diff options
20 files changed, 82 insertions, 63 deletions
diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 6057e8daf9..95c853a72d 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 # This policy file will get installed as /etc/ima/ima-policy. # It is located via the normal file search path, so a .bbappend # to this recipe can just point towards one of its own files. -IMA_POLICY ?= "ima_policy_hashed" +IMA_POLICY ?= "ima-policy-hashed" SRC_URI = " file://ima" diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb index e84ed30f85..fd53fcba52 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb @@ -30,4 +30,4 @@ do_install () { FILES_${PN} += "${datadir}/oe-scap" -RDEPENDS_${PN} = "openscap" +RDEPENDS_${PN} = "openscap bash" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc index ed8d8ffa78..afa576a9bc 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -40,15 +40,14 @@ do_configure_append_class-native () { sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h } -do_clean[cleandirs] += "${STAGING_OSCAP_BUILDDIR}" -do_install[nostamp] = "1" - +do_install_class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" do_install_append_class-native () { oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} install -d $oscapdir cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir } + FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" RDEPENDS_${PN} += "libxml2 python3-core libgcc bash" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index 341721a069..3212310fb7 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -7,14 +7,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" LICENSE = "LGPL-2.1" DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" -RDEPENDS_${PN} = "openscap" S = "${WORKDIR}/git" inherit cmake pkgconfig python3native -#PARALLEL_MAKE = "" - STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" OECMAKE_GENERATOR = "Unix Makefiles" @@ -23,9 +20,13 @@ EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF" B = "${S}/build" +do_configure[depends] += "openscap-native:do_install" + do_configure_prepend () { sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt } FILES_${PN} += "${datadir}/xml" + +RDEPENDS_${PN} = "openscap" diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb index 8b504453f6..8385c9403e 100644 --- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb @@ -32,7 +32,7 @@ RRECOMMENDS_${PN} = "kernel-module-aes-generic \ kernel-module-xts \ " -RDEPENDS_${PN} += "lvm2" +RDEPENDS_${PN} += "lvm2 libdevmapper" RRECOMMENDS_${PN} += "lvm2-udevrules" RREPLACES_${PN} = "cryptsetup" diff --git a/meta-security/recipes-core/busybox/busybox_%.bbappend b/meta-security/recipes-core/busybox/busybox_%.bbappend index 8bb0706ec5..27a24824dc 100644 --- a/meta-security/recipes-core/busybox/busybox_%.bbappend +++ b/meta-security/recipes-core/busybox/busybox_%.bbappend @@ -1,3 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://head.cfg" +require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)} diff --git a/meta-security/recipes-core/busybox/busybox_libsecomp.inc b/meta-security/recipes-core/busybox/busybox_libsecomp.inc new file mode 100644 index 0000000000..4af22ce3e9 --- /dev/null +++ b/meta-security/recipes-core/busybox/busybox_libsecomp.inc @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:" + +SRC_URI_append = " file://head.cfg" diff --git a/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch b/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch new file mode 100644 index 0000000000..74e9a56c18 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch @@ -0,0 +1,26 @@ +From b37554e0bc3cf383e6547c5c6a69c6f6849c09e3 Mon Sep 17 00:00:00 2001 +From: Eric Leblond <eric@regit.org> +Date: Wed, 17 Jul 2019 12:35:12 +0200 +Subject: [PATCH] af-packet: fix build on recent Linux kernels + +Upstream-Status: Backport +Signed-off-by: Armin kuster <akuster808@gmail.com> +--- + src/source-af-packet.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: suricata-4.1.4/src/source-af-packet.c +=================================================================== +--- suricata-4.1.4.orig/src/source-af-packet.c ++++ suricata-4.1.4/src/source-af-packet.c +@@ -64,6 +64,10 @@ + #include <sys/ioctl.h> + #endif + ++#if HAVE_LINUX_SOCKIOS_H ++#include <linux/sockios.h> ++#endif ++ + #ifdef HAVE_PACKET_EBPF + #include "util-ebpf.h" + #include <bpf/libbpf.h> diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.29.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.30.bb index 8305f70105..8305f70105 100644 --- a/meta-security/recipes-ids/suricata/libhtp_0.5.29.bb +++ b/meta-security/recipes-ids/suricata/libhtp_0.5.30.bb diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc index 7be403ccb6..54f91c5e8f 100644 --- a/meta-security/recipes-ids/suricata/suricata.inc +++ b/meta-security/recipes-ids/suricata/suricata.inc @@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/" SECTION = "security Monitor/Admin" LICENSE = "GPLv2" -VER = "4.1.3" +VER = "4.1.4" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz" -SRC_URI[md5sum] = "35c4a8e6be3910831649a073950195df" -SRC_URI[sha256sum] = "6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0" +SRC_URI[md5sum] = "cb8bf6b8330c44ae78dfb5b083a6fe82" +SRC_URI[sha256sum] = "2da50d91f92adf8b1af930f388361f76424420b88f553f610e2780e4240f2009" diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.3.bb b/meta-security/recipes-ids/suricata/suricata_4.1.4.bb index d6f5937d10..f860af97ab 100644 --- a/meta-security/recipes-ids/suricata/suricata_4.1.3.bb +++ b/meta-security/recipes-ids/suricata/suricata_4.1.4.bb @@ -7,11 +7,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd SRC_URI += "file://emerging.rules.tar.gz;name=rules" SRC_URI += " \ - file://volatiles.03_suricata \ - file://suricata.yaml \ - file://suricata.service \ - file://run-ptest \ - " + file://volatiles.03_suricata \ + file://suricata.yaml \ + file://suricata.service \ + file://run-ptest \ + file://0001-af-packet-fix-build-on-recent-Linux-kernels.patch \ + " SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33" SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb index 9322018bdd..848440420e 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -160,7 +160,7 @@ PACKAGES += "mod-${PN}" FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" FILES_mod-${PN} = "${libdir}/apache2/modules/*" -RDEPENDS_${PN} += "bash lsb" +RDEPENDS_${PN} += "bash" RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor b/meta-security/recipes-mac/AppArmor/files/apparmor index ac3ab9a4ac..604e48d569 100644 --- a/meta-security/recipes-mac/AppArmor/files/apparmor +++ b/meta-security/recipes-mac/AppArmor/files/apparmor @@ -47,7 +47,6 @@ log_end_msg () { } . /lib/apparmor/functions -. /lib/lsb/init-functions usage() { echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb index dba1be5748..37a79829f7 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb @@ -17,6 +17,8 @@ inherit autotools-brokensep pkgconfig ptest PACKAGECONFIG ??= "" PACKAGECONFIG[python] = "--enable-python, --disable-python, python" +DISABLE_STATIC = "" + do_compile_ptest() { oe_runmake -C tests check-build } diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb index ddcf2086e2..39873b8506 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb @@ -3,6 +3,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" +inherit distro_features_check + +REQUIRED_DISTRO_FEATURES = "ptest" + PACKAGES = "\ ${PN} \ " @@ -15,7 +19,7 @@ RDEPENDS_${PN} = " \ samhain-standalone-ptest \ keyutils-ptest \ libseccomp-ptest \ - python-scapy-ptest \ + python3-scapy-ptest \ suricata-ptest \ tripwire-ptest \ python-fail2ban-ptest \ diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb index 20ba46f34d..e0a9d05347 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb @@ -11,7 +11,6 @@ PACKAGES = "\ packagegroup-security-scanners \ packagegroup-security-ids \ packagegroup-security-mac \ - ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ " RDEPENDS_packagegroup-core-security = "\ @@ -19,7 +18,6 @@ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-scanners \ packagegroup-security-ids \ packagegroup-security-mac \ - ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ " SUMMARY_packagegroup-security-utils = "Security utilities" @@ -27,7 +25,7 @@ RDEPENDS_packagegroup-security-utils = "\ checksec \ nmap \ pinentry \ - python-scapy \ + python3-scapy \ ding-libs \ keyutils \ libseccomp \ diff --git a/meta-security/recipes-security/scapy/files/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest index 91b29f907f..797d8ecf78 100644 --- a/meta-security/recipes-security/scapy/files/run-ptest +++ b/meta-security/recipes-security/scapy/files/run-ptest @@ -1,4 +1,4 @@ #!/bin/sh -UTscapy -t regression.uts -f text -l -C \ +UTscapy3 -t regression.uts -f text -l -C \ -o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \ 2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/' diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python-scapy.inc deleted file mode 100644 index 28e13f2880..0000000000 --- a/meta-security/recipes-security/scapy/python-scapy.inc +++ /dev/null @@ -1,22 +0,0 @@ -SUMMARY = "Network scanning and manipulation tool" -DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc." -SECTION = "security" -LICENSE = "GPLv2" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -S = "${WORKDIR}/git" - -SRCREV = "3047580162a9407ef05fe981983cacfa698f1159" -SRC_URI = "git://github.com/secdev/scapy.git" - -inherit ptest - -do_install_ptest() { - install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} - sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest -} - -RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \ - ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ - ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.3.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.3.bb deleted file mode 100644 index 982620e0b1..0000000000 --- a/meta-security/recipes-security/scapy/python-scapy_2.4.3.bb +++ /dev/null @@ -1,11 +0,0 @@ -inherit setuptools -require python-scapy.inc - -SRC_URI += "file://run-ptest" - -RDEPENDS_${PN} += "${PYTHON_PN}-subprocess" - -do_install_append() { - mv ${D}${bindir}/scapy ${D}${bindir}/scapy2 - mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy2 -} diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb index abcaeeb0b4..925f188cde 100644 --- a/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb +++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb @@ -1,9 +1,30 @@ -inherit setuptools3 -require python-scapy.inc +SUMMARY = "Network scanning and manipulation tool" +DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc." +SECTION = "security" +LICENSE = "GPLv2" -SRC_URI += "file://run-ptest" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +S = "${WORKDIR}/git" + +SRCREV = "3047580162a9407ef05fe981983cacfa698f1159" +SRC_URI = "git://github.com/secdev/scapy.git \ + file://run-ptest" + +S = "${WORKDIR}/git" + +inherit setuptools3 ptest do_install_append() { mv ${D}${bindir}/scapy ${D}${bindir}/scapy3 mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3 } + +do_install_ptest() { + install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} + sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest +} + +RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \ + ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ + ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" |