diff options
| author | Andrew Geissler <geissonator@yahoo.com> | 2022-06-14 14:47:25 +0300 |
|---|---|---|
| committer | Andrew Geissler <andrew@geissonator.com> | 2022-06-17 20:13:53 +0300 |
| commit | 78b727985e7571e0b196561e44427690f04d57d9 (patch) | |
| tree | 6342b2dc624db0c1f7dde6e6f2a2a4d327405b83 /meta-security | |
| parent | 9036b819caacfa5ad9abd327b6127f0a19132eac (diff) | |
| download | openbmc-78b727985e7571e0b196561e44427690f04d57d9.tar.xz | |
subtree updates
meta-openembedded: a9e6d16e66..11df15765c:
Adrian Fiergolski (1):
python3-matplotlib: add missing dependency
Adrian Freihofer (6):
conntrack-tools: fix postinst script
networkmanager: improve dependency handling
networkmanager: simplify selective installation
networkmanager: use nftables by default
networkmanager: udpate to 1.38.0
modemmanager: update to 1.18.8
Armin Kuster (2):
mariadb: update to 10.7.4
mariadb: Fix i386 Clang builds
Bartosz Golaszewski (2):
python3-uinput: new package
python3-speedtest-cli: fix RDEPENDS
Changqing Li (1):
redis: upgrade 7.0-rc3 -> 7.0.0
Denys Dmytriyenko (1):
devmem2: the source and patches moved to github repo
Enrico Scholz (1):
nodejs-oe-cache-native: initial checkin
Jiaqing Zhao (1):
openldap: Remove unnecessary use-urandom.patch
Kai Kang (2):
libportal: add distro features check
graphviz: rrecommends on liberation-fonts
Khem Raj (5):
ubi-utils-klibc: Disable lzo compression by default
unattended-upgrades: Disable auto-detecting modules
sdbus-c++: Link with libatomic for rv32
sdbus-c++-libsystemd: Fix patch fuzz
python3-uinput: Fix build on 32bit arches using 64bit times_t
Luca Boccassi (1):
dbus-broker: update 29 -> 31
Marcel Ziswiler (1):
libavtp: add recipe for audio video transport protocol (avtp)
Markus Volk (6):
jack: allow to build native/nativesdk
pipewire: reduce native/nativesdk dependencies; add backport patch
p8platform: unbreak do_populate_sdk
pavucontrol: update; fix build for wayland only
gnome-disk-utility: fix build for wayland only
unblock some recipes for wayland
Martin Jansa (1):
mm-common: package the files from ${PN} in ${PN}-dev and use allarch
Ming Liu (1):
bluealsa: uprev to 4.0.0
Nikhil R (1):
duktape: Add ptest
Peter Marko (1):
libgpiod: move test dependencies to ptest package
Ross Burton (8):
python3-cppy: fix inherits and DEPENDS
python3-setuptools-scm-git-archive: add new recipe
python3-traitlets: upgrade to 5.2.1
python3-pathspec: add new recipe
python3-hatchling: add new recipe and build class
python3-editables: add new recipe
python3-setuptools-declarative-requirements: add new recipe
lzop: add (from oe-core)
Samuli Piippo (2):
flite: add recipe
libtomcrypt: add recipe
Thomas Perrot (1):
nbd: update 3.20 -> 3.24
Vyacheslav Yurkov (4):
packagegroup-meta-filesystems: fix build issue
overlayfs-progs: add new recipe
overlayfs-tools: add new recipe
xfstests: add new recipe
Wang Mingyu (38):
babeld: upgrade 1.12 -> 1.12.1
ctags: upgrade 5.9.20220508.0 -> 5.9.20220515.0
libbpf: upgrade 0.7.0 -> 0.8.0
evtest: upgrade 1.34 -> 1.35
nbdkit: upgrade 1.31.5 -> 1.31.7
smarty: upgrade 4.1.0 -> 4.1.1
thingsboard-gateway: upgrade 2.9 -> 3.1
opencl-headers: upgrade 2022.01.04 -> 2022.05.18
python3-robotframework: upgrade 5.0 -> 5.0.1
python3-watchdog: upgrade 2.1.7 -> 2.1.8
python3-web3: upgrade 5.29.0 -> 5.29.1
python3-xmlschema: upgrade 1.10.0 -> 1.11.0
python3-sqlalchemy: upgrade 1.4.35 -> 1.4.36
python3-yappi: upgrade 1.3.3 -> 1.3.5
apitrace: upgrade 11.0 -> 11.1
ctags: upgrade 5.9.20220515.0 -> 5.9.20220529.0
gedit: upgrade 42.0 -> 42.1
hidapi: upgrade 0.11.2 -> 0.12.0
libbytesize: upgrade 2.6 -> 2.7
libdvdread: upgrade 6.1.2 -> 6.1.3
links: upgrade 2.26 -> 2.27
libxmlb: upgrade 0.3.8 -> 0.3.9
ser2net: upgrade 4.3.5 -> 4.3.6
python3-awesomeversion: upgrade 22.5.1 -> 22.5.2
htop: upgrade 3.2.0 -> 3.2.1
hwdata: upgrade 0.359 -> 0.360
libnet-dns-perl: upgrade 1.33 -> 1.34
tinyproxy: upgrade 1.11.0 -> 1.11.1
function2: upgrade 4.2.0 -> 4.2.1
openvpn: upgrade 2.5.6 -> 2.5.7
poppler: upgrade 22.05.0 -> 22.06.0
sshfs-fuse: upgrade 3.7.2 -> 3.7.3
tgt: upgrade 1.0.82 -> 1.0.83
tracker: upgrade 3.3.0 -> 3.3.1
unbound: upgrade 1.15.0 -> 1.16.0
zabbix: upgrade 6.0.4 -> 6.0.5
botan: upgrade 2.19.1 -> 2.19.2
evolution-data-server: upgrade 3.44.1 -> 3.44.2
Wolfgang Meyer (1):
fbida: remove bash from RDEPENDS
Xu Huan (17):
python3-pint: upgrade 0.19.1 -> 0.19.2
python3-pylint: upgrade 2.13.7 -> 2.13.9
python3-redis: upgrade 4.2.2 -> 4.3.1
python3-werkzeug: upgrade 2.1.1 -> 2.1.2
python3-zeroconf: upgrade 0.38.4 -> 0.38.6
python3-sentry-sdk: upgrade 1.5.10 -> 1.5.12
python3-astroid: upgrade 2.11.3 -> 2.11.5
python3-cachetools: upgrade 5.0.0 -> 5.1.0
python3-imageio: upgrade 2.19.1 -> 2.19.2
python3-asyncinotify: upgrade 2.0.2 -> 2.0.3
