencies bash: Fix bash-ptest dependencies openssh: Add sudo dependency for ptest libpcre: Add make dependency for ptest m4: Add coreutils and diffutils dependency for ptest perl/modules: Add various missing ptest perl module dependencies layer.conf: Whitelist lttng-tools->lttng-modules dependency tcmode-default: Make gcc9 the default lttng-tools: Fix patch Upstream-Status mesa: Fix patch Upstream-Status uninative-tarball: Fix file generation after class changes populate_sdk_base: Use highest compression level for xz uninative-tarball: Use xz compression and SDK_ARCHIVE_CMD strace: Tweak ptest disk space management ptest-packagelists: Add mdadm util-linux: Fix ptest dependencies mdadm: Add missing ptest dependency yocto-uninative: Update to 2.5 release uninative: Switch from bz2 to xz bitbake: main: Fix error message typo qemuarm64: Add QB_CPU_KVM to allow kvm acceleration runqemu: Add support for kvm on aarch64 useradd: Fix build architecture corruption of sstate artefacts useradd: Ensure do_populate_sysroot has dependency on useradd variables beaglebone-yocto: Add missing wic image u-boot deploy dependency quilt: Add patch depends for quilt-ptest libtest-needs-perl: Fix ptest dependencies libtimedate-perl: Fix ptest dependencies perl: Add missing perl module dependency liburi-perl: Fix module ptest dependencies libconvert-aan1-perl: Fix module and ptest dependencies libxml-sax-perl: Fix module ptest dependencies libxml-perl: Fix module and ptest dependencies e2fsprogs: Fix missing ptest dependencies glib-2.0: ptest fixes openssh: Add missing ptest dependency on coreutils gpg_sign/selftest: Fix secmem parameter handling gawk: ptest fixes openssh: Document skipped test dependency multiconfig: Adapt to bitbake switch 'multiconfig' -> 'mc' bitbake: multiconfig: Switch from 'multiconfig' -> 'mc' bitbake: cooker: Add compability handling for multiconfig: prefix migration build-appliance-image: Update to master head revision bitbake: cooker: Ensure mcdeps are processed even if only one multiconfig perl: Fix setgroup call regression from 5.30 perl: Move perl-sanity -> perl Ross Burton (13): insane: add sanity checks to SRC_URI libidn2: upgrade to 2.2.0 local.conf.sample: change default MACHINE to qemux86-64 libical: tidy up Perl finding wic/filemap: handle FIGETBSZ failing libxslt: add comment saying when a workaround can be removed parted: swap patches for the commits that landed upstream parted: drop patch for linux <2.6.20 support python-nose: python3-nose should be default bluez: fix test case failures with GCC 9 efivar: add efibootmgr: add gstreamer1.0-libav: disable API documentation Sakib Sajal (4): bash: add iso8859-1 gconv RDEPENDS needed by bash-ptest. bash: add big5hkscs gconv RDEPENDS needed by bash-ptest. bash: run bash ptest as non-root user ptest-runner: update SRCREV to latest HEAD on ptest-runner2 repo Scott Rifenbark (17): sdk-manual: Added link to BB manual fetcher section. ref-manual: Updated "do_fetch" to have a link to "Fetchers" dev-manual, ref-manual: removed "distrodata" class ref-manual: Removed bugzilla.bbclass ref-manual: Removed "distutils-tools" class. ref-manual: Udated devtool help output examples. ref-manual: New section "Checking Upgrade Status of a Recipe" dev-manual: Added check-upgrade-status blurb to upgrading recipes ref-manual: do_checkpkg - added link to checking upgrade status ref-manual: Updates to check-recipe-upgrade devtool command ref-manual: Grammar correction dev-manual: Added new section for creating NPM packages Makefile: Updated to support new NPM package creation section dev-manual: Updated the "Working with Packages" list ref-manual: Updated "npm.bbclass" section. overview-manual: Updated SCM section dev-manual: Fixed grammar issue. Tim Orling (8): libxml-parser-perl: fix ptest dependencies perl-rdepends.txt: improve dependencies for perl module ptests perl: install Config_git.pl perl-rdepends.txt: fix perl-module-data-dumper dependencies python3-scons-{native}: add recipe for v3.0.5 scons.bbclass: use python3-scons serf: switch to python3-scons-native oeqa/runtime: add simple test for scons Tom Rini (2): vim: Rework things so vim adds features not vim-tiny removes vim: Update to 8.1.1518 to fix CVE-2019-12735 Yeoh Ee Peng (3): resulttool/resultutils: Enable add extra configurations to results resulttool/store: Enable add EXECUTED_BY config to results resulttool/merge: Enable control TESTSERIES and extra configurations Zang Ruochen (3): openssh: Upgrade 7.9p1 -> 8.0p1 dbus: Upgrade 1.12.12 -> 1.12.14 dbus-test: Upgrade 1.12.12 -> 1.12.14 Zhixiong Chi (2): gcc: reduce the variables in symtab gcc: CVE-2018-12886 sangeeta jain (1): resulttool/manualexecution: Enable creation of test case configuration meta-raspberrypi: 7059c37451..40283f583b: Andrei Gherzan (1): gstreamer1.0-omx: Forward port bbappend and patches to v1.16.x Khem Raj (4): linux-raspberrypi_4.19.bb: Update to 4.19.44 rpi-default-versions: Switch defaults to 4.19 userland: Update to 20190501 firmware: Update 20190220 -> 20190517 malus-brandywine (1): sdcard_image-rpi : minor bug in use of FATPAYLOAD Change-Id: Idab4e8c2666bc776d0b47988a32dcb9f04885aff Signed-off-by: Brad Bishop --- meta-security/lib/oeqa/runtime/cases/checksec.py | 33 +++ meta-security/meta-integrity/README.md | 250 +++++++++++++++++++++ .../meta-integrity/classes/ima-evm-rootfs.bbclass | 92 ++++++++ meta-security/meta-integrity/conf/layer.conf | 24 ++ .../meta-integrity/data/debug-keys/privkey_ima.pem | 16 ++ .../meta-integrity/data/debug-keys/x509_ima.der | Bin 0 -> 707 bytes .../meta-integrity/lib/oeqa/runtime/cases/ima.py | 129 +++++++++++ .../recipes-core/base-files/base-files-ima.inc | 5 + .../recipes-core/base-files/base-files_%.bbappend | 1 + .../recipes-core/images/integrity-image-minimal.bb | 22 ++ .../initrdscripts/initramfs-framework-ima.bb | 28 +++ .../initrdscripts/initramfs-framework-ima/ima | 52 +++++ .../packagegroups/packagegroup-ima-evm-utils.bb | 9 + .../systemd/files/machine-id-commit-sync.conf | 2 + .../systemd/files/random-seed-sync.conf | 3 + .../recipes-core/systemd/systemd_%.bbappend | 13 ++ .../recipes-kernel/linux/linux-%.bbappend | 3 + .../0001-ima-fix-ima_inode_post_setattr.patch | 51 +++++ ...port-for-creating-files-using-the-mknodat.patch | 138 ++++++++++++ ...limit-file-hash-setting-by-user-to-fix-an.patch | 60 +++++ .../recipes-kernel/linux/linux/ima.cfg | 18 ++ .../recipes-kernel/linux/linux/ima_evm_root_ca.cfg | 3 + ...tils-link-to-libcrypto-instead-of-OpenSSL.patch | 65 ++++++ ...m-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43 ++++ ...ls-include-hash-info.gen-into-distributio.patch | 31 +++ ...004-ima-evm-utils-update-.gitignore-files.patch | 34 +++ ...command-line-apply-operation-to-all-paths.patch | 68 ++++++ .../ima-evm-utils/disable-doc-creation.patch | 50 +++++ ...do-not-depend-on-xattr.h-with-IMA-defines.patch | 47 ++++ .../ima-evm-utils/ima-evm-utils_git.bb | 41 ++++ .../files/ima_policy_appraise_all | 29 +++ .../ima-policy-appraise-all_1.0.bb | 18 ++ .../ima_policy_hashed/files/ima_policy_hashed | 77 +++++++ .../ima_policy_hashed/ima-policy-hashed_1.0.bb | 20 ++ .../ima_policy_simple/files/ima_policy_simple | 4 + .../ima_policy_simple/ima-policy-simple_1.0.bb | 18 ++ .../meta-integrity/scripts/ima-gen-CA-signed.sh | 48 ++++ .../meta-integrity/scripts/ima-gen-local-ca.sh | 42 ++++ .../meta-integrity/scripts/ima-gen-self-signed.sh | 41 ++++ .../recipes-ids/samhain/samhain-client_4.3.2.bb | 1 + .../recipes-ids/samhain/samhain-server_4.3.2.bb | 1 + .../recipes-security/bastille/bastille_3.2.1.bb | 4 +- .../recipes-security/checksec/checksec_1.11.1.bb | 19 ++ .../recipes-security/checksec/checksec_1.11.bb | 19 -- .../files/0001-To-fix-build-error-of-xrang.patch | 28 +++ .../fail2ban/python3-fail2ban_0.10.4.0.bb | 4 + .../keyutils/files/fix_library_install_path.patch | 28 +++ .../recipes-security/keyutils/keyutils_1.6.bb | 14 +- .../recipes-security/scapy/python-scapy.inc | 7 - .../recipes-security/scapy/python-scapy_2.4.2.bb | 5 + .../recipes-security/scapy/python3-scapy_2.4.2.bb | 4 + 51 files changed, 1727 insertions(+), 35 deletions(-) create mode 100644 meta-security/lib/oeqa/runtime/cases/checksec.py create mode 100644 meta-security/meta-integrity/README.md create mode 100644 meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass create mode 100644 meta-security/meta-integrity/conf/layer.conf create mode 100644 meta-security/meta-integrity/data/debug-keys/privkey_ima.pem create mode 100644 meta-security/meta-integrity/data/debug-keys/x509_ima.der create mode 100644 meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py create mode 100644 meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc create mode 100644 meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend create mode 100644 meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb create mode 100644 meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb create mode 100644 meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima create mode 100644 meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb create mode 100644 meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf