From 59125e0dc92e9e1d6f103f91c865ad6f6c1f51f6 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 23 Jul 2021 12:56:22 -0400 Subject: meta-security: subtree update:46f7e7acbe..152cdb506b Anton Antonov (1): Do not use clang toolchain in Parsec recipes Armin Kuster (9): initramfs-framework: fix typo in conditional ssshgaurd: add packaage packagegroup-core-security: add sshguard initramfs-framework: rename files dir sssd: update to 2.5.1 suricata: update to 6.0.3 kas/kas-security-alt.yml: add meta-rust .gitlab-ci.yml: fix qemux86 musl order tpm-tools: fix build issue Yi Zhao (2): apparmor: upgrade 3.0 -> 3.0.1 apparmor: use its own initscript and service files 
Signed-off-by: Andrew Geissler Change-Id: Idf435d7f6b767d87ae2cc720b520e57c22645935 --- meta-security/.gitlab-ci.yml | 2 +- .../recipes-ids/suricata/libhtp_0.5.37.bb | 27 -- .../recipes-ids/suricata/libhtp_0.5.38.bb | 27 ++ .../meta-rust/recipes-ids/suricata/suricata.inc | 5 - .../recipes-ids/suricata/suricata_6.0.2.bb | 193 --------------- .../recipes-ids/suricata/suricata_6.0.3.bb | 206 ++++++++++++++++ meta-security/kas/kas-security-alt.yml | 5 + .../parsec-service/parsec-service_0.7.0.bb | 3 +- .../parsec-tool/parsec-tool_0.3.0.bb | 2 - .../recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb | 12 +- .../initrdscripts/initramfs-framework-dm/dmverity | 63 +++++ .../initrdscripts/initramfs-framework.inc | 2 +- .../initrdscripts/initramfs-framework/dmverity | 63 ----- .../initrdscripts/initramfs-framework_1.0.bbappend | 2 +- .../packagegroup/packagegroup-core-security.bb | 1 + .../recipes-mac/AppArmor/apparmor_3.0.1.bb | 175 +++++++++++++ meta-security/recipes-mac/AppArmor/apparmor_3.0.bb | 194 --------------- ...le-fix-hardcoded-installation-directories.patch | 51 ++++ ...iles-Update-make-check-to-select-tools-ba.patch | 2 +- .../0001-aa_status-Fix-build-issue-with-musl.patch | 31 --- .../files/0001-apparmor-fix-manpage-order.patch | 43 ---- ...pparmor-add-missing-include-for-socklen_t.patch | 36 --- ...file-dont-force-host-cpp-to-detect-reallo.patch | 37 --- ...-rc.apparmor.debian-add-missing-functions.patch | 57 +++++ ...-add-aa_features_new_from_file-to-public-.patch | 37 --- ...armor-add-_aa_asprintf-to-private-symbols.patch | 34 --- meta-security/recipes-mac/AppArmor/files/apparmor | 226 ----------------- .../recipes-mac/AppArmor/files/apparmor.rc | 98 -------- .../recipes-mac/AppArmor/files/apparmor.service | 22 -- .../recipes-mac/AppArmor/files/disable_pdf.patch | 33 --- meta-security/recipes-mac/AppArmor/files/functions | 271 --------------------- .../recipes-security/sshguard/sshguard_2.4.2.bb | 11 + .../recipes-security/sssd/files/musl_fixup.patch | 53 ++++ 
meta-security/recipes-security/sssd/sssd_2.5.0.bb | 131 ---------- meta-security/recipes-security/sssd/sssd_2.5.1.bb | 133 ++++++++++ 35 files changed, 793 insertions(+), 1495 deletions(-) delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb create mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb create mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb create mode 100644 meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity delete mode 100644 meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity create mode 100644 meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb delete mode 100644 meta-security/recipes-mac/AppArmor/apparmor_3.0.bb create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch delete mode 100644 meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch delete mode 100644 meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch delete mode 100644 meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch delete mode 100644 meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch delete mode 100644 meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch delete mode 100644 meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch delete mode 100644 meta-security/recipes-mac/AppArmor/files/apparmor delete mode 100644 meta-security/recipes-mac/AppArmor/files/apparmor.rc delete mode 100644 
meta-security/recipes-mac/AppArmor/files/apparmor.service delete mode 100644 meta-security/recipes-mac/AppArmor/files/disable_pdf.patch delete mode 100644 meta-security/recipes-mac/AppArmor/files/functions create mode 100644 meta-security/recipes-security/sshguard/sshguard_2.4.2.bb create mode 100644 meta-security/recipes-security/sssd/files/musl_fixup.patch delete mode 100644 meta-security/recipes-security/sssd/sssd_2.5.0.bb create mode 100644 meta-security/recipes-security/sssd/sssd_2.5.1.bb (limited to 'meta-security') diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml index 206d7241b..762ba66e1 100644 --- a/meta-security/.gitlab-ci.yml +++ b/meta-security/.gitlab-ci.yml @@ -66,7 +66,7 @@ qemux86: qemux86-musl: extends: .musl - needs: ['qemux86-parsec'] + needs: ['qemux86'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb deleted file mode 100644 index 34e72e9cb..000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb +++ /dev/null @@ -1,27 +0,0 @@ -SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." - -require suricata.inc - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843" - -SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x" -SRCREV = "eaa2db29e65e7f2691c18a9022aeb5fb836ec5f1" - -DEPENDS = "zlib" - -inherit autotools-brokensep pkgconfig - -CFLAGS += "-D_DEFAULT_SOURCE" - -#S = "${WORKDIR}/suricata-${VER}/${BPN}" - -S = "${WORKDIR}/git" - -do_configure () { - cd ${S} - ./autogen.sh - oe_runconf -} - -RDEPENDS_${PN} += "zlib" - 
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
new file mode 100644
index 000000000..38dece9b1
--- /dev/null
+++ b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
@@ -0,0 +1,27 @@
+SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
+
+SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
+SRCREV = "fca44158911a1642880ea5c774151a33ad33d906"
+
+DEPENDS = "zlib"
+
+inherit autotools-brokensep pkgconfig
+
+CFLAGS += "-D_DEFAULT_SOURCE"
+
+#S = "${WORKDIR}/suricata-${VER}/${BPN}"
+
+S = "${WORKDIR}/git"
+
+do_configure () {
+ cd ${S}
+ ./autogen.sh
+ oe_runconf
+}
+
+RDEPENDS_${PN} += "zlib"
+
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
index 85f419e48..7d3509aa9 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
@@ -1,8 +1,3 @@
 HOMEPAGE = "http://suricata-ids.org/"
 SECTION = "security Monitor/Admin"
 LICENSE = "GPLv2"
-
-VER = "6.0.2"
-SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-
-SRC_URI[sha256sum] = "5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52"
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
deleted file mode 100644
index a4255d247..000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
+++ /dev/null
@@ -1,193 +0,0 @@ -SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine" - -require suricata.inc - -DEPENDS = "lz4 libhtp" - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -SRC_URI += " \ - file://volatiles.03_suricata \ - file://tmpfiles.suricata \ - file://suricata.yaml \ - file://suricata.service \ - file://run-ptest \ - file://fixup.patch \ - " - -SRC_URI += " \ - crate://crates.io/autocfg/1.0.1 \ - crate://crates.io/semver-parser/0.7.0 \ - crate://crates.io/arrayvec/0.4.12 \ - crate://crates.io/ryu/1.0.5 \ - crate://crates.io/libc/0.2.86 \ - crate://crates.io/bitflags/1.2.1 \ - crate://crates.io/version_check/0.9.2 \ - crate://crates.io/memchr/2.3.4 \ - crate://crates.io/nodrop/0.1.14 \ - crate://crates.io/cfg-if/0.1.9 \ - crate://crates.io/static_assertions/0.3.4 \ - crate://crates.io/getrandom/0.1.16 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/siphasher/0.3.3 \ - crate://crates.io/ppv-lite86/0.2.10 \ - crate://crates.io/proc-macro-hack/0.5.19 \ - crate://crates.io/proc-macro2/0.4.30 \ - crate://crates.io/unicode-xid/0.1.0 \ - crate://crates.io/syn/0.15.44 \ - crate://crates.io/build_const/0.2.1 \ - crate://crates.io/num-derive/0.2.5 \ - crate://crates.io/base64/0.11.0 \ - crate://crates.io/widestring/0.4.3 \ - crate://crates.io/md5/0.7.0 \ - crate://crates.io/uuid/0.8.2 \ - crate://crates.io/byteorder/1.4.2 \ - crate://crates.io/semver/0.9.0 \ - crate://crates.io/nom/5.1.1 \ - crate://crates.io/num-traits/0.2.14 \ - crate://crates.io/num-integer/0.1.44 \ - crate://crates.io/num-bigint/0.2.6 \ - crate://crates.io/num-bigint/0.3.1 \ - crate://crates.io/num-rational/0.2.4 \ - crate://crates.io/num-complex/0.2.4 \ - crate://crates.io/num-iter/0.1.42 \ - crate://crates.io/phf_shared/0.8.0 \ - crate://crates.io/crc/1.8.1 \ - crate://crates.io/rustc_version/0.2.3 \ - crate://crates.io/phf/0.8.0 \ - crate://crates.io/lexical-core/0.6.7 \ - 
crate://crates.io/time/0.1.44 \ - crate://crates.io/quote/0.6.13 \ - crate://crates.io/rand_core/0.5.1 \ - crate://crates.io/rand_chacha/0.2.2 \ - crate://crates.io/rand_pcg/0.2.1 \ - crate://crates.io/num-traits/0.1.43 \ - crate://crates.io/rand/0.7.3 \ - crate://crates.io/enum_primitive/0.1.1 \ - crate://crates.io/phf_generator/0.8.0 \ - crate://crates.io/phf_codegen/0.8.0 \ - crate://crates.io/tls-parser/0.9.4 \ - crate://crates.io/num/0.2.1 \ - crate://crates.io/rusticata-macros/2.1.0 \ - crate://crates.io/ntp-parser/0.4.0 \ - crate://crates.io/der-oid-macro/0.2.0 \ - crate://crates.io/der-parser/3.0.4 \ - crate://crates.io/ipsec-parser/0.5.0 \ - crate://crates.io/x509-parser/0.6.5 \ - crate://crates.io/der-parser/4.1.0 \ - crate://crates.io/snmp-parser/0.6.0 \ - crate://crates.io/kerberos-parser/0.5.0 \ - crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ - crate://crates.io/log/0.4.0 \ - crate://crates.io/rand_hc/0.2.0 \ - crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \ - " - -# test case support -SRC_URI += " \ - crate://crates.io/test-case/1.0.1 \ - crate://crates.io/proc-macro2/1.0.1 \ - crate://crates.io/quote/1.0.1 \ - crate://crates.io/syn/1.0.1 \ - crate://crates.io/unicode-xid/0.2.0 \ - " - -inherit autotools pkgconfig python3native systemd ptest cargo - -EXTRA_OECONF += " --disable-debug \ - --disable-gccmarch-native \ - --enable-non-bundled-htp \ - --disable-suricata-update \ - --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \ - " - -CARGO_SRC_DIR = "rust" - -B = "${S}" - -PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr " -PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" - -PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} 
--with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," -PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," -PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap" -PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , " -PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," -PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ," -PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," - -PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson" -PACKAGECONFIG[file] = ",,file, file" -PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," -PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," -PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core" -PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," - -export logdir = "${localstatedir}/log" - -CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes" - -do_configure_prepend () { - oe_runconf -} - -do_compile () { - # we do this to bypass the make provided by this pkg - # patches Makefile to skip the subdir - cargo_do_compile - - # Finish building - cd ${S} - make -} - -do_install () { - install -d ${D}${sysconfdir}/suricata - - oe_runmake install DESTDIR=${D} - - install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata - - install -m 0644 
${S}/threshold.config ${D}${sysconfdir}/suricata - install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf - - install -d ${D}${systemd_unitdir}/system - sed -e s:/etc:${sysconfdir}:g \ - -e s:/var/run:/run:g \ - -e s:/var:${localstatedir}:g \ - -e s:/usr/bin:${bindir}:g \ - -e s:/bin/kill:${base_bindir}/kill:g \ - -e s:/usr/lib:${libdir}:g \ - ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service - fi - - # Remove /var/run as it is created on startup - rm -rf ${D}${localstatedir}/run - - sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc - sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl -} - -pkg_postinst_ontarget_${PN} () { -if command -v systemd-tmpfiles >/dev/null; then - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf -elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then - ${sysconfdir}/init.d/populate-volatile.sh update -fi -} - -SYSTEMD_PACKAGES = "${PN}" - -PACKAGES =+ "${PN}-python" -FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d" -FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" - -CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml" diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb new file mode 100644 index 000000000..632f1d874 --- /dev/null +++ b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb 
@@ -0,0 +1,206 @@
+SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz"
+SRC_URI[sha256sum] = "daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602"
+
+DEPENDS = "lz4 libhtp"
+
+SRC_URI += " \
+ file://volatiles.03_suricata \
+ file://tmpfiles.suricata \
+ file://suricata.yaml \
+ file://suricata.service \
+ file://run-ptest \
+ file://fixup.patch \
+ "
+
+SRC_URI += " \
+ crate://crates.io/autocfg/1.0.1 \
+ crate://crates.io/semver-parser/0.7.0 \
+ crate://crates.io/arrayvec/0.4.12 \
+ crate://crates.io/ryu/1.0.5 \
+ crate://crates.io/libc/0.2.86 \
+ crate://crates.io/bitflags/1.2.1 \
+ crate://crates.io/version_check/0.9.2 \
+ crate://crates.io/memchr/2.3.4 \
+ crate://crates.io/nodrop/0.1.14 \
+ crate://crates.io/cfg-if/0.1.9 \
+ crate://crates.io/static_assertions/0.3.4 \
+ crate://crates.io/getrandom/0.1.16 \
+ crate://crates.io/cfg-if/1.0.0 \
+ crate://crates.io/siphasher/0.3.3 \
+ crate://crates.io/ppv-lite86/0.2.10 \
+ crate://crates.io/proc-macro-hack/0.5.19 \
+ crate://crates.io/proc-macro2/0.4.30 \
+ crate://crates.io/unicode-xid/0.1.0 \
+ crate://crates.io/syn/0.15.44 \
+ crate://crates.io/build_const/0.2.1 \
+ crate://crates.io/num-derive/0.2.5 \
+ crate://crates.io/base64/0.11.0 \
+ crate://crates.io/widestring/0.4.3 \
+ crate://crates.io/md5/0.7.0 \
+ crate://crates.io/uuid/0.8.2 \
+ crate://crates.io/byteorder/1.4.2 \
+ crate://crates.io/semver/0.9.0 \
+ crate://crates.io/nom/5.1.1 \
+ crate://crates.io/num-traits/0.2.14 \
+ crate://crates.io/num-integer/0.1.44 \
+ crate://crates.io/num-bigint/0.2.6 \
+ crate://crates.io/num-bigint/0.3.1 \
+ crate://crates.io/num-rational/0.2.4 \
+ crate://crates.io/num-complex/0.2.4 \
+ crate://crates.io/num-iter/0.1.42 \
+ crate://crates.io/phf_shared/0.8.0 \
+ crate://crates.io/crc/1.8.1 \
+ crate://crates.io/rustc_version/0.2.3 \
+ crate://crates.io/phf/0.8.0 \
+ crate://crates.io/lexical-core/0.6.7 \
+ crate://crates.io/time/0.1.44 \
+ crate://crates.io/quote/0.6.13 \
+ crate://crates.io/rand_core/0.5.1 \
+ crate://crates.io/rand_chacha/0.2.2 \
+ crate://crates.io/rand_pcg/0.2.1 \
+ crate://crates.io/num-traits/0.1.43 \
+ crate://crates.io/rand/0.7.3 \
+ crate://crates.io/enum_primitive/0.1.1 \
+ crate://crates.io/phf_generator/0.8.0 \
+ crate://crates.io/phf_codegen/0.8.0 \
+ crate://crates.io/tls-parser/0.9.4 \
+ crate://crates.io/num/0.2.1 \
+ crate://crates.io/rusticata-macros/2.1.0 \
+ crate://crates.io/ntp-parser/0.4.0 \
+ crate://crates.io/der-oid-macro/0.2.0 \
+ crate://crates.io/der-parser/3.0.4 \
+ crate://crates.io/ipsec-parser/0.5.0 \
+ crate://crates.io/x509-parser/0.6.5 \
+ crate://crates.io/der-parser/4.1.0 \
+ crate://crates.io/snmp-parser/0.6.0 \
+ crate://crates.io/kerberos-parser/0.5.0 \
+ crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \
+ crate://crates.io/winapi/0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+ crate://crates.io/log/0.4.0 \
+ crate://crates.io/rand_hc/0.2.0 \
+ crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \
+ crate://crates.io/sawp/0.5.0 \
+ crate://crates.io/sawp-modbus/0.5.0 \
+ crate://crates.io/brotli/3.3.0 \
+ crate://crates.io/flate2/1.0.20 \
+ crate://crates.io/alloc-no-stdlib/2.0.1 \
+ crate://crates.io/alloc-stdlib/0.2.1 \
+ crate://crates.io/brotli-decompressor/2.3.1 \
+ crate://crates.io/crc32fast/1.2.1 \
+ crate://crates.io/miniz_oxide/0.4.4 \
+ crate://crates.io/adler/1.0.2 \
+ "
+
+# test case support
+SRC_URI += " \
+ crate://crates.io/test-case/1.0.1 \
+ crate://crates.io/proc-macro2/1.0.1 \
+ crate://crates.io/quote/1.0.1 \
+ crate://crates.io/syn/1.0.1 \
+ crate://crates.io/unicode-xid/0.2.0 \
+ "
+
+inherit autotools pkgconfig python3native systemd ptest cargo
+
+EXTRA_OECONF += " --disable-debug \
+ --disable-gccmarch-native \
+ --enable-non-bundled-htp \
+ --disable-suricata-update \
+ --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \
+ "
+
+CARGO_SRC_DIR = "rust"
+
+B = "${S}"
+
+PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr "
+PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
+
+PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
+PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
+PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap"
+PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
+PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
+PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
+PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
+
+PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
+PACKAGECONFIG[file] = ",,file, file"
+PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
+PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core"
+PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
+
+export logdir = "${localstatedir}/log"
+
+CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes"
+
+do_configure_prepend () {
+ oe_runconf
+}
+
+do_compile () {
+ # we do this to bypass the make provided by this pkg
+ # patches Makefile to skip the subdir
+ cargo_do_compile
+
+ # Finish building
+ cd ${S}
+ make
+}
+
+do_install () {
+ install -d ${D}${sysconfdir}/suricata
+
+ oe_runmake install DESTDIR=${D}
+
+ install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata
+
+ install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
+ install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
+
+ install -d ${D}${systemd_unitdir}/system
+ sed -e s:/etc:${sysconfdir}:g \
+ -e s:/var/run:/run:g \
+ -e s:/var:${localstatedir}:g \
+ -e s:/usr/bin:${bindir}:g \
+ -e s:/bin/kill:${base_bindir}/kill:g \
+ -e s:/usr/lib:${libdir}:g \
+ ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+ fi
+
+ # Remove /var/run as it is created on startup
+ rm -rf ${D}${localstatedir}/run
+
+ sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc
+ sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl
+}
+
+pkg_postinst_ontarget_${PN} () {
+if command -v systemd-tmpfiles >/dev/null; then
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
+elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+}
+
+SYSTEMD_PACKAGES = "${PN}"
+
+PACKAGES =+ "${PN}-python"
+FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
+FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
+
+CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
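Review bot: `PACKAGECONFIG[nss]` and `PACKAGECONFIG[nspr]` in the new recipe put the package name in the second (disable-flag) field, so when nss or nspr is left out of PACKAGECONFIG the bare word `nss`/`nspr` is handed to configure as an argument; every other entry in the file leaves that field empty. Suggested: `PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR},,nss,"` and `PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR},,nspr,"`. Two smaller points: `SRC_URI` now fetches the release tarball over plain http — the sha256sum makes tampering detectable, but an https URL is the conventional form and avoids pulling the archive in the clear — and `do_install` runs `install -d ${D}${sysconfdir}/suricata` twice, so the first call can go. These lines are carried over unchanged from the deleted 6.0.2 recipe, so the issue predates this commit.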
diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml index 151452452..25384dfba 100644 --- a/meta-security/kas/kas-security-alt.yml +++ b/meta-security/kas/kas-security-alt.yml @@ -3,6 +3,11 @@ header: includes: - kas-security-base.yml +repos: + meta-rust: + url: https://github.com/meta-rust/meta-rust.git + refspec: master + local_conf_header: alt: | DISTRO_FEATURES_append = " systemd" diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb index 0e149558c..d57a43a5a 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb +++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb @@ -10,8 +10,7 @@ SRC_URI += "crate://crates.io/parsec-service/${PV} \ file://parsec-tmpfiles.conf \ " -DEPENDS = "tpm2-tss" -TOOLCHAIN = "clang" +DEPENDS = "tpm2-tss clang-native" CARGO_BUILD_FLAGS += " --features all-providers,cryptoki/generate-bindings,tss-esapi/generate-bindings" diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb b/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb index 35c65c02a..881f8d896 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb +++ b/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb @@ -7,8 +7,6 @@ inherit cargo SRC_URI += "crate://crates.io/parsec-tool/${PV} \ " -TOOLCHAIN = "clang" - do_install() { install -d ${D}/${bindir} install -m 755 "${B}/target/${TARGET_SYS}/release/parsec-tool" "${D}${bindir}/parsec-tool" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb index 8aeb8ac4b..9e0a6862b 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb 
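Review bot: The new `meta-rust` entry pins `refspec: master`, so the layer set this kas file resolves changes with every upstream push; the alt build is then not reproducible, and an unrelated meta-rust change (or a tampered branch) reaches CI without any review here. The base file's other repos are not visible in this hunk, but the usual kas convention is a commit hash that is bumped deliberately, e.g. `refspec: <PLACEHOLDER_META_RUST_COMMIT>`. If tracking the branch is intentional, a comment next to the entry saying so would help the next reader.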
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb @@ -9,16 +9,16 @@ SECTION = "tpm" LICENSE = "CPL-1.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9" -DEPENDS = "libtspi openssl" +DEPENDS = "libtspi openssl perl" DEPENDS_class-native = "trousers-native" SRCREV = "bf43837575c5f7d31865562dce7778eae970052e" SRC_URI = " \ - git://git.code.sf.net/p/trousers/tpm-tools \ - file://tpm-tools-extendpcr.patch \ - file://04-fix-FTBFS-clang.patch \ - file://openssl1.1_fix.patch \ - " + git://git.code.sf.net/p/trousers/tpm-tools \ + file://tpm-tools-extendpcr.patch \ + file://04-fix-FTBFS-clang.patch \ + file://openssl1.1_fix.patch \ + " inherit autotools-brokensep gettext diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity new file mode 100644 index 000000000..888052ccd --- /dev/null +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity 
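Review bot: `DEPENDS = "libtspi openssl perl"` adds the target `perl` package, which stages target perl into the sysroot but does not give the build a host-runnable interpreter; if perl is only needed at build time (the commit message calls this a build fix, so presumably it is), the conventional form is `perl-native` in DEPENDS or `inherit perlnative` next to the existing `autotools-brokensep gettext`. If the intent is instead a runtime dependency for installed scripts, that belongs in `RDEPENDS_${PN}`.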
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+dmverity_enabled() {
+ return 0
+}
+
+dmverity_run() {
+ DATA_SIZE="__not_set__"
+ ROOT_HASH="__not_set__"
+
+ . /usr/share/misc/dm-verity.env
+
+ C=0
+ delay=${bootparam_rootdelay:-1}
+ timeout=${bootparam_roottimeout:-5}
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ while [ ! -b "${RDEV}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device resolution failed"
+ exit 1
+ fi
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+ debug "Sleeping for $delay second(s) to wait root to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+
+ done
+
+ veritysetup \
+ --data-block-size=1024 \
+ --hash-offset=${DATA_SIZE} \
+ create rootfs \
+ ${RDEV} \
+ ${RDEV} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+}
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework.inc b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc
index dad9c967c..12010bf34 100644
--- a/meta-security/recipes-core/initrdscripts/initramfs-framework.inc
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc
@@ -1,4 +1,4 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+FILESEXTRAPATHS_prepend := "${THISDIR}/initramfs-framework-dm:" SRC_URI_append = "\ file://dmverity \ 
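Review bot: `dmverity_run` never checks the result of `veritysetup ... create rootfs`; if activation fails (a `DATA_SIZE` offset that is wrong, a root hash that does not match, or the env file missing so both stay at `__not_set__`), the script only notices when the following `mount` of `/dev/mapper/rootfs` fails with `exit 2`, which reports a mount problem rather than a verification failure. Suggested, mirroring the script's existing `fatal`/`exit` pattern: `[ "${ROOT_HASH}" != "__not_set__" ] || { fatal "dm-verity root hash not set"; exit 1; }` right after the `. /usr/share/misc/dm-verity.env` line, and `${ROOT_HASH} || { fatal "veritysetup create failed"; exit 1; }` as the last line of the veritysetup call. The file appears to be moved unchanged from `initramfs-framework/dmverity`, so this predates the commit, but it is the one place a verity failure surfaces during boot and is worth making explicit.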
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity deleted file mode 100644 index 888052ccd..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/sh - -dmverity_enabled() { - return 0 -} - -dmverity_run() { - DATA_SIZE="__not_set__" - ROOT_HASH="__not_set__" - - . /usr/share/misc/dm-verity.env - - C=0 - delay=${bootparam_rootdelay:-1} - timeout=${bootparam_roottimeout:-5} - RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" - while [ ! -b "${RDEV}" ]; do - if [ $(( $C * $delay )) -gt $timeout ]; then - fatal "Root device resolution failed" - exit 1 - fi - - case "${bootparam_root}" in - ID=*) - RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})" - ;; - LABEL=*) - RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})" - ;; - PARTLABEL=*) - RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})" - ;; - PARTUUID=*) - RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" - ;; - PATH=*) - RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})" - ;; - UUID=*) - RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})" - ;; - *) - RDEV="${bootparam_root}" - esac - debug "Sleeping for $delay second(s) to wait root to settle..." - sleep $delay - C=$(( $C + 1 )) - - done - - veritysetup \ - --data-block-size=1024 \ - --hash-offset=${DATA_SIZE} \ - create rootfs \ - ${RDEV} \ - ${RDEV} \ - ${ROOT_HASH} - - mount \ - -o ro \ - /dev/mapper/rootfs \ - ${ROOTFS_DIR} || exit 2 -} diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend index dc74e017f..f5d476edb 100644 --- a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend 
@@ -1 +1 @@
-require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity', 'initramfs-framework.inc', '', d)}
+require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 'initramfs-framework.inc', '', d)}
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index e7b6d9bf3..8e06f30bc 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -40,6 +40,7 @@ RDEPENDS_packagegroup-security-utils = "\
 softhsm \
 libest \
 opendnssec \
+ sshguard \
 ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
 ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
 ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb
new file mode 100644
index 000000000..ff5b39b05
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb
@@ -0,0 +1,175 @@
+SUMMARY = "AppArmor another MAC control system"
+DESCRIPTION = "user-space parser utility for AppArmor \
+ This provides the system initialization scripts needed to use the \
+ AppArmor Mandatory Access Control system, including the AppArmor Parser \
+ which is required to convert AppArmor text profiles into machine-readable \
+ policies that are loaded into the kernel for use with the AppArmor Linux \
+ Security Module."
+HOMEAPAGE = "http://apparmor.net/"
+SECTION = "admin"
+
+LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
+
+DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
+
+SRC_URI = " \
+ git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
+ file://run-ptest \
+ file://disable_perl_h_check.patch \
+ file://crosscompile_perl_bindings.patch \
+ file://0001-Makefile.am-suppress-perllocal.pod.patch \
+ file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
+ file://0001-Makefile-fix-hardcoded-installation-directories.patch \
+ file://0001-rc.apparmor.debian-add-missing-functions.patch \
+ "
+
+SRCREV = "b0f08aa9d678197b8e3477c2fbff790f50a1de5e"
+S = "${WORKDIR}/git"
+
+PARALLEL_MAKE = ""
+
+COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
+
+inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion
+
+REQUIRED_DISTRO_FEATURES = "apparmor"
+
+PACKAGECONFIG ?= "python perl aa-decode"
+PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG[python] = "--with-python, --without-python, python3 , python3-core python3-modules"
+PACKAGECONFIG[perl] = "--with-perl, --without-perl, "
+PACKAGECONFIG[apache2] = ",,apache2,"
+PACKAGECONFIG[aa-decode] = ",,,bash"
+
+python() {
+ if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
+ 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
+ raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
+}
+
+DISABLE_STATIC = ""
+
+do_configure() {
+ cd ${S}/libraries/libapparmor
+ aclocal
+ autoconf --force
+ libtoolize --automake -c --force
+ automake -ac
+ ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+do_compile () {
+ sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+ oe_runmake -C ${B}/libraries/libapparmor
+ oe_runmake -C ${B}/binutils
+ oe_runmake -C ${B}/utils
+ oe_runmake -C ${B}/parser
+ oe_runmake -C ${B}/profiles
+
+ if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then
+ oe_runmake -C ${B}/changehat/mod_apparmor
+ fi
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
+ oe_runmake -C ${B}/changehat/pam_apparmor
+ fi
+}
+
+do_install () {
+ oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+ oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+ oe_runmake -C ${B}/utils DESTDIR="${D}" install
+ oe_runmake -C ${B}/parser DESTDIR="${D}" install
+ oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+ if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-decode
+ fi
+
+ if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then
+ oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+ fi
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
+ oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+ fi
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
+ install -d ${D}${sysconfdir}/init.d
+ install -m 755 ${B}/parser/rc.apparmor.debian ${D}${sysconfdir}/init.d/apparmor
+ fi
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
+ fi
+}
+
+#Building ptest on arm fails.
+do_compile_ptest_aarch64 () {
+ :
+}
+
+do_compile_ptest_arm () {
+ :
+}
+
+do_compile_ptest () {
+ sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile
+ oe_runmake -C ${B}/tests/regression/apparmor USE_SYSTEM=0
+ oe_runmake -C ${B}/libraries/libapparmor
+}
+
+do_install_ptest () {
+ t=${D}/${PTEST_PATH}/testsuite
+ install -d ${t}
+ install -d ${t}/tests/regression/apparmor
+ cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+
+ cp ${B}/parser/apparmor_parser ${t}/parser
+ cp ${B}/parser/frob_slack_rc ${t}/parser
+
+ install -d ${t}/libraries/libapparmor
+ cp -rf ${B}/libraries/libapparmor ${t}/libraries
+
+ install -d ${t}/common
+ cp -rf ${B}/common ${t}
+
+ install -d ${t}/binutils
+ cp -rf ${B}/binutils ${t}
+}
+
+#Building ptest on arm fails.
+do_install_ptest_aarch64 () {
+ :
+}
+
+do_install_ptest_arm() {
+ :
+}
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "apparmor"
+INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "apparmor.service"
+SYSTEMD_AUTO_ENABLE ?= "enable"
+
+PACKAGES += "mod-${PN}"
+
+FILES_${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
+FILES_mod-${PN} = "${libdir}/apache2/modules/*"
+FILES_${PN}-dbg += "${base_libdir}/security/.debug"
+
+DEPENDS_append_libc-musl = " fts "
+RDEPENDS_${PN}_libc-musl += "musl-utils"
+RDEPENDS_${PN}_libc-glibc += "glibc-utils"
+
+# Add coreutils and findutils only if sysvinit scripts are in use
+RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
+RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
+
+INSANE_SKIP_${PN} = "ldflags"
+PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
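Review bot: `INSANE_SKIP_${PN} = "ldflags"` at the bottom of the recipe switches off the QA test that confirms the linker was actually run with the distro's `TARGET_LDFLAGS`, which is also where hardening link options (relro/now, for distros that include security_flags.inc) travel, so for the binary that compiles and loads MAC policy into the kernel this hides exactly the regression a security layer exists to catch. The hand-written `do_configure` and the plain `oe_runmake -C ${B}/parser` / `-C ${B}/binutils` calls suggest one of the sub-Makefiles overrides the exported `LDFLAGS`; the better fix is to pass them through explicitly (e.g. `EXTRA_OEMAKE = "LDFLAGS='${LDFLAGS}'"`, checking that no sub-Makefile relies on appending to it) and drop the skip, or failing that add a comment above the skip naming the binary that trips the test and why that is tolerated. Separately, `HOMEAPAGE` is a typo carried over from the 3.0 recipe and should read `HOMEPAGE = "http://apparmor.net/"`.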
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb
deleted file mode 100644
index d9c3e4d83..000000000
--- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb
+++ /dev/null
@@ -1,194 +0,0 @@ -SUMMARY = "AppArmor another MAC control system" -DESCRIPTION = "user-space parser utility for AppArmor \ - This provides the system initialization scripts needed to use the \ - AppArmor Mandatory Access Control system, including the AppArmor Parser \ - which is required to convert AppArmor text profiles into machine-readable \ - policies that are loaded into the kernel for use with the AppArmor Linux \ - Security Module." -HOMEAPAGE = "http://apparmor.net/" -SECTION = "admin" - -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" - -DEPENDS = "bison-native apr gettext-native coreutils-native swig-native" - -SRC_URI = " \ - git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \ - file://disable_perl_h_check.patch \ - file://crosscompile_perl_bindings.patch \ - file://apparmor.rc \ - file://functions \ - file://apparmor \ - file://apparmor.service \ - file://0001-Makefile.am-suppress-perllocal.pod.patch \ - file://run-ptest \ - file://0001-apparmor-fix-manpage-order.patch \ - file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \ - file://0001-libapparmor-add-missing-include-for-socklen_t.patch \ - file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \ - file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \ - file://0001-aa_status-Fix-build-issue-with-musl.patch \ - file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \ - " - -SRCREV = "5d51483bfecf556183558644dc8958135397a7e2" -S = "${WORKDIR}/git" - -PARALLEL_MAKE = "" - -COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" - -inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion - -REQUIRED_DISTRO_FEATURES = "apparmor" - -PACKAGECONFIG ?= "python perl aa-decode" -PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" -PACKAGECONFIG[python] = 
"--with-python, --without-python, python3 , python3-core python3-modules" -PACKAGECONFIG[perl] = "--with-perl, --without-perl, " -PACKAGECONFIG[apache2] = ",,apache2," -PACKAGECONFIG[aa-decode] = ",,,bash" - -python() { - if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ - 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') -} - -DISABLE_STATIC = "" - -do_configure() { - cd ${S}/libraries/libapparmor - aclocal - autoconf --force - libtoolize --automake -c --force - automake -ac - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} -} - -do_compile () { - sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile - oe_runmake -C ${B}/libraries/libapparmor - oe_runmake -C ${B}/binutils - oe_runmake -C ${B}/utils - oe_runmake -C ${B}/parser - oe_runmake -C ${B}/profiles - - if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then - oe_runmake -C ${B}/changehat/mod_apparmor - fi - - if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then - oe_runmake -C ${B}/changehat/pam_apparmor - fi -} - -do_install () { - install -d ${D}/${INIT_D_DIR} - install -d ${D}/lib/apparmor - oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install - oe_runmake -C ${B}/binutils DESTDIR="${D}" install - oe_runmake -C ${B}/utils DESTDIR="${D}" install - oe_runmake -C ${B}/parser DESTDIR="${D}" install - oe_runmake -C ${B}/profiles DESTDIR="${D}" install - - if ! 
${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then - rm -f ${D}${sbindir}/aa-decode - fi - - if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then - oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install - fi - - if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then - install -d ${D}/lib/security - oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install - fi - - install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor - install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor - - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} - fi -} - -#Building ptest on arm fails. -do_compile_ptest_aarch64 () { - : -} - -do_compile_ptest_arm () { - : -} - -do_compile_ptest () { - sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile - oe_runmake -C ${B}/tests/regression/apparmor USE_SYSTEM=0 - oe_runmake -C ${B}/libraries/libapparmor -} - -do_install_ptest () { - t=${D}/${PTEST_PATH}/testsuite - install -d ${t} - install -d ${t}/tests/regression/apparmor - cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression - - cp ${B}/parser/apparmor_parser ${t}/parser - cp ${B}/parser/frob_slack_rc ${t}/parser - - install -d ${t}/libraries/libapparmor - cp -rf ${B}/libraries/libapparmor ${t}/libraries - - install -d ${t}/common - cp -rf ${B}/common ${t} - - install -d ${t}/binutils - cp -rf ${B}/binutils ${t} -} - -#Building ptest on arm fails. -do_install_ptest_aarch64 () { - : -} - -do_install_ptest_arm() { - : -} - -pkg_postinst_ontarget_${PN} () { -if [ ! 
-d /etc/apparmor.d/cache ] ; then - mkdir /etc/apparmor.d/cache -fi -} - -# We need the init script so don't rm it -RMINITDIR_class-target_remove = " rm_sysvinit_initddir" - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "apparmor" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." - -SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "apparmor.service" -SYSTEMD_AUTO_ENABLE ?= "enable" - -PACKAGES += "mod-${PN}" - -FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages" -FILES_mod-${PN} = "${libdir}/apache2/modules/*" -FILES_${PN}-dbg += "/lib/security/" - -DEPENDS_append_libc-musl = " fts " -RDEPENDS_${PN}_libc-musl += "musl-utils" -RDEPENDS_${PN}_libc-glibc += "glibc-utils" - -# Add coreutils and findutils only if sysvinit scripts are in use -RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" -RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" -RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" - -INSANE_SKIP_${PN} = "ldflags" -PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch b/meta-security/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch new file mode 100644 index 000000000..f10acb163 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch 
@@ -0,0 +1,51 @@
+From 363114dcd72abf1c0dcd637c66037227b8be229b Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Mon, 21 Jun 2021 14:18:30 +0800
+Subject: [PATCH 1/2] Makefile: fix hardcoded installation directories
+
+Update the installation directories to fix the do_install error for
+multilib and usrmerge.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Yi Zhao
+---
+ changehat/pam_apparmor/Makefile | 2 +-
+ parser/Makefile | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/changehat/pam_apparmor/Makefile b/changehat/pam_apparmor/Makefile
+index f6ece2d1..0143ae9f 100644
+--- a/changehat/pam_apparmor/Makefile
++++ b/changehat/pam_apparmor/Makefile
+@@ -77,7 +77,7 @@ $(NAME).so: ${OBJECTS}
+
+ # need some better way of determining this
+ DESTDIR=/
+-SECDIR ?= ${DESTDIR}/lib/security
++SECDIR ?= ${DESTDIR}/${base_libdir}/security
+
+ .PHONY: install
+ install: $(NAME).so
+diff --git a/parser/Makefile b/parser/Makefile
+index 8250ac45..cf18bc11 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -23,10 +23,10 @@ COMMONDIR=../common/
+ include $(COMMONDIR)/Make.rules
+
+ DESTDIR=/
+-APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
+-SBINDIR=${DESTDIR}/sbin
+-USR_SBINDIR=${DESTDIR}/usr/sbin
+-SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
++APPARMOR_BIN_PREFIX=${DESTDIR}/${nonarch_base_libdir}/apparmor
++SBINDIR=${DESTDIR}/${base_sbindir}
++USR_SBINDIR=${DESTDIR}/${sbindir}
++SYSTEMD_UNIT_DIR=${DESTDIR}/${systemd_system_unitdir}
+ CONFDIR=/etc/apparmor
+ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
+ LOCALEDIR=/usr/share/locale
+--
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
index 791437d1d..e7abd602c 100644
--- a/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
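Review bot: The new paths in `parser/Makefile` and `changehat/pam_apparmor/Makefile` use `${base_libdir}`, `${nonarch_base_libdir}`, `${base_sbindir}`, `${sbindir}` and `${systemd_system_unitdir}` as make variables that the Makefiles never define, so they resolve only when the build environment exports them (presumably bitbake does for an `oe_runmake` call, but nothing in the patch says so). When they are unset, `SECDIR ?= ${DESTDIR}/${base_libdir}/security` degrades to `${DESTDIR}//security` and `SBINDIR=${DESTDIR}/${base_sbindir}` to `${DESTDIR}/`, so the parser and the PAM module are silently installed into the wrong directories instead of the build failing. Give each variable a default equal to the old hardcoded value next to `DESTDIR=/` — `base_libdir ?= /lib`, `nonarch_base_libdir ?= /lib`, `base_sbindir ?= /sbin`, `sbindir ?= /usr/sbin`, `systemd_system_unitdir ?= /usr/lib/systemd/system` — or at least state in the patch description that these names are expected from the environment.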
+++ b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch @@ -6,7 +6,7 @@ Subject: [PATCH] Revert "profiles: Update 'make check' to select tools based This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e. -Upstream-Statue: OE specific +Upstream-Status: Inappropriate [OE specific] These changes cause during packaging with perms changing. Signed-off-by: Armin Kuster diff --git a/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch deleted file mode 100644 index 239562a45..000000000 --- a/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001 -From: Armin Kuster -Date: Wed, 7 Oct 2020 08:27:11 -0700 -Subject: [PATCH] aa_status: Fix build issue with musl - -add limits.h - -aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'? -| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char)); - -Upstream-Status: Pending -Signed-off-by: Armin Kuster ---- - binutils/aa_status.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/binutils/aa_status.c b/binutils/aa_status.c -index 78b03409..41f1954e 100644 ---- a/binutils/aa_status.c -+++ b/binutils/aa_status.c -@@ -10,6 +10,7 @@ - #include - #include - #include -+#include - #include - #include - #include --- -2.17.1 - diff --git a/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch deleted file mode 100644 index 9f3dce426..000000000 --- a/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch +++ /dev/null 
@@ -1,43 +0,0 @@
-From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001
-From: Armin Kuster
-Date: Fri, 2 Oct 2020 19:43:44 -0700
-Subject: [PATCH] apparmor: fix manpage order
-
-It trys to create a symlink before the man pages are installed.
-
- ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8
- | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster
-
-...
-
-install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8;
-
-Signed-off-by: Armin Kuster
---
- binutils/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/binutils/Makefile b/binutils/Makefile
-index 99e54875..3f1d0011 100644
---- a/binutils/Makefile
--+++ b/binutils/Makefile
-@@ -156,12 +156,12 @@ install-arch: arch
- install -m 755 -d ${SBINDIR}
- ln -sf aa-status ${SBINDIR}/apparmor_status
- install -m 755 ${SBINTOOLS} ${SBINDIR}
-- ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-
- .PHONY: install-indep
- install-indep: indep
- $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
- $(MAKE) install_manpages DESTDIR=${DESTDIR}
-+ ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-
- ifndef VERBOSE
- .SILENT: clean
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
deleted file mode 100644
index 2a56d8b85..000000000
--- a/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt
-Date: Sat, 3 Oct 2020 20:37:55 +0200
-Subject: [PATCH] libapparmor: add missing include for `socklen_t`
-
-While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
-include the `` header to make its declaration available.
-While this works on systems using glibc via transitive includes, it
-breaks compilation on musl libc.
-
-Fix the issue by including the header.
-
-Signed-off-by: Patrick Steinhardt
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster
-
---
- libraries/libapparmor/include/sys/apparmor.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
-index 32892d06..d70eff94 100644
---- a/libraries/libapparmor/include/sys/apparmor.h
--+++ b/libraries/libapparmor/include/sys/apparmor.h
-@@ -21,6 +21,7 @@
- #include
- #include
- #include
-+#include
- #include
-
- #ifdef __cplusplus
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
deleted file mode 100644
index 9f7ad3c55..000000000
--- a/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001
-From: Armin Kuster
-Date: Wed, 7 Oct 2020 20:50:38 -0700
-Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray
-
-In cross build environments, using the hosts cpp gives incorrect
-detection of reallocarray. Change cpp to a variable.
-
-fixes:
-parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
-| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
-| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
-
-Signed-off-by: Armin Kuster
-
-Upstream-Status: Pending
-
---
- parser/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/parser/Makefile b/parser/Makefile
-index acef3d77..8250ac45 100644
---- a/parser/Makefile
--+++ b/parser/Makefile
-@@ -54,7 +54,7 @@ endif
- CPPFLAGS += -D_GNU_SOURCE
-
- STDLIB_INCLUDE:="\#include "
--HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
-+HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
-
- WARNINGS = -Wall
- CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch b/meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
new file mode 100644
index 000000000..53bdde807
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
@@ -0,0 +1,57 @@
+From a737c95ac0f887c365fe8f16583ea95da79de1e9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Mon, 21 Jun 2021 16:53:39 +0800
+Subject: [PATCH] rc.apparmor.debian: add missing functions
+
+Add missing functions:
+ aa_log_action_start
+ aa_log_action_end
+ aa_log_daemon_msg
+ aa_log_end_msg
+
+Fixes:
+$ /etc/init.d/apparmor start
+/lib/apparmor/rc.apparmor.functions: line 294: aa_log_daemon_msg: command not found
+/lib/apparmor/rc.apparmor.functions: line 214: aa_log_action_start: command not found
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao
+---
+ parser/rc.apparmor.debian | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/parser/rc.apparmor.debian b/parser/rc.apparmor.debian
+index 8efd4400..f35124e8 100644
+--- a/parser/rc.apparmor.debian
++++ b/parser/rc.apparmor.debian
+@@ -70,6 +70,26 @@ aa_log_skipped_msg() {
+ echo ": Skipped."
+ }
+
++aa_log_action_start()
++{
++ echo "$@"
++}
++
++aa_log_action_end()
++{
++ printf ""
++}
++
++aa_log_daemon_msg()
++{
++ echo "$@"
++}
++
++aa_log_end_msg()
++{
++ printf ""
++}
++
+ usage() {
+ echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
+ }
+--
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
deleted file mode 100644
index 333f40fbd..000000000
--- a/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
+++ /dev/null
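Review bot: The `aa_log_end_msg` shim added near the end of the hunk prints nothing and ignores its argument, so whatever status rc.apparmor.functions hands it (the Debian-derived init script this series removes called its equivalent as `log_end_msg "$rc"` to print ` failed!` and return the code) never reaches the console or the caller, and a profile that fails to compile or load at boot goes unreported while the service still looks healthy; `aa_log_action_end` has the same shape. For a MAC policy loader that is the one message an operator needs, so suggest `aa_log_end_msg() { if [ "${1:-0}" -eq 0 ]; then echo "."; else echo " failed!"; fi; return "${1:-0}"; }` and the same body for `aa_log_action_end`, keeping `echo "$@"` for the two start/daemon helpers. Whether rc.apparmor.functions inspects these helpers' return values is not visible here, so the `return` is belt-and-braces; the printed failure is the part that matters.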
@@ -1,37 +0,0 @@
-From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt
-Date: Sat, 3 Oct 2020 20:58:45 +0200
-Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public
- symbols
-
-With AppArmor release 3.0, a new function `aa_features_new_from_file`
-was added, but not added to the list of public symbols. As a result,
-it's not possible to make use of this function when linking against
-libapparmor.so.
-
-Fix the issue by adding it to the symbol map.
-
-Signed-off-by: Patrick Steinhardt
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster
-
---
- libraries/libapparmor/src/libapparmor.map | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
-index bbff51f5..1579509a 100644
---- a/libraries/libapparmor/src/libapparmor.map
--+++ b/libraries/libapparmor/src/libapparmor.map
-@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
-
- APPARMOR_3.0 {
- global:
-+ aa_features_new_from_file;
- aa_features_write_to_fd;
- aa_features_value;
- local:
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
deleted file mode 100644
index 543c7a185..000000000
--- a/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt
-Date: Sat, 3 Oct 2020 21:04:57 +0200
-Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols
-
-While `_aa_asprintf` is supposed to be of private visibility, it's used
-by apparmor_parser and thus required to be visible when linking. This
-commit thus adds it to the list of private symbols to make it available
-for linking in apparmor_parser.
-
-Signed-off-by: Patrick Steinhardt
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster
-
---
- libraries/libapparmor/src/libapparmor.map | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
-index 1579509a..41e541ac 100644
---- a/libraries/libapparmor/src/libapparmor.map
--+++ b/libraries/libapparmor/src/libapparmor.map
-@@ -127,6 +127,7 @@ APPARMOR_3.0 {
- PRIVATE {
- global:
- _aa_is_blacklisted;
-+ _aa_asprintf;
- _aa_autofree;
- _aa_autoclose;
- _aa_autofclose;
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor b/meta-security/recipes-mac/AppArmor/files/apparmor
deleted file mode 100644
index 604e48d56..000000000
--- a/meta-security/recipes-mac/AppArmor/files/apparmor
+++ /dev/null
@@ -1,226 +0,0 @@ -#!/bin/sh -# ---------------------------------------------------------------------- -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 -# NOVELL (All rights reserved) -# Copyright (c) 2008, 2009 Canonical, Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, contact Novell, Inc. -# ---------------------------------------------------------------------- -# Authors: -# Steve Beattie -# Kees Cook -# -# /etc/init.d/apparmor -# -### BEGIN INIT INFO -# Provides: apparmor -# Required-Start: $local_fs -# Required-Stop: umountfs -# Default-Start: S -# Default-Stop: -# Short-Description: AppArmor initialization -# Description: AppArmor init script. This script loads all AppArmor profiles. -### END INIT INFO - -log_daemon_msg() { - echo $* -} - -log_end_msg () { - retval=$1 - if [ $retval -eq 0 ]; then - echo "." - else - echo " failed!" - fi - return $retval -} - -. /lib/apparmor/functions - -usage() { - echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" -} - -test -x ${PARSER} || exit 0 # by debian policy -# LSM is built-in, so it is either there or not enabled for this boot -test -d /sys/module/apparmor || exit 0 - -securityfs() { - # Need securityfs for any mode - if [ ! -d "${AA_SFS}" ]; then - if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then - log_daemon_msg "AppArmor not available as kernel LSM." - log_end_msg 1 - exit 1 - else - log_daemon_msg "Mounting securityfs on ${SECURITYFS}" - if ! 
mount -t securityfs none "${SECURITYFS}"; then - log_end_msg 1 - exit 1 - fi - fi - fi - if [ ! -w "$AA_SFS"/.load ]; then - log_daemon_msg "Insufficient privileges to change profiles." - log_end_msg 1 - exit 1 - fi -} - -handle_system_policy_package_updates() { - apparmor_was_updated=0 - - if ! compare_previous_version ; then - # On snappy flavors, if the current and previous versions are - # different then clear the system cache. snappy will handle - # "$PROFILES_CACHE_VAR" itself (on Touch flavors - # compare_previous_version always returns '0' since snappy - # isn't available). - clear_cache_system - apparmor_was_updated=1 - elif ! compare_and_save_debsums apparmor ; then - # If the system policy has been updated since the last time we - # ran, clear the cache to prevent potentially stale binary - # cache files after an Ubuntu image based upgrade (LP: - # #1350673). This can be removed once all system image flavors - # move to snappy (on snappy systems compare_and_save_debsums - # always returns '0' since /var/lib/dpkg doesn't exist). - clear_cache - apparmor_was_updated=1 - fi - - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then - # If packages for system policy that affect click packages have - # been updated since the last time we ran, run aa-clickhook -f - force_clickhook=0 - force_profile_hook=0 - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then - force_clickhook=1 - fi - if ! 
compare_and_save_debsums click-apparmor ; then - force_clickhook=1 - force_profile_hook=1 - fi - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-clickhook -f - fi - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-profile-hook -f - fi - fi -} - -# Allow "recache" even when running on the liveCD -if [ "$1" = "recache" ]; then - log_daemon_msg "Recaching AppArmor profiles" - recache_profiles - rc=$? - log_end_msg "$rc" - exit $rc -fi - -# do not perform start/stop/reload actions when running from liveCD -test -d /rofs/etc/apparmor.d && exit 0 - -rc=255 -case "$1" in - start) - if test -x /sbin/systemd-detect-virt && \ - systemd-detect-virt --quiet --container && \ - ! is_container_with_internal_policy; then - log_daemon_msg "Not starting AppArmor in container" - log_end_msg 0 - exit 0 - fi - log_daemon_msg "Starting AppArmor profiles" - securityfs - # That is only useful for click, snappy and system images, - # i.e. not in Debian. And it reads and writes to /var, that - # can be remote-mounted, so it would prevent us from using - # Before=sysinit.target without possibly introducing dependency - # loops. - handle_system_policy_package_updates - load_configured_profiles - rc=$? - log_end_msg "$rc" - ;; - stop) - log_daemon_msg "Clearing AppArmor profiles cache" - clear_cache - rc=$? - log_end_msg "$rc" - cat >&2 < and Jamie Strandboge " - -task - -start on starting rc-sysinit - -script - [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD - [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor - [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser - - . /lib/apparmor/functions - - systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true - - # Need securityfs for any mode - if [ ! 
-d /sys/kernel/security/apparmor ]; then - if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then - exit 0 - else - mount -t securityfs none /sys/kernel/security || exit 0 - fi - fi - - [ -w /sys/kernel/security/apparmor/.load ] || exit 0 - - apparmor_was_updated=0 - if ! compare_previous_version ; then - # On snappy flavors, if the current and previous versions are - # different then clear the system cache. snappy will handle - # "$PROFILES_CACHE_VAR" itself (on Touch flavors - # compare_previous_version always returns '0' since snappy - # isn't available). - clear_cache_system - apparmor_was_updated=1 - elif ! compare_and_save_debsums apparmor ; then - # If the system policy has been updated since the last time we - # ran, clear the cache to prevent potentially stale binary - # cache files after an Ubuntu image based upgrade (LP: - # #1350673). This can be removed once all system image flavors - # move to snappy (on snappy systems compare_and_save_debsums - # always returns '0' since /var/lib/dpkg doesn't exist). - clear_cache - apparmor_was_updated=1 - fi - - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then - # If packages for system policy that affect click packages have - # been updated since the last time we ran, run aa-clickhook -f - force_clickhook=0 - force_profile_hook=0 - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then - force_clickhook=1 - fi - if ! 
compare_and_save_debsums click-apparmor ; then - force_clickhook=1 - force_profile_hook=1 - fi - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-clickhook -f - fi - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-profile-hook -f - fi - fi - - if [ "$ACTION" = "teardown" ]; then - running_profile_names | while read profile; do - unload_profile "$profile" - done - exit 0 - fi - - if [ "$ACTION" = "clear" ]; then - clear_cache - exit 0 - fi - - if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then - clear_cache - load_configured_profiles - unload_obsolete_profiles - exit 0 - fi - - # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above, - # aa-clickhook will have already compiled the policy, generated the cache - # files and loaded them into the kernel by this point, so reloading click - # policy from cache, while fairly fast (<2 seconds for 250 profiles on - # armhf), is redundant. Fixing this would complicate the logic quite a bit - # and it wouldn't improve the (by far) common case (ie, when - # 'aa-clickhook -f' is not run). - load_configured_profiles -end script diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor.service b/meta-security/recipes-mac/AppArmor/files/apparmor.service deleted file mode 100644 index e66afe4e1..000000000 --- a/meta-security/recipes-mac/AppArmor/files/apparmor.service +++ /dev/null 
@@ -1,22 +0,0 @@ -[Unit] -Description=AppArmor initialization -After=local-fs.target -Before=sysinit.target -AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load -ConditionSecurity=apparmor -DefaultDependencies=no -Documentation=man:apparmor(7) -Documentation=http://wiki.apparmor.net/ - -# Don't start this unit on the Ubuntu Live CD -ConditionPathExists=!/rofs/etc/apparmor.d - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/etc/init.d/apparmor start -ExecStop=/etc/init.d/apparmor stop -ExecReload=/etc/init.d/apparmor reload - -[Install] -WantedBy=sysinit.target diff --git a/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch b/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch deleted file mode 100644 index c6b4bddc2..000000000 --- a/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch +++ /dev/null @@ -1,33 +0,0 @@ -Index: apparmor-2.10.95/parser/Makefile -=================================================================== ---- apparmor-2.10.95.orig/parser/Makefile -+++ apparmor-2.10.95/parser/Makefile -@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT - po/${NAME}.pot: ${SRCS} ${HDRS} - $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}" - --techdoc.pdf: techdoc.tex -- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\ -- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \ -- grep -q "Label(s) may have changed" techdoc.log; \ -- do :; done -- --techdoc/index.html: techdoc.pdf -- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT} -- --techdoc.txt: techdoc/index.html -- w3m -dump $< > $@ - - # targets arranged this way so that people who don't want full docs can - # pick specific targets they want. -@@ -159,9 +148,7 @@ manpages: $(MANPAGES) - - htmlmanpages: $(HTMLMANPAGES) - --pdf: techdoc.pdf -- --docs: manpages htmlmanpages pdf -+docs: manpages htmlmanpages - - indep: docs - $(Q)$(MAKE) -C po all 
diff --git a/meta-security/recipes-mac/AppArmor/files/functions b/meta-security/recipes-mac/AppArmor/files/functions deleted file mode 100644 index e9e2bbfbf..000000000 --- a/meta-security/recipes-mac/AppArmor/files/functions +++ /dev/null 
@@ -1,271 +0,0 @@ -# /lib/apparmor/functions for Debian -*- shell-script -*- -# ---------------------------------------------------------------------- -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 -# NOVELL (All rights reserved) -# Copyright (c) 2008-2010 Canonical, Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, contact Novell, Inc. -# ---------------------------------------------------------------------- -# Authors: -# Kees Cook - -PROFILES="/etc/apparmor.d" -PROFILES_CACHE="$PROFILES/cache" -PROFILES_VAR="/var/lib/apparmor/profiles" -PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles" -PROFILES_CACHE_VAR="/var/cache/apparmor" -PARSER="/sbin/apparmor_parser" -SECURITYFS="/sys/kernel/security" -export AA_SFS="$SECURITYFS/apparmor" - -# Suppress warnings when booting in quiet mode -quiet_arg="" -[ "${QUIET:-no}" = yes ] && quiet_arg="-q" -[ "${quiet:-n}" = y ] && quiet_arg="-q" - -foreach_configured_profile() { - rc_all="0" - for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do - if [ ! -d "$pdir" ]; then - continue - fi - num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l` - if [ "$num" = "0" ]; then - continue - fi - - cache_dir="$PROFILES_CACHE" - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then - cache_dir="$PROFILES_CACHE_VAR" - fi - cache_args="--cache-loc=$cache_dir" - if [ ! 
-d "$cache_dir" ]; then - cache_args= - fi - - # LP: #1383858 - expr tree simplification is too slow for - # Touch policy on ARM, so disable it for now - cache_extra_args= - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then - cache_extra_args="-O no-expr-simplify" - fi - - # If need to compile everything, then use -n1 with xargs to - # take advantage of -P. When cache files are in use, omit -n1 - # since it is considerably faster on moderately sized profile - # sets to give the parser all the profiles to load at once - n1_args= - num=`find "$cache_dir" -type f ! -name '.features' | wc -l` - if [ "$num" = "0" ]; then - n1_args="-n1" - fi - - (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ - while read profile; do - if [ -f "$pdir"/"$profile" ]; then - echo "$pdir"/"$profile" - fi - done) | \ - xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { - rc_all="$?" - # FIXME: when the parser properly handles broken - # profiles (LP: #1377338), remove this if statement. - # For now, if the xargs returns with error, just run - # through everything with -n1. (This could be broken - # out and refactored, but this is temporary so make it - # easy to understand and revert) - if [ "$rc_all" != "0" ]; then - (ls -1 "$pdir" | \ - egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ - while read profile; do - if [ -f "$pdir"/"$profile" ]; then - echo "$pdir"/"$profile" - fi - done) | \ - xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { - rc_all="$?" 
- } - fi - } - done - return $rc_all -} - -load_configured_profiles() { - clear_cache_if_outdated - foreach_configured_profile $quiet_arg --write-cache --replace -} - -load_configured_profiles_without_caching() { - foreach_configured_profile $quiet_arg --replace -} - -recache_profiles() { - clear_cache - foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load -} - -configured_profile_names() { - foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//' -} - -running_profile_names() { - # Output a sorted list of loaded profiles, skipping libvirt's - # dynamically generated files - cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//' -} - -unload_profile() { - echo -n "$1" > "$AA_SFS"/.remove -} - -clear_cache() { - clear_cache_system - clear_cache_var -} - -clear_cache_system() { - find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- -} - -clear_cache_var() { - find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- -} - -read_features_dir() -{ - for f in `ls -A "$1"` ; do - if [ -f "$1/$f" ] ; then - read -r KF < "$1/$f" || true - echo -n "$f {$KF } " - elif [ -d "$1/$f" ] ; then - echo -n "$f {" - KF=`read_features_dir "$1/$f"` || true - echo -n "$KF} " - fi - done -} - -clear_cache_if_outdated() { - if [ -r "$PROFILES_CACHE"/.features ]; then - if [ -d "$AA_SFS"/features ]; then - KERN_FEATURES=`read_features_dir "$AA_SFS"/features` - else - read -r KERN_FEATURES < "$AA_SFS"/features - fi - CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features` - if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then - clear_cache - fi - fi -} - -unload_obsolete_profiles() { - # Currently we must re-parse all the profiles to get policy names. 
:( - aa_configured=$(mktemp -t aa-XXXXXX) - configured_profile_names > "$aa_configured" || true - aa_loaded=$(mktemp -t aa-XXXXXX) - running_profile_names > "$aa_loaded" || true - LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do - unload_profile "$profile" - done - rm -f "$aa_configured" "$aa_loaded" -} - -# If the system debsum differs from the saved debsum, the new system debsum is -# saved and non-zero is returned. Returns 0 if the two debsums matched or if -# the system debsum file does not exist. This can be removed when system image -# flavors all move to snappy. -compare_and_save_debsums() { - pkg="$1" - - if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then - sums="/var/lib/dpkg/info/${pkg}.md5sums" - # store saved md5sums in /var/lib/apparmor/profiles since - # /var/cache/apparmor might be cleared by apparmor - saved_sums="${PROFILES_VAR}/.${pkg}.md5sums" - - if [ -f "$sums" ] && \ - ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then - cp -f "$sums" "$saved_sums" - return 1 - fi - fi - - return 0 -} - -compare_previous_version() { - installed="/usr/share/snappy/security-policy-version" - previous="/var/lib/snappy/security-policy-version" - - # When just $previous doesn't exist, assume this is a new system with - # no cache and don't do anything special. - if [ -f "$installed" ] && [ -f "$previous" ]; then - pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2` - iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2` - if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then - # snappy updates $previous elsewhere, so just return - return 1 - fi - fi - - return 0 -} - -# Checks to see if the current container is capable of having internal AppArmor -# profiles that should be loaded. Callers of this function should have already -# verified that they're running inside of a container environment with -# something like `systemd-detect-virt --container`. 
-# -# The only known container environments capable of supporting internal policy -# are LXD and LXC environment. -# -# Returns 0 if the container environment is capable of having its own internal -# policy and non-zero otherwise. -# -# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC -# system container technology being nested inside of a LXD/LXC container that -# utilized an AppArmor namespace and profile stacking. The reason 0 will be -# returned is because .ns_stacked will be "yes" and .ns_name will still match -# "lx[dc]-*" since the nested system container technology will not have set up -# a new AppArmor profile namespace. This will result in the nested system -# container's boot process to experience failed policy loads but the boot -# process should continue without any loss of functionality. This is an -# unsupported configuration that cannot be properly handled by this function. -is_container_with_internal_policy() { - local ns_stacked_path="${AA_SFS}/.ns_stacked" - local ns_name_path="${AA_SFS}/.ns_name" - local ns_stacked - local ns_name - - if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then - return 1 - fi - - read -r ns_stacked < "$ns_stacked_path" - if [ "$ns_stacked" != "yes" ]; then - return 1 - fi - - # LXD and LXC set up AppArmor namespaces starting with "lxd-" and - # "lxc-", respectively. Return non-zero for all other namespace - # identifiers. - read -r ns_name < "$ns_name_path" - if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ - [ "${ns_name#lxc-*}" = "$ns_name" ]; then - return 1 - fi - - return 0 -} diff --git a/meta-security/recipes-security/sshguard/sshguard_2.4.2.bb b/meta-security/recipes-security/sshguard/sshguard_2.4.2.bb new file mode 100644 index 000000000..bd7f97927 --- /dev/null +++ b/meta-security/recipes-security/sshguard/sshguard_2.4.2.bb 
@@ -0,0 +1,11 @@
+SUMARRY=" Intelligently block brute-force attacks by aggregating system logs "
+HOMEPAGE = "https://www.sshguard.net/"
+LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
+LICENSE = "BSD-1-Clause"
+
+
+SRC_URI="https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "2770b776e5ea70a9bedfec4fd84d57400afa927f0f7522870d2dcbbe1ace37e8"
+
+inherit autotools-brokensep
diff --git a/meta-security/recipes-security/sssd/files/musl_fixup.patch b/meta-security/recipes-security/sssd/files/musl_fixup.patch
new file mode 100644
index 000000000..68f267c7c
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/musl_fixup.patch
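Review bot: `SUMARRY=` on the first line of the new recipe is a typo for `SUMMARY`, so the description is assigned to an unused variable and the package ships without one; the intended line is `SUMMARY = "Intelligently block brute-force attacks by aggregating system logs"` (also dropping the stray leading and trailing spaces). The rest of the recipe is only a fetch-and-build stanza: as far as I recall sshguard's configure picks a firewall backend (iptables, nft, pf, ...) and the daemon blocks nothing at runtime if that backend is absent from the image, yet nothing here pins the backend in `EXTRA_OECONF` or declares it in `RDEPENDS_${PN}`. Since this package is also being added to packagegroup-core-security, it is worth confirming the backend choice explicitly so the protection is not silently inert on target.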
@@ -0,0 +1,53 @@ +fix musl build failures + +Missing _PATH_HOSTS and some NETDB defines when musl is enabled. + +These are work arounds for now while we figure out where the real fix should reside (musl, gcompact, sssd): + +./sssd-2.5.1/src/providers/fail_over.c:1199:19: error: '_PATH_HOSTS' undeclared (first use in this function) +| 1199 | _PATH_HOSTS); +| | ^~~~~~~~~~~ + +and + +i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c:415:21: error: 'NETDB_INTERNAL' undeclared (first use in this function) +| 415 | *h_errnop = NETDB_INTERNAL; + + +Upstream-Status: Pending +Signed-off-by: Armin Kuster + +Index: sssd-2.5.1/src/providers/fail_over.c +=================================================================== +--- sssd-2.5.1.orig/src/providers/fail_over.c ++++ sssd-2.5.1/src/providers/fail_over.c +@@ -31,6 +31,10 @@ + #include + #include + ++#if !defined(_PATH_HOSTS) ++#define _PATH_HOSTS "/etc/hosts" ++#endif ++ + #include "util/dlinklist.h" + #include "util/refcount.h" + #include "util/util.h" +Index: sssd-2.5.1/src/sss_client/sss_cli.h +=================================================================== +--- sssd-2.5.1.orig/src/sss_client/sss_cli.h ++++ sssd-2.5.1/src/sss_client/sss_cli.h +@@ -44,6 +44,14 @@ typedef int errno_t; + #define EOK 0 + #endif + ++#ifndef NETDB_INTERNAL ++# define NETDB_INTERNAL (-1) ++#endif ++ ++#ifndef NETDB_SUCCESS ++# define NETDB_SUCCESS (0) ++#endif ++ + #define SSS_NSS_PROTOCOL_VERSION 1 + #define SSS_PAM_PROTOCOL_VERSION 3 + #define SSS_SUDO_PROTOCOL_VERSION 1 diff --git a/meta-security/recipes-security/sssd/sssd_2.5.0.bb b/meta-security/recipes-security/sssd/sssd_2.5.0.bb deleted file mode 100644 index 84b7b0e46..000000000 --- a/meta-security/recipes-security/sssd/sssd_2.5.0.bb +++ /dev/null 
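Review bot: The `_PATH_HOSTS` fallback is added only to `fail_over.c`, while the `NETDB_INTERNAL`/`NETDB_SUCCESS` fallbacks go into the shared `sss_cli.h`; if any other translation unit references `_PATH_HOSTS` the musl build will still fail, and the workarounds would read more consistently if the hosts-path define lived next to the others in a shared header, e.g. `#ifndef _PATH_HOSTS` / `#define _PATH_HOSTS "/etc/hosts"` / `#endif` in `util/util.h` or `sss_cli.h`. The chosen values (-1 and 0) match glibc's netdb.h, so `h_errno` consumers keep the same semantics; if musl does expose these under a feature-test macro, the `#ifndef` guards avoid a redefinition error but would also hide a mismatch, so a short comment stating the expected glibc values would help the eventual upstream fix. The patch header has two small typos, `i./sssd-2.5.1` and `gcompact` (presumably `gcompat`).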
@@ -1,131 +0,0 @@ -SUMMARY = "system security services daemon" -DESCRIPTION = "SSSD is a system security services daemon" -HOMEPAGE = "https://pagure.io/SSSD/sssd/" -SECTION = "base" -LICENSE = "GPLv3+" -LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" - -DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" -DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit" - -DEPENDS_append_libc-musl = " musl-nscd" - -# If no crypto has been selected, default to DEPEND on nss, since that's what -# sssd will pick if no active choice is made during configure -DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ - bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}" - -SRC_URI = "https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz \ - file://sssd.conf \ - file://volatiles.99_sssd \ - file://no_gen.patch \ - file://fix_gid.patch \ - file://drop_ntpdate_chk.patch \ - file://fix-ldblibdir.patch \ - " -SRC_URI[sha256sum] = "afa62d7d8d23fca3aba093abe4ec0d14e7d9346c5b28ceb7c2c624bed98caa06" - -inherit autotools pkgconfig gettext python3-dir features_check systemd - -REQUIRED_DISTRO_FEATURES = "pam" - -SSSD_UID ?= "root" -SSSD_GID ?= "root" - -CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ - ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ - " - -PACKAGECONFIG ?="nss nscd autofs sudo infopipe" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" - -PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" -PACKAGECONFIG[crypto] = ", , libcrypto" -PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" -PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " -PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native 
docbook-xsl-stylesheets-native" -PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" -PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " -PACKAGECONFIG[nss] = ", ,nss," -PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" -PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" -PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" -PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " -PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " -PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv" - -EXTRA_OECONF += " \ - --disable-cifs-idmap-plugin \ - --without-nfsv4-idmapd-plugin \ - --without-ipa-getkeytab \ - --without-python2-bindings \ - --enable-pammoddir=${base_libdir}/security \ - --without-python2-bindings \ - --without-secrets \ - --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ - --with-pid-path=/run \ -" - -do_configure_prepend() { - mkdir -p ${AUTOTOOLS_AUXDIR}/build - cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ - - # libresove has host path, remove it - sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4 -} - -do_compile_prepend () { - echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h -} -do_install () { - oe_runmake install DESTDIR="${D}" - rmdir --ignore-fail-on-non-empty "${D}/${bindir}" - install -d ${D}/${sysconfdir}/${BPN} - install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN} - install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d - echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf - fi - - # Remove /run as it is created on startup - rm -rf ${D}/run - - rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* -} - -pkg_postinst_ontarget_${PN} () { -if [ -e 
/etc/init.d/populate-volatile.sh ] ; then - ${sysconfdir}/init.d/populate-volatile.sh update -fi - chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf -} - -CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" - -INITSCRIPT_NAME = "sssd" -INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." -SYSTEMD_SERVICE_${PN} = " \ - ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \ - sssd-nss.service \ - sssd-nss.socket \ - sssd-pam-priv.socket \ - sssd-pam.service \ - sssd-pam.socket \ - sssd.service \ -" -SYSTEMD_AUTO_ENABLE = "disable" - -FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so" -FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" - -# The package contains symlinks that trip up insane -INSANE_SKIP_${PN} = "dev-so" - -RDEPENDS_${PN} = "bind bind-utils dbus libldb libpam" diff --git a/meta-security/recipes-security/sssd/sssd_2.5.1.bb b/meta-security/recipes-security/sssd/sssd_2.5.1.bb new file mode 100644 index 000000000..92058437d --- /dev/null +++ b/meta-security/recipes-security/sssd/sssd_2.5.1.bb 
@@ -0,0 +1,133 @@ +SUMMARY = "system security services daemon" +DESCRIPTION = "SSSD is a system security services daemon" +HOMEPAGE = "https://pagure.io/SSSD/sssd/" +SECTION = "base" +LICENSE = "GPLv3+" +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" + +DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" +DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit" + +DEPENDS_append_libc-musl = " musl-nscd" + +# If no crypto has been selected, default to DEPEND on nss, since that's what +# sssd will pick if no active choice is made during configure +DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ + bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}" + +SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.gz \ + file://sssd.conf \ + file://volatiles.99_sssd \ + file://no_gen.patch \ + file://fix_gid.patch \ + file://drop_ntpdate_chk.patch \ + file://fix-ldblibdir.patch \ + file://musl_fixup.patch \ + " + +SRC_URI[sha256sum] = "ce2f5d84a3f1750093318afd27f4fd75b1e3e75f7d80fc42d21a40cc54b58ea4" + +inherit autotools pkgconfig gettext python3-dir features_check systemd + +REQUIRED_DISTRO_FEATURES = "pam" + +SSSD_UID ?= "root" +SSSD_GID ?= "root" + +CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ + ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ + " + +PACKAGECONFIG ?="nss nscd autofs sudo infopipe" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" + +PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" +PACKAGECONFIG[crypto] = ", , libcrypto" +PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" +PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " +PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native 
docbook-xml-dtd4-native docbook-xsl-stylesheets-native" +PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" +PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " +PACKAGECONFIG[nss] = ", ,nss," +PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" +PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" +PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" +PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " +PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " +PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv" + +EXTRA_OECONF += " \ + --disable-cifs-idmap-plugin \ + --without-nfsv4-idmapd-plugin \ + --without-ipa-getkeytab \ + --without-python2-bindings \ + --enable-pammoddir=${base_libdir}/security \ + --without-python2-bindings \ + --without-secrets \ + --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ + --with-pid-path=/run \ +" + +do_configure_prepend() { + mkdir -p ${AUTOTOOLS_AUXDIR}/build + cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ + + # libresove has host path, remove it + sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4 +} + +do_compile_prepend () { + echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h +} +do_install () { + oe_runmake install DESTDIR="${D}" + rmdir --ignore-fail-on-non-empty "${D}/${bindir}" + install -d ${D}/${sysconfdir}/${BPN} + install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN} + install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf + fi + + # Remove /run as it is created on startup + rm -rf ${D}/run + + rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* +} + +pkg_postinst_ontarget_${PN} () { +if [ 
-e /etc/init.d/populate-volatile.sh ] ; then + ${sysconfdir}/init.d/populate-volatile.sh update +fi + chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf +} + +CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" + +INITSCRIPT_NAME = "sssd" +INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." +SYSTEMD_SERVICE_${PN} = " \ + ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \ + sssd-nss.service \ + sssd-nss.socket \ + sssd-pam-priv.socket \ + sssd-pam.service \ + sssd-pam.socket \ + sssd.service \ +" +SYSTEMD_AUTO_ENABLE = "disable" + +FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so" +FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" + +# The package contains symlinks that trip up insane +INSANE_SKIP_${PN} = "dev-so" + +RDEPENDS_${PN} = "bind bind-utils dbus libldb libpam" -- cgit v1.2.3
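Review bot: `do_compile_prepend` appends `#define NSUPDATE_PATH "${bindir}"` to `config.h`, which expands to a directory (`/usr/bin`) rather than a program; upstream's configure sets `NSUPDATE_PATH` via `AC_PATH_PROG` to the full nsupdate binary and the dyndns child exec's it directly, so if that is still the case in 2.5.1 every dynamic DNS update will fail at runtime with a confusing exec error, and `${bindir}/nsupdate` looks like what was intended. Appending a second definition after configure has already written one may also produce a redefinition warning, so an `AC_PATH_PROG`-style cached configure variable (alongside the existing `CACHED_CONFIGUREVARS`) would be the cleaner override; I cannot see `be_dyndns.c` from here, so please confirm against the 2.5.1 source. Separately, `--without-python2-bindings` appears twice in `EXTRA_OECONF`; one copy can go.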