From a2c571d75749fc09255b138d6fa0049b8e489a7f Mon Sep 17 00:00:00 2001
From: Brad Bishop
Date: Mon, 14 Oct 2019 11:16:09 -0400
Subject: meta-security: subtree update:caaeb67863..a0dee993cd
Armin Kuster (1):
layer.conf: Update for zeus series
Change-Id: I23627a0fcc2a55a051cb6c77af5fd3a569d5b1a2
Signed-off-by: Brad Bishop
---
 meta-security/conf/layer.conf | 2 +-
 meta-security/meta-integrity/conf/layer.conf | 2 +-
 meta-security/meta-security-compliance/conf/layer.conf | 2 +-
 meta-security/meta-tpm/conf/layer.conf | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'meta-security')
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index b9a4f254c..3e890e12e 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,6 +9,6 @@ BBFILE_COLLECTIONS += "security"
 BBFILE_PATTERN_security = "^${LAYERDIR}/"
 BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "warrior"
+LAYERSERIES_COMPAT_security = "zeus"
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index 41989da38..962424ccb 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -21,6 +21,6 @@ INTEGRITY_BASE := '${LAYERDIR}'
 # interactive shell is enough.
 OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "warrior"
+LAYERSERIES_COMPAT_integrity = "zeus"
 # ima-evm-utils depends on keyutils from meta-oe
 LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 9ccadab8b..0e93bd0e8 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "scanners-layer"
 BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_scanners-layer = "10"
-LAYERSERIES_COMPAT_scanners-layer = "warrior"
+LAYERSERIES_COMPAT_scanners-layer = "zeus"
 LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index cdccc553e..3af2d9517 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
 BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_tpm-layer = "10"
-LAYERSERIES_COMPAT_tpm-layer = "warrior"
+LAYERSERIES_COMPAT_tpm-layer = "zeus"
 LAYERDEPENDS_tpm-layer = " \
 core \
--
cgit v1.2.3
From 64940c3fc57528e29816d8b8cee2b229bcaae79b Mon Sep 17 00:00:00 2001
From: Brad Bishop
Date: Tue, 15 Oct 2019 07:47:39 -0400
Subject: meta-security: subtree update:a0dee993cd..400eade386
Alexander Kanavin (2):
apparmor: add PRIVATE_LIBS for ptest package
apparmor: make bash dependency optional
Change-Id: Ic94b09e29b33bcda2bb054e0915e69ad1afc44d5
Signed-off-by: Brad Bishop
---
 meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'meta-security')
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
index 2e5d221c3..6183064f4 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
@@ -32,11 +32,12 @@ PARALLEL_MAKE = ""
 inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd
-PACKAGECONFIG ??= "python perl"
+PACKAGECONFIG ??= "python perl aa-decode"
 PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
 PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
 PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
 PACKAGECONFIG[apache2] = ",,apache2,"
+PACKAGECONFIG[aa-decode] = ",,,bash"
 PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
 HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
@@ -97,6 +98,10 @@ do_install () {
 rm -f ${D}${sbindir}/aa-notify
 fi
+ if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-decode
+ fi
+
 if test -z "${HTTPD}" ; then
 oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
 fi
@@ -161,7 +166,8 @@ PACKAGES += "mod-${PN}"
 FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
 FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-RDEPENDS_${PN} += "bash"
 RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
 RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
 RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
+
+PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
--
cgit v1.2.3
From 49fa52db6f9e5aff2bb2e47b3474c0b9e550aee0 Mon Sep 17 00:00:00 2001
From: Brad Bishop
Date: Wed, 16 Oct 2019 14:23:15 -0400
Subject: meta-security: subtree update:400eade386..c55721b15e
Armin Kuster (2):
suricata: fix compile issue
checksec: add missing rdepends to readelf
Change-Id: Ib50c6bd74004c9cb0241bc70f8df5d90f45f5afe
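Review bot: The new aa-decode guard in do_install sits directly above an older guard written differently, `if test -z "${HTTPD}" ; then`, and that older one looks inert. The context of the first hunk shows HTTPD assigned from `bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)`, so it is always a non-empty string and `test -z` should never pass, which would leave mod_apparmor uninstalled even when apache2 is selected. If that reading is right, the form used by the new block would fix it: `if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then`. do_install starts and ends outside this hunk, so confirm nothing else sets HTTPD.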
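Review bot: Dropping the unconditional `RDEPENDS_${PN} += "bash"` in the last hunk is only safe if aa-decode is the sole file in ${PN} that needs bash, and the hunks do not show that. The recipe also installs an init script and /lib/apparmor/functions (visible in the later commit on this page) plus the utils tree, and their interpreters are not visible here; a build with aa-decode removed from PACKAGECONFIG and the file-rdeps QA check enabled would confirm it. The flag has no configure arguments, only a runtime dependency, so a comment above `PACKAGECONFIG[aa-decode]` in the first hunk would help, for example `# aa-decode needs bash: the flag only decides whether the script is shipped and bash is pulled in`.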
Signed-off-by: Brad Bishop
---
 meta-security/lib/oeqa/runtime/cases/checksec.py | 1 +
 meta-security/recipes-ids/suricata/suricata_4.1.5.bb | 3 ---
 meta-security/recipes-security/checksec/checksec_2.1.0.bb | 2 +-
 3 files changed, 2 insertions(+), 4 deletions(-)
(limited to 'meta-security')
diff --git a/meta-security/lib/oeqa/runtime/cases/checksec.py b/meta-security/lib/oeqa/runtime/cases/checksec.py
index ff6d2f319..e46744c63 100644
--- a/meta-security/lib/oeqa/runtime/cases/checksec.py
+++ b/meta-security/lib/oeqa/runtime/cases/checksec.py
@@ -24,6 +24,7 @@ class CheckSecTest(OERuntimeTestCase):
 self.assertEqual(status, 0, msg = msg)
 @OETestDepends(['checksec.CheckSecTest.test_checksec_xml'])
+ @OEHasPackage(['binutils'])
 def test_checksec_fortify(self):
 status, output = self.target.run('checksec --fortify-proc 1')
 match = re.search('FORTIFY_SOURCE support:', output)
diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb b/meta-security/recipes-ids/suricata/suricata_4.1.5.bb
index cda1c870f..e15a9a337 100644
--- a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.5.bb
@@ -52,9 +52,6 @@ do_install_append () {
 oe_runmake install-conf DESTDIR=${D}
- # mimic move of downloaded rules to e_sysconfrulesdir
- cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata
- oe_runmake install-rules DESTDIR=${D}
 install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
diff --git a/meta-security/recipes-security/checksec/checksec_2.1.0.bb b/meta-security/recipes-security/checksec/checksec_2.1.0.bb
index 5c6528e48..b67c98bb6 100644
--- a/meta-security/recipes-security/checksec/checksec_2.1.0.bb
+++ b/meta-security/recipes-security/checksec/checksec_2.1.0.bb
@@ -16,4 +16,4 @@ do_install() {
 install -m 0755 ${S}/checksec ${D}${bindir}
 }
-RDEPENDS_${PN} = "bash openssl-bin"
+RDEPENDS_${PN} = "bash openssl-bin binutils"
--
cgit v1.2.3
From 5b842c844669dd3d597d64ffacd34db2738942da Mon Sep 17 00:00:00 2001
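Review bot: `@OEHasPackage(['binutils'])` on `test_checksec_fortify` turns a missing readelf into a skip rather than a failure, and it is applied to this one test only. The recipe change in this same commit makes binutils a runtime dependency of checksec, so a target that has checksec without binutils would point to a packaging regression, and a skipped hardening check would not surface it. If the skip is intended, say so above the decorator, for example `# checksec needs readelf; skip when binutils is not on the image`. The import of `OEHasPackage` is outside the hunk, so confirm the module already brings it in; the class body also starts and ends outside the hunk.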
From: Brad Bishop
Date: Mon, 21 Oct 2019 08:43:46 -0400
Subject: meta-security: subtree update:c55721b15e..27ddb45554
Armin Kuster (2):
apparmor: fix systemd support so it works
apparmor: ptest fail to build on arm
Change-Id: Ibe394a28d6fef07dd97031c6e24b4d7e9edf8cfb
Signed-off-by: Brad Bishop
---
 .../recipes-mac/AppArmor/apparmor_2.13.3.bb | 34 ++++++++++++++++++----
 1 file changed, 29 insertions(+), 5 deletions(-)
(limited to 'meta-security')
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
index 6183064f4..60d5e6880 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
@@ -42,7 +42,6 @@ PACKAGECONFIG[aa-decode] = ",,,bash"
 PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
 HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
-
 python() {
 if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
@@ -86,7 +85,6 @@ do_compile () {
 do_install () {
 install -d ${D}/${INIT_D_DIR}
 install -d ${D}/lib/apparmor
- oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
 oe_runmake -C ${B}/binutils DESTDIR="${D}" install
 oe_runmake -C ${B}/utils DESTDIR="${D}" install
@@ -116,8 +114,22 @@ do_install () {
 install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
 install ${WORKDIR}/functions ${D}/lib/apparmor
- install -d ${D}${systemd_system_unitdir}
- install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+ sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
+ sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -d ${D}${systemd_system_unitdir}
+ install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+ fi
+}
+
+#Building ptest on arm fails.
+do_compile_ptest_aarch64 () {
+ :
+}
+
+do_compile_ptest_arm () {
+ :
 }
 do_compile_ptest () {
@@ -147,19 +159,31 @@ do_install_ptest () {
 cp -rf ${B}/binutils ${t}
 }
+#Building ptest on arm fails.
+do_install_ptest_aarch64 () {
+ :
+}
+
+do_install_ptest_arm() {
+ :
+}
+
 pkg_postinst_ontarget_${PN} () {
 if [ ! -d /etc/apparmor.d/cache ] ; then
 mkdir /etc/apparmor.d/cache
 fi
 }
+# We need the init script so don't rm it
+RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
+
 INITSCRIPT_PACKAGES = "${PN}"
 INITSCRIPT_NAME = "apparmor"
 INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
 SYSTEMD_PACKAGES = "${PN}"
 SYSTEMD_SERVICE_${PN} = "apparmor.service"
-SYSTEMD_AUTO_ENABLE = "disable"
+SYSTEMD_AUTO_ENABLE ?= "enable"
 PACKAGES += "mod-${PN}"
--
cgit v1.2.3
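Review bot: The two `sed -i` rewrites of ${D}/lib/apparmor/functions succeed silently when their pattern is absent, so a later edit to the functions file in WORKDIR could bring `getconf _NPROCESSORS_ONLN` or `ls -AU` back with no build signal. They also make the installed script call `nproc`, and no runtime dependency providing it is added in the visible hunks, so confirm the target's coreutils or busybox supplies it. Neither line says why the substitution is needed; a comment such as `# target userland may lack getconf and ls -U; use nproc and plain ls -A` (if that is the reason) would record it. Since functions is installed from WORKDIR, changing that file where it is maintained may be simpler than patching it at install time; do_install starts outside this hunk.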
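Review bot: The `do_install_ptest_aarch64` and `do_install_ptest_arm` stubs here, together with the matching `do_compile_ptest_*` stubs in the previous hunk, quietly leave the AppArmor ptest package empty on ARM, while `RDEPENDS_${PN}-ptest` from the earlier commit on this page still pulls perl, coreutils, dbus-lib and bash onto the image. For a mandatory-access-control component that means ARM targets ship without its runtime regression suite, and the only record is `#Building ptest on arm fails.`. I would expand that comment to name the failure and a tracking reference, for example `# FIXME: ptest build fails on arm/aarch64 (<error or bug id>); stubs keep the recipe buildable but the ptest package is empty`. Separately, `SYSTEMD_AUTO_ENABLE ?= "enable"` flips the unit from disabled to enabled by default, which looks intended by the commit title but changes boot behaviour on existing images and deserves a line in the description.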