create mode 100644 meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf create mode 100644 meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg create mode 100644 meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg create mode 100644 meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch create mode 100644 meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch create mode 100644 meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch create mode 100644 meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch create mode 100644 meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch create mode 100644 meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch create mode 100644 meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch create mode 100644 meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb create mode 100644 meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all create mode 100644 meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb create mode 100644 meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed create mode 100644 meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb create mode 100644 meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple create mode 100644 meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb create mode 100755 meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh create mode 100755 meta-security/meta-integrity/scripts/ima-gen-local-ca.sh create mode 100755 meta-security/meta-integrity/scripts/ima-gen-self-signed.sh create mode 100644 meta-security/recipes-security/checksec/checksec_1.11.1.bb delete mode 100644 meta-security/recipes-security/checksec/checksec_1.11.bb create mode 100644 meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch create mode 100644 meta-security/recipes-security/keyutils/files/fix_library_install_path.patch (limited to 'meta-security') diff --git a/meta-security/lib/oeqa/runtime/cases/checksec.py b/meta-security/lib/oeqa/runtime/cases/checksec.py new file mode 100644 index 000000000..ff6d2f319 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/cases/checksec.py @@ -0,0 +1,33 @@ +# Copyright (C) 2019 Armin Kuster +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class CheckSecTest(OERuntimeTestCase): + + @OEHasPackage(['checksec']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_checksec_help(self): + status, output = self.target.run('checksec --help ') + msg = ('checksec command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['checksec.CheckSecTest.test_checksec_help']) + def test_checksec_xml(self): + status, output = self.target.run('checksec --format xml --proc-all') + msg = ('checksec xml failed. Output: %s' % output) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['checksec.CheckSecTest.test_checksec_xml']) + def test_checksec_fortify(self): + status, output = self.target.run('checksec --fortify-proc 1') + match = re.search('FORTIFY_SOURCE support:', output) + if not match: + msg = ('checksec : fortify-proc failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 1, msg = msg) diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md new file mode 100644 index 000000000..5bef76e8d --- /dev/null +++ b/meta-security/meta-integrity/README.md @@ -0,0 +1,250 @@ +This README file contains information on the contents of the +integrity layer. + +Please see the corresponding sections below for details. + + +Dependencies +============ + +This layer depends on: + + URI: git://git.openembedded.org/bitbake + branch: master + + URI: git://git.openembedded.org/openembedded-core + layers: meta + branch: master + + URI: git://github.com/01org/meta-security/meta-integrate + layers: security-framework + branch: master + + +Patches +======= + +For discussion or patch submission via email, use the +yocto@yoctoproject.org mailing list. When submitting patches that way, +make sure to copy the maintainer and add a "[meta-integrity]" +prefix to the subject of the mails. + +Maintainer: Armin Kuster + + +Table of Contents +================= + +1. Adding the integrity layer to your build +2. Usage +3. Known Issues + + +1. Adding the integrity layer to your build +=========================================== + +In order to use this layer, you need to make the build system aware of +it. + +Assuming the security repository exists at the top-level of your +yocto build tree, you can add it to the build system by adding the +location of the integrity layer to bblayers.conf, along with any +other layers needed. e.g.: + + BBLAYERS ?= " \ + /path/to/yocto/meta \ + /path/to/yocto/meta-yocto \ + /path/to/yocto/meta-yocto-bsp \ + /path/to/yocto/meta-security/meta-integrity \ + " + +It has some dependencies on a suitable BSP; in particular the kernel +must have a recent enough IMA/EVM subsystem. The layer was tested with +Linux 3.19 and uses some features (like loading X509 certificates +directly from the kernel) which were added in that release. Your +mileage may vary with older kernels. + +The necessary kernel configuration parameters are added to all kernel +versions by this layer. Watch out for QA warnings about unused kernel +configuration parameters: those indicate that the kernel used by the BSP +does not have the necessary IMA/EVM features. + +Adding the layer only enables IMA (see below regarding EVM) during +compilation of the Linux kernel. To also activate it when building +the image, enable image signing in the local.conf like this: + + INHERIT += "ima-evm-rootfs" + IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" + +This uses the default keys provided in the "data" directory of the layer. +Because everyone has access to these private keys, such an image +should never be used in production! + +For that, create your own keys first. All tools and scripts required +for that are included in the layer. This is also how the +``debug-keys`` were generated: + + # Choose a directory for storing keys. Preserve this + # across builds and keep its private keys secret! + export IMA_EVM_KEY_DIR=/tmp/imaevm + mkdir -p $IMA_EVM_KEY_DIR + # Build the required tools. + bitbake openssl-native + # Set up shell for use of the tools. + bitbake -c devshell openssl-native + cd $IMA_EVM_KEY_DIR + # In that shell, create the keys. Several options exist: + + # 1. Self-signed keys. + $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh + + # 2. Keys signed by a new CA. + # When asked for a PEM passphrase, that will be for the root CA. + # Signing images then will not require entering that passphrase, + # only creating new certificates does. Most likely the default + # attributes for these certificates need to be adapted; modify + # the scripts as needed. + # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh + # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh + + # 3. Keys signed by an existing CA. + # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh + exit + +When using ``ima-self-signed.sh`` as described above, self-signed keys +are created. Alternatively, one can also use keys signed by a CA. The +``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA +and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then +supports adding tha CA's public key to the kernel's system keyring by +compiling it directly into the kernel. Because it is unknown whether +that is necessary (for example, the CA might also get added to the +system key ring via UEFI Secure Boot), one has to enable compilation +into the kernel explicitly in a local.conf with: + + IMA_EVM_ROOT_CA = "" + + + + +To use the personal keys, override the default IMA_EVM_KEY_DIR in your +local.conf and/or override the individual variables from +ima-evm-rootfs.bbclass: + + IMA_EVM_KEY_DIR = "" + IMA_EVM_PRIVKEY = "" + +By default, the entire file system gets signed. When using a policy which +does not require that, the set of files to be labelled can be chosen +by overriding the default "find" expression, for example like this: + + IMA_EVM_ROOTFS_FILES = "usr sbin bin lib -type f" + + +2. Usage +======== + +After creating an image with IMA/EVM enabled, one needs to enable +the built-in policies before IMA/EVM is active at runtime. To do this, +add one or both of these boot parameters: + + ima_tcb # measures all files read as root and all files executed + ima_appraise_tcb # appraises all files owned by root, beware of + # the known issue mentioned below + +Instead of booting with default policies, one can also activate custom +policies in different ways. First, boot without any IMA policy and +then cat a policy file into +`/sys/kernel/security/ima/policy`. This can only be done once +after booting and is useful for debugging. + +In production, the long term goal is to load a verified policy +directly from the kernel, using a patch which still needs to be +included upstream ("ima: load policy from the kernel", +). + +Loading via systemd also works with systemd, but is considered less +secure (policy file is not checked before activating it). Beware that +IMA policy loading became broken in systemd 2.18. The modified systemd +2.19 in meta-security-smack has a