From 49e29a10ccf9979817e7c40b903e7c7925ab2e5c Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Sun, 1 Sep 2019 15:21:06 -0400 Subject: meta-security: subtree update:6d399b34ab..30ea7a89dc Adrian Bunk (2): xmlsec1: Remove, moved to meta-oe libenv-perl: Remove, moved to meta-perl Armin Kuster (3): apparmor: fix RDPENDS apparmor: update to 2.13.3 integrity-image: IMA_EVM_KEY_DIR has no affect, remove Qi.Chen@windriver.com (2): ecryptfs-utils: remove openssl PACKAGECONFIG ecryptfs-utils: fix race condition in do_install Yuan Chao (2): python-scapy: upgrade 2.4.2 -> 2.4.3 checksec: upgrade 1.11.1 -> 2.1.0 Change-Id: I888703dc3a3df6fa0da471e1d112f9d88dcdc44b 
Signed-off-by: Brad Bishop --- meta-security/conf/distro/include/maintainers.inc | 2 - .../recipes-core/images/integrity-image-minimal.bb | 1 - .../recipes-mac/AppArmor/apparmor_2.13.2.bb | 160 -------------------- .../recipes-mac/AppArmor/apparmor_2.13.3.bb | 166 +++++++++++++++++++++ .../recipes-perl/perl/libenv-perl_1.04.bb | 21 --- .../recipes-security/checksec/checksec_1.11.1.bb | 19 --- .../recipes-security/checksec/checksec_2.1.0.bb | 19 +++ .../ecryptfs-utils/ecryptfs-utils_111.bb | 3 +- .../files/0001-avoid-race-condition.patch | 32 ++++ .../packagegroup-core-security-ptest.bb | 1 - .../packagegroup/packagegroup-core-security.bb | 1 - .../recipes-security/scapy/python-scapy.inc | 4 +- .../recipes-security/scapy/python-scapy_2.4.2.bb | 11 -- .../recipes-security/scapy/python-scapy_2.4.3.bb | 11 ++ .../recipes-security/scapy/python3-scapy_2.4.2.bb | 9 -- .../recipes-security/scapy/python3-scapy_2.4.3.bb | 9 ++ .../xmlsec1/change-finding-path-of-nss.patch | 67 --------- .../xmlsec1/xmlsec1/fix-ltmain.sh.patch | 26 ---- .../xmlsec1/xmlsec1/makefile-ptest.patch | 40 ----- .../recipes-security/xmlsec1/xmlsec1/run-ptest | 85 ----------- ...sec1-examples-allow-build-in-separate-dir.patch | 30 ---- .../recipes-security/xmlsec1/xmlsec1_1.2.28.bb | 64 -------- 22 files changed, 241 insertions(+), 540 deletions(-) delete mode 100644 meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb create mode 100644 meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb delete mode 100644 meta-security/recipes-perl/perl/libenv-perl_1.04.bb delete mode 100644 meta-security/recipes-security/checksec/checksec_1.11.1.bb create mode 100644 meta-security/recipes-security/checksec/checksec_2.1.0.bb create mode 100644 meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch delete mode 100644 meta-security/recipes-security/scapy/python-scapy_2.4.2.bb create mode 100644 meta-security/recipes-security/scapy/python-scapy_2.4.3.bb delete mode 100644 
meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb create mode 100644 meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb delete mode 100644 meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch delete mode 100644 meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch delete mode 100644 meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch delete mode 100755 meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest delete mode 100644 meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch delete mode 100644 meta-security/recipes-security/xmlsec1/xmlsec1_1.2.28.bb (limited to 'meta-security') diff --git a/meta-security/conf/distro/include/maintainers.inc b/meta-security/conf/distro/include/maintainers.inc index 94b45f288..7b82ef749 100644 --- a/meta-security/conf/distro/include/maintainers.inc +++ b/meta-security/conf/distro/include/maintainers.inc @@ -35,7 +35,6 @@ RECIPE_MAINTAINER_pn-hash-perl = "Armin Kuster " RECIPE_MAINTAINER_pn-isic = "Armin Kuster " RECIPE_MAINTAINER_pn-keyutils = "Armin Kuster " RECIPE_MAINTAINER_pn-libaes-siv = "Armin Kuster " -RECIPE_MAINTAINER_pn-libenv-perl = "Armin Kuster " RECIPE_MAINTAINER_pn-libgssglue = "Armin Kuster " RECIPE_MAINTAINER_pn-libhtp = "Armin Kuster " RECIPE_MAINTAINER_pn-libmhash = "Armin Kuster " @@ -56,4 +55,3 @@ RECIPE_MAINTAINER_pn-smack = "Armin Kuster " RECIPE_MAINTAINER_pn-sssd = "Armin Kuster " RECIPE_MAINTAINER_pn-suricata = "Armin Kuster " RECIPE_MAINTAINER_pn-tripwire = "Armin Kuster " -RECIPE_MAINTAINER_pn-xmlsec1 = "Armin Kuster " diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb index e1bc6ffa0..1a3a30a19 100644 --- a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb 
@@ -17,6 +17,5 @@ inherit core-image export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb deleted file mode 100644 index 4eaec001e..000000000 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb +++ /dev/null 
@@ -1,160 +0,0 @@ -SUMMARY = "AppArmor another MAC control system" -DESCRIPTION = "user-space parser utility for AppArmor \ - This provides the system initialization scripts needed to use the \ - AppArmor Mandatory Access Control system, including the AppArmor Parser \ - which is required to convert AppArmor text profiles into machine-readable \ - policies that are loaded into the kernel for use with the AppArmor Linux \ - Security Module." -HOMEAPAGE = "http://apparmor.net/" -SECTION = "admin" - -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" - -DEPENDS = "bison-native apr gettext-native coreutils-native" - -SRC_URI = " \ - git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \ - file://disable_perl_h_check.patch \ - file://crosscompile_perl_bindings.patch \ - file://apparmor.rc \ - file://functions \ - file://apparmor \ - file://apparmor.service \ - file://run-ptest \ - " - -SRCREV = "af4808b5f6b58946f5c5a4de4b77df5e0eae6ca0" -S = "${WORKDIR}/git" - -PARALLEL_MAKE = "" - -inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd - -PACKAGECONFIG ??= "python perl" -PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" -PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" -PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" -PACKAGECONFIG[apache2] = ",,apache2," - -PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" -HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" - - -python() { - if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ - 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') -} - -DISABLE_STATIC = "" - -do_configure() { - cd ${S}/libraries/libapparmor - aclocal - autoconf --force - libtoolize --automake -c --force - 
automake -ac - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} -} - -do_compile () { - # Fixes: - # | sed -ie 's///g' Makefile.perl - # | sed: -e expression #1, char 0: no previous regular expression - #| Makefile:478: recipe for target 'Makefile.perl' failed - sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile - - - oe_runmake -C ${B}/libraries/libapparmor - oe_runmake -C ${B}/binutils - oe_runmake -C ${B}/utils - oe_runmake -C ${B}/parser - oe_runmake -C ${B}/profiles - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor - fi -} - -do_install () { - install -d ${D}/${INIT_D_DIR} - install -d ${D}/lib/apparmor - - oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install - oe_runmake -C ${B}/binutils DESTDIR="${D}" install - oe_runmake -C ${B}/utils DESTDIR="${D}" install - oe_runmake -C ${B}/parser DESTDIR="${D}" install - oe_runmake -C ${B}/profiles DESTDIR="${D}" install - - # If perl is disabled this script won't be any good - if ! 
${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then - rm -f ${D}${sbindir}/aa-notify - fi - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install - fi - - # aa-easyprof is installed by python-tools-setup.py, fix it up - sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof - chmod 0755 ${D}${bindir}/aa-easyprof - - install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor - install ${WORKDIR}/functions ${D}/lib/apparmor - install -d ${D}${systemd_system_unitdir} - install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} -} - -do_compile_ptest () { - oe_runmake -C ${B}/tests/regression/apparmor - oe_runmake -C ${B}/parser/tst - oe_runmake -C ${B}/libraries/libapparmor -} - -do_install_ptest () { - t=${D}/${PTEST_PATH}/testsuite - install -d ${t} - install -d ${t}/tests/regression/apparmor - cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression - - install -d ${t}/parser/tst - cp -rf ${B}/parser/tst ${t}/parser - cp ${B}/parser/apparmor_parser ${t}/parser - cp ${B}/parser/frob_slack_rc ${t}/parser - - install -d ${t}/libraries/libapparmor - cp -rf ${B}/libraries/libapparmor ${t}/libraries - - install -d ${t}/common - cp -rf ${B}/common ${t} - - install -d ${t}/binutils - cp -rf ${B}/binutils ${t} -} - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "apparmor" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." 
-
-SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "apparmor.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-PACKAGES += "mod-${PN}"
-
-FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
-FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-
-RDEPENDS_${PN} += "bash lsb"
-RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
-RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
-RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
new file mode 100644
index 000000000..9322018bd
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
@@ -0,0 +1,166 @@ +SUMMARY = "AppArmor another MAC control system" +DESCRIPTION = "user-space parser utility for AppArmor \ + This provides the system initialization scripts needed to use the \ + AppArmor Mandatory Access Control system, including the AppArmor Parser \ + which is required to convert AppArmor text profiles into machine-readable \ + policies that are loaded into the kernel for use with the AppArmor Linux \ + Security Module." +HOMEAPAGE = "http://apparmor.net/" +SECTION = "admin" + +LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" + +DEPENDS = "bison-native apr gettext-native coreutils-native" + +SRC_URI = " \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \ + file://disable_perl_h_check.patch \ + file://crosscompile_perl_bindings.patch \ + file://apparmor.rc \ + file://functions \ + file://apparmor \ + file://apparmor.service \ + file://run-ptest \ + " + +SRCREV = "2f9d9ea7e01a115b29858455d3b1b5c6a0bab75c" +S = "${WORKDIR}/git" + +PARALLEL_MAKE = "" + +inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd + +PACKAGECONFIG ??= "python perl" +PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" +PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" +PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" +PACKAGECONFIG[apache2] = ",,apache2," + +PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" +HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" + + +python() { + if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ + 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): + raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') +} + +DISABLE_STATIC = "" + +do_configure() { + cd ${S}/libraries/libapparmor + aclocal + autoconf --force + libtoolize --automake -c --force + 
automake -ac + ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} +} + +do_compile () { + # Fixes: + # | sed -ie 's///g' Makefile.perl + # | sed: -e expression #1, char 0: no previous regular expression + #| Makefile:478: recipe for target 'Makefile.perl' failed + sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile + + + oe_runmake -C ${B}/libraries/libapparmor + oe_runmake -C ${B}/binutils + oe_runmake -C ${B}/utils + oe_runmake -C ${B}/parser + oe_runmake -C ${B}/profiles + + if test -z "${HTTPD}" ; then + oe_runmake -C ${B}/changehat/mod_apparmor + fi + + if test -z "${PAMLIB}" ; then + oe_runmake -C ${B}/changehat/pam_apparmor + fi +} + +do_install () { + install -d ${D}/${INIT_D_DIR} + install -d ${D}/lib/apparmor + + oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install + oe_runmake -C ${B}/binutils DESTDIR="${D}" install + oe_runmake -C ${B}/utils DESTDIR="${D}" install + oe_runmake -C ${B}/parser DESTDIR="${D}" install + oe_runmake -C ${B}/profiles DESTDIR="${D}" install + + # If perl is disabled this script won't be any good + if ! 
${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then + rm -f ${D}${sbindir}/aa-notify + fi + + if test -z "${HTTPD}" ; then + oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install + fi + + if test -z "${PAMLIB}" ; then + oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install + fi + + # aa-easyprof is installed by python-tools-setup.py, fix it up + sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof + chmod 0755 ${D}${bindir}/aa-easyprof + + install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor + install ${WORKDIR}/functions ${D}/lib/apparmor + install -d ${D}${systemd_system_unitdir} + install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} +} + +do_compile_ptest () { + oe_runmake -C ${B}/tests/regression/apparmor + oe_runmake -C ${B}/parser/tst + oe_runmake -C ${B}/libraries/libapparmor +} + +do_install_ptest () { + t=${D}/${PTEST_PATH}/testsuite + install -d ${t} + install -d ${t}/tests/regression/apparmor + cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression + + install -d ${t}/parser/tst + cp -rf ${B}/parser/tst ${t}/parser + cp ${B}/parser/apparmor_parser ${t}/parser + cp ${B}/parser/frob_slack_rc ${t}/parser + + install -d ${t}/libraries/libapparmor + cp -rf ${B}/libraries/libapparmor ${t}/libraries + + install -d ${t}/common + cp -rf ${B}/common ${t} + + install -d ${t}/binutils + cp -rf ${B}/binutils ${t} +} + +pkg_postinst_ontarget_${PN} () { +if [ ! -d /etc/apparmor.d/cache ] ; then + mkdir /etc/apparmor.d/cache +fi +} + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME = "apparmor" +INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." 
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "apparmor.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+PACKAGES += "mod-${PN}"
+
+FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
+FILES_mod-${PN} = "${libdir}/apache2/modules/*"
+
+RDEPENDS_${PN} += "bash lsb"
+RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
+RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
diff --git a/meta-security/recipes-perl/perl/libenv-perl_1.04.bb b/meta-security/recipes-perl/perl/libenv-perl_1.04.bb
deleted file mode 100644
index dd8e1159e..000000000
--- a/meta-security/recipes-perl/perl/libenv-perl_1.04.bb
+++ /dev/null
@@ -1,21 +0,0 @@
-SUMMARY = "Perl module that imports environment variables as scalars or arrays"
-DESCRIPTION = "Perl maintains environment variables in a special hash named %ENV. \
-For when this access method is inconvenient, the Perl module Env allows environment \
-variables to be treated as scalar or array variables."
-
-HOMEPAGE = "http://search.cpan.org/~flora/Env/"
-SECTION = "libs"
-LICENSE = "Artistic-1.0 | GPL-1.0+"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=76c1cbf18db56b3340d91cb947943bd3"
-
-SRC_URI = "http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/Env-${PV}.tar.gz"
-
-SRC_URI[md5sum] = "fdba5c0690e66972c96fee112cf5f25c"
-SRC_URI[sha256sum] = "d94a3d412df246afdc31a2199cbd8ae915167a3f4684f7b7014ce1200251ebb0"
-
-S = "${WORKDIR}/Env-${PV}"
-
-inherit cpan
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/checksec/checksec_1.11.1.bb b/meta-security/recipes-security/checksec/checksec_1.11.1.bb
deleted file mode 100644
index 835dffcd8..000000000
--- a/meta-security/recipes-security/checksec/checksec_1.11.1.bb
+++ /dev/null
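Review bot: The `test -z "${HTTPD}"` and `test -z "${PAMLIB}"` guards in do_compile and do_install of apparmor_2.13.3.bb can never be true, because both variables are set to '1' or '0' by `bb.utils.contains` near the top of the recipe, so mod_apparmor and pam_apparmor are skipped in every configuration. On an image with the `pam` distro feature the PAM module is therefore silently missing from the package, which is easy to overlook in a recipe whose purpose is access control. Compare against the value instead, `if [ "${PAMLIB}" = "1" ]; then` and `if [ "${HTTPD}" = "1" ]; then`, in all four places. Separately, the new `pkg_postinst_ontarget_${PN}` creates the policy cache with a bare `mkdir /etc/apparmor.d/cache`; `mkdir -p -m 0755 ${sysconfdir}/apparmor.d/cache` would pin the directory mode and honour `sysconfdir`.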
@@ -1,19 +0,0 @@
-SUMMARY = "Linux system security checks"
-DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
-SECTION = "security"
-LICENSE = "BSD"
-HOMEPAGE="https://github.com/slimm609/checksec.sh"
-
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a"
-
-SRCREV = "3c15cb89641c700096fdec0c1904a0cf9b83c5e2"
-SRC_URI = "git://github.com/slimm609/checksec.sh"
-
-S = "${WORKDIR}/git"
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 ${S}/checksec ${D}${bindir}
-}
-
-RDEPENDS_${PN} = "bash openssl-bin"
diff --git a/meta-security/recipes-security/checksec/checksec_2.1.0.bb b/meta-security/recipes-security/checksec/checksec_2.1.0.bb
new file mode 100644
index 000000000..5c6528e48
--- /dev/null
+++ b/meta-security/recipes-security/checksec/checksec_2.1.0.bb
@@ -0,0 +1,19 @@
+SUMMARY = "Linux system security checks"
+DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
+SECTION = "security"
+LICENSE = "BSD"
+HOMEPAGE="https://github.com/slimm609/checksec.sh"
+
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a"
+
+SRCREV = "04582bad41589ad479ca8b1f0170ed317475b5a5"
+SRC_URI = "git://github.com/slimm609/checksec.sh"
+
+S = "${WORKDIR}/git"
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 ${S}/checksec ${D}${bindir}
+}
+
+RDEPENDS_${PN} = "bash openssl-bin"
diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index 1f780f9e3..e45ee0ba0 100644
--- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -14,6 +14,7 @@ DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native" SRC_URI = "\ https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \ file://ecryptfs-utils-CVE-2016-6224.patch \ + file://0001-avoid-race-condition.patch \ file://ecryptfs.service \ " @@ -30,13 +31,13 @@ EXTRA_OECONF = "\ --disable-pywrap \ --disable-nls \ --with-pamdir=${base_libdir}/security \ + --disable-openssl \ " PACKAGECONFIG ??= "nss \ ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ " PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss," -PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl," PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam," do_configure_prepend() { diff --git a/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch b/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch new file mode 100644 index 000000000..af28d5810 --- /dev/null +++ b/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch 
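Review bot: `--disable-openssl` is now hard-coded in EXTRA_OECONF and the `PACKAGECONFIG[openssl]` entry is dropped with no comment saying why, so a configuration that previously selected the OpenSSL key module loses it without any explanation in the recipe. Because this decides which key modules an encrypted-filesystem package ships, record the reason next to the flag, for example `# openssl key module intentionally disabled: <reason>; nss remains the default key module`. A bbappend or local.conf that still lists `openssl` in PACKAGECONFIG will presumably no longer have any effect, which is worth stating in the commit message as well. The EXTRA_OECONF assignment starts above the hunk.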
@@ -0,0 +1,32 @@ +From ab671b02e3aaf65dd1fd279789ea933b8140fe52 Mon Sep 17 00:00:00 2001 +From: Chen Qi +Date: Tue, 27 Aug 2019 16:08:00 +0800 +Subject: [PATCH] avoid race condition + +The rootsbin directory is self defined. The install-rootsbinPROGRAMS +is actually treated as part of install-data. + +This would avoid race condition which causes install failure. + +Upstream-Status: Pending + +Signed-off-by: Chen Qi +--- + src/utils/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/utils/Makefile.am b/src/utils/Makefile.am +index 83cf851..344883a 100644 +--- a/src/utils/Makefile.am ++++ b/src/utils/Makefile.am +@@ -67,6 +67,6 @@ ecryptfs_stat_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la + test_SOURCES = test.c io.c + test_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la + +-install-exec-hook: install-rootsbinPROGRAMS ++install-data-hook: install-rootsbinPROGRAMS + -rm -f "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private" + $(LN_S) "mount.ecryptfs_private" "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private" +-- +2.17.1 + diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb index 493488918..ddcf2086e 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb @@ -13,7 +13,6 @@ SUMMARY_${PN} = "Security packages with ptests" RDEPENDS_${PN} = " \ ptest-runner \ samhain-standalone-ptest \ - xmlsec1-ptest \ keyutils-ptest \ libseccomp-ptest \ python-scapy-ptest \ diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb index 9165eef9f..20ba46f34 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb 
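Review bot: The hook in src/utils/Makefile.am keeps `install-rootsbinPROGRAMS` as an explicit prerequisite after being renamed to `install-data-hook`, and that prerequisite looks redundant now. If automake already runs install-rootsbinPROGRAMS as part of install-data, as the patch description says, the programs are in place before the data hook starts, and listing the target again likely makes the hook's sub-make install them a second time. A bare `install-data-hook:` would express the same ordering without the repeat. The patch is marked Upstream-Status: Pending, so a reference to the upstream submission in the patch header would help decide later when it can be dropped.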
+++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb @@ -29,7 +29,6 @@ RDEPENDS_packagegroup-security-utils = "\ pinentry \ python-scapy \ ding-libs \ - xmlsec1 \ keyutils \ libseccomp \ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python-scapy.inc index baa69b244..28e13f288 100644 --- a/meta-security/recipes-security/scapy/python-scapy.inc +++ b/meta-security/recipes-security/scapy/python-scapy.inc @@ -3,11 +3,11 @@ DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It i SECTION = "security" LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" S = "${WORKDIR}/git" -SRCREV = "bad14cb1a5aee29f8107fbe8ad008d4645f14da7" +SRCREV = "3047580162a9407ef05fe981983cacfa698f1159" SRC_URI = "git://github.com/secdev/scapy.git" inherit ptest diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb deleted file mode 100644 index 982620e0b..000000000 --- a/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb +++ /dev/null @@ -1,11 +0,0 @@ -inherit setuptools -require python-scapy.inc - -SRC_URI += "file://run-ptest" - -RDEPENDS_${PN} += "${PYTHON_PN}-subprocess" - -do_install_append() { - mv ${D}${bindir}/scapy ${D}${bindir}/scapy2 - mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy2 -} diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.3.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.3.bb new file mode 100644 index 000000000..982620e0b --- /dev/null +++ b/meta-security/recipes-security/scapy/python-scapy_2.4.3.bb 
@@ -0,0 +1,11 @@
+inherit setuptools
+require python-scapy.inc
+
+SRC_URI += "file://run-ptest"
+
+RDEPENDS_${PN} += "${PYTHON_PN}-subprocess"
+
+do_install_append() {
+ mv ${D}${bindir}/scapy ${D}${bindir}/scapy2
+ mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy2
+}
diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
deleted file mode 100644
index abcaeeb0b..000000000
--- a/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-inherit setuptools3
-require python-scapy.inc
-
-SRC_URI += "file://run-ptest"
-
-do_install_append() {
- mv ${D}${bindir}/scapy ${D}${bindir}/scapy3
- mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3
-}
diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb
new file mode 100644
index 000000000..abcaeeb0b
--- /dev/null
+++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb
@@ -0,0 +1,9 @@
+inherit setuptools3
+require python-scapy.inc
+
+SRC_URI += "file://run-ptest"
+
+do_install_append() {
+ mv ${D}${bindir}/scapy ${D}${bindir}/scapy3
+ mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3
+}
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
deleted file mode 100644
index 1cec47fca..000000000
--- a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From c1c980a95d85bcaf8802524d6148783522b300d7 Mon Sep 17 00:00:00 2001 -From: Yulong Pei -Date: Wed, 21 Jul 2010 22:33:43 +0800 -Subject: [PATCH] change finding path of nss and nspr - -Upstream-Status: Pending - -Signed-off-by: Yulong Pei -Signed-off-by: Mingli Yu -Signed-off-by: Yi Zhao ---- - configure.ac | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 951b3eb..1fdeb0f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -866,10 +866,10 @@ MOZILLA_MIN_VERSION="1.4" - NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss" - NSPR_PACKAGE=mozilla-nspr - NSS_PACKAGE=mozilla-nss --NSPR_INCLUDE_MARKER="nspr/nspr.h" -+NSPR_INCLUDE_MARKER="nspr.h" - NSPR_LIB_MARKER="libnspr4$shrext" - NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4" --NSS_INCLUDE_MARKER="nss/nss.h" -+NSS_INCLUDE_MARKER="nss3/nss.h" - NSS_LIB_MARKER="libnss3$shrext" - NSS_LIBS_LIST="-lnss3 -lsmime3" - -@@ -898,24 +898,24 @@ fi - dnl Priority 1: User specifies the path to installation - if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes" ; then - AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder) -- if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSPR_LIB_MARKER" ; then -- NSPR_INCLUDE_PATH="$with_nspr/include" -- NSPR_LIB_PATH="$with_nspr/lib" -+ if test -f "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/${libdir}/$NSPR_LIB_MARKER" ; then -+ NSPR_INCLUDE_PATH="$with_nspr/usr/include" -+ NSPR_LIB_PATH="$with_nspr/${libdir}" - NSPR_FOUND="yes" - AC_MSG_RESULT([yes]) - else -- AC_MSG_ERROR([not found: "$with_nspr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/lib/$NSPR_LIB_MARKER" files don't exist), typo?]) -+ AC_MSG_ERROR([not found: "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/${libdir}/$NSPR_LIB_MARKER" files don't exist), typo?]) - fi - fi - if test "z$NSS_FOUND" = "zno" -a "z$with_nss" != "z" -a "z$with_nss" != "zyes" ; 
then - AC_MSG_CHECKING(for nss library installation in "$with_nss" folder) -- if test -f "$with_nss/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/lib/$NSS_LIB_MARKER" ; then -- NSS_INCLUDE_PATH="$with_nss/include" -- NSS_LIB_PATH="$with_nss/lib" -+ if test -f "$with_nss/usr/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/${libdir}/$NSS_LIB_MARKER" ; then -+ NSS_INCLUDE_PATH="$with_nss/usr/include/nss3" -+ NSS_LIB_PATH="$with_nss/${libdir}" - NSS_FOUND="yes" - AC_MSG_RESULT([yes]) - else -- AC_MSG_ERROR([not found: "$with_nss/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/lib/$NSS_LIB_MARKER" files don't exist), typo?]) -+ AC_MSG_ERROR([not found: "$with_nss/usr/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/${libdir}/$NSS_LIB_MARKER" files don't exist), typo?]) - fi - fi - --- -2.7.4 - diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch deleted file mode 100644 index af598fe74..000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 847dc52f5a50e34ee4d6e3dc2c708711747a58ca Mon Sep 17 00:00:00 2001 -From: Yulong Pei -Date: Thu, 21 Jan 2010 14:11:20 +0800 -Subject: [PATCH] force to use our own libtool - -Upstream-Status: Inappropriate [ OE specific ] - -Signed-off-by: Yulong Pei - ---- - ltmain.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ltmain.sh b/ltmain.sh -index 147d758..a61f16b 100644 ---- a/ltmain.sh -+++ b/ltmain.sh -@@ -6969,7 +6969,7 @@ func_mode_link () - dir=$func_resolve_sysroot_result - # We need an absolute path. - case $dir in -- [\\/]* | [A-Za-z]:[\\/]*) ;; -+ =* | [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - absdir=`cd "$dir" && pwd` - test -z "$absdir" && \ diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch deleted file mode 100644 index d45356924..000000000 
--- a/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 83a1381e1d6bd1b5ec3df6f7c4bc1f4fe4f860b6 Mon Sep 17 00:00:00 2001 -From: Jackie Huang -Date: Thu, 15 Jun 2017 14:44:01 +0800 -Subject: [PATCH] xmlsec1: add new recipe - -This enables the building of the examples directory -and it's installed as ptest. - -Upstream-Status: Inappropriate [ OE ptest specific ] - -Signed-off-by: Jackie Huang - ---- - examples/Makefile | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/examples/Makefile b/examples/Makefile -index 89b1d61..c1cbcca 100644 ---- a/examples/Makefile -+++ b/examples/Makefile -@@ -8,9 +8,17 @@ PROGRAMS = \ - decrypt1 decrypt2 decrypt3 \ - xmldsigverify - -+ifndef CC - CC = gcc --CFLAGS += -g $(shell xmlsec1-config --cflags) -DUNIX_SOCKETS --LDLIBS += -g $(shell xmlsec1-config --libs) -+endif -+ -+CFLAGS += -I../include -g $(shell PKG_CONFIG_PATH=.. pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS -+LDLIBS += -L../src/.libs -g $(shell PKG_CONFIG_PATH=.. pkg-config --libs xmlsec1 ) -+ -+DESTDIR = /usr/share/xmlsec1 -+install-ptest: -+ if [ ! -d $(DESTDIR) ]; then mkdir -p $(DESTDIR); fi -+ cp * $(DESTDIR) - - all: $(PROGRAMS) - diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest b/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest deleted file mode 100755 index a203c38f2..000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest +++ /dev/null 
@@ -1,85 +0,0 @@
-#!/bin/sh
-
-check_return() {
- if [ $? == 0 ]; then
- echo -e "PASS: $1\n"
- else
- echo -e "FAIL: $1\n"
- fi
-}
-
-echo "---------------------------------------------------"
-echo "Signing a template file..."
-./sign1 sign1-tmpl.xml rsakey.pem > sign1-res.xml
-./verify1 sign1-res.xml rsapub.pem
-check_return sign-tmpl
-
-echo "---------------------------------------------------"
-echo "Signing a dynamicaly created template..."
-./sign2 sign2-doc.xml rsakey.pem > sign2-res.xml
-./verify1 sign2-res.xml rsapub.pem
-check_return sign-dynamic-templ
-
-echo "---------------------------------------------------"
-echo "Signing with X509 certificate..."
-./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml
-./verify3 sign3-res.xml ca2cert.pem cacert.pem
-check_return sign-x509
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with a single key..."
-./verify1 sign1-res.xml rsapub.pem
-./verify1 sign2-res.xml rsapub.pem
-check_return verify-single-key
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with keys manager..."
-./verify2 sign1-res.xml rsapub.pem
-./verify2 sign2-res.xml rsapub.pem
-check_return verify-keys-manager
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with X509 certificates..."
-./verify3 sign3-res.xml ca2cert.pem cacert.pem
-check_return verify-x509
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with additional restrictions..."
-./verify4 verify4-res.xml ca2cert.pem cacert.pem
-check_return verify-res
-
-echo "---------------------------------------------------"
-echo "Encrypting data with a template file..."
-./encrypt1 encrypt1-tmpl.xml deskey.bin > encrypt1-res.xml
-./decrypt1 encrypt1-res.xml deskey.bin
-check_return encrypt-tmpl
-
-echo "---------------------------------------------------"
-echo "Encrypting data with a dynamicaly created template..."
-./encrypt2 encrypt2-doc.xml deskey.bin > encrypt2-res.xml
-./decrypt1 encrypt2-res.xml deskey.bin
-check_return encrypt-dynamic-tmpl
-
-echo "---------------------------------------------------"
-echo "Encrypting data with a session key..."
-./encrypt3 encrypt3-doc.xml rsakey.pem > encrypt3-res.xml
-./decrypt3 encrypt3-res.xml
-check_return encrypt-session-key
-
-echo "---------------------------------------------------"
-echo "Decrypting data with a single key..."
-./decrypt1 encrypt1-res.xml deskey.bin
-./decrypt1 encrypt2-res.xml deskey.bin
-check_return encrypt-single-key
-
-echo "---------------------------------------------------"
-echo "Decrypting data with keys manager..."
-./decrypt2 encrypt1-res.xml deskey.bin
-./decrypt2 encrypt2-res.xml deskey.bin
-check_return encrypt-keys-manager
-
-echo "---------------------------------------------------"
-echo "Writing a custom keys manager..."
-./decrypt3 encrypt1-res.xml
-./decrypt3 encrypt2-res.xml
-check_return write-keys-manager
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch
deleted file mode 100644
index 8b2533ed9..000000000
--- a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0c38c6864e7ba8f53a657d87894f24374a6a4932 Mon Sep 17 00:00:00 2001
-From: Jackie Huang
-Date: Tue, 30 Dec 2014 11:18:17 +0800
-Subject: [PATCH] examples: allow build in separate dir
-
-Upstream-Status: Inappropriate [ OE specific ]
-
-Signed-off-by: Jackie Huang
-
----
- examples/Makefile | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/examples/Makefile b/examples/Makefile
-index c1cbcca..3f1bd14 100644
---- a/examples/Makefile
-+++ b/examples/Makefile
-@@ -12,8 +12,10 @@ ifndef CC
- CC = gcc
- endif
-
--CFLAGS += -I../include -g $(shell PKG_CONFIG_PATH=.. pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS
--LDLIBS += -L../src/.libs -g $(shell PKG_CONFIG_PATH=.. pkg-config --libs xmlsec1 )
-+top_srcdir = ..
-+top_builddir = ..
-+CFLAGS += -I$(top_srcdir)/include -g $(shell PKG_CONFIG_PATH=$(top_srcdir) pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS
-+LDLIBS += -L$(top_builddir)/src/.libs -g $(shell PKG_CONFIG_PATH=$(top_srcdir) pkg-config --libs xmlsec1 )
-
- DESTDIR = /usr/share/xmlsec1
- install-ptest:
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.28.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.28.bb
deleted file mode 100644
index 0a4c56aa0..000000000
--- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.28.bb
+++ /dev/null
@@ -1,64 +0,0 @@
-SUMMARY = "XML Security Library is a C library based on LibXML2"
-DESCRIPTION = "\
- XML Security Library is a C library based on \
- LibXML2 and OpenSSL. The library was created with a goal to support major \
- XML security standards "XML Digital Signature" and "XML Encryption". \
- "
-HOMEPAGE = "http://www.aleksey.com/xmlsec/"
-DEPENDS = "libtool libxml2 libxslt zlib"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=352791d62092ea8104f085042de7f4d0"
-
-SECTION = "libs"
-
-SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \
- file://fix-ltmain.sh.patch \
- file://change-finding-path-of-nss.patch \
- file://makefile-ptest.patch \
- file://xmlsec1-examples-allow-build-in-separate-dir.patch \
- file://run-ptest \
- "
-
-SRC_URI[md5sum] = "69b8d95c009a404462e19f335e650241"
-SRC_URI[sha256sum] = "13eec4811ea30e3f0e16a734d1dbf7f9d246a71d540b48d143a07b489f6222d4"
-
-inherit autotools-brokensep ptest pkgconfig
-
-CFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
-CPPFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
-
-PACKAGECONFIG ??= "gnutls libgcrypt nss openssl des"
-PACKAGECONFIG[gnutls] = ",,gnutls"
-PACKAGECONFIG[libgcrypt] = ",,libgcrypt"
-PACKAGECONFIG[nss] = "--with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../..,,nss nspr"
-PACKAGECONFIG[openssl] = ",,openssl"
-PACKAGECONFIG[des] = ",--disable-des,,"
-
-# these can be dynamically loaded with xmlSecCryptoDLLoadLibrary()
-FILES_SOLIBSDEV = "${libdir}/libxmlsec1.so"
-FILES_${PN} += "${libdir}/libxmlsec1-*.so"
-INSANE_SKIP_${PN} = "dev-so"
-
-FILES_${PN}-dev += "${libdir}/xmlsec1Conf.sh"
-FILES_${PN}-dbg += "${PTEST_PATH}/.debug/*"
-
-RDEPENDS_${PN}-ptest += "${PN}-dev"
-INSANE_SKIP_${PN}-ptest += "dev-deps"
-
-PTEST_EXTRA_ARGS = "top_srcdir=${S} top_builddir=${B}"
-
-do_compile_ptest () {
- oe_runmake -C ${S}/examples ${PTEST_EXTRA_ARGS} all
-}
-
-do_install_append() {
- for i in ${bindir}/xmlsec1-config ${libdir}/xmlsec1Conf.sh \
- ${libdir}/pkgconfig/xmlsec1-openssl.pc; do
- sed -i -e "s@${RECIPE_SYSROOT}@@g" ${D}$i
- done
-}
-
-do_install_ptest () {
- oe_runmake -C ${S}/examples DESTDIR=${D}${PTEST_PATH} ${PTEST_EXTRA_ARGS} install-ptest
-}
--
cgit v1.2.3