python3-croniter: upgrade 1.3.4 -> 1.3.5
python3-google-api-core: upgrade 2.7.3 -> 2.8.0
python3-flask-socketio: upgrade 5.1.2 -> 5.2.0
python3-h5py: upgrade 3.6.0 -> 3.7.0
python3-lz4: upgrade 4.0.0 -> 4.0.1
python3-mypy: upgrade 0.950 -> 0.960
python3-pyscaffold: upgrade 4.2.1 -> 4.2.2
zhengrq.fnst (10):
python3-google-api-python-client: upgrade 2.45.0 -> 2.48.0
python3-grpcio-tools: upgrade 1.46.0 -> 1.46.3
python3-openpyxl: upgrade 3.0.9 -> 3.0.10
python3-paramiko: upgrade 2.10.4 -> 2.11.0
python3-humanize: upgrade 4.0.0 -> 4.1.0
python3-pychromecast: upgrade 12.1.1 -> 12.1.2
python3-cachetools: upgrade 5.1.0 -> 5.2.0
python3-google-api-python-client: upgrade 2.48.0 -> 2.49.0
python3-googleapis-common-protos: upgrade 1.56.1 -> 1.56.2
python3-imageio: upgrade 2.19.2 -> 2.19.3
zhengruoqin (6):
python3-bitarray: upgrade 2.5.0 -> 2.5.1
python3-eventlet: upgrade 0.33.0 -> 0.33.1
python3-googleapis-common-protos: upgrade 1.56.0 -> 1.56.1
python3-imageio: upgrade 2.18.0 -> 2.19.1
python3-pyjwt: upgrade 2.3.0 -> 2.4.0
python3-wrapt: upgrade 1.14.0 -> 1.14.1
poky: 13d70e57f8..ee0d001b81:
Alex Stewart (1):
opkg: upgrade to version 0.6.0
Alexander Kanavin (23):
bash: submit patch upstream
valgrind: submit arm patches upstream
apt: fix upstream version check
zip/unzip: mark all submittable patches as Inactive-Upstream
less: mark upstream version as unknown
wayland: exclude pre-releases from version check
mesa-demos: update 8.4.0 -> 8.5.0
seatd: update 0.6.4 -> 0.7.0
systemd: update 250.5 -> 251.2
btrfs-tools: update 5.16.2 -> 5.18
llvm: update 14.0.3 -> 14.0.4
python3-psutil: update 5.9.0 -> 5.9.1
tiff: update 4.3.0 -> 4.4.0
pulseaudio: update 15.0 -> 16.0
alsa-utils-scripts: merge into alsa-utils
alsa-utils: update 1.2.6 -> 1.2.7
ovmf: update 202202 -> 202205
cmake: update 3.23.1 -> 3.23.2
ltp: upgrade 20220121 -> 20220527
perl: update 5.34.1 -> 5.36.0
perl: drop perltoc regeneration
perl: clean prior to build
perl: enable _GNU_SOURCE define via d_gnulibc
Bruce Ashfield (7):
linux-yocto/5.15: bpf: explicitly disable unpriv eBPF by default
linux-yocto/5.15: update to v5.15.43
linux-yocto/5.10: update to v5.10.118
linux-yocto/5.15: Enable MDIO bus config
linux-yocto/5.15: cfg/xen: Move x86 configs to separate file
linux-yocto/5.15: update to v5.15.44
linux-yocto/5.10: update to v5.10.119
Chen Qi (1):
libsdl2: add back xvm and xinerama options
Daiane Angolini (1):
python3-pip: Fix RDEPENDS after the update
Davide Gardenal (2):
efivar: add musl libc compatibility
baremetal-image: fix broken symlink in do_rootfs
Dmitry Baryshkov (2):
go.bbclass: fix path to linker in native Go builds
linux-firmware: add support for building snapshots
Ernst Sjöstrand (2):
cve-check: Add helper for symlink handling
cve-check: Only include installed packages for rootfs manifest
He Zhe (1):
lttng-modules: Fix build failure for 5.10.119+ and 5.15.44+ kernel
Jack Mitchell (1):
meson.bbclass: add cython binary to cross/native toolchain config
Jeremy Puhlman (1):
gcc: depend on zstd-native
Jiaqing Zhao (1):
systemd: Correct 0001-pass-correct-parameters-to-getdents64.patch
Joerg Vehlow (1):
libseccomp: Add missing files for ptests
Jose Quaresma (1):
archiver: use bb.note instead of echo
Kai Kang (1):
xxhash: fix build with gcc 12
Marcel Ziswiler (2):
alsa-plugins: fix libavtp vs. avtp packageconfig
gstreamer1.0-plugins-bad: add libavtp packageconfig
Markus Volk (1):
gcr: build with gtk+3 for wayland
Marta Rybczynska (4):
cve-check: move update_symlinks to a library
cve-check: write empty fragment files in the text mode
cve-check: fix return type in check_cves
cve-update-db-native: make it possible to disable database updates
Martin Jansa (9):
makedevs: Don't use COPYING.patch just to add license file into ${S}
insane.bbclass: make sure to close .patch files
staging.bbclass: process direct dependencies in deterministic order
patch.py: make sure that patches/series file exists before quilt pop
lttng-modules: fix shell syntax
buildhistory.bbclass: fix shell syntax when using dash
rootfs.py: close kernel_abi_ver_file
ltp: use bfd even when gold is used with ld-is-gold
systemd: Fix build without utmp
Michael Opdenacker (1):
migration guides: release notes for 4.0.1
Mikko Rapeli (1):
bitbake: event.py: ignore exceptions from stdout and sterr operations in atexit
Ming Liu (1):
udev-extraconf: let automount base directory configurable
Mingli Yu (4):
perl: Fix build with gcc-12
ccache: Fix build with gcc-12
oescripts: change compare logic in OEListPackageconfigTests
python3-cryptography: remove test_x509.py
Naveen Saini (1):
pciutils: avoid lspci conflict with busybox
Pavel Zhukov (6):
bitbake.conf: Make TCLIBC and TCMODE lazy assigned
bitbake: fetch2: Honour BB_FETCH_PREMIRRORONLY option