patch reverting the broken +changes. To activate policy loading via systemd, place a policy file +in `/etc/ima/ima-policy`, for example with: + + IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple" + +To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` + +To check that appraisal works, try modifying executables and ensure +that executing them fails: + + echo "foobar" >>/usr/bin/rpm + evmctl ima_verify /usr/bin/rpm + rpm --version + +Depending on the current appraisal policy, the `echo` command may +already fail because writing is not allowed. If the file was modified +and the current appraisal policy allows reading, then `evmctl` will +report (the errno value seems to be printed always and is unrelated to +the actual verification failure here): + + Verification failed: 35 + errno: No such file or directory (2) + +After enabling a suitable IMA appraisal policy, reading and/or +executing the file is no longer allowed: + + # evmctl ima_verify /usr/bin/rpm + Failed to open: /usr/bin/rpm + errno: Permission denied (13) + # rpm --version + -sh: /usr/bin/rpm: Permission denied + +Enabling the audit kernel subsystem may help to debug appraisal +issues. Enable it by adding the meta-security-framework layer and +changing your local.conf: + SRC_URI_append_pn-linux-yocto = " file://audit.cfg" + CORE_IMAGE_EXTRA_INSTALL += "auditd" + +Then boot with "ima_appraise=log ima_appraise_tcb". + +Adding auditd is not strictly necessary but helps to capture a +more complete set of events in /var/log/audit/ and search in +them with ausearch. + + +3. Known Issues +=============== + +EVM is not enabled, for multiple reasons: +* Signing files in advance with a X509 certificate and then not having + any confidential keys on the device would be the most useful mode, + but is not supported by EVM [1]. +* EVM signing in advance would only work on the final file system and thus + will require further integration work with image creation. The content + of the files can be signed for IMA in the rootfs, with the extended + attributes remaining valid when copying the files to the final image. + But for EVM that copy operation changes relevant parameters (for example, + inode) and thus invalidates the EVM hash. +* On device creation of EVM hashes depends on secure key handling on the + device (TPM) and booting at least once in a special mode (file system + writable, evm=fix as boot parameter, reboot after opening all files); + such a mode is too device specific to be implemented in a generic way. + +IMA appraisal with "ima_appraise_tcb" enables rules which are too strict +for most distros. For example, systemd needs to write certain files +as root, which is prevented by the ima_appraise_tcb appraise rules. As +a result, the system fails to boot: + + [FAILED] Failed to start Commit a transient machine-id on disk. + See "systemctl status systemd-machine-id-commit.service" for details. + ... + [FAILED] Failed to start Network Service. + See "systemctl status systemd-networkd.service" for details. + [FAILED] Failed to start Login Service. + See "systemctl status systemd-logind.service" for details. + +No package manager is integrated with IMA/EVM. When updating packages, +files will end up getting installed without correct IMA/EVM attributes +and thus will not be usable when appraisal is turned on. + +[1] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6281 +[2] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6275 diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass new file mode 100644 index 000000000..8aec388df --- /dev/null +++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -0,0 +1,92 @@ +# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be +# set explicitly in a local.conf before activating ima-evm-rootfs. +# To use the insecure (because public) example keys, use +# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" + +# Private key for IMA signing. The default is okay when +# using the example key directory. +IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem" + +# Public part of certificates (used for both IMA and EVM). +# The default is okay when using the example key directory. +IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" + +# Root CA to be compiled into the kernel, none by default. +# Must be the absolute path to a der-encoded x509 CA certificate +# with a .x509 suffix. See linux-%.bbappend for details. +# +# ima-local-ca.x509 is what ima-gen-local-ca.sh creates. +IMA_EVM_ROOT_CA ?= "" + +# Sign all regular files by default. +IMA_EVM_ROOTFS_SIGNED ?= ". -type f" +# Hash nothing by default. +IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false" + +# Mount these file systems (identified via their mount point) with +# the iversion flags (needed by IMA when allowing writing). +IMA_EVM_ROOTFS_IVERSION ?= "" + +ima_evm_sign_rootfs () { + cd ${IMAGE_ROOTFS} + + # Beware that all operations below must also work when + # ima_evm_sign_rootfs was already called earlier for the same + # rootfs. That's because do_image might again run for various + # reasons (including a change of the signing keys) without also + # re-running do_rootfs. + + # Copy file(s) which must be on the device. Note that + # evmctl uses x509_evm.der also for "ima_verify", which is probably + # a bug (should default to x509_ima.der). Does not matter for us + # because we use the same key for both. + install -d ./${sysconfdir}/keys + rm -f ./${sysconfdir}/keys/x509_evm.der + install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der + ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der + + # Fix /etc/fstab: it must include the "i_version" mount option for + # those file systems where writing files is allowed, otherwise + # these changes will not get detected at runtime. + # + # Note that "i_version" is documented in "man mount" only for ext4, + # whereas "iversion" is said to be filesystem-independent. In practice, + # there is only one MS_I_VERSION flag in the syscall and ext2/ext3/ext4 + # all support it. + # + # coreutils translates "iversion" into MS_I_VERSION. busybox rejects + # "iversion" and only understands "i_version". systemd only understands + # "iversion". We pick "iversion" here for systemd, whereas rootflags + # for initramfs must use "i_version" for busybox. + # + # Deduplicates iversion in case that this gets called more than once. + if [ -f etc/fstab ]; then + perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab + fi + + # Sign file with private IMA key. EVM not supported at the moment. + bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'" + find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY} + bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'" + find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash + + # Optionally install custom policy for loading by systemd. + if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then + install -d ./${sysconfdir}/ima + rm -f ./${sysconfdir}/ima/ima-policy + install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy + fi +} + +# Signing must run as late as possible in the do_rootfs task. +# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so +# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with +# _append instead of += because _append gets evaluated later. In +# particular, we must run after prelink_image in +# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables. + +IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; " + +# evmctl must have been installed first. +do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot" diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf new file mode 100644 index 000000000..2f696cf7c --- /dev/null +++ b/meta-security/meta-integrity/conf/layer.conf @@ -0,0 +1,24 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH =. "${LAYERDIR}:" + +# We have a packages directory, add to BBFILES +BBFILES := "${BBFILES} \ + ${LAYERDIR}/recipes-*/*/*.bb \ + ${LAYERDIR}/recipes-*/*/*.bbappend" + +BBFILE_COLLECTIONS += "integrity" +BBFILE_PATTERN_integrity := "^${LAYERDIR}/" +BBFILE_PRIORITY_integrity = "6" + +# Set a variable to get to the top of the metadata location. Needed +# for finding scripts (when following the README.md instructions) and +# default debug keys (in ima-evm-rootfs.bbclass). +IMA_EVM_BASE := '${LAYERDIR}' + +# We must not export this path to all shell scripts (as in "export +# IMA_EVM_BASE"), because that causes problems with sstate (becames +# dependent on location of the layer). Exporting it to just the +# interactive shell is enough. +OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" + +LAYERSERIES_COMPAT_integrity = "warrior" diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem new file mode 100644 index 000000000..502a0b68d --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU +Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6 +IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p +OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1 +lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW +HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV +aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA +TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue +WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb +SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1 +xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+ +CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q +1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ +3vVaxg2EfqB1 +-----END PRIVATE KEY----- diff --git a/meta-security/meta-integrity/data/debug-keys/x509_ima.der b/meta-security/meta-integrity/data/debug-keys/x509_ima.der new file mode 100644 index 000000000..087ca6bea Binary files /dev/null and b/meta-security/meta-integrity/data/debug-keys/x509_ima.der differ diff --git a/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py new file mode 100644 index 000000000..0c8617a56 --- /dev/null +++ b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py @@ -0,0 +1,129 @@ +#!