Diffstat (limited to 'meta-security')
21 files changed, 146 insertions, 100 deletions
diff --git a/meta-security/README b/meta-security/README index 081669f6b3..2d1996b153 100644 --- a/meta-security/README +++ b/meta-security/README @@ -28,20 +28,10 @@ Dependencies This layer depends on: URI: git://git.openembedded.org/openembedded-core - branch: master + branch: [same one as checked out for this layer] URI: git://git.openembedded.org/meta-openembedded/meta-oe - branch: master - - URI: git://git.openembedded.org/meta-openembedded/meta-perl - branch: master - - URI: git://git.openembedded.org/meta-openembedded/meta-python - branch: master - - URI: git://git.openembedded.org/meta-openembedded/meta-networking - branch: master - + branch: [same one as checked out for this layer] Adding the security layer to your build ======================================== @@ -57,21 +47,22 @@ other layers needed. e.g.: BBLAYERS ?= " \ /path/to/oe-core/meta \ /path/to/meta-openembedded/meta-oe \ - /path/to/meta-openembedded/meta-perl \ - /path/to/meta-openembedded/meta-python \ - /path/to/meta-openembedded/meta-networking \ /path/to/layer/meta-security " -Optional Rust dependancy +Optional Dynamic layer dependancy ====================================== -If you want to use the latest Suricata that needs rust, you will need to clone - URI: https://github.com/meta-rust/meta-rust.git - branch: master + URI: git://git.openembedded.org/meta-openembedded/meta-oe + + URI: git://git.openembedded.org/meta-openembedded/meta-perl + + URI: git://git.openembedded.org/meta-openembedded/meta-python - BBLAYERS += "/path/to/layer/meta-rust" + BBLAYERS += "/path/to/layer/meta-openembedded/meta-oe" + BBLAYERS += "/path/to/layer/meta-openembedded/meta-perl" + BBLAYERS += "/path/to/layer/meta-openembedded/meta-python" -This will activate the dynamic-layer mechanism and pull in the newer suricata +This will activate the dynamic-layer mechanism. diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 7d57f9c850..fa7d79efbf 100644 --- a/meta-security/conf/layer.conf 
+++ b/meta-security/conf/layer.conf @@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "kirkstone" +LAYERSERIES_COMPAT_security = "kirkstone langdale" LAYERDEPENDS_security = "core openembedded-layer" diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py index 35e87ef32d..b8255c781c 100644 --- a/meta-security/lib/oeqa/runtime/cases/smack.py +++ b/meta-security/lib/oeqa/runtime/cases/smack.py @@ -29,8 +29,6 @@ class SmackBasicTest(OERuntimeTestCase): status,output = self.target.run("cat /proc/self/attr/current") self.current_label = output.strip() -class SmackAccessLabel(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_access_label(self): ''' Test if chsmack can correctly set a SMACK label ''' @@ -54,8 +52,6 @@ class SmackAccessLabel(SmackBasicTest): "%s %s" %(LABEL,label_retrieved)) -class SmackExecLabel(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_exec_label(self): '''Test if chsmack can correctly set a SMACK Exec label''' @@ -79,8 +75,6 @@ class SmackExecLabel(SmackBasicTest): "%s %s" %(LABEL,label_retrieved)) -class SmackMmapLabel(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_mmap_label(self): '''Test if chsmack can correctly set a SMACK mmap label''' @@ -104,8 +98,6 @@ class SmackMmapLabel(SmackBasicTest): "%s %s" %(LABEL,label_retrieved)) -class SmackTransmutable(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_transmutable(self): '''Test if chsmack can correctly set a SMACK transmutable mode''' 
@@ -128,8 +120,6 @@ class SmackTransmutable(SmackBasicTest): "%s %s" %(LABEL,label_retrieved)) -class SmackChangeSelfLabelPrivilege(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_privileged_change_self_label(self): '''Test if privileged process (with CAP_MAC_ADMIN privilege) @@ -145,8 +135,6 @@ class SmackChangeSelfLabelPrivilege(SmackBasicTest): self.assertIn("PRIVILEGED", output, "Privilege process did not change label.Output: %s" %output) -class SmackChangeSelfLabelUnprivilege(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_unprivileged_change_self_label(self): '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) @@ -163,8 +151,6 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest): "Unprivileged process should not be able to change its label") -class SmackChangeFileLabelPrivilege(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_unprivileged_change_file_label(self): '''Test if unprivileged process cannot change file labels''' @@ -183,8 +169,6 @@ class SmackChangeFileLabelPrivilege(SmackBasicTest): self.target.run("rm %s" % filename) self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename) -class SmackLoadRule(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_load_smack_rule(self): '''Test if new smack access rules can be loaded''' @@ -211,8 +195,6 @@ class SmackLoadRule(SmackBasicTest): self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) -class SmackOnlycap(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_onlycap(self): '''Test if smack onlycap label can be set 
@@ -223,7 +205,6 @@ class SmackOnlycap(SmackBasicTest): status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh") self.assertEqual(status, 0, output) -class SmackNetlabel(SmackBasicTest): @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_netlabel(self): @@ -246,7 +227,6 @@ class SmackNetlabel(SmackBasicTest): test_label, output, "Did not find expected label in output: %s" %output) -class SmackCipso(SmackBasicTest): @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_cipso(self): @@ -287,7 +267,6 @@ class SmackCipso(SmackBasicTest): self.assertEqual(status, 0, "Cipso rule C was not set") self.assertIn("/17,33", output, "Rule C was not set correctly") -class SmackDirect(SmackBasicTest): @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_direct(self): @@ -308,8 +287,6 @@ class SmackDirect(SmackBasicTest): "Smack direct label does not match.") -class SmackAmbient(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_ambient(self): test_ambient = "test_ambient" @@ -330,8 +307,6 @@ class SmackAmbient(SmackBasicTest): "Ambient label does not match") -class SmackloadBinary(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smackload(self): '''Test if smackload command works''' @@ -345,8 +320,6 @@ class SmackloadBinary(SmackBasicTest): self.assertEqual(status, 0, "Smackload rule was loaded correctly") -class SmackcipsoBinary(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smackcipso(self): '''Test if smackcipso command works''' @@ -362,8 +335,6 @@ class SmackcipsoBinary(SmackBasicTest): self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output) -class SmackEnforceFileAccess(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_enforce_file_access(self): '''Test if smack file access is enforced (rwx) 
@@ -375,8 +346,6 @@ class SmackEnforceFileAccess(SmackBasicTest): self.assertEqual(status, 0, output) -class SmackEnforceMmap(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_mmap_enforced(self): '''Test if smack mmap access is enforced''' @@ -449,8 +418,6 @@ class SmackEnforceMmap(SmackBasicTest): "Output: %s" %output) -class SmackEnforceTransmutable(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_transmute_dir(self): '''Test if smack transmute attribute works @@ -473,8 +440,6 @@ class SmackEnforceTransmutable(SmackBasicTest): "Did not get expected label. Output: %s" % output) -class SmackTcpSockets(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_tcp_sockets(self): '''Test if smack is enforced on tcp sockets @@ -485,8 +450,6 @@ class SmackTcpSockets(SmackBasicTest): self.assertEqual(status, 0, output) -class SmackUdpSockets(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_udp_sockets(self): '''Test if smack is enforced on udp sockets @@ -497,8 +460,6 @@ class SmackUdpSockets(SmackBasicTest): self.assertEqual(status, 0, output) -class SmackFileLabels(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_labels(self): '''Check for correct Smack labels.''' diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf index bc33d973cb..5983161755 100644 --- a/meta-security/meta-hardening/conf/layer.conf +++ b/meta-security/meta-hardening/conf/layer.conf @@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "harden-layer" BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_harden-layer = "10" -LAYERSERIES_COMPAT_harden-layer = "kirkstone" +LAYERSERIES_COMPAT_harden-layer = "kirkstone langdale" LAYERDEPENDS_harden-layer = "core openembedded-layer" 
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index 3d58be4ae4..1fcf33c543 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}' # interactive shell is enough. OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" -LAYERSERIES_COMPAT_integrity = "kirkstone" +LAYERSERIES_COMPAT_integrity = "kirkstone langdale" # ima-evm-utils depends on keyutils from meta-oe LAYERDEPENDS_integrity = "core openembedded-layer" diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf index 544cc4e792..a748d77edb 100644 --- a/meta-security/meta-parsec/conf/layer.conf +++ b/meta-security/meta-parsec/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer" BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_parsec-layer = "5" -LAYERSERIES_COMPAT_parsec-layer = "kirkstone" +LAYERSERIES_COMPAT_parsec-layer = "kirkstone langdale" LAYERDEPENDS_parsec-layer = "core clang-layer" BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec" diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf index 7c076255ee..ec57541eb7 100644 --- a/meta-security/meta-security-compliance/conf/layer.conf +++ b/meta-security/meta-security-compliance/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "kirkstone" +LAYERSERIES_COMPAT_scanners-layer = "kirkstone langdale" LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python" diff --git a/meta-security/meta-security-isafw/conf/layer.conf b/meta-security/meta-security-isafw/conf/layer.conf index e8cdc1b91a..724742d7fc 100644 --- a/meta-security/meta-security-isafw/conf/layer.conf +++ b/meta-security/meta-security-isafw/conf/layer.conf 
@@ -14,4 +14,4 @@ LAYERVERSION_security-isafw = "1" LAYERDEPENDS_security-isafw = "core" -LAYERSERIES_COMPAT_security-isafw = "kirkstone" +LAYERSERIES_COMPAT_security-isafw = "kirkstone langdale" diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 52e3ee0a1c..1fd2e4c1ba 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_tpm-layer = "10" -LAYERSERIES_COMPAT_tpm-layer = "kirkstone" +LAYERSERIES_COMPAT_tpm-layer = "kirkstone langdale" LAYERDEPENDS_tpm-layer = " \ core \ diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py new file mode 100644 index 0000000000..df47b353ed --- /dev/null +++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py @@ -0,0 +1,24 @@ +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> +# +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature + +class SwTpmTest(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.tc.target.run('mkdir /tmp/myvtpm2') + cls.tc.target.run('chown tss:root /tmp/myvtpm2') + + @classmethod + def tearDownClass(cls): + cls.tc.target.run('rm -fr /tmp/myvtpm2') + + @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES') + @OETestDepends(['ssh.SSHTest.test_ssh']) + @OEHasPackage(['swtpm']) + def test_swtpm2_ek_cert(self): + cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2', + status, output = self.target.run(cmd) + self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output) 
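Review bot: The trailing comma after the command string in test_swtpm2_ek_cert makes `cmd` a one-element tuple, so `self.target.run(cmd)` receives a tuple rather than the command string. How run() treats a tuple is not visible here, but the line should read `cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2'`. setUpClass also discards the status of `mkdir` and `chown`, so a failed setup only surfaces later as a swtpm_setup failure; checking both statuses there would make the cause obvious.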
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py index c2c95e7159..e64d19d69e 100644 --- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py +++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py @@ -1,11 +1,19 @@ -# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com> # from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.runtime.decorator.package import OEHasPackage - +from oeqa.core.decorator.data import skipIfNotFeature class Tpm2Test(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.tc.target.run('mkdir /tmp/myvtpm2') + + @classmethod + def tearDownClass(cls): + cls.tc.target.run('rm -fr /tmp/myvtpm2') + def check_endlines(self, results, expected_endlines): for line in results.splitlines(): for el in expected_endlines: 
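Review bot: setUpClass and tearDownClass use the same fixed path `/tmp/myvtpm2` as the new SwTpmTest in swtpm.py, so the two classes share one TPM state directory. The plain `mkdir` fails when the directory already exists, its status is not checked, and either class's `rm -fr` deletes the other's state. A per-class directory, for example one created on the target with `mktemp -d`, would keep the suites independent. tearDownClass also removes the directory without stopping the `swtpm socket -d` daemon that test_tpm2_startup starts in the next hunk, which appears to leave it listening on ports 2321/2322 after the run; stopping it in teardown is worth adding.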
@@ -19,20 +27,19 @@ class Tpm2Test(OERuntimeTestCase): @OEHasPackage(['tpm2-tools']) @OEHasPackage(['tpm2-abrmd']) @OEHasPackage(['swtpm']) + @skipIfNotFeature('tpm2','Test tpm2_startup requires tpm2 to be in DISTRO_FEATURES') @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_tpm2_swtpm_socket(self): + def test_tpm2_startup(self): cmds = [ - 'mkdir /tmp/myvtpm', - 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &', - 'export TPM2TOOLS_TCTI="swtpm:port=2321"', - 'tpm2_startup -c' + 'swtpm socket -d --tpmstate dir=/tmp/myvtpm2 --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init', + 'tpm2_startup -c -T "swtpm:port=2321"', ] for cmd in cmds: status, output = self.target.run(cmd) self.assertEqual(status, 0, msg='\n'.join([cmd, output])) - @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_startup']) def test_tpm2_pcrread(self): (status, output) = self.target.run('tpm2_pcrread') expected_endlines = [] @@ -49,7 +56,7 @@ class Tpm2Test(OERuntimeTestCase): @OEHasPackage(['p11-kit']) @OEHasPackage(['tpm2-pkcs11']) - @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pcrread']) def test_tpm2_pkcs11(self): (status, output) = self.target.run('p11-kit list-modules -v') self.assertEqual(status, 0, msg="Modules missing: %s" % output) diff --git a/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb index 7e047d1274..941a6617ad 100644 --- a/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb +++ b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb @@ -7,6 +7,7 @@ IMAGE_INSTALL = "\ packagegroup-core-boot \ packagegroup-security-tpm2 \ os-release \ + swtpm \ " IMAGE_LINGUAS ?= " " 
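Review bot: With the `export TPM2TOOLS_TCTI=...` step dropped, only `tpm2_startup` is pointed at the software TPM through `-T "swtpm:port=2321"`. test_tpm2_pcrread, visible in the following hunk, still runs a bare `tpm2_pcrread`, so the TCTI it uses depends on defaults that are not visible here. If it is meant to read the swtpm instance started above, pass the same option: `self.target.run('tpm2_pcrread -T "swtpm:port=2321"')`. The bodies of test_tpm2_pcrread and test_tpm2_pkcs11 continue outside these hunks.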
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb index 85e4c5d557..03899d8032 100644 --- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb +++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb @@ -20,14 +20,15 @@ inherit autotools pkgconfig perlnative TSS_USER="tss" TSS_GROUP="tss" -PACKAGECONFIG ?= "openssl" +PACKAGECONFIG ?= "openssl gnutls" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)}" PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}" PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl" # expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is # used by swtpm-create-tpmca (the last two is provided by gnutls) # gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert -PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools" +PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls-native gnutls, gnutls-bin expect bash tpm2-pkcs11-tools" PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux" PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse" PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb index e8812d06d0..dd0a0b57b5 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb 
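Review bot: Enabling `gnutls` by default, together with the new fourth field of `PACKAGECONFIG[gnutls]`, makes `expect`, `bash` and `tpm2-pkcs11-tools` hard runtime dependencies of swtpm, where the old line had them in the fifth (recommends) field. That pulls a shell and scripting tools into every image that installs swtpm with the default configuration. If only the CA helper scripts need them, keeping them as recommends, `PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls-native gnutls, gnutls-bin, expect bash tpm2-pkcs11-tools"`, preserves the smaller footprint. If the hard dependency is intended, the comment above the line should say so.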
@@ -25,15 +25,6 @@ do_compile:append() { } do_install:append() { - install -d ${D}${libdir}/pkcs11 - install -d ${D}${datadir}/p11-kit - - # remove symlinks - rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so - - #install lib - install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ${D}${libdir}/pkcs11/libtpm2_pkcs11.so - cd ${S}/tools export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}" ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build @@ -53,5 +44,7 @@ FILES:${PN} += "\ ${datadir}/p11-kit/* \ " +INSANE_SKIP:${PN} += "dev-so" + RDEPENDS:${PN} = "p11-kit tpm2-tools " RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index 901005440b..f381d91921 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -42,10 +42,13 @@ RDEPENDS:packagegroup-security-utils = "\ SUMMARY:packagegroup-security-scanners = "Security scanners" RDEPENDS:packagegroup-security-scanners = "\ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " arpwatch",d)} \ + chkrootkit \ isic \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \ " RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam" +RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "arpwatch" SUMMARY:packagegroup-security-audit = "Security Audit tools " RDEPENDS:packagegroup-security-audit = " \ diff --git a/meta-security/recipes-mac/smack/smack-test_1.0.bb b/meta-security/recipes-mac/smack/smack-test_1.0.bb index d7824aef65..3ab57c607e 100644 --- a/meta-security/recipes-mac/smack/smack-test_1.0.bb 
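Review bot: `INSANE_SKIP:${PN} += "dev-so"` in the second tpm2-pkcs11 hunk silences a packaging QA check without recording why. The first hunk removes the manual install of `libtpm2_pkcs11.so`, so the skip presumably covers an unversioned module shipped in the main package, but that is inferred. A one-line comment above it, such as `# libtpm2_pkcs11.so is a PKCS#11 module loaded by name, not a development symlink`, would let a later reviewer confirm the exemption is still needed.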
+++ b/meta-security/recipes-mac/smack/smack-test_1.0.bb @@ -22,4 +22,4 @@ do_install() { install -m 0755 *.sh ${D}${sbindir} } -RDEPENDS:${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test" +RDEPENDS:${PN} = "smack python3-core mmap-smack-test tcp-smack-test udp-smack-test" diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb index c8d31cf70d..8efb339750 100644 --- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb +++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb @@ -1,7 +1,7 @@ SUMARRY = "The ethernet monitor program; for keeping track of ethernet/ip address pairings" LICENSE = "BSD-4-Clause" HOME_PAGE = "http://ee.lbl.gov/" -LIC_FILES_CHKSUM = "file://configure;md5=74ca964ed34fda7b46c6fe3e50bded9d" +LIC_FILES_CHKSUM = "file://configure;md5=0f6cca2f69f384a14e2f5803210ca92e" DEPENDS += "libpcap" @@ -9,10 +9,10 @@ SRC_URI = "https://ee.lbl.gov/downloads/arpwatch/${BP}.tar.gz \ file://arpwatch.conf \ file://arpwatch.default \ file://arpwatch_init \ - file://postfix_workaround.patch \ - file://host_contam_fix.patch " + file://host_contam_fix.patch \ + " -SRC_URI[sha256sum] = "ee1d15d9a07952c0c017908b9dbfd5ac988fed0058c3cc4fa6c13e0be36f3a9f" +SRC_URI[sha256sum] = "d47fa8b291fc37a25a2d0f3e1b64f451dc0be82d714a10ffa6ef8b0b9e33e166" inherit autotools-brokensep update-rc.d useradd @@ -80,4 +80,8 @@ CONFFILE_FILES = "${sysconfdir}/${PN}.conf" FILES:${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \ ${sysconfdir} /var/lib/arpwatch" +COMPATIBLE_HOST:riscv32 = "null" +COMPATIBLE_HOST:riscv64 = "null" +OMPATIBLE_HOST:libc-musl = "null" + RDEPENDS:${PN} = "libpcap" diff --git a/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch b/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch index 7d7ffacf76..2e27aa4ead 100644 --- a/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch 
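Review bot: The last added line of the final arpwatch hunk is spelled `OMPATIBLE_HOST:libc-musl = "null"`, so it sets an unrelated variable and the musl restriction never takes effect. It should be `COMPATIBLE_HOST:libc-musl = "null"`. The packagegroup change in this commit removes arpwatch from the scanners group on musl, but the recipe itself stays selectable on musl until the name is fixed.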
+++ b/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch @@ -4,11 +4,11 @@ Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Armin Kuster <akuster808@gmail.com> -Index: arpwatch-3.0/configure +Index: arpwatch-3.3/configure =================================================================== ---- arpwatch-3.0.orig/configure -+++ arpwatch-3.0/configure -@@ -4349,8 +4349,8 @@ fi +--- arpwatch-3.3.orig/configure ++++ arpwatch-3.3/configure +@@ -4353,8 +4353,8 @@ fi CC=cc export CC fi diff --git a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb index 9a6e44a27c..f4a014e171 100644 --- a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb +++ b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb @@ -4,10 +4,10 @@ SECTION = "security" LICENSE = "BSD-3-Clause" HOMEPAGE="https://github.com/slimm609/checksec.sh" -LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8d90285f711cf1f378e2c024457066d8" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=879b2147c754bc040c29e9c3b84da836" -SRCREV = "c3754e45e04f9104db93b2048afd094427102d48" -SRC_URI = "git://github.com/slimm609/checksec.sh;branch=master;protocol=https" +SRCREV = "2753ebb89fcdc96433ae8a4c4e5a49214a845be2" +SRC_URI = "git://github.com/slimm609/checksec.sh;branch=main;protocol=https" S = "${WORKDIR}/git" @@ -17,3 +17,5 @@ do_install() { } RDEPENDS:${PN} = "bash openssl-bin binutils" + +BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb b/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb index 20015a1cc0..fe0e9891be 100644 --- a/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb +++ b/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb 
@@ -5,7 +5,8 @@ SECTION = "security" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff" -SRC_URI = "ftp://ftp.pangeia.com.br/pub/seg/pac/${BPN}.tar.gz" +SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz \ + file://musl_fix.patch" SRC_URI[sha256sum] = "a81c0286ec449313f953701202a00e81b204fc2cf43e278585a11c12a5e0258b" inherit autotools-brokensep diff --git a/meta-security/recipes-scanners/rootkits/files/musl_fix.patch b/meta-security/recipes-scanners/rootkits/files/musl_fix.patch new file mode 100644 index 0000000000..a33523bfc1 --- /dev/null +++ b/meta-security/recipes-scanners/rootkits/files/musl_fix.patch 
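Review bot: The new `SRC_URI` fetches the tarball over plain `http://` from a distribution mirror, so the unchanged `SRC_URI[sha256sum]` below it is the only control tying the download to the source that was previously reviewed. A comment above the line should record why the mirror is used and that the checksum was deliberately kept, for example `# upstream FTP replaced by Ubuntu .orig tarball; sha256sum unchanged`. Any future change to that checksum then deserves a comparison against the upstream release.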
@@ -0,0 +1,58 @@
+chkrootkit: Fix missing includes for musl
+
+
+Upstream-Status: Backport
+https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07737b95af2452c0055e1ed0660590c1487befdb
+https://bugs.gentoo.org/715552
+
+Signed-off-by: Armin Kuster <akuster808@gamil.com>
+
+Index: chkrootkit-0.55/chkdirs.c
+===================================================================
+--- chkrootkit-0.55.orig/chkdirs.c
++++ chkrootkit-0.55/chkdirs.c
+@@ -33,7 +33,7 @@
+ #elif defined(__APPLE__) && defined(__MACH__)
+ #include <sys/syslimits.h>
+ #endif
+-
++#include <limits.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <sys/types.h>
+Index: chkrootkit-0.55/chklastlog.c
+===================================================================
+--- chkrootkit-0.55.orig/chklastlog.c
++++ chkrootkit-0.55/chklastlog.c
+@@ -41,6 +41,7 @@ int main () { return 0; }
+ #include <stdlib.h>
+ #endif
+ #include <sys/stat.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #include <string.h>
+ #include <signal.h>
+Index: chkrootkit-0.55/chkproc.c
+===================================================================
+--- chkrootkit-0.55.orig/chkproc.c
++++ chkrootkit-0.55/chkproc.c
+@@ -65,6 +65,7 @@ int main (){ return 0; }
+ #include <string.h>
+ #include <errno.h>
+ #include <sys/types.h>
++#include <fcntl.h>
+ #include <dirent.h>
+ #include <ctype.h>
+ #include <stdlib.h>
+Index: chkrootkit-0.55/chkwtmp.c
+===================================================================
+--- chkrootkit-0.55.orig/chkwtmp.c
++++ chkrootkit-0.55/chkwtmp.c
+@@ -25,6 +25,7 @@ int main () { return 0; }
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
++#include <fcntl.h>
+ #include <string.h>
+ #include <utmp.h>
+ #include <time.h> |
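Review bot: The `Signed-off-by` trailer inside the added patch gives the address as `akuster808@gamil.com`, whereas the other files on this page use `akuster808@gmail.com`. It looks like a typo and should be corrected so the sign-off on this backport is attributable. The `Upstream-Status: Backport` line is also followed by bare URLs on separate lines; the usual form carries the reference in brackets on the same line, `Upstream-Status: Backport [https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07737b95af2452c0055e1ed0660590c1487befdb]`.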