From 9a53395458785b43f205c5aa4a2730fa3d4057a3 Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Thu, 19 Dec 2019 16:39:26 -0500 Subject: meta-security: subtree update:2df7dd9fba..3001c3ebfc Armin Kuster (6): meta-security: add layer index callouts meta-security-compliance/conf/layer.conf: fix typo python3-suricata-update: update to 1.1.1 libhtp: bugfix only update 0.5.32 lib/oeqa/runtime: suricata add tests suricata: update to 4.1.6 Philip Tricca (1): tpm2-abrmd: Port command line options to new version. Trevor Woerner (1): tpm2-abrmd-init.sh: fix for /dev/tpmrmX Yi Zhao (1): libseccomp: upgrade 2.4.1 -> 2.4.2 Change-Id: Ic00ca8ac8ff5d3fbe0b79aa4a42243b197080f14 
Signed-off-by: Brad Bishop
---
 meta-security/lib/oeqa/runtime/cases/suricata.py | 63 ++++++++++++--
 meta-security/meta-integrity/conf/layer.conf | 2 +
 .../meta-security-compliance/conf/layer.conf | 2 +
 meta-security/meta-tpm/conf/layer.conf | 1 +
 .../tpm2-abrmd/files/tpm2-abrmd-init.sh | 2 +-
 .../tpm2-abrmd/files/tpm2-abrmd.default | 2 +-
 .../recipes-ids/suricata/libhtp_0.5.31.bb | 15 ----
 .../recipes-ids/suricata/libhtp_0.5.32.bb | 15 ++++
 .../suricata/python3-suricata-update_1.0.5.bb | 15 ----
 .../suricata/python3-suricata-update_1.1.1.bb | 15 ++++
 meta-security/recipes-ids/suricata/suricata.inc | 6 +-
 .../recipes-ids/suricata/suricata_4.1.5.bb | 98 ----------------------
 .../recipes-ids/suricata/suricata_4.1.6.bb | 97 +++++++++++++++++++++
 ...on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch | 45 ++++++++++
 .../libseccomp/libseccomp_2.4.1.bb | 43 ----------
 .../libseccomp/libseccomp_2.4.2.bb | 44 ++++++++++
 16 files changed, 282 insertions(+), 183 deletions(-)
 delete mode 100644 meta-security/recipes-ids/suricata/libhtp_0.5.31.bb
 create mode 100644 meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
 delete mode 100644 meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb
 create mode 100644 meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
 delete mode 100644 meta-security/recipes-ids/suricata/suricata_4.1.5.bb
 create mode 100644 meta-security/recipes-ids/suricata/suricata_4.1.6.bb
 create mode 100644 meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
 delete mode 100644 meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
 create mode 100644 meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
(limited to 'meta-security')
diff --git a/meta-security/lib/oeqa/runtime/cases/suricata.py b/meta-security/lib/oeqa/runtime/cases/suricata.py
index 17fc8c508..7f052ecd7 100644
--- a/meta-security/lib/oeqa/runtime/cases/suricata.py
+++ b/meta-security/lib/oeqa/runtime/cases/suricata.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2019 Armin Kuster
 #
 import re
+from tempfile import mkstemp
 from oeqa.runtime.case import OERuntimeTestCase
 from oeqa.core.decorator.depends import OETestDepends
@@ -9,6 +10,22 @@ from oeqa.runtime.decorator.package import OEHasPackage
 class SuricataTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tmp_fd, cls.tmp_path = mkstemp()
+ with os.fdopen(cls.tmp_fd, 'w') as f:
+ # use google public dns
+ f.write("nameserver 8.8.8.8")
+ f.write(os.linesep)
+ f.write("nameserver 8.8.4.4")
+ f.write(os.linesep)
+ f.write("nameserver 127.0.0.1")
+ f.write(os.linesep)
+
+ @classmethod
+ def tearDownClass(cls):
+ os.remove(cls.tmp_path)
+
 @OEHasPackage(['suricata'])
 @OETestDepends(['ssh.SSHTest.test_ssh'])
 def test_suricata_help(self):
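Review bot: The added import brings in only `mkstemp`, but the setUpClass and tearDownClass added in the next hunk call `os.fdopen`, `os.linesep` and `os.remove`, and nothing in this import block imports `os`; unless it is imported on a line outside both hunks, class setup fails with NameError before any suricata test runs. Add `import os` next to `import re` here.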
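Review bot: setUpClass writes hard-coded public resolvers into a file that test_ping_openinfosecfoundation_org later installs as the target's `/etc/resolv.conf`, so every later test on that device resolves names through an external third party; the one-line comment does not say that, and the choice deserves a sentence above the writes, something like `# Installed over the target's /etc/resolv.conf by test_ping_*: public resolvers so the suricata-update tests can reach the rule feeds, 127.0.0.1 as local fallback`. The six paired write() calls read more clearly as one `f.write("\n".join(["nameserver 8.8.8.8", "nameserver 8.8.4.4", "nameserver 127.0.0.1"]) + "\n")`; `os.linesep` is the build host's line ending and only coincidentally the target's. tearDownClass removes only the host-side temp file, so whether the target's resolver config is ever restored depends on the hunk that replaces it.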
@@ -18,10 +35,42 @@ class SuricataTest(OERuntimeTestCase):
 self.assertEqual(status, 1, msg = msg)
 @OETestDepends(['suricata.SuricataTest.test_suricata_help'])
- def test_suricata_unittest(self):
- status, output = self.target.run('suricata -u')
- match = re.search('FAILED: 0 ', output)
- if not match:
- msg = ('suricata unittest had an unexpected failure. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 0, msg = msg)
+ def test_ping_openinfosecfoundation_org(self):
+ dst = '/etc/resolv.conf'
+ self.tc.target.run('rm -f %s' % dst)
+ (status, output) = self.tc.target.copyTo(self.tmp_path, dst)
+ msg = 'File could not be copied. Output: %s' % output
+ self.assertEqual(status, 0, msg=msg)
+
+ status, output = self.target.run('ping -c 1 openinfosecfoundation.org')
+ msg = ('ping openinfosecfoundation.org failed: output is:\n%s' % output)
+ self.assertEqual(status, 0, msg = msg)
+
+ @OEHasPackage(['python3-suricata-update'])
+ @OETestDepends(['suricata.SuricataTest.test_ping_openinfosecfoundation_org'])
+ def test_suricata_update(self):
+ status, output = self.tc.target.run('suricata-update')
+ msg = ('suricata-update had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update'])
+ def test_suricata_update_sources_list(self):
+ status, output = self.tc.target.run('suricata-update list-sources')
+ msg = ('suricata-update list-sources had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources_list'])
+ def test_suricata_update_sources(self):
+ status, output = self.tc.target.run('suricata-update update-sources')
+ msg = ('suricata-update update-sources had an unexpected failure. 
'
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources'])
+ def test_suricata_update_enable_source(self):
+ status, output = self.tc.target.run('suricata-update enable-source oisf/trafficid')
+ msg = ('suricata-update enable-source oisf/trafficid had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index 962424ccb..bfc9c6ff1 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -24,3 +24,5 @@ OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
 LAYERSERIES_COMPAT_integrity = "zeus"
 # ima-evm-utils depends on keyutils from meta-oe
 LAYERDEPENDS_integrity = "core openembedded-layer"
+
+BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 0e93bd0e8..8572a1fce 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -11,3 +11,5 @@ BBFILE_PRIORITY_scanners-layer = "10"
 LAYERSERIES_COMPAT_scanners-layer = "zeus"
 LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
+
+BBLAYERS_LAYERINDEX_NAME_scanners-layer = "meta-security-compliance"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 3af2d9517..175eba84e 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -14,3 +14,4 @@ LAYERDEPENDS_tpm-layer = " \
 core \
 openembedded-layer \
 "
+BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
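Review bot: test_ping_openinfosecfoundation_org deletes the target's `/etc/resolv.conf` and copies the temp file over it without keeping the original, and nothing in the file puts it back, so the device leaves the test run with its DNS permanently pointed at the hard-coded public resolvers. Keep a copy before the overwrite, `self.tc.target.run('[ -e %s ] && cp -f %s %s.orig' % (dst, dst, dst))`, and restore it from tearDownClass in the earlier hunk. The same method also mixes `self.tc.target.run` with `self.target.run`; pick one. The `msg = msg` spacing in the added assertEqual calls differs from the `msg=msg` a few lines above it.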
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
index c8dfb7de3..9bb7da972 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
@@ -27,7 +27,7 @@ case "${1}" in
 start)
 echo -n "Starting $DESC: "
- if [ ! -e /dev/tpm* ]
+ if [ ! -e /dev/tpm? ]
 then
 echo "device driver not loaded, skipping."
 exit 0
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
index 987978a66..b4b3c2072 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
@@ -1 +1 @@
-DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transient-objects=20 --fail-on-loaded-trans"
+DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transients=20 --flush-all"
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb
deleted file mode 100644
index 8305f7010..000000000
--- a/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-DEPENDS = "zlib"
-
-inherit autotools pkgconfig
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-S = "${WORKDIR}/suricata-${VER}/${BPN}"
-
-RDEPENDS_${PN} += "zlib"
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
new file mode 100644
index 000000000..8305f7010
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
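Review bot: `[ ! -e /dev/tpm? ]` still hands the shell glob to a single-operand test, so on a system exposing more than one TPM character device (`/dev/tpm0` and `/dev/tpm1`) the expansion yields two words, `[` reports an error with status 2, the `then` branch is skipped and start-up proceeds without the check having said anything; the previous `/dev/tpm*` failed the same way once `/dev/tpmrm0` appeared, which is presumably what this fix is after. A form that tolerates any number of matches is `set -- /dev/tpm?` followed by `if [ ! -e "$1" ]`, which tests only the first expansion (or the unexpanded pattern, which does not exist, when nothing matches). The enclosing `case` statement continues outside the hunk.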
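Review bot: Replacing `--fail-on-loaded-trans` with `--flush-all` changes what the resource manager does when it starts while transient objects or sessions are already loaded in the TPM: as I read the tpm2-abrmd 2.x options it now flushes them instead of refusing to start, which silently discards whatever handles another TPM user holds at that moment. Nothing in the defaults file records that choice; a line such as `# --flush-all: clear transient objects/sessions left in the TPM at start-up (2.x replacement for --fail-on-loaded-trans)` above DAEMON_OPTS would. If the packaged version still offers a fail-rather-than-flush mode, that keeps the stricter behaviour; worth confirming against the man page of the version built here.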
@@ -0,0 +1,15 @@
+SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+DEPENDS = "zlib"
+
+inherit autotools pkgconfig
+
+CFLAGS += "-D_DEFAULT_SOURCE"
+
+S = "${WORKDIR}/suricata-${VER}/${BPN}"
+
+RDEPENDS_${PN} += "zlib"
diff --git a/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb b/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb
deleted file mode 100644
index 63f75e096..000000000
--- a/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-SUMMARY = "The tool for updating your Suricata rules. "
-HOMEPAGE = "http://suricata-ids.org/"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRCREV = "dcd0f630e13463750efb1593ad3ccae1ae6c27d4"
-SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.0.x'"
-
-S = "${WORKDIR}/git"
-
-inherit python3native setuptools3
-
-RDEPENDS_${PN} = "python3-pyyaml"
diff --git a/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb b/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
new file mode 100644
index 000000000..0070b5bcf
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
@@ -0,0 +1,15 @@
+SUMMARY = "The tool for updating your Suricata rules. "
+HOMEPAGE = "http://suricata-ids.org/"
+SECTION = "security Monitor/Admin"
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+SRCREV = "9630630ffc493ca26299d174ee2066aa1405b2d4"
+SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.1.x'"
+
+S = "${WORKDIR}/git"
+
+inherit python3native setuptools3
+
+RDEPENDS_${PN} = "python3-pyyaml"
diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
index 1f4baffcc..3adbcf6d4 100644
--- a/meta-security/recipes-ids/suricata/suricata.inc
+++ b/meta-security/recipes-ids/suricata/suricata.inc
@@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/"
 SECTION = "security Monitor/Admin"
 LICENSE = "GPLv2"
-VER = "4.1.5"
+VER = "4.1.6"
 SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-SRC_URI[md5sum] = "0dfd68f6f4314c5c2eed7128112eff3b"
-SRC_URI[sha256sum] = "cee5f6535cd7fe63fddceab62eb3bc66a63fc464466c88ec7a41b7a1331ac74b"
+SRC_URI[md5sum] = "da5de1e8053f05cbd295793210117d34"
+SRC_URI[sha256sum] = "8441ac89016106459ade2112fcde58b3f789e4beb2fd8bfa081ffb75eec75fe0"
diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb b/meta-security/recipes-ids/suricata/suricata_4.1.5.bb
deleted file mode 100644
index b2700d63f..000000000
--- a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb
+++ /dev/null
@@ -1,98 +0,0 @@
-SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRC_URI += " \
- file://volatiles.03_suricata \
- file://tmpfiles.suricata \
- file://suricata.yaml \
- file://suricata.service \
- file://run-ptest \
- file://0001-af-packet-fix-build-on-recent-Linux-kernels.patch \
- "
-
-inherit autotools-brokensep pkgconfig python3-dir systemd ptest
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
- ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
-
-EXTRA_OECONF += " --disable-debug \
- --enable-non-bundled-htp \
- --disable-gccmarch-native \
- --disable-suricata-update \
- "
-
-PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
-PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
-
-PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
-PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
-PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ,"
-PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
-PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
-PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
-PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
-
-PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
-PACKAGECONFIG[file] = ",,file, file"
-PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
-PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3"
-PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
-
-export logdir = "${localstatedir}/log"
-
-do_install_append () {
-
- install -d ${D}${sysconfdir}/suricata
-
- oe_runmake install-conf DESTDIR=${D}
-
- oe_runmake install-rules DESTDIR=${D}
-
- install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
-
- install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/tmpfiles.d
- install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
-
- install -d ${D}${systemd_unitdir}/system
- sed -e s:/etc:${sysconfdir}:g \
- -e s:/var/run:/run:g \
- -e s:/var:${localstatedir}:g \
- -e s:/usr/bin:${bindir}:g \
- -e s:/bin/kill:${base_bindir}/kill:g \
- -e s:/usr/lib:${libdir}:g \
- ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
- fi
-
- # Remove /var/run as it is created on startup
- rm -rf ${D}${localstatedir}/run
-
-}
-
-pkg_postinst_ontarget_${PN} () {
-if command -v systemd-tmpfiles >/dev/null; then
- systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
-elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
-}
-
-SYSTEMD_PACKAGES = "${PN}"
-
-PACKAGES =+ "${PN}-socketcontrol"
-FILES_${PN} += 
"${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
-FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-
-CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
-
-RDEPENDS_${PN}-python = "python"
diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.6.bb b/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
new file mode 100644
index 000000000..9b7122b9e
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
@@ -0,0 +1,97 @@
+SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+SRC_URI += " \
+ file://volatiles.03_suricata \
+ file://tmpfiles.suricata \
+ file://suricata.yaml \
+ file://suricata.service \
+ file://run-ptest \
+ "
+
+inherit autotools-brokensep pkgconfig python3-dir systemd ptest
+
+CFLAGS += "-D_DEFAULT_SOURCE"
+
+CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
+ ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
+
+EXTRA_OECONF += " --disable-debug \
+ --enable-non-bundled-htp \
+ --disable-gccmarch-native \
+ --disable-suricata-update \
+ "
+
+PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
+PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
+
+PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
+PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
+PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
+PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ,"
+PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
+PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
+PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
+PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
+
+PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} 
--with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
+PACKAGECONFIG[file] = ",,file, file"
+PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
+PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3"
+PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
+
+export logdir = "${localstatedir}/log"
+
+do_install_append () {
+
+ install -d ${D}${sysconfdir}/suricata
+
+ oe_runmake install-conf DESTDIR=${D}
+
+ oe_runmake install-rules DESTDIR=${D}
+
+ install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
+
+ install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
+
+ install -d ${D}${systemd_unitdir}/system
+ sed -e s:/etc:${sysconfdir}:g \
+ -e s:/var/run:/run:g \
+ -e s:/var:${localstatedir}:g \
+ -e s:/usr/bin:${bindir}:g \
+ -e s:/bin/kill:${base_bindir}/kill:g \
+ -e s:/usr/lib:${libdir}:g \
+ ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+ fi
+
+ # Remove /var/run as it is created on startup
+ rm -rf ${D}${localstatedir}/run
+
+}
+
+pkg_postinst_ontarget_${PN} () {
+if command -v systemd-tmpfiles >/dev/null; then
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
+elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+}
+
+SYSTEMD_PACKAGES = "${PN}"
+
+PACKAGES =+ "${PN}-socketcontrol"
+FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
+FILES_${PN}-socketcontrol = 
"${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
+
+CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
+
+RDEPENDS_${PN}-python = "python"
diff --git a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
new file mode 100644
index 000000000..a53433fe5
--- /dev/null
+++ b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
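Review bot: The last line of the new recipe, `RDEPENDS_${PN}-python = "python"`, names a `${PN}-python` package that no PACKAGES line in this file declares and a python2 runtime, while the recipe's own `PACKAGECONFIG[python]` entry and the `python3-dir` class it inherits are all python3; unless a class outside this file splits off `${PN}-python`, the line is dead, and if it is ever honoured it pulls python2 onto the image. It was carried over verbatim from suricata_4.1.5.bb, so either drop it or pair it with an explicit `PACKAGES =+ "${PN}-python"` and point it at `python3`. The dropped `0001-af-packet-fix-build-on-recent-Linux-kernels.patch` is the only other difference from the 4.1.5 recipe; a note that 4.1.6 carries that fix upstream would help the next reader.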
@@ -0,0 +1,45 @@
+From 1ecdddb2a5b61cf527d1f238f88a9d129239f87a Mon Sep 17 00:00:00 2001
+From: Paul Moore
+Date: Tue, 5 Nov 2019 15:11:11 -0500
+Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
+
+We recently changed how libseccomp handles syscall numbers that are
+not defined natively, but we missed test #15.
+
+Acked-by: Tom Hromatka
+Signed-off-by: Paul Moore
+
+Upstream-Status: Backport
+[https://github.com/seccomp/libseccomp/commit/1ecdddb2a5b61cf527d1f238f88a9d129239f87a]
+
+Signed-off-by: Yi Zhao
+---
+ tests/15-basic-resolver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
+index 6badef1..0c1eefe 100644
+--- a/tests/15-basic-resolver.c
++++ b/tests/15-basic-resolver.c
+@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
+ unsigned int arch;
+ char *name = NULL;
+
+- if (seccomp_syscall_resolve_name("open") != __NR_open)
++ if (seccomp_syscall_resolve_name("open") != __SNR_open)
+ goto fail;
+- if (seccomp_syscall_resolve_name("read") != __NR_read)
++ if (seccomp_syscall_resolve_name("read") != __SNR_read)
+ goto fail;
+ if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
+ goto fail;
+
+ rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
+- if (rc != __NR_openat)
++ if (rc != __SNR_openat)
+ goto fail;
+
+ while ((arch = arch_list[iter++]) != -1) {
+--
+2.17.1
+
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
deleted file mode 100644
index 37a79829f..000000000
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
+++ /dev/null
@@ -1,43 +0,0 @@
-SUMMARY = "interface to seccomp filtering mechanism"
-DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp."
-SECTION = "security"
-LICENSE = "LGPL-2.1"
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-
-SRCREV = "fb43972ea1aab24f2a70193fb7445c2674f594e3"
-
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
- file://run-ptest \
-"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep pkgconfig ptest
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
-
-DISABLE_STATIC = ""
-
-do_compile_ptest() {
- oe_runmake -C tests check-build
-}
-
-do_install_ptest() {
- install -d ${D}${PTEST_PATH}/tests
- install -d ${D}${PTEST_PATH}/tools
- for file in $(find tests/* -executable -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
- done
- for file in $(find tests/*.tests -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
- done
- for file in $(find tools/* -executable -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools
- done
-}
-
-FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
-FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
-
-RDEPENDS_${PN}-ptest = "bash"
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
new file mode 100644
index 000000000..07db82a60
--- /dev/null
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
@@ -0,0 +1,44 @@
+SUMMARY = "interface to seccomp filtering mechanism"
+DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp."
+SECTION = "security"
+LICENSE = "LGPL-2.1"
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
+
+SRCREV = "1b6cfd1fc0b7499a28c24299a93a80bd18619563"
+
+SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
+ file://0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch \
+ file://run-ptest \
+"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig ptest
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
+
+DISABLE_STATIC = ""
+
+do_compile_ptest() {
+ oe_runmake -C tests check-build
+}
+
+do_install_ptest() {
+ install -d ${D}${PTEST_PATH}/tests
+ install -d ${D}${PTEST_PATH}/tools
+ for file in $(find tests/* -executable -type f); do
+ install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
+ done
+ for file in $(find tests/*.tests -type f); do
+ install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
+ done
+ for file in $(find tools/* -executable -type f); do
+ install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools
+ done
+}
+
+FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
+FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
+
+RDEPENDS_${PN}-ptest = "bash"
-- cgit v1.2.3