/usr/bin/env python +# +# Authors: Cristina Moraru +# Alexandru Cornea + +import string +from time import sleep +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature +from oeqa.core.decorator.data import skipIfDataVar, skipIfNotDataVar +import bb +blacklist = ["/usr/bin/uz", "/bin/su.shadow"] + +class IMACheck(OERuntimeTestCase): + + @classmethod + def setUpClass(cls): + locations = ["/bin", "/usr/bin"] + cls.binaries = [] + for l in locations: + status, output = cls.tc.target.run("find %s -type f" % l) + cls.binaries.extend(output.split("\n")) + + cls.total = len(cls.binaries) + + + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_ima_enabled(self): + ''' Test if IMA policy is loaded before systemd starts''' + + ima_search = "ima: " + systemd_search = "systemd .* running" + status, output = self.target.run("dmesg | grep -n '%s'" % ima_search) + self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search) + + + @skipIfNotFeature('systemd', + 'Test requires systemd to be in DISTRO_FEATURES') + @skipIfNotDataVar('VIRTUAL-RUNTIME_init_manager', 'systemd', + 'systemd is not the init manager for this image') + @OETestDepends(['ima.IMACheck.test_ima_enabled']) + def test_ima_before_systemd(self): + ''' Test if IMA policy is loaded before systemd starts''' + ima_search = "ima: " + systemd_search = "systemd .* running" + status, output = self.target.run("dmesg | grep -n '%s'" % ima_search) + self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search) + ima_id = int(output.split(":")[0]) + status, output = self.target.run("dmesg | grep -n '%s'" % systemd_search) + self.assertEqual(status, 0, "Did not find '%s' in dmesg" % systemd_search) + init_id = int(output.split(":")[0]) + if ima_id > init_id: + self.fail("IMA does not start before systemd") + + + @OETestDepends(['ima.IMACheck.test_ima_enabled']) + def test_ima_hash(self): + ''' Test if IMA stores correct file hash ''' + filename = "/etc/filetest" + ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements" + status, output = self.target.run("echo test > %s" % filename) + self.assertEqual(status, 0, "Cannot create file %s on target" % filename) + + # wait for the IMA system to update the entry + maximum_tries = 30 + tries = 0 + status, output = self.target.run("sha1sum %s" %filename) + sleep(2) + current_hash = output.split()[0] + ima_hash = "" + + while tries < maximum_tries: + status, output = self.target.run("cat %s | grep %s" \ + % (ima_measure_file, filename)) + # get last entry, 4th field + if status == 0: + tokens = output.split("\n")[-1].split()[3] + ima_hash = tokens.split(":")[1] + if ima_hash == current_hash: + break + + tries += 1 + sleep(1) + + # clean target + self.target.run("rm %s" % filename) + if ima_hash != current_hash: + self.fail("Hash stored by IMA does not match actual hash") + + + @OETestDepends(['ima.IMACheck.test_ima_enabled']) + def test_ima_signature(self): + ''' Test if IMA stores correct signature for system binaries''' + passed = 0 + failed = 0 + for b in self.binaries: + if b in blacklist: + continue + status, output = self.target.run("evmctl ima_verify %s" % b) + if status != 0: + failed += 1 + else: + passed += 1 + + if failed == self.total: + self.fail("Signature verifications failed (%s)" % self.total) + + #bb.warn("pass: %s, fail: %s, Total: %s" % (passed, failed, total)) + + @OETestDepends(['ima.IMACheck.test_ima_enabled']) + def test_ima_overwrite(self): + ''' Test if IMA prevents overwriting signed files ''' + passed = 0 + failed = 0 + for b in self.binaries: + if b in blacklist: + continue + self.target.run("echo 'foo' >> %s" % b ) + status, output = self.target.run("evmctl ima_verify %s" % b) + + if status != 0: + failed += 1 + else: + passed += 1 + + if failed == self.total: + self.fail("Overwritting verifications failed (%s)" % self.total) diff --git a/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc new file mode 100644 index 000000000..7e9e2108d --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc @@ -0,0 +1,5 @@ +# Append iversion option for auto types +do_install_append() { + sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab" + echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab" +} diff --git a/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 000000000..c006f0e62 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'base-files-ima.inc', '', d)} diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb new file mode 100644 index 000000000..6ed724df2 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -0,0 +1,22 @@ +DESCRIPTION = "An image as an exmaple for Ima support" + +IMAGE_FEATURES += "ssh-server-openssh" + + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-ima-evm-utils \ + os-release" + + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "integrity-image-minimal" + +INHERIT += "ima-evm-rootfs" +IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" + +QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb new file mode 100644 index 000000000..6057e8daf --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -0,0 +1,28 @@ +# This recipe creates a module for the initramfs-framework in OE-core +# which initializes IMA by loading a policy before transferring +# control to the init process in the rootfs. The advantage over having +# that init process doing the policy loading (which systemd could do) +# is that already the integrity of the init binary itself will be +# checked by the kernel. + +SUMMARY = "IMA module for the modular initramfs system" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_hashed" + +SRC_URI = " file://ima" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install -d ${D}/init.d + install ${WORKDIR}/ima ${D}/init.d/20-ima +} + +FILES_${PN} = "/init.d ${sysconfdir}" + +RDEPENDS_${PN} = "keyutils ${IMA_POLICY}" +RDEPENDS_${PN} += "initramfs-framework-base" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima new file mode 100644 index 000000000..8616f9924 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima @@ -0,0 +1,52 @@ +#!/bin/sh +# +# Loads IMA policy into the kernel. + +ima_enabled() { + if [ "$bootparam_no_ima" = "true" ]; then + return 1 + fi +} + +ima_run() { + info "Initializing IMA (can be skipped with no_ima boot parameter)." + if ! grep -w securityfs /proc/mounts >/dev/null; then + if ! mount -t securityfs securityfs /sys/kernel/security; then + fatal "Could not mount securityfs." + fi + fi + if [ ! -d /sys/kernel/security/ima ]; then + fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel." + fi + + # Instead of depending on the kernel to load the IMA X.509 certificate, + # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492) + # where the loaded key was not checked sufficiently. We use keyctl here because it is + # slightly smaller than evmctl and is needed anyway. + # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349). + for kind in ima evm; do + key=/etc/keys/x509_$kind.der + if [ -s $key ]; then + id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1) + if [ "$id" ]; then + id=$(printf "%d" 0x$id) + fi + if [ -z "$id" ]; then + id=`keyctl search @u keyring _$kind 2>/dev/null` + if [ -z "$id" ]; then + id=`keyctl newring _$kind @u` + fi + fi + info "Loading $key into $kind keyring $id" + keyctl padd asymmetric "" $id <$key + fi + done + + # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly + # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when + # checking the write of each line. To minimize the risk of policy loading going wrong we + # also remove comments and blank lines ourselves. + if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) /sys/kernel/security/ima/policy; then + fatal "Could not load IMA policy." + fi +} diff --git a/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb new file mode 100644 index 000000000..18acc9dca --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb @@ -0,0 +1,9 @@ +SUMMARY = "IMA/EVM userspace tools" +LICENSE = "MIT" + +inherit packagegroup + +# Only one at the moment, but perhaps more will come in the future. +RDEPENDS_${PN} = " \ + ima-evm-utils \ +" diff --git a/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf b/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf new file mode 100644 index 