authorAndrew Geissler <geissonator@yahoo.com>2023-09-11 15:24:07 +0300
committerAndrew Geissler <geissonator@yahoo.com>2023-09-11 15:24:17 +0300
commitfc7e7973f3119e2bad511209aa336537dc5ffbed (patch)
tree17f710baf630d26af09b667744e0381ac0967c50 /meta-security
parent566b706ac11162bf6311c2885e9772473e25c7bc (diff)
subtree updates
meta-security: b9bc938785..1856a7cf43: Armin Kuster (1): scap-security-guide: update to 0.1.69+ Lei Maohui (2): paxctl: Fix do_package QA Issue. ccs-tools: Fix do_package QA Issue. Martin Jansa (1): layer.conf: update LAYERSERIES_COMPAT for nanbield Yi Zhao (1): scap-security-guide: pass the correct cpe/schemas/xsl paths to oscap meta-arm: 992c07f7c0..bd0953cc60: Abdellatif El Khlifi (1): arm-bsp/u-boot: corstone1000: detect the kernel size automatically Anusmita Dutta Mazumder (5): arm-bsp/u-boot: corstone1000: add unique firmware GUID arm-bsp/trusted-firmware-m: corstone1000: add unique firmware GUID arm-bsp/scp-firmware: Update N1SDP scp-firmware version arm-bsp/n1sdp: Enable tests with pseudo trusted application CI: Build custom image for N1SDP optee-xtest Delane Brandy (1): arm-bsp/corstone1000: mmc2-enablement Emekcan Aras (2): arm-bsp/trusted-firmware-a: corstone1000: Update TF-A v2.9 arm-bsp/optee-os: corstone1000: Update optee-os v3.22 Javier Tia (1): optee-client: Add path condition to tee-supplicant.service Jon Mason (14): arm/trusted-firmware-a: update to 2.9.0 arm-bsp/juno: update kernel to 6.4 arm/linux-yocto: change defconfig patch for 6.4 arm/hafnium: update to v2.8 arm/linux-yocto: update kernel patches arm/trusted-services: add SRCREV_FORMAT arm-bsp/tc1: update optee arm-bsp/fvp-baser-aemv8r64: update u-boot to 2023.01 arm-bsp/corstone500: upgrade u-boot to the latest arm-bsp/corstone500: removal of support arm: patch clean-ups arm/edk2: update to 202305 version arm/sbsa-acs: update to v7.1.2 arm-bsp/trusted-firmware-a: remove unneeded patches Mariam Elshakfy (2): arm-bsp/trusted-firmware-a: Update TF-A version for N1SDP arm-bsp/n1sdp: Update edk2-firmware version for N1SDP to 202305 Ross Burton (3): kas/: pass through DISPLAY from environment Remove explicit SRCPV arm-bsp/external-system: set PACKAGE_ARCH as this is machine-specific meta-raspberrypi: 5e2f79a6fa..6501ec892c: Andrei Gherzan (2): ci: Add usrmerge to distro features docs: Fix 
documentation theme Sangmo Kang (1): omxplayer: fix an error caused by new srcrev fetcher API Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/conf/layer.conf2
-rw-r--r--meta-security/meta-hardening/conf/layer.conf2
-rw-r--r--meta-security/meta-integrity/conf/layer.conf2
-rw-r--r--meta-security/meta-parsec/conf/layer.conf2
-rw-r--r--meta-security/meta-tpm/conf/layer.conf2
-rw-r--r--meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch388
-rw-r--r--meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb (renamed from meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb)10
-rw-r--r--meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb2
-rw-r--r--meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch26
-rw-r--r--meta-security/recipes-security/paxctl/paxctl_0.9.bb4
10 files changed, 42 insertions, 398 deletions
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index a436f97e87..3e8db1f17c 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security"
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "mickledore"
+LAYERSERIES_COMPAT_security = "nanbield"
LAYERDEPENDS_security = "core openembedded-layer"
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index 4bc1cac2f0..c499e60a2b 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "harden-layer"
BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_harden-layer = "6"
-LAYERSERIES_COMPAT_harden-layer = "mickledore"
+LAYERSERIES_COMPAT_harden-layer = "nanbield"
LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index 7a9c1d188c..d00298ac8b 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "mickledore"
+LAYERSERIES_COMPAT_integrity = "nanbield"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf
index b162289748..503953a881 100644
--- a/meta-security/meta-parsec/conf/layer.conf
+++ b/meta-security/meta-parsec/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer"
BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_parsec-layer = "5"
-LAYERSERIES_COMPAT_parsec-layer = "mickledore"
+LAYERSERIES_COMPAT_parsec-layer = "nanbield"
LAYERDEPENDS_parsec-layer = "core clang-layer"
BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 1f270317cc..8075706269 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "6"
-LAYERSERIES_COMPAT_tpm-layer = "mickledore"
+LAYERSERIES_COMPAT_tpm-layer = "nanbield"
LAYERDEPENDS_tpm-layer = " \
core \
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
deleted file mode 100644
index 0db2b1203c..0000000000
--- a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
+++ /dev/null
@@ -1,388 +0,0 @@
-From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 14 Jun 2023 07:46:55 -0400
-Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support
-
-includes a standard profile for out-of-the-box checks
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upstream-Status: Pending
-https://github.com/ComplianceAsCode/content/pull/10793
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- CMakeLists.txt | 5 +
- build_product | 1 +
- products/openembedded/CMakeLists.txt | 6 +
- products/openembedded/product.yml | 19 ++
- .../openembedded/profiles/standard.profile | 166 ++++++++++++++++++
- .../openembedded/transforms/constants.xslt | 10 ++
- .../oval/installed_OS_is_openembedded.xml | 33 ++++
- .../oval/sysctl_kernel_ipv6_disable.xml | 1 +
- ssg/constants.py | 5 +-
- 9 files changed, 245 insertions(+), 1 deletion(-)
- create mode 100644 products/openembedded/CMakeLists.txt
- create mode 100644 products/openembedded/product.yml
- create mode 100644 products/openembedded/profiles/standard.profile
- create mode 100644 products/openembedded/transforms/constants.xslt
- create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 6b1ac00ff9..e4191f2cef 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
- option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-+option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-
-
- option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
-@@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
- message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
- message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
- message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
-+message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}")
-
-
- message(STATUS " ")
-@@ -409,6 +411,9 @@ endif()
- if(SSG_PRODUCT_UOS20)
- add_subdirectory("products/uos20" "uos20")
- endif()
-+if (SSG_PRODUCT_OE)
-+ add_subdirectory("products/openembedded" "openembedded")
-+endif()
-
- # ZIP only contains source datastreams and kickstarts, people who
- # want sources to build from should get the tarball instead.
-diff --git a/build_product b/build_product
-index fc793cbe70..7bdc03edfe 100755
---- a/build_product
-+++ b/build_product
-@@ -333,6 +333,7 @@ all_cmake_products=(
- UBUNTU2204
- UOS20
- MACOS1015
-+ OPENEMBEDDED
- )
-
- DEFAULT_OVAL_MAJOR_VERSION=5
-diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt
-new file mode 100644
-index 0000000000..1981adf53e
---- /dev/null
-+++ b/products/openembedded/CMakeLists.txt
-@@ -0,0 +1,6 @@
-+# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way.
-+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
-+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
-+endif()
-+
-+ssg_build_product("openembedded")
-diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
-new file mode 100644
-index 0000000000..debf6870ef
---- /dev/null
-+++ b/products/openembedded/product.yml
-@@ -0,0 +1,19 @@
-+product: openembedded
-+full_name: OpemEmbedded
-+type: platform
-+
-+benchmark_id: OPENEMBEDDED
-+benchmark_root: "../../linux_os/guide"
-+
-+profiles_root: "./profiles"
-+
-+pkg_manager: "dnf"
-+
-+init_system: "systemd"
-+
-+cpes_root: "../../shared/applicability"
-+cpes:
-+ - openembedded:
-+ name: "cpe:/o:openembedded:nodistro:"
-+ title: "OpenEmbedded nodistro"
-+ check_id: installed_OS_is_openembedded
-diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
-new file mode 100644
-index 0000000000..fcb9e0e5c2
---- /dev/null
-+++ b/products/openembedded/profiles/standard.profile
-@@ -0,0 +1,166 @@
-+documentation_complete: true
-+
-+title: 'Sample Security Profile for OpenEmbedded Distros'
-+
-+description: |-
-+ This profile is an sample for use in documentation and example content.
-+ The selected rules are standard and should pass quickly on most systems.
-+
-+selections:
-+ - file_owner_etc_passwd
-+ - file_groupowner_etc_passwd
-+ - service_crond_enabled
-+ - file_groupowner_crontab
-+ - file_owner_crontab
-+ - file_permissions_crontab
-+ - file_groupowner_cron_hourly
-+ - file_owner_cron_hourly
-+ - file_permissions_cron_hourly
-+ - file_groupowner_cron_daily
-+ - file_owner_cron_daily
-+ - file_permissions_cron_daily
-+ - file_groupowner_cron_weekly
-+ - file_owner_cron_weekly
-+ - file_permissions_cron_weekly
-+ - file_groupowner_cron_monthly
-+ - file_owner_cron_monthly
-+ - file_permissions_cron_monthly
-+ - file_groupowner_cron_d
-+ - file_owner_cron_d
-+ - file_permissions_cron_d
-+ - file_groupowner_cron_allow
-+ - file_owner_cron_allow
-+ - file_cron_deny_not_exist
-+ - file_groupowner_at_allow
-+ - file_owner_at_allow
-+ - file_at_deny_not_exist
-+ - file_permissions_at_allow
-+ - file_permissions_cron_allow
-+ - file_groupowner_sshd_config
-+ - file_owner_sshd_config
-+ - file_permissions_sshd_config
-+ - file_permissions_sshd_private_key
-+ - file_permissions_sshd_pub_key
-+ - sshd_set_loglevel_verbose
-+ - sshd_set_loglevel_info
-+ - sshd_max_auth_tries_value=4
-+ - sshd_set_max_auth_tries
-+ - sshd_disable_rhosts
-+ - disable_host_auth
-+ - sshd_disable_root_login
-+ - sshd_disable_empty_passwords
-+ - sshd_do_not_permit_user_env
-+ - sshd_idle_timeout_value=15_minutes
-+ - sshd_set_idle_timeout
-+ - sshd_set_keepalive
-+ - var_sshd_set_keepalive=0
-+ - sshd_set_login_grace_time
-+ - var_sshd_set_login_grace_time=60
-+ - sshd_enable_warning_banner
-+ - sshd_enable_pam
-+ - sshd_set_maxstartups
-+ - var_sshd_set_maxstartups=10:30:60
-+ - sshd_set_max_sessions
-+ - var_sshd_max_sessions=10
-+ - accounts_password_pam_minclass
-+ - accounts_password_pam_minlen
-+ - accounts_password_pam_retry
-+ - var_password_pam_minclass=4
-+ - var_password_pam_minlen=14
-+ - locking_out_password_attempts
-+ - accounts_password_pam_pwhistory_remember_password_auth
-+ - accounts_password_pam_pwhistory_remember_system_auth
-+ - var_password_pam_remember_control_flag=required
-+ - var_password_pam_remember=5
-+ - set_password_hashing_algorithm_systemauth
-+ - var_accounts_maximum_age_login_defs=365
-+ - accounts_password_set_max_life_existing
-+ - var_accounts_minimum_age_login_defs=7
-+ - accounts_password_set_min_life_existing
-+ - var_accounts_password_warn_age_login_defs=7
-+ - account_disable_post_pw_expiration
-+ - var_account_disable_post_pw_expiration=30
-+ - no_shelllogin_for_systemaccounts
-+ - accounts_tmout
-+ - var_accounts_tmout=15_min
-+ - accounts_root_gid_zero
-+ - accounts_umask_etc_bashrc
-+ - use_pam_wheel_for_su
-+ - sshd_allow_only_protocol2
-+ - journald_forward_to_syslog
-+ - journald_compress
-+ - journald_storage
-+ - service_auditd_enabled
-+ - service_httpd_disabled
-+ - service_vsftpd_disabled
-+ - service_named_disabled
-+ - service_nfs_disabled
-+ - service_rpcbind_disabled
-+ - service_slapd_disabled
-+ - service_dhcpd_disabled
-+ - service_cups_disabled
-+ - service_ypserv_disabled
-+ - service_rsyncd_disabled
-+ - service_avahi-daemon_disabled
-+ - service_snmpd_disabled
-+ - service_squid_disabled
-+ - service_smb_disabled
-+ - service_dovecot_disabled
-+ - banner_etc_motd
-+ - login_banner_text=cis_banners
-+ - banner_etc_issue
-+ - login_banner_text=cis_banners
-+ - file_groupowner_etc_motd
-+ - file_owner_etc_motd
-+ - file_permissions_etc_motd
-+ - file_groupowner_etc_issue
-+ - file_owner_etc_issue
-+ - file_permissions_etc_issue
-+ - ensure_gpgcheck_globally_activated
-+ - package_aide_installed
-+ - aide_periodic_cron_checking
-+ - grub2_password
-+ - file_groupowner_grub2_cfg
-+ - file_owner_grub2_cfg
-+ - file_permissions_grub2_cfg
-+ - require_singleuser_auth
-+ - require_emergency_target_auth
-+ - disable_users_coredumps
-+ - configure_crypto_policy
-+ - var_system_crypto_policy=default_policy
-+ - dir_perms_world_writable_sticky_bits
-+ - file_permissions_etc_passwd
-+ - file_owner_etc_shadow
-+ - file_groupowner_etc_shadow
-+ - file_groupowner_etc_group
-+ - file_owner_etc_group
-+ - file_permissions_etc_group
-+ - file_groupowner_etc_gshadow
-+ - file_owner_etc_gshadow
-+ - file_groupowner_backup_etc_passwd
-+ - file_owner_backup_etc_passwd
-+ - file_permissions_backup_etc_passwd
-+ - file_groupowner_backup_etc_shadow
-+ - file_owner_backup_etc_shadow
-+ - file_permissions_backup_etc_shadow
-+ - file_groupowner_backup_etc_group
-+ - file_owner_backup_etc_group
-+ - file_permissions_backup_etc_group
-+ - file_groupowner_backup_etc_gshadow
-+ - file_owner_backup_etc_gshadow
-+ - file_permissions_unauthorized_world_writable
-+ - file_permissions_ungroupowned
-+ - accounts_root_path_dirs_no_write
-+ - root_path_no_dot
-+ - accounts_no_uid_except_zero
-+ - file_ownership_home_directories
-+ - file_groupownership_home_directories
-+ - no_netrc_files
-+ - no_rsh_trust_files
-+ - account_unique_id
-+ - group_unique_id
-+ - group_unique_name
-+ - wireless_disable_interfaces
-+ - package_firewalld_installed
-+ - service_firewalld_enabled
-+ - package_iptables_installed
-diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
-new file mode 100644
-index 0000000000..152571e8bb
---- /dev/null
-+++ b/products/openembedded/transforms/constants.xslt
-@@ -0,0 +1,10 @@
-+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-+
-+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
-+
-+<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable>
-+<xsl:variable name="product_short_name">openembedded</xsl:variable>
-+<xsl:variable name="product_stig_id_name">empty</xsl:variable>
-+<xsl:variable name="prod_type">openembedded</xsl:variable>
-+
-+</xsl:stylesheet>
-diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
-new file mode 100644
-index 0000000000..11ebdca913
---- /dev/null
-+++ b/shared/checks/oval/installed_OS_is_openembedded.xml
-@@ -0,0 +1,33 @@
-+<def-group>
-+ <definition class="inventory" id="installed_OS_is_openembedded" version="1">
-+ <metadata>
-+ <title>OpenEmbedded</title>
-+ <affected family="unix">
-+ <platform>multi_platform_all</platform>
-+ </affected>
-+ <description>The operating system installed is an OpenEmbedded based system</description>
-+ </metadata>
-+ <criteria comment="System is OpenEmbedded based" operator="AND">
-+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
-+ <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" />
-+ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" />
-+ </criteria>
-+ </definition>
-+
-+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1">
-+ <unix:object object_ref="obj_os_openembedded" />
-+ </unix:file_test>
-+ <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1">
-+ <unix:filepath>/etc/os-release</unix:filepath>
-+ </unix:file_object>
-+
-+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1">
-+ <ind:object object_ref="obj_openembedded" />
-+ </ind:textfilecontent54_test>
-+ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded">
-+ <ind:filepath>/etc/os-release</ind:filepath>
-+ <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern>
-+ <ind:instance datatype="int">1</ind:instance>
-+ </ind:textfilecontent54_object>
-+
-+</def-group>
-diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-index affb9770cb..4f22df262c 100644
---- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-@@ -8,6 +8,7 @@
- <platform>multi_platform_debian</platform>
- <platform>multi_platform_example</platform>
- <platform>multi_platform_fedora</platform>
-+ <platform>multi_platform_openembedded</platform>
- <platform>multi_platform_opensuse</platform>
- <platform>multi_platform_ol</platform>
- <platform>multi_platform_rhcos</platform>
-diff --git a/ssg/constants.py b/ssg/constants.py
-index f66ba008fa..630fbdfcb9 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
- "Ubuntu 20.04": "ubuntu2004",
- "Ubuntu 22.04": "ubuntu2204",
- "UnionTech OS Server 20": "uos20",
-+ "OpenEmbedded": "openembedded",
- "Not Applicable" : "example"
- }
-
-@@ -267,7 +268,7 @@ REFERENCES = dict(
-
- MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
- "opensuse", "sle", "ol", "ocp", "rhcos",
-- "example", "eks", "alinux", "uos", "anolis"]
-+ "example", "eks", "alinux", "uos", "anolis", "openembedded"]
-
- MULTI_PLATFORM_MAPPING = {
- "multi_platform_alinux": ["alinux2", "alinux3"],
-@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = {
- "multi_platform_sle": ["sle12", "sle15"],
- "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
- "multi_platform_uos": ["uos20"],
-+ "multi_platform_openembedded": ["openembedded"],
- }
-
- RHEL_CENTOS_CPE_MAPPING = {
-@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
- 'ocp': 'Red Hat OpenShift Container Platform',
- 'rhcos': 'Red Hat Enterprise Linux CoreOS',
- 'eks': 'Amazon Elastic Kubernetes Service',
-+ 'openembedded': 'OpenEmbedded',
- }
-
- # References that can not be used with product-qualifiers
---
-2.34.1
-
diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb
index 988e48bd81..ac839dee44 100644
--- a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
+++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb
@@ -6,11 +6,10 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
LICENSE = "BSD-3-Clause"
-SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d"
+SRCREV = "d09e81ae00509a9be4b01359166cfbece06e47f4"
SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \
file://run_eval.sh \
file://run-ptest \
- file://0001-scap-security-guide-add-openembedded-distro-support.patch \
file://0002-scap-security-guide-Add-Poky-support.patch \
"
@@ -22,9 +21,14 @@ B = "${S}/build"
inherit cmake pkgconfig python3native python3targetconfig ptest
+STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
+export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
+export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
+
OECMAKE_GENERATOR = "Unix Makefiles"
-EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OE=ON"
+EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OPENEMBEDDED=ON"
do_configure[depends] += "openscap-native:do_install"
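Review bot: The new `STAGING_OSCAP_BUILDDIR` assignment and the three `export OSCAP_*_PATH` lines carry no comment saying what populates `${TMPDIR}/work-shared/openscap/oscap-build-artifacts` or why oscap needs its CPE, schema and XSLT paths overridden. The only visible link to that directory is `do_configure[depends] += "openscap-native:do_install"`, so a reader cannot confirm from this recipe that the task fills it; if it does not, the SCAP content would presumably be built against missing or stale schemas. I would add above the assignment: `# CPE/schema/XSLT data staged by openscap-native (see do_configure[depends]); oscap reads these paths from the environment`. Because a recipe-level `export` reaches every shell task, the comment should also say that the override is meant for the whole recipe and not only the build step.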
diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
index ff800ce9ef..8185e51047 100644
--- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
+++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
@@ -23,7 +23,7 @@ do_make(){
}
do_install(){
- oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} install
+ oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} SBINDIR=${sbindir} install
}
PACKAGE="${PN} ${PN}-dbg ${PN}-doc"
diff --git a/meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch b/meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
new file mode 100644
index 0000000000..451cb7f96f
--- /dev/null
+++ b/meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
@@ -0,0 +1,26 @@
+From 824c5d7b96aeef1b4e182f657ac002bed6e14cd5 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Thu, 31 Aug 2023 08:20:56 +0000
+Subject: [PATCH] To fix package error if DESTDIR is set to /usr.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 0d7bc0c..46fd664 100644
+--- a/Makefile
++++ b/Makefile
+@@ -19,7 +19,7 @@ $(PROG).o: $(PROG).c $(PROG).h $(PROG)-elf.c
+
+ install: $(PROG)
+ # $(MKDIR) $(DESTDIR)/sbin $(DESTDIR)$(MANDIR)
+- $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/sbin/$(PROG)
++ $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/usr/sbin/$(PROG)
+ $(INSTALL) -D --owner 0 --group 0 --mode a=r $(PROG).1 $(DESTDIR)/$(MANDIR)/$(PROG).1
+
+ clean:
+--
+2.34.1
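Review bot: The replacement install line hard-codes `$(DESTDIR)/usr/sbin/$(PROG)`, so the destination still ignores the recipe's `${sbindir}`; the fixed path only moves from `/sbin` to `/usr/sbin`. A variable would keep the Makefile and the recipe in agreement, for example `$(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)$(SBINDIR)/$(PROG)` with `SBINDIR ?= /sbin` defined near the top and the recipe passing `SBINDIR=${sbindir}`, as the ccs-tools recipe in this commit does. The patch header's `Upstream-Status: Inappropriate` lacks the bracketed reason that tag normally carries, and the subject talks about DESTDIR being set to /usr while the change is about the sbin location; one line naming the QA issue being fixed would help the next maintainer. The Makefile's install rule is only partly visible in the hunk.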
diff --git a/meta-security/recipes-security/paxctl/paxctl_0.9.bb b/meta-security/recipes-security/paxctl/paxctl_0.9.bb
index 5c9aff1558..3d2f2a36c4 100644
--- a/meta-security/recipes-security/paxctl/paxctl_0.9.bb
+++ b/meta-security/recipes-security/paxctl/paxctl_0.9.bb
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://paxctl.c;beginline=1;endline=5;md5=0ddd065c61020dda79
file://paxctl-elf.c;beginline=1;endline=5;md5=99f453ce7f6d1687ee808982e2924813 \
"
-SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz"
+SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz \
+ file://0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch \
+"
SRC_URI[md5sum] = "9bea59b1987dc4e16c2d22d745374e64"
SRC_URI[sha256sum] = "a330ddd812688169802a3ba29e5e3b19956376b8f6f73b8d7e9586eb04423c2e"
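Review bot: The rewritten `SRC_URI` still fetches the tarball over cleartext `http://pax.grsecurity.net/`, so the integrity of the download rests entirely on the checksums below it. The `SRC_URI[sha256sum]` entry covers that, while the `SRC_URI[md5sum]` entry adds no protection against a tampered download and could be dropped. If the host serves it (not visible here), `https://` would be preferable; if it does not, a short comment such as `# upstream is http-only; integrity pinned by sha256sum` would record why.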