bitbake: Add tests to cover BB_FETCH_PREMIRRORONLY functionality
dbus: Specify runstatedir configure option
bitbake: tests/fetch: Drop unnecessary duplicated function
bitbake: tests/fetch: Add tests for premirror using real project
Peter Kjellerstedt (2):
libseccomp: Correct LIC_FILES_CHKSUM
license.bbclass: Bound beginline and endline in copy_license_files()
Quentin Schulz (2):
docs: set_versions.py: remove honister from active releases list
docs: set_versions.py: check for first latest release tag
Rasmus Villemoes (2):
vim: put xxd in its own package
e2fsprogs: add alternatives handling of lsattr as well
Ricardo Salveti (1):
gnu-efi: enable for riscv64
Richard Purdie (51):
cve-extra-exclusions: Add kernel CVEs
lzo: Add further info to a patch and mark as Inactive-Upstream
python3: Remove problematic paths from sysroot files
python3: Ensure stale empty python module directories don't break the build
Revert "qemu.inc: Remove empty egg-info directories before running meson"
Revert "meson.bblcass: Remove empty egg-info directories before running meson"
vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs
tiff: Add jbig PACKAGECONFIG and clarify CVE-2022-1210
libxslt: Mark CVE-2022-29824 as not applying
oeqa/imagefeatures: Replace lzo with zst
oeqa/imagefeatures: Disable squashfs-lzo
cve-check: Allow warnings to be disabled
openssl: Backport fix for ptest cert expiry
bitbake: runqueue: Fix unihash cache mismatch issues
bitbake: cache/siggen: Add unihash cache copy function
bitbake: bitbake: Bump to version 2.0.1
populate_sdk_ext: Fix race condition on bb_unihashes.dat
gcc-cross-canadian: Add nativesdk-zstd dependency
glib-2.0: upgrade 2.72.1 -> 2.72.2
dnf: upgrade 4.12.0 -> 4.13.0
python3-dtschema: upgrade 2022.4 -> 2022.5
python3-sphinx: upgrade 4.5.0 -> 5.0.0
python3-pip: upgrade 22.1.1 -> 22.1.2
alsa-lib: upgrade 1.2.6.1 -> 1.2.7
sysklogd: upgrade 2.3.0 -> 2.4.0
libxkbcommon: upgrade 1.4.0 -> 1.4.1
piglit: upgrade to latest revision
sysstat: upgrade 12.4.5 -> 12.6.0
harfbuzz: upgrade 4.2.1 -> 4.3.0
gtk+3: upgrade 3.24.33 -> 3.24.34
xwayland: upgrade 22.1.1 -> 22.1.2
alsa-ucm-conf: upgrade 1.2.6.3 -> 1.2.7
gnutls: upgrade 3.7.5 -> 3.7.6
webkitgtk: upgrade 2.36.1 -> 2.36.3
diffoscope: upgrade 212 -> 215
populate_sdk_ext: Fix second bb_unihashes reference
sanity: Switch to make 4.0 as a minimum version
perl: Add dependency on make-native to avoid race issues
glibc: Drop make-native dependency
bitbake: fetch/wget: Move files into place atomically
bitbake: server/process: Avoid risk of exception deadlocks
bitbake: server/process: Remove daemonic thread usage
bitbake: server/process: Avoid tracebacks at exit
uboot-sign: Fix potential index error issues
selftest/multiconfig: Test that multiconfigs in separate layers works
bitbake: cooker: Drop sre_constants usage
classes/buildcfg: Move git/layer revision code into new OE module buildcfg
lib/buildcfg: Share common clean/dirty layer function
buildcfg: Drop unused svn revision function
base/buildhistory/image-buildinfo: Use common buildcfg function
image-buildinfo: Improve and extend to SDK coverage too
Robert Yang (1):
systemd: Set RebootWatchdogSec to 60s as watchdog
Ross Burton (8):
python3-pluggy: add BBCLASSEXTEND for native/nativesdk
btrfs-tools: add a PACKAGECONFIG for lzo
tiff: mark CVE-2022-1622 and CVE-2022-1623 as invalid
packagegroup-self-hosted: remove lzo
libarchive: disable LZO by default
squashfs-tools: disable LZO by default
lzop: remove recipe from oe-core
setuptools3: clean up class
Rusty Howell (1):
oe-depends-dot: Handle new format for task-depends.dot
Sean Anderson (1):
rootfs.py: find .ko.zst kernel modules
Stefan Wiehler (1):
kernel-yocto.bbclass: Reset to exiting on non-zero return code at end of task
Tobias Schmidl (2):
oeqa/selftest/wic.py: Repaired test_qemu()
wic/plugins/images/direct: Allow changes in fstab on rootfs
Vyacheslav Yurkov (2):
files: rootfs-postcommands: move helper commands to script
files: respect overlayfs owner from lower layer
Xiaobing Luo (1):
devtool: Fix _copy_file() TypeError
Zach Welch (2):
test-manual/intro: reorder bitbake-selftest steps
test-manual/intro: bitbake-selftest needs bitbake
leimaohui (1):
gnutls: Added fips option.
wangmy (30):
bind: upgrade 9.18.2 -> 9.18.3
ccache: upgrade 4.6 -> 4.6.1
init-system-helpers: upgrade 1.62 -> 1.63
ninja: upgrade 1.10.2 -> 1.11.0
python3-certifi: upgrade 2021.10.8 -> 2022.5.18.1
python3-cython: upgrade 0.29.28 -> 0.29.30
python3-hypothesis: upgrade 6.46.4 -> 6.46.7
python3-importlib-metadata: upgrade 4.11.3 -> 4.11.4
python3-magic: upgrade 0.4.25 -> 0.4.26
python3-pip: upgrade 22.1 -> 22.1.1
python3-setuptools: upgrade 62.3.1 -> 62.3.2
python3-hypothesis: upgrade 6.46.7 -> 6.46.9
python3-semantic-version: upgrade 2.9.0 -> 2.10.0