000000000..d6d3240f9 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf @@ -0,0 +1,2 @@ +[Service] +ExecStartPost=/bin/sync diff --git a/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf b/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf new file mode 100644 index 000000000..f4c170bda --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf @@ -0,0 +1,3 @@ +[Service] +ExecStopPost=/bin/sync +ExecStartPost=/bin/sync diff --git a/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 000000000..3b4554162 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1,13 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI += " \ + file://machine-id-commit-sync.conf \ + file://random-seed-sync.conf \ +" + +do_install_append () { + for i in machine-id-commit random-seed; do + install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d + install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d + done +} diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend new file mode 100644 index 000000000..931854ef8 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" + +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}" diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch new file mode 100644 index 000000000..64016dd3e --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch @@ -0,0 +1,51 @@ +From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Tue, 8 Mar 2016 16:43:55 -0500 +Subject: [PATCH] ima: fix ima_inode_post_setattr + +Changing file metadata (eg. uid, guid) could result in having to +re-appraise a file's integrity, but does not change the "new file" +status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and +IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch +only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. + +With this patch, changing the file timestamp will not remove the +file signature on new files. + +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b] + +Reported-by: Dmitry Rozhkov +Signed-off-by: Mimi Zohar +--- + security/integrity/ima/ima_appraise.c | 2 +- + security/integrity/integrity.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..a384ba1 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry) + if (iint) { + iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | + IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | +- IMA_ACTION_FLAGS); ++ IMA_ACTION_RULE_FLAGS); + if (must_appraise) + iint->flags |= IMA_APPRAISE; + } +diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h +index 0fc9519..f9decae 100644 +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -28,6 +28,7 @@ + + /* iint cache flags */ + #define IMA_ACTION_FLAGS 0xff000000 ++#define IMA_ACTION_RULE_FLAGS 0x06000000 + #define IMA_DIGSIG 0x01000000 + #define IMA_DIGSIG_REQUIRED 0x02000000 + #define IMA_PERMIT_DIRECTIO 0x04000000 +-- +2.5.0 + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch new file mode 100644 index 000000000..6ab7ce277 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch @@ -0,0 +1,138 @@ +From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Thu, 10 Mar 2016 18:19:20 +0200 +Subject: [PATCH] ima: add support for creating files using the mknodat + syscall + +Commit 3034a14 "ima: pass 'opened' flag to identify newly created files" +stopped identifying empty files as new files. However new empty files +can be created using the mknodat syscall. On systems with IMA-appraisal +enabled, these empty files are not labeled with security.ima extended +attributes properly, preventing them from subsequently being opened in +order to write the file data contents. This patch marks these empty +files, created using mknodat, as new in order to allow the file data +contents to be written. + +Files with security.ima xattrs containing a file signature are considered +"immutable" and can not be modified. The file contents need to be +written, before signing the file. This patch relaxes this requirement +for new files, allowing the file signature to be written before the file +contents. + +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356] + +Signed-off-by: Mimi Zohar +--- + fs/namei.c | 2 ++ + include/linux/ima.h | 7 ++++++- + security/integrity/ima/ima_appraise.c | 3 +++ + security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++- + 4 files changed, 42 insertions(+), 2 deletions(-) + +diff --git a/fs/namei.c b/fs/namei.c +index ccd7f98..19502da 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3526,6 +3526,8 @@ retry: + switch (mode & S_IFMT) { + case 0: case S_IFREG: + error = vfs_create(path.dentry->d_inode,dentry,mode,true); ++ if (!error) ++ ima_post_path_mknod(dentry); + break; + case S_IFCHR: case S_IFBLK: + error = vfs_mknod(path.dentry->d_inode,dentry,mode, +diff --git a/include/linux/ima.h b/include/linux/ima.h +index 120ccc5..7f51971 100644 +--- a/include/linux/ima.h ++++ b/include/linux/ima.h +@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file); + extern int ima_file_mmap(struct file *file, unsigned long prot); + extern int ima_module_check(struct file *file); + extern int ima_fw_from_file(struct file *file, char *buf, size_t size); +- ++extern void ima_post_path_mknod(struct dentry *dentry); + #else + static inline int ima_bprm_check(struct linux_binprm *bprm) + { +@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size) + return 0; + } + ++static inline void ima_post_path_mknod(struct dentry *dentry) ++{ ++ return; ++} ++ + #endif /* CONFIG_IMA */ + + #ifdef CONFIG_IMA_APPRAISE +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..20806ea 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -274,6 +274,11 @@ out: + xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { + if (!ima_fix_xattr(dentry, iint)) + status = INTEGRITY_PASS; ++ } else if ((inode->i_size == 0) && ++ (iint->flags & IMA_NEW_FILE) && ++ (xattr_value && ++ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { ++ status = INTEGRITY_PASS; + } + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, + op, cause, rc, 0); +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index eeee00dc..705bf78 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function, + ima_audit_measurement(iint, pathname); + + out_digsig: +- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) ++ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && ++ !(iint->flags & IMA_NEW_FILE)) + rc = -EACCES; + kfree(xattr_value); + out_free: +@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened) + EXPORT_SYMBOL_GPL(ima_file_check); + + /** ++ * ima_post_path_mknod - mark as a new inode ++ * @dentry: newly created dentry ++ * ++ * Mark files created via the mknodat syscall as new, so that the ++ * file data can be written later. ++ */ ++void ima_post_path_mknod(struct dentry *dentry) ++{ ++ struct integrity_iint_cache *iint; ++ struct inode *inode; ++ int must_appraise; ++ ++ if (!dentry || !dentry->d_inode) ++ return; ++ ++ inode = dentry->d_inode; ++ if (inode->i_size != 0) ++ return; ++ ++ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); ++ if (!must_appraise) ++ return; ++ ++ iint = integrity_inode_get(inode); ++ if (iint) ++ iint->flags |= IMA_NEW_FILE; ++} ++ ++/** + * ima_module_check - based on policy, collect/store/appraise measurement. + * @file: pointer to the file to be measured/appraised + * +-- +2.5.0 + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch new file mode 100644 index 000000000..157c007ba --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch @@ -0,0 +1,60 @@ +From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001 +From: Patrick Ohly +Date: Tue, 15 Nov 2016 10:10:23 +0100 +Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log + modes" + +This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533. + +The original motivation was security hardening ("File hashes are +automatically set and updated and should not be manually set.") + +However, that hardening ignores and breaks some valid use cases: +- File hashes might not be set because the file is currently + outside of the policy and therefore have to be set by the + creator. Examples: + - Booting into an initramfs with an IMA-enabled kernel but + without setting an IMA policy, then installing + the OS onto the target partition by unpacking a rootfs archive + which has the file hashes pre-computed. + - Unpacking a file into a staging area with meta data (like owner) + that leaves the file outside of the current policy, then changing + the meta data such that it becomes part of the current policy. +- "should not be set manually" implies that the creator is aware + of IMA semantic, the current system's configuration, and then + skips setting file hashes in security.ima if (and only if) the + kernel would prevent it. That's not the case for standard, unmodified + tools. Example: unpacking an archive with security.ima xattrs with + bsdtar or GNU tar. + +Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/] + +Signed-off-by: Patrick Ohly +--- + security/integrity/ima/ima_appraise.