python3-webcolors: upgrade 1.11.1 -> 1.12
python3-pytest-subtests: upgrade 0.7.0 -> 0.8.0
asciidoc: upgrade 10.1.4 -> 10.2.0
cups: upgrade 2.4.1 -> 2.4.2
iproute2: upgrade 5.17.0 -> 5.18.0
iw: upgrade 5.16 -> 5.19
logrotate: upgrade 3.19.0 -> 3.20.1
dpkg: upgrade 1.21.7 -> 1.21.8
repo: upgrade 2.25 -> 2.26
iso-codes: upgrade 4.9.0 -> 4.10.0
lttng-ust: upgrade 2.13.2 -> 2.13.3
meson: upgrade 0.62.1 -> 0.62.2
mtools: upgrade 4.0.39 -> 4.0.40
nettle: upgrade 3.7.3 -> 3.8
kbd: upgrade 2.4.0 -> 2.5.0
python3-hypothesis: upgrade 6.46.9 -> 6.46.11
xkeyboard-config: upgrade 2.35.1 -> 2.36
meta-security: 7628a3e90b..8c6fe006a1:
Armin Kuster (18):
swtpm: enable seccomp if DISTRO is enabled
security-tpm2-image: add swtpm
swtpm: enable gnutls
oeqa/swtpm: add swtpm runtime
oeqa/tpm2: fix and cleanup tests
tpm2-pkcs11: we really need the symlinks
smack-test: switch to python3
oeqa/smack: consolidate classes
checksec: update 2.6.0
chkrootkit: update SRC_URI
packagegroup-core-security: add arpwatch and chkrootkit to pkg grp
layer.conf: Post release codename changes
README: Update for dynamic layers
arpwatch: riscv not supported
packagegroup-core-security: drop arpwatch for riscv from pkg grp
chkrootkit: Fix missing includes for musl
arpwatch: update to 3.3
packagegroup-core-security: don't include aprwatch for musl
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ic83db16445cf0a1286685f11d378e1e3e9b794c3
Diffstat (limited to 'meta-security')
21 files changed, 146 insertions, 100 deletions
diff --git a/meta-security/README b/meta-security/README index 081669f6b3..2d1996b153 100644 --- a/meta-security/README +++ b/meta-security/README @@ -28,20 +28,10 @@ Dependencies This layer depends on: URI: git://git.openembedded.org/openembedded-core - branch: master + branch: [same one as checked out for this layer] URI: git://git.openembedded.org/meta-openembedded/meta-oe - branch: master - - URI: git://git.openembedded.org/meta-openembedded/meta-perl - branch: master - - URI: git://git.openembedded.org/meta-openembedded/meta-python - branch: master - - URI: git://git.openembedded.org/meta-openembedded/meta-networking - branch: master - + branch: [same one as checked out for this layer] Adding the security layer to your build ======================================== @@ -57,21 +47,22 @@ other layers needed. e.g.: BBLAYERS ?= " \ /path/to/oe-core/meta \ /path/to/meta-openembedded/meta-oe \ - /path/to/meta-openembedded/meta-perl \ - /path/to/meta-openembedded/meta-python \ - /path/to/meta-openembedded/meta-networking \ /path/to/layer/meta-security " -Optional Rust dependancy +Optional Dynamic layer dependancy ====================================== -If you want to use the latest Suricata that needs rust, you will need to clone - URI: https://github.com/meta-rust/meta-rust.git - branch: master + URI: git://git.openembedded.org/meta-openembedded/meta-oe + + URI: git://git.openembedded.org/meta-openembedded/meta-perl + + URI: git://git.openembedded.org/meta-openembedded/meta-python - BBLAYERS += "/path/to/layer/meta-rust" + BBLAYERS += "/path/to/layer/meta-openembedded/meta-oe" + BBLAYERS += "/path/to/layer/meta-openembedded/meta-perl" + BBLAYERS += "/path/to/layer/meta-openembedded/meta-python" -This will activate the dynamic-layer mechanism and pull in the newer suricata +This will activate the dynamic-layer mechanism. diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 7d57f9c850..fa7d79efbf 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "kirkstone" +LAYERSERIES_COMPAT_security = "kirkstone langdale" LAYERDEPENDS_security = "core openembedded-layer" diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py index 35e87ef32d..b8255c781c 100644 --- a/meta-security/lib/oeqa/runtime/cases/smack.py +++ b/meta-security/lib/oeqa/runtime/cases/smack.py @@ -29,8 +29,6 @@ class SmackBasicTest(OERuntimeTestCase): status,output = self.target.run("cat /proc/self/attr/current") self.current_label = output.strip() -class SmackAccessLabel(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_access_label(self): ''' Test if chsmack can correctly set a SMACK label ''' @@ -54,8 +52,6 @@ class SmackAccessLabel(SmackBasicTest): "%s %s" %(LABEL,label_retrieved)) -class SmackExecLabel(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_exec_label(self): '''Test if chsmack can correctly set a SMACK Exec label''' @@ -79,8 +75,6 @@ class SmackExecLabel(SmackBasicTest): "%s %s" %(LABEL,label_retrieved)) -class SmackMmapLabel(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_mmap_label(self): '''Test if chsmack can correctly set a SMACK mmap label''' @@ -104,8 +98,6 @@ class SmackMmapLabel(SmackBasicTest): "%s %s" %(LABEL,label_retrieved)) -class