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4b9b4a4..b8b2dd9 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, + result = ima_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); + if (result == 1) { +- bool digsig; +- + if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) + return -EINVAL; +- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); +- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) +- return -EPERM; +- ima_reset_appraise_flags(d_backing_inode(dentry), digsig); ++ ima_reset_appraise_flags(d_backing_inode(dentry), ++ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); + result = 0; + } + return result; +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg new file mode 100644 index 000000000..b3e47ba37 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg @@ -0,0 +1,18 @@ +CONFIG_IMA=y +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_NG_TEMPLATE=y +CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" +CONFIG_IMA_DEFAULT_HASH_SHA1=y +CONFIG_IMA_DEFAULT_HASH="sha1" +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_APPRAISE_BOOTPARAM=y +CONFIG_IMA_TRUSTED_KEYRING=y +CONFIG_SIGNATURE=y +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_READ_POLICY=y +CONFIG_IMA_LOAD_X509=y +CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" + +#CONFIG_INTEGRITY_SIGNATURE=y +#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +#CONFIG_INTEGRITY_TRUSTED_KEYRING=y diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg new file mode 100644 index 000000000..9a454257a --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg @@ -0,0 +1,3 @@ +# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set +CONFIG_EVM_LOAD_X509=y +CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch new file mode 100644 index 000000000..5ccb73d9b --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch @@ -0,0 +1,65 @@ +From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Wed, 6 Mar 2019 01:08:43 +0300 +Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL + +There is no need to link to full libssl. evmctl uses functions from +libcrypto, so let's link only against that library. + +Signed-off-by: Dmitry Eremin-Solenikov +--- + configure.ac | 4 +--- + src/Makefile.am | 9 ++++----- + 2 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 60f3684..32e8d85 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -24,9 +24,7 @@ LT_INIT + # Checks for header files. + AC_HEADER_STDC + +-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) +-AC_SUBST(OPENSSL_CFLAGS) +-AC_SUBST(OPENSSL_LIBS) ++PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ]) + AC_SUBST(KERNEL_HEADERS) + AC_CHECK_HEADER(unistd.h) + AC_CHECK_HEADERS(openssl/conf.h) +diff --git a/src/Makefile.am b/src/Makefile.am +index d74fc6f..b81281a 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,11 +1,11 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) ++libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +-libimaevm_la_LIBADD = $(OPENSSL_LIBS) ++libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) + + include_HEADERS = imaevm.h + +@@ -17,12 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) ++evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) +-evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la ++evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + + INCLUDES = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +- +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch new file mode 100644 index 000000000..8237274ca --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch @@ -0,0 +1,43 @@ +From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Wed, 6 Mar 2019 01:17:12 +0300 +Subject: [PATCH 2/4] ima-evm-utils: replace INCLUDES with AM_CPPFLAGS + +Replace INCLUDES variable with AM_CPPFLAGS to stop Automake from warning +about deprecated variable usage. + +Signed-off-by: Dmitry Eremin-Solenikov +--- + src/Makefile.am | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index b81281a..164e7e4 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,7 +1,7 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) ++libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +@@ -17,11 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) ++evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) + evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + +-INCLUDES = -I$(top_srcdir) -include config.h ++AM_CPPFLAGS = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch new file mode 100644 index 000000000..3d250d2fc --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch @@ -0,0 +1,31 @@ +From c587ec307a6259a990bfab727cea7db28dba4c23 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Wed, 6 Mar 2019 01:22:30 +0300 +Subject: [PATCH 3/4] ima-evm-utils: include hash-info.gen into distribution + +Include hash-info.gen into tarball and call it from the sourcedir to fix +out-of-tree build (and thus 'make distcheck'). + +Signed-off-by: Dmitry Eremin-Solenikov +--- + src/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 164e7e4..9c037e2 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -11,8 +11,9 @@ include_HEADERS = imaevm.h + + nodist_libimaevm_la_SOURCES = hash_info.h + BUILT_SOURCES = hash_info.h ++EXTRA_DIST = hash_info.gen + hash_info.h: Makefile +- ./hash_info.gen $(KERNEL_HEADERS) >$@ ++ $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@ + + bin_PROGRAMS = evmctl + +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch new file mode 100644 index 000000000..4ada1a271 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch @@ -0,0 +1,34 @@ +From b9f327c5c513ccea9cb56d4bbd50c1f66d629099 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Wed, 6 Mar 2019 01:24:04 +0300 +Subject: [PATCH 4/4] ima-evm-utils: update .gitignore files + +Signed-off-by: Dmitry Eremin-Solenikov +--- + .gitignore | 1 + + src/.gitignore | 1 + + 2 files changed, 2 insertions(+) + create mode 100644 src/.gitignore + +diff --git a/.gitignore b/.gitignore +index ca7a06e..cb82166 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -45,6 +45,7 @@ cscope.* + ncscope.* + + # Generated documentation ++*.1 + *.8 + *.5 + manpage.links +diff --git a/src/.gitignore b/src/.gitignore +new file mode 100644 +index 0000000..38e8e3c +--- /dev/null ++++ b/src/.gitignore +@@ -0,0 +1 @@ ++hash_info.h +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch new file mode 100644 index 000000000..35c316270 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch @@ -0,0 +1,68 @@ +From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly +Date: Fri, 30 Sep 2016 10:22:16 +0200 +Subject: [PATCH] command line: apply operation to all paths + +Previously, invocations like "evmctl ima_hash foo bar" silently +ignored all parameters after the first path name ("foo" in this +example). + +Now evmctl iterates over all specified paths. It aborts with an +error as soon as the selected operation fails for a path. + +Supporting more than one parameter is useful in combination with +"find" and "xargs" because it is noticably faster than invoking +evmutil separately for each file, in particular when run under pseudo +(a fakeroot environment used by the OpenEmbedded build system). + +This complements the recursive mode and can be used when more control +over file selection is needed. + +Signed-off-by: Patrick Ohly +--- + src/evmctl.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 23cf54c..2072034 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type) + static int do_cmd(struct command *cmd, find_cb_t func) + { + char *path = g_argv[optind++]; +- int err, dts = REG_MASK; /* only regular files by default */ ++ int err = 0, dts = REG_MASK; /* only regular files by default */ + + if (!path) { + log_err("Parameters missing\n"); +@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func) + return -1; + } + +- if (recursive) { +- if (search_type) { +- dts = get_file_type(path, search_type); +- if (dts < 0) +- return dts; ++ while (path && !err) { ++ if (recursive) { ++ if (search_type) { ++ dts = get_file_type(path, search_type); ++ if (dts < 0) ++ return dts; ++ } ++ err = find(path, dts, func); ++ } else { ++ err = func(path); + } +- err = find(path, dts, func); +- } else { +- err = func(path); ++ path = g_argv[optind++]; + } + + return err; +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch new file mode 100644 index 000000000..75076f52f --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch @@ -0,0 +1,50 @@ +From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly +Date: Wed, 13 May 2015 03:41:02 -0700 +Subject: [PATCH] Makefile.am: disable man page creation + +Depends on asciidoc, which is not available. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Patrick Ohly +--- + Makefile.am | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 06ebf59..4ddd52c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1,5 +1,5 @@ + SUBDIRS = src +-dist_man_MANS = evmctl.1 ++# dist_man_MANS = evmctl.1 + + doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh + EXTRA_DIST = autogen.sh $(doc_DATA) +@@ -39,4 +39,21 @@ rmman: + + doc: evmctl.1.html rmman evmctl.1 + ++# requires asciidoc, xslproc, docbook-xsl ++# FIXME Disabled until docbook-xsl is unavaliable on tizen.org ++#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl ++# ++#evmctl.1.html: README ++# @asciidoc -o $@ $< ++# ++#evmctl.1: ++# asciidoc -d manpage -b docbook -o evmctl.1.xsl README ++# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl ++# rm -f evmctl.1.xsl ++# ++#rmman: ++# rm -f evmctl.1 ++# ++#doc: evmctl.1.html rmman evmctl.1 ++ + .PHONY: $(tarname) +-- +1.8.4.5 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch new file mode 100644 index 000000000..c0bdd9b49 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch @@ -0,0 +1,47 @@ +From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly +Date: Wed, 17 Jun 2015 14:28:18 +0200 +Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines + +Compilation on older Linux distros (like Ubuntu 12.04) fails +because linux/xattr.h does not yet have the IMA defines. Compiling +there makes sense when only the tools are needed, for example when +signing an image in cross-compile mode. + +To support this, add fallbacks for the two defines which are needed. +Their value is part of the Linux ABI and thus fixed. + +Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net] + +Signed-off-by: Patrick Ohly + +--- + src/evmctl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/evmctl.c b/src/evmctl.c +index c54efbb..23cf54c 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -56,6 +56,18 @@ + #include + #include + ++/* ++ * linux/xattr.h might be old to have this. Allow compilation on older ++ * Linux distros (like Ubuntu 12.04) by falling back to our own ++ * definition. ++ */ ++#ifndef XATTR_IMA_SUFFIX ++# define XATTR_IMA_SUFFIX "ima" ++#endif ++#ifndef XATTR_NAME_IMA ++# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX ++#endif ++ + #include + #include + #include +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb new file mode 100644 index 000000000..929d85348 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -0,0 +1,41 @@ +DESCRIPTION = "IMA/EVM control utility" +LICENSE = "GPL-2.0-with-OpenSSL-exception" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +DEPENDS += "openssl attr keyutils" + +DEPENDS_class-native += "openssl-native keyutils-native" + +PV = "1.0+git${SRCPV}" +SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167" +SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils" + +# Documentation depends on asciidoc, which we do not have, so +# do not build documentation. +SRC_URI += "file://disable-doc-creation.patch" + +# Workaround for upstream incompatibility with older Linux distros. +# Relevant for us when compiling ima-evm-utils-native. +SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch" + +# Required for xargs with more than one path as argument (better for performance). +SRC_URI += "file://command-line-apply-operation-to-all-paths.patch" + +SRC_URI += "\ + file://0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch \ + file://0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch \ + file://0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch \ + file://0004-ima-evm-utils-update-.gitignore-files.patch \ +" +S = "${WORKDIR}/git" + +inherit pkgconfig autotools + +EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" + +# blkid is called by evmctl when creating evm checksums. +# This is less useful when signing files on the build host, +# so disable it when compiling on the host. +RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all new file mode 100644 index 000000000..36e71a7d6 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all @@ -0,0 +1,29 @@ +# +# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything) +# +# Do not measure anything, but appraise everything +# +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 + +appraise diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb new file mode 100644 index 000000000..b58d3fed9 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb @@ -0,0 +1,18 @@ +SUMMARY = "IMA sample simple appraise policy " +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_appraise_all" + +SRC_URI = " file://${IMA_POLICY}" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed new file mode 100644 index 000000000..7f89c8d98 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed @@ -0,0 +1,77 @@ +# With this policy, all files on regular partitions are +# appraised. Files with signed IMA hash and normal hash are +# accepted. Signed files cannot be modified while hashed files can be +# (which will also update the hash). However, signed files can +# be deleted, so in practice it is still possible to replace them +# with a modified version. +# +# Without EVM, this is obviously not very secure, so this policy is +# just an example and/or basis for further improvements. For that +# purpose, some comments show what could be added to make the policy +# more secure. +# +# With EVM the situation might be different because access +# to the EVM key can be restricted. +# +# Files which are appraised are also measured. This allows +# debugging whether a file is in policy by looking at +# /sys/kernel/security/ima/ascii_runtime_measurements + +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +dont_measure fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +dont_measure fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +dont_measure fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +dont_measure fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +dont_measure fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +dont_measure fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +dont_measure fsmagic=0x6e736673 +# SMACK_MAGIC +dont_appraise fsmagic=0x43415d53 +dont_measure fsmagic=0x43415d53 +# CGROUP_SUPER_MAGIC +dont_appraise fsmagic=0x27e0eb +dont_measure fsmagic=0x27e0eb +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 +dont_measure fsmagic=0xde5e81e4 + +# Special partition, no checking done. +# dont_measure fsuuid=a11234... +# dont_appraise fsuuid=a11243... + +# Special immutable group. +# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200 + +# All executables must be signed - too strict, we need to +# allow installing executables on the device. +# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC +# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC + +# Default rule. Would be needed also when other rules were added that +# determine what to do in case of reading (mask=MAY_READ or +# mask=MAY_EXEC) because otherwise writing does not update the file +# hash. +appraise +measure diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb new file mode 100644 index 000000000..3352daa03 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb @@ -0,0 +1,20 @@ +SUMMARY = "IMA sample hash policy" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_hashed" + +SRC_URI = " \ + file://${IMA_POLICY} \ +" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple new file mode 100644 index 000000000..38ca8f53d --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple @@ -0,0 +1,4 @@ +# Very simple policy demonstrating the systemd policy loading bug +# (policy with one line works, two lines don't). +dont_appraise fsmagic=0x9fa0 +dont_appraise fsmagic=0x62656572 diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb new file mode 100644 index 000000000..17132aa22 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb @@ -0,0 +1,18 @@ +SUMMARY = "IMA sample simple policy" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_simple" + +SRC_URI = " file://${IMA_POLICY}" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh new file mode 100755 index 000000000..5f3a728fa --- /dev/null +++ b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh @@ -0,0 +1,48 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +GENKEY=ima.genkey +CA=${1:-ima-local-ca.pem} +CAKEY=${2:-ima-local-ca.priv} + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 1024 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_usr + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example signing key +emailAddress = john.doe@example.com + +[ v3_usr ] +basicConstraints=critical,CA:FALSE +#basicConstraints=CA:FALSE +keyUsage=digitalSignature +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +#authorityKeyIdentifier=keyid,issuer +__EOF__ + +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ + -CA $CA -CAkey $CAKEY -CAcreateserial \ + -outform DER -out x509_ima.der diff --git a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh new file mode 100755 index 000000000..b6007614a --- /dev/null +++ b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh @@ -0,0 +1,42 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +GENKEY=ima-local-ca.genkey + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_ca + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example certificate signing key +emailAddress = john.doe@example.com + +[ v3_ca ] +basicConstraints=CA:TRUE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer +# keyUsage = cRLSign, keyCertSign +__EOF__ + +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv + +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem diff --git a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh new file mode 100755 index 000000000..5ee876c05 --- /dev/null +++ b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +GENKEY=ima.genkey + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 1024 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = myexts + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example signing key +emailAddress = john.doe@example.com + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +__EOF__ + +openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ + -x509 -config $GENKEY \ + -outform DER -out x509_ima.der -keyout privkey_ima.pem diff --git a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb index 812408e5e..0f53a8cde 100644 --- a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb +++ b/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb @@ -9,3 +9,4 @@ EXTRA_OECONF += " \ " RDEPENDS_${PN} = "acl zlib attr bash" +RCONFLICTS_${PN} = "samhain-standalone" diff --git a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb index 9341d4440..d304912e7 100644 --- a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb +++ b/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb @@ -18,3 +18,4 @@ do_install_append() { } RDEPENDS_${PN} += "gmp bash perl" +RCONFLICTS_${PN} = "samhain-standalone" diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb index 152c03ae5..e9accb56f 100644 --- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb @@ -41,8 +41,7 @@ S = "${WORKDIR}/Bastille" do_install () { install -d ${D}${sbindir} - install -d ${D}${libdir}/perl/site_perl/Curses - ln -sf perl ${D}/${libdir}/perl5 + install -d ${D}${libdir}/perl5/site_perl/Curses install -d ${D}${libdir}/Bastille install -d ${D}${libdir}/Bastille/API @@ -51,7 +50,6 @@ do_install () { install -d ${D}${datadir}/Bastille/OSMap/Modules install -d ${D}${datadir}/Bastille/Questions install -d ${D}${datadir}/Bastille/FKL/configs/ - install -d ${D}${localstatedir}/lock/subsys/bastille install -d ${D}${localstatedir}/log/Bastille install -d ${D}${sysconfdir}/Bastille install -m 0755 AutomatedBastille ${D}${sbindir} diff --git a/meta-security/recipes-security/checksec/checksec_1.11.1.bb b/meta-security/recipes-security/checksec/checksec_1.11.1.bb new file mode 100644 index 000000000..835dffcd8 --- /dev/null +++ b/meta-security/recipes-security/checksec/checksec_1.11.1.bb @@ -0,0 +1,19 @@ +SUMMARY = "Linux system security checks" +DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used." +SECTION = "security" +LICENSE = "BSD" +HOMEPAGE="https://github.com/slimm609/checksec.sh" + +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a" + +SRCREV = "3c15cb89641c700096fdec0c1904a0cf9b83c5e2" +SRC_URI = "git://github.com/slimm609/checksec.sh" + +S = "${WORKDIR}/git" + +do_install() { + install -d ${D}${bindir} + install -m 0755 ${S}/checksec ${D}${bindir} +} + +RDEPENDS_${PN} = "bash openssl-bin" diff --git a/meta-security/recipes-security/checksec/checksec_1.11.bb b/meta-security/recipes-security/checksec/checksec_1.11.bb deleted file mode 100644 index 59a67bd65..000000000 --- a/meta-security/recipes-security/checksec/checksec_1.11.bb +++ /dev/null @@ -1,19 +0,0 @@ -SUMMARY = "Linux system security checks" -DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used." -SECTION = "security" -LICENSE = "BSD" -HOMEPAGE="https://github.com/slimm609/checksec.sh" - -LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a" - -SRCREV = "a57e03c4f62dbaca0ec949bbc58491fb0c461447" -SRC_URI = "git://github.com/slimm609/checksec.sh" - -S = "${WORKDIR}/git" - -do_install() { - install -d ${D}${bindir} - install -m 0755 ${S}/checksec ${D}${bindir} -} - -RDEPENDS_${PN} = "bash openssl-bin" diff --git a/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch new file mode 100644 index 000000000..7f0812c4e --- /dev/null +++ b/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch @@ -0,0 +1,28 @@ +From fe3436d65518099d35c643848cba50253abc249c Mon Sep 17 00:00:00 2001 +From: Lei Maohui +Date: Thu, 9 May 2019 14:44:51 +0900 +Subject: [PATCH] To fix build error of xrange. + +NameError: name 'xrange' is not defined + +Signed-off-by: Lei Maohui +--- + fail2ban/__init__.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py +index fa6dcf7..61789a4 100644 +--- a/fail2ban/__init__.py ++++ b/fail2ban/__init__.py +@@ -82,7 +82,7 @@ strptime("2012", "%Y") + + # short names for pure numeric log-level ("Level 25" could be truncated by short formats): + def _init(): +- for i in xrange(50): ++ for i in range(50): + if logging.getLevelName(i).startswith('Level'): + logging.addLevelName(i, '#%02d-Lev.' % i) + _init() +-- +2.7.4 + diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb index 5c887e857..23ef027b3 100644 --- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb +++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb @@ -2,3 +2,7 @@ inherit setuptools3 require python-fail2ban.inc RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" + +SRC_URI += " \ + file://0001-To-fix-build-error-of-xrang.patch \ +" diff --git a/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch b/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch new file mode 100644 index 000000000..938fe2eb5 --- /dev/null +++ b/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch @@ -0,0 +1,28 @@ +From b0355cc205543ffd33752874295139d57c4fbc3e Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Tue, 26 Sep 2017 07:59:51 +0000 +Subject: [PATCH] Subject: [PATCH] keyutils: use relative path for link + +The absolute path of the symlink will be invalid +when populated in sysroot, so use relative path instead. + +Upstream-Status: Pending + +Signed-off-by: Jackie Huang +Signed-off-by: Wenzong Fan +{rebased for 1.6] +Signed-off-by: Armin Kuster + +Index: keyutils-1.6/Makefile +=================================================================== +--- keyutils-1.6.orig/Makefile ++++ keyutils-1.6/Makefile +@@ -184,7 +184,7 @@ ifeq ($(NO_SOLIB),0) + $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME) + $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME) + mkdir -p $(DESTDIR)$(USRLIBDIR) +- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) ++ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) + sed \ + -e 's,@VERSION\@,$(VERSION),g' \ + -e 's,@prefix\@,$(PREFIX),g' \ diff --git a/meta-security/recipes-security/keyutils/keyutils_1.6.bb b/meta-security/recipes-security/keyutils/keyutils_1.6.bb index c961fa293..4d3a96f29 100644 --- a/meta-security/recipes-security/keyutils/keyutils_1.6.bb +++ b/meta-security/recipes-security/keyutils/keyutils_1.6.bb @@ -12,13 +12,13 @@ LICENSE = "LGPLv2.1+ & GPLv2.0+" LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \ file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f" - -inherit siteinfo ptest +inherit siteinfo autotools-brokensep ptest SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \ file://keyutils-test-fix-output-format.patch \ file://keyutils-fix-error-report-by-adding-default-message.patch \ file://run-ptest \ + file://fix_library_install_path.patch \ " SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808" @@ -28,14 +28,15 @@ EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ NO_ARLIB=1 \ BINDIR=${base_bindir} \ SBINDIR=${base_sbindir} \ - LIBDIR=${base_libdir} \ - USRLIBDIR=${base_libdir} \ + LIBDIR=${libdir} \ + USRLIBDIR=${libdir} \ + INCLUDEDIR=${includedir} \ BUILDFOR=${SITEINFO_BITS}-bit \ NO_GLIBC_KEYERR=1 \ " do_install () { - install -d ${D}/${nonarch_base_libdir}/pkgconfig + install -d ${D}/${libdir}/pkgconfig oe_runmake DESTDIR=${D} install } @@ -44,8 +45,9 @@ do_install_ptest () { sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh } -FILES_${PN}-dev += "${nonarch_base_libdir}/pkgconfig/libkeyutils.pc" RDEPENDS_${PN}-ptest += "lsb" RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils" RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python-scapy.inc index 99f30a7bf..baa69b244 100644 --- a/meta-security/recipes-security/scapy/python-scapy.inc +++ b/meta-security/recipes-security/scapy/python-scapy.inc @@ -12,13 +12,6 @@ SRC_URI = "git://github.com/secdev/scapy.git" inherit ptest -do_install_append() { - if [ "${PYTHON_PN}" = "python3" ]; then - sed -i -e 's/python/python3/' ${D}${bindir}/scapy - sed -i -e 's/python/python3/' ${D}${bindir}/UTscapy - fi -} - do_install_ptest() { install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb index 98db1fd6d..982620e0b 100644 --- a/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb +++ b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb @@ -4,3 +4,8 @@ require python-scapy.inc SRC_URI += "file://run-ptest" RDEPENDS_${PN} += "${PYTHON_PN}-subprocess" + +do_install_append() { + mv ${D}${bindir}/scapy ${D}${bindir}/scapy2 + mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy2 +} diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb index 83c79f484..abcaeeb0b 100644 --- a/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb +++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb @@ -3,3 +3,7 @@ require python-scapy.inc SRC_URI += "file://run-ptest" +do_install_append() { + mv ${D}${bindir}/scapy ${D}${bindir}/scapy3 + mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3 +} -- cgit v1.2.3