SmackTransmutable(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_transmutable(self): '''Test if chsmack can correctly set a SMACK transmutable mode''' @@ -128,8 +120,6 @@ class SmackTransmutable(SmackBasicTest): "%s %s" %(LABEL,label_retrieved)) -class SmackChangeSelfLabelPrivilege(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_privileged_change_self_label(self): '''Test if privileged process (with CAP_MAC_ADMIN privilege) @@ -145,8 +135,6 @@ class SmackChangeSelfLabelPrivilege(SmackBasicTest): self.assertIn("PRIVILEGED", output, "Privilege process did not change label.Output: %s" %output) -class SmackChangeSelfLabelUnprivilege(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_unprivileged_change_self_label(self): '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) @@ -163,8 +151,6 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest): "Unprivileged process should not be able to change its label") -class SmackChangeFileLabelPrivilege(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_unprivileged_change_file_label(self): '''Test if unprivileged process cannot change file labels''' @@ -183,8 +169,6 @@ class SmackChangeFileLabelPrivilege(SmackBasicTest): self.target.run("rm %s" % filename) self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename) -class SmackLoadRule(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_load_smack_rule(self): '''Test if new smack access rules can be loaded''' @@ -211,8 +195,6 @@ class SmackLoadRule(SmackBasicTest): self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) -class SmackOnlycap(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_onlycap(self): '''Test if smack onlycap label can be set @@ -223,7 +205,6 @@ class SmackOnlycap(SmackBasicTest): status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh") self.assertEqual(status, 0, output) -class SmackNetlabel(SmackBasicTest): @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_netlabel(self): @@ -246,7 +227,6 @@ class SmackNetlabel(SmackBasicTest): test_label, output, "Did not find expected label in output: %s" %output) -class SmackCipso(SmackBasicTest): @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_cipso(self): @@ -287,7 +267,6 @@ class SmackCipso(SmackBasicTest): self.assertEqual(status, 0, "Cipso rule C was not set") self.assertIn("/17,33", output, "Rule C was not set correctly") -class SmackDirect(SmackBasicTest): @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_direct(self): @@ -308,8 +287,6 @@ class SmackDirect(SmackBasicTest): "Smack direct label does not match.") -class SmackAmbient(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_ambient(self): test_ambient = "test_ambient" @@ -330,8 +307,6 @@ class SmackAmbient(SmackBasicTest): "Ambient label does not match") -class SmackloadBinary(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smackload(self): '''Test if smackload command works''' @@ -345,8 +320,6 @@ class SmackloadBinary(SmackBasicTest): self.assertEqual(status, 0, "Smackload rule was loaded correctly") -class SmackcipsoBinary(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smackcipso(self): '''Test if smackcipso command works''' @@ -362,8 +335,6 @@ class SmackcipsoBinary(SmackBasicTest): self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output) -class SmackEnforceFileAccess(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_enforce_file_access(self): '''Test if smack file access is enforced (rwx) @@ -375,8 +346,6 @@ class SmackEnforceFileAccess(SmackBasicTest): self.assertEqual(status, 0, output) -class SmackEnforceMmap(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_mmap_enforced(self): '''Test if smack mmap access is enforced''' @@ -449,8 +418,6 @@ class SmackEnforceMmap(SmackBasicTest): "Output: %s" %output) -class SmackEnforceTransmutable(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_transmute_dir(self): '''Test if smack transmute attribute works @@ -473,8 +440,6 @@ class SmackEnforceTransmutable(SmackBasicTest): "Did not get expected label. Output: %s" % output) -class SmackTcpSockets(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_tcp_sockets(self): '''Test if smack is enforced on tcp sockets @@ -485,8 +450,6 @@ class SmackTcpSockets(SmackBasicTest): self.assertEqual(status, 0, output) -class SmackUdpSockets(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_udp_sockets(self): '''Test if smack is enforced on udp sockets @@ -497,8 +460,6 @@ class SmackUdpSockets(SmackBasicTest): self.assertEqual(status, 0, output) -class SmackFileLabels(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_labels(self): '''Check for correct Smack labels.''' diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf index bc33d973cb..5983161755 100644 --- a/meta-security/meta-hardening/conf/layer.conf +++ b/meta-security/meta-hardening/conf/layer.conf @@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "harden-layer" BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_harden-layer = "10" -LAYERSERIES_COMPAT_harden-layer = "kirkstone" +LAYERSERIES_COMPAT_harden-layer = "kirkstone langdale" LAYERDEPENDS_harden-layer = "core openembedded-layer" diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index 3d58be4ae4..1fcf33c543 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}' # interactive shell is enough. OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" -LAYERSERIES_COMPAT_integrity = "kirkstone" +LAYERSERIES_COMPAT_integrity = "kirkstone langdale" # ima-evm-utils depends on keyutils from meta-oe LAYERDEPENDS_integrity = "core openembedded-layer" diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf index 544cc4e792..a748d77edb 100644 --- a/meta-security/meta-parsec/conf/layer.conf +++ b/meta-security/meta-parsec/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer" BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_parsec-layer = "5" -LAYERSERIES_COMPAT_parsec-layer = "kirkstone" +LAYERSERIES_COMPAT_parsec-layer = "kirkstone langdale" LAYERDEPENDS_parsec-layer = "core clang-layer" BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec" diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf index 7c076255ee..ec57541eb7 100644 --- a/meta-security/meta-security-compliance/conf/layer.conf +++ b/meta-security/meta-security-compliance/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "kirkstone" +LAYERSERIES_COMPAT_scanners-layer = "kirkstone langdale" LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python" diff --git a/meta-security/meta-security-isafw/conf/layer.conf b/meta-security/meta-security-isafw/conf/layer.conf index e8cdc1b91a..724742d7fc 100644 --- a/meta-security/meta-security-isafw/conf/layer.conf +++ b/meta-security/meta-security-isafw/conf/layer.conf @@ -14,4 +14,4 @@ LAYERVERSION_security-isafw = "1" LAYERDEPENDS_security-isafw = "core" -LAYERSERIES_COMPAT_security-isafw = "kirkstone" +LAYERSERIES_COMPAT_security-isafw = "kirkstone langdale" diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 52e3ee0a1c..1fd2e4c1ba 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_tpm-layer = "10" -LAYERSERIES_COMPAT_tpm-layer = "kirkstone" +LAYERSERIES_COMPAT_tpm-layer = "kirkstone langdale" LAYERDEPENDS_tpm-layer = " \ core \ diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py new file mode 100644 index 0000000000..df47b353ed --- /dev/null +++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py @@ -0,0 +1,24 @@ +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> +# +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature + +class SwTpmTest(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.tc.target.run('mkdir /tmp/myvtpm2') + cls.tc.target.run('chown tss:root /tmp/myvtpm2') + + @classmethod + def tearDownClass(cls): + cls.tc.target.run('rm -fr /tmp/myvtpm2') + + @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES') + @OETestDepends(['ssh.SSHTest.test_ssh']) + @OEHasPackage(['swtpm']) + def test_swtpm2_ek_cert(self): + cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2', + status, output = self.target.run(cmd) + self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output) diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py index c2c95e7159..e64d19d69e 100644 --- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py +++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py @@ -1,11 +1,19 @@ -# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com> # from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.runtime.decorator.package import OEHasPackage - +from oeqa.core.decorator.data import skipIfNotFeature class Tpm2Test(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.tc.target.run('mkdir /tmp/myvtpm2') + + @classmethod + def tearDownClass(cls): + cls.tc.target.run('rm -fr /tmp/myvtpm2') + def check_endlines(self, results, expected_endlines): for line in results.splitlines(): for el in expected_endlines: @@ -19,20 +27,19 @@ class Tpm2Test(OERuntimeTestCase): @OEHasPackage(['tpm2-tools']) @OEHasPackage(['tpm2-abrmd']) @OEHasPackage(['swtpm']) + @skipIfNotFeature('tpm2','Test tpm2_startup requires tpm2 to be in DISTRO_FEATURES') @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_tpm2_swtpm_socket(self): + def test_tpm2_startup(self): cmds = [ - 'mkdir /tmp/myvtpm', - 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &', - 'export TPM2TOOLS_TCTI="swtpm:port=2321"', - 'tpm2_startup -c' + 'swtpm socket -d --tpmstate dir=/tmp/myvtpm2 --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init', + 'tpm2_startup -c -T "swtpm:port=2321"', ] for cmd in cmds: status, output = self.target.run(cmd) self.assertEqual(status, 0, msg='\n'.join([cmd, output])) - @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_startup']) def test_tpm2_pcrread(self): (status, output) = self.target.run('tpm2_pcrread') expected_endlines = [] @@ -49,7 +56,7 @@ class Tpm2Test(OERuntimeTestCase): @OEHasPackage(['p11-kit']) @OEHasPackage(['tpm2-pkcs11']) - @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pcrread']) def test_tpm2_pkcs11(self): (status, output) = self.target.run('p11-kit list-modules -v') self.assertEqual(status, 0, msg="Modules missing: %s" % output) diff --git a/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb index 7e047d1274..941a6617ad 100644 --- a/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb +++ b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb @@ -7,6 +7,7 @@ IMAGE_INSTALL = "\ packagegroup-core-boot \ packagegroup-security-tpm2 \ os-release \ + swtpm \ " IMAGE_LINGUAS ?= " " diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb index 85e4c5d557..03899d8032 100644 --- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb +++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb @@ -20,14 +20,15 @@ inherit autotools pkgconfig perlnative TSS_USER="tss" TSS_GROUP="tss" -PACKAGECONFIG ?= "openssl" +PACKAGECONFIG ?= "openssl gnutls" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)}" PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}" PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl" # expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is # used by swtpm-create-tpmca (the last two is provided by gnutls) # gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert -PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools" +PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls-native gnutls, gnutls-bin expect bash tpm2-pkcs11-tools" PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux" PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse" PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb index e8812d06d0..dd0a0b57b5 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb @@ -25,15 +25,6 @@ do_compile:append() { } do_install:append() { - install -d ${D}${libdir}/pkcs11 - install -d ${D}${datadir}/p11-kit - - # remove symlinks - rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so - - #install lib - install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ${D}${libdir}/pkcs11/libtpm2_pkcs11.so - cd ${S}/tools export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}" ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build @@ -53,5 +44,7 @@ FILES:${PN} += "\ ${datadir}/p11-kit/* \ " +INSANE_SKIP:${PN} += "dev-so" + RDEPENDS:${PN} = "p11-kit tpm2-tools " RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index 901005440b..f381d91921 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -42,10 +42,13 @@ RDEPENDS:packagegroup-security-utils = "\ SUMMARY:packagegroup-security-scanners = "Security scanners" RDEPENDS:packagegroup-security-scanners = "\ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " arpwatch",d)} \ + chkrootkit \ isic \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \ " RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam" +RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "arpwatch" SUMMARY:packagegroup-security-audit = "Security Audit tools " RDEPENDS:packagegroup-security-audit = " \ diff --git a/meta-security/recipes-mac/smack/smack-test_1.0.bb b/meta-security/recipes-mac/smack/smack-test_1.0.bb index d7824aef65..3ab57c607e 100644 --- a/meta-security/recipes-mac/smack/smack-test_1.0.bb +++ b/meta-security/recipes-mac/smack/smack-test_1.0.bb @@ -22,4 +22,4 @@ do_install() { install -m 0755 *.sh ${D}${sbindir} } -RDEPENDS:${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test" +RDEPENDS:${PN} = "smack python3-core mmap-smack-test tcp-smack-test udp-smack-test" diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb index c8d31cf70d..8efb339750 100644 --- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb +++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb @@ -1,7 +1,7 @@ SUMARRY = "The ethernet monitor program; for keeping track of ethernet/ip address pairings" LICENSE = "BSD-4-Clause" HOME_PAGE = "http://ee.lbl.gov/" -LIC_FILES_CHKSUM = "file://configure;md5=74ca964ed34fda7b46c6fe3e50bded9d" +LIC_FILES_CHKSUM = "file://configure;md5=0f6cca2f69f384a14e2f5803210ca92e" DEPENDS += "libpcap" @@ -9,10 +9,10 @@ SRC_URI = "https://ee.lbl.gov/downloads/arpwatch/${BP}.tar.gz \ file://arpwatch.conf \ file://arpwatch.default \ file://arpwatch_init \ - file://postfix_workaround.patch \ - file://host_contam_fix.patch " + file://host_contam_fix.patch \ + " -SRC_URI[sha256sum] = "ee1d15d9a07952c0c017908b9dbfd5ac988fed0058c3cc4fa6c13e0be36f3a9f" +SRC_URI[sha256sum] = "d47fa8b291fc37a25a2d0f3e1b64f451dc0be82d714a10ffa6ef8b0b9e33e166" inherit autotools-brokensep update-rc.d useradd @@ -80,4 +80,8 @@ CONFFILE_FILES = "${sysconfdir}/${PN}.conf" FILES:${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \ ${sysconfdir} /var/lib/arpwatch" +COMPATIBLE_HOST:riscv32 = "null" +COMPATIBLE_HOST:riscv64 = "null" +OMPATIBLE_HOST:libc-musl = "null" + RDEPENDS:${PN} = "libpcap" diff --git a/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch b/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch index 7d7ffacf76..2e27aa4ead 100644 --- a/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch +++ b/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch @@ -4,11 +4,11 @@ Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Armin Kuster <akuster808@gmail.com> -Index: arpwatch-3.0/configure +Index: arpwatch-3.3/configure =================================================================== ---- arpwatch-3.0.orig/configure -+++ arpwatch-3.0/configure -@@ -4349,8 +4349,8 @@ fi +--- arpwatch-3.3.orig/configure ++++ arpwatch-3.3/configure +@@ -4353,8 +4353,8 @@ fi CC=cc export CC fi diff --git a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb index 9a6e44a27c..f4a014e171 100644 --- a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb +++ b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb @@ -4,10 +4,10 @@ SECTION = "security" LICENSE = "BSD-3-Clause" HOMEPAGE="https://github.com/slimm609/checksec.sh" -LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8d90285f711cf1f378e2c024457066d8" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=879b2147c754bc040c29e9c3b84da836" -SRCREV = "c3754e45e04f9104db93b2048afd094427102d48" -SRC_URI = "git://github.com/slimm609/checksec.sh;branch=master;protocol=https" +SRCREV = "2753ebb89fcdc96433ae8a4c4e5a49214a845be2" +SRC_URI = "git://github.com/slimm609/checksec.sh;branch=main;protocol=https" S = "${WORKDIR}/git" @@ -17,3 +17,5 @@ do_install() { } RDEPENDS:${PN} = "bash openssl-bin binutils" + +BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb b/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb index 20015a1cc0..fe0e9891be 100644 --- a/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb +++ b/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb @@ -5,7 +5,8 @@ SECTION = "security" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff" -SRC_URI = "ftp://ftp.pangeia.com.br/pub/seg/pac/${BPN}.tar.gz" +SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz \ + file://musl_fix.patch" SRC_URI[sha256sum] = "a81c0286ec449313f953701202a00e81b204fc2cf43e278585a11c12a5e0258b" inherit autotools-brokensep diff --git a/meta-security/recipes-scanners/rootkits/files/musl_fix.patch b/meta-security/recipes-scanners/rootkits/files/musl_fix.patch new file mode 100644 index 0000000000..a33523bfc1 --- /dev/null +++ b/meta-security/recipes-scanners/rootkits/files/musl_fix.patch @@ -0,0 +1,58 @@ +chkrootkit: Fix missing includes for musl + + +Upstream-Status: Backport +https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07737b95af2452c0055e1ed0660590c1487befdb +https://bugs.gentoo.org/715552 + +Signed-off-by: Armin Kuster <akuster808@gamil.com> + +Index: chkrootkit-0.55/chkdirs.c +=================================================================== +--- chkrootkit-0.55.orig/chkdirs.c ++++ chkrootkit-0.55/chkdirs.c +@@ -33,7 +33,7 @@ + #elif defined(__APPLE__) && defined(__MACH__) + #include <sys/syslimits.h> + #endif +- ++#include <limits.h> + #include <stdio.h> + #include <stdlib.h> + #include <sys/types.h> +Index: chkrootkit-0.55/chklastlog.c +=================================================================== +--- chkrootkit-0.55.orig/chklastlog.c ++++ chkrootkit-0.55/chklastlog.c +@@ -41,6 +41,7 @@ int main () { return 0; } + #include <stdlib.h> + #endif + #include <sys/stat.h> ++#include <fcntl.h> + #include <unistd.h> + #include <string.h> + #include <signal.h> +Index: chkrootkit-0.55/chkproc.c +=================================================================== +--- chkrootkit-0.55.orig/chkproc.c ++++ chkrootkit-0.55/chkproc.c +@@ -65,6 +65,7 @@ int main (){ return 0; } + #include <string.h> + #include <errno.h> + #include <sys/types.h> ++#include <fcntl.h> + #include <dirent.h> + #include <ctype.h> + #include <stdlib.h> +Index: chkrootkit-0.55/chkwtmp.c +=================================================================== +--- chkrootkit-0.55.orig/chkwtmp.c ++++ chkrootkit-0.55/chkwtmp.c +@@ -25,6 +25,7 @@ int main () { return 0; } + #include <stdio.h> + #include <stdlib.h> + #include <unistd.h> ++#include <fcntl.h> + #include <string.h> + #include <utmp.h> + #include <time.h> |